1. Introdution

In cryptography, an S-box consists of a look up table with the corresponding 8-bit word for each possible input in a non-linear transformation, in which the input byte is considered the address of the table (Rodriguez-Henriquez, Saqib, Díaz & Koc 2007). The S-box represents a bricklayer non-linear function that can be decomposed in several boolean functions operating independently on a subset of bits from the input vector (Daemen & Rijmen, 2002). If the functions are linear they are called D-boxes.

The operation of an S-box is as follows: when a transformation is required for a certain input, this input enters the S-box and points, or directs to the previously calculated output of its transformation and then the input is replaced, as shown in fig.1, where the value ai,j is substituted for the value bi,j as it passes through the S-box.

Figure 1.
Graphic representation of the use of an S-box

Due to their importance, S-boxes are chosen and designed to be resistant to cryptanalysis, in literature several proposals with different characteristics are found, some of them based on neural networks, like the framework for the design of S-boxes used in ciphers based on neural networks by Noughabi (Noughabi & Sadeghiyan, 2010) and “a new scheme for implementing s-box based on neural network” by X. Zhang (Zhang, Chen, Chen, & Cao, 2015), others that optimize existing boxes such as the high speed implementation of S. Oukili for the AES S-box (Oukili, Bri & Kumar, 2016) and low-area S-box implementation of Thomson (Thomson, Siva, & Priya, 2014); even new proposals such as the evolutionary design of S-Box of M. Yang (Yang, Wang, Meng & Han, 2011) and the based on chaotics maps of C. I. Rı̂ncu (Rı̂ncu & Iana, 2014).

This article presents a substitution of the S-box for another module that calculates the AES S-box outputs with the use of a neural network and the multiplicative inverse on Galois field 2⁸ (GF (2⁸)) of the input value to transform, or S-box input value.

Section 2 introduces the AES algorithm giving a brief introduction to history and a complete description of the Rijndael-AES algorithm, in this section under the subsection “The Round Transformation” highlights the sub-Bytes function that describe how the values of the S-box are calculated. Section 3 describes the proposed method, this includes the neural network topology and the approach for hardware implementation. The simulations are presented in section 4, this section is an explanation of the implementation, behavior and results in MATLAB and HSPICE. Finally conclusions are given in section 5.

2. AES, Advance Encryption Standard

Developed by Joan Daemen and Vincent Rijimen, Rijndael was finally chosen on October 2000 by the National Institute of Standards and Technology (NIST) among other encryption algorithms in an open process organized by the same institute on January 1997 to become the new Advanced Encryption Standard (AES) to replace Data Encryption Standard (DES) and triple-DES as encryption standard (Daemen & Rijmen, 2002). Following NIST specifications, AES is a symmetric block cipher algorithm with variable length of 128 bits, 192 bits and 256 bits, with a variable length key of 128 bits, 192 bits y 256 bits and easy on hardware and software implementation (Daemen & Rijmen, 2002).

Although it is common to talk about AES and Rijndael indistinctly, being Rijndael the selected algorithm for AES, there is a difference among them in the range of values supported by the block length and key length to use. In Rijndael, the block length and key length can be independently specified to any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. AES fixes the length block and the length key to 128, 192 o 256 bits only (Daemen & Rijmen, 1999).

Independently of technical differences in the length of block and key permitted, when talking about Rijndael or AES, we are talking about the same iterative block cipher algorithm. Inputs and outputs of Rijndael-AES are considered to be one-dimensional arrays of 8-bits. For encryption the input is a Plaintext block and a cipher key, and the output is a ciphertext block. For decryption the inputs is a ciphertext block and a cipher key, and the output is a Plaintext block (Daemen & Rijmen, 2002).

The cipher can be divided in two parts with different functionality: the transformation or encoding of the message, function called “The Round transformation” and denoted as “Round” and “FinalRound”, this encryption function is described in fig. 2 along with the functions that make it up, called steps; and the transformation of the key called “Key schedule” given by the function “KeyExpansion”.

