Professional Documents
Culture Documents
https://doi.org/10.1007/s00521-019-04207-8 (0123456789().,-volV)(0123456789().
,- volV)
ORIGINAL ARTICLE
Abstract
The strength of cryptosystems heavily relies on the substitution boxes. Cryptosystems with weak substitution boxes cannot
resist algebraic attacks, linear and differential cryptanalysis. In this paper, first, we propose a strong algebraic structure for
the construction of substitution boxes. The proposed substitution boxes have good algebraic properties and are able to resist
against algebraic attacks. Second, we propose a new method for creating multiple substitution boxes with the same
algebraic properties using permutation of symmetric group on a set of size 8 and bitwise XOR operation. Third, the
proposed substitution boxes with the same algebraic properties are then applied to images and it is observed that the
statistical properties of substituted images are different from each other. The simulation results and statistical and security
analysis for the proposed substitution boxes are very competitive. Also, it is shown in this work that the proposed
substitution boxes can resist differential and linear cryptanalysis and sustain algebraic attacks.
Keywords Substitution boxes S-box Projective general linear group Cybersecurity Algebraic attacks
123
Neural Computing and Applications
much as possible and to resist differential attacks, low the works on the hardware implementation and their
differential uniformity of S-box is mandatory. security analysis are listed in [18, 19].
In this work, an algebraic structure for constructing In the last decade, chaos [20, 21] based S-boxes have
S-boxes based on projective general linear group is pro- been presented in great numbers [22, 23]. The chaotic
posed. The constructed S-boxes can be used in block sequence numbers obtained from the maps are manipulated
ciphers for the application of securing real-time data for for the construction of a S-box. The numbers are first
better security and performance. The main contributions of transformed into large numbers by multiplying the original
this paper are summarized as follows: sequence with a large integer value; then, these values
truncated to integers followed by a modulo function of 256
1. A new algebraic structure for the designing of S-boxes
and finally picking the first 256 distinct integers values
based on projective general linear group and linear
forming up a S-box. The S-box resulted from chaotic
fractional transformation is proposed. The constructed
sequences lacks basic cryptographic features, remained
S-boxes have good algebraic properties and can resist
weak for attacks and cannot resist differential and linear
algebraic attacks.
cryptanalysis. Moreover, the serious dynamic degradation
2. A new method of creating multiple S-boxes having the
of chaotic maps in digital computer is there which weaken
same algebraic properties is proposed based on S8
the case for their application in cryptography as discussed
permutations and XOR operations. It is shown that by
in [24]. Also, it is shown in a work [25] that the chaotic
applying S8 permutations or XOR operations, the new
image encryption cannot resist against good attacks. Based
generated S-boxes have the same algebraic properties
on electrocardiography (ECG) and autoblocking chaotic
and thus, the new S-boxes can resist the algebraic
cryptosystem, the cryptanalysis of that cryptosystem is
attacks with the same intensity. The proposed method
performed. Another work on the cryptanalysis of a chaotic
of these operations will also break the algebraic
image cryptosystem performed by the same authors is
structure from which they are originally constructed
proposed in [26]. The proposed work [26] performed the
making cryptanalysis much more difficult.
in-detail and in-depth security analysis to evaluate the
3. It is shown through the simulations that although the
strength of image cryptosystem. However, there are several
constructed S-boxes have the same algebraic properties
proposals which claimed to be robust against standard
but different statistical properties when applied to
security attacks. In [27], a novel construction of multiple
images.
S-boxes is proposed based on the mixture of algebraic
The remaining of the manuscript is organized as fol- structure and chaos. The visual statistical and security
lows: Sect. 2 presents the related work on the topic, Sect. 3 analysis confirmed the strength and robustness of the pre-
explains the designing of S-boxes based on algebraic sented work. However, it is not stated whether the security
structure, Sect. 4 presents the proposed work on creating analysis is done on the stand-alone S-boxes or on their
multiple S-boxes with the same algebraic properties, application in encryption algorithms.
