
Khoa học và Công nghệ trong lĩnh vực An toàn thông tin

From AES to Dynamic AES

Pablo Freyre, Oristela Cuellar, Nelson Díaz and Adrián Alfonso

Abstract—The cryptographic algorithm AES (Advanced Encryption Standard) works with the transformations SubBytes, ShiftRows, MixColumns and AddRoundKey, all of them fixed and selected a priori. In this paper, we will show dynamic variants of AES, where the new transformations are RandomSubBytes, RandomShiftRows, RandomMixColumns and RandomAffineTransfKey.

Abstract (Vietnamese version)—The AES encryption algorithm (Advanced Encryption Standard) consists of the transformations SubBytes, ShiftRows, MixColumn and AddRoundKey. All of these transformations are fixed and chosen a priori. In this paper, the authors present several dynamic variants of AES, in which the new transformations are RandomSubBytes, RandomShiftRows, RandomMixColumns and RandomAffineTransfKey.

Keywords—Block cipher; AES; Dynamic transformations.

I. INTRODUCTION

Rijndael is a cryptographic algorithm designed by the Belgian Joan Daemen and Vincent Rijmen and submitted to the AES competition in 1997. Announced as a winner in 2001, Rijndael was adopted as a standard [1] and named AES (Advanced Encryption Standard), with some specifications in terms of block and key sizes.

AES works with the fixed transformations SubBytes, ShiftRows, MixColumns and AddRoundKey, all of them selected a priori [2], [3]; however, a large number of AES variants with dynamic transformations depending on secret key can be seen in the specialized literature [4]–[18].

Other cryptographic algorithms have been proposed with dynamic transformations in terms of greater security in their design. Two examples are: the block cipher Twofish [19], resulting a finalist in the AES competition, and the block cipher Grand Cru [17], submitted to the NESSIE process.

The aim of this paper is to show dynamic variants of the block cipher AES, working in all cases with the transformations RandomSubBytes, RandomShiftRows, RandomMixColumns and RandomAffineTransfKey, which are obtained at random from the set of all its possible choices.

We also present the algorithms for the random generation of the dynamic transformations cited above from pseudorandom sequences generated through the key schedule of AES or any other pseudorandom number generator, and we explain how the transformations RandomSubBytes and RandomAffineTransfKey represent two different approaches.

This work begins with a brief description of the cryptographic algorithm AES, continues with the explanation of the dynamic variants that we propose, as well as the dynamic transformations used in the rounds, and concludes with the presentation of the necessary algorithms for the random generation of these transformations.

Our contributions: In this paper, fully dynamic variants of the block cipher AES are presented, where all original transformations are replaced by key-dependent transformations, selected at random from the set of all its possible choices. A new algorithm for the random generation of MDS matrices in $GL_{4\times 4}(GF(2^8))$, and a random key-dependent affine transformation as an alternative variant for the key addition are presented.

This manuscript is received on May 22, 2020. It is commented on May 28, 2020 and is accepted on August 14, 2020 by the first reviewer. It is commented on June 31, 2020 and is accepted on August 18, 2020 by the second reviewer.

Số 1.CS (11) 2020 11 Journal of Science and Technology on Information security

II. THE BLOCK CIPHER AES

The operations in the cryptographic algorithm AES are performed in the Galois field $GF(2^8)$, so the input block and the output block are arrays of 16 bytes each one.

The bytes of the input block are located inside a matrix with 4 rows and 4 columns, named state matrix $S = (s_{i,j})$, so that for every input block $p_0 p_1 p_2, \ldots, p_{15}$ we have $s_{i,j} = p_{i+4j}$, $0 \le i, j < 4$. The last state is transformed into the output block $c_0 c_1 c_2 c_3, \ldots, c_{15}$ in the inverse sense, $c_{i+4j} = s_{i,j}$ for every $0 \le i, j < 4$.

The secret key is another array of bytes, of size 16, 24 or 32, which is transformed into a matrix of 4 rows and $N_k$ columns, where $N_k = 4$, $N_k = 6$ or $N_k = 8$ depending on the size of the key. The number of rounds $N_r$ also depends on the size of the key, and it is computed as $N_r = N_k + 6$, where $N_k$ rounds are added as security margin according to the criteria of the designers [3].

In each round a 16-byte-key is available. The 16-byte-keys are generated from the independently of the encryption process, and the following transformations act on the state matrix offering :

1. SubBytes, acting like an S-box on every byte of the state.
2. ShiftRows, performing cyclic rotations on the rows of the state.
3. MixColumns, multiplying every column of the state by one MDS matrix.
4. AddRoundKey, adding all bytes of the state with the round key.

The key schedule of AES can be seen in [2], [3] as well as any other detail of interest in its design criteria. We present next the pseudocode of the encryption process.

Encryption process of AES

    AES(State, CipherKey)
    {
        KeyExpansion(CipherKey, ExpandedKey);
        AddRoundKey(State, ExpandedKey[0]);
        for (i = 1; i < Nr; i++)
        {
            SubBytes(State);
            ShiftRows(State);
            MixColumns(State);
            AddRoundKey(State, ExpandedKey[i]);
        }
        SubBytes(State);
        ShiftRows(State);
        AddRoundKey(State, ExpandedKey[Nr]);
    }

In AES, the S-box has been selected in such a way that the maximum correlation over it is at most $2^{-3}$ and the difference propagation probability is at most $2^{-6}$. It is proven that the number of active S-boxes in four rounds of AES is lower bounded by 25, it gives us a minimum weight of 150 for any four-round differential trail, and a maximum correlation contribution of $2^{-75}$ for any four-round linear trail.

Hence, there are no eight-round trails with a weight below 300 or a correlation contribution less than $2^{-150}$. The designers of AES consider this sufficient to resist differential and linear attacks; however, they added $N_k$ extra rounds as security margin.

III. THE DYNAMIC AES

Dynamic encryption is a way to design block cipher algorithms, and AES has several dynamic variants in specialized literature. This idea is formally presented in [18] and constitutes a practical strength for block ciphers if the dynamic transformations satisfy the design requirements of the original transformations, since the dynamic algorithm has at least the same security as the original algorithm [18], [20].

In this section, we propose dynamic variants of the cryptographic algorithm AES, using the random transformations RandomSubBytes, RandomShiftRows, RandomMixColumns and RandomAffineTransfKey, as is shown in the next pseudocode.


Encryption process of the dynamic variants

    AESDynamicVariant(State, CipherKey)
    {
        KeyExpansion(CipherKey, ExpandedKey)
        RandomSubBytes(sequence1, SubBytes)
        RandomShiftRows(sequence2, ShiftRows)
        RandomMixColumns(sequence3, MixColumns)
        RandomAffineTransfKey(sequence4, TransfKey)
        AffineTransfKey(State, ExpandedKey[0])
        for (i = 1; i < Nr; i++)
        {
            SubBytes(State)
            ShiftRows(State)
            MixColumns(State)
            AffineTransfKey(State, ExpandedKey[i])
        }
        SubBytes(State)
        ShiftRows(State)
        AffineTransfKey(State, ExpandedKey[Nr])
    }

Here sequence$_i$ is a pseudorandom sequence for all $1 \le i \le 4$ that can be obtained from any pseudorandom number generator or directly from the AES key schedule.

A. RandomSubBytes

The random transformation RandomSubBytes is presented for the replacement of the fixed transformation SubBytes of AES, but it is derived into the two random transformations RandomMatrix and RandomPermutation with a different approach, each one of them used separately to provide confusion into the encryption process.

SubBytes acts like a S-box denoted as $S_{DR}$ on every byte of the state, constructed through a non-affine transformation and an affine transformation. This S-box was selected by the AES designers taking in mind a complex algebraic expression; however, in the proposed dynamic variants, we consider to use a random S-box so that its algebraic expression will be unknown.

The first change that we propose is the generation of a random invertible matrix in $GL_{8\times 8}(GF(2))$ used to construct a key-dependent affine transformation, this way RandomMatrix composed with $S_{DR}$ acts like a random S-box $RS_{DR}[x]$.

The second change is to construct a random S-box independent from $S_{DR}$ through a random permutation $\Pi$ of the symmetric group $S_{256}$, this way the transformation RandomPermutation acts like the random S-box $RS_{DR}[x] = \Pi[x]$.

Both, RandomMatrix and RandomPermutation, can be used without worrying on the cryptographic properties of the random S-box $RS_{DR}$ if we use the encryption process in short plain texts or we use a rekeyed mode of operation for big plain texts. For the use of a block cipher in one of these modes, see for example [21] and [22].

B. RandomShiftRows and RandomMixColumns

The random transformations RandomShiftRows and RandomMixColumns are presented for the replacement of the fixed transformations ShiftRows and MixColumns of AES respectively, providing both diffusion as well as the original transformations.

ShiftRows acts on the rows of the state cyclically rotating their bytes 0, 1, 2 or 3 positions to the left respectively, providing dispersion between the columns of the state. The random ShiftRows is a random diffusion optimal permutation $R$ of the symmetric group $S_{16}$ [3] so that the bytes inside every column of the state are located into different columns after $R$.

MixColumns acts on the state multiplying every column by the MDS matrix

$$\begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix}$$

providing maximal local diffusion into the columns of the state. The random MixColumn is a random MDS matrix in $GL_{4\times 4}(GF(2^8))$.
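The statement in Section III.A that a random S-box can be used without regard to its cryptographic properties can be measured against the two AES S-box figures quoted in Section II (maximum correlation $2^{-3}$, difference propagation probability $2^{-6}$). The Python below is an added example, not code from the paper: the function names are hypothetical, and a seeded `random.Random` shuffle stands in for the key-derived permutation $\Pi$.

```python
"""Added example: profile a candidate S-box with the two metrics the paper
quotes for the AES S-box. Function names are hypothetical."""
import random


def aes_sbox():
    """Rebuild the fixed AES S-box S_DR (inverse in GF(2^8) followed by the
    affine map) by walking the field with the generator 0x03."""
    def rotl8(v, s):
        return ((v << s) | (v >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1
    while True:
        # p <- p * 3 in GF(2^8)
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        # q <- q / 3, so q remains the multiplicative inverse of p
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine transformation of the inverse
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63          # 0 has no inverse; the standard maps it to 0x63
    return sbox


def random_sbox(seed):
    """Random permutation of S256. random.Random is only a stand-in for the
    key-derived sequence; it is not a cryptographic generator."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return perm


def differential_uniformity(sbox):
    """Largest count of x with S[x] ^ S[x ^ a] == b over a != 0 and all b.
    Dividing by 256 gives the maximum difference propagation probability."""
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def max_walsh(sbox):
    """Largest |sum_x (-1)^(a.x ^ b.S[x])| over all a and b != 0, computed
    with a fast Walsh-Hadamard transform per output mask b.
    Dividing by 256 gives the maximum correlation."""
    best = 0
    for b in range(1, 256):
        w = [1 - 2 * (bin(b & s).count("1") & 1) for s in sbox]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in w))
    return best


def sbox_profile(sbox):
    """Return (differential uniformity, maximum Walsh coefficient)."""
    if sorted(sbox) != list(range(256)):
        raise ValueError("S-box must be a permutation of 0..255")
    return differential_uniformity(sbox), max_walsh(sbox)


if __name__ == "__main__":
    for name, box in (("AES", aes_sbox()), ("random", random_sbox(1))):
        du, wal = sbox_profile(box)
        print(f"{name}: diff. probability {du}/256, correlation {wal}/256")
```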
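The RandomShiftRows requirement stated above (the bytes of one column end up in four different columns) can be checked mechanically for the construction $R[4i+j] = 4R_i[j] + R_{4+R_i[j]}[i]$ that Section IV.C gives for it. This Python is an added example, not the authors' code: it assumes 0-based indices and the layout $s_{i,j} = p_{i+4j}$, so byte $p_k$ sits in column $\lfloor k/4 \rfloor$, and it also shows that the fixed AES ShiftRows is one instance of the construction.

```python
"""Added example: RandomShiftRows as a diffusion optimal permutation of S16.

Assumptions (not from the paper): indices are 0-based, byte p_k of the block
sits in row k % 4 and column k // 4, and R[k] is the position that input
byte k moves to.
"""
import random


def build_R(perms):
    """Combine R_0..R_7 (each a permutation of 0..3) into R of S16 using
    R[4i + j] = 4 * R_i[j] + R_{4 + R_i[j]}[i]."""
    if len(perms) != 8 or any(sorted(p) != [0, 1, 2, 3] for p in perms):
        raise ValueError("need eight permutations of (0, 1, 2, 3)")
    R = [0] * 16
    for i in range(4):              # i: source column
        for j in range(4):          # j: row inside the source column
            col = perms[i][j]       # destination column, distinct for each j
            R[4 * i + j] = 4 * col + perms[4 + col][i]
    return R


def is_permutation(R):
    return sorted(R) == list(range(16))


def is_diffusion_optimal(R):
    """True if the four bytes of every source column land in four
    different destination columns."""
    return all(len({R[4 * i + j] // 4 for j in range(4)}) == 4
               for i in range(4))


def apply_permutation(R, block):
    """Move block[src] to position R[src] for every src."""
    out = [0] * 16
    for src, dst in enumerate(R):
        out[dst] = block[src]
    return out


def shiftrows_as_sequence():
    """The eight S4 permutations that reproduce the fixed AES ShiftRows:
    row j of column i moves to column (i - j) mod 4 and keeps its row."""
    first = [[(i - j) % 4 for j in range(4)] for i in range(4)]
    second = [[(i - c) % 4 for i in range(4)] for c in range(4)]
    return first + second


def random_sequence(seed):
    """Eight random permutations of S4. random.Random is only a stand-in for
    the key-derived pseudorandom sequence the paper calls sequence2."""
    rng = random.Random(seed)
    return [rng.sample(range(4), 4) for _ in range(8)]


if __name__ == "__main__":
    R = build_R(random_sequence(2020))
    print("R =", R)
    print("permutation:", is_permutation(R),
          "diffusion optimal:", is_diffusion_optimal(R))
    print("ShiftRows:", apply_permutation(build_R(shiftrows_as_sequence()),
                                          list(range(16))))
```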
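Whatever procedure produces the RandomMixColumns matrix, the result can be validated against both MDS characterisations quoted in Section IV.D: all square sub-matrices non-singular (first method), and full rank with an all-non-zero inverse and non-singular 2x2 sub-matrices (second method, from [28]). This Python is an added example and a checker only, not the paper's generation algorithm; the function names and the `NOT_MDS` sample are constructed here, and arithmetic is in $GF(2^8)$ modulo the Rijndael polynomial $P(y)$ given in the Appendix.

```python
"""Added example: test a 4x4 matrix over GF(2^8) against both MDS
characterisations quoted in the paper. Function names are hypothetical."""
from itertools import combinations
import random

AES_MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# Constructed counter-example: non-zero entries, but the top-left 2x2
# sub-matrix [[1, 1], [1, 1]] is singular.
NOT_MDS = [[1, 1, 2, 3], [1, 1, 3, 2], [2, 3, 1, 1], [3, 2, 1, 1]]


def gf_mul(a, b):
    """Product in GF(2^8) modulo P(y) = y^8 + y^4 + y^3 + y + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Inverse of a non-zero element as a^254 (square and multiply)."""
    result, e = 1, 254
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inverse_matrix(m):
    """Gauss-Jordan inverse over GF(2^8); returns None if m is singular."""
    n = len(m)
    a = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c]), None)
        if piv is None:
            return None
        a[c], a[piv] = a[piv], a[c]
        inv = gf_inv(a[c][c])
        a[c] = [gf_mul(inv, v) for v in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [v ^ gf_mul(f, w) for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]


def is_singular(m):
    return gf_inverse_matrix(m) is None


def submatrices(m, k):
    """All k x k sub-matrices obtained by choosing k rows and k columns."""
    idx = range(len(m))
    for rows in combinations(idx, k):
        for cols in combinations(idx, k):
            yield [[m[r][c] for c in cols] for r in rows]


def is_mds_all_minors(m):
    """First characterisation: every square sub-matrix is non-singular."""
    return not any(is_singular(s)
                   for k in range(1, len(m) + 1) for s in submatrices(m, k))


def is_mds_inverse_test(m):
    """Second characterisation [28]: all entries non-zero, full rank,
    inverse with all entries non-zero, all 2x2 sub-matrices non-singular."""
    if any(v == 0 for row in m for v in row):
        return False
    inv = gf_inverse_matrix(m)
    if inv is None or any(v == 0 for row in inv for v in row):
        return False
    return not any(is_singular(s) for s in submatrices(m, 2))


def criteria_agree(trials, seed):
    """Run both tests on random matrices with non-zero entries and return
    (all_agree, number_found_mds). random.Random is a stand-in here, not a
    key-derived sequence."""
    rng = random.Random(seed)
    agree, found = True, 0
    for _ in range(trials):
        m = [[rng.randrange(1, 256) for _ in range(4)] for _ in range(4)]
        a, b = is_mds_all_minors(m), is_mds_inverse_test(m)
        agree = agree and (a == b)
        found += a
    return agree, found


if __name__ == "__main__":
    print("AES MixColumns MDS:", is_mds_all_minors(AES_MIX),
          is_mds_inverse_test(AES_MIX))
    print("constructed counter-example MDS:", is_mds_all_minors(NOT_MDS),
          is_mds_inverse_test(NOT_MDS))
    print("criteria agree on random samples:", criteria_agree(20, 1))
```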

C. RandomAffineTransfKey

In this paper, three ways to introduce the round key in the round function are proposed. The first way consists in a bitwise XOR like in AES, the second way consists in a random key-dependent affine transformation on the state of the form:

$$S \cdot M \oplus \text{ExpandedKey}[t]$$

where $S$ is the state matrix and $M$ is a random invertible matrix in $GL_{4\times 4}(GF(2^8))$, and the third way consists in a random key-dependent affine transformation on every byte of the state of the form:

$$L \cdot s_{i,j} \oplus \text{ExpandedKey}[t]_{i,j}$$

where $L$ is a random invertible matrix in $GL_{8\times 8}(GF(2))$ for all $0 \le i, j < 4$.

The first two ways of AffineTransfKey were also proposed in [23] for the block cipher SHARK and the pseudocode of the encryption process for the dynamic AES with these transformations was given above. In the third way of AffineTransfKey the two steps of the round function AffineTransfKey(State, ExpandedKey[t]) and SubBytes(State) can be computed as

$$(RS_{DR} \circ L) \cdot s_{i,j} \oplus L^{-1}(\text{ExpandedKey}[t]_{i,j})$$

for all $0 \le i, j < 4$, then in terms of a more efficient encryption process for this case the pseudocode of the encryption process that we propose is:

Encryption process of the dynamic variant

    AESDynamicVariant(State, CipherKey)
    {
        KeyExpansion(CipherKey, ExpandedKey)
        RandomSubBytes(sequence1, SubBytes)
        RandomShiftRows(sequence2, ShiftRows)
        RandomMixColumns(sequence3, MixColumns)
        RandomMatrix(sequence4, L)
        AddRoundKey(State, L^{-1}(ExpandedKey[0]))
        for (i = 1; i < Nr; i++)
        {
            (SubBytes o L)(State)
            ShiftRows(State)
            MixColumns(State)
            AddRoundKey(State, L^{-1}(ExpandedKey[i]))
        }
        (SubBytes o L)(State)
        ShiftRows(State)
        AddRoundKey(State, L^{-1}(ExpandedKey[Nr]))
    }

IV. THE RANDOM TRANSFORMATIONS

The algorithms that we will present in this section allow the generation of RandomSubBytes, RandomShiftRows, RandomMixColumns and RandomAffineTransfKey, all of them are randomly generated from the set of all its possible choices.

The pseudorandom sequences used to compute these transformations are generated through the key schedule process or any other pseudorandom number generator. The inverse transformations are generated in a similar way.

A. Random Invertible Matrices

First, we present an algorithm for the random generation of invertible matrices in $GL_{8\times 8}(GF(2))$, used for the transformations RandomMatrix, in place of SubBytes, and RandomAffineTransfKey.

The theoretical bases and complexity analysis for the random generation of such matrices and their inverses can be found in [24].

Input:

- Primitive polynomials $g_1(x), g_2(x), \ldots, g_7(x)$ in $GF(2)[x]$ selected a priori so that $\deg(g_1(x)) = 8$, $\deg(g_2(x)) = 7$, …, $\deg(g_7(x)) = 2$.


- Pseudorandom binary sequence written as matrix

$$\begin{bmatrix}
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} & b_{1,4} & b_{1,5} & b_{1,6} & b_{1,7} \\
c_{2,0} & b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} & b_{2,4} & b_{2,5} & b_{2,6} \\
c_{3,0} & c_{3,1} & b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3} & b_{3,4} & b_{3,5} \\
c_{4,0} & c_{4,1} & c_{4,2} & b_{4,0} & b_{4,1} & b_{4,2} & b_{4,3} & b_{4,4} \\
c_{5,0} & c_{5,1} & c_{5,2} & c_{5,3} & b_{5,0} & b_{5,1} & b_{5,2} & b_{5,3} \\
c_{6,0} & c_{6,1} & c_{6,2} & c_{6,3} & c_{6,4} & b_{6,0} & b_{6,1} & b_{6,2} \\
c_{7,0} & c_{7,1} & c_{7,2} & c_{7,3} & c_{7,4} & c_{7,5} & b_{7,0} & b_{7,1} \\
c_{8,0} & c_{8,1} & c_{8,2} & c_{8,3} & c_{8,4} & c_{8,5} & c_{8,6} & b_{8,0}
\end{bmatrix}$$

where $b_{k,0}, b_{k,1}, \cdots, b_{k,8-k} \neq 0$ for all $1 \le k \le 8$.

{

Step 1: Computation of the first row

Input: $(a_0, a_1, a_2, \cdots, a_7) = (1, 0, \ldots, 0, 0)$

$$\hat{a}_0 + \hat{a}_1 x + \cdots + \hat{a}_7 x^7 = (a_0 + a_1 x + \cdots + a_7 x^7)(b_{1,0} + b_{1,1} x + \cdots + b_{1,7} x^7) \bmod g_1(x)$$

$(a_0, a_1, \cdots, a_7) = (\hat{a}_0, \hat{a}_1, \cdots, \hat{a}_7)$

Output: $row_1 = (a_0, a_1, \cdots, a_7)$

Step 2: Computation of the row $2 \le j \le 8$

Input: $(a_0, a_1, \cdots, a_7)$ the $j$-th canonical vector

for ($i = j$; $i > 1$; $i$--)
{

$$\hat{a}_0 = a_0 + c_{i,0} a_{i-1}$$
$$\hat{a}_1 = a_1 + c_{i,1} a_{i-1}$$
$$\vdots$$
$$\hat{a}_{i-2} = a_{i-2} + c_{i,i-2} a_{i-1}$$
$$\hat{a}_{i-1} + \hat{a}_i x + \cdots + \hat{a}_7 x^{8-i} = (a_{i-1} + a_i x + \cdots + a_7 x^{8-i})(b_{i,0} + b_{i,1} x + \cdots + b_{i,8-i} x^{8-i}) \bmod g_i(x)$$

$(a_0, a_1, \cdots, a_7) = (\hat{a}_0, \hat{a}_1, \cdots, \hat{a}_7)$

}

Output: $row_j = (a_0, a_1, \ldots, a_7)$

}

Output:

$$\text{Matrix } A = \begin{pmatrix} row_1 \\ row_2 \\ \vdots \\ row_8 \end{pmatrix}$$

B. Random Permutations

Now we present an algorithm for the random generation of a permutation in the symmetric group $S_{256}$ used for the transformation RandomPermutation in place of SubBytes. The theoretical bases and the complexity analysis for the random generation of a permutation in the symmetric group $S_n$ can be found in [25].

Input:

Pseudorandom sequence $(\gamma_1, \gamma_2, \cdots, \gamma_{255})$ where $\gamma_i \in \{i, i+1, \cdots, 256\}$ for all $1 \le i \le 255$.

    {
        γ_256 = 256
        for (j = 1; j < 256; j++)
        {
            π[j] = j
            for (i = j; i > 0; i--)
            {
                π[j] = (π[j] + γ_i − i)
                if π[j] > 256 then π[j] = (π[j] + i − 1) mod 256
            }
        }
    }

Output:

$$\text{Permutation } \Pi = \begin{pmatrix} 1 & 2 & \cdots & 255 \\ \pi[1] & \pi[2] & \cdots & \pi[255] \end{pmatrix}$$

C. Random Diffusion Optimal Permutations

Next we present an algorithm for the random generation of a diffusion optimal permutation in the symmetric group $S_{16}$, used for the transformation RandomShiftRows in place of ShiftRows. The theoretical bases and the complexity analysis for the random generation of such permutations can be found in [26].

Input:

Sequence of random permutations $R_0, R_1, \cdots, R_7$ where $R_i \in S_4$ for all $0 \le i < 8$. (These can be generated with the algorithm described above.)

    {
        for (i = 0; i < 4; i++)
        {
            for (j = 0; j < 4; j++)
                R[4i + j] = 4(R_i[j]) + R_{4+R_i[j]}[i]
        }
    }

Output:

$$\text{Diffusion optimal permutation } R = \begin{pmatrix} 1 & 2 & \cdots & 16 \\ R[1] & R[2] & \cdots & R[16] \end{pmatrix}$$

Observations: The sequence of permutations $R_i$, where $0 \le i < 8$, can be applied directly on the state in such a way that $R_0$, $R_1$, $R_2$ and $R_3$ are applied on the columns of the state, and once the resultant state is transposed, $R_4$, $R_5$, $R_6$ and $R_7$ are applied on the columns again.

D. Random MDS Matrices

In this subsection, we present two methods for the random generation of a MDS matrix in $GL_{4\times 4}(GF(2^8))$. The complexity of both algorithms is very similar to the complexity of the algorithms presented in [24] for the generation of an invertible matrix and its inverse with elements in $GF(p^k)$, where $p$ is prime and $k \in \mathbb{N}$.

We present first the algorithms for the random generation of an invertible matrix in $GL_{4\times 4}(GF(2^8))$ and its inverse, which also will be used for RandomAffineTransfKey in place of AddRoundKey.

Computation of an invertible matrix:

Input:

- Primitive polynomials $g_1(x)$, $g_2(x)$ and $g_3(x)$ in $GF(2^8)[x]$ selected a priori so that $\deg(g_1(x)) = 4$, $\deg(g_2(x)) = 3$ and $\deg(g_3(x)) = 2$.

- Pseudorandom sequence written as matrix

$$M = \begin{bmatrix}
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
c_{2,0} & b_{2,0} & b_{2,1} & b_{2,2} \\
c_{3,0} & c_{3,1} & b_{3,0} & b_{3,1} \\
c_{4,0} & c_{4,1} & c_{4,2} & b_{4,0}
\end{bmatrix}$$

where $c_{i,j}, b_{k,t} \in GF(2^8)$ and $b_{k,0}, \cdots, b_{k,4-k} \neq 0$ for all $2 \le i \le 4$, $1 \le k \le 4$ and $0 \le j \le i-2$, $0 \le t \le 4-k$.

{

Step 1: Computation of the first row

Input: $(a_0, a_1, a_2, a_3) = (1, 0, 0, 0)$

$$\hat{a}_0 + \hat{a}_1 x + \hat{a}_2 x^2 + \hat{a}_3 x^3 = (a_0 + a_1 x + a_2 x^2 + a_3 x^3)(b_{1,0} + b_{1,1} x + b_{1,2} x^2 + b_{1,3} x^3) \bmod g_1(x)$$

$(a_0, a_1, a_2, a_3) = (\hat{a}_0, \hat{a}_1, \hat{a}_2, \hat{a}_3)$

Output: $row_1 = (a_0, a_1, a_2, a_3)$

Step 2: Computation of the row $2 \le j \le 4$

Input: $(a_0, a_1, a_2, a_3)$ the $j$-th canonical vector

for ($i = j$; $i > 1$; $i$--)
{

$$\hat{a}_0 = a_0 + c_{i,0} a_{i-1}$$
$$\hat{a}_1 = a_1 + c_{i,1} a_{i-1}$$
$$\vdots$$
$$\hat{a}_{i-2} = a_{i-2} + c_{i,i-2} a_{i-1}$$
$$\hat{a}_{i-1} + \hat{a}_i x + \cdots + \hat{a}_3 x^{4-i} = (a_{i-1} + a_i x + \cdots + a_3 x^{4-i})(b_{i,0} + b_{i,1} x + \cdots + b_{i,4-i} x^{4-i}) \bmod g_i(x)$$

$(a_0, a_1, a_2, a_3) = (\hat{a}_0, \hat{a}_1, \hat{a}_2, \hat{a}_3)$

}

Output: $row_j = (a_0, a_1, a_2, a_3)$

}


Output:

$$\text{Matrix } A = \begin{pmatrix} row_1 \\ row_2 \\ row_3 \\ row_4 \end{pmatrix}$$

Computation of the inverse matrix:

Input:

- Primitive polynomials $g_1(x)$, $g_2(x)$ and $g_3(x)$ in $GF(2^8)[x]$ selected a priori so that $\deg(g_1(x)) = 4$, $\deg(g_2(x)) = 3$ and $\deg(g_3(x)) = 2$.

- Pseudorandom sequence written as matrix

$$M = \begin{bmatrix}
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
c_{2,0} & b_{2,0} & b_{2,1} & b_{2,2} \\
c_{3,0} & c_{3,1} & b_{3,0} & b_{3,1} \\
c_{4,0} & c_{4,1} & c_{4,2} & b_{4,0}
\end{bmatrix}$$

where $c_{i,j}, b_{k,t} \in GF(2^8)$ and $b_{k,0}, \cdots, b_{k,4-k} \neq 0$ for all $2 \le i \le 4$, $1 \le k \le 4$ and $0 \le j \le i-2$, $0 \le t \le 4-k$.

{

Computation of the row $1 \le j \le 4$

Step 1:

Input: $(a_0, a_1, a_2, a_3)$ the $j$-th canonical vector

$$\hat{a}_0 + \hat{a}_1 x + \hat{a}_2 x^2 + \hat{a}_3 x^3 = (a_0 + a_1 x + a_2 x^2 + a_3 x^3)(b_{1,0} + b_{1,1} x + b_{1,2} x^2 + b_{1,3} x^3)^{-1} \bmod g_1(x)$$

$(a_0, a_1, a_2, a_3) = (\hat{a}_0, \hat{a}_1, \hat{a}_2, \hat{a}_3)$

Output: $(a_0, a_1, a_2, a_3)$

Step 2:

Input: $(a_0, a_1, a_2, a_3)$

for ($i = 2$; $i \le 4$; $i$++)
{

$$\hat{a}_{i-1} + \hat{a}_i x + \cdots + \hat{a}_3 x^{4-i} = (a_{i-1} + a_i x + \cdots + a_3 x^{4-i})(b_{i,0} + b_{i,1} x + \cdots + b_{i,4-i} x^{4-i})^{-1} \bmod g_i(x)$$
$$\hat{a}_0 = a_0 + c_{i,0} a_{i-1}$$
$$\hat{a}_1 = a_1 + c_{i,1} a_{i-1}$$
$$\vdots$$
$$\hat{a}_{i-2} = a_{i-2} + c_{i,i-2} a_{i-1}$$

$(a_0, a_1, a_2, a_3) = (\hat{a}_0, \hat{a}_1, \hat{a}_2, \hat{a}_3)$

}

Output: $row_j = (a_0, a_1, a_2, a_3)$

}

Output:

$$\text{Matrix } A^{-1} = \begin{pmatrix} row_1 \\ row_2 \\ row_3 \\ row_4 \end{pmatrix}$$

Now we are able to present the algorithms necessary for the computation of a random MDS matrix for RandomMixColumns.

The first method:

Here we show as first method for the random generation of a MDS matrix a simpler presentation of the algorithm described in [27], where the next definition of MDS matrix has been used:

Any 4x4 matrix over $GF(2^n)$ with all non-zero elements is a MDS matrix if and only if all its square sub-matrices are not singular.

Input:

- Primitive polynomials $g_1(x)$, $g_2(x)$ and $g_3(x)$ in $GF(2^8)[x]$ selected a priori so that $\deg(g_1(x)) = 4$, $\deg(g_2(x)) = 3$ and $\deg(g_3(x)) = 2$.

- Pseudorandom sequence written as matrix

$$M = \begin{bmatrix}
- & b_{1,1} & b_{1,2} & b_{1,3} \\
c_{2,0} & b_{2,0} & b_{2,1} & b_{2,2} \\
c_{3,0} & c_{3,1} & b_{3,0} & b_{3,1} \\
c_{4,0} & c_{4,1} & c_{4,2} & b_{4,0}
\end{bmatrix}$$

where $c_{i,j}, b_{k,t} \in GF(2^8)$ and $b_{k,0}, \cdots, b_{k,4-k} \neq 0$ for all $2 \le i \le 4$, $2 \le k \le 4$ and $0 \le j \le 2$, $0 \le t \le 3$, and also $b_{1,1}$, $b_{1,2}$ and $b_{1,3} \neq 0$.

{

Step 1: Computation of the first row


The first row of a matrix $A$ is formed by $b_{1,0}$, $b_{1,1}$, $b_{1,2}$ and $b_{1,3}$. Values $b_{1,1}$, $b_{1,2}$ and $b_{1,3}$ are taken from matrix $M$. The value $b_{1,0}$ will be determined in step 3 of the present algorithm.

Step 2: Computation of the row $2 \le i \le 4$

From the values of the first row, matrix $M$ and the previous algorithm for random generation of an invertible matrix $A = \{a_{i,j}\}_{4\times 4}$, $a_{i,j} \in GF(2^8)$, the values $a_{i,j}$ are computed, leaving matrix $A$ in the following way:

$$A = \begin{bmatrix}
- & b_{1,1} & b_{1,2} & b_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \\
a_{4,0} & a_{4,1} & a_{4,2} & a_{4,3}
\end{bmatrix}$$

• The values $a_{i,j}$ are linear functions of $b_{1,0}$ and then if the values $a_{i,j}$ become equal to zero, linear equations with $b_{1,0}$ as unknown are formed.

• The determinants of all 2x2 sub-matrices are computed. If the determinants become equal to zero, then linear and quadratic equations with $b_{1,0}$ as unknown are formed.

• The determinants of all 3x3 sub-matrices are computed. If the determinants become equal to zero, then quadratic and cubic equations with $b_{1,0}$ as unknown are formed.

• The values of $b_{1,0}$ which do not satisfy the mentioned equations are stored.

Step 3: Random generation of a MDS matrix $A$

From the values of $b_{1,0}$ which do not satisfy the previous equations, one should be selected at random leaving matrix $M$ full, and then matrix $A$ is completed.

}

Output:

$$\text{MDS matrix } A = \begin{bmatrix}
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \\
a_{4,0} & a_{4,1} & a_{4,2} & a_{4,3}
\end{bmatrix}$$

Observations: If any of the values of the matrix $A$ formed at the $i$-th row is zero, then a new value is randomly selected from matrix $M$, and the values $a_{i,j}$ for all $0 \le j \le 3$ are computed again.

The second method:

This new method proposed for the random generation of a MDS matrix uses the following proposition found in [28]:

Any 4x4 matrix over $GF(2^n)$ with all non-zero elements is a MDS matrix, if and only if it is full rank, the inverse matrix having all non-zero elements and all its 2x2 sub-matrices are full rank.

It is used the fact, if the polynomial $f(x) = b_{1,0} + b_{1,1} x + b_{1,2} x^2 + b_{1,3} x^3$ on $GF(2^8)$ is such that $b_{1,1}$, $b_{1,2}$ and $b_{1,3} \neq 0$ and $b_{1,0}$ is unknown, then all the coefficients of the inverse $f^{-1}(x)$ modulo $g(x)$, a primitive polynomial of degree 4, depend on $b_{1,0}$.

Input:

- Primitive polynomials $g_1(x)$, $g_2(x)$ and $g_3(x)$ in $GF(2^8)[x]$ selected a priori so that $\deg(g_1(x)) = 4$, $\deg(g_2(x)) = 3$ and $\deg(g_3(x)) = 2$.

- Pseudorandom sequence written as matrix

$$M = \begin{bmatrix}
- & b_{1,1} & b_{1,2} & b_{1,3} \\
c_{2,0} & b_{2,0} & b_{2,1} & b_{2,2} \\
c_{3,0} & c_{3,1} & b_{3,0} & b_{3,1} \\
c_{4,0} & c_{4,1} & c_{4,2} & b_{4,0}
\end{bmatrix}$$

where $c_{i,j}, b_{k,t} \in GF(2^8)$ and $b_{k,0}, \cdots, b_{k,4-k} \neq 0$ for all $2 \le i \le 4$, $2 \le k \le 4$ and $0 \le j \le 2$, $0 \le t \le 3$, and also $b_{1,1}$, $b_{1,2}$ and $b_{1,3} \neq 0$.

{

Step 1: Computation of the first row

The first row of a matrix $A$ is formed by $b_{1,0}$, $b_{1,1}$, $b_{1,2}$ and $b_{1,3}$. Values $b_{1,1}$, $b_{1,2}$ and $b_{1,3}$ are taken from matrix $M$. The value $b_{1,0}$ will be determined in step 6 of the present algorithm.

Step 2: Computation of the row $2 \le i \le 4$

From the values of the first row, matrix $M$ and the previous algorithm for random generation of an invertible matrix $A = \{a_{i,j}\}_{4\times 4}$, $a_{i,j} \in GF(2^8)$, the values $a_{i,j}$ are computed, leaving matrix $A$ in the following way:

$$A = \begin{bmatrix}
- & b_{1,1} & b_{1,2} & b_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \\
a_{4,0} & a_{4,1} & a_{4,2} & a_{4,3}
\end{bmatrix}$$

• The values $a_{i,j}$ are linear functions of $b_{1,0}$ and then if the values $a_{i,j}$ become equal to zero, linear equations with $b_{1,0}$ as unknown are formed.

• The determinants of all 2x2 sub-matrices are computed. If the determinants become equal to zero, linear and quadratic equations with $b_{1,0}$ as unknown are formed.

• The values of $b_{1,0}$ which do not satisfy the mentioned equations are stored.

Step 3: With the coefficients $b_{1,1}$, $b_{1,2}$ and $b_{1,3}$ of matrix $M$ and $b_{1,0}$ as unknown, it is computed the coefficients $d_{1,0} = \lambda_0(b_{1,0})$, $d_{1,1} = \lambda_1(b_{1,0})$, $d_{1,2} = \lambda_2(b_{1,0})$ and $d_{1,3} = \lambda_3(b_{1,0})$ of the inverse $f^{-1}(x) = d_{1,0} + d_{1,1} x + d_{1,2} x^2 + d_{1,3} x^3$ modulo $g_1(x)$. Thus, we can form the matrix

$$M' = \begin{bmatrix}
d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\
c_{2,0} & b_{2,0} & b_{2,1} & b_{2,2} \\
c_{3,0} & c_{3,1} & b_{3,0} & b_{3,1} \\
c_{4,0} & c_{4,1} & c_{4,2} & b_{4,0}
\end{bmatrix}$$

Step 4: With matrix $M'$ and the algorithm described above to compute the inverse we can compute

$$A^{-1} = \begin{bmatrix}
d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\
d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\
d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \\
d_{4,0} & d_{4,1} & d_{4,2} & d_{4,3}
\end{bmatrix}$$

Note that $d_{i,j}$ depends on $b_{1,0}$, $b_{1,1}$, $b_{1,2}$ and $b_{1,3}$ for all $2 \le i \le 4$ and $0 \le j \le 3$, then matrix $A^{-1}$ turns

$$\begin{bmatrix}
\delta_{1,0}(b_{1,0}) & \delta_{1,1}(b_{1,0}) & \delta_{1,2}(b_{1,0}) & \delta_{1,3}(b_{1,0}) \\
\delta_{2,0}(b_{1,0}) & \delta_{2,1}(b_{1,0}) & \delta_{2,2}(b_{1,0}) & \delta_{2,3}(b_{1,0}) \\
\delta_{3,0}(b_{1,0}) & \delta_{3,1}(b_{1,0}) & \delta_{3,2}(b_{1,0}) & \delta_{3,3}(b_{1,0}) \\
\delta_{4,0}(b_{1,0}) & \delta_{4,1}(b_{1,0}) & \delta_{4,2}(b_{1,0}) & \delta_{4,3}(b_{1,0})
\end{bmatrix}$$

Step 5: If the values of $\delta_{i,j}(b_{1,0})$ for all $1 \le i \le 4$ and $0 \le j \le 3$ become equal to zero, equations with $b_{1,0}$ as unknown are formed. The values of $b_{1,0}$ which do not satisfy the mentioned equations are stored.

Step 6: Random generation of a MDS matrix $A$.

From the values of $b_{1,0}$ which do not satisfy the equations of steps 2 and 5, one should be selected at random leaving matrix $M$ full, and then matrix $A$ and its inverse are completed.

}

Output:

$$\text{MDS matrix } A = \begin{bmatrix}
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \\
a_{4,0} & a_{4,1} & a_{4,2} & a_{4,3}
\end{bmatrix}$$

V. ABOUT THE IMPLEMENTATION

With the dynamic variants presented in this paper, the AES-NI instruction set would seem no longer be applicable; however, the different steps of the round function in these dynamic variants can be combined in look-up tables as recommended in [3], allowing for very fast implementation on processors with word lengths 32 or greater.

In AES, if we denote the input by $a$ and the output by $d$, then for every column $0 \le j < 4$ of the state matrix we have

$$\begin{bmatrix} d_{0,j} \\ d_{1,j} \\ d_{2,j} \\ d_{3,j} \end{bmatrix} = T_0[a_{0,j}] + T_1[a_{1,(j+1) \bmod 4}] + T_2[a_{2,(j+2) \bmod 4}] + T_3[a_{3,(j+3) \bmod 4}]$$

where the look-up tables $T_0$, $T_1$, $T_2$ and $T_3$ have each 256 four-bytes word and requiring 4KB of storage space. In this case the tables are performing as follow:

$$T_0[x] = \begin{bmatrix} 02\,S_{DR}[x] \\ 01\,S_{DR}[x] \\ 01\,S_{DR}[x] \\ 03\,S_{DR}[x] \end{bmatrix}; \quad
T_1[x] = \begin{bmatrix} 03\,S_{DR}[x] \\ 02\,S_{DR}[x] \\ 01\,S_{DR}[x] \\ 01\,S_{DR}[x] \end{bmatrix}; \quad
T_2[x] = \begin{bmatrix} 01\,S_{DR}[x] \\ 03\,S_{DR}[x] \\ 02\,S_{DR}[x] \\ 01\,S_{DR}[x] \end{bmatrix}; \quad
T_3[x] = \begin{bmatrix} 01\,S_{DR}[x] \\ 01\,S_{DR}[x] \\ 03\,S_{DR}[x] \\ 02\,S_{DR}[x] \end{bmatrix}$$


Here $S_{DR}$ is the S-box of AES, working as the transformation SubBytes, then if we compute the dynamic S-box $RS_{DR}$ and the dynamic MDS matrix $B = (b_{i,j})_{4\times 4}$ we can construct the key-dependent look-up tables

$$T_0[x] = \begin{bmatrix} b_{0,0}\,RS_{DR}[x] \\ b_{1,0}\,RS_{DR}[x] \\ b_{2,0}\,RS_{DR}[x] \\ b_{3,0}\,RS_{DR}[x] \end{bmatrix} \quad
T_1[x] = \begin{bmatrix} b_{0,1}\,RS_{DR}[x] \\ b_{1,1}\,RS_{DR}[x] \\ b_{2,1}\,RS_{DR}[x] \\ b_{3,1}\,RS_{DR}[x] \end{bmatrix} \quad
T_2[x] = \begin{bmatrix} b_{0,2}\,RS_{DR}[x] \\ b_{1,2}\,RS_{DR}[x] \\ b_{2,2}\,RS_{DR}[x] \\ b_{3,2}\,RS_{DR}[x] \end{bmatrix} \quad
T_3[x] = \begin{bmatrix} b_{0,3}\,RS_{DR}[x] \\ b_{1,3}\,RS_{DR}[x] \\ b_{2,3}\,RS_{DR}[x] \\ b_{3,3}\,RS_{DR}[x] \end{bmatrix}$$

generated in the key schedule. This way the output $d$ can be computed as

$$\begin{bmatrix} d_{0,j} \\ d_{1,j} \\ d_{2,j} \\ d_{3,j} \end{bmatrix} = T_0[a_{R_0[j],R_{4+j}[0]}] + T_1[a_{R_1[j],R_{4+j}[1]}] + T_2[a_{R_2[j],R_{4+j}[2]}] + T_3[a_{R_3[j],R_{4+j}[3]}].$$

VI. CONCLUSION

In this paper, we presented dynamic variants of the cryptographic algorithm AES, in which the transformations SubBytes, ShiftRows, MixColumns, and AddRoundKey, all of them fixed and selected a priori, were replaced by random key-dependent transformations, RandomSubBytes, RandomShiftRows, RandomMixColumns and RandomAffineTransfKey respectively.

These transformations can be chosen from the set of all its possible choices, and can be generated from pseudorandom sequences obtained through the key schedule of AES or any pseudorandom number generator.

In the case of the transformation SubBytes, we show two possible replacements of the S-box, and for the transformation AddRoundKey, we show three possible variants. On the other hand, we show two methods for the random generation of MDS matrices to replace the original MDS matrix used in the transformation MixColumns. The second method is new in specialized literature.

With the proposed changes, the design strategy of the block cipher AES was carefully fulfilled, RandomShiftRows is a random diffusion optimal permutation as the transformation ShiftRows, RandomMixColumns is a random MDS matrix like the transformation MixColumns. The random matrices used in RandomAffineTransfKey are invertible matrices and for the second proposal of this transformation we do not consider necessary adding extra round functions like in AES.

The most polemic change may be the random transformation RandomSubBytes, which can turn occasionally into a random S-box with bad properties contrary to SubBytes; however, we believe this is compensated by the unknowingness of the S-box and we recommend using a rekeyed block cipher mode of operation to encrypt long plain texts.

VII. APPENDIX

Inverse of a polynomial of degree 3

We present next an example of the inverse of a polynomial in $GF(2^8)[x]$ with degree 3, so that it can be used in the random generation of a MDS matrix through the second method described before.

Let $f(x)$ be the polynomial

$$x^3 + x^2 + x + z$$

and let $g(x)$ be the primitive polynomial

$$x^4 + z^9 x^3 + z^2 x + z^{13}$$

in $GF(2^8)[x]$, where $z \in GF(2^8)$ is a primitive element modulo the irreducible polynomial used to construct the field $GF(2^8)$ in Rijndael

$$P(y) = y^8 + y^4 + y^3 + y + 1$$


Let $f^{-1}(x) = d_{1,0} + d_{1,1} x + d_{1,2} x^2 + d_{1,3} x^3$ be the inverse of $f(x)$ modulo $g(x)$, so that $d_{1,0} = \lambda_0(b_{1,0})$, $d_{1,1} = \lambda_1(b_{1,0})$, $d_{1,2} = \lambda_2(b_{1,0})$, $d_{1,3} = \lambda_3(b_{1,0})$. If we take $z = y + 1$ then

$$d_{1,3} \equiv z^{137} \bmod P(y)$$
$$d_{1,2} \equiv z^{215} \bmod P(y)$$
$$d_{1,1} \equiv z^{61} \bmod P(y)$$
$$d_{1,0} \equiv z^{155} \bmod P(y)$$

REFERENCES

[1] Federal Information Processing Standard. Announcing the Advanced Encryption Standard (AES). FIPS Publication 197, 2001.
[2] Daemen J. and Rijmen V. “The Rijndael block cipher. AES proposal”. 1999.
[3] Daemen J. and Rijmen V. “The design of Rijndael: AES - The Advanced Encryption Standard”. Second Edition. Springer. 2020.
[4] Fahmy A., Shaarawy M., El-Hadad K., Salama G. and Hassanain K. “A Proposal For A Key-Dependent AES”. Proceedings of the SETIT-2005.
[5] Krishnamurthy G. and Ramaswamy V. “Making AES Stronger: AES with Key Dependent S-Box”. International Journal of Computer Science and Network Security, Vol. 8, No. 9, 2008.
[6] El Ghafar A., Rohiem A., Diaa A. and Mohammed F. “Generation of AES Key Dependent S-Boxes using RC4 Algorithm”. Proceedings of the ASAT-13, 2009.
[7] Hosseinkhani R. and Seyyed H. “Using Cipher Key to Generate Dynamic S-Box in AES Cipher System”. International Journal of Computer Science and Security, Vol. 6, Issue 1, 2012.
[8] Ismail I., Galal-Edeen G., Khattab S. and Moustafa M. “Performance Examination of AES Encryption Algorithm with Constant and Dynamic Rotation”. International Journal of Reviews in Computing, 2012.
[9] Ahmed F. and Elkamchouchi D. “Strongest AES with S-Boxes bank and dynamic key MDS matrix (SDK-AES)”. International Journal of Computer and Communication Engineering, Vol. 2, No. 4, 2013.
[10] Arrag S., Hamdoun A., Tragha A. and Khamlich S. “Implementation of Stronger AES by using Dynamic S-box Dependent of Master Key”. Journal of Theoretical and Applied Information Technology, Vol. 53, No. 2, 2013.
[11] Freyre P, Díaz N and Cuellar O. “Variations to the cryptographic algorithms AES and Twofish”. IACR e-print archive, No. 1080, 2015.
[12] Nidhinraj P. and George J. “DNA-based Approach of AES with Key Dependent ShiftRows”. International Journal of Control Theory and Applications, Vol. 9, No. 43, 2016.
[13] Sachdeva, S. Doctoral dissertation “Improving AES-128 Using Multiple Cipher Keys and Key Dependent S-Boxes”. Thapar Institute of Engineering and Technology, 2018.
[14] Al-Dweik, A., et al. “A Novel Method to Generate Key-Dependent S-Boxes with Identical Algebraic Properties”. arXiv preprint arXiv:1908.09168. 2019.
[15] Partheeban, P. and Kavitha, V. “Dynamic key dependent AES S-box generation with optimized quality analysis”. Cluster Computing, Vol. 22, Springer, 2019.
[16] Singh, A., Agarwal, P. and Chand, M. “Image Encryption and Analysis using Dynamic AES”. 5th International Conference on Optimization and Applications ICOA. pp. 1-6, IEEE, 2019.
[17] Borst J. The block cipher: Grand Cru. Available in: http://cryptonessie.org. Accessed on 01/9/2020.
[18] Knudsen L. Dynamic Encryption. Journal of Cyber Security. Vol. 3, 357-370, 2015.
[19] Schneier B. et al. “Twofish: A 128-bit block cipher”. NIST AES Proposal, 15(1). 1998.
[20] Rijmen V. Comment on dynamic encryption. Available in: https://www.dencrypt.dk/wp-content/uploads/2017/05/Dencrypt-Vincent-Rijmen-opinion-on-Dynamic-Encryption.pdf. Accessed on 01/9/2020.
[21] Abdalla M. and Bellare M. “Increasing the life time of a key: a comparative analysis of the security of re-keying techniques”. International Conference on the Theory and Application of Cryptology and Information Security. Springer, Berlin, Heidelberg, 2000.
[22] Lavrikov I. and Shishkin V. How much data may be safely processed on one key in different modes?. Mathematical Aspects of Cryptography. Vol. 10, 2019.
[23] Rijmen V., Daemen J., Preneel B., Bosselaers A. and De Win E. The cipher SHARK. LNCS 1039, pp. 99–111. Springer, 1996.


[24] Freyre P, Díaz N and Morgado E. R. “Some algorithms related to matrices with entries in a finite field”. Journal of Discrete Mathematical Sciences & Cryptography. Vol. 12, No. 5, pp. 509–519. 2009.
[25] Freyre P and Díaz N. “Generación aleatoria de permutaciones del grupo simétrico o del grupo alternado”. Revista Investigación Operacional. Vol. 36, No. 2, 2015.
[26] Alfonso A. and Freyre P. Random Diffusion Optimal Permutations with a Look in Dynamic Rijndael. Revista Ciencias Matemáticas. Vol. 32, 2018.
[27] Freyre P, Díaz N, Díaz R and Pérez C. “Random generation of MDS matrices”. Proceedings of Current Trends in Cryptology CTCrypt2014. 2014.
[28] Gupta K. C. and Ray I. G. “On constructions of MDS matrices from companion matrices for lightweight cryptography”. In CD-ARES 2013 Workshop: MOCrySEn, pp. 29-43, Springer. 2013.

ABOUT THE AUTHORS

PhD. Pablo Freyre Arrozarena
Workplace: Institute of Cryptography. University of Havana.
Email: [email protected]
Education process: Graduated of Mathematics in 1988; received Doctor's degree in 1998.
Current research direction: symmetric cryptography, mathematical aspects of cryptography and information security.

PhD. Oristela Cuellar Justiz
Workplace: Center for the Study of Computational Mathematics. University of Informatics Sciences.
Email: [email protected]
Education process: Graduated of Mathematics and Physics in 1987; received Doctor's degree in 2016.
Current research direction: symmetric cryptography, mathematical aspects of cryptography and information security.

MSc. Nelson Díaz Pérez
Workplace: Institute of Cryptography. University of Havana.
Education process: Graduated of Mathematics in 1985; received Master's degree in 2006.
Current research direction: symmetric cryptography, mathematical aspects of cryptography and information security.

MSc. Adrián Alfonso Peñate
Workplace: Institute of Cryptography. University of Havana.
Education process: Graduated of Mathematics in 2014; received Master's degree in 2018.
Current research direction: symmetric cryptography, mathematical aspects of cryptography and information security.
