Construction Method and Performance Analysis of Chaotic S-Box Based on a Memorable Simulated Annealing Algorithm

: The substitution box (S-box) is the only nonlinear components in the symmetric block cipher. Its performance directly determines the security strength of the block cipher. With the dynamic characteristics degradation and the local periodic phenomenon of digital chaos, and the security problems caused by them becoming more and more prominent, how to efﬁciently generate an S-box with security guarantee based on chaos has gradually attracted the attention of cryptographers. In this paper, a chaotic S-box construction method is proposed based on a memorable simulated annealing algorithm (MSAA). The chaotic S-box set is produced by using the nonlinearity and randomness of the dynamic iteration of digital cascaded chaotic mapping. The composite objective function is constructed based on the analysis of the performance indexes of S-box. The MSAA is used to efﬁciently optimize the S-box set. The matrix segmentation and scrambling operations are carried out on the optimized S-box. The cryptographic performance of chaotic S-box is tested and analyzed, and compared with the mainstream chaotic S-box of the same kind. The results show that the S-box constructed in this paper can not only stably and efﬁciently generate chaotic S-box with better performance, but also make an effective exploration of the construction of chaotic S-boxes based on intelligent algorithms.


Introduction
The block cipher is an important branch of cryptography, which can be used not only to encrypt information directly, but also as an effective means to construct hash functions and digital signatures [1][2][3]. The block cipher has been widely applied to the field of information security because of high speed, easy standardization, and convenience for hardware and software implementation. S-box is the only nonlinear component in the symmetric block cipher. Its performance directly determines the security strength of the block cipher. Therefore, the construction of a secure and efficient S-box has become one of the key factors in the design of the block cipher [4][5][6].
In traditional cryptography, Advanced Encryption Standard (AES) uses algebraic methods to construct the S-box. Although high nonlinearity can be obtained because there are only nine algebraic formulas, its structure is too simple and the affine transformation period and iterative output period are too short, so the differential performance is relatively weak and it is difficult to resist algebraic attacks [7,8]. Meanwhile, the AES uses static S-box, and its form content is both public and unchanged, which is easy to be analyzed and utilized by the deciphers. Chaos is a deterministic, random-like process in nonlinear dynamic systems.With the deepening of S-box research and the development of chaos theory, dynamic S-box is constructed based on nonlinearity, randomness, initial sensitivity and unpredictability of chaos to realize information confusion, which has been gradually recognized by cryptographers and has made considerable development [9][10][11][12][13][14]. The inherent characteristic of the chaotic system provides a good foundation for constructing the S-box. However, the performance of S-box may be unstable due to the degradation of dynamic characteristics and local periodic phenomenon of digital chaos, so there are some security risks. With the dynamic characteristics degradation and the local periodic phenomenon of digital chaos, and the security problems caused by them becoming more and more prominent, the efficient generation of the chaotic S-box with security guarantees remains to be further studied.
In recent years, intelligent algorithms have been widely developed. Their feasibility and superiority in solving optimization problems have gradually attracted the attention of cryptographers, and have also provided a new idea for constructing the chaotic S-box. A design method of S-box based on chaos and genetic algorithm is proposed in the literature [15]. The crossover mutation of genetic algorithm is used to generate the chaotic S-box with better nonlinearity. The performance of generated S-box would be easily affected by the dynamic characteristics degradation of digital chaos. A construction method of S-box based on chaos and firefly algorithm is proposed in the literature [16]. The firefly algorithm is adopted to optimize the generated chaotic S-box set, but the construction efficiency is not high. The convergence time of the algorithm is long, and the performance is also restricted by the chaotic S-box set. A design scheme for constructing high nonlinear chaotic S-box based on genetic algorithm is proposed in the literature [17], which takes nonlinearity as the only optimization objective leads to little improvement in other cryptographic performances of the chaotic S-box.
Compared with the exhaustive search algorithm, the heuristic algorithm can use some of the searched information to change its own search strategy. If the parameters are set properly, the search efficiency of the heuristic algorithm is more efficient than the exhaustive algorithm [18,19]. MSAA is an improvement of the traditional simulated annealing algorithm (SAA). It can overcome the "forgetfulness" in the process of optimization by memorizing the optimal solution currently encountered. Thus, MSAA improves the efficiency and accuracy of global optimal search, which is especially suitable for solving combinatorial optimization problems. Compared to other heuristic algorithms, MSAA is a probabilistic local search method. It can efficiently find the approximate optimal solution of the problem due to its asymptotic convergence [20]. In this paper, the chaotic S-box set is generated iteratively by digital cascaded chaotic mapping, and the composite objective function is constructed based on the analysis of the S-box performance index. The MSAA is used to efficiently optimize the chaotic S-box set, which can not only obtain the S-box with relatively better cryptographic performance, but also ensure the stability of the S-box security performance. Meanwhile, the chaotic S-box obtained by optimization is transformed by matrix segmentation and scrambling operations to get rid of the performance restriction of the chaotic S-box set, and further enhance the cryptographic performance of the chaotic S-box.
The rest of this paper is as follows: the second section introduces the digital cascaded chaotic mapping. The third section describes the MSAA. The fourth section introduces a design scheme of chaotic S-box based on MSAA. The fifth section analyzes the evaluation indexes and experimental results of S-box performance. The sixth section gives the conclusions of this paper.

