1 Introduction

The Advanced Encryption Standard (AES)  [13] is the main and widely used symmetric cryptosystem. It was standardized by NIST in 2000 in replacement of DES  [7]. AES is a Substitution Permutation Network (SPN) which is based on a non-linear substitution layer and a linear diffusion layer. The non-linear layer is represented by a \(16\times 16\) S-box which is a permutation of the Galois finite field \(\mathbb {F}_{2^8}\). The design of the S-box is a challenging task since the security of AES is mainly based on its structure. A strong S-box should satisfy several cryptographic criteria to resist the known cryptanalytic attacks, such as linear cryptanalysis  [12] and differential cryptanalysis  [1]. Although AES is resistant to linear and differential attacks, it presents some weaknesses in regards with a variety of cryptanalytic criteria. A typical example is that an S-box should have high algebraic degree when expressed as a polynomial. The AES S-box has algebraic degree 254 with only 9 monomials which is very simple  [11]. Another weak criterion for the AES S-box is that some elements of \(\mathbb {F}_{2^8}\) have short iterative periods as it is the case with \(S^2(0x73)= 0x73\), \(S^{27}(0xfa)=0xfa\), \(S^{59}(0x00)=0x00\), \(S^{81}(0x01)=0x01\), and \(S^{87}(0x04)=0x04\) (see  [5]). One more weak criterion for the AES S-box is the distance to SAC (Strict Avalanche Criterion) which is evaluated to 432  [5] while it should be as small as possible. Yet another example of the weakness of the AES S-box is its affine transformation period  [5, 16]. It is equal to 4 which is very low in comparison with the optimal value 16.

In the literature, various techniques and tools have been proposed to create strong S-boxes for AES (see  [5, 9, 10, 15, 17, 20, 21] for various constructions of S-boxes). In most cases, the proposed S-box is based on a bijective function on \(\mathbb {F}_{2^8}\) with an explicit formulae. In AES  [13], the S-box is a \(16\times 16\) table of bytes obtained by a function of the form \(f(x)=Ax^{-1}+b\) where, for \(x\ne 0\), \(x^{-1}\) is the inverse of x in \(\mathbb {F}_{2^8}\), and \(0^{-1}=0\), and where A is a \(8\times 8\) a circular matrix of bits and \(b=0x63\). In  [5], the proposed S-box is obtained by a function of the form \(f(x)= A'(A'x+b')^{-1}+b'\) where \(A'\) is a \(8\times 8\) circular matrix of bits obtained by 0x5b and \(b'=0x5d\). The proposed S-box in  [5] has better values for some cryptographic criteria. Typically, the distance to SAC is reduced to 372, the iterative period is increased to 256, the affine transformation period is increased to 16, and the number of terms in the algebraic expression is increased to 255.

In this paper, we propose a new function over \(\mathbb {F}_{2^8}\) to construct \(16\times 16\) S-boxes of bytes with good cryptographic properties. The function is defined for a byte x by

$$ S(x)= {\left\{ \begin{array}{ll} \frac{Ax+ \alpha }{Ax+ \beta }, &{} \text {if } x \ne A^{-1}\beta \\ 0x01&{} \text {if } x = A^{-1}\beta , \end{array}\right. } $$

where A is an \(8\times 8\) invertible matrix of bits and \(\alpha \) and \(\beta \) are two fixed different bytes. The cryptographic properties of the new S-boxes depend on the choice of A, \(\alpha \) and \(\beta \) and there are approximately \(5.3 \times 10^{18}\) of possible values. In this paper, we consider the parameters

$$ A = \left( \begin{array}{cccccccc} 1&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 1&{}1&{}0&{}0&{}1&{}0&{}0&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 0&{}0&{}1&{}0&{}0&{}0&{}1&{}0\\ 1&{}0&{}0&{}0&{}1&{}0&{}1&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}0\\ 1&{}1&{}0&{}1&{}0&{}1&{}1&{}0 \end{array} \right) , ~~~~\alpha = 0xfe , ~~~~\beta = 0x3f. $$

With the former values, some of the cryptographic criteria are improved. The distance to SAC is reduced to 328, the iterative period is increased to 256, and the number of terms in the algebraic expression is increased to 255. We notice that our construction ovoids any affine structure while in AES and in  [5], there are induced affine transformations of the form \(f(x)=A'x+b\) where the \(8\times 8\) bit-matrix \(A'\) and the byte b are constant.

