Further research results on confusion coefficient of Boolean functions

Zhenyu Liu; Zepeng Zhuo

doi:10.1515/jmc-2021-0039

Artikel Open Access

Further research results on confusion coefficient of Boolean functions

Zhenyu Liu und Zepeng Zhuo

Veröffentlicht/Copyright: 21. November 2023

Veröffentlicht von

Veröffentlichen auch Sie bei De Gruyter Brill

Manuskript einreichen Informationen für Autor*innen

Aus der Zeitschrift Journal of Mathematical Cryptology Band 17 Heft 1

Abstract

The notion of confusion coefficient (CC) is a property that attempts to characterize the confusion property of cryptographic algorithms against differential power analysis. In this article, we establish a relationship between CC and the transparency order (TO) for any Boolean function and deduce some relationships between the sum-of-squares of CC, signal-to-noise ratio, and TO. We also give a tight upper bound and a tight lower bound on the sum-of-squares of CC for balanced s-plateaued functions. Finally, the results generalized a lower bound on the sum-of-squares of CC of Boolean functions with the Hamming weight k.

Keywords: transparency order; Boolean function; confusion coefficient; nonlinearity; signal-to-noise ratio

MSC 2010: 94-D10

1 Introduction

Side-channel analysis (SCA) is a very powerful technique for block ciphers [1]. Differential power analysis (DPA) is one of the effective methods of SCA. To improve the resistance of a block cipher to DPA, the substitution boxes ( ( n , m ) -functions or S-boxes), as the most important nonlinear part of block ciphers, should have some features reducing the information leakage. Currently, there are three important indicators regarding the resistance of S-boxes against DPA-like attacks.

(1) Signal-to-noise ratio (SNR) following [2] was proposed by Guilley at CARDIS conference in 2004. First, they built a complete model of information leakage based on the framework of traditional cryptographic analysis, so that the attacker could obtain the autocorrelation value of Hamming weight of the guessed key value.

(2) In 2005, transparency order (TO) was introduced for ( n , m ) -functions based on single-bit DPA and the Hamming distance model in the study by Prouff [3]. With the in-depth research of scholars’ cryptology, Chakraborty et al. [4] refined TO with the cross-correlation function, and they found that the refined TO has impact on the resistance of the implementation against DPA attacks.

(3) In 2012, confusion coefficient (CC) was presented when they studied the confusion property of cryptographic algorithms in the study by Fei et al. [5]. Based on the results of the study by Fei et al. [5], Picek et al. [6] calculated the nonlinearity of S-boxes of different sizes in 2014 and obtained the variance of CC. In the same year, Qiu et al. [7] revised the original CC and gave a new definition of CC in order to reduce the dimension and the number of CC.

The organization of this article is as follows. In Section 2, the basic concepts and notions are presented. In Section 3, we deduce the relationship between TO and CC. In Section 4, we derive the lower bound on the sum of squares of CC from TO and sum of squares of Boolean functions and give the relationships between CC, SNR and TO. We also investigate the upper bound and lower bound on the sum-of-squares of CC for a s-plateaued function and discuss the lower bound on the sum-of-squares of CC of Boolean function with the Hamming weight k . We end in Section 5 with conclusions.

2 Preliminaries

Let n be a positive integer, F 2 be the binary finite field, F 2 n be the n -dimensional vector space on F 2 and B n be the set of all n -dimensional Boolean functions. The support of a Boolean function f ∈ B n is defined as Supp ( f ) = { ( x 1 , x 2 , … , x n ) ∈ F 2 n ∣ f ( x 1 , x 2 , … , x n ) = 1 } . The Hamming weight of f is denoted by w t ( f ) , that is, w t ( f ) = ∣ Supp ( f ) ∣ .

For any function f ∈ B n , the Walsh transform of f (also known as the Walsh spectrum) is defined as:

F ( f + φ a ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) + φ a ( x ) ,

where φ a ( x ) = a ⋅ x = x 1 a 1 + x 2 a 2 + ⋯ + x n a n . We denote by + the additions in F 2 , in F 2 n and in B n .

