An Improved Version of AES Using a New Key Generation Process with Random Keys

Home , Avalanche effect, Correlation attack, Correlation immunity

Hindawi Security and Communication Networks Volume 2018, Article ID 9802475, 11 pages https://doi.org/10.1155/2018/9802475

Research Article RK-AES: An Improved Version of AES Using a New Key Generation Process with Random Keys

Rahul Saha ,1 G. Geetha ,1 Gulshan Kumar ,1 and Tai-hoon Kim2

1 Lovely Professional University, Jalandhar-Delhi, G.T. Road, Phagwara, Punjab, India 2Department of Convergence Security, Sungshin Women’s University, Seongbuk-gu 02844, Republic of Korea

Correspondence should be addressed to G. Geetha; [email protected]

Received 4 July 2018; Revised 12 October 2018; Accepted 25 October 2018; Published 6 November 2018

Academic Editor: Clemente Galdi

Copyright © 2018 Rahul Saha et al. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Advanced Encryption Standard (AES) is a standard algorithm for block ciphers for providing security services. A number of variations of this algorithm are available in network security domain. In spite of the strong security features, this algorithm has been recently broken down by the cryptanalysis processes. Terefore, it is required to improve the security strength of this algorithm as AES is popular in commercial use. In this paper, we have shown the reasons of the loopholes in AES and also have provided a solution by using our Symmetric Random Function Generator (SRFG). Te use of randomness in the key generation process in block cipher is novel in this domain. We have also compared our results with the original AES based upon some parameters such as nonlinearity, resiliency, balancedness, propagation characteristics, and immunity. Te results show that our proposed version of AES is better in withstanding attacks.

1. Introduction brute-force is not considered as its complexity is higher than any other process of cryptanalysis. Te objective of a third Cryptology is an important domain of security measure for party attacker is to break the ciphertext code or to reveal providing confdentiality, authentication, and other services the key or part of the key to get access of the plaintext. So, [1]. It contains two major parts as cryptography and crypt- the weak keys must be avoided in the algorithms. Further, it analysis. With the progress of technology, where the new may happen that the previously considered strong key is now cryptographic algorithms are emerging, the cryptanalysis made weak by the sophisticated technology or large com- processes are also getting improved; to countermeasure those putational abilities of the attackers. So, the need of strength more secure algorithms are getting developed. So, the cyclic analysis to withstand with attacks makes the evolving changes process of cryptography and cryptanalysis goes on. Te trend in the cryptographic algorithms. of converging to IoT exhibits an urge of improving the Cryptographic algorithms primarily depend on the struc- cryptographic algorithms for applications to be secure [2, 3]. ture of the algorithms and their corresponding functions [4]. Cryptographic algorithms are broadly categorized in two Apart from using basic gates such as AND, OR, NOT, and ways: (a) block ciphers and stream ciphers depending upon XOR in the algorithms, researchers also have shown some the format of the message processing; (b) symmetric and specialized Boolean functions for the symmetric property. asymmetric depending upon number of keys used for the Te generic Boolean functions have created the basic func- algorithms [1]. Designing such algorithms is another concern tionalities of generating any cryptographic function. How- where a number of principles are needed to be maintained ever, the technology progress and enhancing computational such as key size, message size, number of rounds, round ability of the attackers have urged a need of introducing function, and so on. Te selection of key and its size is a major new features in the function generators so that they can concerning factor in cryptography. A weak key can reveal provide more strength to the ciphers. Physical Unclonable the plaintext message with least time. Tough we know that Functions (PUFs) [5, 6] are providing solutions for this but cryptographic algorithms face brute-force attacks problems, as per the cryptographic features requirements; PUFs are 2 Security and Communication Networks

