Lightweight S-Box Architecture for Secure Internet of Things

Abstract

Lightweight cryptographic solutions are required to guarantee the security of Internet of Things (IoT) pervasiveness. Cryptographic primitives mandate a non-linear operation. The design of a lightweight, secure, non-linear 4 × 4 substitution box (S-box) suited to Internet of Things (IoT) applications is proposed in this work. The structure of the 4 × 4 S-box is devised in the finite fields GF (2⁴) and GF ((2²)²). The finite field S-box is realized by multiplicative inversion followed by an affine transformation. The multiplicative inverse architecture employs Euclidean algorithm for inversion in the composite field GF ((2²)²). The affine transformation is carried out in the field GF (2⁴). The isomorphic mapping between the fields GF (2⁴) and GF ((2²)²) is based on the primitive element in the higher order field GF (2⁴). The recommended finite field S-box architecture is combinational and enables sub-pipelining. The linear and differential cryptanalysis validates that the proposed S-box is within the maximal security bound. It is observed that there is 86.5% lesser gate count for the realization of sub field operations in the composite field GF ((2²)²) compared to the GF (2⁴) field. In the PRESENT lightweight cipher structure with the basic loop architecture, the proposed S-box demonstrates 5% reduction in the gate equivalent area over the look-up-table-based S-box with TSMC 180 nm technology.

1. Introduction

Cryptography paves the way for the realization of security in the information technology era. Lightweight cryptographic algorithms are in immense demand in the present decade for Internet of Things (IoT) applications. Industrial IoT systems are ubiquitous in nature and have widespread access through smart devices. They are strictly resource-constrained, and lightweight security solutions are the most suitable option for the security of such systems. The traditional security algorithms, such as Advanced Encryption Standard (AES), are not suitable for IoT devices due to their intense mathematical operations, which are computationally expensive. IoT physical security concerns emphasize the resource constraints and the level of security to be addressed by the lightweight cryptographic algorithms and lightweight cryptographic primitives [1,2,3,4,5,6]. The necessity of lightweight ciphers with compact implementation of the non-linear S-box to realize the practical IoT is addressed in [7,8,9]. The optimal linear and differential cryptanalysis resistance of the lightweight S-box is also analyzed as a major factor. Trends in the lightweight cipher design for IoT are based on two factors: the choice of the non-linear operation and the key schedule [10]. The non-linear operation is mandatory in any cryptographic primitive. The primary non-linear operation in the cryptographic algorithms is the S-box. This work contributes to the finite field hardware design of the combinational, lightweight, optimal S-box suited to IoT devices. An S-box in a finite field is an inversion followed by affine transformation.

The proposed S-box is lightweight in terms of having a smaller number of gates and has adequate security properties, as discussed in the latter sections. The combinational design of the proposed lightweight S-box offers hardware advantages—namely compactness in terms of a smaller number of gates—enables sub-pipelining to improve performance optimization and also enables masking mechanisms to counteract side channel attacks [11]. Hardware implementations of the symmetric cryptographic algorithms have been widely explored in the literature [12,13,14,15,16,17]. However, they report the bare minimal focus on the architectural design of the different symmetric lightweight security ciphers. All the lightweight ciphers defined so far have only look-up table-based S-boxes, which have their own limitations in hardware [18,19,20,21,22,23,24,25].

Sufficient background on the derivation of the hardware structures in the finite fields is given in [26,27,28,29,30]. The finite field design involves the design of the operations in varied sub fields. The isomorphism between the fields and the methods for those transformations has been explained in [31,32,33]. Reference [34] discusses the properties of affine equivalence in AES. Literature to date on lightweight cipher algorithm implementations has concentrated on the gate equivalents in ASIC implementations and RAM-based Field Programmable Gate Array (FPGA) implementations [35,36,37,38,39]. A Boolean S-box using the Karnaugh map and the factorization technique has been designed to achieve a maximum throughput of 51.32 Mbps for the PRESENT cipher architecture for an 8-bit data path [40]. To the best of the knowledge of the authors, this work is the first attempt at the construction of a finite field hardware style for the 4 × 4 S-box.

The rest of the paper is organized as follows: Section 2 reiterates the properties of the optimal S-box. Section 3 explains the design methodology of the proposed work. Section 4 elaborates the construction of the fields, followed by the multiplicative inversion derivation in the composite field in Section 5. Section 6 focuses on the isomorphism between the fields GF (2⁴) and GF ((2²)²), and the description of the involved affine transformation is given in Section 7. The proposed hardware structure for the S-box and its implementation are shown in Section 8 and Section 9, respectively. The security analyses of the proposed S-box are presented in Section 10. Section 11 concludes the paper.

