On the confusion coefficient of Boolean functions

Abstract: The notion of the confusion coefficient is a property that attempts to characterize the confusion property of cryptographic algorithms against differential power analysis. In this article, we establish a relationship between the confusion coefficient and the autocorrelation function for any Boolean function and give a tight upper bound and a tight lower bound on the confusion coefficient for any (balanced) Boolean function. We also deduce some deep relationships between the sum-of-squares of the confusion coefficient and other cryptographic indicators (the sum-of-squares indicator, Hamming weight, algebraic immunity and correlation immunity), respectively. Moreover, we obtain some trade-offs among the sum-of-squares of the confusion coefficient, the signal-to-noise ratio and the redefined transparency order for a Boolean function.


Introduction
Side-channel attacks (SCAs), which can use physical emanation from the device, are based on the fact that cryptographic algorithms are implemented on a physical device. Differential power analysis (DPA) is the most widely used attack method in SCA [1]. Since DPA was proposed, many algorithms have been attacked, such as DES and LILI-128 [2]. In these attacks, S-boxes (also called multiple-output nonlinear Boolean functions, or $(n, m)$-functions) are prominent targets. This is because they allow us to distinguish clearly between correct and incorrect hypotheses on key guesses [1,3,4,5]. Some links between indicators of $(n, m)$-functions and SCAs were established from a mathematical point of view, and these indicators included the signal-to-noise ratio (denoted by ) [4], the transparency order (denoted by ) [1] or the redefined transparency order (denoted by ) [6] and the confusion coefficient (denoted by ) [7]. In 2004, when Guilley et al. studied noise sources occurring during DPA and electrical simulation of the DPA, they introduced for $(n, m)$-functions and gave some bounds on for different S-boxes. Known results implied that an S-box could resist DPA attacks very well if it has a small . In refs [8,9], the authors obtained an upper bound on of balanced $(n, m)$-functions, and some deep relationships between of $(n, m)$-functions and three other cryptographic indicators (the maximum value of the absolute value of the Walsh transform, the sum-of-squares indicator and the nonlinearity of its coordinates), respectively, and they proved that of $(n, m)$-functions is not affine invariant.
In 2005, was introduced for $(n, m)$-functions based on single-bit DPA and the Hamming distance model in ref. [1]. The lower bound on for an $(n, m)$-function was obtained. In the same year, a relationship between and the nonlinearity of an $(n, m)$-function was given in ref. [3]. Later, a fast method for computing was given in ref. [10]. In 2017, Chakraborty et al. found a redundancy in , and put forward [6], and deduced a lower bound on using the Walsh spectrum only. The new indicator was used in multi-bit DPA attacks and is better than the original definition in ref. [1]. From the two definitions, we know that and are the same for an $(n, 1)$-function (i.e., a Boolean function). In 2019, some bounds on for only one Boolean function were obtained in ref. [11], including some tight upper bounds on for certain Boolean functions. Meanwhile, a relationship of between any Boolean function and its decomposition Boolean functions was given in ref. [12], and the distributions of for 4-variable and 5-variable balanced Boolean functions were obtained.
In 2012, was proposed when they studied the confusion property of cryptographic algorithms in ref. [7]. Some experimental results of DPA and CPA on both AES and DES verify the statistical model with high accuracy and demonstrate the effectiveness of the algorithmic confusion analysis in ref. [13]. A novel heuristic technique to generate S-boxes with better values of the confusion coefficient in terms of improving their side-channel resistance is given in ref. [14]. Some new methods for generating almost optimal 8-bit S-boxes having good theoretical DPA metrics (including , and , etc.) are obtained in ref. [15]. So far, many results about and for $(n, m)$-functions have been obtained from a mathematical point of view, but little attempt has been made to analyze for $(n, m)$-functions. How to characterize for $(n, m)$-functions? What is the bound on for $(n, m)$-functions? Further investigating the in-depth relationships between the and other cryptographic indicators also still appears to be an important issue. In this article, we will investigate these questions for $(n, 1)$-functions (a Boolean function with n variables).
The organization of this article is as follows. In Section 2, the basic concepts and notions are presented. In Section 3, we deduce an equivalent characterization of the confusion coefficients. In Section 4, we give some relationships between the sum-of-squares of the confusion coefficients and other cryptographic indicators. In Section 5, some relationships among the sum-of-squares of the confusion coefficient, the RTO and the SNR are given. Finally, Section 6 concludes this article.

Preliminaries
Let n denote the set of n-variable Boolean functions. The support of a Boolean function ∈ f n is defined as . The Hamming weight of f is denoted by . We say that a Boolean function f is balanced if its truth table contains equal numbers of ones and zeros, i.e., $wt(f) = 2^{n-1}$. A Boolean function ∈ f n is affine if the algebraic degree of f is at most one, and the set of all affine functions is denoted by n . An affine function with constant term equal to zero is called a linear function.
The Walsh spectrum of f is defined as . Based on the Walsh spectrum, the nonlinearity of ∈ f n can be determined by
The cross-correlation function of f and g is defined as f g x f x g x α n , 2 n 2 If f = g, then the autocorrelation function of f is defined as
Definition 2.2. The two indicators $(\sigma_f, \Delta_f)$ are called the global avalanche characteristics of a Boolean function ∈ f n (GAC [16]): For any Boolean function ∈ f n , the smaller $\Delta_f$ and $\sigma_f$, the better the GAC.
In 2012, Fei et al. proposed a statistical model for DPA that takes characteristics of both the physical implementation and the cryptographic algorithm into consideration and established a quantitative relation between the success rate of DPA and a cryptographic system. Finally, they pointed out that the side-channel property of the cryptographic algorithm is extracted by a novel algorithmic confusion analysis and presented a definition of the confusion coefficient for S-boxes [7].
where $N_t$ is the total number of values for the relevant ciphertext bits, and ( ) ( ) j is the number of occurrences for which different key hypotheses $k_i$ and $k_j$ result in different ψ values.
Picek et al. [14] pointed out that low confusion coefficient values (also referred to as high collision values) can make SCAs harder, i.e., they may require an increase in the number of traces to yield the correct key candidate.
Carlet et al. studied the intrinsic resiliency of S-boxes against SCAs, and further gave the concrete form of the confusion coefficient for a Boolean function ∈ f n (e.g., a coordinate function of the S-box) [17]: where ∈ t n 2 is one known plaintext, ∈ * k n 2 is the correct key and ∈ k n 2 is the key. In other words, this equation gives a characterization relationship between the confusion coefficient and a Boolean function. In this article, we will study the confusion coefficient of a Boolean function based on this equation.

General bounds on of Boolean functions
In this section, we give one equivalent characterization of the confusion coefficient and give an upper and a lower bound on the confusion coefficient. Finally, we get some relationships between the confusion coefficient and the nonlinearity (propagation criterion). Then Δ , Proof. According to Definition 2.3, we have  Table 1 (the distribution of autocorrelation function for a Boolean function is denoted by D-of-A, and the distribution of confusion coefficient for one distribution of autocorrelation function is denoted by D-of-CC).
Based on Lemma 3.1, we can give an upper bound and a lower bound on the confusion coefficient for any Boolean function. Proof. From ref. [19], we have . And from Lemma 3.1, we have Thus, this result is proved. □ From Lemma 3.3, we know that the confusion coefficients become larger, if f becomes larger. That is to say, the two indicators (the confusion coefficients and nonlinearity) cannot achieve the best for a given Boolean function at the same time. Moreover, for any balanced Boolean function ∈ Lemma 3.4 is easily proved by the following relation in ref. [19]: Theorem 3.2 gives the upper and the lower bounds on the confusion coefficient. At the same time, we will also analyze the value of the sum of the confusion coefficients. Remark 3.6. From Theorem 3.5, we know the value of the sum of the confusion coefficients for a given Boolean function ∈ f n , if we are given the Hamming weight of this Boolean function. In particular, for a balanced Boolean function ∈ f n , we have for a given $k^*$.
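The link between the confusion coefficient and the autocorrelation function (Lemma 3.1) and the dependence of the sum of the confusion coefficients on the Hamming weight (Remark 3.6) can be checked exhaustively for small n. The Python sketch below is an added example, not code from the article; it assumes the counting form κ(k*, k) = #{t : f(t ⊕ k*) ≠ f(t ⊕ k)} / 2^n and the standard autocorrelation function, and the two 4-variable sample functions are constructed for illustration.

```python
# Added illustration (not from the article). Assumed definitions: the counting
# form of the confusion coefficient and the standard autocorrelation function.
from fractions import Fraction

def truth_table(f, n):
    """Truth table of an n-variable Boolean function given as a callable."""
    return [f(x) & 1 for x in range(1 << n)]

def autocorrelation(tt, alpha):
    """Delta_f(alpha) = sum over x of (-1)^(f(x) xor f(x xor alpha))."""
    return sum(1 - 2 * (tt[x] ^ tt[x ^ alpha]) for x in range(len(tt)))

def confusion_coefficient(tt, k_star, k):
    """Fraction of inputs t on which key hypotheses k_star and k disagree."""
    differing = sum(tt[t ^ k_star] != tt[t ^ k] for t in range(len(tt)))
    return Fraction(differing, len(tt))

def kappa_from_autocorrelation(tt, k_star, k):
    """Same quantity computed as 1/2 - Delta_f(k_star xor k) / 2^(n+1)."""
    return Fraction(1, 2) - Fraction(autocorrelation(tt, k_star ^ k), 2 * len(tt))

def kappa_sum(tt, k_star):
    """Sum of the confusion coefficients over all wrong keys k != k_star."""
    return sum(confusion_coefficient(tt, k_star, k)
               for k in range(len(tt)) if k != k_star)

def kappa_sum_from_weight(n, wt):
    """Closed form of kappa_sum: it depends only on n and the Hamming weight."""
    return Fraction(2 ** n, 2) - Fraction((2 ** n - 2 * wt) ** 2, 2 ** (n + 1))

# Constructed sample functions on 4 variables (bit i of x is x_i).
BENT = truth_table(lambda x: (x & (x >> 1)) ^ ((x >> 2) & (x >> 3)), 4)  # x0x1 + x2x3
BALANCED = truth_table(lambda x: (x & (x >> 1)) ^ (x >> 2) ^ (x >> 3), 4)  # x0x1 + x2 + x3

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("balanced", BALANCED)):
        values = sorted({confusion_coefficient(tt, 0, k) for k in range(1, 16)})
        print(name, "wt =", sum(tt), "kappa values:", [str(v) for v in values],
              "sum:", kappa_sum(tt, 0))
```

For the bent function every wrong key gives a confusion coefficient of 1/2, while the balanced function with linear structures reaches both 0 and 1, which is the kind of spread the bounds in this section describe.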

Bounds on the sum-of-squares of the confusion coefficient of one Boolean function
In order to establish some new relationships between the confusion coefficient and the traditional cryptographic indicators (such as the sum-of-squares indicator, Hamming weight, algebraic immunity, correlation immunity, etc.), we need to use the sum-of-squares of the confusion coefficient. First, we give the relationship between the sum-of-squares of the confusion coefficient and the sum-of-squares indicator for a Boolean function.
For convenience of description in the following, for a given ∈ * k n 2 we denote the sum-of-squares of the confusion coefficient for a Boolean function by Proof. From Lemma 3.1, we have Corollary 4.4 is easily proved by the following relation in ref. [23]: And if a balanced Boolean function satisfies the propagation criterion, then we have Corollary 4.5 by using Theorem 3 in ref. [24] and Theorem 4.1.
As designers, we want m to be bigger, $AI(f)$ to be bigger, $\sigma_f$ to be smaller and ( ) * k f to be smaller for one Boolean function; thus these indicators cannot be the best at the same time. However, the best values of $AI(f)$, $\sigma_f$ and ( ) * k f may be achieved at the same time. These results can provide theoretical support for S-box design and evaluation.

Relationships among , and
In this section, we give three relationships among the confusion coefficient, the SNR and the RTO. In 2004, Guilley et al. [4] presented the SNR of an $(n, m)$-function in Definition 5.1. In 2017, Chakraborty et al. [6] presented the RTO of an $(n, m)$-function in Definition 5.2.
The of F, based on the cross-correlation properties of F , is defined by: And from [19] we know ( ) Through the confusion coefficient of any Boolean function, we establish a relationship between and . For any $(n, m)$-function, a relationship between and was obtained in ref. [8]. If $m = 1$, Theorem 5.6 improves the result in ref. [8].

Conclusions
In this article, we give some bounds on the confusion coefficient for a Boolean function. We also give some relationships between the confusion coefficient and other cryptographic properties. Moreover, some links among the confusion coefficient, the SNR and the RTO are determined for the first time. From the designer's point of view, we hope to construct S-boxes with a low confusion coefficient, but a good S-box cannot make the confusion coefficient and some cryptographic indicators reach the best at the same time. We hope that these results on Boolean functions will help us to construct good $(n, m)$-functions or S-boxes in the next step.