An Innovative Design of Substitution-Boxes Using Cubic Polynomial Mapping

Abstract

In this paper, we propose to present a novel technique for designing cryptographically strong substitution-boxes using cubic polynomial mapping. The proposed cubic polynomial mapping is proficient to map the input sequence to a strong 8 × 8 S-box meeting the requirements of a bijective function. The use of cubic polynomial maintains the simplicity of S-box construction method and found consistent when compared with other existing S-box techniques used to construct S-boxes. An example proposed S-box is obtained which is analytically evaluated using standard performance criteria including nonlinearity, bijection, bit independence, strict avalanche effect, linear approximation probability, and differential uniformity. The performance results are equated with some recently scrutinized S-boxes to ascertain its cryptographic forte. The critical analyses endorse that the proposed S-box construction technique is considerably innovative and effective to generate cryptographic strong substitution-boxes.

1. Introduction

Recent technological innovations and their fruitful usage in real life have resulted in an immense growth in the volume of data being communicated. The sensitive nature of data demands for techniques to be developed and measures to protect from misuse. Before transmission, a user’s data must be transformed in such a form that is meaningless to an attacker. Symmetric block ciphers are among the most widely used techniques to fulfill this purpose due to the easy implementation and being the providers of much needed cryptographic strength [1,2]. One popular type of block cipher uses substitution and permutation operations. This type of block cipher transforms an input block of data (plaintext) into a meaningless output block (ciphertext) by using a symmetric key and different number of rounds. Generally, each round performs substitution and permutation processes on the input block of data. A substitution process replaces an input block with another output block using substitution box (S-box) [3]. Advanced Encryption Standard (AES), as an example, is most commonly used symmetric block cipher.

An S-box is a decisive component of recent block ciphers and generates a scrambled ciphertext from the given plaintext. An S-box, being the only nonlinear constituent of modern block ciphers, offers a complex relationship between the plaintext and the ciphertext. This relation is called confusion [4]. Whatever security a block cipher provides is reliant on the confusion in the ciphertext created by an S-box. As a result, many researchers are designing novel S-boxes and evaluating the strength of their respective S-boxes against some typical benchmarks such as bijective-ness, strict avalanche criterion (SAC), nonlinearity, bit independence criterion (BIC), linear and differential probabilities, etc. In [5,6,7], a number of properties have been suggested to be existent in an S-box to be able to resist various cryptanalytic attacks. An S-box possessing most of these properties provides more security.

2. Related Work

In literature, a number of techniques and tools are adopted for synthesis of cryptographically potent Substitution-boxes. L. R. Dragomir et al. [8] projected a technique to build repositories of vigorous and resistant S-boxes which can assist while customizing the block cryptosystems. An S-box having high nonlinearity provides more resistance against linear cryptanalysis [9]. AES employs highly nonlinear S-box in its various rounds for the encryption and decryption processes. Authors in [10,11,12,13] proposed different enrichments to the security presented by AES by optimizing the AES S-box in different aspects. A block cipher having a static S-box employs the unchanged S-box in each round. A static S-box allows the invaders to inspect S-box features, discover its flaws, and eventually get a chance of cryptanalysis of the muddled ciphertext produced by the block cipher [5,14,15]. Due to the limitations of static S-boxes, a large number of researchers have explored the ideas for S-box design such as randomness, dynamicity, and key-dependency. Mostly, a key-dependent and dynamic S-box improves the strength of the respective block cipher. For instance, Marcin Niemiec et al. [16] and K. Kazlauskas et al. [17] used key-dependent S-boxes and proposed methods to produce enormous quantity of strong S-Boxes. Authors [18,19,20,21] proposed key-dependent dynamic S-boxes and analyses show that proposed S-boxes are cryptographically very strong. C. Easttom [22] indicated various inefficiencies like added processing time, etc. and present in key-dependent S-boxes. Authors [23] proposed enhancements in AES by introducing key-dependent S-box.

The avalanche effect is one of the many needed landscapes of today’s block ciphers [24]. This feature of block ciphers necessitates that single bit modification in the plaintext or key should create significant variations in the resulting ciphertext. Small value of avalanche effect indicates a weaker block cipher, and hence the ciphertext produced by such cipher may be a victim of a cryptanalytic effort. Various simple methods proposed in [25] can be used efficiently to calculate SAC and investigate a given S-Box for completeness and cryptographic strength. Authors [24,26] analyzed AES and other S-boxes, evaluated their avalanche effect, and concluded that AES S-boxes have the maximum avalanche effect. Dynamic S-boxes proposed by [27,28] demonstrate respectable avalanche effect as compared to the standard AES S-boxes. Further analysis of the proposed and AES S-boxes reveals that AES and new ciphers are independent of each other and AES has more efficiency.

