Optimized Implementation of Low-Depth Lightweight S-Boxes
-
摘要: 在轻量级密码领域,S盒作为核心非线性组件,其硬件实现的面积与电路深度优化始终是轻量级密码研究的热点。公开文献针对小规模S盒硬件实现占用资源、电路深度的优化等进行了大量研究,取得了很多优秀成果,能够对规模不大于5比特的S盒给出面积或电路深度优的实现方案,现有针对小规模 S 盒硬件实现的研究多以面积最小化或电路深度最小化为单一优化目标,对两者之间的协同优化工作较少。该文从面积与电路深度协同优化的角度出发,构建了一个深度为$ k $,宽度为$ w $的电路模型,在给定面积约束的条件下,采用可满足性问题(SAT)求解技术判断该电路模型能否实现S盒,通过调整电路深度、宽度、面积等指标,最终给出S盒的优化实现方案。采用该方法能够对规模不大于4比特的S盒,给出面积和电路深度均较优的实现方案。在UMC 180 nm工艺库下对Lblock、Rectangle、Midori、Prøst等轻量级密码算法的S盒进行了优化实现,给出了较好的实验结果,将Lblock算法S盒的实现深度由10降低到了3,将Rectangle算法S盒的逆盒实现面积由24.33 GE降低到了17.66 GE,将Midori算法S盒的面积由20.00 GE降低到了16.33 GE、将Prøst算法S盒的实现面积由22.00 GE降低到了13.33 GE。Abstract:
Objective With the rapid development and widespread deployment of the Internet of Things (IoT), embedded systems, and mobile computing devices, ensuring secure communication and data protection on resource-constrained platforms has become a central focus in the field of information security. These devices are typically characterized by severe limitations in terms of computational capability, storage capacity, and energy consumption, which render traditional cryptographic algorithms inefficient or even infeasible in such environments. In response to these constraints, lightweight cryptographic algorithms have been proposed as an effective class of solutions. Their primary objective is to achieve comparable levels of security as traditional algorithms while significantly reducing the hardware and computational overhead through deliberate algorithmic simplifications and structural optimizations. These algorithms are designed to operate efficiently within tight resource bounds and are especially suitable for applications such as sensor networks, smart cards, RFID systems, and wearable devices. From the perspective of hardware implementation, the design of lightweight cryptographic algorithms must account for multiple performance indicators, including throughput, latency, power efficiency, chip area, and circuit depth. Among these, chip area and depth are considered particularly critical, as they directly influence the physical cost of production and the speed of computation. The Substitution-box (S-Box), as the core nonlinear component responsible for providing confusion in most symmetric encryption schemes, plays a decisive role in determining the security strength and implementation efficiency of the entire cipher. Therefore, exploring efficient methods to realize low-area and low-depth implementations of S-Boxes is of fundamental importance to the design of secure and practical lightweight cryptographic systems. Methods In this work, a novel S-Box optimization algorithm based on Boolean satisfiability (SAT) solving is proposed to simultaneously optimize two key hardware metrics: logic area and circuit depth. To this end, a circuit model with depth k and width w is constructed. Under a given area constraint, SAT