S-box Construction Based on Linear Fractional Transformation and Permutation Function

: Substitution boxes (S-box) with strong and secure cryptographic properties are widely used for providing the key property of nonlinearity in block ciphers. This is critical to be resistant to a standard attack including linear and di ﬀ erential cryptanalysis. The ability to create a cryptographically strong S-box depends on its construction technique. This work aims to design and develop a cryptographically strong 8 × 8 S-box for block ciphers. In this work, the construction of the S-box is based on the linear fractional transformation and permutation function. Three steps involved in producing the S-box. In step one, an irreducible polynomial of degree eight is chosen, and all roots of the primitive irreducible polynomial are calculated. In step two, algebraic properties of linear fractional transformation are applied in Galois Field GF (2 8 ). Finally, the produced matrix is permuted to add randomness to the S-box. The strength of the S-box is measured by calculating its potency to create confusion. To analyze the security properties of the S-box, some well-known and commonly used algebraic attacks are used. The proposed S-box is analyzed by nonlinearity test, algebraic degree, di ﬀ erential uniformity, and strict avalanche criterion which are the avalanche e ﬀ ect test, completeness test, and strong S-box test. S-box analysis is done before and after the application of the permutation function and the analysis result shows that the S-box with permutation function has reached the optimal properties as a secure S-box.


Introduction
With the rapid growth of digital communication and data exchange, there is hence an urgent need for the protection of data that is sensitive and confidential. The cryptographic encryption algorithms can be categorized as symmetric encryption algorithms and asymmetric encryption algorithms. The most well-known symmetric encryption algorithms are the Advanced Encryption Standard (AES) and Data Encryption Standard (DES) [1]. The DES was originally developed by International Business Machines (IBM) and later on adopted as a standard by the United States in 1977. The use of DES has now been withdrawn. The use of DES is permitted only as a component function of Triple DES (TDES) [2]. In 2001, the National Institute of Standards and Technology (NIST) announces the Rijndael cipher as a standard of AES. From 2001 until now AES has been successfully applied as a standard not only in the United States but also worldwide. The key size of any encryption algorithms is important for determining the strength of the algorithms. Thus, AES has the flexibility to have three keys that are 128 bits, 192 bits, and 256 bits.
The foundation of modern cryptography by Claude Shannon indicates that two properties that a good cryptosystem should have are confusion and diffusion [2]. An important component in cryptographic algorithms that provide confusion by the non-linear component is the S-box. In most

