
PIPO: A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations

Conference paper, Information Security and Cryptology – ICISC 2020 (ICISC 2020)

Abstract

In this paper, we introduce a new lightweight 64-bit block cipher PIPO (PIPO stands for “Plug-In” and “Plug-Out”, representing its use in side-channel protected and unprotected environments, respectively.) supporting a 128 or 256-bit key. It is a byte-oriented and bitsliced cipher that offers excellent performance in 8-bit AVR software implementations. In particular, PIPO allows for efficient higher-order masking implementations, since it uses a minimal number of nonlinear operations. Our implementations demonstrate that PIPO outperforms existing block ciphers (for the same block and key lengths) in both side-channel protected and unprotected environments, on an 8-bit AVR. Furthermore, PIPO records competitive round-based hardware implementations.

For the nonlinear layer of PIPO, we have developed a new lightweight 8-bit S-box that provides an efficient bitsliced implementation including only 11 nonlinear bitwise operations. Furthermore, its differential and linear branch numbers are both 3. This characteristic enables PIPO to thwart differential and linear attacks with fewer rounds. The security of PIPO has been scrutinized with regards to state-of-the-art cryptanalysis.

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2017-0-00520, Development of SCR-Friendly Symmetric Key Cryptosystem and Its Application Modes).


Notes

  1. For a higher resistance against DC and LC, swapping bits is additionally conducted in the \(S_8\) design (refer to section 3.2).


Author information

Corresponding author: Jongsung Kim.


Appendices

A Test Vectors

The following test vectors are given in big-endian representation.

  • PIPO-64/128
      • Secret key: 0x6DC416DD_779428D2_7E1D20AD_2E152297
      • Plaintext: 0x098552F6_1E270026
      • Ciphertext: 0x6B6B2981_AD5D0327

  • PIPO-64/256
      • Secret key: 0x009A3AA4_76A96DB5_54A71206_26D15633_6DC416DD_779428D2_7E1D20AD_2E152297
      • Plaintext: 0x098552F6_1E270026
      • Ciphertext: 0x816DAE6F_B6523889

B Proofs of Proposition and Theorems

B.1 Proof of Proposition 1

(\(\Rightarrow \))

If \(S_{3}\) or \(S^{1}_{5}\) is non-bijective, there are two different inputs \(X_L||X_R, X_L'||X_R'\) satisfying \((S^{1}_{5}(X_L),S_{3}(X_R))=(S^{1}_{5}(X_L'),S_{3}(X_R'))\). Then it is easy to see that \(S_8(X_L||X_R)=S_8(X_L'||X_R')\), and thus conditions i) and ii) must hold. Assume that \(f_{y}\) in condition iii) is non-bijective for some \(y\in \mathbb {F}^{3}_{2}\). Then there are two different inputs \(a,a'\) satisfying \(f_{y}(a)=f_{y}(a')\), which gives \(\tau _2'(S^{2}_{5}(y||a))=\tau _2'(S^{2}_{5}(y||a'))\). On the other hand, we can take a pair \(X_{R},X_{R}'\) satisfying \(\tau _3(S^{2}_{5}(y||a))\oplus S_3(X_R)=\tau _3(S^{2}_{5}(y||a'))\oplus S_3(X_R')\), and thus \(C_R=C_R'\). Combining the above two equations yields \(S^{2}_{5}(y||a)\oplus (S_3(X_R)||0^{(2)})=S^{2}_{5}(y||a')\oplus (S_3(X_R')||0^{(2)})\). Then we take a pair \(X_L,X_L'\) satisfying \(S^{1}_{5}(X_{L})=(y\oplus S_{3}(X_R))||a\) and \(S^{1}_{5}(X_{L}')=(y\oplus S_{3}(X_R'))||a'\). Since \(a\ne a'\), we have \(X_L \ne X_L'\) with \(S_8(X_L||X_R)=S_8(X_L'||X_R')\). Therefore, condition iii) must also hold.

(\(\Leftarrow \))

Assume that \(X_L\ne X_L'\) and \(X_R=X_R'\). If \(\tau _3(S^1_5(X_L))\ne \tau _3(S^1_5(X_L'))\), then \(C_L(X_L,X_R)\ne C_L(X_L',X_R')\). Let \(\tau _3(S^1_5(X_L))=\tau _3(S^1_5(X_L'))\). This leads to \(C_L(X_L,X_R)= C_L(X_L',X_R')\) and \(\tau _2'(S^1_5(X_L))\ne \tau _2'(S^1_5(X_L'))\). By condition iii), \(\tau _2(C_R(X_L,X_R))\ne \tau _2(C_R(X_L',X_R'))\). Assume that \(X_L= X_L'\) and \(X_R\ne X_R'\). Since \(S_3(X_R)\ne S_3(X_R')\), \(C_L(X_L,X_R)\ne C_L(X_L',X_R')\). Assume that \(X_L\ne X_L'\) and \(X_R\ne X_R'\). If \(C_L(X_L,X_R)= C_L(X_L',X_R')\), then either \(\tau _2'(S^1_5(X_L))\ne \tau _2'(S^1_5(X_L'))\) or \(\tau _2'(S^1_5(X_L))=\tau _2'(S^1_5(X_L'))\). The former case leads to \(\tau _2(C_R(X_L,X_R))\ne \tau _2(C_R(X_L',X_R'))\), and the latter case leads to \(\tau _3'(C_R(X_L,X_R))\ne \tau _3'(C_R(X_L',X_R'))\). Therefore, the 8-bit S-box is bijective. \(\blacksquare \)

B.2 Proof of Theorem 1

We define the following notation for ease of expression.

\(Y=S^1_5(X_L)\), \(Z=S^1_5(X_L)\oplus (S_3(X_R)||0^{(2)})\), \(A=\tau _2'(Y)=\tau _2'(Z)\), \(Y=Y'||A\), \(Z=Z'||A\).

Then \(C_L\) and \(C_R\) are expressed as

\(C_L(X_L,X_R)=\tau _3(Y)\oplus S_3(X_R)=\tau _3(Z)\),

\(C_R(X_L,X_R)=\rho _c(S^2_5(Y\oplus (S_3(X_R)||0^{(2)})))\oplus S_3(X_R)=\rho _c(Z)\oplus S_3(X_R)\).

For convenience, we do not write the 0 padding on the MSBs of smaller-bit data operating with larger-bit data; here, the 5-bit operand \(S_3(X_{R})\) represents \(0^{(2)}||S_3(X_{R})\).

Case \((0^{(5)}||\varDelta a,0^{(3)}||\varDelta c)\): It happens if and only if there exists at least one \((X_{L},X_{R})\) satisfying both \(C_{L}(X_{L},X_{R})\oplus C_{L}(X_{L},X_{R}\oplus \varDelta a)=\varDelta 0\) and \(C_{R}(X_{L},X_{R})\oplus C_{R}(X_{L},X_{R}\oplus \varDelta a)=\varDelta c\). The first equation is expressed as

$$\begin{aligned} \tau _3(Y)\oplus S_3(X_R)\oplus \tau _3(Y)\oplus S_3(X_R\oplus \varDelta a)=S_{3}(X_{R})\oplus S_{3}(X_{R}\oplus \varDelta a)=\varDelta 0. \end{aligned}$$

Since \(S_{3}\) is bijective, the \((0^{(5)}||\varDelta a,0^{(3)}||\varDelta c)\) case does not happen.

Case \((0^{(5)}||\varDelta a,\varDelta d||0^{(5)})\): It happens if and only if there exists at least one \((X_L,X_R)\) satisfying both \(C_{L}(X_L,X_R)\oplus C_{L}(X_L,X_R\oplus \varDelta a)=\varDelta d\) and \(C_{R}(X_L,X_R)\oplus C_{R}(X_L,X_R\oplus \varDelta a)=\varDelta 0\). The first equation is expressed as

$$\begin{aligned} \tau _3(Y)\oplus S_3(X_R)\oplus \tau _3(Y)\oplus S_3(X_R\oplus \varDelta a)=S_{3}(X_{R})\oplus S_{3}(X_{R}\oplus \varDelta a)=\varDelta d. \end{aligned}$$
(1)

Similarly, the second equation \(C_{R}(X_L,X_R)\oplus C_{R}(X_L,X_R\oplus \varDelta a)=\varDelta 0\) is expressed as

$$\begin{aligned} \rho _c({}&S^{2}_{5}(Y\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R})\\ {}&\oplus \rho _c(S^{2}_{5}(Y\oplus (S_{3}(X_{R}\oplus \varDelta a)||0^{(2)})))\oplus S_{3}(X_{R}\oplus \varDelta a)\\ {}&=\rho _c(S^{2}_{5}(Y\oplus (S_{3}(X_{R})||0^{(2)})))\oplus \rho _c(S^{2}_{5}(Y\oplus ((S_{3}(X_{R})\oplus \varDelta d)||0^{(2)})))\oplus \varDelta d=\varDelta 0. \end{aligned}$$

By applying \(\rho _c^{-1}\), we have

$$\begin{aligned} S^{2}_{5}(Y\oplus (S_{3}(X_{R})||0^{(2)}))\oplus S^{2}_{5}(Y\oplus ((S_{3}(X_{R})\oplus \varDelta d)||0^{(2)}))=\varDelta d||0^{(2)}. \end{aligned}$$

By substituting \(Z\), we obtain

$$\begin{aligned} S^{2}_{5}(Z)\oplus S^{2}_{5}(Z\oplus (\varDelta d||0^{(2)}))=\varDelta d||0^{(2)}. \end{aligned}$$
(2)

Since the function \((X_L,X_R)\mapsto (Z,X_R)\) is bijective, the \((0^{(5)}||\varDelta a,\varDelta d||0^{(5)})\) case does not happen if and only if there is no \((Z,X_R)\) satisfying both Eqs. (1) and (2), which is equivalent to condition i) where \(\varDelta \alpha =\varDelta a\), \(\varDelta \beta =\varDelta d\).

Case \((\varDelta b||0^{(3)},0^{(3)}||\varDelta c)\): It happens if and only if there exists at least one \((X_L,X_R)\) satisfying both \(C_{L}(X_L,X_R)\oplus C_{L}(X_L\oplus \varDelta b,X_R)=\varDelta 0\) and \(C_{R}(X_L,X_R)\oplus C_{R}(X_L\oplus \varDelta b,X_R)=\varDelta c\). The first equation is expressed as

$$\begin{aligned} \tau _3(S^{1}_{5}(X_{L}))\oplus S_{3}(X_{R})\oplus \tau _3(S^{1}_{5}(X_{L}\oplus \varDelta b))\oplus S_{3}(X_{R})=\tau _3(S^{1}_{5}(X_{L}))\oplus \tau _3(S^{1}_{5}(X_{L}\oplus \varDelta b))=\varDelta 0. \end{aligned}$$

Since \(S^{1}_{5}\) is bijective, for a non-zero difference \(\varDelta \omega \in \mathbb {F}^{2}_{2}\), the above equation becomes

$$\begin{aligned} S^{1}_{5}(X_{L})\oplus S^{1}_{5}(X_{L}\oplus \varDelta b)=\varDelta \omega . \end{aligned}$$

The equation is rewritten as

$$\begin{aligned} S^{1}_{5}(X_{L}\oplus \varDelta b)=S^{1}_{5}(X_{L})\oplus \varDelta \omega . \end{aligned}$$

By applying \((S^1_5)^{-1}\), we obtain

$$\begin{aligned} X_{L}\oplus \varDelta b=(S^{1}_{5})^{-1}(S^{1}_{5}(X_{L})\oplus \varDelta \omega ). \end{aligned}$$

By using the variables \(Y,Y'\) and A, we have

$$\begin{aligned} (S^{1}_{5})^{-1}(Y)\oplus (S^{1}_{5})^{-1}(Y\oplus \varDelta \omega )=\varDelta b, \end{aligned}$$
$$\begin{aligned} (S^{1}_{5})^{-1}(Y'||A)\oplus (S^{1}_{5})^{-1}(Y'||(A\oplus \varDelta \omega ))=\varDelta b. \end{aligned}$$
(3)

And the second equation \(C_{R}(X_L,X_R)\oplus C_{R}(X_L\oplus \varDelta b,X_R)=\varDelta c\) is expressed as

$$\begin{aligned} \rho _c({}&S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R})\\ {}&\oplus \rho _c(S^{2}_{5}(S^{1}_{5}(X_{L}\oplus \varDelta b)\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R})\\ {}&= \rho _c( S^{2}_{5}(Z))\oplus \rho _c(S^{2}_{5}(Z\oplus \varDelta \omega ))=\varDelta c. \end{aligned}$$

By applying \(\rho _c^{-1}\), we obtain

$$\begin{aligned} S^{2}_{5}(Z)\oplus S^{2}_{5}(Z\oplus \varDelta \omega )=\rho _c^{-1}(\varDelta c). \end{aligned}$$

This gives the equation

$$\begin{aligned} S^{2}_{5}(Z'||A)\oplus S^{2}_{5}(Z'||(A\oplus \varDelta \omega ))=\rho _c^{-1}(\varDelta c). \end{aligned}$$
(4)

For each A, the above Eqs. (3) and (4) are equivalent to

$$\begin{aligned} \mathfrak {F}^{1}_{A}(Y')\oplus \mathfrak {F}^{1}_{A\oplus \varDelta \omega }(Y')=\varDelta b, \end{aligned}$$
(5)
$$\begin{aligned} \mathfrak {F}^{2}_{A}(Z')\oplus \mathfrak {F}^{2}_{A\oplus \varDelta \omega }(Z')=\rho ^{-1}_c(\varDelta c). \end{aligned}$$
(6)

Here, \(\varDelta \omega \) is an arbitrary nonzero 2-bit difference, and thus we can define \(B=A\oplus \varDelta \omega \), i.e., \(B\ne A\). Since the function \((X_L,X_R)\mapsto (Y',A,Z')\) is bijective, the \((\varDelta b||0^{(3)},0^{(3)}||\varDelta c)\) case does not happen if and only if there is no \((Y',A,Z')\) satisfying both Eqs. (5) and (6) for all \(B(\ne A)\), which is equivalent to condition ii) where \(\varDelta \alpha =\varDelta b\), \(\varDelta \beta =\rho ^{-1}_c(\varDelta c)\).

Case \((\varDelta b||0^{(3)},\varDelta d||0^{(5)})\): It happens if and only if there exists at least one \((X_L,X_R)\) satisfying both \(C_{L}(X_L,X_R)\oplus C_{L}(X_L\oplus \varDelta b,X_R)=\varDelta d\) and \(C_{R}(X_L,X_R)\oplus C_{R}(X_L\oplus \varDelta b,X_R)=\varDelta 0\). The first equation is expressed as

$$\begin{aligned} \tau _3(S^{1}_{5}(X_{L}))\oplus S_{3}(X_{R})\oplus \tau _3(S^{1}_{5}(X_{L}\oplus \varDelta b))\oplus S_{3}(X_{R})=\tau _3(S^{1}_{5}(X_{L}))\oplus \tau _3(S^{1}_{5}(X_{L}\oplus \varDelta b))=\varDelta d. \end{aligned}$$

For a difference \(\varDelta \omega \in \mathbb {F}^{2}_{2}\), the above equation becomes

$$\begin{aligned} S^{1}_{5}(X_{L})\oplus S^{1}_{5}(X_{L}\oplus \varDelta b)=\varDelta d||\varDelta \omega . \end{aligned}$$

As in Eq. (3), we obtain

$$\begin{aligned} (S^{1}_{5})^{-1}(Y'||A)\oplus (S^{1}_{5})^{-1}((Y'\oplus \varDelta d)||(A\oplus \varDelta \omega ))=\varDelta b. \end{aligned}$$
(7)

And the second equation is expressed as

$$\begin{aligned} \rho _c({}&S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R})\\ {}&\oplus \rho _c(S^{2}_{5}(S^{1}_{5}(X_{L}\oplus \varDelta b)\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R})\\ {}&= \rho _c( S^{2}_{5}(Z))\oplus \rho _c(S^{2}_{5}(Z\oplus (\varDelta d||\varDelta \omega )))=\varDelta 0. \end{aligned}$$

Clearly,

$$\begin{aligned} S^{2}_{5}(Z)\oplus S^{2}_{5}(Z\oplus (\varDelta d||\varDelta \omega ))=\varDelta 0. \end{aligned}$$

It becomes

$$\begin{aligned} S^{2}_{5}(Z'||A)\oplus S^{2}_{5}((Z'\oplus \varDelta d)||(A\oplus \varDelta \omega ))=\varDelta 0. \end{aligned}$$
(8)

For each A, the above Eqs. (7) and (8) are equivalent to

$$\begin{aligned} \mathfrak {F}^{1}_{A}(Y')\oplus \mathfrak {F}^{1}_{A\oplus \varDelta \omega }(Y'\oplus \varDelta d)=\varDelta b, \end{aligned}$$
(9)
$$\begin{aligned} \mathfrak {F}^{2}_{A}(Z')\oplus \mathfrak {F}^{2}_{A\oplus \varDelta \omega }(Z'\oplus \varDelta d)=\varDelta 0. \end{aligned}$$
(10)

Similarly to the case above, we define \(B=A\oplus \varDelta \omega \). In this case, B can be equal to A or not, since \(\varDelta \omega \) can be a zero difference. The \((\varDelta b||0^{(3)},\varDelta d||0^{(5)})\) case does not happen if and only if there is no \((Y',A,Z')\) satisfying both Eqs. (9) and (10) for all B, which is equivalent to condition iii) where \(\varDelta \alpha =\varDelta d\), \(\varDelta \beta =\varDelta b\). \(\blacksquare \)

B.3 Proof of Theorem 2

We use \(Y,Y',Z,Z'\), and A as defined in the proof in B.2.

Case \((0^{(5)}||\lambda _a,0^{(3)}||\lambda _c)\): This case is expressed as \(X_{R}\bullet \lambda _a=C_{R}(X_{L},X_{R})\bullet \lambda _c\), that is, \(X_{R}\bullet \lambda _a=(\rho _c(S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R}))\bullet \lambda _c\). By substituting the variable Z, the equation becomes \(X_R\bullet \lambda _a\oplus S_{3}(X_{R})\bullet \lambda _c = \rho _c(S^{2}_{5}(Z))\bullet \lambda _c\). Note that the function \((X_{L},X_{R})\mapsto (Z,X_R)\) is bijective. Suppose \(\tau _2(\lambda _c)\ne 0\). Then the equation becomes \(X_R\bullet \lambda _a=\rho _c(S^{2}_{5}(Z))\bullet \lambda _c\). This has zero bias because the equation \(X_R\bullet \lambda _a=0\) has zero bias, and Z and \(X_R\) are independent variables. Now suppose \(\tau _2(\lambda _c)=0\). The equation \(X_R\bullet \lambda _a\oplus S_{3}(X_{R})\bullet \lambda _c = \rho _c(S^{2}_{5}(Z))\bullet \lambda _c\) has zero bias if and only if at least one of the entries \((\lambda _a,\tau _3'(\lambda _c))\) in the LAT of \(S_3\) and \((0,\tau _3'(\lambda _c)||0^{(2)})\) in the LAT of \(S_5^2\) is zero. This is due to the fact that Z is independent of \(X_R\). It is equivalent to condition i).

Case \((0^{(5)}||\lambda _a,\lambda _d||0^{(5)})\): This case is expressed as \(X_{R}\bullet \lambda _a=C_{L}(X_{L},X_{R})\bullet \lambda _d\), that is, \(X_{R}\bullet \lambda _a=(\tau _3(S^{1}_{5}(X_{L}))\oplus S_{3}(X_{R}))\bullet \lambda _d\). The equation becomes \(X_R\bullet \lambda _a = \tau _3(Z)\bullet \lambda _d\) by using the definition of Z. So this case has zero bias, because \(\tau _3(Z)\) is independent of \(X_R\).

Case \((\lambda _b||0^{(3)},0^{(3)}||\lambda _c)\): This case is expressed as \(X_{L}\bullet \lambda _b=C_{R}(X_{L},X_{R})\bullet \lambda _c\), that is, \(X_{L}\bullet \lambda _b=(\rho _c(S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R}))\bullet \lambda _c\). We can rewrite the equation as

$$\begin{aligned} X_{L}{}&\bullet \lambda _b\oplus S^{1}_{5}(X_{L})\bullet \lambda _t\\ {}&=(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)}))\bullet \lambda _t\oplus \rho _c(S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\bullet \lambda _c, \end{aligned}$$

where \(\lambda _t=\tau _3'(\lambda _c)||0^{(2)}\) (here, \(0^{(2)}\) can be replaced by 01, 10 or \(1^{(2)}\)). By substituting the variables Y and Z, this becomes equivalent to the following equations

$$\begin{aligned} (S^{1}_5)^{-1}(Y)\bullet \lambda _b\oplus Y\bullet \lambda _t=Z\bullet \lambda _t\oplus (\rho _c(S^{2}_{5}(Z)))\bullet \lambda _c, \end{aligned}$$
$$\begin{aligned} (S^{1}_5)^{-1}(Y'||A)\bullet \lambda _b\oplus (Y'||A)\bullet \lambda _t=(Z'||A)\bullet \lambda _t\oplus (\rho _c(S^{2}_{5}(Z'||A)))\bullet \lambda _c. \end{aligned}$$

For all \(A\in \mathbb {F}^2_2\), we have

$$\begin{aligned} \mathfrak {F}^{1}_A(Y')\bullet \lambda _b\oplus (Y'||A)\bullet \lambda _t=(Z'||A)\bullet \lambda _t\oplus (\rho _c(\mathfrak {F}^{2}_{A}(Z')))\bullet \lambda _c. \end{aligned}$$

Clearly,

$$\begin{aligned} \mathfrak {F}^{1}_A(Y')\bullet \lambda _b\oplus Y'\bullet \tau _3(\lambda _t)=Z'\bullet \tau _3(\lambda _t)\oplus (\rho _c(\mathfrak {F}^{2}_{A}(Z')))\bullet \lambda _c. \end{aligned}$$

The set of \((Y',Z')\) satisfying the above equation is

$$\begin{aligned} \{Y'|{}&0= \mathfrak {F}^{1}_A(Y')\bullet \lambda _b\oplus Y'\bullet \tau _3(\lambda _t)\} \times \{Z'|0=Z'\bullet \tau _3(\lambda _t)\oplus (\rho _c(\mathfrak {F}^{2}_{A}(Z')))\bullet \lambda _c\}\\ {}&\cup \{Y'|1= \mathfrak {F}^{1}_A(Y')\bullet \lambda _b\oplus Y'\bullet \tau _3(\lambda _t)\} \times \{Z'|1=Z'\bullet \tau _3(\lambda _t)\oplus (\rho _c(\mathfrak {F}^{2}_{A}(Z')))\bullet \lambda _c\} \end{aligned}$$

Then the size of the above set is \((4+a_A)(4+b_A)+(4-a_A)(4-b_A)=32+2a_Ab_A\), where \(a_A\) and \(b_A\) are the entries of \((\tau _3(\lambda _t),\lambda _b)\) and \((\tau _3(\lambda _t),\rho _c^{-1}(\lambda _c))\) in the LAT of \(\mathfrak {F}_A^1\) and \(\mathfrak {F}_A^2\), respectively. The above equation has zero bias if and only if

$$\begin{aligned} \sum _{A\in \mathbb {F}_2^2} (32+2a_Ab_A) = 2(\sum _{A\in \mathbb {F}_2^2} a_Ab_A) + 128 = 128 \end{aligned}$$

This leads to \(\sum _{A\in \mathbb {F}_2^2} a_Ab_A=0\). Because \(\tau _3(\lambda _t)=\tau _3'(\lambda _c)\), it is equivalent to condition ii) (when \(\tau _3'(\lambda _c)\ne 0\)) and condition iii) (when \(\tau _3'(\lambda _c)=0\)).

Case \((\lambda _b||0^{(3)},\lambda _d||0^{(5)})\): This case is expressed as \(X_{L}\bullet \lambda _b=C_{L}(X_{L},X_{R})\bullet \lambda _d\), that is, \(X_{L}\bullet \lambda _b=(\tau _3(S^{1}_{5}(X_{L}))\oplus S_{3}(X_{R}))\bullet \lambda _d\). The equation becomes \(X_L\bullet \lambda _b = Z'\bullet \lambda _d\) by using the definition of \(Z'\). We note that the function \((X_{L},X_{R})\mapsto (X_L,Z')\) is bijective, and \(X_L\) and \(Z'\) are independent variables. So this equation has zero bias. \(\blacksquare \)
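Two counting steps in the proofs above can be checked by exhaustive search: the independence argument that Eqs. (1) and (2) in B.2 have a common solution exactly when each has one on its own (a DDT test), and the \((4+a_A)(4+b_A)+(4-a_A)(4-b_A)=32+2a_Ab_A\) count in B.3 that reduces zero bias to \(\sum _A a_Ab_A=0\). The script below is an added example, not the paper's code; it uses constructed random tables in place of PIPO's \(S_3\), \(S^2_5\), \(\mathfrak {F}^1_A\) and \(\mathfrak {F}^2_A\), and omits \(\rho _c\) (for a bit permutation it only re-indexes the output mask, so \(\lambda _c\) here stands for \(\rho _c^{-1}(\lambda _c)\)).

```python
"""Brute-force checks of two counting steps from the PIPO appendix proofs.

Added example, not the paper's code. All tables are CONSTRUCTED: S3 and S5_2
are random bijections drawn with a fixed seed (not PIPO's real components),
F1[A] / F2[A] are random 3-bit -> 5-bit tables standing in for the
restrictions F^1_A and F^2_A, and the bit permutation rho_c is omitted.
"""
import random
from itertools import product


def dot(x, m):
    """GF(2) inner product x•m = parity of the bits of x & m."""
    return bin(x & m).count("1") & 1


def ddt(sbox, n):
    """Difference distribution table of an n-bit table: ddt[din][dout]."""
    size = 1 << n
    t = [[0] * size for _ in range(size)]
    for x in range(size):
        for din in range(size):
            t[din][sbox[x] ^ sbox[x ^ din]] += 1
    return t


def lat_entry(f, alpha, beta, n_in):
    """LAT entry of f for masks (alpha, beta):
    #{x : x•alpha ⊕ f(x)•beta = 0} - 2^(n_in-1)."""
    hits = sum(1 for x in range(1 << n_in)
               if dot(x, alpha) ^ dot(f[x], beta) == 0)
    return hits - (1 << (n_in - 1))


# --- Theorem 1, case (0^(5)||Δa, Δd||0^(5)): Eqs. (1) and (2) ----------------
def diff_case_bruteforce(s3, s5_2, da, dd):
    """Search all (Z, X_R) for a common solution of
    S3(X_R) ⊕ S3(X_R ⊕ Δa) = Δd             (Eq. 1)
    S5_2(Z) ⊕ S5_2(Z ⊕ (Δd||00)) = Δd||00    (Eq. 2)."""
    dd5 = dd << 2                       # Δd || 0^(2) as a 5-bit value
    return any(s3[xr] ^ s3[xr ^ da] == dd and s5_2[z] ^ s5_2[z ^ dd5] == dd5
               for z, xr in product(range(32), range(8)))


def diff_case_ddt(s3, s5_2, da, dd):
    """Same decision from DDT entries: Z and X_R are independent, so a joint
    solution exists iff each equation has a solution on its own."""
    dd5 = dd << 2
    return ddt(s3, 3)[da][dd] != 0 and ddt(s5_2, 5)[dd5][dd5] != 0


# --- Theorem 2: the (4+a)(4+b) + (4-a)(4-b) = 32 + 2ab count ------------------
def count_solutions(f1, f2, lam_b, lam_c, tau):
    """#{(Y', Z') in F_2^3 x F_2^3 : f1(Y')•λ_b ⊕ Y'•τ = Z'•τ ⊕ f2(Z')•λ_c}."""
    return sum(1 for y, z in product(range(8), repeat=2)
               if dot(f1[y], lam_b) ^ dot(y, tau) == dot(z, tau) ^ dot(f2[z], lam_c))


def count_from_lat(f1, f2, lam_b, lam_c, tau):
    """Closed form from the proof: a, b are the LAT entries (τ, λ_b) of f1 and
    (τ, λ_c) of f2, so the '0' and '1' halves have sizes 4±a and 4±b."""
    a = lat_entry(f1, tau, lam_b, 3)
    b = lat_entry(f2, tau, lam_c, 3)
    return 32 + 2 * a * b


def sum_ab(F1, F2, lam_b, lam_c, tau):
    """Σ_A a_A b_A over the four restrictions A in F_2^2."""
    return sum(lat_entry(F1[A], tau, lam_b, 3) * lat_entry(F2[A], tau, lam_c, 3)
               for A in range(4))


def has_zero_bias(F1, F2, lam_b, lam_c, tau):
    """Zero bias <=> exactly half of the 4*64 = 256 triples (Y', A, Z') satisfy
    the equation, i.e. Σ_A (32 + 2 a_A b_A) = 128."""
    total = sum(count_solutions(F1[A], F2[A], lam_b, lam_c, tau) for A in range(4))
    return total == 128


# --- constructed sample tables (fixed seed, reproducible) ---------------------
rng = random.Random(2020)
S3 = list(range(8))                 # stand-in for S_3 (3-bit bijection)
rng.shuffle(S3)
S5_2 = list(range(32))              # stand-in for S_5^2 (5-bit bijection)
rng.shuffle(S5_2)
F1 = [[rng.randrange(32) for _ in range(8)] for _ in range(4)]  # stand-in for F^1_A
F2 = [[rng.randrange(32) for _ in range(8)] for _ in range(4)]  # stand-in for F^2_A


def check_all():
    """Cross-check both closed forms against brute force over many masks/differences."""
    ok_diff = all(diff_case_bruteforce(S3, S5_2, da, dd) == diff_case_ddt(S3, S5_2, da, dd)
                  for da in range(1, 8) for dd in range(8))
    ok_lin = all(count_solutions(F1[A], F2[A], b, c, t) == count_from_lat(F1[A], F2[A], b, c, t)
                 for A in range(4) for b in range(32) for c in (0, 5, 21, 31) for t in range(8))
    ok_bias = all(has_zero_bias(F1, F2, b, c, t) == (sum_ab(F1, F2, b, c, t) == 0)
                  for b in range(32) for c in (0, 5, 21, 31) for t in range(8))
    return ok_diff and ok_lin and ok_bias


if __name__ == "__main__":
    print("all counting identities verified:", check_all())
```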

C 8-bit S-box of PIPO, \(S_8\)

C.1 Table of the \(S_8\)

Table 7 shows the \(S_{8}\).

[Table 7. 8-bit S-box of PIPO in hexadecimal notation, for example \(S_8\)(31)=86; the table body is not reproduced in this preview.]

C.2 Bitsliced Implementations of the \(S_8\) and Its Inverse

Listing 1.2 is the bitsliced implementation of the \(S_8\) (see Note 1). The bitsliced implementation of the inverse \(S_8\) cannot be obtained by simply reversing the bitsliced implementation of the \(S_8\), because not all input bits of \(S_5^2\) are available at that point. Listing 1.3 shows how to implement the inverse \(S_8\) from the bits that are available. Since the \(S_8\) is applied to each column of the \(8\times 8\) array of bits depicted in Fig. 1, the S-layer can be implemented by replacing bit x[i] with the byte X[i] that holds the i-th row, where \(i=0,1,2,\cdots ,7\).

[Listing 1.2: bitsliced implementation of the \(S_8\); image not reproduced in this preview.]

[Listing 1.3: bitsliced implementation of the inverse \(S_8\); image not reproduced in this preview.]


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Kim, H. et al. (2021). PIPO: A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations. In: Hong, D. (eds) Information Security and Cryptology – ICISC 2020. ICISC 2020. Lecture Notes in Computer Science(), vol 12593. Springer, Cham. https://doi.org/10.1007/978-3-030-68890-5_6

  • DOI: https://doi.org/10.1007/978-3-030-68890-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68889-9

  • Online ISBN: 978-3-030-68890-5
