The substitution table (S-Box) of Advanced Encryption Standard (AES) and its properties are key elements in cryptanalysis ciphering. We aim here to propose a straightforward method for the non-linear transformation of AES S-Box construction. The method reduces the steps needed to compute the multiplicative inverse, and computes the matrices multiplication used in this transformation, without a need to use the characteristic matrix, and the result is a modern method constructing the S-Box.

Advanced Encryption Standard S-Box Extended Euclidean Algorithm Greatest Common Divisor XOR Operation
1. Introduction

The S-Box table of AES is taken as a lookup table to substitute an input byte by another, this table is constructed using a non-linear transformation depends on the usual method taking more calculation steps to give the corresponding byte.

The S-Box plays a fundamental role in encryption and decryption processes, as byte substitution appears in many steps. At the first round of the encryption process, we add the plaintext matrix to the key matrix, then we substitute each byte by another byte according to S-Box, for example, to substitute the byte xy(say), we take the byte in the cell that has x as the column index and y as the row index, we do this substitute byte step in all rounds of the encryption process, and in all round of the decryption process, we do the inverse substitute byte step, to substitute the byte xy(say), we take the index of the column, and the index of the row of the cell that contains xy, as the left and the right character of the result byte, respectively. The S-Box (Table 1), involves substitution bytes for all bytes from {00} to {FF} in hexdecimal presentation.

The S-Box is constructed using the following operations  :

1) Finding the multiplicative inverse of an input byte in the finite field G F ( 2 8 ) based on the irreducible polynomial P ( x ) = x 8 + x 4 + x 3 + x + 1 .

2) Multiplying this multiplicative inverse by a specific matrix (matrix M).

3) Adding the multiplication result to a specific vector ( { 63 } = 01100011 ) .

We convert the hexadecimal presentation of the input byte into binary presentation as ( a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 ) and write it as a polynomial A ( x ) = a 7 x 7 + a 6 x 6 + a 5 x 5 + a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0 , let its multiplicative inverse be T ( x ) = t 7 x 7 + t 6 x 6 + t 5 x 5 + t 4 x 4 + t 3 x 3 + t 2 x 2 + t 1 x + t 0 , we multiply T ( x ) by the following characteristic matrix:

M = [ 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 ] (1)

Then, we add the result to (01100011).

We note that, for the input {00} the output is {63}.

The AES S-Box
0123456789ABCDEF
0637C777BF26B6FC53001672BFED7AB76
2B7FD9326363FF7CC34A5E5F171D83115
304C723C31896059A071280E2EB27B275
409832C1A1B6E5AA0523BD6B329E32F84
553D100ED20FCB15b6ACBBE394A4C58CF
6D0EFAAFB434D338545F9027f503C9FA8
751A3408F929D38F5BCB6DA2110FFF3D2
8CD0C13EC5F974417C4A77E3D645D1973
960814FDC222A908846EEB814DE5E0BDB
AE0323A0A4906245CC2D3AC629195E479
BE7C8376D8DD54EA96C56F4EA657AAE08
CBA78252E1CA6B4C6E8DD741F4BBD8B8A
D703EB5664803F60E613557B986C11D9E
EE1F8981169D98E949B1E87E9CE5528DF
F8CA1890DBFE6426841992D0FB054BB16
1.1. Problem Statement

We search for an easier and straightforward method for constructing the AES S-Box.

1.2. Proposed Solution

The multiplicative inverse of an input byte can be computed in clear steps using an iterated formula.

Multiplying the multiplicative inverse matrix by the characteristic matrix can be determined directly from this multiplicative inverse using simple XOR operations, without a need to use the characteristic matrix.

In cryptography, the extended Euclidean algorithm has wide uses especially for finding a multiplicative inverse (modular inverse).

Euclidean algorithm is used to find the greatest common divisor of two integers a and b, (denoted by gcd ( a , b ) ).

When b > a , and

b − r = a q (2)

for some integers r and q, we say

r = b ( mod a ) (3)

and if b ( mod a ) = 0 then

gcd ( a , b ) = a (4)

With the polynomials A ( x ) and P ( x ) , we write gcd ( A ( x ) , P ( x ) )  .

