Abstract
The Internet of Things (IoT) provides the network for physical devices, like home appliances, embedded with electronics, sensors, and software, to share and exchange data. With its fast development, security of IoT has become a crucial problem. Among the methods of attack, sidechannel attack has proven to be an effective tool to compromise the security of different devices with improving techniques of data processing, like DPA and CPA. Meanwhile, many countermeasures have risen accordingly as well, such as masking and noise addition. However, their common deficiency was that every single countermeasure might not be able to protect the key information completely after statistical analysis. Sensitive information will be disclosed during differential power analysis of Sbox, since it is the only nonlinear component in block cipher. Thus, how to protect Sbox effectively was the highlight of researches. Based on Sboxreuse concept proposed by Bilgin, this paper put forward a new type of a countermeasure scheme against DPA in multiSbox of block cipher. We first converted the multiSbox into 4 × 4 permutations and then reused permutation with the algebraic degree of more than one so as to turn it into a special reusable Sbox and then numbered 4 × 4 permutation input. Finally, we made these inputs of permutations completely random by masking. Since it was necessary to make the collected power consumption curve subject to alignment process in DPA by chosenplaintext attack, this scheme combined the concept from DPA countermeasures of masking and noise addition. After the experiment with the proposed implementation, successful prevention of the attacker from accurately aligning the power consumption curve of the target Sbox has been proven, and the level of security has been improved by adding more random noise to protect key information and decrease the accuracy of statistical analysis.
1. Introductions
The Internet of Things (IoT) has been undergoing a fast and vast development in recent decades, which improved the efficiency and accuracy of many tasks in our life and brings more economic benefit. However, it also gives rise to the issue of security [1–4] especially in electronic devices [5]. Since 1996, when Paul Kocher proposed the sidechannel attack [6], which will make the IoT applications unsecured and vulnerable, many improvements of attack method have induced the researches in countermeasures. Not only the range of cryptology security has extended from the initial security simply based on mathematical theory to comprehensive security of mathematical theory together with cryptography implementation, but also a huge thwart to the security of hardware device needed to be overcome in IoT. From the beginning of the century until now, research achievements in this field emerge endlessly, such as power analysis [7, 8], timing analysis [9], electromagnetic analysis [10, 11], fault injection [12, 13], more advanced template attack [14, 15], Glitch attack [16, 17], and machine learning attack [18–23], among which power analysis has become the research emphasis for its easy implementation, lower costs, and higher successful attacking rate especially in lightweight block cipher [24]. Power analysis consists of simple power analysis, differential power analysis, and highorder power analysis, which are all based on the concept of recovering key with power difference generated by logic circuit composed with CMOS when processing “0” or “1” bit. Thanks to the vigorous development of attack theory, researches looking into countermeasures theory against power attack have also been in full swing. Over the years of study on countermeasures, the theories are basically divided into two categories. One is the countermeasure scheme based on algorithm, such as random masking, shuffling, and hiding, characterized by low costs but low security [25–27]. The other is based on circuit level technique, featuring higher security, and more implementation costs, including two major technologies: sense amplifier based logic (SABL) [28] and wave dynamic differential logic (WDDL) [29]. In 2006, Svetla proposed the secret sharing and multiparty secure computationbased threshold implementation scheme[30], a welldeveloped scheme that can resist highorder DPA attack and Glitch attack [31–33], which possesses higher security and lower implementation costs. Inspired by threshold implementation and based on the concept of reused Sbox of block cipher, Bilgin proposed a design with compact implementation of multiSbox in 2015 [34], which greatly reduced the cost in implementation of DES.
Based on the study mentioned above, our paper puts forward a new type of a countermeasure scheme against DPA attack using concept of reused Sbox in [34]. We first convert the multiSbox into permutation and reuse the permutation with the algebraic degree of more than one in order to turn it into a special and reusable Sbox and then number the permutation input. Finally, each group of permutation enters into Sbox after random masking; the power consumption curve is randomized by scrambling the data input from Sbox to have a higher probability of invalidating DPA. The security and feasibility of this scheme are verified by DES algorithm in our experiment.
The novel contributions of this paper are as follows.
In this paper, we put forward a new type of countermeasure against DPA and it is divided into two phases. The first phase is converting the multiSbox into 4×4 permutations and reusing the permutation with the algebraic degree of more than one to turn it into a special reusable Sbox. The next phase is generating random input, which makes input data of Sbox completely random.
