Linear Redundancy in S-Boxes

Abstract: Abstract. This paper reports the discovery of linear redundancy in the S-boxes of many ciphers recently proposed for standardisation (including Rijndael, the new AES). We introduce a new method to efficiently detect affine equivalence of Boolean functions, and hence we study the variety of equivalence classes existing in random and published S-boxes. This leads us to propose a new randomness criterion for these components. We present experimental data supporting the notion that linear redundancy is very rare i… Show more

“…Since S-boxes are usually implemented as look up tables, they are attractive for fast software encryption algorithms [3]. Most of popular block ciphers and some of stream ciphers have adopted various S-boxes and a lot of research has been given to designing "better" S-boxes.…”

“…There have been proposed [3] several methods to generate cryptographically useful S-boxes, such as the selection of nearly optimal (for differential [2] and linear [9] attacks) boolean functions as components of the S-boxes, random generation, using finite field operations and heuristic algorithms. Among these, finite field power operation based S-boxes achieve [3] several security criteria simultaneously, and have been used in many cipher proposals including Rijndael [14,15], major portfolio of NESSIE [19], ARIA [17] in Korea, and CRYPTREC [18] in Japan, mentioned only a few.…”

“…Among these, finite field power operation based S-boxes achieve [3] several security criteria simultaneously, and have been used in many cipher proposals including Rijndael [14,15], major portfolio of NESSIE [19], ARIA [17] in Korea, and CRYPTREC [18] in Japan, mentioned only a few.…”

“…There have been some progress in the research of algebraic aspect of Rijndael S-box. It is known [13,3,7] that every component function of Rijndael S-box is a single term trace function on finite field GF(256), and has a property of algebraic linear redundancy that is inherent in finite field exponentiation. At the same time, researchers successively have proposed several improved S-boxes.…”

“…At the same time, researchers successively have proposed several improved S-boxes. In [7], the research effort has focused on the S-boxes with no simple algebraic expression while Fuller and Millan in [3] concentrates on the S-boxes with no linear redundancy. This paper is organized as follows.…”

Improved Rijndael-Like S-Box and Its Transform Domain Analysis

“…Since S-boxes are usually implemented as look up tables, they are attractive for fast software encryption algorithms [3]. Most of popular block ciphers and some of stream ciphers have adopted various S-boxes and a lot of research has been given to designing "better" S-boxes.…”

“…There have been proposed [3] several methods to generate cryptographically useful S-boxes, such as the selection of nearly optimal (for differential [2] and linear [9] attacks) boolean functions as components of the S-boxes, random generation, using finite field operations and heuristic algorithms. Among these, finite field power operation based S-boxes achieve [3] several security criteria simultaneously, and have been used in many cipher proposals including Rijndael [14,15], major portfolio of NESSIE [19], ARIA [17] in Korea, and CRYPTREC [18] in Japan, mentioned only a few.…”

“…Among these, finite field power operation based S-boxes achieve [3] several security criteria simultaneously, and have been used in many cipher proposals including Rijndael [14,15], major portfolio of NESSIE [19], ARIA [17] in Korea, and CRYPTREC [18] in Japan, mentioned only a few.…”

“…There have been some progress in the research of algebraic aspect of Rijndael S-box. It is known [13,3,7] that every component function of Rijndael S-box is a single term trace function on finite field GF(256), and has a property of algebraic linear redundancy that is inherent in finite field exponentiation. At the same time, researchers successively have proposed several improved S-boxes.…”

“…At the same time, researchers successively have proposed several improved S-boxes. In [7], the research effort has focused on the S-boxes with no simple algebraic expression while Fuller and Millan in [3] concentrates on the S-boxes with no linear redundancy. This paper is organized as follows.…”

Improved Rijndael-Like S-Box and Its Transform Domain Analysis

Dragon: A Fast Word Based Stream Cipher

New Cryptographic Applications of Boolean Function Equivalence Classes