39 not efcient for cryptographic algorithms. Further, PUF is and 2 time complexity has been proved to be sufcient applicable for FPGA implementation as it is more hardware to recover the complete 256-bit key of a 9-round version oriented. Tough the objective of the presented approach and of AES-256. Another attack works on 10 round version of 45 PUF is same their orientation and process is totally diferent. AES-256 in 2 time complexity. An improved version of the Moreover, it has been shown that PUF is used as seed previous related key attack has been shown in [17] against which again leads to the tendency of pseudorandomness in round transformation and key expansion module in AES. �ℎ �ℎ key generation process which is not desirable. Balancedness, Te round has been now minimized from 9 to 7 which nonlinearity, resiliency, immunity, correlation, and propaga- means that AES is vulnerable even for the starting rounds. 192 tion characteristics are some of the important parameters to Te complexity of the attack has also been reduced from 2 104 evaluate the strength of the ciphers. In this paper, we have to 2 . Another voltage based fault induction method has considered Advanced Encryption Standard (AES) for our been introduced in [18]. Te authors show a fault model for a experimentation of randomness feature. We have attributed constantly underfed RISC CPU. Te faults are described in the key generation module of AES undergoing through our terms of position, recurring patterns, and timing, then the Symmetric Random Function Generator (SRFG) [7]. We corresponding errors induced in the computation outcomes have evaluated the modifed AES with the parameters said are specifed. Te model also support multibit patterns. Te above. use of biased faults also provides an efcient way to for fault Te rest of the paper has been organized as follows. injection attacks in cryptanalysis. Such a procedure has been Section 2 summarizes the various attacks on AES algorithm. shown in [19]. Section 3 describes the original AES algorithm. Section 4 A collision based attack against AES-192/256 has been shows the proposed modifcation for AES and in Section 5 we shownin[20].Teauthorshaveused4-rounddistinguisher have explained its properties. Section 6 analyses the security for7-roundreducedAES.Inthepaper[21],theauthors and Section 7 compares the related results. Finally, Section 8 have used variable key for AES sing pseudorandom number concludes the paper. generator for providing better security to the algorithm, but the approach faces the problem of using biased keys 2. Related Work against AES rounds. Biased keys are able to reveal the pseudorandomness of the approach and the key is deduced One of the most popular and commercialized algorithms further by applying diferential methods or fault injection is AES. Tis algorithm provides the encryption for web as shown before. Multiple deductions-based algebraic trace security processes as used by diferent applications such as driven cache attack on AES has been shown in [22]. Te e-commerce, router applications, and WiFi security. Being so behaviour of the cache reveals the input whole or partially. rigorously used in real life applications, AES faces a number Same input to a particular module and the changes of the of attacks. Some of the recent attacks are mentioned below. cache properties are the key features of this approach. Te A new kind of fault base attack has been proposed in authors have identifed the causes of a bias fault and also [8] which uses zero valued sensitivity model for masked have compared diferent biased fault attacks introduced till. AES. Combining the Faulty Sensitivity Analysis (FSA) and Quantum related key attacks have been shown in [23]. zero valued sensitivity, the proposed method of cryptanalysis is able to break code of the S-boxes in masked AES. Te A solution to the fault based injection attacks has been attack procedure shows that the zero value input of S-box provided in [24]. Te proposed scheme is independent of reveals the key eventually. Te authors in the paper [9] S-box and inverse S-box and achieves more than 95% fault have shown a diferential faulty approach used in the mix coverage. A recent approach against fault injection or fault column component of AES. Te results show that AES-128 analysis has been shown in [25]. It combines the principles of is breakable by such process only using two faulty inputs of redundancy with that of fault space transformation to achieve ciphertexts. Tis attack has been proved better as compared security against both DFA and DFIA based attacks on AES- to other diferential attacks on AES as shown in [10–12]. like block ciphers. Another improved version of faulty attack on AES has been Afer surveying the attacks on AES, it is obvious that executed in the paper [13]. Te authors show that a single fault injection attacks are more efcient in revealing the random byte fault at the input of the eighth round of the key in AES. Such fault injections are using the biased AES algorithm is sufcient to deduce the block cipher key. input too to distinguish the subkeys or other parts of the Simulations show that when two faulty ciphertexts pairs algorithm. Moreover, as AES is depending upon fnite feld are generated, the key can be exactly deduced without any operations of 8-bit bytes, the attacks are also executable brute-force search. Te minimal fault against AES has been with fnite quantifed complexities as we have seen above. used in [14]. Te authors show that AES-192 is breakable Te biased inputs along with fault bytes create error in the by using two pairs of correct and fault ciphertexts whereas process and those are denoted for performing diferential AES-256 is broken by using three pairs of correct and fault analysis or linear analysis. Eventually, the key is revealed. ciphertexts. Te work shown previously in [13] was having Terefore, to overcome such problems, we have introduced 32 akeyspaceof2 which has been reduced by the authors in the randomness and the balanced symmetric feature in the [15]. Key recovery attacks on AES have been described in [16]. functional output, specifcally in the keys. We have named In this paper, the authors have shown practical complexity this modifed AES as Random Key AES (RK-AES). As a result, based attacks against AES-256. Te use of two related keys even though attackers are deducing a part of key or injecting a Security and Communication Networks 3

cipher and fnally produces the ciphertext. Each round in AES ＜00 ＜01 ＜02 ＜03 follows the following steps.

SubBytes. Tis is a nonlinear step in the AES. It uses an S-box ＜10 ＜11 ＜12 ＜13 applied to the bytes of the state matrix. Each byte of the state matrixes is replaced by its multiplicative inverse, followed by an afne mapping as follows: ＜20 ＜21 ＜22 ＜23 � �� =�� ⊕�(�+4) �� 8 ⊕�(�+5) �� 8 ⊕�(�+6) �� 8 (2) ＜＜＜＜ 30 31 32 33 ⊕�(�+7) �� 8 ⊕��, for 0≤�<8

�ℎ �ℎ where �� is the � bit of the byte and �� is the � bit of a byte � Figure 1: State matrix representation. with the value 63 or 01100011. Tus the input byte � is related −1 to the output � of the S-box by the relation, �=�.� +�, where � and � are constant matrices [27]. biased fault, the fault will be converted to a symmetric output rather than revealing the original key or plaintext. Shif Rows. Te last three rows of the state matrix is rotated by Te main contributions of our research work are as a certain number of byte positions. It is executed as follows: follows: � ��,� =�(�,(�+�ℎ��(�+��))�� ) (1) Use of randomness in key generation process of AES. (3) 0<�<4��0<�<�� (2) Confrming high nonlinearity, resiliency, balanced- for ness, propagation, and immunity in key generation where �� is the number of words in the state matrix (each process. column in the state matrix is considered as word). In AES, �� (3) Ensuring high confusion and avalanche efect in key = 4 always as the input size is 128 bits and arranged in state generation. matrix of size 4 × 4. Each cell in the state matrix is denoted as swiththeindexofrow� and column �.

