Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

https://doi.org/10.1007/s40998-018-0061-9 (0123456789().,-volV)(0123456789().,-volV)

RESEARCH PAPER

A Chaos-Based Substitution Box (S-Box) Design with Improved

Differential Approximation Probability (DP)
Muhammad Asif Khan1 • Asim Ali2 • Varun Jeoti3 • Shahid Manzoor4

Received: 4 January 2017 / Accepted: 24 April 2018 / Published online: 15 May 2018
 Shiraz University 2018

Abstract
Substitution box is a vital and the only nonlinear component of modern encryption algorithm. S-box is introduced as a
confusion component to resist against differential cryptanalysis. Chaos-based encryption is well liked because it exhibits
similarity like cryptography. However, chaotic S-boxes possess high maximum differential approximation probability,
measured using difference distribution table (DDT) for differential cryptanalysis. Therefore, this paper reports a systematic
design methodology to generate chaotic S-box utilizing DDT and that can be used in multimedia encryption algorithms.
DDT within the design loop is used to optimize differential approximation probability. The proposed S-box shows very low
differential approximation probability as compared to other chaos-based S-box designed recently, while maintaining good
cryptographic properties and high value of linear approximation probability. The strength of the proposed cryptographi-
cally strong S-box is vetted in the practical implementation of multimedia encryption.

Keywords Substitution box  Chaos  Differential cryptanalysis

1 Introduction cryptanalysis defines improved S-box design criteria

(Adams and Tavares 1990; Dawson and Tavares 1991b).
The cornerstone of any modern encryption algorithm is the Chosen plaintext attack is a very effective cryptanalysis
nonlinear S-box. It is also considered vital against differ- technique on block cipher known as differential crypt-
ential cryptanalysis (Heys 2002) for any secure commu- analysis. In this attack, cryptanalyst chooses difference Dx
nication system. An S-box is mapping, between plaintext pair (x, x0 ) and analyzes the propagation
S : fð0; 1Þn 7!ð0; 1Þm , where n ¼ m exhibits equalities— of pair through encryption. During the course of an attack,
input and output bits are the same and hence symmetric cryptanalyst searches and then studies cipher pair (y, y0 )
S-box. It is deployed in almost all conventional cryp- that has difference Dy ¼ Dx. The cryptanalyst searches the
tosystems, such as DES, DES like cryptosystems and AES. output differences (Dy) for all possible chosen input (Dx).
‘Confusion’ and ‘diffusion,’ considered fundamental for Later, input/output difference is tabulated in table known
designing modern cryptographic algorithms, were first as DDT, to study the differential analysis of a cipher (Heys
formulated by Shannon in his great seminal paper in 1949 2002). The following definition will help us to understand
(Shannon 1949). The introduction of differential the concept of DDT to measure DP (Biryukov and Perrin
2015).
& Muhammad Asif Khan Definition 1 (DDT and DP) Let S : fð0; 1Þn 7!ð0; 1Þm ,
masif.khan@uettaxila.edu.pk
where m = n, be substitution function. The DDT of S is a
1
University of Engineering and Technology, 2n  2n matrix where the integer value at row Dx and
Taxila 47050, Punjab, Pakistan column Dy is
2
University of Wah, Wah Cantt, Rawalpindi 47040, Punjab, dðDx;DyÞ ¼ #fx 2 X jSðxÞ  Sðx  DxÞ ¼ Dyg;
Pakistan
3
Universiti Teknologi Petronas, The maximum coefficient value in this table is the DP of
Bandar Seri Iskandar 31750, Perak, Malaysia S, which is defined as DP such that
 
