Journal of Systems Engineering and Electronics

Vol. 18, No. 2, 2007, pp.427-433

One AES S-box to increase complexity and its cryptanalysis∗

Liu Jingmei1 , Wei Baodian2 & Wang Xinmei1

1. National Key Lab. of Integrated Service Networks, Xidian Univ., Xi’an 710071, P.R. China;
2. Information Science and Technology School of Sun Yat-sen Univ., Guangzhou 510275, P.R. China
(Received November 26, 2005)
Abstract: It is well known that the algebraic expression of AES S-box is very simple and only 9 terms are
involved. Hence, AES security is suspected although there is no vulnerability on it so far. To eliminate the
weakness of extremely small terms in the algebraic expression of AES S-box, one improved AES S-box is proposed,
which preserves the algebraic degree invariable but significantly increases the number of its algebraic expression
terms from 9 to 255. At the same time, Boolean function has good characters in balance and strict avalanche
criterion (SAC), etc. Finally, it is proved that the improved AES S-box scheme is secure against the powerful known
differential and linear cryptanalysis.

Keywords: AES, Sbox, Strict avalanche criterion.

announcement and official publication of the AES.

1. Introduction Between August 1998 and May 2004, NIST has orga-
In January 1997, the National Institute of Standards nized 4 conferences to demonstrate the security and
and Technology (NIST) initiated the search for a re- performance of AES. On the contrary, the increased
placement for the Data Encryption Standard (DES)[1] . visibility of the algorithm selected has spurred various
The requirements for the new standard, to be called interesting new approaches to cryptanalyze (reduced
the Advanced Encryption Standard (AES), were that versions of) Rijndael. Over the last few decades,
it should be: the most notable, and successful attacks against the
– a 128-bit block cipher with the choice of three key best block ciphers were linear[4] and differential[5]
sizes of 128, 192, 256 bits, respectively. cryptanalysis. In addition to many others, Rijndael
– a public and flexible design. is designed from the ground to resist these attacks,
– at least as secure as two-key triple-DES, and by employing special algebraic properties of its
– available royalty-free worldwide. primitive operations. The significant square[6] attack
At the conclusion of this standardization effort, is only capable of resisting against the 6-round 128
with several man-years of cryptanalytic and imple- bit attack. Nowdays, people have almost shifted
mentation expertise provided from around the world, their attention to Rijndael algebraic cryptanalysis,
Rijndael, developed by Joan Daemen and Vincent which is one of the most powerful cryptanalysis
Rijmen[2] , was a popular choice to become the AES. tools and is the focus of cryptanalysis. S-box is the
In November 2001, the AES effort reached its conclu- only nonlinear part of Rijndael and it completes
sion with the publication of FIPS 197[3] , and today, shannon’s[7] confusion function; hence, to a large
the AES is rapidly becoming a vital component of the extent, it determines the performance of the whole
digital infrastructure, and is proposed for the protec- block cipher. So far, considerable work has been
tion of computerized and sensitive information in the concentrated on Rijndael structural properties, such
next few decades. The cryptanalysis of the crypto- as the latest two significant progresses[8−9], which are
graphic strength of Rijndael has not stopped after the based on the cryptanalysis of its S-box.
* This project was supported by the National Natural Science Foundation of China (90604009).
428 Liu Jingmei1 , Wei Baodian2 & Wang Xinmei1

