Multiplicative complexity of bijective 4×4 S-boxes

Abstract

Multiplicative complexity of S-box is the minimum number of 2-input AND-gates required to implement the S-box in AND, XOR, NOT logic. We show that under an affine equivalence there is only a single class of bijective n×n S-boxes with multiplicative complexity 1. Furthermore, we show that each bijective 4×4 S-box has multiplicative complexity at most 5. Finally, we refine the bounds on the multiplicative complexity of each affine class of bijective 4×4 S-boxes.

1 Introduction

A basic building block providing the security of many cipher designs is an S-box. From the mathematical point of view, it is simply a vectorial Boolean function, with specific properties induced by security goals. In practice, an S-box can be implemented as a look-up table, a (relatively complex) electronic circuit, or as a specific sequence of (logic) instructions. When designing ciphers we must balance the security and effectiveness of the implementation. Although larger S-boxes have better resistance against linear and differential cryptanalysis, they are more difficult to implement: they take larger chip area, more operations operations in software and more memory for lookup tables. Another concern is the presence of side-channel attacks, as it seems more difficult to protect designs with larger S-boxes.

Implementation concerns are especially important in lightweight cryptography [10]. Lightweight cryptography deals with implementations in resource constrained environments, such as smartcards or RFID tags. Lightweight cryptography might be especially important for securing solutions based on intelligent sensors, such as body sensor networks in eHealth and telemedicine solutions. The lightweight cipher Present [3] is standardized in ISO/IEC 29192-2:2012. A core building block of Present is a special 4×4 bijective S-box optimized from both security and implementation aspects.

Minimum size of a bijective non-linear S-box is 3×3, i.e., the S-box operates on 3-bit inputs and produces 3-bit outputs. A more practical size for an S-box is 4×4 due to the accepted word sizes in prevailing hardware. There are 16!≈2⁴⁴ bijective 4×4 S-boxes. It is possible to study various properties of all of these S-boxes [1, 12, 16, 18] using fast affine equivalence algorithms [2]. We are interested in one specific property: multiplicative complexity. This property is important for various problems connected to S-boxes, such as logic circuit minimization, algebraic cryptanalysis, and optimal masking against higher order power analysis attacks.

Boyar and Peralta [5] introduced a new technique for logic synthesis and circuit minimization based on the notion of multiplicative complexity. They define multiplicative complexity (MC) of the circuit as a minimum number of AND gates required to implement a circuit in (AND, XOR) algebra (all other logic gates can be constructed with these two). Although MC addresses only a part of an overall Gate complexity (XOR gates are not counted) Boyar and Peralta formulate a hypothesis that

it is plausible that a two-step process, which first reduces multiplicative complexity and then optimizes linear components, leads to small circuits5.

Courtois et. al. [9] introduced new tools to compute MC for small S-boxes. They also conjectured that MC of whole ciphers plays a significant role in algebraic cryptanalysis. In [19] we described a new method suitable for algebraic cryptanalysis that has a complexity closely related only to the number of non-linear operations (and thus MC of the related circuit).

The number of non-linear operations in hardware realization of S-boxes is also important for implementations resistant against the first-order DPA [1]. However, in this area the complexity is usually expressed in the number of G F(2ⁿ) multiplications instead of just G F(2) multiplications (AND gates) [7, 15]. We discuss the problem of connection between G F(2ⁿ)-multiplicative complexity and G F(2)-multiplicative complexity in Section 6.

It is easy to show that MC is invariant under affine transforms of the S-box. Thus it is possible to study MC of affine classes of S-boxes instead of individual ones. We investigate S-boxes with low multiplicative complexity. Our contribution is two-fold. First, we show that there is only a single affine class of n×n S-boxes with MC equal to 1 for any n. Then we explore small 3×3 S-boxes, and show that all 4 affine classes can be generated as a composition of the single MC1 S-box. We show that this result does not hold for larger n’s.

Our additional results for n=4 are mostly computer generated. We have implemented an algorithm that allows us to enumerate affine classes of S-boxes up to a given MC (feasible up to 4). Then, using composition of S-boxes of MC at most 3, we have found that the limit on MC in case n=4 is 5. I.e., each 4×4 S-boxes can be realized using at most 5 AND-gates. We provide the statistics and the list of representatives of the affine classes along with their multiplicative complexity.

2 Preliminaries

In the article, the term (n-bit) S-box will denote a bijective vectorial Boolean function S:G F(2)ⁿ→G F(2)ⁿ. An affine mapping is a bijective vectorial Boolean function A:G F(2)ⁿ→G F(2)ⁿ,A(x)=A⋅x+c, where c∈G F(2)ⁿ, and A∈G F(2)^(n×n) is an invertible n×n matrix over G F(2). If c=0, mapping A is linear. As usual, we denote the set of affine mappings over G F(2)ⁿ by A f f(2,n).

Let us define a relation: S ₁∼S ₂ iff there exist two affine mappings A ₁,A ₂, such that A ₁∘S ₁=S ₂∘A ₂. It is easy to show that ∼ is an equivalence relation. We will call S ₁∼S ₂ affinely equivalent.

We will call an S-box with the property S(0)=0 a constant-free S-box. From any S-box we can get an affine equivalent constant-free S-box by using the affine mapping S(x)↦S(x)+S(0). Every bijective S-box is affinely equivalent to a function that keeps the canonical basis invariant (see Lemma 1), i.e., S(e ⁽ⁱ⁾)=e ⁽ⁱ⁾, where e ⁽ⁱ⁾ denotes a vector with a single one on i-th position. We call a bijective constant-free function that keeps canonical basis invariant a normalized S-box. Each affine class of bijective S-boxes contains a normalized S-box.

