Cryptology ePrint Archive: Report 2014/367

Redefining the Transparency Order

Kaushik Chakraborty and Subhamoy Maitra and Sumanta Sarkar and Bodhisatwa Mazumdar and Debdeep Mukhopadhyay

Abstract: In this paper, we consider multi-bit Differential Power Analysis (DPA) in the Hamming weight model. In this regard, we revisit the definition of Transparency Order (TO) from the work of Prouff (FSE 2005) and find that the definition has certain limitations. Although this work has been widely cited in the literature, surprisingly, these limitations remained unexplored for almost a decade. The existing definition of TO (by Prouff) for an S-box $F: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^m$ considers maximization over $\beta \in \mathbb{F}_2^m$. However, we show that the expression suggested by Prouff is always maximum when $\beta$ is either all-zero or all-one, which makes the maximization over all $\beta \in \mathbb{F}_2^m$ redundant. Examining TO more deeply, we note that the existing definition assumes that certain cross-correlation terms between the coordinate Boolean functions of $F$ are zero. This is not true in general, and thus we need to accommodate these terms in the definition. Further, the definition is based on the assumption that the coordinate functions of the S-box are balanced (which is indeed logical for practical S-boxes), but unfortunately the measure has been calculated for bent functions (which are not balanced) in Prouff's paper and subsequent works. We analyse the definition from scratch, modify it, and finally provide a substantially improved and logical definition that can theoretically capture DPA in the Hamming weight model for hardware implementations with precharge logic. In this regard, our analysis comes with numerical data for the AES S-box and the family of S-boxes described in the context of Prince.

Category / Keywords: implementation / AES, Auto-correlation, Cross-correlation, Differential Power Analysis, Prince, S-Box, Transparency Order, Walsh Spectrum.