22000099 IInntteerrnnaattiioonnaall

Coonnffeerreennccee
C oonn
Coom
mppuutteerr
C Teecchhnnoollooggyy
T danDeevveellooppm
D meenntt

Struktur S-Box Baru untuk Meningkatkan Kompleksitas Ekspresi Aljabar

Block Cipher Cryptosystems

Bao Ngoc TRAN Kam Dinh NGUYEN, Kam Dan TRAN

Fakultas Matematika dan Informatika HCMC Sekolah Tinggi Ilmu Pengetahuan Alam
University of Pedagogy, Vietnam Universitas Nasional HCMC, Vietnam {ndthuc,
baotn@math.hcmup.edu.vn tdthu} @ fit.hcmuns.edu.vn

Kata kunci: kompleksitas aljabar, ekspresi aljabar, transformasi linier, S-Box, AES.

Abstrak cara baru untuk merepresentasikan S-Box berdasarkan transformasi linier

dan fungsi non-linier yang diberikan akan dijelaskan secara rinci di bagian
3. Perbandingan S-Box yang diusulkan dan S-Box AES lainnya pada
Dalam makalah ini, kami mengusulkan pendekatan baru
kompleksitas juga akan dijelaskan di sini. bagian. Dan bagian 4 adalah
untuk merepresentasikan S-Box umum berdasarkan transformasi
kesimpulan dan pekerjaan masa depan.
linier dan fungsi non-linier yang diberikan yang meningkatkan
kompleksitas ekspresi aljabar dan ukuran S-Box. Untuk ukuran 8,
S-Box yang diusulkan dapat mengarsipkan jumlah maksimum istilah
(255 istilah) dan oleh karena itu dapat digunakan untuk 2. Penyisihan
menggantikan komponen S-Box klasik di AES asli. Selanjutnya,
S-Box yang diusulkan mewarisi semua karakteristik kriptografi yang Pada bagian ini, kami mengusulkan beberapa masalah terkait hasil
baik dari S-Box AES asli, seperti nonlinier, keseragaman diferensial, teori untuk merepresentasikan pemetaan transformasi linier.
dan longsoran salju yang ketat.
Definisi 1: Memberikan na matriks non-singular berakhir
, Sebuah … transformasi linier adalah bijeksi

fungsi: su …
h…c ……
th .
1. Perkenalan

Dalam [1], [8], S-Box non-linear dari Rijndael dianalisis untuk (1)
memberikan sifat kriptografi yang optimal, seperti rasio prop maksimum
…… Sebuah … t,
[9] dan korelasi input-output maksimum [9]. Namun, Rijndael S-Box
masih memiliki properti yang tidak diinginkan dengan deskripsi
……
sederhana di 2 th,at is ju 1 st the sedikit where ,
[2], [7]. Ekspresi aljabar-nya jarang dengan hanya 9 suku, yang 0,1 W
, … e denote by
mengarah ke perhatian serangan aljabar [8], [10] dan serangan Theorem 1: Given a non-singular matrix
interpolasi [13]. Oleh karena itu, ada banyak peneliti yang fokus over , :1, be a linear-transform
pada perbaikan S-Box baru-baru ini [4], [12], [13]. then:,

0,1, … , 2 (2)
Dalam makalah ini, kami akan mengusulkan cara baru untuk
merepresentasikan S-Box umum berdasarkan transformasi linier dan fungsi Proof :
non-linier yang diberikan. Dengan cara ini, kita dapat meningkatkan S-Box By Definition 1, we … have …
tentang kompleksitas ekspresi aljabar dan ukurannya. Kami juga
(3)
membuktikan bahwa S-Box yang diusulkan dalam [1], [4], [12] hanyalah kasus
khusus dari S-Box yang diusulkan.
(4)
The remainder of paper is organized as follows. In section 2,
we propose some of theory results related problems for
representing linear-transform mapping. A

997788--00--77669955--33889922--11//0099 $$2266..0000 EE
© 22000099 IIE
© EE
E 221122

DO CC CTTD
OII 1100..11110099//IIC D..22000099..223355
 2 0,1, … , 1, 2 00…0. .0 1
(5)

(11)
2 …2 22
th 8,
: Fo 2 r Examp
as00l the
0 e following
0w 2 002 2 100002001
1000 2 … 22

r h,an
I,n the o 0 t,h 1 e, … 2 d, 1 ,
000 01
i 001 31 be 0 a 0 l 0 in 111
e 1 a 1 r-transform
0 2 (12)