Compared to other DPA masking techniques, the proposed scheme uses the value of masking as a selector and controls the sequence of data input of the multiSbox, instead of applying XOR or modular multiplication onto value of masking and original data. This not only results in reduced number of masking, but also increases the difficulty of aligning each power consumption curve for the attacker, which indirectly increases the noise for resisting DPA attacks.
The proposed scheme can be applied to many other cryptographic algorithms based on multiSbox; the only difference is that, in the first phase of converting Sbox, different principles of generating permutations from Sbox that correspond to different algorithms should be considered in order to have a special and reusable Sbox and then proceed with the phase of generating random input.
This paper is organized as follows. Section 2 includes preliminaries of DPA procedures, physical basis of power attack, and concept of compact implementation. Section 3 introduces our countermeasure scheme. In Section 4, the results of the experiments are presented for validation of our scheme. Section 5 shows the security analysis of our countermeasure scheme. Section 6 is dedicated to conclusions.
2. Preliminaries
2.1. Differential Power Analysis
Differential power analysis (DPA) [7] is a sidechannel attack scheme in DES algorithm put forward by Paul Kocher in 1999, whose model is based on hamming weight. The author believes that register requires different power when storing “0” and “1”, which leads to the disclosure of power information. Compared with simple power analysis, differential power analysis recovers keys with statistical differential technology instead of requiring algorithm details. However, it has to collect much more consumption curves. This paper offers a conclusion of the typical process of DES algorithm differential power analysis as follows.
Choose sets of plaintexts and encrypt each of them with the same key K to measure each set of consumption curve and mark it as ; among which, i refers to the sets of plaintexts measured and j means the sampling sites.
A distinguisher is chosen to represent b of the median at the end of the first group of Sbox, among which M represents plaintext and stands for 6bit key entering into the Sbox corresponding to bit b.
According to the predicted and the speculated value of distinguisher , all the consumption curves with the distinguisher value of 0 and 1 are averaged to record differential power curve, as revealed in
During the observation of the current differential power curve, if an obvious large peak appears, the speculation about 6bit key is considered as correct; if there is no remarkable peak, such speculation is incorrect and should continue.
The 6bit key that corresponds to other Sbox is predicted with the same scheme; the last 8 checking bits are obtained by brute force.
2.2. Physical Basis of Power Attack
Due to the improved manufacturing process, logic gates made by CMOS process possess lower power consumption, less costs, and stronger antijamming capability compared to TTL circuit. Almost all the mainstream cipher chips and equipment adopt devices of CMOS process to construct circuit. For the convenience of analysis, the following part offers an introduction to the physical property of CMOS device regarding its power consumption. Take inverter as an example with its internal structure shown in Figure 1.
As shown in Figure 1, this structure consists of two enhanced MOSFET, namely, N channel structure and P channel structure. When the low logic level is input, P channel conducts and N channel is cut off with high logic level output; when the high logic level is input, N channel conducts and P channel is cut off with low logic level output. The total power consumption refers to the sum of static power and dynamic power which is
When input of inverter stabilizes, the output is also stable; under such circumstances, there are the conduction and the cutoff between P channel and N channel. It is found in actual measurement that a small amount of leak current is conveyed through the cutoff channel. Therefore, static power can be calculated according to the following:
When the input of inverter changed, the output changed accordingly. At this time, the dynamic power generated usually consists of two parts: one is , power consumption of load capacitor , while charge and discharge account for 85%; the other is , power consumption of topdown shortcircuit current generated by the two concurrently conducting channels within very short period of time when the input level reaches (accounts for 15%). Table 1 represents the constitution of the total power consumption of inverter with different inputs. Other logic gates based on CMOS process also have the abovementioned consumption properties with much more complicated structure. Multielectrode MOS hopping superposition has made the generated dynamic power more obvious. Therefore, attackers can easily align the power consumption with the key, which serves as the principle of power attack after the hardware implementation of cryptographic algorithm.
