 Research
 Open Access
 Published:
Transparency order versus confusion coefficient: a case study of NIST lightweight cryptography SBoxes
Cybersecurity volume 4, Article number: 35 (2021)
Abstract
Sidechannel resistance is nowadays widely accepted as a crucial factor in deciding the security assurance level of cryptographic implementations. In most cases, nonlinear components (e.g. SBoxes) of cryptographic algorithms will be chosen as primary targets of sidechannel attacks (SCAs). In order to measure sidechannel resistance of SBoxes, three theoretical metrics are proposed and they are reVisited transparency order (VTO), confusion coefficients variance (CCV), and minimum confusion coefficient (MCC), respectively. However, the practical effectiveness of these metrics remains still unclear. Taking the 4bit and 8bit SBoxes used in NIST Lightweight Cryptography candidates as concrete examples, this paper takes a comprehensive study of the applicability of these metrics. First of all, we empirically investigate the relations among three metrics for targeted Sboxes, and find that CCV is almost linearly correlated with VTO, while MCC is inconsistent with the other two. Furthermore, in order to verify which metric is more effective in which scenarios, we perform simulated and practical experiments on nine 4bit SBoxes under the nonprofiled attacks and profiled attacks, respectively. The experiments show that for quantifying sidechannel resistance of SBoxes under nonprofiled attacks, VTO and CCV are more reliable while MCC fails. We also obtain an interesting observation that none of these three metrics is suitable for measuring the resistance of SBoxes against profiled SCAs. Finally, we try to verify whether these metrics can be applied to compare the resistance of SBoxes with different sizes. Unfortunately, all of them are invalid in this scenario.
Introduction
With the emergence and explosive development of the Internet of Things, a large number of highly constrained devices are interconnected and working in concert to accomplish certain tasks (Zhu and Reddi 2017). In order to protect the security of most applications, lightweight cryptographic algorithms tailored for constrained devices have been researched for more than a decade (Heuser et al. 2020). Specifically, NIST has initiated a process to solicit, evaluate, and standardize lightweight cryptographic algorithms (NIST 2021). Subsequently, many ingenious ciphers have been proposed (Bao et al. 2019; Zhang et al. 2019; Dobraunig and Mennink 2019).
The security evaluation of lightweight cryptographic algorithms is a topic of interest due to their wide application prospects. In particular, the resistance of cryptographic implementations against sidechannel attacks (SCAs) has been recognized as a crucial factor (Heuser et al. 2020). Essentially, SCAs exploit physical leakages (e.g., power consumption (Kocher et al. 1999), electromagnetic emanations (Brier et al. 2004)) from cryptosystems to recover their underlying sensitive data. Generally speaking, SCAs can be divided into two classes: nonprofiled attacks, such as differential power analysis (DPA) (Kocher et al. 1999) and correlation power analysis (CPA) (Brier et al. 2004), and profiled attacks, such as template attacks (TA) (Chari et al. 2002) and deep learning (DL) based profiled attacks (Maghrebi et al. 2016; Cagli et al. 2017; Wouters et al. 2020).
When performing an efficient SCA, it is evident that nonlinear components (e.g. SBoxes) of cryptographic algorithms will be chosen as the primary targets (Carlet 2005). Therefore, for evaluating the sidechannel resistance of a lightweight cipher, it is an important perspective to study how to measure the intrinsic resistance of SBoxes against SCAs. Consequently, various metrics have been proposed, such as DPA signaltonoise ratio (Guilley et al. 2004), transparency orders (Prouff 2005; Chakraborty et al. 2017; Li et al. 2020), confusion coefficients (Fei et al. 2012) and nonabsolute indicator (Carlet et al. 2021).
Among those metrics, transparency orders and confusion coefficients are the most commonly used to compare and select optimal SBoxes with high SCA resistance. As for the first ones, the original transparency order (TO) (Prouff 2005) and modified transparency order (MTO) (Chakraborty et al. 2017) has been widely used to select \(4\times 4\) SBoxes, \(6\times 6\) SBoxes, and \(8\times 8\) SBoxes (Picek et al. 2014, 2016; Kavut and Baloğlu 2016; Patranabis et al. 2019). However, it has been pointed out that both TO and MTO are flawed (Li et al. 2020). And the notion of reVisited transparency order (VTO) was further proposed in Li et al. (2020). As far as we know, VTO has been used to select \(4\times 4\) SBoxes in Runlian et al. (2020) and \(8\times 8\) SBoxes in MartínezDíaz and FreyreEchevarria (2020). As for confusion coefficients, confusion coefficient variance (CCV) and minimum confusion coefficient (MCC) were proposed by Picek et al. (2014) and Guilley et al. (2015), respectively. CCV has been used to heuristically select optimal \(4\times 4\) and \(8\times 8\) SBoxes for cryptographic algorithms (Ege et al. 2015; FreyreEchevarría et al. 2020). While MCC has not received much attention. Furthermore, there are some studies consider both transparency orders and confusion coefficients to select optimal SBoxes against SCAs (de la Cruz Jiménez 2018; MartínezDíaz and FreyreEchevarria 2020).
However, the practical effectiveness of these metrics remains still unclear. Specifically, for transparency orders, the existing research work is limited to the analysis of TO or MTO, and there is a lack of research on the recently proposed VTO. And for confusion coefficients, the effectiveness of CCV and MCC needs to be further verified. Therefore, we mainly focus on investigating the applicability and relations of VTO, CCV, and MCC in this work.
Our Contributions. In this paper, we give a comprehensive study of the applicability of three typical theoretical metrics for sidechannel analysis, namely VTO, CCV and MCC. We take the 4bit and 8bit SBoxes used in NIST Lightweight Cryptography candidates as concrete examples for our analysis. Firstly, we empirically investigate the relations among three metrics for targeted Sboxes. The metric values of these SBoxes show that CCV is almost linearly correlated with VTO, while MCC is inconsistent with the other two metrics.
Next, to verify the effectiveness of these metrics, we perform simulated and practical experiments on nine 4bit SBoxes in the nonprofiled and profiled scenarios, respectively. For the nonprofiled scenario, when VTO (resp. CCV) difference value of two SBoxes is relatively large, the SBox with a lower VTO (resp. higher CCV) value is generally more resistant to attacks. However, when VTO and CCV values of SBoxes turn relatively close to each other, these two metrics become inaccurate to some extent. Interestingly, the MCC fails to work in quantifying the resistance of SBoxes against CPA attacks. For the profiled scenario, template attacks and deep learning based profiled attacks are performed, respectively. Unfortunately, none of these three metrics (VTO, CCV and MCC) is suitable for measuring the resistance of SBoxes against profiled SCAs.
Finally, we try to verify whether these metrics can be applied to compare the resistance of SBoxes with different sizes. Interestingly, all of them cannot be used to compare the resistance of SBoxes with different sizes.
The rest of the paper is organized as follows. “Notations and preliminaries” section gives preliminary notions on SBoxes and theoretical metrics evaluating the resiliency of SBoxes against SCAs. “Evaluation of SBoxes” section provides basic information on the SBoxes we evaluated and the results based on the theoretical metrics. Then in Nonprofiled sidechannel attacks against 4 × 4 SBoxes section, we demonstrate the simulated and practical results of nonprofiled attacks on nine 4bit SBoxes. And the results of profiled attacks are shown in Profiled sidechannel attacks section. Furthermore, we verify whether these metrics can be applied to compare the resistance of SBoxes with different sizes in “p04 × 4 SBoxes versus 8 × 8 SBoxes” section. Finally, we conclude our work in “Conclusions and future work” section.
