2016 49th Hawaii International Conference on System Sciences

SBoxScope: A Meta S-box Strength Evaluation Framework for Heterogeneous
Confusion Boxes

Abrar Ahmad, Muddassar Farooq, Amin
Next Generation Intellegent Networks Research Center (nexGIN RC)
Institute of Space Technology
Islamabad, 44000, Pakistan
Email: {abrar.ahmad,muddassar.farooq,amin}@ist.edu.pk

Abstract non-linear formal models. As a result, every S-box is unique
having its own set of parameters: (1) size of S-box (number
In cipher algorithms – both block or streaming – the
most important non-linear component is a confusion box of elements); (2) the number of rows and columns of an S-
(commonly termed as s Substitution box or an S-box). The box; (3) the size of substitution block (nibble, byte or 32 bits
designers of cipher algorithms create an S-box on the basis word). An important challenge for a cryptanalyst is: how to
of a unique formal model; as a result, its parameters – conduct a comparative study to draw scientific conclusions
including its size – are different. Consequently, it becomes a about the cryptographic strength of heterogeneous S-boxes?
daunting task for a cryptanalyst to conduct a comparative To the best of our knowledge, no framework exists that em-
study to analyze, in a scientific yet unbiased manner, the powers a designer or cryptanalyst to determine with a certain
cryptographic strength of these heterogeneous S-boxes. The degree of confidence e.g. the S-box of AES is cryptographi-
major contribution of this paper is SBoxScope – a meta S-Box cally stronger compared with that of MARS.
strength evaluation framework – that enables designers and
analysts to evaluate cryptographic strength of heterogeneous The major contribution of this paper is a meta S-box
S-boxes. The framework consists of two layers: (1) White strength evaluation framework - SBoxScope – that allows
Box Layer analyzes the contents of an S-box and calculates S-box designers to compare the cryptographic strength of
8 relevant parameters (5 core and 3 auxiliary) and then heterogeneous S-boxes. SBoxScope consists of two layers:
normalizes them to draw conclusions about the strength of White Box Layer (WBL) and Black Box Layer (BBL). The
an S-box; (2) Black Box Layer assumes that no knowledge WBL assumes that the design, implementation, and contents
is available about the contents of an S-box; rather, it gives of an S-box are known and it conducts a pattern based anal-
a predefined input bit stream to each S-box and then applies ysis on the contents by running 8 independent tests. Conse-
NIST tests to measure 10 parameters. Finally, the two layers quently, 5 core and 3 auxiliary parameters are computed by
are augmented that empowers an analyst to make a decision the WBL. These parameters are then normalized to remove
about the strength of an S-box after analyzing 18 different the bias introduced due to the size of an S-box. Finally, it
parameters. In this paper, we have evaluated 9 S-boxes of ranks the S-boxes on each parameter and accumulates the
five well known cipher algorithms: AES, MARS, Skipjack,
rank score of each S-box. An S-box with the lowest rank score
Serpent and Twofish.
is declared as the best cryptographically strong S-box among
all heterogeneous S-boxes.
The BBL assumes that a cipher algorithm consists of only
Cryptography, Cipher Algorithms, Cryptographic Strength one component – the S-box – and its deisgn, implementation
and contents need not to be known. BBL creates a number
of input bit streams by taking inspiration from NIST test
1. Introduction suite for cipher algorithms. It provides these streams to each
S-box and its output is treated as the cipher text. In the
The majority of cipher algorithms, proposed in the lit- next step 10 NIST tests are conducted and the p-values of
erature, uses a non-linear component – a Substitution box relevant 10 parameters are measured. The BBL provides the
(S-box) – that introduces confusion in a cipher. The moti- analysts a microlevel probe into the substitution pattern of
vation of using a cryptographically strong S-box is to make an S-box. The analysts could easily compare the p-values
it difficult for a cryptanalyst to break a cipher by modeling it of input bit stream with that of the output cipher stream.
