(n,m)函数抗差分功耗攻击指标的研究综述

doi:10.19665/j.issn1001-2400.2021.01.006

摘要/Abstract

摘要：

(n,m)函数是对称密码算法的最基本部件,其密码学性质的优劣一定程度上决定着对称密码算法的安全性。因此,如何设计和分析满足多种密码学性质的(n,m)函数是对称密码部件研究中重要的基础问题。随着对称密码算法的侧信道分析研究的深入,在(n,m)函数抵抗差分功耗攻击方面出现了一些指标:信噪比、透明阶和混淆系数,这些指标也逐渐成为衡量(n,m)函数密码性能好坏的重要参考之一,目前已被应用在S盒的设计和评估中。从理论角度综述了(n,m)函数的信噪比、透明阶和混淆系数方面研究成果,主要包括:(n,m)函数和布尔函数的信噪比与传统密码学指标的关系;(n,m)函数和布尔函数的透明阶与传统密码学性质的关系,布尔函数与其分解函数的透明阶的关系以及小变元平衡函数透明阶的分布;(n,m)函数的混淆系数刻画;一些公开算法中S盒的三种指标综合分析。最后,给出了这三个指标的研究展望。

关键词: (n,m)函数, 布尔函数, 抗差分功耗分析, 透明阶, 信噪比, 混淆系数

Abstract:

(n,m) functions (or S-boxes) are the most basic components in symmetric cryptography,and its cryptographic properties determine some security of symmetric cryptography.Therefore,how to design and analyze (n,m) functions which satisfy various cryptographic properties is an important problem in the research on symmetric cryptography.With the development of the research on the side channel of symmetric cipher algorithms,there are some indicators in the aspect of (n,m) functions resisting differential power attack:the signal-to-noise ratio,transparency order and confusion coefficient.These indicators have gradually become the main indicators to measure the cryptographic properties of (n,m) functions cryptography,and have been applied to the design and analysis of block cipher S-boxes.In this paper,the research results of the signal-to-noise ratio (SNR),transparency order (TO) and confusion coefficient (CC) of (n,m) functions are summarized,including:(1) some relationships between the signal-to-noise ratio of (n,m) functions and the traditional cryptographic indicators;(2) some relationships between the transparency order of (n,m) functions and the traditional cryptographic property;some relationships between the transparency order of a Boolean function and its decomposition functions;few distributions of the transparency order of small variable balance functions;(3) the confusion coefficient of (n,m) function(s);(4)a comprehensive analysis of three indicators of a S-box in some public algorithms.Finally,the research prospect of these three indicators is given.

Key words: (n,m)functions, boolean functions, differential power analysis, transparency order, signal-to-noise ratio, confusion coefficient

中图分类号:

TN918.1

周宇,陈智雄,卓泽朋,杜小妮. (n,m)函数抗差分功耗攻击指标的研究综述[J]. 西安电子科技大学学报, 2021, 48(1): 50-60.

ZHOU Yu,CHEN Zhixiong,ZHUO Zepeng,DU Xiaoni. Survey of results of (n,m)-functions against differential power attack[J]. Journal of Xidian University, 2021, 48(1): 50-60.