The rest of the paper is organized as follows. In Sect. 2, we present some known facts related to AES, in Sect. 3, we present the new S-box and, in Sect. 4, we study the cryptographic criteria of the proposed S-box. In Sect. 5, we give a comparison of the new S-box with the AES S-box and other existing S-boxes. We conclude the paper in Sect. 6.

2 Preliminaries

In this section, we present the main mathematical properties that will be used in this paper.

2.1 Description of an S-box

An S-box of a block cipher is a \(n\times n\) matrix defined by a multivariate Boolean function \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) such that for \(x\in \mathbb {F}_{2^n}\),

$$ S(x)=(S_{n-1}(x),\ldots ,S_{0}(x)), $$

where \(S_i\), \(0\le i\le n-1\) is a component Boolean function. An S-box should be bijective with no fixed point and should guarantee nonlinearity to the cryptosystem and strengthen its cryptographic security. Moreover, it should satisfy several criteria such as balancedness  [14], strict avalanche criterion (SAC)  [18], distance to SAC  [18], bit independence criterion (BIC)  [8], algebraic complexity and algebraic degree  [2].

2.2 Description of AES

AES is a block cipher with 128-bits blocks. It operates on blocks, called states which are 4 \(\times \) 4 arrays of bytes. Each state is indexed \(0,\ldots ,15\). The rows are in the form \((i,i+4,i+8,i+12)\) while the columns are in the form \((4i,4i+1,4i+2,4i+3)\) for \(0\le i\le 3\). AES has \(N_r\in \{10,12,14\}\) rounds, formed by the transformations AddRoundKey, SubBytes, ShiftRows, and MixColumns as follows.

  1. 1.

    The first round is preceded by a transformation denoted AddRoundKey.

  2. 2.

    The first \(N_r-1\) rounds are composed by 4 transformations:

    1. (a)

      SubBytes Transformation: it is a non linear transformation of the state and is represented by the S-box;

    2. (b)

      ShiftRows Transformation: it is a circular shift on the rows of the state;

    3. (c)

      MixColumns Transformation: it is a linear transformation of the state;

    4. (d)

      AddRoundKey Transformation: it is a transformation of the state by xoring a 128 bit key.

  3. 3.

    The final round is composed by the three transformations:

    1. (a)

      SubBytes Transformation;

    2. (b)

      ShiftRows Transformation;

    3. (c)

      AddRoundKey Transformation.

SubBytes is the transformation that is based on the S-box. The security of AES depends mainly on the structure of the S-box.

2.3 Structure of the AES S-box

AES uses the Galois field \(\mathbb {F}_{2^8}\), defined by

$$\mathbb {F}_{2^8} = \mathbb {F}_2[t]/(t^8 + t^4 + t^3 + t + 1),$$

where each byte \(b=(b_7,b_6,b_5,b_4,b_3,b_2,b_1,b_0)\in \mathbb {F}_{2}^8\) is mapped to the element

$$ b_7 t^7 + b_6 t^6 + b_5 t^5 + b_4 t^4 + b_3 t^3 + b_2 t^2 +b_1 t +b_0 $$

of the Galois field \(\mathbb {F}_{2^8}\). For example, the byte \(0x53 =(0,1,0,1,0,0,1,1)\) is identified with the field element \(t^6 + t^4 + t + 1\).

The AES S-box S is constructed by combining two transformations f and g for \(x\in \mathbb {F}_{2^8}\) by \(S(x)=g\circ f(x)\) where

  1. 1.

    The first transformation is the nonlinear function f defined by

    $$ f(x)= {\left\{ \begin{array}{ll} 0 &{}\hbox {if } x = 0, \\ x^{-1} &{} \hbox {if } x \ne 0. \end{array}\right. } $$

    Hence, the function f maps zero to zero, and for a non-zero field element x, it maps the element to its multiplicative inverse \(x^{-1}\) in \(\mathbb {F}_{2^8}\).

  2. 2.