Notations and preliminaries
In this section, we first give basic notions about the cryptographic properties of SBoxes. Then, we introduce the notions of reVisited transparency order (VTO), confusion coefficient variance (CCV), and minimum confusion coefficient (MCC).
Boolean functions and SBoxes
Let \({\mathbb{F}}_2^n\) be the vector space that contains all the nbit binary vectors, where n is a positive integer. For every vector \(u \in {\mathbb{F}}_2^n\), we denote by H(u) the Hamming weight (HW) of u. A Boolean function on n variables can be viewed as a mapping from \({\mathbb{F}}_2^n\) to \({\mathbb{F}}_2\), and the mappings from the vector space \({\mathbb{F}}_2^n\) to the vector space \({\mathbb{F}}_2^m\) are called (n, m)vectorial Boolean functions where \(m \leqslant n\). An (n, m)function F that performs substitution in the cryptosystem is commonly referred to as the \(n \times m\) SBox. Generally, SBoxes have to be chosen carefully to satisfy cryptographic properties like resisting linear and differential cryptanalysis.
For each (n, m)function F, the Boolean functions \(f_1,\ldots ,f_m\) defined for every \(x \in {\mathbb{F}}_2^n\) by \(F(x) = (f_1(x),\ldots ,f_m(x))\) are called the coordinate functions of F. Let \(z \in {\mathbb{F}}_2^m\) be a vector whose binary coordinates are all zero except one which is assumed to be at index j. The jth component function of the function F is a single output Boolean function \(z \cdot F\), and we also denote this component function as \(F_j\). The crosscorrelation spectrum between two Boolean functions \(f_1\), \(f_2\) is defined as the value \({\mathcal{C}}_{f_1, f_2}(u) = \begin{matrix} \sum _{x \in {\mathbb{F}}_2^n} (1)^{f_1(x) \oplus f_2(x \oplus u )} \end{matrix}\) for every \(u \in {\mathbb{F}}_2^n\).
ReVisited transparency order
Following the work of Prouff on transparency order (TO) (Prouff 2005), Chakraborty et al. (2017) presented modified transparency order (MTO). Recently, Li et al. amended a definitional flaw in the work of TO and spotted MTO overestimates the sidechannel resistance of SBoxes in the HW leakage model. Then they proposed reVisited transparency order (VTO) and verified the soundness of this notion through simulated and practical experiments. The work of MartínezDíaz and FreyreEchevarria (2020) also verified that VTO is a more accurate metric. Mathematically, the VTO value of an SBox F equals to
where \(\beta _i\) denotes the value of the ith bit of the register initial state \(\beta\), and \({\mathcal{C}}_{F_i, F_j}(a)\) denotes the crosscorrelation spectrum between the component functions \(F_i\) and \(F_j\).
Specifically, the VTO metric assumes that target devices leak the HW value of \(v \oplus \beta\), where v denotes the data being processed, and \(\beta\) denotes the register initial state that is assumed to be constant. In Eq. (1), the value of \(\mathrm{{VTO}}(F)\) is obtained by traversing all register initial state \(\beta \in {\mathbb{F}}_{2}^{m}\), and it represents the worst case context when implementing the SBox. However, in practice, the strategy of the adversary depends on the target device. As a result, we set the value of \(\beta\) to zero for each SBox implementation in our experiments. It corresponds to our context in which the target microcontroller leaks the HW value of the manipulated value v. And the corresponding value of VTO is denoted as \(\mathrm{VTO}_{\mathrm{0}}(F)\).
Confusion coefficient variance
Fei et al. (2012) introduced another metric called confusion coefficient. This metric measurers the probability of occurrences for which key hypotheses \(k_i\) and \(k_i\) result in different intermediate values v. For DPA attacks, it can be calculated through measuring the difference between the v values under the two keys by the expectation of their squared distance. That is, it can be computed as:
where \({\mathcal{L}}\) denotes the leakage function, p denotes the arbitrary inputs, and \({\mathbb{E}}\) is the mean operator.
Then, Picek et al. (2014) proposed to calculate the variance of all confusion coefficients with respect to each possible \(k_i\) and \(k_j\) under the HW leakage model. And the SBox with higher confusion coefficient variance (CCV) value leads to a higher resistance against SCAs. Formally, for all the key pairs \(k_i, k_j\), \(k_i \ne k_j\), the value of CCV of an SBox is calculated as follows:
Minimum confusion coefficient
Guilley et al. (2015) pointed out that when the signaltonoiseratio (SNR) of the leakage is low, the empirical success rate of DPA, CPA and the optimal distinguisher mainly depends on minimum confusion coefficient (MCC) \(\min _{k \ne k^{*}} \kappa ^{\prime }\left( k^{*}, k\right)\). Where \(k^{*}\) denotes the secret key, and k denotes a key hypothesis that is not the secret key. The lower the value of MCC, the lower the success probability to extract the secret key based on leakages associated with the SBox. Here the \(\kappa ^{\prime }\left( k^{*}, k\right)\) is calculated as follows:
which is slightly different from \(\kappa \left( k^{*}, k\right)\), but it does not affect the order of the different SBoxes. Note that the distribution of \(\kappa ^{\prime }\left( k^{*}, k\right)\) is independent on the particular choice of \(k^{*}\) and the values are only permuted. Therefore, \(k^{*}\) can be set to 0 during the calculation. In Heuser et al. (2016) and Heuser et al. (2020), the effectiveness of using MCC to measure the resistance of different SBoxes against CPA and the optimal distinguisher was validated through simulated experiments.
Evaluation of SBoxes
In this section, we first show basic information on the SBoxes we investigate. Next, the values of \(\mathrm{VTO}_{\mathrm{0}}\), CCV, and MCC of these SBoxes are given.
Investigated SBoxes
Of the 25 NIST Lightweight Cryptography secondround candidates that use SBoxes as the nonlinear component, 18 schemes use 4bit or 8bit SBoxes. Therefore, we mainly evaluate the 4bit and 8bit SBoxes in this work. More precisely, we focus on the following 11 SBoxes.
\(4\times 4\) SBoxes of PHOTONBeetle (Bao et al. 2019), KNOT (Zhang et al. 2019), Pyjamask (Goudarzi et al. 2019), GIFTCOFB (Banik et al. 2019), Elephant (Dobraunig and Mennink 2019), SATURNIN (Canteaut et al. 2019), ForkAE (Andreeva et al. 2019) and Spook (Bellizia et al. 2020). More specifically, the nine SBoxes are listed in Table 1. Note that a cipher may use several different SBoxes (e.g., SATURNIN). In addition, the above nine SBoxes are also used in other NIST candidate ciphers. For instance, the GIFT SBox is also used in ESTATE (ESTATE TweGIFT128) (Chakraborti et al. 2020), HYENA (Chakraborti et al. 2019), SUNDAEGIFT (Banik et al. 2019), LOTUSAEAD and LOCUSAEAD (Chakraborti et al. 2019). And ORANGE (Chakraborty and Nandi 2019) uses the same SBox with PHOTONBeetle.
\(8\times 8\) SBoxes of AES (FIPS PUB 2001) (used in SAEAES Naito et al. 2019, mixFeed Chakraborty and Nandi 2019, COMET Gueron et al. 2019, SKINNYAEAD and SKINNYHash Beierle et al. 2020 and ESTATE Chakraborti et al. 2020) and SKINNY128 (Beierle et al. 2020) (used in SKINNYAEAD and SKINNYHash Beierle et al. 2020, Romulus Iwata et al. 2019 and ForkAE Andreeva et al. 2019).