solving techniques are employed to determine whether the circuit model can implement the target S-Box. By iteratively adjusting circuit depth, width, and area parameters, an optimized implementation scheme of the S-Box is eventually obtained. The method is specifically developed for 4-bit S-Boxes, which are widely adopted in many lightweight block ciphers, and it provides implementations that are highly efficient in both structural compactness and computational depth. This dual optimization approach helps to reduce hardware costs while maintaining low latency, making it especially suitable for scenarios where performance and energy efficiency are both critical. The proposed method begins by transforming the S-Box implementation problem into a formal SAT problem, enabling the use of powerful SAT solvers to exhaustively explore possible logic-level representations. In this transformation, a diverse set of logic gates—including 2-input, 3-input, and 4-input gates—is utilized to construct flexible logic networks. To enforce area and depth constraints, arithmetic operations such as binary addition and comparator logic are encoded into SAT-compatible Boolean constraints, which guide the solver toward low-area and low-depth solutions. To further accelerate the solving process and avoid redundant search paths, symmetry-breaking constraints are introduced. These constraints help eliminate logically equivalent but structurally different representations, thereby significantly reducing the size of the solution space. The Cadical SAT solver, known for its speed and efficiency in handling large-scale SAT problems, is employed to compute optimized S-Box implementations that minimize both depth and area. The proposed approach not only generates efficient implementations but also provides a general modeling framework that can be extended to other logic synthesis problems in cryptographic hardware design. Results and Discussions To validate the effectiveness of the proposed optimization method, a comprehensive set of experiments was conducted on 4-bit S-Boxes from several representative lightweight block ciphers, including Joltik, Piccolo, Rectangle, Skinny, Lblock, Lac, Midori, and Prøst. The results demonstrate that the method consistently produces high-quality implementations that are competitive or superior in terms of both chip area and circuit depth when compared with existing state-of-the-art results. Specifically, for the S-Boxes of Joltik and Piccolo, as well as for those used in Skinny and Rectangle, the generated implementations match the best known results in both metrics, indicating that the method can successfully reproduce optimal or near-optimal designs. In the cases of Lblock and Lac, although the logic area remains similar to prior results, the circuit depth is significantly reduced, from an initial value of 10 down to 3, which