Periodicity Detection of the Substitution Box in the CBC Mode of Operation: Experiment and Study

This paper presents a technique for investigating the cyclic properties of substitution boxes (S-boxes) in the Cipher Block Chaining (CBC) mode of operation. S-boxes provide nonlinear transformations in encryption algorithms to create confusion and enhance cryptographic strength. The CBC mode design is used in block ciphers to hide periodic patterns and create a diffusion effect. The main objective of this study was to detect the periodicity of the bijective S-boxes in CBC mode to evaluate their cryptographic strength. The study of S-boxes using the presented technique allows us to examine them in a different manner and study their diffusion levels, the metrics of which are the periodicities of the S-box element sequences. To apply the diffusion effect of the CBC mode to the S-boxes, the encryption function used in the cryptographic ciphers was changed to a substitution function for the S-boxes used as an inner nonlinear component of the encryption function. The S-box used in the Advanced Encryption Standard (AES) was selected for experiment and study. In this study, the cyclic properties of the S-box were considered from two different aspects: periodicity detection of the S-box with respect to iterations and blocks. According to our study, the maximal periods of the AES S-box and various other S-boxes were found to be very large, indicating that the influence of the CBC mode spread over many iterations and blocks, thus confirming the high level of cryptographic strength of the S-boxes.


I. INTRODUCTION
Cryptography, which has its roots in ancient times, is in an essential position to perform in the field of information security. Currently, cryptography has changed. It differs significantly from cryptography, which existed until the twentieth century and is divided into classic and modern cryptography [1], [2], [3]. Modern cryptography tasks, which can be observed in applications such as electronic digital signatures, information authentication, information integrity control, electronic money, and secure network communications, have been extended. Therefore, security measures are being considered at the level of progress with the development The associate editor coordinating the review of this manuscript and approving it for publication was Ladislau Matekovits . of information technology and computing power. Modern cryptography is one of the most relevant sciences, in which advanced knowledge of mathematics and computer science is required. Current cryptography uses two approaches, symmetric and asymmetric [4], [5], [6]. Symmetric cryptography is divided into block and stream ciphers [7].
Block ciphers accept messages and produce fixed-length results called blocks under the action of a secret key. Currently, a block length of 128 bits is considered optimal for balancing the security and computational speed of encryption [8]. Not all data can be encrypted in a single block, because there are very large datasets. In such cases, various techniques, called modes of operation, are used to enhance the effects of encryption algorithms. The operating mode is a symmetric encryption scheme designed to encrypt an arbitrary length [9]. In many applications, block ciphers operate in one mode or the other. Various operating modes have been developed for this purpose [10], [11], [12]. However, some of these modes have advantages and disadvantages in their use. For example, in the Electronic Codebook (ECB), blocks perform independently of each other; they are repeated in both plaintext and ciphertext. The advantage is that the blocks are independent, which makes it possible to perform encryption operations in parallel. The disadvantage is that they are repeatable with respect to each identical block, which is a vulnerability to cryptographic attacks. To eliminate repetition, other modes have been developed including Cipher Block Chaining (CBC), Output Feedback (OFB), Cipher Feedback (CFB), and Counter Mode (CTR).
One of the main ways to provide nonlinear transformations in cryptographic ciphers is to use substitution boxes (S-boxes), which are Boolean vector functions with certain cryptographic and cyclic properties on which the cryptographic strength of the entire cipher depends [13], [14]. In most cases, they are represented in substitution tables formulated using various mathematical transformations.
This study investigated the bijective S-box used in the Rijndael encryption algorithm or the Advanced Encryption Standard (AES) [15], [16]. The purpose of our study was to detect the periodicity of the S-box with respect to iterations and blocks in the CBC mode. This provides an indication of the level of diffusion formation, by which we can investigate the cryptographic strength of the S-box as an additional criterion.
The remainder of this paper is organized as follows. Section II presents the related work. Section III describes the experiments and results, and Section IV concludes the study. In Section III, experiments and results are presented using two approaches. The first is the periodicity detection of the S-box in the CBC mode with respect to the iterations and the second is with respect to the blocks.