4
UCSI Univeristy, Cheras 43200, Malaysia DP ¼ maxDx [ 0;Dy [ 0 dðDx;DyÞ .

123
220
The details of DDT generation with an example of
3 9 3 S-box are given in Sect. 4.2. Differential crypt-
analysis generates DDT to find high DP to unveil S-box
structure. Therefore, cryptographers are generally looking
for S-boxes with low value of DP.
Though chaos possesses deterministic dynamics, it is a
phenomenon that exists in nonlinear dynamical systems.
Chaos exhibits dynamics that are extremely sensitive to
initial parameters. For a dynamical system classified as
chaotic, researchers agreed that it must have three prop-
erties of sensitivity to initial condition determined by
positive Lyapunov exponent, mixing property and ergod-
icity (Hilborn 1994; Kocarev 2001).
In the recent past, much attention was focused on chaos-
based design. It is because chaotic orbits are boundedly
aperiodic, unpredictable and sensitive to initial conditions.
Researchers (Amigó et al. 2007; Kocarev 2001; Kocarev
and Jakimoski 2001; Masuda and Aihara 2002) find
remarkable similarities between chaos and cryptography;
therefore, chaos is considered an alternative to design
secure S-boxes that are deployed in cryptosystems using
one-dimensional (ID) and higher-order chaotic maps
(Behnia et al. 2007; Chen 2008; Chen et al. 2007; Kocarev
and Jakimoski 2001; Özkaynak and Özer 2010;
Szczepanski et al. 2005; Tang and Liao 2005; Tang et al.
2005).
However, there performance gap still exists between
chaos-based design and AES. Chaos-based design can
improve cryptographic properties (Dawson and Tavares
1991a) of nonlinearity, bit independence criteria, strict
avalanche criteria, differential approximation probability
and linear approximation probability to a certain limit,
especially in terms of linear and differential approximation
probabilities (LP & DP, respectively). S-box structure/po-
sitions are based on chaotic trajectories generated through
chaotic maps. These trajectories are random not systematic
to improve cryptographic properties through design
methodology. With these challenges ahead, systematic
design of S-box would be paramount to achieving the
desirable performance. Toward this end, a number of
techniques have been proposed to optimize S-box to
achieve near-optimal properties in terms of high nonlin-
earity (Clark et al. 2005; Fuller et al. 2005; Laskari et al.
2006; Millan 1998). Recently, optimization methods have
been merged with chaos-based techniques to optimize
S-box (Hussain et al. 2015; Wang et al. 2012). Incorpo-
rating chaos-based design with optimization methods can
improve a few desired properties. However, it seems
challenging to optimize all cryptographic properties
simultaneously. For example, there is not much improve-
ment for differential probabilities using chaos-based S-box.
Moreover, to the best of our knowledge, not a single design
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
method is available in the literature that is improved for
differential cryptanalysis.
Generally, S-box is an integral component of modern
encryption algorithm. Further, chaos-based image encryp-
tion algorithms are favored because chaos shows highly
random behavior in design and are extremely sensitive to
initial conditions. Lately, a great amount of research has
been carried out in chaos-based image encryption (Asim
and Jeoti 2007b; El Assad and Farajallah 2016; Khan and
Jeoti 2010; Khan et al. 2010a, b; Parvees et al. 2016; Yavuz
et al. 2015). It is in order to efficiently de-correlate the
adjacent pixels and to minimize statistical attacks. Images
have high neighboring pixels correlation; thus, efficient
shuffling is desired using S-box. Further, flat histogram of
encryption image is achieved using diffusion. The state-of-
the-art image encryption demands speed, high security and
complexity. Recent research shows that utilizing S-box
efficiently entails the state-of-the-art image encryption (El
Assad and Farajallah 2016; Parvees et al. 2016; Yavuz
et al. 2015).
The paper is outlined as follows: Sect. 2 covers the
contribution and related literature on chaos-based S-box,
Sect. 3 covers the design methodology of proposed S-box,
Sect. 4 details the proposed algorithm design steps, Sect. 5
analyzes the proposed S-box based on performance
parameters, Sect. 6 analyzes the suitability of proposed
S-box in an image encryption algorithm, and Sect. 7 con-
cludes the paper.
2 Contributions and Related Literature
on Chaos-Based S-Box
The proposed S-box is compared with the recently pub-
lished related work (Ahmad et al. 2015, 2016; Asim and
Jeoti 2008; Belazi et al. 2015; Chen 2008; Chen et al. 2007;
Hussain et al. 2012, 2015; Khan and Jeoti 2014; Laskari
et al. 2006; Özkaynak and Özer 2010; Wang 2015; Wang
et al. 2012). The aim of the cryptographer is to design
highly nonlinear S-box to resist against differential attacks.
In doing so, the cryptographic properties of bit indepen-
dence, maximum distance from linear Walsh coefficients,
strict avalanche criteria and linear and differential proba-
bility are investigated in detail. Those properties lead to a
design that fulfills confusion—nonlinearity in information
propagation. In other words, S-box based on the said cri-
teria may lead to low DP value, hence making the proba-
bility of input/output information prediction of a cipher
infeasible. The research presented in the literature except
(Khan and Jeoti 2014) S-box design aiming for desirable
cryptographic properties. However, the DP of all chaos-
based S-boxes is still very high. Likewise, counter based
DDT to measure DP for differential cryptanalysis has
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
never used within the design loop to optimize S-box. Khan
and Jeoti (2014) also uses DDT to design S-box to achieve
low DP value without counter based approach for opti-
mization. Herein, S-box methods are vetted and compared
in Table 1. The proposed S-box design further improves
the DP value as compared to Khan and Jeoti (2014), so that
the counter-based DDT is employed to have low value of
DP. The strength of proposed S-box is investigated for the
encryption of data. Various statistical and analytical
methods available in the literature (El Assad and Farajallah
2016; Parvees et al. 2016) are used to verify the suitability
of proposed S-box in information hiding.
The contribution of this paper is to design systematic
chaos-based S-box with improved/low value of DP using
DDT. The novelty of this work is the S-box design based
on reverse engineering, where counter-based DDT is used
within the loop of S-box design. It is an incremental design
technique to avoid bad S-box positions that cause high DP
and counter to choose lowest coefficient value to keep the
DP as low as possible. Typically, DDT table is generated
using S-box elements and is designed based on crypto-
graphic properties (Heys 2002). The problem statement
indicates that previously published chaos-based S-box
designs are haphazard rather than systematic. Moreover,
they suffer from high DP = 10, which is essential to resist
against differential cryptanalysis. Ideally, for perfect non-
linear S-box, DP value should be ‘2’ and that is still an
open research problem. The S-box positions are generated
using chaotic logistic map (presented in Sect. 4), and the
generation time is reasonable because of chaotic map’s
properties of mixing and ergodicity. Thus, the probability
is very high that S-box is generated in reasonable amount
of time. The DP is improved further because of counter-
based approach and optimized cryptographic properties,
which are not discussed in Khan and Jeoti (2014).
3 Design Methodology of Proposed S-Box
The design assumption is that, for a given input difference/
prediction, a good S-box entails distinct difference between
positions. DDT is generally used to measure that. The
objective is to design an S-box based on the said design
assumptions. A design based on this assumption usually
implies that in case a given S-box does not meet the cri-
terion that the repetition of any output difference is mini-
mum 2 for all input differences, one is forced to look for a
completely new S-box.
This work, on the other hand, proposes an incremental
design technique, where the S-box is built up incremen-
tally. An incremental procedure would entail starting with
some tentative initial S-box whose first two entries are first
tested. These entries are retained and next entry is tested
221
for how many repetitions of each output difference there
are for every input difference. If this entry also meets the
criteria that the repetition is not more than twice, the entry
is retained. Else one iterates the chaotic map to regenerate
new entries. The process continues. This conceptual flow
diagram is presented in Fig. 1.
Generally, differential cryptanalysis generates DDT to
measure output differentials, once an S-box has been
generated. Differential approximation probability (DP) is
one of the performance measures of an S-box, which is
computed using DDT.
Formally, the design objective is to first set frequency of
occurrence R of Dy = 2, which is called the mapping rule
S0 . Initially, set input difference Dx = 1 and generate first
two positions, s01 ; s02 , using chaotic map and place in
position vector P and make them fixed as
P ¼ fs01 ; s02 g ð1Þ
The positions are fixed in P that passes all the testing to
improve DP. Once all positions are generated, tested and
fixed, then this P is called our final S-box S. First measure
the difference between ðs01 ; s02 Þ as Dy = s01  s02 and
place in DDT. The positions are incrementally generated
one by one, as mentioned earlier. Now generate S-box
position s03 , and measure Dy for all possible Dx = [2, 3…
2n]. If s03 does not satisfy given mapping rule for any Dx,
then s03 is ignored and replaced with new S-box position
generated using chaotic map. Again set input difference
Dx = 1, so that new position s03 is tested to fall under
mapping rule S0 . If it satisfies mapping rule S0 , s03 is fixed
in P such as
P ¼ fs01 ; s02 ; s03 g ð2Þ
Now generate s04 and test for the mapping rule S0 . If s04
satisfies mapping rule, fix it in P and generate s05 . Simi-
larly, S-box positions are generated, tested and fixed if
satisfying given mapping rule; otherwise, they are ignored
and replaced such as
P ¼ fs01 ; s02 ; s03; s04 g ð3Þ
P ¼ fs01 ; s02 ; s03 ; s04 ; s05 g ð4Þ
P ¼ fs01 ; s02 ; s03 ; s04 ; s05 ; s06 ; . . .g ð5Þ
Our objective is to generate all S-box positions that fall
under mapping rule S0 . However, if positions do not
improve further under mapping rule S0 with fixed R = 2,
then R is incremented by 2 and called mapping rule S1 . The
S-box positions that fall under mapping rule S0 can be
written as
P ¼ fs01 ; s02 ; s03 ; s04 ; s05 ; . . .sa g ð6Þ
|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}
S0
where S0 can also be written as
123
 222

123
Table 1 Comparison of chaos-based S-boxes
Author/year Design Technique Cryptographic properties* Advantage Disadvantage
Avg. NL DAP

Asim and Jeoti (2008) Chaos-based design Logistic map 102.5 10/256 Bijective, good NL, SAC, BIC, LP High DP
Tang et al. (2005) Chaos-based design Baker map 103.5 10/256 Bijective, good NL, SAC, BIC, LP High DP
Peng et al. (2012) Chaos-based design Lorenz chaotic system 104 10/256 Bijective, good NL, SAC, BIC, LP High DP
Özkaynak and Özer (2010) Chaos-based design Chaotic Lorenz system 103.2 10/256 Bijective, good NL, SAC, BIC, LP High DP
Wang et al. (2009) Chaos Chaotic tent map 103.75 10/256 Bijective, good NL, SAC, BIC, LP High DP
Gang et al. (2009) Chaos Discretized generalized baker map 104 10/256 Bijective, good NL, SAC, BIC, LP High DP
Chen et al. (2007) Chaos Three-dimensional baker map 102.25 10/256 Bijective, good NL, SAC, BIC, LP High DP
Hao et al. (2010) Chaos Chaotic logistic map 103.5 10/256 Bijective, good NL, SAC, BIC, LP High DP
Zaibi et al. (2010) Chaos-based design ID PWLCM 102 10/256 Bijective, good NL, SAC, BIC, LP High DP
3D PWDCL
Jing et al. (2007) Chaos-based design Piecewise linear chaotic map 105.25 10/256 Bijective, good NL, SAC, BIC, LP High DP
Ahmad et al. (2016) Chaos ? optimization PWLCM ? travel salesman problem 107 10/256 Bijective, good NL, SAC, BIC, LP High DP
Soni et al. (2015) Chaos ? optimization Logistic map ? ant colony 107 10/256 Bijective, good NL, SAC, BIC, LP High DP
Hussain et al. (2015) Chaos-based S-box Logistic map 105 10/256 Bijective, good NL, SAC, BIC, LP High DP
Belazi et al.(2015) Chaos-based S-box Rossler Eq. 106 10/256 Bijective, good NL, SAC, BIC, LP High DP
Ahmad et al. (2015) Chaos-based S-box 1D PWLCM 105 10/256 Bijective, good NL, SAC, BIC, LP High DP
Khan and Jeoti (2014) Chaos ? optimization ID map ? DDT 106 08/256 Bijective, good NL, SAC, BIC, LP Moderate DP
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Fig. 1 Conceptual flow diagram
of the proposed S-box design S-box posions generaon
using CLM
1. Discretize map, obtain
decimal values in the
range [1,256]
2. Generate initial few
positions, 2 in our case,
P ={ 01 , 02 }, and
place them in a position
vector of length 256.
3. For example these
arbitrary positions are
P= {9, 17} output 1
8. Generate requested
positions 03 (arbitrary
position is 12) and
11. Generate 04 (arbitrary
position is 20) and
14. Ignore 04 = 20 and
regenerate (new
arbitrary position is 42)
and place in P = {9, 17,
12, 42}.
S-box incremental outputs
Output1: P = {9, 17}
Output2: P = {9, 17, 12}
Output3: P = {9, 17, 12, 42}
. to 1
Posion vector P is then our final S-box with improved differenal
approximaon probability
S0 ¼ fs01 ; s02 ; s03 ; s04 ; s05 ; . . .sa g ð7Þ
The remaining positions,ðsaþ1 ; saþ2 ; . . .s2n Þ, are then gen-
erated using mapping rule S1 . The positions that fall under
mapping rule S1 can be written as
P ¼ fs01 ; s02 ; s03 ; s04 ; . . .sa ; s110 ; s120 ; s130 ; ; s140 ; . . .sb0 g ð8Þ
|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}
S0 S1
where S1 can be written as
223
Improvement of S-box’s DP using DDT
4. For optimal DP, frequency of occurrence of
∆y, R =2, which is called mapping rule 0
5. First set ∆x=1, and frequency of occurrence
R=2,
6. First measure ∆y of 01 , 02 , and place them
in DDT, which is 9 ⊕ 17 = 8 for ∆x =1
7. Generate 03 using chaoc map, and
measure all ∆y for all possible input
difference ∆x,
9. If freq. of occurrence of ∆y <=R, increment
n
∆x=2, 3, …2
10. Check if 03 = 12 satisfy ∆y <= R for all
possible ∆x , if satisfying then fix 03 in
position vector = { 01, 02 , 03 } and
generate 04 using chaotic map and repeat
procedure of testing. 03 = 12 satisfying
condition for available ∆x = 2 such that
12⊕ 9=3, which is not repeating in DDT’s
12. Check 04 =20 with other positions to
measure freq .of occurrence
13. 04 =20 is not satisfying for ∆x=1 such that
20 ⊕ 12 = 8, which is repeated therefore
ignored and regenerated
15. New 04 = 42, satisfying ∆y<=R for all
possible ∆x. 04 = 42 is fixed in P and
05 is generated for testing. Output3
16. Repeat process until all positions are
generated under mapping rule 0
17. If positions cannot improve further,
increment R by 2 by changing mapping rule
18. Generate remaining positions, and if
necessary change mapping rule.
S1 ¼ f s110 s120 s130 s140    sb0 g ð9Þ
where saþi ¼ s1i0 . The mapping rule can be changed further
if necessary until all S-box positions are generated. The P
is our final S-box S once all positions are generated. The S
is the concatenation of all positions that fall under mapping
rules, such as:
S ¼ concatenationðS0 ; S1 ; . . .; Sn Þ ð10Þ
The said approach is explained as pseudo-code as follows:
123
224 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