represents a substantial improvement in processing latency and suitability for real-time applications. For the inverse S-Box of the Rectangle cipher, the proposed implementation achieves the same circuit depth as previous designs but reduces the area from 24.33 gate equivalents (GE) to 17.66 GE, yielding a more compact and efficient realization. The optimization results for the Midori S-Box further confirm the effectiveness of the method, where both depth and area are improved—depth is reduced from 4 to 3, and area is brought down from 20.00 GE to 16.33 GE. For the Prøst cipher’s S-Box, two alternative implementations are presented to illustrate the trade-off between area and depth. The first achieves a depth of 4 with an area of 22.00 GE, matching the best known depth but at a higher area cost, while the second increases the depth to 5 but reduces the area significantly to 13.00 GE. These results demonstrate that the method not only supports flexible optimization under different design constraints but also contributes to a deeper understanding of the complexity and trade-offs involved in S-Box implementation. Conclusions This paper presents a SAT-based method for jointly optimizing S-box hardware implementations in terms of area and circuit depth. By modeling the S-box realization as a satisfiability problem and exploiting advanced constraint encoding, multi-input logic gates, and symmetry-breaking techniques, the method effectively reduces hardware complexity while maintaining or improving depth performance. Extensive experiments on various 4-bit S-boxes demonstrate that the proposed approach matches or outperforms existing results, particularly in reducing circuit depth and improving logic compactness. This makes it well suited for lightweight cryptographic systems operating under strict constraints on silicon area, speed, and energy consumption.Despite these advantages, the method still has limitations. While it achieves optimal or near-optimal results for 4-bit S-boxes, scalability to larger instances such as 5-bit or 8-bit S-boxes remains challenging due to the exponential growth of the search space and solving time. As model complexity increases, solving becomes computationally expensive and may not converge in practice. Future work will focus on improving modeling efficiency and solver performance through refined constraint generation, stronger pruning strategies, and heuristic-guided search, with the goal of extending the method to more complex S-boxes and other nonlinear components in lightweight and post-quantum cryptographic systems. -
Key words:
- S-Box Optimization /
- Satisfiability problem /
- Equivalent gates /
- Circuit area /
- Circuit depth
-
表 1 符号及含义