Figure 2.
Flowchart of the AES encryption algorithm

The different transformation operates on an intermediate result called State which is represented as a rectangular array of bytes, with four rows and N_b number of columns

(1)

Similarly, the cipher key is represented as a rectangular array with four rows and Nk number of columns (Daemen & Rijmen, 1999), (Rodriguez-Henriquez et al., 2007), (Daemen & Rijmen, 2002), (Katz & Lindell, 2008), where

(2)

The number of rounds Nr depends on the values of N_band N_k as presented in the table 1. (Error 11: La referencia: Nk está ligada a un elemento que ya no existe)

Table 1.

Number Of Rounds N_r As Function Of N_b And N_k

2.1. The Round Transformation

As shown in the fig. 2, the round transformation is divided in Round and FinalRound. Round is formed by a sequence of four different and invertible mathematical transformations on GF(2⁸) which are called steps: 1) SubBytes, 2) ShiftRows, 3) MixColumn, 4) AddRoundKey (Daemen & Rijmen, 1999), (Rodriguez-Henriquez et al., 2007), (Daemen & Rijmen, 2002). The FinalRound is similar to round but without the MixColumns function.

2.1.1. subBytes.

It is a non-linear transformation where each input byte of the state matrix is replaced by another byte produced by the transformation. This Transformation is defined in two steps (Daemen & Rijmen, 1999):

• Multiplicative inverse:

  The input byte a is replaced by its multiplicative inverse x = a-¹ , with x = 0 for a = 0.

• Affine transformation:

  Defined by y = M × x ⊕ b, where M is a constant matrix of 8 × 8 bits, x represents the value to transform while b is a constant byte equal to 6316 (011000112 ) (Daemen & Rijmen, 2002).

The matrix representation of the transformation is shown in (3), where M is replaced by the constant matrix of 8×8 bits, x is expanded to the polynomial representation of a byte, starting with the most significant bit; and b the binary constant.

(3)

Another way to implement this transformation is to use the corresponding S-Box shown in fig. 3 replacing the input value (row, column) by the value that crosses them.

Figure 3.
AES S-box

The inverse operation, called InvSubBytes, consists of the use of the inverse S-Box of fig. 4 for each byte of the state.

Figure 4.
AES Inverse S-box

The inverse S-box is obtained by the applying the inverse of the affine transformation, shown in ec. 3 followed by taking the multiplicative inverse in GF(2⁸). The inverse of (3) is represented in (4) (Daemen & Rijmen, 2002).

(4)

2.1.2. ShiftRows

In ShiftRows, the rows of the state are shifted cyclically to the left in different proportions. Row 0 does not changes, but the remaining rows follow an offset of C₁ , C₂ and C₃ bytes respectively, this proportion depends only of the block length Nb (Daemen & Rijmen, 2002). The inverse operation, called InvShiftRows, consists in a cyclic shift of the three bottom rows over N_b − C₁ , N_b − C₂ y N_b − C₃ bytes respectively. The table 2 shows the value of C_n pereach possible N_b.

Table 2.

Shifted Bytes In Shiftrows Per Block Lenght

2.1.3. MixColumns

The MixColumns step is a bricklayer permutation operating on the state column by column. In Mixcolumns the state columns are considered as polynomials in GF (2⁸) and multiplied modulo x₄ + 1 with the fixed polynomial c(x) given by c(x) = (03₁₆ )x₃ + (01₁₆)x₂ + (01₁₆)x + 02₁₆ . This operation can be written as a matrix multiplication, let b(x) = c(x) a(x) mod x⁴ +1 as is show in (5)

(5)

The inverse of MixColumns is called InvMixColumns. It is similar to MixColumns. The transformation is performed by multiplying each column by the polynomial d(x) = (0B₁₆)x₃ + (0D₁₆)x₂ + (09₁₆)x + 0E₁₆, represented in (6) as a matrix multiplication (Daemen & Rijmen, 1999), (Daemen & Rijmen, 2002), (Parikh & Narkhede, 2016).

(6)

2.1.4. AddRoundKey

In this transformation the state is modified with the bitwise XOR operation with the round key derived from the cipher key and the function Key Schedule. The length of round key is equal to the block length N_b (Daemen & Rijmen, 1999). The inverse of AddRoundKey is called InvAddRoundKey, and is applied in the same way as AddRoundKey applying the keys in reverse order (Rodriguez-Henriquez et al., 2007).

