ABSTRACT There is a theoretically strong relationship between chaos and cryptology. In practice, one of the most successful applications of this relationship is chaos-based s-box structures. However, the performance metrics of chaos-based s-box designs are worse compared to those for s-box structure based on algebraic techniques used in modern encryption algorithms, such as the AES algorithm. What is the reason for using chaos-based s-box structures, even though they have worse cryptographic characteristics? Researchers claim that they may be an alternative defense against implementation attacks, especially side-channel analyses. However, no studies have supported or refuted this claim so far. In this paper, side-channel analyses have been performed for two different chaos-based s-box structures. These two s-box structures have been selected for having with the best and worst performance measurements for s-box structures previously proposed in the literature. The results were compared with the AES s-box structure. Analysis of the results showed that chaos-based s-box structures are more resistant against side-channel attacks. Therefore, chaos-based designs may be an alternative defense against implementation attacks, as alleged. However, both algebraic and chaos-based s-box designs have been observed to be insecure if the attacker has more than 30 plaintexts in the side channel analyses. These results show that implementation analysis studies are required in the chaos-based cryptology literature.
I. INTRODUCTION
A block encryption algorithm must provide two basic properties, confusion and diffusion. In many block encryption algorithms, the confusion property is provided by cryptographic components known as substitution box (s-box) structures. Therefore, block encryption algorithms take their strength from s-box structures. Several methods have been proposed in the literature for the design of s-box structures, including algebraic methods, pseudorandom methods, and heuristic methods [1] . Modern block encryption algorithms often use s-box design techniques based on strong algebraic relations. The most well-known of these was proposed by Nyberg [2] . This method is also used in the s-box of the AES (Advanced Encryption Standard) block encryption algorithm [3] .
In the last decade, chaos-based s-box design techniques have been proposed as an alternative to algebraic s-box design algorithms. The idea of using chaotic systems in the s-box
The associate editor coordinating the review of this manuscript and approving it for publication was Fan Zhang. design process is based on the similarities between chaos and cryptography [4] . Both of these designs use chaotic systems as a source of randomness. S-box structures are created through the unpredictable outputs of the chaotic system. When the performance criteria of the proposed chaos-based s-box structures were examined, it was found that the chaos-based s-box structures have worse cryptographic properties than those of the AES s-box structure. For example, the nonlinearity value of the AES s-box is 112. Since the AES s-box is designed in terms of the best known cryptographic features, this value is the upper limit that can be reached. In the chaos-based s-box designs, the maximum limit for the nonlinearity value has been shown to be 106.75. Another important performance measure, the maximum value in the Input/Output XOR (differential analysis) table used to measure the resistance to differential attacks, is 4 in the AES s-box structure. This value should be as small as possible and 4 is the smallest value that can be reached. It has been shown that the smallest value that can be reached in chaos-based designs is 10 [5] .
A question comes to mind at this point. Does it make sense to use chaos-based s-box structures when there is a cryptographic component with superior cryptographic features, such as the AES s-box? In the literature, it has been claimed that their resistant to side-channel attacks [6] is the most important advantage of chaos-based s-box structures [7] - [39] compared to the AES s-box structure. However, this claim has not been proven in any theoretical or experimental study. In this study, the resistance of chaos-based s-box structures against side-channel attacks has been analyzed. This is the first study to realize this aim in the literature. Considering the results obtained, it is thought that it will bring a new perspective to the chaos-based cryptography literature.
The study consists of five sections. In the second section, side-channel attacks are briefly explained step by step. In the third section, the experimental set used for side-channel attacks is described in detail. In the fourth section, the sidechannel analysis is reported for the Nyberg s-box and two different chaos-based s-box structures in the AES algorithm architecture. The first of the chaos-based s-box structures used in the analyses is the s-box structure from the literature with the best performance characteristics. The other chaosbased s-box structure used in the analyses is the s-box structure with the worst performance characteristics. In this way, the effect of chaos-based s-box structures is examined for the best and worst cases and a wide evaluation is presented. In the final section, the results are discussed and the study is summarized.