符号 定义 $ \neg a $ 布尔变量$ a $的逻辑非 $ a\wedge b $ 布尔变量$ a $和$ b $的逻辑与 $ a\vee b $ 布尔变量$ a $和$ b $的逻辑或 $ a\oplus b $ 布尔变量$ a $和$ b $的异或 $ a\uparrow b $ 布尔变量$ a $和$ b $的与非 $ a\downarrow b $ 布尔变量$ a $和$ b $的或非 $ a\leftrightarrow b $ 布尔变量$ a $和$ b $的异或非 $ x_{\rm{i}} $ S盒的输入 $ y_{\rm{i}} $ S盒的输出 $ {q}_{4i} $ 第$ i $个门的输入 $ t_{\rm{i}} $ 第$ i $个门的输出 $ a_{\rm{i}} $ 逻辑门之间的布线 $ b_{\rm{i}}$ 单个逻辑门内部的布线 $ k $ S盒电路实现的深度 $ w $ 每层允许的逻辑门最大个数 $ G $ 逻辑电路的总面积 $ n $ S盒的位数 
下载: 导出CSV
表 2 逻辑元件及表达式
逻辑元件符号 输出表达式 UMC 180 nm (GE) NOT($ x{_{0}} $) $ \neg {x}_{0} $ $ 0.67 $ AND$ (x{_{0}},x_{1} ) $ $ x{_{0}}\wedge x_{1} $ $ 1.33 $ OR$ (x{_{0}},x_{1} ) $ $ x{_{0}}\vee x_{1} $ $ 1.33 $ XOR$ (x{_{0}},x_{1} ) $ $ x{_{0}} \oplus x_{1} $ $ 2.67 $ NAND$ (x{_{0}},x_{1} ) $ $ \neg (x{_{0}}\wedge x_{1} ) $ $ 1.00 $ NOR$ (x{_{0}},x_{1} ) $ $ \neg (x{_{0}}\vee x_{1} ) $ $ 1.00 $ XNOR$ (x{_{0}},x_{1} ) $ $ \neg (x{_{0}} \oplus x_{1} ) $ $ 2.00 $ ANDN$ (x{_{0}},x_{1} ) $ $ \neg x{_{0}}\wedge x_{1} $ $ 1.67 $ ORN$ (x{_{0}},x_{1} ) $ $ \neg x{_{0}}\vee x_{1} $ $ 1.67 $ NANDN$ (x{_{0}},x_{1} ) $ $ x{_{0}}\vee \neg x_{1} $ $ 1.67 $ NORN$ (x{_{0}},x_{1} ) $ $ x{_{0}}\wedge \neg x_{1} $ $ 1.67 $ AND3$ (x{_{0}},x_{1} ,x{_{2}}) $ $ x{_{0}}\wedge x_{1}\wedge x{_{2}} $ $ 2.33 $ OR3$ (x{_{0}},x_{1},x{_{2}}) $ $ x{_{0}}\vee x_{1} \vee x{_{2}} $ $ 2.33 $ XOR3$ (x{_{0}},x_{1} ,x{_{2}}) $ $ x{_{0}} \oplus x_{1} \oplus x{_{2}} $ $ 4.67 $ NAND3$ (x{_{0}},x_{1} ,x{_{2}}) $ $ \neg (x{_{0}}\wedge x_{1}\wedge x{_{2}}) $ $ 1.33 $ NOR3$ (x{_{0}},x_{1} ,x{_{2}}) $ $ \neg (x{_{0}}\vee x_{1}\vee x{_{2}}) $ $ 1.33 $ XNOR3$ (x{_{0}},x_{1} ,x{_{2}}) $ $ \neg (x{_{0}} \oplus x_{1} \oplus x{_{2}}) $ $ 4.67 $ MAOI1$ (x{_{0}},x_{1} ,x{_{2}},x{_{3}}) $ $ \neg ((a\wedge b)\vee (\neg (c\vee d))) $ $ 2.67 $ MOAI1$ (x{_{0}},x_{1} ,x{_{2}},x{_{3}}) $ $ \neg ((a\vee b)\wedge (\neg (c\wedge d))) $ $ 2.00 $
下载: 导出CSV
表 3 不同类型门的表示
$ {b}_{8i}\parallel {b}_{8i+1}\parallel {b}_{8i+2} $
$ \parallel {b}_{8i+3}\parallel {b}_{8i+4}\parallel {b}_{8i+5} $
$ \parallel {b}_{8i+6}\parallel {b}_{8i+7} $门类型 门函数 0 0 0 0 0 0 1 1 NOT $ \neg {q}_{0} $ 0 0 0 0 0 1 0 0 XOR $ {q}_{0}\mathrm{ \oplus }{q}_{1} $ 0 0 0 0 0 1 0 1 XNOR $ {q}_{0}\leftrightarrow {q}_{1} $ 0 0 0 0 0 1 1 1 NOT $ \neg {q}_{1} $ 0 0 0 0 1 0 0 0 AND $ {q}_{0}\wedge {q}_{1} $ 0 0 0 0 1 0 0 1 NAND $ {q}_{0}\uparrow {q}_{1} $ 0 0 0 0 1 0 1 0 NORN $ {q}_{0}\wedge \neg {q}_{1} $ 0 0 0 0 1 0 1 1 ORN $ \neg {q}_{0}\vee {q}_{1} $ 0 0 0 0 1 1 0 0 OR $ {q}_{0}\vee {q}_{1} $ 0 0 0 0 1 1 0 1 NOR $ {q}_{0}\downarrow {q}_{1} $ 0 0 0 0 1 1 1 0 ANDN $ \neg {q}_{0}\wedge {q}_{1} $ 0 0 0 0 1 1 1 1 NANDN $ {q}_{0}\vee \neg {q}_{1} $ 0 0 0 1 0 0 0 0 XOR3 $ {q}_{0}\mathrm{ \oplus }{q}_{1}\mathrm{ \oplus }{q}_{2} $ 0 0 0 1 0 0 0 1 XNOR3 $ \neg \left({q}_{0}\mathrm{ \oplus }{q}_{1}\mathrm{ \oplus }{q}_{2}\right) $ 0 1 0 0 0 0 0 0 AND3 $ {q}_{0}\wedge {q}_{1}\wedge {q}_{2} $ 0 1 0 0 0 0 0 1 NAND3 $ \neg \left({q}_{0}\wedge {q}_{1}\wedge {q}_{2}\right) $ 0 1 1 0 0 0 0 0 OR3 $ {q}_{0}\vee {q}_{1}\vee {q}_{2} $ 0 1 1 0 0 0 0 1 NOR3 $ \neg \left({q}_{0}\vee {q}_{1}\vee {q}_{2}\right) $ 1 0 0 0 0 0 0 0 MAOI1 $ \neg (({q}_{0}\wedge {q}_{1})\vee (\neg ({q}_{2}\vee {q}_{3}))) $ 1 0 0 0 0 0 0 1 MOAI1 $ \neg (({q}_{2}\vee {q}_{3})\wedge (\neg ({q}_{0}\wedge {q}_{1}))) $
