rk-aes: an improved version of aes using a new key

Research ArticleRK-AES An Improved Version of AES Using a New KeyGeneration Process with Random Keys

Rahul Saha 1 G Geetha 1 Gulshan Kumar 1 and Tai-hoon Kim2

1Lovely Professional University Jalandhar-Delhi GT Road Phagwara Punjab India2Department of Convergence Security Sungshin Womenrsquos University Seongbuk-gu 02844 Republic of Korea

Correspondence should be addressed to G Geetha gitaskumaryahoocom

Received 4 July 2018 Revised 12 October 2018 Accepted 25 October 2018 Published 6 November 2018

Academic Editor Clemente Galdi

Copyright copy 2018 Rahul Saha et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Advanced Encryption Standard (AES) is a standard algorithm for block ciphers for providing security services A number ofvariations of this algorithm are available in network security domain In spite of the strong security features this algorithm has beenrecently broken down by the cryptanalysis processes Therefore it is required to improve the security strength of this algorithm asAES is popular in commercial use In this paper we have shown the reasons of the loopholes in AES and also have provided asolution by using our Symmetric Random Function Generator (SRFG) The use of randomness in the key generation process inblock cipher is novel in this domain We have also compared our results with the original AES based upon some parameters suchas nonlinearity resiliency balancedness propagation characteristics and immunityThe results show that our proposed version ofAES is better in withstanding attacks

1 Introduction

Cryptology is an important domain of security measure forproviding confidentiality authentication and other services[1] It contains two major parts as cryptography and crypt-analysis With the progress of technology where the newcryptographic algorithms are emerging the cryptanalysisprocesses are also getting improved to countermeasure thosemore secure algorithms are getting developed So the cyclicprocess of cryptography and cryptanalysis goes onThe trendof converging to IoT exhibits an urge of improving thecryptographic algorithms for applications to be secure [2 3]Cryptographic algorithms are broadly categorized in twoways (a) block ciphers and stream ciphers depending uponthe format of the message processing (b) symmetric andasymmetric depending upon number of keys used for thealgorithms [1] Designing such algorithms is another concernwhere a number of principles are needed to be maintainedsuch as key size message size number of rounds roundfunction and so onThe selection of key and its size is amajorconcerning factor in cryptography A weak key can revealthe plaintext message with least time Though we know thatcryptographic algorithms face brute-force attacks problems

brute-force is not considered as its complexity is higher thanany other process of cryptanalysis The objective of a thirdparty attacker is to break the ciphertext code or to revealthe key or part of the key to get access of the plaintext Sothe weak keys must be avoided in the algorithms Further itmay happen that the previously considered strong key is nowmade weak by the sophisticated technology or large com-putational abilities of the attackers So the need of strengthanalysis towithstandwith attacksmakes the evolving changesin the cryptographic algorithms

Cryptographic algorithms primarily depend on the struc-ture of the algorithms and their corresponding functions [4]Apart from using basic gates such as AND OR NOT andXOR in the algorithms researchers also have shown somespecialized Boolean functions for the symmetric propertyThe generic Boolean functions have created the basic func-tionalities of generating any cryptographic function How-ever the technology progress and enhancing computationalability of the attackers have urged a need of introducingnew features in the function generators so that they canprovide more strength to the ciphers Physical UnclonableFunctions (PUFs) [5 6] are providing solutions for this butas per the cryptographic features requirements PUFs are

HindawiSecurity and Communication NetworksVolume 2018 Article ID 9802475 11 pageshttpsdoiorg10115520189802475

2 Security and Communication Networks

not efficient for cryptographic algorithms Further PUF isapplicable for FPGA implementation as it is more hardwareorientedThough the objective of the presented approach andPUF is same their orientation and process is totally differentMoreover it has been shown that PUF is used as seedwhich again leads to the tendency of pseudorandomness inkey generation process which is not desirable Balancednessnonlinearity resiliency immunity correlation and propaga-tion characteristics are some of the important parameters toevaluate the strength of the ciphers In this paper we haveconsidered Advanced Encryption Standard (AES) for ourexperimentation of randomness feature We have attributedthe key generation module of AES undergoing through ourSymmetric Random Function Generator (SRFG) [7] Wehave evaluated the modified AES with the parameters saidabove

The rest of the paper has been organized as followsSection 2 summarizes the various attacks on AES algorithmSection 3 describes the original AES algorithm Section 4shows the proposedmodification for AES and in Section 5 wehave explained its properties Section 6 analyses the securityand Section 7 compares the related results Finally Section 8concludes the paper

2 Related Work

One of the most popular and commercialized algorithmsis AES This algorithm provides the encryption for websecurity processes as used by different applications such ase-commerce router applications andWiFi security Being sorigorously used in real life applications AES faces a numberof attacks Some of the recent attacks are mentioned below

A new kind of fault base attack has been proposed in[8] which uses zero valued sensitivity model for maskedAES Combining the Faulty Sensitivity Analysis (FSA) andzero valued sensitivity the proposed method of cryptanalysisis able to break code of the S-boxes in masked AES Theattack procedure shows that the zero value input of S-boxreveals the key eventually The authors in the paper [9]have shown a differential faulty approach used in the mixcolumn component of AES The results show that AES-128is breakable by such process only using two faulty inputs ofciphertexts This attack has been proved better as comparedto other differential attacks on AES as shown in [10ndash12]Another improved version of faulty attack on AES has beenexecuted in the paper [13] The authors show that a singlerandom byte fault at the input of the eighth round of theAES algorithm is sufficient to deduce the block cipher keySimulations show that when two faulty ciphertexts pairsare generated the key can be exactly deduced without anybrute-force search The minimal fault against AES has beenused in [14] The authors show that AES-192 is breakableby using two pairs of correct and fault ciphertexts whereasAES-256 is broken by using three pairs of correct and faultciphertexts The work shown previously in [13] was havinga key space of 232 which has been reduced by the authors in[15] Key recovery attacks onAES have been described in [16]In this paper the authors have shown practical complexitybased attacks against AES-256 The use of two related keys

and 239 time complexity has been proved to be sufficientto recover the complete 256-bit key of a 9-round versionof AES-256 Another attack works on 10 round version ofAES-256 in 245 time complexity An improved version of theprevious related key attack has been shown in [17] againstround transformation and key expansion module in AESThe round has been now minimized from 9119905ℎ to 7119905ℎ whichmeans that AES is vulnerable even for the starting roundsThe complexity of the attack has also been reduced from 2192to 2104 Another voltage based fault induction method hasbeen introduced in [18]The authors show a fault model for aconstantly underfed RISC CPU The faults are described interms of position recurring patterns and timing then thecorresponding errors induced in the computation outcomesare specified The model also support multibit patterns Theuse of biased faults also provides an efficient way to for faultinjection attacks in cryptanalysis Such a procedure has beenshown in [19]

A collision based attack against AES-192256 has beenshown in [20] The authors have used 4-round distinguisherfor 7-round reduced AES In the paper [21] the authorshave used variable key for AES sing pseudorandom numbergenerator for providing better security to the algorithmbut the approach faces the problem of using biased keysagainst AES rounds Biased keys are able to reveal thepseudorandomness of the approach and the key is deducedfurther by applying differential methods or fault injectionas shown before Multiple deductions-based algebraic tracedriven cache attack on AES has been shown in [22] Thebehaviour of the cache reveals the input whole or partiallySame input to a particular module and the changes of thecache properties are the key features of this approach Theauthors have identified the causes of a bias fault and alsohave compared different biased fault attacks introduced tillQuantum related key attacks have been shown in [23]

A solution to the fault based injection attacks has beenprovided in [24] The proposed scheme is independent ofS-box and inverse S-box and achieves more than 95 faultcoverage A recent approach against fault injection or faultanalysis has been shown in [25] It combines the principles ofredundancy with that of fault space transformation to achievesecurity against both DFA and DFIA based attacks on AES-like block ciphers

After surveying the attacks on AES it is obvious thatfault injection attacks are more efficient in revealing thekey in AES Such fault injections are using the biasedinput too to distinguish the subkeys or other parts of thealgorithm Moreover as AES is depending upon finite fieldoperations of 8-bit bytes the attacks are also executablewith finite quantified complexities as we have seen aboveThe biased inputs along with fault bytes create error in theprocess and those are denoted for performing differentialanalysis or linear analysis Eventually the key is revealedTherefore to overcome such problems we have introducedthe randomness and the balanced symmetric feature in thefunctional output specifically in the keys We have namedthismodifiedAES asRandomKeyAES (RK-AES) As a resulteven though attackers are deducing a part of key or injecting a