2. Properties of the Optimal S-Box

The security of IoT devices needs lightweight cryptographic primitives and they deploy 4 × 4 S-boxes in their cipher definition. The selection of the S-box in the lightweight block ciphers plays an important role in characterizing its security–performance trade-off. The choice of the 4 × 4 S-box for the lightweight constructions results in compact hardware, unlike the 8 × 8 S-box used in the AES. A high volume of the lightweight ciphers and hash functions, namely, PRESENT, RECTANGLE, SPONGENT, ICEBERG, SERPENT, NOEKEON, PRINT and PRINCE, have the 4 × 4 S-box in their structure [41]. The improved hardware performance with fixed level of security margin is attained by the optimal S-box constructions. Let the 4 × 4 bijective S-box be denoted by S in the field $F_2^4$. The conditions to be satisfied for the S-box to be optimal are

(1)

Bijective, i.e., $\mathrm{S}(\mathrm{x})\ne \mathrm{S}(\mathrm{x}\prime )$ for any $\mathrm{x}\ne \mathrm{x}\prime$.

(2)

Let the difference XOR propagation between the input XOR values (ΔI) and the output XOR values (ΔO) be given by NDs (ΔI, ΔO) = #{x $\in$ $F_2^4$|S(x) ⊕ S (x ⊕ ΔI) = ΔO}; it should be ≤4.

(3)

The differential uniformity: i.e., the diffusion of the S-box is given by the ${\max }_{\Delta \mathrm{I}\ne 0,\Delta \mathrm{O}}\left|\mathrm{NDs}(\Delta \mathrm{I},\Delta \mathrm{O})\right|$.

(4)

Let the linear imbalance of the S-box be denoted by Imbs (ΓI, ΓO) = #{x $\in$ $F_2^4$|ΓI .x = ΓO. S(x)} − 8|: it should be ≤4, where ΓI and ΓO are the input and output masks of the S-box linear approximation and “.” is the inner product on $F_2^4$.

(5)

The linearity of the S-box is given by the ${\max }_{\mathsf{\Gamma }\mathrm{I},\mathsf{\Gamma }\mathrm{O}\ne 0}\left|\mathrm{NDs}(\Delta \mathrm{I},\Delta \mathrm{O})\right|.$

(6)

No fixed point, i.e., $\mathrm{S}(\mathrm{x})\ne \mathrm{x}$ for any $F_2^4$.

S-boxes that satisfy these values are said to be optimal S-boxes [42,43,44]. The smaller the value of diffusion of the S-box, the more secure the S-box is against differential cryptanalysis. Similarly, the smaller the value of linearity of the S-box, the more secure the S-box is against linear cryptanalysis. For an S-box, the number of times that a 1-bit input difference causes a 1-bit output difference and the number of times that a 1-bit input selection pattern causes a 1-bit output selection pattern also determines the differential and linear cryptanalysis resistance of the 4-bit S-boxes.

3. Design Methodology

The finite field theory specifies the mathematical operations in terms of logic gates. The design methodology employs the finite fields in a polynomial basis for the hardware definition of the 4 × 4 S-box. The multiplicative inverse is derived in the composite field, resulting in less hardware complexity. The steps involved in the S-box design are elucidated as follows and are shown in Figure 1.

(1)

The construction of the field GF (2^nm=4) in the polynomial basis using the irreducible primitive polynomial of degree 4.

(2)

The construction of the composite field GF ((2ⁿ⁼²)^m=2) in the polynomial basis using the respective bases.

(3)

Derivation of the multiplicative inverse structure in the composite field GF ((2ⁿ⁼²)^m=2) using the Euclidean algorithm. The multiplicative inversion involves the subfields GF (2), GF ((2ⁿ⁼²)^m=2) and GF (2^nm=4).

(4)

The isomorphic transformation of the sub fields based on the primitive element of the higher order field.

(5)

The affine transformation in the field GF (2^nm=4).

(6)

Validation of the proposed S-box structure through the physical implementation of the proposed S-box in the one of the lightweight cipher algorithms, PRESENT, and estimation of its hardware performance.

(7)

Security analysis of the proposed S-box structure to prove its security strength.

4. Construction of the Fields

The field GF (2⁴) is constructed with the irreducible polynomial of degree 4 in the polynomial basis. There are three irreducible polynomials of degree 4:

$$\mathrm{r}1(\mathrm{x})={\mathrm{x}}^4+\mathrm{x}+1$$

(1)

$$\mathrm{r}2(\mathrm{x})={\mathrm{x}}^4+{\mathrm{x}}^3+1$$

(2)

$$\mathrm{r}3(\mathrm{x})={\mathrm{x}}^4+{\mathrm{x}}^3+{\mathrm{x}}^2+\mathrm{x}+1$$

(3)

A primitive irreducible polynomial generates all the unique 2⁴ = 16 elements of the field GF (2⁴). However, the non-primitive polynomial will not generate all the 16 unique elements. Both the primitive polynomials $\mathrm{r}1(\mathrm{x})$ and $\mathrm{r}2(\mathrm{x})$ are applicable for the GF (2⁴) field generation. The polynomial $\mathrm{r}3(\mathrm{x})$ is a non-primitive polynomial. The proposed work generates the field based on the polynomial $\mathrm{r}1(\mathrm{x})$. The composite field GF ((2ⁿ⁼²)^m=2) is also constructed using the polynomial basis. The process involved in the construction of the composite field GF ((2²)²) for the realization of the 4 × 4 S-box employs the following three polynomial bases: B1, B2 and B3.