下载: 导出CSV
输入:$ s_{7}^{i},s_{6}^{i},s_{5}^{i},s_{4}^{i},s_{3}^{i},s_{2}^{i},s_{1}^{i},s_{0}^{i},i\mathrm{\epsilon }[0,kw-1] $:每个门的面积 $ {L}_{7},{L}_{6}, {L}_{5}, {L}_{4}, {L}_{3}, {L}_{2}, {L}_{1}, {L}_{0} $面积上界 $ {A}_{7},{A}_{6}, {A}_{5}, {A}_{4}, {A}_{3}, {A}_{2}, {A}_{1}, {A}_{0} $:进位 $ {A}_{-1} $:辅助量 $ {S}_{7},{S}_{6}, {S}_{5}, {S}_{4}, {S}_{3}, {S}_{2}, {S}_{1}, {S}_{0} $:电路面积 输出:如果以下问题有解,则返回True;若无解,则返回False 1 $ {S}_{7}={S}_{6}={S}_{5}={S}_{4}={S}_{3}={S}_{2}={S}_{1}={S}_{0}=0 $; 2 $ {A}_{7}={A}_{6}={A}_{5}={A}_{4}={A}_{3}={A}_{2}={A}_{1}={A}_{0}={A}_{-1}=0; $ 3 $ {e}_{8}=1 $ 4 for$ i\leftarrow 0 \;\text{to}\;k\cdot w-1 \;\text{do} $: 5 $ \bf{for}\;j\leftarrow 0 \;\mathrm{to} \;7 \;\text{do} $: 6 $ {S}_{j}={S}_{j}\mathrm{ \oplus }s_{j}^{i}\mathrm{ \oplus }{A}_{j-1} $ 7 $ {A}_{j}={S}_{j}\bigwedge s_{j}^{i}\bigwedge {A}_{j-1} $ 8 $ \bf{end\;for} $ 9 $ \bf{end\;for} $ 10 $ \bf{for}\;j\leftarrow 7\; \mathrm{to}\; 0 \;\text{do} $: 11 $ {e}_{j}={e}_{j+1}\wedge \left({S}_{j}\leftrightarrow {L}_{j}\right) $ 12 $ \bf{end \;for} $ 13 $ \bf{for}\;j\leftarrow 7\; \mathrm{to} \;0 \;\text{do} $: 14 $ {c}_{j}\leftrightarrow \left({e}_{j+1}\wedge \neg {S}_{j}\wedge {L}_{j}\right) $ 15 $ \bf{end\;for} $ 16 if $ {c}_{0}\bigvee {c}_{1}\bigvee {c}_{2}\bigvee {c}_{3}\bigvee {c}_{4}\bigvee {c}_{5}\bigvee {c}_{6}\bigvee {c}_{7}==1 $ 17 return true; 18 else 19 return false;
下载: 导出CSV
表 4 实验结果比较
S盒 本文结果 [8] [9] [5] 深度 面积(GE) 深度 面积(GE) 深度 面积(GE) 深度 面积(GE) Joltik/Piccolo 4 13.00 4 13.00 4 22.33 4 13.00 Rectangle 7 18.33 7 18.33 3 28.33 8 20.34 $ {\text{Rectangle}}^{-1} $ 3 17.66 $ - $ $ - $ 3 24.33 8 20.34 Skinny 4 13.33 4 13.33 $ - $ $ - $ 4 13.33 Lblock/Lac 3 16.33 10 16.33 3 26.00 8 16.33 Midori 3 16.33 $ - $ $ - $ $ - $ $ - $ 4 20.00 Prøst 4 13.33 $ - $ $ - $ 4 22.00 $ - $ $ - $ 5 13.00
下载: 导出CSV
表 5 Joltik/Piccolo S盒的实现
Joltik/Piccolo k=4 w=2 13.00 GE $ {t}_{0}= $OR$ \left({x}_{0},{x}_{1}\right) $ $ {t}_{1}= $OR$ \left({x}_{1},{x}_{2}\right) $ $ {t}_{2}= $XNOR$ \left({x}_{3},{t}_{0}\right) $ $ {t}_{3}= $MOAI1$ \left({x}_{2},{t}_{0},{x}_{0},{t}_{1}\right) $ $ {t}_{4}= $NOR$ \left({x}_{2},{t}_{2}\right) $ $ {t}_{5}= $OR$ \left({t}_{2},{t}_{3}\right) $ $ {t}_{6}= $MOAI1$ \left({x}_{1},{t}_{4},{t}_{4},{x}_{1}\right) $ $ {t}_{7}= $XNOR$ \left({x}_{2},{t}_{5}\right) $ $ {y}_{0}={t}_{2} $ $ {y}_{1}={t}_{3} $ $ {y}_{2}={t}_{6} $ $ {y}_{3}={t}_{7} $
下载: 导出CSV
表 6 Skinny S盒的实现
Skinny k=4 w=3 13.33 GE $ {t}_{0}= $OR$ \left({x}_{2},{x}_{3}\right) $ $ {t}_{1}= $OR$ \left({x}_{0},{x}_{1}\right) $ $ {t}_{2}= $ OR$ \left({x}_{1},{x}_{2}\right) $ $ {t}_{3}= $ XNOR$ \left({x}_{0},{t}_{2}\right) $ $ {t}_{4}= $MOAI1$ \left({x}_{3},{t}_{1},{x}_{3},{t}_{1}\right) $ $ {t}_{5}= $OR$ \left({x}_{0},{t}_{4}\right) $ $ {t}_{6}= $MOAI1$ \left({t}_{2},{t}_{4},{t}_{0},{x}_{1}\right) $ $ {t}_{7}= $MOAI1$ \left({t}_{3},{t}_{0},{t}_{5},{x}_{2}\right) $ $ {y}_{0}={t}_{4} $ $ {y}_{1}={t}_{3} $ $ {y}_{2}={t}_{6} $ $ {y}_{3}={t}_{7} $