Lemma 1

Let S:GF(2) ⁿ →GF(2) ⁿ be a bijective function. Then there exist two non-singular matrices A,B ∈GF(2) ^(n×n) , and a constant vector c ∈GF(2) ⁿ , such that the function F:GF(2) ⁿ →GF(2) ⁿ ,F( x)=A⋅S(B⋅x)+c is a normalized S-box. That is, F(0)=0, and F( e ⁽ⁱ⁾ )= e ⁽ⁱ⁾ for i=1,2,…,n.

Proof

Let us define a new notation useful for the proof: let M be an arbitrary n×n matrix. We denote the i-the column of M by M ⁽ⁱ⁾. Note that M ⁽ⁱ⁾=M⋅e ⁽ⁱ⁾.

Let S _B denote a vectorial Boolean function given by a choice of n×n matrix B:

$$S_{\mathbf{B}} = S(\mathbf{B} \cdot \mathbf{x}) + S(\mathbf{0}). $$

It is easy to see that S _B is a bijection only if B is non-singular. We also note that S _B (0)=0. Let us construct an n×n matrix M _B with columns given by \(\mathbf {M}_{\mathbf {B}}^{(i)} = S_{\mathbf {B}}(\mathbf {e}^{(i)})\). If matrix M _B is non-singular, then we can define a vectorial Boolean function F as \(F(\mathbf {x})= \mathbf {M}_{\mathbf {B}}^{-1}\cdot S_{\mathbf {B}}(\mathbf {x}) = \mathbf {M}_{\mathbf {B}}^{-1}\cdot S(\mathbf {B} \cdot \mathbf {x}) + \mathbf {M}_{\mathbf {B}}^{-1}\cdot S(\mathbf {0})\). It is easy to verify that F has the desired properties F(0)=0, and F(e ⁽ⁱ⁾)=e ⁽ⁱ⁾. Thus, for a given B, we get \(\mathbf {A}=\mathbf {M}_{\mathbf {B}}^{-1},\) and \(\mathbf {c}=\mathbf {M}_{\mathbf {B}}^{-1}\cdot S(\mathbf {0})\), respectively.

To prove Lemma 1, we must show that for an arbitrary S-box S we can always find a suitable non-singular matrix B producing a corresponding non-singular matrix M _B .

Recall that columns of B and M _B are connected by the following equation:

$$ \mathbf{M}_{\mathbf{B}}^{(i)} = S_{\mathbf{B}}(\mathbf{e}^{(i)}) = S(\mathbf{B} \cdot \mathbf{e}^{(i)}) + S(\mathbf{0}) = S(\mathbf{B}^{(i)}) + S(\mathbf{0}). $$

(1)

Because S is a bijection, there is a single vector \(\mathbf {M}_{\mathbf {B}}^{(i)}\) corresponding to a given B ⁽ⁱ⁾ (and vice-versa). Moreover, since S _B has a fixed point at zero, a non-zero column B ⁽ⁱ⁾ always corresponds to a non-zero column \(\mathbf {M}_{\mathbf {B}}^{(i)}\).

Let I be the n×n identity matrix. Let M _I have t<n linearly independent columns (if t=n, we can set B=I and we are done). We can swap columns of M _I , along with the corresponding columns of I to produce a permutation matrix B _t , for which exactly the first t columns of \(\mathbf {M}_{\mathbf {B}_{t}} \) are linearly independent (recall that M _I =S(e ⁽ⁱ⁾)+S(0), and \(\mathbf {M}_{\mathbf {B}_{t}}^{(i)}=S(\mathbf {M}_{\mathbf {B}_{t}}^{(i)}) + S(\mathbf {0})\), respectively). We now have two corresponding matrices B _t , \(\mathbf {M}_{\mathbf {B}_{t}} \), with first t<n columns linearly independent.

Let \(\mathcal {S}\) denote a set of vectors v for which u=S(v)+S(0) (see (1)) is not a linear combination of vectors \(\mathbf {M}_{\mathbf {B}_{t}}^{(1)}\), \(\mathbf {M}_{\mathbf {B}_{t}}^{(2)}\), …, \(\mathbf {M}_{\mathbf {B}_{t}}^{(t)}\). There are 2^t forbidden vectors u, thus \(|\mathcal {S}| = 2^{n} - 2^{t}\). Note that \(\mathbf {0} \not \in \mathcal {S}\). Let us further exclude from \(\mathcal {S}\) all non-zero linear combinations of vectors \(\mathbf {B}_{t}^{(1)}\), \(\mathbf {B}_{t}^{(2)}\), …, \(\mathbf {B}_{t}^{(t)}\), giving us set \(\mathcal {S}'\). There are 2^t−1 non-zero linear combinations of vectors \(\mathbf {B}_{t}^{(1)}\), \(\mathbf {B}_{t}^{(2)}\), …, \(\mathbf {B}_{t}^{(t)}\), thus \(|\mathcal {S}'| \geq |\mathcal {S}| - (2^{t}-1) = 2^{n}-2^{t+1}+1\). Using t<n, we get \(|\mathcal {S}'| \geq 1\), so there exists at least one vector in \(|\mathcal {S}'|\). Now let \(\mathbf {B}_{t+1}^{(i)} = \mathbf {B}_{t}^{(i)}\) for each i≠t+1, and let us select any vector \(\mathbf {B}_{t+1}^{(t+1)} \in \mathcal {S}'\). This choice ensures that the first t+1 columns of both B _t+1, and the corresponding \(\mathbf {M}_{\mathbf {B}_{t}} \) are linearly independent.

We can now repeat this procedure with matrices B _t+1,B _t+2 …, B _n−1. Final pair B _n , \(\mathbf {M}_{\mathbf {B}_{n}} \) will be a pair of required non-singular matrices, which completes the proof.

There are different systems of representatives for known affine classes of S-boxes [1, 6, 12, 16]. We propose to use a combination of [16], and [1]: As a natural representative we use the first normalized S-box in a lexicographic order. In the appendix we use the numbering of classes from [1], and our system of representatives.