The Hamming distance between two functions f and g , denoted d ( f , g ) = w t ( f + g ) . We say that an n -variable Boolean function f is balanced if w t ( f ) = 2 n − 1 . Let f ∈ B n , the nonlinearity of f is N f = min g ∈ A n d ( f , g ) , and it can be determined by:

N f = 2 n − 1 − 1 2 max a ∈ F 2 n ∣ F ( f + φ a ) ∣ .

Any f ∈ B n can be expressed in algebraic normal form (ANF) as:

f ( x ) = ⊕ I ∈ P N a I ( ∏ i ∈ I ) = ⊕ I ∈ P N a I x I ,

where P N denotes the power set of N = 1 , … , n in ref. [14]. Every coordinate x i ( x = ( x 1 , x 2 , … , x n ) ) appears in this polynomial with exponents at most 1. The degree of the ANF is denoted by deg ( f ) and is called the algebraic degree of the function: deg ( f ) = max { ∣ I ∣ : a I ≠ 0 } , where ∣ I ∣ denotes the size of I . A Boolean function is an affine function if its algebraic degree satisfies deg ( f ) < 2 , and the set of all affine functions is denoted by A n .

The nonlinearity of an n -variable Boolean function is less than or equal to 2 n − 1 − 2 n 2 − 1 , and a function is called bent if it attains this bound.

Let f , g ∈ B n . The cross-correlation function of f and g is defined as:

Δ f , g ( a ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) + g ( x + a ) , a ∈ F 2 n .

If f = g , then the autocorrelation function of f at a ∈ F 2 n is defined as:

Δ f ( a ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + a ) .

The two indicators ( σ f , Δ f ) are called the global avalanche characteristics of a Boolean function f ∈ B n :

σ f = ∑ x ∈ F 2 n [ Δ f ( a ) ] 2 , Δ f = max a ∈ F 2 n , a ≠ 0 ∣ Δ f ( a ) ∣ .

Let n and m be two positive integers. The functions F = ( f 1 , … , f m ) , f i ∈ B n , be a vectorial function from F 2 n to F 2 m , and the Boolean functions f 1 , f 2 , … , f m are called the coordinate functions of F .

TO of F is defined by:

TO ( F ) = max β ∈ F 2 m m − 1 2 2 n − 2 n ∑ y ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i + β j Δ f i , f j ( y ) ,

where

Δ f i , f j ( y ) = ∑ x ∈ F 2 n ( − 1 ) f i ( x ) + f j ( x + y )

is the cross-correlation between f i , f j (if f i = f j , we shall use the notation Δ f i and call it the autocorrelation of f i ). If m = 1 , then F = f is a Boolean function, and

TO ( f ) = 1 − 1 2 n ( 2 n − 1 ) ∑ y ∈ F 2 n * ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + y ) .

This article only focus on the case when m = 1 .

The next definition gives the distribution of the Walsh spectra for a three-valued Boolean function.

Let f ∈ B n . Then, for any a ∈ F 2 n ,

∑ y ∈ F 2 n ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + y ) + a ⋅ y = F 2 ( f + φ a ) .

The SNR of f is defined by:

SNR ( f ) = 2 2 n ∑ a ∈ F 2 n F 4 ( f + φ a ) .

Let k i and k j ∈ F 2 n be two keys. The CC κ over ( k i , k j ) is defined as:

κ = κ ( k i , k j ) = Pr [ ( ψ ∣ k i ) ≠ ( ψ ∣ k j ) ] = N ( ψ ∣ k i ) ≠ ( ψ ∣ k j ) N t ,

where N t is the total number of values for the relevant ciphertext bits, and N ( ψ ∣ k i ) ≠ ( ψ ∣ k j ) is the number of occurrences for which different key hypotheses k i and k j result in different ψ values.

Carlet et al. [8] studied the intrinsic resiliency of S-boxes against SCA and further gave the concrete form of CC for a Boolean function f ∈ B n :

κ ( k , k * ) = 1 2 n + 2 ∑ t ∈ F 2 n [ f ( t + k * ) − f ( t + k ) ] 2 ,

where t ∈ F 2 n is one known plaintext, k * ∈ F 2 n is the correct key and k ∈ F 2 n is the key.

