Novel Optimized Implementations of Lightweight Cryptographic S-Boxes via SAT Solvers

An optimized implementation of S-boxes has a significant impact on the performance of cryptographic primitives. SAT-based methods can find optimal implementations for moderately sized S-boxes but their efficiency decreases when handling complex S-boxes. To improve the efficiency of the implementations, we propose two different methods, namely OR-encoding and IF-encoding, to encode the implementations of S-boxes. Furthermore, we also simplify the encoding of the outputs of logic gates and introduce new SAT-based search methods to optimize the implementations of S-boxes. Finally, to get a better trade-off between the search results (optimized implementations of S-boxes) and the search efficiency (in terms of time complexity), an encoding scheme using local solutions is proposed. Compared to the previous methods, our algorithms are relatively simple and more efficient. For instance, when a serial software implementation is considered, then the S-boxes of Sycon, ASCON, and the <inline-formula> <tex-math notation="LaTeX">$\chi $ </tex-math></inline-formula> function in Xoodyak, require 6, 1, and 2 fewer programming instructions, respectively, than the best known methods. Similar improvements are obtained for hardware implementations of S-boxes in some cryptographic primitives (e.g. LBlock, RECTANGLE, PRESENT/PHOTON-Beetle, TWINE, and ASCON), with the saving of gate equivalent (GE) that range from 1.67GE to 5.34GE compared to the current best implementations. Furthermore, our model can be applied to 6-bit, 7-bit, and 8-bit S-boxes, when the considered S-boxes are of low complexity.