Chaotic System
Chaos is a deterministic, random-like phenomenon in nonlinear dynamic systems. This process is aperiodic, non-convergent but bounded and extremely sensitive to initial values [21]. In order to design a secure and efficient chaotic S-box, the application of chaotic systems should follow the following principles. One is that the selected chaotic system should be easy to implement and have efficient iteration, the other is that it can overcome the local periodic problem of the digitization process of the chaotic system. With the dynamic characteristics degradation and the local periodic phenomenon of digital chaos, the security problems caused by them become more and more prominent. The cryptographers are committed to the study of mathematical chaotic models with excellent performance, simple structure, and easy implementation, so that they can better play the chaotic characteristics in the construction of S-box.
To improve the pseudo-random performance and dynamic characteristics of digital chaotic sequences, a digital cascaded chaotic mapping has been proposed in the literature [22] based on one-dimensional discrete chaotic mappings Logistic and Tent. The iterative output of Logistic chaotic mapping is used as the iterative input of Tent chaotic mapping, and the iterative output of Tent chaotic mapping is used as the input of the next iteration of Logistic chaotic mapping. Then, the one-dimensional discrete chaotic mapping equation after cascading is In Equation (1), system parameter µ ∈ (0, 2), initial value x n ∈ (0, 1), substituting the real-valued chaotic sequence generated by cyclic iteration into Equation (2) for digital quantization. Then, the digital cascaded chaotic sequence can be obtained: In Equation (2), take a = 2 7 , T n ∈ [0, 255] , which exactly corresponds to the unsigned integer range represented by 8 bits.
The studies have shown that digital cascaded chaotic mapping has efficient iteration and is easy to implement. The mapping has higher complexity, larger parameter space, and stronger initial value sensitivity. A large number of pseudo-random sequences with excellent performance and the great difference can be obtained by tiny changes in initial values and system parameters. The S-box is constructed by using the nonlinearity and randomness of the dynamic iteration of the digital cascaded chaotic mapping. The construction method is simple to operate but can effectively enhance the confusion effect, thus providing a reliable guarantee for the security and efficiency of the S-box construction.

Optimization Process of MSAA
The traditional SAA jumps out of the local optimal solution through "probability judgment" and tends to the global optimal [23,24]. However, this method may also cause the algorithm to ignore the optimal solution currently encountered. It is difficult to ensure that the final solution must be the global optimal solution. The MSAA proposed by literature [25] can memorize the optimal solution encountered in the search process. When the search process is over, the searched optimal solution is compared with the memorized optimal solution, and the better one is taken as the final result. The accuracy of the optimization result would be further improved. Since the time required to realize the memory function is extremely short, the MSAA still has high search efficiency.
As shown in Figure 1, the optimization process of the MSAA is illustrated as follows: Step 1. In the solution space, set the initial solution S 0 , the initial temperature T 0 , the minimum temperature T min , the number of iterations L for each T value, and calculate the objective function f 0 of the initial solution S 0 . The attenuation function of temperature T is T k+1 = α · T k , where α ∈ (0,1), k = 0, 1, · · · , n.
Step 2. A new solution S * is randomly generated near the initial solution S 0 , and the objective function f * of the new solution S * is calculated.
Step 3. f * is compared with f 0 . If f * is better than f 0 , that is, ∆ f = f * − f 0 ≥ 0, then accept the new solution S * and assign S * and f * to S 0 and f 0 , respectively. Otherwise, memorize the current optimal solution S 0 , and accept the new solution S * according to the probability of Mctropolis criterion. The Mctropolis criterion takes ∆ f and temperature T as input, and the output is the acceptance probability between 0 and 1. Its expression is Step 4. If the number of iterations L is reached, it is judged whether the termination criterion is met. When the temperature is lower than the minimum temperature or the memorized optimal solution has no changes for multiple consecutive times, then the optimization search is terminated. Otherwise, return to step 2.
Step 5. If the number of iterations L is reached and the termination criterion is met, the searched optimal solution is compared with the memorized optimal solution, and the better one is output as the result. Otherwise, decrease the temperature, reset the number of iterations, and return to step 2.