Chaos is a prevalent spectacle with features of sensitivity, randomness, spread spectrum, periodicity, etc. These chaos topographies make chaotic systems as a choice for the development of modern ciphers and many researchers have used chaos in the design of S-boxes. Authors [29,30,31,32,33,34,35,36,37,38,39] suggested S-boxes based on chaotic map and analyzed these along with the other existing S-box design methods. Analyses disclosed that the proposed S-boxes are strong against different attacks and hence suggest their usage in modern block ciphers. Advanced form of chaos called hyperchaotic is solider than the chaos against cryptanalysis efforts due to its dynamic complexities. Using its strength, authors [40,41,42,43] designed a number of S-boxes based on hyperchaotic concepts while each S-box is very effective bearing the features like SAC, BIC, etc. [44] is another recently designed S-box using chaos and line equilibrium suitable for medical devices, etc.

Many other researchers have designed S-Boxes using several techniques and concepts like graph isomorphism [45], coset diagrams [46], linear fractional transformation [47,48,49,50], etc. Ciphers based on S-box are highly dependent on the security features of the used S-box. A tool is needed to critically analyze an S-box and check its security against some standard criteria. The authors of [51] have developed a program to evaluate the cryptographic performance of any S-box.

In this paper, an efficient technique to construct S-boxes has been suggested. The proposed technique is a pioneering one and diverse from the methods offered in the literature as we have recommended a cubic polynomial mapping and explored it for the design of robust S-Boxes. After the construction of an S-Box, its recital analysis has been carried out to evaluate its cryptographic strength. A comparison with other lately designed S-Boxes inspires about its strength. The analytical results stimulate the usage of the proposed S-Box in modern block ciphers.

The organization of the rest of the paper is as follows. Section 2 offers the design of the proposed S-Box. Performance analysis of the proposed S-Box against cryptographic landscapes is conferred in Section 3 and a comparison is made with some recently designed S-boxes. Section 4 completes the research paper with conclusions.

3. Proposed Substitution-Box Design

Most of the symmetric block ciphers use one or more S-boxes for substitution purpose to bring in the sufficient confusion. An S-box provides the confusion facility between the plaintext and the ciphertext through a nonlinear mapping. The researchers have comprehensively explored such nonlinear mappings to construct S-boxes having different cryptographic strength. However, the process of S-Box construction using these techniques is very complex and inefficient.

We present a very simple and efficient nonlinear mapping to construct strong S-boxes. We call this nonlinear mapping as Cubic Polynomial Mapping (CPM). The proposed cubic polynomial mapping is a function having the following general form:

$$\mathrm{C}\left(\mathrm{t}\right)=\left[{\mathrm{A}\ast \mathrm{t}}^3+\mathrm{B}\right]\left(\mathrm{mod}\left(2^{\mathrm{n}}+1\right)\right)\mathrm{t}\in \mathrm{N}.$$

(1)

where, N = {0, 1, ……, 2ⁿ −1}, mod operation gives the remainder, and both A and B ∈ N – {0} to construct an S-box of size n × n. A cubic polynomial mapping demonstrates a nonlinear behavior and is an inspiration for byte substitution. To ornate the erection of the proposed S-Box by Equation (1), let us have an explicit type of cubic polynomial function as specified in Equation (2). For n = 8, we have N = {0, 1, ……, 2ⁿ −1} = {0, 1, ……, 2⁸ −1} = {0, 1, ……, 255}. One can choose any values for A and B (A, B ∈ N – {0}) to be used in Equation (1). For the sake of an example here, we have chosen A = 69, and B = 100. CPM function C(t) specified in Equation (2) spawns values N – {31} when t ∈ N – {135}. When t = 135, C(t) calculates to 256 ∉ N. To preserve the function C(t) as bijective one, we explicitly describe the value of C(t) for t=135 as habituated in Equation (2). A CPM function C: N → N to generate 8 × 8 S-box is given as:

$$\mathrm{C}\left(\mathrm{t}\right)=\left\{\begin{array}{ll}\left[69{ \ast \mathrm{t}}^3+100\right]\left(\mathrm{mod}257\right)& \mathrm{t}\in \mathrm{N}-\left\{135\right\}\\ 31& \mathrm{t}=135\end{array}\right\}.$$

(2)

This particular cubic polynomial of Equation (2) produces values of our proposed 8 × 8 S-box which are arranged in 16 × 16 matrix as presented in

Table 1. Proposed S-Box.

