Professional Documents
Culture Documents
https://doi.org/10.1007/s40998-018-0061-9 (0123456789().,-volV)(0123456789().,-volV)
RESEARCH PAPER
Received: 4 January 2017 / Accepted: 24 April 2018 / Published online: 15 May 2018
Shiraz University 2018
Abstract
Substitution box is a vital and the only nonlinear component of modern encryption algorithm. S-box is introduced as a
confusion component to resist against differential cryptanalysis. Chaos-based encryption is well liked because it exhibits
similarity like cryptography. However, chaotic S-boxes possess high maximum differential approximation probability,
measured using difference distribution table (DDT) for differential cryptanalysis. Therefore, this paper reports a systematic
design methodology to generate chaotic S-box utilizing DDT and that can be used in multimedia encryption algorithms.
DDT within the design loop is used to optimize differential approximation probability. The proposed S-box shows very low
differential approximation probability as compared to other chaos-based S-box designed recently, while maintaining good
cryptographic properties and high value of linear approximation probability. The strength of the proposed cryptographi-
cally strong S-box is vetted in the practical implementation of multimedia encryption.
123
220 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
The details of DDT generation with an example of method is available in the literature that is improved for
3 9 3 S-box are given in Sect. 4.2. Differential crypt- differential cryptanalysis.
analysis generates DDT to find high DP to unveil S-box Generally, S-box is an integral component of modern
structure. Therefore, cryptographers are generally looking encryption algorithm. Further, chaos-based image encryp-
for S-boxes with low value of DP. tion algorithms are favored because chaos shows highly
Though chaos possesses deterministic dynamics, it is a random behavior in design and are extremely sensitive to
phenomenon that exists in nonlinear dynamical systems. initial conditions. Lately, a great amount of research has
Chaos exhibits dynamics that are extremely sensitive to been carried out in chaos-based image encryption (Asim
initial parameters. For a dynamical system classified as and Jeoti 2007b; El Assad and Farajallah 2016; Khan and
chaotic, researchers agreed that it must have three prop- Jeoti 2010; Khan et al. 2010a, b; Parvees et al. 2016; Yavuz
erties of sensitivity to initial condition determined by et al. 2015). It is in order to efficiently de-correlate the
positive Lyapunov exponent, mixing property and ergod- adjacent pixels and to minimize statistical attacks. Images
icity (Hilborn 1994; Kocarev 2001). have high neighboring pixels correlation; thus, efficient
In the recent past, much attention was focused on chaos- shuffling is desired using S-box. Further, flat histogram of
based design. It is because chaotic orbits are boundedly encryption image is achieved using diffusion. The state-of-
aperiodic, unpredictable and sensitive to initial conditions. the-art image encryption demands speed, high security and
Researchers (Amigó et al. 2007; Kocarev 2001; Kocarev complexity. Recent research shows that utilizing S-box
and Jakimoski 2001; Masuda and Aihara 2002) find efficiently entails the state-of-the-art image encryption (El
remarkable similarities between chaos and cryptography; Assad and Farajallah 2016; Parvees et al. 2016; Yavuz
therefore, chaos is considered an alternative to design et al. 2015).
secure S-boxes that are deployed in cryptosystems using The paper is outlined as follows: Sect. 2 covers the
one-dimensional (ID) and higher-order chaotic maps contribution and related literature on chaos-based S-box,
(Behnia et al. 2007; Chen 2008; Chen et al. 2007; Kocarev Sect. 3 covers the design methodology of proposed S-box,
and Jakimoski 2001; Özkaynak and Özer 2010; Sect. 4 details the proposed algorithm design steps, Sect. 5
Szczepanski et al. 2005; Tang and Liao 2005; Tang et al. analyzes the proposed S-box based on performance
2005). parameters, Sect. 6 analyzes the suitability of proposed
However, there performance gap still exists between S-box in an image encryption algorithm, and Sect. 7 con-
chaos-based design and AES. Chaos-based design can cludes the paper.
improve cryptographic properties (Dawson and Tavares
1991a) of nonlinearity, bit independence criteria, strict
avalanche criteria, differential approximation probability 2 Contributions and Related Literature
and linear approximation probability to a certain limit, on Chaos-Based S-Box
especially in terms of linear and differential approximation
probabilities (LP & DP, respectively). S-box structure/po- The proposed S-box is compared with the recently pub-
sitions are based on chaotic trajectories generated through lished related work (Ahmad et al. 2015, 2016; Asim and
chaotic maps. These trajectories are random not systematic Jeoti 2008; Belazi et al. 2015; Chen 2008; Chen et al. 2007;
to improve cryptographic properties through design Hussain et al. 2012, 2015; Khan and Jeoti 2014; Laskari
methodology. With these challenges ahead, systematic et al. 2006; Özkaynak and Özer 2010; Wang 2015; Wang
design of S-box would be paramount to achieving the et al. 2012). The aim of the cryptographer is to design
desirable performance. Toward this end, a number of highly nonlinear S-box to resist against differential attacks.