We denote a normalized representative of S-box S by S ^∗. The following conditions hold:

1. 1.

   S∼S ^∗,

2. 2.

   S ^∗ is normalized,

3. 3.

   for each S ₁∼S: S ^∗≤_lex S ₁.

All affine mappings are affinely equivalent with the identity mapping. For n>2, all affine mappings are even permutations, thus all permutations in an affine class are either odd or even.

Definition 1

Multiplicative complexity of Boolean function F:G F(2)ⁿ→G F(2)ⁿ is the (minimum) number of G F(2) multiplications sufficient and necessary to compute F(x) for any x.

We will denote multiplicative complexity of function F by M C(F). Equivalent definition of multiplicative complexity is based on the number of (2-input) AND-gates in (∧,⊕,1) algebra, where ∧ (AND) is multiplication in G F(2), ⊕ is addition in G F(2), and negation is computed by adding a constant, i.e., x⊕1. We do not need to consider the addition of constants for constant-free S-boxes (i.e., S(0)=0) (see Lemma 2 in [11]).

Multiplicative complexity has been intensively studied in the context of quadratic forms [14, 17], simple Boolean predicates [11], and symmetric functions [4]. However, not much is known in the case of vectorial Boolean functions (and S-boxes).

It is easy to see that multiplicative complexity of all S-boxes in an affine class is the same. Thus it is sufficient to compute the multiplicative complexity of the selected representatives of affine classes. One possible practical approach to computing multiplicative complexity was presented by Courtois [9]. In this case, a problem of computing M C(S) is converted to an instance of SAT, and verified by a SAT solver (top-down approach). Another practical approach is presented by Ullrich et. al [18]. The main idea is to go through all possible combinations of an instruction set (in case of constant-free S-boxes these consists only of AND, and XOR instructions) by a search, until each class is enumerated (bottom-up approach). We use the bottom-up approach, however, unlike in [18], our approach presented in Section 5 focuses strictly on multiplications. Furthermore, it is complemented by a different approach based on the composition, using the fact that M C(S ₁∘S ₂)≤M C(S ₁)+M C(S ₂).

3 Bijective S-boxes with multiplicative complexity 1

The purpose of this section is to show that there is only a single affine class of bijective S-boxes with multiplicative complexity 1 for any n≥3. Moreover, we can choose a very specific representative of this class, which can be realized by a generalization of the circuit depicted in Fig. 1. We formalize this result in Theorem 1, and the rest of this section contains the proof of this theorem.

Fig. 1

The representative Λ₄ of the affine class of bijective 4×4 S-boxes with M C(S)=1. Inputs and outputs are numbered from bottom up

Theorem 1

Let S:GF(2) ⁿ →GF(2) ⁿ be a bijective vectorial Boolean function with multiplicative complexity 1. Then for n≥3 it is affinely equivalent to Λ _n :GF(2) ⁿ →GF(2) ⁿ ,

$$\Lambda_{n}(\mathbf{x}) = (x_{1}+x_{n-1} x_{n}, x_{2}, \ldots, x_{n-1}, x_{n}). $$

Proof

To prove the Theorem 1, we will first restrict the search using Lemma 2. Then we need to prove Lemma 4 that provides a generic formula S-boxes with multiplicative complexity 1. For the proof of Lemma 4, we will use Lemma 3. Afterwards, we finish the proof by using affine equivalence. The first two lemmas are rather trivial, but we include them for the sake of completeness. Lemma 4 is also relatively straightforward, as there are not many choices we can make if we can only use a single AND gate to construct a Boolean function. However, a special care is needed to show the conditions that guarantee that this function is bijective.

Lemma 2

Any S-box S is affinely equivalent to S-box S _c given by S _c (x)=S(x)+ c.

Lemma 2 is trivially derived from the definition of affine equivalence.

If we choose c=S(0), we get a constant free S-box with S _c (0)=0. Using Lemma 2, and the transitivity of affine equivalence, we only need to prove Theorem 1 for constant-free S-boxes.

Lemma 3

Let f,g,h:GF(2) ⁿ →GF(2), and let h( x)=f(x)⋅g(x). If f,g are distinct balanced Boolean functions, then their product h is not balanced.

Proof

Function f is balanced, so there are exactly 2ⁿ⁻¹ points where f(x)=1. We can only get h(x)=1, if both f(x)=1, and g(x)=1. Functions f, and g are distinct, so there is at least one point such that f(x)=1, and g(x)=0. Thus there are at most 2ⁿ⁻¹−1 points, where h(x)=1, which means that h is not balanced.

It is a well known that all (non-constant) affine Boolean functions are balanced. Thus, a corollary of Lemma 3 is that a product of two affine Boolean functions is not balanced. We use this fact in the proof of Lemma 4.

Lemma 4

Any bijective n-bit S-box S with S( 0)=0, and multiplicative complexity MC(S)=1, can be written in the form

$$ S(\mathbf{x}) = \mathbf{M} \mathbf{x} + \left((\mathbf{a}^{T} \mathbf{x}) \cdot (\mathbf{b}^{T} \mathbf{x})\right) \mathbf{d}, $$

(2)

where a,b,d ∈GF(2) ⁿ ∖{ 0}, a≠b, M is an invertible n×n matrix over GF(2), and a ^T M ⁻¹ d=b ^T M ⁻¹ d =0.

Proof

It is easy to see that any S given by (2) has MC at most 1, and that (2) covers any Boolean function that can be realized by a single G F(2) multiplication. We must show that conditions of Lemma 4 are necessary and sufficient for S to be a non-linear bijection.

