Analysis of Development of Dynamic S-Box Generation

Advanced Encryption Standard is a symmetric block cipher that is widely used by different organizations to encrypt data and keep it secure from being hacked. The only nonlinear part of the Advanced Encryption Standard (AES) is the S-Box (Substitution Box), which provides confusion in the algorithm. The main limitation of the S-Box in AES is that it is static throughout the algorithm, which makes it the main focus of cryptanalysts looking for weaknesses to use in certain attacks. Since 2000 a number of algebraic attacks on AES have been carried out, which challenged the security of AES. At the same time, a number of studies to date have tried to make AES more secure by using dynamic S-Boxes to create more confusion for the cryptanalyst. In the present paper we address dynamic S-Box techniques and analyze them on the basis of the S-Box properties that are essential for secure S-Box construction, namely Non-linearity, XOR profile, Strict Avalanche Criterion (SAC) and Bit Independence Criteria (BIC). These techniques are also compared with the original AES results.


Introduction
Cryptography is a method or technique of secure communication in the presence of an adversary. In the modern age of computers, cryptography is a technique to scramble plain text into ciphertext (using cryptographic algorithms, a process called encryption) and to convert it back into plain text on the receiver side (called decryption). The central objective of modern cryptography is to attain data confidentiality, data integrity, authentication and non-repudiation.
Cryptography is broadly divided into two major categories. One is symmetric key cryptography and another is asymmetric key cryptography.
Symmetric key encryption is a form of cryptosystem in which encryption and decryption are performed using the same key [1]. It is also known as conventional encryption. Symmetric encryption transforms plaintext into ciphertext using a secret key and an encryption algorithm. Using the same key and a decryption algorithm, the plaintext is recovered from the ciphertext. The most widely used symmetric ciphers are DES (Data Encryption Standard) and AES (Advanced Encryption Standard).
Asymmetric key encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one is the public key and the other is the private key [2]. It is also known as public-key encryption. Asymmetric key encryption transforms plaintext into ciphertext using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the ciphertext. Asymmetric encryption can be used for confidentiality, authentication or both. The most widely used public-key cryptosystems are RSA, Diffie-Hellman key exchange, the ElGamal cryptosystem and Elliptic Curve cryptography.

Advanced Encryption Standard
AES is designed on the principle of combining substitution and permutation. AES is a variant of Rijndael which uses a fixed input block size of 128 bits, which means data is divided into fixed 128-bit blocks and represented in matrix form, called the state matrix, and a key size of 128, 192, or 256 bits is used depending upon the variant of AES used. AES operates on a 4 × 4 column-major order matrix of bytes. Most AES calculations are done in a special finite field GF(2^8). The key size used for an AES cipher specifies the number of repetitions of transformation rounds (Nr = 10, 12, 14) that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition is as follows:
• 10 cycles of repetition for 128-bit keys. [3]
• 12 cycles of repetition for 192-bit keys. [4]
• 14 cycles of repetition for 256-bit keys. [5]
For example, consider the following input and key:
Input: 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
Key: 00 e9 c9 f2 a5 09 d4 e8 a8 bb b7 60 a0 2a ab 08
The number of columns in the input is denoted by Nb and the number of columns in the key is denoted by Nk. Each round consists of four different stages, including one that depends on the encryption key itself. A set of reverse rounds is applied to transform the ciphertext back into the original plaintext using the same encryption key.
Computer Science and Information Technology 5(5): 154-163, 2017

Encryption Process
The encryption process follows the steps below, as shown in fig. no. (2).
• Add Round Key: The Add Round Key operation is an XOR operation between the State and the Round Key. The State 's' and the round key 'w' are of the same size. XORing the two matrices ('s' and 'w') element by element gives the next state matrix.
• The Byte Substitution Transformation: In AES, the S-Box is generated by using GF(2^8) (Galois Field) and the irreducible polynomial x^8 + x^4 + x^3 + x + 1. The AES S-Box is a matrix of (16 × 16 = 256) elements in which rows and columns have values ranging from 0 to 15 (0 to f in hexadecimal). Each byte of the S-Box is mapped to its multiplicative inverse in GF(2^8), where 00 is mapped into itself. Then, an affine transformation (over GF(2)) is computed. An affine cipher is a cipher of the following form: [6]. S-Box of AES is generated by equation (2).
where 'A' is the affine matrix, 'x' is a vector that is the multiplicative inverse of an element of the state matrix 's', 'c' is the affine constant, i.e. 63 (01100011), and 'M' is the irreducible polynomial. The S-Box generated by equation (2) is represented in Table (1).
The multiplicative inverse of 'a' is 'BBh' in hexadecimal and its binary representation is 10111011. The second step is to calculate the affine transformation in GF(2) as follows.
• Key Expansion: In AES, round keys are generated from the cipher key as shown in fig. no. (1). The number of round keys needed to encrypt a 128-bit block of data depends on the key length being used. 10 rounds are needed to encrypt a 128-bit block of data with a 128-bit key. So there is a need to generate 11 round keys for the same. In the key matrix 'K' the i-th column is denoted by Wi. The main idea in key expansion is to expand the 'K' matrix; the expanded form of 'K' is called 'W'. The key expansion distinguishes two cases, Nk ≤ 6 and Nk > 6. When Nk ≤ 6 the key expansion is as under:
where 'S' is a function that cyclically shifts the elements of W(i−1). The S-Box function performs the byte substitution operation on each element of the vector. rcon(i/Nk) is defined as a vector rcon(i) = [x^(i−1), '00', '00', '00'], with x^(i−1) being powers of 'x' in the finite field GF(2^8). When Nk > 6 the key expansion equation changes slightly, as under:
For example, in order to obtain round keys from the key matrix, it must be expanded up to 40 columns to obtain round keys for 10 rounds of AES. Each round has a round key matrix of 4 columns. In key expansion the elements Wi for 0 ≤ i

Decryption Process
The decryption process follows the same steps as the encryption process but in reverse order, as shown in fig. no. (2).
• Inverse Byte Substitution: Inverse byte substitution is similar to byte substitution. In the decryption process the inverse S-Box is used. The inverse S-Box is shown in table (2).
• Inverse Shift Row: The inverse shift row operation is the same as the shift row operation in encryption, but the elements are shifted to the right instead of the left.
• Inverse Mix Columns: In decryption the inverse mix column matrix is used. The matrix is shown as under:
0e 0b 0d 09
09 0e 0b 0d
0d 09 0e 0b
0b 0d 09 0e
• Decryption Key Schedule: The key schedule for decryption is the same as for encryption.
AES algorithm is shown in Figure No

Essential Properties of S-Box
The strength of block ciphers that work on substitution and permutation, like AES, depends heavily on the construction of the S-Box (the first layer of the AES system), which must satisfy some essential properties to develop a secure cryptosystem, one that can resist algebraic attacks.
of ones contained by a vector [10].
• Hamming Distance: The Hamming distance is calculated on two vectors and gives the number of bit positions in which the two vectors differ [10].
• Nonlinearity: The nonlinearity is defined as the minimum Hamming distance between the function f : {0, 1}^n → {0, 1} and the set of all its affine functions [9] [10]. Nonlinearity specifies the distance to cryptographically weak affine functions. where
where # denotes the cardinality of the set, α ∈ {0, 1}^n 0, β ∈ {0, 1}^m. Some of the properties of the XOR distribution table are: all the entries of the XOR table are zero or positive even integers; the sum of all the entries in a row is equal to 2^n; an input difference α may cause an output difference β with probability p = δ/2^n, where δ is the entry of (α, β) in the XOR table; and if an entry (α, β) in the XOR table is zero, then input difference α cannot cause output difference β.
• Strict Avalanche Criterion: The SAC is the concept given by Webster and Tavares in 1985 [7]. A function satisfies SAC if, when one bit of the plaintext or key is complemented, the output bits change with probability 1/2. SAC is calculated by equation 11, where x and e are two n-bit vectors which differ only in one bit i. The Boolean function f(x) satisfies the SAC criterion if and only if α = 2^(n−1) for all i, 0 ≤ i ≤ n − 1.
• Bit Independence Criteria: The concept of BIC was introduced by Webster and Tavares [7]. According to BIC, when a single bit of the plaintext or key is changed, for a given set of avalanche vectors all avalanche variables of the respective vectors should be pairwise independent. The correlation coefficient of the j-th and k-th components of the avalanche vector D^(ei) is calculated to measure the bit independence property over all input pairs P and Pi, which differ only in bit i (Pi = P ⊕ ei).
Then the overall BIC is defined as:
BIC(f) lies in the range between 0 and 1. It is ideally equal to zero, and in the worst case it is equal to one.

AES Security
A number of attacks have been designed to break block ciphers like AES. These are algebraic attacks and side channel attacks. Algebraic attacks analyze the algebraic structure of the block cipher, while side channel attacks target the physical implementation of block ciphers at the hardware level. In this paper algebraic attacks are taken into consideration. Algebraic attacks are linear cryptanalysis, differential cryptanalysis, Boomerang attacks, Interpolation attacks, Slide attack, Multiset attacks (including attacks on 4, 6, 7, 8 and 9 rounds), XL and XSL attacks.
The linear cryptanalysis attack was invented by Matsui in 1993 [13]. This is a known-plaintext attack. It exploits the linear relationship between the input and output of a cipher to discover cipher key bits. This is done by approximating the S-Boxes by linear expressions that have a high probability bias, larger than 1/2; it then finds an approximation of the entire cipher with combinations of plaintext, ciphertext and key bits. It is found that there are no 4-round linear trails with bias above 2^−75 and no 8-round linear trails with bias above 2^−150 [12]. This is sufficient to resist this attack.
Differential cryptanalysis was invented by Biham and Shamir in 1990 [11]. This is a chosen-plaintext attack. In this attack the attacker analyzes the effect of the difference of an input pair of plaintexts on the difference of the output pair to discover the key bits. The idea is to find the high-probability difference pairs for an S-Box under attack. These input-output differences are used to form a differential trail for the entire cipher. It is found that there are no 4-round differential trails with bias above 2^−150 and no 8-round differential trails with bias above 2^−300 [12]. This is sufficient to resist this attack.
In the Boomerang attack the attacker propagates highly probable differential patterns from both ends of the cipher to find which differences agree in the middle [14]. This is also called a meet-in-the-middle attack. But due to the low differential probabilities (i.e. 2^−150 for 4 rounds) and the good diffusion properties of the mix column and shift row layers of AES, this attack is not successful.
In the Interpolation attack the plaintext and ciphertext pairs are converted into polynomials [15]. But this attack works [21] invented a method to solve the MQ problem (also called NP-hard), in which they represented 128-bit AES with 1600 variables and 8000 quadratic equations and showed that by using eXtended Linearization the complexity of solving these equations is 2^330. As an improvement on the XL attack, if the MQ system is sparse then it can be solved by a new method called XSL (eXtended Sparse Linearization). This improvement reduced the complexity for AES to just 2^256, which is not sufficient to break AES.

Existing Work
The only nonlinear part of the AES algorithm is the S-Box, which is fixed throughout the algorithm, and in the previous section we saw that cryptanalysts have tried to exploit this weakness. To improve the immunity of the AES S-Box against algebraic attacks, much research has been carried out by different people to make the S-Box dynamic. This section gives an overview of that work.
Krishnamurthy et al. [22] used the AES-KDS block cipher, which works on a 128-bit key length as well as data length and uses 5 stages instead of the 4 stages used in AES. On the encryption side the extra stage, rotate S-Box, is added on top of the existing stages; it rotates the elements of the S-Box on the basis of the round key. On the decryption side an inverse S-Box is used, which nullifies the effect of the rotate S-Box stage. This extra stage added on the encryption side makes the S-Box dynamic. The algorithm uses four cases to provide different levels of security. The first case provides a moderate level of security, in which S-Box rotation is based on only one byte of the round key. The second case provides a high level of security, in which S-Box values are rotated on the basis of the whole round key. The third case provides a very high level of security by creating two subsets of round keys from the key expansion algorithm: one set of keys is used to find the value by which the values of the S-Box are rotated, and the other set of keys is used to find the key for the add round key operation. The fourth case provides a very high level of security, in which the S-Box values depend on the whole of the key generated from the keys of set one.
Piotr Mroczkowski [23] presents a general framework for improving the security of a cryptosystem based on a symmetric block cipher. The main idea is based on the possibility of changing the substitution boxes (called S-boxes) in the encryption/decryption algorithm. To make this possible he used pseudorandom sequences to generate identical boxes for encryption and decryption.
Abd-ElGhafar et al. [24] presented another technique in which the RC4 algorithm was used to generate key-dependent dynamic S-Boxes. In this algorithm all the values of the S-Box depend on the input key: if any byte of the input key is changed, 256 different values are generated, so that 256! S-Boxes could be generated.
Kazlauskas et al. [25] proposed an approach to generate random S-boxes that change with every change of the secret key. The fact that the S-boxes are randomly key-dependent and unknown is the main strength of the new approach, since both linear and differential cryptanalysis require known S-boxes. They analyzed the AES algorithm, substitution S-boxes, linear and differential cryptanalysis, and described a randomly key-dependent S-box and inverse S-box generation algorithm.
Ghada Zaibi et al. [26] presented dynamic S-Boxes based on one-dimensional chaotic maps, compared them to the classic S-Box and evaluated which one-dimensional map is more suitable for constructing a dynamic S-Box used in the AES algorithm.
Jie Cui et al. [27] proposed an algorithm to increase the complexity and security of the AES S-box by modifying the affine transformation and adding an affine transformation. Performance analysis demonstrates that the improved AES S-box showed improvement in affine transformation period, iterative period and distance to SAC.
Anna Grocholewska-Czurylo [28] presented an algorithm to construct 8 × 8 S-Boxes on the basis of a randomly chosen irreducible polynomial.
Julia Juremi et al. [29] presented an algorithm that involves the key expansion algorithm together with S-box rotation; that property is used to make the S-box key-dependent and provide better security to the block cipher.
Razi Hosseinkhani et al. [30] presented dynamic S-Boxes on the basis of the cipher key. They used the cipher key to dynamically generate S-Boxes.
Oleksandr Kazymyrov et al. [31] proposed an improved gradient descent method for increasing the performance of generating nonlinear vectorial Boolean functions with optimal cryptographic properties. Substitutions generated by the proposed method for the most common 8-bit input and output messages have nonlinearity 104, 8-uniformity and algebraic immunity 3.
Mona Dara et al. [32] used a Chaotic Logistic Map to generate the S-box for AES using its cipher key. The proposed S-boxes were analyzed and tested for avalanche effect, strict avalanche effect, bit independence criterion, nonlinearity, input/output XOR distribution and key sensitivity.
Eman Mohammed Mahmoud et al. [33] used another technique in which a PN sequence generator was used to generate a perfectly random sequence of bits. This approach used an LFSR (Linear Feedback Shift Register) to generate key-dependent dynamic S-Boxes.
Sliman Arrag et al. [34] proposed a nonlinear transformation algorithm for the AES S-Box to enhance the complexity of the S-Box structure. They made AES stronger by using a dynamic S-box based on a look-up table S-box, and the key expansion schedule was also modified.
Fatma Ahmed et al. [35] modified AES with an S-boxes bank that acts like a rotor mechanism and a dynamic key MDS matrix (SDK-AES). They tried to make AES key-dependent and resistant to the frequency attack.
Adi Narayana Reddy K et al. [36] presented a dynamic S-Box that adds a secret value to the static index to shift the substitution to a secret location. For added security they also generated variable sub keys by using a sequence of pseudo random numbers. They tested this algorithm on the basis of correlation coefficient (BIC) and strict avalanche criteria (SAC).
Kazlauskas et al. [37] modified their key-dependent S-Box generation algorithm and presented a fast algorithm to generate key-dependent S-Boxes. The author checked the randomness of the generated S-Boxes by applying NIST tests. The author claims that the new S-Boxes give the algorithm resistance to algebraic attacks and that the algebraic properties of the new S-Boxes are as good as those of the AES S-Boxes.
Balajee Maram et al. [38] proposed a new algorithm to generate S-Boxes based on a pseudo-random generator. The author claims that this algorithm generates S-Boxes in less time than other existing algorithms and that the generated S-Boxes have good linear and differential properties.
Shishir Katiyar et al. [39] proposed a new algorithm which generates S-Boxes based on one-dimensional chaotic maps (logistic and PWLCM). The new S-Boxes are checked against the AES S-Boxes, and the authors claim that they are as good as the AES S-Boxes.
Tianyong Ao et al. [40] proposed an algorithm in which they generated S-Boxes based on a key-dependent affine transformation. The newly generated S-Boxes were tested on the basis of nonlinearity, XOR profile etc. and found to be as good as the AES S-Box.

Security Analysis of Different Algorithms
To make a cryptographic algorithm secure against various algebraic attacks it should comply with some standard tests like Non-linearity, Bit independence criteria, XOR profile and strict avalanche criteria. For AES the nonlinearity value is nl = 112, which is close to half, as mentioned in equation (9). For AES, in the XOR distribution table the maximum probability of output differences caused by input differences is 4/256, which is very low. The strict avalanche criterion for AES, as mentioned in equation (11), must be around 50%, which means that output bits in the ciphertext should change with probability 1/2 when a single bit of the plaintext or key is complemented. Another important test is BIC (bit independence criteria), which shows the correlation between the pair of ciphertexts produced by changing one bit of the plaintext or key. It should range between −1 and 1 and in the worst case it is equal to 0.
Not all the authors analyzed all parameters. They focused on different parameters.
Strict Avalanche Criteria: As shown in table no. (3), algorithms [22], [23], [24], [26], [27], [29], [32], [33], [35], [36], [37] and [38] worked on SAC. The average SAC values of all algorithms range from 46% to 57%, which is around the standard value of 50%. This means that if a single bit of the plaintext or key has been changed, then the output bits in a vector should change with a probability of one half. So the result is close to the AES standard result and sufficient to resist algebraic attacks.
Non-Linearity: As shown in table no. (3), algorithms [23], [27], [28], [31] and [40] worked on the non-linearity parameter. The non-linearity values for these algorithms are 98, 112, 112, 104 and 112 respectively, which are around the standard non-linearity of AES, which ranges between 112 and 144. This means that in the linear approximation table (256 × 256 matrix) the non-linearity value is different for different numbers of vectors, but the minimum value is 112. So the results are close to AES and all the algorithms are resistant to linear cryptanalysis.
Bit Independence Criteria: As shown in table no. (3), algorithms [24], [25], [32], [36] and [37] worked on the BIC parameter. The BIC values for these algorithms are 0.4688, 0.4439, 0.4993, −0.0545 and 0.443 respectively, which are between −1 and +1 and show that with a one-bit change in the key or plaintext the output avalanche vectors are less correlated. This is an essential criterion, which requires that with a small change in the key or plaintext the elements of the output vectors should be pairwise independent. So these algorithms meet that criterion.
XOR Profile: As shown in table no. (3), algorithms [26], [27], [28] and [40] worked on the XOR profile parameter. The XOR values of these algorithms are 10/256 for [26] and 4/256 for [27], [28] and [40]. The XOR profile is calculated by constructing the difference distribution table (DDT, a 256 × 256 matrix) in which the effect of the input difference on the output difference is observed. The maximum probability of such values in the DDT is 4/256, which makes it resistant to differential cryptanalysis. To cryptanalyze the algorithm, the attacker is interested in the higher values in the DDT. The results of algorithms [26] and [27] are the same as AES, so they are resistant to this attack. All in all, we came to the conclusion that the proposed algorithms have good linear and differential properties to resist various algebraic attacks. The results are summarized in table no. (3).
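The following added example (not code from the paper or from any of the cited schemes) builds the AES S-Box from the GF(2^8) inverse and affine step described under Byte Substitution, then measures the nonlinearity, the XOR profile maximum and the SAC matrix defined under Essential Properties of S-Box, reproducing the AES figures quoted in this section. It goes beyond the text by also evaluating two assumed variants: a toy box whose affine constant is replaced by a constructed key byte, and an affine-only box with the inversion step skipped. All function names and key_byte are assumptions.

```python
# Added example, not the paper's code; names and key_byte are assumptions.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse computed as a^254; yields 0 for a = 0 (00 maps to itself)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(x, c=0x63):
    """AES affine transformation over GF(2) with affine constant c."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ c

def make_sbox(c=0x63, invert=True):
    """invert=False skips the inversion step and leaves a purely affine box."""
    return [affine(gf_inv(x) if invert else x, c) for x in range(256)]

def nonlinearity(sbox):
    """Minimum distance of any nonzero output-bit combination to the affine functions."""
    worst = 0
    for b in range(1, 256):
        # +1/-1 truth table of the component function selected by mask b
        w = [1 - 2 * (bin(sbox[x] & b).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:  # in-place fast Walsh-Hadamard transform
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        worst = max(worst, max(abs(v) for v in w))
    return 128 - worst // 2

def xor_profile_max(sbox):
    """Largest XOR-table (DDT) entry over all nonzero input differences."""
    best = 0
    for a in range(1, 256):
        row = [0] * 256
        for x in range(256):
            row[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(row))
    return best

def sac_matrix(sbox):
    """m[i][j]: fraction of inputs where flipping input bit i flips output bit j."""
    return [[sum((sbox[x] ^ sbox[x ^ (1 << i)]) >> j & 1 for x in range(256)) / 256
             for j in range(8)] for i in range(8)]

def evaluate(sbox):
    sac = [v for row in sac_matrix(sbox) for v in row]
    return {"nl": nonlinearity(sbox), "xor_max": xor_profile_max(sbox),
            "sac_min": min(sac), "sac_avg": sum(sac) / 64, "sac_max": max(sac)}

if __name__ == "__main__":
    key_byte = 0xA7  # constructed value standing in for key-derived material
    for name, box in (("AES", make_sbox()), ("keyed constant", make_sbox(c=key_byte)),
                      ("affine only", make_sbox(invert=False))):
        print(name, evaluate(box))
```

The first two boxes report identical figures because XORing a constant into every output leaves all output differences and Walsh magnitudes unchanged, so a scheme that varies only such a constant inherits the AES values. The affine-only box has nonlinearity 0 and an XOR-table entry of 256, which shows that the inversion step is what supplies the resistance measured by these tests.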

Conclusion
In this paper we give an introduction to the AES algorithm. An overview of algebraic attacks on AES and of different dynamic S-Box algorithms is given. All the techniques discussed in this paper enhance the security of the existing AES algorithm by introducing a dynamic S-Box instead of the static one used in the AES algorithm. The results of all algorithms are comparable and very close to those of the AES algorithm. These algorithms try to provide security against the different algebraic attacks by making the cryptanalyst's task more difficult through increased confusion in the first stage of the AES algorithm.