The algorithm below gives gcd ( A ( x ) , P ( x ) ) , where A ( x ) < P (x)

The step (1.(a)) of the algorithm (1) involves the division algorithm:

P ( x ) = A ( x ) q ( x ) + r ( x ) (5)

where 0 ≤ r ( x ) = P ( x ) mod A ( x ) < A ( x ) .

It implies that 

gcd ( A ( x ) , P ( x ) ) = gcd ( A ( x ) , r ( x ) ) (6)

If r ( x ) ≠ 0 , the step will be repeated, let us write the repeated application of the division algorithm as:

P ( x ) = q 1 ( x ) A ( x ) + r 1 ( x ) , 0 ≤ r 1 ( x ) < A (x)

A ( x ) = q 2 ( x ) r 1 ( x ) + r 2 ( x ) , 0 ≤ r 2 ( x ) < r 1 (x)

r 1 ( x ) = q 3 ( x ) r 2 ( x ) + r 3 ( x ) , 0 ≤ r 3 ( x ) < r 2 (x)

r i − 3 ( x ) = q i − 1 ( x ) r i − 2 ( x ) + r i − 1 ( x ) , 0 ≤ r i − 1 ( x ) < r i − 2 (x)

r i − 2 ( x ) = q i ( x ) r i − 1 ( x ) + r i ( x ) , 0 ≤ r i ( x ) < r i − 1 ( x ) (7)

When r i ( x ) = 0 , and since

gcd ( A ( x ) , P ( x ) ) = gcd ( r i − 1 ( x ) , r i ( x ) ) (8)

we get

gcd ( A ( x ) , P ( x ) ) = r i − 1 ( x ) (9)

The extended form of the Euclidean algorithm is called Extended Euclidean algorithm, it gives (besides gcd ( A ( x ) , P ( x ) ) , X ( x ) and Y ( x ) such that

gcd ( A ( x ) , P ( x ) ) = A ( x ) X ( x ) + P ( x ) Y ( x ) (10)

Rewrite the equations of the system (7) as:

r 1 ( x ) = P ( x ) − q 1 ( x ) A (x)

r 2 ( x ) = A ( x ) − q 2 ( x ) r 1 (x)

r 3 ( x ) = r 1 ( x ) − q 3 ( x ) r 2 (x)

r i − 2 ( x ) = r i − 4 ( x ) − q i − 2 ( x ) r i − 3 (x)

r i − 1 ( x ) = r i − 3 ( x ) − q i − 1 ( x ) r i − 2 ( x ) (11)

Then, in the last equation of system (11), r i − 1 ( x ) = r i − 3 ( x ) − q i − 1 ( x ) r i − 2 ( x ) , replace r i − 2 ( x ) with its value from the above equation (it involves r i − 3 ( x ) ), then replace r i − 3 ( x ) with its value from the above equation, continue doing this replacement, we obtain

r i − 1 ( x ) = r i − 3 ( x ) − ( q i − 1 ( x ) ) ( r i − 4 ( x ) − ( q i − 2 ( x ) ) ( r i − 5 ( x ) − ( q i − 3 ( x ) )     × ( r i − 6 ( x ) − ( q i − 4 ( x ) ) ( ( ⋯ ) ( P ( x ) − q 1 ( x ) A ( x ) ) ) ) ) ) (12)

Equation (12) takes the form

r i − 1 ( x ) = A ( x ) X ( x ) + P ( x ) Y ( x ) (13)

In our problem 1 ≤ i < 8 , and since the multiplicative inverse only exists when the gcd is 1  .

r i − 1 ( x ) = 1 (14)

The multiplicative inverse  of A ( x ) modulo P ( x ) is A − 1 ( x ) such that

A ( x ) A − 1 ( x ) = 1 ( mod P ( x ) ) (15)

When gcd ( A ( x ) , P ( x ) ) = 1 ,

1 = A ( x ) X ( x ) + P ( x ) Y ( x ) (16)

1 ( mod P ( x ) ) = ( A ( x ) X ( x ) + P ( x ) Y ( x ) ) ( mod P ( x ) ) (17)

and since

P ( x ) Y ( x ) = 0 ( mod P ( x ) ) (18)

we get

X ( x ) = A − 1 ( x ) (19)

So, the procedure of the extended Euclidean algorithm finds the greatest common divisor, also it finds the multiplicative inverse.