Algorithm: Design of S-box using chaos and DDT position of ‘1’ in row vector SSi denotes the position of ith
Notations: input element after substitution.
Initial state of CLM
+1 Next state of CLM SSi ðPi Þ ¼ 1 ð12Þ
x Current position of S-box
n Size of S-box
2 Total number of S-box positions where Pi denotes the position of ‘1’ in row vector SSi
Position counter to count position generation using CLM The proposed algorithm subcomponents are discussed in
∆x Input difference
∆y Output difference detail in the coming subsections.
R Allowable frequency of occurrence of ∆y for a given ∆x
Position vector to store S-box positions, i The main algorithm’s flow diagram is described in
( ) S-box positions, i Fig. 2. The details are also presented in a stepwise manner
DDT(i,j) Difference distribution table, i, j
Initialize parameters: as follows:
PC = 0 Set position counter
(1, 2 ) = 0 Set position vector empty 1. First step is to initialize S-box positions generation
R=2 Set allowable frequency of occurrence
Set any arbitrary initial condition/state of CLM using chaotic logistic map under given initial param-
eters as discussed in Sect. 4.1.
Algorithm subclass1 : S-box position generation using CLM
01: Do while PCi < = 2 // generate and optimize S-box position 2. Initialize difference distribution matrix D [2n, 2n]. The
02: Iterate CLM with
03: Set +1 = // next state becomes initial condition of
DDT is filled with generated S-box position’s output
04: // CLM differences Dy for a given input difference Dx.
05: P(PC) = P( ) // selected subdomain of PC using is the
06: // S-box position 3. The differential approximation probability is improved
07: PC = PC + 1 // increment counter to fill positions under proposed improvement conditions using DDT as
08: Return P(x)
09: Call algorithm subclass 2 discussed in Sect. 4.3.2.
10: End while
Algorithm subclass 2: Optimization of S-box using DDT
4. Each position is tested to examine if it falls under
11: If PC < 2 // generate min. two S-box positions given mapping rule Si using DDT to achieve best
12: Call algorithm subclass 1
13: Else
possible differential approximation probability. Other-
14: Do While (# ∆ < = ∆ <= 2 ) wise, the position is thrown away and regenerated
15: Set DDT (x⊕∆x, ∆x) = ∆y // place output diff. at ∆xth row
16: //and (x⊕∆x)th column again.
17: Set ∆x = ∆x + 1 5. The procedure is stopped once all positions are
18: If # ∆y = = 2
19: Set ∆x = ∆x + 1 generated and final S-box is displayed.
20: Else if ∆x = = 2
21: Set ∆x = 1 // increment ∆x to test new positions
22: Call algorithm subclass 1
23: End if # ∆ >R // check for condition 4.1 Initialize S-Box Generation
24: Set ∆x = 1 // increment ∆x to test new positions
25: Call algorithm subclass 1
26: Else if # ∆ > R & PC < 2 Utilizing the properties of chaos generates the S-box
27:
28: Set R = R + 2 // change condition positions. Chaotic logistic map is iterated under given
29: Set ∆x = 1 initial conditions. The detailed flow diagram of S-box
30: Call algorithm subclass 1
31: End if position generation steps is described in Fig. 3.
32: End while
33: End if 1. To generate the S-box positions, variables are
34 : Show generated S-box
initialized: Position counter PC counts the generated
positions and map’s initial parameters xn.
4 The Proposed Algorithm
2. The domain in the range [0.1, 0.9] is divided into 2N
equal intervals.
This section details the design steps of proposed S-box to
3. These intervals are then labeled sequentially in the
improve the differential approximation probability. The
range [1, 2N ] as position number PN.
main flow diagram of proposed S-box is described in
Fig. 2. The method to generate S-box positions using chaos 4. Initialize a position vector P of size 2N .
is described in Sect. 4.1. The initialization and improve- 5. The logistic map is iterated with arbitrary chosen
ment of differential approximation probability of proposed initial condition xn .
S-box using DDT is detailed in Sects. 4.2 and 4.3, The chaotic logistic map is a well-known 1-D
respectively. Our aim is to design bijective S-box; there- chaotic map and is simple to implement.
fore, we generate substitution matrix ‘S’ Chaotic logistic map is defined as
xnþ1 ¼ rxn ð1  xn Þ ð13Þ
S ¼ fSSi ; SSiþ1 ; . . .SS2n gT ð11Þ
where 0  xn  1 and 3:57\r  4
where SSi is substitution matrix’s row vector with ð2n  1Þ
By iterating the chaotic logistic map with a
zeros and only one 1. Substitution matrix S is of size
unique initial value 0\ x0 \1, one can generate a
ð2n ; 2n Þ where 2n denotes elements to be substituted. The

123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Fig. 2 Flow diagram of main
algorithm to improve
differential approximation
probability
unique sequence of random real numbers whose
values lie between 0 and 1. Chaotic logistic map
used with r = 4 is the only useful case in (13)
because the chaotic attractor is distributed uniformly
in chaotic domain region, which spans over [0, 1].
6. The chaotic logistic map is iterated under given
initial conditions.
225
7. The output of logistic map xnþ1 is checked in the
domain where it falls. The specific subdomain is
marked accordingly, and the corresponding subdo-
main number is stored in a row vector, which is
called as position vector P.
8. During the course of iteration, if the map’s output
falls in a visited subdomain, then this subdomain is
ignored.
123
226 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

Fig. 3 Flow diagram to initialize S-box to generate positions using chaos

9. If the position falls in an empty subdomain, the 11. Stop iterating chaotic logistic maps once all posi-
position is assigned to that subdomain. tions in position vector are filled.
10. The position is tested using improvement criteria
that exploit DDT and is explained in Sect. 4.3.2. If it
4.2 Introduction and Initialization of DDT
fulfills the proposed criteria, the position is fixed in
P; otherwise, regenerate this position and empty that
Before going into a detailed discussion on how DDT can be
subdomain.
used within the loop to improve DP, salient characteristics

