A New Type of Countermeasure against DPA in Multi-Sbox of Block Cipher

The Internet of Things (IoT) provides the network for physical devices, like home appliances, embedded with electronics, sensors, and software, to share and exchange data. With its fast development, security of IoT has become a crucial problem. Among the methods of attack, side-channel attack has proven to be an effective tool to compromise the security of different devices with improving techniques of data processing, like DPA and CPA. Meanwhile, many countermeasures have risen accordingly as well, such as masking and noise addition. However, their common deficiency was that every single countermeasuremight not be able to protect the key information completely after statistical analysis. Sensitive information will be disclosed during differential power analysis of Sbox, since it is the only nonlinear component in block cipher. Thus, how to protect Sbox effectively was the highlight of researches. Based on Sbox-reuse concept proposed by Bilgin, this paper put forward a new type of a countermeasure scheme against DPA inmulti-Sbox of block cipher.We first converted the multi-Sbox into 4 × 4 permutations and then reused permutation with the algebraic degree of more than one so as to turn it into a special reusable Sbox and then numbered 4 × 4 permutation input. Finally, we made these inputs of permutations completely random by masking. Since it was necessary to make the collected power consumption curve subject to alignment process in DPA by chosen-plaintext attack, this scheme combined the concept from DPA countermeasures of masking and noise addition. After the experiment with the proposed implementation, successful prevention of the attacker from accurately aligning the power consumption curve of the target Sbox has been proven, and the level of security has been improved by adding more random noise to protect key information and decrease the accuracy of statistical analysis.


Introductions
The Internet of Things (IoT) has been undergoing a fast and vast development in recent decades, which improved the efficiency and accuracy of many tasks in our life and brings more economic benefit.However, it also gives rise to the issue of security [1][2][3][4] especially in electronic devices [5].Since 1996, when Paul Kocher proposed the side-channel attack [6], which will make the IoT applications unsecured and vulnerable, many improvements of attack method have induced the researches in countermeasures.Not only the range of cryptology security has extended from the initial security simply based on mathematical theory to comprehensive security of mathematical theory together with cryptography implementation, but also a huge thwart to the security of hardware device needed to be overcome in IoT.From the beginning of the 20 th century until now, research achievements in this field emerge endlessly, such as power analysis [7,8], timing analysis [9], electromagnetic analysis [10,11], fault injection [12,13], more advanced template attack [14,15], Glitch attack [16,17], and machine learning attack [18][19][20][21][22][23], among which power analysis has become the research emphasis for its easy implementation, lower costs, and higher successful attacking rate especially in lightweight block cipher [24].Power analysis consists of simple power analysis, differential power analysis, and high-order power analysis, which are all based on the concept of recovering key with power difference generated by logic circuit composed with CMOS when processing "0" or "1" bit.Thanks to the vigorous development of attack theory, researches looking into countermeasures theory against power attack have also been in full swing.Over the years of study on countermeasures, the theories are basically divided 2 Wireless Communications and Mobile Computing into two categories.One is the countermeasure scheme based on algorithm, such as random masking, shuffling, and hiding, characterized by low costs but low security [25][26][27].The other is based on circuit level technique, featuring higher security, and more implementation costs, including two major technologies: sense amplifier based logic (SABL) [28] and wave dynamic differential logic (WDDL) [29].In 2006, Svetla proposed the secret sharing and multiparty secure computation-based threshold implementation scheme [30], a welldeveloped scheme that can resist high-order DPA attack and Glitch attack [31][32][33], which possesses higher security and lower implementation costs.Inspired by threshold implementation and based on the concept of reused Sbox of block cipher, Bilgin proposed a design with compact implementation of multi-Sbox in 2015 [34], which greatly reduced the cost in implementation of DES.
Based on the study mentioned above, our paper puts forward a new type of a countermeasure scheme against DPA attack using concept of reused Sbox in [34].We first convert the multi-Sbox into 4 × 4 permutation and reuse the permutation with the algebraic degree of more than one in order to turn it into a special and reusable Sbox and then number the 4 × 4 permutation input.Finally, each group of 4 × 4 permutation enters into Sbox after random masking; the power consumption curve is randomized by scrambling the data input from Sbox to have a higher probability of invalidating DPA.The security and feasibility of this scheme are verified by DES algorithm in our experiment.
The novel contributions of this paper are as follows.
(1) In this paper, we put forward a new type of countermeasure against DPA and it is divided into two phases.The first phase is converting the multi-Sbox into 4×4 permutations and reusing the permutation with the algebraic degree of more than one to turn it into a special reusable Sbox.The next phase is generating random input, which makes input data of Sbox completely random.
(2) Compared to other DPA masking techniques, the proposed scheme uses the value of masking as a selector and controls the sequence of data input of the multi-Sbox, instead of applying XOR or modular multiplication onto value of masking and original data.This not only results in reduced number of masking, but also increases the difficulty of aligning each power consumption curve for the attacker, which indirectly increases the noise for resisting DPA attacks.
(3) The proposed scheme can be applied to many other cryptographic algorithms based on multi-Sbox; the only difference is that, in the first phase of converting Sbox, different principles of generating permutations from Sbox that correspond to different algorithms should be considered in order to have a special and reusable Sbox and then proceed with the phase of generating random input.
This paper is organized as follows.Section 2 includes preliminaries of DPA procedures, physical basis of power attack, and concept of compact implementation.Section 3 introduces our countermeasure scheme.In Section 4, the results of the experiments are presented for validation of our scheme.Section 5 shows the security analysis of our countermeasure scheme.Section 6 is dedicated to conclusions.