Results based on theoretical metrics
The theoretical measurement results of the \(\mathrm{VTO}_{\mathrm{0}}\), CCV, and MCC for the SBoxes are listed in Table 2. We can observe that when sorting the SBoxes of the same size, the order of SBoxes sorted by \(\mathrm{VTO}_{\mathrm{0}}\) and sorted by CCV is basically the same. However, the ordering of SBoxes sorted according to MCC is inconsistent with both \(\mathrm{VTO}_{\mathrm{0}}\) and CCV. As for the \(4\times 4\) SBoxes, the absolute Kendall rank correlation coefficients between the values of \(\mathrm{VTO}_{\mathrm{0}}\) and CCV, \(\mathrm{VTO}_{\mathrm{0}}\) and MCC, and CCV and MCC are 0.985, 0.039 and 0.040, respectively. That is to say, MCC conflicts with \(\mathrm{VTO}_{\mathrm{0}}\) and CCV. The second observation is that larger SBoxes lead to significantly higher values of \(\mathrm{VTO}_{\mathrm{0}}\) and MCC, which implies SBoxes with larger sizes are more vulnerable against SCAs. But CCV doesn’t show such a result. Overall, there exist contradictions between the three metrics.
Specifically, for the \(4\times 4\) SBoxes, we have the following order (from the most resistive SBoxes to the least resistive) according to (1) \(\mathrm{VTO}_{\mathrm{0}}\), (2) CCV, and (3) MCC:
 \(\mathrm{VTO}_{\mathrm{0}}\)::

PHOTON, KNOT and Pyjamask128, GIFT, Elephant, SATURNIN\(_{\mathrm{S0}}\) and SATURNIN\(_{\mathrm{S1}}\), SKINNY64 and Spook.
 CCV::

PHOTON, KNOT and Pyjamask128, GIFT and Elephant, SATURNIN\(_{\mathrm{S0}}\) and SATURNIN\(_{\mathrm{S1}}\), SKINNY64 and Spook.
 MCC::

Pyjamask128, PHOTON and KNOT and SATURNIN\(_{\mathrm{S0}}\) and SATURNIN\(_{\mathrm{S1}}\) and SKINNY64 and Spook, GIFT and Elephant.
For the \(8\times 8\) SBoxes, the results of all three metrics show that the SBox of SKINNY128 is more resistant against SCAs than that of AES.
Nonprofiled sidechannel attacks against \(4\times 4\) SBoxes
Among various nonprofiled attacks, we focus on CPA due to its simplicity and efficiency. Actually, CPA is equivalent to multibit DPA up to a change of the attacker leakage modeling (Doget et al. 2011). Therefore, \(\mathrm{VTO}_{\mathrm{0}}\), CCV and MCC can all be used to measure the resistance of SBoxes against CPA under the HW leakage model in theory. Concretely, CPA recovers the secret key by selecting the key that maximizes the Pearson correlation coefficient between the actual leakage and the estimated leakage based on the assumed secret key. That is,
where \(\rho (X, Y)\) denotes the Pearson correlation coefficient between X and Y. \({\mathcal{L}}_{k^*}\) represents the measured traces, and \(\widehat{{\mathcal{L}}_k}\) denotes the estimated leakages.
Experiments of the unprotected SBoxes
We first perform simulated and practical attacks against the nine unprotected \(4\times 4\) SBoxes and compare their CPA resistance.
Simulated experiments
Experimental setup We implement SBoxes in the same way by using lookup tables, and leakages are simulated as
where \(F\left( p \oplus k^{*}\right)\) denotes the sensitive variable, and \(\omega\) denotes a Gaussian random variable centered in zero with a standard deviation \(\sigma\). In the experimental setup, the value of \(\sigma\) varies in the set \(\left\{ 2^{1}, 2^{\frac{1}{2}}, 1,2^{\frac{1}{2}}, 2,\right.\) \(\left. 2^{\frac{3}{2}}, 4 ,2^{\frac{5}{2}}\right\}\).
Experimental results In the field of sidechannel analysis, success rate (Standaert et al. 2005) is a common metric to evaluate an attack. Here, for each attack, we evaluate the minimum number of traces N required to achieve an attack success rate of 90% as it is a sound way to evaluate the efficiency of a sidechannel attack (Mangard 2004). The attack results are shown in Fig. 1a.
It can be observed that when the noise is low, the number of traces required for successful attacks of different SBoxes is very close. And with the noise increases, the difference between different SBoxes becomes more significant. However, the order of SBoxes resistance against CPA attacks is basically the same under different noise levels. So we mainly take the result with noise variance of \(2^5\) as an example to illustrate for easy observation.
According to our experimental results, SBoxes with lower \(\mathrm{VTO}_{\mathrm{0}}\) and higher CCV values are more resistant against CPA. Such as the SBoxes of PHOTON and GIFT are more resilient than SBoxes of SKINNY64 and Spook. However, the difficulty of attacking an SBox is quite different from the outcome of the MCC metric. For example, the MCC value of Elephant’s SBox is higher than that of Spook’s SBox, while the number of required traces of the former is approximately 1.5 times that for the latter.
One may also note that sometimes there exists discordance between the \(\mathrm{VTO}_{\mathrm{0}}\) (CCV) and the simulation results. Such as the \(\mathrm{VTO}_{\mathrm{0}}\) (CCV) value of Elephant’s SBox is higher (lower) than that of PHOTON’s SBox, while the Elephant’s SBox is more resilient than PHOTON’s SBox. As for VTO, the reason for this phenomenon is explained in Li et al. (2020), which is due to the different perspectives of VTO and the success rate metric when quantifying the SCA resistance of SBoxes. In detail, the basic idea of VTO is quantifying the difference between the score for the correct key and the average score for the other hypotheses; however, the success rate metric quantifies the number of successful attacks (i.e. the number of attacks in which the correct key is ranked first) in all attacks performed. As for CCV, we argue that it takes into account the distinctiveness level of the SBox outputs for all key hypothesis pairs, which is also different from the basic idea of the success rate. Besides, the number of traces used for attacks is limited, but in the notions of VTO and CCV, it is assumed that the number of traces is sufficient so that the noise can be omitted.
Overall, when the difference of the \(\mathrm{VTO}_{\mathrm{0}}\) (CCV) values of the two SBoxes is relatively large, the SBox with a lower \(\mathrm{VTO}_{\mathrm{0}}\) (higher CCV) value is generally more resistant to CPA attacks. However, when the difference of the \(\mathrm{VTO}_{\mathrm{0}}\) (CCV) values of the two SBoxes is relatively small, these two metrics lack the accuracy to evaluate the resiliency of SBoxes. Besides, MCC fails to work in our experiments.
Practical experiments
Experimental setup In practical experiments, all the nine SBoxes are implemented on a CW308STM32F Target Board (for ChipWhisperer CW308 UFO Board) with the STM32F405RGT6 Arm 32bit CortexM4 device, and the power traces are captured through the ChipWhispererLite Capture Board (O’Flynn and Chen 2014). The sampling rate is set to 29.5 MHz, and the 500 points around the sensitive operations are taken to attack. Same as the simulated experiments, the SBoxes are implemented by using lookup tables, and the register initial state \(\beta\) is set to 0. In order to study the performance of the three metrics with different noise levels, the attacks are performed based on the raw traces and traces with added Gaussian noise. Before adding noise, we standardize the traces (zero mean and unit variance). And the value of \(\sigma\) is set to the same as in simulated experiments.
