On the Modified Transparency Order of (n, m)-Functions

Science and Technology on Communication Security Laboratory, Chengdu 610041, China Department of Communication and Information Engineering, Guilin University of Electronic Technology, Guilin 541004, China State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China


Introduction
Differential power analysis (DPA) was introduced by Kocher et al. in [1] and is a well-known and thoroughly studied threat for implementations of block ciphers, like DES and AES [2].
Beierle et al. [3] validated the correlation power analysis attack through the Hamming distance power model. Fischer et al. [4] presented efficient differential power analysis of Gain and Trivium through carefully chosen IVs to eliminate the algorithmic noise. In 2005, Prouff [5] gave the model of the DPA resilience of the S-boxes and proposed the definition of the transparency order (denoted by TO) based on the autocorrelation coefficients for (n, m)-functions. He obtained that S-boxes with smaller TO have higher DPA resilience and deduced the tightness of the upper bound and the lower bound on the TO. In the same year, Carlet [6] obtained the lower bound on the transparency order and gave the relationship between the transparency order and the nonlinearity for Boolean functions. Next, Fan et al. [7] gave a fast method for calculating the transparency order by optimization cycle of the original algorithm.
In 2012, Fei et al. [8] proposed the confusion coefficient and obtained some relations between the success rate and the cryptographic algorithm. For power analysis attacks, the side-channel characteristic of the physical implementation can be seen as the signal-to-noise ratio (denote by SNR) [9]. Experimental results of DPA on both DES or AES verified this model with high accuracy and demonstrated effectiveness of the algorithmic confusion analysis and SNR extraction. Experimental results shown that the algorithm has better anti-noise performance than the original algorithm for present.
Chakraborty et al. [10] found the limitations of the definition in [5] and gave a redefined transparency order (denoted by RTO) based on the cross-correlation coefficients for (n, m)-functions. en, they were able to theoretically capture DPA in the Hamming weight model for hardware implementation with precharge logic. Picek et al. [11] proposed a technique for constructions using the modified transparency order as a guiding metric. Wang and Stȃnicȃ [12] obtained an upper bound on the redefined transparency order in terms of nonlinearity for Boolean functions and constructed two infinite class of balanced semibent Boolean functions with provably good transparency order.
But in 2020, Li et al. [13] put up a flaw in original transparency order [10] and gave the modified transparency order denoted by MTO, obtained a lower bound on MTO based on the Walsh transform, and deduced the distribution of MTO values for sixteen optimal affine equivalent classes of (4,4) S-boxes.
So far, little attempt has been made to study the relationship between RTO and MTO, and Li et al. [13] gave a lower bound on MTO for any (n, m)-functions based on Walsh spectrum, but not based on m. Moreover, how to further investigate the in-depth relationships between RTO and MTO with other cryptography indicators still appears to be an important issue.
In this article, we focus on some unresolved problems related to both RTO and MTO. Firstly, we give the relationship between MTO and RTO, and this result implies that MTO(F) ≥ RTO(F) for any (n, m)-functions F. We also obtain the upper bound and the lower bound on MTO.
To design good S-boxes with respect to the MTO [13], we deduce some important connections between MTO and other cryptographic properties such as the sum-of-squares indicator, nonlinearity, the maximum absolute of Walsh transform, and algebraic immunity of the coordinate functions of S-boxes. In particular, it is shown that these results have a direct influence on the resistance to DPA attacks. More precisely, the smaller the sum-of-squares indicator (or the maximum absolute of Walsh transform) of the coordinate functions of a given (n, m)-function, the larger the MTO, whereas a higher nonlinearity (or algebraic immunity) of the coordinate functions of a given (n, m)-function also implies a larger MTO (not desirable). Furthermore, there is also a connection between the algebraic immunity and transparency order which essentially indicates (along with other trade-offs) that the design of cryptographically secure S-boxes is hardly achievable if the protection against DPA attacks is taken into account. Finally, we give the MTO and RTO for (4,4) S-boxes which are commonly used in some lightweight block ciphers, it implies that MTO is better than RTO from the perspective of information leakage. is paper is organized as follows. In Section 2, we introduce the basic concepts and notions. In Section 3, the tightness of the upper bound and the lower bound on the modified transparency order of (n, m)-functions is derived. In Section 4, some relationships between MTO(F) and other cryptographic properties are derived. Section 5 gives some data analysis results for some (4, 4) S-boxes. Section 6 concludes this paper.