下载: 导出CSV
表 7 Rectangle S盒的实现
Rectangle k=7 w=2 18.33 GE $ {t}_{0}= $MOAI1$ \left({x}_{0},{x}_{2},{x}_{0},{x}_{0}\right) $ $ {t}_{1}= $XNOR$ \left({x}_{0},{x}_{2}\right) $ $ {t}_{2}= $MOAI1$ \left({x}_{3},{t}_{0},{x}_{3},{t}_{0}\right) $ $ {t}_{3}= $MOAI1$ \left({x}_{1},{t}_{2},{t}_{2},{x}_{1}\right) $ $ {t}_{4}= $MAOI1$ \left({x}_{2},{x}_{1},{x}_{2},{t}_{3}\right) $ $ {t}_{5}= $XNOR$ \left({x}_{0},{t}_{4}\right) $ $ {t}_{6}= $MOAI1$ \left({{{t}_{2}},{{t}_{1}},t}_{2},{t}_{4}\right) $ $ {t}_{7}= $OR$ \left({t}_{6},{t}_{5}\right) $ $ {t}_{8}= $MOAI1$ \left({t}_{7},{t}_{2},{t}_{7},{t}_{2}\right) $ $ {y}_{0}={t}_{6} $ $ {y}_{1}={t}_{8} $ $ {y}_{2}={t}_{3} $ $ {y}_{3}={t}_{5} $
下载: 导出CSV
表 8 Lblock S盒的实现
Lblock k=3 w=4 16.33 GE $ {t}_{0}= $MAOI1$ \left({x}_{2},{x}_{1},{x}_{3},{x}_{1}\right) $ $ {t}_{1}= $XNOR$ \left({x}_{2},{x}_{3}\right) $ $ {t}_{2}= $OR$ \left({x}_{0},{x}_{1}\right) $ $ {t}_{3}= $NOT$ \left({x}_{0}\right) $ $ {t}_{4}= $MOAI1$ \left({t}_{2},{t}_{1},{t}_{2},{t}_{1}\right) $ $ {t}_{5}= $XNOR$ \left({x}_{0},{t}_{0}\right) $ $ {t}_{6}= $NOR$ \left({x}_{0},{t}_{0}\right) $ $ {t}_{7}= $MOAI1$ \left({t}_{0},{t}_{4},{t}_{4},{t}_{3}\right) $ $ {t}_{8}= $MAOI1$ \left({t}_{2},{t}_{6},{x}_{1},{t}_{6}\right) $ $ {y}_{0}={t}_{7} $ $ {y}_{1}={t}_{8} $ $ {y}_{2}={t}_{5} $ $ {y}_{3}={t}_{4} $
下载: 导出CSV
表 9 $ {\mathbf{Rectangle}}^{-\mathbf{1}} $ S盒的实现
$ {\mathbf{Rectangle}}^{-\mathbf{1}} $ k=3 w=4 17.66 GE $ {t}_{0}= $ MOAI1$ \left({x}_{1},{x}_{3},{x}_{0},{x}_{3}\right) $ $ {t}_{1}= $MOAI1$ \left({x}_{3},{x}_{2},{x}_{3},{x}_{2}\right) $ $ {t}_{2}= $ NOR$ \left({x}_{0},{x}_{3}\right) $ $ {t}_{3}= $NOT$ \left({x}_{2}\right) $ $ {t}_{4}= $MAOI1$ \left({t}_{1},{t}_{0},{t}_{1},{t}_{0}\right) $ $ {t}_{5}= $MOAI1$ \left({x}_{1},{t}_{2},{x}_{1},{t}_{2}\right) $ $ {t}_{6}= $NOT$ \left({t}_{1}\right) $ $ {t}_{7}= $MOAI1$ \left({t}_{5},{t}_{4},{t}_{4},{t}_{0}\right) $ $ {t}_{8}= $XNOR$ \left({t}_{5},{t}_{3}\right) $ $ {t}_{9}= $MAOI1$ \left({t}_{5},{t}_{6},{t}_{0},{t}_{5}\right) $ $ {y}_{0}={t}_{9} $ $ {y}_{1}={t}_{8} $ $ {y}_{2}={t}_{4} $ $ {y}_{3}={t}_{7} $
下载: 导出CSV
表 10 Prøst S盒的实现
Prøst k=5 w=2 13.00 GE $ {t}_{0}= $NAND$ \left({x}_{0},{x}_{1}\right) $ $ {t}_{1}= $NAND$ \left({x}_{2},{x}_{1}\right) $ $ {t}_{2}= $XNOR$ \left({x}_{2},{t}_{0}\right) $ $ {t}_{3}= $XNOR$ \left({x}_{3},{t}_{1}\right) $ $ {t}_{4}= $MOAI1$ \left({x}_{1},{x}_{1},{x}_{2},{t}_{3}\right) $ $ {t}_{5}= $NAND$ \left({t}_{3},{t}_{2}\right) $ $ {t}_{6}= $XNOR$ \left({x}_{0},{t}_{5}\right) $ $ {t}_{7}= $MOAI1$ \left({t}_{4},{t}_{4},{x}_{3},{t}_{6}\right) $ $ {y}_{0}={t}_{2} $ $ {y}_{1}={t}_{3} $ $ {y}_{2}={t}_{6} $ $ {y}_{3}={t}_{7} $