Related Work
Shannon has suggested two methods for a cryptographic algorithm to be resistant to cryptanalysis attacks. These methods are called confusion and diffusion [6]. The method of confusion in the cryptographic algorithm is to complicate the relationship between the ciphertext and symmetric key, meanwhile, the idea of diffusion is to hide the relationship between the ciphertext and the plaintext. The simplest way to achieve both confusion and diffusion in the cryptographic algorithm is to use a substitution function and permutation function. The most difficult step in verifying the strength of a cryptographic algorithm against cryptanalysis is the selection of cryptographically secure S-box. Therefore, understanding the design and properties of an S-box for applications in the encryption algorithm is essential [7]. Researchers have been challenged by the improved efficiency of the S-Box to develop confusion ability in the block cipher.
In literature, there are several methods and tools implemented for the construction of cryptographically powerful S-boxes. It is an extremely required property for S-box to demonstrate a good resistance towards linear and differential cryptanalysis [8,9]. The linear cryptanalysis is a known-plaintext attack based on finding an affine approximation to the action of a cipher which connects in one expression for some bits of the randomly chosen plaintext and fixed key [10]. By collecting known plaintext and ciphertext pairs the attack can try to guess the value of bits key, as more plaintext and ciphertext pairs are collected the guessing will become more reliable. Differential cryptanalysis is a process that analyzes the effect of different in plaintext pairs on the resulting pairs of ciphertext. Such differences can be used to assign probabilities and to identify the most likely key. Using the resulting ciphertext pairs this approach typically works on many pairs of plaintexts that have the same particular difference.
Mohamed et al. have suggested several properties to be present in an S-box to be able to resist various cryptanalytic attacks [11]. An S-box that has a majority of these properties offers greater security. To be considered as cryptographically strong and secure, an S-box requires high nonlinearity, low differential uniformity, high algebraic degree, balancing, low linear approximation, high algebraic complexity, and low/no fixed and opposite fixed points. An S-box has high nonlinearity will offer greater resistance to linear cryptanalysis [12]. AES uses extremely nonlinear S-box for the encryption and decryption processes in its various rounds. S-box of the AES is operating independently on each byte of the input, this S-box is invertible and developed by assembling two transformations: multiplication inverse and affine transformation [4]. In [13], Jie et al. have proposed an improved Symmetry 2020, 12, 826 3 of 16 of AES S-box by changing the affine transformation and adding an affine transformation. The other research that improved AES S-box is changing the complexity of the algebraic expression increases from 9 to 255 and preserve the existing irreducible polynomial, affine transformation matrix, and affine constant with the ability to resist against differential cryptanalysis invariable. Another research on constructing the S-box that caught attention is the S-box structure namely Affine-Power-Affine [3]. The S-box structure named Affine-Power-Affine aimed to increase the algebraic expressions term of AES S-box which is simple.
In [14], Mamadolimov et al. have proposed to develop an S-box from power and binomial functions over the finite field and the resulting S-box has Differential Uniformity (DU) 8 and Nonlinearity (NL) 102. This method has been extended and improved by expending the range of the power function into trinomial and including the addition and multiplication as the manipulation techniques [15]. The obtain S-box has improved the analysis results to DU 4 and NL 108. Zahid and Arshad proposed the cubic polynomial mapping to produce an 8 × 8 S-box. The tested strength of the S-box shows the maximum value of NL is 108 [16].
Construction of the S-box using linear fractional transformation has been introduced by [17][18][19]. The proposed S-box has been structured by a simple and direct algorithm with a single step function. The strength analysis shows that the S-box fits the criteria for cryptographically strong and is protected against differential and linear cryptanalysis.
In this work, we have applied the method in constructing the S-box that involves the technique of linear fractional transformation. Then applied permutation function to increase the non-linear properties of this S-box. Security analysis is done to the S-box before and after the application of the permutation function to observe the effectiveness of permutation function in increasing the security of the S-box.

Nonlinearity
The function of an S-box is to contribute nonlinearity properties to the encryption algorithm. To test how resistant an S-box is against this, the nonlinearity properties will be measure using this nonlinearity test [20][21][22][23]. The nonlinearity of a Boolean function is defined as the hamming distance between the function and the set of all affine functions. For the linearity criteria, the hamming distance should be minimum in which the NL parameter must be between 100 < NL ≤ 120 otherwise the S-box is vulnerable to linear cryptanalysis. It is also defined as there is no linear mapping between the input and output vector of the S-box. The nonlinearity of the S-box is calculated by creating the Boolean functions, f, and then applying Walsh Hadamard transformation (WHT) to test the correlation between linear functions and the Boolean functions. The larger the degree of the polynomial, n, makes it difficult to compute the nonlinearity.
The nonlinearity is formulated as:

Algebraic Degree
High algebraic degree (AD) is a property of a secure S-box where the higher is the algebraic degree, the better is the S-box. The higher the degree of a function, the greater the complexity of its algebraic and possible to resist to low approximation attack [24]. Preferable measurement of AD ≥ 4 is suggested to resist higher-order differential cryptanalysis. Consider a function f {0, 1} n → {0, 1} n , where n denotes the degree. The Algebraic Normal Form (ANF) is the representation of the Boolean where the coefficients a i ∈ {0, 1} form the elements of the truth table of the ANF of f (x). The algebraic degree is defined as the number of variables having a non-zero coefficient in the largest product term of the ANF function. In addition, the algebraic degree of an N-variable balanced Boolean function cannot exceed N-1 to satisfy AD < N.

