A Modern Method for Constructing the S-Box of Advanced Encryption Standard

Abstract

The substitution table (S-Box) of Advanced Encryption Standard (AES) and its properties are key elements in cryptanalysis ciphering. We aim here to propose a straightforward method for the non-linear transformation of AES S-Box construction. The method reduces the steps needed to compute the multiplicative inverse, and computes the matrices multiplication used in this transformation, without a need to use the characteristic matrix, and the result is a modern method constructing the S-Box.

Share and Cite:

Ahmed, W. (2019) A Modern Method for Constructing the S-Box of Advanced Encryption Standard. Applied Mathematics, 10, 234-244. doi: 10.4236/am.2019.104018.

1. Introduction

The S-Box table of AES is taken as a lookup table to substitute an input byte by another, this table is constructed using a non-linear transformation depends on the usual method taking more calculation steps to give the corresponding byte.

The S-Box plays a fundamental role in encryption and decryption processes, as byte substitution appears in many steps. At the first round of the encryption process, we add the plaintext matrix to the key matrix, then we substitute each byte by another byte according to S-Box, for example, to substitute the byte xy(say), we take the byte in the cell that has x as the column index and y as the row index, we do this substitute byte step in all rounds of the encryption process, and in all round of the decryption process, we do the inverse substitute byte step, to substitute the byte xy(say), we take the index of the column, and the index of the row of the cell that contains xy, as the left and the right character of the result byte, respectively. The S-Box (Table 1), involves substitution bytes for all bytes from {00} to {FF} in hexdecimal presentation.

The S-Box is constructed using the following operations [1] :

1) Finding the multiplicative inverse of an input byte in the finite field G F ( 2 8 ) based on the irreducible polynomial P ( x ) = x 8 + x 4 + x 3 + x + 1 .

2) Multiplying this multiplicative inverse by a specific matrix (matrix M).

3) Adding the multiplication result to a specific vector ( { 63 } = 01100011 ) .

We convert the hexadecimal presentation of the input byte into binary presentation as ( a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 ) and write it as a polynomial A ( x ) = a 7 x 7 + a 6 x 6 + a 5 x 5 + a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , let its multiplicative inverse be T ( x ) = t 7 x 7 + t 6 x 6 + t 5 x 5 + t 4 x 4 + t 3 x 3 + t 2 x 2 + t 1 x + t 0 , we multiply T ( x ) by the following characteristic matrix:

M = [ 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 ] (1)

Then, we add the result to (01100011).

We note that, for the input {00} the output is {63}.

Table 1. The AES S-Box.

1.1. Problem Statement

We search for an easier and straightforward method for constructing the AES S-Box.

1.2. Proposed Solution

The multiplicative inverse of an input byte can be computed in clear steps using an iterated formula.

Multiplying the multiplicative inverse matrix by the characteristic matrix can be determined directly from this multiplicative inverse using simple XOR operations, without a need to use the characteristic matrix.

2. Traditional Way

In cryptography, the extended Euclidean algorithm has wide uses especially for finding a multiplicative inverse (modular inverse).

Euclidean algorithm is used to find the greatest common divisor of two integers a and b, (denoted by gcd ( a , b ) ).

When b > a , and

b r = a q (2)

for some integers r and q, we say

r = b ( mod a ) (3)

and if b ( mod a ) = 0 then

gcd ( a , b ) = a (4)

With the polynomials A ( x ) and P ( x ) , we write gcd ( A ( x ) , P ( x ) ) [2] .

The algorithm below gives gcd ( A ( x ) , P ( x ) ) , where A ( x ) < P (x)

The step (1.(a)) of the algorithm (1) involves the division algorithm:

P ( x ) = A ( x ) q ( x ) + r ( x ) (5)

where 0 r ( x ) = P ( x ) mod A ( x ) < A ( x ) .

It implies that [4]

gcd ( A ( x ) , P ( x ) ) = gcd ( A ( x ) , r ( x ) ) (6)

If r ( x ) 0 , the step will be repeated, let us write the repeated application of the division algorithm as:

P ( x ) = q 1 ( x ) A ( x ) + r 1 ( x ) , 0 r 1 ( x ) < A (x)

A ( x ) = q 2 ( x ) r 1 ( x ) + r 2 ( x ) , 0 r 2 ( x ) < r 1 (x)

r 1 ( x ) = q 3 ( x ) r 2 ( x ) + r 3 ( x ) , 0 r 3 ( x ) < r 2 (x)

r i 3 ( x ) = q i 1 ( x ) r i 2 ( x ) + r i 1 ( x ) , 0 r i 1 ( x ) < r i 2 (x)

r i 2 ( x ) = q i ( x ) r i 1 ( x ) + r i ( x ) , 0 r i ( x ) < r i 1 ( x ) (7)

