A New Method for Designing Lightweight S-Boxes With High Differential and Linear Branch Numbers, and its Application

Bit permutations are efficient linear functions often used for lightweight cipher designs. However, they have low diffusion effects, compared to word-oriented binary and maximum distance separable (MDS) matrices. Thus, the security of bit permutation-based ciphers is significantly affected by differential and linear branch numbers (DBN and LBN) of nonlinear functions. In this paper, we introduce a widely applicable method for constructing S-boxes with high DBN and LBN. Our method exploits constructions of S-boxes from smaller S-boxes and it derives/proves the required conditions for smaller S-boxes so that the DBN and LBN of the constructed S-boxes are at least 3. These conditions enable us to significantly reduce the search space required to create such S-boxes. Using the unbalanced-Bridge and unbalanced-MISTY structures, we develop a variety of new lightweight S-boxes that provide not only both DBN and LBN of at least 3 but also efficient bitsliced implementations including at most 11 nonlinear bitwise operations. The new S-boxes are the first that exhibit these characteristics.


I. INTRODUCTION
The fourth industrial revolution encompasses a wide range of advanced technologies. One of its core elements is the Internet of Things (IoT), which binds together people, objects, processes, data, applications, and services. However, trustworthy systems are required to enable secure and reliable IoT-based infrastructures, and an essential building block for such systems is cryptography.
Since most devices in the IoT environment have limited resources and are small, lightweight cryptography is essential to provide their security. ISO/IEC has even standardized some lightweight block ciphers, such as PRESENT [1] and CLEFIA [2]. In addition, a lightweight cryptography standardization project is ongoing at NIST.
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
In 1996, Paul Kocher first introduced side-channel attacks, which extract secret information by analyzing side-channel information [3]. Since security against side-channel attacks cannot be provided by resistance to classical mathematical cryptanalysis, various countermeasures have been studied. As side-channel attacks become more sophisticated and the cost of the associated equipment decreases, the application of side-channel countermeasures to cryptography becomes important. Recently, various studies have been actively conducted on efficient implementations of side-channel countermeasures, especially on efficient masked implementations. To minimize the resource overhead used in masked implementations, these studies focus on reducing the number of nonlinear operations. Several lightweight block ciphers, with the design goal of low nonlinear operation count, have been proposed [4]-[6].

A. MOTIVATION
Constructing cryptographically secure 8-bit S-boxes is a topic that is being actively studied, and S-boxes using various methods such as polynomial or chaotic mappings have been proposed [7]-[9]. A highly secure 8-bit S-box constructed by perfect nonlinear transformation was adopted for the Advanced Encryption Standard (AES) design [10]. However, it is known that at least 35 nonlinear operations are still required to implement the S-box of AES [11]. Although there are many S-box construction methods that guarantee cryptographic security, the implementation efficiency must be considered for an S-box to be used as a component of a block cipher. Considering the implementation of side-channel countermeasures, there is a need for an S-box that can be implemented with fewer nonlinear operations.
There are a few lightweight block ciphers, such as Zorro, Fantomas, Robin, SKINNY, and FLY, that are intended for use in side-channel protected environments. The block cipher Zorro adopted a lightweight S-box using a polynomial S-box construction [12]. In Midori and SKINNY, 8-bit S-boxes constructed with two 4-bit S-boxes are adopted [13], [14]. The block ciphers Fantomas, Robin, and FLY use 8-bit S-boxes constructed from three small S-boxes [6], [15].
Based on the S-box construction methods presented so far, we considered that block cipher designers need S-box construction methods that satisfy all four conditions below.
1) It should be possible to efficiently secure the logic of a bitsliced implementation.
2) The number of nonlinear operations required for implementation should be small.
3) Both DBN and LBN should be greater than 2.
4) It should have sufficient cryptographic security to be used as a component of a block cipher.
The first two conditions are necessary for efficient implementations of side-channel countermeasures in a resource constrained environment. The third condition is to supplement the weak diffusion effect of bit permutation with the characteristic of S-box. High DBN and LBN help to secure resistance to differential and linear attacks in fewer rounds. It is also important that the cryptographic security should not be inferior to the S-boxes used in lightweight block ciphers. The lightweightness of block ciphers and the efficiency of their side-channel protected implementations depend significantly on their nonlinear functions. Many lightweight block ciphers use 4-bit S-boxes [1], [4], [16]-[18] or 8-bit S-boxes [2], [6], [14], [15], [19] as nonlinear functions. One of the main design approaches of lightweight 8-bit S-boxes is to use existing structures, such as Feistel, Lai-Massey and MISTY, employing smaller S-boxes (e.g., 3, 4, or 5-bit S-boxes). However, most related studies have focused on the S-box construction to combine with the linear functions such as word-oriented binary or MDS matrices [6], [19], [20].

B. CONTRIBUTIONS
This paper is an expanded version of the conference paper [21] presented at ICISC 2020. In particular, we generalize and extend the S-box design proposed in [21].
In this paper, we introduce a construction method for a different type of lightweight 8-bit S-boxes that are well-suited to a linear bit permutation layer, based on which we develop many new S-boxes with both DBN and LBN of at least 3 and with efficient masked software implementations. Our S-box construction methodology enables both DBN and LBN of at least 3, and this property, in combination with a bit permutation, enhances security. It can be used in the construction of a variety of S-boxes from smaller S-boxes. In this study, the Feistel, Lai-Massey, unbalanced-MISTY, and unbalanced-Bridge structures have been analyzed. Our framework eliminates all the input and output differences (or masks) where the sum of their Hamming weights is two, during which some conditions of the employed smaller S-boxes are induced. These conditions could accelerate the S-box search, resulting in more than 10,000 new lightweight 8-bit S-boxes with both DBN and LBN of 3. Some of their bitsliced implementations include 11 nonlinear bitwise operations each. Our methodology was also used to find more than 1,000 8-bit S-boxes with DBN of 4 and LBN of 3. To the best of our knowledge, all the aforementioned S-boxes are the first S-boxes with such properties. Furthermore, we found new 6 and 7-bit S-boxes with both DBN and LBN of 3 which are more efficient than existing ones.

C. ORGANIZATION
In Section II, we introduce a method for constructing S-boxes with DBN and LBN greater than 2. Using this method, Section III constructs new S-boxes and provides a comparison of our S-boxes and existing ones. Section III-D shows an appropriate application of our S-box as a block cipher component. Finally, Section IV concludes the paper and suggests future studies.

D. NOTATION AND DEFINITIONS
The following notations and definitions are used throughout this paper.
DDT  Difference Distribution Table of an n-bit S-box S whose (α, β) entry is #{x ∈ F_2^n | S(x) ⊕ S(x ⊕ α) = β}, where α, β ∈ F_2^n.
Differential uniformity  max
DBN  Differential Branch Number of an S-box defined as min
LBN  Linear Branch Number of an S-box defined as min (wt(a) + wt(b)).

II. CONSTRUCTION OF S-BOXES WITH DIFFERENTIAL AND LINEAR BRANCH NUMBERS GREATER THAN 2
In this section, we describe how to construct S-boxes with DBN>2 and LBN>2. In [22], Ruisanchez proposed an algorithm to construct 8-bit S-boxes with a DBN of 3, but did not consider LBN. Sarkar et al. proposed a method for constructing S-boxes with both DBN and LBN of 3 using resilient Boolean functions, and designed such 5 and 6-bit S-boxes [23]. Our method takes a different approach: it uses smaller S-boxes to create S-boxes with DBN>2 (or LBN>2) by eliminating all the input and output differences (or masks) where the sum of their Hamming weights is 2. During this elimination process, relevant conditions of the employed smaller S-boxes can be induced. In this section, we focus on the construction of bijective 8-bit S-boxes. Several methods have been proposed in the literature to construct 8-bit S-boxes from smaller ones. These methods typically rely on one of the Feistel, Lai-Massey, or (unbalanced-)MISTY structures, as depicted in Fig. 1-(A), (B), and (C), respectively [6], [15], [19], [20], [24]-[26]. The unbalanced-Bridge structure (Fig. 1-(D)) was mentioned in [27], but an S-box constructed using it has not been presented so far. In Fig. 1, S_i^j represents the j-th i-bit S-box. Among the structures in Fig. 1, both (A) and (B) use three 4-bit S-boxes and 12 XOR operations on a bit level, whereas both (C) and (D) use one 3-bit and two 5-bit S-boxes and 6 XOR operations.
In this section, we use the following notation.
Proposition 1 [21]: The 8-bit S-box constructed using the unbalanced-Bridge structure of Fig. 1-(D) is bijective if and only if the following three conditions are all satisfied:
In order to guarantee the bijectivity of S-boxes generated from the Lai-Massey and unbalanced-MISTY structures, all the smaller S-boxes except for S_4^1 should be bijective, whereas the Feistel structure always offers bijective S-boxes regardless of the smaller S-boxes.
Since all the structures in Fig. 1 have two input branches, S-boxes with DBN>2 can be constructed by eliminating four cases, (0||a, 0||c), (0||a, d||0), (b||0, 0||c), and (b||0, d||0), where each pair represents the input and output difference pair of the S-boxes, and wt(a) = wt(b) = wt(c) = wt(d) = 1. S-boxes with LBN>2 can be made in the same way. Some conditions of the employed smaller S-boxes are required to rule out these four cases.
The following theorems present the necessary and sufficient conditions of smaller S-boxes so that the 8-bit S-boxes constructed by the Feistel, Lai-Massey, unbalanced-MISTY and unbalanced-Bridge structures have both differential and linear branch numbers greater than 2.
Theorem 1: The DBN of bijective 8-bit S-boxes, constructed using the Feistel structure depicted in Fig. 1-(A), is greater than 2 if and only if conditions i) -iv) are all satisfied ( α and β below represent arbitrary 4-bit differences where wt( α) = wt( β) = 1). For each α and β; i) the entry of the ( α, 0) in DDT of S 2 4 is 0, ii) at least one entry of the ( α, β) in DDT of S 2 4 and ( β, α) in DDT of S 3 4 is 0, iii) at least one entry of the ( α, β) in DDT of S 1 4 and The expression of the C L and C R is ). We define the following notation for ease of expression.
|| a, 0 (4) || c): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L , X R ) ⊕ C L (X L , X R ⊕ a) = 0 and C R (X L , X R ) ⊕ C R (X L , X R ⊕ a) = c. The first equation is expressed as Similarly, the second equation is expressed as By applying equation (1), we get a = c.
does not happen if and only if there is no Y satisfying equation (1). This means the entries of the ( a, 0) in DDT of S 2 4 have to be zero, which is equivalent to condition i) where α = a.
(0 (4) || a, d||0 (4) ): It happens if and only if there exists at least one (X L , The first equation is expressed as By applying Y , we have Similarly, the second equation By applying equation (2) and using the definition of Z , we obtain Since the function (X L , X R ) → (Y , Z ) is bijective, the (0 (4) || a, d||0 (4) ) case does not happen if and only if there is no (Y , Z ) satisfying both equations (2) and (3), which is equivalent to condition ii) where α = a, β = d.

It becomes
Similarly, the second equation VOLUME 9, 2021 By applying equation (4), we get By applying equation (5) and using the definition of Y , equation (4) is rewritten as Since the function (X L , X R ) → (Y , X R ) is bijective, the ( b||0 (4) , 0 (4) || c) case does not happen if and only if there is no (Y , X R ) satisfying both equations (5) and (6), which is equivalent to condition iii) where α = b, β = c.
( b||0 (4) , d||0 (4) ): It happens if and only if there exists at least one (X L , The second equation is expressed as Similarly, the first equation

It becomes
Therefore, ( b||0 (4) , d||0 (4) ) case does not happen if and only if there is no (X L , X R ) satisfying both equations (7) and (8), which is equivalent to condition iv).
(0 (4) ||λ a , 0 (4) ||λ c ): Its bias can be calculated by the number of (X L , X R ) satisfying X R •λ a = C R (X L , X R )•λ c . The equation is expressed as It follows The equation becomes by using the definition of Y . As mentioned before, the func- has zero bias if and only if the equation (9) is not biased. This (4) ): Its bias can be calculated by the number of (X L , It follows The equation becomes by using the definition of Y . Note that the function (4) ) case has zero bias if and only if the equation (10) is not biased, which is equivalent to condition ii) where λ α = λ d , λ β = λ a .

The equation becomes
by using the definition of Y and Z . Note that the function (4) , 0 (4) ||λ c ) case has zero bias if and only if the equation (11) is not biased, (4) ): Its bias can be calculated by the number of (X L , by using the definition of Y . Since the left side of the equation is always not biased, we only need to consider the right side. The equation (12) is not biased if and only if is not biased. The (λ b ||0 (4) , λ d ||0 (4) ) case has zero bias if and only if the equation (13) is not biased, which is equivalent to condition iv) where λ α = λ d .
). We define the following notation for ease of expression.
|| a, 0 (4) || c): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L , The first equation is expressed as S 2 4 (X L ⊕ S 1 4 (X L ⊕ X R )) ⊕S 2 4 (X L ⊕ S 1 4 (X L ⊕ X R ⊕ a)) = 0. By applying (S 2 4 ) −1 and using the definition of Y , we obtain Similarly, the second equation C R (X L , X R ) ⊕ C R (X L , X R ⊕ a) = c is expressed as By applying equation (14) and using the definition of W , we obtain Since the function (X L , X R ) → (Y , W ) is bijective, the (0 (4) || a, 0 (4) || c) case does not happen if and only if there is no (Y , W ) satisfying both equations (14) and (15), which is equivalent to condition i) where α = a, β = c.
(0 (4) || a, d||0 (4) ): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L , The second equation is expressed as By applying (S 3 4 ) −1 and using the definition of Y , we obtain Similarly, the first equation By applying equation (16) and using the definition of Z , we obtain Since the function (X L , X R ) → (Z , Y ) is bijective, the (0 (4) || a, d||0 (4) ) case does not happen if and only if there is no (Z , Y ) satisfying both equations (16) and (17), which is equivalent to condition ii) where α = a, β = d.
( b||0 (4) , 0 (4) || c): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L ,

The first equation is expressed as
By applying (S 2 4 ) −1 and using the definition of Y , we obtain Similarly, the second equation By applying equation (18) and using the definition of W , we obtain Since the function (X L , X R ) → (Y , W ) is bijective, the ( b||0 (4) , 0 (4) || c) case does not happen if and only if there is no (Y , W ) satisfying both equations (18) and (19), which is equivalent to condition iii) where α = b, β = c. ( b||0 (4) , d||0 (4) ): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L ,

The second equation is expressed as
By applying (S 3 4 ) −1 and using the definition of Y , we obtain Similarly, the first equation By applying equation (20) and using the definition of Z , we obtain Since the function (X L , X R ) → (Z , Y ) is bijective, the ( b||0 (4) , d||0 (4) ) case does not happen if and only if there is no (Z , Y ) satisfying both equations (20) and (21), which is equivalent to condition iv) where α = b, β = d.
(0 (4) ||λ a , 0 (4) ||λ c ): Its bias can be calculated by the number of (X L , X R ) satisfying X R •λ a = C R (X L , X R )•λ c . The equation is expressed as

The equation becomes
by using the definition of Y and W . Note that the function has zero bias if and only if the equation (22) is not biased, which is equivalent to condition i) where λ α = λ a , λ β = λ c . (0 (4) ||λ a , λ d ||0 (4) ): Its bias can be calculated by the number of (X L , X R ) satisfying X R • λ a = C L (X L , X R ) • λ d . The equation is expressed as by using the definition of Y and W . Note that the function (X L , X R ) → (Y , W ) is bijective. The (0 (4) ||λ a , λ d ||0 (4) ) case has zero bias if and only if the equation (23) is not biased, which is equivalent to condition ii) where λ α = λ a , λ β = λ d .

The equation becomes
by using the definition of Y and Z . Note that the function (X L , X R ) → (Z , Y ) is bijective. The (λ b ||0 (4) , λ d ||0 (4) ) case has zero bias if and only if the equation (25) is not biased, which is equivalent to condition iv) where λ α = λ b , λ β = λ d . Fig. 1

-(C), is greater than 2 if and only if conditions i) and
ii) are both satisfied ( α, β, and γ below represent arbitrary 5, 5 and 3-bit differences, respectively, where wt( α) = wt( β) = wt( γ ) = 1). For each α, β, and γ ; i) at least one entry of the ( γ , γ ) in DDT of S 3 and ( γ ||0 (2) The expression of the C L and C R is . We define the following notation for ease of expression.
(0 (5) || a, d||0 (3) ): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L , X R ) ⊕ C L (X L , X R ⊕ a) = d and C R (X L , X R ) ⊕ C R (X L , X R ⊕ a) = 0. The second equation is expressed as Similarly, the first equation By using the definition of Z , we obtain Since the function (X L , X R ) → (Z , X R ) is bijective, the (0 (5) || a, d||0 (3) ) case does not happen if and only if there is no (Z , X R ) satisfying both equations (26) and (27), which is equivalent to condition i) where α = a, β = d.
( b||0 (3) , 0 (5) || c): It happens if and only if there exists at least one (X L , X R ) satisfying both C L (X L ,

The second equation is expressed as
By applying (S 1 5 ) −1 , we get X L ⊕ b = (S 1 5 ) −1 (S 1 5 (X L ) ⊕ ω). By using the definition of Y , we obtain Similarly, the first equation By applying equation (30) and using the definition of Y , we obtain For each A, the equations (31) and (32) are equivalent to Here, ω is an arbitrary nonzero 2-bit difference, and thus we can define B = A ⊕ ω, i.e., B ≠ A. Since the function (X L , X R ) → (Y , A, Z ) is bijective, the ( b||0 (3) , d||0 (3) ) case does not happen if and only if there is no (Y , A, Z ) satisfying both equations (33) and (34) for all B (≠ A), which is equivalent to condition ii) where α = b, β = d.
(λ b ||0 (3) , λ d ||0 (3) ): Its bias can be calculated by the number of (X L , X R ) satisfying X L • λ b = C L (X L , X R ) • λ d . The equation is expressed as The equation becomes by using the definition of Y and Z . For definition of A, the above equation is equivalent to The (λ b ||0 (3) , λ d ||0 (3) ) case has zero bias if and only if the equation (36) is not biased, which is equivalent to condition ii) The detailed proofs of Theorems 7 and 8 can be found in [21].

TABLE 1. Comparison of bitslice 8-bit S-boxes with respect to cryptographic properties and numbers of operations ('U-' represents 'Unbalanced-').
In the above theorems, the conditions on the smaller S-boxes are different for each structure, leading to different numbers of required smaller S-box computations. To find an S-box with DBN (or LBN) of 3, the Feistel, Lai-Massey, unbalanced-MISTY and unbalanced-Bridge structures depicted in Fig. 1 require about 11,200, 1,000, 600, and 1,700 (or 13,300, 1,600, 800, and 900) smaller S-box computations, respectively, which was confirmed in our simulations. Employed smaller S-boxes or their combinations are aborted early once they fail to meet any of the conditions in Theorems 1-8. Note that the method described in this section can be applied to any S-box extension structure.

III. SEARCHING FOR NEW CRYPTOGRAPHICALLY GOOD AND LIGHTWEIGHT S-BOXES
In this section, we describe the characteristics of balanced and unbalanced structures and the S-box search process. Note that 6, 7 and 8-bit S-boxes constructed in this paper are all bijective. We focus on the following three criteria when constructing the 8-bit S-boxes.
1) It should offer an efficient bitsliced implementation including 12 or fewer nonlinear operations.
2) Its DBN and LBN should both be greater than 2.
3) Its differential uniformity should be 16 or less, and its non-linearity should be 96 or more.
Criterion 1 minimizes the number of nonlinear operations required to implement an S-box, which allows for efficient higher-order masking implementations. Criteria 2 and 3 ensure the cryptographic strengths of the 8-bit S-box against differential cryptanalysis and linear cryptanalysis. The thresholds of the criteria were selected based on the properties of the existing lightweight 8-bit S-boxes (cf. Table 1). In this section, we take into account DBN, LBN, differential uniformity, non-linearity, algebraic degree, and fixed point as the security metrics of an S-box, which are directly necessary for the security analysis of an instantiated block cipher. Other cryptographic properties, such as algebraic immunity, strict avalanche criterion (SAC), and bit independence criterion (BIC) are presented in Appendix A.
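The Python below is an added example, not code from the paper: it computes the DDT and LAT of an S-box, derives the metrics named in criteria 2 and 3, and lists the weight-two difference and mask pairs that the method of Section II sets out to eliminate. It is run on the published 4-bit PRESENT S-box, which the paper cites for its DBN of 3; the function names are ours, and the standard definitions of DBN, LBN, differential uniformity and non-linearity are assumed.

```python
# Added example (not from the paper): DDT/LAT-based checks for an S-box.
# Assumes the standard definitions of DBN, LBN, differential uniformity
# and non-linearity; all function names are illustrative.

def wt(v):
    """Hamming weight of an integer."""
    return bin(v).count("1")


def ddt(sbox):
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def lat(sbox):
    """LAT[a][b] = #{x : a.x == b.S(x)} - 2^(n-1), via a fast Walsh transform."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for b in range(size):
        w = [1 - 2 * (wt(b & y) & 1) for y in sbox]  # (-1)^(b.S(x))
        h = 1
        while h < size:  # in-place Walsh-Hadamard butterfly
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        for a in range(size):
            table[a][b] = w[a] // 2  # Walsh values are always even
    return table


def dbn(d):
    """min wt(a) + wt(b) over nonzero input differences a with DDT[a][b] > 0."""
    return min(wt(a) + wt(b) for a in range(1, len(d))
               for b in range(len(d)) if d[a][b])


def lbn(l):
    """min wt(a) + wt(b) over nonzero output masks b with LAT[a][b] != 0."""
    return min(wt(a) + wt(b) for a in range(len(l))
               for b in range(1, len(l)) if l[a][b])


def weight_two_pairs(table):
    """Pairs (a, b) with wt(a) = wt(b) = 1 and a nonzero table entry.

    For a bijective S-box the branch number exceeds 2 exactly when this
    list is empty, which is the elimination step described in Section II.
    """
    n = len(table).bit_length() - 1
    bits = [1 << i for i in range(n)]
    return [(a, b) for a in bits for b in bits if table[a][b]]


def analyse(sbox):
    """Return the metrics used in criteria 2 and 3 for one S-box."""
    d, l = ddt(sbox), lat(sbox)
    size = len(sbox)
    return {
        "DBN": dbn(d),
        "LBN": lbn(l),
        "diff_uniformity": max(d[a][b] for a in range(1, size)
                               for b in range(size)),
        "nonlinearity": size // 2 - max(abs(l[a][b]) for a in range(size)
                                        for b in range(1, size)),
        "diff_weight2": weight_two_pairs(d),
        "lin_weight2": weight_two_pairs(l),
    }


# Published PRESENT S-box (public constant, reproduced for the demonstration).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    for name, value in analyse(PRESENT_SBOX).items():
        print(name, value)
```

The PRESENT S-box has no weight-two differential pair but does have single-bit linear approximations, so it meets the DBN half of criterion 2 and not the LBN half. The same functions accept a 256-entry table for checking an 8-bit S-box against the thresholds of criterion 3.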

A. CONSTRUCTING S-BOXES WITH THE BALANCED STRUCTURES
To construct an 8-bit S-box that satisfies criterion 3 through the balanced structures in Fig. 1, the differential uniformity of each 4-bit S-box must be less than or equal to 4 and the non-linearity must be greater than or equal to 8. It is known that at least 4 ANDs are required to implement such a 4-bit S-box with a differential uniformity of 4 [29]. Therefore, to construct an 8-bit S-box that satisfies criterion 3 using the balanced structures, at least 12 nonlinear operations are required. Block ciphers Robin, Scream v3, and FLY each adopted an S-box constructed using different balanced structures, and 12 nonlinear operations are used to implement one of them (cf. Table 1). Among them, only the Littlun S-box used in the block cipher FLY satisfies criterion 2. We constructed S-boxes with DBN and LBN of 3 by combining 4-bit S-boxes that satisfy the conditions of Theorems 1-4, and presented them in Table 1. Appendix B includes the bitsliced implementations of the S-boxes found from each structure.

B. CONSTRUCTING S-BOXES WITH THE UNBALANCED STRUCTURES
The S-box adopted in the block cipher Fantomas was constructed using an unbalanced-MISTY structure, and is meaningful because it can be implemented with the fewest nonlinear operations among the 8-bit S-boxes that satisfy criterion 3 proposed so far. This is because the 8-bit S-box satisfies criterion 3 even if only 4 and 3 nonlinear operations are used in the 5-bit S-boxes and the 3-bit S-box of the unbalanced structure, respectively. However, Fantomas adopts a word-oriented binary matrix as its linear layer, and thus the designers do not consider the DBN and LBN of the S-box.
Our search process with unbalanced structures is outlined as follows. First, we generated 3-bit and 5-bit S-box sets; for 3-bit S-boxes we ran an exhaustive search with AND, OR, XOR, and NOT instructions while restricting the number of nonlinear (resp. linear) operations to 3 (resp. 4), and for 5-bit S-boxes we ran an exhaustive search with AND, OR, and XOR instructions while restricting the number of nonlinear (resp. linear) operations to 4 (resp. 7) with a differential uniformity of 8 or less. Second, we classified two 5-bit S-boxes and one 3-bit S-box that satisfy the conditions of Theorems 5-8. For the unbalanced-Bridge structure, the conditions of Proposition 1 must also be satisfied. During this process, the search space was significantly reduced because the early abort technique was used to select S_3, S_5^1, and S_5^2. Third, we randomly chose the combination of S_3, S_5^1, and S_5^2 to verify whether the corresponding 8-bit S-boxes satisfy criterion 3.
Through this process, it was possible to construct S-boxes that satisfy all criteria 1-3 using the unbalanced-MISTY structure. Table 1 and Listing 3 show that this S-box can be implemented with fewer operations than the S-box adopted by Fantomas. Also, in [27], it was mentioned that the S-box constructed through unbalanced-Bridge seems to give bad cryptanalytic properties, but we could find more than 8,000 S-boxes satisfying criteria 1-3. One of them is adopted in the block cipher PIPO [21]. It can be implemented with the fewest operations among all the S-boxes presented so far that satisfy criterion 3.
Since the unbalanced-Bridge structure allows S_5^2 to be either bijective or non-bijective, the search pool is larger than that in the unbalanced-MISTY structure.
Proposition 2: The number of possible combinations of S_3, S_5^1, and S_5^2 in the unbalanced-Bridge structure of Fig. 1-(D) is 32! × 8! × 98304^8 ≈ 2^265.6, whereas that in the structure of unbalanced-MISTY of Fig. 1
Proof: All the smaller S-boxes in (C) and (D) should be bijective except for S_5^2 in (D). Condition iii) of Proposition 1 should hold for S_5^2 in order to make the 8-bit S-box bijective. For a fixed y ∈ F_2^3, the number of functions S_5^2(y||·) is 4! × 8^4. Since y can have any value in F_2^3, the number of possible S_5^2 is (4! × 8^4)^8 = 98304^8.
Furthermore, the unbalanced-Bridge structure enabled us to construct more than 1,000 S-boxes with DBN of 4 and LBN of 3. They were found by using the aforementioned additional conditions, but there is one entry of −128 in each of their LATs that might cause ciphers to be weakened by LC. Its bitsliced implementation can be found in Listing 4.

C. CONSTRUCTING 6 AND 7-BIT S-BOXES
Sarkar et al. proposed algorithms to search for 5 and 6-bit S-boxes with DBN and LBN greater than 2, and presented several such S-boxes [23]. They have good cryptographic properties. However, they are not efficient in a bitslice manner, since their search algorithms are based on the algebraic methods. Meanwhile, 7-bit S-boxes have been used in KASUMI and MISTY, but DBN and LBN of 7-bit S-boxes have not been studied.
With minor modifications, the theorems presented in Section II can be applied not only to the 6-bit S-boxes but also to the 7-bit S-boxes. We were able to find 6-bit S-boxes with DBN and LBN of 3 using three 3-bit S-boxes in the Feistel structure. Using two 4-bit S-boxes and a 3-bit S-box in the unbalanced-MISTY structure, we were able to find 7-bit S-boxes with DBN and LBN of 3. Since these are based on 3 and 4-bit small S-boxes, it is easy to find their efficient bitsliced implementations (some are described in Appendix B). The 6 and 7-bit S-boxes we found are compared with published ones in Table 2.

D. APPLICATION OF OUR S-BOX ON BLOCK CIPHER DESIGN
In general, in the SPN structure, the confusion is provided by the substitution function, and a diffusion layer is constructed using an MDS matrix, a binary matrix with a large branch number, or a bit permutation with a low branch number. Although there have been many studies on efficient matrices [6], [12], [30]-[32], bit permutation is a very attractive candidate for the diffusion layer in lightweight block ciphers because it does not require any cost in a hardware environment. Bit permutation based block ciphers use a large number of rounds to be immune to differential and linear attacks due to the weak diffusion effect. In order to reduce the amount of memory required for the implementation of the diffusion layer and increase the execution speed of block ciphers, PRESENT and GIFT propose new techniques that provide effective diffusions even based on bit permutations [1], [16]. The diffusion layer of GIFT was chosen to be a BOGI (Bad Output must go to Good Input) bit permutation [16], whereas PRESENT uses the S-box with DBN of 3 [1]. Since the new S-boxes we present in Tables 1 and 2 have high DBN and LBN, if combined with appropriate bit permutations, instantiated block ciphers can be effectively secured.
TABLE 3. Comparison of 8-bit S-boxes with respect to cryptographic properties.
The block cipher PIPO was designed with the S-box constructed by our method [21]. The cipher uses the 64-bit state as an 8 × 8 bit array, applying an S-box to each column and different 8-bit rotations to each row within one round. Therefore, the output bits of one S-box are positioned as inputs of different S-boxes in the next round. This design made it possible to secure the cipher against differential and linear attacks with a small number of rounds through the combination of a bit permutation and an S-box with high DBN and LBN.

IV. CONCLUSION AND FUTURE WORK
In this paper, we presented a widely applicable method for constructing lightweight S-boxes with DBN and LBN greater than 2, from smaller S-boxes. Using structures such as the Feistel, Lai-Massey, unbalanced-MISTY and unbalanced-Bridge structure, we were able to find many lightweight S-boxes with both DBN and LBN of at least 3. We believe that our proposed method can help cipher designers build lightweight S-boxes with high DBN and LBN.
For future work, it would be interesting to investigate the following research questions.
• Are there any other 8-bit S-boxes that have the same level of cryptographic properties as the new S-boxes listed in Table 1 but require fewer nonlinear operations?
• Are there secure and efficient 8-bit S-boxes with both DBN and LBN of 4?

APPENDIX A ADDITIONAL CRYPTOGRAPHIC PROPERTIES OF S-BOXES
In Tables 1 and 2, we presented cryptographic properties that can be directly used for block cipher cryptanalyses. However, there are many other indicators for the cryptographic security of the S-box such as Correlation Immunity (CI), Algebraic Immunity (AI), SAC (Strict Avalanche Criterion), and BIC (Bit Independence Criterion) [33]-[35]. These indicators are often used when proposing a new S-box with high cryptographic security or an S-box for image encryption [7]-[9]. We define them as follows, and present and compare the corresponding values of the S-boxes in Tables 3 and 4.
We can see that there is no significant difference between the values of our new S-boxes and others. Since the new S-boxes we present have high LBN, their correlation immunities are also higher than those of other S-boxes with an LBN of 2. Let the independence matrix of an n-bit S-box S = (f 1 , · · · , f n ) be given by where e j is j-th standard basis. Then we can define cryptographic properties below.
• The BIC for non-linearity of an n-bit S-box S = (f 1 , · · · , f n ) is 1 2 2n − 2 n 1≤i,j≤n i =j NL(g i,j ) where NL(g i,j ) is non-linearity of g i,j for g i,j (x) = f i (x) ⊕ f j (x).
• The Correlation Immunity of a Boolean function f is the maximum number t such that