A Novel Construction of Efficient Substitution-Boxes Using Cubic Fractional Transformation

A symmetric block cipher employing a substitution–permutation duo is an effective technique for the provision of information security. For substitution, modern block ciphers use one or more substitution boxes (S-Boxes). Certain criteria and design principles are fulfilled and followed for the construction of a good S-Box. In this paper, an innovative technique to construct substitution-boxes using our cubic fractional transformation (CFT) is presented. The cryptographic strength of the proposed S-box is critically evaluated against the state of the art performance criteria of strong S-boxes, including bijection, nonlinearity, bit independence criterion, strict avalanche effect, and linear and differential approximation probabilities. The performance results of the proposed S-Box are compared with recently investigated S-Boxes to prove its cryptographic strength. The simulation and comparison analyses validate that the proposed S-Box construction method has adequate efficacy to generate efficient candidate S-Boxes for usage in block ciphers.


Introduction
Cryptography helps individuals and organizations to protect their data. For this purpose, different symmetric and asymmetric ciphers have been designed. Symmetric ciphers possess simplicity and efficiency, and consume fewer computational resources as compared to asymmetric ciphers. Symmetric ciphers have two major categories as stream and block ciphers [1]. A stream cipher encrypts the plaintext in bit-by-bit fashion. On the other hand, a block cipher encrypts a plaintext block of a fixed size consisting of many bits simultaneously. Mostly, block ciphers are used for internet communication whereas stream ciphers are used in situations where computational resources are limited or efficiency is not the main concern.
A block cipher is particularly useful to achieve data confidentiality, which is one of the cryptography goals. It is considered as one of the most widely used tools for the provision of data security [2]. The most modern and popular symmetric ciphers, like AES, DES, Blowfish, RC2, RC5, and IDEA, are all block ciphers. Block ciphers are easily implemented, more general, and cryptographically stronger as compared to the stream ciphers [3]. Most of the block ciphers use either the Feistel structure or the substitution and permutation operations. Block ciphers based on the Feistel structure divide the plaintext block into two or more parts and perform different operations on these parts. DES, Blowfish, Camellia, Kasumi, RC5, TEA, 3DES, RC6, etc. are some example block ciphers that use the Feistel structure. Another type of popular block cipher is termed the substitution-permutation network (SPN) [4]. These ciphers convert plaintext blocks using sub-keys and different numbers of plaintext/ciphertext. The right 4-bits choose the S-Box and the left 4-bits act as the input to the S-Box. The authors also suggested a variation by dividing the 8-bits of the plaintext/ciphertext in two non-equal size parts and accordingly the size of the S-box and number of S-Boxes could be determined. This design of dynamic S-Box achieves the non-linear confusion and hence the cryptanalysis of the ciphertext becomes very difficult. Similarly, LiCi is a lightweight block cipher that uses the Feistel structure and active S-Boxes and is suitable for both software and hardware platforms, especially when energy is the main constraint [20]. It shows good resistance against many cryptanalytic attacks.
One of the desirable properties of modern block ciphers is the avalanche effect [21]. This property requires that a 1-bit change in key or the plaintext should produce substantial changes in the ciphertext. If the value of the avalanche effect is very small (at least 50% of the ciphertext bits are not changed), the block cipher is weak and cryptanalysis of the ciphertext becomes easy. The proposed cipher in [22] using a dynamic S-Box shows a good avalanche effect compared to the standard AES when a single bit is changed in the plaintext or the key. Shi et al. [23] analyzed in detail the avalanche effect of the AES S-Box and concluded that both S-Boxes of AES have a good avalanche effect. The authors in [21] analyzed five symmetric ciphers and concluded that AES has the highest avalanche effect. Mahmoud et al. [24] proposed a modification to generate an S-Box to be used for AES having a 128-bits key. The authors compared the correlation factor, avalanche effect, and time efficiency of the standard AES and the proposed one. The value of the correlation factor was between −0.3 and 0.3, which shows that the standard AES and proposed cipher have no dependence. The avalanche effect of the S-Box proposed in [24] has values between 0.41 and 0.61, which makes it resistant against linear and differential cryptanalysis. However, the standard AES is more efficient. Mar et al. [25] proposed three methods to evaluate and analyze the SAC of a given S-Box. These methods are very simple and check whether the given S-Box has an avalanche effect, possesses completeness, and is strong enough against cryptanalysis. Adams et al. [26] described an efficient process to generate S-Boxes, which possess the cryptographic properties of bijection, SAC, BIC, NL, etc. The authors also proved that a small change in the input guarantees nonlinearity and the inverse S-Boxes also fulfill the evaluation criteria. The generated S-Boxes are prospective contenders for SPN block ciphers.