Preliminaries
2.1.Differential Power Analysis.Differential power analysis (DPA) [7] is a side-channel attack scheme in DES algorithm put forward by Paul Kocher in 1999, whose model is based on hamming weight.The author believes that register requires different power when storing "0" and "1", which leads to the disclosure of power information.Compared with simple power analysis, differential power analysis recovers keys with statistical differential technology instead of requiring algorithm details.However, it has to collect much more consumption curves.This paper offers a conclusion of the typical process of DES algorithm differential power analysis as follows.
(1) Choose  sets of plaintexts  1 ,  2 ,  3 , ...,   and encrypt each of them with the same key K to measure each set of consumption curve and mark it as   []; among which, i refers to the sets of plaintexts measured (1 ≤  ≤ ) and j means the sampling sites.
(2) A distinguisher (  , ,   ) is chosen to represent b of the median at the end of the first group of Sbox, among which M represents plaintext and 0 ≤  s ≤ 2 6 stands for 6-bit key entering into the Sbox corresponding to bit b.
(3) According to the predicted   and the speculated value of distinguisher (  , ,   ), all the consumption curves with the distinguisher value of 0 and 1 are averaged to record differential power curve, as revealed in (4) During the observation of the current differential power curve, if an obvious large peak appears, the speculation about 6-bit key is considered as correct; if there is no remarkable peak, such speculation is incorrect and should continue.
(5) The 6-bit key that corresponds to other Sbox is predicted with the same scheme; the last 8 checking bits are obtained by brute force.

Physical Basis of Power Attack.
Due to the improved manufacturing process, logic gates made by CMOS process possess lower power consumption, less costs, and stronger antijamming capability compared to TTL circuit.Almost all the mainstream cipher chips and equipment adopt devices of CMOS process to construct circuit.For the convenience of analysis, the following part offers an introduction to the physical property of CMOS device regarding its power consumption.Take inverter as an example with its internal structure shown in Figure 1.
As shown in Figure 1, this structure consists of two enhanced MOSFET, namely, N channel structure and P channel structure.When the low logic level is input, P channel conducts and N channel is cut off with high logic level output; when the high logic level is input, N channel conducts and P channel is cut off with low logic level output.The total power consumption refers to the sum of static power and dynamic power which is When input   of inverter stabilizes, the output   is also stable; under such circumstances, there are the conduction and the cut-off between P channel and N channel.It is found in actual measurement that a small amount of leak current   is conveyed through the cut-off channel.Therefore,   static power can be calculated according to the following: When the input   of inverter changed, the output   changed accordingly.At this time, the dynamic power generated usually consists of two parts: one is  ℎrg , power consumption of load capacitor   , while charge and discharge account for 85%; the other is   , power consumption of topdown short-circuit current generated by the two concurrently conducting channels within very short period of time when the input level reaches   /2 (accounts for 15%).Table 1 represents the constitution of the total power consumption of inverter with different inputs.Other logic gates based on CMOS process also have the above-mentioned consumption properties with much more complicated structure.Multielectrode MOS hopping superposition has made the generated dynamic power more obvious.Therefore, attackers can easily align the power consumption with the key, which serves as the principle of power attack after the hardware implementation of cryptographic algorithm.