3 Relationship between TO and CC

We first discuss the relationship between TO and CC.

Lemma 1

[9] Let f ∈ B n . k * , k ∈ F 2 n , and k + k * ≠ 0 . Then,

κ ( k , k * ) ≥ 1 4 − ( 2 n − 2 N f ) 2 2 n + 3 .

Lemma 2

[10] Let f ∈ B n . Then,

TO ( f ) = 1 − ( 2 n − 2 N f ) 2 2 n ( 2 n − 1 ) + 1 2 n − 1 .

According to Lemmas 1 and 2, we obtain Theorem 1.

Corollary 1

Let f ∈ B n . k * , k ∈ F 2 n , and k + k * ≠ 0 . Then,

TO ( f ) ≤ 1 − 1 − 8 κ ( k , k * ) 2 n − 1 .

Proof

By Lemma 1, we have

( 2 n − 2 N f ) 2 ≥ 1 4 − κ ( k , k * ) 2 n + 3 ,

and from Lemma 2, we have

□ TO ( f ) ≤ 1 − 2 n + 3 1 4 − κ ( k , k * ) 2 n ( 2 n − 1 ) + 1 2 n − 1 = 1 − 2 − 8 κ ( k , k * ) 2 n − 1 + 1 2 n − 1 = 1 − 1 − 8 κ ( k , k * ) 2 n − 1 .

According to Corollary 1, we can find that the smaller CC of a Boolean function is, the smaller the upper bound of TO is.

4 Some research results of sum-of-squares of CC

4.1 Bounds on the sum-of-squares of CC of one Boolean function

For the convenience, for a given k * ∈ F 2 n , we denoted the sum-of-squares of CC for a Boolean function by:

K f ( k * ) = ∑ k ∈ F 2 n κ 2 ( k , k * ) .

Lemma 3

[12] Let f ∈ B n . For a given k * ∈ F 2 n , we have

K f ( k * ) = 2 n − 6 − [ 2 n − 2 w t ( f ) ] 2 2 n + 5 + σ f 2 2 n + 6 .

Theorem 1

Let f ∈ B n . For a given k * ∈ F 2 n , we have

K f ( k * ) ≥ 2 n − 6 − ( 2 n − 1 ) TO ( f ) − 2 n 32 + σ f 2 2 n + 6 .

Proof

We know the Walsh spectrum of f ( x ) at a = 0 is

F ( f + φ 0 ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) = 2 n − 2 w t ( f ) ,

∑ y ∈ F 2 n * ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + y ) ≥ max a ∈ F 2 n F 2 ( f + φ a ) − 2 n .

∑ y ∈ F 2 n * ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + y ) ≥ F 2 ( f + φ 0 ) − 2 n = [ 2 n − 2 w t ( f ) ] 2 − 2 n .

From the definition of TO

TO ( f ) = 1 − 1 2 n ( 2 n − 1 ) ∑ y ∈ F 2 n * ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + y ) ≤ 1 − [ 2 n − 2 w t ( f ) ] 2 − 2 n 2 n ( 2 n − 1 ) .

Based on Lemma 3,

[ 2 n − 2 w t ( f ) ] 2 = 2 n + 5 2 n − 6 + σ f 2 2 n + 6 − K f ( k * ) .

Thus,

□ TO ( f ) ≤ 1 − 2 3 n + σ f − 2 2 n + 6 K f ( k * ) − 2 2 n + 1 2 2 n + 1 ( 2 n − 1 ) .

K f ( k * ) ≥ 2 n − 6 + ( 2 n − 1 ) TO ( f ) − 2 n 32 + σ f 2 2 n + 6 .

According to Theorem 1, we can find that the bigger the TO and the σ f of a Boolean function is, the bigger the lower bound of the K f ( k * ) is.

4.2 Relationships between K f ( k * ) , SNR, and TO

In this section, we give the relationships between the K f ( k * ) , the SNR, and the TO.

Lemma 4

[12] Let f ∈ B n . For a given k * ∈ F 2 n , we have

K f ( k * ) = 2 n − 6 1 + 1 SNR 2 ( f ) − [ 2 n − 2 w t ( f ) ] 2 2 n + 5 .