    The second transformation g is the affine function defined by \(g(x)=Ax+ b\) where A is \(8\times 8\) bit-matrix and b is a constant. Namely, for a field element \(x=(x_7,x_6,x_5,x_4,x_3,x_2,x_1,x_0)\), \(y=Ax+b\) with

    $$ \left( \begin{array}{cccccccc} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{array} \right) = \left( \begin{array}{cccccccc} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 \\ 1 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 \\ 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 \\ 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 \\ 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 \\ 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 \\ 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 \end{array} \right) \left( \begin{array}{cccccccc} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{array} \right) + \left( \begin{array}{cccccccc} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{array} \right) $$

Here is an example showing \(S(0x53)=0xed\):

  • \(0x53 =(0,1,0,1,0,0,1,1)\) is mapped to \(t^6 + t^4 + t + 1\);

  • the inverse of \(t^6 + t^4 + t + 1\) modulo \(t^8 + t^4 + t^3 + t + 1\) is \(t^7 + t^6 + t^3 + t\) so

    $$ f(t^6 + t^4 + t + 1) = t^7 + t^6 + t^3 + t, $$

    which is (1, 1, 0, 0, 1, 0, 1, 0) in binary form;

  • apply the affine transformation g

    $$ \left( \begin{array}{cccccccc} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 \\ 1 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 \\ 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 \\ 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 \\ 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 \\ 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 \\ 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 \end{array} \right) \left( \begin{array}{cccccccc} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 1 \end{array} \right) + \left( \begin{array}{cccccccc} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{array} \right) = \left( \begin{array}{cccccccc} 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \end{array} \right) ; $$

  • the S-box output is then (1, 1, 1, 0, 1, 1, 0, 1), that is 0xed.

2.4 Algebraic Complexity of AES S-box

The algebraic complexity of an S-box S is measured by the number of non trivial monomials in the representation of S by a polynomial such that

$$ S(x)=a_{255}x^{255}+a_{254}x^{254}+\cdots +a_1x+a_0. $$

The AES S-box is constructed using the function \(S(x)=g\circ f(x)\) where \(f(x)=x^{-1}=x^{254}\) and \(g(x)=Ax+B\). Hence f is a power function and g is an affine function. For a combination of such kind of functions, the following result fixes the algebraic complexity (see  [4]).

Theorem 1

Let \(S=g\circ f\) be the function of an S-box on \(\mathbb {F}_2^{n}\) with a power function f and an affine function g. Then the algebraic complexity of S is at most \(n+1\).

The former result partially explains why the algebraic complexity of AES is 9  [4].

3 The Proposed S-box

In this section, we present the new S-box. We first define a \(8\times 8\) invertible matrix A with components in \(\mathbb {F}_2\) and two constants \(\alpha ,\beta \in \mathbb {F}_{2^8}\). The following result gives the number of invertible matrices with entries in \(\mathbb {F}_2\) (see  [19], Section 3.3).

Lemma 1

Let \(\mathbb {F}_q\) be a finite field with q elements. For \(n\ge 2\), let \(GL(n,\mathbb {F}_q)\) be the group of invertible \(n\times n\) matrices with entries in \(\mathbb {F}_q\). The order of \(GL(n,\mathbb {F}_q)\) is

$$ \left| GL(n,\mathbb {F}_q)\right| =\prod _{k=0}^{n-1}\left( q^n-q^k\right) . $$

For \(n=8\) and \(q=2\), the group \(GL(8,\mathbb {F}_{2})\) of invertible \(8\times 8\) matrices A with entries in \(\mathbb {F}_2\), the order is

$$ \left| GL(8,\mathbb {F}_{2})\right| = 5~348~063~769~211~699~200 \approx 5.3 \times 10^{18}. $$

Let

$$ A = \left( \begin{array}{cccccccc} 1&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 1&{}1&{}0&{}0&{}1&{}0&{}0&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 0&{}0&{}1&{}0&{}0&{}0&{}1&{}0\\ 1&{}0&{}0&{}0&{}1&{}0&{}1&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}0\\ 1&{}1&{}0&{}1&{}0&{}1&{}1&{}0 \end{array} \right) $$

and

$$ \alpha = 0xfe = (1,1,1,1, 1,1,1,0),\quad \beta = 0x3f = (0,0,1,1, 1,1,1,1). $$

The new S-box is generated by the multivariate Boolean function \(S_N\) defined for \(x\in \mathbb {F}_{2^8}\) by

$$\begin{aligned} S_N(x)= {\left\{ \begin{array}{ll} \frac{Ax+ \alpha }{Ax+ \beta }, &{} \text {if } Ax+ \beta \ne 0 \\ 0x01&{} \text {if } Ax+ \beta =0, \end{array}\right. } \end{aligned}$$
(1)

Here are two examples showing \(S_N(0xdd) = 0xed\) and \(S_N(0xfa) = 0x01\).