When r i ( x ) = 0 , and since

gcd ( A ( x ) , P ( x ) ) = gcd ( r i 1 ( x ) , r i ( x ) ) (8)

we get

gcd ( A ( x ) , P ( x ) ) = r i 1 ( x ) (9)

The extended form of the Euclidean algorithm is called Extended Euclidean algorithm, it gives (besides gcd ( A ( x ) , P ( x ) ) , X ( x ) and Y ( x ) such that

gcd ( A ( x ) , P ( x ) ) = A ( x ) X ( x ) + P ( x ) Y ( x ) (10)

Rewrite the equations of the system (7) as:

r 1 ( x ) = P ( x ) q 1 ( x ) A (x)

r 2 ( x ) = A ( x ) q 2 ( x ) r 1 (x)

r 3 ( x ) = r 1 ( x ) q 3 ( x ) r 2 (x)

r i 2 ( x ) = r i 4 ( x ) q i 2 ( x ) r i 3 (x)

r i 1 ( x ) = r i 3 ( x ) q i 1 ( x ) r i 2 ( x ) (11)

Then, in the last equation of system (11), r i 1 ( x ) = r i 3 ( x ) q i 1 ( x ) r i 2 ( x ) , replace r i 2 ( x ) with its value from the above equation (it involves r i 3 ( x ) ), then replace r i 3 ( x ) with its value from the above equation, continue doing this replacement, we obtain

r i 1 ( x ) = r i 3 ( x ) ( q i 1 ( x ) ) ( r i 4 ( x ) ( q i 2 ( x ) ) ( r i 5 ( x ) ( q i 3 ( x ) ) × ( r i 6 ( x ) ( q i 4 ( x ) ) ( ( ) ( P ( x ) q 1 ( x ) A ( x ) ) ) ) ) ) (12)

Equation (12) takes the form

r i 1 ( x ) = A ( x ) X ( x ) + P ( x ) Y ( x ) (13)

In our problem 1 i < 8 , and since the multiplicative inverse only exists when the gcd is 1 [5] .

r i 1 ( x ) = 1 (14)

The multiplicative inverse [2] of A ( x ) modulo P ( x ) is A 1 ( x ) such that

A ( x ) A 1 ( x ) = 1 ( mod P ( x ) ) (15)

When gcd ( A ( x ) , P ( x ) ) = 1 ,

1 = A ( x ) X ( x ) + P ( x ) Y ( x ) (16)

1 ( mod P ( x ) ) = ( A ( x ) X ( x ) + P ( x ) Y ( x ) ) ( mod P ( x ) ) (17)

and since

P ( x ) Y ( x ) = 0 ( mod P ( x ) ) (18)

we get

X ( x ) = A 1 ( x ) (19)

So, the procedure of the extended Euclidean algorithm finds the greatest common divisor, also it finds the multiplicative inverse.

Below an algorithm to find A 1 ( x ) , we will denote A 1 ( x ) by T ( x ) .

Now, we have T ( x ) = ( t 7 t 6 t 5 t 4 t 3 t 2 t 1 t 0 ) , we multiply it (from the left) by matrix M

M ( T ( x ) ) = [ 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 ] [ t 0 t 1 t 2 t 3 t 4 t 5 t 6 t 7 ] = [ t 0 + t 4 + t 5 + t 6 + t 7 t 0 + t 1 + t 5 + t 6 + t 7 t 0 + t 1 + t 2 + t 6 + t 7 t 0 + t 1 + t 2 + t 3 + t 7 t 0 + t 1 + t 2 + t 3 + t 4 t 1 + t 2 + t 3 + t 4 + t 5 t 2 + t 3 + t 4 + t 5 + t 6 t 3 + t 4 + t 5 + t 6 + t 7 ] (20)

Then, we add the result to ( { 63 } = 01100011 ) to obtain the output of the input A ( x ) = ( a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 )

[ t 0 + t 4 + t 5 + t 6 + t 7 t 0 + t 1 + t 5 + t 6 + t 7 t 0 + t 1 + t 2 + t 6 + t 7 t 0 + t 1 + t 2 + t 3 + t 7 t 0 + t 1 + t 2 + t 3 + t 4 t 1 + t 2 + t 3 + t 4 + t 5 t 2 + t 3 + t 4 + t 5 + t 6 t 3 + t 4 + t 5 + t 6 + t 7 ] + [ 1 1 0 0 0 1 1 0 ] = [ t 0 + t 4 + t 5 + t 6 + t 7 + 1 t 0 + t 1 + t 5 + t 6 + t 7 + 1 t 0 + t 1 + t 2 + t 6 + t 7 t 0 + t 1 + t 2 + t 3 + t 7 t 0 + t 1 + t 2 + t 3 + t 4 t 1 + t 2 + t 3 + t 4 + t 5 + 1 t 2 + t 3 + t 4 + t 5 + t 6 + 1 t 3 + t 4 + t 5 + t 6 + t 7 ] (21)

Example

Using the traditional way, we want to find the output byte that corresponding to the input byte {53} (Table 2).