Theorem 2

Let f ∈ B n . For a given k * ∈ F 2 n , we have

K f ( k * ) ≥ 2 n − 6 1 + 1 SNR 2 ( f ) + ( 2 n − 1 ) TO ( f ) 2 5 − 2 n − 5 .

Proof

By Lemma 4,

K f ( k * ) = 2 n − 6 1 + 1 SNR 2 ( f ) − [ 2 n − 2 w t ( f ) ] 2 2 n + 5 .

Clearly,

∑ y ∈ F 2 n * ∑ x ∈ F 2 n ( − 1 ) f ( x ) + f ( x + y ) ≥ [ 2 n − 2 w t ( f ) ] 2 − 2 n ,

Therefore,

TO ( f ) ≤ 1 − [ 2 n − 2 w t ( f ) ] 2 − 2 n 2 n ( 2 n − 1 ) ,

[ 2 n − 2 w t ( f ) ] 2 ≤ 2 n + 2 n ( 2 n − 1 ) [ 1 − TO ( f ) ] .

Hence,

□ K f ( k * ) ≥ 2 n − 6 1 + 1 SNR 2 ( f ) − 2 n + 2 n ( 2 n − 1 ) [ 1 − TO ( f ) ] 2 n + 5 = 2 n − 6 1 + 1 SNR 2 ( f ) − 2 n + ( 2 n − 1 ) [ 2 n − 2 n TO ( f ) ] 2 n + 5 = 2 n − 6 1 + 1 SNR 2 ( f ) + ( 2 n − 1 ) TO ( f ) 2 5 − 2 n − 5 .

Based on Theorem 2, we know that the lower bound of sum-of-squares of CC is directly proportional to TO and inversely proportional to SNR for a Boolean function; thus, these indicators cannot be the best at the same time.

4.3 Bounds on the sum-of-squares of CC of s-plateaued function

Further, recall that f ∈ B n is called plateaued if ∣ F ( f + φ u ) ∣ ∈ { 0 , 2 n + s 2 } for all u ∈ F 2 n for a fixed integer s depending on f (we also then call f is s -plateaued).

Lemma 5

[13] Let f ∈ B n , then

SNR ( f ) ≥ 2 n 2 n − 2 N f .

Lemma 6

[12] Let f ∈ B n be a balanced Boolean function. For a given k ∈ F 2 n , we have

K f ( k * ) ≥ 2 n − 6 + [ 2 n − ( 2 n − 1 ) TO ( f ) ] 2 2 n + 6 .

Theorem 3

Let f ∈ B n be a balanced s-plateaued function, we have

2 n − 6 ( 1 + 2 2 s − 2 n ) ≤ K f ( k * ) ≤ 2 n − 6 ( 1 + 2 s − n ) .

Proof

By Lemma 4, we know that f ∈ B n be a balanced Boolean function. For a given k ∈ F 2 n , we have

K f ( k * ) = 2 n − 6 1 + 1 SNR 2 ( f ) .

According to the condition and Lemma 5, we know that f ∈ B n be a balanced s-plateaued function, then

N f = 2 n − 1 − 2 n + s 2 − 1 ,

K f ( k * ) = 2 n − 6 1 + 1 SNR 2 ( f ) ≤ 2 n − 6 1 + ( 2 n − 2 N f ) 2 2 2 n ≤ 2 n − 6 ( 1 + 2 s − n ) .

Based on Lemma 2, Lemma 6, and the condition, we have

K f ( k * ) ≥ 2 n − 6 + [ 2 n − ( 2 n − 1 ) TO ( f ) ] 2 2 n + 6 ≥ 2 n − 6 + 2 n − ( 2 n − 1 ) 1 − ( 2 n − 2 N f ) 2 2 n ( 2 n − 1 ) + 1 2 n − 1 2 2 n + 6 = 2 n − 6 + 2 2 s − n − 6 = 2 n − 6 ( 1 + 2 2 s − 2 n ) .

Thus, this result is proved.□

Example 1

If s = 1 ( n must then be odd), or s = 2 ( n must then be even), we call f s e m i − b e n t . We can make Tables 1 and 2.

