
Neural Computing and Applications

https://doi.org/10.1007/s00521-019-04207-8

ORIGINAL ARTICLE

Designing secure substitution boxes based on permutation of symmetric group

Amir Anees¹ • Yi-Ping Phoebe Chen¹

Received: 13 November 2018 / Accepted: 11 April 2019

© Springer-Verlag London Ltd., part of Springer Nature 2019

Abstract
The strength of cryptosystems heavily relies on the substitution boxes. Cryptosystems with weak substitution boxes cannot
resist algebraic attacks, linear and differential cryptanalysis. In this paper, first, we propose a strong algebraic structure for
the construction of substitution boxes. The proposed substitution boxes have good algebraic properties and are able to resist
against algebraic attacks. Second, we propose a new method for creating multiple substitution boxes with the same
algebraic properties using permutation of symmetric group on a set of size 8 and bitwise XOR operation. Third, the
proposed substitution boxes with the same algebraic properties are then applied to images and it is observed that the
statistical properties of substituted images are different from each other. The simulation results and statistical and security
analysis for the proposed substitution boxes are very competitive. Also, it is shown in this work that the proposed
substitution boxes can resist differential and linear cryptanalysis and sustain algebraic attacks.

Keywords Substitution boxes · S-box · Projective general linear group · Cybersecurity · Algebraic attacks

✉ Yi-Ping Phoebe Chen, phoebe.chen@latrobe.edu.au

¹ Department of Computer Science and Information Technology, La Trobe University, Melbourne, Australia

1 Introduction

The exponential growth of multimedia in recent years leads to tremendous benefits for both consumers and utilities, such as streamlining of business processes, enhanced productivity, ease of research, entertainment and so on. However, at the same time, there are security concerns that have to be properly addressed [1, 2]. Along with unethical and improper conventions of industrial espionage, pirating, hacking, online fraud and malicious destruction, the protection of personal digital data, which is often sent or downloaded through an insecure communication channel, is the most important. Moreover, the issue of unlawful data access happens occasionally [3–5]. Along these lines, it is imperative to develop strong security routines to secure the substance of media data [6–8]. Also, besides being secure and robust, a cipher should take the power constraints [9–12] into account and should have low gate equivalents with low computational complexity to be synchronized with the system hardware. For a low-profile application, the designer of a lightweight cipher must cope with the trade-offs between performance, security and cost, though it is very difficult to optimize all three parameters at once. The other concern for the construction of a good cipher is that computer scientists normally do not realize the mathematical tools they have and mathematicians often ignore the real-time applications. It is important to build a strong mathematical structure for a cipher that in the meantime addresses the real-time applications as well.

The strength of block ciphers heavily relies on the confusion process executed by the substitution box (S-box). S-boxes are vector Boolean functions and are the only nonlinear part of block ciphers. A function of the form $S : GF(2^n) \to GF(2^m)$ is known as an $n \times m$ S-box, which accepts $n$ binary bits as the input and expresses $m$ binary bits as the output. If each output binary bit is named the $n$-variable Boolean function, then $S(x) = [l_1(x), l_2(x), \ldots, l_m(x)]$, where $x \in GF(2^n)$ and $l_1(x), l_2(x), \ldots, l_m(x)$ are called component functions of $S$ [11]. The configuration of S-boxes with sound cryptographic attributes is of most extreme significance for building effective block ciphers. Furthermore, to guarantee a decent imperviousness to linear attacks, an S-box must have high nonlinearity as
much as possible and, to resist differential attacks, low differential uniformity of the S-box is mandatory.

In this work, an algebraic structure for constructing S-boxes based on projective general linear group is proposed. The constructed S-boxes can be used in block ciphers for the application of securing real-time data for better security and performance. The main contributions of this paper are summarized as follows:

1. A new algebraic structure for the designing of S-boxes based on projective general linear group and linear fractional transformation is proposed. The constructed S-boxes have good algebraic properties and can resist algebraic attacks.
2. A new method of creating multiple S-boxes having the same algebraic properties is proposed based on $S_8$ permutations and XOR operations. It is shown that by applying $S_8$ permutations or XOR operations, the newly generated S-boxes have the same algebraic properties and thus, the new S-boxes can resist the algebraic attacks with the same intensity. The proposed method of these operations will also break the algebraic structure from which they are originally constructed, making cryptanalysis much more difficult.
3. It is shown through the simulations that although the constructed S-boxes have the same algebraic properties, they have different statistical properties when applied to images.

The remainder of the manuscript is organized as follows: Sect. 2 presents the related work on the topic, Sect. 3 explains the designing of S-boxes based on algebraic structure, Sect. 4 presents the proposed work on creating multiple S-boxes with the same algebraic properties, Sect. 5 presents statistical analysis for substituted images resulting from applying different S-boxes having the same algebraic properties, Sect. 6 presents the comparison results, and Sect. 7 concludes the manuscript.

2 Related work

For designing S-boxes, numerous techniques are presented in the literature such as algebraic, chaos-based, heuristic methods and pseudorandom [13–15]. Because of their exceptional cryptographic properties, S-boxes designed based on algebraic structures such as inversion mapping became very famous [16]. Two methods for constructing S-boxes with high nonlinearity are presented in [17]. The first method uses two vector Boolean functions from the Maiorana–McFarland, and the second method employs a slightly suitable modification of bent functions. The presented S-boxes have very high nonlinearity of 116 and have good algebraic and differential properties. Some of the works on the hardware implementation and their security analysis are listed in [18, 19].

In the last decade, chaos-based [20, 21] S-boxes have been presented in great numbers [22, 23]. The chaotic sequence numbers obtained from the maps are manipulated for the construction of an S-box. The numbers are first transformed into large numbers by multiplying the original sequence with a large integer value; then, these values are truncated to integers followed by a modulo function of 256, and finally the first 256 distinct integer values are picked to form an S-box. The S-box resulting from chaotic sequences lacks basic cryptographic features, remains weak against attacks and cannot resist differential and linear cryptanalysis. Moreover, the serious dynamic degradation of chaotic maps in digital computers weakens the case for their application in cryptography, as discussed in [24]. Also, it is shown in a work [25] that the chaotic image encryption cannot resist against good attacks. Based on electrocardiography (ECG) and autoblocking chaotic cryptosystem, the cryptanalysis of that cryptosystem is performed. Another work on the cryptanalysis of a chaotic image cryptosystem performed by the same authors is proposed in [26]. The proposed work [26] performed the in-detail and in-depth security analysis to evaluate the strength of image cryptosystem. However, there are several proposals which claimed to be robust against standard security attacks. In [27], a novel construction of multiple S-boxes is proposed based on the mixture of algebraic structure and chaos. The visual statistical and security analysis confirmed the strength and robustness of the presented work. However, it is not stated whether the security analysis is done on the stand-alone S-boxes or on their application in encryption algorithms.

A method for the designing of S-box based on the algebraic structure over a finite field proposed by the same authors is presented in [28]. Furthermore, the presented S-box is applied in a new image encryption cryptosystem which shows good security results. In [29], to construct a robust S-box, a combination of a cellular automaton rule-based matrix approach and an algebraic structure over $GF(2^8)$ is presented. To test the robustness of the constructed S-box in the application of cryptosystems, various analyses are performed which show superior performance over the previous works. In [30], the construction of S-box is presented based on the additional irreducible polynomial and affine mapping. Opposite to the construction of S-box employed in AES, different multiplicative inverse and different affine mapping is used. From the irreducible polynomials having the highest nonlinearity value, the multiplicative inverse is selected and based on affine matrices, the affine mapping is selected. Based on scaled Zhongtang chaotic system and random number generator, a
strong S-box is constructed in [31]. First, a new random number generator is proposed whose robustness is tested via NIST standard random number test suite. Then, with the help of this random number generator, a new S-box is constructed whose robustness is tested through the standard security analysis. An interesting method for the designing of S-box based on the combination of teaching–learning-based optimization and chaotic map is presented in [32] which has eight rounds having two transformations: columnwise rotation and row left shifting. However, in each round, the transformations are different from each other and are controlled by the initial conditions of the chaotic map employed. These initial conditions used as the private keys are optimized by using teaching–learning-based optimization which aims to construct a strong S-box. Some of the other proposals for the designing of S-boxes based on chaos are presented in [33–35].

The AES [12] is a benchmark block cipher which has three versions, each with a block size of 128 bits, but with three dissimilar numbers of rounds: 10, 12 and 14 rounds for 128, 192 and 256 binary bits, respectively. It is still unbreakable but might not be effective in certain applications. For instance, one requirement for a cipher can be distortion tolerance. The traditional good cryptosystems lack this requirement as they cannot successfully decrypt the noisy encrypted data; for example, when a single bit of encrypted data of the AES is corrupted, then that noisy encrypted data cannot be successfully decrypted by the AES. This issue is usually taken care of by the channel coding performed with encryption to detect and remove noise errors at receiver. However, using error detecting and correcting codes increases the overall size of encrypted data and computational complexity as well at transmitter's and receiver's side. Fawad et al. [36] proposed a noise-tolerant image encryption scheme that shows very good results in terms of security and also can resist the channel noise.

The other requirement for a particular application having constraints on cost is the computational complexity. The ciphers that are particularly suited for this purpose are categorized in lightweight cryptography. Two of the most renowned lightweight ciphers are PRESENT [37] and CLEFIA [38]. The block length of PRESENT [37] is 64 bits supported with two different key lengths, 80 and 128 bits. The version of 80-bit key is recommended for low-profile applications. It is based on substitution-permutation network meeting the basic criteria of confusion and diffusion. It has 31 rounds, 17 more than the most complex version of the AES; however, the S-boxes used are 4-bit to 4-bit rather than 8-bit to 8-bit which makes it much less complex than the AES. The implementation of both encryption and decryption is still smaller than an encryption-only AES. The security analysis is thoroughly done, and it is claimed that this cipher can resist against well-known attacks. The CLEFIA [38] is also a 128-bit block cipher with three diverse key sizes: 128, 192 and 256 binary bits. It consists of four data lines, based on four-branch generalized Feistel structure and known as the extended version of traditional two-branch Feistel structure [39, 40]. The instance "Generalized type-2 transformation" is chosen inspired from [41]. It has two Feistel functions (F functions) for the four data lines in one round and is smaller than the traditional F functions. There are two different S-boxes (constructed from two algebraic structures) used for the confusion process. It is claimed that having two S-boxes increases the immunity against the linear and differential attacks using diffusion switching mechanism. The security analyses are intensely done and have shown enough resistance against traditional attacks. Also, the design of CLEFIA can be easily and effectively implemented in various software and hardware environments. Both PRESENT and CLEFIA are considered in ISO/IEC 29192 "Lightweight Cryptography" and are ready to use in practical systems.

3 Construction of S-boxes

This section presents the basic mathematical structure of linear groups for constructing S-boxes. The algebraic properties of these S-boxes remain the same when $S_8$ symmetric group and XOR operations are applied. These operations, followed by the statistical analysis of S-boxes when applied to images, are presented later.

3.1 Linear groups

The important family of linear groups, the projective general linear groups $PGL(n, F)$, is discussed here. Let $F$ be any field. We denote by $GL(n, F)$ the group of all invertible $n \times n$ matrices over $F$. This is the general linear group. For brevity, let us write $GL(n, q)$ instead of $GL(n, F_q)$. It is always assumed that $n \geq 2$, for $GL(1, F)$ is simply the multiplicative group $F^{\times}$ of $F$ and is abelian (and cyclic if $F$ is finite).

Theorem 1 $|GL(n, q)| = (q^n - 1)(q^n - q) \cdots (q^n - q^{n-1})$.

Proof A matrix is invertible if and only if its rows are linearly independent; this holds if and only if the first row is nonzero and, for $k = 2, \ldots, n$ ($k$ represents the index of rows), the $k$th row is not in the subspace spanned by the first $k - 1$ rows. The number of possible rows is $q^n$, and the number lying in any $i$-dimensional subspace is $q^i$. Therefore, the number of choices of the first row of an invertible matrix is $q^n - 1$, while for $k = 2, \ldots, n$, the number of
choices for the $k$th row is $q^n - q^{k-1}$. Multiplying these together gives the result. □

The interesting point is in finding the order of $PGL(2, q)$; also, $PGL(2, q)$ is the image of $GL(n, q)$ under a homomorphism whose kernel consists of nonzero scalar matrices and so has order $q - 1$.

Theorem 2 The determinant map $\det : GL(n, F) \to F^{\times}$ is a homomorphism.

Proof This is a simple fact from linear algebra that $\det(AB) = \det(A) \cdot \det(B)$. The kernel of the determinant map is the set of $n \times n$ matrices with determinant 1. This is denoted as $SL(n, F)$, the special linear group of dimension $n$ over $F$. Thus, $SL(n, F) \lhd GL(n, F)$ and $GL(n, F)/SL(n, F) \cong F^{\times}$ (the last fact follows from the first isomorphism theorem, since it is easy to see that $\det$ is onto; for every element $u \in F$, there exists an $n \times n$ matrix $A$ with $\det(A) = u$). □

In particular, it can be seen that $|SL(n, q)| = |GL(n, q)|/(q - 1)$. Let $X$ denote the set of one-dimensional subspaces of $F^n$, the $n$-dimensional vector space over $F$. (The set $X$ is the set of points of the $(n - 1)$-dimensional projective space, denoted by $PG(n - 1, q)$. In reality, it is a geometric object and has a lot of structure, but we only need to regard it as a set.) Now, $|X| = (q^n - 1)/(q - 1)$: there are $q^n - 1$ nonzero vectors in $F^n$, each of which spans a one-dimensional subspace, but each one-dimensional subspace is spanned by any of its $q - 1$ nonzero vectors. There is an action of $GL(n, F)$ on $X$; the matrix $A$ maps the subspace $v$ to the subspace $vA$.

Theorem 3 The following conditions on a matrix $A \in GL(n, F)$ are equivalent:

(a) $A \in Z(GL(n, F))$,
(b) $A$ belongs to the kernel of the action of $GL(n, F)$ on $X$,
(c) $A$ is a scalar matrix, that is, $A = kI$ for some $k \in F^{\times}$.

Proof (a) $\Leftrightarrow$ (c) Clearly, scalar matrices commute with everything and so lie in the center of the group. Suppose $A \in Z(GL(n, F))$. If $E$ is the matrix with entries 1 on the diagonal and in position $(1, 2)$ and zero elsewhere, then $EA$ is obtained from $A$ by adding the second row to the first, while $AE$ is obtained by adding the first column to the second. If these are equal, then the first and second diagonal elements of $A$ are equal, and the other entries in the first column and second row are zero. Repeating the argument for the $i$th row and $j$th column, we conclude that $A$ is a scalar matrix.

(b) $\Leftrightarrow$ (c) Again, it is clear that a scalar matrix fixes every one-dimensional subspace. Let $A$ be a matrix which fixes all one-dimensional subspaces. Let $e_1, e_2, \ldots, e_n$ be the standard basis vectors. Then, $e_i A = a_i e_i$ for $i = 1, 2, \ldots, n$ (for some $a_1, a_2, \ldots, a_n \in F^{\times}$), so $A$ is a diagonal matrix. Also, $(e_i + e_j)A = b(e_i + e_j)$ for some $b \in F^{\times}$, and $e_i A + e_j A = a_i e_i + a_j e_j$, so $a_i = b = a_j$. Thus, $A$ is a scalar matrix. Thus, it can be seen that $Z(GL(n, F))$ is the group of scalar matrices and is isomorphic to $F^{\times}$ (so is cyclic of order $q - 1$ if $F = F_q$). Now, the projective general and special linear groups are defined by $PGL(n, F) = GL(n, F)/Z$, $PSL(n, F) = SL(n, F)/(Z(n, F))$, where $Z = Z(GL(n, q))$. Thus, the projective groups are the images of the linear groups in the action on the projective space $X$, so they can be thought of as groups of permutations of this space. We have $|PGL(n, q)| = |GL(n, q)|/(q - 1) = |SL(n, q)|$. □

Remark The order of $PGL(n, q)$ is

$$|PGL(n, q)| = (q^n - 1)(q^n - q) \cdots (q^n - q^{n-1})/(q - 1). \qquad (1)$$

Definition If $Y$ is a set and $G$ is a group, then the group action of $G$ on $Y$ is defined by a binary operator, $\cdot$. The formal definition of this operator is $\cdot : G \times Y \to Y$. In addition,

$$(g \cdot h) \cdot y = g \cdot (h \cdot y), \ \forall g, h \in G, \ y \in Y; \qquad (e \cdot y) = y, \ \forall y \in Y. \qquad (2)$$

The group taken here for the synthesis process of new S-boxes is the projective linear group $PGL(2, GF(2^8))$, where $GF(2^8)$ are the elements of the Galois field in which $2 \in P$ and $8 \in Z^{+}$. The set chosen to be a $G$-set is $GF(2^8)$. Also, the algebraic structure of $GF(2^8)$ employed here is given as

$$GF(2^8) = \frac{Z_2[X]}{(P(x))}, \qquad (3)$$

where $P(x)$ is a primitive irreducible polynomial, given as

$$P(x) = x^8 + x^4 + x^3 + x^2 + 1. \qquad (4)$$

The defined binary operator now can be stated as a function $f : PGL(2, GF(2^8)) \times GF(2^8) \to GF(2^8)$. This function $f$ is a fractional linear transformation, known as Möbius transformation, given as

$$f(z) = \frac{az + b}{cz + d}. \qquad (5)$$

The transformation defined above is actually a map $f : \tilde{C} \to \tilde{C}$, where $a, b, c, d \in C$, and its projective transformation is $PGL(2, C)$. However, used here under the presented binary operator, $f(z)$ is the projective
transformation of $PGL(2, GF(2^8))$, where $a, b, c, d, z \in GF(2^8)$ satisfying $ad - bc \neq 0$, i.e.,

$$a, b, c, d, z \in GF(2^8) = [0, 255]. \qquad (6)$$

The values defined above for the parameters $a, b, c, d, z$ will be used as polynomials of their binary representations. For instance, consider a decimal number equivalent to the 8-bit binary number $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$; then, its corresponding polynomial representation will be $(b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0)$, where $+$ denotes the XOR operation. Also, let $w$ denote the root of polynomial $P(x)$; then, $w^8 = w^4 + w^3 + w^2 + 1 = 00011110$. The values for the rest of the $w$'s can be calculated as

$$w^i = \begin{cases} b_i & \forall i \in [0, 7], \\ w^4 + w^3 + w^2 + 1 & \text{for } i = 8, \\ (w \cdot w^{i-1}) \bmod P(w) & \forall i \in [9, 255]. \end{cases} \qquad (7)$$

One S-box comprising 256 distinct elements (integers) from 0 to 255 can be constructed from $f(z)$ by varying $z$ from 0 to 255 for fixed values of $a, b, c, d \in [0, 255]$. The numerator $az + b$ and denominator $cz + d$ are calculated first using polynomial operations modulo $P(x)$ and represented as powers of $w$ defined in Eq. (7). The powers of $w$ are then manipulated to get the respective elements of the S-box as shown in Table 1. The first column represents the value of $z$ varying from 0 to 255, the second column shows the calculation of numerator and denominator of $f(z)$ modulo $P(x)$, the decimal equivalent of $f(z)$ is shown in the third column, the $w$ equivalent according to Eq. (7) is shown in column 4, and the last column represents the elements of the S-box. The total number of distinct S-boxes which can be constructed from $f(z)$ by varying the values of $a, b, c, d$ is given by the order of $PGL(n, q)$ defined in Eq. (1), which is more than 16.7 million.

4 S-boxes with the same algebraic properties

The order or number of the above constructed S-boxes can further be increased by applying the $S_8$ permutation on the 8 bits of S-box elements. Specifically, the interest is not in increasing the order but rather in keeping the algebraic properties of the above S-boxes the same. Some of the algebraic properties are strict avalanche criterion, differential approximation probability, nonlinearity, linear approximation probability and bit-independent criterion. $S_8$ is the symmetric group on a set of size 8, in which $r$ represents the permutation of this set.

Theorem 4 $S_8$-permuted S-boxes have the same algebraic properties.

Proof Let $S$ be an S-box and $S'_1, S'_2, \ldots, S'_{256} \in S$ be the elements of the S-box in which $\sum_{j=0}^{7} S_{ij} x^j$ is the polynomial corresponding to the element $S'_i$, where $i = (1, 2, \ldots, 256)$ and $s_{ij}$ is the binary bit of the $i$th element at the $j$th position. The algebraic properties of the S-box are calculated from and dependent upon the individual bits of its elements; $L_j(s_{1j}, s_{2j}, \ldots, s_{256j})$ has no influence or dependence on $L_{j'}(s_{1j'}, s_{2j'}, \ldots, s_{256j'})$, $j \neq j'$, where $L$ represents an algebraic function for the S-box. Let $r \in S_8$ be the permutation; then $r(S'_i) = r(\sum_{j=0}^{7} S_{ij} x^j) = r(S_{i0} x^0) + r(S_{i1} x^1) + r(S_{i2} x^2) + r(S_{i3} x^3) + r(S_{i4} x^4) + r(S_{i5} x^5) + r(S_{i6} x^6) + r(S_{i7} x^7), \ \forall i$. As the permutation is a linear function, $r(S'_i) = r(s_{i0}) + r(s_{i1}) + r(s_{i2}) + r(s_{i3}) + r(s_{i4}) + r(s_{i5}) + r(s_{i6}) + r(s_{i7}), \ \forall i$. Therefore, the $S_8$ permutation will only change the positions of bits of each element and the average algebraic characteristics will remain the same. □

Example 1 Let us consider an S-box $S^{1'}$ with elements $(S^{1'}_1, S^{1'}_2, \ldots, S^{1'}_{256})_{1 \times 256} = (202, 92, \ldots, 97)_{1 \times 256}$ having nonlinearity equal to 112. Let us also consider a permutation

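Table 1 Construction of an S-box using fractional transformation with parameters $a = 16$, $b = 8$, $c = 32$, $d = 4$

| $z$ | $f(z) = \frac{az+b}{cz+d}$ | Dec | $w$ Eq. | S-box |
|---|---|---|---|---|
| 0 | $\frac{16(0)+8}{32(0)+4} = \frac{(x^4)(0)+x^3}{(x^5)(0)+x^2} = \frac{x^3}{x^2}$ | $\frac{8}{4}$ | $\frac{w^{3}}{w^{2}} = w^{3-2+1}$ | 2 |
| 1 | $\frac{16(1)+8}{32(1)+4} = \frac{(x^4)(1)+x^3}{(x^5)(1)+x^2} = \frac{x^4+x^3}{x^5+x^2}$ | $\frac{24}{36}$ | $\frac{w^{28}}{w^{225}} = w^{28-225+255+1}$ | 59 |
| 2 | $\frac{16(2)+8}{32(2)+4} = \frac{(x^4)(x)+x^3}{(x^5)(x)+x^2} = \frac{x^5+x^3}{x^6+x^2}$ | $\frac{40}{68}$ | $\frac{w^{53}}{w^{102}} = w^{53-102+255+1}$ | 207 |
| ⋮ | ⋮ | ⋮ | ⋮ | ⋮ |
| 253 | $\frac{16(253)+8}{32(253)+4} = \frac{(x^4)(x^7+x^6+x^5+x^4+x^3+x^2+1)+x^3}{(x^5)(x^7+x^6+x^5+x^4+x^3+x^2+1)+x^2} = \frac{x^6+x^5+x+1}{x^7+x^6+x^4+x}$ | $\frac{99}{210}$ | $\frac{w^{163}}{w^{59}} = w^{163-59+1}$ | 105 |
| 254 | $\frac{16(254)+8}{32(254)+4} = \frac{(x^4)(x^7+x^6+x^5+x^4+x^3+x^2+x)+x^3}{(x^5)(x^7+x^6+x^5+x^4+x^3+x^2+x)+x^2} = \frac{x^6+x^4+x+1}{x^7+x^5+x^4+x}$ | $\frac{83}{178}$ | $\frac{w^{206}}{w^{211}} = w^{206-211+255+1}$ | 251 |
| 255 | $\frac{16(255)+8}{32(255)+4} = \frac{(x^4)(x^7+x^6+x^5+x^4+x^3+x^2+x+1)+x^3}{(x^5)(x^7+x^6+x^5+x^4+x^3+x^2+x+1)+x^2} = \frac{x^6+x+1}{x^7+x^4+x}$ | $\frac{67}{146}$ | $\frac{w^{98}}{w^{153}} = w^{98-153+255+1}$ | 201 |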
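
The rows of Table 1 can be reproduced mechanically. The Python code below is an added example, not the authors' implementation; the function names are chosen here, and the handling of a zero numerator or a zero denominator (which the page does not describe) is an assumption made so that the result is a permutation of 0..255.

```python
"""Added example: rebuild the Table 1 S-box (a=16, b=8, c=32, d=4)."""

P = 0x11D  # P(x) = x^8 + x^4 + x^3 + x^2 + 1 from Eq. (4)


def build_tables():
    """Return (EXP, LOG) with EXP[i] = w^i and LOG[w^i] = i, w a root of P."""
    exp, log = [0] * 255, [0] * 256
    value = 1
    for i in range(255):
        exp[i], log[value] = value, i
        value <<= 1              # multiply by w
        if value & 0x100:        # degree 8 reached: reduce modulo P(w)
            value ^= P
    return exp, log


EXP, LOG = build_tables()


def gf_mul(u, v):
    """Multiply two elements of GF(2^8) given as integers in [0, 255]."""
    if u == 0 or v == 0:
        return 0
    return EXP[(LOG[u] + LOG[v]) % 255]


def table_row(z, a, b, c, d):
    """One row of Table 1: (numerator, denominator, S-box entry).

    The entry is the exponent of w in numerator/denominator plus one, as in
    the "w Eq." column. Assumption (the page does not cover these cases):
    a zero numerator gives entry 0; a zero denominator gives None and is
    filled in by build_sbox().
    """
    num = gf_mul(a, z) ^ b       # az + b, where + is XOR
    den = gf_mul(c, z) ^ d       # cz + d
    if num == 0:
        return num, den, 0
    if den == 0:
        return num, den, None
    return num, den, (LOG[num] - LOG[den]) % 255 + 1


def build_sbox(a, b, c, d):
    """Build the 256-entry S-box for fixed a, b, c, d with ad - bc != 0."""
    if gf_mul(a, d) ^ gf_mul(b, c) == 0:
        raise ValueError("ad - bc must be nonzero in GF(2^8)")
    entries = [table_row(z, a, b, c, d)[2] for z in range(256)]
    # Assumption: the pole of f(z) takes the single value no other z produces,
    # which keeps the S-box a permutation of 0..255.
    unused = sorted(set(range(256)) - {e for e in entries if e is not None})
    return [unused[0] if e is None else e for e in entries]


def pgl_order(n, q):
    """|PGL(n, q)| from Eq. (1)."""
    order = 1
    for k in range(n):
        order *= q ** n - q ** k
    return order // (q - 1)


if __name__ == "__main__":
    sbox = build_sbox(16, 8, 32, 4)
    for z in (0, 1, 2, 253, 254, 255):
        num, den, entry = table_row(z, 16, 8, 32, 4)
        print(f"z={z:3d}  f(z)={num}/{den}  w^{LOG[num]}/w^{LOG[den]}  S-box={entry}")
    print("bijective:", sorted(sbox) == list(range(256)))
    print("|PGL(2, 2^8)| =", pgl_order(2, 256))
```

With these parameters the numerator vanishes at z = 142 and the denominator at z = 173; under the stated assumption those two inputs receive 0 and 255, the only values the other 254 rows leave unused.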


sequence $r = (41283657)$ having orbits: {1, 7}, {2, 5, 8, 4, 3, 6} as shown in Fig. 1. The permutation sequence is applied to the 8 bits of each and every element of $S^{1'}$ to get the new elements of the second S-box $S^{2'}$. For instance, $r(S^{1'}_1) = r(202) = r(11001010) = (10110001) = 177 = S^{2'}_1$. This permutation applies to the 256 elements of $S^{1'}$ to get the new 256 elements of $S^{2'}$ as shown in Fig. 1. The computational complexity is very low for constructing a new S-box based on $S_8$ permutation as it only involves one logical operation per bit of each element of the S-box, and thus, the new S-box can be generated on the go. The algebraic properties mentioned earlier remain the same for both these S-boxes; for instance, the nonlinearity for both S-boxes is 112.

Fig. 1 Permutation sequence $r = (41283657)$ applied to the elements of S-box 1 $S^{1'}$ to get the new elements of S-box 2 $S^{2'}$. The algebraic properties of $S^{2'}$ remain the same as compared to the properties of $S^{1'}$

Similarly, an illustration of an extension of Example 1 is given in Fig. 2. Let us consider an S-box $S^{1'}$ with elements $(S^{1'}_1, S^{1'}_2, \ldots, S^{1'}_{256})_{1 \times 256} = (202, 92, \ldots, 97)_{1 \times 256}$ having nonlinearity equal to 112. There are four different permutation sequences applied on $S^{1'}$ resulting in four different S-boxes. However, the algebraic properties of all these five S-boxes are the same; for instance, the nonlinearity for all these S-boxes is 112.

Theorem 5 The bitwise XOR operation of an integer $m \in [0, 255]$ on the S-box elements does not change the algebraic properties of that S-box.

Proof A bitwise XOR operation of bit $b_x$ on $(s_{1j}, s_{2j}, \ldots, s_{256j})$ will not change the bits if $b_x = 0$, and neither will it change the algebraic properties. In case of $b_x = 1$, the bits of the elements will change from 1 to 0 and vice versa, denoted as $(s'_{1j}, s'_{2j}, \ldots, s'_{256j})$. However, the number of 0s and 1s and the Hamming distance between them remain the same and thus, $L_j(s_{1j}, s_{2j}, \ldots, s_{256j}) = L'_j(s'_{1j}, s'_{2j}, \ldots, s'_{256j})$

Example 2 Let us consider an S-box $S^{1'}$ with elements $(S^{1'}_1, S^{1'}_2, \ldots, S^{1'}_{256})_{1 \times 256} = (123, 112, \ldots, 118)_{1 \times 256}$ having nonlinearity equal to 103.75. Let us also consider an integer 45 to be bitwise XORed with each and every element of $S^{1'}$ to get the new elements of the second S-box $S^{2'}$ as shown in Fig. 3. For instance, $S^{1'}_1 \oplus 45 = 123 \oplus 45 = (01111011) \oplus (00101101) = (01010110) = 86 = S^{2'}_1$. This XOR operation applies to the 256 elements of $S^{1'}$ to get the new 256 elements of $S^{2'}$ as shown in Fig. 3. As in the case of $S_8$ permutation, the computational complexity of the XOR operation is also very low. This is due to the fact that the XOR operation is applied only once per bit per element of the S-box. The algebraic properties mentioned earlier remain the same for both these S-boxes; for instance, the nonlinearity for both S-boxes is 103.75.

S-boxes with the same algebraic properties are quite appropriate and useful in terms of their application in cryptosystems. Also, it is worth mentioning here that the permutation and XOR operations will not only keep the algebraic properties of the new S-boxes the same, but will also break the algebraic structure $f(z)$ from which these S-boxes are originally constructed, making it a tough job for the cryptanalysis.

5 Statistical analysis

The statistical analyses are applied on the substituted images resulting from applying the proposed S-boxes on the plain image. Table 2 shows an S-box constructed from the proposed function $f(z)$ with parameters $a = 176$, $b = 77$, $c = 121$, $d = 34$. The permutation sequence $r = (43576128)$ with addition of XOR operation of integer 135 is applied on the S-box of Table 2, and the resulting S-box is shown in Table 3. The algebraic properties of both these S-boxes are the same.

These S-boxes are then applied separately on a cameraman image (plain image) of size $256 \times 256$ using Algorithm 1 to get the substituted images. The process of substituting an image pixel with one of the elements of an S-box is defined as
follows. The image pixel of an original image is taken and converted into binary with eight binary bits. Those eight bits are then divided into two sections, each having four bits: the most significant bits (MSBs) and least significant bits (LSBs). These two groups of binary bits are then converted back into decimal values which correspond to a specific row number and a specific column number of a specific S-box. The element placed at that position will be substituted in place of that image pixel. This process will take place for the whole image to achieve the substituted image. The statistical analyses are then obtained for both substituted images to manipulate the quantitative values of image pixels. These analyses assist in examining the visual and quantitative qualities of plain and substituted images.

Fig. 2 S-box $S^{1'}$ with elements $(S^{1'}_1, S^{1'}_2, \ldots, S^{1'}_{256})_{1 \times 256} = (202, 92, \ldots, 97)_{1 \times 256}$ having nonlinearity equal to 112. There are four different permutation sequences applied on $S^{1'}$ resulting in four different S-boxes. However, the algebraic properties of all these five S-boxes are the same, for instance the nonlinearity for all these S-boxes is 112

Fig. 3 Bitwise XOR operation of integer 45 with the elements of S-box 1 $S^{1'}$ results in the new elements of S-box 2 $S^{2'}$. The algebraic properties of $S^{2'}$ remain the same as compared to the properties of $S^{1'}$

• Correlation

For an image, the correlation is defined as [42]

$$\text{Corr.} = \sum_{i,j} \frac{(i - li)(j - lj)\, q(i, j)}{u_i u_j}, \qquad (8)$$

where the intensity of an image pixel is denoted as $q(i, j)$, the image pixel locations are defined by the $i$th row and $j$th column of an image, $l$ is the variance and $u$ is the standard deviation. For an image, the correlation depicts the similarity between the adjacent image pixels with the value range of $[0, 1]$, and 1 shows the perfect correlation.

• Entropy

For an image, the entropy is defined as [42]

$$\text{Entropy} = -\sum_{i,j} pr(q(i, j)) \log_2 pr(q(i, j)), \qquad (9)$$

where the intensity of an image pixel is denoted as $q(i, j)$, the image pixel locations are defined by the $i$th row and $j$th column of an image and $pr(q(i, j))$ is the probability of the image pixel. For a digital image having 256 scales, the entropy measures the randomness with the value range of $[0, 8]$. A value of entropy nearer to 8 shows high randomness.
• Contrast
For an image, the contrast is defined as [42]
$$\mathrm{Contrast} = \sum_{i,j} |i - j|^2 \, q(i,j), \qquad (10)$$
where the intensity of an image pixel is denoted as $q(i,j)$ and the image pixel locations are defined by the $i$th row and $j$th column of an image. For an image, the contrast analysis shows the texture with the value range of $[0, (\mathrm{size}(\mathrm{Image}) - 1)^2]$. For an image having perfect autocorrelation, the contrast value is 0, and similarly a greater value of contrast shows high variance in the values of image pixels.

• Homogeneity
For an image, the homogeneity is defined as [42]
$$\mathrm{Homo.} = \sum_{i,j} \frac{q(i,j)}{1 + |i - j|}, \qquad (11)$$
where the intensity of an image pixel is denoted as $q(i,j)$ and the image pixel locations are defined by the $i$th row and $j$th column of an image. For an image, the homogeneity analysis describes the closeness of the distribution in the gray level cooccurrence matrix (GLCM) to the GLCM diagonal, with the range of $[0, 1]$.

• Energy
For an image, the energy is defined as [42]
$$\mathrm{Energy} = \sum_{i,j} q(i,j)^2, \qquad (12)$$
where the intensity of an image pixel is denoted as $q(i,j)$ and the image pixel locations are defined by the $i$th row and $j$th column of an image. For an image, the energy shows the sum of squared image pixels with the range of $[0, 1]$.

The comparative results for both the S-boxes for these analyses are listed in Table 4. The results of these analyses except entropy are different for these two S-boxes which have the same algebraic properties. The entropy of a substituted image is always equal to the entropy of the plain image; therefore, the entropy remains the same for substituted images regardless of whichever S-box is used for the same plain image. For the rest of the analysis, the values are different from each other, depicting diverse visual properties of the substituted images and thus adding to the difficulty of cryptanalysis.

6 Comparisons with the other works

In this section, we present the comparative results of statistical analysis of encrypted images when different S-boxes are applied, and a security analysis that shows the robustness of the proposed S-boxes against well-known attacks.

6.1 Majority logic criterion

We have compared the performance of the proposed S-box with well-known state-of-the-art S-boxes. First, we have taken the majority logic criterion, which consists of visual statistical analysis of energy, entropy, contrast, correlation and homogeneity described before. However, this time, the analysis is not performed on stand-alone S-boxes; instead, we have employed S-boxes in encryption algorithms and then examined these statistical analyses on the encrypted images, rather than on the substituted images. Table 5 shows the comparative results of the proposed S-box with the other works when the S-box is employed in encryption algorithms. It can be seen that the proposed S-box has outperformed the other works.

6.2 Security analysis

To check the strength and robustness against the security attacks, and linear and differential cryptanalysis, we have performed some standard security analyses on the proposed S-box and compared the performance with the other works as well.

6.2.1 Nonlinearity

The nonlinearity is the most important parameter to check the strength of a given S-box. It is defined as the number of binary bits which must be changed in the truth table of a Boolean function to approach the nearest affine function. The maximum value of the nonlinearity for an S-box represented in GF(2^m) is $N = 2^{m-1} - 2^{\frac{m}{2} - 1}$. For $m = 8$, the theoretical upper bound on nonlinearity is 120. The closer the nonlinearity of an S-box is to 120, the more secure the S-box is. Table 6 shows the nonlinearity of eight individual binary bits of the elements of proposed and other S-boxes, and the average nonlinearity as well. It can be seen that the nonlinearity of the proposed S-box is very close to the optimum value and very competitive with the other works.
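The nonlinearity of Sect. 6.2.1, together with the LP and DP measures of Sects. 6.2.4 and 6.2.5, can be computed directly from an S-box table. The following Python code is an added example, not code from the paper: it uses a constructed sample S-box (field inversion in GF(2^8) with the AES polynomial, not the paper's S-box) and assumes that the sequence σ from the Table 3 caption is read in one-line notation and applied to the output bit positions. It then checks that this bit permutation followed by XOR with 135 leaves all three measures unchanged.

```python
from collections import Counter

def gf_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8); the AES polynomial is assumed here."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def inversion_sbox():
    """Constructed sample S-box: x -> x^254 (field inverse, with 0 -> 0)."""
    box = []
    for x in range(256):
        y = 1
        for _ in range(254):
            y = gf_mul(y, x)
        box.append(y)
    return box

def walsh(sbox, mask):
    """Walsh-Hadamard spectrum of the component x -> parity(mask & S(x))."""
    w = [1 - 2 * (bin(mask & y).count("1") & 1) for y in sbox]
    h = 1
    while h < 256:
        for i in range(0, 256, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def dp_max(sbox):
    """Eq. (14) maximised over all nonzero input differences."""
    best = 0
    for dx in range(1, 256):
        counts = Counter(sbox[x] ^ sbox[x ^ dx] for x in range(256))
        best = max(best, max(counts.values()))
    return best / 256

def metrics(sbox):
    """Per-bit and minimum nonlinearity, LP of Eq. (13), DP of Eq. (14)."""
    spectra = {b: walsh(sbox, b) for b in range(1, 256)}
    nl = {b: 128 - max(map(abs, w)) // 2 for b, w in spectra.items()}
    return {
        "bit_nl": [nl[1 << k] for k in range(8)],   # the eight columns of Table 6
        "min_nl": min(nl.values()),                  # over all 255 output masks
        "lp": max(abs(v) for w in spectra.values() for v in w[1:]) / 512,
        "dp": dp_max(sbox),
    }

SIGMA = (4, 3, 5, 7, 6, 1, 2, 8)  # Table 3 caption; one-line reading is assumed

def permute_xor(sbox, sigma=SIGMA, const=135):
    """Move output bit i to position sigma[i] - 1, then XOR with const."""
    move = lambda y: sum(((y >> i) & 1) << (s - 1) for i, s in enumerate(sigma))
    return [move(y) ^ const for y in sbox]

if __name__ == "__main__":
    base = inversion_sbox()
    print(metrics(base))
    print(metrics(permute_xor(base)) == metrics(base))
```

The invariance holds for any permutation of the eight bit positions and any XOR constant, because the combined map is an affine bijection on the output; only the order of the per-bit nonlinearities can change.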


Table 2 Presentation of proposed S-box in 16 × 16 matrix resulted from fractional transformation $f(z)$ with parameters $a = 176$, $b = 77$, $c = 121$, $d = 34$
R/C 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

45 104 52 27 252 251 5 153 163 118 157 201 222 63 249 43
244 178 137 62 214 232 93 99 133 147 47 199 94 200 98 124
177 162 248 13 240 211 115 20 183 58 121 231 12 129 144 233
128 97 87 209 26 208 91 37 174 136 100 40 212 54 250 41
237 51 101 243 142 39 241 60 171 1 18 111 195 79 221 253
245 131 242 191 127 46 78 149 207 159 151 24 53 225 34 114
182 29 197 6 161 32 81 14 82 55 187 210 194 185 205 152
176 179 234 247 150 59 148 227 246 125 215 0 172 229 204 228
138 141 70 83 3 167 90 169 192 71 31 102 88 145 89 113
33 135 56 120 30 156 48 236 7 235 107 130 132 123 165 112
186 72 126 75 16 190 168 239 158 110 38 166 92 9 203 28
11 80 74 216 23 175 2 76 61 146 206 44 238 122 64 96
220 189 108 230 109 36 25 226 181 143 22 217 8 105 21 67
155 140 49 69 106 77 42 202 4 134 86 196 188 50 84 173
139 73 255 180 85 103 218 224 170 184 198 15 117 223 193 219
213 17 35 10 66 65 164 57 199 154 116 160 254 95 19 68

Table 3 Presentation of S-box in 16 × 16 matrix resulted from applying permutation sequence $\sigma = (43576128)$ with addition of XOR operation of integer 135 on S-box shown in Table 1. The algebraic properties of S-box shown in Table 1 remain the same as compared to the properties of S-box shown in this table
R/C 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

29 205 148 10 252 104 23 46 33 208 62 111 250 24 108 9
244 160 47 152 242 237 94 65 55 34 25 80 218 239 193 220
36 161 236 31 228 98 64 150 48 136 76 113 159 39 166 109
167 69 82 102 138 230 74 21 185 175 213 141 246 144 232 13
125 0 85 96 187 17 100 156 41 7 130 89 99 91 126 124
116 35 224 56 88 153 219 54 123 58 50 142 20 101 129 192
176 30 119 147 37 133 70 155 194 16 40 226 227 44 127 174
164 32 233 112 178 8 182 97 240 92 114 135 189 117 255 245
171 63 211 66 3 49 202 45 231 83 26 209 206 38 78 68
5 51 140 204 154 190 132 253 19 105 73 163 183 72 53 196
168 207 216 75 134 184 173 121 186 217 145 177 222 15 107 158
11 198 203 238 18 57 131 223 28 162 251 157 249 200 199 197
254 60 221 241 93 149 14 225 52 59 146 110 143 77 22 67
42 191 4 87 201 95 137 235 151 179 210 247 188 128 214 61
43 79 120 180 86 81 234 229 169 172 243 27 84 122 103 106
118 6 1 139 195 71 181 12 115 170 212 165 248 90 2 215
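The texture measures of Eqs. (10)–(12) and the entropy statement of the statistical analysis can be reproduced on a small image. The following Python code is an added example, not code from the paper: it assumes that $q(i,j)$ is the normalised co-occurrence matrix of horizontally adjacent pixels at 256 gray levels, and it uses a constructed test image and two constructed stand-in bijections in place of the paper's S-boxes.

```python
from collections import Counter
from math import log2

def glcm(img):
    """Normalised co-occurrence q(i, j) of horizontally adjacent gray levels."""
    pairs = Counter((row[c], row[c + 1]) for row in img for c in range(len(row) - 1))
    total = sum(pairs.values())
    return {ij: n / total for ij, n in pairs.items()}

def entropy(img):
    """Shannon entropy (bits) of the gray-level histogram."""
    counts = sorted(Counter(px for row in img for px in row).values())
    n = sum(counts)
    return -sum(k / n * log2(k / n) for k in counts)

def texture(img):
    """Contrast, homogeneity and energy per Eqs. (10)-(12), plus entropy."""
    q = glcm(img)
    return {
        "contrast": sum(abs(i - j) ** 2 * p for (i, j), p in q.items()),
        "homogeneity": sum(p / (1 + abs(i - j)) for (i, j), p in q.items()),
        "energy": sum(p * p for p in q.values()),
        "entropy": entropy(img),
    }

def substitute(img, sbox):
    """Replace every pixel value by its S-box image."""
    return [[sbox[px] for px in row] for row in img]

def sample_image(size=32):
    """Constructed smooth test image (a diagonal gradient, values 0..155)."""
    return [[2 * r + 3 * c for c in range(size)] for r in range(size)]

# Constructed stand-in bijections, NOT the paper's S-boxes and not secure:
S1 = [(167 * x + 13) % 256 for x in range(256)]
# S2 = bit rotation (a permutation of the 8 bit positions) of S1, then XOR 135
S2 = [(((y << 3) | (y >> 5)) & 0xFF) ^ 135 for y in S1]

if __name__ == "__main__":
    plain = sample_image()
    for name, img in (("plain", plain), ("S1", substitute(plain, S1)),
                      ("S2", substitute(plain, S2))):
        print(name, {k: round(v, 4) for k, v in texture(img).items()})
```

The entropy is identical for all three images because a bijective substitution only relabels the gray-level histogram, while the contrast and homogeneity depend on which values end up adjacent.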

Table 4 Comparative statistical analysis on the substituted images of cameraman resulted from applying S-box 1 (Table 1) and S-box 2 (Table 2). The algebraic properties of both S-boxes are the same, but values of statistical analysis are different
Analysis  Corr.   Entropy  Homo.   Contrast  Energy
S-box 1   0.2871  7.1028   0.5767  6.2403    0.0272
S-box 2   0.2634  7.1028   0.5733  6.6900    0.0271

6.2.2 Strict avalanche criterion (SAC)

For an S-box employed in an encryption algorithm, if we change just a single bit, then there should be a significant change in the output bits [29]. The strict avalanche criterion is used to test the change in the output bits. The ideal value should be equal to half of the total input/output, i.e., 50%. The numerical values of SAC of the proposed S-box in comparison with the other works are mentioned in Table 7.

6.2.3 Bit-independent criterion (BIC)

The bit-independent criterion is similar to SAC, as it is also used to examine the change in output bits when a single bit of input is changed [29]. However, the change is examined in each round of the encryption algorithm. The numerical values of BIC of the proposed S-box in comparison with the other works are mentioned in Table 7.

6.2.4 Linear approximation probability (LP)

Linear approximation probability (LP) is used to examine the imbalance of the event. At the input, several masks are applied to examine and determine the pattern of output bits. The linear approximation probability is given as [29]
$$\mathrm{LP} = \max_{\Gamma x, \Gamma y \neq 0} \left| \frac{\#\{x / X \cdot \Gamma x = S(x) \cdot \Gamma y = \Delta y\}}{2^n} - \frac{1}{2} \right|, \qquad (13)$$
where the set $X$ contains all possible inputs, $2^n$ is the number of its elements and x and y are two masks applied to parity of input bits and output bits, respectively. The numerical values of LP of the proposed S-box in comparison with the other works are mentioned in Table 7.

6.2.5 Differential approximation probability (DP)

Differential approximation probability (DP) is used to determine how a modification is represented in results of change in input. The differential approximation probability (DP) is given as [29]
$$\mathrm{DP}(\Delta x \to \Delta y) = \left[ \frac{\#\{x \in X \mid S(x) \oplus S(x \oplus \Delta x) = \Delta y\}}{2^m} \right], \qquad (14)$$
where $\Delta x$ and $\Delta y$ are input differential and output differential, respectively. It is required that the value of DP should be close to zero for a strong S-box. The numerical values of DP of the proposed S-box in comparison with the other works are mentioned in Table 7.

7 Conclusions

The S-box is of great importance regarding the security in block ciphers. In this paper, a new algebraic method for the construction of S-boxes is proposed. The proposed algebraic structure for construction of S-boxes is sophisticated and secure against algebraic attacks, linear and differential cryptanalysis. Moreover, a method of applying permutation of symmetric group on a set of size 8 and XOR operations

Table 5 The comparative results of proposed S-box with the other works when S-box is employed in encryption algorithms. It can be visualized that the proposed S-box has outperformed the other works
Images  Methods    Corr.   Entropy  Homo.    Contrast  Energy
Pepper  Plaintext  7.5909  0.2760   +0.9383  0.1288    0.9024
        Ref [27]   7.9823  8.6727   -0.0043  0.0173    0.4076
        Ref [27]   7.9832  8.5753   -0.0048  0.0175    0.4090
        Ref [27]   7.9830  8.3215   +0.0013  0.0177    0.4116
        Ref [27]   7.9843  8.4317   -0.0069  0.0177    0.4102
        Ref [27]   7.9827  8.5739   +0.0027  0.0174    0.4091
        Ref [43]   7.9562  8.3129   +0.0103  0.0180    0.4219
        Ref [44]   7.9233  8.1423   -0.0112  0.0286    0.4648
        Ref [45]   7.7561  7.7058   +0.1205  0.0239    0.4708
        Proposed   7.9245  7.5598   +0.0357  0.0201    0.4658
Baboon  Plaintext  7.1273  0.7179   +0.6782  0.1025    0.7669
        Ref [27]   7.9824  8.7348   -0.0043  0.0172    0.4074
        Ref [27]   7.9822  8.5823   -0.0064  0.0175    0.4071
        Ref [27]   7.9815  8.5027   -0.0062  0.0175    0.4090
        Ref [27]   7.9826  8.4487   -0.0088  0.0178    0.4099
        Ref [27]   7.9832  8.6023   -0.0045  0.0174    0.4071
        Ref [43]   7.9612  8.1213   -0.0512  0.0210    0.4011
        Ref [44]   7.9252  8.0391   +0.0119  0.0222    0.4428
        Ref [45]   7.8051  7.0158   +0.0925  0.0293    0.4991
        Proposed   7.9248  7.5601   +0.0348  0.0204    0.4649
The results of other methods are from the original papers


is proposed that is applied on constructed S-boxes to maintain their algebraic properties and break their algebraic structure. The S-boxes with the same algebraic properties are of great importance. In block ciphers, multiple S-boxes can be applied instead of a single S-box. For instance, in AES, instead of a single and the same S-box for each round, different S-boxes can be applied with the same algebraic properties that will enhance the security and performance of AES keeping the computational complexity as it is. Similarly, for the digital images as plaintext, the statistical analysis of two substituted images is different when two S-boxes with the same algebraic properties are applied to the same image.

As mentioned, the proposed work is efficient and effective; however, like all new proposals, it is strongly encouraged to analyse the proposed work before its immediate deployment. The intended application can be cloud computing, where different domains communicate with each other on an insecure communication channel. In this work, the focus is on confidentiality of data circulated in cloud computing, and network security is not considered here. Network security is one of the prime areas and still has a lot of room for work to be done.

Table 6 Comparative analysis of nonlinearity of proposed S-box with the other works
Methods   0    1    2    3    4    5    6    7    Ave.
Ref [46]  98   100  100  104  104  106  106  108  103.2
Ref [44]  106  106  106  104  108  102  106  104  105.25
Ref [43]  102  108  106  102  106  106  106  98   104.25
Ref [25]  100  103  104  104  105  105  106  109  104.5
Ref [47]  100  102  103  104  106  106  106  108  104.3
Ref [48]  108  104  106  106  102  98   104  108  104
Ref [49]  112  112  112  112  112  112  112  112  112
Ref [45]  104  108  108  108  108  104  104  106  105.75
Ref [12]  112  112  112  112  112  112  112  112  112
Ref [27]  106  108  106  108  106  106  106  108  106.75
Ref [27]  106  106  102  108  108  106  106  106  106
Proposed  112  112  112  112  112  112  112  112  112
The results of other methods are from the original papers

Table 7 Comparative analysis of strict avalanche criterion, bit-independent criterion, BIC for SAC, linear approximation probability and differential approximation probability of proposed and other S-boxes
Methods   SAC     BIC  BIC/SAC  Max Val/Max LP  DP
Ref [29]  0.4998  112  0.504    144/0.0625      0.0156
Ref [12]  0.4999  112  0.504    144/0.0625      0.0156
Ref [43]  0.4864  104  0.504    144/0.1563      0.0172
Ref [27]  0.4939  107  0.504    160/0.0625      0.0625
Ref [27]  0.5020  103  0.505    160/0.1250      0.0469
Ref [27]  0.5040  112  0.504    144/0.0625      0.0156
Ref [27]  0.5040  112  0.504    144/0.0625      0.0156
Ref [27]  0.5040  112  0.504    144/0.0625      0.0156
Proposed  0.4999  112  0.504    144/0.0625      0.0156
The results of other methods are from the original papers

Compliance with ethical standards

Conflict of interest We have no conflict of interest to declare.

References

1. Chen J, Han F, Qian W, Yao Y-D, Zhu Z- (2018) Cryptanalysis and improvement in an image encryption scheme using combination of the 1D chaotic map. Nonlinear Dyn 93(4):2399–2413
2. Ahmed F, Anees A (2015) Hash-based authentication of digital images in noisy channels. In: Živić N (ed) Robust image authentication in the presence of noise. Springer, Cham. https://doi.org/10.1007/978-3-319-13156-6_1
3. Anees A, Khan WA, Gondal MA, Hussain I (2013) Application of mean of absolute deviation method for the selection of best nonlinear component based on video encryption. Z Naturforsch A 68(a):479–482
4. Liu X, Dong M, Ota K, Yang LT, Liu A (2018) Trace malicious source to guarantee cyber security for mass monitor critical infrastructure. J Comput Syst Sci 98:1–26
5. Anees A, Gondal MA (2015) Construction of nonlinear component for block cipher based on one-dimensional chaotic map. 3D Res 6(2):17. https://doi.org/10.1007/s13319-015-0049-4
6. Anees A, Siddiqui AM (2013) A technique for digital watermarking in combined spatial and transform domains using chaotic maps. In: IEEE 2nd national conference on information assurance (NCIA), pp 119–124. https://doi.org/10.1109/ncia.2013.6725335
7. Jung Y, Festijo E (2014) One-time packet key exchange scheme for secure real-time multimedia applications. J Comput Syst Sci 80(8):1584–1596
8. Anees A, Siddiqui AM, Ahmed J, Hussain I (2014) A technique for digital steganography using chaotic maps. Nonlinear Dyn 75(4):807–816
9. Anees A (2015) An image encryption scheme based on Lorenz system for low profile applications. 3D Res 6(3):1–10
10. Potlapally NR, Ravi S, Raghunathan A, Jha NK (2006) A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Trans Mobile Comput 5(2):128–143
11. Anees A, Siddiqui AM, Ahmed F (2014) Chaotic substitution for highly autocorrelated data in encryption algorithm. Commun Nonlinear Sci Numer Simul 19(9):3106–3118
12. Daemen J, Rijmen V (2002) The design of Rijndael: AES—the advanced encryption standard. Springer, Berlin
13. Chen G (2008) A novel heuristic method for obtaining S-boxes. Chaos, Solitons Fractals 36(4):1028–1036
14. Özkaynaka F, Özer AB (2010) A method for designing strong S-boxes based on chaotic Lorenz system. Phys Lett A 374(36):3733–3738


15. Hussain I, Shah T, Mahmood H, Gondal MA (2013) A projective general linear group based algorithm for the construction of substitution box for block ciphers. Neural Comput Appl 22(6):1085–1093
16. Hussain I, Shah T, Gondal MA, Khan WA, Mahmood H (2013) A group theoretic approach to construct cryptographically strong substitution boxes. Neural Comput Appl 23(1):97–104
17. Zhang W, Pasalic E (2014) Highly nonlinear balanced S-boxes with good differential properties. IEEE Trans Inf Theory 60(12):7970–7979
18. Jithendra KB, Shahana TK (2016) High-security pipelined elastic substitution box with embedded permutation facility. In: Saini H, Sayal R, Rawat S (eds) Innovations in computer science and engineering, vol 413. Springer, Singapore, pp 79–86
19. Picek A, Batina L, Jakobović D, Ege B, Golub M (2014) S-box, SET, match: a toolbox for S-box analysis. In: Information security theory and practice. Securing the internet of things, vol 8501. Springer, Berlin, pp 140–149
20. Lorenz EN (1963) Deterministic nonperiodic flow. J Atmos Sci 20:130–141
21. Anees A, Hussain I (2019) A novel method to identify initial values of chaotic maps in cybersecurity. Symmetry 11(2):1–21
22. Hussain I, Anees A, Al-Maadeed TA, Mustafa MT (2019) Construction of S-Box based on chaotic map and algebraic structures. Symmetry 11(3):1–11
23. Hussain I, Shah T, Gondal MA, Mahmood H (2012) An efficient approach for the construction of LFT S-boxes using chaotic logistic map. Nonlinear Dyn 71(1–2):133–140
24. Li C, Feng B, Li S, Kurths J, Chen G (2019) Dynamic analysis of digital chaotic maps via state-mapping networks. IEEE Trans Circuits Syst I Regul Pap Early Access. https://doi.org/10.1109/TCSI.2018.2888688
25. Li C, Lin D, Lü J, Hao F (2018) Cryptanalyzing an image encryption algorithm based on autoblocking and electrocardiography. IEEE Multimedia 25(4):46–56
26. Li C, Lin D, Feng B, Lü J, Hao F (2018) Cryptanalysis of a chaotic image encryption algorithm based on information entropy. IEEE Access 6:75834–75842
27. Ullah A, Jamal SS, Shah T (2017) A novel construction of substitution box using a combination of chaotic maps with improved chaotic range. Nonlinear Dyn 88(4):2757–2769
28. Ullah A, Jamal SS, Shah T (2018) A novel scheme for image encryption using substitution box and chaotic system. Nonlinear Dyn 91(1):359–370
29. Aboytes-González JA, Murguía JS, Mejía-Carlos M, González-Aguilar H, Ramírez-Torres MT (2018) Design of a strong S-box based on a matrix approach. Nonlinear Dyn 94(3):2003–2012
30. Alamsyah, Bejo A, Adji TB (2018) The replacement of irreducible polynomial and affine mapping for the construction of a strong S-box. Nonlinear Dyn 93(4):2105–2118
31. Çavuşoğlu Ü, Zengin A, Pehlivan I, Kaçar S (2017) A novel approach for strong S-box generation algorithm design based on chaotic scaled Zhongtang system. Nonlinear Dyn 87(2):1081–1094
32. Farah T, Rhouma R, Belghith S (2017) A novel method for designing S-box based on chaotic map and teaching-learning-based optimization. Nonlinear Dyn 88(2):1059–1074
33. Lambić D (2017) A novel method of S-box design based on discrete chaotic map. Nonlinear Dyn 87(4):2407–2413
34. Li Y, Ge G, Xia D (2016) Chaotic hash function based on the dynamic S-box with variable parameters. Nonlinear Dyn 84(4):2387–2402
35. Ye T, Zhimao L (2018) Chaotic S-box: six-dimensional fractional Lorenz-Duffing chaotic system and O-shaped path scrambling. Nonlinear Dyn 94(3):2115–2126
36. Ahmed F, Anees A, Abbas VU, Siyal MY (2014) A noisy channel tolerant image encryption scheme. Wirel Pers Commun 77(4):2771–2791
37. Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJB, Seurin Y, Vikkelsoe C (2007) PRESENT: an ultra-lightweight block cipher. In: Cryptographic hardware and embedded systems, vol 4727. Springer, pp 450–466
38. Shirai T, Shibutani K, Akishita T, Moriai S, Iwata T (2007) The 128-bit Blockcipher CLEFIA (Extended Abstract). In: Fast software encryption, vol 4593. Springer, pp 181–195
39. Shirai T, Shibutani K (2006) On Feistel structures using a diffusion switching mechanism. In: Fast software encryption, vol 4047. Springer, pp 41–56
40. Diffie W, Hellman ME (1977) Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6):74–84
41. Zheng Y, Matsumoto T, Imai H (1989) On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Advances in cryptology, vol 435. Springer, pp 461–480
42. Anees A, Ahmed Z (2015) A technique for designing substitution box based on Van der pol oscillator. Wirel Pers Commun 82(3):1497–1503
43. Khan M, Shah T, Batool SI (2016) Construction of S-box based on chaotic Boolean functions and its application in image encryption. Neural Comput Appl 27(3):677–685
44. Belazi A, Khan M, El-Latif AAA, Belghith S (2017) Efficient cryptosystem approaches: S-boxes and permutation-substitution-based encryption. Wirel Pers Commun 87(1):337–361
45. Skipjack and Kea (1998) Algorithm specifications version, vol 2, pp 1–23. http://csrc.nist.gov/CryptoToolkit/. Updated 10 Oct 2018
46. Jakimoski G, Kocarev L (2001) Chaos and cryptography: block encryption ciphers based on chaotic maps. IEEE Trans Circuits Syst I Fundam Theory Appl 48(2):163–169
47. Chen G, Chen Y, Liao X (2017) An extended method for obtaining S-boxes based on three-dimensional chaotic Baker maps. Chaos, Solitons Fractals 31(3):571–579
48. Alkhaldi H, Hussain I, Gondal MA (2015) A novel design for the construction of safe S-boxes based on TDERC sequence. Alex Eng J 54(1):65–69
49. Cui L, Cao Y (2007) A new S-box structure named Affine-Power-Affine. Int J Innov Comput Inf Control 3(3):751–759

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