Experimental results The attack results are shown in Fig. 1b. The \(\infty\) on the x axis represents the attack is performed on the raw traces with no additional noise. It can be observed that for most SBox examples, the results obtained are consistent with simulated results. However, one may also note that for certain cases, the results are slightly inconsistent with the simulation results. We infer the reasons for the inconsistent results are the leakages in the real environment do not fully satisfy the HW leakage model and the noise does not fulfill the Gaussian noise assumption.
Experiments of the masked SBoxes
Masking, due to its provable security and good device independence, has been one of the widely adopted countermeasures against SCAs (Duc et al. 2019). Naturally, the effectiveness of the three metrics is an important question when masking is adopted. Based on the work in Rivain et al. (2009), the CPA results toward dthorder masked SBoxes of the same size is only related to the masking order d under the HW model for Boolean masking schemes. And the function of SBox does not affect the security gain from unprotected SBoxes to dthorder masked SBoxes. Thus, the three metrics (\(\mathrm{VTO}_{\mathrm{0}}\), CCV, and MCC) should be independent of the masking order for Boolean making when higherorder CPA attacks are utilized. We also try to verify it first by simulated experiments.
Simulated experiments
Experimental setup As for simulation of masking, we separately simulate first and secondorder masked SBoxes. So two and three points corresponding to their shares \(y_i\) are simulated, and we have
where y denotes the output of the SBox while \(p\oplus k^*\) is the input. \(y_i (i>0)\) is generated randomly, and \(y_0\) is processed such that Eq. (4) is satisfied. Each share of y is under the HW model, and the value of initial state \(\beta\) is set to zero. So each leakage point corresponding to \(y_i\) can be simulated as: \({\mathcal{L}}\left( y_{i}\right) ={\text{zscore}}\left( \textsf{H}\left( y_{i}\right) \right) +\omega _{i}\), where \(\omega _{i}\) denotes the Gaussian noise centered in zero with a standard deviation \(\sigma\) at this moment. In the firstorder masking experiments, the value of \(\sigma\) varies in the set \(\left\{ 2^{\frac{3}{4}}, 2^{\frac{1}{2}}, 2^{\frac{1}{4}}, 1,2^{\frac{1}{4}}, 2^{\frac{1}{2}}, 2^{\frac{3}{4}}, 2\right\}\). And in the secondorder masking experiments, the value of \(\sigma\) varies in the set \(\left\{ 2^{\frac{7}{4}}, 2^{\frac{3}{2}}, 2^{\frac{5}{4}}, 2^{1}, 2^{\frac{3}{4}}, 2^{\frac{1}{2}}, 2^{\frac{1}{4}}, 1\right\}\).
Experimental results The attack results are shown in Figs. 2a and 3a, respectively. With these experiments, one can note that the results of masked SBoxes are basically consistent with those of unprotected SBoxes, especially in the case of low noise. The SBox of Elephant is the most resistant against CPA attacks, and the SBoxes of Spook and SKINNY64 are the weakest. In addition, with the noise increase, the order of SBoxes resistance against CPA attacks fluctuates slightly in the experimental results. We argue that this is due to the increase of noise, which makes the evaluation results unstable.
Practical experiments
Experimental setup For the first and secondorder masking cases, the masking scheme proposed in Benadjila et al. (2020) and Valiveti and Vivek (2020) are adopted and implemented as our attack targets, respectively.
Experimental results The attack results are shown in Figs. 2b and 3b. It can be observed that for most SBox examples, we obtain similar results. Namely, those SBoxes with lower \(\mathrm{VTO}_{\mathrm{0}}\) (higher CCV) values still have higher CPA resistance in real environments.
Profiled sidechannel attacks
In this section, we further investigate the resistance of different SBoxes against profiled sidechannel attacks and check whether the three metrics are applicable to profiled attacks scenario.
Profiled sidechannel attacks consist of two phases: the offline profiling phase and the online attack phase. The attacker is assumed to have an open copy of the target device to learn the leakage distribution and to perform attacks with the learned models. In profiling phase, the attacker has a device with knowledge about the secret key implemented and acquires a set of N sidechannel traces \({\mathcal{L}}_{\text{profiling}}=\left\{ \varvec{{\widetilde{l}}}_{j} \mid j=1,2, \ldots , N\right\}\). Each trace \(\varvec{{\widetilde{l}}}_{j}\) is corresponding to sensitive variable \(y_{j}=f\left( p_{j}, k\right)\) in one encryption (or decryption) with known key \(k \in {\mathcal{K}}\) and plaintext (or ciphertext) \(p_{j}\). Once the acquisition is done, the attacker builds suitable models and computes the estimation of probability:
from a profiling set \(\left\{ (\varvec{{\widetilde{l}}}_{j}, y_{j})\right\} _{j=1}^{N}\). Then in attack phase, the attacker attempts to recover the unknown key in the target device with the help of profiled leakage details.
Specifically, we launch template attacks and deep learning based profiled attacks by simulated and practical experiments.
Template attacks on the nine \(4 \times 4\) SBoxes
Among profiled attacks, template attack (TA) (Chari et al. 2002) and its modified version efficient template attack (ETA) (Choudary and Kuhn 2013) are the most popular and widely used approaches. In TA, the attacker assumes that \(\varvec{L} \mid Y\) has a multivariate Gaussian distribution, and estimates the mean vector \(\varvec{\mu }_{y}\) and \(\varvec{\Sigma }_{y}\) for each \(y \in {\mathcal{Y}}\) (i.e. the socalled templates). In this way, Eq. (5) is approximated by the Gaussian probability distribution function with parameters \(\varvec{\mu }_{y}\) and \(\varvec{\Sigma }_{y}\). And in ETA, the attacker replaces the covariance matrixes with one pooled covariance matrix to cope with some statistical difficulties (Choudary and Kuhn 2013). In this paper, ETA is adopted to evaluate the resistance of the SBoxes. In the attack phase, the attacker acquires a small new set of traces \({\mathcal{L}}_{\text{ attack } }=\left\{ \varvec{l}_{j} \mid j=1,2, \ldots , Q\right\}\) with a fixed unknown key \(k^*\). With the knowledge of the established models, the estimated posterior probabilities can be calculated via the Bayes’ Theorem. Then the attacker can select the key that maximizes the probability following the Maximum Likelihood strategy:
Equation (6) stands only when acquisitions are independent, which is a practical condition in reality. Notice that the attacker can launch a highorder template attack if the leakages exist in highorder moments of sample points, such as defeating mask countermeasures.
Similar to the previous section, we also study the resistance of SBoxes in unprotected, first and secondorder masking cases, respectively.
Experiments of the Unprotected SBoxes
Experimental setup We perform both simulated and practical attacks to compare different SBoxes. As for simulated experiments, the leakages are simulated in the same way as in the nonprofiled scenario. In detail, we generate 3 points of interest (PoIs) corresponding to the output of SBoxes. As for practical experiments, the experimental setup is exactly the same as that in the previous section, and we preselect 3 PoIs with the highest Pearson correlation coefficient. We profile 16 efficient templates using 10,000 traces for each SBox. And attacks are performed at almost no leakage noise, low leakage noise and high leakage noise levels (\(\sigma =0.1\), \(\sigma =1\) and \(\sigma =2\)), respectively. For each SBox, we run ETA attacks 100 times with randomly selected subsamples of attack set for evaluation and record the minimum number of traces N required to achieve an attack success rate of 90%.
Experimental results The experimental results are shown in Fig. 14 of the Appendix. We can observe that the resistance of different unprotected SBoxes against ETA attacks is very close, even under high noise condition. We believe the main reason is that the efficient templates have a good characterization of the leakages in both simulated and practical experiments. Therefore, we further investigate the resistance of different SBoxes in first and secondorder masking cases.
