On the Evolution of Boomerang Uniformity in Cryptographic S-boxes

S-boxes are an important primitive that help cryptographic algorithms to be resilient against various attacks. The resilience against specific attacks can be connected with a certain property of an S-box, and the better the property value, the more secure the algorithm. One example of such a property is called boomerang uniformity, which helps to be resilient against boomerang attacks. How to construct S-boxes with good boomerang uniformity is not always clear. There are algebraic techniques that can result in good boomerang uniformity, but the results are still rare. In this work, we explore the evolution of S-boxes with good values of boomerang uniformity. We consider three different encodings and five S-box sizes. For sizes $4\times 4$ and $5\times 5$, we manage to obtain optimal solutions. For $6\times 6$, we obtain optimal boomerang uniformity for the non-APN function. For larger sizes, the results indicate the problem to be very difficult (even more difficult than evolving differential uniformity, which can be considered a well-researched problem).Comment: 15 pages, 3 figures, 4 table

A search for additional structure: The case of cryptographic s-boxes

We investigate whether it is possible to evolve cryptographically strong S-boxes that have additional constraints on their structure. We investigate two scenarios: where S-boxes additionally have a specific sum of values in rows, columns, or diagonals and the scenario where we check that the difference between the Hamming weights of inputs and outputs is minimal. The first case represents an interesting benchmark problem, while the second one has practical ramifications as such S-boxes could offer better resilience against side-channel attacks. We explore three solution representations by using the permutation, integer, and cellular automata-based encoding. Our results show that it is possible to find S-boxes with excellent cryptographic properties (even optimal ones) and reach the required sums when representing S-box as a square matrix. On the other hand, for the most promising S-box representation based on trees and cellular automata rules, we did not succeed in finding S-boxes with small differences in the Hamming weights between the inputs and outputs, which opens an interesting future research direction. Our results for this scenario and different encodings inspired a mathematical proof that the values reached by evolutionary algorithms are the best possible ones.</p