Below an algorithm to find A − 1 ( x ) , we will denote A − 1 ( x ) by T ( x ) .

Now, we have T ( x ) = ( t 7 t 6 t 5 t 4 t 3 t 2 t 1 t 0 ) , we multiply it (from the left) by matrix M

M ( T ( x ) ) = [ 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 ] [ t 0 t 1 t 2 t 3 t 4 t 5 t 6 t 7 ] = [ t 0 + t 4 + t 5 + t 6 + t 7 t 0 + t 1 + t 5 + t 6 + t 7 t 0 + t 1 + t 2 + t 6 + t 7 t 0 + t 1 + t 2 + t 3 + t 7 t 0 + t 1 + t 2 + t 3 + t 4 t 1 + t 2 + t 3 + t 4 + t 5 t 2 + t 3 + t 4 + t 5 + t 6 t 3 + t 4 + t 5 + t 6 + t 7 ] (20)

Then, we add the result to ( { 63 } = 01100011 ) to obtain the output of the input A ( x ) = ( a 7 a 6 a 5 a 4 a 3 a 2 a 1 a 0 )

[ t 0 + t 4 + t 5 + t 6 + t 7 t 0 + t 1 + t 5 + t 6 + t 7 t 0 + t 1 + t 2 + t 6 + t 7 t 0 + t 1 + t 2 + t 3 + t 7 t 0 + t 1 + t 2 + t 3 + t 4 t 1 + t 2 + t 3 + t 4 + t 5 t 2 + t 3 + t 4 + t 5 + t 6 t 3 + t 4 + t 5 + t 6 + t 7 ] + [ 1 1 0 0 0 1 1 0 ] = [ t 0 + t 4 + t 5 + t 6 + t 7 + 1 t 0 + t 1 + t 5 + t 6 + t 7 + 1 t 0 + t 1 + t 2 + t 6 + t 7 t 0 + t 1 + t 2 + t 3 + t 7 t 0 + t 1 + t 2 + t 3 + t 4 t 1 + t 2 + t 3 + t 4 + t 5 + 1 t 2 + t 3 + t 4 + t 5 + t 6 + 1 t 3 + t 4 + t 5 + t 6 + t 7 ] (21)

Example

Using the traditional way, we want to find the output byte that corresponding to the input byte {53} (Table 2).

{ 53 } = 01010011 , A ( x ) = x 6 + x 4 + x + 1 , P ( x ) = x 8 + x 4 + x 3 + x + 1 .

Iteration 1

Iteration 2

Iteration 3

T ( x ) = y 1 ( x ) = x 7 + x 6 + x 3 + x = 11001010 .

[ 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 ] [ 0 1 0 1 0 0 1 1 ] = [ 0 1 1 1 0 0 0 1 ] (22)

[ 0 1 1 1 0 0 0 1 ] + [ 1 1 0 0 0 1 1 0 ] = [ 1 0 1 1 0 1 1 1 ] (23)

The output is 11101101 = E D .

To find the output of {53}
3
5??
3. Modern Way

We use the formula  below to find the multiplicative inverse.

3.1. The Iterated Formula

The iterated formula

T i ( x ) = ( q i ( x ) ) ( T i − 1 ( x ) ) + T i ( x ) , 2 ≤ i < 8 (24)

where T 0 ( x ) = 1 , T 1 ( x ) = q 1 ( x ) , gives the multiplicative inverse T = T i when r i = 1 .

To show that, we use the system (11).

When i = 1 , r 1 ( x ) = 1 ,

r 1 ( x ) = P ( x ) − ( q 1 ( x ) ) ( A ( x ) ) (25)

1 = P ( x ) − ( q 1 ( x ) ) ( A ( x ) ) (26)

We obtain T ( x ) = q 1 ( x ) = T 1 ( x ) . (Equation (24), takes this as given).