• B1: The binary extension field employed is the GF (2⁴), and is defined over the prime field GF (2). If $\mathsf{\alpha }$ is a root of $\mathrm{p}(\mathrm{x})$, then the set $\mathrm{B}1=\{1,\mathsf{\alpha },{\mathsf{\alpha }}^2,{\mathsf{\alpha }}^3\}$ forms the basis for the field GF (2⁴). Any element A in $\mathrm{GF}(2^4)$ can be expressed as $\mathrm{A}={{\displaystyle \sum }}_{\mathrm{i}=0}^3{\mathrm{a}}_{\mathrm{i}}{\mathsf{\alpha }}^{\mathrm{i}}$, where $\mathrm{a}$_i $\mathsf{ϵ}$ $\mathrm{GF}(2)$ for i = 0 to 3. The row vector (${\mathrm{a}}_0,{\mathrm{a}}_1,{\mathrm{a}}_2,{\mathrm{a}}_3$) is called the representation of the element A in the basis B1. This is the polynomial basis for the representation of the field GF (2⁴) over GF (2).
• B2: The irreducible polynomial $\mathrm{q}(\mathrm{x})$ of degree $m=2$ defined over GF (2²) has root $\mathsf{\beta }$. Then, the set $\mathrm{B}2=\left\{1,\mathsf{\beta }\right\}$ is the basis of GF ((2²)²). Any element in the basis B2 can be expressed as $\mathrm{A}={{\displaystyle \sum }}_{\mathrm{i}=0}^1{\mathrm{a}}_{\mathrm{i}}^{\prime }{\mathsf{\beta }}^{\mathrm{i}}$, where ${\mathrm{a}}_{\mathrm{i}}^{\prime }$ $\mathsf{ϵ}$ $\mathrm{GF}(2^2)$ for i = 0, 1. The row vector (${\mathrm{a}}_0^{\prime }$, ${\mathrm{a}}_1^{\prime })$ is called the composite field representation of the element A in the basis B2. The coefficients in the composite field representation are in the ground field GF (2²).
• B3: The irreducible polynomial $\mathrm{v}(\mathrm{x})$ of degree $n=2$ over GF (2) constructs the ground field GF (2²) with a root $\mathsf{\gamma }$ and the basis B3. Therefore, any element $\mathrm{a}$ $\mathsf{ϵ}$ GF (2²) can be written as $\mathrm{a}={{\displaystyle \sum }}_{\mathrm{i}=0}^1{\mathrm{a}}_{\mathrm{i}}^{\prime }{\mathsf{\gamma }}^{\mathrm{i}}$, where ${\mathrm{a}}_{\mathrm{i}}^{\prime }$ $\mathsf{ϵ}$ $\mathrm{GF}(2)$. The row vector (${\mathrm{a}}_0^{″},{\mathrm{a}}_1^{″})$ represents the element $\mathrm{a}\mathsf{ϵ}$ GF (2²), in the basis B3.

The representations of the different bases involved in the composite field construction are expressed below.

$$\mathrm{B}1:\mathrm{p}(\mathrm{x})={\mathrm{x}}^4+\mathrm{x}+1\mathrm{in}\mathrm{GF}(2^4)/\mathrm{GF}(2)$$

(4)

$$\mathrm{B}2:\mathrm{q}(\mathrm{x})={\mathrm{x}}^2+\mathrm{x}+\varnothing \mathrm{in}\mathrm{GF}{((2^2)}^2)/\mathrm{GF}(2^2),\varnothing ={10}_2$$

(5)

$$\mathrm{B}3:\mathrm{v}(\mathrm{x})={\mathrm{x}}^2+\mathrm{x}+1\mathrm{in}\mathrm{GF}(2^2)/\mathrm{GF}(2)$$

(6)

The field $\mathrm{GF}(2^2)$ has only one irreducible polynomial of degree 2. The field $\mathrm{GF}{((2^2)}^2)$ is irreducible with the polynomial of the form $\mathrm{q}(\mathrm{x})$ with the possible value of $\varnothing ={10}_2$ in GF (2). The derivation of the multiplicative inverse structure in the composite field $\mathrm{GF}{((2^2)}^2)$ is detailed in the next section.

