
Available online at www.sciencedirect.com

Information Sciences 178 (2008) 1603–1610

www.elsevier.com/locate/ins

Fast S-box security mechanism research based on the polymorphic cipher

Yifeng Yin *, Xinshe Li, Yupu Hu

Key Laboratory of Computer Network and Information Security of Xidian University, Xi’an 710071, People’s Republic of China

Received 1 November 2006; received in revised form 8 October 2007; accepted 4 November 2007

Abstract

In this study we propose a new design method for fast S-box construction. Its security depends on the length of the pseudorandom numbers generated by the two communication parties. While the S-box is being built, we show that Boolean functions play an important role in the design of both block and stream ciphers. To satisfy a variety of cryptographic test criteria, such as the strict avalanche criterion (SAC), the bit independence criterion (BIC) and nonlinearity, we apply polymorphic cipher (PMC) theory to the construction of the permutation function. Correlations among the test criteria in a real network environment are also evaluated. © 2007 Elsevier Inc. All rights reserved.

Keywords: S-box; Polymorphic cipher; Strict avalanche criterion; Bit independence criterion

1. Introduction

S-box differential distribution and linear analysis have been a key research focus for more than thirty years [3]. As a result, a variety of techniques have been proposed and several are currently under further investigation. It is well known that the homogeneity of the differential distribution is an important security criterion for cipher functions; conversely, differential cryptanalysis is theoretically based on the inhomogeneity of the overall cryptosystem. Our research shows how Boolean functions play an important role in designing block and stream ciphers while satisfying the following criteria: the bit independence criterion (BIC), nonlinearity, the strict avalanche criterion (SAC), and others [6,9].

If a simple function is iterated many times, the result can be defined as an iterative cipher. In order to resist differential cryptanalysis and to design complicated iterative ciphers successfully, Roellgen proposed a completely new cryptographic method, the polymorphic cipher (PMC) [12]. It provides a set of simple functions {f_1, f_2, ..., f_n}, which make use of the parameters of the opponent's attacks and cause these

0020-0255/$ - see front matter © 2007 Elsevier Inc. All rights reserved.

doi:10.1016/j.ins.2007.11.003

This research was supported in part by the Nature Science Foundation of China under Grant 60473029 and the Open Foundation of the Beijing Institute of Electronic Science and Technology.

* Corresponding author. Tel.: +86 029 84968630. E-mail addresses: [email protected] (Y. Yin), [email protected] (X. Li), [email protected] (Y. Hu).


functions to be combined in a cross array. After several iterations the output sequence is acquired and, at the same time, satisfies our cryptographic properties. The purpose of the polymorphic cipher design is to make the keys immune to attacks. When an opponent attacks the cipher's key generator, the random assortment of these functions is disturbed, because the PMC is self-compiling: the cryptographic algorithm resets itself automatically and keeps the attacker away from the true key. As a result, the new encryption has been applied to the fast encryption of disk files.

This paper takes a closer look at how the network characteristics of the polymorphic cipher implementation are improved by using bytes of the peer's data packages as its parameters. Random numbers are provided by combining the self-compiling property of the PMC with the design of a PRNG. Furthermore, the Boolean function design results in an inexhaustible, orderly differential array output sequence [5]. Both communication parties use their respective keys to design half an S-box and send it to the other party, finishing the fast-integrated S-box together.

2. S-box design standard

Naturally, the S-box becomes the target of every attacker, since the overall security of the encryption algorithm relies on it. Therefore, the S-box we design must satisfy the bit independence criterion, nonlinearity and the strict avalanche criterion [10].

2.1. Bit independence criterion

The bit independence criterion is as important as the strict avalanche criterion. For a function $f: GF(2)^n \to GF(2)^n$ and $i, j, k \in \{1, 2, 3, \dots, n\}$ with $j \ne k$: when the ith bit of the input is inverted, the jth and kth bits of the output should change independently of each other, i.e. the two changes are uncorrelated. A function f for which this holds for all such i, j, k satisfies the bit independence criterion [2].

2.2. Nonlinearity

For a function $f: GF(2)^n \to GF(2)$ and constants $a = (a_0, a_1, \dots, a_n)$ with $a_i \in GF(2)$, $f(x) = a_0 \oplus a_1 x_1 \oplus a_2 x_2 \oplus \dots \oplus a_n x_n$ is an affine function, and when $a_0 = 0$ it is a linear function. Let $A_n$ be the set of all affine functions $g: GF(2)^n \to GF(2)$; the nonlinearity of f is then defined as the minimum Hamming distance from f to an affine function,

$nl(f) = \min_{g \in A_n} w(f \oplus g)$ (1)

where $w(\cdot)$ denotes the Hamming weight.

2.3. The strict avalanche criterion

2.3.1. Definition

Avalanche characteristics were combined into the strict avalanche criterion by Webster and Tavares in 1985 [16]. A function $f: GF(2)^n \to GF(2)^m$ satisfies the strict avalanche criterion if, for every $a \in GF(2)^n$ with $W_H(a) = 1$, the function $f(x \oplus a) \oplus f(x)$ is balanced. For $y = f(x)$ with plaintext x and ciphertext y, this means that when any single bit of x is changed, each bit of y changes with probability 1/2, so on average m/2 bits of y change; the change in y is even and shows no pattern.

The strict avalanche criterion distance of a function $g: GF(2)^n \to GF(2)$ is defined as follows:

$D_{SAC}(g) = \max_{i=1,2,\dots,n} \left| \frac{1}{2^{2n-1}} \cdot \sum_{X=0}^{2^n-1} g(X) \oplus g(X \oplus a_i) \right|$ (2)

Here X is the input sequence and $a_i$ is the unit vector whose ith bit is 1 and all other bits are 0. According to (2), the strict avalanche criterion distance of a function $f: GF(2)^n \to GF(2)^n$ can be defined as

$D_{SAC}(f) = \max_{i=1,2,\dots,n} D_{SAC}(v_i)$ (3)

in which $v_i$ is the ith component function (the ith output bit) of f.


The ideal result of the strict avalanche criterion test can be described as follows. Suppose the function f has n-bit inputs $k_1, k_2, \dots$ and m-bit outputs $v_1, v_2, \dots$, where $k_1$ and $k_2$ take the same values except at the ith bit ($k_1 \oplus k_2$ has Hamming weight 1), that is $k_1 = k_2 \oplus a_i$, and let $v_1 = f(k_1)$, $v_2 = f(k_2)$. According to (3), the two output sequences $v_1, v_2$ change in each bit with probability

$pr_{output}(v_1, v_2) = \frac{w(v_1 \oplus v_2)}{m} = \frac{D_{SAC}(f)}{m}$ (4)

and the ideal strict avalanche criterion output sequence has m/2 changed bits, that is, $pr_{output}(v_1, v_2) = 0.5$.

2.3.2. Avalanche tests

Let G be a hash function, let $k_1, k_2$ be two n-bit input sequences and let $e_i$ be the unit vector with bit i equal to 1 and all other bits equal to 0, with $k_1 = e_i \oplus k_2$; the Hamming distance between $k_1$ and $k_2$ is then $d_h(k_1, k_2) = 1$, that is $w_h(k_1 \oplus k_2) = 1$. Let $v_1 = G(k_1)$ and $v_2 = G(k_2)$ be the m-bit output sequences. Define

$d_{input}(k_1, k_2) = \frac{w_h(k_1 \oplus k_2)}{|G(k_1)|}, \qquad d_{output}(v_1, v_2) = \frac{w_h(v_1 \oplus v_2)}{|v_1|}$

Suppose $|G(k_1)| = |G(k_2)|$ and $|v_1| = |v_2|$. Then G satisfies the strict avalanche criterion when $d_{input}(k_1, k_2) = 1/m$ yields $d_{output}(v_1, v_2) = 1/2$.

The S-box construction referred to in this paper must satisfy the strict avalanche criterion; therefore the output values $d_{output}(v_1, v_2)$ of the S-box should approach 0.5.
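The three criteria of Section 2 can be measured exhaustively on a small S-box given as a lookup table. The following Python is an added example, not code from the paper: it computes the SAC matrix behind (2) and (3), the average $d_{output}$ of (4), a correlation-based BIC score, and the nonlinearity of (1) through the Walsh transform. The 4-bit PRESENT S-box is a real, published table used only to exercise the tests; the identity map is included as the failing case.

```python
"""SAC, BIC and nonlinearity checks for an n-bit S-box given as a table.

Added example (not from the paper). PRESENT is the published 4-bit S-box of
the PRESENT block cipher, used here only as a real test table; IDENTITY is
the deliberately bad case.
"""
from itertools import combinations
from typing import Dict, List, Sequence

PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY = list(range(16))


def hw(x: int) -> int:
    """Hamming weight w(x)."""
    return bin(x).count("1")


def sac_matrix(sbox: Sequence[int], n: int) -> List[List[float]]:
    """p[i][j] = Pr[output bit j flips | input bit i flips]; the SAC ideal is 0.5 in every cell."""
    size = 1 << n
    p = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for x in range(size):
            diff = sbox[x] ^ sbox[x ^ (1 << i)]          # f(x) xor f(x xor a_i)
            for j in range(n):
                p[i][j] += (diff >> j) & 1
        p[i] = [c / size for c in p[i]]
    return p


def d_output_average(sbox: Sequence[int], n: int) -> float:
    """Mean of w(v1 xor v2)/m over every input and every single-bit flip (eq. (4) with m = n)."""
    size = 1 << n
    total = sum(hw(sbox[x] ^ sbox[x ^ (1 << i)]) for i in range(n) for x in range(size))
    return total / (n * size * n)


def bic_max_correlation(sbox: Sequence[int], n: int) -> float:
    """Largest |correlation| between the flips of output bits j and k caused by flipping
    input bit i; the BIC ideal is 0. A constant column (bit never or always flips) carries
    no dependence to measure and is skipped, so check SAC alongside this score."""
    size = 1 << n
    worst = 0.0
    for i in range(n):
        flips = [[(sbox[x] ^ sbox[x ^ (1 << i)]) >> j & 1 for x in range(size)] for j in range(n)]
        for j, k in combinations(range(n), 2):
            a, b = flips[j], flips[k]
            ma, mb = sum(a) / size, sum(b) / size
            va = sum((u - ma) ** 2 for u in a)
            vb = sum((v - mb) ** 2 for v in b)
            if va == 0 or vb == 0:
                continue
            cov = sum((u - ma) * (v - mb) for u, v in zip(a, b))
            worst = max(worst, abs(cov) / (va * vb) ** 0.5)
    return worst


def nonlinearity(sbox: Sequence[int], n: int) -> int:
    """min over non-zero output masks b of nl(b.S(x)), eq. (1) evaluated as
    2^(n-1) - max_a |W_f(a)| / 2, where W_f(a) = sum_x (-1)^(f(x) xor a.x)."""
    size = 1 << n
    best = size
    for b in range(1, size):
        f = [hw(b & sbox[x]) & 1 for x in range(size)]      # component Boolean function
        wmax = max(abs(sum(1 - 2 * (f[x] ^ (hw(a & x) & 1)) for x in range(size)))
                   for a in range(size))
        best = min(best, size // 2 - wmax // 2)
    return best


def evaluate(sbox: Sequence[int], n: int) -> Dict[str, float]:
    return {
        "d_output_avg": d_output_average(sbox, n),
        "bic_max_corr": bic_max_correlation(sbox, n),
        "nonlinearity": nonlinearity(sbox, n),
    }


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT), ("identity", IDENTITY)):
        print(name, evaluate(box, 4))
```

The identity map illustrates why the criteria must be read together: its nonlinearity is 0 and its average $d_{output}$ is only 1/n, yet its BIC score is 0 because no output bit ever changes except the one that was flipped, so there is no dependence to measure. For n above about 12 the exhaustive loops become too slow and the same statistics have to be sampled, which is what the experiments of Section 6 do for 32- to 1024-bit sequences.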

3. The polymorphic cipher

The purpose of the polymorphic cipher is to randomize the encryption algorithm. The random array of encryption algorithms is the core of the polymorphic encryption method, which also explains the history of polymorphism [8,14]. The polymorphic cipher employs a pseudorandom number generator (PRNG) composed of many primitive random number generators. An extension factor [4] is used to enlarge the collected random data into a long-cycle confusion output sequence, which is XORed with the plaintext bits to encrypt them. Polymorphic ciphers are basically stream ciphers, while actual implementations are a mixture of block and stream ciphers.

A completely new cipher feedback mode is possible for self-compiling encryption algorithms. To make this possible, a generalized model for self-compiling crypto code is proposed, which lets the polymorphic cipher apply a self-compiling design method to the randomization of the encryption algorithm. The PMC's internal compiler converts substitutable code segments that use the processor registers in the same way. The CPU operates on the key data array, implementing substitutions, modulo divisions, shifts and nonlinear operations, and chooses a completely new way of compiling machine code from the code segments (keys). The result is a machine instruction sequence for the cipher; these instructions are executed by the target processor and define a set of simple pseudorandom number generators, completing the whole random sequence compiler.

In contrast to most or all commonly known symmetric encryption algorithm designs (including AES candidates such as Rijndael and Twofish), polymorphic ciphers can be made immune to differential power attacks. All functions used by polymorphic ciphers are simple one-way functions with few complex operations, so polymorphic ciphers can encrypt faster than common ciphers such as DES and AES.

4. PRNG design satisfying S-box criterion

Each peer executes its uploading and downloading operations, so at every moment four relevant parameters can be acquired: upload speed vu_i, total upload bytes tu_i, download speed vd_i and total download bytes td_i. The randomness of the users' operations makes these four parameters a real stochastic source. In addition, the user's bandwidth is restricted by the real network environment, so each of the four parameters is taken as 32 bits. We have improved the polymorphic cipher by dividing it into two parts: the keys provided by the encrypting party, and the polymorphic algorithm driven by the above parameters.

The algorithm implementation steps can be described as follows (refer to Fig. 1):

Step 1: The user has an n-bit input m; let the counter r = 0 and the initial output value be m.
Step 2: Get four parameters from the network source at Peer_i at one time: upload speed vu_i, total upload bytes tu_i, download speed vd_i and total download bytes td_i.
Step 3: Following the polymorphic encryption method of Roellgen, provide 16 simple one-way functions whose parameter is the input m combined with two of the four parameters from Step 2; divide m into 4-bit groups, so that

$m = m_{(n/4-1)3}\, m_{(n/4-1)2}\, m_{(n/4-1)1}\, m_{(n/4-1)0} \dots m_{i3}\, m_{i2}\, m_{i1}\, m_{i0} \dots m_{13}\, m_{12}\, m_{11}\, m_{10}\, m_{03}\, m_{02}\, m_{01}\, m_{00}$

Step 4: For i = 0, 1, ..., n/4 − 1 calculate

$s_i = \frac{1}{2^{4i}} \sum_{j=0}^{3} 2^{j+4i} m_{ij}$

that is, the value of the ith 4-bit group. Match it against the 16 one-way functions provided to select the $s_i$-th function, compute the output $Out_{ri}$ of this round with it, then take $Out_{ri}$ as the input for group i + 1 and repeat Step 4 until i = n/4.
Step 5: r = r + 1; if r < n/32, go to Step 2, otherwise go to Step 6.
Step 6: The final output sequence is obtained.

4.1. Protocol steps

Step 1: As shown in Fig. 2, Alice and Bob are the two communication parties, each holding a private key. The four random seeds from the P2P network are taken as parameters of the PRNG: Alice obtains the left-group parameters paras_a, which are fed into the PRNG to design an S-box.

Fig. 1. The strict avalanche criterion functions design. Peer_i supplies vu_i, vd_i, tu_i and td_i to the PRNG, which is composed of a linear congruential random number generator, right-shift with carry, an add-with-carry generator, a multiply-with-carry generator, left-shift with carry and a self-compiler (hash); the key and the primitive sequence for the internal state feed the propagated internal state, which produces the output sequence.


Fig. 2. S-box designed by both communication parties. Alice feeds vu_a, vd_a, tu_a, td_a and her key k_a through the self-compiler (hash) into her PRNG, and Bob does the same with vu_b, vd_b, tu_b, td_b and k_b; the 32-bit parameters drive the functions f_0(paras_a, paras_b), f_1(paras_a, paras_b), ..., f_{n/4-1}(paras_a, paras_b) on each side, producing S_a and S_b.


That is the left S-box S_a. Similarly, Bob obtains the right-group parameters paras_b and designs the right S-box S_b.

Step 2: Alice sends S_a to Bob over the public communication path, and at the same time Bob sends S_b to Alice.
Step 3: Alice puts paras_a = {k_a ⊕ G(vu_a), k_a ⊕ G(vd_a), k_a ⊕ G(tu_a), k_a ⊕ G(td_a)} into Bob's S-box S_b and obtains the integrated S-box; simultaneously, Bob puts paras_b = {k_b ⊕ G(vu_b), k_b ⊕ G(vd_b), k_b ⊕ G(tu_b), k_b ⊕ G(td_b)} into S_a and obtains the same S-box as Alice.
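Steps 1 to 6 of Section 4 and protocol step 3 above fix the round structure (a 4-bit group selects one of 16 functions, n/32 rounds each fed by one 32-bit parameter group, parameters of the form k ⊕ G(·)) but not the sixteen functions themselves, the hash G, nor how a 32-bit parameter meets an n-bit input. The following Python is an added model of that structure, not the paper's code and not Roellgen's PMC: the sixteen mixing functions, the SHA-256-based G, the widening of parameters, and the choice of vu and td as the two parameters used per round are assumptions, and the network samples are constructed rather than captured. It also produces the average, maximum and minimum $d_{output}$ that Section 6 reports, so the Table 1 statistics can be reproduced for any generator of this shape.

```python
"""Model of the Section 4 round structure and the Section 4.1 parameter derivation.

Added example, not the paper's code. Assumptions: the 16 mixing functions F,
the hash G, widen(), the (vu, td) choice per round, and all sample values.
"""
import hashlib
import random
import struct
from typing import Callable, Dict, List, Sequence, Tuple

N = 128                       # output length n; a multiple of 32, as in the experiments
MASK = (1 << N) - 1


def G(x: int) -> int:
    """Hash G of protocol step 3. SHA-256 truncated to 32 bits is an assumption."""
    return int.from_bytes(hashlib.sha256(struct.pack(">I", x & 0xFFFFFFFF)).digest()[:4], "big")


def derive_params(k: int, net: Tuple[int, int, int, int]) -> List[int]:
    """paras = {k ^ G(vu), k ^ G(tu), k ^ G(vd), k ^ G(td)} (protocol step 3), 32 bits each."""
    return [(k ^ G(v)) & 0xFFFFFFFF for v in net]


def widen(p: int) -> int:
    """Repeat a 32-bit parameter across the n-bit state (assumed; the paper does not say)."""
    return int.from_bytes(p.to_bytes(4, "big") * (N // 32), "big")


def rotl(x: int, r: int) -> int:
    x &= MASK
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK


# Sixteen "simple one-way functions" in the spirit of Fig. 1 (LCG, add-with-carry,
# multiply-with-carry, shifts with carry, XOR). Assumed stand-ins, not Roellgen's list.
F: List[Callable[[int, int, int], int]] = [
    lambda x, p, q: (x * 6364136223846793005 + p) & MASK,      # 0: LCG step
    lambda x, p, q: (x + p + (x >> 32)) & MASK,                 # 1: add-with-carry
    lambda x, p, q: (x * (q | 1) + (x >> 64)) & MASK,           # 2: multiply-with-carry
    lambda x, p, q: rotl(x, 1) ^ p,                             # 3: left shift with carry
    lambda x, p, q: rotl(x, N - 1) ^ q,                         # 4: right shift with carry
    lambda x, p, q: (x ^ (x >> 17) ^ p) & MASK,                 # 5: xorshift
    lambda x, p, q: ((x ^ q) * 0x9E3779B97F4A7C15) & MASK,      # 6: xor then multiply
    lambda x, p, q: rotl(x + q, 13),                            # 7
    lambda x, p, q: x ^ rotl(p, 7) ^ rotl(q, 11),               # 8
    lambda x, p, q: (x + (p ^ q)) & MASK,                       # 9
    lambda x, p, q: (rotl(x, 29) + p) & MASK,                   # 10
    lambda x, p, q: (x ^ (x << 21) ^ q) & MASK,                 # 11
    lambda x, p, q: (x * 0x5DEECE66D + q) & MASK,               # 12: another LCG
    lambda x, p, q: rotl(x ^ p, 19),                            # 13
    lambda x, p, q: (x + (x << 3) + p) & MASK,                  # 14
    lambda x, p, q: (x ^ (x >> 5) ^ (p + q)) & MASK,            # 15
]


def pmc(m: int, groups: Sequence[Tuple[int, int, int, int]]) -> int:
    """Steps 1-6: n-bit input m, one parameter group per round, n/32 rounds."""
    assert len(groups) >= N // 32, "Step 5 needs n/32 parameter groups"
    out = m & MASK                                   # Step 1: r = 0, initial output m
    for r in range(N // 32):                         # Step 5: repeat while r < n/32
        vu, tu, vd, td = groups[r]                   # Step 2: one (vu, tu, vd, td) group
        p, q = widen(vu), widen(td)                  # Step 3: two of the four (assumed vu, td)
        for i in range(N // 4):                      # Step 4: one pass per 4-bit group
            s_i = (out >> (4 * i)) & 0xF             # s_i = value of group i selects F[s_i]
            out = F[s_i](out, p, q)                  # Out_ri becomes the next input
    return out                                       # Step 6


def d_output(v1: int, v2: int) -> float:
    """w_h(v1 xor v2)/|v1| from Section 2.3.2."""
    return bin((v1 ^ v2) & MASK).count("1") / N


def avalanche_stats(groups, samples: int = 4, seed: int = 1) -> Dict[str, float]:
    """Table 1 style statistics: d_output for every single-bit flip of `samples` inputs."""
    rng = random.Random(seed)                        # seeded so the run is reproducible
    ds = []
    for _ in range(samples):
        m = rng.getrandbits(N)
        base = pmc(m, groups)
        ds.extend(d_output(base, pmc(m ^ (1 << i), groups)) for i in range(N))
    return {"avg": sum(ds) / len(ds), "max": max(ds), "min": min(ds)}


def demo() -> Dict[str, object]:
    # Constructed (vu, tu, vd, td) groups for Alice; four of them because n/32 = 4 for n = 128.
    net_a = [(1_250_000, 48_123_904, 9_800_000, 611_002_371),
             (1_249_300, 48_140_512, 9_790_000, 612_103_004),
             (1_300_000, 48_160_200, 9_700_000, 613_200_000),
             (1_280_000, 48_181_000, 9_650_000, 614_100_000)]
    ka = 0x5A17C3E9                                            # Alice's private key (constructed)
    groups = [tuple(derive_params(ka, g)) for g in net_a]      # protocol step 3 parameters
    m = int.from_bytes(b"constructed-16B!", "big")            # 128-bit input (constructed)
    return {"S_a": pmc(m, groups), "stats": avalanche_stats(groups)}


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible. First, the data-dependent selection `F[s_i]` is the whole "polymorphism" of the round: an attacker who learns the parameter group knows exactly which function sequence ran, so the secrecy rests entirely on k and on the network values being unpredictable, as Section 5 assumes. Second, the page does not specify how the two half S-boxes S_a and S_b are merged in protocol step 3, so the model stops at one party's S_a; whatever combiner is used must be commutative for both parties to arrive at the same S-box.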

5. Security analysis

The purpose of attacking a carrier peer is to obtain the other party's private key and random seeds [13]. The S-box designed by both parties, and with it the whole encryption system, can be broken using the private key or the random seeds of either party. Both parties send their semi-finished S-box over a public path, so Eve may obtain the pair of semi-finished S-boxes; these are not yet operational and have not passed the input and output sequence transposition tests. Eve has to use her own private key and random seeds to complete the attack test. Because of the PMC's self-compiling characteristics, the analysis process changes the internal instructions and therefore the algorithm. Since the S-box designed here satisfies the strict avalanche criterion, Eve obtains an S-box completely different from that of the two parties.

A joint S-box cannot be created without the keys and random seeds of either of the two parties. We have found that Eve cannot obtain the keys and random seeds by attacking Alice or Bob, because Eve's attack changes the bytes of Alice's or Bob's network data packages: the attack becomes part of their random seeds, and the stochastic sequence group {vu, tu, vd, td} of either party cannot be obtained; in fact, the two parties themselves are then unable to obtain the former sequence again. Thanks to the private keys and the PRNG expansion factor, users obtain parameters of sufficient length, which are immune to numerous attacks.

6. Experiment results analysis

In 1991, Biham and Shamir published differential cryptanalysis [1], which pushed the analysis of DES-like block ciphers a step forward. In order to defend against differential cryptanalysis we must test whether the function satisfies the strict avalanche criterion by changing the input sequence bit by bit. According to (4), $d_{output}$ is the probability that each bit changes. Fig. 3 shows the bit changes of the two output sequences when the two input sequences differ in one bit; when the bit-change probability of the two output sequences reaches a certain level, we obtain the strict avalanche criterion statistics of Table 1. The statistics show that the algorithm designed in this paper satisfies the criterion quite well: a 1-bit change of the input sequence changes each bit of the output sequence with a probability close to 0.5.

Fig. 3. The bit change probability of the two output sequences.

To test the differential distribution homogeneity and the linearity of the algorithm, we conducted a variety of experiments in a real network environment (100 Mbps broadband). All users involved in the experiments had free access to various network services, including VOD, e-mail and Internet Explorer. We chose six plaintext sequences of different lengths (32, 64, 128, 256, 512 and 1024 bits); after 10 hours of random acquisition of network data packages, we had collected approximately 1000 groups of PMC parameters {vu_i, tu_i, vd_i, td_i} [11]. The four PMC parameters are 32 bits long and the lengths n used in the experiment are all multiples of 32 bits, so the number of collections needed when gathering the network parameters has to be calculated. For instance, when n = 128 we need to collect four groups {{vu_i0, tu_i0, vd_i0, td_i0}, {vu_i1, tu_i1, vd_i1, td_i1}, {vu_i2, tu_i2, vd_i2, td_i2}, {vu_i3, tu_i3, vd_i3, td_i3}} from the data packages, which are combined into one group {vu_i, tu_i, vd_i, td_i} according to Fig. 1. Note that the statistics were made by changing the input sequence bit by bit. According to (1), pr_nl is the probability of a linear approximation; the nonlinearity statistics are shown in Table 2. The value of pr_nl approximates 0.5, which shows that the bias is not high enough to exploit, so the construction can be used to counteract linear cryptanalysis.

Table 1
Statistics of the strict avalanche criterion tests

  n      Average d_output   Max. d_output   Min. d_output
  32     0.50198125         0.6875          0.3125
  64     0.500992188        0.6875          0.4063
  128    0.499885156        0.6250          0.3594
  256    0.495548047        0.5872          0.3997
  512    0.504370000        0.7813          0.2656
  1024   0.49180000         0.7560          0.2783

Table 2
Statistics of nonlinear tests

  n      Average pr_nl      Max. pr_nl      Min. pr_nl
  32     0.508818750        0.7500          0.2813
  64     0.495131250        0.6719          0.2656
  128    0.500492969        0.6797          0.3281
  256    0.495925781        0.7031          0.3398
  512    0.504711000        0.6152          0.4121
  1024   0.484269000        0.6045          0.2998

In 1994, Langford and Hellman proposed differential-linear cryptanalysis [7], building on the well-known linear cryptanalysis of Mitsuru Matsui [9,15]; both can be applied to any iterative cipher. The polymorphic encryption method described in this paper is an iterative encryption system, and the number of rounds is decided by the output bit length n. Because the 16 functions used here are simple one-way functions, we must test whether there is any linear probability relationship between the iterative state of the final round and the input sequence.

7. Conclusions

We have found that a peer can execute its uploading and downloading operations in such a way that the users' random behaviour lets the four parameters drive a pseudorandom number generator. In order to devise a fast and more convenient model for designing functions that satisfy the strict avalanche criterion, we used the polymorphic encryption method, which can quickly create a large number of encryption sequences. The next step is to optimize the combinational functions of the polymorphic cipher so that pr_output and pr_nl approach 0.5 more closely. Given a fast S-box design that yields a large number of fast keys between two communication parties, the polymorphic cipher's immunity to key attacks can be used to increase the overall security of the system.

Acknowledgements

The authors would like to thank the anonymous reviewers for their insightful comments on this paper. Their valuable suggestions have improved the paper with regard to both its technical aspects and its overall readability. The authors are also grateful to Baocang Wang, Yining Quan, Lihua Dong and Jie Chen for their critical review of the manuscript.

References

[1] E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology 4 (1) (1991) 3–72.
[2] M. Bucci, R. Luzzi, Design of testable random bit generators, in: CHES 2005, Springer-Verlag, Edinburgh, UK, 2005, pp. 147–156.
[3] J.A. Clark, J.L. Jacob, S. Stepney, The design of S-boxes by simulated annealing, New Generation Computing 23 (3) (2005) 219–231.
[4] O. Goldreich, Foundations of Cryptography: Basic Tools, Press Syndicate of the University of Cambridge, 2001, pp. 75–89.
[5] K.C. Gupta, P. Sarkar, Improved construction of nonlinear resilient S-boxes, IEEE Transactions on Information Theory 51 (1) (2005) 339–348.
[6] Y.P. Hu, Y.Q. Zhang, G.Z. Xiao, Symmetric Cryptography, Engineering Industry Press, Beijing, 2002, pp. 56–57.
[7] S.K. Langford, M.E. Hellman, Differential-linear cryptanalysis, in: CRYPTO'94, Springer-Verlag, Berlin, Heidelberg, 1994, pp. 5–12.
[8] W. Mao, Modern Cryptography: Theory and Practice, Pearson Education, New Jersey, 2004, pp. 231–244.
[9] M. Matsui, Linear cryptanalysis method for DES cipher, in: Eurocrypt'93, Springer-Verlag, Berlin, 1993, pp. 386–397.
[10] S. Mister, C.M. Adams, Practical S-box design, in: SAC'96, Queen's University, Kingston, Ontario, 1996, pp. 61–76.
[11] M. Molina, S. Niccolini, N.G. Duffield, A comparative experimental study of hash functions applied to packet sampling, in: Proceedings of ITC-19, Beijing, China, 2005.
[12] C.B. Roellgen, Polymorphic Cipher Theory, 2003. <http://www.ciphers.de/technology/description_polymorphic_cryptography.pdf>.
[13] A. De Santis, A.L. Ferrara, B. Masucci, Enforcing the security of a time-bound hierarchical key assignment scheme, Information Sciences 176 (12) (2006) 1684–1694.
[14] B. Schneier, Applied Cryptography, second ed.: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York, 1996, pp. 201–206.
[15] D.R. Stinson, Cryptography: Theory and Practice, second ed., CRC Press, London, 2003, pp. 127–135.
[16] A.F. Webster, S.E. Tavares, On the design of S-boxes, in: CRYPTO'85, Springer-Verlag, Berlin, 1986, pp. 523–534.