下载: 导出CSV
表 11 Prøst S盒的实现
Prøst k=4 w=4 13.33 GE $ {t}_{0}= $NAND$ \left({x}_{0},{x}_{1}\right) $ $ {t}_{1}= $NOT$ \left({x}_{0}\right) $ $ {t}_{2}= $NAND$ \left({x}_{2},{x}_{1}\right) $ $ {t}_{3}= $NOT$ \left({x}_{1}\right) $ $ {t}_{4}= $XNOR$ \left({t}_{0},{x}_{2}\right) $ $ {t}_{5}= $XNOR$ \left({x}_{3},{t}_{2}\right) $ $ {t}_{6}= $MOAI1$ \left({t}_{1},{t}_{4},{t}_{1},{x}_{2}\right) $ $ {t}_{7}= $MOAI1$ \left({t}_{5},{t}_{1},{t}_{5},{t}_{6}\right) $ $ {t}_{8}= $MOAI1$ \left({t}_{3},{x}_{2},{x}_{3},{t}_{6}\right) $ $ {y}_{0}={t}_{4} $ $ {y}_{1}={t}_{5} $ $ {y}_{2}={t}_{7} $ $ {y}_{3}={t}_{8} $
下载: 导出CSV
表 12 midori_$ {\mathbf{s}}_{\mathbf{0}} $ S盒的实现
midori_$ {\mathbf{s}}_{\mathbf{0}} $ k=3 w=4 16.33 GE $ {t}_{0}= $NOT$ \left({x}_{0}\right) $ $ {t}_{1}= $XNOR$ \left({x}_{0},{x}_{1}\right) $ $ {t}_{2}= $OR$ \left({x}_{0},{x}_{3}\right) $ $ {t}_{3}= $NAND$ \left({x}_{1},{x}_{1}\right) $ $ {t}_{4}= $MOAI1$ \left({x}_{3},{t}_{1},{t}_{0},{t}_{1}\right) $ $ {t}_{5}= $ MOAI1$ \left({t}_{1},{t}_{3},{t}_{1},{x}_{3}\right) $ $ {t}_{6}= $MAOI1$ \left({t}_{2},{x}_{2},{t}_{0},{t}_{3}\right) $ $ {t}_{7}= $ MOAI1$ \left({t}_{1},{t}_{4},{x}_{2},{t}_{4}\right) $ $ {t}_{8}= $ MAOI1$ \left({t}_{4},{t}_{2},{x}_{2},{t}_{4}\right) $ $ {y}_{0}={t}_{6} $ $ {y}_{1}={t}_{8} $ $ {y}_{2}={t}_{5} $ $ {y}_{3}={t}_{7} $
下载: 导出CSV
-
[1] 钟悦, 谷杰铭, 曹洪林. 轻量级分组密码算法综述[J]. 计算机科学, 2023, 50(9): 3–15. doi: 10.11896/jsjkx.230500190.ZHONG Yue, GU Jieming, and CAO Honglin. A survey of lightweight block cipher[J]. Computer Science, 2023, 50(9): 3–15. doi: 10.11896/jsjkx.230500190. [2] 贾美纯. 两类轻量级分组密码算法的安全性研究[D]. [硕士论文]. 西北师范大学, 2024. doi: 10.27410/d.cnki.gxbfu.2024.002853.JIA Meichun. Security analysis on two types of lightweight block cipher algorithms[D]. [Master dissertation]. Northwest Normal University, 2024. doi: 10.27410/d.cnki.gxbfu.2024.002853. [3] JEAN J, PEYRIN T, SIM S M, et al. Optimizing implementations of lightweight building blocks[J]. IACR Transactions on Symmetric Cryptology, 2017, 2017(4): 130–168. doi: 10.13154/tosc.v2017.i4.130-168. [4] BAO Zhenzhen, GUO Jian, LING San, et al. PEIGEN–a platform for evaluation, implementation, and generation of S-boxes[J]. IACR Transactions on Symmetric Cryptology, 2019, 2019(1): 330–394. doi: 10.13154/tosc.v2019.i1.330-394. [5] WEI Zihao, SUN Siwei, LIU Fengmei, et al. Technology-dependent synthesis and optimization of circuits for small S-boxes[J]. IACR Communications in Cryptology, 2025, 1(4): 35. doi: 10.62056/akmpdkp10. [6] COURTOIS N, MOUROUZIS T, and HULME D. Exact logic minimization and multiplicative complexity of concrete algebraic and cryptographic circuits[J]. International Journal on Advances in Intelligent Systems, 2013, 6(3/4): 165–176. [7] STOFFELEN K. Optimizing S-box implementations for several criteria using SAT solvers[C]. Proceedings of the 23rd International Conference on Fast Software