3. AES Algorithm MixColumns. Tis transformation operates on the state matrix column-by-column, considering each column as a Te Advanced Encryption Standard (AES) [26] was pub- 8 four-term polynomials over GF (2 ) and multiplied modulo lished by the National Institute of Standards and Technology 4+1 (NIST) in 2001. AES is a symmetric block cipher where a � with a fxed polynomial a(x), given by single key is used for both encryption and decryption process. � (�) = {03} �3 + {01} �2 + {01} �1 + {02} Te input and output for the AES algorithm each consist of (4) sequences of 128 bits. Te key used in this algorithm consists Te multiplication process with the columns of state matrix of 128, 192, or 256 bits. AES operates on 8-bit bytes. Tese is given by bytes are interpreted as the elements of fnite feld using the � following polynomial representation: � (�) =�(�) ⊗�(�) (5) �−1 �−1 �−2 � where ⊗ is multiplication modulo of polynomials and s(x) is � (�) =��−1� +��−2� +⋅⋅⋅+�1�+�0 = ∑�� (1) �=0 a state in the state matrix. AddRoundKey. In this process, a round key is added to the where each �� is having the value of 0 or 1. state by a simple bitwise XOR operation. Each round key is Te 128-bit input block of AES is arranged in a state �� matrix of size 4 × 4 as shown in Figure 1. Te elements of the having the size of Nb words from the key schedule. Tose words are each added to the columns of the state matrix to matrix are represented by the variable �� where 0≤�,�≤3 and i,j denotes the row and column number, respectively. satisfy the following condition: Depending upon the size of the bits in keys variables rounds [�� ,�� ,�� ,�� ]=[� ,� ,� ,� ] are allowed for AES. For our experimentation we have used 0,� 1,� 2,� 3,� 0,� 1,� 2,� 3,� key size of 256-bit concept and therefore, the number of ⊕[� ], (6) rounds used is 14 rounds represented as ��.Keyscheduling ��×��+� algorithm is also used in AES to provide keys to each of the for 0≤�<�� rounds. Te design of the key scheduling algorithm is such that the revealing any round key deduces the original input where ⊕ is the bitwise XOR and round is the round number key from which the round keys are derived. Te input state at which round key is added and 0≤��<��. matrix is processed by the various round transforms. Te state All these steps are performed for each of the round in matrixevolvesasitpassesthroughthevariousstepsofthe the AES excluding the last round. In the last round the 4 Security and Communication Networks

Plaintext Function Generator (SRFG) [7]. SRFG produces the symmetric balanced output in the sense of the number of 1’s and 0’s in the output string irrespective of the input string. It Add round key outputs a combined function comprised of universal GATEs (AND, OR, NOT, and XOR). Te expression for the proposed combined function generator is given as Substitute bytes 14th round � �� =⊗�� (8) Shi rows Substitute bytes where i =1,2,...,4,fouruniversalGATES:AND,OR,NOT, Mix columns Shi rows and XOR; L represents the expression length (number of Round 1 to 13 1 to Round terms in the combined function ��); and ⊗ represents the random combination. In our experiments we have used L = Add round key Add round key 5. To emphasize the randomness in such combined function generator, the above equation can be further expressed in � Ciphertext terms of input variables’ randomness in selection, as shown in (2). Figure 2: Round function steps in 14-round AES. � �� (�1,�2,...,��)=⊗�� [rand (�1,�2,...,��)] (9) For, our experimentation, the above equation is rewritten as MixColumn step is not performed. For a 14-round AES, the 5 round function process is shown in Figure 2. One of the �� (�1,�2) =⊗�� [rand (�1,�2)] (10) important parts of the round function stages is adding of round keys as these keys are generated by the key expansion Te main objective of adding SRFG in AES is to enable the routine. Te key expansion generates a total of ��(�� + 1) key expansion module with some randomness feature. Tis words: the algorithm requires an initial set of Nb words, and will help to prevent deducing the words of keys even though each of the �� rounds requires �� words of key data. Te partial key is in hand. Te modifed key expansion module resulting key schedule consists of a linear array of 4-byte has been shown in Figure 4; the changes are highlighted in words, denoted by [��], 0≤�≤��(��+1).Itusesa yellow colour. Te randomness of SRFG has been used in function SubWord () that takes these 4-byte words as input three parts: frst, in the function of g, secondly, the recursive and applies S-box to each of these words. Another function word generation from key spaces, and thirdly but most �� Rotword () is used to perform a circular permutation. Te prominently, addition of � and SRFG for generating the � � round constant array Rcon[i] contains the values specifed as words from 0 to 7. According to Figure 4(a), each column �−1 �−1 � [� , {00}, {00}, {00}] with � powers of � in the following inthekeyspaceisconsideredas � word.Asthekeysizeis256 bits, we shall have eight words �0,�1,�2,�3,�4,�5,�6,�7 equation: �ℎ in the very frst step. Te 8 word, i.e., �7,isgoingthrough (�−4)/4 8 4 3 � �� [�] =� mod (� +� +� +�+1), afunction . Tis function is also using SRFG just before (7) the output of the function as in Figure 4(b). Te output �ℎ�� ℎ� �� of � is then used to generate the other words processing through a series of SRFGs. Te same process is repeated Te key expansion routine for 256-bit keys (�� =8)isslightly till we get the required number of words for the 14 rounds diferent than for 128- and 192-bit keys. If �� =8andi-4isa in AES. For the decryption process, we have saved the multiple of ��,thenSubWord() is applied to w[i-1] prior to generated words and used them reversely with the ciphertext the XOR. �� is the number of 32-bit words of a key. to get back to the plaintext. In future, we shall work upon direct transmission of the keys rather than storing them for 4. RK-AES decryption. Te main problem in the key expansion of the AES algorithm 5. Feature Analysis of RK-AES is that the words �� generated from the original key are related to each other. If any word is traceable, the overall We have emphasized the key generation module of AES-14 key is deduced by the diferential method or liner methods round, so that the efect of biased inputs in the key bytes can of cryptanalysis. Tough the XOR operation, S-boxes, and be removed from deducing the overall key bytes. Te keys the shifing in � function, shown in Figure 3, are providing are deducing if the cryptanalysis process is able to infer a the confusion characteristics to the algorithm, the reverse linear or diferential equation out of the words generated from engineering process can easily get back to the original key the key expansion module. For the cryptanalysis process, space. Moreover, the biased inputs in the key space reveal it is not always necessary to have the whole key in hand; the diferences between the words to partially gain the key rather a single part of key if in the capture, the relationship space. To solve this problem in AES, we have modifed the between diferent words is sufcient in revealing the overall key expansion module of AES with Symmetric Random key space. With the progress of cryptanalysis technologies, Security and Communication Networks 5