Chaotic cryptography is among the most interesting areas in the field of information security in the recent era as the chaotic systems possess the property of randomness [27]. Many researchers have used chaos to design ciphers with good cryptographic strength. Garg et al. [28] analyzed different techniques to design an S-Box and concluded that S-Boxes designed using a chaotic approach demonstrate good cryptographic strength. The authors in [29] proposed some chaotic map-based block ciphers using a different approach and then showed that the proposed ciphers were resilient to different attacks. Ahmad et al. [30] designed an efficient S-Box using the chaos and travelling salesman problem and analyzed its performance against cryptographic standards. The results indicate that the proposed S-Box is more effective when compared to its counterparts. The authors in [31][32][33][34][35] proposed strong S-Boxes based on the combination of chaotic maps and other different algorithms. The evaluation of the cryptographic performance of these S-Boxes against NL, SAC, BIC, etc. revealed that hyperchaotic systems are stronger than chaotic ones. Peng et al. [36] and Solami et al. [37] devised methods to generate an S-Box using a hyperchaotic system. The resultant S-Boxes demonstrate a good response to cryptographic properties, like BIC, SAC, DP, etc. The suggested methods have the capability to generate a huge number of S-Boxes.
Another popular area in cryptography is DNA computing, which is being considered as a possible solution to the design of resilient ciphers. Kadhim et al. [38] and Al-Wattar et al. [39] proposed efficient S-Boxes using DNA computing, analyzed the security of the proposed ciphers using different criteria, and showed that the ciphers passed the test criteria. Many other researchers have used DNA computing to design and propose block ciphers, such as [40][41][42][43].
Ciphers using S-Boxes highly depend on the security of the S-Boxes. Thus, the identification of a tool to evaluate and find an S-Box with high security that can also assist in the design of efficient S-Boxes is considered critical. Wang et al. [44] developed a software tool to analyze and test the performance of S-boxes. The software tool supports the design of good block ciphers. Albermany et al. [45] suggested random block cipher (RBC). It uses a master key of a length of 128 bits and 64 bits plaintext. Eight sub-keys are generated from the master key. The size of each sub-key is 16 bits. A bijective function, a new S-box, and binary operations are employed in this cipher. Thirty-two S-boxes are used and the length of the ciphertext is 128 bits. It is able to encrypt a large amount of plaintext data very efficiently. Many other authors have contributed to the design of various S-Boxes using different techniques. Tran et al. [46] proposed an S-Box using graph isomorphism and showed that their S-Box exhibits the desired cryptographic properties. Coset diagrams are a special type of graph that has real life applications. Razzaq et al. [47] used the coset diagram to propose a new S-Box, evaluated its strength against cryptanalysis, and showed that the results were promising. Novel techniques of cryptanalysis reveal that there are still some scarcities in the existing ciphers [48]. To provide better security, the complexity of a cipher is increased and as a result the efficiency of the respective cipher decreases. The authors proposed an efficient and more secure block cipher, which uses operations, like linear and non-linear mixing, by employing S-Box, capsulation, etc. for confusion and diffusion effects.
Linear fractional transformation (LFT) is another area which helps in the generation of better S-Boxes. Farwa et al. [49] proposed a modest and proficient algorithm to generate an S-Box based on LFT. The authors analyzed the strength of their S-Box against cryptographic properties, like SAC, BIC, NL, LP, DP, etc. The authors in [50][51][52] proposed efficient algorithms to design good S-Boxes based on LFT and the projective general linear group on Galois field, respectively. The proposed S-Boxes showed good performances when compared with other existing S-Boxes. Many researchers have exposed the cellular automata field to propose S-Boxes [53,54]. Authors have shown that their S-Boxes have good strength when critically analyzed.
The techniques and methods for the generation of S-Boxes presented in the literature are either suitable for the creation of static S-boxes or are very complicated and time-consuming. Static S-Boxes have their own limitations and weaknesses. These S-Boxes may help attackers in the cryptanalysis of the captured ciphertext and hence they may reach the original plaintext. On the other hand, the methods presented in the literature that generate dynamic and key-dependent S-boxes are very complex and less efficient. Thus, the need for a simple and efficient method to generate dynamic S-Boxes exists.
In this paper, a novel design method for the construction of efficient S-Boxes for block ciphers is proposed. The following considerations were kept in mind while designing the proposed S-Box: • An S-box that helps in the security enhancement of the block cipher and resists cryptanalysis; • An S-Box that is simple to construct; • An S-Box that is generated dynamically using sub-keys; • An S-Box that fulfills the most needed S-Box criteria, like NL, SAC, BIC, LP, DP, etc.
The method proposed in this paper for the construction of an S-Box is an innovative one and is quite different from the approaches presented in the literature. A cubic fractional transformation is proposed for the construction of strong S-Boxes. After the S-Box was designed, a performance analysis was performed to show its strength. The proposed S-Box demonstrated a very good cryptographic strength when compared with other recently designed S-Boxes. The results indicated that the proposed S-Box is a good choice for block ciphers.
The structure of the rest of the paper is as follows. Section 2 of this paper presents the design architecture of the proposed S-Box. The performance evaluation of the proposed S-Box against its cryptographic properties is discussed in Section 3 and a comparison is made with some S-boxes. Section 4 concludes the research paper.