Sect. 5 presents statistical analysis for substituted images A method for the designing of S-box based on the
resulting in applying different S-boxes having the same algebraic structure over a finite field proposed by the same
algebraic properties, Sect. 6 presents the comparison authors is presented in [28]. Furthermore, the presented S-
results, and Sect. 7 concludes the manuscript. box is applied in a new image encryption cryptosystem
which shows good security results. In [29], to construct a
robust S-box, a combination of a cellular automaton rule-
2 Related work based matrix approach and an algebraic structure over
GFð28 Þ is presented. To test the robustness of the con-
For designing S-boxes, numerous techniques are presented structed S-box in the application of cryptosystems, various
in the literature such as algebraic, chaos-based, heuristic analyses are performed which show superior performance
methods and pseudorandom [13–15]. Because of their over the previous works. In [30], the construction of S-box
exceptional cryptographic properties, S-boxes designed is presented based on the additional irreducible polynomial
based on algebraic structures such as inversion mapping and affine mapping. Opposite to the construction of S-box
became very famous [16]. Two methods for constructing employed in AES, different multiplicative inverse and
S-boxes with high nonlinearity are presented in [17]. The different affine mapping is used. From the irreducible
first method uses two vector Boolean functions from the polynomials having the highest nonlinearity value, the
Maiorana–McFarland, and the second method employs a multiplicative inverse is selected and based on affine
slightly suitable modification of bent functions. The pre- matrices, the affine mapping is selected. Based on scaled
sented S-boxes have very high nonlinearity of 116 and Zhongtang chaotic system and random number generator, a
have good algebraic and differential properties. Some of
123
Neural Computing and Applications
strong S-box is constructed in [31]. First, a new random that this cipher can resist against well-known attacks. The
number generator is proposed whose robustness is tested CLEFIA [38] is also a 128-bit block cipher with three
via NIST standard random number test suite. Then, with diverse key sizes: 128, 192 and 256 binary bits. It consists
the help of this random number generator, a new S-box is of four data lines, based on four-branch generalized Feistel
constructed whose robustness is tested through the standard structure and known as the extended version of traditional
security analysis. An interesting method for the designing two-branch Feistel structure [39, 40]. The instance ‘‘Gen-
of S-box based on the combination of teaching–learning- eralized type-2 transformation’’ is chosen inspired from
based optimization and chaotic map is presented in [32] [41]. It has two Feistel functions (F functions) for the four
which has eight rounds having two transformations: data lines in one round and is smaller than the traditional F
columnwise rotation and rowleft shifting. However, in each functions. There are two different S-boxes (constructed
round, the transformations are different from each other from two algebraic structures) used for the confusion
and are controlled by the initial conditions of the chaotic process. It is claimed that having two S-boxes increases the
map employed. These initial conditions used as the private immunity against the linear and differential attacks using
keys are optimized by using teaching–learning-based diffusion switching mechanism. The security analyses are
optimization which aims to construct a strong S-box. Some intensely done and shown enough resistance against tra-
of the other proposals for the designing of S-boxes based ditional attacks. Also, the design of CLEFIA can be easily
on chaos are presented in [33–35]. and effectively implemented in various software and
The AES [12] is a benchmark block cipher which has hardware environments. Both PRESENT and CLEFIA are
three versions, each with a block size of 128 bits, but with considered in ISO/IEC 29192 ‘‘Lightweight Cryptogra-
three dissimilar numbers of rounds: 10, 12 and 14 rounds phy’’ and are ready to use in practical systems.
for 128, 192 and 256 binary bits, respectively. It is still
unbreakable but might not be effective in certain applica-
tions. For instance, one requirement for a cipher can be the 3 Construction of S-boxes
distortion tolerant. The traditional good cryptosystems lack
this requirement as they cannot successfully decrypt the This section presents the basic mathematical structure of
noisy encrypted data, for example when a single bit of linear groups for constructing S-boxes. The algebraic
encrypted data of the AES is corrupted, then that noisy properties of these S-boxes remain the same when S8
encrypted data cannot be successfully decrypted by the symmetric group and XOR operations are applied. These
AES. This issue is usually taking care of by the channel operations followed with the statistical analysis of S-boxes
coding performed with encryption to detect and remove when applied to images are presented later.
noise errors at receiver. However, using error detecting and
correcting codes increases the overall size of encrypted 3.1 Linear groups
data and computational complexity as well at transmitter’s
and receiver’s side. Fawad et al. [36] proposed a noise- The important family of linear groups, the projective
tolerant image encryption scheme that shows very good general linear groups PGLðn; F Þ are discussed here. Let F
results in terms of security and also can resist the channel be any field. We denote GLðn; F Þ over F by the group of all
noise. invertible n n matrices of dimension n over F. This is the
The other requirement for a particular application hav- general linear group. For brevity, let write GLðn; F Þ instead
ing constraints on cost is the computational complexity. of GL n; Fq . It is always assumed that n 2 for GLð1; F Þ
The ciphers that are particularly suited for this purpose are is simply the multiplicative group F of F and is abelian
categorized in lightweight cryptography. The two of most (and cyclic if F is finite).
renown lightweight ciphers are PRESENT [37] and CLE-
FIA [38]. The block length of PRESENT [37] is 64 bits Theorem 1 jGLðn; qÞj ¼ ðqn 1Þðqn qÞ ðqn qn1 Þ.
supported with two different key lengths, 80 and 128 bits. Proof A matrix is invertible if and only if its rows are
The version of 80-bit key is recommended for low-profile linearly independent; this holds if and only if the first row
applications. It is based on substitution-permutation net- is nonzero and, for k ¼ 2; . . .; n (k represents the index of
work meeting the basic criteria of confusion and diffusion. rows), the kth row is not in the subspace spanned by the
It has 31 rounds, 17 more than the most complex version of first k 1 rows. The number of possible rows is qn , and the
the AES; however, the S-boxes used are 4-bit to 4-bit rather number lying in any i-dimensional subspace is qi . There-
than 8-bit to 8-bit which makes it much less complex than fore, the number of choices of the first row of an invertible
the AES. The implementation of both encryption and matrix is qn 1, while for k ¼ 2; . . .; n, the number of
decryption is still smaller than an encryption-only AES.