2.3. Compact Implementation
2.3.1. Introduction
Sbox compact implementation is proposed by Bilgin based on threshold implementation in 2015 [34]. In threshold implementation, Sbox with algebraic degree of two will be implemented with at least three shares while Sbox is with algebraic degree of three with at least four shares. The circuit scale grows exponentially with the increasing number of shares. Therefore, researchers hope to replace the Sbox of higher algebraic degree with several serial Sbox of lower algebraic degree so as to ensure less resource consumption and less reduction of speed thanks to the employment of pipeline technology. Bilgin adopted the affineequivalence technology to seek the public highdegree permutation of the eight Sbox in DES algorithm for reuse and then implemented the residual parts with algebraic degree of 1, thus reducing the hardware resources of Sbox by 50% [34].
2.3.2. Scheme Implementation
This scheme is dedicated to the Sbox. As it can be seen as the permutations are of 4 bits, some of its properties deserve further study.
One permutation of n bits constitutes a symmetric group. An affine equivalence is defined as follows.
Definition 1. If there is a pair of affine permutation and which also meets , and can be called affine equivalence.
The permutations that form affine equivalence in n bits permutations constitute a class. In this class, a permutation can be regarded as the representation element. The permutations in one class have the same algebra degree. At the same time, all the permutations are represented with or .
Literature reveals that in 4bit permutations, there are one affine class, six quadratic classes, and 295 cubic classes, among which all the affine class and quadratic classes all belong to ; however, 144 out of 295 cubic classes belong to and the remaining 151 are categorized into .
is a set for 6 quadratic classes. It is proven in [19] that, in , permutations with any algebra degree can be represented by the elements from . The cubic class permutation in can be represented by one or many secondary permutations in and onethird of permutations in ; however, the third permutation in is often chosen to represent all because they possess some fine properties. Therefore, we aim to decompose different Sbox such that minimum number of nonlinear permutations is used to jointly describe all Sbox. Refer to [34] for more specific implementation of scheme.
3. Our Countermeasure Scheme
3.1. Classification of DPA Countermeasures Methods
DPA can speculate the key by subjecting the collected consumption curve to statistical difference. Therefore, the protection of any of the links can reduce the possibility of successful attack. Currently, the countermeasure methods for DPA usually fall into the following three categories.
(1 ) Countermeasures for the Leaked Information. In light of the low power consumption and fast speed, the mainstream hardware platforms all use chips based on CMOS process. It is defined by the working principle of CMOS gates that different power consumption will be generated when processing bit “0” and “1”. Therefore, the countermeasures targeted the nature of disclosed information which is changing the processed “0” and “1” bit through certain technologies, such as adding mask.
(2 ) Countermeasures for the Implementation of Circuit Environment. As DPA is a method based on chosenplaintext attack, it has high requirements for precision of measured consumption curve. If Signal to Noise Ratio (SNR) reduces, it will give rise to the high number of power consumption curves in attack and even result in the failure of attack. Therefore, the countermeasures for the implementation of circuit environment are to artificially introduce noise to the circuit in order to enhance attack difficulty and reduce the probability of successful attacks.
(3 ) Countermeasures for the Data Postprocessing. Data of the collected power consumption curve need to be aligned during the data postprocessing of DPA. The alignment is carried out by keeping the leaking points, which leak the sensitive information from different power consumption curves, aligning at the same point of time, to recover the key with a higher efficiency. The countermeasure of scrambling is employed to increase the difficulty of aligning different power consumption curves, in order to protect the circuit from leaking sensitive information.
This scheme is a combined countermeasure that includes countermeasures for the leaked information, the implementation of circuit environment, and data postprocessing. By utilizing the Sboxreuse technology and randomly inputting data with masking, it can resist DPA because of raising random noise and preventing attackers from aligning the consumption curves corresponding with the key data with high probability in the data postprocessing.
3.2. Scheme Flow
In accordance with Nikova’s theory, when the bit digit input , such permutation is secure. It is also noted that, in the existing cryptography scheme, the smallest Sbox is ; under such circumstances, the minimum permutation of in the Sbox framework turns out to be logical. The specific scheme flow is listed as follows.
n independent parallel Sboxes are replaced by a special and reusable Sbox framework , using the compact algorithm. The Sbox in is numbered
in which stands for the input of the 4bit Sbox permutation, is the output of the 4bit Sbox permutation, and is a special and reusable Sbox framework.
A random number appears before the Sbox algorithm of circuit
Among which, and stands for the binary bit digit that corresponds to , the number of Sbox participating in algorithm.
