Abstract
The concept of transparency order is introduced to measure the resistance of -functions against multi-bit differential power analysis in the Hamming weight model, including the original transparency order (denoted by ), redefined transparency order (denoted by ), and modified transparency order (denoted by ). In this paper, we firstly give a relationship between and and show that is less than or equal to for any -functions. We also give a tight upper bound and a tight lower bound on for balanced -functions. Secondly, some relationships between and the maximal absolute value of the Walsh transform (or the sum-of-squares indicator, algebraic immunity, and the nonlinearity of its coordinates) for -functions are obtained, respectively. Finally, we give and for (4,4) S-boxes which are commonly used in the design of lightweight block ciphers, respectively.
1. Introduction
Differential power analysis (DPA) was introduced by Kocher et al. in [1] and is a well-known and thoroughly studied threat for implementations of block ciphers, like DES and AES [2].
Beierle et al. [3] validated the correlation power analysis attack through the Hamming distance power model. Fischer et al. [4] presented efficient differential power analysis of Grain and Trivium through carefully chosen IVs to eliminate the algorithmic noise. In 2005, Prouff [5] gave the model of the DPA resilience of the S-boxes and proposed the definition of the transparency order (denoted by ) based on the autocorrelation coefficients for -functions. He obtained that S-boxes with smaller have higher DPA resilience and deduced the tightness of the upper bound and the lower bound on the . In the same year, Carlet [6] obtained the lower bound on the transparency order and gave the relationship between the transparency order and the nonlinearity for Boolean functions. Next, Fan et al. [7] gave a fast method for calculating the transparency order by optimizing the cycle of the original algorithm.
In 2012, Fei et al. [8] proposed the confusion coefficient and obtained some relations between the success rate and the cryptographic algorithm. For power analysis attacks, the side-channel characteristic of the physical implementation can be seen as the signal-to-noise ratio (denoted by ) [9]. Experimental results of DPA on both DES and AES verified this model with high accuracy and demonstrated the effectiveness of the algorithmic confusion analysis and extraction. Experimental results showed that the algorithm has better anti-noise performance than the original algorithm for present.
Chakraborty et al. [10] found the limitations of the definition in [5] and gave a redefined transparency order (denoted by ) based on the cross-correlation coefficients for -functions. Then, they were able to theoretically capture DPA in the Hamming weight model for hardware implementation with precharge logic. Picek et al. [11] proposed a technique for constructions using the modified transparency order as a guiding metric. Wang and Stănică [12] obtained an upper bound on the redefined transparency order in terms of nonlinearity for Boolean functions and constructed two infinite classes of balanced semibent Boolean functions with provably good transparency order.
In 2020, however, Li et al. [13] pointed out a flaw in the original transparency order [10] and gave the modified transparency order denoted by , obtained a lower bound on based on the Walsh transform, and deduced the distribution of values for sixteen optimal affine equivalent classes of (4,4) S-boxes.
So far, little attempt has been made to study the relationship between and , and Li et al. [13] gave a lower bound on for any -functions based on Walsh spectrum, but not based on . Moreover, how to further investigate the in-depth relationships between and with other cryptography indicators still appears to be an important issue.
In this article, we focus on some unresolved problems related to both and . Firstly, we give the relationship between and , and this result implies that for any -functions . We also obtain the upper bound and the lower bound on . To design good S-boxes with respect to the [13], we deduce some important connections between and other cryptographic properties such as the sum-of-squares indicator, nonlinearity, the maximum absolute value of the Walsh transform, and algebraic immunity of the coordinate functions of S-boxes. In particular, it is shown that these results have a direct influence on the resistance to DPA attacks. More precisely, the smaller the sum-of-squares indicator (or the maximum absolute value of the Walsh transform) of the coordinate functions of a given -function, the larger the , whereas a higher nonlinearity (or algebraic immunity) of the coordinate functions of a given -function also implies a larger (not desirable). Furthermore, there is also a connection between the algebraic immunity and transparency order which essentially indicates (along with other trade-offs) that the design of cryptographically secure S-boxes is hardly achievable if the protection against DPA attacks is taken into account. Finally, we give the and for (4,4) S-boxes which are commonly used in some lightweight block ciphers; this implies that is better than from the perspective of information leakage.
This paper is organized as follows. In Section 2, we introduce the basic concepts and notions. In Section 3, the tightness of the upper bound and the lower bound on the modified transparency order of -functions is derived. In Section 4, some relationships between and other cryptographic properties are derived. Section 5 gives some data analysis results for some S-boxes. Section 6 concludes this paper.
2. Preliminaries
Let be the set of -variable Boolean functions. We denote by the addition modulo two performed in and the vector space . The support of a Boolean function is defined as . The Hamming weight of is denoted by and corresponds to the cardinality of its support . A Boolean function is said to be balanced if its truth table contains equal number of ones and zeros, i.e., . The set of affine functions, whose algebraic degree is denoted by . Especially, an affine function with the constant term equal to zero is called a linear function.
In this paper, let be the zero vector in .
Definition 1. Let . The Walsh spectrum of is defined by where , x = (), . The nonlinearity of can be computed using Let . The cross-correlation function between and is defined by In particular, when , then the autocorrelation function of is given by For more research on the autocorrelation function and the cross-correlation function of Boolean functions, refer to reference [14].
Two functions are said to be perfectly uncorrelated if , for any . From [15], if and are perfectly uncorrelated, then for any .
Definition 2. (see [16]). The two indicators capturing the global avalanche characteristics (GACs) of a Boolean function are given by In 2010, Zhou et al. [17] generalized and gave the global avalanche characteristics between two Boolean functions : For two positive integers and , a function is called an -function. Such a function can be viewed as a collection of its coordinate Boolean functions, and thus , where . An -function is balanced if and only if its component functions are balanced, meaning that for every nonzero , the Boolean function is balanced.
The original transparency order [5] and the redefined transparency order [10] are for balanced (n, m) functions. In this paper, in order to expand the research scope of -function, we extend the balanced -function to any -function, which makes our results more universal (see Definition 3 and Definition 4).
Definition 3. (see [10]). Let be an -function. The redefined transparency order of , based on the cross-correlation properties of , is defined by where .
In 2019, Li et al. gave the modified transparency order in [13].
Definition 4. (see [13]). Let be an -function. The modified transparency order of , based on the cross-correlation properties of , is defined by Note that and for research convenience, let Thus,
3. Bounds on the Modified Transparency Order
Based on Definition 4, a lower bound on was derived in [13] in terms of the Walsh spectrum of the coordinate functions of , but this lower bound is very complex. In order to obtain tight lower and upper bounds on , we first give a relationship between and .
Lemma 1 (see [17]). Let . Then,
Theorem 1. Let be an -function. Then,
Proof. By using the inequality for any , we have For any , we have Based on the above equation, we have .
Remark 1. From the proof process, we can know that for any -function , including balanced functions and unbalanced functions.
Although at present we cannot theoretically give the condition on of -functions , we can give an example with (see Example 1).
In the following, we give a tight upper bound and a tight lower bound on by using the perfectly uncorrelated functions.
Theorem 2. Let be a balanced -function. If the coordinate functions and are perfectly uncorrelated for , then
Proof. On the one hand, from Definition 4 and Lemma 1, we have Since is a balanced -function, then and are balanced functions. That is, for any and . We have and for any , .
Thus, , that is, .
On the other hand, if the coordinate functions and are perfectly uncorrelated for , then for any and .
From Definition 4, we have By Cauchy’s inequality and for any in [16], we have Thus, From equation (20), we have That is, .
In the following, we give two examples for reaching the upper and lower bounds on , respectively.
Example 1. Let be an -function and be a bent function. Its coordinate functions are specified as Then, and are bent functions. We know and for any and . We have and thus . We also obtain .
Example 2. Let be a -function. Its coordinate functions are specified as Then, is balanced (). We know and for any and . Then, we have and thus .
In particular, we give the modified transparency order for any -function.
Corollary 1. Let . Then,
Proof. If in Definition 4, then Note that for any . Then, . if and only if for any , that is, is an affine function. if and only if for any , that is, is a bent function.
Remark 2. Corollary 1 is a special case of Theorem 2. It also shows that both the upper bound and the lower bound on can be reached.
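Definitions 1 and 2 and Corollary 1, worked through as an added example (not code from the paper): it computes the Walsh spectrum, nonlinearity, autocorrelation and the two global avalanche indicators for each coordinate of the PRESENT S-box, and the single-output transparency order for an affine and a bent function. The formulas are the standard forms of these definitions and are assumptions here, including $1-\sum_{a\neq 0}|C_f(a)|/(2^{2n}-2^n)$ for the single-output case; all function names are illustrative.

```python
from fractions import Fraction

# PRESENT S-box from its public specification; AFFINE and BENT are constructed truth tables.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
AFFINE = [0, 1, 0, 1]   # f(x) = x0 on two variables
BENT = [0, 0, 0, 1]     # f(x) = x0 * x1 on two variables

def coordinate(sbox, i):
    """Truth table of the i-th output bit of an S-box."""
    return [(y >> i) & 1 for y in sbox]

def walsh(tt):
    """Walsh spectrum W_f(w) = sum_x (-1)^(f(x) xor w.x), via the fast transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """N_f = 2^(n-1) - max_w |W_f(w)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def cross_correlation(f, g):
    """C_{f,g}(a) = sum_x (-1)^(f(x) xor g(x xor a)), listed for every a."""
    size = len(f)
    return [sum((-1) ** (f[x] ^ g[x ^ a]) for x in range(size)) for a in range(size)]

def gac(tt):
    """(sum-of-squares indicator, absolute indicator) from the autocorrelation."""
    ac = cross_correlation(tt, tt)
    return sum(c * c for c in ac), max(abs(c) for c in ac[1:])

def transparency_order_1bit(tt):
    """Assumed single-output form: 1 - sum_{a != 0} |C_f(a)| / (2^(2n) - 2^n)."""
    ac = cross_correlation(tt, tt)
    return 1 - Fraction(sum(abs(c) for c in ac[1:]), len(tt) * (len(tt) - 1))

def report(sbox, m=4):
    """Per coordinate: (nonlinearity, sigma, delta, single-output transparency order)."""
    rows = []
    for i in range(m):
        f = coordinate(sbox, i)
        sigma, delta = gac(f)
        rows.append((nonlinearity(f), sigma, delta, transparency_order_1bit(f)))
    return rows

if __name__ == "__main__":
    for row in report(PRESENT):
        print(row)
```

The affine function gives 0 and the bent function gives 1, the two extremes discussed in Corollary 1; exact rationals are used so those equalities are not subject to rounding.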
4. The Relationships between and Some Cryptographic Properties
In this section, we use the sum-of-squares indicator to establish some links between and some cryptographic indicators. These links can help us understand more deeply and lay a foundation for designing and analyzing S-boxes. In the following, we give a relationship between and the sum-of-squares indicator, and this result is the basis of Corollaries 3 and 4.
4.1. The Relationships between and the Sum-of-Squares Indicator
Theorem 3. Let be a balanced -function. Then,
Proof. By using the Cauchy–Schwarz inequality and for any , we have Since is a balanced -function, is balanced for , that is, . Thus, Furthermore, we have Because for any [18], we have From Definition 4, we know that Thus,
Remark 3. Theorem 3 gives one relationship between and , which implies that the smaller , the bigger the .
Based on Theorem 3, we give some lower bounds on by nonlinearity and algebraic immunity.
Corollary 2. Let be a balanced -function. Then,
Proof. Zheng and Zhang [19] obtained for any , where for any , and thus this result is easily proved.
Corollary 3. Let be a balanced -function. Then,
Proof. Since for , this result is easily proved.
Corollary 4. Let be a balanced -function. Then, where .
Proof. Carlet [20] obtained for , and thus this result is easily proved.
Remark 4. From Corollaries 3 and 4, we have the following:
(1) The larger the (or ) (), the larger the .
(2) For the conventional attacks, S-boxes should have higher nonlinearity and algebraic immunity, good sum-of-squares indicators, etc. For differential power analysis, S-boxes should have a lower transparency order. Therefore, the trade-off among these indicators should be considered when designing cryptographic algorithm components in practice.
4.2. The Relationships between and Hamming Weight
In this section, we give an upper bound on by the Hamming weight of coordinate functions.
Theorem 4. Let be an -function and . Then, for any ,
Proof. Using the relation of absolute value inequality and Lemma 1, since is a balanced function for , we have which proves the result.
Remark 5. If for any , then . This implies that for balanced -functions .
Corollary 5. Let be a balanced -function. Then,
Wang and Stănică [12] gave a tight upper bound on the transparency order in terms of nonlinearity for a Boolean function and obtained a lower bound between transparency order and nonlinearity for a Boolean function. In the following, for a Boolean function, we also give one upper bound and some lower bounds on .
Corollary 6. Let . Then,(1).(2).(3).(4).
Remark 6. In this section, we have the following facts.
(1) Theorem 3 and Corollaries 2–5 are all about balanced Boolean functions, but Corollary 6 is about Boolean functions (including balanced and unbalanced Boolean functions).
(2) Wang and Stănică [12] gave the upper bound on by the nonlinearity of Boolean function; here we give the lower bounds on by the nonlinearity, the sum-of-squares indicator, and the maximum absolute value of the Walsh transform, respectively.
(3) These results show that the smaller the sum-of-squares indicator (or the maximal absolute value of Walsh spectrum) of its coordinate, the bigger the modified transparency order, and the bigger the nonlinearity (or the algebraic immunity) of its coordinate, the bigger the modified transparency order.
5. Data Analysis of S-Boxes
In this section, we give or of three types of 4-bit S-boxes: (1) some lightweight S-boxes used in some well-known encryption algorithms, (2) 16 classes of optimal S-boxes, and (3) 302 affine equivalent S-boxes. Thus, we give the analysis results of S-boxes in three subsections.
5.1. and of Some Known S-Boxes in Well-Known Encryption Algorithms
We give the and of S-boxes in some well-known encryption algorithms (such as Pride [21], Midori [22], Gift [23], MANTIS [3], SKINNY [3], PRESENT [24], Prince [25], Marvin [26], Piccolo [27], and Lblock [28]) in Table 1.
The data in Table 1 show that for a given S-box. This is consistent with Theorem 1.
5.2. The of 16 Optimal S-Boxes
In 2007, Leander et al. gave 16 different optimal balanced (4,4) S-boxes based on affine equivalence in [29]. The representatives of the truth table are given in Table 2.
By Proposition 3 in [13], we know that means affine invariant only under certain affine transformations which are based on , where are two S-boxes, and is an invertible matrix, . This means that may change under the different affine transformations , and we only consider this case in the following. From the finite field, we know that the number of invertible matrices in is Thus, the number of invertible matrices in is 20160, i.e., the number of the affine S-boxes () of one S-box () is 20160, where is a 4-bit S-box and is an invertible matrix.
At the same time, bounds and the frequency distribution of are given for all affine transformations of 16 optimal classes in [13]. But from these data, we cannot find out what the distribution of , is, and how many S-boxes there are in each distribution value. For example, in the algorithm design, we want to know the exact value of , not the range of in [13]. Therefore, we need to give specific data values for every (), and Tables 3–6 provide support for us to select S-boxes. Meanwhile, these data further improve the data in [13].
In Table 3, we calculate of 20160 S-boxes for . We find the following facts:
(1) The of has 11 values, if .
(2) The of has 10 values, if .
(3) The of has 9 values, if .
(4) The of has 8 values, if .
(5) The of has 7 values, if .
(6) The of has 4 values, if .
Furthermore, we give the corresponding mean and variance in each optimal class in Table 4.
The mean value of for () belongs to the range of [3.195714, 3.264286], and the variance belongs to range of [0.007448, 0.021143]. The distribution of its value is concentrated in a relatively small interval.
In particular, we get the detailed distribution of of and in Tables 5 and 6, respectively. The calculation results of other are similar to Table 5 and are omitted due to the limited length of this paper.
5.3. The and of 302 Affine Equivalent S-Boxes
There are 302 affine equivalence classes of 4-bit S-boxes [30]. We compute and of all 302 S-boxes of size . Our simulations show that the modified transparency order is confined within the range , but in Tables 7–9. We summarize the comparison of modified transparency order and the redefined transparency order in Tables 7–9 and find that , and these data show that Theorem 1 is correct.
Remark 7. In Table 10, the number of affine equivalence classes whose modified transparency order lies in the range is equal to , which corresponds to about of their total number. This simply means that for a randomly selected S-box, the probability that its transparency order is in the range is approximately , which is quite high. This again questions the whole idea of embedding the protection against DPA attacks directly in the design of S-boxes, since a more natural option is to implement such a protection through some masking technique.
6. Conclusion
This paper further studies some unresolved problems related to the modified transparency order for -functions. Our result implies that is less than or equal to for any -function. In addition, a useful characterization of the modified transparency order is derived in terms of its tight bounds and its relation to other important cryptographic properties. These results show that the smaller the sum-of-squares indicator (or the nonlinearity and the algebraic immunity) of its coordinate, the bigger the modified transparency order. Although some results of have been given in this paper, there are still few studies on . The design of -functions with small modified transparency order and good cryptographic indicators remains an open problem. At the same time, we will focus on the experimental verification of -functions for differential power attack and investigate the relationship between transparency order and confusion coefficient.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The first author was supported by the National Key R&D Program of China (nos. 2017YFB0802000 and 2017YFB0802004) and in part by the Sichuan Science and Technology Program (no. 2020JDJQ0076). The second author was supported in part by the National Natural Science Foundation of China (61872103), Guangxi Science and Technology Foundation (Guike AB18281019), and Guangxi Natural Science Foundation (2019GXNSFGA245004). The third author was supported in part by the National Cryptography Development Fund (grant no. MMJJ 20180223).