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31 W

＂0 ＂1 ＂2 ＂3 g Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7 g

＂1 ＂2 ＂3 ＂0

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15 g S S S S

    ＂1 ＂2 ＂3 ＂0

２＃Ｄ 0 0 0

ＱＱＱＱＱＱＱＱ 52 53 54 55 56 57 58 59 ７

(a) Word key generation (b) g function Figure 3: Key expansion for 14-round AES.

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28 W

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29 ＂0 ＂1 ＂2 ＂3 g Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30 ＥＥＥＥＥＥＥＥ２＃ 3 7 11 15 19 23 27 31 i 0 0 0

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7 g ＂1 ＂2 ＂3 ＂0

SSS S Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15 g

    ＂1 ＂2 ＂3 ＂0

SRFG ２＃Ｄ 0 0 0 Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59

 is representing SRFG here ７

(a) Word key generation (b) g function Figure 4: Proposed key expansion for 14 round AES. generating such relations or deducing keys from subkeys is is the fnite feld of two elements 0, 1 and ⊕ is any operation getting faster with less complexity as we have seen in the of the feld �2. literature review. We have identifed some of the parameters Any combined function �� ∈ B2 of fve terms is expressed for our proposed key-expansion module for RK-AES such as as a polynomial which is basically termed as Algebraic nonlinearity, balancedness, resiliency, propagation criterion, Normal Form (ANF) of the function and given as � and immunity. Each word � in the key space is comprised 2 � � of 32 bits (4 bytes) which is considered as 32-bit word vector � (� ,� )=⊕� (∏ (� ) � ) , B � 1 2 � rand � in our experimentation. Let 2 be the set of all symmetric �=1 (11) random combined functions on two variables of all the 2 2 2 functions from �2 into �2 where �2 =(�1,�2)|�� ∈�2. �2 �� ∈�2,�∈�2 �� ∈ Z 6 Security and Communication Networks

� =⊕� V , � � ( ) Te above equation also provides the feature of trivial bal- (12) ancedness corresponding to symmetric functions. Terefore, �⪯�,∀�� =�� ,�� ,...,�� 1 2 32 �� verifes the condition �1�� =1. Te functions having � � =1 � where 1 � do not exist for even values of (here n = 32 for words and n = 128 for rounds) because for any word vector (� ,� ,...,� )⪯(�,� ,...,� ) � such that ��(�) = �/2 (where ��(�) is the weight of word �1 �2 �32 1 2 32 (13) vectordefnedasnumberof1sinit),wecancalculatethe�1 �� ∀�, �, � ≤� ��=1,2,...,32 �� as � � � � � =�(�) ⊞� (�+1) =� ( )⊞� ( )=0 Te output of � dependsontheweightofitsinputvariables 1 � � � � 2 � 2 (19) (number of 1s in the variable). As a result, �� corresponds to a 2 function �� :{0,,1,...,32}�→�2 such that ∀� ∈ � ,��(�) = 2 5.3. Resiliency. Te correlation between the output of the key ��(��(�)).Tesequence��(��)=(��(0), ��(1),...,��(32)) expansion function and a small subset of its input variables for 32-bit word vector is considered as simplifed value vector leads to the correlation attack [28], linear or diferential of ��. To establish the relation between simplifed value vector cryptanalysis [29]. Terefore, it is necessary for the key and arithmetic normal form, (11) can be rewritten as shown expansion function to achieve the high resiliency property. A in (13). function �� of � variables each of having � bits is m-resilient 2 � if it remains balanced when any � input variables are fxed �� (� − �) �� (�1,�2)=⊕�� (�) ⊕ (∏rand (��) ) (14) and remaining bits are altered. Te function is more �=1 resilient if � is higher. Te property of resiliency is related to the weights of the restrictions of the �� to some subspaces. =⊕�� (�) X�,� (15) 2 ∀�� ∈�2 and any afne any subspace S ⊂�2 ,the � S 2 restriction of � to is the function given as where ��(�), �∈�2 ,and�∈Z, � = {1, 2}. X�,� is � the elementary polynomial of degree with 2 variables. Te �S : S �→ � 2 (20) coefcients of arithmetic normal form of �� are represented by 32-bit vector, �(��)={��(0), ��(1),...,��(32)}, called ��→�� (�) ,∀�∈S (21) simplifed vector of ANF of ��. where, �S can be determined by the with a function of dim(S) variables. Te subspace S is spanned by � canonical 5.1. Nonlinearity. Nonlinearity is an important design char- S acteristic for cryptographic functions used in cryptographic basis vectors and its supplementary subspace is .Te restrictions of �� to S and to all its cosets are given by algorithms to prevent diferent types of correlation or linear S �∈S � attacks or even related attacks. Tis feature is depending on a+ where .Being � symmetric and balanced, � � S is represented as S =(�1,�2,...,��) and ��+S becomes the bits of the word vectors �. � is also considered as the �∈S afne transformations of the functions generated from the symmetric and balanced too. Moreover, for all ,wecan SRFG used. Te nonlinearity is calculated by the hamming write the following: distance between two afne transformations. For example, ��+S (�) =�(�+�) =�� (�� (�) +��(�)) (22) two word are �� and �� of 32 bits each. � � � which actually depends upon the weight of when is fxed. N�(� ,� )=∑� =�̸ ,�ℎ��=32 Te simplifed value vector and the simplifed ANF vector of �� (16) �=1 ��+S can be deduced from �� as given below.