II. SIDE-CHANNEL ANALYSIS
The importance of embedded systems has gradually increased in our lives, which has been digitized by technological developments, and in parallel, new attacks have been developed for implementation against embedded systems. One of the most popular of these attacks in recent years has been side-channel analysis [6] . The aim of side-channel analysis is to learn the secret parameters used in cryptographic operations. The physical and/or electrical effects of normal operations are used for analysis. If these effects involuntarily give information about the secret key, the information they provide is called side-channel information and these effects are called side channels. Side-channel analysis is divided into four groups according to the effect used, namely timing analysis, power analysis, electromagnetic radiation analysis, and acoustic analysis. In timing analysis, the completion time of a cryptography process is used [40] . The dynamic power expenditure of the device during the cryptography process is used in power expenditure analysis [41] . Electromagnetic radiation analysis uses electromagnetic radiation produced by the device during operation [42] . Acoustic analysis uses the sound produced by the device during operation [43] .
Power consumption attacks, which are a kind of sidechannel attack, involve measuring the power expended during the encryption process and establishing a relationship between this power and the encryption key used. In the case of power consumption attacks, the transistors within the electronic system that perform the encryption process are counted as 0-1 passes and the current information drawn by the system is estimated. This information provides a simulation of the power that the system expends. As a result, when implementing the encryption algorithm, the power consumed by the implementation of the hardware is important for the security of the data. Power consumption attacks are carried out using the following steps [6] , [40] - [43] :
Step 1. Encryption algorithm run on the embedded system.
Step 2. When encryption operations are performed on the embedded system, the device's power consumption is measured by oscilloscope.
Step 3. In the software environment, it is calculated from which power values the hypothetical results of the algorithm with the N input random value and the possible K key values.
Step 4. For each N plaintext, the values at the attack point are estimated.
Step 5. Statistical analysis is applied to obtain the device's possible key using hypothetical power consumption values and the actual power consumption values.
III. EXPERIMENT SET FOR SIDE-CHANNEL ANALYSIS
An integrated experiment set was used to perform the side-channel analysis. In this study, a ChipWhispererLite CW1173 Side-Channel Attack Test device equipped with Spartan-6 FPGA from NewAE is used to conduct side-channel analysis study ( Figure 1 ).
This device is low-cost and provided with an open-source software package to manage attacks. Thus, it provides a very suitable environment for studying side-channel analysis. This device is also used in several articles and books about side-channel analysis [44] - [47] . To use the device, the VOLUME 7, 2019 open-source ChipWhisperer Capture and ChipWhisperer Analyzer programs can be downloaded free of charge from the manufacturer's website [48] .
The CW303 device in Figure 1 is the target device to be attacked. The Xmega processor on the CW303 can be programmed to run various encryption algorithms. While encryption operations are being performed on this embedded system, the power consumption values of the ChipWhispererLite CW1173 and the CW303 can be measured, as shown in Figure 2 , and a Differential Power Analysis (DPA) attack can be conducted via power traces measured by the ChipWhisperer open-source software system. In addition, sidechannel attacks can be performed on the system using the same software. The side-channel analysis of a cryptographic device is performed in two steps by ChipWhisperer-Lite. The first step is to record the power consumption values of the target device with the ChipWhisperer-Lite device and ChipWhisperer Capture software, as shown in Figure 2 . The second step is to access the system using the same software.
ChipWhisperer-Lite should be connected to a personal computer (PC) via the USB port, as shown in Figure 3 , to measure the power consumption values of the target device. After the physical connection to the PC is set up, ChipWhisperer Capture software should be opened, as shown in Figure 4 .
Once the software is opened, the steps shown in Figure 5 should be followed to connect the ChipWhisperer-Lite, which is already connected to the PC, to the target device (CW303).
Then, the encryption algorithm to be executed on the target device should be selected, as shown in Figure 6 . Here, the AES algorithm will be loaded into the Xmega processor.
If any changes are made to the standard AES algorithm, the program codes of the compiled program with a '.hex' extension must be loaded manually onto the Xmega processor, as shown in Figure 7 .
Then, the key value of the AES algorithm that will be run on the target device and the number of power traces should be selected from the menus, as shown in Figure 8 .
Then, the measurement process should be performed as shown in Figure 9 to measure the power traces when the target device is running.
After measuring the power traces, the image should be saved for later analysis, as shown in Figure 10 .
After saving the power traces, ChipWhisperer Capture should be closed and ChipWhisperer Analyzer should be run, as shown in Figure 11 .
The power traces recorded by the ChipWhisperer Capture software are analyzed using the ChipWhisperer Analyzer software. First, the previously saved power trace record file should be opened, as shown in Figure 12 .
After the saved power trace file is opened, the steps shown in Figure 13 should be followed.