Table 1

s = 1 : the bounds on K f ( k * ) for balanced s-plateaued function

n	Lower bound on K f ( k * )	Upper bound on K f ( k * )
1	0.0625	0.0625
3	0.1328	0.1563
5	0.5020	0.5313

Table 2

s = 2 : the bounds on K f ( k * ) for balanced s-plateaued function

n	Lower bound on K f ( k * )	Upper bound on K f ( k * )
2	0.125	0.125
4	0.2656	0.3125
6	1.0039	1.0625

4.4 Bounds on the sum-of-squares of CC of Boolean function with the Hamming weight k

Finally, we discuss some properties of CC of Boolean function with the hamming weight k .

Lemma 7

[11] Let f ∈ B n , w t ( f ) = k , and k ( k − 1 ) 2 ( 2 n − 1 ) = t . Then,

σ f ≥ 2 3 n + 3 ⋅ 2 n + 3 k 2 − 2 2 n + 3 k − 32 ⋅ k 3 + 16 ⋅ k 2 + 2 5 [ ( 2 t + 1 ) ( k 2 − k ) − ( 2 n + 1 − 2 ) ( t 2 + t ) ] .

Theorem 4

Let f ∈ B n . w t ( f ) = k and k ( k − 1 ) 2 ( 2 n − 1 ) = t , then

K f ( k * ) ≥ 2 n − 5 − ( 2 n − 2 k ) 2 2 n + 5 + 3 k 2 2 n + 3 − k 8 − k 3 2 2 n + 1 + k 2 2 2 n + 2 + ( 2 t + 1 ) ( k 2 − k ) 2 2 n + 1 − ( 2 n + 1 − 2 ) ( t 2 + t ) 2 2 n + 1 .

Proof

By Lemma 7, we know that:

□ K f ( k * ) = 2 n − 6 − [ 2 n − 2 w t ( f ) ] 2 2 n + 5 + σ f 2 2 n + 6 ≥ 2 n − 6 − ( 2 n − 2 k ) 2 2 n + 5 + 2 3 n + 3 ⋅ 2 n + 3 k 2 − 2 2 n + 3 k − 32 k 3 + 16 k 2 2 2 n + 6 + 2 5 [ ( 2 t + 1 ) ( k 2 − k ) − ( 2 n + 1 − 2 ) ( t 2 + t ) ] 2 2 n + 6 = 2 n − 5 − ( 2 n − 2 k ) 2 2 n + 5 + 3 k 2 2 n + 3 − k 8 − k 3 2 2 n + 1 + k 2 2 2 n + 2 + ( 2 t + 1 ) ( k 2 − k ) 2 2 n + 1 − ( 2 n + 1 − 2 ) ( t 2 + t ) 2 2 n + 1 .

Example 2

We can deduce that K f ( k * ) ≥ 2 n − 6 − 2 − n − 3 − 2 − 6 , ( n ≥ 3 ) if f is the balanced Boolean function. Table 3 can be drawn.

Table 3

Lower bound on K f ( k * ) for balanced Boolean functions

n	Lower bound on K f ( k * )
3	0.1563
4	0.2734
5	0.5196
6	1.0176
7	2.0167

5 Conclusion

In this article, we give the relationship between CC and TO. And we also give the relationships between sum-of-squares of CC, TO, and SNR of Boolean function. Furthermore, we give the upper and lower bound on the sum-of-squares of CC of s-plateaued function and the lower bound on sum-of-squares of CC of Boolean function with the Hamming weight k . But CC and other cryptographic indicators cannot reach the best; at the same time, we hope that these results of Boolean functions will help us to construct good S-box in the future.

Funding information: This study was supported by the Natural Science Foundation of Anhui Higher Education institutions of China (No. KJ2020ZD008) and Graduate Innovation Fund of Huaibei Normal University (No. yc2021022).
Conflict of interest: Authors state no conflict of interest.