�� (�) =�� (�+��(�)) ,∀�,0≤�≤� Each of the rounds in AES is using 4 words (128 bits) as ��+S (23) subkeys. Te nonlinearity between two subkeys used for any � � �� (�) =⊕�� (� + �) , two rounds �, � can be measured as ��+S (24) � ∀�,0≤�≤��⪯��(�) N�(�,� )=∑� =�̸ , �ℎ�� = 128 � � �� (17) �=1 5.4. Propagation Criterion. Propagation criterion is determined by the cryptographic properties of the derivatives of 5.2. Balancedness. Balanced property of our proposed key the functions. For the efciency of a cryptographic function, expansion function �� exists if its simplifed value vector �� the function needs to propagate its properties to all its follows the following condition: derivatives. All derivatives of the key expansion function are ∀� = {1, 2} , linearly equivalent when they have a fxed hamming weight of �/2 [7]. Our proposed approach of key expansion N variables �� (�) =�� (2−�) ⊞1, (18) applied from our previous work [7] satisfes the propagation criterion of degree k and order m if any afne function �ℎ�� ⊞ �� V�� 2 obtained from the outputs by keeping � input bits constant Security and Communication Networks 7

� satisfes the propagation criterion of degree �.Considering 0and[�1(��,(��) )] is the matching of output words from each round for experimentation, one has the following. the key expansion process and its reverse with respect to value 2 Let �� ∈ B2 and let ��,�� ∈�2 , ∀�,� = 1,2,...,14such 1. Following the above property, an interesting feature of our ��(� )=��(�)=�/2 � � � � that � � .Ten, �� and �� are linearly proposed key expansion module has been identifed and the equivalent. proposition has been given as follows. Tis signifes that if we change the input variables with � 2 Proposition 1. In AES-256, if [�0(��,(��) )] = �0 and a linear permutation � of �2 , �� =�� ∘�,where∘ is � � � � [�1(��,(��) )] = �1,then��(��,(��) )=�0 +�1. composite function. Te permutation � exists on the variable � =�(�) � in a way so that that � � .Since � is symmetric and Algebraic immunity is related to the annihilator of a balanced, we can have function [30]. To evaluate this property for our proposed key expansion we can consider the following. �� (� (�)) =�� (�) ,�ℎ��∈S (25) � � Given, �� ∈ B2, any function of the set �(��)={�∈�2 | �� = 0} is defned as the annihilator of the function ��.Te Let � be an integer, 1≤�≤�−1, �∈�� =(�� ,�� ,...,�� ), 1 2 �−� algebraic immunity of �� is denoted by ��(��) is minimum � =� +⋅⋅⋅+� �=�+� �∈S and � �−�+1 �.Tenforany �,with , degree of all nonzero annihilators of �(�) or �(�)+1.Tevalue then we can have the following: of ��(��) is given as �� (�) =��(�) +��(�) � � (26) �� (��)=min [deg (�)� �=0, ̸ (31) �� (� + ��)=��(�) +��(�� +��) �∈�(��)∪�(�� +1) (27) =��(�) +�−��(��) As we have used SRFG to generate the output words, minimum degree is always �/2. Terefore, the algebraic immunity Tus, ∀�∈�, of the outputs from it is always n/2 which is always optimal. � � (� + �) = � (�+�) ⊞� (� + � +�) �� 6. Security Analysis of RK-AES

=��(�) +��(�� +��) In the above section, we have analysed the overall features of the proposed key expansion modifcation in AES-256 using =��(�) +�−��(��) (28) the SRFG. To justify the features, in this section we have performed the security analysis on our modifed AES key =�� (�� (�) +�(��)) expansion module. We have considered two attacks: related attacks and fault analysis attacks. ⊞(��(�) +�−�(��)) 6.1. Related Key Attack Analysis. Related key attacks use the Equation (28) signifes that �� follows the symmetric prop- linear relations or diferential relations among the keys to erty. Tis means that partial derivatives of our proposed key deduce the original key. expansion outputs are also propagated with the propagation Let �� be a known nonzero word diference for input and features. � be an output diference of S-box for the input diference ��. To execute the attack with this diferences, the diference 214 −1 5.5. Immunity. Te proposed key expansion module deals ocanbeoneof values, because of the symmetry of the XOR operation as used in generic AES-256 algorithm with the variables (words) with 32 bits (no modifcation 15 has been done on bit size). Two types of immunity are in and the �� diferencecanbeoneof2 −1diferences concern: correlation immunity and algebraic immunity. For, including whitening of keys. Once these diferences are in a correlation immunity, considering each of the two input bounded value region, the probability deducing of the key is variables �� as 32-bit binary vector the outputs are correlation also higher. In our proposed modifed AES, the nonlinearity immune if feature increases this diference and therefore, the key space 1 of searching also increases drastically. For a 32-bit word in �� (�� =��)= , 1≤�≤32 (29) key space, the complexity of searching space increases with 2 the following formula:

Te probability distribution must be equal for all the bits and 32 �� ℎ= 2 .2 (32) therefore, the output words �� have the following property: � � � � where �� is the value of nonlinearity in the proposed AES key �min [�0 (��,(��) )−�1 (��,(��) )]� = min [�] �→ � � expansionandtheaveragevalueof�� = 20.7. Terefore, the (30) 52.7 0 complexity becomes 2 which is more than the diferential attacks key searching complexities on AES. Tis shows � where [�0(��,(��) )] is the matching of output words from that our proposed algorithm is preventive in diferential the key expansion process and its reverse with respect to value attacks. 8 Security and Communication Networks