techniques have been proposed to optimize S-box to In doing so, the cryptographic properties of bit indepen-
achieve near-optimal properties in terms of high nonlin- dence, maximum distance from linear Walsh coefficients,
earity (Clark et al. 2005; Fuller et al. 2005; Laskari et al. strict avalanche criteria and linear and differential proba-
2006; Millan 1998). Recently, optimization methods have bility are investigated in detail. Those properties lead to a
been merged with chaos-based techniques to optimize design that fulfills confusion—nonlinearity in information
S-box (Hussain et al. 2015; Wang et al. 2012). Incorpo- propagation. In other words, S-box based on the said cri-
rating chaos-based design with optimization methods can teria may lead to low DP value, hence making the proba-
improve a few desired properties. However, it seems bility of input/output information prediction of a cipher
challenging to optimize all cryptographic properties infeasible. The research presented in the literature except
simultaneously. For example, there is not much improve- (Khan and Jeoti 2014) S-box design aiming for desirable
ment for differential probabilities using chaos-based S-box. cryptographic properties. However, the DP of all chaos-
Moreover, to the best of our knowledge, not a single design based S-boxes is still very high. Likewise, counter based
DDT to measure DP for differential cryptanalysis has
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 221
never used within the design loop to optimize S-box. Khan for how many repetitions of each output difference there
and Jeoti (2014) also uses DDT to design S-box to achieve are for every input difference. If this entry also meets the
low DP value without counter based approach for opti- criteria that the repetition is not more than twice, the entry
mization. Herein, S-box methods are vetted and compared is retained. Else one iterates the chaotic map to regenerate
in Table 1. The proposed S-box design further improves new entries. The process continues. This conceptual flow
the DP value as compared to Khan and Jeoti (2014), so that diagram is presented in Fig. 1.
the counter-based DDT is employed to have low value of Generally, differential cryptanalysis generates DDT to
DP. The strength of proposed S-box is investigated for the measure output differentials, once an S-box has been
encryption of data. Various statistical and analytical generated. Differential approximation probability (DP) is
methods available in the literature (El Assad and Farajallah one of the performance measures of an S-box, which is
2016; Parvees et al. 2016) are used to verify the suitability computed using DDT.
of proposed S-box in information hiding. Formally, the design objective is to first set frequency of
The contribution of this paper is to design systematic occurrence R of Dy = 2, which is called the mapping rule
chaos-based S-box with improved/low value of DP using S0 . Initially, set input difference Dx = 1 and generate first
DDT. The novelty of this work is the S-box design based two positions, s01 ; s02 , using chaotic map and place in
on reverse engineering, where counter-based DDT is used position vector P and make them fixed as
within the loop of S-box design. It is an incremental design P ¼ fs01 ; s02 g ð1Þ
technique to avoid bad S-box positions that cause high DP
and counter to choose lowest coefficient value to keep the The positions are fixed in P that passes all the testing to
DP as low as possible. Typically, DDT table is generated improve DP. Once all positions are generated, tested and
using S-box elements and is designed based on crypto- fixed, then this P is called our final S-box S. First measure
graphic properties (Heys 2002). The problem statement the difference between ðs01 ; s02 Þ as Dy = s01 s02 and
indicates that previously published chaos-based S-box place in DDT. The positions are incrementally generated
designs are haphazard rather than systematic. Moreover, one by one, as mentioned earlier. Now generate S-box
they suffer from high DP = 10, which is essential to resist position s03 , and measure Dy for all possible Dx = [2, 3…
against differential cryptanalysis. Ideally, for perfect non- 2n]. If s03 does not satisfy given mapping rule for any Dx,
linear S-box, DP value should be ‘2’ and that is still an then s03 is ignored and replaced with new S-box position
open research problem. The S-box positions are generated generated using chaotic map. Again set input difference
using chaotic logistic map (presented in Sect. 4), and the Dx = 1, so that new position s03 is tested to fall under
generation time is reasonable because of chaotic map’s mapping rule S0 . If it satisfies mapping rule S0 , s03 is fixed
properties of mixing and ergodicity. Thus, the probability in P such as