The first Sbox permutation entering is chosen based on value; the permutation is .
The random number and the input of Sbox permutation entering are subjected to XOR operation with the input data as the random number of the next Sbox permutation
Repeat and Step ; if the Sbox that corresponds to the newly generated random number has been chosen, then execute .
is subjected to XOR operation bit by bit, is obtained. Namely,
Choose a distinguisher .
If , the result of bitbybit XOR operation of is “0”, the permutation is chosen; if the result is “1”, the permutation is chosen. If the result is the selected Sbox permutation, execute until the Sbox that has never been chosen appears and returns to .
Repeat the abovementioned steps until all n Sbox permutations have all been chosen and entered the ; Figure 2 is the flow of our scheme.
4. Experiments
This part mainly introduces the scheme implementation by using DES algorithm Sbox. Although it is known that DES algorithm of 56bit key has been proven insecure in many applications, TripleDES has been proven secure for its 112bit key and widely applied to many electronic devices [35].
4.1. Implementation Steps of DES Algorithm Sbox Scheme
According to DES algorithm, its Sbox consists of eight parallel Sboxes; in each Sbox, the first and sixth of its 6bit input are used to determine four 4 × 4 permutaions. The 4bit input consists of the second, third, fourth, and fifth of the 6bit input; therefore, the eight Sboxes actually consist of thirtytwo multiSbox. The DES algorithm Sbox is implemented according to the flows introduced in 3.2 with specific steps listed as follows.
The eight Sboxes in DES algorithm are converted into thirtytwo permutations. As suggested by Bilgin’s reuse concept, n independent parallel Sboxes are converted into a special and reusable Sbox framework .
The logic diagram after conversion is listed in Figure 3:
GK, GL, F, , , and are known permutations. Refer to [34] for the specific permutations.
As there are 8 Sboxes of participating in DES algorithm, therefore, and . To satisfy the following algorithm requirements, we make . is the random number generated, .
Suppose ; the first Sbox permutation entering is chosen based on the value of .
The random number and the input of Sbox permutation entering are subjected to XOR operation; the results obtained serve as the random number for the selection of the next Sbox permutation.
Repeat and Step ; if the Sbox that corresponds to the newly generated random number has been chosen, then execute .
is subjected to XOR operation bit by bit to obtain .
Choose a distinguisher function
If , the result of bitbybit XOR operation of is “0”; the permutation is chosen; if the result is “1”, the permutation is chosen. If the result is the selected Sbox permutation, execute until the Sbox that has never been chosen appears and returns to .
Repeat the abovementioned steps until all eight Sboxes permutations have all been chosen and entered the . Finally, output all the parts of S simultaneously. The pseudocode of scheme is listed as Algorithm 1 where means Sbox has never been chosen.

4.2. Experimental Results
The experiment environment of this scheme is presented in Table 2.
In accordance with 3.2, this scheme is subjected to experiment with the results listed as follows.
4.2.1. Resource and Operating Speed Result
On one hand, Tables 3 and 4 are the resources consumed by the algorithm in the FPGA platform between the scheme proposed in this paper and original scheme. It can be seen that the total logic elements of this scheme are 33k, which is roughly eightfold the original scheme. But considering the whole resources in FPGA chip (about 114480 logic elements), our scheme is still practical to operate.
On the other hand, the speed of our countermeasure implementation is up to 80M and an average number of periods of 41 are needed to process one group of plaintext.
4.2.2. Security Result
Figures 4 and 5 are the DPA result comparison between original DES algorithm and our countermeasure scheme for each Sbox within right key (both are using fourthorder cumulate to make result more obviously). Apparently, after 800 power traces of DPA, we found that there was one obvious peak in original DPA of DES algorithm for each Sbox. On the contrary, several peaks in our scheme with 5000 traces we found in Figure 5 were “ghost” peaks, which leads to wrong key corresponding to the target Sbox. Therefore, we conclude that our countermeasure scheme in Sbox of DES can improve the security of implementation against DPA.
5. Security Analysis
5.1. Theory of DPA Power Analysis
The DPA power attack is target at the output of register corresponding to the Sbox in cryptographic algorithms circuit. Although sensitive information might leak from the logic circuits inside the Sbox and be used by attackers for Glitch attack, we mainly focus on DPA, and our scheme is offering protection to registers.
