Trade-Offs for S-Boxes: Cryptographic Properties and Side-Channel Resilience

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


When discussing how to improve the side-channel resilience of a cipher, an obvious direction is to use various masking or hiding countermeasures. However, such schemes come with a cost, e.g., an increase in area and/or a reduction in speed. When considering lightweight cryptography and various constrained environments, the situation becomes even more difficult due to numerous implementation restrictions. Still, some options are possible, such as using S-boxes that are easier to mask or (on a more fundamental level) using S-boxes that possess higher inherent side-channel resilience. In this paper, we investigate what properties an S-box should possess in order to be more resilient against side-channel attacks. Moreover, we find certain connections between those properties and cryptographic properties like nonlinearity and differential uniformity. Finally, to strengthen our theoretical findings, we give an extensive experimental validation of our results.



This work has been supported in part by the Croatian Science Foundation under the project IP-2014-09-4882. Parts of this work were done while the third author was affiliated with KU Leuven, Belgium.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Universities of Paris VIII and Paris XIII, LAGA, UMR 7539, CNRS, Saint-Denis, France
  2. CNRS/IRISA, Rennes, France
  3. Massachusetts Institute of Technology, CSAIL, Cambridge, USA
  4. Cyber Security Research Group, Delft University of Technology, Delft, The Netherlands
