Choosing the function of intermediate values

Hi everyone, I am new in this area.
I have a question for clearly understanding about SCA. Why do we usually choose the non-linear part (Subbyte) for taking the intermediate values?

Thank all of you.


There’s three main reasons why we choose a nonlinear mix of the key and the text to attack:

  1. There tends to be some other operations that also linearly correlate with the plaintext, giving “ghost peaks”
  2. Linear operations tend to give a poor separation between correct and incorrect keys. Whereas attacking the STM32F3/TINYAES SBox, you’ll get a correlation different around 0.4 or 0.5, attacking the XOR will typically only give you a difference around 0.1. This becomes a much bigger problem with hardware AES than it is for software AES as well.
  3. A more minor point, but with XOR, the sign of the correlation will actually matter, since the key and the inverse of the key will have the exact same correlation


Thank you very much, Alex