The attack process continues as shown in Figure 14 . When the attack process is completed, the key estimates with the highest correlation, as shown in Figure 15 , are estimated as the actual key of the device.
IV. ANALYSIS RESULTS
Three different side-channel analyses are reported in this section. All analyses were performed for the standard AES block encryption algorithm. The aim of the analysis is to obtain the 128-bit length key value of the standard AES algorithm using the side-channel information. The only factor that was changed in the analysis is the s-box structure. In the first analysis, the original AES s-box [2] was used. In the second and third analyses, chaos-based s-box structures [5] , [49] were used. The performance characteristics of these s-box structures are given in Table 1 .
To assess the quality of these s-boxes, five basic requirements are used in the literature. These are bijective, nonlinearity, strict avalanche criterion (SAC), bit independence criterion (BIC) and input/output XOR distribution. The readers are directed to Ref. [1] , [5] for more detailed information.
The bijective criterion checks whether each element in an s-box is unique. Nonlinearity is one of the most important properties of the s-box. For testing of this property, firstly the s-box is expressed by linear equations. It is desirable that the 79032 VOLUME 7, 2019 equations are not as linear as possible. The Walsh spectrum is used to measure this and the maximum value that can be reached for this measurement is 112.
Another important test criterion for s-boxes is the SAC, proposed by Fesitel [1] . This test criterion measures the extent to which the change occurring at the input is VOLUME 7, 2019 FIGURE 6. Selection of the cryptographic algorithm to be executed on the target device. reflected at the output. In the ideal case, it is desired that a one-bit change in the input caused a half-bit change to the output bits. The optimum value for the SAC criterion is 0.5.
The BIC, a hybrid measurement for the detection of the s-box structure, analyzes the effects of the two previous test criteria on the output bits. This test was firstly proposed by Tavares and Webster. The last measurement is the input/output XOR distribution. This criterion is related to differential cryptanalysis. The highest value in the s-box should be as small as possible. The minimum value available for this measurement is 4.
When the analysis results in Table 1 are examined, it is clear that the AES s-box structure proposed by Nyberg has ideal characteristics since the Nyberg s-box is based on algebraic methods. Chaotic s-box1 [5] is the s-box structure with the best performance values based on chaotic systems. These values are the best available values for chaos-based designs.
The nonlinearity is 106.75 and the maximum I/O XOR is 10. These values are the highest values that can be obtained theoretically [39] and experimentally [5] . The last s-box structure (chaotic s-box2) is the chaos-based s-box with the worst performance characteristics published in the literature [49] .
A. ANALYSIS STUDY 1 (ORIGINAL S-BOX)
Three different case studies were used to better understand the effects of side-channel analysis. In the first case study, VOLUME 7, 2019 FIGURE 14. Attack process. the values at the attack point were estimated for each of the 10 plaintexts. Success rate and guessing entropy are widely used to evaluate the side-channel attacks. In this study, success rate criterion has been used to evaluate the success of the side channel attack. The values that overlap with the key part are shown as 1 from the estimated values. The secret key of the 128-bit AES algorithm is divided into 16 parts. For example, as can be seen from Table 2 ; in the first attack attempt, only the D2 value of the key has been obtained. In other words, the success rate of first attack attempt using 10 plaintext data is 1/16. These attack attempts were repeated 10 times in order to obtain a reliable evaluation. The last cell of Table 2 shows average success rate of attack attempts using 10 plaintext.
In the second case study, the values at the attack point were estimated for each of the 20 plaintexts. As can be seen from Table 3 , more key parts were obtained since more side-channel information was used. A total of 10 different attack attempts were performed and average success rate of attack attempts using 20 plaintext is 89/160.
In the third case study, the values at the attack point were estimated for each of the 30 plaintexts. The results are shown in Table 4 . In this scenario, average success rate is 144/160. In this case study, the whole of the key was obtained for attack attempt 4 and 6. In fact, knowing some of the key parts can be used to estimate the rest of the key. As more than 75% of the key part was found in each attack attempt, therefore, analysis using more traces of plaintext was not been continued. In other words, if the attacker has 30 or more plaintext data in the side channel attack scenario, chaos-based s-box structures will not be secure.