100	169	138	164	147	244	98	123	219	29	224	190	84	63	27	133
24	114	46	234	64	207	49	4	229	110	61	239	30	105	107	193
6	217	212	148	182	214	144	129	69	121	185	161	206	220	103	12
104	22	180	221	45	66	184	42	54	120	140	14	156	209	73	162
119	101	8	254	225	78	227	58	242	165	241	113	195	130	75	187
109	255	11	48	9	51	74	235	177	57	32	2	124	41	167	145
132	28	247	175	226	43	40	117	174	111	85	253	1	0	150	94
246	249	3	179	163	112	183	19	34	128	201	153	141	65	82	92
252	205	108	118	135	59	47	31	72	166	181	17	88	37	21	197
208	211	106	50	200	199	204	115	89	26	83	160	157	231	25	210
172	68	55	33	159	76	198	168	143	23	222	126	149	191	152	189
202	91	13	125	70	5	87	216	35	215	142	230	122	232	203	192
99	81	38	127	248	44	186	60	80	146	158	16	134	155	236	20
178	96	188	97	237	251	39	15	79	131	71	56	243	18	52	245
240	194	7	93	95	170	218	139	90	228	196	151	250	136	223	154
86	176	67	173	137	116	10	233	171	238	77	102	213	53	36	62

.

4. Performance Results

In this section, we investigate our novel technique and proposed S-box given in Table 1 for broadly established standard S-box performance benchmarks to measure its cryptographic strength.

4.1. Bijectiveness

For two sets X and Y, a function f: X → Y is bijective if and only if it is one-to-one and onto simultaneously. One-to-one mapping requires that each element of set X is matching with just one element of set Y. Onto mapping requires that each element of set Y has distinct pre-image in set X. CPM function C: N → N is bijective as it produces distinct output values for distinct input values having image(C) = N and pre-image(C) = N, where N = {0, 1, …, 254, 255}.

4.2. Strict Avalanche Criterion (SAC)

The SAC criterion [52,53] is an imperative feature for any cryptographic S-box which states that if a single bit is changed in the input, this change should modify half of the output bits. An S-box having a value of SAC closer to 0.5 has decent uncertainty. Dependency matrix providing the SAC values of proposed S-box is given in

Table 2. Dependency matrix for strict avalanche criterion (SAC) values.

0.500	0.469	0.500	0.516	0.547	0.453	0.563	0.469
0.531	0.578	0.453	0.500	0.453	0.484	0.531	0.531
0.531	0.484	0.547	0.531	0.594	0.469	0.516	0.484
0.469	0.531	0.500	0.516	0.453	0.547	0.531	0.516
0.438	0.531	0.406	0.500	0.500	0.453	0.547	0.484
0.563	0.500	0.453	0.500	0.531	0.453	0.468	0.547
0.563	0.516	0.531	0.547	0.469	0.422	0.531	0.531
0.547	0.563	0.438	0.578	0.516	0.516	0.516	0.500

. It is evident from Table 2 that the average SAC value of the S-Box is equal to 0.5. This SAC value is an indication that the proposed S-box gratifies SAC property in a respectable manner.

4.3. Nonlinearity

If an S-box is designed in such a way that it has linear mapping between the plaintext and the ciphertext, it becomes easy to launch a linear cryptanalysis attack on the ciphertext to get the original plaintext. To resist this attack, an S-box must be designed with high nonlinear mapping between its input and output. Equation (3) is used to calculate the nonlinearity of an n-bit Boolean function b(k) as:

$$\mathrm{NL}\left(\mathrm{b}\right)=\frac{1}{2}\left[2^{\mathrm{n}}-\left( \underset{\mathrm{h}\in {\left\{0,1\right\}}^{\mathrm{n}}}{\max }\left|\mathrm{W}{\mathrm{S}}_{\mathrm{b}}\left(\mathrm{h}\right)\right|\right)\right],$$

(3)

where, WS_b(h) = Walsh spectrum of function b, and it is calculated as:

$${\mathrm{WS}}_{\mathrm{b}}\left(\mathrm{h}\right)={\displaystyle \sum }_{\mathrm{k}\in {\left\{0,1\right\}}^{\mathrm{n}}}{\left(-1\right)}^{\mathrm{b}\left(\mathrm{k}\right)\oplus \mathrm{k}.\mathrm{h}},$$

where, h ∈ {0, 1}ⁿ and k.h denotes the dot product of k and h, calculated as:

k.h = (k₁ ⊕ h₁) + … + (k_n ⊕ h_n)

The nonlinearity values of our S-box are 106, 104, 106, 108, 108, 106, 108, and 108 with minimum of 104, maximum of 108, and average of 106.8. The nonlinearities of all eight constituent Boolean functions are also provided in

Table 3. Nonlinearities of constituent Boolean functions of proposed S-box.

