The Notion of Transparency Order, Revisited

We revisit the definition of Transparency Order (TO) and that of Modified Transparency Order (MTO) as well, which were proposed to measure the resistance of an S-box against Differential Power Analysis (DPA). We spot a definitional flaw in original TO, which is proved to have significantly affected the soundness of TO and hinder it to be a good quantitative security criterion. Regretfully, the flaw itself remains virtually undiscovered in MTO, either. Surprisingly, MTO overlooks this flaw and yet it happens to incur no bad effects on the correctness of its formulation, even though the start point of this formulation is highly questionable. It is also this neglect of the flaw that made MTO take a variant of multi-bit DPA attack into consideration, which was mistakenly thought to appropriately serve as an alternative powerful attack. Based on this observation, we also find that MTO introduces such an alternative adversary that it might overestimate the resistance of an S-box in some cases, as the variant of multi-bit DPA attack considered in MTO is not that powerful as one may think. This implies the soundness of MTO is also more or less arguable. Consequently, we fix this definitional flaw, and provide a revised definition in which a powerful adversary is also involved. For demonstrating validity and soundness of our revised TO (RTO), we adopt both optimal $4\times4$ S-boxes and $8\times8$ S-boxes as study cases, and present simulated and practical DPA attacks as well on implementations of those S-boxes. The results of our attacks verify our findings and analysis as well. Furthermore, as a concrete application of the revised TO, we also present the distribution of RTO values for sixteen optimal affine equivalence classes of $4\times4$ S-boxes. Finally, we give some recommended guidelines on how to select optimal $4\times4$ S-boxes in practical implementations

Achilles\u27 Heel: the Unbalanced Mask Sets May Destroy a Masking Countermeasure

Low Entropy Masking Scheme (LEMS) has attracted wide attention for its low-cost feature of small fixed mask sets in Side-Channel-Analysis (SCA). To achieve the expected side channel security, it is necessary to find a balanced mask set to reduce the correlations between key dependent variables and their corresponding leakages. However, the security proof of LEMS, based on an inadequate assumption, might lead to consequent mask sets proposed without balance property, which could cause vulnerable LEMS implementations. This paper focusing on correcting and improving this scheme, first gives the formal definitions of univariate balance property on mask sets and extends it to multivariate settings. From these definitions, we propose three fundamental properties to analyze the balance of mask sets in Rotating Sbox Masking (RSM), the most popular LEMS implementations. To demonstrate the definitions and properties, three state-of-the-art RSM mask sets were selected as research objects. The corresponding attacks when any properties violated distinctly indicate the necessity of evaluating the balance property of the mask set in advance (during the design phase). However, it is found impossible to get a mask set for the RSM with all three properties satisfied, which means the vulnerabilities of RSM scheme in its unbalanced mask set are unavoidable. Thus, this promising masking scheme may be broken for its unqualified mask set

Revealing the Weakness of Addition Chain Based Masked SBox Implementations

Addition chain is a well-known approach for implementing higher-order masked SBoxes. However, this approach induces more computations of intermediate monomials over F2n, which in turn leak more information related to the sensitive variables and may decrease its side-channel resistance consequently. In this paper, we introduce a new notion named polygon degree to measure the resistance of monomial computations. With the help of this notion, we select several typical addition chain implementations with the strongest or the weakest resistance. In practical experiments based on an ARM Cortex-M4 architecture, we collect power and electromagnetic traces in consideration of different noise levels. The results show that the resistance of the weakest masked SBox implementation is close to that of an unprotected implementation, while the strongest one can also be broken with fewer than 1,500 traces due to extra leakages. Moreover, we study the resistance of addition chain implementations against profiled attacks. We find that some monomials with smaller output size leak more information than the SBox output. The work by Duc et al. at JOC 2019 showed that for a balanced function, the smaller the output size is, the less information is leaked. Thus, our attacks demonstrate that this property of balanced functions does not apply to unbalanced functions