Experiments of the masked SBoxes
In the profiling phase, we first profile 16 efficient templates using 10,000 traces for each share. Next, in the attack phase, we match the leakages to the profiled templates, which are denoted as \({\varvec{M}}^{{\varvec{i}}}\) and \(i \in \{0,1,\ldots ,d\}\). Then we get the probability \(P\left( Y_{j}^{i}=y_{j}^{i} \mid \right.\) \(\left. \varvec{l}_{j}^{i}, {\varvec{M}}^{{\varvec{i}}}\right)\) utilizing the efficient templates for each trace. Where \(y_{j}^{i}\) denotes the ith share of the output of the SBox corresponding to the jth trace, and \(\varvec{l}_{j}^{i}\) denotes the leakage for the ith share of the jth trace. The probability of \(y_{j}\) can be expressed as:
where \({\mathcal{S}}\) is the set \(\left\{ \left( y_{j}^{0}, \ldots , y_{j}^{d}\right) \mid y_{j}=y_{j}^{0} \oplus \cdots \oplus y_{j}^{d}\right\}\), and \(\varvec{l}_{j}\) denotes the leakages of all shares of the jth trace. With the information of the inverse mapping and the plaintext, \(P(y_{j})\) can be mapped to \(P_{j}(k)\). Add up the \(P_{j}(k)\) of all the attack traces, and the key hypothesis corresponding to the maximum value of P(k) is the revealed key.
Experimental setup As for simulated experiments, we generate 3 PoIs corresponding to each share of the output of SBoxes. As for practical experiments, we also preselect 3 PoIs for each share to construct templates and perform attacks. The remaining experimental settings are the same as those in the previous experiments.
Experimental results The attack results of first and secondorder masking cases with different noise levels are shown in Figs. 4 and 5, respectively. As for the secondorder masking case, the increase of noise will seriously affect the stability of the attack results and the accuracy of the evaluation, so we only show the experimental results when \(\sigma =0.1\) and \(\sigma =1\). It can be observed that in both first and secondorder masking implementations, when the noise level is very low, the resistance of different SBoxes against ETA attacks is still very close to each other. So we think that in very lownoise scenarios, it doesn’t seem necessary to consider how to select optimal \(4 \times 4\) SBoxes against ETA attacks.
With the noise increase, the difference between different SBoxes becomes slightly more significant. However, the practical results are not consistent with the simulation results. We infer the main reasons for the inconsistent results are the leakages in the real environment do not fully satisfy the HW leakage model and the noise does not fulfill the Gaussian noise assumption. And with the noise increase, the accuracy of the constructed templates is seriously affected. In addition, neither the simulated results nor the practical results are consistent with the results of all the three metrics. We argue that this is because the characterization of the noise, rather than the intrinsic properties of SBoxes, is the dominant factor affecting the effectiveness of the attacks. Therefore, these metrics may not be suitable for evaluating the resistance of SBoxes against template attacks.
In addition, we find that the difference between SBoxes against ETA is far less than that of SBoxes against CPA attacks. And the experimental results of ETA are not consistent with those of CPA attacks. For example, the SBox of Elephant is the most resistant to CPA attacks, but obviously not the most resistant to ETA attacks. And none of the 4bit SBoxes shows significantly more resistant than the others. We also perform attacks that target the HW of the outputs of the SBoxes (profiling 5 efficient templates), again with no clear pattern that could be observed. The possible reason is that the intrinsic properties of the SBoxes we analyzed are relatively close to each other. Whatever, when selecting the optimal SBoxes, it is necessary to comprehensively consider the resistance of SBoxes against a different type of attacks. It is not sufficient to consider only transparency orders or confusion coefficients.
Deep learning based profiled attacks
Recently, deep learning techniques gained substantial interest in the community of sidechannel analysis. Previous researches have evidenced deep learning based attacks give a very efficient alternative to the stateoftheart profiled attacks, and even outperform the traditional profiled attacks (Maghrebi et al. 2016; Cagli et al. 2017). We explore the resistance of the nine \(4 \times 4\) SBoxes against such attacks, and whether the three metrics are effective when measuring the resistance against deep learning based attacks. According to the work in Wouters et al. (2020), when the traces are synchronized, the Multi Layer Perceptron (MLP) models are as effective as Convolutional Neural Network (CNN) models. Since we only consider the case of the traces are aligned in this work, the attacks based on the MLP networks are performed.
In this subsection, all experiments are conducted on an Intel(R) Xeon(R) CPU E52667 v4 @3.20 GHz 32 core machine with two NVIDIA TITAN Xp GPUs. We use the Keras library (version 2.2.2) with the TensorFlow library (version 1.10.0) as the backend for MLP.
MLP architecture We refer to the recent work (Wouters et al. 2020) and then design our MLP models. For the unprotected and firstorder masking cases, the MLP is composed of one hidden layer with 10 neurons. And for the secondorder masking case, the MLP is composed of two hidden layers with 10 neurons. Each layer is activated by the ReLU function and He Uniform initialization is used to improve the weight initialization. The output layer contains 16 neurons activated by the softmax function. Crossentropy is used as the loss function. As a remark, the network architectures used in this subsection are surely not optimal, as our goal is not to select the optimal parameters.
For the training of MLP networks, the minibatch size is 128 and the maximum iterative epoch is 100. And the network kernel weights are recorded for the best validation loss. Once the training is done, we reconstruct the neuron network with the best recorded weights. The learning rate is initially 0.005, and a technique called One Cycle Policy (Smith 2017) is used to choose the right learning rate.
Experiments of the Unprotected SBoxes
Experimental setup As for simulated experiments, we generate 10 sample points for each trace, of which the first three points are PoIs corresponding to the output of SBoxes and the rest are randomly generated in [0, 4]. As for practical experiments, 10 samples that contain information on the output of SBoxes are captured for each trace. There are 10,000 traces for profiling and 5,000 traces for the attack. In the profiling traces, 90% are used for training and 10% are used for validation. We run each attack 100 times with randomly selected subsamples of attack sets and record the minimum number of traces required to achieve an attack success rate of 90%. Since the training of the neural network might be unstable, we repeat the experiments 10 times and take the average results.
Experimental results The experimental results are shown in Fig. 15 of the Appendix. Similar to the results of ETA attacks, the resistance of different unprotected SBoxes against deep learning based attacks is still very close, even under the high noise condition. Next, we further investigate the resistance of different SBoxes in first and secondorder masking cases.
Experiments of the masked SBoxes
Experimental setup Both the simulated and practical traces consist of 10 sample points. As for simulated experiments, we generate 3 PoIs corresponding to each share of the output of SBoxes, and the rest are randomly generated in [0, 4]. As for practical experiments, 10 samples that contain information on each share of the output of SBoxes are captured. For the firstorder masking case, there are 10,000 traces for profiling and 10,000 traces for the attack. And for the 2ndorder masking case, there are 30,000 traces for profiling and 20,000 traces for the attack.
Experimental results The results of first and secondorder masking cases are shown in Figs. 6 and 7, respectively. Similar to the results of ETA attacks, when the noise level is very low, the resistance of different SBoxes against deep learning based attacks is still very close to each other in both first and secondorder masking cases. As the noise increases, the difference between different SBoxes becomes more obvious. However, we still cannot find patterns in the experimental results. On the one hand, the practical results are not consistent with the simulation results. In addition to the reasons mentioned above, the instability of the network training may also contribute to this phenomenon. On the other hand, neither the simulated results nor the practical results are consistent with the results of all the three metrics. Namely, all the three metrics are not suitable for evaluating the resistance of SBoxes against deep learning based attacks. Therefore, how to quantify the resistance of SBoxes against deep learning based attacks still has a long way to go.