with the help of well known linear functions. The designers BBL provides a valuable insight into an S-box: if an S-box
of cipher algorithms create an S-box with the help of highly is the only component of a cipher algorithm then how much

1530-1605/16 $31.00 © 2016 IEEE 5544
DOI 10.1109/HICSS.2016.685

Having said that. work that is relevant and related to SBoxScope is presented. Skipjack [15]. For example. WBL uses cope classifies only those S-boxes as cryptographically strong five core parameters – Nonlinearity (NL) [6]. if an S-box does not achieve a relatively high [4]. Section 3 discusses the architecture of SBoxScope and also Linear Complexity Test. The five algorithms are: AES with high nonlinearity will also have high BIC and nearly [11]. it is ranks each S-box on the basis of p-value of each parameter important to emphasize that the core parameters that build and then accumulates the rank score. we conclude the paper with an outlook ST 1 Twofish 16 1 x 16 4 ST 2 Twofish 16 1 x 16 4 to our future work in Section 5. BBL strength of heterogeneous S-boxes. Run Test. it is dropped from the list of [7][8] – to measure the cryptographic strength of S-boxes. AES. SBoxS. cipher algorithms and it is beyond the scope of this paper. without the need of complementing it with a Substitution Permutation Network (SPN). Serpent [13] and Twofish desirable SAC (approximately 0. Finally. The other 6 NIST S-boxes among the selected 9 candidates. TABLE 1: Design Parameters of Shortlisted S-boxes gives definitions of quantitative parameters used in WBL SBox Algorithm # of elements Dimension Bits Substituted and BBL. quite similar to that of AES. ters – Fixed Points (FP). Finally. no framework is presented infeasible for a cryptanalyst to draw conclusions about the in the literature that allows analysts to compare cryptographic correlation between ciphertext and plaintext. Rank Test. BBL only conducts organized as follows. is to adapt and normalize them for an unbiased comparison Once the S-boxes are ranked by WBL and BBL. [14]. bit stream generation methods that are relevant to the con- boxes on the majority of WBL and BBL strength parameters text of S-box evaluation: Cipher Text Plain Text Correlation and clearly classified as the two best cryptographically secure (CTPT) and Random Plain Text (RPT). The NL is defined by Meier and Staffelbach in [6]. an S. Related Work confusion it can add. The Skipjack S-box stream generation methods are relevant for evaluating entire is placed at number 3 after AES and MARS S-boxes. Approximate Entropy Test. Similarly In order to do the comparative study. ST 3 Twofish 16 1 x 16 4 2. type of cipher stream. The results of SBoxScope show that the S-boxes analyzing the NIST test suite. we have chosen S0. we have shortlisted 9 S-boxes of the streams and computing associated 41 parameters for each above-mentioned five algorithms for our comparative study. the detailed discussion and comprehensive anal- S4 Serpent 16 1 x 16 4 ysis of the results obtained from the SBoxScope are presented S7 Serpent 16 1 x 16 4 in Section 4. the foundation of quantitative framework of WBL and BBL box with the lowest rank score is considered to be the best are already present in the literature. cryptographically strong S-boxes. Twofish and Serpent have similar kind of 8 The BBL of SBoxScope is adapted from NIST test suite S-boxes. Random 5546 5545 . we have shortlisted only two of AES and MARS have consistently outperformed other S. MARS and Skipjack have only zero. The 4 shortlisted algorithms (except Skipjack) reached The WBL of SBoxScope consists of 3 auxiliary parame- the final of NIST competition held for standardizing AES. Differential Probability (DP) and Linear Probability (LP) rank in any of the testing layers. Similarly. The test suite consists of generating 8 different types steps. As a result. Immunity (CI) – that are referred to if the ranks computed Skipjack is shortlisted because it has been widely used by on the basis of core parameters. instead of running 15 tests. Similar to WBL. we have chosen two S-boxes [1] that is the standard benchmark for evaluating cipher algo- from q0 permutation and one S-box from q1 permutation rithms. to make it To the best of our knowledge. of two or more S-boxes are NSA and the structure of its S-box (16 * 16 elements) is very close to each other. Balancedness (BN) and Correlation (We have excluded RC6 because it does not have an S-box). NIST recommends computing p-values Table 1 tabulates different design parameters of these S-boxes of each parameter to conclude whether the cipher algorithm that demonstrates diversity and heterogeneity of shortlisted has passed the corresponding test or not. than 30 well known cipher algorithms and shortlisted only Generally speaking. FP. these parameters are correlated: an S-box 5 among them for the study. MARS [12]. The novel contribution cryptographically strong S-box. Block Frequency Test. In case of Twofish. Strict Avalanched Criteria (SAC) WBL and BBL. After carefully S-boxes. (NSA declassified Skipjack on [9] and [6] respectively. Discrete Fourier Transform Test. a brief summary of the 10 tests: Frequency Test. S4 and S7 S-boxes for of input bit streams and then running 15 tests on the cipher Serpent. The section also builds an intuitive understanding SA AES 256 16 x 16 8 of each parameter by highlighting what aspect of strength SM MARS 512 512 x 1 32 it measures. Long Run Test. After presenting the quantitative framework of SK Skipjack 256 16 x 16 8 S0 Serpent 16 1 x 16 4 SBoxScope. of different heterogeneous S-boxes. we surveyed more BIC and SAC were introduced by Webster and Tavares in [4]. Organization of the Paper: The rest of the paper is Similarly. The desirable value for BN and FP is 29th May 1998) [17]. In Section 2. Bit Indepen- that are ranked high (closest to their ideal values) both by dence Criteria (BIC) [4]. 1 S-box each. while for CI it is 1. BN and CI are proposed in [10].5).