{ 53 } = 01010011 , A ( x ) = x 6 + x 4 + x + 1 , P ( x ) = x 8 + x 4 + x 3 + x + 1 .

Iteration 1

Iteration 2

Iteration 3

T ( x ) = y 1 ( x ) = x 7 + x 6 + x 3 + x = 11001010 .

[ 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 ] [ 0 1 0 1 0 0 1 1 ] = [ 0 1 1 1 0 0 0 1 ] (22)

[ 0 1 1 1 0 0 0 1 ] + [ 1 1 0 0 0 1 1 0 ] = [ 1 0 1 1 0 1 1 1 ] (23)

The output is 11101101 = E D .

Table 2. To find the output of {53}.

3. Modern Way

We use the formula [6] below to find the multiplicative inverse.

3.1. The Iterated Formula

The iterated formula

T i ( x ) = ( q i ( x ) ) ( T i 1 ( x ) ) + T i ( x ) , 2 i < 8 (24)

where T 0 ( x ) = 1 , T 1 ( x ) = q 1 ( x ) , gives the multiplicative inverse T = T i when r i = 1 .

To show that, we use the system (11).

When i = 1 , r 1 ( x ) = 1 ,

r 1 ( x ) = P ( x ) ( q 1 ( x ) ) ( A ( x ) ) (25)

1 = P ( x ) ( q 1 ( x ) ) ( A ( x ) ) (26)

We obtain T ( x ) = q 1 ( x ) = T 1 ( x ) . (Equation (24), takes this as given).

When i = 2 , r 2 ( x ) = 1 , r 1 ( x ) 0 ,

r 2 ( x ) = A ( x ) ( q 2 ( x ) ) ( r 1 ( x ) ) (27)

1 = A ( x ) ( q 2 ( x ) ) ( P ( x ) ( q 1 ( x ) ) ( A ( x ) ) ) = ( 1 ( q 2 ( x ) ) ( q 1 ( x ) ) ) ( A ( x ) ) ( q 2 ( x ) ) ( P ( x ) ) = ( 1 ( q 2 ( x ) ) ( q 1 ( x ) ) ) ( A ( x ) ) ( q 2 ( x ) ) ( P ( x ) ) (28)

We obtain T ( x ) = ( q 2 ( x ) ) ( q 1 ( x ) ) + 1 . From Equation (24)

T ( x ) = T 2 ( x ) = q 2 ( x ) T 1 ( x ) + T 0 ( x ) = ( q 2 ( x ) ) ( q 1 ( x ) ) + 1 (29)

When i = 3 , r 3 ( x ) = 1 , r 1 ( x ) 0 , r 2 ( x ) 0 ,

r 3 ( x ) = r 1 ( x ) q 3 ( x ) r 2 ( x ) (30)

1 = P ( x ) q 1 ( x ) A ( x ) q 3 ( x ) ( ( 1 q 2 ( x ) q 1 ( x ) ) A ( x ) q 2 ( x ) P ( x ) ) = ( ( q 3 ( x ) ) ( 1 q 2 ( x ) q 1 ( x ) ) q 1 ( x ) ) A ( x ) + K ( x ) P ( x ) (31)

We obtain

T ( x ) = ( q 3 ( x ) ) ( 1 ( q 2 ( x ) ) ( q 1 ( x ) ) ) q 1 ( x ) = q 3 ( x ) T 2 ( x ) + T 1 ( x ) (32)

and from Equation (24)

T ( x ) = T 3 ( x ) = q 3 ( x ) T 2 ( x ) + T 1 ( x ) (33)

By this way, we can show that Equation (24) gives T ( x ) for 2 i < 8 , when r i = 1 .

Below an algorithm to find T ( x ) using the modern way.

Now, we want to multiply T ( x ) by the matrix M.