Take 4 × 4 Sbox as an example with the specific circuit diagram shown in Figure 6, in which power region is at where attackers want to collect power consumption.
represents the input of Sbox, stands for output of Sbox as well as the input of register, and is the output of register.
The internal structure of one register is shown as Figure 7.
One register consists of a few control components and one D trigger; the D trigger is composed of 6 NAND gates shown in Figure 8.
Therefore, in line with the analysis of 2.2, when an obvious large hopping takes place after D is input, CMOS transistors within eight NAND gates, one OR gate, and one NOT gate will instantaneously generate dynamic power consumption. Attackers can attack the device according to the power consumption collected and by means of DPA.
5.2. Analysis of the Security of Traditional Power Model
It is shown in 2.2 that, in cryptographic calculation circuit, the total power consumption is the sum of dynamic power and static power:
Due to the output of register, different hopping corresponds to different power consumption and is represented by , , , and ; and, obviously, . Therefore, as shown by 5.1,
in which is a constant coefficient, , , and are dynamic power consumption in logic gates, and is noise. As abundant facts have proven that , it is believed that
As hamming weight model is adopted in DPA, therefore,
The following part offers an analysis of the DPA security.
If attackers succeed in guessing the key, refer to Table 5.
In accordance with DPA principle, power consumption with the guessed value of 1 minus the power consumption with the guessed value of 0 is represented as follows:
If attackers fail to guess the key, refer to Table 6.
Power consumption with the guessed value of 1 minus the power consumption with the guessed value of 0 is represented as follows:
Therefore, the possibility of guessing the key correctly for the attackers is 1/16.
5.3. Analysis of the Security in Our Scheme
The proposed scheme combines the methods of conversion of Sbox and randomizes the input to resist DPA. Table 7 lists the situation of guessing key in our scheme.
As it is shown in the table, the attackers can only locate the position of leaking point on the power consumption curve of target Sbox, when the sequence of speculating Sbox and the key to the corresponding Sbox are both correct. In other cases, the positions of leaking points are random. Compared to conventional masking schemes, there are 3 advantages.
MultiSboxes will rely on each other, due to existence of the selector for value of masking.
Keys of conventional cryptographic algorithms can be successfully recovered by DPA because their multiSboxes are parallel independently; DPA is able to successfully recover key from each single Sbox to get the corresponding key. However, the proposed scheme utilizes a special reusable Sbox, having random sequence of encrypting data in Sboxes each time, resulting in different success rate of recovering key from different Sboxes, shown in Table 8. Also depicted in Figure 9, the success rate of recovering key from corresponding Sbox with proposed scheme is decreasing exponentially compared to conventional method.
It is difficult to align power consumption curves increases during data postprocessing.
Since the principle of DPA is to align the position of leaking points for sensitive information, the statistical differential method is then applied to recover the key. However, the positions of leaking points for sensitive information on different power consumption curves are not located within one period with a high possibility for proposed scheme; additional measures need to be applied to move power consumption curves during data postprocessing for attacks.
Increased noise exists for DPA attack.
Since the noise generated during DPA attack can be eliminated with statistical differential method, the noise will be on superposition randomly while processing data of each single Sbox during process of encryption for the proposed scheme, as the method for inputting data is based on Sbox in series randomly. Moreover, this noise cannot be eliminated by statistical differential method; thus, even if the attackers moved the power consumption curves precisely and successfully recovered the keys corresponding to Sboxes, the attack will still end up in failure because of the interference of the noises in the result.
6. Conclusions
This paper proposed a countermeasure scheme of multiSbox against DPA attack, based on the multiSboxreuse concept and random input for IoT applications security. Compared to other DPA masking techniques, the proposed scheme uses the value of masking as a selector and controls the sequence of data input of the multiSbox, instead of applying XOR or modular multiplication onto value of masking and original data. This not only results in reduced number of masking, but also increases the difficulty of aligning each power consumption curve for the attacker, which indirectly increases the noise for resisting DPA attacks. With the experiments, our scheme is supported correctly and accurately by experimental evidence of power data for DES algorithm processing in our DPA platform as Figure 10 has shown.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by the National Key R&D Program of China (Grant no. 2017YFB0802000), National Natural Science Foundation of China (Grant nos. U1636114, 61772550, and 61572521), and National Cryptography Development Fund of China (Grant no. MMJJ20170112).