
Improved Rijndael-Like S-Box and Its Transform Domain Analysis

Seok-Yong Jin, Jong-Min Baek, and Hong-Yeop Song


Coding and Information Theory Lab, School of Electrical and Electronic Engineering, Yonsei University, 134 Sinchon-dong, Seodaemun-gu, Seoul 120-749, Korea {sy.jin, jm.back, hy.song}@coding.yonsei.ac.kr

Abstract. In this paper, we propose a simple scheme which produces a new S-box from a given S-box. We use the well-known conversion technique between the polynomial functions over F_{2^n} and the boolean functions from F_2^n to F_2. We have applied the scheme to Rijndael S-box and obtained 29 new S-boxes, of which only one is a bijection with better algebraic expression than the original Rijndael S-box and has the same spectral properties as the original Rijndael S-box. All others turned out to be non-bijective, and have different spectral properties, and hence, they all are inequivalent to the original as boolean functions.

Keywords: Rijndael, AES, S-box, Hadamard transform, Avalanche transform.

1 Introduction

It is widely known that the properties of the substitution box (S-box) are fundamental to the secrecy of symmetric encryption algorithms after Shannon [10]. Since S-boxes are usually implemented as look-up tables, they are attractive for fast software encryption algorithms [3]. Most popular block ciphers and some stream ciphers have adopted various S-boxes, and a lot of research has been devoted to designing better S-boxes. Several methods to generate cryptographically useful S-boxes have been proposed [3], such as the selection of nearly optimal (for differential [2] and linear [9] attacks) boolean functions as components of the S-boxes, random generation, using finite field operations, and heuristic algorithms. Among these, finite field power operation based S-boxes achieve [3] several security criteria simultaneously, and have been used in many cipher proposals including Rijndael [14,15], the major portfolio of NESSIE [19], ARIA [17] in Korea, and CRYPTREC [18] in Japan, to mention only a few. Rijndael was selected as the Advanced Encryption Standard (AES) by the US NIST in October 2000, and published as FIPS-197 [16] in November 2001.
This work was supported by grant No.(R01-2003-000-10330-0) from the Basic Research Program of the Korea Science & Engineering Foundation.
G. Gong et al. (Eds.): SETA 2006, LNCS 4086, pp. 153–167, 2006. © Springer-Verlag Berlin Heidelberg 2006


Rijndael S-box is the finite field inversion together with a bitwise affine transformation. Until Rijndael was selected as AES, it was generally claimed that such an S-box would prevent algebraic attacks. There has been some progress in the research on the algebraic aspect of Rijndael S-box. It is known [13, 3, 7] that every component function of Rijndael S-box is a single-term trace function on the finite field GF(256), and has the property of algebraic linear redundancy that is inherent in finite field exponentiation. At the same time, researchers have successively proposed several improved S-boxes. In [7], the research effort has focused on S-boxes with no simple algebraic expression, while Fuller and Millan in [3] concentrate on S-boxes with no linear redundancy.

This paper is organized as follows. In Section 2, we first introduce some background material, including the one-to-one correspondence between the polynomial functions over a finite field and the boolean functions. Some definitions which are frequently used in the cryptanalysis of boolean functions will also be given. Section 3 describes the design scheme which produces a new S-box from a given S-box, working on 4-bit inputs and outputs. We apply this scheme in Section 4 to Rijndael S-box and obtain 29 new S-boxes, of which only one is a bijection with better algebraic expression than the original Rijndael S-box and has the same spectral properties as the original Rijndael S-box. All others turned out to be non-bijective, and have different spectral properties, and hence, they all are inequivalent to the original as boolean functions. We give some concluding remarks and open problems in Section 5.

2 Preliminaries

2.1 Sequences, Trace-Represented Polynomial Functions and Boolean Functions

Let F_{2^n} be a finite field with 2^n elements and a = \{a_t\}_{t=0}^{N-1} be a sequence over F_2 of period N = 2^n - 1. Let be a primitive element in F_{2^n}. The discrete Fourier transform (DFT) of a is defined as

A_k = \sum_{t=0}^{N-1} a_t \, ^{tk}, \quad k = 0, 1, \ldots, N-1.

Its inverse formula is given as follows:

a_t = \sum_{k=0}^{N-1} A_k \, ^{kt}, \quad t = 0, 1, \ldots, N-1.

For a given sequence a, there exists a polynomial function f(x) from F_{2^n} to F_2, associated with a, such that a_t = f(^{t}), t = 0, 1, \ldots, N-1. We write a f, and call a an evaluation of the function f at . By the inverse DFT or Lagrange interpolation, we have [5]:


a_t = f(x)\big|_{x = ^{t}} = \sum_{j \in (N)} Tr_1^{n_j}(A_j x^j)\Big|_{x = ^{t}}, \quad t = 0, 1, \ldots, N-1, \quad A_j \in F_{2^{n_j}}, \qquad (1)

where (N) is the set of cyclotomic coset leaders modulo N with respect to 2, C_j is the coset which contains j, n_j = |C_j|, Tr_1^{n_j}(x) is the trace [8] function from F_{2^{n_j}} to F_2, and A_j \in F_{2^{n_j}} is the DFT coefficient of a. Then the sum of trace functions in (1) is the desired polynomial function, called the trace representation of the sequence a.

Now, let g(x_{n-1}, \ldots, x_0) be a boolean function in n variables. By applying the Lagrange interpolation, its polynomial representation f(x) can be determined as (x is just an indeterminate)

f(x) = g(0, \ldots, 0) + \sum_{j=1}^{2^n-1} d_j x^j, \quad x = 0,\ x \in F_2^n, \qquad (2)

with coefficient d_j, 1 \le j \le 2^n - 1, being

d_j = \sum_{\in F_2^n} g(x_{n-1}, \ldots, x_0) \, ^{j}, \qquad (3)

where = \sum_{i=0}^{n-1} x_i \, _i, and \{_0, \ldots, _{n-1}\} is a basis of F_{2^n} over F_2, denoted by F_{2^n} = \{_0, \ldots, _{n-1}\}. A conversion from a polynomial function to a boolean function is given by

g(x_{n-1}, \ldots, x_0) = f(x_0 \, _0 + \cdots + x_{n-1} \, _{n-1}), \quad \text{where } F_{2^n} = \{_0, \ldots, _{n-1}\}. \qquad (4)

In the rest of this paper, by a boolean function f in n variables, we mean the two notations f(x) = f(x_{n-1}, \ldots, x_0), x \in F_2^n, and f(x), x \in F_{2^n}, interchangeably.

2.2 Transform Domain Analysis Tools

For transform domain analysis of cryptographic functions, see Gong and Golomb [4], for example. The following definitions are mainly from [5, Ch. 6 and 10] with the same notation as above. For a f(x), the Hadamard transform (HT) of a or f(x) is defined by

\hat f() = \sum_{x \in F_{2^n}} (-1)^{Tr(x) + f(x)}, \quad \in F_{2^n}.

The Walsh transform of a boolean function f(x) is defined by

\hat f(w) = \sum_{x \in F_2^n} (-1)^{w \cdot x + f(x)}, \quad w \in F_2^n.


The Hadamard transform of f(x) and the Walsh transform of f(x) have the relation \hat f(w) = \hat f(), w \in F_2^n, \in F_{2^n}, where w \cdot x = Tr(x).

Nonlinearity N_f of a boolean function f in n variables is defined as

N_f = \min_{w \in F_2^n,\ c \in F_2} d\big(f(x),\ w \cdot x + c\big),

where d(x, y) denotes the Hamming distance between x and y, and is calculated using the Hadamard transform of f:

N_f = 2^{n-1} - \frac{1}{2} \max_{w \in F_2^n} |\hat f(w)| = 2^{n-1} - \frac{1}{2} \max_{\in F_{2^n}} |\hat f()|. \qquad (5)

The Avalanche transform (AT) or additive correlation (convolution) of f(x) is defined by

(f f)(w) = F(w) = \sum_{x \in F_{2^n}} (-1)^{f(x+w) + f(x)}, \quad w \in F_{2^n}. \qquad (6)

Avalanche transform analysis of cryptographic functions was first introduced by Webster and Tavares [12]. We say that a boolean function f satisfies the Strict Avalanche Criterion (SAC) if its Avalanche transform F(w) = 0 for all w with binary Hamming weight wt(w) = 1.

2.3 Equivalence Classes of Boolean Functions

Let f and g be two boolean functions in n variables. If there exist a non-singular binary matrix D of order n, two n-tuple binary vectors a and b, and a binary constant c such that for all x \in F_2^n

g(x) = f(D x^T + a^T) + b \cdot x^T + c,

where b \cdot x^T = b_1 x_1 + b_2 x_2 + \cdots + b_n x_n denotes the linear function selected by b, then f and g are said to be (affine) equivalent [3]. The absolute values of the Hadamard transform and the correlation transform are both re-arranged by an affine transform, and thus the nonlinearity of a boolean function is unchanged under affine transform [3].

2.4 Description of Rijndael S-Box

An n-bit processing substitution box is a vector-valued boolean function s(x) from F_2^n to F_2^n. If we let s(x) = (s_{n-1}(x), \ldots, s_1(x), s_0(x)), then each s_i(x),


i = 0, \ldots, n-1, is an ordinary boolean function in n variables, called a component function or coordinate function of the given S-box. By (4), s_i(x), x \in F_2^n, can be identified with s_i(x), x = \sum_{i=0}^{n-1} x_i b_i \in F_{2^n}, where \{b_0, b_1, \ldots, b_{n-1}\} is a basis of F_{2^n} over F_2. We take b_i = ^{i} for 0 \le i < 8, where is a root of z^8 + z^4 + z^3 + z + 1, which is the defining irreducible (but not primitive) polynomial of F = F_{2^8} for the Rijndael cipher. This transforms the eight boolean functions into eight polynomial functions from F to F_2, which are

s_0(x) = Tr(^{166} x^{-1}) + 1 = Tr(^{83} x^{127}) + 1
s_1(x) = Tr(^{53} x^{-1}) + 1 = Tr(^{154} x^{127}) + 1
s_2(x) = Tr(^{36} x^{-1}) = Tr(^{18} x^{127})
s_3(x) = Tr(^{11} x^{-1}) = Tr(^{133} x^{127})
s_4(x) = Tr(^{72} x^{-1}) = Tr(^{36} x^{127})
s_5(x) = Tr(^{76} x^{-1}) + 1 = Tr(^{38} x^{127}) + 1
s_6(x) = Tr(^{51} x^{-1}) + 1 = Tr(^{153} x^{127}) + 1
s_7(x) = Tr(^{26} x^{-1}) = Tr(^{13} x^{127}),        (7)

where = + 1 is a primitive element of F, and x = \sum_{i=0}^{7} x_i b_i \in F. The above algebraic expressions of the component functions s_i(x) have been determined by inverse DFT or Lagrange interpolation (2), the dual basis approach [13], or the q-polynomial method [7].

3 Proposed Scheme of Designing a New S-Box from a Given S-Box

We will describe the proposed scheme of designing a new S-box from a given one. For convenience, we explain it using a smaller-size example, e.g., over F_{2^4}. Consider the following S-box, denoted SB-0 (the left-most one in Table 1), defined by s(x) = x^{-1} over the field F = F_{2^4} using the irreducible polynomial g_0(z) = z^4 + z^3 + z^2 + z + 1. Then the following algorithm produces SB-1 and SB-2, in the middle and right-most of Table 1, respectively.

Table 1. Three S-boxes (in hexadecimal). Rows are indexed by the low two input bits x_1 x_0 and columns by the high two bits x_3 x_2.

        SB-0                  SB-1                  SB-2
      00 01 10 11           00 01 10 11           00 01 10 11
  00   0  8  4  d       00   0  6  2  3       00   0  6  e  8
  01   1  6  7  c       01   1  8  b  e       01   c  7  2  a
  10   f  5  3  b       10   a  5  d  7       10   7  4  e  5
  11   a  9  e  2       11   f  9  c  4       11   0  7  6  a


Polynomial functions for each of the 4 coordinate boolean functions of SB-0 over F can be found using the Lagrange interpolation explained in Section 2:

s(x) = (s_3(x), s_2(x), s_1(x), s_0(x)) = \big(Tr_1^4(^{14} x^7),\ Tr_1^4(^{7} x^7),\ Tr_1^4(^{10} x^7),\ Tr_1^4(^{8} x^7)\big), \qquad (8)

where x = (x_3, x_2, x_1, x_0) is the input to SB-0, x = \sum_{i=0}^{3} x_i b_i \in F = \{b_i \mid b_i = ^{i}, 0 \le i < 4\}, is a root of g_0(z), which is the defining polynomial of F, and = 1 + is a primitive element of F. Now, we let K be the field defined by g_1(z) = z^4 + z^3 + 1. Then the polynomial functions of SB-0 over K are determined as

r(x) = (r_3(x), r_2(x), r_1(x), r_0(x))^T =
  ( Tr_1^4(^{10} x + ^{12} x^3 + ^{14} x^7) + Tr_1^2(^{10} x^5),
    Tr_1^4(^{3} x + ^{4} x^3 + ^{5} x^7) + Tr_1^2(x^5),
    Tr_1^4(^{9} x + ^{10} x^3 + ^{13} x^7) + Tr_1^2(^{5} x^5),
    Tr_1^4(^{2} x + ^{13} x^3 + ^{6} x^7) + Tr_1^2(^{5} x^5) )^T, \qquad (9)

where x = \sum_{i=0}^{3} x_i c_i \in K = \{c_i \mid c_i = ^{i}, 0 \le i < 4\} and is a root of g_1(z). To obtain polynomial functions for the new S-box, which we call SB-1, we simply replace the coefficients (some powers of in (9)) with the corresponding powers of . This gives new polynomial functions from (9), which are

h_3(x) = Tr_1^4(^{10} x + ^{12} x^3 + ^{14} x^7) + Tr_1^2(^{10} x^5),
h_2(x) = Tr_1^4(^{3} x + ^{4} x^3 + ^{5} x^7) + Tr_1^2(x^5),
h_1(x) = Tr_1^4(^{9} x + ^{10} x^3 + ^{13} x^7) + Tr_1^2(^{5} x^5),
h_0(x) = Tr_1^4(^{2} x + ^{13} x^3 + ^{6} x^7) + Tr_1^2(^{5} x^5).

Finally, to construct SB-1, shown in the middle of Table 1, we evaluate the above polynomial functions over F = F_{2^4} with multiplication mod g_0(z). There is another irreducible polynomial of degree 4 over F_2, which is g_2(z) = z^4 + z + 1. We denote by E the field defined by g_2(z). Then, similarly, over E, the polynomial functions of SB-0 are determined as

t(x) = (t_3(x), t_2(x), t_1(x), t_0(x))^T =
  ( Tr_1^4(^{2} x + ^{9} x^3 + ^{10} x^7) + Tr_1^2(^{5} x^5),
    Tr_1^4(^{4} x + ^{12} x^3 + ^{12} x^7) + Tr_1^2(x^5),
    Tr_1^4(^{6} x + ^{2} x^3 + ^{14} x^7) + Tr_1^2(x^5),
    Tr_1^4(^{11} x + ^{11} x^3 + ^{2} x^7) + Tr_1^2(^{10} x^5) )^T, \qquad (10)

where x = \sum_{i=0}^{3} x_i d_i \in E = \{d_i \mid d_i = ^{i}, 0 \le i < 4\} and is a root of g_2(z). By replacing in (10) with , we obtain another set of polynomial functions from (10):

u_3(x) = Tr_1^4(^{2} x + ^{9} x^3 + ^{10} x^7) + Tr_1^2(^{5} x^5),
u_2(x) = Tr_1^4(^{4} x + ^{12} x^3 + ^{12} x^7) + Tr_1^2(x^5),
u_1(x) = Tr_1^4(^{6} x + ^{2} x^3 + ^{14} x^7) + Tr_1^2(x^5),
u_0(x) = Tr_1^4(^{11} x + ^{11} x^3 + ^{2} x^7) + Tr_1^2(^{10} x^5).

This, in turn, gives a third S-box, SB-2, shown in the right-most of Table 1, when we evaluate the above polynomial functions over F = F_{2^4} with multiplication mod g_0(z).

Remark 1. Observe that SB-1 is a bijection but SB-2 is not. The reason why they are so different would be a topic of further research.

Remark 2. A simple calculation shows that all three S-boxes in Table 1 have the same spectral properties. That is, they have the same profiles of Hadamard transform and Avalanche transform, where the transform is applied to each of the coordinate boolean functions. It turned out that the spectral properties do not have to be all the same when this scheme is applied to larger S-boxes, which we will discuss in the next section.

4 Application of Proposed Scheme to Rijndael S-Box

4.1 Using z^8 + z^4 + z^3 + z^2 + 1

We apply the proposed design scheme explained in Section 3 to the original Rijndael S-box, which we denote by BOX-0. From now on, we use the parallel notation of Section 3, but g_0(z) and g_1(z) are changed to

g_0(z) = z^8 + z^4 + z^3 + z + 1, and g_1(z) = z^8 + z^4 + z^3 + z^2 + 1,

where g_0(z) is the defining polynomial of F_{2^8} for the Rijndael cipher and g_1(z) is a primitive polynomial of degree 8 over F_2. Recall that the polynomial functions s_i(x), 0 \le i < 8, for the coordinate boolean functions of BOX-0 were determined as in (7) over F = F_{2^8} defined by g_0(z), where = 1 + is a primitive element of F, is a root of g_0(z), and x = \sum_{i=0}^{7} x_i b_i \in F = \{b_i \mid b_i = ^{i}, 0 \le i < 8\}. Now, over K = F_{2^8} defined by g_1(z), the same boolean functions give some other polynomial functions r_i(x), 0 \le i < 8,  where, for example,

r_7(x) = Tr_1^2(^{85} x^{85}) + Tr_1^4(^{238} x^{17} + ^{34} x^{51} + ^{136} x^{119})
  + Tr_1^8(^{4} x + ^{43} x^3 + ^{60} x^5 + ^{3} x^7 + ^{54} x^9 + ^{155} x^{11})
  + Tr_1^8(^{86} x^{13} + ^{157} x^{15} + ^{157} x^{19} + ^{48} x^{21} + ^{163} x^{23} + ^{98} x^{25})
  + Tr_1^8(^{50} x^{27} + ^{92} x^{29} + ^{67} x^{31} + ^{69} x^{37} + ^{181} x^{39} + ^{1} x^{43})
  + Tr_1^8(^{2} x^{45} + ^{194} x^{47} + ^{110} x^{53} + ^{145} x^{55} + ^{105} x^{59} + ^{246} x^{61})
  + Tr_1^8(^{192} x^{63} + ^{45} x^{87} + ^{20} x^{91} + ^{160} x^{95} + ^{144} x^{111} + ^{13} x^{127}),        (11)

Table 2. Polynomial functions r_i's of BOX-0 over K (h_i's of BOX-1 over F). Each line below lists one column of the table: the coset leaders k with their sizes n_k, then the exponent columns for r_7, ..., r_0, then the bottom row LS.

k (n_k): const., 85 (2), 17 (4), 51 (4), 119 (4), 1 (8), 3 (8), 5 (8), 7 (8), 9 (8), 11 (8), 13 (8), 15 (8), 19 (8), 21 (8), 23 (8), 25 (8), 27 (8), 29 (8), 31 (8), 37 (8), 39 (8), 43 (8), 45 (8), 47 (8), 53 (8), 55 (8), 59 (8), 61 (8), 63 (8), 87 (8), 91 (8), 95 (8), 111 (8), 127 (8)
r_7: 85 238 34 136 4 43 60 3 54 155 86 157 157 48 163 98 50 92 67 69 181 1 2 194 110 145 105 246 192 45 20 160 144 13
r_6: 1 0 0 102 0 129 251 163 19 221 31 80 143 28 48 78 29 74 49 253 145 125 253 246 23 173 65 176 252 7 239 236 41 141
r_5: 1 170 102 238 187 65 43 162 50 120 242 199 74 231 69 100 37 25 21 69 52 68 168 127 233 129 74 121 111 141 157 73 186 149 14
r_4: 0 136 17 85 213 12 197 233 97 163 91 56 16 3 173 9 115 220 157 155 145 228 200 173 77 35 186 176 80 61 76 66 35 91
r_3: 170 136 85 0 52 233 79 134 33 92 17 242 99 190 16 197 16 162 233 32 114 244 25 43 16 6 228 17 142 230 251 236 167 90
r_2: 170 68 17 83 23 57 193 139 151 41 148 33 198 242 157 25 130 6 121 242 64 102 133 143 90 161 81 6 20 222 32 220
r_1: 1 0 17 17 187 14 174 166 246 159 2 208 86 65 106 248 225 189 71 107 219 12 217 133 108 245 159 182 213 213 98 123 156 154 166
r_0: 1 85 119 85 51 127 30 24 119 33 226 153 214 251 136 120 72 167 174 35 230 91 58 164 119 136 64 108 100 178 78 94 248 210 71
LS (r_7, ..., r_0): 254 247 255 254 254 242 255 255

where is a root of g_1(z) in this section, and is a primitive element of K. For the other r_i(x), see Table 2. The first and second columns of Table 2 represent the cyclotomic coset leaders and their sizes, respectively. The values in the third column are the exponents of the coefficients of x^k in the trace representation of r_7(x), with the convention of = 0, where is a primitive element in K. The bottom row of Table 2 shows the number of nonzero terms in each r_i(x). Note that these values are very large (255 is the maximum) compared to those of the expressions in (7).


By replacing the coefficients (which are the powers of in (11)) with the corresponding powers of , as described in Section 3, we obtain a set of 8 new polynomial functions h_i(x), 0 \le i < 8, one of which is

h_7(x) = Tr_1^2(^{85} x^{85}) + Tr_1^4(^{238} x^{17} + ^{34} x^{51} + ^{136} x^{119})
  + Tr_1^8(^{4} x + ^{43} x^3 + ^{60} x^5 + ^{3} x^7 + ^{54} x^9 + ^{155} x^{11})
  + Tr_1^8(^{86} x^{13} + ^{157} x^{15} + ^{157} x^{19} + ^{48} x^{21} + ^{163} x^{23} + ^{98} x^{25})
  + Tr_1^8(^{50} x^{27} + ^{92} x^{29} + ^{67} x^{31} + ^{69} x^{37} + ^{181} x^{39} + ^{1} x^{43})
  + Tr_1^8(^{2} x^{45} + ^{194} x^{47} + ^{110} x^{53} + ^{145} x^{55} + ^{105} x^{59} + ^{246} x^{61})
  + Tr_1^8(^{192} x^{63} + ^{45} x^{87} + ^{20} x^{91} + ^{160} x^{95} + ^{144} x^{111} + ^{13} x^{127}),        (12)

where = 1 + is the primitive element of F, where is a root of g_0(z). Now, evaluating these polynomials over F = F_{2^8} with multiplication mod g_0(z) gives a new S-box, BOX-1, shown in Table 3.
Table 3. BOX-1 (in hexadecimal); row = high nibble, column = low nibble of the input.

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0  63 7c 7b 77 6b f2 6f c5 76 ab fe d7 67 2b 01 30
 1  82 ca c9 7d fa 59 f0 47 72 c0 a4 9c af a2 ad d4
 2  c3 23 04 c7 05 9a 96 18 eb 27 75 b2 12 07 80 e2
 3  93 26 fd b7 cc f7 36 3f d8 71 31 15 34 a5 f1 e5
 4  fc 20 b1 5b 53 d1 ed 00 be 39 cb 6a cf 58 4a 4c
 5  1b 6e a0 5a 83 09 2c 1a b3 d6 52 3b 2f 84 e3 29
 6  33 85 4d 43 fb aa d0 ef f9 45 02 7f 50 3c a8 9f
 7  f5 38 92 9d 40 8f a3 51 bc b6 21 da ff 10 f3 d2
 8  16 bb b0 54 2d 0f 99 41 8c a1 0d 89 e6 bf 42 68
 9  28 df 55 ce e9 87 9b 1e f8 e1 98 11 69 d9 94 8e
 a  4b bd 8a 8b dd e8 74 1f 2e 25 ba 78 b4 c6 a6 1c
 b  c1 86 1d 9e 61 35 b9 57 b5 66 3e 70 0e f6 48 03
 c  ac 62 d3 c2 79 e4 91 95 06 49 24 5c e0 32 0a 3a
 d  ea f4 6c 56 ae 08 7a 65 8d d5 a9 4e c8 e7 37 6d
 e  ee 46 b8 14 de 5e db 0b 90 88 2a 22 dc 4f 60 81
 f  c4 a7 3d 7e 5d 64 19 73 17 44 5f 97 13 ec 0c cd
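The scheme of Section 3 and its application to BOX-1 above, as an added worked example that is not part of the paper: the code builds SB-0, SB-1 and SB-2 of Table 1 and BOX-1 of Table 3 from scratch. It assumes, as the paper's notation indicates, that the coefficients replaced are powers of the root of g_1(z) (resp. g_2(z)), which is primitive, and that the corresponding powers are those of 1 + alpha (0x03 in Rijndael's field), alpha being the root of g_0(z); the `Field` class and the Lagrange routine are my own formulation.

```python
# Added example: the S-box conversion scheme of Section 3, run on the 4-bit
# boxes of Table 1 and on BOX-1 of Section 4.1. A field element is an int whose
# bits are its coordinates in the basis {alpha^i}, alpha a root of the defining
# polynomial, exactly as the paper identifies F_2^n with F_{2^n}.

def gf_mul(a, b, poly, n):
    """Multiply a*b in GF(2^n) modulo the monic degree-n polynomial `poly`."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

class Field:
    """GF(2^n) defined by `poly`, with exp/log tables of a primitive element `gen`."""

    def __init__(self, n, poly, gen):
        self.n, self.order = n, (1 << n) - 1
        self.exp, self.log = [], {}
        x = 1
        for e in range(self.order):
            self.exp.append(x)
            self.log[x] = e
            x = gf_mul(x, gen, poly, n)
        assert len(self.log) == self.order, "gen is not primitive"

    def pow(self, a, e):
        """a^e for a != 0 and any integer e (negative e gives inverses)."""
        return self.exp[(self.log[a] * e) % self.order]

    def mul(self, a, b):
        if a == 0 or b == 0:
            return 0
        return self.exp[(self.log[a] + self.log[b]) % self.order]

def interpolate(bits, K):
    """Lagrange interpolation over K of the boolean function with truth table
    `bits` (index = field element): coefficients c_0..c_{q-1} of the unique
    polynomial with f(y) = bits[y], via c_j = sum_{y != 0} f(y) y^(-j) as in (3)."""
    q = K.order + 1
    support = [y for y in range(1, q) if bits[y]]
    coeffs = [bits[0]]
    for j in range(1, q):
        c = 0
        for y in support:
            c ^= K.pow(y, -j)
        coeffs.append(c)
    coeffs[q - 1] ^= bits[0]          # the x^(q-1) term also picks up f(0)
    return coeffs

def convert_sbox(sbox, K, F):
    """Steps (i)-(iii): interpolate each coordinate over K, replace every
    coefficient gamma^e (gamma = K's generator) by beta^e (beta = F's
    generator), then evaluate the new polynomials over F."""
    q = K.order + 1
    new = [0] * q
    for i in range(K.n):
        bits = [(v >> i) & 1 for v in sbox]
        h = [F.exp[K.log[c]] if c else 0 for c in interpolate(bits, K)]
        for x in range(q):
            v = h[0]
            if x:
                for j in range(1, q):
                    v ^= F.mul(h[j], F.pow(x, j))
            assert v in (0, 1)          # a sum of trace terms is F_2-valued
            new[x] |= v << i
    return new

def inverse_sbox(F):
    """SB-0 of Section 3: x -> x^(-1) over F, with 0 -> 0."""
    return [0] + [F.pow(x, -1) for x in range(1, F.order + 1)]

def rijndael_sbox(F):
    """BOX-0: inversion over F, then the FIPS-197 affine map written with byte
    rotations (bit i of the output is b_i + b_{i+4} + ... + b_{i+7} + c_i)."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63
            for b in inverse_sbox(F)]

# 4-bit case (Table 1): 1 + alpha = 0b0011 is primitive in F; the roots of g1
# and g2 are primitive, so they serve as the generators of K and E.
F4 = Field(4, 0b11111, 0b0011)   # g0 = z^4+z^3+z^2+z+1 defines F
K4 = Field(4, 0b11001, 0b0010)   # g1 = z^4+z^3+1       defines K
E4 = Field(4, 0b10011, 0b0010)   # g2 = z^4+z+1         defines E
SB0 = inverse_sbox(F4)
SB1 = convert_sbox(SB0, K4, F4)
SB2 = convert_sbox(SB0, E4, F4)

# 8-bit case (Section 4.1): g0 = 0x11b (Rijndael), g1 = 0x11d, 1 + alpha = 0x03.
F8 = Field(8, 0x11B, 0x03)
K8 = Field(8, 0x11D, 0x02)
BOX0 = rijndael_sbox(F8)
BOX1 = convert_sbox(BOX0, K8, F8)

print("SB-1:", " ".join("%x" % v for v in SB1), "| SB-2:", " ".join("%x" % v for v in SB2))
print("BOX-1 row 0:", " ".join("%02x" % v for v in BOX1[:16]), "| bijective:", len(set(BOX1)) == 256)
```

Running it reproduces the three boxes of Table 1 (SB-1 a bijection, SB-2 not) and the entries of Table 3; the 8-bit interpolation and evaluation take a second or two.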

We now list some cryptographic properties of BOX-1 in parallel with those of BOX-0. We will use h_i(x) in Table 2 for BOX-1 and s_i(x) in (7) for BOX-0.

1. BOX-1 is a bijective map. So is BOX-0.

2. The component boolean functions of BOX-1 are balanced. So are those of BOX-0.

3. It is not difficult to show that the highest degree in the algebraic normal form (ANF) of a boolean function f is the maximum binary Hamming weight wt(k) as k runs through all the exponents in the trace representation of f [5]. For k = 127, wt(k) = 7, and every coordinate function h_i(x), i = 0, \ldots, 7,


has the term x^{127} in its trace representation for some nonzero \in F_2^n. The ANF of any boolean function can be found by exhaustive truth table summation [11]. In fact, the number of linear and highest degree terms in the ANF of h_i(x) and s_i(x) turns out to be given as follows:

                          h0 h1 h2 h3 h4 h5 h6 h7   s0 s1 s2 s3 s4 s5 s6 s7
Number of linear terms     4  3  4  4  6  3  3  3    6  4  6  4  6  2  4  4
Number of degree 7 terms   4  4  5  1  5  4  3  3    5  4  2  4  2  3  4  4

4. Since the linear span of a function or a sequence is just the number of nonzero terms in its polynomial function [5], we have:

              h0  h1  h2  h3  h4  h5  h6  h7   s0 s1 s2 s3 s4 s5 s6 s7
Linear span  255 255 242 254 254 255 247 254    9  9  8  8  8  9  9  8

5. The Hadamard transform of a boolean function has a connection (5) with nonlinearity and with first-order correlation immunity [11]. The Hadamard transform profiles of the component functions of BOX-1 and BOX-0 are determined as:

Absolute HT value        0   4   8  12  16  20  24  28  32  Total
h_i for all 0 <= i < 8  17  48  36  40  34  24  36  16   5    256
s_i for all 0 <= i < 8  17  48  36  40  34  24  36  16   5    256

6. From the above calculation, it is easy to see that the nonlinearity of every coordinate function of BOX-1 is 112, which is the same as that of BOX-0, the original Rijndael S-box.

7. The frequency distribution of the Avalanche (additive correlation) transform of each component function of BOX-1 and BOX-0 is determined as:

Absolute AT value        0   8  16  24  32  Total
h_i for all 0 <= i < 8  32  84  74  52  13    255
s_i for all 0 <= i < 8  32  84  74  52  13    255

8. It is interesting to observe that for all i = 0, 1, \ldots, 7, h_i and s_i have the same Hadamard and Avalanche transform spectrum (as a profile), which is not an accident, due to the following theorem.

Theorem 1. Let = \{s_0, s_1, \ldots, s_7, h_0, h_1, \ldots, h_7\} be the set consisting of all the component functions of BOX-0 and BOX-1. Then any two boolean functions in are pairwise equivalent.

Proof. Since s_i(x) = Tr(_i x^{-1}) + e_i for some _i \in F_{2^8}, i = 0, \ldots, 7, where e_i is either 1 or 0 as shown in (7), it is easily shown [3, Theorem 3] that s_i and s_j are equivalent for any 0 \le i, j \le 7. Now it is enough to establish the affine equivalence between s_0 and h_i for all i = 0, 1, \ldots, 7. Some calculation shows that h_0(x) = s_0(D_0 x^T), where the binary 8 \times 8 square matrix D_0 is given as

D_0 = [ 11d 148d 182d 82d 224d 8d 105d 31d ],


where the first column 11d is the decimal form of [00001011]^T. Similarly, for i = 1, 2, \ldots, 7, we have h_i(x) = s_0(D_i x^T) + c_i, where

D_1 = [ 51d 150d 68d 220d 223d 77d 28d 1d ],
D_2 = [ 47d 235d 4d 90d 149d 164d 62d 240d ],
D_3 = [ 35d 156d 94d 18d 213d 186d 121d 129d ],
D_4 = [ 26d 78d 156d 241d 172d 55d 85d 124d ],
D_5 = [ 42d 142d 1d 146d 237d 35d 247d 191d ],
D_6 = [ 47d 86d 101d 81d 151d 137d 143d 122d ],
D_7 = [ 67d 112d 4d 29d 161d 199d 246d 61d ],

and the constant c_i is given by c_2 = c_3 = c_4 = c_7 = 1 and c_1 = c_5 = c_6 = 0.

9. Finally, we check SAC for BOX-1 and BOX-0:

    w       h7  h6  h5  h4  h3  h2  h1  h0   s7  s6  s5  s4  s3  s2  s1  s0
00000001     0  24   8  24 -32  24  -8  -8   -8  -8  24 -32  24   8  24   0
00000010   -16 -16  16  -8  16 -16   0  16   16   8 -32   0   8  24   0 -16
00000100    -8   8  24 -16  24  32  24  24   -8  -8   0  16 -32   0 -16   0
00001000   -24  -8  24  -8 -16  24 -16  -8  -16 -16  16  24   0 -16   0 -24
00010000   -32   8  24  32   8 -16   8  -8   24   0  24  -8   0   0 -24 -16
00100000    -8 -24  -8   0  -8   0  -8   0   24  -8  -8  16  16 -24 -16 -16
01000000    16  16 -16  24  16   0   8  16  -16 -16  16  -8  16 -16 -16   8
10000000     8 -32  -8  16 -16  -8 -24   0   -8 -32  -8 -16   8 -16   8  -8

Since an affine transformation rearranges additive correlation values, the Avalanche transform of h_i is possibly non-identical to that of s_i. However, for w \in F_2^8 with binary Hamming weight one, the maximum absolute correlation value of (h_i h_i)(w) is equal to that of (s_j s_j)(w) for 0 \le i, j \le 7, and the frequencies of occurrence of each possible value for BOX-1 and BOX-0 are very similar. Therefore, BOX-1 and BOX-0 have almost the same level of performance in the correlation aspect.

4.2 Using All Other Irreducible Polynomials of Degree 8
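The transform-domain checks of items 3 to 9, as an added example that is not part of the paper: it rebuilds the Rijndael S-box (BOX-0) and computes, for each coordinate s_i, the Walsh (Hadamard) profile and nonlinearity of (5), the Avalanche transform of (6) with its profile, the ANF degree with its linear and degree-7 term counts, and the weight-one SAC rows. The exp/log construction of the inverse and the rotation form of the affine map are my own formulation, not the paper's.

```python
# Added example: the transform-domain checks of items 3 to 9 above, run on the
# Rijndael S-box (BOX-0) built from scratch. Truth-table index = input byte,
# bit i of the output = coordinate function s_i.
from collections import Counter

def aes_sbox():
    """BOX-0: inversion in F_{2^8} mod 0x11b, using exp/log tables of the
    generator 0x03 = alpha + 1, followed by the FIPS-197 affine map."""
    exp, log = [0] * 255, [0] * 256
    x = 1
    for e in range(255):
        exp[e], log[x] = x, e
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x := x * 0x03, reduced
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    box = []
    for y in range(256):
        b = exp[(255 - log[y]) % 255] if y else 0    # y^(-1), with 0 -> 0
        box.append(b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63)
    return box

def coordinate(box, i):
    """Truth table of the coordinate boolean function s_i."""
    return [(v >> i) & 1 for v in box]

def walsh_transform(tt):
    """W(w) = sum_x (-1)^(w.x + f(x)) for all w, by the fast Walsh-Hadamard
    butterfly; with w.x = Tr(lambda x) this is the Hadamard transform of 2.2."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def avalanche_transform(tt):
    """Additive correlation F(w) = sum_x (-1)^(f(x+w) + f(x)) of equation (6)."""
    n = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ w]) for x in range(n)) for w in range(n)]

def nonlinearity(tt):
    """Equation (5): N_f = 2^(n-1) - (1/2) max_w |W(w)|."""
    return len(tt) // 2 - max(abs(v) for v in walsh_transform(tt)) // 2

def profile(values, skip_w0=False):
    """Frequency distribution of absolute transform values (drop w = 0 for AT)."""
    return dict(Counter(abs(v) for v in values[1 if skip_w0 else 0:]))

def anf_monomials(tt):
    """Monomials (as variable bit masks) with coefficient 1 in the ANF,
    via the Moebius transform of the truth table."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return [m for m, c in enumerate(a) if c]

def sac_table(box):
    """F_i(w) for each coordinate s_i and each weight-one w (the item-9 table);
    SAC holds only if every entry is 0."""
    ats = [avalanche_transform(coordinate(box, i)) for i in range(8)]
    return {1 << k: [ats[i][1 << k] for i in range(8)] for k in range(8)}

if __name__ == "__main__":
    box = aes_sbox()
    for i in range(8):
        tt = coordinate(box, i)
        weights = [bin(m).count("1") for m in anf_monomials(tt)]
        print("s%d: NL=%d degree=%d linear terms=%d degree-7 terms=%d" % (
            i, nonlinearity(tt), max(weights), weights.count(1), weights.count(7)))
        print("    |HT| profile:", profile(walsh_transform(tt)))
        print("    |AT| profile:", profile(avalanche_transform(tt), skip_w0=True))
    for w, row in sac_table(box).items():
        print("SAC w=%08b: s0..s7 =" % w, row)
```

The HT and AT profiles printed for every s_i are the ones tabulated in items 5 and 7, and the nonzero SAC rows show why neither box satisfies SAC.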

The analysis results for BOX-1, especially items 4 to 7 in the above list and Theorem 1, show that BOX-1 is equivalent to the original S-box of Rijndael in many aspects. The effect of replacing the irreducible polynomial in Rijndael has been studied enough previously. Any replacement of the irreducible polynomial in the Rijndael cipher with a different one creates a new cipher, but it is equivalent to the original in all aspects. Barkan and Biham [1] concluded that any choice of replacement irreducible polynomial works the same, and hence there is no advantage in changing the original irreducible polynomial for any other.

A careless conclusion from the above information would lead to a guess that the remaining S-boxes, BOX-2, ..., BOX-29, using each of the remaining irreducible polynomials of degree 8, respectively, would have similar properties. That is, every BOX-i for 2 \le i \le 29 might be a balanced bijection with the same spectral properties (the same Hadamard and correlation transform profile) whose coordinate functions would all be affine equivalent to those of Rijndael S-box. To our surprise, it turned out that this is not the case. Careful examination of the proposed scheme described in Section 3 reveals that our scheme is completely different from simply changing the irreducible polynomial in the Rijndael cipher. Instead, it is a method of constructing only a new S-box from the given one, and the whole cipher runs over the field defined by the same irreducible polynomial.

For example, we examine BOX-2, which is constructed using the irreducible polynomial g_2(z) = z^8 + z^5 + z^3 + z + 1 in the conversion process. Again we use the parallel notation of Section 3, but in this case, we use the field E defined by g_2(z). BOX-2 is shown in Table 4. The polynomial functions for BOX-2 are denoted by u_i(x); their Hadamard transform profiles and SAC table are given in Table 5 and Table 6, respectively. In summary, BOX-2 is completely different from BOX-1 or BOX-0:

1. BOX-2 is not bijective and no coordinate function is balanced. Therefore, it is worse against the linear attack than BOX-0.
Table 4. BOX-2 (in hexadecimal); row = high nibble, column = low nibble of the input.

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0  63 12 31 1d f9 50 e6 22 4f 2f 2e e8 18 f1 03 08
 1  4a eb 84 c2 b9 90 34 d4 02 b6 61 6c ea 29 46 2b
 2  cd d3 c7 f2 2f 34 9e d4 c3 14 b3 56 7b 9d d0 58
 3  ff d4 7e 82 85 55 90 88 21 ba af 23 b2 aa ba 49
 4  1e ac 27 2f 94 cb 0c eb 7f c3 9f b1 53 2b 19 d2
 5  78 2e dd ca c3 18 a3 51 12 31 22 6e 2d 59 87 da
 6  4a ec f2 a7 a8 1e 1b 33 5e 60 94 f5 07 f4 6d ac
 7  9b 01 64 55 93 d9 80 1c 2b de 98 78 42 eb 65 c5
 8  3f 56 f3 dc e1 18 f0 db 59 e7 ab cc fa 3d 89 18
 9  a8 3c 62 8b 70 55 7c 7a 0d aa c7 4c 9e d4 bf 00
 a  e7 48 50 7c 48 9b 89 72 cb c4 a5 40 05 b1 00 fc
 b  4a b4 ac 85 bb 62 98 22 6d b4 e4 b7 ac 30 d0 70
 c  ce 09 bb e8 ef 11 e6 f8 3a 14 ac 7c 75 29 c1 79
 d  1b ff 9c 31 49 7b 5a 57 cb b6 d0 3e b9 48 47 c8
 e  1d 02 eb 7d d7 df 31 3f 72 9c a3 91 b5 75 c9 08
 f  38 06 a4 b9 2d f6 20 99 3a 9b 5e 6e 7e 36 58 14

Table 5. Hadamard transform profile (frequency distribution) of BOX-2

Absolute HT value   0   4   8  12  16  20  24  28  32  36  40  44  48  52  Total
u7                 27  59  45  28  21  30  25   7   5   4   2   0   3   0    256
u6                 26  45  46  42  31  22  17  13   6   4   1   2   1   0    256
u5                 22  55  42  38  32  23  18   8  10   3   4   1   0   0    256
u4                 25  45  38  33  42  31  15  17   5   2   3   0   0   0    256
u3                 23  46  44  46  34  25  16   7   5   3   4   1   2   0    256
u2                 33  53  38  32  33  22  15  15   5   6   3   0   1   0    256
u1                 22  55  40  39  35  21  21  10   6   1   3   1   1   1    256
u0                 30  44  47  41  29  20  15  16   4   6   2   1   1   0    256

Table 6. Check for SAC of BOX-2

    w       u7  u6  u5  u4  u3  u2  u1  u0
10000000    -8  16  40  24  24  -8   0  40
01000000     8  24  24 -32  16   8   8  16
00100000    -8 -24   8  16 -24  -8   8  24
00010000   -24 -24  -8   0   8  -8  32 -16
00001000     0   0  -8   8  -8 -24  16   0
00000100    -8 -24   0   0   8  -8  -8  16
00000010     8   0  -8  56  24  24  16  -8
00000001   -24   8 -24   8 -32   0  16   0

2. BOX-2 has a worse spectrum in the transform domain than BOX-0.

3. The Hadamard transform profiles of the eight component functions of BOX-2 are all distinct.

4. All coordinate functions of BOX-2 are pairwise inequivalent as boolean functions, which is one of the desirable characteristics of an S-box.

5. None of the component functions of BOX-2 has a simple algebraic expression over F_{2^n} with the multiplication performed modulo any irreducible polynomial, while all coordinates of BOX-0 have the simplest equations, such as (7), with the current Rijndael irreducible polynomial. Therefore, BOX-2 is better against the interpolation attack [6] than the original S-box, BOX-0.

We have experimentally checked all the remaining 27 S-boxes which are constructed from Rijndael S-box using the remaining 27 irreducible polynomials of degree 8, respectively. We have verified that all of them share almost the same properties listed above with BOX-2.

5 Concluding Remarks

We proposed a simple scheme which produces a new S-box from a given S-box, based on operations over F_{2^n}. The essential steps of the construction are (i) to determine the trace-represented polynomial functions of the given S-box over F_{2^n} with the multiplication performed modulo some other irreducible polynomial than the one originally used, (ii) to replace the coefficients in the trace-represented polynomial functions with the corresponding powers of the original primitive element, and finally, (iii) to evaluate the new polynomials in F_{2^n} with the multiplication now performed modulo the original irreducible polynomial.

We have applied the scheme to Rijndael S-box, BOX-0, and constructed 29 different S-boxes, denoted by BOX-1, BOX-2, ..., BOX-29. All 29 S-boxes have much improved algebraic expressions over F_{2^n} with the multiplication performed modulo the original irreducible polynomial g_0(z) (compare with (7)). Only BOX-1 has almost the same cryptographic properties as BOX-0. This is because only BOX-1 is equivalent to BOX-0 as boolean functions. Only BOX-0 and BOX-1 have the property that their algebraic expressions over F_{2^n}, with the multiplication performed modulo some appropriate irreducible polynomial, turn out to consist of a single trace function. No other S-boxes have such a simple algebraic expression.

Some theoretical developments that would be interesting are the following:

Q1 When and why is the resulting S-box a bijection or not a bijection?
Q2 When and why does the resulting S-box have the same or different spectral properties as the original S-box?
Q3 Restricting to the case of Rijndael S-box, why is only BOX-1 similar to the original S-box? This is very surprising considering that g_1(z) is an arbitrary choice among the 29 irreducible polynomials of degree 8 over F_2.
Q4 What are the distinctive properties of g_1(z) = z^8 + z^4 + z^3 + z^2 + 1 relative to g_0(z) = z^8 + z^4 + z^3 + z + 1, compared with all other 28 irreducible polynomials of degree 8 over F_2?

References

1. E. Barkan and E. Biham, In how many ways can you write Rijndael?, In: Y. Zheng (Ed.), ASIACRYPT 2002, LNCS vol. 2501, Springer-Verlag, 2002, pp. 160–175.
2. E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology, vol. 4, pp. 3–72, 1991.
3. J. Fuller and W. Millan, Linear redundancy in S-boxes, In: T. Johansson (Ed.), Fast Software Encryption 2003, LNCS vol. 2887, Springer-Verlag, 2003, pp. 74–86.
4. G. Gong and S.W. Golomb, Transform domain analysis of DES, IEEE Transactions on Information Theory, vol. 45, no. 6, pp. 2065–2073, Sep. 1999.
5. S.W. Golomb and G. Gong, Signal Design for Good Correlation: for Wireless Communication, Cryptography, and Radar. Cambridge University Press, 2005.
6. T. Jakobsen and L.R. Knudsen, The interpolation attack on block ciphers, In: E. Biham (Ed.), Fast Software Encryption 97, LNCS vol. 1267, Springer-Verlag, 1997, pp. 28–40.
7. L. Jing-mei, W. Bao-dian, C. Xiang-guo, and W. Xin-mei, Cryptanalysis of Rijndael S-box and improvement, Applied Mathematics and Computation, vol. 170, pp. 958–975, 2005.
8. R. Lidl and H. Niederreiter, Introduction to Finite Fields and Their Applications. Cambridge University Press, 1986.
9. M. Matsui, Linear cryptanalysis method for DES cipher, In: T. Helleseth (Ed.), Advances in Cryptology: Eurocrypt 93, LNCS vol. 765, Springer-Verlag, 1993, pp. 386–397.
10. C.E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal, vol. 28, pp. 656–715, 1949.
11. T. Siegenthaler, Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information Theory, vol. 30, no. 5, pp. 776–780, Sep. 1984.
12. A.F. Webster and S.E. Tavares, On the design of S-boxes, In: H.C. Williams (Ed.), Advances in Cryptology: Crypto 85, LNCS vol. 218, Springer-Verlag, 1986, pp. 523–534.
13. A.M. Youssef and S.E. Tavares, Affine equivalence in the AES round function, Discrete Applied Mathematics, vol. 148, pp. 161–170, 2005.
14. J. Daemen and V. Rijmen, AES proposal: Rijndael.
15. J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag, 2002.
16. FIPS-197: Advanced Encryption Standard (AES), Nov. 2001, http://csrc.nist.gov/publications/fips
17. Block Cipher ARIA, http://www.nsri.re.kr/ARIA/doc/ARIA-specification.pdf
18. CRYPTREC, http://www.ipa.go.jp/ (in Japanese).
19. NESSIE (The New European Schemes for Signatures, Integrity and Encryption), http://www.cryptonessie.org