5. Multiplicative Inverse in the Composite Field

The multiplicative inversion and its efficient hardware implementation are the key elements in the structural realization of the S-box. The inversion is calculated using the extended Euclidean algorithm. The multiplicative inverse in the higher order field domain is more complex, and hence the lower order composite field is preferred, with all the arithmetic operations performed in the lower domain. The composite field GF ((2²)²) with the suitable values of n = 2 and m = 2, for k = 2 × 2 = 4, is generated based on the respective degree field polynomials.

The multiplicative inverse in the composite field is realized by the following steps:

(1)

Isomorphic transformation from the higher order field representation $\mathrm{GF}(2^4)$ to the lower order composite field representation $\mathrm{GF}{((2^2)}^2)$.

(2)

Multiplicative inversion in the composite field $\mathrm{GF}{((2^2)}^2)$ using the Euclidean theorem.

(3)

Inverse isomorphic transformation of the result obtained by the multiplicative inverse, to the higher order field $\mathrm{GF}(2^4)$.

6. Isomorphism and Field Polynomials

The calculation of the multiplicative inverse in the lower field $\mathrm{GF}{((2^2)}^2$ offers an advantage as discussed in Section 3. The computation of inverse in the composite field cannot be applied directly in $\mathrm{GF}(2^4)$. Therefore, every element needs to be mapped to its composite field representation $\mathrm{GF}{((2^2)}^2)$ via isomorphic mapping and vice versa. Such an isomorphism provides the conversion of the field representations. The derivations of the conversion matrix to establish the isomorphism between the fields is evaluated through any one of the two mechanisms mentioned below:

(1)

Construction of the conversion matrix between $\mathrm{GF}(2^4)$ and $\mathrm{GF}{((2^2)}^2)$, where the generation polynomials are known a priori through an exhaustive search method.

(2)

Construction of the conversion matrix, in which the generator polynomial is not known a priori nor fixed. In this field conversion, the isomorphism between the fields is derived based on the primitive or the non-primitive polynomials. The primitive elements of the irreducible polynomials are the key for the isomorphic transformations in this technique.

This work employs the primitive element method for its isomorphism. The manipulations involved for the base representations, the minimal polynomials involved and the conversion mechanism are explained in the following sub sections.

6.1. Minimal Polynomials for the Composite Field Conversion

The two different fields, namely $\mathrm{GF}(2^4)$ over $\mathrm{GF}(2),\mathrm{and}\mathrm{GF}{((2^2)}^2)$ over $\mathrm{GF}(2^2)$, have the following minimal polynomials:

(1)

With $n=2$ and $m=2,$ the composite field $\mathrm{GF}{((2^2)}^2)$ is constructed with $\mathrm{GF}(2^2)$ as the ground field. The minimal polynomial of $\mathsf{\alpha }$ for the composite field $\mathrm{GF}{((2^2)}^2)$ construction is given as

$${\mathrm{m}}_{\mathsf{\alpha }}(\mathrm{x})=(\mathrm{x}+\mathsf{\alpha })(\mathrm{x}+{\mathsf{\alpha }}^4)$$

(7)

The polynomial ${\mathrm{m}}_{\mathsf{\alpha }}(\mathrm{x})$ is an irreducible polynomial of degree 2 with coefficients in $\mathrm{GF}(2^2)$. The subfield is $\mathrm{GF}(2^2)$. The operation in the field is performed in $\mathrm{GF}{((2^2)}^2)$ over $\mathrm{GF}(2^2)$.

(2)

The minimal polynomial of $\mathsf{\alpha }$ for the field $\mathrm{GF}(2^4)$ over $\mathrm{GF}(2)$ construction is given as

$${\mathrm{m}}_{\mathsf{\alpha }}^{\prime }(\mathrm{x})=(\mathrm{x}+\mathsf{\alpha })(\mathrm{x}+{\mathsf{\alpha }}^2)(\mathrm{x}+{\mathsf{\alpha }}^4)(\mathrm{x}+{\mathsf{\alpha }}^8)$$

(8)

The polynomial ${\mathrm{m}}_{\mathsf{\alpha }}^{\prime }(\mathrm{x})$ is an irreducible polynomial of degree 4 with coefficients in $\mathrm{GF}(2)$. The primitive polynomial used for the field construction is a polynomial of degree $\mathrm{k}=4(\mathrm{nm}),$ whose coefficients are in $\mathrm{GF}(2)$.