Test. The remaining 5 tests – Non-Overlapping rank of two or more S-boxes. Overlapping Test. If the to [1] for details). The idea of adapting and applying NIST test box by treating an S-box as the cipher algorithm. Figure 1: The Architecture of SBoxScope Excursion Test and Random Excursion Varian Test (Refer layer is then utilized to rank S-boxes for each parameter. The Nonlinearity. compute Non-linearity [6].dll of each S- of SBoxScope. computed by WBL layer. recommends an α = 0. The adaptation layer converts the ing it as a substitution table of a certain size and analyzing the contents of S-boxes into a byte stream and also takes its values in the S-box. therefore. The SBoxScope consists of four major components: (1) and Black Box Layers: Adaptation Layer. As mentioned before. WBL com- putes 5 core and 3 auxiliary parameters for each S-box. The Nonlinearity Nf of a boolean function values of parameters are stored in a database. Moreover. it sion it can add to the substituted cipher stream? The answer means the sequence after substitution would be considered to provides useful insight into the substitution pattern of a given be random with a confidence level of 99% [1]. White Box Layer (WBL) Parameters these for any type of S-box. Serial Test is close to each other then WBL considers their rank on the and Cumulative Sum Test – are relevant for evaluating an basis of auxiliary parameters. determined by core parameters. entire cipher algorithm and hence are excluded from BBL The Black Box Layer (BBL) builds a . NIST complemented by an SPN network. and intuitively build its of Boolean functions with values +1 and -1 that is used to relevance to the cryptographic strength of a given S-box.) The architecture of SBoxScope is presented in Figure Quantitative Measurement Framework for White Box 1. Both S-box and its Walsh trans- form are given as input to the WBL. The ranking S-box and its associated strength. (2) White Box Layer. BBL then suite for Black Box testing of S-boxes is novel and helps in applies adapted NIST test suite on each S-box and stores p- answering a fundamental question: If a given S-box is not values of associated parameters in a database. Universal Statistical Test. The ranking is defined as the distance between the function and Affine 5547 5546 . then how much confu.01. layer again ranks each S-box on the basis of p-values for each test and then determines the overall rank of an S-box 3. Since.1. (3) Black Box Layer WBL analyzes the implementation of an S-box by treat- and (4) Ranking Layer. it also adapts the core and auxiliary parameters to enable WBL to compute 3. (All symbols used in this paper are tabulated in Table 2 for a ready reference. The Architecture of SBoxScope on the basis of all 10 tests. if p − value ≥ 0.01. We now describe each core and auxiliary Walsh transform. Walsh Transform is basically representation parameter.

it is 240. (4) functions that are composition of linear functions and their DA defines the number of times an S-box fulfills uniform translations [6]. After doing the normalization. BIC also has an ideal upper w∈{0. LP is defined in [7][8] as: sirable because it shows that it is not possible to estimate the    #{x/x • Γx = S(x) • Γy } 1  substitution pattern of an S-box with the help of Affine func. the mask Γx is equal to the parity of the output bits selected Generally speaking. WBL normalizes it using the following formula: 22 ST 2 t1 S-Box from Permutation q0 23 ST 3 t3 S-Box from Permutation q1 (obtained DA) 24 S0 Serpent S0 S-Box ηD = . 21 ST 1 t0 S-Box from Permutation q0 therefore. Similarly.5. Balancedness(BN) A boolean function f : {0. Its ideal value is zero. if any number of bits are changed 11 PR p-value of Run Test 12 PL p-value of Long Run Test at the input. The other challenge is: the simple value of Nf cannot be used to quantitatively compare different heterogeneous S. Consequently.5 and it is independent of the 6 ξ Normalized Fixed Points size of S-box which does not require normalization. Mathematically. For AES S-box. For example the ideal value text. (6) WBL normalizes the nonlinearity in the following manner: log2 (obtained Nf ) This means that the number of times the output (after substi- ηN = (2) tution) is the same as input. Similarly. The ideal value of LP is 0.. by the mask Γy [16].125. an analyst should not be able to predict the plain different and depends on its size. a higher value of nonlinearity is de. The range of ξ= (7) normalized nonlinearity is 0 < ηN ≤ 1 that is independent of 2n the size of an S-box. Nf = 2n−1 − max{|λ. 0 ≥ i ≤ 2n − 1}. Its ideal value is 0. it is possible to compute and compare DP 1 of any type of S-box. In order to compute DP. (3) n 25 S4 Serpent S4 S-Box 26 S7 Serpent S7 S-Box where n is number of bits substituted by an S-box and Differ- 27 SM MARS S-Box ential Approximation (DA) is defined by [7][8]: 28 n Number of bits substituted by S-box DA = #{x ∈ X/S(x) ⊕ S(x ⊕ Δx) = Δy}. It ensures that by knowing the cipher stream. of 256 elements of AES S-box is 120. ηL = max   −  (5) Γx . log2 (ideal Nf ) WBL normalizes Fixed Points (FP) as: The upper bound for nonlinearity (or ideal nonlinearity) is (obtained # of F P ) computed by using the formula given in [6]. one has to 15 PC p-value of Linear Complexity Test 16 PA p-value of Approximate Entropy Test take a fraction of the uniform number of bits changed to the 17 PE p-value of Random Excursion Test total number of elements in the S-box. mask Γx and boxes because in each case the ideal value of nonlinearity is mask Γy . DP 18 PV p-value of Random Excursion Variant Test is 248 = 0. The parity of the input bits selected by rows of Hadamard Matrix used in calculating nonlinearity. approximately half the bits are changed 4 ηD Normalized Differential Probability 5 ηL Normalized Linear Probability at the output. (1) 2 Linear Probability is the maximum value of the im- where λ is the sequences of functions and l0 . In order to remove the bias of size.. BIC defines that all avalanche variables should be pair.1}n 5548 5547 . 1 ηN Normalized Nonlinearity the range of BIC is 0 < βN ≤ 1. 1} is said to be balanced if its truth table has 2n−1 zeros are generated by complementing a single plain text bit[16]. while for 512 element Fixed Point(FP) of an S-box is defined by: of MARS S-box. f (x) = x.Γy =0 2n 2 tions. . 1}n → wise independent for a given set of avalanche vectors that {0. li|.0156. Since DP is dependent on the size of S-box. for the S-box of Twofish it is 19 SA AES S-Box 2 20 SK Skipjack S-Box 24 = 0. it is defined by: differential criterion. (or ones) [9]:  It ensures that an S-box with one changed bit could still not f (w) = 2n−i (8) be modeled by Affine functions. TABLE 2: Symbols used in this paper value for each type of S-box and WBL normalizes its value by Sr Symbol Description using the above-mentioned normalization formula. 2 βic Normalized Bit Independence Criteria SAC is represented by σ that ensures if one bit is 3 σ Normalized Strict Avalanche Criteria changed at the input. 7 βN Normalized Balancedness 8 ψ Normalized Correlation Immunity Differential Probability(DP) ensures that an input 9 PF p-value of Frequency Test differential Δxi shall uniquely map to an output differential 10 PB p-value of Block Frequency Test Δyi [16]. a constant or uniform number of bits are al- 13 PK p-value of Rank Test ways changed at the output and this is termed as Uniform 14 PD p-value of Discrete Fourier Transform Test differential criterion.. l2n −1 are balance of an event. Ideally ηD should be 0.