\(\varvec{4 \times 4}\) SBoxes versus \(\varvec{8 \times 8}\) SBoxes
In this section, taking several \(4 \times 4\) SBoxes and \(8 \times 8\) SBoxes as examples, we verify whether VTO, CCV and MCC can be applied to compare the resistance of SBoxes with different sizes through simulated and practical experiments.
Nonprofiled sidechannel attacks
From the perspective of theoretical analysis, among nine \(4 \times 4\) SBoxes, the SBox of PHOTON is the hardest to attack, and the SBox of Spook is one of the easiest to attack. In addition, according to the experimental results, the SBox of Elephant is the most resistant against CPA attacks, and the SBox of Spook is one of the easiest to attack. Considering the above factors, we select the SBoxes of PHOTON, Elephant, and Spook as the representatives of the \(4 \times 4\) SBoxes to compare with the \(8 \times 8\) SBoxes of SKINNY128 and AES.
Experimental setup We study the resistance of SBoxes in unprotected, first and secondorder masking cases, respectively. And the simulated and practical experiments are performed with different noise levels. Due to the simulated traces and practical traces are standardized (zero mean and unit variance) before Gaussian noise added, the \(4 \times 4\) SBoxes and \(8 \times 8\) SBoxes are compared at almost the same SNR.
Experimental results The results of simulated and practical experiments are shown in Figs. 8 and 9, respectively. In the unprotected case, we can observe that the SBoxes of SKINNY128 and AES perform worse than that of Elephant, similar to PHOTON, and better than Spook. Therefore, the \(4 \times 4\) SBoxes that are selected carefully could be even more resistant against CPA attacks than certain \(8 \times 8\) SBoxes. However, according to the values of theoretical metrics, the two \(8 \times 8\) SBoxes lead to higher values of \(\mathrm{VTO}_{\mathrm{0}}\) and MCC than the \(4 \times 4\) SBoxes, which implies \(8 \times 8\) SBoxes are more vulnerable to attacks. And the resistance of the SBox of SKINNY128 should be worse than that of PHOTON and Elephant, and slightly better than that of Spook in terms of VCC. As for the SBox of AES, it should be the easiest to attack among all the SBoxes. The inconsistency between theoretical analysis and practical results indicates that none of the three metrics can be used to quantify and compare SBoxes with different sizes.
As for first and secondorder masking cases, the two \(8 \times 8\) SBoxes perform much better than the \(4 \times 4\) SBoxes. The main reason is that the 8bit masks provide much better randomization than the 4bit masks. Of course, the larger size of SBoxes also leads to higher implementation costs. This is a tradeoff between the security and costs, which is outside the scope of this work.
In addition, for the two \(8 \times 8\) SBoxes we evaluated, the SBox of SKINNY128 always performs better than that of AES. However, the results in Heuser et al. (2016) show that the \(4 \times 4\) SBoxes they studied have a different sidechannel resiliency, while the difference in the \(8 \times 8\) SBoxes is only theoretically present. We argue that a good selection of \(8 \times 8\) SBoxes could also result in an improvement in inherent resilience.
Profiled sidechannel attacks
In this section, we compare the resistance of 4bit and 8bit SBoxes against profiled sidechannel attacks. The SBoxes used are the same as above.
Template attacks
Experimental setup We study the resistance of SBoxes in unprotected and firstorder masking cases. And the simulated and practical experiments are performed with different noise levels. We profile 16 efficient templates using 10,000 traces for each \(4 \times 4\) SBox, and profile 256 efficient templates using 160,000 traces for each \(8 \times 8\) SBox. Therefore, the number of profiling traces for each class of \(4 \times 4\) SBoxes and \(8 \times 8\) SBoxes is roughly the same.
Experimental results The results of the unprotected and firstorder cases are shown in Figs. 10 and 11, respectively. In the unprotected case, we can observe that the resistance of 8bit SBoxes and 4bit SBoxes are quite close. The main reason is that the efficient templates have a good characterization of the leakages. As for the firstorder case, it is obvious that the two 8bit SBoxes are more resistant against ETA attacks than the 4bit SBoxes. It seems natural since 8bit SBoxes have a significantly larger number of classes than 4bit SBoxes. In addition, in practical experiments, the difference between the 4bit and 8bit SBoxes is larger than that in the simulated experiments. We infer the main reasons are the leakages in the real environment do not fully satisfy the HW leakage model and the noise does not fulfill the Gaussian noise assumption. Because the traces of the 8bit SBox is divided into 256 classes, it requires higher precision of the constructed templates, and then the accuracy decreases faster.
Deep Learning Based Profiled Attacks
Experimental setup We study the resistance of \(4 \times 4\) SBoxes and \(8 \times 8\) SBoxes against deep learning based profiled attacks. The simulated and practical experiments are performed with different noise levels. We profile 16 efficient templates using 10,000 traces for each \(4 \times 4\) SBox, and profile 256 efficient templates using 160,000 traces for each \(8 \times 8\) SBox. The network architectures and other experimental settings are the same as those in the previous section.
Experimental results The results of the unprotected and firstorder cases are shown in Figs. 12 and 13, respectively. It is obvious that, in both unprotected and firstorder cases, the two 8bit SBoxes are more resistant against deep learning based profiled attacks than the 4bit SBoxes. It implies that, when the leakages cannot be characterized very accurately, SBoxes with larger sizes are more resistant than SBoxes with smaller sizes. Interestingly, for the firstorder case, practical attacks perform even better than simulated attacks. We guess the reason is the irregular noise in practical traces alleviates the overfitting during the training of networks. This phenomenon also shows that when evaluating the resistance of SBoxes against deep learning based sidechannel attacks, it is not sufficient to perform simulated experiments alone.
Conclusions and future work
In this paper, taking the SBoxes used in NIST Lightweight Cryptography candidates as concrete examples, we give a comprehensive study of the applicability of three popular theoretical metrics for sidechannel analysis, namely VTO, CCV and MCC. Firstly, we find that CCV is almost linearly correlated with VTO, while MCC is inconsistent with the other two metrics. Next, to verify which metric is more effective in which scenarios, we perform simulated and practical experiments on nine 4bit SBoxes in the nonprofiled and profiled scenarios, respectively. For the nonprofiled attacks, when the difference of VTO (resp. CCV) values of the two SBoxes is relatively large, the SBox with a lower VTO (resp. higher CCV) value is generally more resistant to CPA attacks. However, when VTO and CCV values of SBoxes become relatively close to each other, these two metrics turn less accurate. Interestingly, MCC fails to work in quantifying the resistance of SBoxes against CPA attacks. As for the profiled scenario, we perform efficient template attacks and deep learning based profiled attacks. However, none of the three metrics is suitable for measuring the resistance of SBoxes against profiled SCAs. Finally, we try to verify whether these metrics can be applied to compare the resistance of SBoxes with different sizes. Unfortunately, all the three metrics fail to work when measuring and comparing SBoxes with different sizes.
Since VTO and CCV lack the accuracy to evaluate the resistance of SBoxes against CPAlike attacks, it is significant to further analyze the reasons for the lack of precision of the existing metrics, and then explore the theoretical metric that fits the reality better. Additionally, exploring the theoretical relationship between transparency order and confusion coefficients may be helpful to propose the new metric.
Availability of data and materials
Not applicable.