It is found that the algebraic expression of AES (b) The intermediate value x is regarded as a
S-box is very simple and only 9 terms are involved. GF (2)-vector of dimension 8 and is transformed using
Therefore, its security to resist against interpolation an 8 × 8GF (2)-matrix LA . The transfor-med vector
attack is suspected although there is no breakthrough LA · x is then regarded as an element of finite field in
on it so far. Since no one has illustrated and proposed the natural way.
improvements on the simple algebraic expression, this ⎡ ⎤
1 1 1 1 1 0 0 0
article will challenge these problems. The reason for ⎢ ⎥
⎢ 0 1 1 1 1 1 0 0 ⎥
the algebraic expression of AES S-box being very sim- ⎢ ⎥
⎢ ⎥
⎢ 0 0 1 1 1 1 1 0 ⎥
ple is illustrated, and we also introduce an improve- ⎢ ⎥
⎢ ⎥
ment to increase the complexity of the algebraic ex- ⎢ 0 0 0 1 1 1 1 1 ⎥
LA = ⎢⎢ ⎥ (1)
⎥
pression of AES S-box with an algebraic expression ⎢ 1 0 0 0 1 1 1 1 ⎥
⎢ ⎥
involving 255 terms, and show great advantage over ⎢ ⎥
⎢ 1 1 0 0 0 1 1 1 ⎥
the former algorithm. To describe the improved AES ⎢ ⎥
⎢ 1 1 1 0 0 0 1 1 ⎥
⎣ ⎦
S-box more clearly, we also research some performance
of the Boolean function and the algebraic expression of 1 1 1 1 0 0 0 1
the improved AES S-box. A cryptanalysis of security Here, the transformed vector LA can be deduced from
is also done, which shows that the proposed scheme is the polynomial module multiplication:
capable of resisting against the powerful known differ-
ential cryptanalysis. a(x)(x7 + x6 + x5 + x4 + 1) mod x8 + 1

2. Simple algebraic nature of AES S-box where, a(x) denotes the polynomial expression of the
value x, which is regarded as a GF (2)-vector of di-
Here, we will illustrate the nature of the AES S-box,
mension 8.
which can show the reason for such small terms to
(c) Finally, the output of the AES S-box is LA ·
be included in the algebraic expression of AES S-box.
x + 0x63, where addition is with respect to GF (2).
We refer to the AES proposal for a full description of
The constant 0x63 is used to eliminate the fixed point
the AES cipher, but we only list the significant step,
x → x and the contrary fixed point x → x.
which is named S-box here. This S-box is the only
To describe the structure in a simpler manner, we
nonlinear part of AES, but it completes the most im-
define the following functions:
portant function: confusion, which is the significant
component in the Shannon information theory. Thus, Definition 1 ∀x ∈ GF (q n ), ByteInverse(x) =
n
we can consider that it determines the security of the x−1 = xp −2 is defined as the inverse of element x
whole block cipher to a large degree. The structure of over GF (q n ).
the AES S-box is arranged as follows. Definition 2 ∀x ∈ GF (q n ) = (xn−1 , xn−2 , · · · ,
2.1 Basic structure of the AES S-Box x0 ), An×n is matrix over GF (q) with size n ×
n, and bit-linear transformation is defined by
The AES encrypts a 16-byte block using a 16-byte BitLinear(x) = An×n (xn−1 , xn−2 , · · · , x0 )T .
key with 10 encryption rounds. The value of each byte
Definition 3 ∀x, c ∈ GF (q n ), XORConst(x) =
in the array is substituted according to a table look-
x ⊕ c is defined as the XOR transformation of element
up. This table look-up S-box is a combination of three
x.
transformations:
Based on all the above definitions, the entire pro-
(a) The input x is mapped to x = x−1 , where x−1 cedure of the AES S-box can also be seen as:
is defined by x = x254 (x = 0).
y = XORConst(BitLinear(ByteInverse(x)))
Here, we must notice that the “AES inversion” is
identical to the standard field inversion in finite field The byte inversion operation over GF (28 ) was chosen
for nonzero field elements but with 0−1 = 0. by its designers to resist all possible linear and differ-
One AES S-box to increase complexity and its cryptanalysis∗ 429
⎧ n−1
ence invariance, which are the basic ingredients of lin- ⎪
⎪ 
⎪
⎪ x = xi αi
ear and differential cryptanalysis. However, using sim- ⎪
⎪
⎪
⎪ i=0
⎪
⎪ n−1
ple algebraic operations with known properties, their ⎪
⎪ 
⎨ xq = xi αqi mod (qn −1)
combinations may possess various interesting and un- (2)
⎪ i=0
expected algebraic properties that were not known at ⎪
⎪
⎪
⎪ ···
⎪
⎪
the initial design time. The simple algebraic expres- ⎪
⎪ n−1