Security and Communication Networks 3

＜00 ＜01 ＜02 ＜03

＜10 ＜11 ＜12 ＜13

＜20 ＜21 ＜22 ＜23

＜30 ＜31 ＜32 ＜33

Figure 1 State matrix representation

biased fault the fault will be converted to a symmetric outputrather than revealing the original key or plaintext

The main contributions of our research work are asfollows

(1) Use of randomness in key generation process of AES(2) Confirming high nonlinearity resiliency balanced-

ness propagation and immunity in key generationprocess

(3) Ensuring high confusion and avalanche effect in keygeneration

3 AES Algorithm

The Advanced Encryption Standard (AES) [26] was pub-lished by the National Institute of Standards and Technology(NIST) in 2001 AES is a symmetric block cipher where asingle key is used for both encryption and decryption processThe input and output for the AES algorithm each consist ofsequences of 128 bits The key used in this algorithm consistsof 128 192 or 256 bits AES operates on 8-bit bytes Thesebytes are interpreted as the elements of finite field using thefollowing polynomial representation

119891 (119909) = 119887119899minus1119909119899minus1 + 119887119899minus2119909119899minus2 + sdot sdot sdot + 1198871119909 + 1198870 = 119899minus1sum119894=0

119887119894119909119894 (1)

where each 119887119894 is having the value of 0 or 1The 128-bit input block of AES is arranged in a state

matrix of size 4 times 4 as shown in Figure 1 The elements of thematrix are represented by the variable 119887119894119895 where 0 le 119894 119895 le 3and ij denotes the row and column number respectivelyDepending upon the size of the bits in keys variables roundsare allowed for AES For our experimentation we have usedkey size of 256-bit concept and therefore the number ofrounds used is 14 rounds represented as 119873119903 Key schedulingalgorithm is also used in AES to provide keys to each of therounds The design of the key scheduling algorithm is suchthat the revealing any round key deduces the original inputkey from which the round keys are derived The input statematrix is processed by the various round transformsThe statematrix evolves as it passes through the various steps of the

cipher and finally produces the ciphertext Each round inAESfollows the following steps

SubBytes This is a nonlinear step in the AES It uses an S-boxapplied to the bytes of the state matrix Each byte of the statematrixes is replaced by its multiplicative inverse followed byan affine mapping as follows

1198871198941015840 = 119887119894 oplus 119887(119894+4) 119898119900119889 8 oplus 119887(119894+5) 119898119900119889 8 oplus 119887(119894+6) 119898119900119889 8oplus 119887(119894+7) 119898119900119889 8 oplus 119888119894 for 0 le 119894 lt 8 (2)

where 119887119894 is the 119894119905ℎ bit of the byte and 119888119894 is the 119894119905ℎ bit of a byte 119888with the value 63 or 01100011Thus the input byte 119909 is relatedto the output 119910 of the S-box by the relation 119910 = 119860119909minus1 + 119861where 119860 and 119861 are constant matrices [27]

Shift RowsThe last three rows of the state matrix is rotated bya certain number of byte positions It is executed as follows

1199041015840119903119888 = 119904(119903(119888+119904ℎ119894119891119905(119903+119873119887))119898119900119889 119873119887)for 0 lt 119903 lt 4 119886119899119889 0 lt 119888 lt 119873119887 (3)

where 119873119887 is the number of words in the state matrix (eachcolumn in the state matrix is considered as word) In AES119873119887= 4 always as the input size is 128 bits and arranged in statematrix of size 4 times 4 Each cell in the state matrix is denoted ass with the index of row 119903 and column 119888MixColumns This transformation operates on the statematrix column-by-column considering each column as afour-term polynomials over GF (28) and multiplied modulo1199094+1 with a fixed polynomial a(x) given by

119886 (119909) = 03 1199093 + 01 1199092 + 01 1199091 + 02 (4)

The multiplication process with the columns of state matrixis given by

1199041015840 (119909) = 119886 (119909) otimes 119904 (119909) (5)

where otimes is multiplication modulo of polynomials and s(x) isa state in the state matrix

AddRoundKey In this process a round key is added to thestate by a simple bitwise XOR operation Each round key ishaving the size of Nb words from the key scheduleThose119873119887words are each added to the columns of the state matrix tosatisfy the following condition

[11990410158400119888 11990410158401119888 11990410158402119888 11990410158403119888] = [1199040119888 1199041119888 1199042119888 1199043119888]oplus [119908119903119900119906119899119889times119873119887+119888]

for 0 le 119888 lt 119873119887(6)

where oplus is the bitwise XOR and round is the round numberat which round key is added and 0 le 119903119900119906119899119889 lt 119873119903

All these steps are performed for each of the round inthe AES excluding the last round In the last round the


Plaintext

Add round key

Substitute bytes

Shi rows

Mix columns

Add round key

Roun

d 1

to 1

3

14th round

Substitute bytes

Shi rows

Add round key

Ciphertext

Figure 2 Round function steps in 14-round AES

MixColumn step is not performed For a 14-round AES theround function process is shown in Figure 2 One of theimportant parts of the round function stages is adding ofround keys as these keys are generated by the key expansionroutine The key expansion generates a total of 119873119887(119873119903 + 1)words the algorithm requires an initial set of Nb words andeach of the 119873119903 rounds requires 119873119887 words of key data Theresulting key schedule consists of a linear array of 4-bytewords denoted by [119908119894] 0 le 119894 le 119873119887(119873119903 + 1) It uses afunction SubWord () that takes these 4-byte words as inputand applies S-box to each of these words Another functionRotword () is used to perform a circular permutation Theround constant array Rcon[i] contains the values specified as[119909119894minus1 00 00 00] with 119909119894minus1 powers of 119909 in the followingequation

119877119888119900119899 [119894] = 119909(119894minus4)4mod (1199098 + 1199094 + 1199093 + 119909 + 1) 119908ℎ119890119903119890 119894 119894119904 119905ℎ119890 119888119906119903119903119890119899119905 119903119900119906119899119889 (7)

The key expansion routine for 256-bit keys (119873119896= 8) is slightlydifferent than for 128- and 192-bit keys If119873119896 = 8 and i-4 is amultiple of119873119896 then SubWord () is applied to w[i-1] prior tothe XOR119873119896 is the number of 32-bit words of a key

4 RK-AES

Themain problem in the key expansion of the AES algorithmis that the words 119908119894 generated from the original key arerelated to each other If any word is traceable the overallkey is deduced by the differential method or liner methodsof cryptanalysis Though the XOR operation S-boxes andthe shifting in 119892 function shown in Figure 3 are providingthe confusion characteristics to the algorithm the reverseengineering process can easily get back to the original keyspace Moreover the biased inputs in the key space revealthe differences between the words to partially gain the keyspace To solve this problem in AES we have modified thekey expansion module of AES with Symmetric Random

Function Generator (SRFG) [7] SRFGproduces the symmet-ric balanced output in the sense of the number of 1rsquos and0rsquos in the output string irrespective of the input string Itoutputs a combined function comprised of universal GATEs(ANDOR NOT and XOR)The expression for the proposedcombined function generator is given as

119891119888 = otimes119891119871119894 (8)

where i = 1 2 4 four universal GATES AND OR NOTand XOR L represents the expression length (number ofterms in the combined function 119891119888) and otimes represents therandom combination In our experiments we have used L =5 To emphasize the randomness in such combined functiongenerator the above equation can be further expressed interms of119873 input variablesrsquo randomness in selection as shownin (2)

119891119888 (1198811 1198812 119881119873) = otimes119891119871119894 [rand (1198811 1198812 119881119873)] (9)

For our experimentation the above equation is rewritten as

119891119888 (1198811 1198812) = otimes1198915119894 [rand (1198811 1198812)] (10)

The main objective of adding SRFG in AES is to enable thekey expansion module with some randomness feature Thiswill help to prevent deducing the words of keys even thoughpartial key is in hand The modified key expansion modulehas been shown in Figure 4 the changes are highlighted inyellow colour The randomness of SRFG has been used inthree parts first in the function of g secondly the recursiveword generation from key spaces and thirdly but mostprominently addition of 119877119862119894 and SRFG for generating thewords from 1199080 to1199087 According to Figure 4(a) each columnin the key space is considered as119908119894 wordAs the key size is 256bits we shall have eight words 1199080 1199081 1199082 1199083 1199084 1199085 1199086 1199087in the very first step The 8119905ℎ word ie 1199087 is going througha function 119892 This function is also using SRFG just beforethe output of the function as in Figure 4(b) The outputof 119892 is then used to generate the other words processingthrough a series of SRFGs The same process is repeatedtill we get the required number of words for the 14 roundsin AES For the decryption process we have saved thegenerated words and used them reversely with the ciphertextto get back to the plaintext In future we shall work upondirect transmission of the keys rather than storing them fordecryption