B. ANALYSIS STUDY 2 (BEST CHAOTIC S-BOX)
The difference between analysis study 1 and analysis study 2 is the s-box structure. In this second analysis, only the s-box structure was changed in the standard AES block VOLUME 7, 2019 encryption architecture. The chaos-based s-box structure in Ref. [5] was used. This s-box structure showed the best performance criteria in the literature for chaos-based s-box structures. In the first case study, the values at the attack points were estimated for each of the 10 plaintexts. The results show that none of the 160 key parts can be obtained. That is, although 10 plaintexts are known, no side-channel information can be obtained when the chaos-based s-box structure in Ref. [5] is used.
In the second case study, the values at the attack point were estimated for each of the 20 plaintexts. Table 5 shows that 63 parts can be obtained from 160 key parts. Average success rate of attack using 20 plaintext is 63/160. Again, compared to the AES s-box structure, the chaos-based s-box structure is more reliable than the original AES s-box for side-channel analysis.
In the third case study, the values at the attack point were estimated for each of the 30 plaintexts. The results are reported in Table 6 . In this scenario, 139 parts were obtained from 160 key parts for 10 different attack attempt. Average success rate of attack using 30 plaintext is 139/160. In this scenario, the whole of the key was obtained for attack attempt 7 and 9. Therefore, analysis using more traces was not continued.
C. ANALYSIS STUDY 3 (WORST CHAOTIC S-BOX)
In this analysis, the chaos-based s-box structure from ref. [49] has been used. This s-box structure has the worst performance characteristics among the chaos-based s-box structures in the literature. In the first case study, the values at the attack point were estimated for each of the 10 plaintexts. Table 7 shows that five of 160 key parts were obtained. Average success rate of attack using 10 plaintext is 5/160.
In the second case study, the values at the attack point were estimated for each of the 20 plaintexts. A total of 10 trials were performed. As shown in the results in Table 8 , 85 parts were obtained from 160 key parts. Average success rate of attack using 20 plaintext is 85/160.
In the third case study, the values at the attack point were estimated for each of the 30 plaintexts. The results are shown in Table 9 . In this scenario, 148 parts were obtained from 160 key parts for 10 different tries. In this scenario, the whole of the key was obtained for attack attempts 1, 3, and 7. Therefore, analysis using more traces was not continued. Average success rate of attack using 30 plaintext is 139/160.
V. CONCLUSIONS
One of the most successful examples of the similarities between the chaos and cryptology sciences is the design of s-box structures based on random selection. In these designs, chaotic systems have been used as a source of randomness and many s-box structures have been proposed in the literature. Although the proposed chaotic s-box constructs have worse cryptographic performance measurements than the AES s-box structure, researchers have claimed that these designs may be more resistant to implementation attacks, such as side-channel analysis. However, no studies confirming this hypothesis have been reported to date. This study is the first study related to the side-channel analysis of chaos-based s-box structures. In this study, side-channel analyses were carried out among the proposed chaos-based s-box structures in the literature with the best and worst performance characteristics. The analyses were used to compare the s-box structure developed by Nyberg based on the standard AES algorithm and the chaos-based s-box structures.
VOLUME 7, 2019
The detailed analyses given in Section 4 are summarized in Table 10 . Each attack scenario was repeated 10 times to obtain an average value. The key length in the standard AES algorithm is 128-bit. In the analyses, the key was divided into 16 parts and attack points were formed. For a total of 10 attempts, the number of key parts is 16 × 10 = 160. The results presented in Table 10 shows the success rate of the side channel attack. Lower values indicate better resistance to side-channel attacks. Therefore, it can be said that the chaosbased s-box structure is more resistant against side-channel attacks than the AES s-box structure.
In addition to, if the attacker has 30 or more plaintext data in the side channel attack scenario, chaos-based s-box structures will not be secure. These results show that implementation analysis studies are required in the chaos-based cryptology literature.
According to the results, the following inferences can be made:
• As claimed, chaos-based designs may be an alternative to application attacks, such as side-channel analysis.
• However, this feature cannot be used alone because the chaos-based s-box structure with the best performance measurements is still worse than the AES s-box structure. It is also shown that if 30 plaintexts and above are known, the whole of the key can be obtained by a side-channel attack.
• For future work, it is imperative to assess the side-channel analysis resistance of other chaos-based designs in the literature.
• In future studies, chaotic systems can be used as a countermeasure to prevent side-channel attacks. AHMET BEDRİ ÖZER is currently a Professor of computer engineering with Firat University. He has authored a number of studies on information security. He has consulted many M.S. and Ph.D. students. VOLUME 7, 2019 