If a={0}, b={0}, or d={0}, formula (2) is reduced to S(x)=M x, which means that S is a linear function. Similarly, if a=b, we get

$$ S(\mathbf{x}) = \mathbf{M} \mathbf{x} + (\mathbf{a}^{T} \mathbf{x}) \mathbf{d} = \left(\mathbf{M} + \mathbf{d} \mathbf{a}^{T}\right) \mathbf{x}, $$

which is also a linear function. In any other case the non-linear terms provided by ((a ^T x)⋅(b ^T x))d cannot be cancelled out. Thus S is non-linear (with M C(S)=1), if and only if the following conditions hold: a,b,d≠{0}, and a≠b, respectively.

The remaining conditions of Lemma 4 are needed to ensure that S is a bijective function. First we will show that if M is singular, then S cannot be bijective. Let u be any non-zero vector from the kernel of the mapping M x. We can find 2ⁿ⁻¹ pairs of vectors (x ₁,x ₂=x ₁+u), such that M x ₁=M x ₂. If S is a bijection than for each pair x ₁≠x ₂ we must get S(x ₁)≠S(x ₂), or equivalently S(x ₁)+S(x ₂)≠0.

We can rewrite this using (2) to:

$$ S(\mathbf{x}_{1}) + S(\mathbf{x}_{2}) = \left((\mathbf{a}^{T} \mathbf{x}_{1}) \cdot (\mathbf{b}^{T} \mathbf{x}_{1}) + (\mathbf{a}^{T} \mathbf{x}_{2}) \cdot (\mathbf{b}^{T} \mathbf{x}_{2})\right) \mathbf{d} \neq \mathbf{0}, $$

and thus

$$ \left((\mathbf{a}^{T} \mathbf{x}_{1}) \cdot (\mathbf{b}^{T} \mathbf{x}_{1}) \neq (\mathbf{a}^{T} \mathbf{x}_{2}) \cdot (\mathbf{b}^{T} \mathbf{x}_{2})\right). $$

(3)

Let g(x)=(a ^T x)⋅(b ^T x). Condition (3) means that g must be a balanced Boolean functions, because we must choose the pairs (x ₁,x ₂) in such a way that g(x ₁)=0, and g(x ₂)=1. On the other hand, g is a product of two distinct linear functions a ^T x, and b ^T x, which are balanced, and according to Lemma 3, g is not balanced. So there is no suitable function g, and thus S cannot be a bijection if there is a non-zero vector u in the kernel of the mapping M x, i.e., if M is singular. Thus if S is bijective, M must be an invertible matrix. On the other hand, just the condition that M is invertible is not sufficient for bijective S.

Finally, we must show (by contradiction) that last two conditions a ^T M ⁻¹ d=0, and b ^T M ⁻¹ d=0, are necessary and sufficient for bijective S. Without the loss of generality, let a ^T⋅M ⁻¹ d=1 (similarly for b). Let us consider function h(x)=a ^T M ⁻¹ S(x). If S is bijection then h must be a balanced Boolean function [13].

However, if we rewrite h using formula (2):

$$\begin{array}{*{20}l} h(\mathbf{x}) &= \mathbf{a}^{T} \mathbf{M}^{-1} \mathbf{M} x + \left((\mathbf{a}^{T} \mathbf{x}) \cdot (\mathbf{b}^{T} \mathbf{x})\right) \mathbf{a}^{T} \cdot \mathbf{M}^{-1} \mathbf{d}\\ &= \mathbf{a}^{T} \mathbf{x} + (\mathbf{a}^{T} \mathbf{x}) \cdot (\mathbf{b}^{T} \mathbf{x}) \\ &= (\mathbf{a}^{T} \mathbf{x}) \cdot (1 \oplus \mathbf{b}^{T} \mathbf{x}), \end{array} $$

we can see that h is a product of two distinct affine functions. According to Lemma 3, h cannot not balanced. Thus we get a contradiction, so both a ^T M ⁻¹ d=0, and b ^T M ⁻¹ d=0, must hold to get bijective S.

On the other hand, let us suppose that S is not bijective, i.e., S(x ₁)=S(x ₂) for some x ₁≠x ₂. From S(x ₁)=S(x ₂) we can derive that

$$\mathbf{x}_{1} + \mathbf{x}_{2} = \left((\mathbf{a}^{T} \mathbf{x}_{1}) \cdot (\mathbf{b}^{T} \mathbf{x}_{1}) + (\mathbf{a}^{T} \mathbf{x}_{1}) \cdot (\mathbf{b}^{T} \mathbf{x}_{1})\right) \mathbf{M}^{-1} \mathbf{d} $$

Multiplying by a ^T, and b ^T, we get that

$$ \mathbf{a}^{T}(\mathbf{x}_{1}+\mathbf{x}_{2}) = \mathbf{b}^{T}(\mathbf{x}_{1}+\mathbf{x}_{2}) = \mathbf{0}, $$

(4)

or equivalently

$$ \mathbf{a}^{T} \mathbf{x}_{1} = \mathbf{a}^{T} \mathbf{x}_{2},\quad\text{and}\quad \mathbf{b}^{T} \mathbf{x}_{1} = \mathbf{b}^{T} \mathbf{x}_{2}. $$

(5)

Rewriting S(x ₁+x ₂) using (2) yields

$$S(\mathbf{x}_{1} + \mathbf{x}_{2}) = \left((\mathbf{a}^{T} \mathbf{x}_{1}) \cdot (\mathbf{b}^{T} \mathbf{x}_{2}) + (\mathbf{a}^{T} \mathbf{x}_{2}) \cdot (\mathbf{b}^{T} \mathbf{x}_{1})\right) \mathbf{d}. $$

Using (5), we finally get S(x ₁+x ₂)=0. But S is constant-free, so x ₁+x ₂=0. This is a contradiction, so S must be a bijection.