The in [1]. The intention is to detect whether the number of peaks. 5549 5548 . zeros. The purpose of this test is to determine randomness. this test is to ensure that S-box should not introduce a linear else fails. The purpose of this test is to troduced periodic features in the cipher bit stream that would determine whether an S-box is able to ensure that the number indicate a deviation from assumed randomness. The purpose of is computed. of S-boxes:(1) Cipher Text Plain Text (CTPT) correlation Runs Test (Rn) The purpose of this test is to determine (recommended by NIST) in which pseudo-random number whether the S-box is able to maintain the required oscillation generator (PRNG) is applied at input (see Fig 2). running a stress test on S-Boxes by gener- The test identifies whether the transitions between such zeros ating input stream from a highly correlated windows image or ones is too slow or too fast. The basic motivation of CTPT is to factor fashion as expected in a random bit stream. S-box passes the test. purpose of this test is to determine whether the S-box is able both streams are exclusively xored and NIST tests are run to limit the longest run of ones within M block bits in such a on the final stream. The the S-box to get the substituted cipher stream. (9) n where n is the number of bits substituted by an S-box. Its p-value is denoted by PR . Afterwards. BN is equal to the number of unbalanced columns. Its p-value is denoted by PC . purpose of this test is to identify whether the S-box has in- Frequency Test (F). as a result. the p-value of the associated parameter Binary Matrix Rank Test (RK). and instead the longest run of ones is irregular. WBL normalizes the CI by using the following equation: Figure 4: The Windows Image used for Generating Plain log2 (obtained CI) Text Stream ψ= . Now the purpose of each test is briefly summarize dependence among fixed length disjoint sub matrices of the as described by the authors in [1] to make the paper self entire cipher bit stream. Block Frequency Test (BF). the input generated stream is given to Longest Run of Ones in a Block Test (LR). if out the correlative artifacts in the plain bit stream. Correlation Immunity(CI) ensures that the ele- ments of an S-box should be independent of each other. (see Fig 4). in the cipher stream by computing the length of Linear Feed- Figure 2: Input Stream Generation Using Cipher Text back Shift Register. Plain Text (RPT). Its p-value is denoted by PB .In order to compute BN. Black Box Layer (BBL) Parameters The p-value of the associated parameter is PF . we have used only 2 bit stream number of ones and zeros – even in small substituted blocks generation methods that are relevant to evaluate the strength of a given length M. Its p-value is denoted by PK . Consequently. of ones and zeros in the substituted cipher stream are approx- imately the same as would be expected in a random cipher. (10) n−1 Ideal value of ψ is 1. An interested reader may find detailed discussion Discrete Fourier Transform Test (DFT). Its p-value is denoted by PD .2. Linear Complexity Test (LC). the same would hold for focus on the randomness in the substituted cipher bit stream. (2) Random speed between variable length k continuous ones and zeros. ensures the that the S- box is able to maintain the notion of randomness – equal As mentioned before. the substituted cipher stream does not contain correlated sequences. If the p − value ≥ 0. otherwise. Once a test is finished. the corresponding S-box is considered as balanced and BN = 0. If the number of zeros and ones in each of the 8 bit columns is the same. In CTPT.01. The BN is normalized using the following equation: Figure 3: Input Stream Generation Using Random Plain Text (RPT) (obtained BN ) βN = . 3. introduced by the S-box. in the Discrete Fourier Transform of cipher bit stream. exceeding the 95% threshold differs significantly by 5%. Its value is denoted by PL . contained. WBL converts all entries of an S- box into binary and writes them into a table. Longer LFSR characterizes a random Plain Text Correlation (CTPT) sequence.