123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 227

of DDT need to be discussed here. DDT is a tool that is Table 2 Difference distribution table DDT
useful in differential cryptanalysis of block cipher. The DX Difference (DY)
differential cryptanalysis uses DDT to seek high proba-
bility of occurrences of output S-box differential pairs 000 001 010 011 100 101 110 111
whose corresponding input pairs have particular difference. 000 8 0 0 0 0 0 0 0
In other words, to mount differential cryptanalysis, differ- 001 0 4 4 0 0 0 0 0
ence distribution table DDT of size [2n, 2n] is generated 010 0 0 0 0 2 2 2 2
using S-box’s output differences Dy for all possible input 011 0 0 0 0 2 2 2 2
differences Dx. The input to an S-box is referred to as 100 0 0 0 0 2 2 2 2
x ¼ ½x1 ; x2 ; x3 . . .xn , and output is referred to as 101 0 0 0 0 2 2 2 2
y ¼ ½y1 ; y2 ; y3 . . .yn . Each input and output of an S-box are 110 0 4 0 4 0 0 0 0
comprised of n bits. The total number of input combina- 111 0 0 4 4 0 0 0 0
tions of S-box is 2n . The input difference is denoted as
Dx ¼ x0  x00 , and corresponding output difference is
denoted as Dy ¼ y0  y00 . The elements ðx0 ; x00 Þand ðy0 ; y00 Þ generated with improved differential approximation prob-
are the input and out pairs, where ‘’ represents the bitwise ability by avoiding bad S-box positions. The input pairs
exclusive-OR. The input differences are in the range of that have distance Dx are represented by column in
½1; 2n . The pair (Dx; Dy) is called a differential pair. Table 2, and chosen output pairs of an S-box to measure
DDT possesses several properties. It has 2n rows and 2n Dy are shown by arrow lines. The differences occurred in
columns. The sum of output differences in a single row or pairs and therefore are shown with multiple arrow lines.
in a single column is 2n. All output differences Dy in DDT In Table 3, the input elements 000 and 001 have the
have even values because they occur in pairs. For example, difference of 1. The corresponding output difference is
0
input difference Dx, Dx ¼ x0  x00 ¼ x00  x . Moreover, calculated using the S-box positions at indices 000 and 001
input difference of Dx ¼ 0 leads to output difference of as Dy = 110  111 = 001 which is 1. The differences
Dy ¼ 0. In that case, for n-bit S-box, first element of first occurred in pairs, as described earlier; therefore, first two
column has the value 2n and other values in first row and positions in Dx = 001 column are 1 in Table 4. When input
first column are 0. For an ideal S-box that gives no infor- difference is 1, input pairs 001 and 010, 011 and 100, and
mation about output differential, all elements of DDT have 101 and 110 are not paired. Therefore, it can be concluded
the value of 1. In that case, the probability of occurrence of that all elements are not considered for pairing for a given
an output difference for a given input difference is input difference. All output differences are tabulated in
1 1 1 Table 3. The probability of occurrences of output differ-
2n ¼ 23 ¼ 8. However, it is not achievable because the dif-
ences is tabulated in Table 5. The rows show the input
ferentials always occur in pairs. The rows represent the
differences Dx, and columns show the output difference
input differences and columns represent the output differ-
Dy. When the input difference is 1, the output difference of
ences in DDT as shown in Table 2.
1 occurs 4 times; thus, second row and second column is
filled with 4. Similarly, when input difference is 3, the
4.3 Improving Differential Approximation
output of 7 occurs two times; therefore, the fourth row and
Probability Using DDT
last column is filled with 2. All probabilities are filled in a
similar fashion.
In this work, we proposed an alternative solution to design
chaos-based S-box using DDT with improved differential Table 3 DDT of 3 9 3 randomly selected S-box
approximation probability. Toward this end, detailed
analysis on inherent structure of DDT has to be understood
in a manner such that DDT can be used within the loop to
improve S-box’s differential approximation probability.
For simplicity, the DDT is analyzed with the help of a
3 9 3 S-box. This case study will help in understanding
how DDT is utilized in a unique manner for 8 9 8 S-box.

4.3.1 An Example of 3 3 3 S-Box

The objective herein is to analyze DDT structure. DDT

utilizes S-box elements to form the DDT. S-box is

123
228 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

Table 4 Output differential occurrence against each input difference 6. If DDT is not filled completely and positions cannot
X Y Output difference (DY)
improve further, the mapping rule is changed by
incrementing frequency of occurrence R of Dy by 2.
DX DX DX DX DX DX DX DX
000 001 010 011 100 101 110 111

000 S0 = 110 0 1 4 6 5 7 3 2 1. To improve S-box’s differential approximation

001 S1 = 111 0 1 7 5 6 4 3 2 probability using DDT, first initialize required
010 S2 = 010 0 2 4 5 7 6 1 3 variables that are used during the course of opti-
011 S3 = 000 0 2 7 6 4 5 1 3 mization such as frequency of occurrence of Dy = 2,
100 S4 = 011 0 2 6 7 5 4 1 3 position counter PC = 1, Dx = 1.
101 S5 = 001 0 2 5 4 6 7 1 3 2. Initialize S-box generation procedure described in
110 S6 = 101 0 1 6 4 7 6 3 2
Sect. 4.1
111 S7 = 100 0 1 5 7 4 5 3 2
3. First generate two S-box positions and place them in
position vector P and set position counter PC to 2.
4. Generate S-box difference pairs of P[PC]th and
P[PC  Dx[i]]th S-box positions to measure output
difference Dy for all possible input difference Dx,
Table 5 DDT of randomly selected 3 9 3 S-box
where i is a variable ranging [0, 2n].
DX Difference (DY) 5. Ignore output pair if P[PC  Dx[i]]th subdomain in
000 001 010 011 100 101 110 111 position vector P is empty. It means P[PC  Dx[i]]
position is not generated yet. Therefore, in improve-
000 8 0 0 0 0 0 0 0 ment conditions we ignore downward arrow pairs.
001 0 2 2 0 0 0 0 0 6. For each PCth position, and for all possible input
010 0 0 2 2 2 2 2 2 difference Dx [1, 2n], check frequency of occurrence
011 0 2 0 2 2 2 2 2 R of Dy in any of the DDT columns.
100 0 0 2 0 2 2 2 2 7. If # Dy [ R, then PCth position in P has to be
101 0 2 2 0 2 2 2 2 regenerated; otherwise, set DDT location DDT [PC,
110 0 0 0 2 0 0 0 0 Dx[i]], increment PC and generate next position.
111 0 2 0 2 0 0 0 0 8. Moreover, if # Dy [ 2 in any DDT columns and
positions cannot improve further, then change map-
ping rule Si and allow repetition of Dy in each DDT
column by incrementing R = 2.
4.3.2 Proposed Conditions to Improve Differential 9. Stop iterating map once all positions are generated
Approximation Probability Using DDT and position vector P is filled.
10. Position vector P is our final S-box that is improved
This research has given us insight into how S-box positions for difference approximation probability.
are chosen to measure output differences Dy. To improve
differential approximation probability, conditions are pre-
sented as follows and description of algorithm is presented 5 Performance Evaluation for Proposed
as flow diagram in Fig. 4 S-Box
1. Only upward arrow lines pairs are chosen to measure
the output difference pairs This section evaluates the performance of proposed S-box.
2. As differences occur in pairs, downward arrow lines A set of rules is defined by national security agency (NSA)
pair’s differences can be ignored. to analyze S-box. The widely used and well-established
3. S-box positions are generated one by one and gener- cryptographic properties to evaluate S-box performance are
ated pairs are chosen to measure Dy and placed in bijective, nonlinearity, bit independence criteria (BIC),
DDT. strict avalanche criteria (SAC) and differential and linear
4. Initially set frequency of occurrence R of Dy = 2 is approximation probabilities. Among those differential
called mapping rule S0 . approximations, probability property is chosen to improve
5. If output difference Dy in any of the columns is the S-box designed using chaos and DDT. It is shown that
repeated, generated position is ignored and proposed scheme is designed to improve differential
regenerated. probability as compared with other chaos-based S-box

123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 229

Fig. 4 Flow diagram of

optimization of difference START
distribution table using DDT

n n
Inialize variables: DDT [2 , 2 ], posion
n
vector P [1, 2 ], input difference ∆X,
output difference ∆Y, posion counter
PC, difference repeon D = 0,
frequency of occurrence of ∆y, R=2

P4

Inialize S-box posion generaon

in secon 4.1
Increment PC

No
While PC ≤ 2n

Output the final

Yes
S-box

If first two No
END
posions of P
are filled

Yes

Set ∆X = 0

Compute ∆ = ⊕

Where
Increment ∆X
by 1
Yes If =
[ ⊕∆ ]>

No P2
P3 P1
* The flow diagram connues on next page

design methods and optimized chaos-based S-boxes to 1. Differential approximation probability (DP)
date. The chaos is used to generate the positions of S-box; 2. Linear approximation probability (LP)
therefore, one can generate good near-optimal S-box in 3. Nonlinearity (NL)
reasonable amount of time, because of chaotic properties of 4. Strict avalanche criteria (SAC)
mixing and ergodicity. Chaotic logistic map’s out
must traverse each subdomain in reasonable time during
the course of S-box position generation. The performance
parameters discussed and analyzed are as follows:

123
230 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

Fig. 4 continued
P1

No P2
if
∆ ≤2 −1

Yes

Check ∆Y in
DDT’s ∆X column

Yes
Does freq. of No
Posion override occurrence of
∆Y > R

No Does it Yes
require
Set DDT (PC, ∆X) = ∆Y
increment R?