Now, let us return the the proof of Theorem 1. Conditions of Lemma 4 are easy to verify for S-box Λ _n . We have M=I (identity matrix), and a=e ⁽ⁿ⁻¹⁾, b=e ⁽ⁿ⁾, d=e ⁽¹⁾, where vector e ⁽ⁱ⁾∈G F(2)ⁿ has only a single one on i-th position. Using (e ⁽ⁱ⁾)^T e ^(j)=0, for i≠j, it is easy to see that a ^T M ⁻¹ d=b ^T M ⁻¹ d=0.

Lemma 4 tells us how all bijective constant-free Boolean functions with multiplicative complexity 1 look like. Now we would like to show that for any permissible choice of parameters we can find two invertible matrices A, B, such that S(x)=BΛ _n (A x).

Let A be an invertible matrix chosen (at first) arbitrarily, with rows denoted by \(\mathbf {u}_{1}^{T}, \ldots , \mathbf {u}_{n}^{T}\). We remark that \((e^{(i)})^{T} \mathbf {A} = \mathbf {u}_{i}^{T}.\) Let B=M A ⁻¹. For linearly equivalent S-box S we can write

$$\begin{array}{*{20}l} S(\mathbf{x}) = \mathbf{B} \Lambda_{n} (\mathbf{A} \mathbf{x}) &= \mathbf{B} \mathbf{A} \mathbf{x} + \left((\mathbf{u}_{n-1}^{T} \mathbf{x}) \cdot (\mathbf{u}_{n}^{T} \mathbf{x})\right) \mathbf{B} \mathbf{e}^{(1)} \end{array} $$

(6)

$$\begin{array}{*{20}l} = \mathbf{M} \mathbf{x} + \left((\mathbf{u}_{n-1}^{T} \mathbf{x}) \cdot (\mathbf{u}_{n}^{T} \mathbf{x})\right) (\mathbf{M}\mathbf{A}^{-1} \mathbf{e}^{(1)}). \end{array} $$

(7)

Comparing (6) with (2), we require that u _n−1=a, u _n =b, and M A ⁻¹ e ⁽¹⁾=d, respectively. We must show that under these conditions it is still possible to construct matrix A for any permissible a, b, M, d.

Conditions of Lemma 4 a,b≠0, and a≠b guarantee that the last two rows of matrix A are linearly independent.

Matrix M is invertible, so we can rewrite M A ⁻¹ e ⁽¹⁾=d as A ⁻¹ e ⁽¹⁾=M ⁻¹ d. In other words, the first column of matrix A ⁻¹ must be equal to M ⁻¹ d.

Using identity A A ⁻¹=I we get

$$ \mathbf{u}_{i}^{T} \cdot \mathbf{M}^{-1} \mathbf{d} =\left\{ \begin{array}{ll} 1 \text{ if } i = 1, \\0 \text{ otherwise}. \end{array}\right. $$

(8)

Conditions a ^T M ⁻¹ d=b ^T M ⁻¹ d=0 of Lemma 4 guarantee that these conditions hold for prescribed vectors u _n−1=a, and u _n =b, respectively. We can always choose the set of remaining n−3, such that all u _i are linearly independent, and conditions (8) hold. E.g., we can choose u ₁=e ^(j), where j is the position of the first non-zero bit of M ⁻¹ d. For other vectors, we can try to use remaining basis vectors. If we get a conflict u _i M ⁻¹ d=1, we replace the offending vector by u _i +u ₁.

This completes the proof that any constant-free S-box S with n≥3, and M C(S)=1, if affinely (even linearly) equivalent with Λ _n . Now using Lemma 2 we can also drop the condition S(0)=0, and thus finish the proof of Theorem 1.

4 Bijective 3×3 S-boxes

In case of n=3, there are only 4 affine classes of 3×3 bijective S-boxes [1]. Thus, the situation with multiplicative complexity can be examined easily:

1. 1.

   All affine S-boxes are in the same class \(\mathcal {A}^{3}_{0}\) as the identity permutation 01234567.

2. 2.

   Permutation Λ₃ (01234576), class \(\mathcal {Q}^{3}_{1}\) is given by a single swap, thus it is an odd permutation. According to Theorem 1, Λ₃ is the only affine class with multiplicative complexity 1.

3. 3.

   A representative 01234756 of class \(\mathcal {Q}^{3}_{2}\) can be written as Λ₃∘rot₋₁∘Λ₃∘rot₁, where rot _n denotes a rotation of a bit vector by n positions (x _i ↦x _i+n ), giving \(MC(\mathcal {Q}^{3}_{2}) \leq 2\). Using Theorem 1, we can see that \(MC(\mathcal {Q}^{3}_{2}) = 2\).

4. 4.

   Finally, representative 01254736 of class \(\mathcal {Q}^{3}_{3}\) can be constructed as depicted in Fig. 2. Thus \(MC(\mathcal {Q}^{3}_{3}) \leq 3\). Theorem 1 gives \(MC(\mathcal {Q}^{3}_{3}) > 1\).

Fig. 2

Construction of representatives of affine classes of 3×3 S-boxes

We remark that in the case n=3, each class can be generated using the construction S=(Λ₃∘rot₋₁)^c, where c is the desired multiplicative complexity.

5 Multiplicative complexity of bijective 4×4 S-boxes

The situation for n=4 is more complicated, as there are are 16! S-boxes (11! normalized) in 302 affine classes of 4×4 bijective S-boxes [1]. It is still feasible to examine multiplicative complexities of 4×4 bijective S-boxes using a reasonable amount of computing power. Recall that we only need to compute multiplicative complexity of the representatives of affine classes.

First, let us extend the ∗-notation to sets of S-boxes. Let \(\mathcal {S}\) be a set of S-boxes. By \(\mathcal {S}^{*}\) we denote a set of representatives of affine classes of S-boxes in \(\mathcal {S}\). That is, \(\mathcal {S}^{*} = \{S^{*}; S \in \mathcal {S}\}\).