is very high that S-box is generated in reasonable amount P ¼ fs01 ; s02 ; s03 g ð2Þ
of time. The DP is improved further because of counter-
based approach and optimized cryptographic properties, Now generate s04 and test for the mapping rule S0 . If s04
which are not discussed in Khan and Jeoti (2014). satisfies mapping rule, fix it in P and generate s05 . Simi-
larly, S-box positions are generated, tested and fixed if
satisfying given mapping rule; otherwise, they are ignored
3 Design Methodology of Proposed S-Box and replaced such as
P ¼ fs01 ; s02 ; s03; s04 g ð3Þ
The design assumption is that, for a given input difference/
prediction, a good S-box entails distinct difference between P ¼ fs01 ; s02 ; s03 ; s04 ; s05 g ð4Þ
positions. DDT is generally used to measure that. The P ¼ fs01 ; s02 ; s03 ; s04 ; s05 ; s06 ; . . .g ð5Þ
objective is to design an S-box based on the said design
assumptions. A design based on this assumption usually Our objective is to generate all S-box positions that fall
implies that in case a given S-box does not meet the cri- under mapping rule S0 . However, if positions do not
terion that the repetition of any output difference is mini- improve further under mapping rule S0 with fixed R = 2,
mum 2 for all input differences, one is forced to look for a then R is incremented by 2 and called mapping rule S1 . The
completely new S-box. S-box positions that fall under mapping rule S0 can be
This work, on the other hand, proposes an incremental written as
design technique, where the S-box is built up incremen- P ¼ fs01 ; s02 ; s03 ; s04 ; s05 ; . . .sa g ð6Þ
|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}
tally. An incremental procedure would entail starting with S0
some tentative initial S-box whose first two entries are first
tested. These entries are retained and next entry is tested where S0 can also be written as
123
222
123
Table 1 Comparison of chaos-based S-boxes
Author/year Design Technique Cryptographic properties* Advantage Disadvantage
Avg. NL DAP
Asim and Jeoti (2008) Chaos-based design Logistic map 102.5 10/256 Bijective, good NL, SAC, BIC, LP High DP
Tang et al. (2005) Chaos-based design Baker map 103.5 10/256 Bijective, good NL, SAC, BIC, LP High DP
Peng et al. (2012) Chaos-based design Lorenz chaotic system 104 10/256 Bijective, good NL, SAC, BIC, LP High DP
Özkaynak and Özer (2010) Chaos-based design Chaotic Lorenz system 103.2 10/256 Bijective, good NL, SAC, BIC, LP High DP
Wang et al. (2009) Chaos Chaotic tent map 103.75 10/256 Bijective, good NL, SAC, BIC, LP High DP
Gang et al. (2009) Chaos Discretized generalized baker map 104 10/256 Bijective, good NL, SAC, BIC, LP High DP
Chen et al. (2007) Chaos Three-dimensional baker map 102.25 10/256 Bijective, good NL, SAC, BIC, LP High DP
Hao et al. (2010) Chaos Chaotic logistic map 103.5 10/256 Bijective, good NL, SAC, BIC, LP High DP
Zaibi et al. (2010) Chaos-based design ID PWLCM 102 10/256 Bijective, good NL, SAC, BIC, LP High DP
3D PWDCL
Jing et al. (2007) Chaos-based design Piecewise linear chaotic map 105.25 10/256 Bijective, good NL, SAC, BIC, LP High DP
Ahmad et al. (2016) Chaos ? optimization PWLCM ? travel salesman problem 107 10/256 Bijective, good NL, SAC, BIC, LP High DP
Soni et al. (2015) Chaos ? optimization Logistic map ? ant colony 107 10/256 Bijective, good NL, SAC, BIC, LP High DP
Hussain et al. (2015) Chaos-based S-box Logistic map 105 10/256 Bijective, good NL, SAC, BIC, LP High DP
Belazi et al.(2015) Chaos-based S-box Rossler Eq. 106 10/256 Bijective, good NL, SAC, BIC, LP High DP
Ahmad et al. (2015) Chaos-based S-box 1D PWLCM 105 10/256 Bijective, good NL, SAC, BIC, LP High DP
Khan and Jeoti (2014) Chaos ? optimization ID map ? DDT 106 08/256 Bijective, good NL, SAC, BIC, LP Moderate DP
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 223
S0 ¼ fs01 ; s02 ; s03 ; s04 ; s05 ; . . .sa g ð7Þ S1 ¼ f s110 s120 s130 s140 sb0 g ð9Þ
The remaining positions,ðsaþ1 ; saþ2 ; . . .s2n Þ, are then gen- where saþi ¼ s1i0 . The mapping rule can be changed further
erated using mapping rule S1 . The positions that fall under if necessary until all S-box positions are generated. The P
mapping rule S1 can be written as is our final S-box S once all positions are generated. The S
P ¼ fs01 ; s02 ; s03 ; s04 ; . . .sa ; s110 ; s120 ; s130 ; ; s140 ; . . .sb0 g ð8Þ is the concatenation of all positions that fall under mapping
|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} rules, such as:
S0 S1
S ¼ concatenationðS0 ; S1 ; . . .; Sn Þ ð10Þ
where S1 can be written as
The said approach is explained as pseudo-code as follows:
123
224 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Algorithm: Design of S-box using chaos and DDT position of ‘1’ in row vector SSi denotes the position of ith
Notations: input element after substitution.