Regenerate posion Increment R P3

P4

5.1 Differential Approximation Probability
The objective of this work is to propose an S-box using
chaos and DDT to improve differential approximation
probability. Differential cryptanalysis was first published
by Biham and Shamir in 1991 (Biham and Shamir 1993). It
is a chosen plaintext attack in which a large number of
plaintext–ciphertext pairs are used to determine the value
of key bits. It basically exploits the mapping properties of
the differences within the cryptosystem, since not every
input difference can be mapped to an output difference.
Statistical key information is deduced from ciphertext
blocks obtained by encrypting pairs of plaintext blocks
with a specific bitwise difference A0 under the target key.
The work factor of the attack, a measure of the amount of
work needed to suggest the correct key, depends critically
 0 
on the largest probability, max:prob B =A0 with B0 being a
difference at some fixed intermediate stage of the block
cipher. The input difference of B0 ¼ ððB  KÞÞ  ððB 
KÞÞ ¼ ðB  B Þ the S-box for a round does not depend on
the round key: where B; B are inputs to S-box and B0 is
their corresponding difference.
The differential cryptanalysis uses DDT to measure
differential pairs of an S-box. Analyzing the DDT in terms
of differential approximation probability highlights the
weaknesses in S-box structure. And, maximum differential
approximation probability measures the probable differ-
ential characteristics.
Differential characteristic measures the occurrence of
highest number of output difference pairs whose input pairs
have a particular difference and is defined as:
 
#fx 2 X jSð xÞ  Sðx  DxÞ ¼ Dyg
DPðDy ! DxÞ ¼
2N
ð14Þ

123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 231

where X denotes all possible input values and 2N denotes

total number of elements. In general, DP is the probability
of having Dy, when the input difference is Dx:
The maximum differential of S-box is defined as:
DPSmax ¼ max DPS ðDx ! DyÞ ð15Þ
Dx6¼0;Dy

To measure the differential approximation probability,

DDT is required for proposed S-box. The input pairs with
all possible input distances Dx are grouped together. The
corresponding output differences Dy are measured using
Eq. (14). Once all differences are placed in DDT, maxi-
mum occurrence of differential approximation probability
is measured using Eq. (15). In this work, DDT is used in a
unique manner. Therefore, DDT is also generated along Fig. 6 Difference distribution histogram of chaos-based S-box (x-axis
input XOR’s, y-axis output XOR’s, z-axis number of occurrences)
with S-box generation. This work follows Eq. (15) while
filling the DDT. Figure 5 shows the histogram of differ-
compared to our proposed S-box. Our proposed S-box uses
ential approximation probability of proposed S-box gen-
chaos to generate initial S-box positions. Small change in
erated with an arbitrary initial condition. The x-axis
initial condition of chaotic map can generate a number of
denotes the input difference Dx, whereas y-axis represents
S-boxes with good cryptographic properties. In order to
the output difference, Dy, and z-axis shows the number of
show that the proposed S-box retains low differential
occurrences of input and output differential (Dx; Dy).
approximation probability, 500 S-boxes are generated with
Moreover, the histogram of chaos-based S-box using
slight change in initial condition of chaotic logistic map at
logistic map (Asim and Jeoti 2008) is also presented in
fourth decimal digit. The maximum approximation proba-
Fig. 6. It is evident from the histogram that all differentials
bility of all generated S-boxes is plotted in Fig. 7. The
are uniformly distributed as compared to chaos-based
histogram ensures that all S-boxes retain differential
design method. The differential of our proposed S-box
6
approximation probability of 8/256. It also ensures that
occurs with the maximum probability of 256 98% in the proposed method is not dependent on initial condition but
DDT. Almost all of the differentials are in the range of 0, 2, rather on inherent design that improves and retains low
4 and 6, and are uniformly distributed as compared to the differential approximation probability.
recently published S-boxes, where all of the entries are in To demonstrate the cryptographic properties of bijec-
the range of 6, 8, 10, and in some cases 12. For compar- tive, nonlinearity, SAC, BIC, and linear approximation
ison, the differential approximation probability (DP) of our probability, S-box (given in Table 7) is generated using
proposed S-box and the recently published chaos-based arbitrary initial condition. This S-box is chosen as an
S-boxes are listed in Table 6. The recently published example to demonstrate performance parameters analyzed
10 12
S-boxes have higher maximum DPs of 256 and 256 as in this paper. Generally, multiple rounds of iteration are
considered if input data are changing in each round, ran-
dom input data being used. However, in this work, we
consider only one S-box, and its elements do not change
during the course of performance analysis. Therefore, the

Table 6 Comparison of DP
S-boxes (year) Maximum DP

Proposed S-box 6*/256

Hussain et al. (2015) 10/256
Wang et al. (2012) 10/256
Hussain et al. (2012) 10/256
Özkaynak and Özer (2010) 10/256
Fig. 5 Difference distribution histogram of the proposed S-box (x- Soni et al. (2015) 10/256
axis input XOR’s, y-axis output XOR’s, z-axis number of Ahmad et al. (2016) 10/256
occurrences)

123
232 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

Fig. 7 Maximum differential 12

approximation probabilities vs
S-box 10

DAP of CD S-boxes
8

0
0 50 100 150 200 250 300 350 400 450 500
# of CD S-boxes

Table 7 Proposed S-box design

S-box 1 2 3 4 5 6 7 8 9 10 a b c d e f
using arbitrary initial condition
1 126 3 17 208 12 146 86 7 93 183 163 232 121 96 45 97
2 32 30 132 4 118 250 238 105 114 100 138 249 185 67 176 171
3 172 167 5 143 50 150 44 115 104 43 152 8 248 128 22 73
4 55 38 16 78 200 15 174 18 74 196 181 48 153 169 162 83
5 220 187 130 82 224 81 237 11 13 108 84 101 92 221 151 31
6 184 246 58 64 36 198 98 25 80 203 23 228 159 107 65 106
7 251 116 226 52 182 177 37 42 76 219 149 165 69 87 241 214
8 102 71 170 189 252 157 240 195 161 211 197 39 168 201 111 70
9 2 247 49 243 127 212 134 75 21 173 223 129 141 26 47 57
10 89 112 193 233 218 164 46 51 9 61 160 215 180 158 206 140
a 41 19 35 253 244 28 204 148 33 110 10 213 144 202 222 133
b 194 139 256 234 255 6 242 209 63 29 229 155 179 117 188 27
c 236 53 227 137 94 91 90 207 235 62 245 131 231 124 175 95
d 145 217 166 24 14 34 186 122 147 60 59 225 54 40 205 72
e 20 239 88 68 125 178 191 56 1 230 120 154 210 190 103 123
f 142 136 199 113 119 77 99 254 85 216 135 66 156 192 79 109

statistical analysis on static data would not result in any where Cx and Cy are the input and output masks, respec-
change in output data.
tively, X denotes the set of all possible inputs, and 2N is the
number of its elements.
5.2 Linear Approximation Probabilities (LPs)
The maximum linear probabilities of S-box are defined
as:
Another important concept of linear cryptanalysis was
introduced by Mitsuru Matsui in 1993 (Matsui 1994). It LPSmax ¼ max LPS ðCx ! CxÞ ð17Þ
Cx;Cy6¼0
measures the linear approximation by XORing input bits
together, XORing output bits together and XORing the
input and output bit. Finally, XOR with the key bits mea- • Methodology to measure LP
sures the linear approximation probability. In other words,
it measures the maximum imbalance of an event: The The S-box is tested using well-defined measure of linear
parity of the input bits selected by the mask Cx is equal to approximation probability. All possible inputs are multi-
the parity of the output bits selected by the mask Cy. The plied with selected input masks to generate the input par-
linear approximation probability is defined as: ities. Similarly, all possible S-box positions are multiplied
with selected output masks to generate output parities. Both
LPðCy ! CxÞ
  input and output parities are compared for equality.
max #fxjx  Cx ¼ sð xÞ  Cyg 1 ð16Þ Equation (16) is used to measure the equality and linear
¼ 
Cx; Cy 6¼ 0 2N 2 approximation probability.