First, write M as [7]

M = [ [ 1 0 1 1 0 0 0 0 1 1 1 1 1 0 1 1 ] [ 1 1 0 1 1 1 1 1 0 0 0 0 1 1 0 1 ] [ 1 1 0 1 1 1 1 1 0 0 0 0 1 1 0 1 ] [ 1 0 1 1 0 0 0 0 1 1 1 1 1 0 1 1 ] ] (34)

Let

M 1 = [ 1 0 1 1 0 0 0 0 1 1 1 1 1 0 1 1 ] , M 2 = [ 1 1 0 1 1 1 1 1 0 0 0 0 1 1 0 1 ] (35)

And write T ( x ) as

T = [ [ t 0 t 1 t 2 t 3 ] [ t 4 t 5 t 6 t 7 ] ] (36)

Let

T 1 = [ t 0 t 1 t 2 t 3 ] , T 2 = [ t 4 t 5 t 6 t 7 ] (37)

Then

M 1 T 1 = [ t 0 t 0 + t 1 t 0 + t 1 + t 2 t 0 + t 1 + t 2 + t 3 ] (38)

M 1 T 2 = [ t 4 t 4 + t 5 t 4 + t 5 + t 6 t 4 + t 5 + t 6 + t 7 ] (39)

M 2 T 1 = [ t 3 + t 2 + t 1 + t 0 t 3 + t 2 + t 1 t 3 + t 2 t 3 ] (40)

M 2 T 2 = [ t 7 + t 6 + t 5 + t 4 t 7 + t 6 + t 5 t 7 + t 6 t 7 ] (41)

So, the multiplication of M and T ( x ) gives

[ M 1 T 1 + M 2 T 2 M 2 T 1 + M 1 T 2 ]

From Equation (38) and Equation (39), we note that the results of these multiplications give the form

[ firstelement first + second first + second + third first + second + third + fourth ]

of the second matrix, and similarly, Equation (40) and Equation (41), show that the results give the form

[ fourth + third + second + first fourth + third + second fourth + third fourth ]

of the second matrix, so we don’t need to use matrix M, as the traditional method.

In the last step, we add M ( T ( x ) ) to ( { 63 } = 01100011 ) .

3.2. Example

Using the modern way, we want to find the output of {53}

{ 53 } = 01010011 , A ( x ) = x 6 + x 4 + x + 1 , P ( x ) = x 8 + x 4 + x 3 + x + 1 .

First, finding the multiplicative inverse (Table 3).

Table 3. Finding multiplicative inverse of {53}.

Since r 3 ( x ) = 1 ,

T ( x ) = T 3 ( x ) = ( q 3 ( x ) ) T 2 ( x ) + T 1 ( x ) = ( q 3 ( x ) ) ( ( q 2 ( x ) ) ( q 1 ( x ) ) + 1 ) + q 1 ( x ) = ( x + 1 ) [ ( x 4 + x 2 ) ( x 2 + 1 ) + 1 ] + x 2 + 1 = x 7 + x 6 + x 3 + x = 11001010

Then, computing the matrices multiplication:

[ 0 1 0 1 0 0 1 1 ] [ [ 0 1 1 0 ] [ 0 0 0 1 ] [ 0 0 1 1 ] [ 0 0 1 0 ] ] = [ 0 1 1 1 0 0 0 1 ] (42)

Last, adding (01100011)

[ 0 1 1 1 0 0 0 1 ] + [ 1 1 0 0 0 1 1 0 ] = [ 1 0 1 1 0 1 1 1 ] (43)

So, the output is 11101101 = E D .

4. Conclusions

In this paper, a straightforward method for obtaining the Advanced Encryption Standard S-Box look-up table without the traditional use of the characteristic Matrix M is proposed. We have demonstrated that the two methods are equivalent. In addition, the multiplicative inverse of A ( x ) has been found more elegantly.

In future work, we will investigate the properties and the impact of this technique on cipher complexity analysis.

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1] National Institute of Standards and Technology (NIST) (2001) Advanced Encryption Standard (AES). FIPS Publication 197.
[2] Burton, D.M. (2007) Elementary Number Theory. 6th Edition, McGraw-Hill, New York.
[3] Menezes, A., van Oorschot, P. and Vanstone, S. (1997) Handbook of Applied Cryptography. CRC Press, New York.
https://doi.org/10.1201/9781439821916
[4] Cormen, T.H., Leiserson, C.E., Rivest, R.L. and Stein, C. (2009) Introduction to Algorithms. 3rd Edition, The MIT Press, Cambridge, London.
[5] Ahmed, W.E. (2019) A Way to Compute a Greatest Common Divisor in the Galois Field (GF (2^n)). Journal of Advances in Mathematics, 16, 8317-8321.
https://doi.org/10.24297/jam.v16i0.8167
[6] Ahmed, W.E. (2019) Some Techniques to Compute Multiplicative Inverses for Advanced Encryption Standard. Journal of Advances in Mathematics, 16, 8208-8212.
https://doi.org/10.24297/jam.v16i0.8016
[7] Ahmed, W.E. (2019) On Rijndael ByteSub Transformation. Applied Mathematics, 10, 113-118.
https://doi.org/10.4236/am.2019.103010

Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.