The security analysis is thoroughly done, and it is claimed
123
Neural Computing and Applications
choices for the kth row is qn qk1 . Multiplying these fixes all one-dimensional subspaces. Let e1 ; e2 ; . . .; en be
together gives the result. h the standard basis vectors. Then, ei A ¼ ai ei for i ¼
1; 2; . . .; n (for some a1 ; a2 ; . . .; an 2 F ), so A is a diagonal
The interesting point is in finding the order of
matrix. Also, ðei þ ej ÞA ¼ bðei þ ej Þ for some b 2 F ,
PGLð2; qÞ; also, PGLð2; qÞ is the image of GLðn; qÞ under
ei A þ ej A ¼ ai ei þ ai ej , so ai ¼ b ¼ aj . Thus, A is a scalar
a homomorphism whose kernel consists of nonzero scalar
matrix. Thus, it can be seen that ZðGLðn; FÞÞ is the group
matrices and so has order q 1.
of scalar matrices and is isomorphic to F (so is cyclic of
Theorem 2 The determinant map det: GLðn; F Þ ! F is a order q 1 if F ¼ Fq ). Now, the projective general and
homomorphism. special linear groups are defined by PGLðn; FÞ ¼
GLðn; FÞ=Z, PSLðn; FÞ ¼ SLðn; FÞ=ðZðn; FÞÞ, where Z ¼
Proof This is a simple fact from the linear algebra that
ZðGLðn; qÞÞ Thus, the projective groups are the images of
detðABÞ ¼ detðAÞ detðBÞ. The kernel of the determinant
the linear groups in the action on the projective space X, so
map is the set of n n matrices with determinant 1. This is
it can be thought of them as groups of permutations of this
denoted as SLðn; F Þ, the special linear group of dimension ðn;qÞj
n over F. Thus, SLðn; F Þ / GLðn; F Þ and space. We have jPGLðn; qÞj ¼ jGLq1 ¼ jSLðn; qÞj h
GLðn; F Þ=SLðn; F Þ ¼ F (the last fact follows from the
Remark The order of PGLðn; qÞ is
first isomorphism theorem, since it is easy to see that det is
onto; for every element u 2 F, there exists an n n matrix jPGLðn; qÞj ¼ ðqn 1Þðqn qÞ qn qn1 =ðq 1Þ:
A with detðAÞ ¼ u) h ð1Þ
In particular, it can be seen that Definition If Y is a set and G is a group, then the group
j SL ð n; q Þ ¼
j j GL ð n; q Þ j= ð q 1 Þ. Let X denote the set of action of G on Y is defined by a binary operator, . The
n
one-dimensional subspaces of F , the n-dimensional vector formal definition of this operator is : G Y ! Y. In
space over F. (The set X is the set of points of the n 1- addition,
dimensional projective space, denoted by PGðn 1; qÞ. In
ðg hÞ y ¼ g ðh yÞ; 8g; h 2 G; y 2 Y; ðe yÞ ¼ y; 8y 2 Y:
reality, it is a geometric object and has a lot of structure,
but we only need to regard it as a set.) Now, jXj ¼ ð2Þ
qn 1=q 1: There are qn 1 nonzero vectors in F n , each
of which spans a one-dimensional subspace, but each one-
dimensional subspace is spanned by any of its q 1 non- The group taken here for the synthesis process of new S-
zero vectors. There is an action of GLðn; F Þ on X; the boxes is projective linear group or PGLð2; GFð28 ÞÞ, where
matrix A maps the subspace v to the subspace vA. GFð28 Þ are the elements of Galois Field in which 2 2 P
and 8 2 Zþ . The set chosen to be a G-set, that is, GFð28 Þ.
Theorem 3 The following conditions on a matrix A 2
Also, the algebraic structure of GFð28 Þ employed here is
GLðn; F Þ are equivalent:
given as
(a) A 2 Z ðGLðn; F ÞÞ, Z2 ½ X
(b) A belongs to the kernel of the action of GLðn; F Þ on GFð28 Þ ¼ ; ð3Þ
ðPðxÞÞ
X,
(c) A is a scalar matrix, that is, A ¼ kA for some k 2 F . where PðxÞ is primitive irreducible polynomial, given as
PðxÞ ¼ x8 þ x4 þ x3 þ x2 þ 1: ð4Þ
Proof (a) , (c) Clearly, scalar matrices commute with
everything and so lie in the center of the group. Suppose The defined binary operator now can be stated as a
A 2 ZðGLðn; FÞÞ. If E is the matrix with entries 1 on the function: f : PGLð2; GFð28 ÞÞ GFð28 Þ ! GFð28 Þ. This
diagonal and in position ð1; 2Þ and zero elsewhere, then EA function f is a fractional linear transformation, known as
is obtained from A by adding the second row to the first, Möbious transformation, given as
while AE is obtained by adding the first column to the az þ b
second. If these are equal, then the first and second diag- f ðzÞ ¼ : ð5Þ
cz þ d
onal elements of A are equal, and the other entries in the
first column and second row are zero. Repeating the The transformation defined above is actually a map
argument for the ith row and jth column, we conclude that f :C~ ! C,
~ where a; b; c; d 2 C and its projective trans-
A is a scalar matrix. formation is PGLð2; CÞ. However, using here under the
(b) , (c) Again, it is clear that a scalar matrix fixes presented binary operator, f(z) is the projective
every one-dimensional subspace. Let A be a matrix which
123
Neural Computing and Applications
transformation of PGLð2; GFð28 ÞÞ, where a; b; c; d; z 2 4 S-boxes with the same algebraic
GFð28 Þ satisfying ad bc 6¼ 0, i.e., properties
a; b; c; d; z 2 GFð28 Þ ¼ ½0; 255: ð6Þ
The order or number of above constructed S-boxes can
The values defined above for the parameters a; b; c; d; z further be increased by applying the S8 permutation on 8
will be used as polynomials of their binary representations. bits of S-box elements. Specifically, the interest is not in
For instance, let consider a decimal number equivalent to 8- increasing the order but rather in keeping the algebraic
bit binary number b7 b6 b5 b4 b3 b2 b1 b0 ; then, its corresponding properties the same of above S-boxes. Some of the alge-
7
polynomial representation will be b7 x þ b6 x 6 þ braic properties are strict avalanche criterion, differential
b5 x5 þ b4 x4 þ b3 x3 þ b2 x2 þ b1 x þ b0 Þ, where þ denotes approximation probability, nonlinearity, linear approxi-
the XOR operation. Also, let w denote the root of polynomial mation probability and bit-independent criterion. The S8 is
PðxÞ; then, w8 ¼ w4 þ w3 þ w2 þ 1 ¼ 00011110. The val- a symmetric group on a set of size 8 in which r represents
ues for rest of the w’s can be calculated as the permutation of this set.