II. RELATED WORK
The foundation of modern cryptography was laid by the American scientist Shannon [1], [17], who formulated two important conditions for the strength of cryptographic ciphers: confusion and diffusion. The entire point of confusion is to make it difficult to find statistical and analytical connections between the bits of the secret key and the ciphertext. Diffusion refers to the spread of the influence of one bit of plaintext over several bits of ciphertext. S-boxes used in cryptographic ciphers are required to create confusion. For S-boxes to affect the bit confusion, they must satisfy cryptographic criteria or properties. There are different cryptographic criteria, such as balancedness, algebraic degree, nonlinearity, correlation immunity, algebraic immunity, avalanche criteria, and complexity parameters [18], [19], [20], to evaluate the resistance of encryption algorithms to various cryptographic attacks [21], [22], [23].
It is well known that S-boxes do not provide high results for all the above criteria. Therefore, there is great interest in finding optimal S-boxes in combination with the limit values of the criteria. Finding the optimal S-boxes is an actual problem in cryptography. Currently, there is considerable interest in designing new S-boxes. For example, in [24], the authors proposed a method to improve cryptographic properties, including the distance to the strict avalanche criterion (DSAC) of an existing AES S-box by modifying and adding affine transformations. DSAC is 372. For more details on DSAC, see [25]. In the study [25] a function for F 2 8 , which is a new S-box for AES, was proposed. The function is defined for byte x as: where A is an 8 × 8 invertible matrix of bits and α, β are two different bytes. The proposed S-box exhibits improved cryptographic properties. For example, DSAC is 328, which is better than that of AES S-box, which is 432.
To evaluate cryptographic strength against existing cryptographic attacks, it is also important to investigate the cyclic properties of the cipher's internal components, including the S-box. The weaknesses of the cryptographic cipher are the short periods and presence of fixed and opposite fixed points. In [26], using certain input data, the authors studied the output data of the AES in the ECB, CBC, OFB, and CFB modes and detected characteristic periodic patterns in the output data of the four modes. The authors of [27] investigated the cyclic properties of the internal components of AES. They stated that the periods of the linear and non-linear functions of the AES were short; however, when these functions were combined, the period increased dramatically to approximately 2 110 . In another study [28], new period results were obtained using a combination of four internal functions of the AES, with a very large period (greater than 10 205 ). [29]. In CBC mode, each plaintext block is operated using a Boolean logical XOR operation with a previous ciphertext block.

Ehrsam et al. created a CBC operation mode in 1976
The general calculation formulas for encryption are derived using the following formulas for ECB: and for CBC: where i is the block number, P i is the plaintext of the i-th block, C i is the ciphertext of the i-th block, k is the encryption key, E k is the encryption function, IV is the initialization vector, and n is the total number of blocks. VOLUME 11, 2023  In the proposed technique for investigating the nonlinear layer of S-boxes, we replaced the encryption function E k used in block ciphers with a substitution function for the S-boxes used as an inner nonlinear component of the encryption function E k , denoted by S to study the effect of diffusion in the CBC mode on S-boxes. By changing the encryption function to a substitution function, we can write (1) and (2) for ECB as follows: and for CBC: Algorithm 1, in which formulas (3) and (4) are applied, is as follows:

A. PERIODICITY DETECTION OF THE S-BOX IN CBC MODE WITH RESPECT TO THE ITERATIONS
To demonstrate the proposed technique, we selected the bijective S-box consisting of 256 elements (bytes) used in AES as an example. Definition 1: The process of repeatedly applying the same function is called iteration.
Definition 2: A cyclic or iterated function is the identity function when iterated a finite number of times: where f n is the n-th iterate of function f .For example, every permutation of a finite set is a cyclic function, according to this definition.

Algorithm 1 Algorithm for the Substitution Function in the ECB and CBC Modes of Operation
Input: P -plaintext, IV -initialization vector, l -length of block, n -number of blocks, modeoption of one of the two modes: ''ECB'' or ''CBC'', sbox − the option of a specific S-box, for example, an AES S-box). Output: C -ciphertext, presented as matrix (n × l) Function Substitution (P, IV , l, n, mode, sbox) 1: if (mode = "ECB") then 2: for i ← 1 to n 3: for j ← 1 to l 4: end for 6: end for 5: else if (mode = "CBC") then 6: for i ← 1 to n 7: for j ← 1 to l 8: if (i = 1) then 9:  Permutations of a finite set should be considered when investigating the cyclic properties of the bijective S-boxes [30]. For more details on LCM, see [31]. The proofs of Theorems 1 and 2 are provided in [32]. In our study, terms such as order, cycle length, and period are interchangeable.
Let us review the cyclic properties of the AES S-box, its cycle structure includes five disjoint cycles with lengths of 59, 81, 87, 27, and 2 (see Table 1). For the disjoint cycles of the AES S-box and the length of each cycle, refer to [27]. The AES S-box period can be found in [25] and [28]. By calculating the LCM of the cycle lengths of the disjoint cycles, we obtained the order of an arbitrary element of From this, we can conclude that any plaintext within one block transformed through the AES S-box after 277182 iterations returns to the plaintext again: where P is the plaintext, S is the substitution function, C i is the ciphertext at the i-th iteration.
To detect periodicity and calculate the order of an arbitrary element of the S-box, that is, the maximal period of the S-box with respect to iterations, we present Algorithms 2 and 3, respectively.
To determine the periodicity of the S-box with respect to the iterations, we set some input data: all plaintexts and initialization vectors consist of only one block each, all blocks contain only one element each in hexadecimal notation, and the range of change of elements is from 0 to 255 (see Table 2).
By implementing Algorithms 2 and 3, we obtained the maximal periods for each element of the AES S-box in ECB mode with respect to the iterations (see Table 3).
In case of ECB mode, by calculating the LCM of the periods in Table 3, in Algorithm 3 denoted by the variable L, we found that the maximal period with respect to the iterations, the denoted by variable G, was 277182 iterations.
The next part of the study examined the AES S-box in the CBC mode. By implementing Algorithms 2 and 3 for the input data (5), the periods for each element in CBC mode were equal to the maximal periods for each element in ECB mode (see Table 3).
In the case of input data (6), we already obtained other periods (see Table 4).
The period values in Table 4 are already different because all the elements operate using a Boolean logical XOR operation with initialization vector IV = [01]. Therefore, by changing the initialization vector IV = [k], k = 00, FF, we obtained the maximal periods for each element in the CBC mode (see Table 5). In Algorithm 3, we denoted by variable L. By calculating the LCM of the values for each element, we obtained the maximal period of the AES S-Box in CBC mode with respect to the iterations (see Table 6), denoted by variable G. The maximal period was approximately 9.68 × 10 89 iterations.