Proposed Substitution Box
Modern block ciphers employ byte substitution to replace a complete byte (one element) of a matrix with another complete byte using the substitution box (S-Box). Generally, the design of an S-Box involves nonlinear mapping, which results in bijection. Many researchers have designed S-Boxes that are cryptographically strong using such mappings. One such mapping is linear fractional transformation (LFT), which was exhaustively explored for the construction of the S-boxes [49][50][51][52]. However, the process of generating these S-Boxes using LFT is very complicated and time consuming.
In this paper, we extend the idea of LFT and construct our new transformation to generate an S-Box using another nonlinear mapping method in a simple and efficient way. We call this extended transformation cubic fractional transformation (CFT). A cubic fractional transformation is a function of the form: where, Z = {0, 1, . . . . . . , 2 n − 1}, both α and β are not 0 at the same time, and α(z) 3 + β = 0 is used to construct the n × n S-box. The nonlinear nature of CFT stimulates its usage in byte substitution. The procedure to generate the proposed S-Box for n = 8 is illustrated in Figure 1. transformation (LFT), which was exhaustively explored for the construction of the S-boxes [49][50][51][52]. However, the process of generating these S-Boxes using LFT is very complicated and time consuming.
In this paper, we extend the idea of LFT and construct our new transformation to generate an S-Box using another nonlinear mapping method in a simple and efficient way. We call this extended transformation cubic fractional transformation (CFT). A cubic fractional transformation is a function of the form: where, Z = {0, 1, …..., 2 n − 1}, both α and β are not 0 at the same time, and α(z) 3 + β ≠ 0 is used to construct the n × n S-box. The nonlinear nature of CFT stimulates its usage in byte substitution. The procedure to generate the proposed S-Box for n = 8 is illustrated in Figure 1.

Cryptographic Properties of the Proposed S-Box
In this section, we analyze our method and S-Box given in Table 1 against widely accepted standard S-Box performance criteria to gauge its cryptographic strength.

Bijection
A function, f : X → Y , is bijective if and only if ∀ y∈Y , ∃ a unique x ∈ X, such that f (x) = y.

Nonlinearity
An S-Box operation should not be a linear mapping of an input to an output as it weakens the strength of any cipher. A high value of non-linearity provides resistance against linear cryptanalysis. The nonlinearity of an n-bit Boolean function, f, is calculated as [55,56]: where, W f (z) = Walsh spectrum of the coordinate Boolean function, f, which is measured as: Here, t.z is the dot product of t and z in bit-by-bit fashion and z ∈ {0, 1} n . The nonlinearity values, NL(f ), of the Boolean functions of our S-Box are given in Table 2.  Table 3 and Figure 2 give a comparison between the nonlinearity values of the proposed S-box and various other S-Boxes. It is obvious from Table 3 and Figure 2 that our S-Box has a greater capability for diluting the linearity, making the linear cryptanalysis very challenging.  f8 NL(f) 106 106 106 108 108 108 108 106 Table 3 and Figure 2 give a comparison between the nonlinearity values of the proposed S-box and various other S-Boxes. It is obvious from Table 3 and Figure 2 that our S-Box has a greater capability for diluting the linearity, making the linear cryptanalysis very challenging.

Strict Avalanche Criterion (SAC)
Webster et al. [65] introduced strict avalanche criteria as the important property for strong S-boxes. This property states that a single bit change in the input should change half of the output bits. An SAC value nearer to 0.5 is considered adequate. An S-Box should exhibit a strict avalanche effect to have good randomness. Table 4 provides the SAC values of our S-Box and it is obvious that the average SAC value of the proposed S-Box is equal to 0.5. This result indicates that our S-Box satisfies the SAC property very well.