Furthermore, the attacker uses four related but unknown the relationship among word byte or even words of round. keys as ��1,��2,��3,��4. Te objective of the attacker is to Terefore in original AES, the key recovery space is reduced recover ��1. Te relation required to establish the attack is with less complexity as we have seen in the literature review. Recollecting (11) and (12), we can have the following � =� ⊕△�∗ �2 �1 (33a) proposition for AES-256. � ��3 =��1 ⊕△� (33b) Proposition 3. For AES-256, using SRFG with two variables and t expression terms, the complexity of key recovery with any � =� ⊕△�∗ ⊕△�� 4 �1 (33c) two random faulty byte is calculated as ∗ where △� isthecipherkeydiferenceusedforthefrst 0 � 1 related-key diferential � for 1 to 7 round and △� is �� (��) = � 2 �� 60 (38) thecipherkeydiferenceusedforthesecondrelated-key ∑⊕�� (∏�=1rand (��) ) .�2 1 diferential � used for 8 to 14 round. Assuming that the ∗ � attacker only has the information regarding △� and △� , For any random faulty key byte, the output of the layered the back tracing probability to recover any 32-bit words (any SRFGs is always nonlinear and balanced. Terefore according word out of the 60 words) is calculated as to Proposition 2 the diferences and/or the linear equations 1 become invalid as the fault is not further propagated to other � (� ) = bytes. Terefore, our proposed key expansion is preventive � (2�.�.��.2�) (34) � even in fault injection bytes. For our proposed modifed AES-256 key expansion, number of bits in each word is n = 32, total number of words including 7. Results of Comparison whiteningkeywordsisi=60,totalnumberofexpression length L = 5, and total number variables used for each We have compared our experimentation results of RK-AES operation is V = 2. Using the values, the probability becomes with the original AES algorithm. Te comparison is done as on the basis of some features: nonlinearity, balancedness, 1 1 resiliency, propagation criterion, correlation immunity, and �(�)= = algebraic immunity. As we have modifed only the key � (232 ×60×�5 ×22) 239 × 225 (35) 5 expansion module, the results are derived only for key expansion only without involving the plaintext processing Te above result show that the probability is too less to or transformations in round function. We have compared recover a single word of AES-256 using our proposed 215 data samples for each RK-AES and original AES. Te approach of key expansion. comparison results are shown in Table 1 by averaging all the In Figure 4, it is shown that the words are generated using results. SRFG rather than using simple XOR operation. Terefore, Te comparison results in Table 1 signify that our pro- (33a), (33b), and (33c) will not be feasible for our proposed posed modifcation of key expansion is working efciently solution of AES using SRFG. It means, the proposed solution △�∗ △�� in AES in terms of the above said features. Moreover, the is related attack resistant. Moreover, and are a balancedness and the correlation immunity are 0 in original factorindeducingthekey.But,asourproposedsolution △�∗ △�� AES. Our proposed modifcation is providing a higher value provides a high nonlinearity, and are not suitable for balancedness which is useful for preventing bitsum to recover the words of the key space. From the observation of attacks [31]. Te high correlation immunity will also help the or experimentation, we have inferred a proposition as follows. modifed AES to prevent correlation attacks [28]. ∗ Moreover,wehavecomparedthecomputationtimefor Proposition 2. Considering △� is the cipher key diference 0 � our experiments with the original AES algorithm. In this used for the frst related-key diferential � and △� is the comparison too, we have assumed the time for plaintext pro- cipher key diference used for the second related-key diferential �1 cessing and transformations in round function are constant , nonlinearity is inversely proportional to the nonlinearity. as no modifcation has done on them. Terefore, Table 2 only 1 1 compares the time taken for the key expansion process. �0 ⊢△�∗ ∝ �� 1 ⊢△�� ∝ �� (36) Te time comparison results show that using the SRFG in AES key expansion modifcation is increasing the time con- 0 1 ∗ � 1 ∴�.� ⊢△� .△� ∝ (37) sumption in generating the key words and thus contributing ��2 to the trade-of between security and time consumption. To support this trade-of and overcome with the security issues, 6.2. Fault Injection Analysis. In this part, we have only we have also compared the attack for both the original AES considered the fault injection in the key bytes. We assume and the modifed AES. that the faulty key byte is injected in the key matrix for any Table 3 describes the fact that the cost of the attacks for random original key byte. Te faulty input is inferred from our proposed RK-AES is much higher than the original AES the biased input of all 0 bits byte or all 1 bits byte. In the duetotheuseofrandomnesswithSRFGinseverallayer.Tis original AES, using such faulty and biased inputs reveals signifes that RK-AES is better in terms of security. Security and Communication Networks 9

Table 1: Comparison of parameters.

Order of Order of Order of Order of Order of Order of Propagation Correlation Algebraic Non-linearity Balancedness Resiliency criterion immunity immunity Original �/2 − log2� 0 �/2 − 2 log2� + �/4 �/10 �/6 AES-256 Proposed �/2 × 0.65+log25 �/2 �/2−2 �×0.73+log25� �/2 RK-AES nisthevalueofbitsinawordofkeyspace

Table 2: Time consumption comparison.

Hardware specifcation for computation: CPU: 2.6Ghz, i3 6th,Gen with 16 GB RAM Average Time Consumption (in milliseconds)

Schemes 32 bit key words �0 to �7 32 bit key words �8 to �59�function Original, AES 3.67 5.73 6.32 RK-AES 6.78 8.87 9.33

Table3:Comparisonofcostofattacks.

