
A Quantitative Security Analysis of S-boxes in the NIST Lightweight Cryptography Finalists

Mahnoor Naseer, Sundas Tariq, Naveed Riaz, Naveed Ahmed, Shah Fahd, Mureed Hussain, Sajid Ali Khan

TL;DR

The paper investigates the S-boxes of six NIST LWC finalists (ASCON, ISAP, GIFT-COFB, Photon-Beetle, Elephant, Romulus) by applying a comprehensive set of cryptographic properties across diffusion, linear, differential, boomerang, differential-linear, algebraic, and side-channel analyses. It documents that many S-boxes exhibit weak avalanche behavior, fixed points, and high barycentric indicators, with several properties not meeting ideal bounds, and it highlights affine-equivalence effects on several metrics. A key contribution is the generation and evaluation of a new $4\times4$ S-box with optimized permutation, DU, AD, and LS, offering a trade-off analysis against finalists and underscoring the challenges of achieving simultaneous resilience to classical cryptanalysis and side-channel leakage. The results underscore that S-box quality alone cannot guarantee cipher security in lightweight designs; holistic consideration of diffusion layers, round constants, and implementation security is essential. Overall, the work provides a principled framework for component-level S-box assessment and demonstrates that even well-studied finalists may harbor exploitable weaknesses in their nonlinear layers, motivating further design refinements.

Abstract

Lightweight cryptography was primarily inspired by the design criteria of symmetric cryptography. It plays a vital role in ensuring the security, privacy, and reliability of microelectronic devices without compromising the overall functionality and efficiency. However, the increasingly platform-specific design requirements prompted the development of a standard lightweight algorithm. In 2017, NIST put forward security requirements for a standard lightweight scheme: a security strength of at least 112 bits against known cryptanalytic attacks, mitigation against side-channel and fault-injection attacks, and implementation efficiency. After three rounds of review, ASCON was crowned as the winner of the competition. Evaluating the individual components used in any cryptographic algorithm is an important step in the verification of security claims. A fundamental component used to ensure Shannon's property of confusion in cryptographic primitives is an S-box. Hence, the quality of an S-box is a significant contributing factor in the security strength of a cipher. In this paper, we evaluate the S-boxes of six NIST LWC competition finalists based on well-known cryptographic properties, and comment on how the results reflect upon NIST security requirements. Our findings have revealed that these S-boxes do not comply with the basic notions of avalanche, making them vulnerable to high-order sophisticated cryptanalysis.
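As an added illustration of the component-level metrics the TL;DR and abstract refer to (this is not code from the paper), the following computes fixed points, differential uniformity, linearity and strict-avalanche counts for a 4-bit S-box given as a lookup table. The identity table is a constructed worst case; the GIFT table is reproduced from the GIFT specification and is the S-box used by the GIFT-COFB finalist.

```python
# Added example (not from the paper): metrics for a 4-bit S-box given as a table:
# fixed points, differential uniformity (DDT), linearity (Walsh) and SAC counts.
def is_permutation(sbox):
    """Bijectivity check: every output value must appear exactly once."""
    return sorted(sbox) == list(range(len(sbox)))
def fixed_points(sbox):
    """Inputs x with S(x) = x; the paper flags these as undesirable."""
    return [x for x, y in enumerate(sbox) if x == y]
def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table
def differential_uniformity(sbox):
    """Largest DDT entry over non-zero input differences (4 is optimal for 4 bits)."""
    return max(v for row in ddt(sbox)[1:] for v in row)
def walsh(sbox, a, b):
    """Walsh coefficient W(a, b) = sum_x (-1)^(a.x XOR b.S(x)) for bit masks a, b."""
    parity = lambda v: bin(v).count("1") & 1
    return sum(1 - 2 * parity((a & x) ^ (b & sbox[x])) for x in range(len(sbox)))
def linearity(sbox):
    """max |W(a, b)| over non-zero output masks; 8 is the best possible for 4 bits."""
    n = len(sbox)
    return max(abs(walsh(sbox, a, b)) for a in range(n) for b in range(1, n))
def avalanche_counts(sbox, bits=4):
    """counts[i][j] = #{x : flipping input bit i flips output bit j}.
    The strict avalanche criterion requires every entry to equal len(sbox) / 2."""
    n = len(sbox)
    counts = [[0] * bits for _ in range(bits)]
    for x in range(n):
        for i in range(bits):
            dy = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(bits):
                counts[i][j] += (dy >> j) & 1
    return counts
def sac_violations(sbox, bits=4):
    """Number of (input bit, output bit) pairs that miss the ideal 50% flip rate."""
    half = len(sbox) // 2
    return sum(1 for row in avalanche_counts(sbox, bits) for c in row if c != half)

IDENTITY = list(range(16))  # constructed worst case: affine, every point fixed
# GIFT S-box as published in the GIFT specification (Banik et al., CHES 2017);
# it is the nonlinear layer of GIFT-COFB, one of the finalists the paper studies.
GIFT_SBOX = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9, 0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]
```

Running `sac_violations(GIFT_SBOX)` shows a non-zero count, which is the kind of avalanche deviation the abstract reports; swapping in another finalist's S-box table reproduces the same checks for that cipher.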