Introduction.
Sbox compact implementation is proposed by Bilgin based on threshold implementation in 2015 [34].In threshold implementation, Sbox with algebraic degree of two will be implemented with at least three shares while Sbox is with algebraic degree of three with at least four shares.The circuit scale grows exponentially with the increasing number of shares.Therefore, researchers hope to replace the Sbox of higher algebraic degree with several serial Sbox of lower algebraic degree so as to ensure less resource consumption and less reduction of speed thanks to the employment of pipeline technology.Bilgin adopted the affineequivalence technology to seek the public high-degree permutation of the eight Sbox in DES algorithm for reuse and then implemented the residual parts with algebraic degree of 1, thus reducing the hardware resources of Sbox by 50% [34].

Scheme
Implementation.This scheme is dedicated to the 4 × 4 Sbox.As it can be seen as the permutations are of 4 bits, some of its properties deserve further study.
One permutation of n bits constitutes a symmetric group.An affine equivalence is defined as follows.
The permutations that form affine equivalence in n bits permutations constitute a class.In this class, a permutation can be regarded as the representation element.The permutations in one class have the same algebra degree.At the same time, all the permutations are represented with Literature reveals that in 4-bit permutations, there are one affine class, six quadratic classes, and 295 cubic classes, among which all the affine class and quadratic classes all belong to A 16 ; however, 144 out of 295 cubic classes belong to A 16 and the remaining 151 are categorized into S 16 \A 16 .[19] that, in A 16 , permutations with any algebra degree can be represented by the elements from M. The cubic class permutation in S 16 \A 16 can be represented by one or many secondary permutations in A 16 and one-third of permutations in S 16 \A 16 ; however, the third permutation in N = {Q 001 , Q 003 , Q 013 , Q 301 } is often chosen to represent all because they possess some fine properties.Therefore, we aim to decompose different Sbox such that minimum number of nonlinear permutations is used to jointly describe all Sbox.Refer to [34] for more specific implementation of scheme.

Our Countermeasure Scheme
3.1.Classification of DPA Countermeasures Methods.DPA can speculate the key by subjecting the collected consumption curve to statistical difference.Therefore, the protection of any of the links can reduce the possibility of successful attack.Currently, the countermeasure methods for DPA usually fall into the following three categories.
(1 ) Countermeasures for the Leaked Information.In light of the low power consumption and fast speed, the mainstream hardware platforms all use chips based on CMOS process.It is defined by the working principle of CMOS gates that different power consumption will be generated when processing bit "0" and "1".Therefore, the countermeasures targeted the nature of disclosed information which is changing the processed "0" and "1" bit through certain technologies, such as adding mask.(3 ) Countermeasures for the Data Postprocessing.Data of the collected power consumption curve need to be aligned during the data postprocessing of DPA.The alignment is carried out by keeping the leaking points, which leak the sensitive information from different power consumption curves, aligning at the same point of time, to recover the key with a higher efficiency.The countermeasure of scrambling is employed to increase the difficulty of aligning different power consumption curves, in order to protect the circuit from leaking sensitive information.This scheme is a combined countermeasure that includes countermeasures for the leaked information, the implementation of circuit environment, and data postprocessing.By utilizing the Sbox-reuse technology and randomly inputting data with masking, it can resist DPA because of raising random noise and preventing attackers from aligning the consumption curves corresponding with the key data with high probability in the data postprocessing.

Scheme Flow.
In accordance with Nikova's theory, when the bit digit input  ≥ 4, such permutation is secure.It is also noted that, in the existing cryptography scheme, the smallest Sbox is 4 × 4; under such circumstances, the minimum permutation of 4 × 4 in the Sbox framework turns out to be logical.The specific scheme flow is listed as follows.
(1) n independent parallel Sboxes are replaced by a special and reusable Sbox framework   , using the compact algorithm.The 4 × 4 Sbox in   is numbered in which  −1 stands for the input of the (-1) th 4-bit Sbox permutation,  −1 ( −1 ) is the output of the (-1) th 4-bit Sbox permutation, and   is a special and reusable Sbox framework.
(2) A random number  1 appears before the Sbox algorithm of circuit Among which, 0 ≤  1 ≤  − 1 and () stands for the binary bit digit that corresponds to , the number of 4 × 4 Sbox participating in algorithm.
(3) The first 4 × 4 Sbox permutation entering   is chosen based on  1 value; the permutation is   1 .
(4) The random number  1 and the input of 4 × 4 Sbox permutation entering   are subjected to XOR operation with the input data as the random number of the next 4 × 4 Sbox permutation (5) Repeat Step (3) and Step (4); if the 4 × 4 Sbox that corresponds to the newly generated random number   has been chosen, then execute Step (6).( 6)   is subjected to XOR operation bit by bit,   * is obtained.Namely, (7) Choose a distinguisher (  * ).