8
< bi 8i 2 ½0; 7; Theorem 4 S8 -permuted S-boxes have the same algebraic
wi ¼ w4 þ w3 þ w2 þ 1 for i ¼ 8; ð7Þ properties.
:
w wi1 mod PðwÞ 8i 2 ½9; 255:
Proof Let S be an S-box and S01 ; S02 ; . . .; S0256 2 S be the
P
The one S-box comprising 256 distinct elements (inte- elements of S-box in which 7j¼0 Sij x j be the polynomial
gers) from 0 to 255 can be constructed from f ðzÞ by varying corresponding to S0i element, where i ¼ ð1; 2; . . .; 256Þ and
z from 0 to 255 for the fixed values of a; b; c; d 2 ½0; 255. sij are the binary bit of ith element at jth position. The
The numerator az þ b and denominator cz þ d are calcu- algebraic properties of S-box are calculated and dependent
lated first using polynomial operation under modulo Pð xÞ
upon the individual bits of its elements; Lj s1j ; s2j ; . . .; s256j
and represented in the power of w defined in Eq. (7). The
has no influence or dependence on Lj0 s1j0 ; s2j0 ; . . .; s256j0 ;
powers of w are then manipulated to get the respective
elements of S-box as shown in Table 1. The first column j 6¼ j0 where L represents an algebraic function for S-box.
represents the value of z varying from 0 to 255, second Let r 2 S8 be the permutation, then rðS0i Þ ¼
P
column shows the calculation of numerator and denomi- rð 7j¼0 Sij x j Þ ¼ rðSi0 x0 Þ þ rðSi1 x1 Þ þ rðSi2 x2 Þ þrðSi3 x3 Þ
nator of f ðzÞ under modulo PðxÞ, the decimal equivalent of þrðSi4 x4 Þ þ rðSi5 x5 Þ þrðSi6 x6 Þ þ rðSi7 x7 Þ; 8i. As the
f ðzÞ shows in third column, w0 s equivalent according to permutation is a linear function, thus, rðS0i Þ ¼ rðsi0 Þ þ
Eq. (7) is shown in column 4, and last column represents rðsi1 Þ þ rðsi2 Þ þrðsi3 Þ þ rðsi4 Þ þrðsi5 Þ þ rðsi6 Þ þ rðsi7 Þ;
the elements of S-box. The total number of distinct S-boxes 8i. Therefore, the S8 permutation will only change the
which can be constructed from f ðzÞ by varying the values positions of bits of each element and the average algebraic
of a; b; c; d is given by the order of PGLðn; qÞ defined in characteristics will remain the same. h
Eq. (1), which is more than 16.7 million.
Example 1 Let consider a S-box S10 with elements
ðS10 10 10
1 ; S2 ; . . .; S256 Þ1256 = ð202; 92; . . .; 97Þ1256 having
nonlinearity equal to 112. Let also consider a permutation
Table 1 Construction of a S-box using fractional transformation with parameters a ¼ 16; b ¼ 8; c ¼ 32; d ¼ 4
z f ðzÞ ¼ ððazþbÞ
czþdÞ
Dec w Eq. S-
box
123
Neural Computing and Applications
Fig. 1 Permutation sequence r ¼ ð41283657Þ applied to the elements of S-box 1 S10 to get the new elements of S-box 2 S20 . The algebraic
properties of S20 remain the same as compared to the properties of S10
sequence r ¼ ð41283657Þ having orbits: {1, 7}, {2, 5, 8, 4, nonlinearity equal to 103.75. Let us also consider an integer 45
3, 6} as shown in Fig. 1. The permutation sequence is to be bitwise XOR with each and every element of S10 to get
applied to 8 bits of each and every element of S10 to get new elements of second S-box S20 as shown in Fig. 3. For
new elements of second S-box S20 . For instance, r S10 1 instance, S10
1 45 ¼ 123 45 ¼ ð01111011Þ ð00101101Þ
¼ rð202Þ ¼ rð11001010Þ ¼ ð10110001Þ ¼ 177 ¼ S20 1. ¼ ð01010110Þ ¼ 86 ¼ S20 1 . This XOR operation applies to
This permutation applies to 256 elements of S10 to get new 256 elements of S10 to get new 256 elements of S20 as shown in
256 elements of S20 as shown in Fig. 1. The computational Fig. 3. As in the case of S8 permutation, the computational
complexity is very low for constructing a new S-box based complexity of XOR operation is also very low. This is due to
on S8 permutation as it only involves one logical operation the fact that the XOR operation is applied only once per bit per
per bit of each element of the S-box, and thus, the new S- element of the S-box. The algebraic properties mentioned
box can be generated on the go. The algebraic properties earlier remains the same for both these S-boxes, for instance
mentioned earlier remain the same for both these S-boxes, the nonlinearity for both S-boxes is 103.75.
