CE39 - Sécurité Globale, Cybersécurité

Sboxes for Symmetric-Key Primitives – SWAP

Submission summary

Symmetric-key cryptology is one of the most important and active branches of cybersecurity. Block ciphers and hash functions are the most well-studied families of symmetric algorithms and are typically built by iterating several times a round function.

To prevent attacks, the round function has to be non-linear. The most common way for ensuring non-linearity while keeping good performances is to apply in parallel to the state an Sbox. An Sbox is a small function mapping n bits to m bits and it is usually the only source of non-linearity of a symmetric primitive. Its choice is thus crucial for the security of the overall construction.

One of the most popular attacks against symmetric-key primitives is differential cryptanalysis and a precise evaluation of its complexity has led to some design criteria for Sboxes. The main criterion is the differential uniformity. This parameter should be as small as possible in order to maximize the complexity of differential attacks, and the mappings with the lowest differential uniformity, named APN mappings, have been investigated in many works during the last thirty years. In parallel, the development of new attacks through the years has given rise to other criteria for the design of Sboxes. A good Sbox should for example have a high non-linearity, a low boomerang uniformity, a high algebraic degree and other more specific properties to resist linear, boomerang, algebraic, integral and other attacks.

On the other hand, the staggering increase of the number of connected objects and the emerging of new industry applications such as white-box cryptography, and fully homomorphic encryption (FHE), for which block ciphers and hash functions are crucial components, has led to new design principles for cryptographic primitives. Indeed, all these new computing environments and applications have specific efficiency and security requirements for which the current standards, too heavy and energy-demanding, cannot satisfy. Yet, the communications of these devices and applications have to be secured because they often treat data that is of paramount importance to the user's security (e.g., medical implants). Also, cryptographic primitives are in practice implemented on all kind of devices and architectures. The software or hardware implementations may provide an attacker with the opportunity to apply side-channel attacks and these must be taken into consideration when designing an Sbox. Indeed, a suitable Sbox choice may ease the use of masking in software or of a threshold implementation in hardware. Recent schemes with nearly optimal asymptotic complexity could also lead to specific design criteria. One of the goals of the Swap project, will be to study all these emerging use-cases and implementation paradigms to exhibit precise design criteria for Sboxes. Based on these criteria we will propose new constructions of Sboxes as a building block of larger cryptographic primitives that efficiently address the identified use-cases.

Unlike in more classical contexts, Sboxes that were designed for specific applications or environments are often built using lightweight subcomponents. The second goal of the Swap project will be to analyze the impact of the use of specific inner structures for designing Sboxes on cryptanalysis. We will target speed-ups of actual attacks, and also find new types of attacks exploiting unusual constructions and other representations.

Finally, our last goal will be to investigate new strategies for attacking the big APN problem, that is the existence of APN permutations for an even number of variables. This a long-standing challenge that has reached researchers far beyond its cryptographical origins.

In conclusion, the SWAP project aims at bringing together experts in Boolean functions, cryptanalysis and implementation aspects to explore all the above design principles for Sboxes, from the theoretical, practical and cryptanalytical points of view.

Project coordination

christina boura (Laboratoire de mathématiques de Versailles)

The author of this summary is the project coordinator, who is responsible for the content of this summary. The ANR declines any responsibility as for its contents.


LMV Laboratoire de mathématiques de Versailles
CryptoExperts / R&D
Centre de Recherche Inria de Paris

Help of the ANR 596,076 euros
Beginning and duration of the scientific project: January 2022 - 48 Months

Useful links

Explorez notre base de projets financés



ANR makes available its datasets on funded projects, click here to find more.

Sign up for the latest news:
Subscribe to our newsletter