References
Andreeva E, Lallemand V, Purnal A, Reyhanitabar R, Roy A, Vizár D (2019) Forkae v. In: Submission to NIST lightweight cryptography project
Banik S, Bogdanov A, Peyrin T, Sasaki Y, Sim SM, Tischhauser E Todo Y (2019) Sundaegift. In: Submission to NIST lightweight cryptography project 1
Banik S, Chakraborti A, Iwata T, Minematsu K, Nandi M, Peyrin T, Sasaki Y, Sim SM, Todo Y (2019) Giftcofb. In: Submission to NIST lightweight cryptography project 1
Bao Z, Chakraborti A, Datta N, Guo J, Nandi M, Peyrin T, Yasuda K (2019) Photonbeetle authenticated encryption and hash family. Submiss NIST Lightweight Cryptogr Proj 1:115
Beierle C, Jean J, Kölbl S, Leander G, Moradi A, Peyrin T, Sasaki Y, Sasdrich P, Sim SM (2020) SKINNYAEAD and skinnyhash. IACR Trans Symmetric Cryptol 2020(S1):88–131. https://doi.org/10.13154/tosc.v2020.iS1.88131
Bellizia D, Berti F, Bronchain O, Cassiers G, Duval S, Guo C, Leander G, Leurent G, Levi I, Momin C et al (2020) Spook: Spongebased leakageresistant authenticated encryption with a masked tweakable block cipher. IACR Trans Symmetric Cryptol 2020(S1):295–349. https://doi.org/10.13154/tosc.v2020.iS1.295349
Benadjila R, Prouff E, Strullu R, Cagli E, Dumas C (2020) Deep learning for sidechannel analysis and introduction to ASCAD database. J Cryptogr Eng 10(2):163–188. https://doi.org/10.1007/s13389019002208
Brier E, Clavier C, Olivier F (2004) Correlation power analysis with a leakage model. In: Cryptographic hardware and embedded systems—CHES 2004: 6th international workshop Cambridge, vol 3156. MA, USA, August 11–13, 2004. Springer, Berlin, pp 16–29
Cagli E, Dumas C, Prouff E (2017) Convolutional neural networks with data augmentation against jitterbased countermeasures—profiling attacks without preprocessing. In: Fischer W, Homma N (eds) Cryptographic hardware and embedded systems—CHES 2017—19th international conference, Taipei, Taiwan, September 25–28, 2017, vol 10529. Lecture Notes in Computer Science. Springer, Berlin, pp 45–68
Canteaut A, Duval S, Leurent G, NayaPlasencia M, Perrin L, Pornin T, Schrottenloher A (2019) Saturnin: a suite of lightweight symmetric algorithms for postquantum security
Carlet C (2005) On highly nonlinear sBoxes and their inability to thwart DPA attacks. In: Progress in cryptology—INDOCRYPT 2005. 6th international conference on cryptology in India, Bangalore, India, December 10–12, 2005. Springer, Berlin, pp 49–62
Carlet C, de Chérisey É, Guilley S, Kavut S, Tang D (2021) Intrinsic resiliency of SBoxes against sidechannel attacksbest and worst scenarios. IEEE Trans Inf Forensics Secur 16:203–218. https://doi.org/10.1109/TIFS.2020.3006399
Chakraborti A, Datta N, Jha A, MancillasLópez C, Nandi M, Sasaki Y (2020) Estate: a lightweight and low energy authenticated encryption mode. IACR Trans Symmetric Cryptol 2020(S1):350–389. https://doi.org/10.13154/tosc.v2020.iS1.350389
Chakraborti A, Datta N, Jha A, Lopez CM, Nandi M, Sasaki Y (2019) Lotusaead and locusaead. In: Submission to NIST lightweight cryptography project
Chakraborti A, Datta N, Jha A, Nandi M (2019) Hyena. In: Submission to NIST lightweight cryptography project
Chakraborty K, Sarkar S, Maitra S, Mazumdar B, Mukhopadhyay D, Prouff E (2017) Redefining the transparency order. Des Codes Crypt 82(1–2):95–115. https://doi.org/10.1007/s1062301602503
Chakraborty B, Nandi M (2019) mixFeed https://csrc.nist.gov/projects/lightweightcryptography/round2candidates
Chakraborty B, Nandi M (2019) Orange. In: Submission to NIST lightweight cryptography project
Chari S, Rao JR, Rohatgi P (2002) Template attacks. In: Jr., B.S.K., Koç, Ç.K., Paar, C. (eds.) Cryptographic hardware and embedded systems—CHES 2002, 4th international workshop, Redwood Shores, CA, USA, August 13–15, 2002. Lecture Notes in Computer Science, vol. 2523. Springer, Berlin, pp. 13–28
Choudary O, Kuhn MG (2013) Efficient template attacks. In: Francillon, A., Rohatgi, P. (eds.) Smart card research and advanced applications—12th international conference, CARDIS 2013, Berlin, Germany, November 27–29, 2013. Lecture Notes in Computer Science, vol. 8419. Springer, Berlin, pp. 253–270. https://doi.org/10.1007/9783319083025_17
de la Cruz Jiménez RA (2018) On some methods for constructing almost optimal sboxes and their resilience against sidechannel attacks. IACR Cryptol ePrint Arch 2018:618
Dobraunig C, Mennink B (2019) Elephant v1. In: Submission to NIST lightweight cryptography project
Doget J, Prouff E, Rivain M, Standaert FX (2011) Univariate side channel attacks and leakage modeling. J Cryptogr Eng 1(2):123. https://doi.org/10.1007/s1338901100102
Duc A, Dziembowski S, Faust S (2019) Unifying leakage models: from probing attacks to noisy leakage. J Cryptol 32(1):151–177. https://doi.org/10.1007/s0014501892841
Ege B, Papagiannopoulos K, Batina L, Picek S (2015) Improving DPA resistance of SBoxes: How far can we go? In: 2015 IEEE international symposium on circuits and systems. ISCAS 2015, Lisbon, Portugal, May 24–27, 2015. IEEE Press, Piscataway, NJ, pp 2013–2016
Fei Y, Luo Q, Ding AA (2012) A statistical model for DPA with novel algorithmic confusion analysis. In: Cryptographic hardware and embedded systems—CHES 2012—14th international workshop, vol 7428. Leuven, Belgium, September 9–12, 2012. Springer, Berlin, pp 233–250
FIPS PUB 197: Advanced encryption standard. National Institute of Standards and Technology, Gaithersburg, Maryland, USA (2001)
FreyreEchevarría A, MartínezDíaz I, LegónPérez CM, Gómez GS, Rojas O (2020) Evolving nonlinear SBoxes with improved theoretical resilience to power attacks. IEEE Access 8:202728–202737. https://doi.org/10.1109/ACCESS.2020.3035163
Goudarzi D, Jean J, Kölbl S, Peyrin T, Rivain M, Sasaki Y, Sim SM (2019) Pyjamask v1. 0. In: Submission to NIST lightweight cryptography project
Gueron S, Jha A, Nandi M (2019) Comet: counter mode encryption with authentication tag. In: Submission to NIST lightweight cryptography project
Guilley S, Heuser A, Rioul O (2015) A key to success—success exponents for sidechannel distinguishers. In: Biryukov A, Goyal V (eds) Progress in cryptology—INDOCRYPT 2015—16th international conference on cryptology in India, Bangalore, India, December 6–9, 2015, vol 9462. Springer, Berlin, pp 270–290
Guilley S, Hoogvorst P, Pacalet R (2004) Differential power analysis model and some results. In: Smart card research and advanced applications VI, IFIP 18th world computer congress, TC8/WG8.8 and TC11/WG11.2 Sixth international conference on smart card research and advanced applications (CARDIS), 22–27 August 2004, Toulouse, France, vol. 153. Springer, Berlin, pp 127–142
Heuser A, Picek S, Guilley S, Mentens N (2020) Lightweight ciphers and their sidechannel resilience. IEEE Trans Comput 69(10):1434–1448. https://doi.org/10.1109/TC.2017.2757921
