International Conference on Security, Privacy, and Applied Cryptography Engineering

Security, Privacy, and Applied Cryptography Engineering pp 151-171 | Cite as

S-boxes, Boolean Functions and Codes for the Resistance of Block Ciphers to Cryptographic Attacks, with or without Side Channels

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9354)


The choice of functions \(S: \mathbb{F}_2^n\mapsto \mathbb{F}_2^m\) to be used as substitution boxes (S-boxes), fastly implementable and contributing to resisting attacks is a crucial question for the design of block ciphers. We summary the state of the art in this domain, considering also the case m < n which has been less studied. We also recall the method for protecting block ciphers against side channel attacks (SCA) by masking, and how the S-boxes can be processed in order to ensure this protection. We state a related open problem, also interesting for its own sake. We eventually see how Boolean functions, vectorial functions and error correcting codes can be used in different ways for reducing the cost of masking while keeping the same resistance to some SCA and also for allowing resisting fault injection attacks (FIA).


  1. 1.
    Adams, C.M.: Constructing symmetric ciphers using the CAST design procedure. Designs, Codes, and Cryptography (12), 283–316 (1997)Google Scholar
  2. 2.
    Al Salami, Y.: Constructions with High Algebraic Degree of Differentially 4-uniform (n, n − 1)-Functions and Differentially 8-uniform (n, n − 2)-Functions. Preprint (2015)Google Scholar
  3. 3.
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Anderson, R., Biham, E., Knudsen, L.: Serpent: A proposal for the advanced encryption standard (1998).
  5. 5.
    Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 1–10. ACM, New York (1988)CrossRefGoogle Scholar
  6. 6.
    Beth, T., Ding, C.: On almost perfect nonlinear permutations. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 65–76. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  7. 7.
    Bhasin, S., Carlet, C., Guilley, S.: Theory of masking with codewords in hardware: low weight d-th order correlation-immune functions. IACR ePrint Archive 2013/303Google Scholar
  8. 8.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)MathSciNetCrossRefMATHGoogle Scholar
  9. 9.
    Blakley, G.: Safeguarding cryptographic keys. In: National Comp. Conf., vol. 48, pp. 313–317. AFIPS Press, New York (1979)Google Scholar
  10. 10.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Bracken, C., Leander, G.: A highly nonlinear differentially 4 uniform power mapping that permutes fields of even degree. Finite Fields and their Applications 16(4), 231–242 (2010)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Bracken, C., Tan, C.H., Tan, Y.: Binomial differentially 4-uniform permutations with high nonlinearity. Finite Fields Applications 18, 537–546 (2012)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Bringer, J., Carlet, C., Chabanne, H., Guilley, S., Maghrebi, H.: Orthogonal Direct Sum Masking - A Smartcard Friendly Computation Paradigm in a Code, with Builtin Protection against Side-Channel and Fault Attacks. In: Naccache, D., Sauveron, D. (eds.) WISTP 2014. LNCS, vol. 8501, pp. 40–56. Springer, Heidelberg (2014)Google Scholar
  15. 15.
    Browning, K., Dillon, J.F., McQuistan, M.T., Wolfe, A.J.: An APN permutation in dimension six. Contemporary Mathematics 58, 33–42 (2010)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    Bruneau, N., Guilley, S., Heuser, A., Rioul, O.: Masks Will Fall Off. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 344–365. Springer, Heidelberg (2014)Google Scholar
  17. 17.
    Camion, P., Carlet, C., Charpin, P., Sendrier, N.: On correlation-immune functions. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 86–100. Springer, Heidelberg (1992)Google Scholar
  18. 18.
    Carlet, C.: The monography “Boolean Models and Methods in Mathematics, Computer Science, and Engineering”. In: Crama, Y., Hammer, P.L. (eds.) Boolean Functions for Cryptography and Error Correcting Codes, pp. 257–397. Cambridge University Press (2010), Preliminary version available at
  19. 19.
    Carlet, C.: The monography Boolean Models and Methods in Mathematics, Computer Science, and Engineering. In: Crama, Y., Hammer, P.L. (eds.) Vectorial boolean functions for cryptography, pp. 398–469. Cambridge University Press (2010), Preliminary version available at
  20. 20.
    Carlet, C.: On Known and New Differentially Uniform Functions. In: Proceedings of Information Security and Privacy - 16th Australasian Conference (ACISP) 2011, Melbourne, pp. 1–15 (2011)Google Scholar
  21. 21.
    Carlet, C., Al Salami, Y.: A New Construction of Differentially 4-uniform (n,n − 1)-Functions. To appear in Advances in Mathematics of Communications (2015)Google Scholar
  22. 22.
    Carlet, C., Daif, A., Danger, J.-L., Guilley, S., Najm, Z., Thuy Ngo, X., Porteboeuf, T., Tavernier, C.: Optimized Linear Complementary Codes Implementation for Hardware Trojan Prevention. In: Proceedings of ECCTD (2015, to appear)Google Scholar
  23. 23.
