Alzette: A 64-Bit ARX-box (feat. CRAX and TRAX)

Abstract: S-boxes are the only source of non-linearity in many symmetric primitives. While they are often defined as being functions operating on a small space, some recent designs propose the use of much larger ones (e.g., 32 bits). In this context, an S-box is then defined as a subfunction whose cryptographic properties can be estimated precisely. We present a 64-bit ARX-based S-box called Alzette, which can be evaluated in constant time using only 12 instructions on modern CPUs. Its parallel application can also leverage vector (SIMD) instructions. One iteration of Alzette has differential and linear properties comparable to those of the AES S-box, and two are at least as secure as the AES super S-box. As the state size is much larger than the typical 4 or 8 bits, the study of the relevant cryptographic properties of Alzette is not trivial. We further discuss how such wide S-boxes could be used to construct round functions of 64-, 128- and 256-bit (tweakable) block ciphers with good cryptographic properties that are guaranteed even in the related-tweak setting. We use these structures to design a very lightweight 64-bit block cipher (Crax) which outperforms SPECK-64/128 for short messages on micro-controllers, and a 256-bit tweakable block cipher (Trax) which can be used to obtain strong security guarantees against powerful adversaries (nonce misuse, quantum attacks).
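The ARX-box described in the abstract, written out in C together with its inverse as an added example (not code from this page or from the authors). The rotation amounts follow the published Alzette specification and do not appear in the abstract; the names `alzette64`, `alzette64_inv`, `alzette_roundtrip_ok` and the sample constant are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit word right by n bits, 0 < n < 32. */
static inline uint32_t ror32(uint32_t v, unsigned n) {
    return (v >> n) | (v << (32 - n));
}

/* Forward Alzette on the 64-bit value (x << 32) | y with constant c.
 * Each line is add, xor, xor-with-constant: 4 x 3 = 12 word operations
 * when the rotation folds into the operand. There are no branches and no
 * table lookups, so the running time does not depend on the data. */
uint64_t alzette64(uint64_t in, uint32_t c) {
    uint32_t x = (uint32_t)(in >> 32), y = (uint32_t)in;
    x += ror32(y, 31); y ^= ror32(x, 24); x ^= c;
    x += ror32(y, 17); y ^= ror32(x, 17); x ^= c;
    x += y;            y ^= ror32(x, 31); x ^= c;   /* rotation by 0 */
    x += ror32(y, 24); y ^= ror32(x, 16); x ^= c;
    return ((uint64_t)x << 32) | y;
}

/* Inverse: undo the four rounds in reverse order, with the modular
 * addition replaced by a modular subtraction. */
uint64_t alzette64_inv(uint64_t in, uint32_t c) {
    uint32_t x = (uint32_t)(in >> 32), y = (uint32_t)in;
    x ^= c; y ^= ror32(x, 16); x -= ror32(y, 24);
    x ^= c; y ^= ror32(x, 31); x -= y;
    x ^= c; y ^= ror32(x, 17); x -= ror32(y, 17);
    x ^= c; y ^= ror32(x, 24); x -= ror32(y, 31);
    return ((uint64_t)x << 32) | y;
}

/* Returns 1 when the inverse recovers the input, i.e. the box is a
 * permutation of the 64-bit space for this input and constant. */
int alzette_roundtrip_ok(uint64_t in, uint32_t c) {
    return alzette64_inv(alzette64(in, c), c) == in;
}

int main(void) {
    const uint32_t c = 0xB7E15162u;            /* sample constant (assumed) */
    const uint64_t in = 0x0123456789ABCDEFull; /* constructed input */
    uint64_t out = alzette64(in, c);
    printf("in  = %016llx\nout = %016llx\nroundtrip ok = %d\n",
           (unsigned long long)in, (unsigned long long)out,
           alzette_roundtrip_ok(in, c));
    return 0;
}
```

With `c = 0` the all-zero input maps to itself, which is one reason a non-zero constant is XORed into every round.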