图/表 9

表1

表2

图1

图2

图3

表3

表4

表5

表6

参考文献 50

[1]	GUILLEY S, HOOGVORST P, PACALET R. Differential Power Analysis Model and Some Results [C]//IFIP Advances in Information and Communication Technology:153.Heidelberg:Springer, 2004: 127-142.
[2]	PROUFF E. DPA Attacks and S-boxes [C]//Lecture Notes in Computer Science:3557.Heidelberg:Springer, 2005: 424-441.
[3]	FEI Y, DING A A, LAO J, et al.A Statistics-based Fundamental Model for Side-channel Attack Analysis:Cryptology ePrint Archive:Report 2014/152[R/OL]. [2020-07-12].https://eprint.iacr.org/2014/152.
[4]	KOCHER P, JAFFE J, JUN B. Differential Power Analysis [C]//Lecture Notes in Computer Science:1666.Heidelberg:Springer Verlag, 1999: 388-397.
[5]	MESSERGES T S, DABBISH E A, SLOAN R H. Examining Smart-card Security Under the Threat of Power Analysis Attacks[J]. IEEE Transactions on Computers, 2002,51(5):541-552. doi: 10.1109/TC.2002.1004593
[6]	BRIER E, CLAVIER C, OLIVIER F. Correlation Power Analysis with a Leakage Model [C]//Lecture Notes in Computer Science:3156.Heidelberg:Springer Verlag, 2004: 16-29.
[7]	ZHOU Y, ZHAO W, CHEN Z, et al. On the Signal-to-noise Ratio for Boolean Functions[J]. IEICE Transactions on Fundamentals of Electronics,Communications and Computer Sciences, 2020,DOI: 10.1587/transfun.2020EAL2037.
[8]	CHAKRABORTY K, SARKAR S, MAITRA S, et al. Redefining the Transparency Order[J]. Designs,Codes and Cryptography, 2017,82(1/2):95-115. doi: 10.1007/s10623-016-0250-3
[9]	LI H, ZHOU Y, MING J, et al.The Notion of Transparency Order,Revisited:Cryptology ePrint Archive:Report 2019[R/OL].[ 2020-07-12]. https://eprint.iacr.org/2019/683.
[10]	程让. 具有较低透明阶值S盒的分析与构造[D]. 西安:西安电子科技大学, 2017.
[11]	WANG Q, STANICA P. Transparency Order for Boolean Functions:Analysis and Construction[J]. Designs,Codes and Cryptography, 2019,87(9):2043-2059. doi: 10.1007/s10623-019-00604-1
[12]	CARLET C.DE CHERISEYE, GUILLEY S, et al. Intrinsic Resiliency of S-boxes against Side-channel Attacks—Best and Worst Scenarios[J]. IEEE Transactions on Information Forensics and Security, 2021,16:203-218. doi: 10.1109/TIFS.10206
[13]	FEI Y, LUO Q, DING A A. A Statistical Model for DPA with Novel Algorithmic Confusion Analysis [C]//Lecture Notes in Computer Science:7428.Heidelberg:Springer Verlag, 2012: 233-250.
[14]	PICEK S, PAPAGIANNOPOULOS K, EGE B, et al. Confused by Confusion:Systematic Evaluation of DPA Resistance of Various S-boxes [C]//Lecture Notes in Computer Science:8885.Heidelberg:Springer Verlag, 2014: 374-390.
[15]	邱爽, 白国强, 陈弘毅. 针对分组算法的改进混乱系数[J]. 密码学报, 2014,1(2):124-133.
	QIU Shuang, BAI Guoqiang, CHEN Hongyi. One-dimensional Confusion Coefficient for Block Cipher[J]. Journal of Cryptologic Research, 2014,1(2):124-133.
[16]	周宇, 胡予濮, 董新锋. 布尔函数的设计与分析[M]. 北京: 国防工业出版社, 2015.
[17]	LEANDER G, POSCHMANN A. On the Classification of 4 Bit S-boxes [C]//Lecture Notes in Computer Science:4547.Heidelberg:Springer Verlag, 2007: 159-176.
[18]	WU W L, ZHANG L. LBlock:a Lightweight Block Cipher [C]//Lecture Notes in Computer Science:6715.Heidelberg:Springer Verlag, 2011: 327-344.
[19]	BOGDANOV A, KNUDSEN L R, LEANDER G, et al. PRESENT:an Ultra-lightweight Block Cipher [C]//Lecture Notes in Computer Science:4727.Heidelberg:Springer Verlag, 2007: 450-466.
[20]	SHIBUTANI K, ISOBE T, HIWATARI H, et al. Piccolo:an Ultra-lightweight Blockcipher [C]//Lecture Notes in Computer Science:6917.Heidelberg:Springer Verlag, 2011: 342-357.
[21]	BEIERLE C, JEAN J, KOLBL S, et al. The SKINNY Family of Block Ciphers and Its Low-latency Variant MANTIS [C]//Lecture Notes in Computer Science:9815.Heidelberg:Springer Verlag, 2016: 123-153.
[22]	SIMPLICIO M A, PEDRO AQUINO B, BARRETO P S L M, et al.The Marvin Message Authentication Code and the Letter Soup Authenticated Encryption Scheme[J]. Security and Communication Networks, 2009,2(2):165-180. doi: 10.1002/sec.v2:2
[23]	BANIK S, BOGDANOV A, ISOBE T, et al. Midori:a Block Cipher for Low Energy [C]//Lecture Notes in Computer Science:9453.Heidelberg:Springer Verlag, 2015: 411-436.
[24]	BANIK S, PANDEY S K, PEYRIN T, et al. GIFT:a Small Present - towards Reaching the Limit of Lightweight Encryption [C]//Lecture Notes in Computer Science:10529.Heidelberg:Springer Verlag, 2017: 321-345.
[25]	DE CANNIERE C. Analysis and Design of Symmetric Encryption Algorithms[D]. Leuven:Katholieke Universiteit Leuven, 2007.
[26]	CARLET C. On Highly Nonlinear S-boxes and Their Inability to Thwart DPA Attacks [C]//Lecture Notes in Computer Science:3797.Heidelberg:Springer Verlag, 2005: 49-62.