The purpose of this test is to determine if the number of visits to a particular state 1) What is the role of input stream generation method within a cycle – consisting of a sequence of steps of unit on p-values of shortlisted BBL tests? length taken at random in such a fashion that one returns to 2) What is the role of an S-box on p-values of short- origin – deviates from what one would expect for a random listed BBL tests? sequence. at WBL and BBL decisions? values. +2. BBL selects the minimum WBL. Moreover. In comparison. computed by 4. 5) Is it possible to generalize with a reasonable degree Random Excursion Variant Test (REV). SBoxScope is implemented these S-boxes have been able to achieve approximately their in C# as a multi-threaded application.5 – except the MARS S-box that has 0. This shows that RAM. selected S-boxes) that a highly non-linear S-Box will also rithms: AES. -3. Serpent and Twofish. boxes from weak ones by comprehensively looking This test consists of a series of 18 tests and produces 18 p. are enumerated in Table 3. could they be differentiated on overlapping m-bits patterns in the substituted cipher stream. while If we look at the normalized BIC (βic ) and SAC (σ) values BBL computes 10 p-values for 10 shortlisted tests. with the strength of an S-box? periments were conducted on a Virtual Machine (VM). declared by to each state. purpose of this test is to determine the number of times a will pass BBL tests with higher p-values? particular state is visited in cumulative sum random walk 6) Whether SBoxScope is able to differentiate strong S- and then conclude whether it deviates from the random walk. In this test. The powerful VM respective ideal nonlinearity values. we get 8 p-values corresponding 4) How significant it is that a strong S-box. MARS and Skipjack) also the following questions: have nearly ideal BIC and SAC values. MARS. +3 and +4 declared by WBL. as a result. as a consequence. The specifica. also have a large BIC and nearly ideal SAC value? Nevertheless it shows that if any number of bits change at the 3) What conclusions about the strength of an S-box can input. easily make a hypothesis: One of these 3 S-boxes is expected. the basis of Auxiliary parameters? A large frequency of consecutive m and m+1 length blocks is Similarly. and (3) 40 GB Hard Disk. We now present the results obtained. 1) What is the relationship of normalized Nonlinearity (3) What conclusions about the strength of an S-box can with the strength of an S-box? be drawn from DP and LP? 2) Whether the generally perceived fact holds (for the It is interesting to note that all S-boxes have nearly ideal selected S-boxes) that a highly nonlinear S-Box will DP (ηD ) value – 0. 4. for BBL results. WBL have a large BIC and nearly ideal SAC value? computes 5 core parameters and 3 auxiliary parameters. that AES S-box has the highest normalized nonlinearity (ηN ) tions of the VM are: (1) QuadCore 2 GHz processor. the number of visits to -4. we can allows to create and execute 8 threads in parallel. pertinent issues: Random Excursion Test (RE). we will address the following deviation from randomness. Results and Discussions of White Box Layer If an S-box has passed the BBL test. it is easy to assert that the hypothesis holds: highly discussion on WBL results. BBL again picks up the minimum one among them to simplify the analysis. (0. -2. +1) and then 3) Whether the hypothesis holds that a strong S-box.1. Now let us try to answer the questions related to WBL in the previous Section. then we classify it (WBL) Tests into one of 5 classes (see Table 4) depending on the p-value. In our in Table 3. and +1. the WBL parameters are computed in less than 2 minutes with a high probability. -1. The of accuracy that a strong S-box. It is obvious from the nonlinearity results in Table 3 tained from an HP Server running VMware. from the comprehensive experiments. It is denoted by PE . From the results. fails a BBL test? among them. (2) Whether the generally perceived fact holds (for the We have shortlisted 9 S-boxes of 5 well known algo. Its p-value is denoted by PA . all nine S. Skipjack. ob. is expected to pass all BBL tests? are calculated. almost all S-boxes are able to make sure that the output be drawn from DP and LP? changes by a fixed number of bits at least in half the elements 5550 5549 . declared by WBL. The ex.445. Serpent and Twofish S-boxes for one input stream – CTPT or RPT – and one S-box are have very small nonlinearity values and therefore may not be computed in less than 10 hours. (2) 8 GB followed by MARS and Skipjack S-boxes. To simplify analysis.1) is transformed to (-1. we will particularly try to answer nonlinear S-boxes (that of AES. to be declared as the strongest crypto- and stored in an oracle database. BBL parameters graphic S-box. Discussion and Results WBL. boxes for one input stream are evaluated in less than 4 days. The 5 core and 3 auxiliary parameters. The p-value is denoted by PV . with the help of (1) What is the relationship of normalized Nonlinearity SBoxScope. Approximate Entropy Test (AE). able to do well in the SBoxScope investigations. as a result. The purpose of 4) If some S-boxes cannot be differentiated on the basis this test is to determine whether an S-box has introduced of core parameters.

