which typically targets the substitution boxes (S-boxes) [26, 37-39]. S-boxes are
at the heart of block ciphers and are the only non-linear parts of the ciphers. They
are typically used to hide the relationship between the key and the ciphertext,
following Shannon's property of confusion, to resist mathematical cryptanalysis.
In general, an S-box takes an n-bit input and transforms it into an m-bit output,
namely an n × m S-box.
In this work, a sub-module of the Serpent cipher [40], including its S-box, is
designed in QCA. The Serpent cipher is chosen because the available
QCA design and simulation tools are currently limited in their support for large
circuit designs. Serpent is a well-designed modern block cipher that offers a
large security margin. It was a finalist in the AES contest [41]. The 32 rounds
in the Serpent cipher provide an even higher security margin than the Rijndael
cipher, which is the current AES standard. It uses eight 4 × 4 S-boxes which are
strongly secure against all known mathematical attacks [40]. However, similar
to AES and DES, Serpent can be attacked using a power analysis attack. The
essential idea of a power analysis attack is to attack a small part of the whole
key to reduce the computational complexity. More specifically, it can be used
to target a key-dependent sub-module of a cipher (usually the S-boxes for block
ciphers) to uncover a small subkey [32]. The whole key can then be revealed by
attacking each of the subkeys. A successful power analysis attack of the 4 × 4
Serpent S-box has been demonstrated on 65 nm CMOS cryptographic circuits
[42]. Therefore, Serpent is an appropriate example for demonstrating a power
analysis attack on QCA cryptographic circuits.
3.1 Sub-Module of Serpent Cipher
Serpent [40] is a 32-round substitution-permutation network that operates on
four 32-bit words. It encrypts a 128-bit plaintext to a 128-bit ciphertext in 32
rounds under the control of 33 128-bit subkeys $K_0, \ldots, K_{32}$. An initial
permutation is applied to a plaintext before the first round. A set of eight 4 × 4 S-boxes
is used four times. In each round, only a single replicated S-box is used with a
subkey. The last round is slightly different from the others and uses two subkeys,
$K_{31}$ and $K_{32}$.
The sub-module implemented in this work is expressed as follows:
$$ V = S_0(B_0 \oplus K_0), \tag{10} $$
where
$V$ is an intermediate value,
$S_0$ is the first Serpent S-box, namely the $S_0$-box,
$B_0$ is the permutated plaintext used as the input to the first round,
$K_0$ is the first subkey.
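The sub-module of Eq. (10) restricted to one 4-bit slice, as an added example (not code from the paper): it models the power sample as the Hamming weight of V plus Gaussian noise and scores all 16 candidates for the subkey nibble, with and without a first-order Boolean mask on V. The leakage model, the mask, the subkey value 0xB, the noise level and all function names are assumptions constructed for illustration; S0 is the table from the Serpent specification.

```python
import random

# Serpent S0 from the cipher specification (4-bit input -> 4-bit output).
S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]

def submodule(b0_nibble, k0_nibble):
    """V = S0(B0 xor K0) for one 4-bit slice (bit ordering simplified)."""
    return S0[(b0_nibble ^ k0_nibble) & 0xF]

def hw(x):
    """Hamming weight, the assumed leakage model."""
    return bin(x).count("1")

def simulate(k0_nibble, n, noise, masked=False, seed=1):
    """Constructed traces: one sample per run, HW(V) plus Gaussian noise.
    masked=True models a first-order Boolean mask refreshed on every run."""
    rng = random.Random(seed)
    inputs, samples = [], []
    for _ in range(n):
        b = rng.randrange(16)
        v = submodule(b, k0_nibble)
        if masked:
            v ^= rng.randrange(16)  # the leaking value is now V xor mask
        inputs.append(b)
        samples.append(hw(v) + rng.gauss(0.0, noise))
    return inputs, samples

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def rank_hypotheses(inputs, samples):
    """Correlate the samples with predicted HW(V) for all 16 subkey nibbles."""
    scores = {k: pearson([hw(submodule(b, k)) for b in inputs], samples)
              for k in range(16)}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    K0_NIBBLE = 0xB  # constructed test subkey, not a value from the paper
    for masked in (False, True):
        best, rho = rank_hypotheses(*simulate(K0_NIBBLE, 2000, 1.0, masked))[0]
        print(f"masked={masked}: top hypothesis {best:#x}, correlation {rho:.3f}")
```

Because the S-box input mixes only four key bits, the hypothesis space per slice is 16 values regardless of the 128-bit subkey length, which is why the unmasked intermediate value V is the point that needs a countermeasure.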
Thus the function of the sub-module as shown in Fig. 11 is to produce the
first four bits of an intermediate vector by taking bits 0, 1, 2, 3 of $B_0 \oplus K_0$ as the
input to the $S_0$-box, which is chosen without loss of generality. As a replicated
S-box is used in each round, the next $S_0$-box takes bits 4, 5, 6, 7 of $B_0 \oplus K_0$ and