222 00000 126 1 1 ,, 2, …

0 00 (6) 1, 2 ,, (13)
2 0 000 101
010
000
000 1
224248 0100111111111111011000
22 00, 1, ,, 1,,2…, …
2 00 2 1111
Therefo …
2 01 0 0 0000000
000 14919 11 1
11110000000
1 re, … … 2… 2
2 1001 000 0 000 12473 1 00 00
1 1011
111
0 12 … 2 2
By the T 1 heor 1 em 0 1, w 0 e ha 0 ve 1 1 1 … … (14)

000 1 111 0 0 0 1
1 10 0 0 0 0 12

1 0 0 01 1 ar matrix.
1 11 0 0
(7)
1 1 1 01 1 1 001 0 de i t s an upp ∏ er-triangul 1
0 111 1 1 10 0
0 0 11 1 1 10 1 0 is invertible and is an linear-transform by
0 0 1 1 1 1 Definition 1
Le,mm|a 1 [14-Theorem 2.1.1]: , 8, ct 0 ion function
/ 0 no 1 n-singular ov 1 er , , as th
: For 2 Example 0 e 0 f 0 o 0 llowing
with

| then 2 00 0 0 000 01 1 be b 0 ij 0 00
e 01
0011

1 2 0 0 0
1 … 12 0 11 0 000
000 000 1 0 1
000

22 000000001 0000 13 01 11
2 12 2 0 0 1 00 158 0 100
2 11 2
2 0 34 0 001100000
8). 3 with 10 we
8, ( 8) 00000
10000 000
000 22 00 0(
1010 15)
h|ave
C 8 o,llora|ry 1 2: In the 1 form 22 100
0 01 00 00 1873 110011001010

1 ula ( 5 4 By the T 0 heor 1 em 1 2, w 1 e ha 0 ve 1 0 0

(9)
2 1
0 100 10 00 11 0
Theorem 2: Given a bijection function
0 11 10 0 0 0 1
2 2,21, 1, … , 2 1: ,
00 0
0, 1, s … uc, h tha 1, t. Let 0,1, … , be a matrix over 2 (16)
0 01
such that 0 0 00 01 01 00 1
then ,A 2 is inve 0 00 00 0 0 1 0
00 0 00 0 0 0 1
Proof :
e have 1 rtible and 0,1, 1,2 2,2
is a…linear-transform.
, er-triangula 1 r matrix.
1, … W
de is t an upp ∏
is invertible and is an linear-transform.
2 200,1, , 1 (10)
Lemma 2: Let be a non-
2
singular upper triangular matrix over then

221133
 | | (17)
2
…22

Proof :
Let be a non-singular upper … 10…0 1 (22)

triangular m … 0
…
1 …
0
0 atrix 1…over…
…
(18) 2
… …
0 0 … 1 20, (23)

0| 0 | … 2 0 1 ,1

. Indeed, 2 02…01 0 … 2
(24)
(i) |With | , we have 2, 22, 1 1, … , 2 1

1 We have 112| Hence, is created by Theorem 2

Collorary| |2: Let! 2 b/e the set of matrices
2 we will prove
which are created by Theorem 2, be a permutation matrix. Let
| ( ii) Su 1 pp| ose 2 that | then

1 (25)
/
0. We have 1
(19) 3. The proposal of structure of S-Box
0,1 ,
In this section, we will present a way to represent S-Box using
linear-transform and a given non-linear function. This S-Box
Let structure has good cryptographic characteristics and it will be
used to replace this classical S-Box component in AES.

3.1. Algebraic Exp 2 ression of the original AES

(20) S-Box
1 ….

