Hardware architecture of Dillon's APN permutation for different primitive polynomials

Abstract

Cryptographically strong functions used as S-boxes in block cyphers are fundamental for the cypher’s security. Their representation as lookup tables is possible for functions of small dimension. For larger dimensions, this is infeasible, especially if resources are limited. An alternative is representing the function as a polynomial over a finite field, and constructing a circuit evaluating this polynomial. We study how the choice of primitive polynomial affects the efficiency of hardware implementations. We take Dillon’s permutation on 6 bits (the only known permutation in even dimension from the cryptographically optimal Almost Perfect Nonlinear functions) as a relevant example, and present hardware architectures, polynomial representations and hardware theoretical complexities for all primitive polynomials of degree six. To compare the efficiency, we report on results obtained from FPGA (Field Programmable Gate Array) implementations. To the best of our knowledge, no similar study has been given in the literature. We observe that using the primitive trinomial 𝑦6 + 𝑦 + 1 reduces the number of 2-input XOR gates up to 11.7% and the number of XOR gates × Delay metrics up to 13.2% with respect to the worst-case implementation. Therefore, the choice of primitive polynomial can profoundly impact the efficiency of such an implementation, and should be carefully considered.