Preliminaries
Let B n be the set of n-variable Boolean functions. We denote by ⊕ the addition modulo two performed in F 2 and the vector space F n 2 . e support of a Boolean function f ∈ B n is defined as supp(f) � (x 1 , . . . , x n ) ∈ F n 2 |f(x 1 , . . . , x n ) � 1 . e Hamming weight of f is denoted by wt(f) and corresponds to the cardinality of its support wt(f) � |supp(f)|. A Boolean function f is said to be balanced if its truth table contains equal number of ones and zeros, i.e., wt(f) � 2 n− 1 . e set of affine functions, whose algebraic degree deg(f) ≤ 1 is denoted by A n . Especially, an affine function with the constant term equal to zero is called a linear function.
In this paper, let 0 n � 0, . . . , 0 Definition 1. Let f ∈ B n . e Walsh spectrum of f is defined by . e nonlinearity of f can be computed using Let f, g ∈ B n . e cross-correlation function between f and g is defined by In particular, when f � g, then the autocorrelation function of f ∈ B n is given by For more research on the autocorrelation function and the cross-correlation function of Boolean functions, refer to reference [14].
Definition 2 (see [16]). e two indicators capturing the global avalanche characteristics (GACs) of a Boolean function f ∈ B n are given by In 2010, Zhou et al. [17] generalized GAC and gave the global avalanche characteristics between two Boolean functions f, g ∈ B n : For two positive integers n and m, a function F: F n 2 ⟶ F m 2 is called an (n, m)-function. Such a function F can be viewed as a collection of its coordinate Boolean functions, and thus F � (f 1 , . . . , f m ), where f i : F n 2 ⟶ F 2 . An (n, m)-function F is balanced if and only if its component functions are balanced, meaning that for every nonzero v ∈ F m 2 , the Boolean function v · F is balanced. e original transparency order [5] and the redefining transparency order [10] are for balanced (n, m) functions. In this paper, in order to expand the research scope of (n, m)-function, we extend the balanced (n, m)-function to any (n, m)-function, which makes our results more universal (see Definition 3 and Definition 4).
e modified transparency order of F, based on the cross-correlation properties of F, is defined by Note that and for research convenience, let us,

Bounds on the Modified Transparency Order
Based on Definition 4, a lower bound on MTO was derived in [13] in terms of the Walsh spectrum of the coordinate functions of F, but this lower bound is very complex. In order to obtain a tight lower and upper bounds on MTO, we firstly give a relationship between MTO and MTO.
Lemma 1 (see [17]). Let f, g ∈ B n . en, For any a ∈ F n 2 , we have  Although at present we cannot theoretically give the condition on In the following, we give a tight upper bound and a tight lower bound on MTO(F) by using the perfectly uncorrelated functions.
Proof. On the one hand, from Definition 4 and Lemma 1, we have Security and Communication Networks By Cauchy's inequality and us, From equation (20), we have at is, MTO(F) ≥ 0. In the following, we give two examples for reaching the upper and lower bounds on MTO, respectively.
and f be a bent function. Its coordinate functions are specified as en, f 1 and f 2 are bent functions. We know Δ f i (a) � 0 and Δ f i ,f j (a) � 0 for any a ∈ F n * 2 and 1 ≤ i ≠ j ≤ m. We have and thus MTO(F) � m � 2. We also obtain RTO(F) � m � 2.
In particular, we give the modified transparency order for any (n, 1)-function.
Proof. If m � 1 in Definition 4, then

The Relationships between MTO and Some Cryptographic Properties
In this section, we use the sum-of-squares indicator to establish some links between MTO and some cryptographic indicators. ese links can help us understand MTO more deeply and lay a foundation for designing and analyzing S-boxes. In the following, we give a relationship between MTO and the sum-of-squares indicator, and this result is the basic of Corollaries 3 and 4.

e Relationships between MTO and the Sum-of-Squares Indicator
Theorem 3. Let F � (f 1 , . . . , f m ) be a balanced (n, m)-function. en, Proof. By using the Cauchy-Schwarz inequality and for any Since F is a balanced (n, m)-function, f i ⊕f j is balanced Furthermore, we have Because σ f,g ≤ ���� � σ f σ g for any f, g ∈ B n [18], we have

Security and Communication Networks
From Definition 4, we know that us, □ Remark 3. eorem 3 gives one relationship between MTO(F) and σ f i (1 ≤ i ≤ m), which implies that the smaller Based on eorem 3, we give some lower bounds on MTO by nonlinearity and algebraic immunity.
Proof. Zheng and Zhang [19] Proof. Since L f i � 2 n − 2N f i for 1 ≤ i ≤ m, this result is easily proved. where Proof. Carlet [20]

e Relationships between MTO and Hamming Weight.
In this section, we give an upper bound on MTO by the Hamming weight of coordinate functions.
Proof. Using the relation of absolute value inequality and Lemma 1, since f i is a balanced function for 1 ≤ i ≤ m, we have 6 Security and Communication Networks which proves the result. F � (f 1 , . . . , f m ) be a balanced (n, m)-function. en,