6.2. Evaluation of the Conversion Matrix

The conversion from the composite field representation to the binary representation based on the primitive elements is explained below. The primitive polynomial involved in the construction of $\mathrm{GF}(2^4)$ with root $\mathsf{\alpha }$ is given by $\mathrm{p}(\mathrm{x})={\mathrm{x}}^4+\mathrm{x}+1$ and $\mathsf{\alpha }$ is a primitive element in $\mathrm{GF}(2^4)$. The elements A in $\mathrm{GF}(2^4)$ in basis B1 is given by

$$\mathrm{A}={\mathrm{a}}_0+{\mathrm{a}}_1\mathsf{\alpha }+{\mathrm{a}}_2{\mathsf{\alpha }}^2+{\mathrm{a}}_3{\mathsf{\alpha }}^3$$

(9)

The primitive element for the composite field construction ${\mathsf{\alpha }}^5$ is expressed in the ground field $\mathrm{GF}(2^2)$. The irreducible polynomial used to construct $\mathrm{GF}{((2^2)}^2)$ over $\mathrm{GF}(2^2)$ is given by as ${\mathrm{m}}_{\mathsf{\alpha }}(\mathrm{x})=(\mathrm{x}+\mathsf{\alpha })(\mathrm{x}+{\mathsf{\alpha }}^4)$ and it is of degree 2 with the coefficients from the ground field $\mathrm{GF}(2^2)$.

The reduction of the polynomial as ${\mathrm{m}}_{\mathsf{\alpha }}(\mathrm{x})=(\mathrm{x}+\mathsf{\alpha })(\mathrm{x}+{\mathsf{\alpha }}^4)$ evaluate to the form as given below.

$${\mathrm{m}}_{\mathsf{\alpha }}(\mathrm{x})={\mathrm{x}}^2+(\mathsf{\alpha }+{\mathsf{\alpha }}^4)\mathrm{x}+{\mathsf{\alpha }}^5$$

(10)

where $\mathsf{\alpha }$ is in $\mathrm{GF}(2^4)$.

The elements of A in the field in basis 2 can be written as ${{\displaystyle \sum }}_{\mathrm{j}=0}^{\mathrm{m}-1}{\mathrm{a}}_{\mathrm{j}}{}^{\prime }{\mathsf{\alpha }}^{\mathrm{j}}$, where ${\mathrm{a}}_{\mathrm{j}}{}^{\prime }$ $\in$ $\mathrm{GF}(2^2)$. Using $\mathsf{\gamma }={\mathsf{\alpha }}^5$ as the primitive element, the ${\mathrm{a}}_{\mathrm{j}}^{\prime }$ can be expressed as ${\mathrm{a}}_{\mathrm{j}}^{\prime }=\overline{{\mathrm{a}}_{\mathrm{j}0}}+\overline{{\mathrm{a}}_{\mathrm{j}1}}\mathsf{\gamma }$.

Substituting this expression for ${\mathrm{a}}_{\mathrm{j}}{}^{\prime }$, the elements of A are arrived at as given below.

$$\mathrm{A}=\overline{{\mathrm{a}}_{00}}+\overline{{\mathrm{a}}_{01}}{\mathsf{\alpha }}^5+\overline{{\mathrm{a}}_{10}}\mathsf{\alpha }+\overline{{\mathrm{a}}_{11}}{\mathsf{\alpha }}^6$$

(11)

Reducing this using $\mathrm{p}(\mathrm{x})={\mathrm{x}}^4+\mathrm{x}+1$, the element can now be expressed as

$$\mathrm{A}=\overline{{\mathrm{a}}_{00}}+(\overline{{\mathrm{a}}_{01}}+\overline{{\mathrm{a}}_{10}})\mathsf{\alpha }+(\overline{{\mathrm{a}}_{01}}+\overline{{\mathrm{a}}_{11}}){\mathsf{\alpha }}^2+\overline{{\mathrm{a}}_{11}}{\mathsf{\alpha }}^3$$

(12)

Comparison of the elements on the basis B1 and B2, the following equations relating the coefficients can be derived as follows:

$${\mathrm{a}}_0=\overline{{\mathrm{a}}_{00}}$$

(13)

$${\mathrm{a}}_1=\overline{{\mathrm{a}}_{01}}+\overline{{\mathrm{a}}_{10}}$$

(14)

$${\mathrm{a}}_2=\overline{{\mathrm{a}}_{01}}+\overline{{\mathrm{a}}_{11}}$$

(15)

$${\mathrm{a}}_3=\overline{{\mathrm{a}}_{11}}$$

(16)

Based on relations (13) to (16) cited above, the conversion matrix from the binary field to the composite field and vice versa are shown below.