2.2. Key Schedule

Consists in the expansion of the key and in the key selection round (Daemen & Rijmen, 2002). The key expansion specifies how the expanded key is calculated from the cipher key. The number of bits in the expanded key is equal to the block length multiplied by the number of rounds N_r plus one, generating a total of N_b × (N_r + 1) words, or N_r + 1 subkeys, one per each round (Bonadero, Liberatori, Bria & Villagarcı́a, 2005).

The cipher key is expanded inside of the Expanded key. Round keys are taken from Expanded key as follows: the first round key consists on the initial N_b words, the second on the subsequent N_b words, and so on (Daemen & Rijmen, 1999).

2.2.1 KeyExpansion.

Expanded Key is a four byte linear array denoted by W [N_b × (N_r + 1)]. The first Nk words contain the cipher key, while all other words are defined recursively. KeyExpansion depends of the N_k value and is calculated as in fig. 5, employing the functions subBytes, Rotbyte and Rcon (Daemen & Rijmen, 1999), (Daemen & Rijmen, 2002).

RotByte returns a word that results from a cyclical permutation from the input word, e.g., for an input {a,b,c,d} the output is {b,c,d,a}.

The constant Rcon is independent of N k and is defined in (7) as:

(7)

where RC[i] represents an element in GF (2⁸) with value x(i-1) such that:

(8)(9)(10)

Figure 5.
Flowchart diagram for KeyExpansion function

3. Proposed Method

The modification consists in substituting the AES S-box for an Artificial Neural Network (ANN) that solves the transformation using as input the corresponding multiplicative inverse value GF (2⁸) of the original S-box input value. To obtain the corresponding inverse a lookup table is used. The S-box is substituted for a module formed by a table with the inverse values obtained from (Pelzl & Paar, 2010), (Srebrny, Kościelny & Kurkowski, 2013) and a neural network as is shown in fig. 6. With this method two advantages are obtained, the first one is that the values of the S-box are hidden, and the second one is that it’s possible to change the values of the S-box just by a simply changing the weights.

Figure 6.
a) S-box representation. b) Representation of the S-box proposed

The neural network topology was proposed by means of observation. The transformation is performed bitwise, nevertheless another arrangement is also acceptable. The neural network consists of eight subnetworks, one per bit, each one as illustrated in fig. 7 is composed by seven perceptron neurons in three layers: input layer, hidden layer and output layer. Based on neural networks that perform AND and XOR behaviors each neuron has two inputs and a pulse activation function given by (11).

Figure 7.
Neural network with one bit output

(11)

The circuit implementation was developed in HSPICE which is an electric circuit simulator (synopsys, 2003), (Piuri, 1991). In hardware implementation, Operational Transconductance Amplifiers (OTA) are used as proposed in (Kawaguchi, Umeno & Ishii, 2014), (Ghosh, LaCour & Jackson, 1994) in order to manage current signals and simplify the sum of the synaptic weights.

The OTA is a voltage controlled current source (VCCS). Its main characteristics are high input impedance and high output impedance (Barclay & Wood, 1994), (Qing-Lin, Jian-You & Mei-Lun, 1991). The OTA macromodel is shown in fig. 8, where Vin₁ and Vin₂ are the voltage inputs, the voltage difference of these sources is reflected in nodes a and b.

Figure 8.
Macromodel for the Operational Transconductance Amplifier

The output current Iout is proportional to the difference between these voltages as in eqn. 12.

(12)

where g_m is the transconductance gain, V_in1 the positive input voltage, V_in2 the negative input voltage and I_out the output current.

The OTA is used to represent the neuron inputs, converting (in the input layer) or keeping (in the remaining layers) the input signal into a current signal and using the amplifiers gain (g_m) as the corresponding synaptic weight. The signals are summed by simply connecting the OTAs outputs to a wire line which is then the input to the activation function.

4. Simulations

The proposed network was simulated in Matlab, where it was tested and the expected operation for the S-box specified for AES was verified. An implementation using OTAs in HSPICE was performed, where the gain is equivalent to the corresponding weights. Simulating the electric behavior of the system. In the next subsections details of its implementation and results are given.

4.1. Simulation and Results in MATLAB

In the simulation the inverse value in GF(2⁸) was used as input of the system and the results were compared and verified with its corresponding S-box values. For a better visualization of the results, the binary values were converted to decimal and are presented in fig. 9 highlighting that the values obtained correspond to those expected with an error of 0%.