References

[1] Kocher P, Jaffe J, Jun B. Differential power analysis. Advances in Cryptology-CRYPTOa99. LNCS 1666. Berlin: Springer; 1999. p. 388–397. 10.1007/3-540-48405-1_25Suche in Google Scholar

[2] Guilley S, Hoogvorst P, Pacalet R. Differential power analysis model and some results. In Smart Card Research and Advanced Applications VI, IFIP 18th World Computer Congress, TC8/WG8.8 and TC11/WG11.2 Sixth International Conference on Smart Card Research and Advanced Applications(CARDIS), Toulouse, France, 2004. p. 127–142. 10.1007/1-4020-8147-2_9Suche in Google Scholar

[3] Prouff E. DPA attacks and s-boxes. Fast Software Encryption-FSE 2005. LNCS 3557. Berlin, Heidelberg: Springer; 2005. p. 424–441. 10.1007/11502760_29Suche in Google Scholar

[4] Chakraborty K, Sarkar S, Maitra S, Mazumdar B, Mukhopadhyay D, Prouff E. Redefining the transparency order. Designs Codes Cryptography. 2017;82(1):95–115. 10.1007/s10623-016-0250-3Suche in Google Scholar

[5] Fei Y, Luo Q, Ding AA. A statistical model for DPA with novel algorithmic confusion analysis. International Workshop on Cryptographic Hardware and Embedded Systems. Berlin, Heidelberg: Springer; 2012. p. 233–250. 10.1007/978-3-642-33027-8_14Suche in Google Scholar

[6] Picek S, Papagiannopoulos K, Ege B, Batina L, Jakobovic D. Confused by confusion: systematic evaluation of DPA resistance of various s-boxes. In: Meier W, Mukhopadhyay D. (eds). Progress in Cryptology-INDOCRYPT 2014, LNCS 8885. 2014. p. 374–390. 10.1007/978-3-319-13039-2_22Suche in Google Scholar

[7] Qiu S, Bai GQ, Chen HY. One-dimensional confusion coefficient for block cipher. J Cryptol Res. 2014;1(2):124–133. Suche in Google Scholar

[8] Carlet C, de Chérisey É, Gulley S, Kavut S, Tang D. Intrinsic resiliency of S-boxes against Side-channel Attacks-best and Worst Scenarios. IEEE Trans Informa Forensic Secur. 2021;16:203–218. 10.1109/TIFS.2020.3006399Suche in Google Scholar

[9] Zhang XM, Zheng YL. Auto-correlations and new bounds on the nonlinearity of Boolean functions. EUROCRYPT’96 Proceedings, LNCS. Vol. 1070. Berlin, Heidelberg: Springer-Verlag; 1996. p. 294–306. 10.1007/3-540-68339-9_26Suche in Google Scholar

[10] Wang QC, Stanica P. Transparency order for Boolean functions: analysis and construction. Designs Codes Cryptography. 2019;87(9):2043–2059. 10.1007/s10623-019-00604-1Suche in Google Scholar

[11] Zhou Y, Wang WQ, Xiao GZ. Global avalanche characteristics and nonlinearity of Boolean function with the Hamming weight k. J Electron Inform Technol. 2009;31(2):435–438. Suche in Google Scholar

[12] Zhou Y, Hu JY, Miao XD, Han Y, Zhang F. On the confusion coefficient of Boolean functions. J Math Cryptol. 2022;16:1–13. 10.1515/jmc-2021-0012Suche in Google Scholar

[13] Zhou Y, Zhao W, Chen ZX, et al. On the signal-to-noise ratio for Boolean functions. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2020;E103.A(12). 10.1587/transfun.2020EAL2037Suche in Google Scholar

[14] Crama E, Hammer PL. Boolean models and methods in mathematics, computer science, and engineering. Cambridge, UK: Cambridge University Press; 2010. 10.1017/CBO9780511780448Suche in Google Scholar

Received: 2021-09-23

Revised: 2022-12-25

Accepted: 2023-04-06

Published Online: 2023-11-21

This work is licensed under the Creative Commons Attribution 4.0 International License.

Artikel in diesem Heft

https://doi.org/10.1515/jmc-2021-0039

Schlagwörter für diesen Artikel

transparency order; Boolean function; confusion coefficient; nonlinearity; signal-to-noise ratio

Creative Commons

BY 4.0