𝑓 (𝑅
If   * , the result of bit-by-bit XOR operation of   is "0", the permutation  (  −1+)mod  is chosen; if the result is "1", the permutation  (  +1)mod  is chosen.If the result is the selected 4 × 4 Sbox permutation, execute Step (7) until the 4 × 4 Sbox that has never been chosen appears and returns to Step (3).
(8) Repeat the above-mentioned steps until all n 4 × 4 Sbox permutations have all been chosen and entered the   ; Figure 2 is the flow of our scheme.

Experiments
This part mainly introduces the scheme implementation by using DES algorithm Sbox.Although it is known that DES algorithm of 56-bit key has been proven insecure in many applications, Triple-DES has been proven secure for its 112bit key and widely applied to many electronic devices [35].implemented according to the flows introduced in 3.2 with specific steps listed as follows.
(1) The eight 6 × 4 Sboxes in DES algorithm are converted into thirty-two 4 × 4 permutations.As suggested by Bilgin's reuse concept, n independent parallel Sboxes are converted into a special and reusable Sbox framework   .
The logic diagram after conversion is listed in Figure 3: GK, GL, F, , , and  are known permutations.Refer to [34] for the specific permutations.
(3) Suppose  1  = ( 2 ,  3 ,  4 ); the first 4×4 Sbox permutation entering   is chosen based on the value of  1  .(4) The random number  1 and the input of 4 × 4 Sbox permutation entering   are subjected to XOR operation; the results obtained serve as the random number for the selection of the next 4 × 4 Sbox permutation.
If   * , the result of bit-by-bit XOR operation of   is "0"; the permutation  (   +7)mod 8 is chosen; if the result is "1", the permutation  (   +1)mod 8 is chosen.If the result is the selected 4 × 4 Sbox permutation, execute Step (7) until the 4 × 4 Sbox that has never been chosen appears and returns to Step (3).
(8) Repeat the above-mentioned steps until all eight 4 × 4 Sboxes permutations have all been chosen and entered the   .Finally, output all the parts of S simultaneously.The pseudocode of scheme is listed as Algorithm 1 where     =  means 4 × 4 Sbox     has never been chosen.

Experimental Results.
The experiment environment of this scheme is presented in Table 2.
In accordance with 3.2, this scheme is subjected to experiment with the results listed as follows.

Resource and Operating Speed
Result.On one hand, Tables 3 and 4 are the resources consumed by the algorithm in the FPGA platform between the scheme proposed in this paper and original scheme.It can be seen that the total logic elements of this scheme are 33k, which is roughly eightfold the original scheme.But considering the whole resources in FPGA chip (about 114480 logic elements), our scheme is still practical to operate.
On the other hand, the speed of our countermeasure implementation is up to 80M and an average number of periods of 41 are needed to process one group of plaintext.4 and 5 are the DPA result comparison between original DES algorithm and our countermeasure scheme for each Sbox within right key (both are using fourth-order cumulate to make result more obviously).Apparently, after 800 power traces of DPA, we found that

Security Result. Figures
Chose  (  +7)mod8 (16) go to Line (8) (17) else if Chose  (  +1)mod8 (19) go to Line (8) (20) end if (21) end if (22) end for (23)      there was one obvious peak in original DPA of DES algorithm for each Sbox.On the contrary, several peaks in our scheme with 5000 traces we found in Figure 5 were "ghost" peaks, which leads to wrong key corresponding to the target Sbox.Therefore, we conclude that our countermeasure scheme in Sbox of DES can improve the security of implementation against DPA.

Security Analysis
5.1.Theory of DPA Power Analysis.The DPA power attack is target at the output of register corresponding to the Sbox in cryptographic algorithms circuit.Although sensitive information might leak from the logic circuits inside the Sbox and be used by attackers for Glitch attack, we mainly focus on DPA, and our scheme is offering protection to registers.Take 4 × 4 Sbox as an example with the specific circuit diagram shown in Figure 6, in which power region is at where attackers want to collect power consumption.
represents the input of Sbox,   stands for output of Sbox as well as the input of register, and   is the output of register.
The internal structure of one register is shown as Figure 7.
One register consists of a few control components and one D trigger; the D trigger is composed of 6 NAND gates shown in Figure 8.
Therefore, in line with the analysis of 2.2, when an obvious large hopping takes place after D is input, CMOS transistors within eight NAND gates, one OR gate, and one NOT gate will instantaneously generate dynamic power consumption.Attackers can attack the device according to the power consumption collected and by means of DPA.

