Lightweight (AND, XOR) Implementations of Large-Degree S-boxes

The problem of finding a minimal circuit to implement a given function is one of the oldest in electronics. In cryptography, the focus is on small functions, especially on S-boxes which are classically the only non-linear functions in iterated block ciphers. In this work, we propose new ad-hoc automatic tools to look for lightweight implementations of non-linear functions on up to 5 variables for degree-4 S-boxes, 7 variables for degree-3 S-boxes and up to 9 variables for degree-2 S-boxes. These tools are mainly aimed at finding implementations of arbitrary cryptographic S-boxes, with the goal of enabling lightweight protected implementations (such as masking), hence we focus on two metrics
that we try to minimize : multiplicative depth and multiplicative complexity. We introduce new algorithms inspired by manual design strategies, relying on the precomputation of multiplicative tables and successive divisions which are instantiated into a tool specifically focused on binary operations AND and XOR.