Initial state of CLM
+1 Next state of CLM SSi ðPi Þ ¼ 1 ð12Þ
x Current position of S-box
n Size of S-box
2 Total number of S-box positions where Pi denotes the position of ‘1’ in row vector SSi
Position counter to count position generation using CLM The proposed algorithm subcomponents are discussed in
∆x Input difference
∆y Output difference detail in the coming subsections.
R Allowable frequency of occurrence of ∆y for a given ∆x
Position vector to store S-box positions, i The main algorithm’s flow diagram is described in
( ) S-box positions, i Fig. 2. The details are also presented in a stepwise manner
DDT(i,j) Difference distribution table, i, j
Initialize parameters: as follows:
PC = 0 Set position counter
(1, 2 ) = 0 Set position vector empty 1. First step is to initialize S-box positions generation
R=2 Set allowable frequency of occurrence
Set any arbitrary initial condition/state of CLM using chaotic logistic map under given initial param-
eters as discussed in Sect. 4.1.
Algorithm subclass1 : S-box position generation using CLM
01: Do while PCi < = 2 // generate and optimize S-box position 2. Initialize difference distribution matrix D [2n, 2n]. The
02: Iterate CLM with
03: Set +1 = // next state becomes initial condition of
DDT is filled with generated S-box position’s output
04: // CLM differences Dy for a given input difference Dx.
05: P(PC) = P( ) // selected subdomain of PC using is the
06: // S-box position 3. The differential approximation probability is improved
07: PC = PC + 1 // increment counter to fill positions under proposed improvement conditions using DDT as
08: Return P(x)
09: Call algorithm subclass 2 discussed in Sect. 4.3.2.
10: End while
Algorithm subclass 2: Optimization of S-box using DDT
4. Each position is tested to examine if it falls under
11: If PC < 2 // generate min. two S-box positions given mapping rule Si using DDT to achieve best
12: Call algorithm subclass 1
13: Else
possible differential approximation probability. Other-
14: Do While (# ∆ < = ∆ <= 2 ) wise, the position is thrown away and regenerated
15: Set DDT (x⊕∆x, ∆x) = ∆y // place output diff. at ∆xth row
16: //and (x⊕∆x)th column again.
17: Set ∆x = ∆x + 1 5. The procedure is stopped once all positions are
18: If # ∆y = = 2
19: Set ∆x = ∆x + 1 generated and final S-box is displayed.
20: Else if ∆x = = 2
21: Set ∆x = 1 // increment ∆x to test new positions
22: Call algorithm subclass 1
23: End if # ∆ >R // check for condition 4.1 Initialize S-Box Generation
24: Set ∆x = 1 // increment ∆x to test new positions
25: Call algorithm subclass 1
26: Else if # ∆ > R & PC < 2 Utilizing the properties of chaos generates the S-box
27:
28: Set R = R + 2 // change condition positions. Chaotic logistic map is iterated under given
29: Set ∆x = 1 initial conditions. The detailed flow diagram of S-box
30: Call algorithm subclass 1
31: End if position generation steps is described in Fig. 3.
32: End while
33: End if 1. To generate the S-box positions, variables are
34 : Show generated S-box
initialized: Position counter PC counts the generated
positions and map’s initial parameters xn.
4 The Proposed Algorithm
2. The domain in the range [0.1, 0.9] is divided into 2N
equal intervals.
This section details the design steps of proposed S-box to
3. These intervals are then labeled sequentially in the
improve the differential approximation probability. The
range [1, 2N ] as position number PN.
main flow diagram of proposed S-box is described in
Fig. 2. The method to generate S-box positions using chaos 4. Initialize a position vector P of size 2N .
is described in Sect. 4.1. The initialization and improve- 5. The logistic map is iterated with arbitrary chosen
ment of differential approximation probability of proposed initial condition xn .
S-box using DDT is detailed in Sects. 4.2 and 4.3, The chaotic logistic map is a well-known 1-D
respectively. Our aim is to design bijective S-box; there- chaotic map and is simple to implement.
fore, we generate substitution matrix ‘S’ Chaotic logistic map is defined as
xnþ1 ¼ rxn ð1 xn Þ ð13Þ
S ¼ fSSi ; SSiþ1 ; . . .SS2n gT ð11Þ
where 0 xn 1 and 3:57\r 4
where SSi is substitution matrix’s row vector with ð2n 1Þ
By iterating the chaotic logistic map with a
zeros and only one 1. Substitution matrix S is of size
unique initial value 0\ x0 \1, one can generate a
ð2n ; 2n Þ where 2n denotes elements to be substituted. The
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 225
unique sequence of random real numbers whose 7. The output of logistic map xnþ1 is checked in the
values lie between 0 and 1. Chaotic logistic map domain where it falls. The specific subdomain is
used with r = 4 is the only useful case in (13) marked accordingly, and the corresponding subdo-
because the chaotic attractor is distributed uniformly main number is stored in a row vector, which is
in chaotic domain region, which spans over [0, 1]. called as position vector P.
