Authenticated-Encryption with Associated-Data (AEAD) plays an important role in guaranteeing confidentiality, integrity, and authenticity in network communications. To meet the requirements of high-performance applications, several AEADs make use of AES New Instructions (AES-NI), which can conduct operations of AES encryption and decryption dramatically fast by hardware accelerations. At SAC 2013, Wu and Preneel proposed an AES-based AEAD scheme called AEGIS-128/128L/256, to achieve high-speed software implementation. At FSE 2016, Jean and Nikolić generalized the construction of AEGIS and proposed more efficient round functions. At ToSC 2021, Sakamoto et al. further improved the constructions of Jean and Nikolić, and proposed an AEAD scheme called Rocca for beyond 5G. In this study, we first evaluate the security of the initialization phases of Rocca and AEGIS family against differential and integral attacks using MILP (Mixed Integer Linear Programming) tools. Specifically, according to the evaluation based on the lower bounds for the number of active S-boxes, the initialization phases of AEGIS-128/128L/256 are secure against differential attacks after 4/3/6 rounds, respectively. Regarding integral attacks, we present the integral distinguisher on 6 rounds and 6/5/7 rounds in the initialization phases of Rocca and AEGIS-128/128L/256, respectively. Besides, we evaluate the round function of Rocca and those of Jean and Nikolić as cryptographic permutations against differential, impossible differential, and integral attacks. Our results indicate that, for differential attacks, the growth rate of increasing the number of active S-boxes in Rocca is faster than those of Jean and Nikolić. For impossible differential and integral attacks, we show that the round function of Rocca achieves the sufficient level of the security against these attacks in smaller number of rounds than those of Jean and Nikolić.

Generalized Feistel Network (GFN) is widely used in block ciphers. CLEFIA is one of the GFN type-2 block ciphers. CLEFIA employs Diffusion Switching Mechanism (DSM) in its diffusion layer. DSM improves CLEFIA's security by increasing its number of active S-boxes, which is an indicator of security against differential and linear cryptanalyses. However, two matrices in DSM increase implementational cost. In this paper, we pursue the research question whether it is possible to achieve the same security as original CLEFIA with only one matrix without overhead in hardware. Our idea to answer the research question is applying byte-shuffling technique to CLEFIA. Byte-shuffling is an operation to shuffle 8-bit bytes. On the other hand, traditional GFN ciphers rotate 32-bit or larger words in their permutation layer. Since implementation of byte-shuffling is considered as cost-free in hardware, it adds no overhead in comparison with word rotation. Byte-shuffling has numerous shuffle patterns whereas word rotation has a few patterns. In addition, security property varies among the shuffle patterns. So, we have to find the optimal shuffle pattern(s) on the way to pursue the research question. Although one way to find the optimal shuffle pattern is evaluating all possible shuffle patterns, it is impractical to evaluate them since the evaluation needs much time and computation. We utilize even-odd byte-shuffling technique to narrow the number of shuffle patterns to be searched. Among numerous shuffle patterns, we found 168 shuffle patterns as the optimal shuffle patterns. They achieved full diffusion in 5 rounds. This is the same security as original CLEFIA. They achieved enough security against differential and linear cryptanalyses at 13th and 14th round, respectively, by active S-box evaluations. It is just one and two rounds longer than original CLEFIA. However, it is three and two rounds earlier than CLEFIA without DSM.

This paper investigates the security of KCipher-2 against differential attacks. We utilize an MILP-based method to evaluate the minimum number of active S-boxes in each round. We try to construct an accurate model to describe the 8-bit truncated difference propagation through the modular addition operation and the linear transformation of KCipher-2, respectively, which were omitted or simplified in the previous evaluation by Preneel et al. In our constructed model, the difference characteristics neglected in Preneel et al.'s evaluation can be taken into account and all valid differential characteristics can be covered. As a result, we reveal that the minimal number of active S-boxes is 25 over 15 rounds in the related IV setting and it is 17 over 24 rounds in the related IV-key setting. Therefore, this paper shows for the first time that KCipher-2 is secure against the related IV differential attack.