Corollary 5. Let
Wang and Stȃnicȃ [12] gave a tight upper bound on the transparency order in terms of nonlinearity for a Boolean function and obtained a lower bound between transparency order and nonlinearity for a Boolean function. In the following, for a Boolean function, we also give one upper bound and some lower bounds on MTO.
Corollary 6. Let f ∈ B n . en, Remark 6. In this section, we have the following facts. (2) Wang and Stȃnicȃ [12] gave the upper bound on RTO by the nonlinearity of Boolean function; here we give the lower bounds on MTO by the nonlinearity, the sum-of-squares indicator, and the maximum absolute of Wash transform, respectively. (3) ese results show that the smaller the sum-ofsquares indicator (or the maximal absolute value of Walsh spectrum) of its coordinate, the bigger the modified transparency order, and the bigger the nonlinearity (or the algebraic immunity) of its coordinate, the bigger the modified transparency order.

Data Analysis of (4, 4) S-Boxes
In this section, we give RTO or MTO of three types of 4bit S-boxes: (1) some lightweight S-boxes used in some wellknown encryption algorithms, (2) 16 classes of optimal (4, 4) S-boxes, and (3) 302 affine equivalent (4, 4) S-boxes. us, we give the analysis results of S-boxes in three subsections.

Security and Communication Networks
By Proposition 3 in [13], we know that MTO means affine invariant only under certain affine transformations which are based on S 2 (x) � S 1 (A ∘ x⊕c)⊕d, where S 1 , S 2 are two (n, n) S-boxes, and A is an invertible n × n matrix, c, d ∈ F n 2 . is means that MTO may change under the different affine transformations S 2 (x) � A ∘ S 1 (x), and we only consider this case in the following. From the finite field, we know that the number of the invertible n × n matrix in F q is q n(n− 1)/2 n i�1 (q i − 1). us, the number of the invertible 4 × 4 matrix in F 2 is 20160, i.e., the number of the affine S-boxes (A ∘ G) of one S-boxes (G) is 20160, where G is a 4bit S-box and A is an invertible 4 × 4 matrix.
At the same time, bounds and the frequency distribution of MTO are given for all affine transformations of 16 optimal classes in [13]. But from these data, we cannot find out what the distribution of G i , i � 0, 1, . . . , 15 is, and how many s boxes there are in each distribution value. For example, in the algorithm design, we want to know the exact value of MTO, not the range of MTO in [13]. erefore, we need to give specific data values for every G i (i � 0, 1, . . . , 15), and Tables 3-6 provide support for us to select S-box. Meanwhile, these data further improve the data in [13].
In Table 3, we calculate MTO of 20160 S-boxes A ∘ G i for G i (0 ≤ i ≤ 15). We find the following facts:   Furthermore, we give the corresponding mean and variance in each optimal class in Table 4. e mean value of MTO for A ∘ G i (i � 0, 1, 2, . . . , 15) belongs to the range of [3.195714, 3.264286], and the variance belongs to range of [0.007448, 0.021143]. e distribution of its value is concentrated in a relatively small interval.
Especially, we get the detailed distribution of MTO of A°G 0 and A°G 3 in Tables 5 and 6, respectively. e calculation results of other G i (i � 1, 2, 4, 5, . . . , 15) are similar to Table 5, which is ignored due to the limited length of this paper.
ere are 302 affine equivalence classes of 4-bit S-boxes [30]. We compute MTO and RTO of all 302 S-boxes of size 4 × 4. Our simulations show that the modified transparency order is confined within the range 2.666667 ≤ MTO(F) ≤ 3.533333, but 0 ≤ RTO(F) ≤ 2.766667 in Table 7-9. We summarize the comparison of modified transparency order and the redefined transparency   (4,4) S-box, the probability that its transparency order is in the range MTO (4,4) is approximately 95.03%, which is quite high. is again questions the whole idea of embedding the protection against DPA attacks        directly in the design of S-boxes, since a more natural option is to implement such a protection through some masking technique.

Conclusion
is paper further studies some unresolved problems related to the modified transparency order for (n, m)-functions. Our result implies that RTO is less than or equal to MTO for any (n, m)-function. In addition, a useful characterization of the modified transparency order is derived in terms of its tight bounds and its relation to other important cryptographic properties. ese results show that the smaller the sum-of-squares indicator (or the nonlinearity and the algebraic immunity) of its coordinate, the bigger the modified transparency order. Although some results of MTO have been given in this paper, there are still few studies on MTO. e design of (n, m)-functions with small modified transparent order and good cryptographic indicators remains an open problem. At the same time, we will focus on the experimental verification of (8, 8)-functions for differential power attack and investigate the relationship between transparency order and confusion coefficient.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that they have no conflicts of interest. Acknowledgments e first author was supported by the National Key R&D Program of China (nos. 2017YFB0802000 and 2017YFB0802004) and in part by the Sichuan Science and Technology Program (no. 2020JDJQ0076). e second author was supported in part by the National Natural Science