Constrained Search for a Class of Good S-Boxes with Improved DPA Resistivity

Abstract. In FSE 2005, transparency order was proposed as a parameter for the robustness of S-boxes to Differential Power Analysis (DPA): lower transparency order implying more resistance. However most cryptographically strong Boolean functions have been found to have high transparency order. Also it is a difficult problem to search for Boolean functions which are strong cryptographically, and yet have low transparency order, the total search space for (n, n)-bit Boolean functions being as large as n2 n . In this paper we characterize transparency order for various classes of Boolean functions by computing the upper and lower bounds of transparency order for both even and odd numbers of variables. The transparency order is defined in terms of diffusion properties of the structures of Boolean functions namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of S-box for which bias of probability of S-box output bit deviates from the value of 0.5. The transparency order is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of propagation characteristics, autocorrelation spectra of the S-box function F is a more qualifying candidate in deciding the characteristics of transparency order. The relations developed to characterize transparency order aid in our constrained random generation and search of a class of balanced 8 × 8 S-boxes with transparency order upper bounded by 7.8, nonlinearity in range (104, 110) and absolute indicator values of GAC in range (48, 88).