for instance the nonlinearity for both S-boxes is 112.
S-boxes with the same algebraic properties are quite
Similarly, an illustration of extension of example 1 is given
appropriate and useful in terms of their application in
in Fig. 2. Let us consider a S-box S10 with elements cryptosystems. Also, it is worth mentioning here that by
ðS10 10 10
1 ; S2 ; . . .; S256 Þ1256 ¼ ð202; 92; . . .; 97Þ1256 having applying the permutation and XOR operations, these will
nonlinearity equal to 112. There are four different permu- not only kept algebraic properties the same of the new S-
tation sequences applied on S10 resulting in four different boxes, but these operations will also break the algebraic
S-boxes. However, the algebraic properties of all these five structure f ðzÞ from which these S-boxes are originally
S-boxes are the same, for instance the nonlinearity for all constructed making it a tough job for the cryptanalysis.
these S-boxes is 112.
Theorem 5 The bitwise XOR operation of an integer m 2
½0; 255 on the S-box elements does not change the alge- 5 Statistical analysis
braic properties of that S-box.
The statistical analyses are applied on the substituted
Proof A bitwise XOR operation of bit bx on images resulted from applying the proposed S-boxes on the
s1j ; s2j ; . . .; s256j will not change the bits if bx ¼ 0 and plain image. Table 2 shows a S-box constructed from
neither does the algebraic properties. In case of bx ¼ 1, the proposed function f ðzÞ with parameters
bits of elements will change from 1 to 0 and vice versa, a ¼ 176; b ¼ 77; c ¼ 121; d ¼ 34. The permutation
denoted as s01j ; s02j ; . . .; s0256j . However, the number of 0 s sequence r ¼ ð43576128Þ with addition of XOR operation
of integer 135 is applied on S-box of Table 2, and the
and 1 s and the hamming distance between them remain
resulted S-box is shown in Table 3. The algebraic proper-
the same and thus, Lj s1j ; s2j ; . . .; s256j ties of both these S-boxes are the same.
¼ L0j s01j ; s02j ; . . .; s0256j These S-boxes are then applied separately on a camera-
man image (plain image) of size 256 9 256 using Algorithm
Example 2 Let us consider a S-box S10 with elements 1 to get the substituted images. The process of substituting an
ðS10 10 10
1 ; S2 ; . . .; S256 Þ1256 = ð123; 112; . . .; 118Þ1256 having image pixel with one of the elements of a S-box is defined as
123
Neural Computing and Applications
123
Neural Computing and Applications
stituted image is always equal to the entropy of the plain resented in GF(2^m) is N ¼ 2m1 2 2 1 . For m ¼ 8, the
image; therefore, the entropy remains the same for sub- theoretical upper bound on nonlinearity is 120. The more
stituted images regardless of whichever S-box is used for the value of nonlinearity for S-box closer to 120, the more
the same plain image. For the rest of the analysis, the secure S-box is. Table 6 shows the nonlinearity of eight
values are different from each other depicting diverse individual binary bits of the elements of proposed and other
visual properties of the substituted images and thus adding S-boxes, and the average nonlinearity as well. It can be
in difficulty for the cryptanalysis. seen that the nonlinearity of the proposed S-box is very
close to the optimum value and very competitive to the
other works.
123
Neural Computing and Applications
Table 2 Presentation of proposed S-box in 16 9 16 matrix resulted from fractional transformation f ðzÞ with parameters
a ¼ 176; b ¼ 77; c ¼ 121; d ¼ 34
R/C 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
45 104 52 27 252 251 5 153 163 118 157 201 222 63 249 43
244 178 137 62 214 232 93 99 133 147 47 199 94 200 98 124
177 162 248 13 240 211 115 20 183 58 121 231 12 129 144 233
128 97 87 209 26 208 91 37 174 136 100 40 212 54 250 41
237 51 101 243 142 39 241 60 171 1 18 111 195 79 221 253
245 131 242 191 127 46 78 149 207 159 151 24 53 225 34 114
182 29 197 6 161 32 81 14 82 55 187 210 194 185 205 152
176 179 234 247 150 59 148 227 246 125 215 0 172 229 204 228
138 141 70 83 3 167 90 169 192 71 31 102 88 145 89 113
33 135 56 120 30 156 48 236 7 235 107 130 132 123 165 112
186 72 126 75 16 190 168 239 158 110 38 166 92 9 203 28
11 80 74 216 23 175 2 76 61 146 206 44 238 122 64 96
220 189 108 230 109 36 25 226 181 143 22 217 8 105 21 67
155 140 49 69 106 77 42 202 4 134 86 196 188 50 84 173
139 73 255 180 85 103 218 224 170 184 198 15 117 223 193 219
213 17 35 10 66 65 164 57 199 154 116 160 254 95 19 68
Table 3 Presentation of S-box in 16 9 16 matrix resulted from applying permutation sequence r ¼ ð43576128Þ with addition of XOR operation
of integer 135 on S-box shown in Table 1. The algebraic properties of S-box shown in Table 1 remain the same as compared to the properties of
S-box shown in this table
R/C 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
6.2.2 Strict avalanche criterion (SAC) S-box in comparison with the other works are mentioned in
Table 7.