B. PERIODICITY DETECTION OF THE S-BOX IN CBC MODE WITH RESPECT TO THE BLOCKS
Our study shows that by applying the substitution function, we can determine the periods in CBC mode with respect to the blocks. We applied the CBC mode construction used in block ciphers to investigate the cyclic properties of AES S-box.
Consider the example of finding the maximal period of the AES S-box in CBC mode with respect to the blocks for the input data presented in Table 7.
In the input data, all plaintexts consist of 257 blocks each, initialization vectors consist of only one block each, all blocks contain a single element in hexadecimal notation, and the range of elements changes from 0 to 255. The selection of 257 blocks was sufficient because the periods for each S-box element individually in CBC mode ranged from 1 to 256 with respect to the blocks.
Algorithm 4 presents an algorithm to calculate the maximal period of the S-box with respect to the blocks. By implementing Algorithm 4 on the input data of (7), we obtained the results for the AES S-box.
These results are the values of the ciphertexts in the ECB and CBC modes, showing periodicity with respect to the blocks 75690 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply. The periods of each element of the AES S-box in the CBC mode for input data of (6).

TABLE 5.
The approximate values of the maximal periods for each element of the AES S-box in the CBC mode for the input data of Table 2. (see Table 8). Fig.1 shows the visualization periodicity of the ciphertexts with respect to the blocks for input data (7) in decimal notation.  Table 9 presents the periods with input data for the case in which   (8).
Based on the input data in Table 7, the maximal periods for each element in the CBC mode are listed in Table 10, denoted by variable L in Algorithm 4. By calculating the LCM for each element in Table 10, we obtained that the maximal period of the AES S-box in the CBC mode with respect to the blocks, indicated by the variable G, was approximately 9.68×10 89 blocks, which yielded the same result with respect to the iterations. The exact value of the maximal period is shown in Table 6. 75692 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.  The periods for each element of the AES S-box in the CBC mode for input data of (8).  Table 11 presents the maximal periods of the various S-boxes used in encryption algorithms, such as Skipjack [33], SMS4 [34], Kuznyechik [35], Camellia [36], CLE-FIA [37], and SEED [38], as well as those constructed using different methods and techniques proposed by the authors [24], [25], [39], [40], [41], [42], [43], [44], [45], [46], [47], [48], and [49]. To determine the maximal periods for these S-boxes with respect to the blocks, we used the input data listed in Table 7. The best results, namely the approximate values of the maximal periods of the S-boxes in the CBC mode with respect to the blocks exceeding 10 100 > 2 332 were shown Skipjack (2.6 × 10 101 ), Camellia S 1 (1.2 × 10 100 ) and proposed by Hussain et al. (2.9 × 10 104 ) [45]. VOLUME 11, 2023

IV. CONCLUSION
In this paper, we investigate the diffusion effect of the CBC mode on the bijective AES S-box by detecting its periodicity in two ways. The periods of the S-box element sequences in the CBC were calculated with respect to iterations using Algorithms 2 and 3 (Tables 3, 4, and 5), and with respect to blocks using Algorithm 4 (Tables 9 and 10). In our study, the maximal periods of the AES S-box with respect to iterations and blocks showed the same result, which was approximately 9.68 × 10 89 (Table 6).
For comparative analysis in our study, we determined the maximal periods for other S-boxes in the CBC mode with respect to the blocks (Table 11). It should be noted that in the case of cryptographically and cyclically good S-boxes, the maximal periods showed very large intervals (more than 10 77 > 2 255 ), indicating that the influence of the CBC mode spread over a considerable number of iterations and blocks, confirming the high level of cryptographic strength of the S-boxes.