When i = 2 , r 2 ( x ) = 1 , r 1 ( x ) ≠ 0 ,

r 2 ( x ) = A ( x ) − ( q 2 ( x ) ) ( r 1 ( x ) ) (27)

1 = A ( x ) − ( q 2 ( x ) ) ( P ( x ) − ( q 1 ( x ) ) ( A ( x ) ) ) = ( 1 − ( q 2 ( x ) ) ( q 1 ( x ) ) ) ( A ( x ) ) − ( q 2 ( x ) ) ( P ( x ) ) = ( 1 − ( q 2 ( x ) ) ( q 1 ( x ) ) ) ( A ( x ) ) − ( q 2 ( x ) ) ( P ( x ) ) (28)

We obtain T ( x ) = ( q 2 ( x ) ) ( q 1 ( x ) ) + 1 . From Equation (24)

T ( x ) = T 2 ( x ) = q 2 ( x ) T 1 ( x ) + T 0 ( x ) = ( q 2 ( x ) ) ( q 1 ( x ) ) + 1 (29)

When i = 3 , r 3 ( x ) = 1 , r 1 ( x ) ≠ 0 , r 2 ( x ) ≠ 0 ,

r 3 ( x ) = r 1 ( x ) − q 3 ( x ) r 2 ( x ) (30)

1 = P ( x ) − q 1 ( x ) A ( x ) − q 3 ( x ) ( ( 1 − q 2 ( x ) q 1 ( x ) ) A ( x ) − q 2 ( x ) P ( x ) ) = ( ( q 3 ( x ) ) ( 1 − q 2 ( x ) q 1 ( x ) ) − q 1 ( x ) ) A ( x ) + K ( x ) P ( x ) (31)

We obtain

T ( x ) = ( q 3 ( x ) ) ( 1 − ( q 2 ( x ) ) ( q 1 ( x ) ) ) − q 1 ( x ) = q 3 ( x ) T 2 ( x ) + T 1 ( x ) (32)

and from Equation (24)

T ( x ) = T 3 ( x ) = q 3 ( x ) T 2 ( x ) + T 1 ( x ) (33)

By this way, we can show that Equation (24) gives T ( x ) for 2 ≤ i < 8 , when r i = 1 .

Below an algorithm to find T ( x ) using the modern way.

Now, we want to multiply T ( x ) by the matrix M.

First, write M as 

M = [ [ 1 0 1 1 0 0 0 0 1 1 1 1 1 0 1 1 ] [ 1 1 0 1 1 1 1 1 0 0 0 0 1 1 0 1 ] [ 1 1 0 1 1 1 1 1 0 0 0 0 1 1 0 1 ] [ 1 0 1 1 0 0 0 0 1 1 1 1 1 0 1 1 ] ] (34)

Let

M 1 = [ 1 0 1 1 0 0 0 0 1 1 1 1 1 0 1 1 ] , M 2 = [ 1 1 0 1 1 1 1 1 0 0 0 0 1 1 0 1 ] (35)

And write T ( x ) as

T = [ [ t 0 t 1 t 2 t 3 ] [ t 4 t 5 t 6 t 7 ] ] (36)

Let

T 1 = [ t 0 t 1 t 2 t 3 ] , T 2 = [ t 4 t 5 t 6 t 7 ] (37)

Then

M 1 T 1 = [ t 0 t 0 + t 1 t 0 + t 1 + t 2 t 0 + t 1 + t 2 + t 3 ] (38)

M 1 T 2 = [ t 4 t 4 + t 5 t 4 + t 5 + t 6 t 4 + t 5 + t 6 + t 7 ] (39)

M 2 T 1 = [ t 3 + t 2 + t 1 + t 0 t 3 + t 2 + t 1 t 3 + t 2 t 3 ] (40)

M 2 T 2 = [ t 7 + t 6 + t 5 + t 4 t 7 + t 6 + t 5 t 7 + t 6 t 7 ] (41)

So, the multiplication of M and T ( x ) gives

[ M 1 T 1 + M 2 T 2 M 2 T 1 + M 1 T 2 ]

From Equation (38) and Equation (39), we note that the results of these multiplications give the form

[ firstelement first + second first + second + third first + second + third + fourth ]

of the second matrix, and similarly, Equation (40) and Equation (41), show that the results give the form

[ fourth + third + second + first fourth + third + second fourth + third fourth ]

of the second matrix, so we don’t need to use matrix M, as the traditional method.