Heuser A, Picek S, Guilley S, Mentens N (2016) Sidechannel analysis of lightweight ciphers: Does lightweight equal easy? In: Radio frequency identification and IoT security—12th international workshop, vol 10155. RFIDSec 2016, Hong Kong, China, November 30–December 2, 2016. Springer, Berlin, pp 91–104
Iwata T, Khairallah M, Minematsu K, Peyrin T (2019) Romulus v1. 2. In: Submission to NIST lightweight cryptography project
Kavut S, Baloğlu S (2016) Classification of \(6 \times 6\) Sboxes obtained by concatenation of RSSBs. In: Lightweight cryptography for security and privacy—5th international workshop, vol 10098. LightSec 2016, Aksaray, Turkey, September 21–22, 2016. Springer, Berlin, pp 110–127
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Advances in cryptology—CRYPTO ’99. 19th annual international cryptology conference, Santa Barbara, California, USA, August 15–19, 1999. Springer, Berlin, pp 388–397
Li H, Zhou Y, Ming J, Yang G, Jin C (2020) The notion of transparency order, revisited. Comput J 63(12):1915–1938. https://doi.org/10.1093/comjnl/bxaa069
Maghrebi H, Portigliatti T, Prouff E (2016) Breaking cryptographic implementations using deep learning techniques. In: Carlet C, Hasan MA, Saraswat V (eds) Security, privacy, and applied cryptography engineering—6th international conference, SPACE 2016, Hyderabad, India, December 14–18, 2016, vol 10076. Lecture Notes in Computer Science. Springer, Berlin, pp 3–26
Mangard S (2004) Hardware countermeasures against DPA ? In: A statistical analysis of their effectiveness. Topics in Cryptology—CTRSA 2004, vol 2964. The cryptographers’ track at the RSA conference 2004, San Francisco, CA, USA, February 23–27, 2004. Springer, Berlin, pp 222–235
MartínezDíaz I, FreyreEchevarria A (2020) Sboxes with theoretical resistance against power attacks under Hamming leakage models. https://www.researchgate.net/publication/344233977_Sboxes_with_theoretical_resistance_against_power_attacks_under_Hamming_leakage_models. Accessed 7 June 2021
Naito Y, Matsui M, Sakai Y, Suzuki D, Sakiyama K, Sugawara T (2019) Saeaes. In: Submission to NIST lightweight cryptography project
NIST (2021) Lightweight cryptography standardization process. https://csrc.nist.gov/projects/lightweightcryptography. Accessed 7 June 2021
O’Flynn C, Chen ZD (2014) Chipwhisperer: an opensource platform for hardware embedded security research. In: Constructive sidechannel analysis and secure design—5th international workshop, COSADE 2014, Paris, France, April 13–15, 2014, vol. 8622. Springer, Berlin, pp 243–260
Patranabis S, Roy DB, Chakraborty A, Nagar N, Singh A, Mukhopadhyay D, Ghosh S (2019) Lightweight designforsecurity strategies for combined countermeasures against side channel and fault analysis in IoT applications. J Hardw Syst Secur 3(2):103–131. https://doi.org/10.1007/s416350180049y
Picek S, Batina L, Jakobovic D (2014) Evolving DPAresistant Boolean functions. In: Parallel problem solving from nature—PPSN XIII—13th international conference, vol 8672. Ljubljana, Slovenia, September 13–17, 2014. Springer, Berlin, pp 812–821
Picek S, Papagiannopoulos K, Ege B, Batina L, Jakobovic D (2014) Confused by confusion: systematic evaluation of DPA resistance of various SBoxes. In: Progress in cryptology—INDOCRYPT 2014—15th international conference on cryptology in India, vol 8885. New Delhi, India, December 14–17, 2014. Springer, Berlin, pp 374–390
Picek S, Yang B, Mentens N (2016) A search strategy to optimize the affine variant properties of SBoxes. In: Arithmetic of finite fields—6th international workshop, vol 10064. WAIFI 2016, Ghent, Belgium, July 13–15, 2016. Springer, Berlin, pp 208–223
Prouff E (2005) DPA attacks and SBoxes. In: Fast software encryption: 12th international workshop, vol 3557. FSE 2005, Paris, France, February 21–23, 2005. Springer, Berlin, pp 424–441
Rivain M, Prouff E, Doget J (2009) Higherorder masking and shuffling for software implementations of block ciphers. In: Cryptographic hardware and embedded systems—CHES 2009, vol 5747. 11th international workshop, Lausanne, Switzerland, September 6–9, 2009. Springer, Berlin, pp 171–188
Runlian Z, Yaping S, Yongzhuang W, Yingxin L (2020) A new automatic search method for cryptographic SBox. J Comput Res Dev 57(7):1415. https://doi.org/10.7544/issn10001239.2020.20190537
Smith LN (2017) Cyclical learning rates for training neural networks. In: 2017 IEEE winter conference on applications of computer vision, WACV 2017, Santa Rosa, CA, USA, March 24–31, 2017, pp. 464–472. IEEE Computer Society, Piscataway, NJ. https://doi.org/10.1109/WACV.2017.58
Standaert FX, Peeters E, Quisquater JJ (2005) On the masking countermeasure and higherorder power analysis attacks. In: International symposium on information technology: coding and computing (ITCC 2005), vol 1. Las Vegas, Nevada, USA,4–6 April 2005. IEEE Computer Society, Piscataway, NJ, pp 562–567
Valiveti A, Vivek S (2020) Secondorder masked lookup table compression scheme. IACR Trans Cryptogr Hardw Embed Syst 2020(4):129–153. https://doi.org/10.13154/tches.v2020.i4.129153
Wouters L, Arribas V, Gierlichs B, Preneel B (2020) Revisiting a methodology for efficient CNN architectures in profiling attacks. IACR Trans Cryptogr Hardw Embed Syst 2020(3):147–168. https://doi.org/10.13154/tches.v2020.i3.147168
Zhang W, Ding T, Yang B, Bao Z, Xiang Z, Ji F, Zhao X (2019) Knot: algorithm specifications and supporting document. In: Submission to NIST lightweight cryptography project
Zhu Y, Reddi VJ (2017) Optimizing generalpurpose CPUs for energyefficient mobile web computing. ACM Trans Comput Syst 35(1):1–1131. https://doi.org/10.1145/3041024
Acknowledgements
Not applicable.
Funding
This work is supported in part by National Natural Science Foundation of China (Nos. 61632020, U1936209 and 62002353) and Beijing Natural Science Foundation (No.4192067).
Author information
Authors and Affiliations
Contributions
HL completed the main work of the paper and drafted the manuscript. GY and JM participated in the experiments of nonprofiled and profiled SCAs, respectively. YZ participated in problem discussions and improvements of the manuscript. CJ participated in the experiments of SCAs against 8bit Sboxes. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Li, H., Yang, G., Ming, J. et al. Transparency order versus confusion coefficient: a case study of NIST lightweight cryptography SBoxes. Cybersecur 4, 35 (2021). https://doi.org/10.1186/s42400021000991
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s42400021000991
Keywords
 Sidechannel attacks
 NIST lightweight cryptography SBoxes
 Transparency order
 Confusion coefficient