5 Feature Analysis of RK-AES

We have emphasized the key generation module of AES-14round so that the effect of biased inputs in the key bytes canbe removed from deducing the overall key bytes The keysare deducing if the cryptanalysis process is able to infer alinear or differential equation out of thewords generated fromthe key expansion module For the cryptanalysis processit is not always necessary to have the whole key in handrather a single part of key if in the capture the relationshipbetween different words is sufficient in revealing the overallkey space With the progress of cryptanalysis technologies


g

g

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59

(a) Word key generation

W

S S S

0 00

S

g

03

3210

21

２Ｄ

1 2

3 0

７

(b) g function

Figure 3 Key expansion for 14-round AES

g

g

is representing SRFG here

0 0 0２ i

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

SRFG

3210

２Ｄ

1 2

3 0

７

0321

(b) g function

Figure 4 Proposed key expansion for 14 round AES

generating such relations or deducing keys from subkeys isgetting faster with less complexity as we have seen in theliterature review We have identified some of the parametersfor our proposed key-expansion module for RK-AES such asnonlinearity balancedness resiliency propagation criterionand immunity Each word 119908119894 in the key space is comprisedof 32 bits (4 bytes) which is considered as 32-bit word vectorin our experimentation Let B2 be the set of all symmetricrandom combined functions on two variables of all thefunctions from 11986522 into 1198652 where 11986522 = (1199081 1199082) | 119908119894 isin 1198652 1198652

is the finite field of two elements 0 1 and oplus is any operationof the field 1198652

Any combined function119891119888 isin B2 of five terms is expressedas a polynomial which is basically termed as AlgebraicNormal Form (ANF) of the function and given as

119891119888 (1199081 1199082) = oplus 120582119906( 2prod119894=1

rand (119908119894)119906119894)119904

120582119906 isin 1198652 119906 isin 11986522 119886119899119889 119871 isin Z

(11)


120582119906 = oplus119891119888 (V) 119908 ⪯ 119906 forall119908119894 = 1199081198941 1199081198942 11990811989432 (12)

where

(1199081198941 1199081198942 11990811989432) ⪯ (1199061 1199062 11990632)119894119891119891 forall119894 119895 119908119894119895 le 119906119894 119886119899119889 119895 = 1 2 32 (13)

The output of 119891119888 depends on the weight of its input variables(number of 1s in the variable) As a result 119891119888 corresponds to afunction 119892119888 0 1 32 997888rarr 1198652 such that forall119909 isin 11986522 119891119888(119909) =119892119888(119908119905(119909)) The sequence 119892119888(119891119888) = (119892119888(0) 119892119888(1) 119892119888(32))for 32-bit word vector is considered as simplified value vectorof119891119888 To establish the relation between simplified value vectorand arithmetic normal form (11) can be rewritten as shownin (13)

119891119888 (1199081 1199082) = oplus120582119891 (119895) oplus ( 2prod119894=1

rand (119908119894)119906119894)119871

(14)

= oplus120582119891 (119895)X119895119873 (15)

where 120582119891(119895) 119906 isin 11986522 and 119871 isin Z 119895 = 1 2 X119895119873 isthe elementary polynomial of degree 119895 with 2 variables Thecoefficients of arithmetic normal form of 119891119888 are representedby 32-bit vector 120582(119891119888) = 120582119891(0) 120582119891(1) 120582119891(32) calledsimplified vector of ANF of 11989111988851 Nonlinearity Nonlinearity is an important design char-acteristic for cryptographic functions used in cryptographicalgorithms to prevent different types of correlation or linearattacks or even related attacks This feature is depending onthe bits of the word vectors 119908119894 119908119894 is also considered as theaffine transformations of the functions generated from theSRFG used The nonlinearity is calculated by the hammingdistance between two affine transformations For exampletwo word are 119908119894 and 119908119895 of 32 bits each

N119897 (119908119894119896 119908119895119896) =119899sum119896=1

119908119894119896 = 119908119895119896 119908ℎ119890119903119890 119899 = 32 (16)

Each of the rounds in AES is using 4 words (128 bits) assubkeys The nonlinearity between two subkeys used for anytwo rounds 119903119894 119903119895 can be measured as

N119897 (119903119894 119903119895) = 119899sum119896=1

119903119894119896 = 119903119895119896 119908ℎ119890119903119890 119899 = 128 (17)

52 Balancedness Balanced property of our proposed keyexpansion function 119891119888 exists if its simplified value vector 119892119888follows the following condition

forall119894 = 1 2 119892119888 (119894) = 119892119888 (2 minus 119894) ⊞ 1

119908ℎ119890119903119890 ⊞ 119894119904 119904119906119898 119900V119890119903 1198652(18)

The above equation also provides the feature of trivial bal-ancedness corresponding to symmetric functions Therefore119891119888 verifies the condition 1198631119891119888 = 1 The functions having1198631119891119888 = 1 do not exist for even values of 119899 (here n = 32 forwords and n = 128 for rounds) because for any word vector119908 such that 119908119905(119908) = 1198992 (where119908119905(119908) is the weight of wordvector defined as number of 1s in it) we can calculate the1198631119891119888as

1198631119891119888 = 119891119888 (119908) ⊞ 119891119888 (119908 + 1) = 119892119888 (1198992) ⊞ 119892119888 (1198992) = 0 (19)

53 Resiliency The correlation between the output of the keyexpansion function and a small subset of its input variablesleads to the correlation attack [28] linear or differentialcryptanalysis [29] Therefore it is necessary for the keyexpansion function to achieve the high resiliency property Afunction 119891119888 of119873 variables each of having 119899 bits is m-resilientif it remains balanced when any 119898 input variables are fixedand remaining (119899 minus 119898) bits are altered The function is moreresilient if119898 is higher The property of resiliency is related tothe weights of the restrictions of the 119891119888 to some subspacesforall119891119888 isin 1198612 and any affine any subspace S sub 11986522 therestriction of 119891119888 to S is the function given as

119891S S 997888rarr 1198652 (20)

119909 997888rarr 119891119888 (119909) forall119909 isin S (21)

where 119891S can be determined by the with a function ofdim(S) variables The subspace S is spanned by 119896 canonicalbasis vectors and its supplementary subspace is S Therestrictions of 119891119888 to S and to all its cosets are given bya+ S where 119886 isin S Being 119891119888 symmetric and balancedS is represented as S = (1199041 1199042 119904119896) and 119891119886+S becomessymmetric and balanced too Moreover for all 119904 isin S we canwrite the following

119891119886+S (119904) = 119891 (119886 + 119904) = 119892119888 (119908119905 (119886) + 119908119905 (119904)) (22)

which actually depends upon the weight of 119904 when 119886 is fixedThe simplified value vector and the simplified ANF vector of119891119886+S can be deduced from 119891119888 as given below

119892119888119891119886+S (119894) = 119892119888 (119894 + 119908119905 (119886)) forall119894 0 le 119894 le 119896 (23)

120582119888119891119886+S (119894) = oplus120582119891 (119894 + 119895) forall119894 0 le 119894 le 119896 119886119899119889 119895 ⪯ 119908119905 (119886) (24)

54 Propagation Criterion Propagation criterion is deter-mined by the cryptographic properties of the derivatives ofthe functions For the efficiency of a cryptographic functionthe function needs to propagate its properties to all itsderivatives All derivatives of the key expansion function arelinearly equivalent when they have a fixed hammingweight of1198992 [7] Our proposed approach of key expansion N variablesapplied from our previous work [7] satisfies the propagationcriterion of degree k and order m if any affine functionobtained from the outputs by keeping 119898 input bits constant


satisfies the propagation criterion of degree 119896 Consideringeach round for experimentation one has the following

Let 119891119888 isin B2 and let 119903119894 119903119895 isin 11986522 forall119894 119895 = 1 2 14 suchthat 119908119905(119903119894) = 119908119905(119903119895) = 1198992Then119863119903119894119891119888 and119863119903119895119891119888 are linearlyequivalent

