6.6.4  Computation of the cryptographic transformation function

The use of a substitution box, or S-Box, is proposed as the transformation function to produce the dynamic PIN. A Substitution Box (S-Box) is a component extensively used in cryptosystems to perform substitutions in such a way that the relations between the output and the input bits of the S-Box are highly non-linear. This is known as Shannon's confusion property [126] and ensures a level of protection against linear and differential cryptanalysis.

One of the most well-known S-Boxes specifically designed to be resistant to cryptanalysis attacks is the Rijndael S-Box [127]. It is part of the Advanced Encryption Standard (AES) [128], an industry-standard algorithm selected to replace the Data Encryption Standard (DES) and later Triple DES. The selection decision was made by balancing factors including security and computational efficiency.

The security strength of a crypto-algorithm based on substitution boxes can be improved in different ways, for example by increasing the number of rounds performed by an S-Box, or by changing the S-Box dynamically. Blowfish [129] and Twofish [70] are two well-known examples of the latter approach. Its main advantage is that dynamically changing the S-Box makes cryptanalysis attacks more difficult, since the attacker would not know which S-Box to associate with an S-Box's output for a given session.


In order to increase the pseudo-randomness of the dynamic PIN, it is required to use an S-Box that can be obtained dynamically but that at the same time complies with strong security design criteria and crypto-properties. In addition, the S-Box needs to be generated using a deterministic technique, that is, it must be computed from parameters known to both the user's device and the server, and in synchrony.

Barkan et al. [130] show that by replacing the irreducible polynomial and the affine transformation in the Rijndael S-Box it is possible to produce new dual ciphers with the same cryptographic properties as the original S-Box. This result is used to propose an indexing technique that allows a new dual cipher to be selected dynamically based on the history of authentication attempts, authentication factors and image object seeds.

In the next subsections the mathematical definitions that support the formulation of the indexing technique are presented along with the proposed indexing function(s).

6.6.4.1 Rijndael S-box [127]

The Rijndael S-box is an algebraic operation that takes in an element of the Galois Field 2 and outputs another element of 2 , where 2 is viewed as the finite field of polynomials over the finite field 2 reduced modulo by the

polynomial 1. The operation has 2 steps:

1. Find the multiplicative inverse of the input over (0 is sent to 0).

2. Apply the affine transformation where is the result of the first step, (in Rijndael) is a specific 8 8 matrix with entries in 2 and is a specific vector with 8 entries in 2 .

The constants were specifically chosen to make it resistant to linear and differential cryptanalysis.

One of the main advantages of the Rijndael S-Box is computational efficiency, since elements in the finite field 2 can be represented as bytes and all transformations can be precomputed and represented as a lookup matrix. Figure 50 shows the forward Rijndael S-Box as a lookup table of hexadecimal values.


Figure 50 Forward Rijndael S-Box matrix multiplication

6.6.4.2 Dual Ciphers [130]

Two ciphers and ′ are called Dual Ciphers if they are isomorphic, that is to say there exists three invertible transformations , , such that

∀ , (6.13a)

where P is the plain text and K is the key. Another formulation of this would be to say:

∀ , (6.13b)

The benefit of dual ciphers is that a different cipher can be created from an original cipher, and the new cipher keeps the original's algebraic properties because of the isomorphism.

6.6.4.3 Square Dual Cipher of the Rijndael S-box [130]

If the constants of the Rijndael S-box (denote the Rijndael S-box ) are replaced such that:

 It is replaced with where is not simply the square of the matrix, it is equal to where Q is an 8 8 matrix chosen such that for all . As a side result

this also means that .


Hence it can be shown that these transformations result in a dual cipher (let it be denoted ). It can be seen that

(6.14)

For an extended discussion on dual ciphers and mathematical proofs of these results refer to [130].

Hence making these transformations (and creating the square dual cipher) is equivalent to applying a pre and post matrix multiplication on the original Rijndael S-box.

This same transformation can be applied to the square dual cipher to obtain and

similarly for , , , and ( ).

6.6.4.4 Modifying the polynomial of the Rijndael S-box [130]

Recall that the first operation of the Rijndael S-box is to find the multiplicative inverse of the input over . There are a total of 30 irreducible polynomials of degree 8 over 2 , of which the Rijndael selected 1 . As different fields for different irreducible polynomials of the same degree are isomorphic, there exist a linear transformation which can be represented as a binary matrix such that takes an element of the Rijndael case and outputs an element of the new case with the changed polynomial. The matrix is of the form 1, , , , , , , where ′ are computed modulo the new irreducible polynomial. Hence can be used in the same way as was used in the previous: applying a pre and post matrix multiplication on the original

Rijndael S-box .

As there are 30 irreducible polynomials, each of which has the 8 squared ciphers this totals 8 30 240 different dual ciphers. In the book of Rijndaels [131] the 240 dual ciphers of Rijndael are presented including the matrices and the . Here they are used in the following way on the original Rijndael S-box to create a new S-box:

(6.15)
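As an added illustration (not code from the thesis or from [130], [131]), the Python below builds the Rijndael S-box from the two steps of Section 6.6.4.1, counts the irreducible polynomials of degree 8, and derives one dual S-box by changing the polynomial as described in this subsection. It assumes the standard AES constants (polynomial x^8 + x^4 + x^3 + x + 1, affine constant 0x63), reads "pre and post matrix multiplication" as R∘S∘R⁻¹, and uses 0x11D as an arbitrarily chosen second polynomial; all function names are the example's own.

```python
RIJNDAEL_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1; names here are this example's own

def gf_mul(a, b, poly):
    """Multiply bytes as polynomials over GF(2), reduced modulo a degree-8 poly."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (poly if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a, poly):
    """Step 1: multiplicative inverse computed as a^254, so 0 is sent to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a, poly)
    return r

def rijndael_sbox():
    """Step 2 applied to step 1: the AES affine map as rotations plus 0x63."""
    rot = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    inv = [gf_inv(x, RIJNDAEL_POLY) for x in range(256)]
    return [b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63 for b in inv]

def irreducible_degree8():
    """Degree-8 polynomials over GF(2) with no factor of degree 1 to 4."""
    def pmod(a, m):
        while a.bit_length() >= m.bit_length():
            a ^= m << (a.bit_length() - m.bit_length())
        return a
    return [p for p in range(0x100, 0x200) if all(pmod(p, d) for d in range(2, 32))]

def basis_change(new_poly):
    """Table for the matrix with columns 1, g, ..., g^7 computed modulo new_poly."""
    for g in range(2, 256):  # g: a root of RIJNDAEL_POLY inside the new field
        pw = [1]
        for _ in range(8):
            pw.append(gf_mul(pw[-1], g, new_poly))
        if pw[8] ^ pw[4] ^ pw[3] ^ pw[1] ^ pw[0] == 0:
            break
    table = [0] * 256
    for v in range(1, 256):  # linear map: XOR in the column of the lowest set bit
        table[v] = table[v & (v - 1)] ^ pw[(v & -v).bit_length() - 1]
    return table

def dual_sbox(new_poly):
    """Assumed reading of 'pre and post multiplication': R o S o R^-1."""
    R, S = basis_change(new_poly), rijndael_sbox()
    return [R[S[R.index(y)]] for y in range(256)]
```

Because the basis change is a field isomorphism, the inversion step commutes with it, which is why the dual S-box is a byte permutation with the same algebraic structure as the original.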


6.6.4.5 Indexing the dual ciphers of the Rijndael S-box

In the proposed system, an indexing technique is used for the 240 distinct dual ciphers of Rijndael. The advantages are that it is computationally efficient and that dual ciphers have the same crypto-properties as the well-studied AES Rijndael S-box, which is widely used and has so far proved to be resistant to cryptanalysis attacks. In this work the number of ciphers is limited to 240, although in [132] the number of possible dual ciphers based on Rijndael has been extended to 9120. As will be shown in the next section, the calculation of the dynamic PIN uses the S-box on a random parameter, the , and on the , to further increase the pseudo-randomness of the proposed approach; hence 240 ciphers are sufficient for the purpose of this work.

More precisely, an indexing function is defined, i.e. , to determine what dual cipher, out of the 240, to use to generate a new S-Box, i.e. . The indexing function takes as parameters one or more authentication tokens , the seeds associated to the set of the challenge, the seeds associated to the set of the challenge, and the index value of the last successful authentication. In addition, the proposed indexing function has two variants depending on whether the user is asked to recognise in order or unordered mode the secret images on the challenge.

Let , , , , … , , be the vector of Dual

Ciphers’ matrices , where 0 240

The two indexing functions are defined as follows:

Combination (unordered) recognition mode:

240

(6.16a)

| | 240 (6.16b) where, , , ⊂ , | | , ∖ , | | , and ∈ , , … , 1 .

Notice that the indexing function in ordered selection mode multiplies each by the index forcing the result to depend on the order of the seeds.

Both variants of the indexing function output an integer between 0 and 239 that is

used to select , ∈ , and to determine the new S-

Box transformation:

(6.17)

takes as input a byte and outputs another byte.