In the last step, we add M ( T ( x ) ) to ( { 63 } = 01100011 ) .

3.2. Example

Using the modern way, we want to find the output of {53}

{ 53 } = 01010011 , A ( x ) = x 6 + x 4 + x + 1 , P ( x ) = x 8 + x 4 + x 3 + x + 1 .

First, finding the multiplicative inverse (Table 3).

Finding multiplicative inverse of {53}
iA ( x )q ( x )r ( x )P ( x )
1x 6 + x 4 + x + 1x 2 + 1x 2 + 1x 8 + x 4 + x 3 + x + 1
2x 2 + 1x 4 + x 2x + 1x 6 + x 4 + x + 1
3x + 1x + 11x 2 + 1

Since r 3 ( x ) = 1 ,

T ( x ) = T 3 ( x ) = ( q 3 ( x ) ) T 2 ( x ) + T 1 ( x ) = ( q 3 ( x ) ) ( ( q 2 ( x ) ) ( q 1 ( x ) ) + 1 ) + q 1 ( x ) = ( x + 1 ) [ ( x 4 + x 2 ) ( x 2 + 1 ) + 1 ] + x 2 + 1 = x 7 + x 6 + x 3 + x = 11001010

Then, computing the matrices multiplication:

[ 0 1 0 1 0 0 1 1 ] → [ [ 0 1 1 0 ] [ 0 0 0 1 ] [ 0 0 1 1 ] [ 0 0 1 0 ] ] = [ 0 1 1 1 0 0 0 1 ] (42)

[ 0 1 1 1 0 0 0 1 ] + [ 1 1 0 0 0 1 1 0 ] = [ 1 0 1 1 0 1 1 1 ] (43)

So, the output is 11101101 = E D .

4. Conclusions

In this paper, a straightforward method for obtaining the Advanced Encryption Standard S-Box look-up table without the traditional use of the characteristic Matrix M is proposed. We have demonstrated that the two methods are equivalent. In addition, the multiplicative inverse of A ( x ) has been found more elegantly.

In future work, we will investigate the properties and the impact of this technique on cipher complexity analysis.

Conflicts of Interest

The author declares no conflicts of interest regarding the publication of this paper.

Cite this paper

Ahmed, W.E. (2019) A Modern Method for Constructing the S-Box of Advanced Encryption Standard. Applied Mathematics, 10, 234-244. https://doi.org/10.4236/am.2019.104018

ReferencesNational Institute of Standards and Technology (NIST) (2001) Advanced Encryption Standard (AES). FIPS Publication 197.Burton, D.M. (2007) Elementary Number Theory. 6th Edition, McGraw-Hill, New York.Menezes, A., van Oorschot, P. and Vanstone, S. (1997) Handbook of Applied Cryptography. CRC Press, New York. https://doi.org/10.1201/9781439821916Cormen, T.H., Leiserson, C.E., Rivest, R.L. and Stein, C. (2009) Introduction to Algorithms. 3rd Edition, The MIT Press, Cambridge, London.Ahmed, W.E. (2019) A Way to Compute a Greatest Common Divisor in the Galois Field (GF (2^n)). Journal of Advances in Mathematics, 16, 8317-8321. https://doi.org/10.24297/jam.v16i0.8167Ahmed, W.E. (2019) Some Techniques to Compute Multiplicative Inverses for Advanced Encryption Standard. Journal of Advances in Mathematics, 16, 8208-8212. https://doi.org/10.24297/jam.v16i0.8016Ahmed, W.E. (2019) On Rijndael ByteSub Transformation. Applied Mathematics, 10, 113-118. https://doi.org/10.4236/am.2019.103010