A NOTE ON THE SIGNAL-TO-NOISE RATIO OF (n, m)-FUNCTIONS

The concept of the signal-to-noise ratio (SNR) as a useful indicator of the robustness of $(n,m)$-functions $F = (f_1,\ldots,f_m)$ (cryptographic S-boxes) against differential power analysis (DPA) has received extensive attention during the previous decade. In this paper, we give an upper bound on the SNR of balanced $(n,m)$-functions, and a clear upper bound regarding unbalanced $(n,m)$-functions. Moreover, we derive some deep relationships between the SNR of $(n,m)$-functions and three other cryptographic parameters (the maximum value of the absolute value of the Walsh transform, the sum-of-squares indicator, and the nonlinearity of its coordinates), respectively. In particular, we give a trade-off between the SNR and the refined transparency order of $(n,m)$-functions. Finally, we prove that the SNR of $(n,m)$-functions is not affine invariant, and data experiments verify this result.


Introduction
Differential power analysis (DPA) is one of the most effective side-channel attacks [13], in which leakage information about the user's secret key is extracted from power traces obtained while the encryption algorithm is being physically executed on a specific platform. In order to resist this attack, the substitution boxes ($(n, m)$-functions or S-boxes), as the only nonlinear parts of block ciphers, should have acceptable resistance to reduce the information leakage under DPA-like attacks. Currently, there are three important indicators of the resistance of S-boxes against DPA-like attacks: the signal-to-noise ratio (SNR), the transparency order (TO) and the confusion coefficient (CC). More specifically, in 2004, the concept of SNR was introduced by Guilley et al. in [11]. In 2005, the transparency order (TO), based on the auto-correlation function, which measures the resistance of $(n, m)$-functions to DPA attacks, was proposed by Prouff et al. in [16]. Later, some flaws were found in the original definition of the transparency order, and a new refined transparency order (RTO, see Definition 6) based on the cross-correlation function was presented in [8]. The refined transparency order has an important influence on the resistance against DPA attacks. A tight upper bound on the transparency order of an $(n, 1)$-function was established in [21], and a lower bound directly depending on the nonlinearity was also obtained. In 2012, the definition of the confusion coefficient (CC) was proposed by Fei et al. in [9]. On the other hand, in 2006, an efficient DPA attack on the Grain and Trivium ciphers was proposed by Fischer et al. in [10], where the side-channel characteristic of the physical implementation can indeed be seen as the SNR as defined in [11]. In 2014, two theoretical distinguishers based on the Kolmogorov-Smirnov (KS) distance were presented in [12]. In this case, the relationship between SNR and CC on the distinguishers' performance was discussed.
Notice that the notion of SNR was defined in terms of the Walsh transform of $(n, m)$-functions in [11]. In particular, an upper bound on the SNR of balanced $(n, m)$-functions and a lower bound on the SNR of unbalanced $(n, m)$-functions were respectively investigated in [11]. It can be seen from the definition that the SNR of an $(n, m)$-function is closely related to the Walsh transforms of its coordinates.
So far, few attempts have been made to check whether balanced $(n, m)$-functions can really achieve the upper bound on the SNR, or whether the SNR of $(n, m)$-functions is affine invariant. Further investigating the in-depth relationships between the SNR and other cryptographic indicators also still appears to be an important issue.
In this paper, we consider the unsolved problems regarding SNR in [11]. Specifically, in this reference it is shown that $\sum_{\alpha\in\mathbb{F}_2^n} Y_\alpha = m \cdot 2^{2n}$ if $F = (f_1, f_2, \cdots, f_m)$ is a balanced $(n, m)$-function, but $\sum_{\alpha\in\mathbb{F}_2^n} Y_\alpha \in [0, m^2 2^{2n}]$ for the rest of the cases. Actually, the condition of our result (see Theorem 2) is weaker than that in [11]. A comprehensive description is given, i.e. $\sum_{\alpha\in\mathbb{F}_2^n} Y_\alpha = m \cdot 2^{2n}$ if $f_i \oplus f_j$ ($1 \le i < j \le m$) is a balanced function, but $\sum_{\alpha\in\mathbb{F}_2^n} Y_\alpha \in [0, m^2 2^{2n}]$ for the rest of the cases. By this observation, we prove that the SNR of any balanced $(n, m)$-function cannot achieve the upper bound $2^{n/2}$. On the other hand, the tight upper bound on the SNR of unbalanced $(n, m)$-functions $F = (f_1, f_2, \cdots, f_m)$ is described. In particular, the upper bound on the SNR of bent $(n, m)$-functions is determined exactly. The concept of the sum of Walsh transform-product indicator (SWTPI) is introduced, and a relationship between SWTPI and the sum-of-squares indicator is derived as well. Based on SWTPI, some relationships between the SNR of $(n, m)$-functions and other important cryptographic indicators (including the maximum value of the absolute value of the Walsh transform, the sum-of-squares indicator and the nonlinearity of its coordinates) are established. Some bounds on the SNR of $(n, m)$-functions are given in Table 2. Furthermore, the equality between the SNR of $F$ and $F \circ A$ is verified for any affine permutation $A$, while $F$ and $A \circ F$ can have different SNR. It directly means that SNR does not have the affine invariant property. For instance, we calculate SNR for all optimal (4, 4) S-boxes and many S-boxes used in some well-known encryption algorithms. These S-boxes all miss the affine invariant property.
The paper is organized as follows. In Section 2, the basic concepts are introduced. In Section 3, some results regarding SWTPI are given. In Section 4, the upper bounds on the SNR of balanced and unbalanced $(n, m)$-functions are derived. Moreover, some relationships between the SNR and three cryptographic indicators are investigated. The simulation results are discussed in Section 5. Some concluding remarks are given in Section 6.

Preliminaries
A Boolean function on $n$ variables may be viewed as a mapping from $\{0, 1\}^n$ into $\{0, 1\}$. Throughout this paper the binary field $GF(2)$ is denoted by $\mathbb{F}_2$ and the set of all Boolean functions mapping from $\mathbb{F}_2^n$ to $\mathbb{F}_2$ is denoted by $BF_n$. Let $\oplus$ be the addition operation. A Boolean function $f$ is commonly represented as a multivariate polynomial over $\mathbb{F}_2$ called the algebraic normal form (ANF) of $f$. More precisely, $f(x_1, x_2, \cdots, x_n)$ can be written as where $\mathcal{P}(N)$ denotes the power set of $N = \{1, \cdots, n\}$ in [6]. Every coordinate $x_i$ ($x = (x_1, x_2, \cdots, x_n)$) appears in this polynomial with exponents at most 1. The degree of the ANF is denoted by $\deg(f)$ and is called the algebraic degree of the function (this makes sense thanks to the existence and uniqueness of the ANF): $\deg(f) = \max\{|I| : a_I \ne 0\}$, where $|I|$ denotes the size of $I$. The Hamming weight $w_H(x)$ of a binary vector $x \in \mathbb{F}_2^n$ is the number of its nonzero coordinates, i.e. the size of $\{i \in N : x_i \ne 0\}$, where $N$ denotes the set $\{1, 2, \cdots, n\}$, called the support of the binary vector. The Hamming weight $w_H(f)$ of a Boolean function $f$ on $\mathbb{F}_2^n$ is the size of the support of the function, i.e. the set $\{x \in \mathbb{F}_2^n : f(x) \ne 0\}$. We say that a Boolean function $f$ is balanced if its Hamming weight equals $2^{n-1}$. A Boolean function is an affine function if its algebraic degree satisfies $\deg(f) < 2$, and the set of all affine functions is denoted by $A_n$. If the constant term of an affine function is equal to zero, then this Boolean function is also called a linear function.
where $\varphi_\alpha(x) = \alpha \cdot x = \alpha_1 x_1 \oplus \alpha_2 x_2 \oplus \cdots \oplus \alpha_n x_n$, $\alpha = (\alpha_1, \cdots, \alpha_n) \in \mathbb{F}_2^n$. The nonlinearity of $f \in BF_n$ is defined as the minimum Hamming distance to the set of all $n$-variable affine functions. From Definition 1, we know that the nonlinearity of $f$ can be computed by Definition 2. Let $f \in BF_n$. The auto-correlation function of $f$ is defined by where And the cross-correlation function of two Boolean functions $f, g \in BF_n$ is defined by is called the derivative of $f$ and $g$ in the direction of $b \in \mathbb{F}_2^n$. Two $n$-variable Boolean functions $f$ and $g$ are perfectly uncorrelated if $\mathcal{F}(D_\alpha(f, g)) = 0$ for all $\alpha \in \mathbb{F}_2^n$, and they are uncorrelated of degree $k$ if $\mathcal{F}(D_\alpha(f, g)) = 0$ for all $\alpha \in \mathbb{F}_2^n$ such that $0 \le w_H(\alpha) \le k$. From the results in [17, Corollary 3.4], we have $\mathcal{F}(f \oplus \varphi_\alpha)\mathcal{F}(g \oplus \varphi_\alpha) = 0$ for any $\alpha \in \mathbb{F}_2^n$ if $f$ and $g$ are perfectly uncorrelated. This property is equivalent to the fact that $f$ and $g$ have disjoint Walsh supports (see [15]).
Let $n$ and $m$ be two positive integers. The functions $F = (f_1, f_2, \cdots, f_m)$ from $\mathbb{F}_2^n$ to $\mathbb{F}_2^m$ are called $(n, m)$-functions (also called vectorial Boolean functions [7]), and the Boolean functions $f_1, f_2, \cdots, f_m$ are called the coordinate functions of $F$. An $(n, m)$-function $F$ is balanced if and only if its component functions are balanced, that is, for every nonzero $v \in \mathbb{F}_2^m$, the Boolean function $v \cdot F$ is balanced.
Definition 3. ([11]) Let $F = (f_1, \ldots, f_m)$ be an $(n, m)$-function. The signal-to-noise ratio (SNR) of $F$ is defined by For convenience, we introduce the following symbol: which will be used in the sequel.
If f = g, then we have (also see GAC in [23]): Notice that, for any f , g ∈ BF n we have, as shown in [17]: In particular, (2) implies that the sum-of-squares indicator can be expressed in terms of Walsh transform. In order to further characterize the product of the Walsh transforms of these functions, we introduce a new definition to generalize V(f, g) by (2).
In order to describe the relationship between the SNR and the RTO, we consider Definition 6.

The relationships between SWTPI and the sum-of-squares indicator
In this section, some relationships between SWTPI and the sum-of-squares indicator are discussed. We give some equations on $\sigma^{(i,j,k,l)}_{f,g,s,t}$. Lemma 7. Let $f, g, s, t \in BF_n$. Then 1) σ Proof. For any $u \in \mathbb{F}_2^n$, we know , and the matrix $H$ be generated in the following way: is the integer corresponding to vector $\alpha \in \mathbb{F}_2^n$, and $H_i$ denotes the $i$-th row of $H$.
Thus, we know that $H$ is a Hadamard matrix with rank $2^n$. Meanwhile, let $c_{f,g}$, $c_{s,t}$ be two column vectors defined by: And let $A_\alpha$ be the product between $H_i$ and $c_{f,g}$, $B_\alpha$ be the product between $H_i$ and $c_{s,t}$. According to the property of the Hadamard matrix: $HH^T = 2^n I$ ($I$ is the identity matrix), we have f,g,s,t . Similarly, 2), 3), 4) and 5) can be proved as well.
Based on Lemma 7, the upper bounds on SWTPI are presented.
Proof. According to Definition 5 and Cauchy inequality, we have There are four cases: 2) If i = 3, j = 1 and k = l = 0, then we have 3) If i = 2, j = 2 and k = l = 0, then we have The sufficient and necessary conditions of 1), 2), 3) and 4) are easy to be proved.
These results are closely related to the lower bound on the SNR of any $(n, m)$-function in Section 4.3.

4. The new upper bound on the SNR of (n, m)-functions
In order to attain the exact upper bounds on the SNR of balanced or unbalanced $(n, m)$-functions, we first give Lemma 9.
Lemma 9. ([20,25]) For where the equality (5) is achieved if and only if one of the following conditions holds: Lemma 11. Let $f \in BF_n$. Then Lemma 12 implies that ω∈F n Proof. According to the expression of $Y_\omega$, we have It also means, $\sum_{\omega\in\mathbb{F}_2^n} Y_\omega$ can achieve the upper bound $m \cdot 2^{2n}$ ($m = 1$). Furthermore, where the equality (6) The coordinate functions are defined as: where $g$ is a bent $(n-2)$-function and $n$ ($n \ge 4$) is even. Then we have the Walsh transform in Table 1, where $\gamma \in \mathbb{F}_2^{n-2}$ and $\gamma_1, \gamma_2 \in \mathbb{F}_2$. Table 1.
By Table 1, we have Moreover, we can calculate $SNR(DPA)(F) = 2^{n/2}$. From 4), we also find that $\sum_{\omega\in\mathbb{F}_2^n} Y_\omega = m \cdot 2^{2n}$ if $f_i$ and $f_j$ are perfectly uncorrelated (or disjoint spectra functions) for any $1 \le i \ne j \le m$, where $F = (f_1, \cdots, f_m)$. The condition $\sum_{\omega\in\mathbb{F}_2^n} Y_\omega = m 2^{2n}$ plays an important role in obtaining the upper bound on the SNR of unbalanced $(n, m)$-functions (see [11]). For $\sum_{\omega\in\mathbb{F}_2^n} Y_\omega$ to reach $m 2^{2n}$, Theorem 13 is more detailed than Lemma 12. By Example 1, there are unbalanced $(n, m)$-functions such that $f_i \oplus f_j$ ($1 \le i < j \le m$) are balanced functions. Thus, compared with Lemma 12, Theorem 13 enables us to find more $(n, m)$-functions satisfying $\sum_{\omega\in\mathbb{F}_2^n} Y_\omega = m 2^{2n}$. Therefore, we have an upper bound on $SNR(DPA)(F)$ for Based on Lemma 12, it has been shown in [11] that the SNR of balanced $(n, m)$-functions is bounded above by $2^{n/2}$. In this section, we verify that this upper bound cannot be tight at all.

New upper bounds on the SNR of unbalanced (n, m)-functions.
In this section, the upper bound on the SNR of unbalanced (n, m)-functions is discussed by Hamming weight of the coordinate functions. Moreover, the upper bound on the SNR of bent (n, m)-functions is presented.
where equality holds in (8) if and only if $Y_\omega = m \cdot 2^n + 2H_F$ for all $\omega \in \mathbb{F}_2^n$.
Proof. According to the expression of Y ω , we have

Moreover, we have
By Lemma 9, we consider two cases. 1) If $Y_\omega$ satisfies the first condition in Lemma 9, then we have Actually, $\mathcal{F}(f \oplus \varphi_\omega) \equiv 0 \bmod 4$ for any balanced Boolean function $f(x) \in BF_n$ ($\omega \in \mathbb{F}_2^n$), then we have $Y_\omega \equiv 0 \bmod 16$ for $\omega \in \mathbb{F}_2^n$, i.e. $Y_\omega = M + 1$. This is impossible. 2) If $Y_\omega$ satisfies the second condition in Lemma 9, then $Y_\omega = M = m \cdot 2^n + 2H_F$ for all $\omega \in \mathbb{F}_2^n$.
Remark 1. Theorem 16 also implies two facts: 1) This new upper bound on the SNR of an unbalanced $(n, m)$-function is presented for the first time, and it is determined by the Hamming weight of the sum functions. In other words, if we know the Hamming weight of the sum functions, the exact upper bound on the SNR of unbalanced $(n, m)$-functions can be attained easily.
2) If $f_i \oplus f_j$ ($1 \le i < j \le m$) are balanced functions, then we have $H_F = 0$, i.e. $SNR(DPA)(F) \le 2^{n/2}$. This upper bound is the same as the bound in Theorem 14.
Example 2. Let $F = (f, 1 \oplus f)$ be an $(n, 2)$-function, where $f$ is a bent function. Then we have $Y_\omega = 2 \cdot 2^n + 2 \cdot 0$ for all $\omega \in \mathbb{F}_2^n$, and $SNR(DPA)(F) = \frac{2\sqrt{2^{3n}}}{2 \cdot 2^n} = 2^{n/2}$. The lower bound on the SNR of bent $(n, m)$-functions was obtained in [11], but the upper bound on the SNR was not provided. Theorem 16 gives the upper bound on the SNR of a bent $(n, m)$-function since any bent function is unbalanced. Generally, for a bent $(n, m)$-function we have Corollary 1.

The relationships between the SNR and other cryptographic properties.
In this section, the relationships between the SNR and other cryptographic properties are discussed.  1,1,1) fi,fj ,f k ,f l .
Proof. According to Definition 3, we have By Definition 5, we have Moreover, we have Corollary 2. .
Proof. Since $f_i$ and $f_j$ are perfectly uncorrelated for any $1 \le i < j \le m$, that is, [17]. By Theorem 17, we easily attain this result. . . . , $f_m$) be an $r$-order plateaued $(n, m)$-function [24]. If $f_i$ and $f_j$ are perfectly uncorrelated for $1 \le i < j \le m$, then we have $SNR(DPA)(F) = \sqrt{m \cdot 2^r}$. 2) Let $F = (f_1, \ldots, f_m)$ be a bent $(n, m)$-function. If $f_i$ and $f_j$ are perfectly uncorrelated for $1 \le i < j \le m$, then we have $SNR(DPA)(F) = \sqrt{m \cdot 2^n}$.

The signal-to-noise ratio of affine equivalence S-boxes.
The SNR of some (8, 8) S-boxes (including (8, 8)-linear S-boxes, the DES S-box, the AES S-box, a bent S-box, etc.) was given in [11]; however, the SNR of (4, 4) S-boxes has not been investigated. Notice that some (4, 4) S-boxes are extensively used in many encryption algorithms designed for resource-constrained environments. The number of bijective mappings (affine equivalence) $F : \mathbb{F}_2^4 \to \mathbb{F}_2^4$ was determined in [5], where the number of affine equivalence S-boxes is 302.
In what follows, the affine invariant property of $SNR(DPA)(F)$ will be discussed. Notice that some cryptographic properties remain invariant under affine equivalence, e.g. nonlinearity, algebraic degree, etc. More specifically, let $S_1$ and $S_2$ be two balanced $(n, n)$-functions. If there exists a pair of invertible affine mappings $A$ and $B$ such that $B^{-1} \circ S_2 \circ A = S_1$, then $S_1$ and $S_2$ are called affine equivalent. Each of these affine mappings can be expressed as a linear transform followed by an addition, which leads to an affine equivalence relation: where $A$ is an invertible $n \times n$-bit linear mapping, $B$ is an invertible $m \times m$-bit linear mapping, $a$ is an $n$-bit constant and $b$ is an $m$-bit constant.

Theorem 19. Let $F = (f_1, \ldots, f_m)$ be a balanced $(n, m)$-function. Then
where $A$ is an invertible $n \times n$-bit linear mapping and $c \in \mathbb{F}_2$.
By Definition 3, we have On the other hand, we consider $SNR(DPA)(F(A \cdot x \oplus c) \oplus d) = SNR(DPA)(F(x))$ for any affine permutation $A \in A_n$ and $c, d \in \mathbb{F}_2^n$. For affine equivalence, we have Theorem 20.
Then $F$ and $G$ are affine equivalent S-boxes under affine transformation $B$, i.e. $G = B \circ F$: It can be verified that $f_i$ and $f_j$ ($1 \le i \ne j \le m$) are perfectly uncorrelated, but $g_i$ and $g_j$ ($1 \le i \ne j \le m$) are perfectly uncorrelated. By Corollary 2, we can easily calculate the distribution of Walsh transform with coordinate functions of $F$ and $G$.
Note that $g$ is a bent function such that $|\mathcal{F}(g \oplus \varphi_\alpha)| = 2^{n/2}$ for any $\alpha \in \mathbb{F}_2^n$. Moreover, we have We have $SNR(DPA)(F) \ne SNR(DPA)(G)$.
From Theorem 20, we know that $SNR(DPA)(F)$ is not affine invariant. In Section 5, some simulations that support Theorems 19 and 20 are made for (4, 4)-functions.
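A numerical check of Theorems 19 and 20, added here as an example that is not code from the paper. It assumes the SNR definition of [11] in its usual form, $SNR(DPA)(F) = m\,2^{2n} / \sqrt{\sum_{a} (\sum_{i} W_{f_i}(a))^4}$, since the formula of Definition 3 is missing from this copy; the 3-bit S-box `F3` and the matrices `A3`, `B3`, `A4` are constructed for illustration, and `PRESENT` is the S-box of the PRESENT cipher.

```python
from math import inf, sqrt

def walsh(tt):
    """W_f(a) = sum_x (-1)^(f(x) XOR a.x), via the fast Hadamard butterfly."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def snr_dpa(sbox, n, m):
    """SNR(DPA)(F) = m*2^(2n) / sqrt(sum_a (sum_i W_{f_i}(a))^4) (definition assumed from [11])."""
    if len(sbox) != 1 << n or any(not 0 <= y < (1 << m) for y in sbox):
        raise ValueError("sbox must list 2^n outputs of m bits each")
    # One Walsh spectrum per coordinate function f_i (bit i of the output).
    spectra = [walsh([(y >> i) & 1 for y in sbox]) for i in range(m)]
    # Exact integer arithmetic, so equal spectra give bit-identical results.
    denom_sq = sum(sum(s[a] for s in spectra) ** 4 for a in range(1 << n))
    # Degenerate case: the coordinate spectra cancel at every point.
    return inf if denom_sq == 0 else m * (1 << (2 * n)) / sqrt(denom_sq)

def lin(rows, v):
    """Apply a GF(2) matrix: output bit i is the parity of rows[i] AND v."""
    return sum((bin(r & v).count("1") & 1) << i for i, r in enumerate(rows))

def is_invertible(rows, k):
    """A k x k GF(2) matrix is invertible iff it permutes the 2^k vectors."""
    return len({lin(rows, v) for v in range(1 << k)}) == 1 << k

def compose_input(sbox, A, c):
    """Table of x -> F(A.x XOR c): affine change on the input side (Theorem 19)."""
    return [sbox[lin(A, x) ^ c] for x in range(len(sbox))]

def compose_output(sbox, B, d):
    """Table of x -> B.F(x) XOR d: affine change on the output side (Theorem 20)."""
    return [lin(B, y) ^ d for y in sbox]

# Constructed 3-bit permutation F(x1,x2,x3) = (x1 XOR x2*x3, x2, x3), x1 = bit 0.
F3 = [0, 1, 2, 3, 4, 5, 7, 6]
A3 = [0b011, 0b110, 0b100]   # constructed invertible input matrix
B3 = [0b001, 0b011, 0b100]   # constructed: replaces f2 by f1 XOR f2
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
A4 = [0b0011, 0b0110, 0b1100, 0b1000]  # constructed invertible input matrix

if __name__ == "__main__":
    print("F3            ", snr_dpa(F3, 3, 3))
    print("F3(A.x + c)   ", snr_dpa(compose_input(F3, A3, 0b101), 3, 3))
    print("B.F3          ", snr_dpa(compose_output(F3, B3, 0), 3, 3))
    print("PRESENT       ", snr_dpa(PRESENT, 4, 4))
    print("PRESENT(A.x+c)", snr_dpa(compose_input(PRESENT, A4, 0b1001), 4, 4))
```

The input-side change leaves the value untouched, while the output-side change moves the constructed S-box from 2 to $\sqrt{3}$ even though both tables are permutations.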

The relationship between the SNR and the RTO.
In this section, the relationship between the SNR and the RTO for any $(n, m)$-function is established.
In 2005, the notion of transparency order (TO) was proposed by Prouff et al. in [16], and this notion was also defined in terms of the auto-correlation coefficients of S-boxes. However, in 2017 Chakraborty et al. [8] identified certain limitations of the original definition in [16], and they presented the definition of transparency order (RTO) based on the cross-correlation coefficients of $(n, m)$-functions. Then where $f_i^\alpha = \mathcal{F}(f_i \oplus \varphi_\alpha)$ for $1 \le i \le m$ and $\alpha \in \mathbb{F}_2^n$. Moreover, we also give another form of Lemma 22.
Based on Lemma 22 and Lemma 23, we have Theorem 24.
Theorem 24. Let $F = (f_1, \ldots, f_m)$ be a balanced $(n, m)$-function. Then Remark 4. Although this relationship is rather rough, it can also reflect the relationship between the SNR and the RTO. Moreover, the definition of the SNR in [11] can be expressed by Combining the relation (5) and Theorem 24, we have It implies that $SNR(DPA)(F)$ becomes larger if $RTO(F)$ becomes larger.

Experimental data
By Theorem 19 and Theorem 20, we know that the SNR is not affine invariant. In the following we analyse the SNR of (4, 4) S-boxes. We know that a balanced (4, 4) S-box corresponds to a 16-bit permutation, and the number of 16-bit permutations is 16! (= 2092278988800), which is about $2^{44.25}$. Moreover, according to the definition of the SNR, the Walsh transforms of four component functions have to be calculated, and the number of additions in the Walsh transform for four component functions is at least $4 \times 2^4 \times 2^4 = 2^{10}$. If we ignore the scale of logical operations (for example the vector inner product $\omega \cdot x$, the addition $f(x) \oplus \omega \cdot x$, and $(-1)^{f(x) \oplus \omega \cdot x}$, with $x, \omega \in \mathbb{F}_2^4$), this will take at least $2^{54.25}$ operations to calculate the SNR of all permutations.
It is almost infeasible for an ordinary platform to finish simulations of the SNR of all balanced (4, 4) S-boxes in some months. In this case, we only focus on calculating the SNR of (4, 4) S-boxes in two aspects (see Section 5.1 and Section 5.2).
3) In Table 4, the SNR of 14 S-boxes (out of the 18 S-boxes from well-known encryption algorithms) is located in the range [2.023858, 2.945839], and the SNR reaches the maximum value 3.108115 for only one S-box. It directly means that the SNR of the (4, 4) S-boxes used in these algorithms is highly consistent with the SNR of the 302 affine equivalence classes of S-boxes.

5.2. The SNR of 16 classes of optimal (4, 4) S-boxes.
In 2007, Leander et al. gave 16 classes of optimal (4, 4) S-boxes in [14]. These S-boxes satisfy three cryptographic properties: 1) the linearity is 8; 2) the difference is 8; 3) the algebraic degree is 3. The representatives of the truth table are put in Table 5.
By Theorem 19 and Theorem 20, for each type of S-box $G = (g_1, g_2, g_3, g_4)$ ($g_i \in BF_4$, $i = 1, 2, 3, 4$), we can calculate the SNR of its affine equivalent S-box $A \circ G$ ($A$ is an invertible $4 \times 4$ matrix over $\mathbb{F}_2$). Here we do not consider the case of $G(x \circ A \oplus b)$ ($A$ is an invertible $4 \times 4$ matrix over $\mathbb{F}_2$, $b \in \mathbb{F}_2^4$) because $SNR(DPA)(G(x \circ A \oplus b)) = SNR(DPA)(G(x))$ for all $A$ and $b$ (see Theorem 19).
Table 5. Representatives for all 16 classes of optimal (4, 4) S-boxes [14]
Table 7. This implies that the distribution of values is relatively concentrated.
3) The mean value of the SNR of the affine equivalent S-boxes $A \circ G_i$ lies in the range [2.448995, 2.481046], and the variance lies in the range [0.092405, 0.110267]. The distribution of its value is concentrated in a relatively small interval. 4) In particular, we get the detailed distribution of the SNR of $A \circ G_0$ in Table 7. The calculation results for the other $G_i$ ($i = 1, 2, 3, \ldots, 15$) are similar to Table 7 and are omitted due to the limited length of this paper.

Conclusions
In this paper, some exact bounds on the SNR of $(n, m)$-functions are investigated. In particular, we prove that the SNR of balanced $(n, m)$-functions should be less than $2^{n/2}$. Moreover, some relationships between the SNR of $(n, m)$-functions and three other cryptographic parameters are provided. Furthermore, the SNR of many (4, 4) S-boxes is described via practical simulations.