
2009 International Conference on Electronic Commerce and Business Intelligence

A Software for S-box Performance Analysis and Test


Yong Wang, Qing Xie
College of Economy and Management, Chongqing University of Posts and Telecommunications, Chongqing, China
wangyong_cqupt@163.com

Yuntao Wu, Bing Du
College of Computer Science, Chongqing University of Posts and Telecommunications, Chongqing, China

Abstract: The S-box (substitution box) is one of the core components of a block cipher and plays an important role in the process of encrypting plaintext. In this paper, the performance indexes of the S-box are summarized and analyzed. The corresponding numeric methods for calculating them are presented. Then software is developed which can not only calculate the performance indexes of an S-box but also find the ones that satisfy the performance requirement among a large number of S-boxes. Based on the simulation test, the conclusion can be drawn that the software is very useful in aiding S-box research and gives good support to the design of block ciphers with high security.

Keywords: S-box; Block cipher; E-business Security

II. PERFORMANCE INDEXES OF S-BOX

To dispel the suspicion that the S-box might contain some loophole, NSA gave some rules on how to evaluate the cryptographic properties of S-boxes [1]. Since then, much work has been done on designing and evaluating S-boxes [2-7]. The following performance indexes are widely accepted as important properties that are necessary for cryptographically strong S-boxes.

A. Nonlinearity

Definition 1. Suppose $f(x): F_2^n \to F_2$ is a Boolean function; the nonlinearity $N_f$ of $f(x)$ is given below:

$$N_f = \min_{l \in L_n} d_H(f, l) \quad (1)$$

I. INTRODUCTION

With the development and popularization of computers and networks, E-business security has become a common focus of both academia and enterprises. Cryptography, as one of the most important fields of information security, always attracts the interest of researchers. In general, there are two major classes of cryptosystems: stream ciphers and block ciphers. In a block cipher, the S-box is one of the important components. It was first presented in the encryption algorithm Lucifer and became popular with the wide use of DES. Nine algorithms among the 15 candidates of AES employ S-boxes. Today, in many encryption algorithms, the S-box is the only nonlinear component providing the function of confusion and diffusion. In some ways, the security of the S-box determines the security of the whole cryptosystem. How to evaluate the security of an S-box and design S-boxes with high performance is still one of the key issues in block ciphers.

The remainder of this paper is organized as follows. In Section II, the performance indexes are summarized and analyzed, and the corresponding calculation methods are presented. In Section III, the performance analysis software is developed, which can also be used to select the S-boxes satisfying the performance requirements from a large number of S-boxes. Finally, conclusions are drawn in Section IV.

where $L_n$ is the set of affine functions and $d_H(f, l)$ is the Hamming distance between $f$ and $l$.

Definition 2. Suppose $S(x): F_2^n \to F_2^m$ is a multi-output function; the nonlinearity of $S(x)$ can be defined as below:

$$N_S = \min_{l \in L_n,\ 0 \neq u \in F_2^m} d_H(u \cdot S(x), l(x)) \quad (2)$$

where $u \cdot S(x)$ is the dot product of $u$ and $S(x)$. For the convenience of calculation, we can get the nonlinearity by calculating the Walsh spectrum.

Definition 3. The Walsh spectrum is defined as below. (3) S< f > ( ) = (1) f ( x ) x i
xGF (2n )

where GF (2n ) , xi is dot product between x and . So the nonlinearity can also be calculated according to Eq. (4) N f = 2n 1 (1 2 n max2 S< f > ( ) ) (4)
GF (2 )

B. The strict avalanche criterion

The strict avalanche criterion (SAC) was first introduced by Webster and Tavares. A function satisfies the strict avalanche criterion if each of its output bits changes with a probability of one half whenever a single input bit x is complemented. In order to ascertain whether a given S-box fulfills the SAC, an efficient method was introduced in [3]; it proceeds as follows:

Step 1. An n-bit random plaintext vector X is generated and its corresponding m-bit ciphertext Y is obtained by substitution.

978-0-7695-3661-3/09 $25.00 2009 IEEE DOI 10.1109/ECBI.2009.15

Authorized licensed use limited to: Air University. Downloaded on March 10,2010 at 00:42:09 EST from IEEE Xplore. Restrictions apply.

Step 2. The set of n vectors (X1, X2, ..., Xn) is formed such that X and Xj differ only in bit j. The ciphertext vectors (Y1, Y2, ..., Yn) are then found, where Yj = f(Xj), and they are used to obtain the set of m-bit binary avalanche vectors (V1, V2, ..., Vn) such that $V_j = Y \oplus Y_j$.

Step 3. The value of bit i in Vj (either a 1 or 0) is added to element $a_{i,j}$ in the $m \times n$ dependence matrix.

Step 4. Randomly generate plaintext vectors X and repeat Steps 1-3 a large number of times r. Finally, each element in the matrix is divided by r. If each element and the mean value of the matrix are both close to the ideal value 0.5, the S-box approximately fulfills the SAC.

C. The output bits independence criterion

The output bits independence criterion (BIC) was also first introduced by Webster and Tavares [3], and is another desirable property for any cryptographic design. It means that all the avalanche variables should be pair-wise independent for a given set of avalanche vectors generated by the complementing of a single plaintext bit. In order to measure the degree of independence between a pair of avalanche variables, we can calculate their correlation coefficient. For two variables A and B,

#{x | xix = S ( x)iy} 1 (7) 2n 2 where x and y are input and output masks, respectively; X is the set of all possible inputs; and 2n is the number of its elements. LP = max
x , y 0
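The nonlinearity of Section II.A and the linear approximation probability of Eq. (7) both follow from the same Walsh spectrum; the C++ below is an added example showing this, not the paper's software. The function names are illustrative, an n×n S-box is assumed, the spectrum is computed with the standard fast Walsh-Hadamard transform, and the AES S-box (generated from its definition) serves as sample input.

```cpp
#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <vector>
using u8 = unsigned char;

static int parity(unsigned v) { int p = 0; for (; v; v &= v - 1) p ^= 1; return p; }
// Sample input: the AES S-box built from its definition (GF(2^8) inverse + affine map).
std::vector<int> aes_sbox() {
    std::vector<int> s(256);
    auto rotl = [](u8 v, int k) { return u8((v << k) | (v >> (8 - k))); };
    u8 p = 1, q = 1;
    do {
        p = u8(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));  // p = 3 * p
        q ^= q << 1; q ^= q << 2; q ^= q << 4;            // q = q / 3
        if (q & 0x80) q ^= 0x09;
        s[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63;
    } while (p != 1);
    s[0] = 0x63;
    return s;
}

// max |W_u(w)| over output masks u != 0 and input masks w >= first_w, where
// W_u(w) = sum over x of (-1)^(u.S(x) xor w.x), via fast Walsh-Hadamard butterflies.
int max_walsh(const std::vector<int>& S, int first_w) {
    const int N = (int)S.size();
    std::vector<int> W(N);
    int best = 0;
    for (int u = 1; u < N; ++u) {
        for (int x = 0; x < N; ++x) W[x] = parity(u & S[x]) ? -1 : 1;
        for (int h = 1; h < N; h <<= 1)
            for (int i = 0; i < N; i += 2 * h)
                for (int j = i; j < i + h; ++j) {
                    int a = W[j], b = W[j + h];
                    W[j] = a + b; W[j + h] = a - b;
                }
        for (int w = first_w; w < N; ++w) best = std::max(best, std::abs(W[w]));
    }
    return best;
}

// Nonlinearity: 2^(n-1) - max|W|/2 over all affine approximations (w = 0 included).
int sbox_nonlinearity(const std::vector<int>& S) { return (int)S.size() / 2 - max_walsh(S, 0) / 2; }
// Linear approximation probability: max |#matches/2^n - 1/2| = max|W| / 2^(n+1), w != 0.
double sbox_lp(const std::vector<int>& S) { return max_walsh(S, 1) / (2.0 * S.size()); }

int main() {
    std::vector<int> aes = aes_sbox();
    std::printf("NL = %d, LP = %.4f\n", sbox_nonlinearity(aes), sbox_lp(aes));
}
```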

F. The bijective property

For an $n \times n$ S-box, a method is introduced in Ref. [6] to check the bijective property. If the Boolean functions $f_i$ ($1 \le i \le n$) of an S-box are such that

$$wt\left(\sum_{i=1}^{n} a_i f_i\right) = 2^{n-1} \quad (8)$$

where $a_i \in \{0,1\}$, $(a_1, a_2, \ldots, a_n) \neq (0, 0, \ldots, 0)$ and wt() is the Hamming weight, this allows us to say that every $f_i$ is basically required to be 0/1 balanced and that the S-box is bijective.

III. THE SOFTWARE FOR TESTING S-BOX

{A, B} = cov{A, B} / ({A}{B})   (5)

where { A, B} is the correlation coefficient of A and B, cov(A, B) is the covariance of A and B, i.e. cov(A, B) = E{AB}-E{A}E{B} and 2 { A} = E{ A2 } ( E{ A}) 2 .

In Ref. [3], it is pointed out that for the Boolean functions $f_j$ and $f_k$ ($j \neq k$) of two output bits in an S-box, if the S-box meets the BIC, $f_j \oplus f_k$ ($j \neq k$, $1 \le j, k \le n$) should be highly nonlinear and come as close as possible to satisfying the SAC. Therefore, we can also verify the BIC by calculating the SAC and nonlinearity of $f_j \oplus f_k$.

D. Differential Approximation Probability

The nonlinear transformation S-box should ideally have differential uniformity. An input differential xi should uniquely map to an output differential yi, thereby ensuring a uniform mapping probability for each i. The differential approximation probability of a given S-box (i.e. DPs) is a measure for differential uniformity and is defined as

#{x X | S ( x) S ( x x ) = y} DP s (x y ) = (6) 2m

where X is the set of all possible input values, and $2^m$ is the number of its elements.
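The dependence matrix of Steps 1-4 (Section II.B) and the differential approximation probability of Section II.D are both statistics of the XOR differences between S(x) and S(x xor d), as this added C++ example shows; it is not the paper's code. It goes beyond the text by enumerating every input instead of drawing r random samples, assumes an n×n S-box, uses illustrative function names, and takes the 4-bit S-box of the PRESENT cipher as sample input.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <vector>

// Sample input (not from the page): the 4-bit S-box of the PRESENT block cipher.
const std::vector<int> PRESENT = {0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2};

// Dependence matrix A[i][j]: fraction of inputs X for which complementing input
// bit j flips output bit i (Steps 1-4, taken over every X rather than r samples).
std::vector<std::vector<double>> sac_matrix(const std::vector<int>& S, int n) {
    std::vector<std::vector<double>> A(n, std::vector<double>(n, 0.0));
    for (int j = 0; j < n; ++j)
        for (size_t x = 0; x < S.size(); ++x) {
            int v = S[x] ^ S[x ^ (1u << j)];          // avalanche vector V_j = Y xor Y_j
            for (int i = 0; i < n; ++i) A[i][j] += (v >> i) & 1;
        }
    for (auto& row : A)
        for (double& a : row) a /= S.size();
    return A;
}

// Largest distance of any matrix entry from the ideal SAC value 0.5.
double sac_worst_deviation(const std::vector<std::vector<double>>& A) {
    double worst = 0.0;
    for (const auto& row : A)
        for (double a : row) worst = std::max(worst, std::abs(a - 0.5));
    return worst;
}

// Maximum DP: max over dx != 0 and dy of #{x : S(x) xor S(x xor dx) = dy} / |X|.
double max_dp(const std::vector<int>& S) {
    const size_t N = S.size();
    int best = 0;
    for (size_t dx = 1; dx < N; ++dx) {
        std::vector<int> count(N, 0);                 // one row of the difference table
        for (size_t x = 0; x < N; ++x) ++count[S[x] ^ S[x ^ dx]];
        best = std::max(best, *std::max_element(count.begin(), count.end()));
    }
    return double(best) / N;
}

int main() {
    auto A = sac_matrix(PRESENT, 4);
    std::printf("SAC worst deviation = %.3f, max DP = %.4f\n",
                sac_worst_deviation(A), max_dp(PRESENT));
}
```

On this sample the entry A[0][0] equals 1.0: flipping the lowest input bit always flips the lowest output bit, so the matrix exposes a SAC failure that the maximum DP alone does not show.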

E. Linear Approximation Probability

The linear approximation probability is the maximum value of the imbalance of an event: the parity of the input bits selected by the mask x is equal to the parity of the output bits selected by the mask y. According to Matsui's original definition [9], the linear approximation probability (or probability of bias) of a given S-box is defined as

A. The software design

In this paper, the software for S-box performance analysis is developed using VS.net. Based on the formulas and numeric methods in Section II, each performance index is implemented as a function in unmanaged C++ for high efficiency. The head of each function and the corresponding description are as follows:

    int Nonlinearity(int BoolF[], int dim)
    /* This function is used to obtain the nonlinearity of the S-box.
       Parameter BoolF is the Boolean function;
       parameter dim is the dimension of the Boolean function. */

    void SAC(int S[], int count, float A[][COL])
    /* This function is used to calculate the dependence matrix.
       Parameter S represents the S-box;
       parameter count represents the count of elements in array S;
       parameter A is used to store the calculation results. */

    float DP(int S[], int count)
    /* This function is used to calculate the differential approximation
       probability of the S-box.
       Parameter S represents the S-box;
       parameter count represents the count of elements in array S. */

    float LP(int S[], int count)
    /* This function is used to calculate the linear approximation probability.
       The parameters are the same as those of function DP. */

    int Bijection(int S[], int count)
    /* This function is used to check whether the S-box satisfies the
       bijective property.
       The parameters are the same as those of function DP. */

For the BIC index, we judge whether the S-box satisfies this property by calling the functions Nonlinearity() and SAC(). In order to make full use of the functions mentioned above, all of them are compiled as DLLs. The user interface of the test software is implemented using C#, for it has high efficiency in designing graphic interfaces. In the process of designing the software, the index functions and the user interface are two independent parts, which not only makes full use of the merits of unmanaged C++ and C#, but also means that when one part of the software is amended, the other part does not need to be modified, provided the communication interface between them is not changed.

B. The software introduction

The software for S-box performance analysis has the following two main functions.

Function 1: calculates the performance indexes for the given S-box.

Function 2: selects the ones satisfying the performance requirement from a large number of S-boxes, which can be used to find S-boxes with high performance.

The MDI graphic interface is employed in this software and is shown in Figures 1 and 2. The software is very useful for evaluating S-boxes and aiding the design of block ciphers.

C. Simulation Test

The S-box presented in AES is used as the test example. The performance indexes of this S-box are calculated by using our software. The results are shown in Figures 3-8. By comparing with the corresponding data presented in Ref. [10], we may conclude that the results given by our software are correct.

Figure 3. The results of nonlinearity

Figure 1. The user interface of evaluating single S-box

Figure 4. The results of SAC

Figure 2. The user interface of selecting S-boxes satisfying the performance requirement

Figure 5. The differential approximation probability


IV. CONCLUSION

In this paper, the performance properties of the S-box are summarized. The corresponding formulas and numeric methods for calculating them are presented. Then the software for testing the performance indexes of an S-box is developed, which is very useful for evaluating S-boxes and finding the ones with high cryptographic performance. It is a good tool to aid S-box research and the design of block ciphers.

Figure 6. The linear approximation probability

V. ACKNOWLEDGEMENTS

The work described in this paper was supported by the National Natural Science Foundation of China (No. 60703035), the Foundation of Chongqing Education Committee (No. KJ070503), the Natural Science Foundation of CQ CSTC and the Natural Science Foundation of Chongqing University of Posts and Telecommunications (A2007-26).

REFERENCES

[1] Branstad D. K., Gait J. and Katzke S., "Report on the Workshop on Cryptography in Support of Computer Security", NBSIR, 1977.
[2] Adams C. M., Tavares S. E., "The Structured Design of Cryptographically Good S-Boxes", Journal of Cryptology, Vol. 3, No. 1, 1990, pp. 27-41.
[3] Webster A. F. and Tavares S. E., "On the Design of S-Boxes", in Advances in Cryptology: Proc. of CRYPTO'85, Springer-Verlag, New York, 1986, pp. 523-534.
[4] Adams C., Tavares S., "Good S-boxes Are Easy to Find", Advances in Cryptology, Proc. of CRYPTO'89, Lecture Notes in Computer Science, 1989, pp. 612-615.
[5] Dawson M. and Tavares S. E., "An Expanded Set of S-Box Design Criteria Based on Information Theory and its Relation to Differential-Like Attacks", in Advances in Cryptology: Proc. of Eurocrypt'91, Springer-Verlag, 1991, pp. 352-367.
[6] Detombe J., Tavares S., "Constructing Large Cryptographically Strong S-boxes", Advances in Cryptology, Proc. of CRYPTO'92, Lecture Notes in Computer Science, 1992, pp. 165-181.
[7] Fuller Joanne, Millan William, "On Linear Redundancy in the AES S-Box", http://eprint.iacr.org/2002/111.ps.gz.
[8] Muhammad Asim and Varun Jeoti, "Efficient and Simple Method for Designing Chaotic S-Boxes", ETRI Journal, vol. 30, no. 1, Feb. 2008, pp. 170-172.
[9] M. Matsui, "Linear Cryptanalysis Method of DES Cipher", Advances in Cryptology, Proc. Eurocrypt'93, LNCS 765, 1994, pp. 386-397.
[10] "Announcing the advanced encryption standard (AES)", http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Figure 7. The nonlinearity in BIC

Figure 8. The dependent matrix in BIC
