Cryptology ePrint Archive: Report 2005/387

On highly nonlinear S-boxes and their inability to thwart DPA attacks (completed version)

C. Carlet

Abstract: Prouff has introduced recently, at FSE 2005, the notion of transparency order of S-boxes. This new characteristic is related to the ability of an S-box, used in a cryptosystem in which the round keys are introduced by addition, to thwart single-bit or multi-bit DPA attacks on the system. If this parameter has sufficiently small value, then the S-box is able to withstand DPA attacks without that ad-hoc modifications in the implementation be necessary (these modifications make the encryption about twice slower). We prove lower bounds on the transparency order of highly nonlinear S-boxes. We show that some highly nonlinear functions (in odd or even numbers of variables) have very bad transparency orders: the inverse functions (used as S-box in the AES), the Gold functions and the Kasami functions (at least under some assumption).

Category / Keywords: secret-key cryptography /

Publication Info: completed version of a paper presented at INDOCRYPT 2005

Date: received 28 Oct 2005, last revised 5 Dec 2005

Contact author: claude carlet at inria fr

Available format(s): PDF | BibTeX Citation

Note: The cases of Gold and Kasami functions in odd and even numbers of variables are now treated

Version: 20051205:164044 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]