/ 0…0 0,1
I n21AES,
( which
any is denoted
8-bit byte isinconsidered
hexadecimal
and by 0 11 ) inas an
processed
element in . This field is defined in terms
of the irreducible polynomial

⇒ | 1| | | 22
1 1 (21)
. The origin, al AES 0 S-Box [1] is a
2 2 2 2 combination of a powe 0 r, function 0 and an affine
surjection , where

Proposition 1: Given . The set of matrices which are created by (26)

Theorem 2 is just .
and 1
Proof :
1
1 0 00011 1
(i) that is created by 0 T,h 1 e,o … re,m 2 1 then
1 0 1 0 1 0 1 1 1 10 1 0
. 11 111 00 1 0
(27)
1 0 0
(ii) 0 1 1 1 01 1 11 0 11011 00 0 1
00 11 10 1
Let be column of
0 01 01 1 1 11 1 0

where is the bit of ° the byte . Thereby, AES

S-Box can be denoted by

(28)

221144
 From the above description, the algebraic expression of the 1 0
original AES S-Box can be written as 0 0
follows: 48 00 00 1 00 00 00 00 0
01 00 10 00 00 00 0
(32)
0 0 00
25 5 (29)
00 00 01 0 00 0
09 05 69301 0 00 0 0 0
000 0 00 01 01 00 1
hexadecimal notation to represent the value In this case, the proposed S-Box is exactly the S- Box in
16 Please (in
note that in We
decimal). our also
paper, wethat,
know will the
usealgebraic
the original AES [1]
expression of the original AES S-Box is so simple that only 9 terms Case 2: : be a linear-transform as
are involved, while the maximum number of terms is 255. In the follows
following section, we will present an approach to can archive this 2,2,2,2,20
optimal value. 1, 32 , 6,, 122, 214,, 4182, 906, , 1092 0. By 0 The 0 ore 0 m 1, we have

3.2. The proposed S-Box 0 00 0

0 1 0 0
Definition 2: G 2 iven a line : 01 01 10 10 00
(33)
, be an affin surjection 2 ar-traand 0 n,,sform
be a 2 n 0 on-linear
0 then S- 00 01 0 0110 0 0
000 0 0 00 1 10 0
function over
00 00 0 0 00 11 1
Box is a mapping that is 0 00 0
defined by In this case,: the proposed S-Box is Gray S-Box
[12] 2
° °, : (30)
Case 3: be a linear-transform as
B emm a| 1 w 2e have, the numb
fo 3 l 1 lo 2,6 ws,, 1224,12,482 ,
S-B| ox
y the
are L
, 3 2. , 2 , 2
1 r of proposed , 14
, 12e (31) we have
0, 241, 2227,,1992 1 1 1

or exa 1 mple with 5.34 1 80, we have | 8, | 1100 01 01

1 100 11 1
2F∏ S-Boxes which can
110 1 0 0 1 10By Theorem
0 1,
(34)
be used to replace the original S-Box component for Rijndeal AES 11 1 0
and proposed S-Box structure has all of properties of the original 0 1 1 1 1 1 1 1 0 01
S-Box such as nonlinearity, differential uniformity, and strict 0 01 11 1 1 0
avalanche. Besides, the algebraic expression is more complicated 000111 10 10 1
than the In this case, the proposed S-Box is the S-Box proposed by
original S-Box as be proved in the follow theorem [4]. L. Cui and Y. Cao [4].
Proposition 2: By the Definition 2, with 8
and be an affine surjection in original AES S-Box 3.3. Comparisons of AES S-Box and proposed S-Box
then S-Box des 8 cribed in [1], [4], [12] are special cases
of the proposed S-Box.

Proof : Table 1 represents the comparisons between the original

AES S-Box, the modified S-box proposed by Cui L. and Cao Y. in
With and be an affin surjection in [4], Gray S-box in [12], and some of randomly proposed S-Boxes
orig 2 inal, AES S-Box, consider some of special cases of as below. From table 1, we can conclude that all the modified
S-Box a o S-Boxes preserve important cryptographic properties of the
Case 1: , , : original one, including SAC, nonlinearity, and differential
follows uniformity. The number of terms in the algebraic expression of
each S-Box is used as a metric to evaluate the algebraic
By Theorem
1, 2, 4, 8 s ,f 126 llo 3 w 2 s,: 264,,1282 1, we
. , be 2 a ,line have 2 sfo,rm 2 as
2 ar-,tran complexity of this component.