Boolean Function	b1	b2	b3	b4	b5	b6	b7	b8
Nonlinearity	106	104	106	108	108	106	108	108

.

In

Table 4. Different S-boxes and the respective nonlinearity values.

S-box Method	Minimum	Maximum	Average
[17]	98	108	102.5
[28]	96	110	104.3
[30]	102	108	105.3
[38]	102	108	105.3
[43]	102	108	104.5
[44]	104	110	106
[48]	98	108	104
[54]	98	108	104
[55]	102	106	104
[56]	102	108	105.3
[57]	100	110	105.5
[58]	104	106	105.3
[59]	100	108	105.7
[60]	100	108	104.8
[61]	94	104	99.5
[62]	96	108	103.5
[63]	100	106	103.3
[64]	84	106	100
[65]	100	108	104.5
Proposed	104	108	106.8

, we make a comparison of proposed S-box and other recent S-boxes with respect to nonlinearity metric. It can be seen that proposed S-box has the right competence to insipid the linearity and thus the linear cryptanalysis is an uphill task for the attacker.

4.4. Bit Independence Criterion (BIC)

According to this criterion [52,53], the inversion of an input bit p modifies output bits q and r without any dependence on each other. An S-box that makes the output bits independent of each other strengthens the security. If an S-box fulfills BIC property, all the constituent Boolean functions of that S-Box own high nonlinearity and also meet SAC very well.

Table 5. Bit independence criterion (BIC) results for nonlinearity.

Boolean Function	b1	b2	b3	b4	b5	b6	b7	b8
b1	-	104	106	106	104	104	102	102
b2	104	-	104	102	108	104	104	100
b3	106	104	-	104	102	104	108	106
b4	106	102	104	-	106	106	100	102
b5	104	108	102	106	-	108	106	100
b6	104	104	104	106	108	-	98	106
b7	102	104	108	100	106	98	-	104
b8	102	100	106	102	100	106	104	-

and

Table 6. BIC results for SAC.

Boolean Function	b1	b2	b3	b4	b5	b6	b7	b8
b1	-	0.502	0.510	0.506	0.500	0.504	0.484	0.477
b2	0.502	-	0.512	0.479	0.510	0.488	0.512	0.518
b3	0.510	0.512	-	0.479	0.520	0.492	0.461	0.500
b4	0.506	0.479	0.479	-	0.504	0.518	0.520	0.467
b5	0.500	0.510	0.520	0.504	-	0.521	0.498	0.510
b6	0.504	0.488	0.492	0.518	0.521	-	0.488	0.512
b7	0.484	0.512	0.461	0.520	0.498	0.488	-	0.504
b8	0.477	0.518	0.500	0.467	0.510	0.512	0.504	-

exhibit the nonlinearity and SAC values for constituent Boolean functions of the proposed S-Box.

It is evident from Table 5 and Table 6 that average nonlinearity and SAC values for BIC are 103.9 and 0.5, respectively. According to [53], if an S-box exhibit nonlinearity and SAC, it fulfills BIC. The obtained scores of 103.9 and 0.5 for proposed S-box clearly indicate an extremely weak linear association among the output bits and thus fully validate BIC of our S-box.

4.5. Linear Probability

The cryptologist of modern block ciphers tries to create ample confusion and diffusion of bits to secure the data against cryptanalytic efforts. Strong S-boxes help in achieving these requirements through nonlinear mapping between input and output. An S-box having low linear probability (LP) indicates higher nonlinear mapping and provides resistance against the linear cryptanalysis. Mathematically, Equation (4) is used to calculate the linear probability of an S-box:

$$\mathrm{LP}=\underset{{\mathsf{\alpha }}_z,{\mathsf{\beta }}_z\ne \mathbf{0} }{\mathbf{max}}\left|\frac{\#\left\{\mathrm{z}\in \mathrm{N}\right|\mathrm{z}·{\mathsf{\alpha }}_{\mathrm{z}}=\mathrm{S}\left(\mathrm{z}\right)·{\mathsf{\beta }}_{\mathrm{z}}\}}{2^{\mathrm{n}}}-\frac{1}{2}\right|.$$

(4)

where, α_z and β_z are the corresponding input and output masks and N = {0,1,…, 255}. Maximum value of LP of our S-box is only 0.140, and thus provides good resistance against linear cryptanalysis.

