Motivation
Symmetric-key ciphers provide confidentiality, authentication, and integrity, and are widely deployed in our everyday devices for their performance. Among them, block ciphers and hash functions, which are probably the most studied symmetric algorithms, all rely on so-called S-boxes to ensure non-linearity.
Over the years, the development of new attacks against these symmetric algorithms has motivated the definition of new criteria for S-boxes. While these criteria must still be met, new requirements have emerged. For example, connected objects often require lightweight, less energy-consuming constructions. In another context, symmetric algorithms used in the white-box cryptography scenario, where an adversary has full access to the implementation, must be protected against key-extraction attacks. In yet another context, the use of homomorphic encryption schemes also imposes constraints on the symmetric cryptography primitives, whose operations must make homomorphic computation efficient enough. Finally, the implementation of these symmetric schemes may be vulnerable to side-channel attacks. The efficiency of countermeasures against these attacks depends on the structure of the primitive and, in particular, on the underlying S-boxes.
The SWAP project aims to explore all of the above design criteria for S-boxes and symmetric cryptography primitives, from a theoretical, practical and cryptanalytical point of view.
Objectives
The SWAP project follows three main objectives:
- New designs for the various use cases listed. The partners aim to focus on the design of symmetric primitives for efficient computation on encrypted data (i.e. with FHE), for secure computation in the presence of physical leakage (i.e. with side-channel countermeasures), and for efficient white-box implementation (i.e. with practical obfuscation techniques).
- Exploit the particular structures of the S-boxes in the attacks. The partners aim to analyze the impact of using specific inner structures for S-box design on cryptanalysis. They will investigate how these structures can speed up existing attacks and also introduce new types of attacks that exploit unusual constructions and other representations.
- Search for APN S-boxes in an even number of variables. Finally, the partners aim to search (with new dedicated algorithms) for new quadratic (non-bijective) APN functions with specific structures, and then to try to deduce permutations from them.