6. The chaotic logistic map is iterated under given 8. During the course of iteration, if the map’s output
initial conditions. falls in a visited subdomain, then this subdomain is
ignored.
123
226 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
9. If the position falls in an empty subdomain, the 11. Stop iterating chaotic logistic maps once all posi-
position is assigned to that subdomain. tions in position vector are filled.
10. The position is tested using improvement criteria
that exploit DDT and is explained in Sect. 4.3.2. If it
4.2 Introduction and Initialization of DDT
fulfills the proposed criteria, the position is fixed in
P; otherwise, regenerate this position and empty that
Before going into a detailed discussion on how DDT can be
subdomain.
used within the loop to improve DP, salient characteristics
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 227
of DDT need to be discussed here. DDT is a tool that is Table 2 Difference distribution table DDT
useful in differential cryptanalysis of block cipher. The DX Difference (DY)
differential cryptanalysis uses DDT to seek high proba-
bility of occurrences of output S-box differential pairs 000 001 010 011 100 101 110 111
whose corresponding input pairs have particular difference. 000 8 0 0 0 0 0 0 0
In other words, to mount differential cryptanalysis, differ- 001 0 4 4 0 0 0 0 0
ence distribution table DDT of size [2n, 2n] is generated 010 0 0 0 0 2 2 2 2
using S-box’s output differences Dy for all possible input 011 0 0 0 0 2 2 2 2
differences Dx. The input to an S-box is referred to as 100 0 0 0 0 2 2 2 2
x ¼ ½x1 ; x2 ; x3 . . .xn , and output is referred to as 101 0 0 0 0 2 2 2 2
y ¼ ½y1 ; y2 ; y3 . . .yn . Each input and output of an S-box are 110 0 4 0 4 0 0 0 0
comprised of n bits. The total number of input combina- 111 0 0 4 4 0 0 0 0
tions of S-box is 2n . The input difference is denoted as
Dx ¼ x0 x00 , and corresponding output difference is
denoted as Dy ¼ y0 y00 . The elements ðx0 ; x00 Þand ðy0 ; y00 Þ generated with improved differential approximation prob-
are the input and out pairs, where ‘’ represents the bitwise ability by avoiding bad S-box positions. The input pairs
exclusive-OR. The input differences are in the range of that have distance Dx are represented by column in
½1; 2n . The pair (Dx; Dy) is called a differential pair. Table 2, and chosen output pairs of an S-box to measure
DDT possesses several properties. It has 2n rows and 2n Dy are shown by arrow lines. The differences occurred in
columns. The sum of output differences in a single row or pairs and therefore are shown with multiple arrow lines.
in a single column is 2n. All output differences Dy in DDT In Table 3, the input elements 000 and 001 have the
have even values because they occur in pairs. For example, difference of 1. The corresponding output difference is
0
input difference Dx, Dx ¼ x0 x00 ¼ x00 x . Moreover, calculated using the S-box positions at indices 000 and 001
input difference of Dx ¼ 0 leads to output difference of as Dy = 110 111 = 001 which is 1. The differences
Dy ¼ 0. In that case, for n-bit S-box, first element of first occurred in pairs, as described earlier; therefore, first two
column has the value 2n and other values in first row and positions in Dx = 001 column are 1 in Table 4. When input
first column are 0. For an ideal S-box that gives no infor- difference is 1, input pairs 001 and 010, 011 and 100, and
mation about output differential, all elements of DDT have 101 and 110 are not paired. Therefore, it can be concluded
the value of 1. In that case, the probability of occurrence of that all elements are not considered for pairing for a given
an output difference for a given input difference is input difference. All output differences are tabulated in
1 1 1 Table 3. The probability of occurrences of output differ-
2n ¼ 23 ¼ 8. However, it is not achievable because the dif-
ences is tabulated in Table 5. The rows show the input
ferentials always occur in pairs. The rows represent the
differences Dx, and columns show the output difference
input differences and columns represent the output differ-
Dy. When the input difference is 1, the output difference of
ences in DDT as shown in Table 2.
1 occurs 4 times; thus, second row and second column is
filled with 4. Similarly, when input difference is 3, the
4.3 Improving Differential Approximation
output of 7 occurs two times; therefore, the fourth row and
Probability Using DDT
last column is filled with 2. All probabilities are filled in a
similar fashion.