For a S-box employed in an encryption algorithm, if we
change just a single bit, then there should be a significant 6.2.3 Bit-independent criterion (SAC)
change in the output bits [29]. The strict avalanche crite-
rion is used to test the change in the output bits. The ideal The bit-independent criterion is the same to SAC as it is
value should be equal to the half of the total input/output, also used to examine the change in output bits when a
i.e., 50%. The numerical values of SAC of the proposed single bit of input is changed [29]. However, the change is
123
Neural Computing and Applications
Table 4 Comparative statistical analysis on the substituted images of 6.2.5 Differential approximation probability (DP)
cameraman resulted from applying S-box 1 (Table 1) and S-box 2
(Table 2). The algebraic properties of both S-boxes are the same, but
Differential approximation probability (DP) is used to
values of statistical analysis are different
determine how a modification is represented in results of
Analysis Corr. Entropy Homo. Contrast Energy change in input. The differential approximation probability
S-box 1 0.2871 7.1028 0.5767 6.2403 0.0272 (DP) is given as [29]
2 n o3
S-box 2 0.2634 7.1028 0.5733 6.6900 0.0271 X
# x 2 SðxÞ Sðx DxÞ ¼ Dy
DPðDx ! DyÞ ¼ 4 5;
2m
examined in each round of the encryption algorithm. The
numerical values of BIC of the proposed S-box in com- ð14Þ
parison with the other works are mentioned in Table 7. where Dx and Dy are input differential and output differ-
ential, respectively. It is required that the value of DP
6.2.4 Linear approximation probability (LP) should be close to zero for the strong S-box. The numerical
values of DP of the proposed S-box in comparison with the
Linear approximation probability (LP) is used to examine other works are mentioned in Table 7.
the imbalance of the event. At the input, several masks are
applied to examine and determine the pattern of output bits.
The linear approximation probability is given as [29] 7 Conclusions
#fx=X Cx ¼ SðxÞ Cy ¼ Dyg 1
LP ¼ max ; ð13Þ
CxCy6¼0 2n 2 The S-box is of great importance regarding the security in
block ciphers. In this paper, a new algebraic method for the
where the set X contains all possible inputs, 2n is number of construction of S-boxes is proposed. The proposed alge-
its elements and x and y are two masks applied to parity of braic structure for construction of S-boxes is sophisticated
input bits and output bits, respectively. The numerical and secure against algebraic attacks, linear and differential
values of LP of the proposed S-box in comparison with the cryptanalysis. Moreover, a method of applying permutation
other works are mentioned in Table 7. of symmetric group on a set of size 8 and XOR operations
123
Neural Computing and Applications
Table 6 Comparative analysis of nonlinearity of proposed S-box with encouraging to do the analysis of proposed work before its
the other works immediate deployment. The intended application can be
Methods 0 1 2 3 4 5 6 7 Ave. cloud computing where different domains communicate
with each other on insecure communication channel. In this
Ref [46] 98 100 100 104 104 106 106 108 103.2
work, the focus is on confidentiality of data circulated in
Ref [44] 106 106 106 104 108 102 106 104 105.25 cloud computing and network security is not considered
Ref [43] 102 108 106 102 106 106 106 98 104.25 here. The network security is one of the prime areas and
Ref [25] 100 103 104 104 105 105 106 109 104.5 still has a lot of room for work to be done.
Ref [47] 100 102 103 104 106 106 106 108 104.3
Ref [48] 108 104 106 106 102 98 104 108 104
Ref [49] 112 112 112 112 112 112 112 112 112
Ref [45] 104 108 108 108 108 104 104 106 105.75 Compliance with ethical standards
Ref [12] 112 112 112 112 112 112 112 112 112
Conflict of interest We have no conflict of interest to declare.