123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 233

Table 8 Comparison of LP nonlinearity of S-box’s component functions is then mea-

S-boxes (year) Maximum LP
sured using (19).
The nonlinearity values greater than 98 are considered
The proposed S-box 0.1094 good for bijective 8 9 8 S-box (Mamadolimov et al.
Hussain et al. (2015) 0.1121 2010). The nonlinearity values for perfect nonlinearity of
Wang et al. (2012) 0.1406 120 are considered optimal. However, achieving this range
Hussain et al. (2012) 0.1151 with bijective S-box is not possible. It requires certain
Özkaynak and Özer (2010) 0.1289 arrangement of Walsh coefficients. The Walsh coefficient
Soni et al. (2015) 0.1438 values for perfect nonlinearity are only possible if S-box
Ahmad et al. (2016) 0.1311 component function’s values (0, 1) are not symmetric.
The nonlinearity of proposed S-box is compared with
the recently proposed chaos-based S-boxes. The selected
The LP of proposed S-box and the recently published
S-box shown in Table 6 is used to demonstrate nonlinearity
S-boxes is compared and listed in Table 8. The LP of
results. The input parameters are S-box and its size. The
proposed S-box is 0.1094, which is considered very low.
S-box’s component functions are fed as an input, and
Our proposed S-box is not improved using the knowledge
mathematical formulas are used to measure the nonlin-
of linear approximation probability; rather, it is improved
earity. The nonlinearity of our proposed S-box is listed in
during the course of differential approximation probability
Table 9. For chaos-based S-box, the nonlinearity above
using DDT as explained earlier. However, the inherent and
100 is considered good. In the literature, the published
efficient improvement of S-box positions using DDT
S-box design methods are specifically optimized for non-
results in improved values of linear approximation proba-
linearity but lack the optimization for other cryptographic
bility as compared to the recently published S-box
properties. Moreover, their computational complexity is
techniques.
quite high. The nonlinearity of the recently published
S-boxes is also listed in Table 9. It is noticeable that our
5.3 Nonlinearity
proposed design retains high nonlinearity that is well above
the limits required for good cryptographic S-box design.
The nonlinearity measures the unpredictable, highly ran-
Wang’s S-box shows improvement because the S-box is
dom, behavior of an S-box. It is measured using Walsh
improved for nonlinearity; thus, it achieves slightly higher
spectrum. The S-box can be represented as multi-vectorial
nonlinearity.
Boolean function fi ð xÞ, where 1  i  n. The Walsh spec-
Our proposed S-box has maximum nonlinearity of 106.
trum is defined as:
X Most of the component functions of proposed S-box have
Sf ð w Þ ¼ ð1Þf ðxÞx:w ð18Þ nonlinearity in the range of 104–106. The minimum
Sf ðwÞ achieved nonlinearity of proposed S-box is 100, which is
well above the minimum required nonlinearity limit for
where GFð2n Þ and x  w denotes the n points galois field in
8 9 8 S-box.
eq. (19) and dot product of vectors respectively. The
nonlinearity is defined as:
  5.4 Strict Avalanche Criteria
1 n
NL ¼
2  max n Sf ðwÞ ð19Þ
2 w2GFð2 Þ Webster and Tavares (1986) first introduced an efficient
method of SAC to test the performance of an S-box. If
S-box satisfies this criterion, then each of its outputs should
• Methodology to measure nonlinearity change with the probability of half whenever single input
bit is complimented. According to this method, dependence
In our analysis, we choose 8 9 8 S-box. The nonlin-
matrix is generated to measure the change in S-box com-
earity of each component function of proposed S-box is
ponent functions bits. The method of dependence matrix
independently measured using Walsh matrix. The Walsh
generation is described in Webster and Tavares (1986). If
matrix has a linear structure that provides the basis to
S-box complies with SAC, it ensures that it has good bound
measure the distance of nonlinear S-box component func-
of nonlinearity.
tions from Walsh matrix. The component functions are
achieved after converting S-box from decimal to binary. • Methodology to measure SAC
We proposed 8-bit S-box; therefore, we have 8 distinct
The avalanche vectors of proposed S-box are measured
component functions. The Walsh coefficients of each
in order to analyze the SAC. The positions of S-box are
component function are measured using (18). The achieved
converted from decimal to binary. The input and S-box

123
234 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238

Table 9 Nonlinearity
S-boxes (year) Nonlinearity
comparison
f0 f1 f2 f3 f4 f5 f6 f7 fmin Average

The proposed S-box 102 100 104 104 104 106 106 106 100 104
Hussain et al. (2015) 107 103 100 102 100 108 104 108 103 104
Wang et al. (2012) 105 105 104 100 107 105 106 107 105 104.87
Hussain et al. (2012) 108 108 108 108 108 108 108 108 108 108
Özkaynak and Özer (2010) 104 100 106 102 104 102 104 104 100 103.25
Soni et al. (2015) 108 106 106 106 106 110 106 108 106 107
Ahmad et al. (2016) 108 110 110 108 106 106 106 106 106 107.5

Table 10 Dependence matrix

0.53125 0.515625 0.5 0.46875 0.515625 0.53125 0.5625 0.515625
0.5 0.5 0.546875 0.515625 0.53125 0.5625 0.484375 0.5
0.515625 0.453125 0.515625 0.421875 0.53125 0.484375 0.46875 0.46875
0.453125 0.453125 0.515625 0.546875 0.546875 0.53125 0.53125 0.5
0.53125 0.515625 0.515625 0.5 0.484375 0.484375 0.5625 0.4375
0.515625 0.484375 0.5625 0.46875 0.53125 0.546875 0.46875 0.5
0.46875 0.484375 0.4375 0.53125 0.46875 0.53125 0.5 0.578125
0.515625 0.453125 0.484375 0.578125 0.5625 0.515625 0.5625 0.46875

positions are named herein as vectors. The input vectors Table 11 Comparison of SAC
that differ at ith bit position Xi and corresponding S-box
S-boxes (year) Dependence matrix
positions are identified. The identified S-box positions are
XORed together to measure the avalanche vectors Vj. The Min. value Max. Value Mean Value
value of bit i, either 0 or 1, in Vj is placed at location Ai,j
The proposed S-box 0.4218 0.5781 0.4999
in dependence matrix A. The procedure continues for all
Hussain et al. (2015) 0.3804 0.5843 0.4823
input vectors and corresponding avalanche vectors. The
Wang et al. (2012) 0.4290 0.5850 0.5070
dependence matrix A is divided by large value ‘r.’ (For
Hussain et al. (2012) 0.4062 0.5781 0.4921
8*8 S-box, ‘r’ is 256.) This will give strength to the
Özkaynak and Özer (2010) 0.4219 0.5938 0.5078
relationship between plaintext bit i and ciphertext bit
Soni et al. (2015) 0.4218 0.5625 0.5014
j. The value of 1 in dependence matrix indicates that
Ahmad et al. (2016) 0.3945 0.5715 0.5036
whenever input bit i is complimented, output bit j is also
complimented. The value of 0 indicated that both input
and output bits are independent from each other. If all of
the values in dependence matrix are changed with nonzero
values, then it means that S-box structure is complete. 6 Suitability of Proposed S-Box for an Image
Most importantly, if S-box is said to comply with the Encryption
SAC, then all of the values in dependence matrix should
ideally be close to one half. The suitability of proposed systematic S-box is also ana-
The dependence matrix of our proposed S-box is listed lyzed in an image encryption algorithm. The methodology
in Table 10. The mean value of dependence matrix for our of key mixing and diffusion is obtained from Asim and
proposed S-box is 0.4999, which is very close to the ideal Jeoti (2007a). The S-box is compared in terms of image
value of 0.5000. The minimum and maximum values of histogram, correlation between plain and encrypted images
our proposed S-box are compared with the recently pub- and number of pixel change rate (NPCR). For simulations,
lished work and tabulated in Table 11. Our proposed plain image of size 256*256 has been taken. The plain
S-box fulfills SAC property and is nicely balanced for image is encrypted using both proposed S-box and selected
minimum and maximum values as compared to other chaos-based S-box from Asim and Jeoti (2007a) as shown
schemes. in Fig. 8a–c, respectively.