2.500 1 0. they are unable to large ηL and large ψ.774 4 1.500 1 0. one cannot make a sta.2 Barely Passed parameters (ξ. all S-boxes have normalized then we can easily conclude that in case of CTPT (logical BN (βN ) equal to the ideal value of 0 except MARS and stream generation mechanisms as prescribed by NIST).762 6 8 26 6 S7 0. BBL S-box of AES has outperformed the others followed by that runs 10 tests mentioned in Section 3.500 1 0. boxes. In case of MARS all columns do not have equal boxes have passed all 10 tests of BBL except S0 S-box of number of zeros and ones (though the imbalance is very Serpent that has failed Approximate Entropy test (PA ). sumes that the S-box is the only component of a cipher eters.500 1 0.5 ≤ p-value Extremely Strongly Passed The auxiliary parameters hence.250 4 18 0 1 0 1 1.500 1 0.594 3 0. To conclude. The test (PK ) and Linear Complexity Test PC because highly aforementioned discussion clearly suggests that ξ and βN are important requirements but not sufficient to determine TABLE 4: BBL Classification of S-box on p-values the strength of S-boxes.585 4 6 24 of S-box. and compare ST 1 .980 2 0. (4) If some S-boxes cannot be differentiated on the basis (1) What is the role of input generation stream method on of core parameters. it analyzes its strength by running WBL S-boxes. stream. computed by WBL.585 4 6 26 8 ST 2 0.774 4 0.000 5 0.500 1 0.500 1 0.375 5 20 0. Now. therefore.000 5 0.774 4 0.5 Strongly Passed 3 ζ=3 0. computed by WBL on the basis of core parameters. ψ may be an additional Sr Class Class Definition BBL Result parameter that distinguishes the strength of an S-box. it is clear from Table 3 difficult for a cryptanalyst to launch linear or differential that AES and MARS S-boxes have achieved values closer attacks on them. sirable characteristic. If we look at Table 5 and Table 6.0625 2 0 1 1.375 5 18 0 1 0 1 1. ηL may provide sufficient information to determine (BBL) Tests the strength of an S-box. the p-values of S-boxes with that of the original input stream. Subsequently. an analyst can detect parity patterns in the cipher stream. try to answer the questions related to BBL testing mentioned on the basis of core parameters. and Skipjack S-boxes are cryptographically strong and it is In case of normalized LP ηL . values.774 4 1.250 4 17 0 1 0 1 1.977 2 0.774 4 0. it classifies the S-box on the basis of p- tistically significant difference between MARS and Skipjack values with the help of classes mentioned in Table 4.985 1 0.774 4 1.774 5 0.774 5 0.386 5 0. this 4 ζ=4 0.723 5 7 24 7 ST 1 0. Results and Discussions of Black Box Layer conclude. may help to further dis. To 4.762 6 8 26 5 S4 0.4 Moderately Passed tinguish two closely ranked S-boxes on the basis of ψ.562 1 0. to differentiate the closely ranked algorithm.723 5 8 26 9 ST 3 0. Similarly.2 and then computes p- of MARS and Skipjack . in the previous section. 1 ζ=1 0.01 Failed 5551 5550 .750 4 0.750 4 0. βN ). As a result. hence.4 ≤ p-value < 0.750 4 0.01 ≤ p-value < 0.25 2 1.3 Satisfactorily Passed distinction however may not be conclusive for other auxiliary 5 ζ=5 0.0625 2 0 1 1.985 1 0. this is significantly lower.124 1 5 18 4 S0 0.143 2 4 9 2 SM 0. ST 2 of Twofish have fixed points which is not a de. This small).774 4 0. 2 ζ=2 0. MARS determine the strength of an S-box.158 3 7 17 3 SK 0. all S-boxes have failed Ranks The values for other S-boxes are significantly inferior.0625 2 0 1 1. however.000 5 0.974 3 0. for all S-boxes. The final rank of all nine S-boxes is 6 ζ=F p-value < 0. In comparison.774 4 0. while in case of Skipjack a quarter of the columns are may be compared with the original p-values of the Windows not balanced.3 ≤ p-value < 0.097 2 10 0 1 1 3 1. could they be differentiated on the basis p-values of shortlisted BBL tests? of Auxiliary parameters? It is important to again emphasize that SBoxScope as- Now SBoxScope brings into the picture Auxiliary param. Finally.250 4 18 0. DP is an important and necessary shown in Table 3.250 4 18 0.574 2 0. If we look at the cumulative rank score.500 1 0.774 4 0.962 3 0. therefore. all S- Skipjack. As expected. normalized CI (ψ) of Skipjack S-box Image in Table 6 and they represent a significant challenge is the highest that is closely followed by AES and MARS.2 ≤ p-value < 0. they must be complemented maintain a desirable uniform parity bits pattern in the cipher through a SPN network in a cipher algorithm. are not robust against linear cryptanalysis due to small ηN . It is obvious from Table 3 that S4 of Serpent and and BBL tests.113 3 13 0 1 0. criterion but it does not provide sufficient information to The major conclusion of WBL analysis is: AES. Twofish and Serpent S-boxes to the ideal value of 0. we S-boxes and the same holds for Serpent and Twofish S-boxes. TABLE 3: White Box Layer (WBL) Tests: Core and Auxiliary Parameters Core Parameters Auxiliary Parameters Sr SBox ηN # βic # σ # ηD # ηL # A ξ # βN # ψ # B Final = A+B 1 SA 0. whereas for Serpent and Twofish S. BBL creates two input bit streams: CTPT and RPT.445 2 0.062 1 5 0 1 0 1 1. Serpent S-boxes have the worst ηL values. However.