    Carlet, C., Danger, J.-L., Guilley, S., Maghrebi, H.: Leakage Squeezing of Order Two. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 120–139. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  24. 24.
    Carlet, C., Freibert, F., Guilley, S., Kiermaier, M., Kim, J.-L., Solé, P.: Higher-order CIS codes. IEEE Transactions on Information Theory 60(9), 5283–5295 (2014)MathSciNetCrossRefMATHGoogle Scholar
  25. 25.
    Carlet, C., Gaborit, P., Kim, J.-L., Solé, P.: A new class of codes for Boolean masking of cryptographic computations. IEEE Transactions on Information Theory 58(9), 6000–6011 (2012)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  27. 27.
    Carlet, C., Guilley, S.: Correlation-immune Boolean functions for easing counter-measures to side channel attacks. In: Proceedings of the Workshop “Emerging Applications of Finite Fields” Part of the Semester Program on Applications of Algebra and Number Theory, Linz, December 9-13. Algebraic Curves and Finite Fields, Radon Series on Computational and Applied Mathematics, pp. 41–70. Published by de Gruyter (2014)Google Scholar
  28. 28.
    Carlet, C., Guilley, S.: Side-channel indistinguishability. In: Proceedings of HASP 2013, 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, Tel Aviv, Israel, pp. 9:1–9:8. ACM, New York (2013)Google Scholar
  29. 29.
    Carlet, C., Guilley, S.: Complementary Dual Codes for Counter-Measures to Side-Channel Attacks. In: 4th International Castle Meeting, Palmela Castle, Portugal, September 15-18. CIM Series in Mathematical Sciences, vol. 3 (2014) (Submitted to the post-proceedings to appear in AMC)Google Scholar
  30. 30.
    Carlet, C., Prouff, E., Rivain, M., Roche, T.: Algebraic Decomposition for Probing Security. In: Gennaro, R., Robshaw, M. (eds.) Proceedings of CRYPTO 2015. LNCS, vol. 9215, pp. 742–763. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  31. 31.
    Chari, S., Jutla, C., Rao, J., Rohatgi, P.: Towards Sound Approaches to Counteract Power-Analysis Attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)Google Scholar
  32. 32.
    Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  34. 34.
    Coron, J.-S., Giraud, C., Prouff, E., Renner, S., Rivain, M., Vadnala, P.K.: Conversion of security proofs from one leakage model to another: A new issue. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 69–81. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  35. 35.
    Coron, J.-S., Roy, A., Vivek, S.: Fast Evaluation of Polynomials over Finite Fields and Application to Side-channel Countermeasures. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 170–187. Springer, Heidelberg (2014); J. Cryptographic Engineering 5(2), 73–83 (2015)Google Scholar
  36. 36.
    Daemen, J., Rijmen, V.: The design of Rijndael: AES: The advanced encryption standard. Springer (2002)Google Scholar
  37. 37.
    Dobbertin, H.: Almost perfect nonlinear power functions over GF(2n): the Welch case. IEEE Transactions on Information Theory 45, 1271–1275 (1999)MathSciNetCrossRefMATHGoogle Scholar
  38. 38.
    Dobbertin, H.: Almost perfect nonlinear power functions over GF(2n): the Niho case. Information and Computation 151, 57–72 (1999)MathSciNetCrossRefMATHGoogle Scholar
  39. 39.
    Dobbertin, H.: Almost perfect nonlinear power functions on GF(2n): a new case for n divisible by 5. In: Proceedings of Finite Fields and Applications Fq5, Augsburg, Germany, pp. pp. 113–121. Springer (2000)Google Scholar
  40. 40.
    Karatsuba, A., Ofman, Y.: Multiplication of many-digital numbers by automatic computers. Proceedings of the USSR Academy of Sciences 145, 293–294 (1962); Translation in the academic journal Physics-Doklady, 7, pp. 595–596 (1963)Google Scholar
  41. 41.
    European Telecommunications Standards Institute. Technical Specification 135 202 V9.0.0: Universal mobile telecommunications system (UMTS); LTE; specification of the 3GPP confidentiality and integrity algorithms; Document 2: KASUMI specification (3GPP TS 35.202 V9.0.0 Release 9)Google Scholar
  42. 42.
    Genelle, L., Prouff, E., Quisquater, M.: Thwarting higher-order side channel analysis with additive and multiplicative maskings. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 240–255. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  43. 43.
    Gold, R.: Maximal recursive sequences with 3-valued recursive cross-correlation functions. IEEE Transactions on Information Theory 14, 154–156 (1968)CrossRefMATHGoogle Scholar
  44. 44.
    Grosso, V., Standaert, F.-X., Prouff, E.: Low Entropy Masking Schemes, Revisited. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 33–43. Springer, Heidelberg (2014)Google Scholar
  45. 45.
    Ishai, Y., Sahai, A., Wagner, D.: Private Circuits: Securing Hardware against Probing Attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  46. 46.
    Kasami, T.: The weight enumerators for several classes of subcodes of the second order binary Reed-Muller codes. Information and Control 18, 369–394 (1971)MathSciNetCrossRefMATHGoogle Scholar
  47. 47.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  48. 48.
    Knudsen, L.R., Robshaw, M.: The block cipher companion. Springer (2011)Google Scholar
  49. 49.
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  50. 50.