Conversion matrix from $\mathrm{GF}(2^4)$ to $\mathrm{GF}{((2^2)}^2)$

$$\left[\begin{array}{cccc}1& 0& 0& 0\\ 1& 1& 1& 0\\ 1& 1& 0& 0\\ 0& 0& 0& 1\end{array}\right]$$

(17)

Conversion matrix from $\mathrm{GF}{((2^2)}^2)\mathrm{to}\mathrm{GF}(2^4)$

$$\left[\begin{array}{cccc}1& 0& 0& 0\\ 1& 0& 1& 0\\ 0& 1& 1& 0\\ 0& 0& 0& 1\end{array}\right]$$

(18)

The discussions made so far pertained to the processes involved in finding the multiplicative inverse and the necessary isomorphic transformations between the different fields. The affine transformation chosen for the S-box is explained in Section 7.

7. Affine Transformation

The affine transformation resists interpolation attacks and wraps algebraic manipulations so that it is less vulnerable to such attacks. An appropriate affine transform resists the interpolation attacks without causing damage to the resistance of the linear and differential cryptanalysis properties of the multiplicative inverse operation. The affine transformation is a scaling operation followed by addition with an affine constant. The affine and inverse transformations are given by

$$\mathrm{y}=\mathrm{b}+\mathrm{ax}$$

(19)

$$\mathrm{x}={\mathrm{a}}^{-1}\mathrm{y}+{\mathrm{a}}^{-1}\mathrm{b},$$

(20)

where ‘a’ and ‘${\mathrm{a}}^{-1}$’ are 4 × 4 matrices and ‘b’ is a 4 × 1 matrix.

The expression for the affine transformation and the inverse affine transformation are represented in Equations (21) and (22) respectively.

$$\text{Affine Transform}=\left[\begin{array}{cccc}0& 0& 0& 1\\ 0& 0& 1& 0\\ 0& 1& 0& 0\\ 1& 0& 0& 1\end{array}\right]\left[\begin{array}{c}a3\\ a2\\ a1\\ a0\end{array}\right]\oplus [\begin{array}{cccc}0& 1& 1& 1\end{array}]$$

(21)

$$\text{Inverse Affine}=\left[\begin{array}{cccc}1& 0& 0& 1\\ 0& 0& 1& 0\\ 0& 1& 0& 0\\ 1& 0& 0& 0\end{array}\right]\left[\begin{array}{c}\mathrm{a}3\\ \mathrm{a}2\\ \mathrm{a}1\\ \mathrm{a}0\end{array}\right]\oplus [\begin{array}{cccc}1& 1& 1& 0\end{array}]$$

(22)

The hardware structures of the affine transformation are also implemented based on the finite field arithmetic. All the related composite field arithmetic operations and the hardware realization of the individual substructures for implementation of inversion in the field $\mathrm{GF}{((2^2)}^2)$ are discussed in Section 8.

8. Overall S-Box Structure and Substructures

This section presents the overall structure of the proposed 4 × 4 S-box. Figure 2 depicts the overall structure in the field derived using the Euclidean approach. The structure of the sub operations in the field $\mathrm{GF}{((2^2)}^2)$ are shown in Figure 3, Figure 4 and Figure 5. Note that, in the finite field, all the arithmetic operations are expressed in terms of the AND and XOR gates.

Table 1. Symbolic representation of the substructures.

Symbol	Operation
x2	Squaring operation in $\mathrm{GF}{((2^2)}^2)$
X	Multiplication in $\mathrm{GF}{((2^2)}^2)$
Xø	Multiplication with constant in $\mathrm{GF}{((2^2)}^2)$
⊕	Bitwise addition in $\mathrm{GF}{((2^2)}^2)$
X−1	Inversion in Fermat’s with m = 2
δ	Isomorphism from $\mathrm{GF}(2^4)$ to $\mathrm{GF}{((2^2)}^2)$
δ−1	Inverse isomorphism from $\mathrm{GF}{((2^2)}^2)\mathrm{to}\mathrm{GF}(2^4)$
→	Affine transformation in $\mathrm{GF}(2^4)$

The multiplicative inversion operations are defined in the field $\mathrm{GF}{((2^2)}^2)$ and the field isomorphism and the affine transformation are defined in the field $\mathrm{GF}(2^4)$.

lists the symbols employed for each of these operation involved in the structure.

9. Hardware Performance in Block Ciphers

The proposed S-box is depicted in

Table 2. Proposed S-box.

X	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
S[x]	7	E	F	0	D	B	8	1	9	3	4	C	2	5	A	6

. The gate counts required for the individual sub operations in the composite field $\mathrm{GF}{((2^2)}^2)$ and $\mathrm{GF}(2^4)$ are shown in

Table 3. Individual gate counts of the substructures in $\mathrm{GF}{((2^2)}^2)$ and $\mathrm{GF}(2^4)$.