Construction Method of Chaotic S-Box
As shown in Figure 2, the iterated digital cascaded chaotic sequence is traversed and screened to generate the set of chaotic S-boxes. The set is optimized by MSAA to obtain the chaotic S-box with excellent performance. Then, the chaotic S-box obtained is segmented and scrambled to generate the final chaotic S-box. The specific construction process is described as follows: Step 1. Set the initial conditions of the digital cascaded chaotic mapping, that is, µ = 1.999, x n = 0.76, and the iterative operation is performed.
Step 2. The iterative interval of digital cascaded chaotic mapping is evenly divided into 256 intervals D i (i = 0, 1, · · · , 255). If the iterative output T n exists in the interval D i , the corresponding T n value is saved and the iteration continues; if T n does not exist in the interval D i or has already been saved, the T n value is not saved and the iteration continues until 256 intervals have been traversed.
Step 3. The outputs Y n are arranged line-by-line in the order of generation and converted into a table of 16 × 16, which is the constructed 8 × 8 S-box. By slightly changing the initial value, the set of chaotic S-boxes can be obtained through the dynamic iteration of the digital cascaded chaotic mapping.
Step 4. Set the initial conditions of the MSAA, the initial temperature is T = 100, the lowest temperature is T min = 0, the number of iterations for each T value is L = 10. In the generated chaotic S-box set, one S-box is randomly selected as the initial solution S 0 , other chaotic S-boxes encountered during the optimization process of MSAA will be used as new solution S * . The objective function of new solution f * would be compared with the objective function of initial solution f 0 . Since the nonlinearity and difference uniformity are the two most important performance indexes to measure the security performance of S-box, a composite objective function is constructed as In Equation (4), N f is the nonlinearity of the S-box, δ f is the difference uniformity of the S-box. The greater the nonlinearity of the S-box and the smaller the difference uniformity, the better its security performance. Therefore, the larger the composite objective function F(s) , the better the cryptographic performance of the S-box. Based on the constructed composite objective function, the MSAA is used to efficiently optimize the set of chaotic S-boxes, and a chaotic S-box with excellent cryptographic performance would be obtained.

Nonlinearity
Comprehensive analysis of existing research shows that the design of an S-box usually has five criteria: nonlinearity, difference uniformity, strict avalanche criterion (SAC), bit independence criterion (BIC), and bijectivity. The larger the nonlinearity value of the S-box, the stronger its ability to resist linear cryptographic attacks.
Although the S-boxes used in block ciphers are all presented in the form of tables, their essence is a nonlinear combination function of multiple inputs and multiple outputs mapping from F n 2 to F m 2 . A n × m S-box can generally be represented as S : {0, 1} n → {0, 1} m , which is composed of m n-bit Boolean functions f i (x 1 , x 2 , · · · , x n ), i = {1, 2, · · · , m}, that is, S(x) = ( f 1 (x 1 , x 2 , · · · , x n ), f 2 (x 1 , x 2 , · · · , x n ), · · · , f m (x 1 , x 2 , · · · , x n )). (11) Let Boolean function f (x) : F n 2 → F m 2 , x = (x 1 , x 2 , . . . , x n ), w = (w 1 , w 2 , . . . , w n ), x ∈ F n 2 , w ∈ F n 2 , and the dot product of x and w be defined as Then, the first-order Walsh cyclic spectrum of an n-ary Boolean function f (x) is defined as For the convenience of calculation, the nonlinearity of f (x) represented by the Walsh cyclic spectrum is defined as For the 8 × 8 chaotic S-box constructed in this paper, the Walsh cyclic spectrums output by eight Boolean functions are substituted into Equation (14), respectively. In turn, the nonlinearity values can be obtained. As shown in Table 2, the three chaotic S-boxes generated by the method of this paper are marked as S 1 -box, S 2 -box, and S 3 -box, the nonlinearities of which are all above 104 and the average values are 108, 108, and 107.5, respectively. The three chaotic S-boxes randomly generated based on the the digital cascaded chaotic sequence in this paper are marked as S 4 -box, S 5 -box, and S 6 -box, the average values of their nonlinearities are 103, 108, and 106.5, respectively. Through comparison, it can be seen that the method of this paper can overcome the instability of the S-box performance caused by the dynamic characteristics degradation and the local periodic phenomenon of digital chaos. At the same time, compared with other chaotic S-boxes generated based on intelligent algorithms, the chaotic S-box proposed has better and more stable nonlinear characteristics and can effectively resist the best linear approximation attack.

