[Cryptography] Gates are cheap. Should cipher design change?

Jerry Leichter leichter at lrw.com
Tue Mar 29 15:01:52 EDT 2016


> In addition, the original thought was about a "modern cipher". There are three such reasons I believe Simon meets this criterion. 1) Many would consider a cipher that is relatively trivial to analyze for security would be an advancement over many other ciphers. Algorithms with "expensive" gates (I read as complicated primitives) are harder to analyze. 2) S-Boxes have a significant amount of "magic" in the choice of the S-Box....
I don't have a reference, but as I recall, S-box design is hard *for small S-boxes*.  Once S-boxes get large enough, getting the necessary properties becomes much easier.

Of course, large S-boxes are a really bad idea for software implementations.  Whether you want to design something that is aimed, as exclusively as possible, at hardware implementations, is a whole other story.  The initial and final permutations in DES were allegedly added (though they have no security impact) because they were trivial in hardware but expensive in software - and the NSA at the time didn't believe in software cryptography.  Over the last 30 or so years, almost all crypto implementations have been in software - and we've discovered repeatedly that it's hard to avoid various kinds of side-channel attacks against software.  Since Intel moved AES support into hardware, we've seen some shift back from software to hardware (well, it's a mix, but the complicated performance-critical stuff is in hardware).  Perhaps that's where we're heading.

                                                        -- Jerry
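As an added illustration of the S-box property Jerry alludes to (not code from the thread or from any of the ciphers named), the following Python script computes the differential uniformity, the largest entry of the difference distribution table, for the designed 4-bit PRESENT S-box, the designed 8-bit AES S-box, and seeded random permutations of both sizes. The PRESENT and AES tables come from their published specifications; the random boxes and the seed 2016 are constructed here.

```python
import random

# PRESENT's 4-bit S-box (from the PRESENT specification), differentially 4-uniform.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """AES S-box: GF(2^8) inverse (0 -> 0) followed by the fixed affine map."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        v = inv
        for i in range(1, 5):                       # inv ^ rotl(inv, 1..4)
            v ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(v ^ 0x63)
    return box

def ddt_max(sbox):
    """Differential uniformity: max over nonzero dx and any dy of #{x : S(x) ^ S(x ^ dx) == dy}.
    Lower is better; divided by len(sbox) it is the best one-round differential probability."""
    size, best = len(sbox), 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

def compare():
    """Return {name: (max DDT entry, max differential probability)} for designed and
    random S-boxes; the random permutations use a fixed seed so runs are reproducible."""
    rng = random.Random(2016)
    rand4, rand8 = list(range(16)), list(range(256))
    rng.shuffle(rand4)
    rng.shuffle(rand8)
    boxes = {"PRESENT 4-bit": PRESENT, "random 4-bit": rand4,
             "AES 8-bit": aes_sbox(), "random 8-bit": rand8}
    return {name: (ddt_max(b), ddt_max(b) / len(b)) for name, b in boxes.items()}
```

Calling compare() gives the table: both designed boxes reach the optimum entry of 4, but the best differential through the 4-bit box still has probability 1/4, while an unoptimised random 8-bit permutation already lands far below that in absolute terms.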