In this work, we proposed an alternative solution to design
chaos-based S-box using DDT with improved differential Table 3 DDT of 3 9 3 randomly selected S-box
approximation probability. Toward this end, detailed
analysis on inherent structure of DDT has to be understood
in a manner such that DDT can be used within the loop to
improve S-box’s differential approximation probability.
For simplicity, the DDT is analyzed with the help of a
3 9 3 S-box. This case study will help in understanding
how DDT is utilized in a unique manner for 8 9 8 S-box.
123
228 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Table 4 Output differential occurrence against each input difference 6. If DDT is not filled completely and positions cannot
X Y Output difference (DY)
improve further, the mapping rule is changed by
incrementing frequency of occurrence R of Dy by 2.
DX DX DX DX DX DX DX DX
000 001 010 011 100 101 110 111
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 229
n n
Inialize variables: DDT [2 , 2 ], posion
n
vector P [1, 2 ], input difference ∆X,
output difference ∆Y, posion counter
PC, difference repeon D = 0,
frequency of occurrence of ∆y, R=2
P4
No
While PC ≤ 2n
If first two No
END
posions of P
are filled
Yes
Set ∆X = 0
Compute ∆ = ⊕
Where
Increment ∆X
by 1
Yes If =
[ ⊕∆ ]>
No P2
P3 P1
* The flow diagram connues on next page
design methods and optimized chaos-based S-boxes to 1. Differential approximation probability (DP)
date. The chaos is used to generate the positions of S-box; 2. Linear approximation probability (LP)
therefore, one can generate good near-optimal S-box in 3. Nonlinearity (NL)
reasonable amount of time, because of chaotic properties of 4. Strict avalanche criteria (SAC)
mixing and ergodicity. Chaotic logistic map’s out
must traverse each subdomain in reasonable time during
the course of S-box position generation. The performance
parameters discussed and analyzed are as follows:
123
230 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Fig. 4 continued
P1
No P2
if
∆ ≤2 −1
Yes
Check ∆Y in
DDT’s ∆X column
Yes
Does freq. of No
Posion override occurrence of
∆Y > R
No Does it Yes
require
Set DDT (PC, ∆X) = ∆Y
increment R?
P4
5.1 Differential Approximation Probability difference at some fixed intermediate stage of the block
cipher. The input difference of B0 ¼ ððB KÞÞ ððB
The objective of this work is to propose an S-box using KÞÞ ¼ ðB B Þ the S-box for a round does not depend on
chaos and DDT to improve differential approximation the round key: where B; B are inputs to S-box and B0 is
probability. Differential cryptanalysis was first published their corresponding difference.
by Biham and Shamir in 1991 (Biham and Shamir 1993). It The differential cryptanalysis uses DDT to measure
is a chosen plaintext attack in which a large number of differential pairs of an S-box. Analyzing the DDT in terms
plaintext–ciphertext pairs are used to determine the value of differential approximation probability highlights the
of key bits. It basically exploits the mapping properties of weaknesses in S-box structure. And, maximum differential
the differences within the cryptosystem, since not every approximation probability measures the probable differ-
input difference can be mapped to an output difference. ential characteristics.
Statistical key information is deduced from ciphertext Differential characteristic measures the occurrence of
blocks obtained by encrypting pairs of plaintext blocks highest number of output difference pairs whose input pairs
with a specific bitwise difference A0 under the target key. have a particular difference and is defined as:
The work factor of the attack, a measure of the amount of
#fx 2 X jSð xÞ Sðx DxÞ ¼ Dyg
work needed to suggest the correct key, depends critically DPðDy ! DxÞ ¼
0 2N
on the largest probability, max:prob B =A0 with B0 being a ð14Þ
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 231
Table 6 Comparison of DP
S-boxes (year) Maximum DP
123
232 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
DAP of CD S-boxes
8
0
0 50 100 150 200 250 300 350 400 450 500
# of CD S-boxes
statistical analysis on static data would not result in any where Cx and Cy are the input and output masks, respec-
change in output data.
tively, X denotes the set of all possible inputs, and 2N is the
number of its elements.