Differential Uniformity
The S-box DU table provides details about the block cipher's security against differential cryptanalysis [25]. DU is defined as a test to examine the different pairs of input an S-box. The difference uniformity table compiled a complete XOR data for an S-box. Each element of the table shows the difference value of the output corresponding to the difference value of the input, observed the DU that shows the highest value. An S-box would be in the range of 2 ≤ DU ≤ 6, else the S-box is vulnerable to differential cryptanalysis.

Strict Avalanche Criterion
Strict Avalanche Criterion is the S-box testing method that was proposed by Mar and Latt [26]. The method highlighted three main properties which are avalanche effect, completeness, and strong function. Definitions of each property are described as follows:

Avalanche Effect
A function exhibits the avalanche effect if and only if an average of one-half of the output bits change whenever a single input bit is complemented.

Completeness
A function is complete if and only if each output bit depends on all the input bits. Thus, if it is possible to find the simplest Boolean expression output bit in terms of the input bits, each of these expressions would have to contain all of the input bits if the function is complete.

Strong SBox
An S-box is considered strong if and only if each of its output bits should change with a probability of one half whenever a single complemented.

Linear Fraction Transform
Linear fraction transformation [27][28][29] is also known as the Mobius transformation [20] is expressed as where a, b, c, and d belong to the given GF and it satisfies the condition ad − bc 0. Galois field (GF), also known as the finite field, contains a fixed number of elements. In a finite field GF(M n ) mathematical operations are applied to the data which is represented as a vector. A field has two operations, additions and multiplications. In the cryptographic encryption, M is chosen as 2. AES used the GF 2 8 . In this field, the elements are represented by bytes (8 bits) which are referred to as a polynomial with coefficients. The polynomial of each element has a degree n-1. GF 2 8 is expressed in the form of an irreducible polynomial as

Permutation Function
The permutation [30] is a rearrangement of the elements of function f from a set D into a set C is a map with first input from D and output from C such that each element of D has a unique output.
The function is onto if for each element c ∈ C, it is true that there is a d ∈ D with f(d) = c. A function that is both one-to-one and onto is called a bijection or a one-to-one correspondence. The number of permutations on a set of N elements is given by N!

Constructions of S-Box
To design an S-box, we utilized an algebraic property of linear fractional transformation and its application on GF (2 n ) where n = 8 having elements from 0 to 255. By using the properties of GF 2 8 , the produced S-box will be composed of 256-bit of elements. In AES, S-box is constructed based on the degree 8 irreducible polynomial P(y) = x 8 + x 4 + x 3 + x + 1 . In [17], P(y) = x 8 + x 6 + x 5 + x 4 + 1 is used as the generating polynomial. The chosen irreducible polynomial for construction of the S-box is P(y) = x 8 + x 4 + x 3 + x 2 + x + 1. Any degree 8 irreducible polynomial from the list given in Table 1 can be used for constructing GF 2 8 S-box, however, the choice of the polynomial may get different S-boxes with different algebraic and statistical properties.  x The first step of S-box construction is using an algebraic methodology for GF 2 8 , which is defined as  Table 2. This linear transformation will produce a 16 × 16 matrix by having elements from GF 2 8 which is given in Table 3. Table 2. Calculation of image f(z). The last step is to apply permutation as in Table 4 to the matrix ( Table 3). The resulting S-box is shown in Table 5.
The proposed S-box is constructed with the technique of linear fractional transformation and permutation function. The idea of added permutation function is to increase the non-linear properties of this S-box. Therefore, the security analysis is done to the S-box before and after the application of the permutation function to observe the effectiveness of the permutation function in increasing the security of the S-box. Figure 1 shows the block diagram of the proposed method for the construction of the new S-box.  The proposed S-box is constructed with the technique of linear fractional transformation and permutation function. The idea of added permutation function is to increase the non-linear properties of this S-box. Therefore, the security analysis is done to the S-box before and after the application of the permutation function to observe the effectiveness of the permutation function in increasing the security of the S-box. Figure 1 shows the block diagram of the proposed method for the construction of the new S-box.

