SAND: an AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations

We revisit designing AND-RX block ciphers, that is, the designs assembled with the most fundamental binary operations—AND, Rotation and XOR operations and do not rely on existing units. Likely, the most popular representative is the NSA cipher SIMON, which remains one of the most efficient designs, but suffers from difficulty in security evaluation. As our main contribution, we propose SAND, a new family of lightweight AND-RX block ciphers. To overcome the difficulty regarding security evaluation, SAND follows a novel design approach, the core idea of which is to restrain the AND-RX operations to be within nibbles. By this, SAND admits an equivalent representation based on a 4× 8 synthetic S-box ( SSb ). This enables the use of classical S-box-based security evaluation approaches. Consequently, for all versions of SAND, (a) we evaluated security bounds with respect to differential and linear attacks, and in both single-key and related-key scenarios; (b) we also evaluated security against impossible differential and zero-correlation linear attacks. This better understanding of the security enables the use of a relatively simple key schedule, which makes the ASIC round-based hardware implementation of SAND to be one of the state-of-art Feistel lightweight ciphers. As to software performance, due to the natural bitslice structure, SAND reaches the same level of performance as SIMON and is among the most software-efficient block ciphers.