Conference: International conference on cryptology in India

Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes


Abstract

From the first principle, we concentrate on the Differential Power Analysis (DPA) in the Hamming weight model. Based on the power related data of an (n,n) permutation S-box, we propose a spectrum (we call it Relative Power Spectrum, RPS in short) at 2^n points, each providing a vector containing n coordinates. Each coordinate contains the data related to single-bit DPA, and taking them together we provide relevant results in the domain of multi-bit DPA. For two affine equivalent (n,n) permutation S-boxes F and G, such that G(x) = F(Ax ⊕ b), where A is a linear permutation (nonsingular binary matrix) and b is an n-bit vector, the RPSs of F and G are permutations of each other. However, this is not true in general when F and G are affine or extended affine equivalent, i.e., G(x) = B(F(Ax ⊕ b)) ⊕ L(x) ⊕ c, where B is a linear permutation, L is a linear mapping, and c is an n-bit vector. In such a case, the RPSs of F and G may not be related by permutation and may contain completely different vectors. We provide the effect of this in terms of DPA both in noise-free and noisy scenarios. Our results guide the designer to choose one S-box among all those in the same (extended) affine equivalence class when DPA in the Hamming weight model is considered. This is an instance where cryptographic advantage is attained by applying (extended) affine equivalence. For example, we provide a family of S-boxes that should replace the (4,4) S-boxes proposed in relation to the PRINCE block cipher.