Dynamic Substitution Box

Chapter 3
Dynamic Substitution Box
3.1 Introduction
The fundamental concepts of confusion and diffusion as identified
by Shannon are the foundations of any cipher system. The S-boxes
are an integral part of symmetric key cryptosystems. Their basic
purpose is to provide the necessary confusion. They are used for
obscuring the relation between the plain text and the cipher text.
They are essentially non-linear mappings which take as input a
certain number of bits and convert them into some number of bits.
The number of bits at the input and output need not be equal.
The security of systems using the S-boxes depends a great deal on
their proper selection. A good amount of research has been going
on in this direction.
Advanced Encryption Standard (AES), also known as Rijndael,
is a block cipher adopted as an encryption standard by the US
government. It has been analyzed extensively and is now used
worldwide. AES was announced by the National Institute of Standards
and Technology (NIST) as US FIPS PUB 197 on November 26,
2001. This algorithm makes use of a static (16 x 16 entries) S-box
throughout. The AES has been proved to be highly resistant to
different forms of attack.
In a development which attracted a good deal of controversy and
skepticism, Nicolas T. Courtois and Joseph Pieprzyk proposed an
attack on AES called the XSL attack[15]. The XSL attack relies
on first analyzing the internals of a cipher and deriving a system of
quadratic simultaneous equations. These systems of equations are
typically very large, for example 8000 equations with 1600 variables for the AES-128. The attack is notable for requiring only
a handful of known plaintexts to perform; previous methods of
cryptanalysis, such as linear and differential cryptanalysis, often
require an unrealistically large number of known or chosen plaintexts. The authors were not able to implement the breaking of
AES. This led to the approach being called 'infeasible'. On the
other hand, while raising questions regarding the practicality of
the XSL approach, Bruce Schneier also leaves the door open for
new possibilities of attack.
This thesis describes a method of generating dynamic S-boxes
with respect to the AES algorithm. Such S-boxes are aimed at
foiling attacks from the methods which depend on the fact that
the AES in its present form has a static S-box. Our method
intends to inject a greater deal of obscurity and confusion by use
of a dynamic S-box. While we do not question the security of AES
in its present form, our aim is to look into new alternative ways
to fight future algebraic attacks like the XSL attack.
3.2 The S-box in AES algorithm
This section provides a little background on the quantities used
for generating the S-box in the AES algorithm. The generation of the
S-box involves operations in a Galois field, specifically $GF(2^8)$.
Polynomials are represented in algebraic form or in hexadecimal or
decimal notation. The irreducible polynomial m used in AES is given
by $m = x^8 + x^4 + x^3 + x + 1$, or by m = 11bh, or by m = 283.
The polynomial given by m is the first irreducible polynomial of
degree 8. The use of m ensures that all the operations give results
which are below degree 8.
The S-box is constructed by following the steps[58]:
• Initialize the S-box with the byte values in ascending sequence
row by row. The first row contains 00h, 01h, 02h, ..., 0fh; the
second row contains 10h, 11h, 12h, ..., 1fh; and so on.
• Map each byte in the S-box to its multiplicative inverse in the
finite field $GF(2^8)$; the value 00h is mapped to itself.
• Consider that each byte in the S-box consists of 8 bits labeled
$[b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0]$. Apply the following
transformation to each bit of each byte in the S-box:
$$
b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i \tag{3.1}
$$
where $b_i$ is the ith bit of the byte and $c_i$ is the ith bit of a
byte c. c is a constant and has the value 63h or $(01100011)_2$ or
$(99)_{10}$. $b'$ indicates that the variable is to be updated with
the value on the right.
In matrix form, the affine transformation element of the S-box can
be expressed as:
$$
\begin{bmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{bmatrix}
=
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{bmatrix}
\oplus
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
\tag{3.2}
$$
The corresponding S-box generated above is given in Table 3.1.
This static S-box is used for all byte substitution operations
throughout the AES algorithm. Though the XSL attack failed to
substantiate its claims, some doubts persist about the security of
the cipher due to its simple algebraic structure.

Table 3.1: The Static S-box used in AES algorithm.
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
3.3 S-boxes from Affine transformation
Over the years a lot of research has gone into designing better
S-boxes. In the light of the above attempts it becomes evident
that there exists ample room for improvement in the present S-box,
either by modifying it or replacing it by a better S-box.
According to the Rijndael proposal, an S-box should have the
following characteristics:
• Invertibility.
• Minimization of the largest non-trivial correlation between
linear combinations of input bits and linear combinations of
output bits.
• Minimization of the largest non-trivial value in the XOR table.
• Complexity of its algebraic expression in $GF(2^8)$.
• Simplicity of description.
All the above criteria are fulfilled by taking the inverse over
the finite field $GF(2^8)$ and the affine transformation. The S-box
used in the AES algorithm consists of 16 × 16 entries; they are the
bytes from 00h to ffh and all the entries are unique. Since there
are 256 elements in an S-box, the possible S-boxes are
$256! \approx 2^{1684}$. If it is possible to construct any one of
these S-boxes, depending on the secret key, cryptanalysis by
algebraic attacks like the linear, the differential and the XSL
attacks as well as the brute-force attack becomes very difficult.
The affine transformation is defined as y = Ax ⊕ C mod m, where
A is an 8 × 8 non-singular matrix over GF(2) and C is a constant
8 × 1 column matrix of one byte (any value from 00h to ffh). x is
the one-byte input and y is the corresponding one-byte output; m is
an irreducible polynomial of degree 8. The number of possible
non-singular A matrices with s × s entries in GF(2) is
$$
(2^s - 1)(2^s - 2) \cdots (2^s - 2^{s-1})
$$
In the AES S-box s = 8. Then the number of possible non-singular A
matrices = $(2^8 - 1)(2^8 - 2) \cdots (2^8 - 2^7) \approx 2^{62}$.
The number of possible constant c values is $256 = 2^8$, and there
are 30 irreducible polynomials of degree 8 ($\approx 2^5$).
The total S-boxes possible with all affine transformations
= $2^{62+8+5} = 2^{75}$.
In AES S-box construction, the first step is to initialize the
S-box entries from 00h to ffh. It is possible to initially permute
these values in a structured form. As this is a linear operation,
various techniques are possible. By initially introducing this
operation, then the affine transformation, it is possible to
construct all the possible $2^{1684}$ S-boxes.
3.4 Construction of the Dynamic S-box
The block diagram of the key dependent dynamic S-box is shown
in Fig. 3.1. It is constructed by following the steps given below:
• Initialize the S-box with the byte values in ascending sequence
row by row. The first row contains 00h, 01h, 02h, ..., 0fh; the
second row contains 10h, 11h, 12h, ..., 1fh; and so on.
• Using an auxiliary key of size 1 byte to 256 bytes, permute the
S-box entries as follows:
– Initialize a temporary array T[256] with an auxiliary key
of 256 bytes.
– If the length of the key is less than 256 bytes, reuse the
key bytes to initialize T.
– Permute the S-box entries as follows:
j = 0;
for i = 0 to 255 do
    j = (s[i] + T[i] + j) mod 256;
    swap(s[i], s[j]);
• Select another auxiliary key of 256 bits (32 bytes), in which the
first 128 bits are arbitrary and the next 128 bits are fixed.
Among these 256 bits select only 224 bits, leaving out the MSB
of each byte of the key.
• From the first 64 bits, i.e. from $b_0$ to $b_{63}$, construct an
8 × 8 matrix A and find the determinant. If matrix A is singular,
construct a new matrix with new bits from $b_1$ to $b_{64}$ and
check for singularity. Repeat this procedure till matrix A is
non-singular.
• Take the sum of the 16 bytes of the auxiliary key and the mod 30
of the sum. Select the respective irreducible polynomial m from the
30 irreducible polynomials of degree 8 of $GF(2^8)$.
• Calculate the affine constant c by taking the polynomial
multiplication of the 16-byte auxiliary key with the irreducible
polynomial m.
• Modify the permuted entries of the S-box of step 2 by taking the
multiplicative inverse of each byte with irreducible polynomial
m.
• Using the affine transformation y = Ax ⊕ C mod m, construct the
dynamic S-box.

Figure 3.1: Block diagram of Dynamic S-box

The inverse dynamic S-box needed at the receiver to decrypt
the cipher text can be constructed as above, with the same
permutation key and auxiliary key. Now the dynamic inverse S-box
entries are constructed from the dynamic S-box itself.
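The construction steps above, as an added example in Python (not the thesis's code). The bit order used when dropping each MSB, the SHA-256-derived auxiliary key, and passing m and c in directly instead of deriving them from the key (the page does not give the ordering of the 30 polynomials) are assumptions made here.

```python
# Added example (not the thesis code): key-dependent S-box per Section 3.4.
import hashlib

AES_ROWS = [0xF8, 0x7C, 0x3E, 0x1F, 0x8F, 0xC7, 0xE3, 0xF1]  # AES matrix A, row for z7 first
PERMUTE_KEY = b"0123456789abcdef"                              # sample permutation key
# Constructed 32-byte auxiliary key; the page does not give the fixed 128-bit half.
AUX_KEY = hashlib.sha256(b"constructed example auxiliary key").digest()


def gf_mul(a, b, m):
    """Multiply two bytes as GF(2) polynomials, reduced modulo m (degree 8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= m
        b >>= 1
    return r


def gf_inv(x, m):
    """Multiplicative inverse computed as x^254; 00h maps to itself."""
    result, base, exp = 1, x, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base, m)
        base = gf_mul(base, base, m)
        exp >>= 1
    return result


def is_nonsingular(rows):
    """Rank test by Gauss-Jordan elimination over GF(2); each row is one byte."""
    rows, rank = list(rows), 0
    for col in range(8):
        bit = 1 << col
        for i in range(rank, 8):
            if rows[i] & bit:
                rows[rank], rows[i] = rows[i], rows[rank]
                for k in range(8):
                    if k != rank and rows[k] & bit:
                        rows[k] ^= rows[rank]
                rank += 1
                break
    return rank == 8


def select_matrix(aux_key):
    """Drop the MSB of every key byte, then slide a 64-bit window one bit at a
    time until its eight 8-bit rows form a non-singular matrix A."""
    bits = "".join(format(b & 0x7F, "07b") for b in aux_key)  # 32 bytes -> 224 bits
    for start in range(len(bits) - 63):
        rows = [int(bits[start + 8 * r:start + 8 * r + 8], 2) for r in range(8)]
        if is_nonsingular(rows):
            return rows
    raise ValueError("no non-singular 8x8 window in this auxiliary key")


def permute(key):
    """Key-driven shuffle of 00h..ffh; T[i] reuses the key bytes cyclically.
    This loop has the same form as the RC4 key-scheduling loop."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (s[i] + key[i % len(key)] + j) % 256
        s[i], s[j] = s[j], s[i]
    return s


def affine(y, rows, c):
    """z = A*y xor c over GF(2); rows[0] yields z7, bit 7 of a row meets y7."""
    z = 0
    for row in rows:
        z = (z << 1) | (bin(row & y).count("1") & 1)
    return z ^ c


def dynamic_sbox(permute_key, aux_key, m, c):
    """Permute, invert modulo m, then apply the key-selected affine map."""
    rows = select_matrix(aux_key)
    return [affine(gf_inv(v, m), rows, c) for v in permute(permute_key)]


def static_sbox(rows=AES_ROWS, c=0x63, m=0x11B):
    """No permutation and the AES parameters: the static S-box of Table 3.1."""
    return [affine(gf_inv(x, m), rows, c) for x in range(256)]


def invert_table(sbox):
    """Inverse S-box built from the forward table, as the receiver would."""
    inv = [0] * 256
    for x, z in enumerate(sbox):
        inv[z] = x
    return inv


if __name__ == "__main__":
    box = dynamic_sbox(PERMUTE_KEY, AUX_KEY, m=0x11D, c=0xE5)  # m, c: sample values
    inv = invert_table(box)
    print("bijective:", sorted(box) == list(range(256)))
    print("round trip:", all(inv[box[x]] == x for x in range(256)))
    print("first row:", " ".join(f"{v:02x}" for v in box[:16]))
```

Because every stage (permutation, field inversion, non-singular affine map) is a bijection on bytes, the result is always invertible, which is the first of the Rijndael criteria listed in Section 3.3.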
3.5 Algebraic expression for S-box
A new property of finite fields was discovered [59][60]: the new
co-ordinates of the field elements are expressed by arithmetic
polynomials with the element y itself as the variable. They have
shown that any polynomial $z \in GF(p^n)$ can be represented as
$$
\begin{bmatrix} z_0 \\ z_1 \\ z_2 \\ \vdots \\ z_{n-1} \end{bmatrix}
=
\begin{bmatrix}
c_{0,0} & c_{0,1} & c_{0,2} & \cdots & c_{0,n-1} \\
c_{1,0} & c_{1,1} & c_{1,2} & \cdots & c_{1,n-1} \\
c_{2,0} & c_{2,1} & c_{2,2} & \cdots & c_{2,n-1} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
c_{n-1,0} & c_{n-1,1} & c_{n-1,2} & \cdots & c_{n-1,n-1}
\end{bmatrix}
\begin{bmatrix} z \\ z^{p} \\ z^{p^2} \\ \vdots \\ z^{p^{n-1}} \end{bmatrix}
\tag{3.3}
$$
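For $x \in GF(2^8)$ this relationship is given by
$$
\begin{bmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{bmatrix}
=
\begin{bmatrix}
\mathtt{29} & \mathtt{2d} & \mathtt{3d} & \mathtt{26} & \mathtt{78} & \mathtt{9c} & \mathtt{d1} & \mathtt{26} \\
\mathtt{b0} & \mathtt{ed} & \mathtt{0c} & \mathtt{50} & \mathtt{b0} & \mathtt{ed} & \mathtt{0c} & \mathtt{50} \\
\mathtt{58} & \mathtt{f0} & \mathtt{46} & \mathtt{bf} & \mathtt{b8} & \mathtt{ad} & \mathtt{a7} & \mathtt{e3} \\
\mathtt{05} & \mathtt{11} & \mathtt{1a} & \mathtt{5f} & \mathtt{e5} & \mathtt{cc} & \mathtt{fb} & \mathtt{03} \\
\mathtt{a6} & \mathtt{e2} & \mathtt{59} & \mathtt{f1} & \mathtt{47} & \mathtt{be} & \mathtt{b9} & \mathtt{ac} \\
\mathtt{53} & \mathtt{b5} & \mathtt{fc} & \mathtt{16} & \mathtt{af} & \mathtt{55} & \mathtt{a1} & \mathtt{f7} \\
\mathtt{a4} & \mathtt{e6} & \mathtt{49} & \mathtt{ea} & \mathtt{19} & \mathtt{5a} & \mathtt{f4} & \mathtt{56} \\
\mathtt{52} & \mathtt{b4} & \mathtt{fd} & \mathtt{17} & \mathtt{0e} & \mathtt{54} & \mathtt{a0} & \mathtt{f6}
\end{bmatrix}
\begin{bmatrix} x \\ x^{2} \\ x^{4} \\ x^{8} \\ x^{16} \\ x^{32} \\ x^{64} \\ x^{128} \end{bmatrix}
\tag{3.4}
$$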
This relationship can be used to generate the S-box elements of the
AES algorithm. To generate the S-box an affine transformation
is used as
$$
z = A\,y \oplus C \bmod m \tag{3.5}
$$
where the generator matrix A and constant C used in the AES
algorithm are
$$
A =
\begin{bmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{bmatrix},
\qquad
C =
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
\tag{3.6}
$$
These two matrices can be represented as
A = [f8h, 7ch, 3eh, 1fh, 8fh, c7h, e3h, f1h]^T and C = [63h]^T. All
the entries of the matrix A are obtained from the initial value f8h
circularly shifted right by one place for each row. To construct
the S-box from $z \in GF(2^8)$ the affine transformation is
simplified as
$$
z =
\begin{bmatrix} z_7 \\ z_6 \\ z_5 \\ z_4 \\ z_3 \\ z_2 \\ z_1 \\ z_0 \end{bmatrix}
=
\begin{bmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} y_7 \\ y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \end{bmatrix}
\oplus
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
\tag{3.7}
$$
$$
=
\begin{bmatrix} y_7 \\ y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \end{bmatrix}
\oplus
\begin{bmatrix} y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \\ y_7 \end{bmatrix}
\oplus
\begin{bmatrix} y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \\ y_7 \\ y_6 \end{bmatrix}
\oplus
\begin{bmatrix} y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \\ y_7 \\ y_6 \\ y_5 \end{bmatrix}
\oplus
\begin{bmatrix} y_3 \\ y_2 \\ y_1 \\ y_0 \\ y_7 \\ y_6 \\ y_5 \\ y_4 \end{bmatrix}
\oplus
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
\tag{3.8}
$$
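Put $y = y_7 y_6 y_5 y_4 y_3 y_2 y_1 y_0$; then
$(y \ll 1) = y_6 y_5 y_4 y_3 y_2 y_1 y_0 y_7$ and
$(y \ll 2) = y_5 y_4 y_3 y_2 y_1 y_0 y_7 y_6$ and so on. Then
$$
z = y \oplus (y \ll 1) \oplus (y \ll 2) \oplus (y \ll 3) \oplus (y \ll 4) \oplus \mathtt{63}_h \tag{3.9}
$$
where $(y \ll 1)$ is a one-bit left cyclic shift of y. The
multiplication 2y is a one-bit left shift of y followed by the XOR
with 1bh for irreducible polynomial 11bh, when a carry exists after
multiplication. That is,
$(y \ll 1) = 2y \oplus y_7(\mathtt{01}_h \oplus \mathtt{1b}_h) = 2y \oplus \mathtt{1a}_h y_7$.
Similarly
$(y \ll 2) = \mathtt{04}_h y \oplus \mathtt{34}_h y_7 \oplus \mathtt{1a}_h y_6$
and so on. By substituting these values in Eqn. 3.9 we get
$$
z = \mathtt{1f}_h\,y \oplus \mathtt{96}_h\,y_7 \oplus \mathtt{46}_h\,y_6 \oplus \mathtt{2e}_h\,y_5 \oplus \mathtt{1a}_h\,y_4 \oplus \mathtt{63}_h \tag{3.10}
$$
Now substituting for $y_7$, $y_6$, $y_5$ and $y_4$ from Eqn. 3.2 in
Eqn. 3.8 we get
$$
z = \mathtt{05}_h\,y \oplus \mathtt{09}_h\,y^{2} \oplus \mathtt{f9}_h\,y^{4} \oplus \mathtt{25}_h\,y^{8} \oplus \mathtt{f4}_h\,y^{16} \oplus \mathtt{01}_h\,y^{32} \oplus \mathtt{b5}_h\,y^{64} \oplus \mathtt{8f}_h\,y^{128} \oplus \mathtt{63}_h \tag{3.11}
$$
But y is the multiplicative inverse of x, that is $y = x^{254}$.
Similarly $y^2 = x^{253}$ and so on. Thus
$$
z = \mathtt{05}_h\,x^{254} \oplus \mathtt{09}_h\,x^{253} \oplus \mathtt{f9}_h\,x^{251} \oplus \mathtt{25}_h\,x^{247} \oplus \mathtt{f4}_h\,x^{239} \oplus \mathtt{01}_h\,x^{223} \oplus \mathtt{b5}_h\,x^{191} \oplus \mathtt{8f}_h\,x^{127} \oplus \mathtt{63}_h \tag{3.12}
$$
3.5.1 General Algebraic Equation for Affine Transformation S-box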
There are 256 polynomials in $GF(2^8)$. Using the 8 bits of any one
of these polynomials as the first-row elements of the A matrix and
circularly (left or right) shifting this polynomial each time, the
remaining 7 rows can be constructed. For example, consider the
first polynomial 01h. By left circularly shifting this polynomial
7 times, we get the polynomials 02h, 04h, 08h, 10h, 20h, 40h, 80h
and construct the A matrix by using these elements. Then
$$
z =
\begin{bmatrix} z_7 \\ z_6 \\ z_5 \\ z_4 \\ z_3 \\ z_2 \\ z_1 \\ z_0 \end{bmatrix}
=
\begin{bmatrix}
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} y_7 \\ y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \end{bmatrix}
\oplus
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
= y \oplus \mathtt{63}_h
\tag{3.13}
$$
All other combinations will give rise to $(y \ll 1) \oplus \mathtt{63}_h$,
$(y \ll 2) \oplus \mathtt{63}_h$ and so on. It is found that with
cyclic shift only the following independent polynomials will give
non-singular matrices. They are 01h, 07h, 0bh, 0dh, 13h, 15h, 19h,
1fh, 25h, 2fh, 37h, 3dh, 57h and 7fh. By using any one of these
polynomials and an appropriate left or right circular shift, an
S-box can be constructed. For these S-boxes a general algebraic
equation is derived as follows: let $x \in GF(2^8)$ be an input
polynomial to the S-box; then the output of the S-box
$z \in GF(2^8)$ is given by
$$
z = a_0 (y \ll 0) \oplus a_1 (y \ll 1) \oplus a_2 (y \ll 2) \oplus a_3 (y \ll 3) \oplus a_4 (y \ll 4) \oplus a_5 (y \ll 5) \oplus a_6 (y \ll 6) \oplus a_7 (y \ll 7) \oplus \mathtt{63}_h \tag{3.14}
$$
where $a_i \in GF(2)$ and $a = a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0$ is
any one polynomial from 01h, 07h, 0bh, 0dh, 13h, 15h, 19h, 1fh,
25h, 2fh, 37h, 3dh, 57h and 7fh. In the above expression,
$$
\begin{aligned}
(y \ll 7) &= \mathtt{80}_h y \oplus \mathtt{da}_h y_7 \oplus \mathtt{6d}_h y_6 \oplus \mathtt{bb}_h y_5 \oplus \mathtt{d0}_h y_4 \oplus \mathtt{68}_h y_3 \oplus \mathtt{34}_h y_2 \oplus \mathtt{1a}_h y_1 \\
(y \ll 6) &= \mathtt{40}_h y \oplus \mathtt{6d}_h y_7 \oplus \mathtt{bb}_h y_6 \oplus \mathtt{d0}_h y_5 \oplus \mathtt{68}_h y_4 \oplus \mathtt{34}_h y_3 \oplus \mathtt{1a}_h y_2 \\
(y \ll 5) &= \mathtt{20}_h y \oplus \mathtt{bb}_h y_7 \oplus \mathtt{d0}_h y_6 \oplus \mathtt{68}_h y_5 \oplus \mathtt{34}_h y_4 \oplus \mathtt{1a}_h y_3 \\
(y \ll 4) &= \mathtt{10}_h y \oplus \mathtt{d0}_h y_7 \oplus \mathtt{68}_h y_6 \oplus \mathtt{34}_h y_5 \oplus \mathtt{1a}_h y_4 \\
(y \ll 3) &= \mathtt{08}_h y \oplus \mathtt{68}_h y_7 \oplus \mathtt{34}_h y_6 \oplus \mathtt{1a}_h y_5 \\
(y \ll 2) &= \mathtt{04}_h y \oplus \mathtt{34}_h y_7 \oplus \mathtt{1a}_h y_6 \\
(y \ll 1) &= \mathtt{02}_h y \oplus \mathtt{1a}_h y_7 \\
(y \ll 0) &= \mathtt{01}_h y
\end{aligned}
$$
$y_7$ to $y_1$ can be represented in terms of y and its powers. Now
substitute for y in terms of x as follows:
$y = x^{254}$, $y^{2} = x^{253}$, $y^{4} = x^{251}$, $y^{8} = x^{247}$,
$y^{16} = x^{239}$, $y^{32} = x^{223}$, $y^{64} = x^{191}$,
$y^{128} = x^{127}$. By substituting the x values from 00h to ffh
the S-box values are calculated.
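3.5.2 The generalized algebraic expression for Polynomial b5h
Consider a polynomial $a = \mathtt{b5}_h \in GF(2^8)$, which has an
odd number of ones or an odd number of zeros. Then
$a = (10110101)_2$, and $a_7 = 1$, $a_6 = 0$, $a_5 = 1$, $a_4 = 1$,
$a_3 = 0$, $a_2 = 1$, $a_1 = 0$, $a_0 = 1$.
Substituting these in equation (3) we get
$$
\begin{aligned}
z &= (y \ll 0) \oplus (y \ll 2) \oplus (y \ll 4) \oplus (y \ll 5) \oplus (y \ll 7) \oplus \mathtt{63}_h \\
  &= \mathtt{b5}_h y \oplus \mathtt{85}_h y_7 \oplus \mathtt{cf}_h y_6 \oplus \mathtt{e7}_h y_5 \oplus \mathtt{fe}_h y_4 \oplus \mathtt{72}_h y_3 \oplus \mathtt{34}_h y_2 \oplus \mathtt{1a}_h y_1 \oplus \mathtt{63}_h
\end{aligned}
\tag{3.15}
$$
Substituting $y_1$ to $y_7$ from equation (2) and then simplifying
we get
$$
z = \mathtt{14}_h\,y \oplus \mathtt{fd}_h\,y^{2} \oplus \mathtt{13}_h\,y^{4} \oplus \mathtt{57}_h\,y^{8} \oplus \mathtt{fe}_h\,y^{16} \oplus \mathtt{73}_h\,y^{32} \oplus \mathtt{96}_h\,y^{64} \oplus \mathtt{03}_h\,y^{128} \oplus \mathtt{63}_h \tag{3.16}
$$
Now substitute the multiplicative inverse of y's in terms of x's to
get
$$
z = \mathtt{14}_h\,x^{254} \oplus \mathtt{fd}_h\,x^{253} \oplus \mathtt{13}_h\,x^{251} \oplus \mathtt{57}_h\,x^{247} \oplus \mathtt{fe}_h\,x^{239} \oplus \mathtt{73}_h\,x^{223} \oplus \mathtt{96}_h\,x^{191} \oplus \mathtt{03}_h\,x^{127} \oplus \mathtt{63}_h \tag{3.17}
$$
This is the generalized algebraic equation to generate the S-box by
using the polynomial b5h. Now substitute the x values from 00h to
ffh to construct the required S-box. The result is shown in Table
3.2. Another S-box is constructed by using the affine
transformation y = Ax ⊕ C mod m, where matrix A and constant C are
given below and irreducible polynomial m = 11bh is used.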
$$
A =
\begin{bmatrix}
1 & 0 & 1 & 1 & 0 & 1 & 0 & 1 \\
0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 \\
1 & 1 & 0 & 1 & 0 & 1 & 1 & 0 \\
1 & 0 & 1 & 0 & 1 & 1 & 0 & 1 \\
0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 \\
1 & 0 & 1 & 1 & 0 & 1 & 1 & 0 \\
0 & 1 & 1 & 0 & 1 & 1 & 0 & 1 \\
1 & 1 & 0 & 1 & 1 & 0 & 1 & 0
\end{bmatrix},
\qquad
C =
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
\tag{3.18}
$$
Table 3.2: S-box for the Polynomial b5h
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   63 d6 77 84 a7 3e 90 3a cf ab cd d4 54 d7 01 dc
1   35 82 c9 7d fa a6 b8 f0 f8 2b f7 af 9c 0e 72 3f
2   48 a8 93 8c 36 c0 a2 cc 61 a5 4f 5b 8e d8 64 bf
3   ae 6d 89 c3 e7 96 05 65 52 ed d5 1d eb 27 4d 20
4   f6 29 86 b0 1b 3b 5a a0 07 6e 7c e6 83 b6 7a 7b
5   ac 2e 00 12 75 03 b1 f1 95 9e be 39 e0 19 0d 30
6   85 45 aa 51 16 b2 33 d0 ef 06 57 2a 50 3c 60 fd
7   fb 5c ea da 38 37 92 f5 e9 e3 8f de ba ff 0c d2
8   67 f3 46 b9 5f 3d 44 e8 91 f2 81 97 31 08 4c d9
9   9f 7e e5 76 22 7f 6f 88 13 ee 47 14 21 f4 a1 24
a   4a 98 c5 0a 1c f9 db a3 68 79 53 c8 c4 6a e4 d3
b   18 62 9d c7 8d 80 4e 56 6c a9 5e 40 9a 2f 04 5d
c   10 78 70 d1 49 59 b4 c6 17 dd 8b b5 4b 42 74 df
d   25 6b 1f 66 b7 fc 09 a4 34 ca 02 ec 2c 94 e2 cb
e   e1 ad 32 11 69 73 71 c1 ce 1e 87 bc 9b 55 28 8a
f   26 0b 23 58 15 b3 bd c2 41 99 2d 0f 1a fe bb 43
3.5.3 Results on Dynamic S-box
A large number of S-boxes were constructed and tested for their
invertibility and Avalanche criteria as required by AES. A few
results are tabulated below.
1. The Dynamic S-box1 is constructed with the following parameters.
   Permute Key: 0123456789abcdef.
   Auxiliary Key: abcdefghijklmnop.
   A matrix Polynomials: b0h, 78h, 4ch, 2eh, 9bh, cfh, e8h, b4h
   Irreducible polynomial m: 18dh
   Affine constant c: e5h
   The respective S-box is tabulated in Table 3.3.
2. The Dynamic S-box2 is constructed with the following parameters.
   Permute Key: 123456789abcdefg.
   Auxiliary Key: bcdefghijklmnopq.
   A matrix Polynomials: 31h, b9h, 6ch, 3eh, a3h, d3h, eah, b4h
   Irreducible polynomial m: 11bh
   Affine constant c: 55h
   The respective S-box is tabulated in Table 3.4.
3. The Dynamic S-box3 is constructed with the following parameters.
   Permute Key: 23456789abcdefgh.
   Auxiliary Key: cdefghijklmnopqr.
   A matrix Polynomials: 31h, b9h, 6ch, 3eh, a3h, d3h, eah, 35h
   Irreducible polynomial m: 18dh
   Affine constant c: edh
   The respective S-box is tabulated in Table 3.5.
4. The Dynamic S-box4 is constructed with the following parameters.
   Permute Key: 3456789abcdefghi.
   Auxiliary Key: defghijklmnopqrs.
   A matrix Polynomials: b9h, 6ch, 3eh, a3h, d3h, eah, 35h, bbh
   Irreducible polynomial m: 11bh
   Affine constant c: 02h
   The respective S-box is tabulated in Table 3.6.
Table 3.3: The Dynamic S-box1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   5f 39 04 3d 0b d6 2f 37 87 7b b0 9c 6a dd 46 56
1   7e fe 07 17 94 29 1b a1 1d f3 f8 57 b7 41 34 e5
2   2a 4a 12 55 cc ca d3 c1 8c 69 43 75 ef 3c d0 bd
3   91 97 49 eb a0 2b 14 ad 30 9e ce f4 8d 45 e3 0f
4   68 77 4e b8 6b ff 3f e1 db ea aa 09 ae fb 35 a4
5   cd 65 c3 f0 9f 03 80 22 4d a8 e8 8f 08 67 73 7c
6   f2 1a 89 b9 98 62 95 52 d9 13 47 01 2d 36 f6 58
7   19 a7 fa 5a 59 fd 16 10 cb 40 7d 3b 6f c5 79 a5
8   74 b5 a9 42 a2 a3 99 f9 3e 96 9a e6 bf 83 06 78
9   d1 20 33 e0 4f 93 e4 e9 0a 0e 86 0d 24 31 de 44
a   ec f7 64 05 be b2 9b c0 d8 48 92 63 c2 54 dc 8e
b   4c 0c 71 66 61 00 88 df c6 53 b4 1e 1f 5b 18 11
c   b6 5d 60 9d 7f 32 5c b3 c8 15 1c ab c7 8b 38 7a
d   e2 25 28 c9 50 21 bc cf 6d d7 d4 e7 d2 2e 85 ee
e   27 6e 76 51 c4 84 90 3a b1 02 f5 da fc 6c 82 a6
f   ac af f1 8a 81 ba 23 70 26 d5 5e 72 2c bb ed 4b
Table 3.4: The Dynamic S-box2
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   0e d2 d3 40 38 a3 44 21 3f 24 06 8f b8 0d 84 97
1   37 81 10 41 5d 64 c8 28 1d 16 20 52 09 42 75 dc
2   43 89 ec 7d 7e 73 e6 b2 71 86 b9 ea 8d 4a 03 45
3   14 e3 cc a4 00 a9 2e 3e 78 70 11 39 2f c2 9c b7
4   f0 46 f4 48 07 0a 0b 99 08 3c 4e 7f 56 c3 4f ab
5   5e 6d af 1e 9b 31 fa 92 65 7a 3b b3 98 74 2b cf
6   eb c1 30 1f e7 4b f6 6a e5 a2 63 2c de ee 0f 36
7   04 18 2a bb be ce 4c b6 7b 22 25 fe 90 aa 1a 34
8   54 ed 05 7c 33 95 13 ae 91 3a 47 c9 6e 8e 51 0c
9   96 6f c6 60 c5 5b fb f3 5a 5c 29 62 69 6b f7 8b
a   8a 66 ca 8c 85 cb a6 1c 6c d4 2d 77 a7 a0 e9 b5
b   e4 9d 9a b4 12 f1 55 f2 32 d7 da f8 d1 83 bd 94
c   b1 a5 87 72 9f 53 58 80 d9 fd bc 50 02 a1 57 c7
d   5f b0 c0 e0 d0 bf 4d d8 01 c4 f5 67 76 dd 93 ef
e   db d5 1b ad e8 ac 61 68 ff f9 3d 59 88 19 ba 26
f   23 49 df 82 9e fc 17 e2 35 a8 27 d6 cd e1 79 15

Table 3.5: The Dynamic S-box3
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   b0 17 69 b4 ac 32 be 3c b9 23 0e cd 50 a5 a0 8e
1   35 c1 99 43 8f 65 ef 55 09 b3 a3 25 e0 11 a4 ae
2   4c 19 ff 51 b6 a1 8a 80 c4 8c 82 dc fe 33 c2 5c
3   79 44 d5 84 d1 89 71 0b 05 6c 40 1b ee e9 f8 aa
4   bc 83 a6 81 87 1e 04 6b 78 67 75 03 da 3d 0c f2
5   e4 f4 a7 36 c9 62 95 7f 48 88 14 30 3b 20 29 cc
6   ed 61 0d 1d 60 64 59 12 fc 8d 13 56 fa 70 77 73
7   ec 21 ad 7c 2f dd bd fb d7 6f 46 4f 2e f3 52 7a
8   b5 e1 26 6e af bf 74 5f 28 5d 7e 37 db 98 42 3e
9   2d 15 f6 9d 7d 4a 2a 93 f1 d8 68 1c 8b 86 58 92
a   bb 39 1f 31 16 d6 b7 f5 e8 c3 cb c7 02 4d c6 9f
b   72 b1 d2 9e d4 eb d9 b8 a9 c5 5a 4b de d0 b2 18
c   08 41 9c 4e 97 3a 2b 96 a2 ba d3 22 0f e2 ce 63
d   01 76 3f 49 66 38 06 c8 ea e5 f7 f0 9a 47 85 10
e   c0 e6 ab 6a 00 90 54 a8 e7 6d 53 7b df e3 07 45
f   91 94 9b cf 57 34 f9 fd 24 27 0a 5b ca 5e 1a 2c

Table 3.6: The Dynamic S-box4
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   3e f5 75 d4 ec 5e 12 c7 1e 92 b9 10 30 c4 cf 07
1   69 f9 18 ac ba 8d 16 6c c1 38 ad c3 01 e1 43 6e
2   f3 ab 09 48 f1 c9 af e6 89 9c 44 95 6d 2b a9 99
3   34 6a d3 82 e5 51 33 42 54 be 5f ca 7c 58 77 eb
4   e8 fa 35 66 05 08 d0 5b 0e 4e 4b 36 cb a1 94 9f
5   d7 8f 91 46 06 40 84 aa e9 c8 13 fe 0b 97 e3 e2
6   a7 e7 b6 d5 2d 0d 4c 17 ff 52 67 64 80 c5 59 7e
7   fd ea 57 2e 68 bc 62 14 df 19 9a 39 2c 04 0a bb
8   56 6b 20 0c 2a 6f b1 bd a0 ce dc 9b 49 7b 7f 5d
9   87 db f6 65 78 4a 61 23 90 3f 71 8c b5 73 d1 d8
a   d6 96 4d b2 de d2 dd a4 1c 22 1b 88 28 1f 24 8e
b   50 03 37 00 7a 55 79 a3 3b da 31 c6 9e 81 1a 60
c   15 8b b4 02 5a f2 f4 11 21 53 32 25 e4 e0 5c 1d
d   a8 a6 85 76 ee 3a 74 2f 45 b3 3c cd d9 b8 f0 26
e   a5 0f 7d 8a c2 ed 98 fc ae 27 4f fb f8 b0 70 93
f   9d b7 29 cc ef a2 f7 47 86 c0 3d 72 63 bf 83 41

3.6 Avalanche Criteria of S-box
The S-box constructed in the AES algorithm uses the affine
transformation y = Ax ⊕ C mod m, where A is an 8 × 8 matrix with
entries in GF(2), C is a column matrix in GF(2), and m is an
irreducible polynomial in $GF(2^8)$. The entries used in the A
matrix are [f8h, 7ch, 3eh, 1fh, 8fh, c7h, e3h, f1h]^T and
C = [63h]^T.
To be useful as an S-box generator, matrix A should be
non-singular. We can generate approximately $2^{63}$ such
non-singular matrices with each irreducible polynomial. The
polynomials that result in non-singular matrices are bounded by
[01h, 02h, 04h, 08h, 10h, 20h, 40h, 80h]^T on the lower end and
[feh, 7fh, bfh, dfh, efh, f7h, fbh, fdh]^T on the higher end.
The Avalanche criteria of any cryptographic function is defined as:
a one-bit change in the input should result in at least 50 percent
changes in the output bits. A cryptographic function which
satisfies the above condition is said to satisfy the Strict
Avalanche Criteria if and only if a one-bit change in the input
results in exactly 50 percent change in the output bits. In this
work we construct different S-boxes using the affine transformation
and different irreducible polynomials for $GF(2^8)$ and test them
for the Avalanche Criteria property.
3.6.1 Avalanche Criteria calculation for the S-boxes
For a given function f, the Avalanche Criteria is given by
$$
S_j = \sum_{x \in GF(2^8)} f(x) \oplus f(x \oplus e_i) \bmod m \tag{3.19}
$$
where $e_i$ is the vector having only one entry as '1' in the ith
position (bit position), $S_j(f)$ are called the difference
distribution vectors of f, and $j \in (1, 2, \cdots, 8)$ is the
distance between the input vectors. In this case
f(x) = Ax ⊕ C mod m, $(x, y, f(x)) \in GF(2^8)$ and
$i \in (1, 2, \cdots, 8)$. It is shown that f satisfies the SAC if
and only if $S_j(f) = 2^{n-1} = 128$ for all i and
$j \in (1, 2, \cdots, 8)$, and f satisfies the Avalanche criteria if
$S_j(f) \ge 2^{n-1} = 128$ for all i and $j \in (1, 2, \cdots, 8)$.
Table 3.7 shows the Avalanche criteria values calculated for the
S-box of the AES algorithm shown in Table 3.1.
In this S-box generation the A matrix is constructed with the
polynomials A = [f8h, 7ch, 3eh, 1fh, 8fh, c7h, e3h, f1h]^T and
C = [63h]^T. From the difference distribution vectors it is found
that the polynomials f8h and e3h belong to S7, 7ch and 3eh to
S6, 8fh and f1h to S5, c7h to S4 and 1fh to S3. The respective
Avalanche Criteria values ≥ 128 are 2×7 + 2×6 + 2×5 + 1×4 + 1×3 =
43. It follows that the total number of entries which give an
Avalanche Criteria value ≥ 128 is 43 out of the total 64 entries in
the Avalanche Criteria table, which is 71.88 percent.

Table 3.7: The Avalanche Criteria values for S-box in Table 3.1
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   128  116  124  116  144  116  132  132
00000010   136  128  116  124  128  144  124  120
00000100   128  136  128  144  120  128  132  132
00001000   140  128  136  128  116  120  136  136
00010000   136  140  128  128  132  116  128  116
00100000   136  136  140  120  120  132  116  116
01000000   124  136  136  120  132  120  136  136
10000000   132  124  136  124  136  132  144  132
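One way to compute the avalanche table behind Eq. 3.19, as an added example in Python (not the thesis's code): cell (i, j) counts the inputs x for which flipping input bit i flips output bit j. Reading $S_j$ as this per-output-bit count and the function names are assumptions; the AES table is transcribed from Table 3.1, and the identity table is a constructed linear contrast case.

```python
# Added example (not the thesis code): avalanche table of an 8-bit S-box.

# AES S-box, transcribed row by row from Table 3.1.
AES_SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)

# Constructed contrast case: a purely linear map (no field inversion).
IDENTITY = bytes(range(256))


def avalanche_table(sbox):
    """table[i][j] = number of inputs x for which flipping input bit i
    flips output bit j, i.e. bit j of S(x) xor S(x xor e_i) is 1."""
    table = [[0] * 8 for _ in range(8)]
    for i in range(8):
        for x in range(256):
            diff = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(8):
                table[i][j] += (diff >> j) & 1
    return table


def summarize(table):
    """Smallest and largest cell, how many cells reach 128, and whether
    every cell is exactly 128 (the strict criterion)."""
    cells = [v for row in table for v in row]
    return {
        "min": min(cells),
        "max": max(cells),
        "at_least_128": sum(v >= 128 for v in cells),
        "strict": all(v == 128 for v in cells),
    }


def weak_cells(table):
    """(input bit, output bit, count) for every cell that stays below 128."""
    return [(i, j, v) for i, row in enumerate(table)
            for j, v in enumerate(row) if v < 128]


if __name__ == "__main__":
    for name, box in (("AES S-box", AES_SBOX), ("identity (linear)", IDENTITY)):
        table = avalanche_table(box)
        print(name, summarize(table))
        for i, row in enumerate(table):
            print(f"  input bit {i}:", " ".join(f"{v:3d}" for v in row))
```

The linear contrast case shows why the affine step alone is not enough: each input bit then drives only fixed output bits, so cells are 0 or 256 rather than near 128.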
Now consider the A matrix which consists of 8 × 8 entries
∈ GF(2); treating each row as a polynomial entry of one byte
∈ $GF(2^8)$, test for the Avalanche Criteria of each entry. Table
3.8 shows the number of polynomials that satisfy the difference
distribution vectors of S, for irreducible polynomial 11bh.

Table 3.8: Number of polynomials that satisfy S.
S8  S7  S6  S5  S4  S3  S2  S1
04  26  54  61  67  35  08  01

Consider all the four polynomials from S8, which give Avalanche
Criteria ≥ 128 in 8 places. Select the remaining four polynomials
from group S7, such that the A matrix generated from all the 8
polynomials is a non-singular matrix. The polynomials from group S7
give Avalanche Criteria ≥ 128 in 7 places. The total number of
entries which satisfy the Avalanche Criteria is 8 × 4 + 7 × 4 = 60
out of 64 entries, which is 93.75 percent.
It is possible to select four polynomials at a time out of the 26
available polynomials from group S7, after selecting all four
polynomials from group S8. Now $^{26}C_4 = 14950$ possible
combinations are there to construct 8 × 8 A matrices. It is found
that only 4915 combinations will give non-singular matrices. It is
possible to construct at most 4915 S-boxes which give 93.75 percent.
3.6.2 Avalanche Criteria for m = 11bh
As an example consider the first four polynomials [22h, 25h, 4ah
and 95h] from group S8 and the remaining four polynomials [04h,
09h, 12h and f8h] from group S7 and construct the A matrix and any
arbitrary constant C = c5h. The respective S-box and its Avalanche
Criteria are shown in Table 3.9 and Table 3.10 respectively.
3.6.3 Classification of polynomials based on m
There are 30 irreducible polynomials in $GF(2^9)$ and they are
[11bh, 11dh, 12bh, 12dh, 139h, 13fh, 14dh, 15fh, 163h, 165h, 169h, 171h,
177h, 17bh, 187h, 18bh, 18dh, 19fh, 1a3h, 1a9h, 1b1h, 1bdh, 1c3h, 1cfh,
1d7h, 1ddh, 1efh, 1f3h]
Table 3.9: The S-box which gives 93.75 percent Avalanche Criteria
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   c5 ef d9 dd 02 cc c1 2b ee 90 c8 c9 06 60 7a bc
1   10 1c 2f 8a 0b d8 c2 58 2d 5f 16 77 53 41 b1 43
2   6f 39 68 a8 b9 d5 6a 47 e3 24 21 38 8e 5b 8b 8c
3   f8 71 c0 7c ed 00 9d 04 c7 be 46 13 7f cd 07 83
4   99 79 fb b7 d2 a4 b2 4c bb d8 05 62 93 76 c4 4b
5   de 37 f5 28 ff 5c 38 d7 a9 75 03 82 a3 f4 e8 78
6   52 72 1f 6e cf 91 d1 2e 98 34 af d0 e1 ea 6c 45
7   84 73 f0 7d 0d 36 e7 30 59 0a 01 9a e4 63 67 08
8   22 f1 db 4d da 65 fd db 4e 7e b5 8f f7 80 88 d4
9   fa 23 cb 56 a5 ac 57 4f e7 17 54 e9 0c bf c3 64
a   49 b4 bd a6 9c a2 f2 e5 19 6d 48 a0 32 3f 44 87
b   7b da dc 9b 27 3a ae 20 fe b6 55 1a 92 b8 12 fc
c   0e e2 97 a1 e0 1b 50 14 40 33 e6 df c6 3c 70 15
d   eb b0 35 ad f9 ca 0f ab 9f 86 d3 31 11 26 85 09
e   2c 51 5e 81 96 3e 18 5a 61 ba 74 25 1d d9 f6 69
f   42 29 2a 94 66 1e aa f3 95 3b 9e ce 5d ec 6b b3

Table 3.10: The Avalanche Criteria values for S-box in Table 3.9
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   140  132  136  140  140  132  132  128
00000010   132  136  140  132  132  132  128  136
00000100   136  140  132  140  132  128  136  128
00001000   132  132  140  128  128  136  120  140
00010000   140  140  128  128  136  120  132  136
00100000   140  128  128  136  120  132  136  136
01000000   128  128  136  132  132  136  140  124
10000000   132  136  132  140  136  140  132  132
The different distribution vectors of f are tabulated in Table 3.11.

Table 3.11: Number of polynomials that satisfy different Sj for all m
m     S8  S7  S6  S5  S4  S3  S2  S1  S0
11b   04  26  54  61  67  35  08  00  01
11d   01  20  53  86  60  27  07  01  01
12b   10  26  44  72  66  20  07  08  03
12d   03  21  56  79  57  26  11  02  01
139   03  24  60  68  55  32  11  02  01
13f   01  27  59  72  53  28  10  05  01
14d   10  25  47  79  43  33  12  05  02
15f   08  27  37  63  89  24  07  00  01
163   04  34  42  68  63  32  10  02  01
165   10  25  47  79  43  33  12  05  02
169   03  21  56  79  57  26  11  02  01
171   01  20  53  86  60  27  07  01  01
177   05  22  43  81  68  31  05  00  01
17b   09  21  60  60  58  31  12  04  01
187   00  18  62  71  72  27  05  00  01
18b   04  11  49  93  72  24  02  00  01
18d   04  34  42  68  63  32  10  02  01
19f   00  24  50  79  69  27  06  00  01
1a3   04  11  49  93  72  24  02  00  01
1a9   10  26  44  72  66  20  07  08  03
1b1   04  26  54  61  67  35  08  00  01
1bd   09  21  60  60  58  31  12  04  01
1c3   00  18  62  71  72  27  05  00  01
1cf   01  32  51  59  70  36  05  01  01
1d7   02  20  67  60  64  34  08  00  01
1dd   05  22  43  81  68  31  05  00  01
1ef   01  32  51  59  70  36  05  01  01
1f3   00  24  50  79  69  27  06  00  01
1f5   08  27  37  63  89  24  07  00  01
1f9   01  27  59  72  53  28  10  05  01
From the above Table 3.11, it is observed that there are 8 irreducible
polynomials which have more than 8 polynomials that satisfy the
maximum Avalanche Criteria. The irreducible polynomials 12bh, 14dh,
165h and 1a9h have 10 polynomials each, 17bh and 1bdh have 9
polynomials each, and 15fh and 1f5h have 8 polynomials each, from
which maximum Avalanche Criteria can be achieved. It is found that
the matrices constructed from the respective polynomials of
irreducible polynomials 15fh and 1f5h are singular matrices. It is
also verified that all the generator matrices constructed from 12bh
and 1a9h are singular. Of the 2 × 9C8 = 18 matrices constructed from
irreducible polynomials 17bh and 1bdh, some are also singular, and
only 2 × 5 = 10 are non-singular. Similarly, among the matrices
constructed from the remaining two irreducible polynomials 14dh and
165h, only 2 × 20 = 40 are non-singular, out of 2 × 10C8 = 90. Hence
in total it is possible to construct 10 + 40 = 50 S-boxes from affine
transformation that satisfy maximum Avalanche Criteria. The
polynomials which give S8 ≥ 8 for different irreducible polynomials m
are tabulated in Table 3.12.
Table 3.12: The polynomials give S8 > 8
m     1   2   3   4   5   6   7   8   9   10
15f   22  24  2c  48  59  65  91  b2  -   -
1f5   3c  56  67  9e  ab  cf  d5  ea  -   -
17b   05  0a  15  6b  6d  82  b5  d7  da  -
1bd   36  3f  6d  7e  9b  9f  b7  db  fd  -
12b   49  58  63  8f  93  ac  b1  c2  c7  e1
14d   0d  1b  24  37  52  6f  86  92  a9  df
165   08  0e  10  21  28  43  51  87  c0  e0
1a9   04  09  12  25  2d  4b  71  96  97  e2
3.6.4
S-boxes for maximum Avalanche Criteria
As discussed in section 4.4, only polynomials with irreducible
polynomials 17bh, 1bdh, 14dh and 165h give non-singular matrices.
With the above irreducible polynomials, the possible combinations of
the polynomials which give non-singular matrices are discussed below.
With m = 17bh, 5 matrices can be constructed excluding the
polynomials [05h, 0ah, 6dh, d7h, dah] in each case. Similarly with
m = 1bdh, 5 matrices can be constructed excluding the polynomials
[3fh, 6dh, 7eh, 9bh, b7h] in each case. In the case m = 14dh, 20
matrices can be constructed excluding the following pairs of
polynomials for each case,
[92h, 49h], [49h, dfh], [86h, 49h], [86h, dfh], [6fh, 49h],
[6fh, dfh], [52h, 6fh], [52h, 86h], [52h, 92h], [52h, 49h],
[52h, dfh], [24h, 6fh], [24h, 86h], [24h, 92h], [24h, 49h],
[24h, dfh], [0dh, 24h], [0dh, 52h], [0dh, 49h], [0dh, dfh].
Similarly in the case of m = 165h, 20 more matrices can be
constructed excluding the following pairs of polynomials for each
case,
[c0h, e0h], [87h, c0h], [87h, e0h], [51h, c0h], [51h, e0h],
[28h, 51h], [28h, 87h], [28h, c0h], [10h, 28h], [10h, c0h],
[10h, e0h], [0eh, 28h], [0eh, c0h], [0eh, e0h], [08h, 0eh],
[08h, 10h], [08h, 28h], [08h, 51h], [08h, 87h], [08h, e0h].
(Refer to Table 3.13).
Construct an A matrix by selecting any one set of 8 polynomials for
any of the above 4 irreducible polynomials m. Using
y = A x ⊕ C mod m, construct the S-box; C may be any constant from
00h to ffh, which will not change the Avalanche Criteria property.
Calculate the Avalanche Criteria for each S-box as explained in
Section 3.
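The procedure above, sketched as an added example (not code from the original chapter). It assumes that x in y = A x ⊕ C is the multiplicative inverse of the input byte in GF(2^8) modulo m, as in AES, that each selected polynomial is one row of A written as a byte, and that row i produces output bit i; the function names are hypothetical, and under a different bit or row convention the individual entries differ, so the output is not claimed to reproduce the chapter's tables.

```python
def gf_mul(a, b, m):
    """Multiply two bytes as GF(2) polynomials, reduced modulo m (degree 8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= m
        b >>= 1
    return r

def gf_inv(a, m):
    """Inverse in GF(2^8) computed as a^254; 0 maps to 0, as in AES."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a, m)
    return r

def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are given as bytes."""
    basis = {}                      # leading-bit position -> reduced row
    for v in rows:
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]
    return len(basis)

def affine_sbox(rows, c, m):
    """S(x) = A*inv(x) XOR c. Assumption: rows[i] produces output bit i."""
    if gf2_rank(rows) != 8:
        raise ValueError("A is singular, so the S-box would not be a permutation")
    def apply(v):
        return sum((bin(rows[i] & v).count("1") & 1) << i for i in range(8))
    return [apply(gf_inv(x, m)) ^ c for x in range(256)]

def avalanche_table(sbox):
    """t[i][j] = number of inputs x where flipping input bit i flips output bit j."""
    return [[sum(((sbox[x] ^ sbox[x ^ (1 << i)]) >> j) & 1 for x in range(256))
             for j in range(8)] for i in range(8)]

if __name__ == "__main__":
    A = [0x1b, 0x24, 0x37, 0x52, 0x6f, 0x86, 0x92, 0xdf]  # set listed for Table 3.15
    t = avalanche_table(affine_sbox(A, 0xb5, 0x14d))
    for i, row in enumerate(t):                            # columns printed S8..S1
        print(format(1 << i, "08b"), *reversed(row))
    print("all entries >= 128:", all(v >= 128 for r in t for v in r))
```

The rank check is what separates the usable polynomial sets from the singular ones, and because C cancels in S(x) ⊕ S(x ⊕ e), the table is the same for every C.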
Consider an example with irreducible polynomial 14dh with 8
polynomials [0dh, 1bh, 24h, 37h, 52h, 6fh, 86h, 92h, a9h, dfh]^T to
construct the A matrix, from which the S-box is generated using
C = 97h. The S-box and the respective Avalanche Criteria values are
tabulated in Table 3.13 and Table ?? respectively. From the
Avalanche Criteria Table 3.14, it is observed that all the 64 entries
are > 128, that is 64/64 = 100 percent.
Table 3.13: The AES S-box for 100 percent Avalanche Criteria.
     0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
0    97  3c  6e  0a  ec  eb  f1  7c  48  f5  8d  56  8a  09  78  74
1    60  49  1a  51  90  b2  f7  fa  55  70  a4  62  e8  43  6e  85
2    6a  d2  b0  06  65  26  32  f8  52  8c  cb  a6  9f  e3  c9  54
3    a2  d9  fe  05  4a  bd  ef  8f  d8  20  23  df  69  75  86  63
4    f9  b3  c3  96  4e  03  77  e4  2a  b5  6b  5d  6f  d4  4c  9a
5    67  e1  40  7a  91  a9  cf  35  81  2f  9b  dc  14  be  72  21
6    5f  de  8e  d7  59  b8  22  ab  e5  61  18  27  1d  98  15  f3
7    50  02  7e  fb  2b  5a  95  c8  ac  53  2d  3e  d3  88  3f  7d
8    9c  a5  1b  ea  87  0c  47  d1  75  0b  37  fc  3b  4b  5e  34
9    ed  42  0e  57  29  73  b4  92  b9  2e  d6  25  f0  bc  c1  10
a    af  08  1e  84  76  68  6d  a1  82  8b  1c  00  01  64  aa  9e
b    16  cc  ad  41  11  2c  c0  d5  66  46  4d  f2  7b  a3  ae  db
c    31  93  45  33  cb  c7  83  17  24  36  58  bf  fb  3a  99  07
d    8e  94  ba  a7  e0  19  bb  79  a0  f4  44  9d  b6  ee  0f  ff
e    e2  0d  e7  38  fd  ce  4f  30  3d  dd  71  1f  12  c5  c4  c2
f    5c  b1  b7  89  28  5b  e9  cd  13  e6  d0  04  39  da  a8  ca
3.6.5
Results on Avalanche Criteria
Table 3.14: Avalanche Criteria for the S-box in Table ??
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   136  144  132  132  140  128  140  132
00000010   144  132  128  128  144  132  136  136
00000100   132  128  136  132  128  136  144  132
00001000   128  132  132  136  136  132  132  136
00010000   132  136  144  132  136  136  128  132
00100000   136  132  136  136  128  132  132  128
01000000   132  136  128  132  136  128  136  128
10000000   136  132  136  128  136  128  132  136
All the possible fifty S-boxes and their respective Avalanche
Criteria are generated and tested. By changing the row positions of
the individual polynomials in the A matrix, 8! = 40320 S-boxes are
constructed and tested for Avalanche Criteria. It is found that in
all the cases the Avalanche Criteria is maximum. One of the S-boxes
and the corresponding Avalanche Criteria are tabulated in Table 4.8
and Table 4.9. The Avalanche Criteria for the following affine
transformations with different A matrix, C and irreducible
polynomials m are shown in Table 3.15 to Table 3.18.
Table 3.15: Avalanche Criteria for A = [1bh, 24h, 37h, 52h, 6fh, 86h, 92h, dfh]^T,
C = [b5h]^T and m = 14dh
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   144  132  132  140  128  140  128  132
00000010   132  128  128  144  132  136  132  136
00000100   128  136  132  128  136  144  128  132
00001000   132  132  136  136  132  132  136  136
00010000   136  144  132  136  136  128  132  132
00100000   132  136  136  128  132  132  144  128
01000000   136  128  132  136  128  136  136  128
10000000   132  136  128  136  128  132  128  136
Table 3.16: Avalanche Criteria for A = [0eh, 10h, 21h, 28h, 43h, 51h, 87h, c0h]^T,
C = [e8h]^T and m = 165h
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   132  128  128  136  132  128  136  136
00000010   136  128  132  128  136  136  132  128
00000100   132  132  136  136  132  144  136  136
00001000   128  136  132  144  136  132  132  136
00010000   132  132  136  132  132  136  128  128
00100000   144  136  132  136  128  128  132  144
01000000   136  132  128  128  132  132  144  140
10000000   140  128  132  132  144  128  136  132
Table 3.17: Avalanche Criteria for A = [0ah, 15h, 6bh, 6dh, 82h, b5h, d7h, dah]^T,
C = [7eh]^T and m = 17bh
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   136  136  128  140  128  128  128  132
00000010   136  144  128  132  136  128  132  128
00000100   144  144  132  128  136  128  132  128
00001000   144  132  132  128  136  132  132  128
00010000   132  132  132  128  144  132  128  132
00100000   132  128  128  132  144  132  136  132
01000000   128  144  136  132  132  128  132  132
10000000   144  132  132  132  132  136  136  128
Table 3.18: Avalanche Criteria for A = [36h, 6dh, 7eh, 9bh, 9fh, b7h, dbh, fdh]^T,
C = [5dh]^T and m = 1bdh
            S8   S7   S6   S5   S4   S3   S2   S1
00000001   132  136  128  136  132  132  128  132
00000010   136  128  132  132  144  132  132  132
00000100   128  132  132  136  128  132  132  144
00001000   132  132  144  128  132  128  132  144
00010000   132  132  144  132  132  128  128  136
00100000   132  128  136  132  144  128  128  136
01000000   128  128  136  132  144  132  128  136
10000000   128  128  136  128  136  140  132  128
3.7
Conclusion
The proposed new approach to generating the dynamic S-box for the
AES algorithm satisfies all the characteristics of the original
static S-box used in the AES algorithm. The generated S-box is any
one of the possible 21638 S-boxes, and is key dependent. Even if the
XSL attack is successful, cryptanalysis becomes very difficult with
this approach. The time required to generate the dynamic S-box is
less than 0.5 milliseconds and no extra memory is required compared
to the AES algorithm. This approach increases the security level of
the AES algorithm.
It is possible to construct an S-box which satisfies maximum
Avalanche Criteria. There are only four irreducible polynomials
which give these S-boxes. In total it is possible to construct only
50 S-boxes that satisfy maximum Avalanche Criteria with affine
transformation. It may be concluded that with any other combinations
with any other irreducible polynomials, it is not possible to
construct S-boxes which satisfy the maximum Avalanche Criteria.