Difference Uniformity
Differential analysis is one of the most effective attacks of block ciphers. In order to measure the ability of a cipher to resist the differential analysis, the concept of difference uniformity has been introduced. The differential analysis mainly realizes the attack through the imbalance of the input/output XOR distribution. If the S-box has an equal probability of input/output XOR distribution, it can effectively resist the differential analysis.
In practice, the input/output XOR distribution of f (x) is generally described by difference approximation probability In Equation (15), DP f means the maximum probability that the output difference is ∆y when the input difference is ∆x. X represents the set of all possible inputs of x, and 2 n is the number of all elements in the set X. The smaller the value of the difference approximation probability DP f of S-box, the stronger its ability to resist differential attacks.
For the given input difference ∆x = 0, 1, 2, · · · 255, calculate x to take all possible values and maximum number for ∆y = 0, 1, 2, · · · 255 in turn. Then, the table of final difference uniformity distribution can be obtained. As shown in Table 3, the maximum of the input and output difference of the chaotic S 1 -box in this paper is 10. As shown in Table 4, the difference approximation probabilities of the three chaotic S-boxes generated by the method of this paper are all 3.9062%. The difference approximation probabilities of the three chaotic S-boxes randomly generated based on the cascaded chaotic sequence in this paper are 4.6875%, 3.9062%, and 3.9062%, respectively. Through comparison, it can be seen that the method of this paper can overcome the instability of the S-box performance caused by the dynamic characteristics degradation and the local periodic phenomenon of digital chaos. At the same time, compared with other chaotic S-boxes generated based on intelligent algorithms, the chaotic S-box proposed has better and more stable difference approximation probabilities, indicating that it has excellent and stable ability to resist differential attacks [28].  Table 4.
Comparison of DP f .

Strict Avalanche Criterion
In order to resist the attack method based on relatively large change in the output caused by the input change, the SAC is proposed in the literature [29]. Half of the output result would be changed if one input bit is changed, and the construction of a correlation matrix to judge whether f (x) meets the SAC. Each element value a ij of the correlation matrix represents the correlation strength between the i bit of the ciphertext and the j bit of the plaintext. If the values of each element of the correlation matrix are all close to 0.5, it can indicate that f (x) meets the SAC. The correlation matrix of the chaotic S 1 -box generated by the method of this paper is shown in Table 5, as shown in Table 6, the average values of the correlation matrix of the three chaotic S-boxes in this paper are 0.5007, 0.5007, and 0.5008, respectively, which are all closer to 0.5. The SAC performances of the three chaotic S-boxes randomly generated based on the cascaded chaotic sequence in this paper are 0.4836, 0.5012, and 0.5048, respectively. Through comparison, it can be seen that the method of this paper can overcome the instability of the S-box performance caused by the dynamic characteristics degradation and the local periodic phenomenon of digital chaos. At the same time, compared with other chaotic S-boxes generated based on intelligent algorithms, the chaotic S-box proposed has better and more stable SAC performance.   Table 6. Comparison of the average values of the correlation matrix.

