(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 9, September 2010, p. 51

Generating the New S-box and Analyzing the Diffusion Strength to Improve the Security of AES Algorithm
Mohan H. S. (1) and A. Raji Reddy (2)

(1) Research Scholar, Dr MGR University, Chennai, India. mohan_kit@yahoo.com

(2) Professor, Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle, India. ar_reddy@yahoo.com

Abstract: Shared-key (symmetric) encryption is the most fundamental cryptographic task. It is used in a large variety of applications, including protection of the secrecy of login passwords, ATM transactions, e-mail messages, video transmissions, wireless systems and internet-distributed digital content. Several encryption algorithms are available for deployment in these applications. The earlier standard for shared-key encryption was the DES cipher, which was developed in the early 70's. Later RIJNDAEL was proposed and was selected as the Advanced Encryption Standard (AES). The main objective of this paper is to analyze the RIJNDAEL algorithm, a shared-key (symmetric) block cipher supporting 128-bit blocks and a 128-bit key size, and to develop a new S-box. The design of block ciphers requires the implementation of high-speed algorithms with fewer rounds. The number of rounds in a block cipher is decided based upon the resistance levels against the known attacks. The very first level of attack on an encryption algorithm is to search for repetitive cipher values and relate them to plaintext. This attack can be made ineffective if an algorithm is designed to comply with the Strict Avalanche Criterion (SAC). In this paper, diffusion analysis based upon first-order SAC and higher-order SAC is carried out for the RIJNDAEL algorithm and a new S-box generation is suggested. The results provide good insight into RIJNDAEL's strength through its diffusion behavior and are useful in the design of new strong encryption algorithms.

Keywords: Diffusion analysis, Strict Avalanche Criteria, First order SAC, higher order SAC.

1. Introduction
Cryptography allows people to send and receive information over the communication channel, thus allowing them to do business electronically without worries of deception. The perpetual increase of information transmitted electronically has led to an increased reliance on cryptography. Cryptography is important to the continual growth of the Internet and E-commerce. Various cryptographic tools are used to provide information security. These tools are to be evaluated with respect to various criteria: (1) level of security, (2) functionality, (3) modes of operation, (4) performance and (5) ease of implementation. A cryptographic algorithm, or cipher, is the mathematical function used for encryption and decryption. If the security of an algorithm is based upon keeping the way that algorithm works secret, then it is known as a restricted algorithm. A large or changing group of users cannot use such algorithms, because every time a user leaves the group, everyone else must change the algorithm. Even more, restricted algorithms allow no quality control or standardization. But they are enormously popular for low-security applications. Modern cryptography solves this problem with a key, denoted by k. Both the encryption and decryption operations use this key, so the encryption and decryption functions become:

Ek(M) = C for encryption, where Ek denotes encryption using key k and M is the message;
Dk(C) = M for decryption, where Dk denotes decryption using key k and C is the cipher text.

1.1 Symmetric Algorithms
There are two general types of key-based algorithms: symmetric and public key. In symmetric algorithms the encryption key can be the same as the decryption key and vice versa. These are also called secret-key algorithms. Symmetric algorithms can be divided into two categories: i) some operate on the plaintext a single bit at a time and are called stream ciphers, and ii) others operate on the plaintext in groups of bits; such groups of bits are called blocks and such algorithms are called block ciphers.

1.2 Stream Ciphers and Block Ciphers
Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. Stream ciphers are more suitable for situations where transmission errors are highly probable. Symmetric-key block ciphers are the most prominent and important elements in many cryptographic systems. Individually, they provide confidentiality. Examples of block ciphers are DES, 3-DES, FEAL, SAFER, RC5 and AES. The implementation of any basic block cipher is generally known as Electronic Code Book (ECB) mode. In order to increase the security further, additional modes are also defined. They are (1) Cipher Feedback (CFB) mode, (2) Output Feedback (OFB) mode and (3) Counter mode (CTR). The counter mode has become popular in IPSec and IPv6 applications.

1.3 Cryptanalysis
There are two general approaches for attacking a conventional encryption algorithm. Cryptanalysis: This is used for deciphering a message without any knowledge of the enciphering details.


Cryptanalysis is the science of recovering the plaintext of a message without access to the key. Successful cryptanalysis may recover the plaintext or the key. It also finds weaknesses in the cryptosystem. Brute-force attack: The attack tries every possible key on a piece of cipher text until an intelligible translation into plain text is obtained. This is tedious and may not be feasible if the key length is relatively long.

1.4 Confusion and Diffusion
These are the two important techniques for building any cryptographic system. Claude Shannon introduced the terms confusion and diffusion. According to Shannon, in an ideal cipher, "all statistics of the cipher text are independent of the particular key used". In diffusion, each plaintext digit affects many cipher text digits, which is equivalent to saying that each cipher text digit is affected by many plain text digits. All encryption algorithms make use of diffusion and confusion layers. The diffusion layer is based upon simple linear operations such as multi-permutations, key additions, multiplication with known constants, etc. On the other hand, the confusion layer is based upon complex, nonlinear operations such as the Substitution Box (S-box).

2. Related Work

2.1 Evaluation of Advanced Encryption Standard
The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The original DES was designed for mid-1970's hardware implementation and does not produce efficient software code. Since 3DES has three times as many rounds as DES, it is correspondingly slower. A secondary drawback is that both DES and 3DES use a 64-bit block size. For reasons of both efficiency and security a larger block size is desirable. Because of these drawbacks, NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard (AES), which should have security strength equal to or better than 3DES and significantly improved efficiency. In addition, NIST specified that AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192 and 256 bits. In the first round 15 proposals were submitted and in the second round 5 algorithms were selected. NIST completed its evaluation in November 2001 and selected Rijndael as the AES. Its designers are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen. This standard specifies the Rijndael algorithm ([3] and [4]), a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle additional block sizes and key lengths; however, they are not adopted in this standard. Throughout the remainder of this standard, the algorithm specified herein will be referred to as "the AES algorithm." The algorithm may be used with the three different key lengths indicated above, and therefore these different "flavors" may be referred to as "AES-128", "AES-192", and "AES-256".

2.2 S-Box Design
One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. The basic characteristic of an S-box is its size. An n x m S-box has n input bits and m output bits. Larger S-boxes, by and large, are more resistant to differential and linear cryptanalysis. However, a large dimension n leads to a larger lookup table. The size of the lookup table decides the size of the program memory. Therefore, a small S-box is required for hardware with less program memory, and a large S-box can be used with hardware having more program memory. For example, AES uses a 16 x 16 S-box. This is implemented on a suite of hardware platforms: 8051-based microcontrollers, PIC processors, ARM processors, FPGA-based processors, ASICs, etc. It is possible to implement a 256 x 256 S-box in high-end processors. Another practical consideration is that the larger the S-box, the more difficult it is to design it properly. An S-box is required for both encryption and decryption. An n x m S-box typically consists of 2^n rows of m bits each. The n bits of input select one of the rows of the S-box, and the m bits in that row are the output. For example, in an 8 x 32 S-box, if the input is 00001001, the output consists of the 32 bits in row 9 (the first row is labeled row 0).

2.3 Key Schedule Algorithm
A final area of block cipher design is the key schedule algorithm. A block cipher requires one sub-key for each round of operation. The sub-key is generated from the input master key. Generation of sub-keys requires an algorithm. This algorithm should ensure that no sub-key is repeated. In general, we select sub-keys to maximize the difficulty of deducing individual sub-keys and the difficulty of working back to the main key.

2.4 Avalanche Criteria
There are two different types of strict avalanche criteria: i) First-order SAC: the change in output bits when a single input bit is flipped, and ii) Higher-order SAC: the change in output bits when many input bits are flipped.

3. Statement of the Problem
AES is a symmetric block cipher which encrypts/decrypts one block of data at a time. AES has an iterative structure consisting of the repetition of a round, which is applied to the data block to be encrypted a fixed number of times. The mandatory feature required for any block cipher is good diffusion. The problem statement is given below:
i. To implement the encryption and decryption of the algorithm.
ii. To increase the diffusion power of the AES algorithm.
iii. To suggest a new S-box for the AES algorithm to increase the confusion.

4. Algorithm Specification
For the AES algorithm, the length of the input block, the output block and the State is 128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns) in the State. For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the Cipher Key. For the AES algorithm, the number of rounds to be performed during the execution of the algorithm is dependent on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8. The only Key-Block-Round combinations that conform are shown below.

Figure 1. Key-Block-Round Combinations.

For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations: 1) byte substitution using a substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the data within each column of the State array, and 4) adding a Round Key to the State.

4.1 The State
Internally, the AES algorithm's operations are performed on a two-dimensional array of bytes called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either sr,c or s[r,c]. For this standard, Nb = 4, i.e., 0 ≤ c < 4. At the start of the Cipher and Inverse Cipher, the input, the array of bytes in0, in1 ... in15, is copied into the State array as illustrated in Fig. 2. The Cipher or Inverse Cipher operations are then conducted on this State array, after which its final value is copied to the output, the array of bytes out0, out1 ... out15. Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State array according to the scheme:

s[r, c] = in[r + 4c] for 0 ≤ r < 4 and 0 ≤ c < Nb,

and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as follows:

out[r + 4c] = s[r, c] for 0 ≤ r < 4 and 0 ≤ c < Nb.

4.2 The State as an Array of Columns
The four bytes in each column of the State array form 32-bit words, where the row number r provides an index for the four bytes within each word. The State can hence be interpreted as a one-dimensional array of 32-bit words (columns), w0...w3, where the column number c provides an index into this array. Hence, for the example in Fig. 2, the State can be considered as an array of four words, as follows:

w0 = s0,0 s1,0 s2,0 s3,0
w1 = s0,1 s1,1 s2,1 s3,1
w2 = s0,2 s1,2 s2,2 s3,2
w3 = s0,3 s1,3 s2,3 s3,3

5. Diffusion Analysis
Diffusion analysis of any encryption algorithm enables one to estimate the strength of that algorithm. The strength of the algorithm is related to how sensitive the cipher values are to changes in the input plain text. In other words, how many of the output cipher text bits undergo changes when a single bit of the input plain text is changed. The Hamming distance is the Hamming weight of the value obtained by XORing two cipher text values. The Hamming distance indicates the avalanche of the encryption algorithm. For well-diffused cipher values, higher avalanche values are required. Therefore, it is imperative to define the amount of avalanche that is required for a given encryption algorithm. The Strict Avalanche Criterion (SAC) is defined to indicate the required diffusion level. It is mandatory for every encryption algorithm to satisfy the SAC in order to meet the diffusion requirements. In this paper, avalanche values are measured for this encryption algorithm for first-order SAC and for higher-order SAC. The measured results are shown in later sections. Flipping one bit of the input plain text and keeping the key value constant, avalanche values are measured for each round. The measured result shows a definite pattern. With respect to CASE (1), i.e. the implementation of the first-order SAC keeping the plaintext constant: initially, in the first round, it is low, the number of bits that differ is 22 and the SAC value is 17. It then increases to a maximum in the 7th round, where the number of bits that differ is 75 with a SAC value of 58, and then decreases; finally, after the 10th round, it ends with 72 differing bits and a SAC value of 56, which satisfies the desired Strict Avalanche Criterion. Similarly, the same holds for all the other cases, which are shown in the later sections. From the results, it is evident that the avalanche values exceed the SAC value in the initial rounds, sometimes in the second round itself.
The AES encryption algorithm is designed based upon the various criteria, and the number of rounds is adequate and robust, as it uses S-boxes as nonlinear components. So far Rijndael has no known security attacks.

Figure 2. State array input and output.



Based upon the above considerations, we can conclude that an encryption algorithm can be designed with fewer rounds provided it does not show any weakness to differential and linear attacks.

6. Alternate S-box
In a block cipher, the S-box provides the confusion. The S-box maps the plain text to a cipher value using nonlinear operations. Since plain text and cipher values are not related linearly, it is difficult to construct the plain text from a given cipher value. This problem is generally known as "hard". Some block ciphers have used the multiplicative inverse of a byte in the GF(2^8) field for constructing the S-box. Such an S-box is constructed by filling in the multiplicative inverse values. The same S-box can be used for decryption, thus providing involution. However, these are not as secure as an S-box constructed using a double transformation, i.e., a separate S-box for each of encryption and decryption. But an involution S-box is extremely useful for an involution cipher, where hardware is at a premium, such as in smart cards, etc. It is also used as a basic building block to construct an S-box using a double transformation.

6.1 Design Criteria for S-Box
Following are the design criteria for the S-box, appearing in order of importance:
• Non-linearity: (a) Correlation: the maximum input-output correlation amplitude must be as small as possible. (b) Difference propagation probability: the maximum difference propagation probability must be as small as possible.
• Algebraic complexity: the algebraic expression of SRD in GF(2^8) has to be complex.

6.2 S-Box of AES
The S-box is constructed in the following fashion:
• Initialize the S-box with the byte values in ascending sequence row by row: the first row contains {00}, {01}, {02}, ..., {0F}; the second row contains {10}, {11}, etc.; and so on. Thus the value of the byte at row x, column y is {xy}.
• Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself.
• Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0). Apply the following affine transformation to each bit of each byte in the S-box:

b'i = bi ⊕ b(i+4) mod 8 ⊕ b(i+5) mod 8 ⊕ b(i+6) mod 8 ⊕ b(i+7) mod 8 ⊕ ci

where ⊕ denotes XOR and ci is the ith bit of the byte c with the value {63}, i.e. (c7 c6 c5 c4 c3 c2 c1 c0) = (01100011). The prime (') indicates that the variable is to be updated by the value on the right. The AES standard also depicts this transformation in matrix form.

6.3 Proposed S-box
Here we propose that one can generate one's own S-boxes by choosing a different constant value for the affine transformation used in the construction of the S-box.

7. Experimental Results
The AES algorithm is designed with the same three key-size alternatives, i.e. 128/192/256 bits, but limits the block length to 128 bits. The algorithm efficiently encrypts and decrypts the plaintext and the result is tabulated. Diffusion analysis is also used as a tool to measure the strength of the AES algorithm. This is achieved by analyzing the diffusion, which exhibits a strong avalanche effect for the first-order SAC and higher-order SAC, taking the following cases:
• Changing one bit at a time in the plaintext, keeping the key constant.
• Changing one bit at a time in the key, keeping the plaintext constant.
• Changing many bits at a time in the plaintext, keeping the key constant.
• Changing many bits at a time in the key, keeping the plaintext constant.
The avalanche value of each round is tabulated for all the above cases, and it is shown that the Rijndael algorithm exhibits a good Strict Avalanche Criterion. Also, the generation of an alternate S-box is an attempt to secure the algorithm from attacks; the generated S-box is then used for encryption and diffusion analysis, for comparison. The following are the results that have been achieved:

7.1 Encryption
The length of the key is entered; accordingly the key and the plaintext are entered in hexadecimal. Simultaneously the cipher text is generated.
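As an added example (not the paper's own code), the Python below covers the S-box construction of sections 6.2 and 6.3, the State layout of section 4 and the per-round avalanche counts behind sections 5 and 7: it builds the S-box from the GF(2^8) inverse and the affine transform with a selectable constant, runs a minimal AES-128 that keeps the State after every round, and counts the State bits that change when chosen plaintext and/or key bits are flipped. The alternate constant 0x5A and the FIPS-197 Appendix C.1 test vector mentioned in the comments are assumptions for the demonstration, not values taken from the paper.

```python
# Added example, not the paper's code: AES S-box from the GF(2^8) inverse and
# affine transform (constant {63} swappable as section 6.3 proposes), a small
# AES-128 recording the State per round, and avalanche counts for all four cases.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    for i in range(8):
        if (b >> i) & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # a := a * x, reduced
    return r

def gf_inv(a):
    """Multiplicative inverse computed as a^254; {00} maps to itself."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(b, c):
    """b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8."""
    out = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (c >> i))
        out |= (bit & 1) << i
    return out

def make_sbox(c=0x63):
    """c=0x63 reproduces the AES table; any other c (0x5A used below is arbitrary)."""
    return [affine(gf_inv(x), c) for x in range(256)]

def shift_rows(s):
    """State is flat, byte s[r,c] at index r + 4c; row r rotates left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):  # b_r = 2*a_r ^ 3*a_(r+1) ^ a_(r+2) ^ a_(r+3)
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def expand_key(key, box):
    """AES-128 key schedule: 11 round keys, each flattened in State order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, then xor Rcon into the first byte
            t = [box[t[1]] ^ rcon, box[t[2]], box[t[3]], box[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * n:4 * n + 4], []) for n in range(11)]

def encrypt_rounds(pt, key, box):
    """Return the State after each of the 10 rounds; the last is the ciphertext."""
    rk = expand_key(key, box)
    s = [p ^ k for p, k in zip(pt, rk[0])]
    states = []
    for rnd in range(1, 11):
        s = shift_rows([box[b] for b in s])
        if rnd != 10:  # the final round has no MixColumns
            s = mix_columns(s)
        s = [a ^ k for a, k in zip(s, rk[rnd])]
        states.append(s)
    return states

def avalanche(pt, key, pt_bits, key_bits, box):
    """Per-round count of State bits that differ after flipping the listed bit
    positions in the plaintext and/or key (one or many: the paper's four cases)."""
    pt2, key2 = bytearray(pt), bytearray(key)
    for b in pt_bits:
        pt2[b // 8] ^= 1 << (b % 8)
    for b in key_bits:
        key2[b // 8] ^= 1 << (b % 8)
    ref, alt = encrypt_rounds(pt, key, box), encrypt_rounds(bytes(pt2), bytes(key2), box)
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q)) for p, q in zip(ref, alt)]
```

Calling `avalanche(pt, key, [0], [], make_sbox())` returns the ten per-round counts for Case 2, and passing `make_sbox(0x5A)` instead repeats the measurement with an alternate S-box; `make_sbox()[0x53] == 0xED` and the FIPS-197 C.1 vector (key 00..0f, plaintext 00112233...eeff, ciphertext 69c4e0d8...c55a) check the construction.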

Figure 3. Result of encryption using a 128-bit key length.

7.2 Decryption
The key that was previously entered for encryption has to be entered. As a result, the plain text entered during encryption is regenerated as the text after decryption.

Figure 4. Result after decryption for a 128-bit key length.

7.3 Diffusion Analysis for First Order SAC
CASE 1: Changing one bit at a time in the key, keeping the plaintext constant.

Figure 5. Results of the avalanche effect for Case (1).

CASE 2: Changing one bit at a time in the plaintext, keeping the key constant.

Figure 6. Results of the avalanche effect for Case (2).

7.4 Diffusion Analysis for Higher Order SAC
CASE 3: Changing many bits at a time in the key, keeping the plaintext constant.

Figure 7. Results of the avalanche effect for Case (3).

CASE 4: Changing many bits at a time in the plaintext, keeping the key constant.

Figure 8. Results of the avalanche effect for Case (4).

7.5 With Alternate S-box
The alternate S-box is generated, and the encryption and diffusion analysis are carried out with the new S-box.

Figure 9. Result of encryption using a 128-bit key length.

Figure 10. Diffusion analysis for first-order SAC with a 128-bit key length.

8. Conclusions
The main aim of any encryption algorithm is to keep the data secure from intruders. DES did not satisfy the need for data security because of its short 56-bit key. Such short keys can be broken by brute-force attacks, and so it was proved insecure. As a replacement, AES was proposed and Rijndael was selected, which is more secure than DES. The basic design of an encryption algorithm is based upon the strength of diffusion and confusion. This dissertation explored the diffusion and confusion elements used in the AES to an extent. Based on the studies, the following techniques are developed as a security improvement:
• Diffusion analysis, which is used as a tool to measure the strength of the algorithm. From the experimental results, it is proved that AES meets the Strict Avalanche Criterion, which is mandatory for an encryption algorithm in order to meet the diffusion requirements.
• Suggesting an alternate S-box.

9. Future Enhancements
• An alternate S-box for decryption can be developed.
• All encryption algorithms, both symmetric and public key, involve arithmetic operations on integers in a finite field. The Rijndael algorithm uses the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b in hex). So, a new irreducible polynomial of degree 8 could be used; there are 30 irreducible polynomials of degree 8.

Authors Profile
Mohan H.S. received his Bachelor's degree in Computer Science and Engineering from Malnad College of Engineering, Hassan, in 1999 and his M.Tech in Computer Science and Engineering from Jawaharlal Nehru National College of Engineering, Shimoga, in 2004. He is currently pursuing a part-time Ph.D degree at Dr. MGR University, Chennai. He is working as a professor in the Dept. of Information Science and Engineering at SJB Institute of Technology, Bangalore-60. He has a total of 12 years of teaching experience. His areas of interest are network security, image processing, data structures, computer graphics, finite automata and formal languages, and compiler design. He obtained a best teacher award for his teaching in 2008 at SJBIT, Bangalore-60. He has published and presented papers in journals and international and national level conferences.

A. Raji Reddy received his M.Sc from Osmania University and his M.Tech in Electrical and Electronics and Communication Engineering from IIT Kharagpur in 1979, and his Ph.D degree from IIT Kharagpur in 1986. He worked as a senior scientist in R&D at ITI Ltd, Bangalore, for about 24 years. He is currently working as professor and head of the Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle. His current research areas are cryptography and its application to wireless systems and network security. He has published and presented papers in journals and international and national level conferences.

References
[1] W. Stallings, Cryptography and Network Security, Prentice Hall, 2003.
[2] AES page available via http://www.nist.gov/CryptoToolkit.4
[3] Computer Security Objects Register (CSOR): http://csrc.nist.gov/csor/.
[4] J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES Algorithm Submission, September 3, 1999.
[5] J. Daemen and V. Rijmen, The block cipher Rijndael, Smart Card Research and Applications, LNCS 1820, Springer-Verlag, pp. 288-296.
[6] B. Gladman's AES related home page: http://fp.gladman.plus.com/cryptography_tetechnolo/.
[7] A. Lee, NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, National Institute of Standards and Technology, November 1999.
[8] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, 1997, pp. 81-83.
[9] J. Nechvatal, Report on the Development of the Advanced Encryption Standard (AES), National Institute of Standards and Technology, October 2, 2000.
[10] Mohan H.S. and A. Raji Reddy, "Diffusion Analysis of Mars Encryption Algorithm", International Conference on Current Trends of Information Technology, MERG2005, Bhimavaram, Andhra Pradesh.
[11] Mohan H.S. and A. Raji Reddy, "An Effective Defense Against Distributed Denial of Service in Grid", IEEE International Conference on Integrated Intelligent Computing, ICIIC-2010, SJBIT, Bangalore-60, ISBN 978-0-7695-4152-5, pp. 84-89.
