Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
Details
  • Authors: Sumanta Sarkar (15)
    Subhamoy Maitra (15)
    Kaushik Chakraborty (15)
  • Keywords: Cross-correlation; Differential Power Analysis (DPA); (Extended) Affine Equivalence; PRINCE; Permutation S-box
  • Journal: Lecture Notes in Computer Science
  • Year: 2014
  • Volume: 1
  • Issue: 1
  • Pages: 360-373
  • Full text size: 250 KB
  • References: 1. Advanced Encryption Standard, http://en.wikipedia.org/wiki/Rijndael_S-box
    2. Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold Implementations of All 3×3 and 4×4 S-Boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012)
    3. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – A Low-Latency Block Cipher for Pervasive Computing Applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
    4. Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
    5. Carlet, C.: On Highly Nonlinear S-Boxes and Their Inability to Thwart DPA Attacks. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 49–62. Springer, Heidelberg (2005)
    6. Chakraborty, K., Maitra, S., Sarkar, S., Mazumdar, B., Mukhopadhyay, D.: Redefining the Transparency Order. http://eprint.iacr.org/2014/367
    7. Guilley, S., Hoogvorst, P., Pacalet, R.: Differential Power Analysis Model and Some Results. In: Proceedings of Smart Card Research and Advanced Applications VI, CARDIS 2004, pp. 127–142. Kluwer Academic Publishers (2004)
    8. Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
    9. Mazumdar, B., Mukhopadhyay, D., Sengupta, I.: Constrained Search for a Class of Good Bijective S-Boxes with Improved DPA Resistivity. IEEE Transactions on Information Forensics and Security 8(12), 2154–2163 (2013)
    10. Prouff, E.: DPA Attacks and S-Boxes. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 424–441. Springer, Heidelberg (2005)
    11. Whitnall, C., Oswald, E.: A Fair Evaluation Framework for Comparing Side-Channel Distinguishers. J. Cryptographic Engineering 1(2), 145–160 (2011)
  • Author affiliations: Sumanta Sarkar (15)
    Subhamoy Maitra (15)
    Kaushik Chakraborty (15)

    15. Indian Statistical Institute, 203 B T Road, Kolkata, 700 108, India
  • ISSN: 1611-3349
Abstract
From first principles, we concentrate on Differential Power Analysis (DPA) in the Hamming weight model. Based on the power-related data of an \((n, n)\) permutation S-box, we propose a spectrum (we call it the Relative Power Spectrum, RPS in short) at \(2^n\) points, each providing a vector with \(n\) coordinates. Each coordinate contains the data related to single-bit DPA, and taking them together we provide relevant results in the domain of multi-bit DPA. For two affine equivalent \((n,n)\) permutation S-boxes \(F\) and \(G\) such that \(G(x) = F(Ax \oplus b)\), where \(A\) is a linear permutation (nonsingular binary matrix) and \(b\) is an \(n\)-bit vector, the RPSs of \(F\) and \(G\) are permutations of each other. However, this is not true in general when \(F\) and \(G\) are affine or extended affine equivalent, i.e., \(G(x) = B(F(Ax \oplus b)) \oplus L(x) \oplus c\), where \(B\) is a linear permutation, \(L\) is a linear mapping, and \(c\) is an \(n\)-bit vector. In such a case, the RPSs of \(F\) and \(G\) need not be related by a permutation and may contain completely different vectors. We analyse the effect of this in terms of DPA in both noise-free and noisy scenarios. Our results guide the designer in choosing one S-box among all those in the same (extended) affine equivalence class when DPA in the Hamming weight model is considered. This is an instance where a cryptographic advantage is attained by applying (extended) affine equivalence. For example, we provide a family of S-boxes that should replace the \((4, 4)\) S-boxes proposed in relation to the PRINCE block cipher.
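The two claims of the abstract, the input-side transform \(G(x) = F(Ax \oplus b)\) only permuting the spectrum while the output-side transform \(G(x) = B(F(x)) \oplus c\) can change it, can be checked on a toy S-box. The block below is an added worked example, not code from the paper, and it does not reproduce the paper's exact RPS definition (which this page does not give): it assumes the classical single-bit difference-of-means DPA statistic with Hamming-weight leakage and true key 0 as the content of each coordinate. The 3-bit S-box \(F\) (inversion in \(\mathrm{GF}(2^3)\)), the matrices \(A\), \(B\) and the vectors \(b\), \(c\), and the per-bit "margin" metric are all constructed for illustration.

```python
"""Relative-power-spectrum style check of (extended) affine equivalent S-boxes
under Hamming-weight DPA.  Added example; the RPS model here is an assumption."""
from fractions import Fraction

N = 3  # bit width n of the (n, n) permutation S-box; 2**N inputs and key guesses

# Constructed example S-box: inversion in GF(2^3) modulo x^3 + x + 1, as a table.
F = [0, 1, 5, 6, 7, 2, 3, 4]


def hw(v):
    """Hamming weight of an integer."""
    return bin(v).count("1")


def bit(v, i):
    return (v >> i) & 1


def apply_linear(rows, x):
    """Binary matrix times bit vector; the matrix is given as one bitmask per row."""
    return sum(((hw(r & x) & 1) << i) for i, r in enumerate(rows))


def rps(sbox, n=N):
    """Spectrum of single-bit DPA statistics in the Hamming-weight model.

    Assumed model: the device leaks HW(sbox[x]) for every input x, the true key
    is 0, and for each key hypothesis k the attacker partitions the inputs by
    bit i of sbox[x ^ k].  rps(sbox)[k][i] is the difference of the mean leakage
    of the two halves, so the result is a 2^n-point spectrum of n-coordinate
    vectors.  The S-box must be a permutation (every output bit balanced).
    """
    leak = [hw(sbox[x]) for x in range(2 ** n)]
    spectrum = []
    for k in range(2 ** n):
        row = []
        for i in range(n):
            ones = [leak[x] for x in range(2 ** n) if bit(sbox[x ^ k], i)]
            zeros = [leak[x] for x in range(2 ** n) if not bit(sbox[x ^ k], i)]
            row.append(Fraction(sum(ones), len(ones)) - Fraction(sum(zeros), len(zeros)))
        spectrum.append(tuple(row))
    return spectrum


def input_affine(sbox, A, b, n=N):
    """G(x) = F(Ax ^ b): the affine map acts on the S-box input."""
    return [sbox[apply_linear(A, x) ^ b] for x in range(2 ** n)]


def output_affine(sbox, B, c, n=N):
    """G(x) = B(F(x)) ^ c: the affine map acts on the S-box output."""
    return [apply_linear(B, sbox[x]) ^ c for x in range(2 ** n)]


def same_multiset(spec1, spec2):
    """True when the two spectra contain the same vectors, up to reordering."""
    return sorted(spec1) == sorted(spec2)


def margins(spectrum):
    """Constructed per-bit metric: correct-key statistic minus the largest
    wrong-key statistic on the same bit.  A margin of 0 means single-bit DPA on
    that bit cannot separate the true key from some wrong key, even without noise."""
    n = len(spectrum[0])
    return tuple(spectrum[0][i] - max(row[i] for row in spectrum[1:]) for i in range(n))


if __name__ == "__main__":
    A, b = [0b011, 0b010, 0b100], 0b101  # constructed nonsingular A (y0 = x0^x1) and b
    B, c = [0b011, 0b010, 0b100], 0b000  # constructed nonsingular B (G_0 = F_0^F_1) and c
    G1 = input_affine(F, A, b)
    G2 = output_affine(F, B, c)
    for name, s in (("F", F), ("G1 = F(Ax^b)", G1), ("G2 = B(F(x))^c", G2)):
        spec = rps(s)
        print(name, "margins per bit:", tuple(str(m) for m in margins(spec)))
        for k, row in enumerate(spec):
            print(f"  k={k}: {tuple(str(v) for v in row)}")
    print("spectrum of G1 is a permutation of F's:", same_multiset(rps(F), rps(G1)))
    print("spectrum of G2 is a permutation of F's:", same_multiset(rps(F), rps(G2)))
```

With the input-side transform the row for key guess \(k\) of \(G_1\) is exactly the row for \(Ak\) of \(F\) (substitute \(y = Ax \oplus b\) in the partition), so the spectrum is merely reindexed. With the output-side transform the leakage \(\mathrm{HW}(B(F(x)))\) itself changes, and for this \(B\) the spectrum of \(G_2\) acquires the vector \((-1,-1,-1)\) and loses \((-1, \tfrac12, \tfrac12)\); its per-bit margins drop from \((\tfrac12, 0, \tfrac12)\) to \((0,0,0)\), which is the kind of difference the paper uses to prefer one member of an equivalence class. To try the same check on the 4-bit PRINCE candidates, replace `F` with the 16-entry table and set `N = 4`.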