This signifies that if we change the input variables witha linear permutation 120583 of 11986522 119863119903119894119891119888 = 119863119903119895119891119888 ∘ 120583 where ∘ iscomposite function The permutation 120583 exists on the variablein a way so that that 119903119895 = 120583(119903119894) Since 119891119888 is symmetric andbalanced we can have

119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)

Let 119896 be an integer 1 le 119896 le 119899minus1 119911 isin 119908119894 = (1199081198941 1199081198942 119908119894119899minus119896 )and 120598119896 = 119908119899minus119896+1+sdot sdot sdot+119908119899Then for any 119911 = 119886+119903119895 with 119886 isin Sthen we can have the following

119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)

Equation (28) signifies that 119892119888 follows the symmetric prop-erty This means that partial derivatives of our proposed keyexpansion outputs are also propagated with the propagationfeatures

55 Immunity The proposed key expansion module dealswith the variables (words) with 32 bits (no modificationhas been done on bit size) Two types of immunity are inconcern correlation immunity and algebraic immunity Forcorrelation immunity considering each of the two inputvariables119908119894 as 32-bit binary vector the outputs are correlationimmune if

119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)

The probability distribution must be equal for all the bits andtherefore the output words 119908119900 have the following property

10038161003816100381610038161003816min [1198720 (119908119900 (119908119900)119903) minus1198721 (119908119900 (119908119900)119903)]10038161003816100381610038161003816 = min [119898] 997888rarr0 (30)

where [1198720(119908119900 (119908119900)119903)] is the matching of output words fromthe key expansionprocess and its reversewith respect to value

0 and [1198721(119908119900 (119908119900)119903)] is the matching of output words fromthe key expansionprocess and its reversewith respect to value1 Following the above property an interesting feature of ourproposed key expansion module has been identified and theproposition has been given as follows

Proposition 1 In AES-256 if [1198720(119908119900 (119908119900)119903)] = 1198980 and[1198721(119908119900 (119908119900)119903)] = 1198981 then119873119897(119908119900 (119908119900)119903) = 1198980 + 1198981Algebraic immunity is related to the annihilator of a

function [30] To evaluate this property for our proposed keyexpansion we can consider the following

Given 119891119888 isin B2 any function of the set 119860(119891119888) = 119892 isin 1198612 |119892119891 = 0 is defined as the annihilator of the function 119891119888 Thealgebraic immunity of 119891119888 is denoted by 119860119868(119891119888) is minimumdegree of all nonzero annihilators of119891(119888) or119891(119888)+1The valueof 119860119868(119891119888) is given as

119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)

As we have used SRFG to generate the output words mini-mum degree is always 1198992Therefore the algebraic immunityof the outputs from it is always n2 which is always optimal

6 Security Analysis of RK-AES

In the above section we have analysed the overall features ofthe proposed key expansion modification in AES-256 usingthe SRFG To justify the features in this section we haveperformed the security analysis on our modified AES keyexpansion module We have considered two attacks relatedattacks and fault analysis attacks

61 Related Key Attack Analysis Related key attacks use thelinear relations or differential relations among the keys todeduce the original key

Let 119899119911 be a known nonzero word difference for input and119900 be an output difference of S-box for the input difference119899119911 To execute the attack with this differences the differenceo can be one of 214 minus 1 values because of the symmetry ofthe XOR operation as used in generic AES-256 algorithmand the 119899119911 difference can be one of 215 minus 1 differencesincluding whitening of keys Once these differences are in abounded value region the probability deducing of the key isalso higher In our proposed modified AES the nonlinearityfeature increases this difference and therefore the key spaceof searching also increases drastically For a 32-bit word inkey space the complexity of searching space increases withthe following formula

119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)

where119873119897 is the value of nonlinearity in the proposed AES keyexpansion and the average value of119873119897 = 207 Therefore thecomplexity becomes 2527 which is more than the differentialattacks key searching complexities on AES This showsthat our proposed algorithm is preventive in differentialattacks


Furthermore the attacker uses four related but unknownkeys as 1198701199061 1198701199062 1198701199063 1198701199064 The objective of the attacker is torecover 1198701199061 The relation required to establish the attack is

1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)

1198701199064 = 1198701199061 oplus 119870lowast oplus 1198701015840 (33c)

where 119870lowast is the cipher key difference used for the firstrelated-key differential 1198630 for 1 to 7 round and 1198701015840 isthe cipher key difference used for the second related-keydifferential 1198631 used for 8 to 14 round Assuming that theattacker only has the information regarding 119870lowast and 1198701015840the back tracing probability to recover any 32-bit words (anyword out of the 60 words) is calculated as

119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)

For our proposed modified AES-256 key expansion numberof bits in each word is n = 32 total number of words includingwhitening key words is i = 60 total number of expressionlength L = 5 and total number variables used for eachoperation is V = 2 Using the values the probability becomesas

119875 (119908119894) = 1(232 times 60 times 11987555 times 22) = 1239 times 225 (35)

The above result show that the probability is too less torecover a single word of AES-256 using our proposedapproach of key expansion

In Figure 4 it is shown that the words are generated usingSRFG rather than using simple XOR operation Therefore(33a) (33b) and (33c) will not be feasible for our proposedsolution of AES using SRFG It means the proposed solutionis related attack resistant Moreover 119870lowast and 1198701015840 are afactor in deducing the key But as our proposed solutionprovides a high nonlinearity 119870lowast and 1198701015840 are not suitableto recover the words of the key space From the observation ofor experimentation we have inferred a proposition as follows

Proposition 2 Considering 119870lowast is the cipher key differenceused for the first related-key differential 1198630 and 1198701015840 is thecipher key difference used for the second related-key differential1198631 nonlinearity is inversely proportional to the nonlinearity

1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)

there4 11986301198631 ⊢ 119870lowast 1198701015840 prop 11198731198972 (37)

62 Fault Injection Analysis In this part we have onlyconsidered the fault injection in the key bytes We assumethat the faulty key byte is injected in the key matrix for anyrandom original key byte The faulty input is inferred fromthe biased input of all 0 bits byte or all 1 bits byte In theoriginal AES using such faulty and biased inputs reveals

the relationship among word byte or even words of roundTherefore in original AES the key recovery space is reducedwith less complexity as we have seen in the literature review

Recollecting (11) and (12) we can have the followingproposition for AES-256

Proposition 3 For AES-256 using SRFG with two variablesand t expression terms the complexity of key recovery with anytwo random faulty byte is calculated as

119875119903119900119887 (119865119868) = 1sumoplus120582119906 (prod2119894=1rand (119908119894)119906119894)119905 119862602 (38)

For any random faulty key byte the output of the layeredSRFGs is always nonlinear and balancedTherefore accordingto Proposition 2 the differences andor the linear equationsbecome invalid as the fault is not further propagated to otherbytes Therefore our proposed key expansion is preventiveeven in fault injection bytes

7 Results of Comparison

We have compared our experimentation results of RK-AESwith the original AES algorithm The comparison is doneon the basis of some features nonlinearity balancednessresiliency propagation criterion correlation immunity andalgebraic immunity As we have modified only the keyexpansion module the results are derived only for keyexpansion only without involving the plaintext processingor transformations in round function We have compared215 data samples for each RK-AES and original AES Thecomparison results are shown in Table 1 by averaging all theresults

The comparison results in Table 1 signify that our pro-posed modification of key expansion is working efficientlyin AES in terms of the above said features Moreover thebalancedness and the correlation immunity are 0 in originalAES Our proposed modification is providing a higher valuefor balancedness which is useful for preventing bitsumattacks [31] The high correlation immunity will also help themodified AES to prevent correlation attacks [28]

Moreover we have compared the computation time forour experiments with the original AES algorithm In thiscomparison too we have assumed the time for plaintext pro-cessing and transformations in round function are constantas no modification has done on themTherefore Table 2 onlycompares the time taken for the key expansion process

The time comparison results show that using the SRFG inAES key expansion modification is increasing the time con-sumption in generating the key words and thus contributingto the trade-off between security and time consumption Tosupport this trade-off and overcome with the security issueswe have also compared the attack for both the original AESand the modified AES

Table 3 describes the fact that the cost of the attacks forour proposed RK-AES is much higher than the original AESdue to the use of randomness with SRFG in several layerThissignifies that RK-AES is better in terms of security


Table 1 Comparison of parameters

Order ofNon-linearity

Order ofBalancedness

Order ofResiliency

Order ofPropagationcriterion

Order ofCorrelationimmunity

Order ofAlgebraicimmunity

OriginalAES-256 1198992 minus log2119899 0 1198992 minus 2 log2119899 + 1198994 11989910 1198996ProposedRK-AES 1198992times 065+log25 1198992 1198992 minus 2 119899 times 073 + log25 119899 1198992

n is the value of bits in a word of key space

Table 2 Time consumption comparison

Hardware specification for computation CPU 26Ghz i3 6thGen with 16 GB RAMAverage Time Consumption (in milliseconds)