Ref [27] 106 108 106 108 106 106 106 108 106.75
Ref [27] 106 106 102 108 108 106 106 106 106
Proposed 112 112 112 112 112 112 112 112 112 References
The results of other methods are from the original papers
1. Chen J, Han F, Qian W, Yao Y-D, Zhu Z- (2018) Cryptanalysis
and improvement in an image encryption scheme using combi-
nation of the 1D chaotic map. Nonlinear Dyn 93(4):2399–2413
2. Ahmed F, Anees A (2015) Hash-based authentication of digital
Table 7 Comparative analysis of strict avalanche criterion, bit-inde- images in noisy channels. In: Živić N (ed) Robust image
pendent criterion, BIC for SAC, linear approximation probability and authentication in the presence of noise. Springer, Cham. https://
differential approximation probability of proposed and other S-boxes doi.org/10.1007/978-3-319-13156-6_1
3. Anees A, Khan WA, Gondal MA, Hussain I (2013) Application
Methods SAC BIC BIC/SAC Max Val/Max LP DP of mean of absolute deviation method for the selection of best
nonlinear component based on video encryption. Z Naturforsch A
Ref [29] 0.4998 112 0.504 144/0.0625 0.0156
68(a):479–482
Ref [12] 0.4999 112 0.504 144/0.0625 0.0156 4. Liu X, Dong M, Ota K, Yang LT, Liu A (2018) Trace malicious
Ref [43] 0.4864 104 0.504 144/0.1563 0.0172 source to guarantee cyber security for mass monitor critical
Ref [27] 0.4939 107 0.504 160/0.0625 0.0625 infrastructure. J Comput Syst Sci 98:1–26
5. Anees A, Gondal MA (2015) Construction of nonlinear compo-
Ref [27] 0.5020 103 0.505 160/0.1250 0.0469 nent for block cipher based on one-dimensional chaotic map. 3D
Ref [27] 0.5040 112 0.504 144/0.0625 0.0156 Res 6(2):17. https://doi.org/10.1007/s13319-015-0049-4
Ref [27] 0.5040 112 0.504 144/0.0625 0.0156 6. Anees A, Siddiqui AM (2013) A technique for digital water-
marking in combined spatial and transform domains using chaotic
Ref [27] 0.5040 112 0.504 144/0.0625 0.0156
maps. In: IEEE 2nd national conference on information assurance
Proposed 0.4999 112 0.504 144/0.0625 0.0156 (NCIA), pp 119–124. https://doi.org/10.1109/ncia.2013.6725335
The results of other methods are from the original papers 7. Jung Y, Festijo E (2014) One-time packet key exchange
scheme for secure real-time multimedia applications. J Comput
Syst Sci 80(8):1584–1596
8. Anees A, Siddiqui AM, Ahmed J, Hussain I (2014) A technique
for digital steganography using chaotic maps. Nonlinear Dyn
is proposed that applied on constructed S-boxes to maintain 75(4):807–816
their algebraic properties and break their algebraic struc- 9. Anees A (2015) An image encryption scheme based on Lorenz
system for low profile applications. 3D Res 6(3):1–10
ture. The S-boxes with the same algebraic properties are of
10. Potlapally NR, Ravi S, Raghunathan A, Jha NK (2006) A study of
great importance. In block ciphers, multiple S-boxes can be the energy consumption characteristics of cryptographic algo-
applied instead of a single S-box. For instance, in AES, rithms and security protocols. IEEE Trans Mobile Comput
instead of a single and the same S-box for each round, 5(2):128–143
11. Anees A, Siddiqui AM, Ahmed F (2014) Chaotic substitution for
different S-boxes can be applied with the same algebraic
highly autocorrelated data in encryption algorithm. Commun
properties that will enhance the security and performance Nonlinear Sci Numer Simul 19(9):3106–3118
of AES keeping the computational complexity as it is. 12. Daemen J, Rijmen V (2002) The design of Rijndael: AES—the
Similarly, for the digital images as plaintext, the statistical advanced encryption standard. Springer, Berlin
13. Chen G (2008) A novel heuristic method for obtaining S-boxes.
analysis of two substituted images is different when two
Chaos, Solitons Fractals 36(4):1028–1036
S-boxes with the same algebraic properties are applied to 14. Özkaynaka F, Özer AB (2010) A method for designing strong
the same image. S-boxes based on chaotic Lorenz system. Phys Lett A
As mentioned, the proposed work is efficient and 374(36):3733–3738
effective; however, like all new proposals, it is strongly
123
Neural Computing and Applications
15. Hussain I, Shah T, Mahmood H, Gondal MA (2013) A projective 33. Lambić D (2017) A novel method of S-box design based on
general linear group based algorithm for the construction of discrete chaotic map. Nonlinear Dyn 87(4):2407–2413
substitution box for block ciphers. Neural Comput Appl 34. Li Y, Ge G, Xia D (2016) Chaotic hash function based on the
22(6):1085–1093 dynamic S-box with variable parameters. Nonlinear Dyn
16. Hussain I, Shah T, Gondal MA, Khan WA, Mahmood H (2013) A 84(4):2387–2402
group theoretic approach to construct cryptographically strong 35. Ye T, Zhimao L (2018) Chaotic S-box: six-dimensional fractional
substitution boxes. Neural Comput Appl 23(1):97–104 Lorenz-Duffing chaotic system and O-shaped path scrambling.