Strict Avalanche Criterion (SAC)
Webster et al. [65] introduced strict avalanche criteria as the important property for strong S-boxes. This property states that a single bit change in the input should change half of the output bits. An SAC value nearer to 0.5 is considered adequate. An S-Box should exhibit a strict avalanche effect to have good randomness. Table 4 provides the SAC values of our S-Box and it is obvious that the average SAC value of the proposed S-Box is equal to 0.5. This result indicates that our S-Box satisfies the SAC property very well.

Bit Independence Criterion (BIC)
The authors in [65] introduced this criterion. According to this criterion, if an input bit, x, is inverted; this changes the output bits, y and z, independently. For greater security, efforts are made to decrease the dependence between output bits. If a given S-Box satisfies the BIC, all the component Boolean functions possess high nonlinearity and meet the SAC [65]. Tables 5 and 6 demonstrate the possible values of nonlinearity and the SAC for the component Boolean functions of the proposed S-Box.  Considering the nonlinearities and SAC, the average BIC values are 103.5 and 0.5, respectively. If a given S-Box is non-linear and demonstrates the SAC, it fulfills BIC [26]. These values are an indication of a very week linear relationship between the output bits and hence fully justify the BIC of the proposed S-box.

Linear Probability
Modern block ciphers are designed to create as much diffusion and confusion of the bits as possible for the security of data and provide a shield against different approaches that cryptanalysts adopt to obtain the plaintext. Mostly, this is achieved by S-Boxes, which provide nonlinear transformations. If an S-Box is designed with a low linear probability (LP), it is a very good cryptographic tool against linear cryptanalysis.
The linear probability of an S-Box is calculated using the following equation [56]: where, A x and B x represent the input and output masks, respectively and Z = {0, 1, . . . ., 255}.
The maximum value of LP of our S-box is only 0.156, and thus our S-Box provides good resistance against linear cryptanalysis.

Differential Uniformity
Differential cryptanalysis is one of the most commonly used methods to reach the plaintext. Here, the differences in the original message (plaintext) and the differences in the ciphertext are obtained. The pairing of these differences may help reach some of the key values. To defy differential cryptanalysis, a small value of differential uniformity (DU) for a given S-Box is required. Differential uniformity is calculated as [56]: where, ∆x and ∆y are the input and output differentials, respectively. An S-box with smaller differentials is better at repelling differential cryptanalysis. Table 7 shows the differential uniformity values of the proposed S-box. The proposed S-box has a maximum value of DU as 10 and its count is only 7. So, the differential probability (DP) is 0.039. These smaller values of DU and DP provide evidence that the proposed S-Box has good resistance against differential cryptanalysis.     Table 8 shows the performance comparison of our S-Box with other S-Boxes based on the cryptographic properties. Our findings are:

Performance Comparison
• A high value of non-linearity provides resistance against linear cryptanalysis [55]. The average nonlinearity of the proposed S-Box is superior to the rest of the S-Boxes in Table 8. This results in decent confusion and makes the proposed S-box resilient against linear cryptanalysis. • An SAC value near 0.5 (the perfect value for SAC) is the ultimate goal of every S-Box designer. Any S-Box with a lesser value of differential probability is more resilient against differential cryptanalysis. The DP value of our S-Box is 0.039, which is better than the DP values of nine other S-Boxes and equal to the DP values of two other S-Boxes as shown in Table 8. This value of DP reflects the strength of our S-Box.

•
To defy linear cryptanalysis, a smaller value of LP for a given S-Box is desired by S-Box designers. The LP value of our S-Box is 0.156. Due to this small value, we can say that our S-box is resistant to linear cryptanalysis. From the above comparison it is evident that our S-Box fulfills the most needed S-Box criteria and benchmarks, like SAC, BIC, NL, LP, DP, etc., and hence possesses better cryptographic strength.

Conclusions
In this paper, we proposed a new transformation and suggested a novel method to construct efficient S-Boxes using cubic fractional transformation. The security strength of the proposed S-Box was studied using different standard criteria. The simulation results were in accordance with other relevant S-Boxes, rationalizing the performance of our S-Box method. The performance of our S-Box was good in most of the cases when compared with other recent S-Boxes. In particular, the scores of the SAC, BIC, nonlinearity, LP, and DP of the proposed S-Box provide evidence for it as a new alternative in the S-Box design domain. The promising results of the proposed S-Box analysis make it a potential candidate for usage in modern-day block ciphers. It is worth mentioning that our method is the first to explore the cubic fractional transformation for S-Box construction. Stronger S-boxes using cubic fractional transformation, like the proposed S-Box, are expected to emerge for usage in practical systems for secure communication.