
The substitution table (S-Box) of the Advanced Encryption Standard (AES) and its properties are key elements in the cryptanalysis of the cipher. We propose here a straightforward method for computing the non-linear transformation used to construct the AES S-Box. The method reduces the number of steps needed to compute the multiplicative inverse, and it computes the matrix multiplication used in this transformation directly, without the characteristic matrix; the result is a modern method for constructing the S-Box.

The AES S-Box is a lookup table that substitutes one input byte by another. The table is constructed by a non-linear transformation which, in the usual method, takes many calculation steps to produce the corresponding byte.

The S-Box plays a fundamental role in both encryption and decryption, since byte substitution appears in many steps. Before the first round of encryption, the plaintext matrix is added (XORed) to the key matrix; in every round each byte is then substituted by another byte according to the S-Box. To substitute the byte xy (say), we take the byte in the cell with x as the row index and y as the column index. In every round of decryption the inverse substitution is applied instead: to invert the byte xy, we find the cell that contains xy and take its row index and its column index as the left and the right hex digit of the result byte, respectively. The S-Box is tabulated below.

The S-Box is constructed using the following operations:

1) Find the multiplicative inverse of the input byte in the finite field $GF(2^8)$ defined by the irreducible polynomial $P(x) = x^8 + x^4 + x^3 + x + 1$.

2) Multiply this multiplicative inverse (as a bit vector) by a specific matrix, the characteristic matrix $M$.

3) Add the result of the multiplication to a specific constant vector, $\{63\} = 01100011$.

We convert the hexadecimal representation of the input byte into its binary representation $(a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0)$ and write it as the polynomial

$$A(x) = a_7 x^7 + a_6 x^6 + a_5 x^5 + a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0 .$$

Let its multiplicative inverse be

$$T(x) = t_7 x^7 + t_6 x^6 + t_5 x^5 + t_4 x^4 + t_3 x^3 + t_2 x^2 + t_1 x + t_0 .$$

We multiply (the bit vector of) $T(x)$ by the following characteristic matrix:

$$
M = \begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix} \tag{1}
$$

Then we add the result to $(01100011)$.

Note that for the input {00}, whose inverse is defined to be {00}, the output is {63}.

| | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 63 | 7C | 77 | 7B | F2 | 6B | 6F | C5 | 30 | 01 | 67 | 2B | FE | D7 | AB | 76 |
| 1 | CA | 82 | C9 | 7D | FA | 59 | 47 | F0 | AD | D4 | A2 | AF | 9C | A4 | 72 | C0 |
| 2 | B7 | FD | 93 | 26 | 36 | 3F | F7 | CC | 34 | A5 | E5 | F1 | 71 | D8 | 31 | 15 |
| 3 | 04 | C7 | 23 | C3 | 18 | 96 | 05 | 9A | 07 | 12 | 80 | E2 | EB | 27 | B2 | 75 |
| 4 | 09 | 83 | 2C | 1A | 1B | 6E | 5A | A0 | 52 | 3B | D6 | B3 | 29 | E3 | 2F | 84 |
| 5 | 53 | D1 | 00 | ED | 20 | FC | B1 | 5B | 6A | CB | BE | 39 | 4A | 4C | 58 | CF |
| 6 | D0 | EF | AA | FB | 43 | 4D | 33 | 85 | 45 | F9 | 02 | 7F | 50 | 3C | 9F | A8 |
| 7 | 51 | A3 | 40 | 8F | 92 | 9D | 38 | F5 | BC | B6 | DA | 21 | 10 | FF | F3 | D2 |
| 8 | CD | 0C | 13 | EC | 5F | 97 | 44 | 17 | C4 | A7 | 7E | 3D | 64 | 5D | 19 | 73 |
| 9 | 60 | 81 | 4F | DC | 22 | 2A | 90 | 88 | 46 | EE | B8 | 14 | DE | 5E | 0B | DB |
| A | E0 | 32 | 3A | 0A | 49 | 06 | 24 | 5C | C2 | D3 | AC | 62 | 91 | 95 | E4 | 79 |
| B | E7 | C8 | 37 | 6D | 8D | D5 | 4E | A9 | 6C | 56 | F4 | EA | 65 | 7A | AE | 08 |
| C | BA | 78 | 25 | 2E | 1C | A6 | B4 | C6 | E8 | DD | 74 | 1F | 4B | BD | 8B | 8A |
| D | 70 | 3E | B5 | 66 | 48 | 03 | F6 | 0E | 61 | 35 | 57 | B9 | 86 | C1 | 1D | 9E |
| E | E1 | F8 | 98 | 11 | 69 | D9 | 8E | 94 | 9B | 1E | 87 | E9 | CE | 55 | 28 | DF |
| F | 8C | A1 | 89 | 0D | BF | E6 | 42 | 68 | 41 | 99 | 2D | 0F | B0 | 54 | BB | 16 |

We search for an easier and straightforward method for constructing the AES S-Box.

The multiplicative inverse of an input byte can be computed in clear steps using an iterated formula.

The product of the characteristic matrix and the multiplicative inverse vector can be obtained directly from the inverse using simple XOR operations, without using the characteristic matrix at all.

In cryptography, the extended Euclidean algorithm has wide use, especially for finding a multiplicative (modular) inverse.

The Euclidean algorithm finds the greatest common divisor of two integers $a$ and $b$, denoted $\gcd(a, b)$.

When $b > a$ and

$$b - r = aq \tag{2}$$

for integers $q$ and $r$ with $0 \le r < a$, we say

$$r = b \pmod a \tag{3}$$

and if $b \pmod a = 0$ then

$$\gcd(a, b) = a . \tag{4}$$

For the polynomials $A(x)$ and $P(x)$ we write the greatest common divisor as $\gcd(A(x), P(x))$.

Algorithm 1 (the listing is not reproduced here) computes $\gcd(A(x), P(x))$ when $\deg A(x) < \deg P(x)$; in what follows, an inequality between polynomials such as $A(x) < P(x)$ is to be read as a comparison of degrees.

Step (1.(a)) of Algorithm 1 is the division algorithm:

$$P(x) = A(x) q(x) + r(x) \tag{5}$$

where $r(x) = P(x) \bmod A(x)$ satisfies $0 \le r(x) < A(x)$, that is, $r(x)$ is zero or has degree less than $\deg A(x)$.

It follows that

$$\gcd(A(x), P(x)) = \gcd(A(x), r(x)) . \tag{6}$$

If $r(x) \ne 0$ the step is repeated. Let us write the repeated application of the division algorithm as:

$$
\begin{aligned}
P(x) &= q_1(x) A(x) + r_1(x), & 0 \le r_1(x) &< A(x) \\
A(x) &= q_2(x) r_1(x) + r_2(x), & 0 \le r_2(x) &< r_1(x) \\
r_1(x) &= q_3(x) r_2(x) + r_3(x), & 0 \le r_3(x) &< r_2(x) \\
&\;\;\vdots \\
r_{i-3}(x) &= q_{i-1}(x) r_{i-2}(x) + r_{i-1}(x), & 0 \le r_{i-1}(x) &< r_{i-2}(x) \\
r_{i-2}(x) &= q_i(x) r_{i-1}(x) + r_i(x), & 0 \le r_i(x) &< r_{i-1}(x)
\end{aligned}
\tag{7}
$$

When $r_i(x) = 0$, and since

$$\gcd(A(x), P(x)) = \gcd(r_{i-1}(x), r_i(x)), \tag{8}$$

we get

$$\gcd(A(x), P(x)) = r_{i-1}(x) . \tag{9}$$

The extended form of the Euclidean algorithm, the extended Euclidean algorithm, gives, besides $\gcd(A(x), P(x))$, polynomials $X(x)$ and $Y(x)$ such that

$$\gcd(A(x), P(x)) = A(x) X(x) + P(x) Y(x) . \tag{10}$$

Rewrite the equations of the system (7) as:

$$
\begin{aligned}
r_1(x) &= P(x) - q_1(x) A(x) \\
r_2(x) &= A(x) - q_2(x) r_1(x) \\
r_3(x) &= r_1(x) - q_3(x) r_2(x) \\
&\;\;\vdots \\
r_{i-2}(x) &= r_{i-4}(x) - q_{i-2}(x) r_{i-3}(x) \\
r_{i-1}(x) &= r_{i-3}(x) - q_{i-1}(x) r_{i-2}(x)
\end{aligned}
\tag{11}
$$

Then, in the last equation of system (11), $r_{i-1}(x) = r_{i-3}(x) - q_{i-1}(x) r_{i-2}(x)$, replace $r_{i-2}(x)$ by its value from the equation above it (which involves $r_{i-3}(x)$), then replace $r_{i-3}(x)$ by its value from the equation above that, and continue the replacement until only $P(x)$ and $A(x)$ remain. We obtain

$$
r_{i-1}(x) = r_{i-3}(x) - q_{i-1}(x)\Big( r_{i-4}(x) - q_{i-2}(x)\Big( r_{i-5}(x) - q_{i-3}(x)\Big( r_{i-6}(x) - q_{i-4}(x)\big( \cdots \big( P(x) - q_1(x) A(x) \big) \big) \Big) \Big) \Big) \tag{12}
$$

Equation (12) takes the form

$$r_{i-1}(x) = A(x) X(x) + P(x) Y(x) . \tag{13}$$

In our problem $1 \le i < 8$, and since the multiplicative inverse exists only when the gcd is 1,

$$r_{i-1}(x) = 1 . \tag{14}$$

The multiplicative inverse $A^{-1}(x)$ is defined by

$$A(x) A^{-1}(x) = 1 \pmod{P(x)} . \tag{15}$$

When $\gcd(A(x), P(x)) = 1$,

$$1 = A(x) X(x) + P(x) Y(x) \tag{16}$$

$$1 \pmod{P(x)} = \big( A(x) X(x) + P(x) Y(x) \big) \pmod{P(x)} \tag{17}$$

and since

$$P(x) Y(x) = 0 \pmod{P(x)} \tag{18}$$

we get

$$X(x) = A^{-1}(x) . \tag{19}$$

So the procedure of the extended Euclidean algorithm finds the greatest common divisor and, at the same time, the multiplicative inverse.

The algorithm for finding $A^{-1}(x)$, which we denote by $T(x)$ from here on, follows this procedure (the listing is not reproduced here).

Now we have $T(x) = (t_7 t_6 t_5 t_4 t_3 t_2 t_1 t_0)$, and we multiply its bit vector $(t_0, \ldots, t_7)^{\mathsf T}$ from the left by the matrix $M$ (all additions are modulo 2):

$$
M\,T(x) =
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} t_0 \\ t_1 \\ t_2 \\ t_3 \\ t_4 \\ t_5 \\ t_6 \\ t_7 \end{bmatrix}
=
\begin{bmatrix}
t_0 + t_4 + t_5 + t_6 + t_7 \\
t_0 + t_1 + t_5 + t_6 + t_7 \\
t_0 + t_1 + t_2 + t_6 + t_7 \\
t_0 + t_1 + t_2 + t_3 + t_7 \\
t_0 + t_1 + t_2 + t_3 + t_4 \\
t_1 + t_2 + t_3 + t_4 + t_5 \\
t_2 + t_3 + t_4 + t_5 + t_6 \\
t_3 + t_4 + t_5 + t_6 + t_7
\end{bmatrix} \tag{20}
$$

Then we add the result to $\{63\} = 01100011$, whose bit vector is $(1,1,0,0,0,1,1,0)^{\mathsf T}$, to obtain the output for the input $A(x) = (a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0)$:

$$
\begin{bmatrix}
t_0 + t_4 + t_5 + t_6 + t_7 \\
t_0 + t_1 + t_5 + t_6 + t_7 \\
t_0 + t_1 + t_2 + t_6 + t_7 \\
t_0 + t_1 + t_2 + t_3 + t_7 \\
t_0 + t_1 + t_2 + t_3 + t_4 \\
t_1 + t_2 + t_3 + t_4 + t_5 \\
t_2 + t_3 + t_4 + t_5 + t_6 \\
t_3 + t_4 + t_5 + t_6 + t_7
\end{bmatrix}
+
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
=
\begin{bmatrix}
t_0 + t_4 + t_5 + t_6 + t_7 + 1 \\
t_0 + t_1 + t_5 + t_6 + t_7 + 1 \\
t_0 + t_1 + t_2 + t_6 + t_7 \\
t_0 + t_1 + t_2 + t_3 + t_7 \\
t_0 + t_1 + t_2 + t_3 + t_4 \\
t_1 + t_2 + t_3 + t_4 + t_5 + 1 \\
t_2 + t_3 + t_4 + t_5 + t_6 + 1 \\
t_3 + t_4 + t_5 + t_6 + t_7
\end{bmatrix} \tag{21}
$$

Example. Using the traditional way, we want to find the output byte corresponding to the input byte {53}.

$\{53\} = 01010011$, $A(x) = x^6 + x^4 + x + 1$, $P(x) = x^8 + x^4 + x^3 + x + 1$.

Iterations 1 to 3 of the extended Euclidean algorithm (the step-by-step working is not reproduced here) give

$$T(x) = y_1(x) = x^7 + x^6 + x^3 + x = 11001010 .$$

Multiplying its bit vector $(t_0, \ldots, t_7)^{\mathsf T} = (0,1,0,1,0,0,1,1)^{\mathsf T}$ by $M$:

$$
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
=
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \end{bmatrix} \tag{22}
$$

$$
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \end{bmatrix}
+
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
=
\begin{bmatrix} 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \end{bmatrix} \tag{23}
$$

Reading the result vector from $b_7$ down to $b_0$, the output is $11101101 = \mathrm{ED}$.

This is the cell of the S-Box table at row 5, column 3:

| | … | 3 | … |
|---|---|---|---|
| ⋮ | … | … | … |
| 5 | … | ?? | … |
| ⋮ | … | … | … |

We use the following formula.

The iterated formula

$$T_i(x) = q_i(x)\, T_{i-1}(x) + T_{i-2}(x), \qquad 2 \le i < 8 \tag{24}$$

where $T_0(x) = 1$ and $T_1(x) = q_1(x)$, gives the multiplicative inverse $T(x) = T_i(x)$ when $r_i(x) = 1$. (All arithmetic is over $GF(2)$, so subtraction and addition coincide and signs can be ignored.)

To show this, we use the system (11).

When $i = 1$, $r_1(x) = 1$:

$$r_1(x) = P(x) - q_1(x) A(x) \tag{25}$$

$$1 = P(x) - q_1(x) A(x) \tag{26}$$

We obtain $T(x) = -q_1(x) = q_1(x) = T_1(x)$ (Equation (24) takes this as given).

When $i = 2$, $r_2(x) = 1$, $r_1(x) \ne 0$:

$$r_2(x) = A(x) - q_2(x) r_1(x) \tag{27}$$

$$1 = A(x) - q_2(x)\big( P(x) - q_1(x) A(x) \big) = \big( 1 - q_2(x) q_1(x) \big) A(x) - q_2(x) P(x) \tag{28}$$

We obtain $T(x) = q_2(x) q_1(x) + 1$. From Equation (24),

$$T(x) = T_2(x) = q_2(x) T_1(x) + T_0(x) = q_2(x) q_1(x) + 1 . \tag{29}$$

When $i = 3$, $r_3(x) = 1$, $r_1(x) \ne 0$, $r_2(x) \ne 0$:

$$r_3(x) = r_1(x) - q_3(x) r_2(x) \tag{30}$$

$$
1 = P(x) - q_1(x) A(x) - q_3(x)\Big( \big( 1 - q_2(x) q_1(x) \big) A(x) - q_2(x) P(x) \Big)
= \Big( q_3(x)\big( 1 - q_2(x) q_1(x) \big) - q_1(x) \Big) A(x) + K(x) P(x) \tag{31}
$$

for some polynomial $K(x)$ (here $K(x) = 1 + q_3(x) q_2(x)$). We obtain

$$T(x) = q_3(x)\big( 1 - q_2(x) q_1(x) \big) - q_1(x) = q_3(x) T_2(x) + T_1(x) \tag{32}$$

since over $GF(2)$, $1 - q_2(x) q_1(x) = q_2(x) q_1(x) + 1 = T_2(x)$ and $-q_1(x) = q_1(x) = T_1(x)$; and from Equation (24)

$$T(x) = T_3(x) = q_3(x) T_2(x) + T_1(x) . \tag{33}$$

Continuing in this way (by induction on $i$), Equation (24) gives $T(x)$ for $2 \le i < 8$ whenever $r_i(x) = 1$.

The algorithm for finding $T(x)$ by the modern way applies Equation (24) to the quotients $q_1(x), q_2(x), \ldots$ produced by the divisions of system (7) (the listing is not reproduced here).
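As an added example that is not code from the paper, the following Python implements both routes to $T(x)$ over $GF(2)[x]$, with polynomials stored as integers whose bit $k$ is the coefficient of $x^k$. `euclid_quotients` produces the quotients and remainders of system (7); `inverse_traditional` is the extended Euclidean algorithm carrying the Bezout coefficient $X(x)$ of Equation (16); `inverse_iterated` is formula (24). The function names and the integer encoding are my choices; the modulus $P(x) = x^8 + x^4 + x^3 + x + 1$ (0x11B) and the check value $\{53\}^{-1} = \{CA\}$ are from the page. Zero has no inverse, and `aes_inverse` applies the S-Box convention $\{00\} \mapsto \{00\}$.

```python
"""GF(2)[x] arithmetic and the two inverse computations described above.

Polynomials over GF(2) are Python ints: bit k is the coefficient of x^k,
so 0x53 = x^6 + x^4 + x + 1 and P(x) = x^8 + x^4 + x^3 + x + 1 is 0x11B.
Added example; all names are my own.
"""

P_AES = 0x11B  # x^8 + x^4 + x^3 + x + 1, the irreducible AES polynomial


def deg(f):
    """Degree of a GF(2) polynomial; deg(0) is -1."""
    return f.bit_length() - 1


def pmul(f, g):
    """Carry-less (XOR) product of two GF(2) polynomials, unreduced."""
    acc = 0
    while g:
        if g & 1:
            acc ^= f
        f <<= 1
        g >>= 1
    return acc


def pdivmod(f, g):
    """Long division f = q*g + r over GF(2); returns (q, r) with deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, dg = 0, deg(g)
    while deg(f) >= dg:              # cancel the leading term each round
        shift = deg(f) - dg
        q ^= 1 << shift
        f ^= g << shift
    return q, f


def euclid_quotients(a, p=P_AES):
    """System (7): divide p by a, then a by r_1, ... until the remainder is 0.

    Returns (quotients q_1..q_i, remainders r_1..r_i) with r_i == 0,
    so the gcd is r_{i-1}.
    """
    qs, rs = [], []
    hi, lo = p, a
    while lo:
        q, r = pdivmod(hi, lo)
        qs.append(q)
        rs.append(r)
        hi, lo = lo, r
    return qs, rs


def inverse_traditional(a, p=P_AES):
    """Extended Euclid carrying the Bezout coefficient X(x) of a (eqs. 16, 19)."""
    if a == 0:
        raise ValueError("0 has no inverse")
    r0, r1 = p, a
    x0, x1 = 0, 1                    # invariant: r_k = x_k * a (mod p)
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        x0, x1 = x1, x0 ^ pmul(q, x1)  # x_{k+1} = x_{k-1} - q_k x_k; minus is XOR
    if r0 != 1:
        raise ValueError("gcd != 1, not invertible")
    return x0


def inverse_iterated(a, p=P_AES):
    """Formula (24): T_0 = 1, T_1 = q_1, T_i = q_i T_{i-1} + T_{i-2}."""
    if a == 0:
        raise ValueError("0 has no inverse")
    qs, rs = euclid_quotients(a, p)
    n = len(qs)                      # r_n == 0, so the gcd is r_{n-1}
    if (rs[-2] if n >= 2 else a) != 1:
        raise ValueError("gcd != 1, not invertible")
    if n == 1:                       # a divides p exactly, so a == 1: T = T_0
        return 1
    t_prev, t_cur = 1, qs[0]         # T_0, T_1
    for i in range(2, n):            # T_2 .. T_{n-1}, using q_2 .. q_{n-1}
        t_prev, t_cur = t_cur, pmul(qs[i - 1], t_cur) ^ t_prev
    return t_cur


def aes_inverse(a):
    """The S-Box convention: {00} is mapped to {00}."""
    return 0 if a == 0 else inverse_iterated(a)


def poly_str(f):
    """Readable form, e.g. poly_str(0xCA) == 'x^7 + x^6 + x^3 + x'."""
    if f == 0:
        return "0"
    terms = ["1" if k == 0 else "x" if k == 1 else f"x^{k}"
             for k in range(deg(f), -1, -1) if (f >> k) & 1]
    return " + ".join(terms)


if __name__ == "__main__":
    qs, rs = euclid_quotients(0x53)
    for i, (q, r) in enumerate(zip(qs, rs), start=1):
        print(f"q_{i} = {poly_str(q):>12}   r_{i} = {poly_str(r)}")
    print("traditional:", hex(inverse_traditional(0x53)))
    print("iterated:   ", hex(inverse_iterated(0x53)))
```

Run as a script, the block prints the quotients $x^2 + 1$, $x^4 + x^2$, $x + 1$ for {53} and `0xca` from both routes. The update `x0, x1 = x1, x0 ^ pmul(q, x1)` in `inverse_traditional` is the same recursion as $T_i = q_i T_{i-1} + T_{i-2}$: the iterated formula is the Bezout coefficient sequence of the extended Euclidean algorithm with the bookkeeping for $Y(x)$ dropped, which is why the two functions agree on every nonzero byte.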

Now we want to multiply $T(x)$ by the matrix $M$.

First, write $M$ as a $2 \times 2$ block matrix of $4 \times 4$ blocks:

$$
M = \begin{bmatrix}
\begin{bmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{bmatrix} &
\begin{bmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{bmatrix} \\[2ex]
\begin{bmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{bmatrix} &
\begin{bmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{bmatrix}
\end{bmatrix} \tag{34}
$$

Let

$$
M_1 = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{bmatrix}, \qquad
M_2 = \begin{bmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{bmatrix} \tag{35}
$$

so that $M = \begin{bmatrix} M_1 & M_2 \\ M_2 & M_1 \end{bmatrix}$. Write the bit vector of $T(x)$ as

$$
T = \begin{bmatrix} \begin{bmatrix} t_0 \\ t_1 \\ t_2 \\ t_3 \end{bmatrix} \\[1ex] \begin{bmatrix} t_4 \\ t_5 \\ t_6 \\ t_7 \end{bmatrix} \end{bmatrix} \tag{36}
$$

and let (these half-vectors $T_1$, $T_2$ are not to be confused with the polynomials $T_1(x)$, $T_2(x)$ of Equation (24))

$$
T_1 = \begin{bmatrix} t_0 \\ t_1 \\ t_2 \\ t_3 \end{bmatrix}, \qquad
T_2 = \begin{bmatrix} t_4 \\ t_5 \\ t_6 \\ t_7 \end{bmatrix} \tag{37}
$$

Then

$$M_1 T_1 = \begin{bmatrix} t_0 \\ t_0 + t_1 \\ t_0 + t_1 + t_2 \\ t_0 + t_1 + t_2 + t_3 \end{bmatrix} \tag{38}$$

$$M_1 T_2 = \begin{bmatrix} t_4 \\ t_4 + t_5 \\ t_4 + t_5 + t_6 \\ t_4 + t_5 + t_6 + t_7 \end{bmatrix} \tag{39}$$

$$M_2 T_1 = \begin{bmatrix} t_3 + t_2 + t_1 + t_0 \\ t_3 + t_2 + t_1 \\ t_3 + t_2 \\ t_3 \end{bmatrix} \tag{40}$$

$$M_2 T_2 = \begin{bmatrix} t_7 + t_6 + t_5 + t_4 \\ t_7 + t_6 + t_5 \\ t_7 + t_6 \\ t_7 \end{bmatrix} \tag{41}$$

So the product of $M$ and $T(x)$ is

$$
M\,T = \begin{bmatrix} M_1 T_1 + M_2 T_2 \\ M_2 T_1 + M_1 T_2 \end{bmatrix} .
$$

From Equations (38) and (39) we see that $M_1$ applied to a half-vector gives the running (prefix) sums of its elements,

$$
\begin{bmatrix} \text{first} \\ \text{first} + \text{second} \\ \text{first} + \text{second} + \text{third} \\ \text{first} + \text{second} + \text{third} + \text{fourth} \end{bmatrix}
$$

and similarly Equations (40) and (41) show that $M_2$ gives the running sums taken from the other end (suffix sums),

$$
\begin{bmatrix} \text{fourth} + \text{third} + \text{second} + \text{first} \\ \text{fourth} + \text{third} + \text{second} \\ \text{fourth} + \text{third} \\ \text{fourth} \end{bmatrix}
$$

Every entry of $M\,T$ is therefore an XOR of consecutive bits of $T$, so we do not need to use the matrix $M$ as in the traditional method.

In the last step we add $M\,T(x)$ to $\{63\} = 01100011$.
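As an added example that is not the paper's code, the following Python applies the affine step in three ways and checks that they agree on all 256 byte values: `affine_matrix` multiplies by the full matrix $M$ of Equation (1) as in Equation (21); `affine_blocks` uses the prefix and suffix XOR forms of Equations (38) to (41), so it never touches $M$; and `affine_rotate` is the byte-rotation form $t \oplus \mathrm{rotl}(t,1) \oplus \mathrm{rotl}(t,2) \oplus \mathrm{rotl}(t,3) \oplus \mathrm{rotl}(t,4) \oplus \{63\}$ that software AES implementations commonly use, which is the same map because row $i$ of $M$ selects $t_i$ together with the four bits that cyclically precede it. Names are mine; the matrix, the constant and the check value $T = \{CA\} \mapsto \{ED\}$ are the page's.

```python
"""Three equivalent ways to apply the AES affine step to an inverse byte t.

Added example, not code from the paper.  A byte t is read as the bit vector
(t_0, ..., t_7) with t_0 the least significant bit, exactly as in equation
(20).  Names are my own; the matrix M and the constant {63} are the page's.
"""

# Characteristic matrix M, equation (1): M_ROWS[i][j] multiplies t_j in
# output bit i.
M_ROWS = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]
C63 = 0x63  # the constant vector (1,1,0,0,0,1,1,0), i.e. 01100011


def bits(t):
    """Byte -> [t_0, ..., t_7]."""
    return [(t >> i) & 1 for i in range(8)]


def unbits(v):
    """[b_0, ..., b_7] -> byte."""
    return sum(b << i for i, b in enumerate(v))


def affine_matrix(t):
    """Traditional way, equation (21): M * (t_0..t_7)^T + (1,1,0,0,0,1,1,0)^T."""
    tv = bits(t)
    mt = [sum(m & x for m, x in zip(row, tv)) & 1 for row in M_ROWS]
    return unbits(mt) ^ C63


def prefix_xor(half):
    """M_1 applied to a 4-bit half: (v0, v0+v1, v0+v1+v2, v0+v1+v2+v3)."""
    acc, out = 0, []
    for b in half:
        acc ^= b
        out.append(acc)
    return out


def suffix_xor(half):
    """M_2 applied to a 4-bit half: (v3+v2+v1+v0, v3+v2+v1, v3+v2, v3)."""
    return prefix_xor(half[::-1])[::-1]


def affine_blocks(t):
    """Paper's way, equations (38)-(41): no matrix, only running XORs.

    top    = M_1 T_1 + M_2 T_2   (T_1 = t_0..t_3, T_2 = t_4..t_7)
    bottom = M_2 T_1 + M_1 T_2
    """
    tv = bits(t)
    t1, t2 = tv[:4], tv[4:]
    top = [a ^ b for a, b in zip(prefix_xor(t1), suffix_xor(t2))]
    bottom = [a ^ b for a, b in zip(suffix_xor(t1), prefix_xor(t2))]
    return unbits(top + bottom) ^ C63


def rotl8(t, k):
    """Rotate an 8-bit value left by k."""
    return ((t << k) | (t >> (8 - k))) & 0xFF


def affine_rotate(t):
    """Byte-oriented form of the same map, common in software AES:
    b = t ^ rotl(t,1) ^ rotl(t,2) ^ rotl(t,3) ^ rotl(t,4) ^ 0x63.
    Row i of M is exactly the bits t_i, t_{i+4}, t_{i+5}, t_{i+6}, t_{i+7}
    with indices taken mod 8, which is what the four rotations collect."""
    return t ^ rotl8(t, 1) ^ rotl8(t, 2) ^ rotl8(t, 3) ^ rotl8(t, 4) ^ C63


def all_forms_agree():
    """True if the three formulations coincide on every byte value."""
    return all(affine_matrix(t) == affine_blocks(t) == affine_rotate(t)
               for t in range(256))


if __name__ == "__main__":
    t = 0xCA                       # {53}^-1 from the page's worked example
    print(f"{t:08b} -> {affine_blocks(t):08b} = {affine_blocks(t):02X}")
    print("all 256 inputs agree:", all_forms_agree())
```

Beyond confirming the paper's decomposition, the rotation form is the one worth remembering in practice: it is branch-free and table-free, so combined with a constant-time inverse it gives a SubBytes that does not leak its input through cache timing the way a 256-byte lookup table does.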

Using the modern way, we want to find the output of {53}.

$\{53\} = 01010011$, $A(x) = x^6 + x^4 + x + 1$, $P(x) = x^8 + x^4 + x^3 + x + 1$.

First, find the multiplicative inverse. In each row the polynomial in the $P(x)$ column (dividend) is divided by the one in the $A(x)$ column (divisor), giving the quotient $q_i(x)$ and remainder $r_i(x)$ of system (7):

| i | A(x) (divisor) | q(x) | r(x) | P(x) (dividend) |
|---|---|---|---|---|
| 1 | $x^6 + x^4 + x + 1$ | $x^2 + 1$ | $x^2$ | $x^8 + x^4 + x^3 + x + 1$ |
| 2 | $x^2$ | $x^4 + x^2$ | $x + 1$ | $x^6 + x^4 + x + 1$ |
| 3 | $x + 1$ | $x + 1$ | $1$ | $x^2$ |

Since $r_3(x) = 1$,

$$
T(x) = T_3(x) = q_3(x) T_2(x) + T_1(x) = q_3(x)\big( q_2(x) q_1(x) + 1 \big) + q_1(x)
= (x + 1)\big[ (x^4 + x^2)(x^2 + 1) + 1 \big] + x^2 + 1 = x^7 + x^6 + x^3 + x = 11001010 .
$$

Then compute the matrix product without $M$. With $T_1 = (0,1,0,1)^{\mathsf T}$ and $T_2 = (0,0,1,1)^{\mathsf T}$, the prefix and suffix sums are:

$$
\begin{bmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix} \;\to\;
M_1 T_1 = \begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \end{bmatrix},\;
M_2 T_2 = \begin{bmatrix} 0 \\ 0 \\ 0 \\ 1 \end{bmatrix},\;
M_2 T_1 = \begin{bmatrix} 0 \\ 0 \\ 1 \\ 1 \end{bmatrix},\;
M_1 T_2 = \begin{bmatrix} 0 \\ 0 \\ 1 \\ 0 \end{bmatrix}
\;\Rightarrow\;
\begin{bmatrix} M_1 T_1 + M_2 T_2 \\ M_2 T_1 + M_1 T_2 \end{bmatrix}
= \begin{bmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \end{bmatrix} \tag{42}
$$

Last, add $(01100011)$:

$$
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \end{bmatrix}
+
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
=
\begin{bmatrix} 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \end{bmatrix} \tag{43}
$$

So the output is $11101101 = \mathrm{ED}$, which agrees with the traditional way and with the S-Box table.

In this paper, a straightforward method for obtaining the Advanced Encryption Standard S-Box lookup table without the traditional use of the characteristic matrix M has been proposed. We have shown that the two methods are equivalent. In addition, the multiplicative inverse of A(x) has been found more elegantly.

In future work, we will investigate the properties and the impact of this technique on cipher complexity analysis.

The author declares no conflicts of interest regarding the publication of this paper.

Ahmed, W.E. (2019) A Modern Method for Constructing the S-Box of Advanced Encryption Standard. Applied Mathematics, 10, 234-244. https://doi.org/10.4236/am.2019.104018