221155
 Ta 2 bl,e 1 2. , Th 2 eo.c,mp

S-Box f ,. 2 arison of S-BoxesSAC

for AESNon-
( Differential Algebraic Reusability
linearity uniformity complexity

AES [1] (1, 2, 4, 8, 16, 32, 64, 128) ~1/2 112 4 9 terms

Cui L S-Box [4] (31, 62, 124, 248, 241, 227, 199, 143) ~1/2 112 4 253 terms Whole

Gray S-Box [12] (1, 3, 6, 12, 24, 48, 96, 192) ~1/2 112 4 255 terms Whole

Optimal value 1/2 120 4 255 terms Whole

Proposed S-Box

(1, 3, 5 , 9, 17, 33, 65, 129)

Then The linearized p 4 o 11 lynomial [ 0 6 9] o 9 f over 2 2 254 terms

Example 1 ~1/2 112 4 Whole
4

(1, 3, 7, 5 1 11 4, 28, 56, 11 90 2 2, 224)

Example 2 ~1/2 112 4 255 terms Whole

477

(1, 3, 5, 64 1 3 4, 18, 33, 6 8214

1, 172)

Example 3 ~1/2 112 4 254 terms Whole

056 55

(1, 3, 7, 15, 30, 60, 120, 240)

Example 4 ~1/2 112 4 253 terms Whole

332 1333 4287 4025

[6]. Dang Hai Van, Nguyen Thanh Binh, Tran Minh Triet,
4. Conclusion Tran Ngoc Bao, Nguyen Ho Minh Duc, SSM: Scalable Substitution
Matrix Cipher, Special Issue on Theories and Applications of
In this paper, we propose a n 8 ew way to represent S- Computer Science, Journal of Science and Technology, Vietnam
Box based on linear-transform and a given non-linear function to Academy of Science and Technology, ISSN 0866 708X, Vol 46,
No5A, 2008. pp. 165-178.
increase the complexity of algebraic expression and other
cryptographic characteristics of
[7]. J. Daemen, V. Rijmen, B. Preneel, A. Bosselaers, and
the original AES S-Box ( ) , the proposed S-Box
E.D. Win, “The cipher SHARK,” FSE 1996, LNCS, vol.1039, pp.99
structure can be used to replace this classical S-Box component in – 111, 1996
AES. Furthermore, the proposed S-Box structure not only can be [8]. N. Ferguson, R. Schroeppel, and D. Whiting, “The
used as the S-Box component to increase the complexity of inverse S-box, non-linear polynomial relations and cryptanalysis
algebraic expression of AES but also used in other block cipher of block ciphers,” AES-2004,
systems such as Hill cipher [5], [14], SSM [6],... LNCS,vol.3373, pp.170–188, 2004.
[9]. J. Daemen, Cipher and hash function design strategies
based on linear and differential cryptanalysis, Ph.D. thesis,
K.U.Leuven, 1995.
5. References [10]. N.T. Courtois and J. Pieprzyk, “Cryptanalysis of block
ciphers with overdefined systems of equations,” ASIACRYPT
[1]. J. Daemen and V. Rijmen. AES proposal: Rijndael. AES 2002, LNCS, vol.2501, pp.267–287, 2002. [11]. T. Jakobsen and
algorithm submission, 1999. L.R. Knudsen, “The interpolation
[2]. S. Murphy and M. J. Robshaw. Essential algebraic attack on block ciphers,” Fast Software Encryption, LNCS, vol.1267,
structure within the AES. In Crypto’02, LNCS 2442, pp. 1–16, 2002 pp.28–40, Springer-Verlag, 1997.
[12]. M.T. Tran, D.K. Bui, and A.D. Duong, “Gray sbox for
[3]. J. Rosenthal. A polynomial description of the Rijndael advanced encryption standard,” 2008 International Conference on
Advanced Encryption Standard. Journal of Algebra and its Applications, Computational Intelligence and Security (CIS’08), 2008
2(2):223–236, 2003
[4]. L. Cui and Y. Cao. A new S-box structure named Affine- [13]. J. Liu, B. Wai, X. Cheng, and X. Wang. An AES S-box
Power-Affine. International Journal of Innovative Computing, to increase complexity and cryptographic analysis. In Proceedings
Information and Control, 3(3), 2007 of the 19th International Conference on Advanced Information
[5]. Bao Ngoc Tran, “On Generating Key-matrix for Matrix Networking and Applications (AINA’05) Volume 1, pages 724–728,
Cipher and Applications”, Proceeding of Addendum Contributions to 2005
the 2008 IEEE International Conference on Research, Innovation & [14]. Jeffrey Overbey, William Traves, and Jerzy Wojdylo,
Vision for the Future (RIVF “On the Keyspace of the Hill Cipher”,
2008), Ho Chi Minh City, Vietnam, July 13-17, 2008, pp. 196-199. Cryptologia. 29:1 (2005): 59-72.

221166