Operations	$\mathbf{G}\mathbf{F}{((2^2)}^2)$ [PROPOSED]	$\mathbf{G}\mathbf{F}(2^4)$
Squaring	1 XOR	4 XOR
Multiplication with constant	1 XOR (×$\varnothing )$	3 XOR ($\times \mathsf{\lambda })$
Multiplication	4 XOR + 3 AND	21 XOR + 9 AND

. To demonstrate the efficiency of the proposed S-box in the block cipher hardware, the same is replaced in the substitution operation of the PRESENT cipher definition, and the performance results are given in

Table 4. Comparisons of the related works.

Reference Work	Block Size	Key Size	Cycles per Block	Logic Process	Area (GE)
PRESENT-80 [31]	64	80	32	0.18 µm	1570
PRESENT-128 [45]	128	128	32	0.18 µm	1884
CLEFIA [46]	128	128	36	0.09 µm	4950
CLEFIA [47]	128	128	18	0.09 µm	5979
AES [46]	128	128	11	0.13 µm	12,454
AES [46]	128	128	54	0.13 µm	5398
PRESENT-80 [Proposed]	64	80	32	0.18 µm	1486

Area (gate equivalent (GE)) is given in terms of equivalent two-input NAND gates.

. Performance estimation is done in terms of comparison of the gate equivalent (GE) area with the existing lightweight cipher ASIC implementations. It can be observed that the structure with the proposed S-box exhibits a smaller GE area compared to the look-up-table-based S-box implementation in the PRESENT cipher.

Note that the proposed S-box is applicable to any of the ciphers which employ a 4-bit substitution definition. The non-look-up-table-based S-box structure has the added advantage of further sub pipelining mechanisms to improve the throughput. The PRESENT basic loop architecture with the proposed S-box is specified in the VERILOG HDL and is implemented using the TSMC 0.18 µm standard cell library. The Cadence^® nclaunch simulator has been used for the functional simulation. The PRESENT cipher with a block length of 64 bits and key length of 80 bits were chosen for the implementation. Reduction of gate count for the sub field operations is observed to be 86.5% in the composite field $\mathrm{GF}{((2^2)}^2)$ compared to the field $\mathrm{GF}(2^4).$ A 5% lesser gate equivalent area is arrived at with the proposed S-box in the PRESENT lightweight cipher loop architecture in comparison with the look-up-table-based S-box in the same architecture. The security analysis of the impact of the S-box in the lightweight block ciphers has displayed satisfactory performance results and is explained as pertaining to security analysis in the following section.

10. Security Analysis

The characteristics of the S-box should resist linear and differential cryptanalysis. The linearity and the diffusion of the S-box reflect its strength with respect to the linear and differential cryptanalysis. The proposed substitution has the security characteristics that resist both the linear and differential cryptanalysis.

10.1. Linear Cryptanalysis

Linear cryptanalysis is a chosen plaintext attack that captures the highly probable linear relationship between the input plain texts and the resultant cipher texts. The proposed optimal S-box has a linearity of 4, as noted from the linear approximation structure in

Table 5. Linear approximation table of the proposed S-box.

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	8	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
1	0	0	0	0	0	−4	0	4	2	−2	2	−2	2	2	2	2
2	0	4	2	2	0	0	2	−2	0	0	2	−2	0	−4	2	2
3	0	0	−2	2	0	0	−2	2	−2	−2	4	0	−2	−2	−4	0
4	0	0	0	−4	2	−2	−2	2	0	0	0	−4	−2	−2	2	−2
5	0	4	0	0	2	2	−2	2	−2	−2	−2	2	4	0	0	0
6	0	0	2	2	−2	2	−4	0	0	4	2	−2	2	2	0	0
7	0	0	−2	−2	−2	−2	0	0	2	2	0	0	4	−4	−2	−2
8	0	2	0	−2	0	−2	−4	−2	2	0	−2	0	−2	0	−2	4
9	0	2	0	−2	4	−2	0	−2	0	2	4	2	0	2	0	−2
A	0	−2	2	0	4	2	2	0	2	0	0	−2	2	0	−4	2
B	0	2	−2	0	0	−2	2	0	−4	2	−2	−4	0	2	−2	0
C	0	−2	4	2	2	−4	−2	0	−2	0	−2	0	0	−2	0	−2
D	0	2	4	−2	−2	0	2	4	0	2	0	2	−2	0	−2	0
E	0	−2	−2	0	2	0	0	2	−2	4	0	2	0	−2	2	4
F	0	−2	2	−4	−2	0	0	−2	−4	−2	2	0	2	0	0	2

.