Fault injection Diferential Linear Related key attack analysis cryptanalysis cryptanalysis analysis in key space 32 14 32 26 Original AES 2 2 −1 2 2 52.7 60 52.7 129 RK-AES 2 2 2 ≈2

Lastly, we have compared two prime evaluation parame- �V��ℎ��−�� =0.33×(n ×0.73+log25) ter of encryption algorithms: confusion and avalanche efect. � + (0.33 × ) + (0.33 × ) Confusion property requires the statistical relationship of n 2 between the ciphertext and key to be more complex. Besides, avalanche efect requires change in the ciphertext bits if ≅ 24.31 any single bit is changed in the key. We have calculated (41) confusion property in terms of nonlinearity and resiliency. Te avalanche efect is measured in terms of propagation Similarly, we have calculated the values for confusion and criterion, correlation immunity, and algebraic immunity. Te avalanche efect in original AES. Considering the orders in calculation formula for confusion and avalanche efect have Table 1, the values are as follows: been given below. � �� = � ×��+� × �� =0.33×( − )+(0.33 × 0) 1 2 �� 2 log2n (39) (42) +� × �� 3 +0.33×( − 2) ≅ 7.59 2 �V��ℎ� = �1 × �� + �2 �V��ℎ�� =0.33×(log2n +�/4)+(0.33×�/10)+(0.33× × �� + � 3 (40) �/6) ≅ 15.816. Te similar result of Avalanche efect is also × �� experimented in the bit values of the data samples. Table 4 compares the avalanche efect. where �1,�2,and�3 are the weights assigned to the features. Te comparison results of confusion property and We have considered for our experimentation of RK-AES, avalanche efect also show the improvement of the parameters �1 =�2 =�3 =0.33,andn=32bit. as compared to the original AES algorithm. Terefore, following Table 1, the values for confusion and avalanche efect in RK-AES are � 8. Conclusion ��−�� =0.33×( ×0.65+log25) 2 AESisapopularsymmetricblockcipherusedbydiferent � � commercialization sectors. But this algorithm is facing a + (0.33 × ) + 0.33 × ( −2) 2 2 number of cryptanalysis efects as we have seen in the literature review. Terefore, in this paper we have tried to solve ≅ 22.621 the problem by incorporating the changes in key expansion 10 Security and Communication Networks

Table 4: Avalanche efect comparison.

Weighted value of Avalanche Average number of bits changed Original AES 15.816 17.3 bits out of 32 bits Proposed RK-AES 24.310 ≈ 25 bits out of 32 bits module. Te highlight of this work is to apply randomness [7] R. Saha and G. Geetha, “Symmetric random function generator in the key generation. Moreover, as per our previous work, (SRFG): A novel cryptographic primitive for designing fast and using SRFG as a cryptographic function in AES has been robust algorithms,” Chaos, Solitons & Fractals,vol.104,pp.371– proved benefcial. Te justifcation for the same has been 377, 2017. already shown in the paper. Te results show that RK-AES [8]Q.Wang,A.Wang,L.Wu,andJ.Zhang,“Anewzerovalue is having three times better confusion property and 53.7% attack combined fault sensitivity analysis on masked AES,” better avalanche efect as compared to the original AES. Te Microprocessors and Microsystems, vol. 45, pp. 355–362, 2016. limitation of our present work is about the time taken by the [9] G. Piret and J. Quisquater, “A diferential fault attack technique modifed key expansion module which is actually creating a against spn structures, with application to the AES and khazad,” trade-of between security and time. It is also known that both in Cryptographic Hardware and Embedded Systems - CHES these two cannot be achieved simultaneously. Terefore, if we 2003,vol.2779ofLecture Notes in Computer Science, pp. 77–88, Springer, Berlin, Heidelberg, Germany, 2003. ignore the part of the time, our proposed RK-AES is efcient in all respects of cryptographic algorithms. Furthermore, [10] J. Bl¨omer and J. Seifert, “Fault Based Cryptanalysis of the Advanced Encryption Standard (AES),” in Financial Cryptogra- being a symmetric key algorithm AES uses the single key phy,vol.2742ofLecture Notes in Computer Science, pp. 162–181, for both encryption and decryption. In our present work, Springer Berlin Heidelberg, Berlin, Heidelberg, 2003. the round keys are stored separately as each round keys are [11] P. Dusart, G. Letourneux, and O. Vivolo, “Diferential Fault generated randomly and are used for decryption accordingly. Analysis on A.E.S,” in Applied Cryptography and Network In our future work, we shall try to work on the trade-of and Security,vol.2846ofLecture Notes in Computer Science,pp. also about the storing process of round keys. 293–306, Springer Berlin Heidelberg, Berlin, Heidelberg, 2003. [12] C. Giraud, “DFA on AES,”in Proceedings of the 4th Int Conf AES Data Availability 2004, pp. 27–41, 2004. [13] D. Mukhopadhyay, “An improved fault based attack of the Te data will be made available on request. advanced encryption standard,” Lect. Notes Comput. Sci. (including Subser. Lect.Notes Artif. Intell. Lect. Notes Bioinfor- matics),vol.5580,pp.421–434,2009. Conflicts of Interest [14] C. H. Kim, “Diferential fault analysis against AES-192 and AES- 256 with minimal faults,” in Proceedings of the 7th International Te authors declare that there are no conficts of interest Workshop on Fault Diagnosis and Tolerance in Cryptography, regarding the publication of this paper. FDTC 2010,pp.3–9,USA,August2010. [15] M. Tunstall, D. Mukhopadhyay, and S. Ali, “Diferential fault References analysis of the advanced encryption standard using a single fault,” Inf. Secur. Teory Pract. Secur. Priv. Mob. Devices Wirel. [1] W.Stallings, Cryptography and Network Security: Principles and Commun, pp. 224–233, 2011. Practices,Pearson,2005. [16]A.Biryukov,O.Dunkelman,N.Keller,D.Khovratovich,andA. [2]S.Sciancalepore,G.Piro,G.Boggia,andG.Bianchi,“Publickey Shamir, “Key recovery attacks of practical complexity on AES- authentication and key agreement in iot devices with minimal 256 variants with up to 10 rounds,”in Advances in cryptology— airtime consumption,” IEEE Embedded Systems Letters,vol.9, EUROCRYPT 2010, vol. 6110 of Lecture Notes in Comput. Sci., no.1,pp.1–4,2017. pp.299–318,Springer,Berlin,2010. [17] J. Cui, L. Huang, H. Zhong, and W.Yang, “Improved related-key [3]S.Raza,L.Seitz,D.Sitenkov,andG.Selander,“S3K:Scalable attack on 7-round AES-128/256,” in Proceedings of the ICCSE security with symmetric keys - DTLS key establishment for the 2010 - 5th International Conference on Computer Science and internet of things,” IEEE Transactions on Automation Science Education, pp. 462–466, 2010. and Engineering,vol.13,no.3,pp.1270–1280,2016. [18]A.Barenghi,G.M.Bertoni,L.Breveglieri,andG.Pelosi,“A [4] T.W.CusickandP.Stanica,Cryptographic Boolean functions and fault induction technique based on voltage underfeeding with applications, Elsevier/Academic Press, 2017. application to attacks against AES and RSA,” Te Journal of [5]J.Zhang,Y.Lin,Y.Lyu,andG.Qu,“APUF-FSMBinding Systems and Sofware,vol.86,no.7,pp.1864–1878,2013. Scheme for FPGA IP Protection andPay-Per-Device Licensing,” [19] N. Farhady Ghalaty, B. Yuce, and P. Schaumont, “Analyzing IEEE Transactions on Information Forensics and Security,vol.10, the Efciency of Biased-Fault Based Attacks,” IEEE Embedded no. 6, pp. 1137–1150, 2015. Systems Letters,vol.8,no.2,pp.33–36,2016. [6]J.-L.Zhang,G.Qu,Y.-Q.Lv,andQ.Zhou,“Asurveyonsilicon [20]J.Kang,K.Jeong,J.Sung,S.Hong,andK.Lee,“Collision PUFs and recent advances in ring oscillator PUFs,” Journal of attacks on AES-192/256, Crypton-192/256, mCrypton-96/128, Computer Science and Technology,vol.29,no.4,pp.664–678, and anubis,” Journal of Applied Mathematics,vol.2013,Article 2014. ID 713673, 10 pages, 2013. Security and Communication Networks 11