We compute the multiplicative complexity of affine classes of S-boxes using the following idea. Let \(\mathcal {M}_{c}\) be a set of all S-boxes with M C(S)≤c. Then clearly M C(S)=c for each \(S \in \mathcal {M}_{c} \setminus \mathcal {M}_{c-1}\). Set \(\mathcal {M}_{c}\) is defined by these 2 conditions:

1. 1.

   for each \(S \in \mathcal {M}_{c}\), M C(S)≤c;

2. 2.

   if M C(S)≤c, then \(S \in \mathcal {M}_{c}\);

A set that fulfils condition 1 can be constructed by defining a set of circuits that use at most c 2-input AND gates. However, it is more difficult to ensure that condition 2 holds. As \(\mathcal {M}_{c}\) is large, in practice we want to work with the set \(\mathcal {M}_{c}^{*}\) instead.

Affine transformations do not require any multiplications, and non-linear transformations require at least one multiplication. Thus \(\mathcal {M}_{0}^{*} = Aff(2,n) = \{ id \}\). In Section 3 we have shown that there is only one class of S-boxes with multiplicative complexity 1, so we also know that¹

$$\mathcal{M}_{1}^{*} = \{ id, \Lambda_{n} \}. $$

For larger c, it is more difficult to ensure the construction of representatives directly. Instead, we will construct a set \(\mathcal {C}\) with the following properties:

• for each \(S \in \mathcal {C}\), M C(S)≤c;

• for each S with M C(S)≤c, there exist \(S_{1} \in \mathcal {C}\) such that S∼S ₁;

Then \(\mathcal {C}^{*} = \mathcal {M}_{c}^{*}\).

To produce sets \(\mathcal {C}\) we use two constructions based on Lemma 5 (composition), and Lemma 6 (expansion and compression), respectively.

Lemma 5

Let

$$ \mathcal{C}_{i,j} = \{ S_{2} \circ A \circ S_{1}; S_{1} \in \mathcal{M}_{i}^{*}, S_{2} \in \mathcal{M}_{j}^{*}, A \in Aff(2,n)\}. $$

Then for each \(S \in \mathcal {C}_{i,j}\) : MC(S)≤i+j.

Proof

S ₁ from the definition of \(\mathcal {C}_{i,j}\) can be constructed by using i G F(2) multiplications, and S ₂ using j multiplications, respectively. Affine transformation does not require multiplications. Thus any S-box in \(\mathcal {C}_{i,j}\) can be constructed using at most i+j multiplications.

As seen in Section 4, Lemma 5 can be used to construct all affine classes of bijective 3×3 S-boxes: \(\mathcal {M}_{2}^{*} = \mathcal {C}_{1,1}^{*}\), \(\mathcal {M}_{3}^{*} = \mathcal {C}_{2,1}^{*}\). The situation is different for n>3, as \(\mathcal {M}_{1}^{*}\) contains only even permutations, and thus we cannot construct odd permutations using only the iteration process based on Lemma 5.

Lemma 6

Let E _n :GF(2) ⁿ →GF(2) ⁿ⁺¹ ,

$$ E_{n}(\mathbf{x}) = \left(x_{1},x_{2},\ldots,x_{n}, (\mathbf{b}_{1}^{T} \cdot \mathbf{x})\cdot (\mathbf{b}_{2}^{T} \cdot \mathbf{x})\right). $$

Let C _m,n :GF(2) ^m →GF(2) ⁿ be a linear function. Any Boolean function F:GF(2) ⁿ →GF(2) ⁿ with F( 0)=0, and multiplicative complexity MC(F)≤c can be written as a composition

$$ F = C_{n+c,n} \circ E_{n+c-1} \circ \cdots \circ E_{n+1} \circ E_{n}. $$

Proof

Let c=0. Any function with F(0)=0, and M C(F)=0 is a linear function, which can be written as F=C _n,n .

Let c=1. Circuit to implement function F with M C(F)=1 must contains a single AND-gate. Circuit have n inputs x ₁,…,x _n . A circuit can implement any number of affine functions, i.e., functions h _i (x)=a _i ⋅x+c _i . At most n+1 of these functions are linearly independent. Let one of the independent functions be h ₀=1, and the n others h _i =e ⁽ⁱ⁾⋅x, i= 1,…,n.

Two inputs of the AND-gate can be consist of any affine transformation of available inputs, and the AND-gate provides a single output. The AND-gate can be expressed by the function \(g(\mathbf {x}) = (\mathbf {b}_{1}^{T} \cdot \mathbf {x} + d_{1})\cdot (\mathbf {b}_{2}^{T} \cdot \mathbf {x} + d_{2})\). We can move constants d ₁,d ₂ to the linear part of the circuit by constructing g as a sum g(x)=g ₁(( x))+g ₂(( x))+d ₁ d ₂, where

$$g_{1}(\mathbf{x}) = (\mathbf{b}_{1}^{T} \cdot \mathbf{x})\cdot(\mathbf{b}_{2}^{T} \cdot \mathbf{x}), $$

and

$$g_{2}(\mathbf{x}) = (d_{1} \mathbf{b}_{2}^{T} + d_{2} \mathbf{b}_{1}^{T}) \cdot \mathbf{x}. $$

Function g ₁ is linearly independent from any of h _i ’s (g ₂ is a linear combination of h _i ’s). Finally, we can construct any function with n outputs by using for each output any linear combination of n+2 linearly independent functions {1,h ₁,…,h _n ,g ₁}. However, F(0)=0, so each output f _i must be constant-free. Thus h ₀ is not used, and we get F as a linear combination of n+1 functions {h ₁,…,h _n ,g ₁}, which is exactly construction F=C _n+1,n ∘E _n .