Schemes 32 bit key words 1199080 to1199087 32 bit key words 1199088 to 11990859 119892 functionOriginal AES 367 573 632RK-AES 678 887 933

Table 3 Comparison of cost of attacks

Differentialcryptanalysis

Linearcryptanalysis

Related keyanalysis

Fault injectionattack analysisin key space

Original AES 232 214 minus 1 232 226RK-AES 2527 260 2527 asymp 2129

Lastly we have compared two prime evaluation parame-ter of encryption algorithms confusion and avalanche effectConfusion property requires the statistical relationship ofbetween the ciphertext and key to be more complex Besidesavalanche effect requires change in the ciphertext bits ifany single bit is changed in the key We have calculatedconfusion property in terms of nonlinearity and resiliencyThe avalanche effect is measured in terms of propagationcriterion correlation immunity and algebraic immunity Thecalculation formula for confusion and avalanche effect havebeen given below

119862119900119899119891119906119904119894119900119899 = 1205961 times 119873119900119899119897119894119899119890119886119903119894119905119910 + 1205962 times 119877119890119904119894119897119894119890119899119888119910+ 1205963 times 119861119886119897119886119899119888119890119889119899119890119904119904 (39)

119860V119886119897119886119899119888ℎ119890 = 1205961 times 119875119903119900119901119886119892119886119905119894119900119899 119888119903119894119905119890119903119894119900119899 + 1205962times 119862119900119903119903119890119897119886119905119894119900119899 119894119898119898119906119899119894119905119910 + 1205963times 119860119897119892119890119887119903119886119894119888 119894119898119898119906119899119894119905119910

(40)

where 1205961 1205962 and 1205963 are the weights assigned to the featuresWe have considered for our experimentation of RK-AES1205961 = 1205962 = 1205963 = 033 and n = 32 bit

Therefore following Table 1 the values for confusion andavalanche effect in RK-AES are

119862119900119899119891119906119904119894119900119899119877119870minus119860119864119878 = 033 times (1198992 times 065 + log25)+ (033 times 1198992) + 033 times (1198992 minus 2)

cong 22621

119860V119886119897119886119899119888ℎ119890119877119870minus119860119864119878 = 033 times (n times 073 + log25)+ (033 times n) + (033 times 1198992)

cong 2431(41)

Similarly we have calculated the values for confusion andavalanche effect in original AES Considering the orders inTable 1 the values are as follows

119862119900119899119891119906119904119894119900119899119860119864119878 = 033 times (1198992 minus log2n) + (033 times 0)+ 033 times (1198992 minus 2) cong 759

(42)

119860V119886119897119886119899119888ℎ119890119860119864119878 = 033 times (log2n+1198994) + (033 times 11989910) + (033 times1198996) cong 15816 The similar result of Avalanche effect is alsoexperimented in the bit values of the data samples Table 4compares the avalanche effect

The comparison results of confusion property andavalanche effect also show the improvement of the parametersas compared to the original AES algorithm

8 Conclusion

AES is a popular symmetric block cipher used by differentcommercialization sectors But this algorithm is facing anumber of cryptanalysis effects as we have seen in the liter-ature review Therefore in this paper we have tried to solvethe problem by incorporating the changes in key expansion


Table 4 Avalanche effect comparison

Weighted value of Avalanche Average number of bits changedOriginal AES 15816 173 bits out of 32 bitsProposed RK-AES 24310 asymp 25 bits out of 32 bits

module The highlight of this work is to apply randomnessin the key generation Moreover as per our previous workusing SRFG as a cryptographic function in AES has beenproved beneficial The justification for the same has beenalready shown in the paper The results show that RK-AESis having three times better confusion property and 537better avalanche effect as compared to the original AES Thelimitation of our present work is about the time taken by themodified key expansion module which is actually creating atrade-off between security and time It is also known that boththese two cannot be achieved simultaneously Therefore if weignore the part of the time our proposed RK-AES is efficientin all respects of cryptographic algorithms Furthermorebeing a symmetric key algorithm AES uses the single keyfor both encryption and decryption In our present workthe round keys are stored separately as each round keys aregenerated randomly and are used for decryption accordinglyIn our future work we shall try to work on the trade-off andalso about the storing process of round keys

Data Availability

The data will be made available on request

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

References

[1] W Stallings Cryptography and Network Security Principles andPractices Pearson 2005

[2] S Sciancalepore G Piro G Boggia andG Bianchi ldquoPublic keyauthentication and key agreement in iot devices with minimalairtime consumptionrdquo IEEE Embedded Systems Letters vol 9no 1 pp 1ndash4 2017

[3] S Raza L Seitz D Sitenkov and G Selander ldquoS3K Scalablesecurity with symmetric keys - DTLS key establishment for theinternet of thingsrdquo IEEE Transactions on Automation Scienceand Engineering vol 13 no 3 pp 1270ndash1280 2016

[4] TWCusick andP StanicaCryptographic Boolean functions andapplications ElsevierAcademic Press 2017

[5] J Zhang Y Lin Y Lyu and G Qu ldquoA PUF-FSM BindingScheme for FPGA IPProtection andPay-Per-Device LicensingrdquoIEEETransactions on Information Forensics and Security vol 10no 6 pp 1137ndash1150 2015

[6] J-L Zhang G Qu Y-Q Lv and Q Zhou ldquoA survey on siliconPUFs and recent advances in ring oscillator PUFsrdquo Journal ofComputer Science and Technology vol 29 no 4 pp 664ndash6782014

[7] R Saha and G Geetha ldquoSymmetric random function generator(SRFG) A novel cryptographic primitive for designing fast androbust algorithmsrdquo Chaos Solitons amp Fractals vol 104 pp 371ndash377 2017

[8] Q Wang A Wang L Wu and J Zhang ldquoA new zero valueattack combined fault sensitivity analysis on masked AESrdquoMicroprocessors and Microsystems vol 45 pp 355ndash362 2016

[9] G Piret and J Quisquater ldquoA differential fault attack techniqueagainst spn structures with application to the AES and khazadrdquoin Cryptographic Hardware and Embedded Systems - CHES2003 vol 2779 of Lecture Notes in Computer Science pp 77ndash88Springer Berlin Heidelberg Germany 2003

[10] J Blomer and J Seifert ldquoFault Based Cryptanalysis of theAdvanced Encryption Standard (AES)rdquo in Financial Cryptogra-phy vol 2742 of Lecture Notes in Computer Science pp 162ndash181Springer Berlin Heidelberg Berlin Heidelberg 2003

[11] P Dusart G Letourneux and O Vivolo ldquoDifferential FaultAnalysis on AESrdquo in Applied Cryptography and NetworkSecurity vol 2846 of Lecture Notes in Computer Science pp293ndash306 Springer Berlin Heidelberg Berlin Heidelberg 2003

[12] C Giraud ldquoDFA on AESrdquo in Proceedings of the 4th Int Conf AES2004 pp 27ndash41 2004

[13] D Mukhopadhyay ldquoAn improved fault based attack of theadvanced encryption standardrdquo Lect Notes Comput Sci(including Subser LectNotes Artif Intell Lect Notes Bioinfor-matics) vol 5580 pp 421ndash434 2009

[14] CH Kim ldquoDifferential fault analysis against AES-192 andAES-256 with minimal faultsrdquo in Proceedings of the 7th InternationalWorkshop on Fault Diagnosis and Tolerance in CryptographyFDTC 2010 pp 3ndash9 USA August 2010

[15] M Tunstall D Mukhopadhyay and S Ali ldquoDifferential faultanalysis of the advanced encryption standard using a singlefaultrdquo Inf Secur Theory Pract Secur Priv Mob Devices WirelCommun pp 224ndash233 2011

[16] A Biryukov O Dunkelman N Keller D Khovratovich and AShamir ldquoKey recovery attacks of practical complexity on AES-256 variants with up to 10 roundsrdquo in Advances in cryptologymdashEUROCRYPT 2010 vol 6110 of Lecture Notes in Comput Scipp 299ndash318 Springer Berlin 2010

[17] J Cui L Huang H Zhong andWYang ldquoImproved related-keyattack on 7-round AES-128256rdquo in Proceedings of the ICCSE2010 - 5th International Conference on Computer Science andEducation pp 462ndash466 2010