The high probability linear approximation over the number of rounds will exploit the secret information without any knowledge of the intermediate values. The linear approximation of the only non-linear component in the cipher structure, i.e., the S-box over the rounds, will be concatenated using the pilling-up lemma in order to calculate the upper bound of linearity. The maximal bound is proportional to the number of active S-boxes in each of the rounds. The more the number of active S-boxes in each round, the better is the linear cryptanalysis resistance. In order to determine the maximal bound, the worst scenario of one active S-box in each round is taken into consideration. The r − 1 linear approximation probability is given as follows:

$$|{\mathsf{\epsilon }}_{\mathsf{ɭ}}|\le 2^{\mathrm{r}-2}|{\mathsf{\epsilon }}_{\mathrm{s}}{|}^{\mathrm{r}-1}=2^{-32}$$

(23)

Here, |${\mathsf{\epsilon }}_{\mathrm{s}}$| represents the maximum linear approximation probability bias of the S-box and is 2⁻² for the proposed optimal S-box. The value of r = 32 is the number of rounds of the cipher. The number of plain texts required to perform the linear cryptanalysis is proportional to $1/\mathsf{\epsilon }{l}^2$. Hence, 2⁶⁴ plaintexts are required, which is not practically possible. Note that the analysis has been done for the upper bound of one active S-box per round as indicated above, and hence the proposed S-box in the cipher provides better linear cryptanalysis resistance as the S-box in the existing lightweight block ciphers.

10.2. Differential Cryptanalysis

Differential cryptanalysis is also a chosen plain text attack, which focuses the high differential probability between the plain texts and cipher texts. The difference distribution table shows the XOR profile of the S-boxes which demands diffusion in its distribution of the input XOR profile, with respect to the output XOR profile. The proposed optimal S-box has a diffusion of 4 as seen from the difference distribution table in

Table 6. Difference distribution table of the proposed S-box.

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	16	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
1	0	0	0	0	0	0	2	2	2	4	2	0	2	0	0	2
2	0	0	0	2	0	2	0	0	4	0	2	0	0	2	2	2
3	0	2	0	2	2	2	0	4	0	0	0	0	2	0	0	2
4	0	2	0	0	0	2	2	2	0	0	4	2	0	0	2	0
5	0	2	2	2	0	0	2	0	2	0	0	0	4	0	2	0
6	0	0	2	2	0	2	2	0	0	2	0	2	0	0	0	4
7	0	2	0	0	2	0	4	0	0	2	0	0	0	2	2	2
8	0	0	2	0	0	0	0	2	0	0	0	2	2	2	4	2
9	0	0	0	2	4	0	0	2	2	2	0	2	0	0	2	0
A	0	0	2	4	2	0	0	2	0	0	2	0	0	2	0	0
B	0	2	0	2	0	0	0	0	0	2	2	4	2	2	0	0
C	0	0	0	0	2	4	2	0	2	0	0	2	2	2	0	0
D	0	0	4	0	2	2	0	0	0	2	2	0	2	0	2	0
E	0	2	2	0	0	2	0	2	2	2	0	0	0	4	0	0
F	0	4	2	0	2	0	0	0	2	0	2	2	0	0	0	2

.

In addition to the linearity property and the linear cryptanalysis resistance, the diffusion and the differential cryptanalysis resistance of the S-box in the cipher needs to be to known to estimate the security margin. The maximal differential bound is estimated by the high differential characteristic probability and the number of active S-boxes involved in each round of the cipher. The maximal differential characteristic probability of the proposed optimal S-box is 2⁻². The upper bound on the complexity of the attack is evaluated by considering one active S-box in each round. With one active S-box per round, the expression for the differential characteristic of the cipher with the number of rounds r = 32 are given by

|2⁻²|^r−1 = 2⁻⁶²

(24)

The complexity of the attack is inversely proportional to the differential characteristic probability and is equal to 2⁶². Such a value offers a reasonable limit on the upper bound of the differential characteristic. Hence, the proposed S-box in the cipher offers a sufficient margin of differential cryptanalysis resistance.

11. Conclusions

The primary objective of this work is to design a lightweight, secure optimal S-box that suits IoT applications. The combinational architecture in the finite field for the hardware implementation of the 4 × 4 S-box is presented. The motive for the combinational S-box design is to pave the way for additional optimization mechanisms, namely sub pipelining in the S-box structure. Such hardware optimization is infeasible with the traditional look-up-table-based S-box structure. The choice of the finite field for the hardware design yields all operations: namely multiplication, addition, multiplication with a constant, affine transformation and isomorphic mapping in terms of the logical AND and XOR gates. The hardware structure for the realization of the 4 × 4 S-box has been carried out through extensive mathematical derivations and exploitation of the linear algebra and the finite field theory. The validation of the derived structure is done through the incorporation of the S-box structure in the PRESENT block cipher with the TSMC 0.18 µm technology. The composite field GF ((2²)²) based architecture shows less hardware complexity and a reduced gate count compared to its counterpart GF (2⁴). Furthermore, the security analysis of the designed S-box proves its resistance to the linear and differential cryptanalysis.

The research presented in the paper provides further scope for improving the S-box architecture based on the requirements, the implementation choices, the optimization mechanisms and the algorithms employed.