4.6. Differential Probability

Differential cryptanalysis is considered as a useful tool to grasp the original plaintext. During this effort, variances in the plaintext and the ciphertext are found. The coupling of these variances assists the attackers to attain some part of the key. A low value of differential probability helps in resisting this attack. Differential probability (DP) is calculated as:

$$\mathrm{DP}=\underset{ {∆}_z\ne \mathbf{0}, {∆}_y }{\max }\left[\frac{\#\{\mathrm{z}\in \mathrm{N}|\mathrm{S}\left(\mathrm{z}\right)\oplus \mathrm{S}\left(\mathrm{z}\oplus ∆\mathrm{z}\right)=∆\mathrm{y}}{2^{\mathrm{n}}}\right].$$

(5)

where, Δz and Δy are corresponding input and output differentials. An S-box with smaller differentials is sturdier to deter differential cryptanalysis.

Table 7. Performance comparison of different S-boxes.

S-box Method	Nonlinearity Min. Max. Average			SAC	BIC-NL	LP	DP
[17]	98	108	102.5	0.492	103.3	0.141	0.062
[28]	96	110	104.3	0.497	103.4	0.133	0.047
[30]	102	108	105.3	0.491	103.6	0.133	0.039
[38]	102	108	105.3	0.496	103.8	0.156	0.039
[43]	102	108	104.5	0.498	104.6	0.125	0.047
[44]	104	110	106	0.520	104.2	0.132	0.039
[48]	98	108	104	0.505	103.4	0.133	0.250
[54]	98	108	104	0.507	102.9	0.086	0.047
[55]	102	106	104	0.498	102.9	0.148	0.039
[56]	102	108	105.3	0.502	103.7	0.125	0.047
[57]	100	110	105.5	0.499	106	0.133	0.125
[58]	104	106	105.3	0.504	104.6	0.133	0.039
[59]	100	108	105.7	0.498	104.3	0.109	0.047
[60]	100	108	104.8	0.501	105.1	0.125	0.125
[61]	94	104	99.5	0.516	101.7	0.132	0.281
[62]	96	108	103.5	0.494	103.6	0.152	0.039
[63]	100	106	103.3	0.505	103.7	0.133	0.039
[64]	84	106	100	0.481	101.9	0.180	0.063
[65]	100	108	104.5	0.498	103.6	0.141	0.047
Proposed	104	108	106.8	0.507	103.9	0.140	0.054

shows that the proposed S-box has value of differential probability as 0.054. This small value indicates that the proposed S-Box provides respectable resistance to differential cryptanalytic efforts.

4.7. Performance Comparison

Using cryptographic features, a performance comparison of proposed S-box and other S-boxes is given in Table 7. Our verdicts are given below:

• Our S-box has average value of nonlinearity greater than the other S-boxes in Table 7. As a result, proposed S-box provides good resistance against linear cryptanalysis.
• Table 7 validates that SAC value (0.507) of proposed S-box is very near to ideal value of SAC (0.5). We can say that our S-box is gratifying SAC in a respectable manner.
• It can be observed from Table 5, Table 6 and Table 7 that the BIC value of the proposed S-box is quite good ensuing gratification of the BIC test.
• Differential probability value of proposed S-box is just 0.054. This small value of DP reveals the cryptographic strength of our S-box.
• Proposed S-Box has LP value equal to 0.140. This small value guarantees that our S-box has the potential to confront the linear cryptanalysis.

5. Conclusions

In this paper, using a new nonlinear mapping (cubic polynomial mapping), we have suggested an innovative and simple method to design efficient S-Boxes. Then the proposed S-Box is tested for cryptographic strength using different standard benchmarks. The analysis results are in harmony with the related S-boxes to justify our method. Recital of our S-Box sounds good when we compare it with topical S-boxes. The promising scores of BIC, nonlinearity, SAC, and other criteria of our S-Box reflect its potential candidature for future block ciphers. It is worth declaring that our proposed method is the pioneer one to explore the cubic polynomial mapping for S-Box design. One can expect the emergence of stronger S-boxes for secure transmission of data using cubic polynomial mapping in real life.