[18] A Barenghi G M Bertoni L Breveglieri and G Pelosi ldquoAfault induction technique based on voltage underfeeding withapplication to attacks against AES and RSArdquo The Journal ofSystems and Software vol 86 no 7 pp 1864ndash1878 2013

[19] N Farhady Ghalaty B Yuce and P Schaumont ldquoAnalyzingthe Efficiency of Biased-Fault Based Attacksrdquo IEEE EmbeddedSystems Letters vol 8 no 2 pp 33ndash36 2016

[20] J Kang K Jeong J Sung S Hong and K Lee ldquoCollisionattacks on AES-192256 Crypton-192256 mCrypton-96128and anubisrdquo Journal of Applied Mathematics vol 2013 ArticleID 713673 10 pages 2013


[21] S Sahmoud ldquoEnhancement the Security of AES Against Mod-ern Attacks by Using Variable Key Block Cipherrdquo Int Arab Je-Technol vol 3 pp 17ndash26 2013

[22] X Zhao S Guo F Zhang et al ldquoA comprehensive study ofmultiple deductions-based algebraic trace driven cache attackson AESrdquo Computers amp Security vol 39 pp 173ndash189 2013

[23] M Roetteler and R Steinwandt ldquoA note on quantum related-key attacksrdquo Information Processing Letters vol 115 no 1 pp40ndash44 2015

[24] H Mestiri F Kahri B Bouallegue and M Machhout ldquoAhigh-speed AES design resistant to fault injection attacksrdquoMicroprocessors and Microsystems vol 41 pp 47ndash55 2016

[25] S Patranabis A Chakraborty D Mukhopadhyay and P PChakrabarti ldquoFault Space Transformation AGeneric Approachto Counter Differential Fault Analysis and Differential FaultIntensity Analysis on AES-Like Block Ciphersrdquo IEEE Transac-tions on Information Forensics and Security vol 12 no 5 pp1092ndash1102 2017

[26] Specification for the Advanced Encryption Standard (AES)Federal InformationProcessing StandardsPublication 197 2001

[27] J Daemen and V Rijmen The Design of Rijndael AES-TheAdvanced Encryption Standard Springer Berlin Germany2002

[28] T Siegenthaler ldquoCorrelation-immunity of nonlinear combiningfunctions for cryptographic applicationsrdquo Institute of Electricaland Electronics Engineers Transactions on Information Theoryvol 30 no 5 pp 776ndash780 1984

[29] Y Wei and Y Hu ldquoLinear-differential cryptanalysis for SPNcipher structure and AESrdquoWuhan University Journal of NaturalSciences vol 12 no 1 pp 37ndash40 2007

[30] O R B de Oliveira ldquoAn Alternative Method for the Undeter-mined Coefficients and the AnnihilatorMethodsrdquo 2011 httpsarxivorgabs11104425

[31] Amandeep and G Geetha ldquoAnalysis of bitsum attack onblock ciphersrdquo Journal of Discrete Mathematical Sciences ampCryptography vol 19 no 4 pp 875ndash885 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


not efficient for cryptographic algorithms Further PUF isapplicable for FPGA implementation as it is more hardwareorientedThough the objective of the presented approach andPUF is same their orientation and process is totally differentMoreover it has been shown that PUF is used as seedwhich again leads to the tendency of pseudorandomness inkey generation process which is not desirable Balancednessnonlinearity resiliency immunity correlation and propaga-tion characteristics are some of the important parameters toevaluate the strength of the ciphers In this paper we haveconsidered Advanced Encryption Standard (AES) for ourexperimentation of randomness feature We have attributedthe key generation module of AES undergoing through ourSymmetric Random Function Generator (SRFG) [7] Wehave evaluated the modified AES with the parameters saidabove

The rest of the paper has been organized as followsSection 2 summarizes the various attacks on AES algorithmSection 3 describes the original AES algorithm Section 4shows the proposedmodification for AES and in Section 5 wehave explained its properties Section 6 analyses the securityand Section 7 compares the related results Finally Section 8concludes the paper

2 Related Work

One of the most popular and commercialized algorithmsis AES This algorithm provides the encryption for websecurity processes as used by different applications such ase-commerce router applications andWiFi security Being sorigorously used in real life applications AES faces a numberof attacks Some of the recent attacks are mentioned below

A new kind of fault base attack has been proposed in[8] which uses zero valued sensitivity model for maskedAES Combining the Faulty Sensitivity Analysis (FSA) andzero valued sensitivity the proposed method of cryptanalysisis able to break code of the S-boxes in masked AES Theattack procedure shows that the zero value input of S-boxreveals the key eventually The authors in the paper [9]have shown a differential faulty approach used in the mixcolumn component of AES The results show that AES-128is breakable by such process only using two faulty inputs ofciphertexts This attack has been proved better as comparedto other differential attacks on AES as shown in [10ndash12]Another improved version of faulty attack on AES has beenexecuted in the paper [13] The authors show that a singlerandom byte fault at the input of the eighth round of theAES algorithm is sufficient to deduce the block cipher keySimulations show that when two faulty ciphertexts pairsare generated the key can be exactly deduced without anybrute-force search The minimal fault against AES has beenused in [14] The authors show that AES-192 is breakableby using two pairs of correct and fault ciphertexts whereasAES-256 is broken by using three pairs of correct and faultciphertexts The work shown previously in [13] was havinga key space of 232 which has been reduced by the authors in[15] Key recovery attacks onAES have been described in [16]In this paper the authors have shown practical complexitybased attacks against AES-256 The use of two related keys

and 239 time complexity has been proved to be sufficientto recover the complete 256-bit key of a 9-round versionof AES-256 Another attack works on 10 round version ofAES-256 in 245 time complexity An improved version of theprevious related key attack has been shown in [17] againstround transformation and key expansion module in AESThe round has been now minimized from 9119905ℎ to 7119905ℎ whichmeans that AES is vulnerable even for the starting roundsThe complexity of the attack has also been reduced from 2192to 2104 Another voltage based fault induction method hasbeen introduced in [18]The authors show a fault model for aconstantly underfed RISC CPU The faults are described interms of position recurring patterns and timing then thecorresponding errors induced in the computation outcomesare specified The model also support multibit patterns Theuse of biased faults also provides an efficient way to for faultinjection attacks in cryptanalysis Such a procedure has beenshown in [19]

A collision based attack against AES-192256 has beenshown in [20] The authors have used 4-round distinguisherfor 7-round reduced AES In the paper [21] the authorshave used variable key for AES sing pseudorandom numbergenerator for providing better security to the algorithmbut the approach faces the problem of using biased keysagainst AES rounds Biased keys are able to reveal thepseudorandomness of the approach and the key is deducedfurther by applying differential methods or fault injectionas shown before Multiple deductions-based algebraic tracedriven cache attack on AES has been shown in [22] Thebehaviour of the cache reveals the input whole or partiallySame input to a particular module and the changes of thecache properties are the key features of this approach Theauthors have identified the causes of a bias fault and alsohave compared different biased fault attacks introduced tillQuantum related key attacks have been shown in [23]

A solution to the fault based injection attacks has beenprovided in [24] The proposed scheme is independent ofS-box and inverse S-box and achieves more than 95 faultcoverage A recent approach against fault injection or faultanalysis has been shown in [25] It combines the principles ofredundancy with that of fault space transformation to achievesecurity against both DFA and DFIA based attacks on AES-like block ciphers

After surveying the attacks on AES it is obvious thatfault injection attacks are more efficient in revealing thekey in AES Such fault injections are using the biasedinput too to distinguish the subkeys or other parts of thealgorithm Moreover as AES is depending upon finite fieldoperations of 8-bit bytes the attacks are also executablewith finite quantified complexities as we have seen aboveThe biased inputs along with fault bytes create error in theprocess and those are denoted for performing differentialanalysis or linear analysis Eventually the key is revealedTherefore to overcome such problems we have introducedthe randomness and the balanced symmetric feature in thefunctional output specifically in the keys We have namedthismodifiedAES asRandomKeyAES (RK-AES) As a resulteven though attackers are deducing a part of key or injecting a


＜00 ＜01 ＜02 ＜03

＜10 ＜11 ＜12 ＜13

＜20 ＜21 ＜22 ＜23

＜30 ＜31 ＜32 ＜33







3 AES Algorithm



119887119894119909119894 (1)








