ISSN 1995-0802, Lobachevskii Journal of Mathematics, 2013, Vol. 34, No. 4, pp. 316–318. © Pleiades Publishing, Ltd., 2013.
Application of Composition Primitive Polynomials for Implementation of Large-Scale S-Boxes
Hoang Duc Tho*
(Submitted by F. M. Ablayev)
Kazan Federal University, Kazan, Tatarstan, Russia
Received February 24, 2013
Abstract—In this paper, a method of constructing an algorithm for the implementation of large-scale S-boxes is proposed. The method is based on composition primitive polynomials over GF(2), which allows one to maximize the performance of a given S-box implementation on different platforms, or to minimize its complexity at a given speed.
DOI: 10.1134/S1995080213040136
Keywords and phrases: Cryptography, S-box, Finite Fields.
1. INTRODUCTION
The problem of developing algorithms for the implementation of large-scale S-boxes (n ≥ 16) that maximize the performance of a given S-box implementation on different platforms, or minimize its complexity at a given speed, is a topical one.
Currently, the known algorithms for the implementation of S-boxes are divided into hardware and software ones. Software-based algorithms most often represent the S-box as an array in memory (usually RAM) consisting of 2^n cells of n bits each, or compute the S-box "on the fly", as in the AES cryptographic standard [5]. In a hardware implementation, the S-box is either a ROM or a switching circuit implementing n Boolean functions, each of n inputs. In all of the above cases, increasing the dimension of the S-box leads to implementation problems: either an excessive increase in the required amount of memory (number of logic elements), or a significant increase in the time needed to compute the S-box output values.
In this regard, it is necessary to study the possibility of constructing algorithms for the implementation of large-scale S-boxes that maximize the performance of a given S-box implementation on different platforms, or minimize the complexity of its realization at a given speed.
2. SOLUTIONS
To implement a set of linearly (affinely) equivalent S-boxes having linear characteristics [3, 4], one can use the linear (affine) equivalence property
B^{-1} S_1(Ax ⊕ a) ⊕ b = S_2(x), ∀x ∈ {0, 1}^n, (2.1)
where A, B are nonsingular square matrices [1]. According to [2], the complexity of a software implementation of multiplying a vector by a matrix consists of n^2 logical multiplications, n(n − 1) logical additions, sn selections of binary digits and additions, as well as O(n) operations in the transition from the vector to the result of the multiplication, where s is the word length of the processor. A hardware implementation of expression (2.1) is shown in Figure 1. It uses no fewer than 2n^2 + 2n memory elements and the same number of logic elements.
When the S-boxes should have large nonlinearity, the major problem is how to implement the simplest representative S_1 of the required set of affinely equivalent S-boxes. For large n, searching for the simplest S-box is complicated. Therefore, we shall consider specific solutions.
*E-mail: [email protected]
[Figure 1: circuit diagram. Inputs x_{n-1}, ..., x_1, x_0 pass through the matrix A (entries a_{ij}) and constants a_i into S_1, then through the matrix B (entries b_{ij}) and constants b_i, with XOR gates, giving the outputs S_2(x_{n-1}), ..., S_2(x_1), S_2(x_0).]
Fig. 1. Schema of hardware implementation of S-box.
[Figure 2: two Input/Output tables of S-box values for inputs 0, 1, 2, ..., 255, with outputs listed in binary and in hexadecimal; the table contents are not recoverable from the extracted text.]
Fig. 2. S-boxes are received by reversal of the field elements modulo h(x) and H(x).
To implement large-scale S-boxes in the construction of symmetric ciphers, by analogy with the S-box of AES, primitive polynomials of the appropriate degree with coefficients from GF(2), as shown in the left side of the table, are used. However, when the degree is n ≥ 16, problems arise in implementation: either a large amount of RAM is required, or the computation time of the inverse value exceeds all admissible limits.
Another specific solution of the problem can be obtained by applying composition primitive polynomials, as shown in the right side of the table.
Parameters of S-boxes received using h(x) and H(x) polynomials

                                               Generator of GF(2^8) for AES       Generator of GF(2^(4*2))
                                               3                                  4
Polynomials                                    h(x) = x^8 + x^4 + x^3 + x^2 + 1   h(x) = x^4 + x + 1; H(x) = x^2 + 3x + 4
Nonlinearity of the S-box received by the      112 (modulo h(x))                  112 (modulo H(x))
reversal of field elements [3, 4]
Value of the maximum differential [3, 4]       4                                  4
Value of the maximum linear analogue [3, 4]    16                                 16
An example of obtaining S-boxes with the application of primitive polynomials with coefficients from GF(2) and GF(2^m) is presented in Figure 2.
The operations of inversion, multiplication and addition of polynomials modulo the composition polynomial can be performed much faster and with a smaller amount of memory [2].
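The following is an added worked example, not code from the paper: it builds the composition field GF((2^4)^2) from the table's right column, h(x) = x^4 + x + 1 over GF(2) and H(y) = y^2 + 3y + 4 over GF(2^4), derives the 8-bit S-box by inversion modulo H(y) as in Figure 2, and measures the invariants the table reports (maximum differential 4, nonlinearity 112). It assumes the coefficients 3 and 4 of H(y) denote x + 1 and x^2 in the polynomial basis of GF(2^4), that an element a_1·y + a_0 is packed into a byte as (a_1 << 4) | a_0, that 0 is mapped to 0 as in the AES core, and that the table's "maximum linear analogue" is max|W|/2 of the Walsh spectrum; the inversion routine shows the memory saving the text describes, since it needs only a 16-entry inverse table for GF(2^4) instead of a 256-entry table.

```python
# Added example (not from the paper): composition-field S-box for
# h(x) = x^4 + x + 1 over GF(2) and H(y) = y^2 + 3y + 4 over GF(2^4).

H_POLY = 0x13            # h(x) = x^4 + x + 1 as a bit mask
BETA, GAMMA = 0x3, 0x4   # assumed encoding: 3 = x + 1, 4 = x^2 in GF(2^4)

def gf16_mul(a, b):
    """Multiply two GF(2^4) elements (4-bit ints) modulo h(x)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= H_POLY
    return r & 0xF

# The only table the inversion needs: 16 entries instead of 256.
GF16_INV = [0] * 16
for v in range(1, 16):
    GF16_INV[v] = next(w for w in range(1, 16) if gf16_mul(v, w) == 1)

def gf256_mul(a, b):
    """Multiply A = a1*y + a0 and B = b1*y + b0, packed as (a1 << 4) | a0, modulo H(y)."""
    a1, a0, b1, b0 = a >> 4, a & 0xF, b >> 4, b & 0xF
    c2 = gf16_mul(a1, b1)
    c1 = gf16_mul(a1, b0) ^ gf16_mul(a0, b1)
    c0 = gf16_mul(a0, b0)
    # reduce y^2 = BETA*y + GAMMA (characteristic 2, so no signs)
    return ((c1 ^ gf16_mul(c2, BETA)) << 4) | (c0 ^ gf16_mul(c2, GAMMA))

def gf256_inv(a):
    """Invert A = a1*y + a0 as conj(A) / N(A). The conjugate (other root of H)
    is a1*y + (a0 + a1*BETA) and the norm N(A) = a1^2*GAMMA + a1*a0*BETA + a0^2
    lies in GF(2^4), so only 4-bit arithmetic and GF16_INV are needed. 0 -> 0."""
    a1, a0 = a >> 4, a & 0xF
    norm = gf16_mul(gf16_mul(a1, a1), GAMMA) ^ gf16_mul(gf16_mul(a1, a0), BETA) ^ gf16_mul(a0, a0)
    ninv = GF16_INV[norm]
    return (gf16_mul(a1, ninv) << 4) | gf16_mul(a0 ^ gf16_mul(a1, BETA), ninv)

def composite_sbox():
    """8-bit S-box obtained by inversion modulo H(y) (right column of the table)."""
    return [gf256_inv(x) for x in range(256)]

def differential_uniformity(sbox):
    """Largest difference-distribution-table entry over nonzero input differences."""
    n = len(sbox)
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def max_walsh(sbox):
    """Largest |Walsh coefficient| over nonzero output masks (fast Walsh-Hadamard transform)."""
    n = len(sbox)
    best = 0
    for b in range(1, n):
        f = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(n)]  # (-1)^<b,S(x)>
        h = 1
        while h < n:
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
            h *= 2
        best = max(best, max(abs(w) for w in f))
    return best

def nonlinearity(sbox):
    """Distance to the nearest affine function: 2^(n-1) - max|W|/2."""
    return len(sbox) // 2 - max_walsh(sbox) // 2

if __name__ == "__main__":
    S = composite_sbox()
    print("bijective:", len(set(S)) == 256)
    print("max differential:", differential_uniformity(S))   # 4
    print("max linear analogue:", max_walsh(S) // 2)          # 16
    print("nonlinearity:", nonlinearity(S))                    # 112
```

Because the packing of a_1·y + a_0 into a byte is GF(2)-linear and GF(2^4)[y]/(H(y)) is a field of 256 elements, this S-box is linearly equivalent (in the sense of (2.1)) to inversion modulo the AES polynomial, and the differential and linear measures computed above are invariant under that equivalence, which is why both columns of the table agree.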
3. CONCLUSION
Thus, applying composition polynomials in GF(2^(m*n)) to the problem of constructing large-scale S-boxes allowed us to set an optimization problem. By changing m and n depending on the platform, it becomes possible to trade computation time for the amount of RAM and vice versa [3].
REFERENCES
1. A. Biryukov, C. De Cannière, A. Braeken, and B. Preneel, A toolbox for cryptanalysis: Linear and affine equivalence algorithms, in Advances in Cryptology—EUROCRYPT 2003, volume 2656 (Springer, 2003).
2. A. A. Bolotov, A. B. Frolov, A. A. Chasovskikh, and S. B. Gashkov, An elementary introduction to elliptic cryptography: protocols of elliptic curve cryptography (Moscow, 2011).
3. V. V. Yashchenko, O. A. Logachev, and A. A. Salnikov, Boolean functions and coding theory and cryptography (Moscow, 2004).
4. E. D. Mahovenko and A. G. Rostovtsev, Theoretical cryptography (St. Petersburg, 2005).
5. M. A. Ivanov and O. S. Zenzin, Advanced Encryption Standard–AES: Finite Fields (Moscow, KUDITS-IMAGE, 2002).