[21] S. Sahmoud, “Enhancement the Security of AES Against Mod- ern Attacks by Using Variable Key Block Cipher,” Int. Arab J. e-Technol,vol.3,pp.17–26,2013. [22]X.Zhao,S.Guo,F.Zhangetal.,“Acomprehensivestudyof multiple deductions-based algebraic trace driven cache attacks on AES,” Computers & Security,vol.39,pp.173–189,2013. [23] M. Roetteler and R. Steinwandt, “A note on quantum related- key attacks,” Information Processing Letters,vol.115,no.1,pp. 40–44, 2015. [24] H. Mestiri, F. Kahri, B. Bouallegue, and M. Machhout, “A high-speed AES design resistant to fault injection attacks,” Microprocessors and Microsystems,vol.41,pp.47–55,2016. [25] S. Patranabis, A. Chakraborty, D. Mukhopadhyay, and P. P. Chakrabarti, “Fault Space Transformation: A Generic Approach to Counter Diferential Fault Analysis and Diferential Fault Intensity Analysis on AES-Like Block Ciphers,” IEEE Transac- tions on Information Forensics and Security,vol.12,no.5,pp. 1092–1102, 2017. [26] Specifcation for the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197,2001. [27] J. Daemen and V. Rijmen, Te Design of Rijndael: AES-Te Advanced Encryption Standard, Springer, Berlin, Germany, 2002. [28] T. Siegenthaler, “Correlation-immunity of nonlinear combining functions for cryptographic applications,” Institute of Electrical and Electronics Engineers Transactions on Information Teory, vol. 30, no. 5, pp. 776–780, 1984. [29] Y. Wei and Y. Hu, “Linear-diferential cryptanalysis for SPN cipher structure and AES,” Wuhan University Journal of Natural Sciences,vol.12,no.1,pp.37–40,2007. [30] O. R. B. de Oliveira, “An Alternative Method for the Undeter- mined Coefcients and the Annihilator Methods,”2011, https:// arxiv.org/abs/1110.4425. [31] Amandeep and G. Geetha, “Analysis of bitsum attack on block ciphers,” Journal of Discrete Mathematical Sciences & Cryptography,vol.19,no.4,pp.875–885,2016. International Journal of Rotating Advances in Machinery Multimedia

Journal of The Scientifc Journal of Engineering World Journal Sensors Hindawi Hindawi Publishing Corporation Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 http://www.hindawi.comwww.hindawi.com Volume 20182013 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Journal of Control Science and Engineering

Advances in Civil Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Submit your manuscripts at www.hindawi.com

Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

VLSI Design Advances in OptoElectronics International Journal of Modelling & International Journal of Simulation Aerospace Navigation and in Engineering Observation Engineering

Hindawi Hindawi Hindawi Hindawi Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 Volume 2018 Hindawi www.hindawi.com www.hindawi.com www.hindawi.com Volume 2018

International Journal of International Journal of Antennas and Active and Passive Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration

Hindawi Hindawi Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018