Results and Discussion
To obtain the S-box with proper confusion creating potency, we use a few commonly used analyses such as nonlinearity test, algebraic degree, differential uniformity, and strict avalanche

S-box analysis
Comparison of the analysis result

Results and Discussion
To obtain the S-box with proper confusion creating potency, we use a few commonly used analyses such as nonlinearity test, algebraic degree, differential uniformity, and strict avalanche 6.1. Nonlinearity Test Figure 2 shows the process that has been carried out to find the nonlinearity of S-box which is referred to linear cryptanalysis technique. Input all possible S-box values and evaluate the corresponding output values, the number of cases which hold true is finally observed.
Symmetry 2020, 12, x FOR PEER REVIEW 8 of 16 Figure 2 shows the process that has been carried out to find the nonlinearity of S-box which is referred to linear cryptanalysis technique. Input all possible S-box values and evaluate the corresponding output values, the number of cases which hold true is finally observed. The nonlinearity test is done to the S-box before and after the application of the permutation function. The result shows that the NL value of the S-box before the permutation function is 95, which is vulnerable to linear cryptanalysis. The NL value of the S-box after permutation function is 112, thus it is not susceptible to a linear cryptanalysis attack. The results of this NL value show that the added permutation function has contributed to increasing the nonlinear properties to the S-box. Figure 3 shows the NL analysis result for S-box after the permutation function. These bar charts represent the number of vectors (axis-y) corresponding to a specific value of the NL parameter (axis-x). Table 6 shows the results of the S-boxes nonlinearity test before the permutation function and with added permutation function. 6000 7000

Start
Step 1: S-box Step 2: Count number of cases holds true Step The nonlinearity test is done to the S-box before and after the application of the permutation function. The result shows that the NL value of the S-box before the permutation function is 95, which is vulnerable to linear cryptanalysis. The NL value of the S-box after permutation function is 112, thus it is not susceptible to a linear cryptanalysis attack. The results of this NL value show that the added permutation function has contributed to increasing the nonlinear properties to the S-box. Figure 3 shows the NL analysis result for S-box after the permutation function. These bar charts represent the number of vectors (axis-y) corresponding to a specific value of the NL parameter (axis-x). Table 6 shows the results of the S-boxes nonlinearity test before the permutation function and with added permutation function.
The nonlinearity test is done to the S-box before and after the application of the permutation function. The result shows that the NL value of the S-box before the permutation function is 95, which is vulnerable to linear cryptanalysis. The NL value of the S-box after permutation function is 112, thus it is not susceptible to a linear cryptanalysis attack. The results of this NL value show that the added permutation function has contributed to increasing the nonlinear properties to the S-box. Figure 3 shows the NL analysis result for S-box after the permutation function. These bar charts represent the number of vectors (axis-y) corresponding to a specific value of the NL parameter (axis-x). Table 6 shows the results of the S-boxes nonlinearity test before the permutation function and with added permutation function.  Table 6 shows the results of the S-boxes algebraic degree analysis. The result indicates that the algebraic degrees of output-bit functions for S-box before permutation function and S-box after permutation function are all equal to 7. The algebraic degree of the S-box

S-Box before Permutation Function S-box after Permutation Function
Nonlinearity Test 95 112 Algebraic degree 7 7 Difference uniformity 8 4 Table 6 shows the results of the S-boxes algebraic degree analysis. The result indicates that the algebraic degrees of output-bit functions for S-box before permutation function and S-box after permutation function are all equal to 7. The algebraic degree of the S-box GF(2) 8 → GF(2) 8 has reached the maximum: n − 1. The result of this algebraic degree shows that both S-box with or without permutation function has reached the optimum and maximum value which is 7, therefore the permutation function has not effected in the algebraic degree test.