⎪
⎪ qn−1 n−1
mod (qn −1)
sion is one of the most interesting and disadvantageous ⎪
⎩ x = xi αiq
properties, although no vulnerability has been found i=0

about it until now. From the above description, we If xi (i = 0, 1, 2, · · · , n − 1) is variable, then equation
can derive the AES S-box algebraic expression: (2) can be represented as follows:
⎡ ⎤
y = 05 x254 + 09 x253 + f 9 x251 + 25 x247 + 1 α α2 ··· αn−1
⎢ ⎥
⎢ ⎥
⎢ 1 αq α2q ··· α(n−1)q ⎥

f 4 x239 + 01 x223 + b5 x191 + 8f  x127 + 0x63 ⎢ ⎥
⎢ 2 2 2 ⎥
⎢ 1 αq α2q ··· α(n−1)q ⎥ (3)
⎢ ⎥
⎢ .. .. ⎥
2.2 Reason for including small terms of ⎢ . . ⎥
⎣ ⎦
n−1 n−1 n−1
the AES S-box 1 αq α2q · · · α(n−1)q
Obviously, the AES S-box algebraic expression is ⎡ ⎤ ⎡ ⎤
x0 x
very simple, and only 9 terms are involved. So far, ⎢ ⎥ ⎢ ⎥
⎢ ⎥ ⎢ ⎥
no accurate reason has illustrated why the AES S-box ⎢ x1 ⎥ ⎢ xq ⎥
⎢ ⎥ ⎢ ⎥
⎢ ⎥ ⎢ 2 ⎥
algebraic expression is very simple; we challenge this ⎢ x2 ⎥ = ⎢ xq ⎥
⎢ ⎥ ⎢ ⎥
open problem and present a rationale for it. Since ⎢ .. ⎥ ⎢ .. ⎥
⎢ . ⎥ ⎢ . ⎥
all operations of the AES-box are based on the bit- ⎣ ⎦ ⎣ ⎦
qn−1
xn−1 x
level, it is necessary to research the relationship of
All coordinates in equation (3) constitute
the coordinates of the elements and the field elements.
a Vandermonde matrix, and it is obvious
Then, we have the following Theorem 1. i j
that (αq − αq ) = 0; hence, equation
For the finite field GF (q n ) generated by the irre- 0
j<i
n−1
ducible polynomial g(x) over GF (q) with degree n, 
n−1 j
(2) has the resolution xi = aj xq . Following, we
standard base B = (1, α, α2 , · · · , αn−1 ) (in which α j=0
is a root of g(x)), relate x ∈ GF (q n ) to the element will prove aj = 0. q
coordinates xi ∈ GF (q): = (xn−1 , xn−2 , · · · , x0 )B = 
n−1 j 
n−1 j
From (xi )q = aj xq = xi = aj xq ,

n−1
j=0 j=0
xi αi ; we then obtain the following conclusion:
i=0 aj = a(j+1) mod n is derived. If ∃ak = 0, then
Theorem 1 For finite field GF (q n ), element a(k+1) mod n = a(k+2) mod n = · · · = 0, that all
coordinates xi ∈ GF (q) and the element ∀x = ai = 0(i = 0, 1, 2, · · · , n − 1), xi ≡ 0, but it is im-

n−1
possible obviously. Thus, for all i = 0, 1, 2, · · · , n − 1,
(xn−1 , xn−2 , · · · , x0 ) = xi pi have the relationship
i=0 we have aj = 0. End.

n−1
pj
xi = aj x , 0 = aj ∈ GF (pn ). Corollary xi (i = 0, 1, · · · , n − 1) ∈ GF (2),
j=0
is in GF (2)-vector of dimension 8 of x, then xi =
Proof Let B(1, α, α2 , · · · , αn−1 ) be a
=

n−1 j

n−1
aj x2 , aj ∈ GF (2n ), and the expression of xi is
standard base over GF (q n ), then x = xi αi . j=0
i=0
k linear over GF (2).
(xi )q = xi , and q is the power of field char-
k This conclusion is very interesting and is helpful to
acter p = ch(GF (q n )): q = pm ; thus, xq =

n−1 k n
us; it presents a simple and direct method to resolve
xi αiq mod (q −1) , for k = 0, 1, 2, · · · , n − 1, equa- the reason why only 9 terms are involved in the ex-
i=0
tion (2) can be constituted: pression of the Rijndael S-box. We know from Sec.2.1
430 Liu Jingmei1 , Wei Baodian2 & Wang Xinmei1