5.2 Linear Approximation Probabilities (LPs)
The maximum linear probabilities of S-box are defined
as:
Another important concept of linear cryptanalysis was
introduced by Mitsuru Matsui in 1993 (Matsui 1994). It LPSmax ¼ max LPS ðCx ! CxÞ ð17Þ
Cx;Cy6¼0
measures the linear approximation by XORing input bits
together, XORing output bits together and XORing the
input and output bit. Finally, XOR with the key bits mea- • Methodology to measure LP
sures the linear approximation probability. In other words,
it measures the maximum imbalance of an event: The The S-box is tested using well-defined measure of linear
parity of the input bits selected by the mask Cx is equal to approximation probability. All possible inputs are multi-
the parity of the output bits selected by the mask Cy. The plied with selected input masks to generate the input par-
linear approximation probability is defined as: ities. Similarly, all possible S-box positions are multiplied
with selected output masks to generate output parities. Both
LPðCy ! CxÞ
input and output parities are compared for equality.
max #fxjx Cx ¼ sð xÞ Cyg 1 ð16Þ Equation (16) is used to measure the equality and linear
¼
Cx; Cy 6¼ 0 2N 2 approximation probability.
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 233
123
234 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Table 9 Nonlinearity
S-boxes (year) Nonlinearity
comparison
f0 f1 f2 f3 f4 f5 f6 f7 fmin Average
The proposed S-box 102 100 104 104 104 106 106 106 100 104
Hussain et al. (2015) 107 103 100 102 100 108 104 108 103 104
Wang et al. (2012) 105 105 104 100 107 105 106 107 105 104.87
Hussain et al. (2012) 108 108 108 108 108 108 108 108 108 108
Özkaynak and Özer (2010) 104 100 106 102 104 102 104 104 100 103.25
Soni et al. (2015) 108 106 106 106 106 110 106 108 106 107
Ahmad et al. (2016) 108 110 110 108 106 106 106 106 106 107.5
positions are named herein as vectors. The input vectors Table 11 Comparison of SAC
that differ at ith bit position Xi and corresponding S-box
S-boxes (year) Dependence matrix
positions are identified. The identified S-box positions are
XORed together to measure the avalanche vectors Vj. The Min. value Max. Value Mean Value
value of bit i, either 0 or 1, in Vj is placed at location Ai,j
The proposed S-box 0.4218 0.5781 0.4999
in dependence matrix A. The procedure continues for all
Hussain et al. (2015) 0.3804 0.5843 0.4823
input vectors and corresponding avalanche vectors. The
Wang et al. (2012) 0.4290 0.5850 0.5070
dependence matrix A is divided by large value ‘r.’ (For
Hussain et al. (2012) 0.4062 0.5781 0.4921
8*8 S-box, ‘r’ is 256.) This will give strength to the
Özkaynak and Özer (2010) 0.4219 0.5938 0.5078
relationship between plaintext bit i and ciphertext bit
Soni et al. (2015) 0.4218 0.5625 0.5014
j. The value of 1 in dependence matrix indicates that
Ahmad et al. (2016) 0.3945 0.5715 0.5036
whenever input bit i is complimented, output bit j is also
complimented. The value of 0 indicated that both input
and output bits are independent from each other. If all of
the values in dependence matrix are changed with nonzero
values, then it means that S-box structure is complete. 6 Suitability of Proposed S-Box for an Image
Most importantly, if S-box is said to comply with the Encryption
SAC, then all of the values in dependence matrix should
ideally be close to one half. The suitability of proposed systematic S-box is also ana-
The dependence matrix of our proposed S-box is listed lyzed in an image encryption algorithm. The methodology
in Table 10. The mean value of dependence matrix for our of key mixing and diffusion is obtained from Asim and
proposed S-box is 0.4999, which is very close to the ideal Jeoti (2007a). The S-box is compared in terms of image
value of 0.5000. The minimum and maximum values of histogram, correlation between plain and encrypted images
our proposed S-box are compared with the recently pub- and number of pixel change rate (NPCR). For simulations,
lished work and tabulated in Table 11. Our proposed plain image of size 256*256 has been taken. The plain
S-box fulfills SAC property and is nicely balanced for image is encrypted using both proposed S-box and selected
minimum and maximum values as compared to other chaos-based S-box from Asim and Jeoti (2007a) as shown
schemes. in Fig. 8a–c, respectively.
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 235
Fig. 8 a Plain image, b plain image encrypted with the proposed e histogram of other S-box-based encryption; f plain image correla-
S-box; c plain image encrypted with other S-box; d histogram of plain tion; g plain image correlation; h correlation of the proposed S-box-
image; e Histogram of the proposed S-box-based encryption; based cipher image; i correlation of other S-box-based cipher image
6.1 Image Histogram Analysis deviation from uniform probability distribution as shown in
Fig. 8e, f, 0.0014 and 0.0017, respectively.
An image histogram illustrates how pixels are distributed
in an image and frequency of pixels. A fairly uniform 6.2 Correlation Analysis
probability distribution function of the ciphered image is
desired in histogram analysis. A normalized mean square To perceive the randomness introduced in an encrypted
error (NMSE), a measure of the deviation from uniform image, correlation between neighboring pixels is measured.
probability distribution, is calculated for histogram as This is to analyze the S-box sequence nonlinearities that
follows: entail highly uncorrelated encrypted images.