00 F 0. Serpent and Twofish S.30 3 41 ST 2 0. the overall rank (1 being the highest and 9 If the p-values of input data stream are in the passing being the lowest) of 9 S-boxes.000 0.22 4 30 +2F S0 0.21 4 0. other.11 5 0. ness.26 4 0.15 5 0. A cryptographically strong S-box S-boxes from weak ones by looking at WBL and BBL deci- has passed all tests with high p-values.25 4 0. MARS and S-boxes of AES.20 4 0.61 1 0.00 F 0.32 3 0.001 0.14 5 0.00 F 0.307 0.24 4 0.47 2 38 TABLE 6: Black Box Layer (BBL) Tests: p-values of 10 NIST Tests for RPT (Windows Image Input Stream) p-values of Windows Image without applying any S-Box PF PB PR PL PK PD PC PA PE PV Image 0.12 5 0.53 1 23+4F S7 0.02 5 0.39 3 0.061 0.03 5 0.01 5 0.37 3 0.00 F 0.40 2 0.19 5 0.17 5 0. BBL tests with higher p-values? (2) What is the role of an S-box on p-values of shortlisted Yes and the discussion is already done in answering ques- BBL tests? tion number 2. fails a BBL test? To conclude.54 1 0.02 5 0.00 F 0. determined by WBL.18 5 0.00 F 0.15 5 0.43 2 0.37 3 0.09 5 0.43 2 0.177 0.18 5 0.08 5 0. (7) ST 3 of Twofish. In fact.028 0. reason for using small S-boxes appear to be memory and (4) How significant it is that a strong S-box.03 5 0.56 1 0.01 5 0.08 5 0. To conclude. Serpent and input data.44 2 0. it is a significant weak.18 5 0.30 3 0.556 p-values of BBL Tests for Windows Image PF ζ PB ζ PR ζ PL ζ PK ζ PD ζ PC ζ PA ζ PE ζ PV ζ Total SA 0. declared by WBL.53 1 0.37 3 0.00 F 0.30 3 0. (6) ST 2 and ST 3 of Twofish. declared by WBL.01 5 0.49 2 0.03 5 0. Serpent. it is easier to have passed BBL tests with relatively high p-values.00 F 0.45 2 41 ST 3 0.32 3 0.25 4 0.001 F 0.28 4 0.02 5 0.000 0.29 4 27+2F SK 0.00 F 0.13 5 0.24 4 0.005 0.15 5 0.31 3 0.00 F 0.20 4 0.38 3 0. will pass wise. (5) S7 of are small (or in the failing range).04 5 0.02 5 0. TABLE 5: Black Box Layer (BBL) Tests: p-values of 10 NIST Tests for CTPT (PRNG Input Stream) p-values without applying any S-Box PF PB PR PL PK PD PC PA PE PV PRNG 0.03 5 0.009 F 0.43 2 0.186 0.11 5 0. boxes (determined by BBL) in Tables 5 and 6.41 2 0.34 3 0.41 2 40 ST 1 0.000 0.41 2 0.12 5 0.26 4 0.002 F 0.39 3 0.4 2 0.358 p-values of BBL Tests for CTPT PF ζ PB ζ PR ζ PL ζ PK ζ PD ζ PC ζ PA ζ PE ζ PV ζ Total SA 0.17 5 0.55 1 0.13 5 0.00 F 0.08 5 0.008 0. assert that SBoxScope has been able to differentiate strong the final rank score in Table 5 proves that AES.14 5 0. It is again emphasized that Serpent WBL but also in BBL.34 3 0.27 4 0.41 2 0.28 4 0.47 2 0. it (5) Is it possible to generalize with a reasonable degree is important to generate pseudo-random input stream.18 5 0.00 F 0.20 4 0.01 5 0. Moreover.32 3 0.56 1 0.00 F 0.000 0.203 0.08 5 0.04 5 0. On the other hand. The obvious cope.00 F 0.39 3 0.20 4 0.41 2 36 S7 0.00 F 0. of accuracy that a strong S-box.36 3 0.26 4 0.003 0. WBL.001 F 0.03 5 0.02 5 0.56 1 0.54 1 0. plement their weak S-boxes with a strong SPN.02 5 0.17 5 22+5F ST 3 0.14 5 0.01 5 0. sions? (3) Whether the hypothesis holds that a strong S-box.12 5 0.273 0. Generally speaking it is evident from Table 5 that p-values (6) Whether SboxScope will be able to differentiate strong are dependent on the S-box.31 3 0.01 5 0.42 2 0.12 5 28+4F ST 2 0.23 4 0.23 4 0.27 4 0.04 5 0. then a test failure is un.00 F 0.002 F 0.30 3 30 S0 0. and desirable but may not be avoidable due to correlation in the (8) S0 of Serpent.33 3 0.001 F 0.03 5 0.23 4 27+4F ST 1 0. 5552 5551 . and Twofish themselves are strong ciphers because they com- boxes are poorly ranked by both WBL and BBL of SBoxS.37 3 30 SK 0.000 0.003 F 0.27 4 31+3F correlated data exists in the picture.14 5 0. if the p-values of input data stream (2) MARS S-box.35 3 0.02 5 0.23 4 0.46 2 32+F S4 0.01 5 0.02 5 0.01 5 0.17 5 0.06 5 0. Twofish have even failed 3 to 4 more tests. by adding scores of WBL and BBL tests is: (1) AES S-box.31 3 0.22 4 0.42 2 0.20 4 30+2F SM 0.00 F 0.133 0.43 2 0.06 5 0.03 5 0. BBL analysis would not be very useful.004 F 0. is expected to pass all BBL tests? If we look at the ranking of S-boxes (determined by The results in Table 5 and Table 6 prove the hypothesis WBL) in Table 3 and compare them with the ranking of S- that cryptographically strong S-boxes.00 F 0.15 5 0.40 2 0. determined by SBoxScope range and then an S-box fails a test.31 3 0.004 F 0. Similarly.16 5 0.31 3 0.04 5 23+5F S4 0.23 4 0.004 F 0.35 3 0. declared by processing efficiency.000 0.32 3 0.04 5 0. (4) S4 of Serpent.38 3 30 SM 0.009 F 0.41 2 0. (3) Skipjack.32 3 0.45 2 0.07 5 0.00 F 0. MARS and Skipjack from weak S-boxes Skipjack S-boxes are not only the top ranking S-boxes in of Serpent and Twofish.00 F 0.10 5 0.