123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Fig. 8 a Plain image, b plain image encrypted with the proposed
S-box; c plain image encrypted with other S-box; d histogram of plain
image; e Histogram of the proposed S-box-based encryption;
6.1 Image Histogram Analysis
An image histogram illustrates how pixels are distributed
in an image and frequency of pixels. A fairly uniform
probability distribution function of the ciphered image is
desired in histogram analysis. A normalized mean square
error (NMSE), a measure of the deviation from uniform
probability distribution, is calculated for histogram as
follows:
 2
1 X Xk  X
NMSE ¼ ð20Þ
N k X ðAmn  AÞ
where N is the number of bins, equal to 256. Xk is the
frequency of occurrence of each bin and X is the mean
frequency or ideal frequency of each bin. It is evident from
Fig. 8e, f that histograms of encrypted image using pro-
posed S-box and other chaos-based S-box are fairly uni-
form as compared to plain image. The NMSE shows the
235
e histogram of other S-box-based encryption; f plain image correla-
tion; g plain image correlation; h correlation of the proposed S-box-
based cipher image; i correlation of other S-box-based cipher image
deviation from uniform probability distribution as shown in
Fig. 8e, f, 0.0014 and 0.0017, respectively.
6.2 Correlation Analysis
To perceive the randomness introduced in an encrypted
image, correlation between neighboring pixels is measured.
This is to analyze the S-box sequence nonlinearities that
entail highly uncorrelated encrypted images.
P P
 
r ¼ r m n ðAmn  AÞðBmn  BÞ
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
P P   P P ffi ð21Þ
2 ðBmn  BÞ 2
m n m n
where A and B represent the corresponding mean values.
Here, r represents the normalized correlation between
images Amn and Bmn pixel by pixel. Figure 8g shows the
adjacent pixel correlation of plain image. The band of
pixels in diagonal shows the strong correlation between
neighboring pixel values. On the other hand, Fig. 8h, i
123
236
shows correlation between adjacent pixel values of plain
image encrypted using the proposed S-box and other chaos-
based S-box. It shows that pixel values are uniformly dis-
tributed in an internal 0–255. The normalized correlation,
r, of encrypted image using proposed S-box and other
chaos-based S-box is - 0.00012129 and - 0.00134129,
respectively, which is quite negligible.
6.3 Number of Pixel Change Rate (NPCR)
In this subsection, sensitivity of the proposed S-box
incorporated in image encrypted to the change in plain
image is investigated. In general, the attacker may make a
slight change (modify only one pixel) to the plain image
and then observe the change in the result. Thus, he may be
able to find out a meaningful relationship between the plain
image and the cipher image. These types are used to initiate
differential attacks. Hence, if small perturbation (one pixel)
in the plain image can cause a significant change in the
cipher image, then this differential attack would become
very inefficient and practically useless.
In order to test the influence of one-pixel change on the
whole image encrypted by the proposed S-box-based
algorithm, pixels change rate (NPCR) is considered a good
measure to be calculated. Let us start by denoting two
cipher images, whose corresponding plain images have
only one-pixel difference, denoted by C1 and C2 , respec-
tively. Label the grayscale values of the pixels at grid (i,
j) of C1 and C2 by C1 ði; jÞ and C2 ði; jÞ, respectively. Define
a bipolar array D, with the same size as image C1 and C2
Then, D(I, j) is computed by the following sub-program.
if C1 ði; jÞ ¼ C2 ði; jÞ; then
Dði; jÞ ¼ 1;
ð22Þ
otherwise
Dði; jÞ ¼ 0:
The NPCR is defined as:
P approximation probability give the probability of a good or
i;j Dði; jÞ
NPCR ¼  100% ð23Þ
W H
where W and H are the width and height of C1 and C2 . The
NPCR measures the percentage of pixels different between
the two images. We perform only one round to see how
much diffusion occurs with change in S-box. The proposed
S-box-based encryption is shown to have superior results
and change nearly 80% in cipher image as compared to
chaos-based design that achieves 60% change in pixel
values. Alternatively, NPCR values are 20 and 40% with
the proposed and other chaos-based S-boxes.
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
7 Discussion
In Sect. 5, extensive analysis is carried out to investigate
the suitability of proposed S-box in an image encryption
algorithm. The proposed systematic S-box effectively
randomizes the plain images, and correlation between
neighboring pixels of ciphered image is negligible after
encryption. Therefore, it also fulfills the avalanche property
at the level of image and hence proves to be sensitive to a
single change in one pixel. Chaos is used to generate keys
in the chosen algorithm; therefore, key sensitivity
requirements and hence one bit of change in secret key lead
to totally different ciphered images. The low values of DP
ensure that the proposed S-box-based encrypted algorithm
effectively distributes input differentials (difference
between two plain images A and B). In addition, the his-
togram of a mask image constructed using the ciphered
images of A and B is also shown to be uniform. Therefore,
it is concluded that proposed S-box is highly suitable to be
used in an encryption algorithm.
8 Conclusion
This work reports a novel approach to systematically
design S-box using counter-based DDT coefficient opti-
mization that entails low DP. The proposed counter-based
DDT is used purposely to optimize S-box. Our proposed
S-box achieves high level of randomness that entails high
level of security vetted using security analysis results. The
security analysis of image encryption investigates resis-
tance against attacks and confusion introduced using the
proposed S-box. In doing so, properties of nonlinearity, bit
independence and strict avalanche criteria are calculated
from the proposed S-box. Those properties give specific
cryptographic propagation pattern to information from
input to output. The properties of differential and linear
bad prediction by a cryptanalyst in an iterative process. The
cryptographic properties of S-box introduce nonlinearity in
the design. Moreover, low values of DP and LP resist
against modern attacks. The 98% of DDT coefficients of
the proposed S-box have value of 2 and 4, which is very
low. The proposed S-box is compared with the recently
published S-boxes. The performance evaluation ensures
that proposed algorithm is highly suitable for hiding
information and can be a part of modern encryption
algorithms.
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 237

