Top

Published in:

23-07-2016

Redefining the transparency order

Authors: Kaushik Chakraborty, Sumanta Sarkar, Subhamoy Maitra, Bodhisatwa Mazumdar, Debdeep Mukhopadhyay, Emmanuel Prouff

Published in: Designs, Codes and Cryptography | Issue 1-2/2017

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In this paper, we consider the multi-bit Differential Power Analysis (DPA) in the Hamming weight model. In this regard, we revisit the definition of Transparency Order (\(\mathsf {TO}\)) from the work of Prouff (FSE 2005) and find that the definition has certain limitations. Although this work has been quite well referred in the literature, surprisingly, these limitations remained unexplored for almost a decade. We analyse the definition from scratch, modify it and finally provide a definition with better insight that can theoretically capture DPA in Hamming weight model for hardware implementation with precharge logic. At the end, we confront the notion of (revised) transparency order with attack simulations in order to study to what extent the low transparency order of an s-box impacts the efficiency of a side channel attack against its processing. To the best of our knowledge, this is the first time that such a critical analysis is conducted (even considering the original notion of Prouff). It practically confirms that the transparency order is indeed related to the resistance of the s-box against side-channel attacks, but it also shows that it is not sufficient alone to directly achieve a satisfying level of security. Regarding this point, our conclusion is that the (revised) transparency order is a valuable criterion to consider when designing a cryptographic algorithm, and even if it does not preclude to also use classical countermeasures like masking or shuffling, it enables to improve their effectiveness.

previous article On the direct construction of recursive MDS matrices

next article Improving impossible-differential attacks against Rijndael-160 and Rijndael-224

Available only for authorised users

Such a model is used in CPA, together with the key hypothesis K, to compute the predictions that are correlated to each point of the traces \({\varvec{T}}_x\) (see [4] for a detailed presentation of the CPA).

This should correspond to a maximum level of security.

We recall that the correlation coefficient between two random variables U and V can be soundly estimated from respectively N observations \((u_i)_i\) and \((v_i)_i\) of U and V by \(\rho (U,V) \simeq (N\sum _i u_iv_i - \sum _i u_iv_i) / (\sqrt{N\sum _i u_i^2 - (\sum _i u_i)^2}\sqrt{N\sum _i v_i^2 - (\sum _i v_i)^2})\).

Those s-boxes correspond to the two opposite extrema in terms of \(\mathsf {TO}\).

These standard deviations correspond to j % of the mean \(\mathsf {H}(y)\) when y ranges uniformly over \({\mathbb {F}}_2^4\) and \(j\in \{0,10,20,30,40,50\}\).

The number of repetitions is 1000.

Bévan R., Knudsen E.: Ways to enhance differential power analysis. In: Lee, P., Lim, C. (eds.) Information Security and Cryptolog—ICISC 2002. Lecture Notes in Computer Science, vol, 2587, pp. 327–342. Springer, New York (2002).

Bilgin B., Nikova S., Nikov V., Rijmen V., Stütz G.: Threshold implementations of all \(3 \times 3\) and \(4 \times 4\) s-boxes. In: Prouff E., Schaumont P. (eds.): Cryptographic Hardware and Embedded Systems—CHES 2012—14th International Workshop, Leuven, Belgium, 9–12 Sept, 2012. Lecture Notes in Computer Science, vol. 7428, pp. 76–91. Springer, New York (2012).

Borghoff J., Canteaut A., Güneysu T., Kavun E.B., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberge C., Rombouts P., Thomsen S.S., Yalçin T.: PRINCE—a low-latency block cipher for pervasive computing applications—extended abstract. In: Wang X., Sako K. (eds.) Advances in Cryptology—ASIACRYPT 2012—18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, 2–6 Dec, 2012. Lecture Notes in Computer Science, vol. 7658, pp. 208–225. Springer, New York (2012).

Brier E., Clavier C., Olivier F.: Correlation power analysis with a leakage model. In: Joye M., Quisquater J.J. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2004. Lecture Notes in Computer Science, vol. 3156, pp. 16–29. Springer, New York (2004).

Carlet C.: On Highly nonlinear S-boxes and their inability to thwart DPA attacks. In: Maitra S., Veni Madhavan C.E., Venkatesan R. (eds.) Progress in Cryptology—INDOCRYPT 2005. Lecture Notes in Computer Science, vol. 3797, pp. 49–62. Springer, New York (2006).

Carlet C.: Vectorial Boolean functions for cryptography. In: Boolean Models and Methods in Mathematics, Computer Science, and Engineering, chapter 9, pp. 398–469. Cambridge University Press, Cambridge (2010).

Chari S., Jutla C., Rao J., Rohatgi P.: A cautionary note regarding evaluation of AES candidates on smart-cards. In: Second AES Candidate Conference—AES, vol. 2 (1999).

Chari S., Jutla C., Rao J., Rohatgi P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener M. (ed.) Advances in Cryptology—CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666, pp. 398–412. Springer, New York (1999).