that the transformation of the Rijndael S-box is based 0, 1 · · · , n − 1, i = j. Since the expression AI(x) =
on the bit-level, and all operations are progressed over ByteInverse(BitLinear(x)) can be seen as the mul-
GF (2) linearly; hence, after the linear transformation, tiplication of n − 1 linear polynomials, the number of
the expression is still a linear expression over GF (2). degree (2n − 1) − 2i , i = 0, 1, · · · , n − 1 in the algebraic
It is well known that the linear expression over GF (2) expression AI(x) = ByteInverse(BitLinear(x)) is

n−1 j
(n − 1).
has this form: f (x) = aj x2 , aj ∈ GF (2n ); then,
j=0
after the affine transformation, the expression includes 3. Structure of the improved AES S-box
only n+1 terms. Thus, the reason why only 9 terms and its algebraic properties
are involved in the AES S-box expression is seemingly Since all transformation of AES S-box is XORConst
resolved. (BitLinear(ByteInverse(x))) over GF (2), it does not
To increase the complexity of the algebraic expres- matter which affine transformation matrix and irre-
sion of the AES S-box, we will improve the AES S-box. ducible polynomial are selected and the final algebraic
Theory 2 is an interesting conclusion in our procedure expression of the AES S-box involves only 9 terms.
of improving the AES S-box. With such low complexity, the security of the AES S-
Theorem 2 There are at least number of box is suspected. To eliminate the vulnerability of the
(n − 1)! terms with degree (2n − 1) − 2i , i = simple algebraic expression, we improve the AES S-
0, 1, · · · , n − 1 in algebraic expression AI(x) = box. In the improved AES-box, we do not change the
ByteInverse(BitLinear(x)) over GF (2n ). previous irreducible polynomial, affine transformation
Proof Let y = BitALinear(x), then matrix, and affine constant, but the complexity of al-
gebraic expression increases from 9 to 255, with the
n−1
 j
y= aj x2 , aj ∈ GF (2n ) capability to resist against differential cryptanalysis
j=0 invariable. The improved scheme is as follows:
⎛ ⎞−1 Step 1: y = XORConst(x) = x ⊕ 0x63
n−1
 j Step 2: z = BitLinear(y) = An×n (yn−1 , yn−2 , · · · ,
ByteInverse(y) = ⎝ aj x2 ⎠ =
j=0
y0 )T
⎛ ⎞2n −2 Step 3: u = ByteInverse(z)
n−1

⎝ 2j ⎠
aj x = 3.1 Property of the algebraic expression
j=0
n−1 n−1 n−1 n−3
(a21 x+a22 x2 +· · ·+a2n−1 x2 + After the affine transformation, the algebraic ex-
n−1 n−2 n−1 n−1 n−2 pression of the improved AES S-box is:
a2n x2 + a20 x2 )(a22 x+
2n−3
y =  05 (x ⊕ 0x63)+  09 (x ⊕ 0x63)2 +  f 9 (x ⊕ 0x63)4+
n−2 n−2
a23 x + ··· +
2
a2n−1 x +

n−2 n−2 n−2 n−1 n−k n−k 25 (x ⊕ 0x63)8 +  f 4 (x ⊕ 0x63)16 +  01 (x ⊕ 0x63)32+
a20 x2 +a21 x2 ) · · · (a2k x+a2k+1 x2 +· · ·+

n−k n−k n−k n−k+1 n−k n−k+2 b5 (x ⊕ 0x63)64 +  8f  (x ⊕ 0x63)128 =  05 x+  09 x2 +
a2n x2 + a20 x2 + a21 x2 + ···+

n−k n−1 f 9 x4 +  25 x8 +  f 4 x16 +  01 x32 +  b5 x64 + 8f  x128 +
a2k−1 x2 ) · · · (a2n−1 x + a20 x2 + a21 x4 + a22 x8 + ···+
n
2 −2 0xba
n−2 n−1
j
a2n−3 x2 + a2n−2 x2 ) = bj x
after the transformation ByteInverse(y)
j=0
We can see that ByteInverse(y) is a multiplication of
 i
n−1 y = y −1 = ( 05 x + 09 x2 + f 9 x4 + 25 x8 +
n − 1 linear polynomials. We know 2n − 1 = 2, 
i=0 f 4 x16 + 01 x32 + b5 x64 + 8f  x128 + 0xba)−1 =

n−1
2n − 1 − 2j = 2i . In algebraic expression ( 05 x + 09 x2 + f 9 x4 + 25 x8 + f 4 x16 +
i=0,i=j

AI(x), the terms with degree 2n − 1 − 2j can be gen- 01 x32 + b5 x64 + 8f  x128 + 0xba)254 = 05 x254 +

erated by the n − 1 terms with different degree 2i , i = cf  x253 + b3 x252 + · · · + 7e x2 + f 3 x + 52
One AES S-box to increase complexity and its cryptanalysis∗ 431

Table 1 Truth Table of the Improved AES S-box

H
HH y 0 1 2 3 4 5 6 7 8 9 A B C D E F
x HH
0 52 9 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
1 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
2 54 7b 94 32 a6 c2 23 3d ee 4c 95 b 42 fa c3 4e
3 8 2e a1 66 28 d9 24 b2 76 5b a2 49 6b 8b d1 25
4 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
5 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
6 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
7 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
8 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
9 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
A 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
B fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
C 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
D 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
E a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
F 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

We can consider that the workload with degree 254 determine the performance of the whole block ci-
is very large. A simpler and more general method is pher. In addition, to a large degree, it also determines
to substitute all the 256 values in truth Table 1 to the the intensity of the block cipher. Hence, the S-box
Lagrange interpolation formula is the center of the whole block cipher. It is worth
researching whether our improved AES can satisfy
lk (x) = the necessary performance.
(x − x0 ) · · · (x − xk−1 )(x − xk+1 ) · · · (x − xn−1 )
, 3.2 Performance of the Boolean function
(xk − x0 ) · · · (xk − x0 )(xk − xk+1 ) · · · (xk − xn−1 )
(k = 0, 1 · · · , n − 1 = 255)
Definition 4[10] If the input is over space 2n , and
and substitute the middle-value is in the equation the output is also over space 2n , then the Boolean is

n−1
s(xi ) = yk lk (xj ) = yi , i = (0, 1 · · · , n − 1 = 255); denoted to satisfy the balance.
j=0
then, all coefficients of the algebraic expression of our For our improved AES S-box, it is a surjection
improved AES S-box can be resolved. GF (28 ) → GF (28 ), and thus, it is easy to prove that
Data c in Table 2 and the coefficients of the im- our improved S-box satisfies the balance criteria.
proved AES S-box Algebraic Expression have a rela- Theorem 3 8 Boolean functions of the improved
tionship: AES S-box satisfy the balance.

15
Proof According to the truth table of the im-
s(x) = c16∗x+y x16∗x+y
x,y=0
proved AES S-box, it is a surjection GF (28 ) →
GF (28 ). Then, when inputs are over space GF (28 ),
It is obvious that the terms of the improved AES S-
outputs will be over space GF (28 ). Hence, the im-
box algebraic expression are up to the most 255, which
proved AES S-box satisfies the balance and avoids lin-
exceeds the 9 terms of the AES S-box algebraic expres-
ear cryptanalysis.
sion largely, and improves the complexity of the AES
S-box algebraic expression; also,a good S-box must Definition 5[11] Strict Avalanche Criterion
satisfy several criteria, since its nonlinear properties (SAC): function f : z2n → z2 , ∀c = (cn−1 , cn−2 , · · · ,
432 Liu Jingmei1 , Wei Baodian2 & Wang Xinmei1

Table 2 Coefficients of the Improved AES S-box Algebraic Expression

HH y
x
HH 0 1 2 3 4 5 6 7 8 9 A B C D E F
H
0 52 f3 7e 1e 90 bb 2c 8a 1c 85 6d c0 B2 1b 40 23
1 f6 73 29 d9 39 21 cf 3d 9a 8a 2f cf 7b 04 e8 c8
2 85 7b 7c af 86 2f 13 65 75 d3 6d d4 89 8e 65 05
3 ea 77 50 a3 c5 01 0b 46 bf a7 0c c7 8e f2 b1 cb
4 e5 e2 10 d1 05 b0 f5 86 e4 03 71 a6 56 03 9e 3e
5 19 18 52 16 b9 d3 38 d9 04 e3 72 6b ba e8 bf 9d
6 1d 5a 55 ff 71 e1 a8 8e fe a2 a7 1f df b0 03 cd
7 08 53 6f b0 7f 87 8b 02 B1 92 81 27 40 2e 1a ee
8 10 ca 82 4f 09 aa c7 55 24 6c E2 58 bc e0 26 37
9 ed 8d 2a d5 ed 45 c3 ec 1c 3e 2a b3 9e b7 38 82
A 23 2d 87 ea da 45 24 03 e7 19 e3 d3 4e dd 11 4e
B 81 91 91 59 a3 80 92 7e db c4 20 ec db 55 7f a8
C c1 64 ab 1b fd 60 05 13 2c a9 76 a5 1d 32 8e 1e
D c0 65 cb 8b 93 e4 ae be 5f 2c 3b d2 0f 9f 42 cc
E 6c 80 68 43 09 23 C5 6d 1d 18 bd 5e 1b B4 85 49
F bc 0d 1f a6 6b d8 22 01 7a c0 55 16 b3 cf 05 00

Table 3 SAC of improved AES S-box changed is very close to 128, that is, the proba-
XAC S7 S6 S5 S4 S3 S2 S1 S0 bility is close to 1/2. When one bit of input is
00000001 120 112 140 140 124 124 128 116 inversed, its corresponding bit of output will inverse
00000010 116 120 112 140 144 128 124 128 with probability close to 1/2.
00000100 136 136 120 136 132 140 128 112
3.3 Differential cryptanalysis
00001000 112 136 136 120 136 136 140 132
00010000 132 112 136 136 140 136 136 132 In this section, we consider conventional differential
00100000 128 140 136 140 120 140 124 112 cryptanalysis of our improved AES S-box. Differential
01000000 112 128 140 136 136 128 140 132 cryptanalysis was first proposed in 1990 by Eli Biham
10000000 112 140 140 128 116 128 124 120 and Adi shamir. It is one of the most powerful meth-
ods in cryptanalysis. Using the special element in its
Table 4 SAC of AES S-box
distribution matrix, it can attack the block cipher suc-
SAC S7 S6 S5 S4 S3 S2 S1 S0
cessively. If some elements are greater than the rest,
00000001 128 116 124 116 144 116 132 132
then these are helpful for differential cryptanalysis. To
00000010 136 128 116 124 128 144 124 120
avoid this problem, the S-box must have trivial differ-
00000100 128 136 128 144 120 128 132 132
ential value. Using the following theory, we can prove
00001000 140 128 136 128 116 120 136 136
that our improved AES has the capability to resist
00010000 136 140 128 128 132 116 128 116
against differential cryptanalysis.
00100000 136 136 140 120 120 132 132 116
01000000 124 136 136 120 132 120 136 136 Theorem 4 The improved AES S-box has
10000000 132 124 136 124 136 132 144 132 differential-4 uniformity.
Proof Let the differential between input and out-
c0 ) ∈ GF (2n ), w(c) = 1, if w(f (x) + f (x + c)) = 2n−1 ,
put be (α, β), α = 0, then
then f satisfies the SAC.
f (x + α) − f (x) = β,that is,
Although each output-bit of the improved AES
S-box cannot satisfy SAC, the number of outputs f (x + α) − f (x) = {A[(x + α) + c]}−1 −
One AES S-box to increase complexity and its cryptanalysis∗ 433
−1
[A(x + c)] =β (4) References
Here, we have two cases: [1] National institute of standards and technology. advanced
encryption standard. FIPS 46–3, US Department of Com-
(1) if β = (Aα)−1 , then x = c, x = α + c are not
merce, Washington D.C., 1999, 10.
the roots of equation (4), [2] Daemen J, Rijmen V. AES proposal: Rijndael. Version
2.0, available via http://www.crsc.nist.gov
hence, Aα = β[A(x + c)]{A[(x + α) + c]}, that is,
[3] National Institute of standards and technology. Advanced
A2 βx2 + (A2 αβ + A2 cβ + Acβ)x + βAcα+ encryption standard, FIPS 197. Washington D.C: US De-
(5) partment of Commerce, , 2001, 11.
βAc2 + Aα = 0 [4] Matsui M. Linear cryptanalysis method for DES cipher.
If A2 β = 0, then Aβ = 0, and thus Aα = 0 in Advances in Cryptology- EuroCrypt’93. Springer-Verlag,
equation (4). For A = 0, α = 0. 1994: 386–397.
[5] Biham E, Shamir A. Differential cryptanalysis of DES-like
Contradiction! So only A2 β = 0, then we also have
cryposystems. Advances in Cryptology-CRYPTO’90 Pro-
the twocases:  ceedings. Springer-Verlag, 1991: 3–72.
A2 β(βAcα + βAc2 + Aα)
if trace = 0, then the [6] Daemen J , Knudsen L, Rijmen V. The block cipher Square.
(A2 αβ + A2 cβ + Acβ)2 Fast software Encryption’97. Lecture Notes in Computer
equation has two roots;  Science, 1967: 149–165.
A2 β(βAcα + βAc2 + Aα)
if trace = 1, then the [7] Sannon C E. Communication theory of secrecy systems.
(A2 αβ + A2 cβ + Acβ)2 The Bell system Technical Journal, 1998, 4(28): 656–715.
equation has no roots;
[8] Nicolas T C, Pieprzyk J. Cryptanalysis of block ciphers
(2) β = (Aα)−1 , it is obvious that x = c, x = α + c with overdefined systems of equations. AsiaCrypt 2002.
are both the roots of the equation. With the same Springer-Verlag, 2002: 267–287.
analysis as (1), the equation also has 2 or 4 roots. In [9] Murphy S, Robshaw M. Essential algebraic structure
within the AES. Advances in Cryptology: CRYPTO’02.
conclusion, equation (4) has a maximum of four roots.
Springer-Verlag, 2002: 1–16.
After our calculation, we obtain the consistent result; [10] Millan W, Clark A, Dawson E. Smart Hill Climbing finds
the differential table has only three values 0, 2, and 4, better boolean functions. 4th Workshop on Selected Areas
and in each row and column, only one 4. in Cryptography-SAC’97, Springer-Verlag, 1997: 50–63.
[11] Wen Qiaoyan, Niu Xinxi, Yang Yixian. Boolean functions
To demonstrate the difference cryptanalysis clearly,
in modern cryptology. Beijing: Science Press, 2000, 8.
we show the 4-circle diffusivity. We know that the
maximum diffusivity of the S-box is 2−6 , and the least
number of active S-box in random 4-circle of AES S- Liu Jingmei was born in 1979 and received the B.S.
box. Hence, the maximum diffusivity of 4-circle of and M.S. degrees from Xidian University in 2002 and
AES S-box is up to 2−150 , which is less than 2−127 . 2005 respectively, and the Ph. D. degree from Xi-
We can then consider that our improved AES S-box dian University in 2006. Hers research interests in-
can resist well against differential cryptanalysis. clude cryptanalysis and network security. E-mail: jm-
[email protected]
4. Conclusion
The algebraic expression of the AES S-box is simple
Wei Baodian was born in 1976 and received the B.S.
in terms and low in complexity. Although it does not
and M.S. degrees from Xidian University in 1997 and
lead to bad secure result, most researchers have sus-
2000 respectively, and the Ph. D. degree from Xid-
pected the security of AES. In this article, we im-
ian University in 2004. His research interests include
proved the AES S-box, and increased its algebraic ex-
cryptanalysis and network security.
pression terms to 255. The improved AES can not
only greatly avoid vulnerability of only 9 terms in the
AES S-box algebraic expression, but also shows good Wang Xinmei was born in 1937. He is a professor
performance of other algebraic properties. Besides, it in Xidian University, and his main research interests
can resist well against differential cryptanalysis. Thus, include information theory, coding and cryptology.
the improved AES S-box is very robust.