Differential Uniformity
The process of this analysis is similar to the differential cryptanalysis method as depicted in Figure 4. The result shows that the DU value of the S-box before permutation function is 8 (as shown in Table 7), which is vulnerable to cryptanalysis. The DU value of the S-box after permutation function is 4 (as shown in Table 7) thus it is not susceptible to attack. Table 6 shows the results of the S-boxes differential uniformity test before and after the added permutation function. The results have shown that the added permutation function has contributed to improving the DU value to the S-box. The process of this analysis is similar to the differential cryptanalysis method as depicted in Figure 4. The result shows that the DU value of the S-box before permutation function is 8 (as shown in Table 7), which is vulnerable to cryptanalysis. The DU value of the S-box after permutation function is 4 (as shown in Table 7) thus it is not susceptible to attack. Table 6 shows the results of the S-boxes differential uniformity test before and after the added permutation function. The results have shown that the added permutation function has contributed to improving the DU value to the S-box.

Strict Avalanche Criterion
Strict avalanche criterion test uses Hamming Weight for Frequency Analysis to evaluate if the S-box satisfies the property of Avalanche, completeness, and strong S-box.

Avalanche Effect
A function demonstrates the effect of an avalanche if an average of one-half of the output bits shift each time a one input bit is added. Various Hamming Weight Frequency Analysis is used to decide whether it matches Avalanche's properties. This method aims to track the total number of changes in a bit at each output. Output values were chosen to which two inputs correspond. Use the

Start
Step 1: S-box

Strict Avalanche Criterion
Strict avalanche criterion test uses Hamming Weight for Frequency Analysis to evaluate if the S-box satisfies the property of Avalanche, completeness, and strong S-box.

Avalanche Effect
A function demonstrates the effect of an avalanche if an average of one-half of the output bits shift each time a one input bit is added. Various Hamming Weight Frequency Analysis is used to decide whether it matches Avalanche's properties. This method aims to track the total number of changes in a bit at each output. Output values were chosen to which two inputs correspond. Use the XOR function to measure the differential value of these two outputs and obtain the differential value for the hamming. Repeat the above steps for the appropriate test count. The frequency of different differential values at each output was evaluated by counting 1s. The process of the avalanche effect test is shown in Figure 5. XOR function to measure the differential value of these two outputs and obtain the differential value for the hamming. Repeat the above steps for the appropriate test count. The frequency of different differential values at each output was evaluated by counting 1s. The process of the avalanche effect test is shown in Figure 5. If the frequency of testing result graph shows normal distribution shape (bell shape), the S-box satisfies the avalanche effect property. Figures 6 and 7 show the result of hamming weights and frequency for S-box before and after the permutation function, respectively. From this result, the graph shows a normal distribution shape. It is verified that both S-box appeared to satisfy the avalanche effect property.  If the frequency of testing result graph shows normal distribution shape (bell shape), the S-box satisfies the avalanche effect property. Figures 6 and 7 show the result of hamming weights and frequency for S-box before and after the permutation function, respectively. From this result, the graph shows a normal distribution shape. It is verified that both S-box appeared to satisfy the avalanche effect property. If the frequency of testing result graph shows normal distribution shape (bell shape), the S-box satisfies the avalanche effect property. Figures 6 and 7 show the result of hamming weights and frequency for S-box before and after the permutation function, respectively. From this result, the graph shows a normal distribution shape. It is verified that both S-box appeared to satisfy the avalanche effect property.

Completeness
A function is considered complete only if all bit of output depends on every bit of the input. Thus, if the simplest Boolean expression for output bit in terms of the input bits is possible to be found, all of these Boolean expressions would have to include all the input bits when the function is completed. Process of the completeness test as shown in Figure 8.

