New Directions in Cryptanalysis of Block Ciphers

Problem statement: The algebraic expression of the Advanced Encryption Standard (AES) RIJNDAEL S-box involves only 9 terms. The mapping selected for the RIJNDAEL S-box has a simple algebraic expression, which enables algebraic manipulations that can be used to mount an interpolation attack. Approach: The interpolation attack was introduced as a cryptanalytic attack against block ciphers; it is useful for the cryptanalysis of ciphers that use simple algebraic functions as S-boxes. Results: In this study we present an improved AES S-box with good properties that raises the complexity of the S-box algebraic expression, increasing the number of terms to 255. Conclusion: The improved S-box is resistant against the interpolation attack. Variants of the interpolation attack can be developed using approximations of the S-box with lower nonlinearity.


INTRODUCTION
The interpolation attack is a technique for attacking block ciphers built from simple algebraic functions. A block cipher should not have any algebraic property that can be efficiently distinguished, since an interpolation attack can be applied to such a cipher and leads to leakage of information about the secret key.
This mathematical property has practical implications for a block cipher used with a fixed secret key. If the ciphertext can be described as a polynomial (with unknown coefficients) in the plaintext, and if the degree of this polynomial is sufficiently low, then a limited number of plaintext-ciphertext pairs suffices to completely determine the encryption function [1]. Constructing this polynomial does not immediately yield the key; rather, the polynomial emulates the encryption function and produces valid ciphertexts from given plaintexts.
The attack is applied by constructing an implicit polynomial expression involving parts of the plaintext and the ciphertext. The polynomial is then checked against another pair that was not used in its construction. If the polynomial produces the correct result, the guessed key bits are correct. This allows the cryptanalyst to encrypt and decrypt data under the unknown key without doing any key recovery.
In this article, we first describe the main parts of AES (RIJNDAEL), namely its individual transformations and the AES S-box. We then introduce the interpolation attack, considering the points of weakness and strength of the AES S-box. Finally, we discuss how an interpolation attack can be carried out using different representations of the AES S-box.

AES cryptosystem (RIJNDAEL cipher):
The RIJNDAEL cipher, designed by Daemen and Rijmen [2] in 1998, is a successor of SQUARE. It was submitted to the US National Institute of Standards and Technology (NIST) in response to an open call for 128-bit block ciphers. Together with 14 other candidates, it was extensively evaluated over two years before NIST announced in 2000 that RIJNDAEL would replace DES and become the new AES. Just like its predecessor SQUARE, RIJNDAEL was specifically designed to resist differential and linear cryptanalysis.
In the RIJNDAEL cipher, the individual transformations SubBytes, ShiftRows, MixColumns, and AddRoundKey process the state [3]. The SubBytes transformation is a non-linear byte substitution that operates independently on each byte of the state using a substitution table (S-box). The AES S-box is presented in hexadecimal form in Fig. 1.
The S-box is a non-linear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform a one-for-one substitution of a byte value. This S-box is invertible and is constructed by composing two transformations:
• Take the multiplicative inverse in the finite field GF(2^8).
• Apply the following affine transformation over GF(2): for 0 ≤ i < 8, where b_i and c_i are the i-th bit of b and c, respectively.
In matrix form, the affine transformation element of the S-box can be written as:
The design principle for the RIJNDAEL S-box is influenced by linear and differential cryptanalysis and also by interpolation attacks. The designers considered these criteria:
• Invertibility
• Minimization of the largest non-trivial correlation between linear combinations of input bits and linear combinations of output bits
• Minimization of the largest non-trivial value in the XOR table
• Complexity of its algebraic expression in GF(2^8)
• Simplicity of description
The affine transformation (1) does not affect the properties with respect to the first three criteria, but if properly chosen, it allows the S-box to satisfy the fourth criterion.
The chosen affine mapping has a very simple algebraic expression. It can be seen as a modular polynomial multiplication followed by an addition:

Interpolation attack:
The interpolation attack depends only on the number of S-boxes and the number of rounds in the cipher; it is independent of the sizes of the S-boxes. Based on the following theorem, Jakobsen and Knudsen [4] introduced the interpolation attack in 1997.
Theorem 1: Let R be a field. Given 2n elements x_1, x_2, …, x_n ∈ R and y_1, y_2, …, y_n ∈ R, where the x_i are distinct, define: Then f(x) is the only polynomial over R of degree at most n-1 such that f(x_j) = y_j for 1 ≤ j ≤ n. This equation is known as the Lagrange interpolation formula.
Based on this theorem, every ciphertext of a cipher can be described as a polynomial in the plaintext whose coefficients are specific functions of the key. In other words, the ciphertext can be interpolated by a polynomial in the plaintext and key variables, i.e., by Lagrange interpolation.
If the message length is m bits and the polynomial describing the cipher has n < 2^m nonzero coefficients, then the interpolation attack succeeds with n plaintexts and their corresponding ciphertexts.
If the number of terms in the polynomial is small, we can recover the coefficients of the polynomial instead of the key variables. If the number of nonzero coefficients is n, then n plaintexts and their corresponding ciphertexts give a system of n equations in n unknowns. Solving this system yields the coefficients, and hence a specific polynomial from input to output. Using this polynomial, we can compute the ciphertext without any knowledge of the key.
The interpolation attack on the AES S-box:
Using the interpolation attack, the SHARK cryptosystem [5] was analyzed by Knudsen and Jakobsen [4]. SHARK was designed by the AES designers, who already had enough information about the interpolation attack; this alone, however, is not the reason for SHARK's resistance against it. In this cryptosystem, a carefully chosen S-box forces the largest possible number of terms into the equations, since in the polynomial representation of the S-box all exponents of Hamming weight 7 occur. Forming the equation for a one-round cipher, we have:

y = S(x + k_1) + k_2 (3)

x = plaintext, y = ciphertext

where x and y are known but k_1 and k_2 are unknown. Expanding (3), we obtain a polynomial in x of degree 254 with 255 terms, such that all possible powers of x appear in it. So the interpolation attack is not possible. Since in AES the S-box equation contains all exponents of Hamming weight 7, all terms also appear in the representation of the other rounds, and the number of terms cannot be less than 2^m; so the interpolation attack is impossible even on one round.
Now we can pose this question: is an interpolation attack possible using an approximation of the S-box? As an example, if we form the describing polynomial of one round using the approximation S_85(x), then we have 31 terms with nonzero coefficients instead of 255, i.e., we can obtain the coefficients using 31 suitable texts instead of 255. Since the probability that each pair satisfies the approximation is: we thus need 31×3 = 93 pairs of plaintext and ciphertext to solve this probabilistic system, which is less than 255. The computational complexity of this attack is, however, higher than that of exhaustive key search, so it is not successful.
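A worked instance of Theorem 1 and equation (3), added here as an example that is not part of the original article: a Lagrange interpolation routine over GF(2^8) recovers the 9-term polynomial of the AES S-box from its 256 values, and for the one-round cipher y = S(x + k_1) + k_2 with constructed sample keys, 255 known pairs fix the degree-254 encryption polynomial, which then predicts the ciphertext of the one unused plaintext without any key recovery. The function names and the sample keys are assumptions of this example.

```python
def gf_mul(a, b):                      # product in GF(2^8) with the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

# multiplicative inverse table; 0 maps to 0, as in SubBytes
INV = [0] + [next(b for b in range(1, 256) if gf_mul(a, b) == 1) for a in range(1, 256)]

def aes_sbox(x):
    # field inverse, then the affine map (1): output bit i = b_i ^ b_(i+4) ^ ... ^ b_(i+7) ^ c_i, c = 0x63
    b = INV[x]
    rot = lambda r: ((b >> r) | (b << (8 - r))) & 0xFF   # rotate right by r, so bit i <- b_(i+r)
    return b ^ rot(4) ^ rot(5) ^ rot(6) ^ rot(7) ^ 0x63

def poly_eval(coeffs, x):              # Horner's rule; coeffs[i] multiplies x^i
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r

def lagrange_gf256(points):
    """Theorem 1 over GF(2^8): the unique polynomial of degree < n through n pairs (x_j, y_j), as a
    coefficient list. Each basis polynomial is P(x)/(x + x_j), P = prod (x + x_i), via synthetic division."""
    n, master = len(points), [1]
    for xi, _ in points:               # master *= (x + xi); in characteristic 2, minus is XOR
        master = [0] + master
        for k in range(len(master) - 1):
            master[k] ^= gf_mul(xi, master[k + 1])
    result = [0] * n
    for xj, yj in points:
        q = [0] * n                    # q = P(x) / (x + xj)
        q[n - 1] = master[n]
        for k in range(n - 1, 0, -1):
            q[k - 1] = master[k] ^ gf_mul(xj, q[k])
        scale = gf_mul(yj, INV[poly_eval(q, xj)])   # y_j / prod_{i != j} (x_j + x_i)
        for k in range(n):
            result[k] ^= gf_mul(scale, q[k])
    return result

def nonzero_terms(coeffs):
    return {i: c for i, c in enumerate(coeffs) if c}

def sbox_polynomial():                 # S-box through all 256 points: the 9-term expression
    return lagrange_gf256([(x, aes_sbox(x)) for x in range(256)])

def one_round(x, k1, k2):              # equation (3): y = S(x + k1) + k2
    return aes_sbox(x ^ k1) ^ k2

def interpolation_attack(k1=0x2B, k2=0x7E):   # constructed sample keys
    # 255 known pairs determine the degree-254 polynomial; it then predicts the unused plaintext 0xFF
    poly = lagrange_gf256([(x, one_round(x, k1, k2)) for x in range(255)])
    return len(nonzero_terms(poly)), poly_eval(poly, 0xFF) == one_round(0xFF, k1, k2)
```

Note that 255 of the 256 possible plaintexts are needed, which is exactly why the attack is pointless against the real S-box: the attacker must already know almost the whole codebook.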

RESULTS AND DISCUSSION
Jakobsen and Knudsen presented interpolation attacks in [4] as a reaction to ciphers using algebraically constructed S-boxes such as those proposed by Nyberg [6]. In fact, interpolation attacks were the first demonstration of successful polynomial-based algebraic attacks against block ciphers. Interpolation attacks work by expressing the relationship between the plaintext and ciphertext for a fixed key as one polynomial or as a vector of polynomials. If the degree of these polynomials is low enough, their coefficients can be interpolated from a number of plaintext/ciphertext pairs, and a key-dependent equivalent of the encryption or decryption algorithm has then been determined. In [4], upper bounds on the data complexity (the number of pairs required for known-plaintext interpolation attacks) are given for selected examples. In general, this number increases exponentially with the degree of the polynomial function describing the S-box, the number of rounds, and the number of elements in the internal state.
Since AES provides "full diffusion" after only two rounds, it can be considered resistant against the interpolation attack.