[27]	FAN L, ZHOU Y, FENG D. A Fast Implementation of Computing the Transparency Order of S-boxes [C]//Proceedings of the 2008 9th International Conference for Young Computer Scientists.Washington:IEEE Computer Society, 2008: 206-211.
[28]	MAZUMDAR B, MUKHOPADHYAY D, SENGUPTA I. Constrained Search for a Class of Good Bijective S-boxes with Improved DPA Resistivity[J]. IEEE Transactions on Information Forensics and Security, 2013,8(12):2154-2163. doi: 10.1109/TIFS.2013.2285522
[29]	PICEKS, EGE B, PAPAGIANOPOULOS K, et al. Optimality and beyond:the Case of 4*4 S-boxes [C]//Proceedings of the 2014 IEEE International Symposium on Hardware-Oriented Security and Trust.Piscataway:IEEE, 2014: 80-83.
[30]	SARKAR S, MAITRA S, CHAKRABORTY K. Differential Power Analysis in Hamming Weight Model:How to Choose Among (Extend) Affine Equivalent S-boxes [C]//Lecture Notes in Computer Science:8885.Heidelberg:Springer Verlag, 2014: 360-373.
[31]	MAZUMDAR B. Some RSSB Constructions with Improved Resistance towards Differential Power Analysis [C]// Proceedings of the 2014 9th Workshop on Embedded Systems Security.New York:ACM, 2014: 2668330.
[32]	DE LACRUZ JIMENEZ R A.On Some Methods for Constructing almost Optimal S-boxes and Their Resilience against Side-channel Attacks:IACR Cryptology ePrint Archive:Report 2018-618[R/OL]. [2020-07-12].https://eprint.iacr.org/2018/618.pdfhttps://eprint.iacr.org/2018/618.pdf.
[33]	NIST. Advanced Encryption Standard:Federal Information Processing Standard (FIPS) 197[S]. November 2001.
[34]	Belarusian State University National Research Center for Applied Problems of Mathematics and Informatics. Encryption Algorithm and Hash Function Implementations:State Standard of Republic of Belarus:STB 34.101.31-2011[S]. 2011.
[35]	SHIRAI T, SHIBUTANI K, AKISHITA T, et al. The 128-bit Blockcipher CLEFIA [C]//Lecture Notes in Computer Science:4593.Heidelberg:Springer Verlag, 2007: 181-195.
[36]	VAUDENAY S, JUNOD P.Device and Method for Encrypting and Decrypting a Block of Data:USP20040247117A1[P]. 2004-12-09.
[37]	STANDAERT F X, PIRET G, ROUVROY G, et al. ICEBERG:an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware [C]//Lecture Notes in Computer Science:3017.Heidelberg:Springer Verlag, 2004: 279-298.
[38]	BARRETO P S L M, RIJMEN V.The Khazad Legacy-level Block Cipher[C/OL].[2020-07-12].https://www.researchgate.net/profile/Vincent_Rijmen/publication/228924670_The_Khazad_legacy-level_block_cipher/links/0912f50c0517db7739000000/The-Khazad-legacy-level-block-cipher.pdf.
[39]	RFC.Hash Function:RFC 6986-GOST R 34.11-2012[S/OL].[ 2020- 07- 12]. http://www.faqs.org/rfcs/rfc6986.html.
[40]	PIRET G, ROCHE T, CARLET C. PICARO - a Block Cipher Allowing Efficient Higher-order Side-channel Resistance [C]//Lecture Notes in Computer Science:7341.Heidelberg:Springer Verlag, 2012: 311-328.
[41]	GROSSO V, LEURENT G, STANDAERT F X, et al. SCREAM and iSCREAM Side-channel Resistant Authenticated Encryption with Masking[EB/OL].[2020-07-12].https://hal.inria.fr/hal-01093512.
[42]	GERARD B, GROSSO V, NAYA-PLASENCIA M, et al. Block Ciphers That are Easier to Mask:How Far Can We Go? [C]//Lecture Notes in Computer Science:8086.Heidelberg:Springer, 2013: 383-399.
[43]	KAZYMYROV O V, KAZYMYROVA V N, OLIYNYKOV R V. A Method for Generation of High-nonlinear S-boxes Based on Gradient Descent[J]. Mathematical Aspects of Cryptography, 2014,5(2):71-78.
[44]	IVANOV G, NIKOLOV N, NIKOVA S. Reversed Genetic Algorithms for Generation of Bijective S-boxes with Good Cryptographic Properties[J]. Cryptography and Communications, 2016,8(2):247-276.
[45]	ISA H, JAMIL N, Z'ABA M R.Hybrid Heuristic Methods in Constructing Cryptographically Strong S-boxes[J]. International Journal of Cryptology Research, 2016,6(1):1-15.
[46]	IVANOV G, NIKOLOV N, NIKOVA S. Cryptographically Strong S-boxes Generated by Modified Immune Algorithm [C] //Lecture Notes in Computer Science:9540.Heidelberg:Springer Verlag, 2016: 31-42.
[47]	FULLER J, MILLAN W. Linear Redundancy in S-boxes [C]//Lecture Notes in Computer Science:2887.Heidelberg:Springer Verlag, 2003: 74-86.
[48]	DEY S, CHAKRABARTI A, GHOSH R. 4-bit Boolean Functions in Generation and Cryptanalysis of Secure 4-bit Crypto S-boxes[J]. Security and Privacy, 2020,3(1):e90.
[49]	SIMS M.Differential Power Analysis on (Non-)Linear Feedback Shift Registers:IACR Cryptology ePrint Archive:Report 2020-349[R/OL].[ 2020- 07- 12]. http://eprint.iacr.org/2020/349.pdf.
[50]	TANG D. A Note on the Fast Algebraic Immunity and Its Consequences on Modified Majority Functions[J]. Advances in Mathematics of Communications, 2020,14(1):111-125.