Example 1: \(S_N(0xdd) = 0xed\)

  • \(0xdd = (1,1,0,1,1,1,0,1) = (x_7,x_6,x_5,x_4,x_3,x_2,x_1,x_0)\)

  • apply the affine transformation \(Ax+\beta \)

    $$ \left( \begin{array}{cccccccc} 1&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 1&{}1&{}0&{}0&{}1&{}0&{}0&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 0&{}0&{}1&{}0&{}0&{}0&{}1&{}0\\ 1&{}0&{}0&{}0&{}1&{}0&{}1&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}0\\ 1&{}1&{}0&{}1&{}0&{}1&{}1&{}0 \end{array} \right) \left( \begin{array}{cccccccc} 1\\ 0\\ 1\\ 1\\ 1\\ 0\\ 1\\ 1 \end{array} \right) + \left( \begin{array}{cccccccc} 1\\ 1\\ 1\\ 1\\ 1\\ 1\\ 0\\ 0 \end{array} \right) = \left( \begin{array}{cccccccc} 0\\ 0\\ 0\\ 1\\ 1\\ 1\\ 0\\ 1 \end{array} \right) $$

    so \(Ax+\beta = (1,0,1,1,1,0,0,0) = 0xb8\)

  • apply the affine transformation \(Ax+\alpha \)

    $$ \left( \begin{array}{cccccccc} 1&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 1&{}1&{}0&{}0&{}1&{}0&{}0&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 0&{}0&{}1&{}0&{}0&{}0&{}1&{}0\\ 1&{}0&{}0&{}0&{}1&{}0&{}1&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}0\\ 1&{}1&{}0&{}1&{}0&{}1&{}1&{}0 \end{array} \right) \left( \begin{array}{cccccccc} 1\\ 0\\ 1\\ 1\\ 1\\ 0\\ 1\\ 1 \end{array} \right) + \left( \begin{array}{cccccccc} 0\\ 1\\ 1\\ 1\\ 1\\ 1\\ 1\\ 1 \end{array} \right) = \left( \begin{array}{cccccccc} 1\\ 0\\ 0\\ 1\\ 1\\ 1\\ 1\\ 0 \end{array} \right) $$

    so \(Ax+\alpha = (0,1,1,1,1,0,0,1) = 0x79\)

  • Calculate the S-box value

    $$\begin{aligned} S_N(0xdd)= & {} \frac{Ax+\alpha }{Ax+\beta }\\= & {} \frac{0x79}{0xb8}\\= & {} \frac{t^6+t^5+t^4+t^3+1}{t^7+t^5+t^4+t^3}\\= & {} t^7+t^6+t^5+t^3+t^2+1\pmod {t^8 + t^4 + t^3 + t + 1}\\= & {} (1,1,1,0, 1,1,0,1)\\= & {} 0xed. \end{aligned}$$

Example 2: \(S_N(0xfa) = 0x01\)

  • \(0xfa = (1,1,1,1, 1,0,1,0) = (x_7,x_6,x_5,x_4,x_3,x_2,x_1,x_0)\)

  • apply the affine transformation \(Ax+\beta \)

    $$ \left( \begin{array}{cccccccc} 1&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 1&{}1&{}0&{}0&{}1&{}0&{}0&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}0&{}1&{}1&{}0&{}1\\ 0&{}0&{}1&{}0&{}0&{}0&{}1&{}0\\ 1&{}0&{}0&{}0&{}1&{}0&{}1&{}1\\ 0&{}1&{}1&{}1&{}0&{}0&{}0&{}0\\ 1&{}1&{}0&{}1&{}0&{}1&{}1&{}0 \end{array} \right) \left( \begin{array}{cccccccc} 0\\ 1\\ 0\\ 1\\ 1\\ 1\\ 1\\ 1 \end{array} \right) + \left( \begin{array}{cccccccc} 1\\ 1\\ 1\\ 1\\ 1\\ 1\\ 0\\ 0 \end{array} \right) = \left( \begin{array}{cccccccc} 0\\ 0\\ 0\\ 0\\ 0\\ 0\\ 0\\ 0 \end{array} \right) $$

    so \(Ax+\beta = (0,0,0,0,0,0,0,0) = 0x00\)

  • Therefore, using the definition of \(S_N\) in (1), we get

    $$ S_N(0xfa) = 0x01. $$

Applying the function \(S_N\) to \(\mathbb {F}_{2^8}\), we get the new S-box presented in Table 1.