    Maghrebi, M., Guilley, S., Danger, J.-L.: Leakage Squeezing Countermeasure Against High-Order Attacks. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 208–223. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  51. 51.
    Maghrebi, H., Carlet, C., Guilley, S., Danger, J.-L.: Optimal first-order masking with linear and non-linear bijections. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 360–377. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  52. 52.
    Mangard, S., Popp, T., Gammel, B.M.: Side-Channel Leakage of Masked CMOS Gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  53. 53.
    Mangard, S., Pramstaller, N., Oswald, E.: Successfully Attacking Masked AES Hardware Implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  54. 54.
    Massey, J.L.: Linear codes with complementary duals. Discrete Mathematics 106-107, 337–342 (1992)Google Scholar
  55. 55.
    Massey, J.L.: Minimal Codewords and Secret Sharings. In: Sixth Joint Sweedish-Russian Workshop on Information Theory, pp. 246–249 (1993)Google Scholar
  56. 56.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  57. 57.
    Matsui, M.: Block encryption algorithm MISTY. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 54–68. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  58. 58.
    Messerges, T.: Using Second-order Power Analysis to Attack DPA Resistant software. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  59. 59.
    National Institute of Standards and Technology. Data encryption standard (AES). Federal Information Processing Standards Publication 49-3. United States National Institute of Standards and Technology (NIST). Reaffirmed on October 25, 1999Google Scholar
  60. 60.
    Nyberg, K.: Perfect nonlinear S-boxes. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 378–386. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  61. 61.
    Nyberg, K., Knudsen, L.R.: Provable security against a differential attack. Journal of Cryptology 8(1), 27–37 (1995)MathSciNetCrossRefMATHGoogle Scholar
  62. 62.
    Omura, J., Massey, J.L.: Computational method and apparatus for finite field arithmetic. Technical report, Omnet Associates, Patent Number 4,587,627 (May 1986)Google Scholar
  63. 63.
    Piret, G., Roche, T., Carlet, C.: PICARO - A block cipher allowing efficient higher-order side-channel resistance. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 311–328. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  64. 64.
    Prouff, E., Roche, T.: Higher-order glitches free implementation of the aes using secure multi-party computation protocols. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 63–78. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  65. 65.
    Prouff, E., Rivain, M., Bevan, R.: Statistical Analysis of Second Order Differential Power Analysis. IEEE Trans. Computers 58(6), 799–811 (2009)MathSciNetCrossRefGoogle Scholar
  66. 66.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of aes. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  67. 67.
    Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of fse 2012. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 417–434. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  68. 68.
    Shamir, A.: How to Share a Secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefMATHGoogle Scholar
  69. 69.
    Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28, 656–715 (1949)MathSciNetCrossRefMATHGoogle Scholar
  70. 70.
    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-Bit Blockcipher CLEFIA. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  71. 71.
    Siegenthaler, T.: Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE Transactions on Computer C-34(1), 81–85 (1985)Google Scholar
  72. 72.
    Sunar, B., Koç, Ç.K.: An efficient optimal normal basis type ii multiplier. IEEE Trans. Computers 50(1), 83–87 (2001)MathSciNetCrossRefMATHGoogle Scholar
  73. 73.
    Tan, Y., Qu, L., Tan, C., Li, C.: New families of differentially 4-uniform permutations over \(\mathbb{F}_{2^{2k}}\). In: Helleseth, T., Jedwab, J. (eds.) SETA 2012. LNCS, vol. 7280, pp. 25–39. Springer, Heidelberg (2012)Google Scholar
  74. 74.
    Waddle, J., Wagner, D.: Towards Efficient Second-Order Power Analysis. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 1–15. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  75. 75.
    Xu, G., Cao, X., Xu, S.: Constructing new differentially 4-uniform permutations and APN functions over finite fields. To appear in Cryptography and Communications - Discrete Structures, Boolean Functions and Sequences (2015)Google Scholar
  76. 76.
    Yu, Y., Wang, M., Li, Y.: Constructing low differential uniformity functions from known ones. Chinese Journal of Electronics 22(3), 495–499 (2013)Google Scholar
  77. 77.
    Zha, Z., Hu, L., Sun, S.: Constructing new differentially 4-uniform permutations from the Inverse function. Finite Fields Applications 25, 64–78 (2014)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.LAGA, Universities of Paris 8 and Paris 13; CNRS, UMR 7539; Department of MathematicsUniversity of Paris 8Saint-Denis cedex 02France

Personalised recommendations