LNCS. S. Kazymyrova and R. S. 2001 respectively. E. Banks. Cambridge Univ.Leigh.Peyravian. NIST special publication. Conclusions and Future Work [5] M. Fast Software Encryp- tion. Boolean functions for cryptography and error correcting codes. publications. 1978. [16] M.Matsui. Nechvatal. How to create good s-boxes?.Mroczkowski.Sung.Avignon. 2013 analysis is that AES S-box is at the top of the list among [11] Announcing the ADVANCED ENCRYPTION STANDARD (AES): Federal Information Processing Standards Publication 197. Nonlinear Dynamics. Cambridge. 523-534. L. Dray. IACR Cryptology ePrint Archive 2006. E. Vangel. This shall be the topic of forthcoming [17] Skipjack and KEA Algorithm Specifications. April 1012. S. it is not a good idea to Twofish: A 128-Bit Block Cipher. [2] Y. LNCS. Gondal.562. F. Crama. June 2010. D. J. 1986 5553 5552 . comments and views detailed herein may not necessarily reflect the endorsements of IST R&D Fund. June 10. A Sta- tistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. M. weak S-boxes.Levenson.Safford.Schneier. Advances in Cryptology – CRYPTO85. On the Design of S-boxes.Knudsen.Meier. LNCS 434. M. I. S. Control.Anderson1.OConnor.Rodwald and P. Serpent.5. 257-397. The information. References [1] A. The other important contribution of the study [12] C. D. M. Serpent: A Proposal for the Advanced Encryption Standard the last decade. 549 has the ability to determine the cryptographic strength of het.Zunic. T. USA. R. O. P. 1039.Gennaro. 18-20 September test. S. Oliynykov.Barker. SBoxScope consists of two layers:(1) against Differential and Linear Cryptanalysis. and Twofish – with Generation Of High-Nonlinear S-Boxes Based On Gradient Descent. Novem- a round level to better compare the cryptographic strength ber 2012. is that small size S-boxes need to be complemented with a C. Yucel. Tavares. the help of SBoxScope. M.M.” (2010). H. Electrical Engineering and Telecommunications ICYR 2006.Biham..D. Khan. Matsui. pp 205-218. strong SPN. against Differential and Linear Cryptanalysis for the SPN Structure. [10] O. 1998. M.L. 2006 We evaluated 9 S-boxes of five well known cipher algo. D. J. Advances in Cryptology – EUROCRYPT89. The outcome of the comprehensive IACR Cryptology ePrin. Mahmood. Vo. Vol. Soto. Vol. the reason of choosing small S-boxes N. Webster. N. BBL also classifies how strongly an S-box has passed a Researchers in Computer Science. Shah. Nonlinearity Criteria for cryptographic func- The major contribution of this paper is SBoxScope that tions.Jutla. and (2) Black Box Layer assumes that the implementation of Fast Soft Encryption. S. MARS.oppersmith. 765. LNCS. J. pp 386-397. Vol. Z. A. pp. Rukhin. 2: 1-23.Halevi.Hall. 218.Lim. Acknowledgment Abrar Ahmad is supported through a research fellowship (Ref no: IST/R&D/30026) awarded by IST R&D Fund. Kazymyrov. Therefore. Matyas Jr. 1998 appear to be memory and processing efficiency.Hong. November all S-boxes followed by MARS S-box and Skipjack S-box 26. Young not. C. Vol. M.A. Version 2. 1994 [6] W. Probably. E. D. J. Algorithm Specifications Version. Vol. 15 June 1998 use large number of relatively small size cryptographically [15] Skipjack and Kea. data. . Skipjack. pp. 1990 erogeneous S-boxes and rank them after removing biasness [7] M.Whiting. 2001 determine whether an S-box can pass the tests on its own or [9] P.0. 70. 2. J.Kelsey. A novel In future. Linear cryptanalysis method of DES cipher. UK. New Structure of Block Ciphers with Provable Security due to size of the S-box.Cheon. Heckert. Smid.Lee. we want to evaluate S-boxes of all 30 surveyed technique for the construction of strong S-boxes based on chaotic cipher algorithms and also increase the unit of evaluation to Lorenz systems. New S-box is not known and it runs adapted NIST test suite to York. Poland. IBM Corporation. Advances in Cryptology – Eurocrypt93.Cho. L. pp. has significantly reduced. of cipher algorithms. Provable Security known and it computes 5 core and 3 auxiliary parameters. Press (2010) [3] Kavut. These might be relevant at the time NIST announced the competition but in [13] R.Wagner. S. There exist Boolean function on n (odd) variables having nonlinearity 2n−1 − 2(n−1)/2 if and only if n ≥ 7. D. 1996 White Box Layer assumes that the design of an S-box is [8] S. pp 2303-2311. A Method For rithms – AES. Vol.Staffelbach. LNCS. pp 273-283.a candidate cipher for AES. E.Ferguson. J.Gra. 181 (2006) [4] A. I. DC. Hussain. V.D. 29 May 1998. MARS . the cost of high speed processors and memory [14] B.Burwick. Hammer.