Abstract
The Advanced Encryption Standard (AES) is the most widely used symmetric encryption algorithm. Its security is mainly based on the structure of the S-box. In this paper, we present a new way to create S-boxes for AES and exhibit an S-box with improved cryptographic properties such as Bit Independence Criterion (BIC), periodicity, algebraic complexity, Strict Avalanche Criterion (SAC) and Distance to SAC.
1 Introduction
The Advanced Encryption Standard (AES) [13] is the main and most widely used symmetric cryptosystem. It was standardized by NIST in 2000 as a replacement for DES [7]. AES is a Substitution Permutation Network (SPN) built from a non-linear substitution layer and a linear diffusion layer. The non-linear layer is represented by a \(16\times 16\) S-box, which is a permutation of the Galois finite field \(\mathbb {F}_{2^8}\). The design of the S-box is a challenging task since the security of AES rests mainly on its structure. A strong S-box should satisfy several cryptographic criteria to resist the known cryptanalytic attacks, such as linear cryptanalysis [12] and differential cryptanalysis [1]. Although AES is resistant to linear and differential attacks, it presents some weaknesses with regard to a variety of cryptanalytic criteria. A typical example is that an S-box should have a high algebraic degree when expressed as a polynomial. The AES S-box has algebraic degree 254 with only 9 monomials, which is very simple [11]. Another weak criterion for the AES S-box is that some elements of \(\mathbb {F}_{2^8}\) have short iterative periods, as is the case with \(S^2(0x73)= 0x73\), \(S^{27}(0xfa)=0xfa\), \(S^{59}(0x00)=0x00\), \(S^{81}(0x01)=0x01\), and \(S^{87}(0x04)=0x04\) (see [5]). One more weak criterion for the AES S-box is the distance to SAC (Strict Avalanche Criterion), which is evaluated to 432 [5] while it should be as small as possible. Yet another example of the weakness of the AES S-box is its affine transformation period [5, 16]. It is equal to 4, which is very low in comparison with the optimal value 16.
In the literature, various techniques and tools have been proposed to create strong S-boxes for AES (see [5, 9, 10, 15, 17, 20, 21] for various constructions of S-boxes). In most cases, the proposed S-box is based on a bijective function on \(\mathbb {F}_{2^8}\) with an explicit formula. In AES [13], the S-box is a \(16\times 16\) table of bytes obtained by a function of the form \(f(x)=Ax^{-1}+b\) where, for \(x\ne 0\), \(x^{-1}\) is the inverse of x in \(\mathbb {F}_{2^8}\), and \(0^{-1}=0\), and where A is an \(8\times 8\) circulant matrix of bits and \(b=0x63\). In [5], the proposed S-box is obtained by a function of the form \(f(x)= A'(A'x+b')^{-1}+b'\) where \(A'\) is an \(8\times 8\) circulant matrix of bits obtained from 0x5b and \(b'=0x5d\). The S-box proposed in [5] has better values for some cryptographic criteria. Typically, the distance to SAC is reduced to 372, the iterative period is increased to 256, the affine transformation period is increased to 16, and the number of terms in the algebraic expression is increased to 255.
In this paper, we propose a new function over \(\mathbb {F}_{2^8}\) to construct \(16\times 16\) S-boxes of bytes with good cryptographic properties. The function is defined for a byte x by
where A is an \(8\times 8\) invertible matrix of bits and \(\alpha \) and \(\beta \) are two fixed, distinct bytes. The cryptographic properties of the new S-boxes depend on the choice of A, \(\alpha \) and \(\beta \), and there are approximately \(5.3 \times 10^{18}\) possible choices. In this paper, we consider the parameters
With these values, some of the cryptographic criteria are improved. The distance to SAC is reduced to 328, the iterative period is increased to 256, and the number of terms in the algebraic expression is increased to 255. We note that our construction avoids any affine structure, while in AES and in [5] there are induced affine transformations of the form \(f(x)=A'x+b\) where the \(8\times 8\) bit-matrix \(A'\) and the byte b are constant.
The rest of the paper is organized as follows. In Sect. 2, we present some known facts related to AES, in Sect. 3, we present the new S-box and, in Sect. 4, we study the cryptographic criteria of the proposed S-box. In Sect. 5, we give a comparison of the new S-box with the AES S-box and other existing S-boxes. We conclude the paper in Sect. 6.
2 Preliminaries
In this section, we present the main mathematical properties that will be used in this paper.
2.1 Description of an S-box
An S-box of a block cipher is an \(n\times n\) matrix defined by a multivariate Boolean function \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) such that for \(x\in \mathbb {F}_{2^n}\),
where \(S_i\), \(0\le i\le n-1\) is a component Boolean function. An S-box should be bijective with no fixed point and should guarantee nonlinearity to the cryptosystem and strengthen its cryptographic security. Moreover, it should satisfy several criteria such as balancedness [14], strict avalanche criterion (SAC) [18], distance to SAC [18], bit independence criterion (BIC) [8], algebraic complexity and algebraic degree [2].
2.2 Description of AES
AES is a block cipher with 128-bit blocks. It operates on blocks, called states, which are 4 \(\times \) 4 arrays of bytes. Each state is indexed \(0,\ldots ,15\). The rows are of the form \((i,i+4,i+8,i+12)\) while the columns are of the form \((4i,4i+1,4i+2,4i+3)\) for \(0\le i\le 3\). AES has \(N_r\in \{10,12,14\}\) rounds, formed by the transformations AddRoundKey, SubBytes, ShiftRows, and MixColumns as follows.
1. The first round is preceded by a transformation denoted AddRoundKey.
2. The first \(N_r-1\) rounds are each composed of 4 transformations:
   (a) SubBytes Transformation: a non-linear transformation of the state, represented by the S-box;
   (b) ShiftRows Transformation: a circular shift of the rows of the state;
   (c) MixColumns Transformation: a linear transformation of the state;
   (d) AddRoundKey Transformation: a transformation of the state by XORing it with a 128-bit round key.
3. The final round is composed of three transformations:
   (a) SubBytes Transformation;
   (b) ShiftRows Transformation;
   (c) AddRoundKey Transformation.
SubBytes is the transformation that is based on the S-box. The security of AES depends mainly on the structure of the S-box.
2.3 Structure of the AES S-box
AES uses the Galois field \(\mathbb {F}_{2^8}\), defined by
where each byte \(b=(b_7,b_6,b_5,b_4,b_3,b_2,b_1,b_0)\in \mathbb {F}_{2}^8\) is mapped to the element
of the Galois field \(\mathbb {F}_{2^8}\). For example, the byte \(0x53 =(0,1,0,1,0,0,1,1)\) is identified with the field element \(t^6 + t^4 + t + 1\).
The AES S-box S is constructed by combining two transformations f and g for \(x\in \mathbb {F}_{2^8}\) by \(S(x)=g\circ f(x)\) where
1. The first transformation is the nonlinear function f defined by
$$ f(x)= \begin{cases} 0 & \text{if } x = 0, \\ x^{-1} & \text{if } x \ne 0. \end{cases} $$
Hence, the function f maps zero to zero, and for a non-zero field element x, it maps the element to its multiplicative inverse \(x^{-1}\) in \(\mathbb {F}_{2^8}\).
2. The second transformation g is the affine function defined by \(g(x)=Ax+ b\) where A is an \(8\times 8\) bit-matrix and b is a constant. Namely, for a field element \(x=(x_7,x_6,x_5,x_4,x_3,x_2,x_1,x_0)\), \(y=Ax+b\) with
$$ \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} = \begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix} \begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} $$
Here is an example showing \(S(0x53)=0xed\):
- \(0x53 =(0,1,0,1,0,0,1,1)\) is mapped to \(t^6 + t^4 + t + 1\);
- the inverse of \(t^6 + t^4 + t + 1\) modulo \(t^8 + t^4 + t^3 + t + 1\) is \(t^7 + t^6 + t^3 + t\), so
$$ f(t^6 + t^4 + t + 1) = t^7 + t^6 + t^3 + t, $$
which is (1, 1, 0, 0, 1, 0, 1, 0) in binary form;
- apply the affine transformation g:
$$ \begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \end{pmatrix} ; $$
- the S-box output is then (1, 1, 1, 0, 1, 1, 0, 1), that is 0xed.
2.4 Algebraic Complexity of AES S-box
The algebraic complexity of an S-box S is measured by the number of non trivial monomials in the representation of S by a polynomial such that
The AES S-box is constructed using the function \(S(x)=g\circ f(x)\) where \(f(x)=x^{-1}=x^{254}\) and \(g(x)=Ax+B\). Hence f is a power function and g is an affine function. For a composition of functions of this kind, the following result bounds the algebraic complexity (see [4]).
Theorem 1
Let \(S=g\circ f\) be the function of an S-box on \(\mathbb {F}_2^{n}\) with a power function f and an affine function g. Then the algebraic complexity of S is at most \(n+1\).
This result partially explains why the algebraic complexity of AES is 9 [4].
3 The Proposed S-box
In this section, we present the new S-box. We first define an \(8\times 8\) invertible matrix A with components in \(\mathbb {F}_2\) and two constants \(\alpha ,\beta \in \mathbb {F}_{2^8}\). The following result gives the number of invertible matrices with entries in \(\mathbb {F}_2\) (see [19], Section 3.3).
Lemma 1
Let \(\mathbb {F}_q\) be a finite field with q elements. For \(n\ge 2\), let \(GL(n,\mathbb {F}_q)\) be the group of invertible \(n\times n\) matrices with entries in \(\mathbb {F}_q\). The order of \(GL(n,\mathbb {F}_q)\) is
For \(n=8\) and \(q=2\), the order of the group \(GL(8,\mathbb {F}_{2})\) of invertible \(8\times 8\) matrices A with entries in \(\mathbb {F}_2\) is
Let
and
The new S-box is generated by the multivariate Boolean function \(S_N\) defined for \(x\in \mathbb {F}_{2^8}\) by
Here are two examples showing \(S_N(0xdd) = 0xed\) and \(S_N(0xfa) = 0x01\).
Example 1: \(S_N(0xdd) = 0xed\)
- \(0xdd = (1,1,0,1,1,1,0,1) = (x_7,x_6,x_5,x_4,x_3,x_2,x_1,x_0)\);
- apply the affine transformation \(Ax+\beta \):
$$ \begin{pmatrix} 1&0&0&0&1&1&0&1 \\ 1&1&0&0&1&0&0&1 \\ 0&1&1&1&0&0&0&1 \\ 0&0&0&0&1&1&0&1 \\ 0&0&1&0&0&0&1&0 \\ 1&0&0&0&1&0&1&1 \\ 0&1&1&1&0&0&0&0 \\ 1&1&0&1&0&1&1&0 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 1 \end{pmatrix}, $$
so \(Ax+\beta = (1,0,1,1,1,0,0,0) = 0xb8\);
- apply the affine transformation \(Ax+\alpha \):
$$ \begin{pmatrix} 1&0&0&0&1&1&0&1 \\ 1&1&0&0&1&0&0&1 \\ 0&1&1&1&0&0&0&1 \\ 0&0&0&0&1&1&0&1 \\ 0&0&1&0&0&0&1&0 \\ 1&0&0&0&1&0&1&1 \\ 0&1&1&1&0&0&0&0 \\ 1&1&0&1&0&1&1&0 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \end{pmatrix} + \begin{pmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \end{pmatrix}, $$
so \(Ax+\alpha = (0,1,1,1,1,0,0,1) = 0x79\);
- calculate the S-box value:
$$\begin{aligned} S_N(0xdd) &= \frac{Ax+\alpha }{Ax+\beta }\\ &= \frac{0x79}{0xb8}\\ &= \frac{t^6+t^5+t^4+t^3+1}{t^7+t^5+t^4+t^3}\\ &= t^7+t^6+t^5+t^3+t^2+1 \pmod {t^8 + t^4 + t^3 + t + 1}\\ &= (1,1,1,0, 1,1,0,1)\\ &= 0xed. \end{aligned}$$
Example 2: \(S_N(0xfa) = 0x01\)
- \(0xfa = (1,1,1,1, 1,0,1,0) = (x_7,x_6,x_5,x_4,x_3,x_2,x_1,x_0)\);
- apply the affine transformation \(Ax+\beta \):
$$ \begin{pmatrix} 1&0&0&0&1&1&0&1 \\ 1&1&0&0&1&0&0&1 \\ 0&1&1&1&0&0&0&1 \\ 0&0&0&0&1&1&0&1 \\ 0&0&1&0&0&0&1&0 \\ 1&0&0&0&1&0&1&1 \\ 0&1&1&1&0&0&0&0 \\ 1&1&0&1&0&1&1&0 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}, $$
so \(Ax+\beta = (0,0,0,0,0,0,0,0) = 0x00\);
- therefore, using the definition of \(S_N\) in (1), we get
$$ S_N(0xfa) = 0x01. $$
Applying the function \(S_N\) to \(\mathbb {F}_{2^8}\), we get the new S-box presented in Table 1.
The inverse function of \(S_N\) is \(S_N^{-1}\) and is defined for a byte y by
The new inverse S-box is presented in Table 2.
4 Cryptographic Criteria of the New S-box
4.1 Linear Cryptanalysis of the New S-box
The resistance against linear cryptanalysis of a block cipher with an S-box function S over \(\mathbb {F}_{2^n}\) is measured by the non-linearity parameter NL(S), defined as (see [2], Section 3)
where \(u\cdot v\) is the dot product of u and v, defined by
The non-linearity parameter NL(S) is upper bounded by \(2^{n-1}-2^{\frac{n}{2}-1}\) (see [6]). For \(n=8\), the upper bound becomes \(2^7-2^3=120\) while the non-linearity value NL(S) is 112 for both AES S-box and the new S-box, which is very close to the maximal value of perfect nonlinear function.
4.2 Differential Cryptanalysis of the New S-box
The resistance against differential cryptanalysis of a block cipher with S-box function S over \(\mathbb {F}_{2^n}\) is measured by the differential uniformity parameter \(\delta (S)\), defined as
where, for \((a,b)\in \mathbb {F}_{2^n}^2\),
is the differential distribution of the S-box. For the new S-box, we have the following properties, which are similar to those of the AES S-box:
- \(D(0,0)=256\).
- For all \(a\ne 0\), \(D(a,0)=0\).
- For all \(b\ne 0\), \(D(0,b)=0\).
- For all \(a\ne 0\), \(\left| \{b\in \mathbb {F}_{2^n} | D(a,b)=0\}\right| =129\).
- For all \(b\ne 0\), \(\left| \{a\in \mathbb {F}_{2^n} | D(a,b)=0\}\right| =129\).
- For all \(a\ne 0\), \(\left| \{b\in \mathbb {F}_{2^n} | D(a,b)=2\}\right| =126\).
- For all \(b\ne 0\), \(\left| \{a\in \mathbb {F}_{2^n} | D(a,b)=2\}\right| =126\).
- For all \(a\ne 0\), \(\left| \{b\in \mathbb {F}_{2^n} | D(a,b)=4\}\right| =1\).
- For all \(b\ne 0\), \(\left| \{a\in \mathbb {F}_{2^n} | D(a,b)=4\}\right| =1\).
- For all \(\delta \not \in \{0,2,4\}\), \(\left| \{(a,b)\in \mathbb {F}_{2^n}^2 | D(a,b)=\delta \}\right| =0\).
The lower bound of the differential uniformity for an S-box defined over \(\mathbb {F}_{2^n}\) is 2 [3]. The maximal differential uniformity for the new S-box is 4, which is the same as for the AES S-box (see [3, 4]).
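The S-box of Sect. 3 and the differential profile of Sect. 4.2, as an added Python example that is not the paper's code: A, \(\alpha \) and \(\beta \) are read off the column vectors in Examples 1 and 2 (so \(\alpha = 0xfe\) and \(\beta = 0x3f\) as bytes), the value at \(Ax=\beta \) follows Example 2, and the inverse is solved from \(y(Ax+\beta )=Ax+\alpha \). The DDT row histogram reproduces the 129/126/1 counts listed above for every nonzero input difference.

```python
# Added example (not from the paper): S_N(x) = (Ax+alpha)/(Ax+beta) over GF(2^8),
# its inverse, and the DDT row profile of the resulting S-box.
IRRED = 0x11B  # t^8 + t^4 + t^3 + t + 1, the AES field polynomial

# Rows of A as printed in Example 1: row i yields y_i, column j reads x_j (bit j of x).
A_ROWS = [
    [1, 0, 0, 0, 1, 1, 0, 1],
    [1, 1, 0, 0, 1, 0, 0, 1],
    [0, 1, 1, 1, 0, 0, 0, 1],
    [0, 0, 0, 0, 1, 1, 0, 1],
    [0, 0, 1, 0, 0, 0, 1, 0],
    [1, 0, 0, 0, 1, 0, 1, 1],
    [0, 1, 1, 1, 0, 0, 0, 0],
    [1, 1, 0, 1, 0, 1, 1, 0],
]
ALPHA = 0xFE  # column (0,1,1,1,1,1,1,1) read as (a_0, ..., a_7) in Example 1
BETA = 0x3F   # column (1,1,1,1,1,1,0,0) read as (b_0, ..., b_7) in Example 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo IRRED (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= IRRED
        b >>= 1
    return r

def gf_inv(a):
    """x^-1 = x^254 in GF(2^8); 0 maps to 0 (the AES convention)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def mat_apply(rows, x):
    """y_i = XOR over j of rows[i][j] * x_j, with x_j = bit j of x (bit 0 = LSB)."""
    y = 0
    for i, row in enumerate(rows):
        bit = 0
        for j, a in enumerate(row):
            bit ^= a & (x >> j) & 1
        y |= bit << i
    return y

def mat_inv(rows):
    """Inverse over GF(2) by Gauss-Jordan on [A | I]; rows are kept as bitmasks."""
    n = len(rows)
    m = [sum(b << j for j, b in enumerate(r)) | 1 << (n + i) for i, r in enumerate(rows)]
    for c in range(n):
        p = next(i for i in range(c, n) if m[i] >> c & 1)  # raises if A is singular
        m[c], m[p] = m[p], m[c]
        for i in range(n):
            if i != c and m[i] >> c & 1:
                m[i] ^= m[c]
    return [[m[i] >> (n + j) & 1 for j in range(n)] for i in range(n)]

def s_n(x):
    """S_N(x) = (Ax+alpha)/(Ax+beta); when Ax = beta the output is 1, the one value
    the fraction never takes (alpha != beta), so S_N is a bijection."""
    u = mat_apply(A_ROWS, x)
    if u == BETA:
        return 1
    return gf_mul(u ^ ALPHA, gf_inv(u ^ BETA))

A_INV_ROWS = mat_inv(A_ROWS)

def s_n_inverse(y):
    """Solve y(Ax+beta) = Ax+alpha: Ax = (alpha + y*beta)/(y+1) for y != 1, Ax = beta for y = 1."""
    v = BETA if y == 1 else gf_mul(ALPHA ^ gf_mul(y, BETA), gf_inv(y ^ 1))
    return mat_apply(A_INV_ROWS, v)

SBOX = [s_n(x) for x in range(256)]

def ddt_rows(sbox):
    """For each nonzero input difference a: {d: number of b with D(a,b) = d}."""
    rows = {}
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        rows[a] = {d: counts.count(d) for d in sorted(set(counts))}
    return rows

if __name__ == "__main__":
    print(hex(s_n(0xDD)), hex(s_n(0xFA)))  # Examples 1 and 2: 0xed 0x1
    print(max(max(r) for r in ddt_rows(SBOX).values()))  # differential uniformity: 4
```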
4.3 Bit Independence Criterion (BIC) of the New S-box
The bit independence criterion (BIC) was introduced by Webster and Tavares in [18]. It states that if any input bit i of x is inverted, output bits j and k should change independently of each other. This is useful to avoid any statistical pattern or statistical dependency between the bits of the output vectors. Hence, for a strong S-box, the dependence between output bits should be as small as possible.
Definition 1
Let \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be a multivariate Boolean function defining an S-box. Let \(\alpha _i=(\delta _{i,n-1},\ldots ,\delta _{i,0})\) where \(\delta _{i,i}=1\) and \(\delta _{i,j}=0\) if \(i\ne j\). For all \(x\in \mathbb {F}_{2^n}\), the corresponding vector to \(S(x)\oplus S(x\oplus \alpha _i)\) is
The list \((a_{i,j}(x))\) of all \(x\in \mathbb {F}_{2^n}\) is denoted \(a_{i,j}\).
The correlation coefficient of \((a_{i,j},a_{i,k})\) is defined as
where E(t) is the expected value of the list t.
A bit independence parameter corresponding to the independence of the output bits j and k under the effect of the change of the input bit i is defined as
The table of BIC(i, j), \(0\le i,j\le 7\), for the new S-box is listed in Table 3. For comparison, the table of BIC(i, j), \(0\le i,j\le 7\), for the AES S-box is listed in Table 4.
For the whole S-box, defined by the function S, the bit independence criterion parameter is defined as
For the new S-box, the BIC value is 0.12. This is better than the BIC of the AES S-box which is 0.13.
4.4 Periodicity of the New S-box
The periodicity of an S-box is related to the minimum number of compositions of S needed to obtain the identity function (see [5, 16]).
Definition 2
Let \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be the function defining an S-box. For \(x\in \mathbb {F}_{2^n}\), the period of x under S is the smallest positive integer k such that \(S^k(x)=x\).
It is shown in Table 5 that in AES, there are 5 possible periods, namely 2, 27, 59, 81 and 87 containing respectively 2, 27, 59, 81 and 87 different elements of \(\mathbb {F}_{2^8}\).
For the new S-box, as shown in Table 6, 256 is the unique period so that the distribution of elements of \(\mathbb {F}_{2^8}\) is more balanced for the periodicity criterion.
4.5 Fixed and Opposite Points
Definition 3
The opposite of \(x\in \mathbb {F}_{2^8}\) is the field element \(\bar{x}\in \mathbb {F}_{2^8}\) such that \(x+\bar{x}=0xff\).
The AES S-box has no fixed point, that is \(S(x) \ne x\), and no opposite fixed point, that is \(S(x) \ne \bar{x}\), for all \(x\in \mathbb {F}_{2^8}\) (see [6]). Similarly, the new S-box has no fixed points and no opposite fixed points.
4.6 Algebraic Complexity of the New S-box
Let S be an S-box over \(\mathbb {F}_{2^n}\). Then S is completely defined by the set \(\{(x_i,y_i)\ |\ x_i\in \mathbb {F}_{2^n},\ y_i=S(x_i)\}\). A polynomial expression for S is determined by Lagrange’s interpolation polynomial
The polynomial P(x) has degree at most \(2^n-1\), and the number of its non-zero monomials is called the algebraic complexity. For AES, the polynomial is [4]
which shows that the algebraic complexity for AES is 9. For the new S-box, the polynomial is of the form
where the coefficients \(a_i\) are listed in Table 7. From this table, we see that the algebraic complexity of the new S-box is 255, which is optimal and makes it more resistant to possible algebraic attacks than the AES S-box.
Similarly, the algebraic expression of the inverse of the new S-box is presented in Table 8 and has 254 monomials which is almost optimal.
4.7 Strict Avalanche Criterion (SAC) of the New S-box
In [18], Webster and Tavares introduced an important criterion for strong S-boxes, called the strict avalanche criterion (SAC). This criterion states that a single bit change in the input of a strong S-box should change each output bit with probability approaching \(\frac{1}{2}\).
Definition 4
A vectorial Boolean function \(S: \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) satisfies SAC if and only if for all i, \(0\le i\le n-1\),
where the binary representation of \(\alpha _i\in \mathbb {F}_{2^n}\) is a vector of length n with a 1 in the ith position and 0 elsewhere.
Consequently, an S-box whose SAC values are closer to \(\left( 2^{n-1},\ldots ,2^{n-1}\right) \) has a good SAC property. Table 9 gives the SAC values of the new S-box and Table 10 gives the SAC values of the AES S-box.
From Table 9 and Table 10, we see that the mean value for SAC for the new S-box is 128.625 while it is 129.25 for the AES S-box.
4.8 Distance to SAC of the New S-box
In general, an S-box does not satisfy the SAC criterion exactly. A practical way to measure how far an S-box deviates from SAC is to compute its distance to SAC (DSAC).
Definition 5
Let \(S : \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be the function defining an S-box such that
The distance to SAC of S is the value
where the binary representation of \(\alpha _j\in \mathbb {F}_{2^n}\) is a vector of length n with a 1 in the jth position and 0 elsewhere.
A strong S-box should have a small DSAC. From Table 10, we find that the DSAC of the AES S-box is 432 (see [5]), while Table 9 shows that the DSAC of the new S-box is 328.
5 Comparison with Existing S-boxes
In Table 11, we list the performance of the AES S-box, the S-box proposed by Cui et al. [5] and the new S-box. The table shows that, for all cryptographic criteria, the performance of the new S-box is equal to or better than that of the former ones, and closer to the performance of an optimal S-box. This implies that the new S-box has better security than the former ones and is suitable for use in AES.
6 Conclusion
In this paper, we presented a new S-box for the AES encryption scheme and analyzed its security by studying the main cryptographic criteria. For all the criteria, the performances of the new S-box are at least as good as the performances of the existing S-boxes. More specifically, the new S-box has better distance to SAC, better BIC and better algebraic complexity.
References
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991). https://doi.org/10.1007/BF00630563
Carlet, C.: Vectorial Boolean functions for cryptography. In: Crama, Y., Hammer, P. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering. Encyclopedia of Mathematics and its Applications, pp. 398–470. Cambridge University Press, Cambridge (2010)
Canteaut, A.: Lecture Notes on Cryptographic Boolean Functions, 10 March 2016. https://www.rocq.inria.fr/secret/Anne.Canteaut/poly.pdf
Cui, L., Cao, Y.: A new S-box structure named affine-power-affine. Int. J. Innov. Comput. Inf. Control 3(3), 751–759 (2007)
Cui, J., Huang, L., Zhong, H., Chang, C., Yang, W.: An improved AES S-box and its performance analysis. Int. J. Innov. Comput. Inf. Control 75(A), 2291–2302 (2011)
Daemen, J., Rijmen, V.: AES Proposal: Rijndael (1999). https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
Data Encryption Standard, National Bureau of Standards, NBS FIPS PUB 46. U.S. Department of Commerce (1977)
Detombe, J., Tavares, S.: Constructing large cryptographically strong S-boxes. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 165–181. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_60
Dragomir, I.R., Lazar, M.: Generating and testing the components of a block cipher. In: 8th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), Ploiesti, pp. 1–4 (2016)
Juremi, J., Mahmod, R., Sulaiman, S.: A proposal for improving AES S-box with rotation and key-dependent. In: Proceedings of the International Conference on Digital Cyber Security, CyberWarfare and Digital Forensic, Kuala Lumpur, Malaysia, pp. 26–28 (2012)
Ma, H., Liu, L.: Algebraic expression for AES S-box and InvS-box. Comput. Eng. 32(18), 149–151 (2006)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
National Institute of Standards and Technology: Federal Information Processing Standards Publication 197: Announcing the Advanced Encryption Standard (AES). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Accessed 09 June 2019
Prouff, E.: DPA attacks and S-boxes. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 424–441. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_29
Sahoo, O.B., Kole, D.K., Rahaman, H.: An optimized S-box for advanced encryption standard (AES) design. In: Proceedings of the International Conference on Advanced Computer Communication, Chennai, India, pp. 3–5 (2012)
Wang, Y.B.: Analysis of structure of AES and its S-box. J. PLA Univ. Sci. Technol. 3(3), 13–17 (2002)
Wang, H., Zheng, H., Hu, B., Tang, H.: Improved lightweight encryption algorithm based on optimized S-box. In: 2013 International Conference on Computational and Information Sciences, Shiyang, pp. 734–737 (2013)
Webster, A.F., Tavares, S.E.: On the design of S-boxes. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 523–534. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_41
Wilson, R.A.: The Finite Simple Groups. Graduate Texts in Mathematics, vol. 251. Springer, London (2009). https://doi.org/10.1007/978-1-84800-988-2
Zahid, A.H., Arshad, M.J.: An innovative design of substitution-boxes using cubic polynomial mapping. Math. Comput. Sci. Symmetry 11(3), 437 (2019)
Zahid, A.H., Arshad, M.J., Ahmad, M.: A novel construction of efficient substitution-boxes using cubic fractional transformation. Entropy 21(3), 245 (2019)
© 2020 Springer Nature Switzerland AG
Nitaj, A., Susilo, W., Tonien, J. (2020). A New Improved AES S-box with Enhanced Properties. In: Liu, J., Cui, H. (eds) Information Security and Privacy. ACISP 2020. Lecture Notes in Computer Science(), vol 12248. Springer, Cham. https://doi.org/10.1007/978-3-030-55304-3_7
Print ISBN: 978-3-030-55303-6
Online ISBN: 978-3-030-55304-3