Counting the number of differentially active S-boxes is of great importance in evaluating the security of a block cipher against differential attack. Mouha et al. proposed a technique based on Mixed-Integer Linear Programming (MILP) to automatically calculate a lower bound of the number of differentially active S-boxes for word-oriented block ciphers, and applied it to symmetric ciphers AES and Enocoro-128v2. Later Sun et al. extended the method by introducing bit-level representations for S-boxes and new constraints in the MILP problem, and applied the extended method to PRESENT-80 and LBlock. This kind of methods greatly depends on the constraints in the MILP problem describing the differential propagation of the block cipher. A more accurate description of the differential propagation leads to a tighter bound on the number of differentially active S-boxes. In this paper, we refine the constraints in the MILP problem describing XOR operations, and apply the refined MILP modeling to determine a lower bound of the number of active S-boxes for the Lai-Massey type block cipher FOX in the model of single-key differential attack, and obtain a tighter bound in FOX64 than existing results. Experimental results show that 6, instead of currently known 8, rounds of FOX64 is strong enough to resist against basic single-key differential attack since the differential characteristic probability is upper bounded by 2-64, and thus the maximum differential characteristic probability of 12-round FOX64 is upper bounded by 2-128, where 128 is the key-length of FOX64. We also get the lower bound of the number of differentially active S-boxes for 5-round FOX128, and proved the security of the full-round FOX128 with respect to single-key differential attack.

Since substitution boxes (S-boxes) are the only nonlinear portion of most block ciphers, the design of cryptographically strong and low-complexity S-boxes is of great importance in cryptosystems. In this paper, a new kind of S-boxes obtained by iterating a discretized piecewise linear map is proposed. The S-box has an implementation efficiency both in software and hardware. Moreover, the results of performance test show that the proposed S-box has good cryptographic properties.

This paper shows two power analysis attacks against a software implementation of a first-order DPA resistant S-box algorithm that is based on the discrete Fourier Transform (DFT). The DPA resistant S-box algorithm based on DFT was proposed by Prouff et al. in 2006 and improved by Coron et al. in 2008, respectively. In our attacks against the improved one, we pre-process the power traces by separating them into two subgroups, so that each has a biased mask. For the separated power traces, two post analysis methods are proposed to identify the key. One is based on DPA attack against one subgroup, and the other utilizes the difference of means for two subgroups and a pattern matching. Finally, we compare these two attack methods and propose an algorithm-level countermeasure to enhance the security of S-box calculation based on the DFT.

A function F:F2n F2n is almost perfect nonlinear (APN) if, for every a 0, b in F2n, the equation F(x)+F(x+a)=b has at most two solutions in F2n. When used as an S-box in a block cipher, it contributes optimally to the resistance to differential cryptanalysis. The function F is almost bent (AB) if the minimum Hamming distance between all its component functions v F, v∈F2n {0} (where "" denotes any inner product in F2n ) and all affine Boolean functions on F2n takes the maximal value 2n-1-2. AB functions exist for n odd only and contribute optimally to the resistance to the linear cryptanalysis. Every AB function is APN, and in the n odd case, any quadratic APN function is AB. The APN and AB properties are preserved by affine equivalence: F F' if F'=A1 F A2, where A1,A2 are affine permutations. More generally, they are preserved by CCZ-equivalence, that is, affine equivalence of the graphs of F: {(x,F(xv)) | x∈ F2n} and of F'. Until recently, the only known constructions of APN and AB functions were CCZ-equivalent to power functions F(x)=xd over finite fields (F2n being identified with F2n and an inner product being x y=tr(xy) where tr is the trace function). Several recent infinite classes of APN functions have been proved CCZ-inequivalent to power functions. In this paper, we describe the state of the art in the domain and we also present original results. We indicate what are the most important open problems and make some new observations about them. Many results presented are from joint works with Lilya Budaghyan, Gregor Leander and Alexander Pott.

In this paper, we present a new low-cost concurrent error detection (CED) S-Box architecture for the Advanced Encryption Standard (AES). Because the complexity and the nonlinearity, it is difficult to develop error detection algorithms for the S-Box. Conventionally, a parity checked S-Box is implemented with ROM (read only memory). In some applications, for example, smart cards, both chip size and fault detection are demanded seriously. ROM-based parity checking cannot meet the demands. We propose our CED S-Box (CEDSB) architecture for two reasons. The first is to design a S-Box without ROM. The second is to obtain a compact S-Box with real time error detection. Based on the composite field, we develop the CEDSB architecture to implement the fault detection for the S-Box. The overhead of the CED for the S-Boxes in GF((24)2) and in GF(((22)2)2) are 152 and 132 NAND gates respectively. The amount of extra gates used for the CEDSB is nearly equal to that of the ROM-based CED S-Box (131 NAND gates). The chip area of the ROM-based CED S-Box, the CEDSBs in GF((24)2), and in GF(((22)2)2) are 2996, 558, and 492 NAND gates separately. The chip area of the CEDSB is more compact than a ROM-based CED S-Box.