1199041015840119903119888 = 119904(119903(119888+119904ℎ119894119891119905(119903+119873119887))119898119900119889 119873119887)for 0 lt 119903 lt 4 119886119899119889 0 lt 119888 lt 119873119887 (3)


119886 (119909) = 03 1199093 + 01 1199092 + 01 1199091 + 02 (4)


1199041015840 (119909) = 119886 (119909) otimes 119904 (119909) (5)



[11990410158400119888 11990410158401119888 11990410158402119888 11990410158403119888] = [1199040119888 1199041119888 1199042119888 1199043119888]oplus [119908119903119900119906119899119889times119873119887+119888]

for 0 le 119888 lt 119873119887(6)




Plaintext

Add round key

Substitute bytes

Shi rows

Mix columns

Add round key

Roun

d 1

to 1

3

14th round

Substitute bytes

Shi rows

Add round key

Ciphertext



119877119888119900119899 [119894] = 119909(119894minus4)4mod (1199098 + 1199094 + 1199093 + 119909 + 1) 119908ℎ119890119903119890 119894 119894119904 119905ℎ119890 119888119906119903119903119890119899119905 119903119900119906119899119889 (7)


4 RK-AES



119891119888 = otimes119891119871119894 (8)


119891119888 (1198811 1198812 119881119873) = otimes119891119871119894 [rand (1198811 1198812 119881119873)] (9)


119891119888 (1198811 1198812) = otimes1198915119894 [rand (1198811 1198812)] (10)





g

g

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

03

3210

21

２Ｄ

1 2

3 0

７

(b) g function


g

g


0 0 0２ i

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

SRFG

3210

２Ｄ

1 2

3 0

７

0321

(b) g function





119891119888 (1199081 1199082) = oplus 120582119906( 2prod119894=1

rand (119908119894)119906119894)119904

120582119906 isin 1198652 119906 isin 11986522 119886119899119889 119871 isin Z

(11)


120582119906 = oplus119891119888 (V) 119908 ⪯ 119906 forall119908119894 = 1199081198941 1199081198942 11990811989432 (12)

where

(1199081198941 1199081198942 11990811989432) ⪯ (1199061 1199062 11990632)119894119891119891 forall119894 119895 119908119894119895 le 119906119894 119886119899119889 119895 = 1 2 32 (13)


119891119888 (1199081 1199082) = oplus120582119891 (119895) oplus ( 2prod119894=1

rand (119908119894)119906119894)119871

(14)

= oplus120582119891 (119895)X119895119873 (15)


N119897 (119908119894119896 119908119895119896) =119899sum119896=1

119908119894119896 = 119908119895119896 119908ℎ119890119903119890 119899 = 32 (16)


N119897 (119903119894 119903119895) = 119899sum119896=1

119903119894119896 = 119903119895119896 119908ℎ119890119903119890 119899 = 128 (17)


forall119894 = 1 2 119892119888 (119894) = 119892119888 (2 minus 119894) ⊞ 1

119908ℎ119890119903119890 ⊞ 119894119904 119904119906119898 119900V119890119903 1198652(18)


1198631119891119888 = 119891119888 (119908) ⊞ 119891119888 (119908 + 1) = 119892119888 (1198992) ⊞ 119892119888 (1198992) = 0 (19)


119891S S 997888rarr 1198652 (20)



119891119886+S (119904) = 119891 (119886 + 119904) = 119892119888 (119908119905 (119886) + 119908119905 (119904)) (22)


119892119888119891119886+S (119894) = 119892119888 (119894 + 119908119905 (119886)) forall119894 0 le 119894 le 119896 (23)







119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)


119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)



119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)








119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)






119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



＜00 ＜01 ＜02 ＜03

＜10 ＜11 ＜12 ＜13

＜20 ＜21 ＜22 ＜23

＜30 ＜31 ＜32 ＜33







3 AES Algorithm



119887119894119909119894 (1)








1199041015840119903119888 = 119904(119903(119888+119904ℎ119894119891119905(119903+119873119887))119898119900119889 119873119887)for 0 lt 119903 lt 4 119886119899119889 0 lt 119888 lt 119873119887 (3)


119886 (119909) = 03 1199093 + 01 1199092 + 01 1199091 + 02 (4)


1199041015840 (119909) = 119886 (119909) otimes 119904 (119909) (5)



[11990410158400119888 11990410158401119888 11990410158402119888 11990410158403119888] = [1199040119888 1199041119888 1199042119888 1199043119888]oplus [119908119903119900119906119899119889times119873119887+119888]

for 0 le 119888 lt 119873119887(6)




Plaintext

Add round key

Substitute bytes

Shi rows

Mix columns

Add round key

Roun

d 1

to 1

3

14th round

Substitute bytes

Shi rows

Add round key

Ciphertext



119877119888119900119899 [119894] = 119909(119894minus4)4mod (1199098 + 1199094 + 1199093 + 119909 + 1) 119908ℎ119890119903119890 119894 119894119904 119905ℎ119890 119888119906119903119903119890119899119905 119903119900119906119899119889 (7)


4 RK-AES



119891119888 = otimes119891119871119894 (8)


119891119888 (1198811 1198812 119881119873) = otimes119891119871119894 [rand (1198811 1198812 119881119873)] (9)


119891119888 (1198811 1198812) = otimes1198915119894 [rand (1198811 1198812)] (10)





g

g

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

03

3210

21

２Ｄ

1 2

3 0

７

(b) g function


g

g


0 0 0２ i

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

SRFG

3210

２Ｄ

1 2

3 0

７

0321

(b) g function





119891119888 (1199081 1199082) = oplus 120582119906( 2prod119894=1

rand (119908119894)119906119894)119904

120582119906 isin 1198652 119906 isin 11986522 119886119899119889 119871 isin Z

(11)


120582119906 = oplus119891119888 (V) 119908 ⪯ 119906 forall119908119894 = 1199081198941 1199081198942 11990811989432 (12)

where

(1199081198941 1199081198942 11990811989432) ⪯ (1199061 1199062 11990632)119894119891119891 forall119894 119895 119908119894119895 le 119906119894 119886119899119889 119895 = 1 2 32 (13)


119891119888 (1199081 1199082) = oplus120582119891 (119895) oplus ( 2prod119894=1

rand (119908119894)119906119894)119871

(14)

= oplus120582119891 (119895)X119895119873 (15)


N119897 (119908119894119896 119908119895119896) =119899sum119896=1

119908119894119896 = 119908119895119896 119908ℎ119890119903119890 119899 = 32 (16)


N119897 (119903119894 119903119895) = 119899sum119896=1

119903119894119896 = 119903119895119896 119908ℎ119890119903119890 119899 = 128 (17)


forall119894 = 1 2 119892119888 (119894) = 119892119888 (2 minus 119894) ⊞ 1

119908ℎ119890119903119890 ⊞ 119894119904 119904119906119898 119900V119890119903 1198652(18)


1198631119891119888 = 119891119888 (119908) ⊞ 119891119888 (119908 + 1) = 119892119888 (1198992) ⊞ 119892119888 (1198992) = 0 (19)


119891S S 997888rarr 1198652 (20)



119891119886+S (119904) = 119891 (119886 + 119904) = 119892119888 (119908119905 (119886) + 119908119905 (119904)) (22)


119892119888119891119886+S (119894) = 119892119888 (119894 + 119908119905 (119886)) forall119894 0 le 119894 le 119896 (23)







119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)


119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)



119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)








119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)






119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Plaintext

Add round key

Substitute bytes

Shi rows

Mix columns

Add round key

Roun

d 1

to 1

3

14th round

Substitute bytes

Shi rows

Add round key

Ciphertext



119877119888119900119899 [119894] = 119909(119894minus4)4mod (1199098 + 1199094 + 1199093 + 119909 + 1) 119908ℎ119890119903119890 119894 119894119904 119905ℎ119890 119888119906119903119903119890119899119905 119903119900119906119899119889 (7)


4 RK-AES



119891119888 = otimes119891119871119894 (8)


119891119888 (1198811 1198812 119881119873) = otimes119891119871119894 [rand (1198811 1198812 119881119873)] (9)


119891119888 (1198811 1198812) = otimes1198915119894 [rand (1198811 1198812)] (10)





g

g

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

03

3210

21

２Ｄ

1 2

3 0

７

(b) g function


g

g


0 0 0２ i

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

SRFG

3210

２Ｄ

1 2

3 0

７

0321

(b) g function





119891119888 (1199081 1199082) = oplus 120582119906( 2prod119894=1

rand (119908119894)119906119894)119904

120582119906 isin 1198652 119906 isin 11986522 119886119899119889 119871 isin Z

(11)