17. Zhang W, Pasalic E (2014) Highly nonlinear balanced S-boxes Nonlinear Dyn 94(3):2115–2126
with good differential properties. IEEE Trans Inf Theory 36. Ahmed F, Anees A, Abbas VU, Siyal MY (2014) A noisy channel
60(12):7970–7979 tolerant image encryption scheme. Wirel Pers Commun
18. Jithendra KB, Shahana TK (2016) High-security pipelined elastic 77(4):2771–2791
substitution box with embedded permutation facility. In: Saini H, 37. Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A,
Sayal R, Rawat S (eds) Innovations in computer science and Robshaw MJB, Seurin Y, Vikkelsoe C (2007) PRESENT: an
engineering, vol 413. Springer, Singapore, pp 79–86 ultra-lightweight block cipher. In: Cryptographic hardware and
19. Picek A, Batina L, Jakobović D, Ege B, Golub M (2014) S-box, embedded systems, vol 4727. Springer, pp 450–466
SET, match: a toolbox for S-box analysis. In: Information secu- 38. Shirai T, Shibutani K, Akishita T, Moriai S, Iwata T (2007) The
rity theory and practice. Securing the internet of things, vol 8501. 128-bit Blockcipher CLEFIA (Extended Abstract). In: Fast soft-
Springer, Berlin, pp 140–149 ware encryption, vol 4593. Springer, pp 181–195
20. Lorenz EN (1963) Deterministic nonperiodic flow. J Atmos Sci 39. Shirai T, Shibutani K (2006) On Feistel structures using a dif-
20:130–141 fusion switching mechanism. In: Fast software encryption, vol
21. Anees A, Hussain I (2019) A novel method to identify initial 4047. Springer, pp 41–56
values of chaotic maps in cybersecurity. Symmetry 11(2):1–21 40. Diffie W, Hellman ME (1977) Exhaustive cryptanalysis of the
22. Hussain I, Anees A, Al-Maadeed TA, Mustafa MT (2019) Con- NBS data encryption standard. Computer 10(6):74–84
struction of S-Box based on chaotic map and algebraic structures. 41. Zheng Y, Matsumoto T, Imai H (1989) On the construction of
Symmetry 11(3):1–11 block ciphers provably secure and not relying on any unproved
23. Hussain I, Shah T, Gondal MA, Mahmood H (2012) An efficient hypotheses. In: Advances in cryptology, vol 435. Springer,
approach for the construction of LFT S-boxes using chaotic pp 461–480
logistic map. Nonlinear Dyn 71(1–2):133–140 42. Anees A, Ahmed Z (2015) A technique for designing substitution
24. Li C, Feng B, Li S, Kurths J, Chen G (2019) Dynamic analysis of box based on Van der pol oscillator. Wirel Pers Commun
digital chaotic maps via state-mapping networks. IEEE Trans 82(3):1497–1503
Circuits Syst I Regul Pap Early Access. https://doi.org/10.1109/ 43. Khan M, Shah T, Batool SI (2016) Construction of S-box based
TCSI.2018.2888688 on chaotic Boolean functions and its application in image
25. Li C, Lin D, Lü J, Hao F (2018) Cryptanalyzing an image encryption. Neural Comput Appl 27(3):677–685
encryption algorithm based on autoblocking and electrocardiog- 44. Belazi A, Khan M, El-Latif AAA, Belghith S (2017) Efficient
raphy. IEEE Multimedia 25(4):46–56 cryptosystem approaches: S-boxes and permutation-substitution-
26. Li C, Lin D, Feng B, Lü J, Hao F (2018) Cryptanalysis of a based encryption. Wirel Pers Commun 87(1):337–361
chaotic image encryption algorithm based on information 45. Skipjack and Kea (1998) Algorithm specifications version, vol 2,
entropy. IEEE Access 6:75834–75842 pp 1–23. http://csrc.nist.gov/CryptoToolkit/. Updated 10 Oct
27. Ullah A, Jamal SS, Shah T (2017) A novel construction of sub- 2018
stitution box using a combination of chaotic maps with improved 46. Jakimoski G, Kocarev L (2001) Chaos and cryptography: block
chaotic range. Nonlinear Dyn 88(4):2757–2769 encryption ciphers based on chaotic maps. IEEE Trans Circuits
28. Ullah A, Jamal SS, Shah T (2018) A novel scheme for image Syst I Fundam Theory Appl 48(2):163–169
encryption using substitution box and chaotic system. Nonlinear 47. Chen G, Chen Y, Liao X (2017) An extended method for
Dyn 91(1):359–370 obtaining S-boxes based on three-dimensional chaotic Baker
29. Aboytes-González JA, Murguı́a JS, Mejı́a-Carlos M, González- maps. Chaos, Solitons Fractals 31(3):571–579
Aguilar H, Ramı́rez-Torres MT (2018) Design of a strong S-box 48. Alkhaldi H, Hussain I, Gondal MA (2015) A novel design for the
based on a matrix approach. Nonlinear Dyn 94(3):2003–2012 construction of safe S-boxes based on TDERC sequence. Alex
30. Alamsyah, Bejo A, Adji TB (2018) The replacement of irre- Eng J 54(1):65–69
ducible polynomial and affine mapping for the construction of a 49. Cui L, Cao Y (2007) A new S-box structure named Affine-Power-
strong S-box. Nonlinear Dyn 93(4):2105–2118 Affine. Int J Innov Comput Inf Control 3(3):751–759
31. Çavuşoğlu Ü, Zengin A, Pehlivan I, Kaçar S (2017) A novel
approach for strong S-box generation algorithm design based on Publisher’s Note Springer Nature remains neutral with regard to
chaotic scaled Zhongtang system. Nonlinear Dyn jurisdictional claims in published maps and institutional affiliations.
87(2):1081–1094
32. Farah T, Rhouma R, Belghith S (2017) A novel method for
designing S-box based on chaotic map and teaching-learning-
based optimization. Nonlinear Dyn 88(2):1059–1074
123