Table 1. The new S-box
Full size table

The inverse function of \(S_N\) is \(S_N^{-1}\) and is defined for a byte y by

$$ S_N^{-1}(y)= {\left\{ \begin{array}{ll} A^{-1}\left( \frac{\beta y+ \alpha }{y+ 1}\right) , &{} \text {if } y \ne 0x01 \\ A^{-1}\beta &{} \text {if } y = 0x01. \end{array}\right. } $$

The new inverse S-box is presented in Table 2.

Table 2. The new inverse S-box
Full size table

4 Cryptographic Criteria of the New S-box

4.1 Linear Cryptanalysis of the New S-box

The resistance against linear cryptanalysis of a block cipher with an S-box function S over \(\mathbb {F}_{2^n}\) is measured by the non-linearity parameter NL(S), defined as (see  [2], Section 3)

$$ NL(S)=2^{n-1}-\frac{1}{2}\max _{a\in \mathbb {F}_2^{n*},b\in \mathbb {F}_2^{n}} \left| \sum _{x\in \mathbb {F}_{2^n}}(-1)^{a\cdot S(x)\oplus b\cdot x}\right| , $$

where \(u\cdot v\) is the dot product of u and v, defined by

$$ u\cdot v=(u_{n-1},\cdots ,u_0)\cdot (v_{n-1},\cdots ,v_0)=u_{n-1}v_{n-1}\oplus \cdots \oplus u_0v_0. $$

The non-linearity parameter NL(S) is upper bounded by \(2^{n-1}-2^{\frac{n}{2}-1}\) (see  [6]). For \(n=8\), the upper bound becomes \(2^7-2^3=120\) while the non-linearity value NL(S) is 112 for both AES S-box and the new S-box, which is very close to the maximal value of perfect nonlinear function.

4.2 Differential Cryptanalysis of the New S-box

The resistance against differential cryptanalysis of a block cipher with S-box function S over \(\mathbb {F}_{2^n}\) is measured by the differential uniformity parameter \(\delta (S)\), defined as

$$ \delta (S)=\max _{(a,b)\in \mathbb {F}_{2^n}^* \times \mathbb {F}_{2^m}} D(a,b), $$

where, for \((a,b)\in \mathbb {F}_{2^n}^2\),

$$ D(a,b)= \left| \{x\in \mathbb {F}_{2^n}\ |\ S(x)+S(x+a)=b \}\right| , $$

is the differential distribution of the S-box. For the new S-box, we have the following properties which are similar than the AES S-box:

  • \(D(0,0)=256\).

  • For all \(a\ne 0\), \(D(a,0)=0\).

  • For all \(b\ne 0\), \(D(0,b)=0\).

  • For all \(a\ne 0\), \(\left| \{b\in \mathbb {F}_{2^n} | D(a,b)=0\}\right| =129\).

  • For all \(b\ne 0\), \(\left| \{a\in \mathbb {F}_{2^n} | D(a,b)=0\}\right| =129\).

  • For all \(a\ne 0\), \(\left| \{b\in \mathbb {F}_{2^n} | D(a,b)=2\}\right| =126\).

  • For all \(b\ne 0\), \(\left| \{a\in \mathbb {F}_{2^n} | D(a,b)=2\}\right| =126\).

  • For all \(a\ne 0\), \(\left| \{b\in \mathbb {F}_{2^n} | D(a,b)=4\}\right| =1\).

  • For all \(b\ne 0\), \(\left| \{a\in \mathbb {F}_{2^n} | D(a,b)=4\}\right| =1\).

  • For all \(\delta \not \in \{0,2,4\}\), \(\left| \{(a,b)\in \mathbb {F}_{2^n}^2 | D(a,b)=\delta \}\right| =0\).

The lower bound of the differential uniformity for an S-box defined over \(\mathbb {F}_{2^n}\) is 2  [3]. The maximal differential uniformity for the new S-box is 4, which is similar than the AES S-box (see  [3, 4]).