Analysis of the Security of Traditional Power Model.
It is shown in 2.2 that, in cryptographic calculation circuit, the total power consumption is the sum of dynamic power and static power: Due to the output of register, different hopping corresponds to different power consumption and is represented by  0→1 ,  1→0 ,  0→0 , and  1→1 ; and, obviously,  0→0 =  1→1 =   .Therefore, as shown by 5.1, in which  is a constant coefficient,   ,   , and   are dynamic power consumption in logic gates, and  is noise.As abundant facts have proven that  0→1 >  1→0 , it is believed that As hamming weight model is adopted in DPA, therefore, The following part offers an analysis of the DPA security.
If attackers succeed in guessing the key, refer to Table 5.In accordance with DPA principle, power consumption with the guessed value of 1 minus the power consumption with the guessed value of 0 is represented as follows: If attackers fail to guess the key, refer to Table 6.
Power consumption with the guessed value of 1 minus the power consumption with the guessed value of 0 is represented as follows: Therefore, the possibility of guessing the key correctly for the attackers is 1/16.

Analysis of the Security in Our
Scheme.The proposed scheme combines the methods of conversion of Sbox and randomizes the input to resist DPA.Table 7 lists the situation of guessing key in our scheme.
As it is shown in the table, the attackers can only locate the position of leaking point on the power consumption curve of target Sbox, when the sequence of speculating Sbox and the key to the corresponding Sbox are both correct.In other cases, the positions of leaking points are random.Compared to conventional masking schemes, there are 3 advantages.
(1) Multi-Sboxes will rely on each other, due to existence of the selector for value of masking.
Keys of conventional cryptographic algorithms can be successfully recovered by DPA because their multi-Sboxes are parallel independently; DPA is able to successfully recover key from each single Sbox to get the corresponding key.However, the proposed scheme utilizes a special reusable Sbox, having random sequence of encrypting data in Sboxes each time, resulting in different success rate of recovering key from different Sboxes, shown in Table 8.Also depicted in Figure 9, the success rate of recovering key from corresponding Sbox with proposed scheme is decreasing exponentially compared to conventional method.(2) It is difficult to align power consumption curves increases during data postprocessing.
Since the principle of DPA is to align the position of leaking points for sensitive information, the statistical differential method is then applied to recover the key.However, the positions of leaking points for sensitive information on different power consumption curves are not located within one period with a high possibility for proposed scheme; additional measures need to be applied to move power consumption curves during data postprocessing for attacks.
(3) Increased noise exists for DPA attack.Since the noise generated during DPA attack can be eliminated with statistical differential method, the noise will be on superposition randomly while processing data of each single Sbox during process of encryption for the proposed scheme, as the method for inputting data is based on Sbox in series randomly.Moreover, this noise cannot be eliminated by statistical differential method; thus, even if the attackers moved the power consumption curves precisely and successfully recovered the keys corresponding to Sboxes, the attack will still end up in failure because of the interference of the noises in the result.

Conclusions
This paper proposed a countermeasure scheme of multi-Sbox against DPA attack, based on the multi-Sbox-reuse concept and random input for IoT applications security.Compared to other DPA masking techniques, the proposed scheme uses the value of masking as a selector and controls the sequence of data input of the multi-Sbox, instead of applying XOR or modular multiplication onto value of masking and original data.This not only results in reduced number of masking, but also increases the difficulty of aligning each power consumption curve for the attacker, which indirectly increases the noise for resisting DPA attacks.With the experiments, our scheme is supported correctly and accurately by experimental evidence of power data for DES algorithm processing in our DPA platform as Figure 10

Figure 1 :
Figure 1: The internal structure of inverter.
) return S (25) end function Algorithm 1: The pseudocode of scheme.

Figure 9 :
Figure 9: Comparison between conventional DPA and our scheme in success rate.

Table 1 :
Constitution of the total power consumption of inverter with different inputs.
) Repeat Step (3) and Step (4); if the 4 × 4 Sbox that corresponds to the newly generated random number   has been chosen, then execute Step (6).(6)   is subjected to XOR operation bit by bit to obtain   * .

Table 3 :
Total logic elements of original scheme.

Table 4 :
Total logic elements of this scheme.

Table 5 :
Situation when attackers succeed in guessing the key.

Table 6 :
Situation when attackers fail to guess the key.

Table 7 :
Situation of guessing key in our scheme.

Table 8 :
The success rate of recovering key corresponding n th Sbox.