
(IJCNS) International Journal of Computer and Network Security, 51

Vol. 2, No. 9, September 2010

Generating the New S-box and Analyzing the Diffusion Strength to Improve the Security of AES Algorithm

Mohan H. S.¹ and A Raji Reddy²

¹ Research Scholar, Dr MGR University, Chennai, India
mohan_kit@yahoo.com
² Professor, Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle, India
ar_reddy@yahoo.com

Abstract: Shared-key (symmetric) encryption is the most fundamental cryptographic task. It is used in a large variety of applications, including protection of the secrecy of login passwords, ATM, e-mail messages, video transmissions, wireless systems and internet-distributed digital content. Several encryption algorithms are available for deploying into these applications. The earlier standard for shared key encryption was the DES cipher, which was developed by in the early 70’s. Later RIJNDAEL was proposed and was selected as the Advanced Encryption Standard (AES). The main objective of this paper is to analyze the RIJNDAEL algorithm, a shared-key (symmetric) block cipher supporting 128-bit blocks and 128-bit key size, and to develop a new S-box. Design of block ciphers requires implementation of high speed algorithms with fewer rounds. The number of rounds in a block cipher is decided based upon the resistivity levels against the known attacks. The very first level of attack on an encryption algorithm is to search for repetitive cipher values and relate them to plaintext. This attack can be made ineffective if an algorithm is designed to comply with the Strict Avalanche Criteria (SAC). In this paper, diffusion analysis based upon first order SAC and higher order SAC is carried out for the RIJNDAEL algorithm, and a new S-box generation is suggested. The results provide good insight into RIJNDAEL strength by using the diffusion behavior and are useful in the design of new strong encryption algorithms.

Keywords: Diffusion analysis, Strict Avalanche Criteria, First order SAC, higher order SAC.

1. Introduction

Cryptography allows people to send and receive information over the communication channel, thus allowing them to do business electronically without worries of deception. The perpetual increase of information transmitted electronically has led to an increased reliance on cryptography. Cryptography is important to the continual growth of Internet and E-commerce.

Various cryptographic tools are used to provide information security. These tools are to be evaluated with respect to various criteria for (1) level of security, (2) functionality, (3) modes of operation, (4) performance and (5) ease of implementation.

A cryptographic algorithm or a cipher is the mathematical function used for encryption and decryption. If the security of an algorithm is based upon keeping the way that algorithm works a secret, then it is known as a restricted algorithm. A large or changing group of users cannot use them, because every time a user leaves the group, everyone else must change the algorithm. Even more, restricted algorithms allow no quality control or standardization. But these are enormously popular for low security applications.

Modern cryptography solves this problem with a key, denoted by k. Both the encryption and decryption operations use this key. So the encryption and decryption functions now become
E_k(M) = C for encryption, where E_k is encryption using key k and M is the message;
D_k(C) = M for decryption, where D_k is decryption using key k and C is the cipher text.

1.1 Symmetric Algorithms

There are two general types of key based algorithms: Symmetric and Public Key. In Symmetric algorithms the encryption key can be the same as the decryption key and vice versa. These are also called secret key algorithms. Symmetric algorithms can be divided into two categories: i) some operate on the plaintext a single bit at a time, which are called Stream ciphers, and ii) others operate on the plaintext in groups of bits; such groups of bits are called blocks and such algorithms are called Block ciphers.

1.2 Stream Ciphers and Block Ciphers

Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. Stream ciphers are more suitable for situations where transmission errors are highly probable.

Symmetric key block ciphers are the most prominent and important elements in many cryptographic systems. Individually, they provide confidentiality. The examples of block ciphers are DES, 3-DES, FEAL, SAFER, RC5 and AES. The implementation of any basic block cipher is generally known as Electronic Code Book (ECB) mode. In order to increase the security further, additional modes are also defined. They are (1) Cipher Feed Back (CFB) mode, (2) Output Feed Back (OFB) mode and (3) Counter mode (CTR). The counter mode has become popular in IPSec and IPv6 applications.

1.3 Cryptanalysis

There are two general approaches for attacking a conventional encryption algorithm:

Cryptanalysis: This is used for deciphering a message without any knowledge of the enciphering details.

Cryptanalysis is the science of recovering the plaintext of a message without access to the key. Successful cryptanalysis may recover the plaintext or the key. It also finds weakness in the cryptosystem.

Brute-force attack: The attack tries every possible key on a piece of cipher text until an intelligible translation into plain text is obtained. This is tedious and may not be feasible if the key length is relatively long.

1.4 Confusion and Diffusion

These are the two important techniques for building any cryptographic system. Claude Shannon introduced the terms Confusion and Diffusion. According to Shannon, in an ideal cipher, “all statistics of the cipher text are independent of the particular key used”. In Diffusion, each plaintext digit affects many cipher text digits, which is equivalent to saying that each cipher text digit is affected by many plain text digits.

All encryption algorithms make use of diffusion and confusion layers. The diffusion layer is based upon simple linear operations such as multi-permutations, key additions, multiplication with known constants etc. On the other hand, the confusion layer is based upon complex and linear operations such as the Substitution Box (S-box).

2. Related Work

2.1 Evaluation of Advanced Encryption Standard

The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The original DES is designed for mid 1970’s hardware implementation and does not produce efficient software code. Since 3DES has three times as many rounds as DES, it is relatively slower. A secondary drawback is that both DES and 3DES use a 64-bit block size. For reasons of both efficiency and security a larger block size is desirable.

Because of these drawbacks, NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard (AES), which should have security strength equal to or better than 3DES and significantly improved efficiency. In addition, NIST specified that AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192 and 256 bits.

In the first round 15 proposals were submitted and in the second round 5 algorithms were selected. NIST completed its evaluation in November 2001 and selected Rijndael for AES. Its designers are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen. This standard specifies the Rijndael algorithm ([3] and [4]), a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle additional block sizes and key lengths; however they are not adopted in this standard. Throughout the remainder of this standard, the algorithm specified herein will be referred to as “the AES algorithm.” The algorithm may be used with the three different key lengths indicated above, and therefore these different “flavors” may be referred to as “AES-128”, “AES-192”, and “AES-256”.

2.2 S-Box Design

One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. The characteristic of the S-box is its size. An n x m S-box has n input bits and m output bits. Larger S-boxes, by and large, are more resistant to differential and linear cryptanalysis. However, a large dimension n leads to a larger lookup table. The size of the lookup table decides the size of the program memory. Therefore, a small S-box is required for hardware with less program memory and a large S-box can be used with hardware having more program memory. For example, AES uses 16 x 16 S-box. This is implemented in a suite of hardware platforms: 8051 based microcontrollers, PIC processor, ARM processors, FPGA based processors, ASIC, etc. It is possible to implement 256 x 256 S-box in high end processors.

Another practical consideration is that the larger the S-box, the more difficult it is to design it properly. The S-box is required for both encryption and decryption. An n x m S-box typically consists of 2^n rows of m bits each. The n bits of input select one of the rows of the S-box, and the m bits in that row are the output. For example, in an 8 x 32 S-box, if the input is 00001001, the output consists of the 32 bits in row 9 (the first row is labeled row 0).

2.3 Key Schedule Algorithm

A final area of block cipher design is the key schedule algorithm. A block cipher requires one sub-key for each round of operation. The sub-key is generated from the input master key. Generation of the sub-key requires an algorithm. This algorithm should ensure that no sub-key is repeated. In general, we select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.

2.4 Avalanche criteria

There are two different types of strict avalanche criteria: i) First order SAC: it is a change in output bit when a single input bit is flipped, and ii) Higher order SAC: it is a change in output bit when many input bits are flipped.

3. Statement of the Problem

AES is a symmetric block cipher which encrypts/decrypts one block of data at a time. AES has an iterative structure consisting of a repetition of a round, which is applied to the data block to be encrypted a fixed number of times. The mandatory feature required for any block cipher is good diffusion. The problem statement is given below:

i. To implement the encryption and decryption of the algorithm.
ii. To increase the Diffusion power of the AES algorithm.
iii. To suggest a new S-box to the AES algorithm to increase the confusion.

4. Algorithm Specification

For the AES algorithm, the length of the input block, the output block and the State is 128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns) in the State.

For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the Cipher Key. For the AES algorithm, the number of rounds to be performed during the execution of the algorithm is dependent on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8.

The only Key-Block-Round combinations that conform are shown below.

Figure 1. Key-Block-Round Combinations.

For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations: 1) byte substitution using a substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the data within each column of the State array, and 4) adding a Round Key to the State.

4.1 The State

Internally, the AES algorithm’s operations are performed on a two-dimensional array of bytes called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either s_{r,c} or s[r,c]. For this standard, Nb = 4, i.e., 0 ≤ c < 4.

At the start of the Cipher and Inverse Cipher, the input (the array of bytes in0, in1 … in15) is copied into the State array as illustrated in Fig. 2. The Cipher or Inverse Cipher operations are then conducted on this State array, after which its final value is copied to the output (the array of bytes out0, out1 … out15).

Figure 2. State array input and output.

Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State array according to the scheme:
s[r, c] = in[r + 4c] for 0 ≤ r < 4 and 0 ≤ c < Nb
and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as follows:
out[r + 4c] = s[r, c] for 0 ≤ r < 4 and 0 ≤ c < Nb.

4.2 The State as an Array of Columns

The four bytes in each column of the State array form 32-bit words, where the row number r provides an index for the four bytes within each word. The State can hence be interpreted as a one-dimensional array of 32-bit words (columns), w0...w3, where the column number c provides an index into this array. Hence, for the example in Fig. 2, the State can be considered as an array of four words, as follows:
w0 = s[0,0] s[1,0] s[2,0] s[3,0]
w1 = s[0,1] s[1,1] s[2,1] s[3,1]
w2 = s[0,2] s[1,2] s[2,2] s[3,2]
w3 = s[0,3] s[1,3] s[2,3] s[3,3]

5. Diffusion Analysis

Diffusion analysis of any encryption algorithm enables us to estimate the strength of that algorithm. The strength of the algorithm is related to how sensitive cipher values are to input plain text changes, in other words, how many of the output cipher text bits undergo changes when a single bit of input plain text is changed.

Hamming distance is a measure of the Hamming weight of a function derived from XORing two cipher text values. Hamming distance indicates the Avalanche of an encryption algorithm. For well-diffused cipher values, higher avalanche values are required. Therefore, it is imperative to define the amount of avalanche required for a given encryption algorithm. The Strict Avalanche Criterion (SAC) is defined to indicate the required diffusion level. It is mandatory for every encryption algorithm to satisfy the SAC in order to meet the diffusion requirements.

In this paper, Avalanche values are measured for this encryption algorithm for First order SAC and for Higher Order SAC. The measured results are shown in later sections.

Flipping one bit of the input plain text and keeping the key value constant, avalanche values are measured for each round. The measured result shows a definite pattern.

With respect to CASE (1), i.e. implementation of the first order SAC keeping the plaintext constant, the avalanche is initially low: in the first round the number of bits that differ is 22 and the SAC value is 17. It then increases to a maximum in the 7th round, where the number of bits that differ is 75 with a SAC value of 58, and then decreases; finally, after the 10th round, it ends with 72 differing bits and a SAC value of 56, which satisfies the desired Strict Avalanche Criteria. The same holds for all the other cases, which are shown in the later sections. From the results, it is evident that Avalanche values exceed the SAC value in the initial rounds, sometimes in the second round itself.

The AES encryption algorithm is designed based upon the various criteria, and the number of rounds here is adequate and robust, as it uses S-boxes as nonlinear components. So far Rijndael has no known security attacks.

Based upon the above considerations, we can conclude that an encryption algorithm can be designed with fewer rounds provided it does not show any weakness to differential and linear attacks.

6. Alternate S-box

In a block cipher, the S-box provides the confusion. The S-box maps the plain text to a cipher value using nonlinear operations. Since plain text and cipher values are not related linearly, it is difficult to construct plain text from a given cipher value. This problem is generally known as “hard”. Some of the block ciphers have used the multiplicative inverse of a byte in the GF(2^8) field for constructing the S-box. This S-box is constructed by filling in the multiplicative inverse values. The same S-box can be used for decryption, thus providing involution. However, these are not as secure as an S-box constructed using double transformation, i.e., a separate S-box for each of encryption and decryption. But an involution S-box is extremely useful for an involution cipher, where hardware is at a premium, such as Smart cards, etc. This is also used as a basic building block to construct an S-box using double transformation.

6.1 Design Criteria for S-Box

Following are the design criteria for the S-box, appearing in order of importance:
• Non-Linearity:
(a) Correlation: The maximum input-output correlation amplitude must be as small as possible.
(b) Difference propagation probability: The maximum difference propagation probability must be as small as possible.
• Algebraic Complexity:
The algebraic expression of S_RD in GF(2^8) has to be complex.

6.2 S-Box of AES

The S-box is constructed in the following fashion:
• Initialize the S-box with the byte values in ascending sequence row by row. The first row contains {00}, {01}, {02}, …, {0F}; the second row contains {10}, {11}, etc.; and so on. Thus the value of a byte at row x, column y is {xy}.
• Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself.
• Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0). Apply the following transformation to each bit of each byte in the S-box:
b'_i = b_i ⊕ b_((i+4) mod 8) ⊕ b_((i+5) mod 8) ⊕ b_((i+6) mod 8) ⊕ b_((i+7) mod 8) ⊕ b_((i+8) mod 8) ⊕ c_i
where c_i is the ith bit of byte c with the value {63}, i.e. (c7 c6 c5 c4 c3 c2 c1 c0) = (01100011). The prime (') indicates that the variable is to be updated by the value on the right.
The AES standard depicts this transformation in matrix form as follows:

6.3 Proposed S-box

Here we propose that we can generate our own S-boxes by choosing a different value for the constant used in the affine transformation in the construction of the S-box.

7. Experimental Results

The AES algorithm is designed with the same three key size alternatives, i.e. 128/192/256, but limits the block length to 128 bits. The algorithm efficiently encrypts and decrypts the plaintext and the result is tabulated. Diffusion analysis is also used as a tool to measure the strength of the AES algorithm. This is achieved by analyzing the diffusion, which exhibits a strong avalanche effect for the First order SAC and Higher order SAC, taking the following cases.
• Changing one bit at a time in a plaintext, keeping key as constant.
• Changing one bit at a time in a key, keeping plaintext as constant.
• Changing many bits at a time in a plaintext, keeping key as constant.
• Changing many bits at a time in a key, keeping plaintext as constant.

Each round's avalanche value is tabulated for all the above cases, and it is proved that the Rijndael algorithm exhibits good Strict Avalanche Criteria.

Also, generation of an alternate S-box is an attempt to secure the algorithm from any attacks, and the generated S-box is then used for encryption and diffusion analysis, for comparison.

The following are the results that have been achieved:

7.1 Encryption

The length of the key is entered; accordingly the key and the plaintext are to be entered in hexadecimal. Simultaneously the cipher text is generated.

Figure 3. Shows the result of encryption using 128-bit key length.
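The S-box construction of Section 6.2 with the affine constant of Section 6.3 made a parameter, together with the per-round avalanche count of Section 5 (one plaintext bit flipped, key held constant), as an added Python example that is not the authors' implementation. It follows the FIPS-197 form of the affine transformation with the four terms b_(i+4) to b_(i+7) (a b_((i+8) mod 8) term would equal b_i and cancel it); the alternate constant 0x5A, the sample key and plaintext, and all function names are assumptions made for the illustration.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse computed as a^254; {00} maps to itself."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def make_sbox(c=0x63):
    """Inverse in GF(2^8), then the affine map with constant c (0x63 in AES).

    c is XORed in last, so make_sbox(c)[x] == make_sbox(0x63)[x] ^ c ^ 0x63.
    """
    box = []
    for x in range(256):
        b = gf_inv(x)
        box.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ c)
    return box

def expand_key(key, sbox):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [sbox[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def round_states(pt, key, sbox):
    """State after each of the 10 rounds, flat with byte index r + 4c."""
    rk = expand_key(key, sbox)
    s = [p ^ k for p, k in zip(pt, rk[0])]
    out = []
    for rnd in range(1, 11):
        s = [sbox[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if rnd < 10:                                         # MixColumns
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                m += [gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                      ^ a[(r + 2) % 4] ^ a[(r + 3) % 4] for r in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]              # AddRoundKey
        out.append(s)
    return out

def avalanche(pt, key, bit, sbox):
    """Bits that differ after each round when plaintext bit `bit` is flipped."""
    flipped = list(pt)
    flipped[bit // 8] ^= 0x80 >> (bit % 8)
    a, b = round_states(pt, key, sbox), round_states(flipped, key, sbox)
    return [sum(bin(x ^ y).count("1") for x, y in zip(ra, rb))
            for ra, rb in zip(a, b)]

if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed sample
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample
    for c in (0x63, 0x5A):   # AES constant, then an assumed alternate constant
        diffs = avalanche(pt, key, 0, make_sbox(c))
        print(f"c={c:#04x}", [(d, round(100 * d / 128)) for d in diffs])
```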

7.2 Decryption

The key has to be entered, which was previously entered for encryption. As a result, the plain text entered during encryption and the text after decrypting is generated.

Figure 4. Showing the result after decryption for 128 bit key length.

7.3 Diffusion Analysis for First Order SAC

CASE 1: Changing one bit at a time in a key, keeping plaintext as constant.

Figure 5. Shows the results of Avalanche Effect for Case (1).

CASE 2: Changing one bit at a time in a plaintext, keeping key as constant.

Figure 6. Shows the results of Avalanche Effect for Case (2).

7.4 Diffusion Analysis for Higher Order SAC

CASE 3: Changing many bits at a time in a key, keeping plaintext as constant.

Figure 7. Shows the results of Avalanche Effect for Case (3).

CASE 4: Changing many bits at a time in a plaintext, keeping key as constant.

Figure 8. Shows the results of Avalanche Effect for Case (4).

7.5 With alternate S-box

The alternate S-box is generated, and the encryption and diffusion analysis is carried out with new S-box.

Figure 9. Shows the result of encryption using 128-bit key length.

Figure 10. Showing the diffusion analysis, for first order SAC of 128-bit key length.

8. Conclusions

The main aim of any encryption algorithm is to keep the data secure from the intruders. The DES did not satisfy the need for data security because of its short 56-bit key. Such short keys can be broken by brute force attacks and so it was proved insecure. So as a replacement, AES is proposed, Rijndael was selected, which is more secure than the DES.

The basic design of an encryption algorithm is based upon the strength of diffusion and confusion. This dissertation explored the diffusion and confusion elements used in the AES to an extent. Based on the studies, the following techniques are developed as a security improvement:
• Diffusion analysis, which is used as a tool to measure the strength of the algorithm. From the experimental results, it is proved that AES meets the Strict Avalanche Criteria, which is mandatory for an encryption algorithm in order to meet the diffusion requirements.
• Suggesting an alternate S-box.

9. Future Enhancements

• An alternate S-box for decryption can be developed.
• All encryption algorithms, both symmetric and public key, involve arithmetic operations on integers with a finite field. The Rijndael algorithm uses an irreducible polynomial
m(x) = x^8 + x^4 + x^3 + x + 1 = 0x11b (hex).
So, a new irreducible polynomial of degree 8 could be used. There are 30 irreducible polynomials of degree 8.

References

[1] W. Stallings, Cryptography and Network Security, Prentice Hall, 2003.
[2] AES page available via http://www.nist.gov/CryptoToolkit.4
[3] Computer Security Objects Register (CSOR): http://csrc.nist.gov/csor/.
[4] J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES Algorithm Submission, September 3, 1999.
[5] J. Daemen and V. Rijmen, The block cipher Rijndael, Smart Card Research and Applications, LNCS 1820, Springer-Verlag, pp. 288-296.
[6] B. Gladman’s AES related home page http://fp.gladman.plus.com/cryptography_tetechnolo/.
[7] A. Lee, NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, National Institute of Standards and Technology, November 1999.
[8] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, 1997, pp. 81-83.
[9] J. Nechvatal, Report on the Development of the Advanced Encryption Standard (AES), National Institute of Standards and Technology, October 2, 2000.
[10] Mohan H.S and A. Raji Reddy, "Diffusion Analysis of Mars Encryption Algorithm", International conference on current trends of information technology, MERG-2005, Bhimavaram, Andhrapradesh.
[11] Mohan H.S and A. Raji Reddy, "An Effective Defense Against Distributed Denial of Service in Grid", IEEE International conference on integrated intelligent computing ICIIC-2010, SJBIT, Bangalore-60. ISBN 978-0-7695-4152-5, pp. 84-89.

Authors Profile

Mohan H.S. received his Bachelor’s degree in Computer Science and Engineering from Malnad College of Engineering, Hassan during the year 1999 and M.Tech in Computer Science and Engineering from Jawaharlal Nehru National College of Engineering, Shimoga during the year 2004. He is currently pursuing his part time Ph.D degree at Dr. MGR University, Chennai. He is working as a professor in the Dept of Information Science and Engineering at SJB Institute of Technology, Bangalore-60. He has a total of 12 years of teaching experience. His areas of interest are Networks Security, Image processing, Data Structures, Computer Graphics, finite automata and formal languages, and Compiler Design. He obtained a best teacher award for his teaching during the year 2008 at SJBIT Bangalore-60. He has published and presented papers in journals and at international and national level conferences.

A. Raji Reddy received his M.Sc from Osmania University and M.Tech in Electrical and Electronics and Communication Engineering from IIT, Kharagpur during the year 1979 and his Ph.D degree from IIT, Kharagpur during the year 1986. He worked as a senior scientist in R&D of ITI Ltd, Bangalore for about 24 years. He is currently working as a professor and head in the Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle. His current research areas are in Cryptography and its application to wireless systems and network security. He has published and presented papers in journals and at international and national level conferences.