4.3 Bit Independence Criterion (BIC) of the New S-box

The bit independence criterion (BIC) was introduced by Webster and Tavares in  [18]. It states that, if any input bit i is inverted in x, this changes any output bits j and k without any dependence on each other. This is useful to avoid any statistical pattern or statistical dependencies between output bits of the output vectors. Hence, for a strong S-box, the dependence between output bits should be as small as possible.

Definition 1

Let \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be a multivariate Boolean function defining an S-box. Let \(\alpha _i=(\delta _{i,n-1},\ldots ,\delta _{i,0})\) where \(\delta _{i,i}=1\) and \(\delta _{i,j}=0\) if \(i\ne j\). For all \(x\in \mathbb {F}_{2^n}\), the corresponding vector to \(S(x)\oplus S(x\oplus \alpha _i)\) is

$$ v(i,x)=\left( a_{i,n-1}(x),\ldots ,a_{i,0}(x))\right) . $$

The list \((a_{i,j}(x))\) of all \(x\in \mathbb {F}_{2^n}\) is denoted \(a_{i,j}\).

The correlation coefficient of \((a_{i,j},a_{i,k})\) is defined as

$$ \text {corr}(a_{i,j},a_{i,k})= \frac{\frac{1}{2^n}\left( \sum _{x\in \mathbb {F}_{2^n}}a_{i,j}(x)a_{i,k}(x)\right) -E(a_{i,j})E(a_{i,k})}{\sqrt{E\left( a_{i,j}^2\right) -\left( E(a_{i,j})\right) ^2}\cdot \sqrt{E\left( a_{i,k}^2\right) -\left( E(a_{i,k})\right) ^2}}, $$

where E(t) is the expected value of the list t.

A bit independence parameter corresponding to the independence of the output bits j and k under the effect of the change of the input bit i is defined as

$$ BIC(j,k)=\max _{0\le i\le n-1}\text {corr}(a_{i,j},a_{i,k}). $$

The table of BIC(ij), \(0\le i,j\le 7\), for the new S-box is listed in Table 3. For comparison, the table of BIC(ij), \(0\le i,j\le 7\), for the AES S-box is listed in Table 4.

Table 3. Table of \(BIC(a_j,a_k)\) for the New S-box
Full size table
Table 4. Table of \(BIC(a_j,a_k)\) for the AES S-box
Full size table

For the whole S-box, defined by the function S, the bit independence criterion parameter is defined as

$$ BIC(S)=\max _{0\le j<k\le n-1}BIC(j,k). $$

For the new S-box, the BIC value is 0.12. This is better than the BIC of the AES S-box which is 0.13.

4.4 Periodicity of the New S-box

The periodicity of an S-box is related to the number of minimum compositions to get the identity function (see  [5, 16]).

Definition 2

Let \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be the function defining an S-box. For \(x\in \mathbb {F}_{2^n}\), the period of x under S is the smallest positive integer n such that \(S^n(x)=x\).

It is shown in Table 5 that in AES, there are 5 possible periods, namely 2, 27, 59, 81 and 87 containing respectively 2, 27, 59, 81 and 87 different elements of \(\mathbb {F}_{2^8}\).

Table 5. Periodicity of the AES S-box
Full size table

For the new S-box, as shown in Table 6, 256 is the unique period so that the distribution of elements of \(\mathbb {F}_{2^8}\) is more balanced for the periodicity criterion.

Table 6. Periodicity of the new S-box
Full size table

4.5 Fixed and Opposite Points

Definition 3

The opposite of \(x\in \mathbb {F}_{2^8}\) is the field element \(\bar{x}\in \mathbb {F}_{2^8}\) such that \(x+\bar{x}=0xff\).

The AES S-box has no fixed point, that is \(S(x) \ne x\) and no opposite fixed points, that is \(S(x) \ne \bar{x}\)) for all \(x\in \mathbb {F}_{2^8}\) (see  [6]). Similarly, the new S-box has no fixed points and no opposite fixed points.

