Yongzhuang Wei’s research while affiliated with Guilin University of Electronic Technology and other places

In deep learning-based side-channel analysis (DL-SCA), there may be a proliferation of model parameters as the number of trace power points increases, especially in the case of raw power traces. Determining how to design a lightweight deep learning model that can handle a trace with more power points and has fewer parameters and lower time costs for profiled SCAs appears to be a challenge. In this article, a DL-SCA model is proposed by introducing a non-trained DL technique called random convolutional kernels, which allows us to extract the features of leakage like using a transformer model. The model is then processed by a classifier with an attention mechanism, which finally outputs the probability vector for the candidate keys. Moreover, we analyze the performance and complexity of the random kernels and discuss how they work in theory. On several public AES datasets, the experimental results show that the number of required profiling traces and trainable parameters reduce, respectively, by over 70% and 94% compared with state-of-the-art works, while ensuring that the number of power traces required to recover the real key is acceptable. Importantly, differing from previous SCA models, our architecture eliminates the dependency between the feature length of power traces and the number of trainable parameters, which allows for the architecture to be applied to the case of raw power traces.

In this article, we derive the weight distribution of linear codes stemming from a subclass of (vectorial) p-ary plateaued functions, which includes all the explicitly known examples of non-weakly regular bent functions. This construction of linear codes is referred in the literature as the first generic construction. First, we refine the results presented in [8, 10, 14, 15, 18]. Namely, we derive the full weight distributions of codes stemming from all s-plateaued functions for n + s odd, whereas for n + s even, from the class of s-plateaued functions such that either f * is zero or W f * (0) = t(f *)νp n−s 2 for some ν ∈ {1, i}. The exact derivation of such distributions is achieved by using some well-known equations over finite fields to count certain dual preimages. In order to improve the dimension of these codes, we then extend our results to the vectorial case, thus providing the weight distributions of certain codes associated to known vectorial plateaued functions and obtaining codes with parameters [p n −1, 2n, p n −p n−1 −p (n+s−2)/2 (p−1)]. For the first time, we provide the full weight distributions of codes from (a subclass of) vectorial p-ary plateaued functions. This class includes all known explicit examples in the literature. Moreover, in some cases, the obtained codes are minimal and self-orthogonal.

In the era of the highly pervasive Internet of Things (IoT), the optimized implementation of lightweight cryptographic algorithms for protecting data security has extensively received attention, for instance, the Piccolo cipher. Piccolo is an ultra‐lightweight block cipher designed for extremely resource‐constrained devices. Currently, many optimized implementations of Piccolo have been proposed; however, these implementations are heavily rely on optimizing different architectures. Actually, these implementation schemes have all neglected the optimization of the core components. How to achieve the new optimized implementation of the Piccolo cipher (via both the architectures and the core components) appears to be an interesting problem. In this article, new circuit structures for components (key schedules and round functions) of the Piccolo are first proposed using fewer logic gates. Based on these circuit structures, three architectures (iterative, integrated iterative, and scalar) are proposed to maximize implementation performances. To demonstrate their effectiveness and practicality, these architectures are simulated and synthesized on different field‐programmable gate arrays (FPGA) devices. Compared with the existing architectures of Piccolo, the results indicate that the iterative architectures and the integrated iterative architecture provide a better trade‐off between area and throughput, and the scalar architectures provide the highest throughput. Especially for Piccolo‐128, the area of its iterative architecture is 30 look‐up tables (LUTs) and 22 slices less than the best known implementation; the throughput and efficiency are 68.56% higher and twice higher than the best known implementation, respectively. Compared with other block ciphers, the efficiency and area‐delay product of the Piccolo‐128 iterative architecture outperform PRESENT, GIFT, SIMON, Midori, SIMON, and SIMECK. Compared with the best results, its encryption efficiency has increased by 31.53%, and the area‐delay product has decreased by 44.63%.

Threshold implementation (TI) is a well-known Boolean masking technique that provides provable security against side-channel attacks. In the presence of glitches, the probing model was replaced by the so-called glitch-extended probing model which specifies a broader security framework. In CHES 2021, Shahmirzadi et al. introduced a general search method for finding first-order 2-share TI schemes without fresh randomness (under the presence of glitches) for a given encryption algorithm. Although it handles well single-output Boolean functions, this method has to store output shares in registers when extended to vector Boolean functions, which results in more chip area and increased latency. Therefore, the design of TI schemes that have low-implementation cost under the glitch-extended probing model appears to be an important research challenge. In this article, we propose an approach to design the first-order glitch-extended probing secure TI schemes when quadratic functions are employed in the substitution layer. This method only requires a small amount of fresh random bits and a single clock cycle for its implementation. In particular, the random bits in our approach are reusable and compatible with the changing of the guards technique. Our dedicated TI scheme for the AES cipher gives 20.23% smaller implementation area and 4.2% faster encryption compared to the TI scheme of AES (without using fresh randomness) proposed in CHES 2021. Additionally, we propose a parallel implementation of two S-boxes that further reduces latency (about $39.83\%$ ) at the expense of increasing the chip area by 9%. We have positively confirmed the security of AES under the glitch-extended probing model using the verification tool—SILVER and the side-channel leakage assessment method—TVLA.