Figure 9.
Expected vs. obtained values. Inputs from 0 to 255

The synaptic weights used are shown in table 3, these values were obtained from neural networks with AND and XOR behaviors, hence there was no previous training of the network.

Table 3.

Synaptic Weight Values

4.2. HSPICE Implementation and Results

According to the structure proposed in fig. 7 the architecture shown in fig. 10 is implemented in HSPICE, where V1 through V8 represent the input signals, the weight, W, are represented by the transconductance of the OTAs, the sums are represented by linking the OTAs outputs, and finally the activation function described in (11) is applied (Error 7: La referencia: (11) está ligada a un elemento que ya no existe)

The structure in fig. 10 has one bit output, hence it’s necessary to replicate the structure in order to have an eight bit output. It should be noted that it is not necessary to replicate the voltage sources and their resistance, i.e. the inputs, only the current source, their resistance and the activation functions.

Figure 10.
S-box structure with 1 bit output

Circuit operation steps:

1. 1. The input value is placed in the voltage sources V1 through V8 for the S-box value that wants to be obtained.
2. 2. The voltage difference between nodes n11 and n12 is the voltage in source V1. This difference is multiplied by the gain (weight). This is repeated in voltage source V2 to V8.
3. 3. Since the outputs from the OTAs are given in current, they can be summed by joining them as follows:

   OTA1 output and OTA2 output are linked in Irl1

   OTA3 output and OTA4 output are linked in Irl2

   OTA5 output and OTA6 output are linked in Irl3

   OTA7 output and OTA8 output are linked in Irl4

4. 4. Activation function (11) is applied in Af1 through Af4. (Error 8: La referencia: (11) está ligada a un elemento que ya no existe)
5. 5. Af1 output is linked with Af2, and Af3 with Af4
6. 6. Activation function is applied in Af5 and Af6
7. 7. Af5 and Af6 outputs are linked
8. 8. Activation function is applied in Af7
9. 9. Af7 output corresponds to bit0

As mentioned previously, the structure is replicated to obtain the eight output bits, therefore the same steps are repeated to obtain bit1 to bit7.

To verify the circuit operation, tests were performed with the input values shown in table IV, the table displays some of the values found in the S-box and the result to those inputs, the next two columns show the input value for the proposed network which corresponds to the multiplicative inverse in GF(2⁸) and the result obtained from that input. The results obtained from the network are identical, thus the operation of the network is validated.

In figs. 11 and 12 the results obtained from the circuit for four inputs of the table are shown.

Figure 11.
Obtained result for input 00 16 and 80 16 in GF (28)

Figure 12.
Obtained result for input 34 16 and 11 16 in GF (28)

e.g. On the left side in fig. 11 the obtained result from the circuit to input 00 16 in GF(2⁸) is 63₁₆ , the result is verified in table 4. Similarly on the left side the result EC16 is obtained for an input 8016 in GF(2⁸).

Table 4.

Test Values For The Circuit Implemented In HSPICE

5. Conclusion

An implementation of an S-box using a neural network in MATLAB and HSPICE is presented, this neural network is based on the operations used to obtain the values of the S-box through 8 perceptron subnetworks and a lookup table with the inverse in GF(2⁸). Even if this method of calculating S-box values for AES does not present an advantage reducing resources, since storing the inverse values for each possible input represent hundred percent of the necessary resources to store the original S-box, the values computed by a neural network offers greater security by maintaining the transformation values hidden and using a distractor or an apparently S-box that contains the inverse values in GF(2⁸). The simulation results show that the implementation presents a null error, thereafter if the neural network were applied, it will not show changes in the results expected within the encryption algorithm because it simulates without error the operation of the S-box.

References

Barclay M. & Wood J., (1994) A SPICE macromodel for operational transconductance amplifiers. IEE Colloquium on Analogue Signal Processing, London, 1994, pp. 1/1-1/4.

Bonadero J., Liberatori M., Bria O. & Villagarcı́a-Wanza H. (2005) Expanción de la clave en rijndael: diseño y optimización en vhdl. In XI Workshop IBERSHIP.

Daemen J. & Rijmen V. (1999) AES proposal: Rijndael.