4.6 Algebraic Complexity of the New S-box

Let S be an S-box over \(\mathbb {F}_{2^n}\). Then S is completely defined by the set \(\{(x_i,y_i)\ |\ x_i\in \mathbb {F}_{2^n},\ y_i=S(x_i)\}\). A polynomial expression for S is determined by Lagrange’s interpolation polynomial

$$ P(x)=\sum _{i=1}^{n}y_iL_i(x),\quad L_i(x)=\displaystyle {\frac{\prod _{j\ne i}(x-x_j)}{\prod _{j\ne i}(x_i-x_j)}}. $$

The polynomial P(x) is of degree of at most \(2^n-1\) and the number of its non-zero monomials is called the algebraic complexity. For AES, the polynomilal is  [4]

$$\begin{aligned} \begin{aligned} P(x)=\,&05x^{254}+09x^{253}+f9x^{251}+25x^{247}+f4x^{239}+01x^{223}+b5x^{191}\\ {}&+8fx^{127}+63, \end{aligned} \end{aligned}$$

which shows that the algebraic complexity for AES is 9. For the new S-box, the polynomial is of the form

$$ P(x)=\sum _{i=0}^{255}a_ix^i, $$

where the list of the coefficients \(a_i\) is listed in Table 7. From this table, we see that the algebraic complexity of the new S-box is 255, which is optimal and makes it more resistant to possible algebraic attacks than the AES S-box.

Table 7. Algebraic expression of the new S-box
Full size table

Similarly, the algebraic expression of the inverse of the new S-box is presented in Table 8 and has 254 monomials which is almost optimal.

Table 8. Algebraic expression of the inverse of the new S-box
Full size table

4.7 Strict Avalanche Criterion (SAC) of the New S-box

In  [18], Webster and Tavares introduced an important criterion for strong S-boxes, called strict avalanche criterion (SAC). This criterion states that a single bit change in the input of a strong S-box should change the output bit with probability approaching \(\frac{1}{2}\).

Definition 4

A vectorial Boolean function \(S: \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) satisfies SAC if and only if for all i, \(0\le i\le n-1\),

$$ \sum _{x\in \mathbb {F}_{2^n}} f(x)\oplus S(x\oplus \alpha _i)=\left( 2^{n-1},\ldots ,2^{n-1}\right) , $$

where the binary representation of \(\alpha _i\in \mathbb {F}_{2^n}\) is a vector of length n with a 1 in the ith position and 0 elsewhere.

Consequently, an S-box having a value of SAC closer to \(\left( 2^{n-1},\ldots ,2^{n-1}\right) \) has a good SAC property. Table 9 gives the SAC values of the new S-box and Table 10 gives the Sac values of the AES S-box.

Table 9. SAC of the new S-box
Full size table
Table 10. SAC of the AES S-box
Full size table

From Table 9 and Table 10, we see that the mean value for SAC for the new S-box is 128.625 while it is 129.25 for the AES S-box.

4.8 Distance to SAC of the New S-box

In general, the SAC criterion is not absolutely performed by an S-box. A practical way to measure the deviation of the SAC the S-box is to compute the distance to sac.

Definition 5

Let \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be the function defining an S-box such that

$$ S(x_{n-1},\ldots ,x_0)=\left( f_{n-1}(x),\ldots ,f_0(x_0)\right) . $$

The distance to SAC of S is the value

$$ DSAC(S)=\sum _{j=0}^{n-1}\sum _{i=0}^{n-1}\left| \sum _{x\in \mathbb {F}_{2^n}} f_i(x\oplus \alpha _j)\oplus f_i(x)-2^{n-1}\right| . $$

where the binary representation of \(\alpha _j\in \mathbb {F}_{2^n}\) is a vector of length n with a 1 in the jth position and 0 elsewhere.

A strong S-box should have a small DSAC. From Table 10, we find that DSAC for the AES S-box is 432 (see  [5]) while Table 9 shows that DSAC for the new S-box 328.

5 Comparison with Existing S-boxes

In Table 11, we listed the performance of the AES S-box, the S-box proposed by Cui et al.  [5] and the new S-box. The table shows that, for all cryptographic criteria, the performance of the new S-box is equal or better than the former ones and they are closer to the performances of an optimal S-box. This implies that the new S-box has better security than the former ones and is suitable for use in AES.

Table 11. Comparison of the new S-box with two former S-boxes
Full size table

6 Conclusion

In this paper, we presented a new S-box for the AES encryption scheme and analyzed its security by studying the main cryptographic criteria. For all the criteria, the performances of the new S-box are at least as good as the performances of the existing S-boxes. More specifically, the new S-box has better distance to SAC, better BIC and better algebraic complexity.