Completeness
A function is considered complete only if all bit of output depends on every bit of the input. Thus, if the simplest Boolean expression for output bit in terms of the input bits is possible to be found, all of these Boolean expressions would have to include all the input bits when the function is completed. Process of the completeness test as shown in Figure 8.
If the frequencies of the hamming weight of differential output are uniformly distributed, the result shows the completeness property. Figure 9 is the result of the S-box before the permutation function, the graph is not uniformly distributed. Therefore, it is shown that the frequencies of differential output are random. Figure 10 is the result of the S-box after the permutation function, the graph is uniformly distributed. Therefore, it is verified that the S-box after permutation function appeared to satisfy the completeness property.

Completeness
A function is considered complete only if all bit of output depends on every bit of the input. Thus, if the simplest Boolean expression for output bit in terms of the input bits is possible to be found, all of these Boolean expressions would have to include all the input bits when the function is completed. Process of the completeness test as shown in Figure 8. If the frequencies of the hamming weight of differential output are uniformly distributed, the result shows the completeness property. Figure 9 is the result of the S-box before the permutation function, the graph is not uniformly distributed. Therefore, it is shown that the frequencies of differential output are random. Figure 10 is the result of the S-box after the permutation function, the graph is uniformly distributed. Therefore, it is verified that the S-box after permutation function appeared to satisfy the completeness property.

Start
Step 1: S-box

Strong S-Box
An S-box is deemed strong only if each of its output bits changes with a probability of one-half when complemented by a single one. Process of the strong S-box test as shown in Figure 11.

Strong S-Box
An S-box is deemed strong only if each of its output bits changes with a probability of one-half when complemented by a single one. Process of the strong S-box test as shown in Figure 11. Symmetry 2020, 12, x FOR PEER REVIEW 13 of 16 If the frequencies of the hamming weight of differential output according to the bit position are uniformly distributed, the result shows the strong S-box property. If the frequency is random, the tested S-box is considered poor. Figure 12 shows the result of the S-box before the permutation function is not uniformly distributed. Figure 13 shows the graph is a uniform distribution shape. Therefore, it is verified that the S-box after the permutation function appeared to satisfy the strong Sbox property.   If the frequencies of the hamming weight of differential output according to the bit position are uniformly distributed, the result shows the strong S-box property. If the frequency is random, the tested S-box is considered poor. Figure 12 shows the result of the S-box before the permutation function is not uniformly distributed. Figure 13 shows the graph is a uniform distribution shape. Therefore, it is verified that the S-box after the permutation function appeared to satisfy the strong S-box property. If the frequencies of the hamming weight of differential output according to the bit position are uniformly distributed, the result shows the strong S-box property. If the frequency is random, the tested S-box is considered poor. Figure 12 shows the result of the S-box before the permutation function is not uniformly distributed. Figure 13 shows the graph is a uniform distribution shape. Therefore, it is verified that the S-box after the permutation function appeared to satisfy the strong Sbox property.   If the frequencies of the hamming weight of differential output according to the bit position are uniformly distributed, the result shows the strong S-box property. If the frequency is random, the tested S-box is considered poor. Figure 12 shows the result of the S-box before the permutation function is not uniformly distributed. Figure 13 shows the graph is a uniform distribution shape. Therefore, it is verified that the S-box after the permutation function appeared to satisfy the strong Sbox property.   The result of the strict avalanche criterion analysis is shown in Table 8. Table 8. Results of the S-boxes strict avalanche criterion analysis.

Conclusions
In this paper, we approach the problem of designing the S-box using linear fractional transformation and next trying to add the permutation function. we compare the result of the S-box that is constructed using linear fractional transformation and S-box with permutation function. The analysis of the S-boxes is based on algebraic attacks. The result shows that the S-box constructed by linear fractional transformation with the addition of permutation function produces a better S-box analysis result. The proposed S-box has satisfied the security properties of cryptographically strong S-box.
However, this S-box has not been implemented in any block cipher to analyses the security of the whole cipher. A block cipher will be chosen to be modified to use the proposed S-box and given a comparison between the original algorithm and the proposed algorithm for future studies. The comparison shall also include the implementation computational for performance analysis.