Bit Independence Criterion
The BIC is one of the essential analysis elements in the design of the S-box. For the Boolean functions f i (x) and f j (x)(i = j, 1 ≤ i, j ≤ n) between any two output bits of the S-box, if the S-box meets the BIC-nonlinearity, f i (x) ⊕ f j (x) should meet the characteristics of nonlinearity. If the S-box meets BIC-SAC, f i (x) ⊕ f j (x) should meet the SAC.
As shown in Table 7, the nonlinearity value of f i (x) ⊕ f j (x) of the chaotic S 1 -box is larger, indicating that it meets the characteristics of nonlinearity. As shown in Table 8, the values of each element of the correlation matrix of f i (x) ⊕ f j (x) of the chaotic S 1 -box are all close to 0.5, indicating that it meets the SAC. As shown in Table 9, the BIC-nonlinearity average values of the three chaotic S-boxes generated by the method of this paper are 104.21, 104.21, and 104.20, respectively, the BIC-SAC average values of the three chaotic S-boxes are 0.5012, 0.5012, and 0.5011, respectively. The BIC-nonlinearity averages of the three chaotic S-boxes randomly generated based on the cascaded chaotic sequence in this paper are 101.90, 104.21, and 103.53, respectively, and the BIC-SAC averages are 0.4954, 0.5016, and 0.5038, respectively. Through comparison, it can be seen that the method of this paper can overcome the instability of the S-box performance caused by the dynamic characteristics degradation and the local periodic phenomenon of digital chaos. At the same time, compared with other chaotic S-boxes generated based on intelligent algorithms, the chaotic S-box proposed has better and more stable BIC.   [15] 103.86 0.5034 Ref. [16] 104.35 0.4982 Ref. [17] 104.07 0.5021 Ref. [26] 104.21 0.5016 Ref. [27] 103.18 0.4992
The standard value of bijectivity of an S-box is 128. It can be seen from the calculation that the sums of linear operations of the Boolean function of each component of the chaotic S-box in this paper are all 128 and have different output values between [0,255], so bijectivity is satisfied.

Implementation Efficiency
The S-box construction should also consider implementation performance. The experiment is performed on a computer whose central processing unit (CPU) is Intel Core i5-6200 2.4 GHz (Manufacturer location: Santa Clara, California, USA). The function simulation of S-box is carried out on ModelSim-Altera SE 6.6d (Manufacturer location: Santa Clara, California, USA) software using Verilog HDL, and the execution time is about 0.050 s. Under the same conditions, the execution time for SubBytes of AES is 55.067 s. The calculation of SubBytes transformation is obtained by taking the inverse of the multiplication in GF(2 8 ) and performing affine transformation. Generally speaking, the SubBytes transformation is often implemented in look-up-tables (LUT). The execution time of LUT implementation is 0.059 s. Therefore, the required storage space by the method in this paper is less than by LUT and SubBytes of AES.
The hardware is realized by using the storage blocks integrated within field programmable gate array (FPGA) to generate LUT. The target device is Altera Cyclone III EP3C16F484C6 (Manufacturer location: San Jose, CA, USA). The Altera Quartus II 11.0 software is used for a logic synthesis test of the designed S-box. As shown in Table 10, the chaotic S-box proposed consumes 73 logic elements (LEs), and the highest clock frequency is 192.93 MHz. Compared with the typical LUT-based S-boxes and logic circuits of the SubBytes in AES, the chaotic S-box proposed has less area consumptions and higher clock frequency.

Conclusions
A construction method of chaotic S-box based on MSAA is proposed in this paper. The dynamic iteration of the digital cascaded chaotic mapping is used to generate the chaotic S-box set, which effectively alleviates the adverse effect of the dynamic characteristics degradation of digital chaos on the security performance of the S-box. The construction of the composite objective function and the application of the MSAA improve the accuracy and efficiency of the optimization of the chaotic S-box set. The matrix segmentation and scrambling operations are adopted to further enhance the confusion of chaotic S-box, which makes it get rid of the restriction of the performance of the chaotic S-box set. The chaotic S-boxes constructed by this method are tested and analyzed for five cryptographic performances, and compared with other chaotic S-boxes generated based on intelligent algorithms. The results show that the method proposed in this paper can stably and efficiently generate chaotic S-boxes with better cryptographic performance, thus providing a reliable security guarantee for its application.