Encryption, Bochum, Germany, 2016: 140–160. doi: 10.1007/978-3-662-52993-5_8. [8] LU Zhenyu, WANG Weijia, HU Kai, et al. Pushing the limits: Searching for implementations with the smallest area for lightweight S-boxes[C]. Proceedings of the 22nd International Conference on Progress in Cryptology, Jaipur, India, 2021: 159–178. doi: 10.1007/978-3-030-92518-5_8. [9] ZHANG Fuxin and HUANG Zhenyu. Optimizing S-box implementations using SAT solvers: Revisited[EB/OL]. Cryptology ePrint Archive, https://eprint.iacr.org/2023/1721, 2023. [10] JIA Chenhao, CUI Tingting, LING Qing, et al. How small can S-boxes be?[J]. IACR Transactions on Symmetric Cryptology, 2025, 2025(1): 592–622. doi: 10.46586/tosc.v2025.i1.592-622. [11] SUN Yu, WU Lixuan, JIA Chenhao, et al. Addendum to how small can S-boxes be?[J]. IACR Transactions on Symmetric Cryptology, 2025, 2025(2): 192–205. doi: 10.46586/TOSC.V2025.I2.192-205. [12] JEAN J, NIKOLIĆ I, and PEYRIN T. Joltik v1.3[EB/OL]. CAESAR Round, https://competitions.cr.yp.to/round2/joltikv13.pdf, 2015. [13] SHIBUTANI K, ISOBE T, HIWATARI H, et al. Piccolo: An ultra-lightweight blockcipher[C]. Proceedings of the 13th International Workshop on Cryptographic Hardware and Embedded Systems, Nara, Japan, 2011: 342–357. doi: 10.1007/978-3-642-23951-9_23. [14] ZHANG Wentao, BAO Zhenzhen, LIN Dongdai, et al. RECTANGLE: A bit-slice lightweight block cipher suitable for multiple platforms[J]. Science China Information Sciences, 2015, 58(12): 1–15. doi: 10.1007/s11432-015-5459-7. [15] BEIERLE C, JEAN J, KÖLBL S, et al. The SKINNY family of block ciphers and its low-latency variant MANTIS[C]. Proceedings of the 36th Annual International Cryptology Conference on Advances in Cryptology, Santa Barbara, USA, 2016: 123–153. doi: 10.1007/978-3-662-53008-5_5. [16] WU Wenling and ZHANG Lei. LBlock: A lightweight block cipher[C]. Proceedings of the 9th International Conference on Applied Cryptography and Network Security, Nerja, Spain, 2011: 327–344. doi: 10.1007/978-3-642-21554-4_19. [17] ZHANG Lei, WU Wenling, WANG Yanfeng, et al. LAC: A lightweight authenticated encryption cipher[EB/OL]. Submitted to the CAESAR competition, https://competitions.cr.yp.to/round1/lacv1.pdf, 2014. [18] BANIK S, BOGDANOV A, ISOBE T, et al. Midori: A block cipher for low energy[C]. Proceedings of the 21st International Conference on Advances in Cryptology, Auckland, New Zealand, 2015: 411–436. doi: 10.1007/978-3-662-48800-3_17. [19] KAVUN E B, LAURIDSEN M M, LEANDER G, et al. PRØST v1[EB/OL]. CAESAR Round, https://competitions.cr.yp.to/round1/proestv1.pdf, 2014. [20] BANIK S, FUNABIKI Y, and ISOBE T. More results on shortest linear programs[C]. Proceedings of the 14th International Workshop on Advances in Information and Computer Security, Tokyo, Japan, 2019: 109–128. doi: 10.1007/978-3-030-26834-3_7. -
表(13)
计量
- 文章访问数: 13
- HTML全文浏览量: 5
- PDF下载量: 1
- 被引次数: 0
下载:
