WO2010151103A1 - Bijective substitution box - Google Patents

Bijective substitution box

Info

Publication number
WO2010151103A1
Authority
WO
WIPO (PCT)
Prior art keywords
bijective
function
boolean map
functions
linear
Prior art date
Application number
PCT/MY2010/000101
Other languages
French (fr)
Inventor
Mamadolimov Abdurashid
Isa Herman
Soeheila Mohamad Moesfa
Original Assignee
Mimos Berhad
Priority date
Filing date
Publication date
Application filed by Mimos Berhad
Publication of WO2010151103A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation

Definitions

  • the present invention relates to a method of generating bijective Substitution Boxes (S-Boxes).
  • S-Boxes are vectorial Boolean functions satisfying some cryptographic criteria. S-Boxes are used as a basic component of block ciphers in cryptography. An important condition on S-Boxes is high resistance to differential and linear cryptanalysis, which are the main attacks on block ciphers. Functions with low differential uniformity and high nonlinearity resist differential and linear attacks well and are considered cryptographically strong.
  • ciphers that are substitution-permutation networks use bijective S-Boxes.
  • 8x8 size is optimal.
  • S-Boxes of 8x8 size can be considered strong if they have differential uniformity of at most 10 and nonlinearity of at least 100. It has to be noted that the best known pair of these parameters is 4 and 112, respectively, and S-Boxes with differential uniformity below 10 and nonlinearity above 100 are very rare.
  • the present invention is a method of generating bijective Substitution Boxes.
  • the method comprises selecting an initial Boolean map from a plurality of non-bijective power functions over the finite field, extending the image of the initial map without changing differential uniformity and nonlinearity, obtaining a bijective function from the extended function with a small aggravation of differential uniformity and nonlinearity, and performing differential uniformity and nonlinearity tests on the bijective function until the differential uniformity and nonlinearity parameters meet a predetermined condition.
  • FIG. 1 illustrates a flowchart of a method for generating a bijective Substitution Box (S-Box).
  • FIG.2 illustrates a flowchart of extending an image of a Boolean map to generate an extended Boolean map.
  • FIG. 3 illustrates a flowchart of obtaining a bijective function from an extended Boolean map.
  • the present invention relates to a method for generating a bijective Substitution Box (S-Box).
  • the method for generating the bijective S-Box relates to generating a cryptographically strong S-Box.
  • the method of generating cryptographically strong S-Boxes of the present invention comprises generating bijective n x n size S-Boxes using non-bijective power functions in the finite field.
  • the n x n size S-Boxes of the present invention have good differential uniformity and nonlinearity parameters and are not equivalent to any known S-Boxes.
  • FIG. 1 illustrates a flowchart of the method (100) for generating the bijective S-Box.
  • the method (100) for generating the bijective S-Box comprises selecting an initial Boolean map (102) from a plurality of non-bijective power functions over the finite field, extending the image of the initial Boolean map (104) without changing differential uniformity and nonlinearity, obtaining a bijective function (106) from the extended function with a small aggravation of differential uniformity and nonlinearity, and performing differential uniformity and nonlinearity tests (108) on the bijective function until the differential uniformity and nonlinearity parameters meet a predetermined condition.
  • the method (100) of generating the bijective S-Boxes according to the present invention begins with selecting the Boolean map (102) from a plurality of non-bijective power functions over the finite field.
  • in one embodiment, where F_{2^n} is a finite field of 2^n elements, power functions x → x^d are considered, where x ∈ F_{2^n} and d is a positive integer.
  • the image of the selected Boolean map is extended (104) to generate an extended Boolean map
  • FIG. 2 illustrates a flowchart of extending the image of the Boolean map to generate the extended Boolean map.
  • the Boolean map is extended by identifying a first linear power function (202) from a plurality of linear power functions, generating a binomial function (204) by adding the initial Boolean map multiplied by a constant alpha to the chosen linear power function multiplied by a constant beta, and identifying the binomial function (206) with a maximum number of image elements.
  • the steps of generating the binomial function (204) by adding the initial Boolean map multiplied by a constant alpha to the chosen linear power function multiplied by a constant beta, and identifying the binomial function (206) with a maximum number of image elements, are iterated for all linear combinations from the plurality of linear combinations.
  • the steps of identifying a first linear power function (202) from a plurality of linear power functions, generating the binomial function (204) by adding the initial Boolean map multiplied by a constant alpha to the chosen linear power function multiplied by a constant beta, and identifying the binomial function (206) with a maximum number of image elements, are iterated for all linear power functions from the plurality of linear power functions.
  • the power function x^3 has (DU, NL) = (2, 112) and is non-bijective. If I is the image of x^3, then |I| = 86. When x^3 is considered as a mapping F*_{2^8} → F*_{2^8}, where F*_{2^8} = F_{2^8} \ {0}, it appears as a three-to-one function.
  • in order to obtain strong bijective functions from x^3, the function α·x^3 + β·x^4 is considered, where α, β ∈ F_{2^8}. Because x^4 is linear, DU(x^3) = DU(α·x^3 + β·x^4) and NL(x^3) = NL(α·x^3 + β·x^4). If J is the image of α·x^3 + β·x^4, then I ⊂ J and |J| = 192. With this, the power function x^3 almost resembles a bijective function without compromising the differential uniformity parameter and the nonlinearity parameter.
  • FIG. 3 illustrates a flowchart of obtaining the bijective function from the extended Boolean map.
  • obtaining the bijective function comprises identifying a first duplicate output element (302) in the output list of the function, selecting a first element (304) which is not in the output list of the function and has the least distance from the identified duplicate output element, and replacing the first duplicate output element with the selected first element (306).
  • the steps of identifying the first duplicate output element (302), selecting the first element (304) and replacing the first duplicate output element with the selected first element (306) are iterated until the Boolean map is free of duplicate output elements.
  • the bijective function obtained is subjected to differential uniformity test (108) to obtain the differential uniformity parameter and nonlinearity test (108) to obtain the nonlinearity parameter.
  • the steps of extending the image of the Boolean map (104), obtaining a bijective function (106) and performing the uniformity test and nonlinearity test (108) are iterated until the differential uniformity parameter and the nonlinearity parameter meet the predetermined condition of DU less than or equal to 10 and NL more than or equal to 100.
  • performing the differential uniformity test on the bijective function comprises introducing all possible changes to an input and comparing an output to an original output, counting a number of the inputs which produce the same output difference for any given input change and identifying a maximum number of the counts to determine the differential uniformity parameter of the bijective function.
  • performing the nonlinearity test on the bijective function comprises generating all non-trivial linear combinations of a plurality of component functions, generating all affine functions with the same number of variables as a given function, counting the Hamming distance between each pair of a linear combination and an affine function, and identifying the minimum of the counts to determine the nonlinearity parameter of the bijective function.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Apparatus For Radiation Diagnosis (AREA)
  • Compression Or Coding Systems Of Tv Signals (AREA)
  • Image Processing (AREA)

Abstract

A method (100) for generating a bijective Substitution Box, the method (100) comprises selecting a Boolean map (102) from a plurality of non-bijective power functions and iterating extending an image of the Boolean map (104) to generate an extended Boolean map, obtaining a bijective function (106) from the extended Boolean map, performing a differential uniformity test (108) on the bijective function to obtain a differential uniformity parameter and performing a nonlinearity test (108) on the bijective function to obtain a nonlinearity parameter, until the differential uniformity parameter and the nonlinearity parameter meet a predetermined condition.

Description

BIJECTIVE SUBSTITUTION BOX
FIELD OF INVENTION
The present invention relates to a method of generating bijective Substitution Boxes (S-Boxes).
BACKGROUND ART
S-Boxes are vectorial Boolean functions satisfying some cryptographic criteria. S-Boxes are used as a basic component of block ciphers in cryptography. An important condition on S-Boxes is high resistance to differential and linear cryptanalysis, which are the main attacks on block ciphers. Functions with low differential uniformity and high nonlinearity resist differential and linear attacks well and are considered cryptographically strong. Ciphers that are substitution-permutation networks use bijective S-Boxes.
For practical use, 8x8 size is optimal. S-Boxes of 8x8 size can be considered strong if they have differential uniformity of at most 10 and nonlinearity of at least 100. It has to be noted that the best known pair of these parameters is 4 and 112, respectively, and S-Boxes with differential uniformity below 10 and nonlinearity above 100 are very rare.
Several methods to generate cryptographically strong S-Boxes exist, such as random generation, the use of finite field operations, as well as heuristic algorithms.
SUMMARY OF INVENTION
In one embodiment, the present invention is a method of generating bijective Substitution Boxes. The method comprises selecting an initial Boolean map from a plurality of non-bijective power functions over the finite field, extending the image of the initial map without changing differential uniformity and nonlinearity, obtaining a bijective function from the extended function with a small aggravation of differential uniformity and nonlinearity, and performing differential uniformity and nonlinearity tests on the bijective function until the differential uniformity and nonlinearity parameters meet a predetermined condition.
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated, in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which:
FIG. 1 illustrates a flowchart of a method for generating a bijective Substitution Box (S-Box).
FIG.2 illustrates a flowchart of extending an image of a Boolean map to generate an extended Boolean map.
FIG. 3 illustrates a flowchart of obtaining a bijective function from an extended Boolean map.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to a method for generating a bijective Substitution Box (S-Box). Hereinafter, this specification will describe the present invention according to the preferred embodiments of the present invention. However, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications and equivalents without departing from the scope of the appended claims.
The method for generating the bijective S-Box according to the embodiments of the present invention relates to generating a cryptographically strong S-Box. The method of generating cryptographically strong S-Boxes of the present invention comprises generating bijective n x n size S-Boxes using non-bijective power functions in the finite field. The n x n size S-Boxes of the present invention have good differential uniformity and nonlinearity parameters and are not equivalent to any known S-Boxes.
Reference is being made to FIG. 1. FIG. 1 illustrates a flowchart of the method (100) for generating the bijective S-Box. The method (100) for generating the bijective S-Box comprises selecting an initial Boolean map (102) from a plurality of non-bijective power functions over the finite field, extending the image of the initial Boolean map (104) without changing differential uniformity and nonlinearity, obtaining a bijective function (106) from the extended function with a small aggravation of differential uniformity and nonlinearity, and performing differential uniformity and nonlinearity tests (108) on the bijective function until the differential uniformity and nonlinearity parameters meet a predetermined condition. The method (100) of generating the bijective S-Boxes according to the present invention begins with selecting the Boolean map (102) from a plurality of non-bijective power functions over the finite field. In one embodiment of the present invention, where F_{2^n} is a finite field of 2^n elements, power functions x → x^d are considered, where x ∈ F_{2^n} and d is a positive integer.
Some power functions with the lowest DU or the highest NL are well known. For practical use we restrict ourselves to the case n = 8. S-Boxes of 8x8 size can be considered strong if they have DU ≤ 10 and NL ≥ 100. Only 8 bijective power functions (permutations) satisfy the above condition: x^127, x^191, x^223, x^239, x^247, x^251, x^253 and x^254, i.e. the multiplicative inverse x^(-1) = x^254 and the functions x^(2^k · 254). All these exponents lie in one cyclotomic coset, i.e., the functions are equivalent. Therefore there is only one strong bijective power function up to equivalence.
Strong non-bijective power functions are considered next. There are 24 non-bijective power functions with the best parameters (DU, NL) = (2, 112). They fall into 3 equivalence classes of exponents: (3, 6, 12, 24, 48, 96, 192, 129), (9, 18, 36, 72, 144, 33, 66, 132) and (39, 78, 156, 57, 114, 228, 201, 147). Any representative of these functions can be chosen for the following steps. The first function of the first class, i.e. the function x^3, is chosen.
Upon selecting the Boolean map, the image of the selected Boolean map is extended (104) to generate an extended Boolean map.
Reference is now being made to FIG. 2. FIG. 2 illustrates a flowchart of extending the image of the Boolean map to generate the extended Boolean map. According to the embodiments of the present invention, the Boolean map is extended by identifying a first linear power function (202) from a plurality of linear power functions, generating a binomial function (204) by adding the initial Boolean map multiplied by a constant alpha to the chosen linear power function multiplied by a constant beta, and identifying the binomial function (206) with a maximum number of image elements.
The steps of generating the binomial function (204) by adding the initial Boolean map multiplied by a constant alpha to the chosen linear power function multiplied by a constant beta, and identifying the binomial function (206) with a maximum number of image elements, are iterated for all linear combinations from the plurality of linear combinations.
The steps of identifying a first linear power function (202) from a plurality of linear power functions, generating the binomial function (204) by adding the initial Boolean map multiplied by a constant alpha to the chosen linear power function multiplied by a constant beta, and identifying the binomial function (206) with a maximum number of image elements, are iterated for all linear power functions from the plurality of linear power functions.
The power function x^3 has (DU, NL) = (2, 112) and is a non-bijective function. If I is the image of the power function x^3, then |I| = 86. When the power function x^3 is considered as a mapping F*_{2^8} → F*_{2^8}, where F*_{2^8} = F_{2^8} \ {0}, it appears as a three-to-one function. In order to obtain strong bijective functions from the power function x^3, the function α·x^3 + β·x^4 is considered, where α, β ∈ F_{2^8}. Because the power function x^4 is linear, DU(x^3) = DU(α·x^3 + β·x^4) and NL(x^3) = NL(α·x^3 + β·x^4). If J is the image of α·x^3 + β·x^4, then I ⊂ J and |J| = 192. With this, the power function x^3 almost resembles a bijective function without compromising the differential uniformity parameter and the nonlinearity parameter.
Upon extending the image of the Boolean map, the bijective function is obtained from the extended Boolean map. Reference is now being made to FIG. 3. FIG. 3 illustrates a flowchart of obtaining the bijective function from the extended Boolean map.
According to the embodiments of the present invention, obtaining the bijective function comprises identifying a first duplicate output element (302) in the output list of the function, selecting a first element (304) which is not in the output list of the function and has the least distance from the identified duplicate output element, and replacing the first duplicate output element with the selected first element (306). The steps of identifying the first duplicate output element (302), selecting the first element (304) and replacing the first duplicate output element with the selected first element (306) are iterated until the Boolean map is free of duplicate output elements.
According to the embodiments of the present invention, the bijective function obtained is subjected to differential uniformity test (108) to obtain the differential uniformity parameter and nonlinearity test (108) to obtain the nonlinearity parameter. The steps of extending the image of the Boolean map (104), obtaining a bijective function (106) and performing the uniformity test and nonlinearity test (108) are iterated until the differential uniformity parameter and the nonlinearity parameter meet the predetermined condition of DU less than or equal to 10 and NL more than or equal to 100. According to the embodiments of the present invention, performing the differential uniformity test on the bijective function comprises introducing all possible changes to an input and comparing an output to an original output, counting a number of the inputs which produce the same output difference for any given input change and identifying a maximum number of the counts to determine the differential uniformity parameter of the bijective function.
According to the embodiments of the present invention, performing the nonlinearity test on the bijective function comprises generating all non-trivial linear combinations of a plurality of component functions, generating all affine functions with the same number of variables as a given function, counting the Hamming distance between each pair of a linear combination and an affine function, and identifying the minimum of the counts to determine the nonlinearity parameter of the bijective function.
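The whole pipeline of steps 102 to 108 (selecting x^3, forming the binomial α·x^3 + β·x^4, repairing duplicates, testing DU and NL), as an added worked example in Python that is not code from the patent or from Mimos Berhad. It assumes a representation of GF(2^8) the patent does not fix (the AES polynomial x^8 + x^4 + x^3 + x + 1), takes "least distance" in step 304 to mean Hamming distance on the 8-bit encoding, and searches γ = β/α instead of all (α, β) pairs, since scaling by α changes neither the image size nor the two parameters; `construct_sbox`, `make_bijective` and the other names are this example's own.

```python
N = 8
SIZE = 1 << N
POLY = 0x11B  # assumption: AES polynomial; the patent fixes no representation of GF(2^8)

def gf_mul(a, b):
    """Multiply two GF(2^8) elements in polynomial basis, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= POLY
    return r

def power_function(d):
    """Lookup table of the power map x -> x^d over all 256 field elements."""
    tbl = []
    for x in range(SIZE):
        r = 1
        for _ in range(d):
            r = gf_mul(r, x)
        tbl.append(r)
    return tbl

def binomial(f, g, alpha, beta):
    """Step 204: table of alpha*f(x) + beta*g(x) built from two power tables."""
    return [gf_mul(alpha, f[x]) ^ gf_mul(beta, g[x]) for x in range(SIZE)]

def differential_uniformity(sbox):
    """Step 108 / claim 4: for each nonzero input difference a, count the inputs x
    giving each output difference S(x) + S(x + a); DU is the largest count."""
    worst = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def nonlinearity(sbox):
    """Step 108 / claim 5: least Hamming distance from any non-trivial combination
    b.S(x) of component functions to an affine function, via the Walsh transform:
    NL = 2^(n-1) - max|W(a, b)| / 2."""
    max_walsh = 0
    for b in range(1, SIZE):
        # +1/-1 encoding of the Boolean component function x -> parity(b & S(x))
        w = [1 - 2 * (bin(b & y).count("1") & 1) for y in sbox]
        h = 1
        while h < SIZE:  # in-place fast Walsh-Hadamard transform
            for i in range(0, SIZE, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        max_walsh = max(max_walsh, max(abs(t) for t in w))
    return SIZE // 2 - max_walsh // 2

def make_bijective(table):
    """Steps 302-306: every repeated output is replaced by the still-unused value
    nearest to it (assumption: Hamming distance, ties to the smaller value)."""
    out = list(table)
    seen, unused = set(), set(range(SIZE)) - set(out)
    for i, y in enumerate(out):
        if y in seen:
            best = min(unused, key=lambda c: (bin(c ^ y).count("1"), c))
            out[i] = best
            unused.remove(best)
        else:
            seen.add(y)
    return out

def construct_sbox(du_max=10, nl_min=100):
    """Method 100 with x^3 as initial map and the linear x^4 as second term.
    Scaling by alpha changes neither image size nor DU/NL, so the (alpha, beta)
    search reduces to gamma = beta/alpha; candidates are tried in order of
    decreasing image size (step 206) until DU <= du_max and NL >= nl_min."""
    cube, quart = power_function(3), power_function(4)
    cands = sorted(range(1, SIZE), key=lambda g: -len(set(binomial(cube, quart, 1, g))))
    for gamma in cands:
        sbox = make_bijective(binomial(cube, quart, 1, gamma))
        du, nl = differential_uniformity(sbox), nonlinearity(sbox)
        if du <= du_max and nl >= nl_min:
            return sbox, du, nl, gamma
    return None

if __name__ == "__main__":
    found = construct_sbox()
    if found:
        print("repaired x^3 + %#x*x^4: DU=%d NL=%d" % (found[3], found[1], found[2]))
```

DU and NL of a power function do not depend on the field polynomial (a change of basis is a linear equivalence), but the nearest-unused-value repair, and therefore the final S-box, does depend on the chosen representation and distance, so other choices give other results.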

Claims

1. A method (100) for generating a bijective Substitution Box, the method (100) comprises (i) selecting a Boolean map (102) from a plurality of non-bijective power functions; (ii) extending an image of the Boolean map (104) to generate an extended Boolean map;
(iii) obtaining a bijective function (106) from the extended Boolean map; (iv) performing a differential uniformity test (108) on the bijective function to obtain a differential uniformity parameter; (v) performing a nonlinearity test (108) on the bijective function to obtain a nonlinearity parameter; and
(vi) iterating steps (ii), (iii), (iv) and (v) until the differential uniformity parameter and the nonlinearity parameter meet a predetermined condition.
2. The method (100) according to claim 1, wherein extending the image of the Boolean map to generate the extended Boolean map further comprises (i) identifying a first linear power function (202) from a plurality of linear power functions;
(ii) generating the plurality of non-bijective power functions (204) using a linear combination from a plurality of linear combinations of the power function and the plurality of linear power functions;
(iii) identifying at least one non-bijective power function from the plurality of non-bijective power functions with a maximum number of image elements (206);
(iv) iterating steps (ii) and (iii) for all linear combinations from the plurality of linear combinations; and
(v) iterating steps (i), (ii) and (iii) for all linear power functions from the plurality of linear power functions.
3. The method (100) according to claim 1, wherein obtaining the bijective function from the extended Boolean map further comprises
(i) identifying a first duplicate output element (302) in the Boolean map;
(ii) selecting a first element (304) which is not an output in the Boolean map and has a least distance from the first duplicate output element; (iii) replacing the first duplicate output element with the first element (306); (iv) iterating steps (i), (ii) and (iii) until the Boolean map is free from a plurality of duplicate output elements.
4. The method according to claim 1, wherein the performing the differential uniformity test on the bijective function further comprises introducing all possible changes to an input and comparing an output to an original output; counting a number of the inputs which produce the same output difference for any given input change; and identifying a maximum number of the counts to determine the differential uniformity parameter of the bijective function.
5. The method according to claim 1, wherein the performing the nonlinearity test on the bijective function further comprises generating all non-trivial linear combinations of a plurality of component functions; generating all affine functions with the same number of variables as a given function; counting a Hamming distance between pairs of linear combination and affine functions; and identifying a minimum number of the counts to determine the nonlinearity parameter of the bijective function.
PCT/MY2010/000101 2009-06-22 2010-06-15 Bijective substitution box WO2010151103A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20092626 2009-06-22
MYPI20092626 MY144134A (en) 2009-06-22 2009-06-22 Bijective substitution box

Publications (1)

Publication Number Publication Date
WO2010151103A1 true WO2010151103A1 (en) 2010-12-29

Family

ID=43386723

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2010/000101 WO2010151103A1 (en) 2009-06-22 2010-06-15 Bijective substitution box

Country Status (2)

Country Link
MY (1) MY144134A (en)
WO (1) WO2010151103A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014092533A1 (en) * 2012-12-12 2014-06-19 Mimos Berhad A method to construct bijective substitution box from non-permutation power functions
WO2015084146A1 (en) * 2013-12-04 2015-06-11 Mimos Berhad A method to construct bijective substitution box from non-permutation power functions using heuristic techniques

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6064738A (en) * 1996-12-10 2000-05-16 The Research Foundation Of State University Of New York Method for encrypting and decrypting data using chaotic maps
US6804355B1 (en) * 2000-01-06 2004-10-12 Intel Corporation Block cipher for small selectable block sizes

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BURNETT, LINDA: "Heuristic Optimization of Boolean Functions and Substitution Boxes for Cryptography", THESIS SUBMITTED FOR DEGREE OF DOCTOR OF PHILOSOPHY, 2005, QUEENSLAND UNIVERSITY OF TECHNOLOGY, Retrieved from the Internet <URL:http://eprints.qut.edu.au/16023> [retrieved on 20100902] *
KIM, K. ET AL.: "A Recursive Construction Method of S-boxes Satisfying Strict Avalanche Criterion", ADVANCES IN CRYPTOLOGY - CRYPTO'90, vol. 537, 1991 *

Also Published As

Publication number Publication date
MY144134A (en) 2011-08-10

Similar Documents

Publication Publication Date Title
Sun et al. More accurate differential properties of LED64 and Midori64
Wang et al. A new chaos-based fast image encryption algorithm
Hosseinkhani et al. Using cipher key to generate dynamic S-box in AES cipher system
EP2273472A1 (en) Coder equipped with common key code function and built-in equipment
Gaži et al. The exact PRF-security of NMAC and HMAC
Tan et al. New families of differentially 4-uniform permutations over
Birrell et al. Randomness-dependent message security
WO2010151103A1 (en) Bijective substitution box
Zhao et al. Differential fault analysis on LED using Super‐Sbox
Gravel et al. Unicyclic strong permutations
Zhang et al. Hardware implementation of compact AES S-box
Chapaneri et al. Evaluation of chaotic map lattice systems for image encryption
Giraud et al. Piret and Quisquater's DFA on AES Revisited
Aslan et al. Classifying 8-bit to 8-bit S-boxes based on power mappings from the point of DDT and LAT distributions
Tran et al. A new S-box structure based on graph isomorphism
Du et al. Construction of Boolean functions with maximum algebraic immunity and count of their annihilators at lowest degree
Gouget et al. Revisiting correlation-immunity in filter generators
Berger et al. On almost perfect nonlinear mappings over F_2^n
Wang et al. One-way hash function construction based on iterating a chaotic map
De la Cruz Jiménez A method for constructing permutations, involutions and orthomorphisms with strong cryptographic properties
Nga et al. On the improving diffusion layer and performance of AES algorithm
WO2011014054A1 (en) Nonlinear boolean permutation
AbdElHaleem et al. Utilizing LFSR and Feistel networks in image encryption
Courtois et al. Propagation of truncated differentials in GOST
Kazymyrov Extended criterion for absence of fixed points

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10792378

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10792378

Country of ref document: EP

Kind code of ref document: A1