
Decomposed S-Boxes and DPA Attacks: A Quantitative Case Study Using PRINCE

  • Conference paper
  • Security, Privacy, and Applied Cryptography Engineering (SPACE 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10076)

Abstract

Lightweight ciphers have become indispensable in ubiquitous smart devices. However, the security of a cipher is often subverted by various types of attacks, especially implementation attacks such as side-channel attacks. These attacks emphasise the necessity of providing efficient countermeasures. In this paper, our contribution is threefold. First, we propose a method to choose the most area-efficient decomposition of an S-Box. Then we slightly alter the widely used formula to improve the accuracy of the weighted-sum estimate for a shared S-Box, and present a practical implementation of a two-level decomposition using the PRINCE S-Box. Finally, we present the first quantitative study on the efficacy of the Transparency Order (TO) of decomposed S-Boxes in thwarting a side-channel attack. For the PRINCE S-Box we observe that the TO-based decomposed implementation has better DPA resistivity than the naive implementation. To benchmark the DPA resistivity of the TO (decomposed S-Box) implementation we arrive at an efficient threshold implementation of PRINCE, which is itself an interesting contribution.



Acknowledgments

This research work was funded by the Department of Atomic Energy (DAE), Govt. of India under grant 12-R&D-IMS-5.01.0204. We would like to thank Prof. Svetla Nikova and the anonymous reviewers for their useful comments.

Corresponding authors

Correspondence to Ravikumar Selvam, Dillibabu Shanmugam, Suganya Annadurai or Jothi Rangasamy.

A TI Solution

This section elaborates the selection of the most efficient solution and its implementation approach.

Fig. 8. Architecture of PRINCE non-linear function with TI

The architecture of the PRINCE non-linear function with the decomposition is depicted in Fig. 8. The weighted sum was calculated for the 644 decomposed functions, and the value for the most efficient function is given in Table 7. Implementing the TI countermeasure on the PRINCE non-linear function required 766 GE.

Table 7. Weighted sum.

We observed that the S-Box and the inverse S-Box have the same \(G\) function. This lets us optimize the architecture by sharing the \(G\) function between the S-Box (F, G, H) and the inverse S-Box (\(F^{-1}\), G, \(H^{-1}\)). Hence the gate count is reduced to 643.

Listed below are the algebraic normal forms (ANFs) of the PRINCE S-Box decomposition with 3 shares for the TI countermeasure.

F and H functions of the S-box:

  • \(F_1(w_2, x_2, y_2, z_2, w_3, x_3, y_3, z_3) = (f_{13}, f_{12}, f_{11}, f_{10})\)

  • \(f_{10} = x_2 + w_2y_2 + w_2y_3 + w_3y_2 + w_2z_2 + w_2z_3 + w_3z_2\)

  • \(f_{11} = z_2 + y_2 + w_2\)

  • \(f_{12} = w_2\)

  • \(f_{13} = z_2 + w_2 + x_2z_2 + x_2z_3 + x_3z_2 + x_2y_2 + x_2y_3 + x_3y_2\)

  • \(F_2(w_3, x_3, y_3, z_3, w_1, x_1, y_1, z_1) = (f_{23}, f_{22}, f_{21}, f_{20})\)

  • \(f_{20} = x_3 + w_3y_3 + w_3y_1 + w_1y_3 + w_3z_3 + w_3z_1 + w_1z_3\)

  • \(f_{21} = z_3 + y_3 + w_3\)

  • \(f_{22} = w_3\)

  • \(f_{23} = z_3 + w_3 + x_3z_3 + x_3z_1 + x_1z_3 + x_3y_3 + x_3y_1 + x_1y_3\)

  • \(F_3(w_1, x_1, y_1, z_1, w_2, x_2, y_2, z_2) = (f_{33}, f_{32}, f_{31}, f_{30})\)

  • \(f_{30} = x_1 + w_1y_1 + w_1y_2 + w_2y_1 + w_1z_1 + w_1z_2 + w_2z_1 \)

  • \(f_{31} = z_1 + y_1 + w_1 \)

  • \(f_{32} = w_1 \)

  • \(f_{33} = z_1 + w_1 + x_1z_1 + x_1z_2 + x_2z_1 + x_1y_1 + x_1y_2 + x_2y_1\)

  • \(H_1(w_2, x_2, y_2, z_2, w_3, x_3, y_3, z_3) = (h_{13}, h_{12}, h_{11}, h_{10}) \)

  • \(h_{10} = 1 + z_2 + x_2 + w_2y_2 + w_2y_3 + w_3y_2 \)

  • \(h_{11} = 1 + y_2 + w_2x_2 + w_2x_3 + w_3x_2 \)

  • \(h_{12} = z_2 + y_2 + w_2 + w_2y_2 + w_2y_3 + w_3y_2 + w_2x_2 + w_2x_3 + w_3x_2 \)

  • \(h_{13} = y_2 + x_2 + w_2x_2 + w_2x_3 + w_3x_2\)

  • \(H_2(w_3, x_3, y_3, z_3, w_1, x_1, y_1, z_1) = (h_{23}, h_{22}, h_{21}, h_{20})\)

  • \(h_{20} = z_3 + x_3 + w_3y_3 + w_3y_1 + w_1y_3\)

  • \(h_{21} = y_3 + w_3x_3 + w_3x_1 + w_1x_3\)

  • \(h_{22} = z_3 + y_3 + w_3 + w_3y_3 + w_3y_1 + w_1y_3 + w_3x_3 + w_3x_1 + w_1x_3\)

  • \(h_{23} = y_3 + x_3 + w_3x_3 + w_3x_1 + w_1x_3\)

  • \(H_3(w_1, x_1, y_1, z_1, w_2, x_2, y_2, z_2) = (h_{33}, h_{32}, h_{31}, h_{30})\)

  • \(h_{30} = z_1 + x_1 + w_1y_1 + w_1y_2 + w_2y_1 \)

  • \(h_{31} = y_1 + w_1x_1 + w_1x_2 + w_2x_1 \)

  • \(h_{32} = z_1 + y_1 + w_1 + w_1y_1 + w_1y_2 + w_2y_1 + w_1x_1 + w_1x_2 + w_2x_1 \)

  • \(h_{33} = y_1 + x_1 + w_1x_1 + w_1x_2 + w_2x_1\)

\(F^{-1}\) and \(H^{-1}\) function of inverse S-box:

  • \(F^{-1}_1(w_2, x_2, y_2, z_2, w_3, x_3, y_3, z_3) = (f^{-1}_{13}, f^{-1}_{12}, f^{-1}_{11}, f^{-1}_{10}) \)

  • \(f^{-1}_{10} = 1 + w_2 + x_2z_2 + x_2z_3 + x_3z_2 \)

  • \(f^{-1}_{11} = 1 + z_2 \)

  • \(f^{-1}_{12} = x_2 \)

  • \(f^{-1}_{13} = z_2 + y_2 + w_2 + w_2z_2 + w_2z_3 + w_3z_2 + w_2x_2 + w_2x_3 + w_3x_2\)

  • \(F^{-1}_2(w_3, x_3, y_3, z_3, w_1, x_1, y_1, z_1) = (f^{-1}_{23}, f^{-1}_{22}, f^{-1}_{21}, f^{-1}_{20}) \)

  • \(f^{-1}_{20} = w_3 + x_3z_3 + x_3z_1 + x_1z_3 \)

  • \(f^{-1}_{21} = z_3 \)

  • \(f^{-1}_{22} = x_3 \)

  • \(f^{-1}_{23} = z_3 + y_3 + w_3 + w_3z_3 + w_3z_1 + w_1z_3 + w_3x_3 + w_3x_1 + w_1x_3\)

  • \(F^{-1}_3(w_1, x_1, y_1, z_1, w_2, x_2, y_2, z_2) = (f^{-1}_{33}, f^{-1}_{32}, f^{-1}_{31}, f^{-1}_{30}) \)

  • \(f^{-1}_{30} = w_1 + x_1z_1 + x_1z_2 + x_2z_1 \)

  • \(f^{-1}_{31} = z_1 \)

  • \(f^{-1}_{32} = x_1 \)

  • \(f^{-1}_{33} = z_1 + y_1 + w_1 + w_1z_1 + w_1z_2 + w_2z_1 + w_1x_1 + w_1x_2 + w_2x_1\)

  • \(H^{-1}_1(w_2, x_2, y_2, z_2, w_3, x_3, y_3, z_3) = (h^{-1}_{13}, h^{-1}_{12}, h^{-1}_{11}, h^{-1}_{10})\)

  • \(h^{-1}_{10} = y_2 + w_2x_2 + w_2x_3 + w_3x_2 \)

  • \(h^{-1}_{11} = x_2 + w_2 \)

  • \(h^{-1}_{12} = 1 + y_2 + x_2 + w_2x_2 + w_2x_3 + w_3x_2 \)

  • \(h^{-1}_{13} = z_2 + y_2 + w_2 + w_2x_2 + w_2x_3 + w_3x_2 + w_2y_2 + w_2y_3 + w_3y_2\)

  • \(H^{-1}_2(w_3, x_3, y_3, z_3, w_1, x_1, y_1, z_1) = (h^{-1}_{23}, h^{-1}_{22}, h^{-1}_{21}, h^{-1}_{20})\)

  • \(h^{-1}_{20} = y_3 + w_3x_3 + w_3x_1 + w_1x_3 \)

  • \(h^{-1}_{21} = x_3 + w_3\)

  • \(h^{-1}_{22} = y_3 + x_3 + w_3x_3 + w_3x_1 + w_1x_3\)

  • \(h^{-1}_{23} = z_3 + y_3 + w_3 + w_3x_3 + w_3x_1 + w_1x_3 + w_3y_3 + w_3y_1 + w_1y_3 \)

  • \(H^{-1}_3(w_1, x_1, y_1, z_1, w_2, x_2, y_2, z_2) = (h^{-1}_{33}, h^{-1}_{32}, h^{-1}_{31}, h^{-1}_{30})\)

  • \(h^{-1}_{30} = y_1 + w_1x_1 + w_1x_2 + w_2x_1 \)

  • \(h^{-1}_{31} = x_1 + w_1 \)

  • \(h^{-1}_{32} = y_1 + x_1 + w_1x_1 + w_1x_2 + w_2x_1 \)

  • \(h^{-1}_{33} = z_1 + y_1 + w_1 + w_1x_1 + w_1x_2 + w_2x_1 + w_1y_1 + w_1y_2 + w_2y_1\)

Common G function of both S-box and inverse S-box:

  • \(G_1(w_2, x_2, y_2, z_2, w_3, x_3, y_3, z_3) = (g_{13}, g_{12}, g_{11}, g_{10}) \)

  • \(g_{10} = w_2 \)

  • \(g_{11} = 1 + z_2 + y_2 + w_2 + w_2y_2 + w_2y_3 + w_3y_2 \)

  • \(g_{12} = 1 + x_2 + y_2 + w_2 + w_2z_2 + w_2z_3 + w_3z_2 \)

  • \(g_{13} = 1 + z_2 + y_2 + x_2 + w_2x_2 + w_2x_3 + w_3x_2\)

  • \(G_2(w_3, x_3, y_3, z_3, w_1, x_1, y_1, z_1) = (g_{23}, g_{22}, g_{21}, g_{20}) \)

  • \(g_{20} = w_3 \)

  • \(g_{21} = z_3 + y_3 + w_3 + w_3y_3 + w_3y_1 + w_1y_3 \)

  • \(g_{22} = x_3 + y_3 + w_3 + w_3z_3 + w_3z_1 + w_1z_3 \)

  • \(g_{23} = z_3 + y_3 + x_3 + w_3x_3 + w_3x_1 + w_1x_3\)

  • \(G_3(w_1, x_1, y_1, z_1, w_2, x_2, y_2, z_2) = (g_{33}, g_{32}, g_{31}, g_{30})\)

  • \(g_{30} = w_1\)

  • \(g_{31} = z_1 + y_1 + w_1 + w_1y_1 + w_1y_2 + w_2y_1 \)

  • \(g_{32} = x_1 + y_1 + w_1 + w_1z_1 + w_1z_2 + w_2z_1 \)

  • \(g_{33} = z_1 + y_1 + x_1 + w_1x_1 + w_1x_2 + w_2x_1\)
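The ANFs above can be checked mechanically. The following is an added example, not code from the paper: it evaluates the three-share component functions of F, G and H exactly as listed, feeds each stage's output shares into the next stage, and verifies the TI correctness property (the XOR of the three output shares equals the PRINCE S-box output) for all 16 inputs under all 256 sharings of each. It assumes that w is the most significant input bit and z the least, and that the stages are applied in the order F, then G, then H; the inverse S-box stages follow the same pattern and are not repeated here.

```python
# Added example (not the paper's code): evaluates the appendix's 3-share ANFs
# of the decomposed PRINCE S-box and checks the output shares recombine to the
# PRINCE S-box for every sharing. Assumed: w = bit 3, z = bit 0; order F, G, H.
from itertools import product

PRINCE_SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1,
               0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]

def bits(v):   # nibble -> (w, x, y, z), w most significant
    return (v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1

def nib(b3, b2, b1, b0):
    return (b3 << 3) | (b2 << 2) | (b1 << 1) | b0

def cross(p, P, q, Q):   # shared product p*q as one component sees it:
    return (p & q) ^ (p & Q) ^ (P & q)   # p_a q_a + p_a q_b + p_b q_a

# Component i reads only shares a = i+1 and b = i+2 (mod 3): non-complete by
# construction (lower case = share a, upper case = share b). c is the ANF
# constant, kept in component 1 only. F_1..F_3 are cyclic rotations, written once.
def f_share(a, b, c):   # F has no constant term, so c is unused here
    (w, x, y, z), (W, X, Y, Z) = a, b
    return nib(z ^ w ^ cross(x, X, z, Z) ^ cross(x, X, y, Y),   # f_3
               w, z ^ y ^ w,                                    # f_2, f_1
               x ^ cross(w, W, y, Y) ^ cross(w, W, z, Z))       # f_0

def g_share(a, b, c):
    (w, x, y, z), (W, X, Y, Z) = a, b
    return nib(c ^ z ^ y ^ x ^ cross(w, W, x, X),               # g_3
               c ^ x ^ y ^ w ^ cross(w, W, z, Z),               # g_2
               c ^ z ^ y ^ w ^ cross(w, W, y, Y), w)            # g_1, g_0

def h_share(a, b, c):
    (w, x, y, z), (W, X, Y, Z) = a, b
    wy, wx = cross(w, W, y, Y), cross(w, W, x, X)
    return nib(y ^ x ^ wx, z ^ y ^ w ^ wy ^ wx,                 # h_3, h_2
               c ^ y ^ wx, c ^ z ^ x ^ wy)                      # h_1, h_0

def shared_stage(comp, shares):   # 3 input shares -> 3 output shares
    s = [bits(v) for v in shares]
    return tuple(comp(s[(i + 1) % 3], s[(i + 2) % 3], int(i == 0)) for i in range(3))

def shared_sbox(shares):   # shared S = H(G(F(x))); stage outputs feed the next
    for comp in (f_share, g_share, h_share):
        shares = shared_stage(comp, shares)
    return shares

def check_correctness():   # TI correctness over all 16 inputs x 256 sharings
    for x, s1, s2 in product(range(16), repeat=3):
        o = shared_sbox((s1, s2, x ^ s1 ^ s2))   # s3 completes the sharing of x
        if o[0] ^ o[1] ^ o[2] != PRINCE_SBOX[x]:
            return False
    return True
```

Non-completeness holds structurally here because no component function is ever handed its own share; uniformity of each stage is a separate property and is not checked by this block.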

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Selvam, R., Shanmugam, D., Annadurai, S., Rangasamy, J. (2016). Decomposed S-Boxes and DPA Attacks: A Quantitative Case Study Using PRINCE. In: Carlet, C., Hasan, M., Saraswat, V. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2016. Lecture Notes in Computer Science(), vol 10076. Springer, Cham. https://doi.org/10.1007/978-3-319-49445-6_10

  • DOI: https://doi.org/10.1007/978-3-319-49445-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49444-9

  • Online ISBN: 978-3-319-49445-6