References El Assad S, Farajallah M (2016) A new chaos-based image encryption

system. Sig Process Image Commun 41:144–157. https://doi.org/
10.1016/j.image.2015.10.004
Adams C, Tavares S (1990) Good S-boxes are easy to find advances
Fuller J, Millan W, Dawson E (2005) Multi-objective optimisation of
in cryptology—CRYPTO’ 89 proceedings. In: Brassard G (ed)
bijective s-boxes. New Gener Comput 23:201–218. https://doi.
Lecture notes in computer science, vol 435. Springer, Berlin,
org/10.1007/bf03037655
pp 612–615. https://doi.org/10.1007/0-387-34805-0_56
Gang X, Geng Z, Lequan M (2009) An extended method for obtaining
Ahmad M, Ahmad F, Nasim Z, Bano Z, Zafar S (2015) Designing
S-boxes based on discrete chaos map system. In: International
chaos based strong substitution box. In: 2015 eighth international
conference on computational intelligence and security, 2009.
conference on contemporary computing (IC3), 20–22 Aug 2015,
CIS ‘09, 11–14 Dec 2009, pp 298–302. https://doi.org/10.1109/
pp 97–100. https://doi.org/10.1109/ic3.2015.7346660
cis.2009.146
Ahmad M, Mittal N, Garg P, Khan MM (2016) Efficient crypto-
Hao Y, Longyan L, Yong W (2010) An S-box construction algorithm
graphic substitution box design using travelling salesman
based on spatiotemporal chaos. In: 2010 international conference
problem and chaos. Perspect Sci 8:465–468
on communications and mobile computing (CMC), 12–14 April
Amigó JM, Kocarev L, Szczepanski J (2007) Theory and practice of
2010, pp 61–65. https://doi.org/10.1109/cmc.2010.48
chaotic cryptography. Phys Lett A 366:211–216. https://doi.org/
Heys HM (2002) A tutorial on linear and differential cryptanalysis.
10.1016/j.physleta.2007.02.021
Cryptologia 26:189–221. https://doi.org/10.1080/0161-
Asim M, Jeoti V (2007a) Hybrid chaotic image encryption
110291890885
scheme based on S-box and ciphertext feedback. In: 2007
Hilborn RC (1994) Chaos and nonlinear dynamics, vol 2. Oxford
international conference on intelligent and advanced systems,
University Press, New York
ICIAS 2007, pp 736–741
Hussain I, Shah T, Mahmood H, Gondal MA (2012) Construction of
Asim M, Jeoti V (2007b) On image encryption: comparison between
S8 Liu J S-boxes and their applications. Comput Math Appl
AES and a novel chaotic encryption scheme. In: Proceedings of
64:2450–2458. https://doi.org/10.1016/j.camwa.2012.05.017
ICSCN 2007: international conference on signal processing
Hussain I, Gondal M, Hussain A (2015) Construction of substitution
communications and networking, pp 65–69
box based on piecewise linear chaotic map and S8 group. 3D Res
Asim M, Jeoti V (2008) Efficient and simple method for designing
6:1–5. https://doi.org/10.1007/s13319-014-0032-5
chaotic S-boxes. ETRI J 30:170
Jing Q, Xiaofeng L, Ping W (2007) A method to construct dynamic
Behnia S, Akhshani A, Ahadpour S, Mahmodi H, Akhavan A (2007)
S-box based on chaotic map. In: Eighth ACIS international
A fast chaotic encryption scheme based on piecewise nonlinear
conference on software engineering, artificial intelligence,
chaotic maps. Phys Lett A 366:391–396. https://doi.org/10.1016/
networking, and parallel/distributed computing, 2007. SNPD
j.physleta.2007.01.081
2007, 30 July 2007–1 Aug 2007, pp 522–525. https://doi.org/10.
Belazi A, Rhouma R, Belghith S (2015) A novel approach to
1109/snpd.2007.317
construct S-box based on Rossler system. In: 2015 international
Khan MI, Jeoti V (2010) A blind watermarking scheme using bitplane
wireless communications and mobile computing conference
of DC component for JPEG compressed images. In: Proceed-
(IWCMC), 24–28 Aug 2015, pp 611–615. https://doi.org/10.
ings—2010 6th international conference on emerging technolo-
1109/iwcmc.2015.7289153
gies, ICET 2010, pp 150–154
Biham E, Shamir A (1993) Differential cryptanalysis of the full
Khan MA, Jeoti V (2014) A novel design of chaos based S-box using
16-round DES. Springer, Berlin
difference distribution table (CD S-box). In: Martı́nez Pérez G,
Biryukov A, Perrin L (2015) On reverse-engineering S-boxes with
Thampi SM, Ko R, Shu L (eds) Recent trends in computer
hidden design criteria or structure. In: Gennaro R, Robshaw M
networks and distributed systems security: second international
(eds) Advances in cryptology—CRYPTO 2015: 35th annual
conference, SNDS 2014, Trivandrum, India, 13–14 March 2014,
cryptology conference, Santa Barbara, CA, USA, August 16–20
proceedings. Springer, Berlin, pp 223–230. https://doi.org/10.
2015, proceedings, part I. Springer, Berlin, pp 116–140. https://
1007/978-3-642-54525-2_20
doi.org/10.1007/978-3-662-47989-6_6
Khan MI, Jeoti V, Malik AS (2010a) Designing a joint perceptual
Chen G (2008) A novel heuristic method for obtaining S-boxes.
encryption and blind watermarking scheme compliant with JPEG
Chaos, Solitons Fractals 36:1028–1036. https://doi.org/10.1016/
compression standard. In: ICCAIE 2010–2010 international
j.chaos.2006.08.003
conference on computer applications and industrial electronics,
Chen G, Chen Y, Liao X (2007) An extended method for obtaining
pp 688–691
S-boxes based on three-dimensional chaotic Baker maps. Chaos,
Khan MI, Jeoti V, Malik AS (2010b) On perceptual encryption:
Solitons Fractals 31:571–579. https://doi.org/10.1016/j.chaos.
variants of DCT block scrambling scheme for JPEG compressed
2005.10.022
images, vol 123 CCIS
Clark JA, Jacob JL, Stepney S (2005) The design of S-boxes by
Kocarev L (2001) Chaos-based cryptography: a brief overview. IEEE
simulated annealing. New Gener Comput 23:219–231. https://
Circuits Syst Mag 1:6–21. https://doi.org/10.1109/7384.963463
doi.org/10.1007/bf03037656
Kocarev L, Jakimoski G (2001) Logistic map as a block encryption
Dawson MH, Tavares SE (1991a) An expanded set of design criteria
algorithm. Phys Lett A 289:199–206. https://doi.org/10.1016/
for substitution boxes and their use in strengthening DES-like
s0375-9601(01)00609-0
cryptosystems. In: IEEE pacific rim conference on communica-
Laskari EC, Meletiou GC, Vrahatis MN (2006) Utilizing evolutionary
tions, computers and signal processing, 1991, 9–10 May 1991,
computation methods for the design of S-boxes. In: International
vol 191, pp 191–195. https://doi.org/10.1109/pacrim.1991.
conference on computational intelligence and security, 2006,
160713
3–6 Nov 2006, pp 1299–1302. https://doi.org/10.1109/iccias.
Dawson MH, Tavares SE (1991b) An expanded set of S-box design
2006.295267
criteria based on information theory and its relation to differ-
Mamadolimov A, Isa H, Mohamad MS (2010) Bijective substitution
ential-like attacks. Paper presented at the proceedings of the 10th
box. WO Patent 2,010,151,103
annual international conference on theory and application of
Masuda N, Aihara K (2002) Cryptosystems with discretized chaotic
cryptographic techniques, Brighton, UK
maps. IEEE Trans Circuits Syst I Fundam Theory Appl
49:28–40. https://doi.org/10.1109/81.974872

123
238
Matsui M (1994) Linear cryptanalysis method for DES cipher
advances in cryptology—EUROCRYPT’93. In: Helleseth T (ed)
Lecture notes in computer science, vol 765. Springer, Berlin,
pp 386–397. https://doi.org/10.1007/3-540-48285-7_33
Millan W (1998) How to improve the nonlinearity of bijective
S-boxes information security and privacy. In: Boyd C, Dawson E
(eds) Lecture notes in computer science, vol 1438. Springer,
Berlin, pp 181–192. https://doi.org/10.1007/bfb0053732
Özkaynak F, Özer AB (2010) A method for designing strong S-boxes
based on chaotic Lorenz system. Phys Lett A 374:3733–3738.
https://doi.org/10.1016/j.physleta.2010.07.019
Parvees MYM, Samath JA, Bose BP (2016) Secured medical
images—a chaotic pixel scrambling approach. J Med Syst
40:1–11. https://doi.org/10.1007/s10916-016-0611-5
Peng J, Liao X, Zhang D (2012) A novel approach for designing
dynamical S-boxes using hyperchaotic system. Int J Cogn
Inform Nat Intell 6:100–119. https://doi.org/10.4018/jcini.
2012010105
Shannon CE (1949) Communication theory of secrecy systems*. Bell
Syst Tech J 28:656–715. https://doi.org/10.1002/j.1538-7305.
1949.tb00928.x
Soni AK, Lobiyal DK, Ahmad M, Bhatia D, Hassan Y (2015) A novel
ant colony optimization based scheme for substitution box
design. Procedia Comput Sci 57:572–580. https://doi.org/10.
1016/j.procs.2015.07.394
Szczepanski J, Amigo JM, Michalek T, Kocarev L (2005) Crypto-
graphically secure substitutions based on the approximation of
mixing maps. IEEE Trans Circuits Syst I Regul Pap 52:443–453.
https://doi.org/10.1109/tcsi.2004.841602
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Tang G, Liao X (2005) A method for designing dynamical S-boxes
based on discretized chaotic map. Chaos, Solitons Fractals
23:1901–1909. https://doi.org/10.1016/j.chaos.2004.07.033
Tang G, Liao X, Chen Y (2005) A novel method for designing
S-boxes based on chaotic maps. Chaos, Solitons Fractals
23:413–419. https://doi.org/10.1016/j.chaos.2004.04.023
Wang Y (2015) A method for constructing bijective S-box with high
nonlinearity based on chaos and optimization. Int J Bifurc Chaos
25:15. https://doi.org/10.1142/S0218127415501278
Wang Y, Wong K-W, Liao X, Xiang T (2009) A block cipher with
dynamic S-boxes based on tent map. Commun Nonlinear Sci
Numer Simul 14:3089–3099. https://doi.org/10.1016/j.cnsns.
2008.12.005
Wang Y, Wong K-W, Li C, Li Y (2012) A novel method to design
S-box based on chaotic map and genetic algorithm. Phys Lett A
376:827–833. https://doi.org/10.1016/j.physleta.2012.01.009
Webster AF, Tavares SE (1986) On the design of S-boxes. Paper
presented at the Advances in Cryptology
Yavuz E, Yazıcı R, Kasapbaşı MC, Yamaç E (2015) A chaos-based
image encryption algorithm with simple logical functions.
Comput Electr Eng. https://doi.org/10.1016/j.compeleceng.
2015.11.008
Zaibi G, Peyrard F, Kachouri A, Fournier-Prunaret D, Samet M
(2010) A new design of dynamic S-box based on two chaotic
maps. Paper presented at the proceedings of the ACS/IEEE
international conference on computer systems and applica-
tions—AICCSA 2010