A further study on bridge structures and constructing bijective S-boxes for low-latency masking

Designs, Codes and Cryptography(2023)

Abstract
In ToSC 2020, Bilgin et al. proposed a new structure called bridge to construct S-boxes with low AND depth for low-latency masking. In this paper, we investigate the bridge structure in detail. First, we prove the conjecture made by Bilgin et al. on lower bounds for the differential uniformity and linearity of the 2n-bit bridge structure. However, the bounds are not always tight for a specific n. In particular, for 8-bit permutations with the bridge structure, we further prove that the tight lower bounds on the differential uniformity and linearity are 16 and 64, respectively. Then, we find the best implementations of such 8-bit permutations which reach the tight bounds for low-latency masking. We derive that, without global optimization, the optimal 8-bit permutations with 3-round balanced Feistel or Misty networks both require at least 12 AND gates with AND depth 4, whereas the optimal 8-bit permutations with the bridge structure require 12 AND gates with an AND depth of only 3. In addition, we propose, for the first time, a new unbalanced bridge structure with 2n-1, 2n and 2n+1-bit components. Applying this structure, we can even construct an 8-bit S-box and its inverse with notable AND depths 2 and 3, which is, as far as we know, the lowest AND depth for 8-bit S-boxes with differential uniformity 16 and linearity 64.
Keywords
S-box, Lightweight block-cipher, Bridge structure, AND depth
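The abstract states its bounds in terms of differential uniformity and linearity. The following is an added example, not code from the paper, that computes both metrics for any S-box table and applies them to an 8-bit permutation built from a 3-round balanced Feistel network. Using the PRESENT 4-bit S-box as every round function is an assumption made here for illustration, and the bridge structure itself is not implemented because this page does not define it.

```python
def differential_uniformity(sbox):
    """Largest difference-distribution-table entry over nonzero input differences."""
    n = len(sbox)
    best = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def linearity(sbox):
    """Largest absolute Walsh coefficient over all input masks and nonzero output masks."""
    n = len(sbox)
    best = 0
    for b in range(1, n):
        # +1/-1 truth table of the component function x -> <b, S(x)>
        w = [1 - 2 * (bin(b & y).count("1") & 1) for y in sbox]
        h = 1
        while h < n:  # in-place fast Walsh-Hadamard transform
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    u, v = w[j], w[j + h]
                    w[j], w[j + h] = u + v, u - v
            h *= 2
        best = max(best, max(abs(c) for c in w))
    return best

# Constructed sample input: the PRESENT 4-bit S-box, used here only as a round function.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def feistel3(f1, f2, f3):
    """8-bit permutation from a 3-round balanced Feistel network with 4-bit round functions."""
    table = []
    for x in range(256):
        left, right = x >> 4, x & 0xF
        for f in (f1, f2, f3):
            left, right = right, left ^ f[right]
        table.append((left << 4) | right)
    return table

if __name__ == "__main__":
    s8 = feistel3(PRESENT, PRESENT, PRESENT)
    print("4-bit PRESENT: DU =", differential_uniformity(PRESENT),
          "Lin =", linearity(PRESENT))
    print("8-bit Feistel: DU =", differential_uniformity(s8),
          "Lin =", linearity(s8))
```

Linearity here is on the Walsh-coefficient scale, the same scale on which the abstract quotes 64 for 8-bit permutations.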