(n,m) 函数	SNR的上界或者下界	备注
非平衡(n,m) 函数	S_SNR≥1/m	非平衡 (n,m) 函数SNR下界
平衡(n,m) 函数	1≤S_SNR≤(2ⁿ)^1/2	并没有回答上界是否能达到
仿射(n,m) 函数	S_SNR=(m)^1/2	仿射(n,m) 函数SNR精确值
Bent(n,m) 函数	S_SNR≥(2ⁿ)¹^/²/m	若m=1,则SNR达到下界

序号	信噪比	个数	百分比
1	1.000 000	62	0.000 01
2	1.302 062	15 872	0.002 64
3	1.705 606	59 520	0.009 90
4	1.735 444	833 280	0.138 63
5	2.000 000	8 680	0.001 44
6	2.157 440	555 520	0.092 42
7	2.285 714	9 999 360	1.663 56
8	2.359 071	8 888 320	1.478 72
9	2.439 977	1 666 560	0.277 26
10	2.529 822	1 145 760	0.190 62
11	2.630 384	6 249 600	1.039 73
12	2.873 685	73 773 056	12.273 41
13	3.023 716	90 549 760	15.064 50
14	3.200 000	66 662 400	11.090 43
15	3.411 211	133 324 800	22.180 86
16	3.670 652	166 656 000	27.726 08
17	4.000 000	39 025 280	6.492 52
18	4.437 602	1 666 560	0.277 26

S盒	κ值
Present S盒	1.709
Present仿射变换S盒	3.070
G3,G4,G5,G6,G7,G11,G12,G13	3.020
G0,G1,G2,G8,G9,G10,G14,G15	3.070
AES S盒	0.111
AES仿射变换S盒	0.149

(4,4) S盒	非线性度	差分均匀度	透明阶	信噪比	κ值
Prince S盒	4	4	3.400 0	2.129	1.709
Present S盒	4	4	3.533 3	2.129	1.709
Nokekeon S盒	4	4	3.533 3	2.187	1.615
Klein S盒	4	4	3.467 0	1.691	2.742
Luffa S盒	4	4	3.733 3	2.530	1.191

(8,8) S盒	非线性度	差分均匀度	代数次数	代数免疫	改进透明阶	信噪比	混淆系数
AES S盒^[33]	112	4	7	2	7.860	9.600	0.111
Belt S盒^[34]	102	8	6	3	7.833	8.318	0.169
Clefia S盒^[35]	100	10	6	3	7.745	9.662	0.109
FOX S盒^[36]	96	16	6	3	7.788	9.342	0.121
Iceberg S盒^[37]	96	8	7	3	7.812	10.254	0.089
Khazad S盒^[38]	96	8	7	3	7.800	8.860	0.141
Kuznyechik S盒^[39]	100	8	7	3	7.835	9.571	0.112
Picaro S盒^[40]	94	4	2	3	7.843	8.557	0.147
Scream S盒^[41]	96	8	6	3	7.598	7.921	0.194
Zorro S盒^[42]	96	10	6	3	7.806	9.260	0.124