Similarly, for larger c, each E is used to construct the next function g ₂,g ₃,…, that is the output of the additional AND-gate. The input of the new c-th gate can be any linear² combination of the previous functions h ₁,…,h _n ,g ₁,g ₂,…,g _n+c−1 (so we use E _n+c−1 as the expansion function). Finally, we use n linear combinations of h ₁,…,h _n ,g ₁,g ₂,…,g _n+c−1,g _n+c (compression function C _n+c,n ) to construct outputs of F.

Lemma 6 can be used to compute \(\mathcal {M}_{c}\) by computing the set (Fig. 3)

$$\{F = C_{n+c,n} \circ E_{n+c-1} \circ \cdots \circ E_{n+1} \circ E_{n}; F \text{ is bijection}\}^{*}. $$

Unfortunately, this direct approach is quite impractical, as the number of options when constructing F’s is too large even for small c,n. E.g. for n=4,c=2 we need to choose (4×2)+(5×4) bits to go through all E’s and C’s, which is 2²⁸ S-boxes (many repeated). For n=4,c=4 we get 2⁷⁶ S-boxes (for which we do not have enough computing power).

Fig. 3

Illustration of Lemma 6, the construction of a Boolean function with a multiplicative complexity 3. Matrices A,B denote the place of linear equivalence

Figures 4, and 5, respectively, denote five classes of bijective 4×4 S-boxes. Three even classes can be decomposed using Λ₄, two odd classes cannot be decomposed in this way.

Fig. 4

Three affine classes of even S-boxes with multiplicative complexity 2 (one of the classes has degree 3)

Fig. 5

Two affine classes of odd S-boxes with multiplicative complexity 2

The search can be sped up if we use affine equivalence, and search only for \(\mathcal {M}_{c}^{*}\). We can use the following properties of the construction:

1. 1.

   Multiplication is commutative, and (b ^T⋅x)⋅(b ^T⋅x)=b ^T⋅x. Thus we can restrict the search to b ₁<b ₂ (halves the search space for each E).

2. 2.

   We only search for a single S-box in each affine class. We can suppose that there is an input linear transformation given by an invertible matrix B (so we compute F(B x) instead of F(x)). Now we can replace b ₁, b ₂ in E _n by e ⁽¹⁾,e ⁽²⁾, and move b ₁, b ₂ into B instead (as the first two rows). Inner transformation B x can be ”removed” in compression function C. (A similar construction is used in the proof of Theorem 1).

3. 3.

   Similarly, we can replace b ₁, b ₂ in E _n+1 by the choice of the next two rows of B. However, we must take into account possible linear combination with the inputs of the first AND-gate, e.g. to produce linearly independent functions g ₁(x)=x ₁ x ₂, and g ₂(x)=x ₁ x ₃. For n=4,c=2 we get nine options (see Table 1). For each option there are roughly 2²⁴ matrices C that should be explored (e.g. if we require M C(S)=2, we can skip C’s that do not use the outputs of the AND-gates). This process can be extended even further, but it is impractical to implement.

4. 4.

   Using outer linear transform we can also reduce the number of C’s we need to explore. C _n+c,n is given by n×(n+c) matrix C. We can write C=A T, where T is an upper triangular matrix, and A is an invertible n×n matrix that can be removed as outer linear transform of affine equivalence.

5. 5.

   In each class we focus our attention to normalized S-boxes. Each normalized S-box can be written in the form S(x)=x+F(x), where the component functions of F do not contain any linear terms in their ANF’s. Due to this fact, we suppose (an unproven hypothesis, which were verified by computer search for n=4,c=2,c=3), that we only need to concentrate on functions for which C=(I|c ⁿ⁺¹⋯c ^n+c), where I is an identity matrix, so that

   $$ \mathbf{C}\cdot (E_{n+c-1} \circ \cdots \circ E_{n}) = \mathbf{x} + (\mathbf{c}^{n+1} \cdots \mathbf{c}^{n+c}) \left(\begin{array}{c} g_{1} \\ \vdots \\ g_{c} \end{array} \right). $$

Table 1 Combinations of the vectors for the first two expansions explored in construction of \(\mathcal {M}_{c}^{*}\) (n=4)

We have used the above method to compute (for n=4) \(\mathcal {M}_{2}^{*}\), \(\mathcal {M}_{3}^{*}\), and \(\mathcal {M}_{4}^{*}\), respectively. Computing \(\mathcal {M}_{2}^{*}\), \(\mathcal {M}_{3}^{*}\) is relatively fast. For c=4, we have reduced the search space (using the above reductions) to \(9\cdot 2^{25} \cdot 2^{16} \doteq 2^{44}\) S-boxes. For each function thus generated, we verify whether it is a permutation. If it is a permutation, it is normalized, and using a large lookup table (11! entries) its affine class is determined. The computation was distributed to 16 computing cores³, and took between 6 and 7 days in real time to finish.

Using the computed sets \(\mathcal {M}_{2}^{*}\), \(\mathcal {M}_{3}^{*}\), we have further computed the set \(\mathcal {D} = [\mathcal {C}_{2,3} \cap \mathcal {C}_{3,2}]^{*}\). This set contains all 302 affine classes⁴, thus \(\mathcal {D} = \mathcal {M}_{5}^{*}\), and M C(S)≤5 for each bijective 5×5 S-box.

5.1 Computational results

Computational results (n=4) are summarized in Appendix. For each S-box we give a proof of construction with the given number of multiplications. It can be viewed as an upper bound on its multiplicative complexity. Unfortunately, it should not be considered as the proven multiplicative complexity, mainly due to computer generated results.

In this section we highlight some of the observations: S-boxes with multiplicative complexity 2, statistics of the S-box classes, and finally the results for S-box classes with optimal linear and differential properties (including the PRESENT S-box).

Table 2 summarizes the statistics of the multiplicative complexity as presented in Appendix. For each multiplicative complexity we list the number of classes, and the number of normalized representatives of the class. Although the number of classes with multiplicative complexity 4 is higher, classes with multiplicative complexity 5 have a larger number of representatives (an average number of representatives grows with multiplicative complexity).