In this article, we identify certain instances of bent functions, constructed using the so-called P τ property, that are provably outside the completed Maiorana-McFarland (MM #) class. This also partially answers an open problem in posed by Kan et al. (IEEE Trans Inf Theory,https://doi.org/10.1109/TIT.2022.314018, 2022). We show that this design framework (using the P τ property), can provide instances of bent functions that are outside the known classes of bent functions, including the classes MM # , C, D and D 0 , where the latter three were introduced by Carlet in the early nineties. We provide two generic methods for identifying such instances, where most notably one of these methods uses permutations that may admit linear structures. For the first time, a set of sufficient conditions for the functions of the form h(y, z) = T r(yπ(z)) + G 1 (T r m 1 (α 1 y),. .. , T r m 1 (α k y))G 2 (T r m 1 (β k+1 z),. .. , T r m 1 (β τ z)) + G 3 (T r m 1 (α 1 y),. .. , T r m 1 (α k y)) to be bent and outside MM # is specified without a strong assumption that the components of the permutation π do not admit linear structures.

In this article, we identify certain instances of bent functions, constructed using the so-called Pτ$P_\tau$ property, that are provably outside the completed Maiorana–McFarland (MM#${\mathcal{M}\mathcal{M}}^\#$) class. This also partially answers an open problem in posed by Kan et al. (IEEE Trans Inf Theory, https://doi.org/10.1109/TIT.2022.3140180, 2022). We show that this design framework (using the Pτ$P_\tau$ property), can provide instances of bent functions that are outside the known classes of bent functions, including the classes MM#${\mathcal{M}\mathcal{M}}^\#$, C,D${{\mathcal {C}}},{{\mathcal {D}}}$ and D0${{\mathcal {D}}}_0$, where the latter three were introduced by Carlet in the early nineties. We provide two generic methods for identifying such instances, where most notably one of these methods uses permutations that may admit linear structures. For the first time, a set of sufficient conditions for the functions of the form h(y,z)=Tr(yπ(z))+G1(Tr1m(α1y),…,Tr1m(αky))G2(Tr1m(βk+1z),…,Tr1m(βτz))+G3(Tr1m(α1y),…,Tr1m(αky))$h(y,z)=Tr(y\pi (z)) + G_1(Tr_1^m(\alpha _1y),\ldots ,Tr_1^m(\alpha _ky))G_2(Tr_1^m(\beta _{k+1}z),\ldots ,Tr_1^m(\beta _{\tau }z))+ G_3(Tr_1^m(\alpha _1y),\ldots ,Tr_1^m(\alpha _ky))$ to be bent and outside MM#${\mathcal{M}\mathcal{M}}^\#$ is specified without a strong assumption that the components of the permutation π$\pi$ do not admit linear structures.

Since their introduction in early 2000, CPA (correlation power analysis), as a cryptographic tool, has been widely used in the cryptanalysis of cryptographic algorithms (being applicable to both symmetric key ciphers as well as to public key encryption schemes). An application of the classical CPA method, along with its variants, to cryptographic algorithms that use parallel implementation of its substitution boxes (S-boxes) commonly requires more power traces to extract the secret key compared to the case when serial implementation of S-boxes is employed. To reduce the amount of power traces in this scenario, we propose a modification of the standard CPA approaches and demonstrate practically that our method performs better than the existing ones in this respect. To verify the efficiency of our improved CPA method, we apply it to the public databases of DPA Contest V2. In particular, the experimental results show that only 495 power traces are required to recover the secret key of AES. We also compare the performance of our attack to the relevant methods whose parameters are available at DPA Contest V2. The results show that compared to the best nonprofiling side-channel attack (SCA) attack, our method reduces the number of power traces required to recover the secret key by 6,566. Also, our new method performs almost similarly as the best profiling SCA attack of Benoit Gerard (in terms of the required number of power traces), thus reducing the gap in the performance of profiling and nonprofiling SCA attacks.