Daemen J. & Rijmen V. (2002) The design of Rijndael: AES - the Advanced Encryption Standard. Springer-Verlag.

Ghosh J., LaCour P. & Jackson S. (1994) Ota based neural network architectures with on-chip tuning of synapses. In Proceedings of 7th International Conference on VLSI Design, pages 71–76.

Katz J. & Lindell Y. (2008) Introduction to Modern Cryptography. Chapman & Hall/CRC cryptography and Network Security.

Kawaguchi M., Umeno M. & Ishii N. (2014) The two-stage analog neural network model and hardware implementation. In 2014 IIAI 3rd International Conference on Advanced Applied Informatics, pages 936–941.

Noughabi M. N. A. & Sadeghiyan B. (2010) Design of s-boxes based on neural networks. In 2010 International Conference on Electronics and Information Engineering, volume 2, pages V2–172–V2–178.

Oukili S., Bri S., & Kumar A. V. S. (2016) High speed efficient fpga implementation of pipelined aes s-box. In 2016 4th IEEE International Colloquium on Information Science and Technology (CiSt), pages 901–905.

Parikh P. & Narkhede S. (2016) High performance implementation of mixing of column and inv mixing of column for aes on fpga. In 2016 International Conference on Computation of Power, Energy Information and Commuincation (ICCPEIC), pages 174–179./

Pelzl J. & Paar C.. (2010) Understanding Cryptography - A Textbook for Students and Practitioners. Springer-Verlag Berlin Heidelberg, 1 edition.

Piuri V. (1991) The use of the electrical simulator spice for behavioral simulation of artificial neural networks. In 1991 Proceedings of the 24th Annual Simulation Symposium, pages 18–29.

Qing-Lin Sun, Jian-You Liu & Mei-Lun Liu, (1991) An improved nonlinear macromodel of OTA, 1991 International Conference on Circuits and Systems, Shenzhen, China. pp. 906-908 vol.2.

Rı̂ncu C. & Iana V. (2014) S-box design based on chaotic maps combination. In 2014 10th International Conference on Communications (COMM), pages 1–4.

Rodriguez-Henriquez F., Saqib N.A., Dı́az A., & Koc CK. (2007) Cryptographic Algorithms on Reconfigurable Hardware. US: Springer.

Srebrny M., Kościelny C. & Kurkowski M. (2013) Modern Cryptography Primer, Theoretical Foundations and Practical Applications. Springer-Verlag Berlin Heidelberg, 1 edition.

synopsys. (2003) HSPICE Simulation and Analysis User Guide.

Thomson K, Siva. N, & Priya S. (2014) Implementation of low-area s-box based on normal basis. In 2014 International Conference on Electronics and Communication Systems (ICECS), pages 1–4.

Yang M., Wang Z., Meng Q., & Han L. (2011) Evolutionary design of s-box with cryptographic properties. In 2011 IEEE Ninth International Symposium on Parallel and Distributed Processing with Applications Workshops, pages 12–15.

Zhang X., Chen F., Chen B., & Cao Z. (2015) A new scheme for implementing s-box based on neural network. In 2015 International Conference on Computational Science and Computational Intelligence (CSCI), pages 571–576.

Author notes

Jaime David Rios Arrañaga received the B. degree in Eng. in communications and electronics in 2014, currently pursuing a M.Sc. degree in electronics and computer science engineering at the University of Guadalajara. His current research is on cryptographic systems in reconfigurable hardware.

Janneth Alejandra Salamanca Chavarin received the B. degree in Eng. In communications and electronics in 2014, currently pursuing a M.Sc. degree in electronics and computer science engineering at the University of Guadalajara. Her current research interest is biological neural networks.

Juan José Raygoza Panduro Ph.D. in Computer Science and Telecommunications from Autonomous University of Madrid, Spain. He specializes in the design of digital architecture based on FPGAs, Microprocessors, VLSI, embedded system and bioelectronics, Neuroengineering. Research Professor at University of Guadalajara.

Edwin C. Becerra Alvarez Ph.D. degree in Microelectronics from University of Seville, Spain. His current research interests are on integrated CMOS design, transceiver design and embedded systems. Research Professor at CUCEI; University of Guadalajara

Alternative link

http://recibe.cucei.udg.mx/ojs/index.php/ReCIBE/article/view/77/75 (html)