120582119906 = oplus119891119888 (V) 119908 ⪯ 119906 forall119908119894 = 1199081198941 1199081198942 11990811989432 (12)

where

(1199081198941 1199081198942 11990811989432) ⪯ (1199061 1199062 11990632)119894119891119891 forall119894 119895 119908119894119895 le 119906119894 119886119899119889 119895 = 1 2 32 (13)


119891119888 (1199081 1199082) = oplus120582119891 (119895) oplus ( 2prod119894=1

rand (119908119894)119906119894)119871

(14)

= oplus120582119891 (119895)X119895119873 (15)


N119897 (119908119894119896 119908119895119896) =119899sum119896=1

119908119894119896 = 119908119895119896 119908ℎ119890119903119890 119899 = 32 (16)


N119897 (119903119894 119903119895) = 119899sum119896=1

119903119894119896 = 119903119895119896 119908ℎ119890119903119890 119899 = 128 (17)


forall119894 = 1 2 119892119888 (119894) = 119892119888 (2 minus 119894) ⊞ 1

119908ℎ119890119903119890 ⊞ 119894119904 119904119906119898 119900V119890119903 1198652(18)


1198631119891119888 = 119891119888 (119908) ⊞ 119891119888 (119908 + 1) = 119892119888 (1198992) ⊞ 119892119888 (1198992) = 0 (19)


119891S S 997888rarr 1198652 (20)



119891119886+S (119904) = 119891 (119886 + 119904) = 119892119888 (119908119905 (119886) + 119908119905 (119904)) (22)


119892119888119891119886+S (119894) = 119892119888 (119894 + 119908119905 (119886)) forall119894 0 le 119894 le 119896 (23)







119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)


119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)



119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)








119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)






119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



g

g

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

03

3210

21

２Ｄ

1 2

3 0

７

(b) g function


g

g


0 0 0２ i

Ｅ2 Ｅ6 Ｅ10 Ｅ14 Ｅ18 Ｅ22 Ｅ26 Ｅ30

Ｅ3 Ｅ7 Ｅ11 Ｅ15 Ｅ19 Ｅ23 Ｅ27 Ｅ31

Ｅ1 Ｅ5 Ｅ9 Ｅ13 Ｅ17 Ｅ21 Ｅ25 Ｅ29

Ｅ0 Ｅ4 Ｅ8 Ｅ12 Ｅ16 Ｅ20 Ｅ24 Ｅ28

Ｑ0 Ｑ1 Ｑ2 Ｑ3 Ｑ4 Ｑ5 Ｑ6 Ｑ7

Ｑ8 Ｑ9 Ｑ10 Ｑ11 Ｑ12 Ｑ13 Ｑ14 Ｑ15

Ｑ52 Ｑ53 Ｑ54 Ｑ55 Ｑ56 Ｑ57 Ｑ58 Ｑ59


W

S S S

0 00

S

g

SRFG

3210

２Ｄ

1 2

3 0

７

0321

(b) g function





119891119888 (1199081 1199082) = oplus 120582119906( 2prod119894=1

rand (119908119894)119906119894)119904

120582119906 isin 1198652 119906 isin 11986522 119886119899119889 119871 isin Z

(11)


120582119906 = oplus119891119888 (V) 119908 ⪯ 119906 forall119908119894 = 1199081198941 1199081198942 11990811989432 (12)

where

(1199081198941 1199081198942 11990811989432) ⪯ (1199061 1199062 11990632)119894119891119891 forall119894 119895 119908119894119895 le 119906119894 119886119899119889 119895 = 1 2 32 (13)


119891119888 (1199081 1199082) = oplus120582119891 (119895) oplus ( 2prod119894=1

rand (119908119894)119906119894)119871

(14)

= oplus120582119891 (119895)X119895119873 (15)


N119897 (119908119894119896 119908119895119896) =119899sum119896=1

119908119894119896 = 119908119895119896 119908ℎ119890119903119890 119899 = 32 (16)


N119897 (119903119894 119903119895) = 119899sum119896=1

119903119894119896 = 119903119895119896 119908ℎ119890119903119890 119899 = 128 (17)


forall119894 = 1 2 119892119888 (119894) = 119892119888 (2 minus 119894) ⊞ 1

119908ℎ119890119903119890 ⊞ 119894119904 119904119906119898 119900V119890119903 1198652(18)


1198631119891119888 = 119891119888 (119908) ⊞ 119891119888 (119908 + 1) = 119892119888 (1198992) ⊞ 119892119888 (1198992) = 0 (19)


119891S S 997888rarr 1198652 (20)



119891119886+S (119904) = 119891 (119886 + 119904) = 119892119888 (119908119905 (119886) + 119908119905 (119904)) (22)


119892119888119891119886+S (119894) = 119892119888 (119894 + 119908119905 (119886)) forall119894 0 le 119894 le 119896 (23)







119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)


119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)



119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)








119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)






119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



120582119906 = oplus119891119888 (V) 119908 ⪯ 119906 forall119908119894 = 1199081198941 1199081198942 11990811989432 (12)

where

(1199081198941 1199081198942 11990811989432) ⪯ (1199061 1199062 11990632)119894119891119891 forall119894 119895 119908119894119895 le 119906119894 119886119899119889 119895 = 1 2 32 (13)


119891119888 (1199081 1199082) = oplus120582119891 (119895) oplus ( 2prod119894=1

rand (119908119894)119906119894)119871

(14)

= oplus120582119891 (119895)X119895119873 (15)


N119897 (119908119894119896 119908119895119896) =119899sum119896=1

119908119894119896 = 119908119895119896 119908ℎ119890119903119890 119899 = 32 (16)


N119897 (119903119894 119903119895) = 119899sum119896=1

119903119894119896 = 119903119895119896 119908ℎ119890119903119890 119899 = 128 (17)


forall119894 = 1 2 119892119888 (119894) = 119892119888 (2 minus 119894) ⊞ 1

119908ℎ119890119903119890 ⊞ 119894119904 119904119906119898 119900V119890119903 1198652(18)


1198631119891119888 = 119891119888 (119908) ⊞ 119891119888 (119908 + 1) = 119892119888 (1198992) ⊞ 119892119888 (1198992) = 0 (19)


119891S S 997888rarr 1198652 (20)



119891119886+S (119904) = 119891 (119886 + 119904) = 119892119888 (119908119905 (119886) + 119908119905 (119904)) (22)


119892119888119891119886+S (119894) = 119892119888 (119894 + 119908119905 (119886)) forall119894 0 le 119894 le 119896 (23)







119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)


119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)



119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)








119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)






119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






119863119903119895119891119888 (120583 (119886)) = 119863119903119894119891119888 (119886) 119908ℎ119890119903119890 119886 isin S (25)


119908119905 (119911) = 119908119905 (119886) + 119908119905 (119903119895) (26)

119908119905 (119911 + 120598119896) = 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895) (27)

Thus forall 119886 isin 119881119863120598119896119891119888 (119886 + 119910) = 119891119888 (119886 + 119887) ⊞ 119891119888 (119886 + 120598119896 + 119903119895)

= 119908119905 (119886) + 119908119905 (119903119895 + 120598119896)= 119908119905 (119886) + 119896 minus 119908119905 (119903119895)= 119892119888 (119908119905 (119886) + 119908 (119903119895))

⊞ (119908119905 (119886) + 119896 minus 119908 (119903119895))

(28)



119875119903119900119887 (119891119888 = 119908119894) = 12 1 le 119894 le 32 (29)








119860119868 (119891119888) = min [deg (119892)1003816100381610038161003816 119892 = 0119892 isin 119860 (119891119888) cup 119860 (119891119888 + 1) (31)






119862119900119898119901119897119890119909119894119905119910 119891119900119903 119896119890119910 119904119901119886119888119890 119904119890119886119903119888ℎ = 2322119873119897 (32)




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




1198701199062 = 1198701199061 oplus 119870lowast (33a)

1198701199063 = 1198701199061 oplus 1198701015840 (33b)



119875 (119908119894) = 1(2119899119894119875119871119871 2119881) (34)






1198630 ⊢ 119870lowast prop 1119873119897 119886119899119889 1198631 ⊢ 1198701015840 prop 1119873119897 (36)


















Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






Order ofResiliency











Linearcryptanalysis

Related keyanalysis






(40)




cong 22621


cong 2431(41)



(42)



8 Conclusion






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






Data Availability




References



































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
















RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


rk-aes: an improved version of aes using a new key

Documents