2 P P
1 X Xk X r ¼ r m n ðAmn AÞðBmn BÞ
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
NMSE ¼ ð20Þ P P P P ffi ð21Þ
N k X ðAmn AÞ 2 ðBmn BÞ 2
m n m n
where N is the number of bins, equal to 256. Xk is the
frequency of occurrence of each bin and X is the mean where A and B represent the corresponding mean values.
frequency or ideal frequency of each bin. It is evident from Here, r represents the normalized correlation between
Fig. 8e, f that histograms of encrypted image using pro- images Amn and Bmn pixel by pixel. Figure 8g shows the
posed S-box and other chaos-based S-box are fairly uni- adjacent pixel correlation of plain image. The band of
form as compared to plain image. The NMSE shows the pixels in diagonal shows the strong correlation between
neighboring pixel values. On the other hand, Fig. 8h, i
123
236 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
123
Iran J Sci Technol Trans Electr Eng (2018) 42:219–238 237
123
238 Iran J Sci Technol Trans Electr Eng (2018) 42:219–238
Matsui M (1994) Linear cryptanalysis method for DES cipher Tang G, Liao X (2005) A method for designing dynamical S-boxes
advances in cryptology—EUROCRYPT’93. In: Helleseth T (ed) based on discretized chaotic map. Chaos, Solitons Fractals
Lecture notes in computer science, vol 765. Springer, Berlin, 23:1901–1909. https://doi.org/10.1016/j.chaos.2004.07.033
pp 386–397. https://doi.org/10.1007/3-540-48285-7_33 Tang G, Liao X, Chen Y (2005) A novel method for designing
Millan W (1998) How to improve the nonlinearity of bijective S-boxes based on chaotic maps. Chaos, Solitons Fractals
S-boxes information security and privacy. In: Boyd C, Dawson E 23:413–419. https://doi.org/10.1016/j.chaos.2004.04.023
(eds) Lecture notes in computer science, vol 1438. Springer, Wang Y (2015) A method for constructing bijective S-box with high
Berlin, pp 181–192. https://doi.org/10.1007/bfb0053732 nonlinearity based on chaos and optimization. Int J Bifurc Chaos
Özkaynak F, Özer AB (2010) A method for designing strong S-boxes 25:15. https://doi.org/10.1142/S0218127415501278
based on chaotic Lorenz system. Phys Lett A 374:3733–3738. Wang Y, Wong K-W, Liao X, Xiang T (2009) A block cipher with
https://doi.org/10.1016/j.physleta.2010.07.019 dynamic S-boxes based on tent map. Commun Nonlinear Sci
Parvees MYM, Samath JA, Bose BP (2016) Secured medical Numer Simul 14:3089–3099. https://doi.org/10.1016/j.cnsns.
images—a chaotic pixel scrambling approach. J Med Syst 2008.12.005
40:1–11. https://doi.org/10.1007/s10916-016-0611-5 Wang Y, Wong K-W, Li C, Li Y (2012) A novel method to design
Peng J, Liao X, Zhang D (2012) A novel approach for designing S-box based on chaotic map and genetic algorithm. Phys Lett A
dynamical S-boxes using hyperchaotic system. Int J Cogn 376:827–833. https://doi.org/10.1016/j.physleta.2012.01.009
Inform Nat Intell 6:100–119. https://doi.org/10.4018/jcini. Webster AF, Tavares SE (1986) On the design of S-boxes. Paper
2012010105 presented at the Advances in Cryptology
Shannon CE (1949) Communication theory of secrecy systems*. Bell Yavuz E, Yazıcı R, Kasapbaşı MC, Yamaç E (2015) A chaos-based
Syst Tech J 28:656–715. https://doi.org/10.1002/j.1538-7305. image encryption algorithm with simple logical functions.
1949.tb00928.x Comput Electr Eng. https://doi.org/10.1016/j.compeleceng.
Soni AK, Lobiyal DK, Ahmad M, Bhatia D, Hassan Y (2015) A novel 2015.11.008
ant colony optimization based scheme for substitution box Zaibi G, Peyrard F, Kachouri A, Fournier-Prunaret D, Samet M
design. Procedia Comput Sci 57:572–580. https://doi.org/10. (2010) A new design of dynamic S-box based on two chaotic
1016/j.procs.2015.07.394 maps. Paper presented at the proceedings of the ACS/IEEE
Szczepanski J, Amigo JM, Michalek T, Kocarev L (2005) Crypto- international conference on computer systems and applica-
graphically secure substitutions based on the approximation of tions—AICCSA 2010
mixing maps. IEEE Trans Circuits Syst I Regul Pap 52:443–453.
https://doi.org/10.1109/tcsi.2004.841602
123