Table 2 Statistics of S-boxes according to multiplicative complexity

An important requirement for an S-boxes is its resistance against linear, and differential cryptanalysis, respectively. There are 16 affine classes of optimal 4×4 S-boxes [12]. Out of these classes, six classes have multiplicative complexity 4 (including PRESENT [3] S-box, see Fig. 6):

1. 1.

   even permutations: \(\mathcal {C}^{4}_{296},\mathcal {C}^{4}_{266},\mathcal {C}^{4}_{297},\mathcal {C}^{4}_{223}\) (G ₀,G ₁,G ₂,G ₈)

2. 2.

   odd permutations: \(\mathcal {C}^{4}_{209},\mathcal {C}^{4}_{210}\) (G ₁₄,G ₁₅)

Fig. 6

S-box construction which is affinely equivalent to PRESENT S-box, class \(\mathcal {C}^{4}_{266}\)

All other optimal classes have multiplicative complexity 5. We remark, that n×n S-box with M C(S) < n should not be used in the (classical SPN-like) cipher design, as we can always find a combination of inputs and outputs that sums to a constant (as there are only n−1 linearly independent non-linear component functions).

6 Conclusions and open questions

We show that there is a single class of bijective n×n S-boxes under affine equivalence (n≥3), represented by the permutation Λ _n . As Λ₃ is an odd permutation, it can be used to construct all affine classes of 3×3 S-boxes by composition, in such a way that multiplicative complexity corresponds to the number of Λ₃’s composed. For larger n’s Λ _n is an even permutation, and the composition based construction is not possible. We remark, that even if we add an odd permutation to the possible compositions, not all S-boxes can be decomposed in a similar way (such that the multiplicative complexity of the final S-box is given directly as a sum of multiplicative complexities of the composed S-boxes). However, the composition construction might be useful to prove the upper bounds on multiplicative complexity for a specific class of S-boxes. Using composition of S-boxes with multiplicative complexity 2, and 3, respectively, we have shown that multiplicative complexity of all 4×4 bijective S-boxes is at most 5. Combined with the SAT-solver based proofs of Courtois [9], we can be quite confident that some affine classes have multiplicative complexity exactly 5.

Using construction based on non-linear expansion and linear compression, we have computed the bounds for multiplicative complexities for each affine class of 4×4 S-boxes. Knowing S-box multiplicative complexity is useful for the optimal hardware implementation of the S-box, but it might also be used in algebraic cryptanalysis. Our construction can also be used for larger n’s to construct S-boxes with low multiplicative complexity. Unfortunately, in this case the number of possibilities, as well as the number of affine classes is much larger (already for n=5 the number is approx. 2⁶¹ [6]), so we cannot cover all classes (with the available computing power).

An interesting open question is the connection of multiplicative complexity based on G F(2) multiplications with masking complexity in G F(2ⁿ). In general, masking complexity is defined (Definition 3, [7]) as the number of non-linear multiplications required to evaluate polynomial representation of S-box over G F(2^k). Thus the multiplicative complexity is just a special case with k=1. On the other hand, in G F(2ⁿ) terms, multiplicative complexity expresses the minimum number of operations in the form T r(α ₁ x)T r(α ₂ x) required to evaluate the polynomial along with an unlimited number of linear operations.

The question of G F(2)-multiplicative complexity of multiplication in extension fields is intensively studied in the complexity theory area. E.g., it is known that to implement a G F(2⁴) multiplication we need at most eight G F(2) multiplications [8]. An important research question is to determine the optimal k (and the related circuit design) for general n (or a specific affine class of S-boxes) with respect to masking against DPA attacks. Our hypothesis is that optimum is obtained always at k=1: Let us suppose that we need at most M ₂(n) G F(2) multiplications to implement a single G F(2ⁿ) multiplication. Furthermore let the minimum number of non-linear G F(2ⁿ) multiplications to implement some S-box be k. Our hypothesis is that the multiplicative complexity of the S-box is significantly lower than k⋅M ₂(n). E.g., the masking complexity of PRESENT S-boxes and Serpent S-boxes in G F(2⁴) is 3 [15], but their multiplicative complexity (masking complexity over G F(2)) is significantly lower than the expected 3⋅8=24 (Serpent S-boxes 3 and 7 have MC =5, PRESENT S-box and other Serpent S-boxes have MC=4). If it is cheaper to mask 4 or 5 non-linear single-bit operations instead of 3 non-linear four-bit operations, than the choice of k=1 for evaluating masking complexity is more suitable.

Appendix

1.1 List of S-boxes

For each class of S-box we list its number according to [1] (we only list class number), its representative in hexadecimal notation (first normalized S-box in lexicographic order, prefix 01234 was removed to compress space), (upper bound on) multiplicative complexity, and the constructive proof of MC. The proof is either by composition of two S-boxes with lower MC, or by writing down coefficients of expansion-compression construction for an S-box in the given class (we do not provide a proof of affine equivalence with the representative). The expansion-compression proof was required for 2 S-boxes with M C(S)=2, 5 S-boxes with M C(S)=3, and 25 S-boxes with M C(S)=4.

The format of expansion-compression proof:

1. 1.

   Four (single-digit) hex numbers encode vectors c ⁿ⁺¹⋯c ⁿ⁺⁴,

2. 2.

   Eight (two-digit) hex numbers encode vectors b ₁,b ₂ for E ₄,E ₅,E ₆,E ₇.

Table 3

The format of composition proof S ₂∘A∘S ₁:

1. 1.

   S ₁ is representative of the first listed class;

2. 2.

   A is always linear transformation, encoded by 4 hexadecimal numbers, the images of 1,2,4,8 in this order (1 encodes e ⁽¹⁾).

3. 3.

   S ₂ is representative of the second listed class;

Table 4