Chari S., Rao J., Rohatgi P.: Template attacks. In: Kaliski Jr. B., Koç Ç., Paar C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002. Lecture Notes in Computer Science, vol. 2523, pp. 13–29. Springer, New York (2002).

10.

Doget J., Prouff E., Rivain M., Standaert F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011).

11.

Evci M.A., Kavut S.: DPA resilience of rotation-symmetric S-boxes. In: IWSEC, pp. 146–157 (2014).

12.

Fei Y., Luo Q., Ding A.A.: A statistical model for DPA with novel algorithmic confusion analysis. In: Prouff E., Schaumont P. (eds.): Cryptographic Hardware and Embedded Systems—CHES 2012—14th International Workshop, Leuven, Belgium, 9–12 Sept, 2012. Lecture Notes in Computer Science, vol. 7428, pp. 233–250. Springer, New York (2012).

13.

FIPS PUB 197. Advanced encryption standard. National Institute of Standards and Technology (2001).

14.

Gierlichs B., Batina L., Tuyls P., Preneel B.: Mutual information analysis. In: Oswald E., Rohatgi P. (eds.) CHES. Lecture Notes in Computer Science, vol. 5154, pp. 426–442. Springer, New York (2008).

15.

Guilley S., Hoogvorst P., Pacalet R.: Differential power analysis model and some results. In: Quisquater J.J., Paradinas P., Deswarte Y., Kalam A.E. (eds.) Smart Card Research and Advanced Applications VI—CARDIS 2004, pp. 127–142. Kluwer Academic Publishers, London (2004).

16.

Kocher P., Jaffe J., Jun B.: Differential power analysis. In: Wiener M. (ed.): Advances in Cryptology—CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer, New York (1999).

17.

Mangard S.: Hardware countermeasures against DPA—a statistical analysis of their effectiveness. In: Okamoto T. (ed.) Topics in Cryptology—CT-RSA 2004. Lecture Notes in Computer Science, vol. 2964, pp. 222–235. Springer, New York (2004).

18.

Mazumdar B., Mukhopadhyay D., Sengupta, I.: Constrained search for a class of good bijective s-boxes with improved DPA resistivity. IEEE Trans. Inf. Forens. Secur. 8(12), 2154–2163 (2013).

19.

Messerges T.: Power analysis attacks and countermeasures for cryptographic algorithms. PhD thesis, University of Illinois, Champaign (2000).

20.

Nikova S., Rijmen V., Schläffer M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011).

21.

Picek S., Ege B., Papagiannopoulos K., Batina L., Jakobovic D.: Optimality and beyond: the case of \(4\times 4\) s-boxes. In: 2014 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2014, Arlington, VA, USA, 6–7 May, 2014, pp. 80–83. IEEE Computer Society, Washington, DC (2014).

22.

Picek S., Papagiannopoulos K., Ege B., Batina L., Jakobovic D.: Confused by confusion: systematic evaluation of DPA resistance of various s-boxes. In: Meier W., Mukhopadhyay D. (eds.) Progress in Cryptology—INDOCRYPT 2014—15th International Conference on Cryptology in India, New Delhi, India, December 14–17, 2014. Lecture Notes in Computer Science, vol. 8885, pp. 374–390. Springer, New York (2014).

23.

Prouff E.: DPA attacks and S-Boxes. In: Handschuh H., Gilbert H. (eds.) Fast Software Encryption—FSE 2005. Lecture Notes in Computer Science, vol. 3557, pp. 424–442. Springer, New York (2005).

24.

Prouff E., Rivain M., Bévan R.: Statistical analysis of second order differential power analysis. IEEE Trans. Comput. 58(6), 799–811 (2009).

25.

Rivain M., Prouff E., Doget J.: Higher-order masking and shuffling for software implementations of block ciphers. In: Clavier C., Gaj K. (eds.) CHES. Lecture Notes in Computer Science, vol. 5747, pp. 171–188. Springer, New York (2009).

26.

Tiri K., Verbauwhede I.: A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: 2004 Design, Automation and Test in Europe Conference and Exposition (DATE 2004), , Paris, France, 16–20 Feb 2004, pp. 246–251. IEEE Computer Society, Washington, DC (2004).

27.

Whitnall C., Oswald E.: A comprehensive evaluation of mutual information analysis using a fair evaluation framework. In: Rogaway P. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 6841, pp. 316–334. Springer, New York (2011).

Title: Redefining the transparency order
Authors: Kaushik Chakraborty
Sumanta Sarkar
Subhamoy Maitra
Bodhisatwa Mazumdar
Debdeep Mukhopadhyay
Emmanuel Prouff
Publication date: 23-07-2016
Publisher: Springer US
Published in: Designs, Codes and Cryptography / Issue 1-2/2017
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-016-0250-3

Springer Professional

Redefining the transparency order

Abstract

Premium Partner

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 1-2/2017

Reflection ciphers

Towards a general construction of recursive MDS diffusion layers

Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity

Upper bounds on the complexity of algebraic cryptanalysis of ciphers with a low multiplicative complexity

Signature codes for noisy multiple access adder channel

Symmetric disjunctive list-decoding codes

Premium Partner