A Novel Method for Constructing the S-Box Based on Spatiotemporal Chaotic Dynamics

A novel construction method for a random S-box by using the spatiotemporal nonlinear chaotic system is proposed. The chaotic sequences of the spatiotemporal chaotic system are applied to construct an initial S-box. Then, the permutation operation between independent chaotic sequences is performed to shuffle the elements of the S-box randomly. In comparisons with the former schemes, the results of the performance analysis indicate that the obtained S-box has a better output bit independence criterion and a stronger ability to resist linear password attacks. It also has a high dimensional feature due to the spatiotemporal chaotic dynamical behaviors. The proposed scheme holds superior cryptographic features.


Introduction
With the development of communication technology [1][2][3][4], encryption algorithms for data transmission security have attracted extensive attention. Block encryption algorithms play an important role in modern cryptographic systems. The substitution box (S-box) has been widely employed in many block cryptosystems; for instance, Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), and Advanced Encryption Standard (AES). S-box provides a chaotic effect for the cryptosystem, and its security strength determines the security strength of the whole cryptosystem. Hence, S-box is an important nonlinear component for the security of cryptographic schemes.
Currently, strong S-boxes have received intensive attention. Many S-box construction methods have been proposed [5-22]. In the literature, S-boxes should resist differential and linear attacks [5-9]. A new construction method for S-box was proposed in [10], which relies on exhaustive search, but the large values of n in the construction method result in it being time consuming. Recently, the theory of chaos has been broadly used for designing S-boxes due to the inherent features of the chaotic map; for instance, random-like behaviors and sensitivity to initial conditions. Jakimoski and Kocarev [11] constructed secure S-boxes using exponential and logistic chaotic maps. Amigó et al. [12] proposed a chaos-based approach to the design of cryptographically-secure substitutions. Tang et al. [13] designed 8 × 8 S-boxes using logistic and Baker chaotic maps. Chen et al. [14] presented an extended method for constructing S-boxes by the use of the Chebyshev map and the 3D Baker map. An effective and dynamic method for constructing the S-box was developed by using the tent map in [15]. Özkaynak and Özer [16] developed a generation method for S-boxes by using the random-like behaviors of the
1. We choose the Non-adjacent Coupled Map Lattices (NCML) [28] spatiotemporal chaos system for constructing the S-box. It has more dynamical features than the traditional CML [29] and the logistic map, such as better randomness, more chaotic sequences, and no periodic windows. Moreover, it can resist the degradation of finite precision computation due to its high dimensional feature, which can increase the randomness of elements in the S-box. Additionally, the NCML chaotic system has been used in secure communication schemes due to its cryptographic features [30,31];
2. Since the chaotic sequences generated by the NCML system are independent, we apply these independent chaotic sequences to implement the permutation and shuffle of the S-box, which can improve its BIC property and ability to resist linear password attacks;
3. In the comparisons with the former schemes, the simulation and experimental results prove the superior properties of the proposed scheme. This scheme shows that the combination of the spatiotemporal chaotic system and S-box is a recommended approach for encryptions.
The rest of this paper is organized as follows. Section 2 introduces and analyzes the NCML spatiotemporal system and the cryptographic features of its dynamical behaviors. Section 3 explains the construction process of the proposed S-box. Section 4 verifies the randomness of the constructed S-box. Section 5 analyzes the performance of the constructed S-box. Section 6 gives the concluding remarks.
Different from the CML chaotic dynamics, the coupling method of the NCML chaotic system is non-adjacent. The NCML system [28] is presented as: where m, n are also the lattices (1 ≤ m, n ≤ N) and the relations of l, m, n satisfy the Arnold cat map expressed by: The NCML system has good chaotic features when the parameters µ, b, and d are assigned with proper values.
(1) Lyapunov exponents evaluate the divergence of nearby orbits and provide a qualitative view of the dynamical system. If a system has at least one positive Lyapunov exponent, the system is chaotic. The Lyapunov exponent of each lattice in the NCML system is positive, and between 0.0203 and 0.4351. This means that the NCML system's dynamics are more complicated, which can resist the degradation under finite precision computation in modern computers.
(2) In the bifurcation diagram of the NCML system, there is no periodic window, as shown in Figure 1a. By contrast, there are periodic windows in the bifurcation diagram of the CML system, as shown in Figure 1b. Therefore, the NCML system is more suitable for cryptography than the CML system because it has no periodic windows.
(3) The chaotic trajectory of the NCML system is as random as that of the CML system, as shown in Figure 2. The random chaotic sequences are suitable for the construction of a random S-box.
(4) The NCML chaotic system has very small mutual information values between chaotic trajectories.
Mutual information can be used to evaluate the independence of two chaotic trajectories (named s1 and s2), which is defined as: The lower value of mutual information of s1 and s2 means the higher independence of chaotic trajectories. As shown in Figure 3b, most of the mutual information values are equal to zero, which indicates that most of the chaotic trajectories generated by the NCML chaotic system are independent and cannot be recovered by other trajectories. For the CML chaotic system, its mutual information values between chaotic trajectories are indicated in Figure 3a. It can be noted that the NCML chaotic system holds smaller mutual information values between chaotic trajectories than the CML chaotic system. The independent chaotic trajectories are suitable for cryptography because they cannot be restored by other trajectories.

The Proposed Method for Constructing the S-Box
To improve the BIC property of the S-box and its ability to resist linear password attacks, we propose a novel construction method for the S-box by using the NCML chaotic dynamics. A new sequence is constructed based on one of N chaotic sequences generated by the NCML system. Then, this sequence is sorted in ascending order, and another new sequence is obtained based on the sorted position of each element. Finally, the new sequence is reconverted to a matrix, and all the elements of the matrix are permuted by using N independent chaotic sequences. This permutation operation based on independent chaotic sequences helps to improve the BIC property of the obtained S-box and its ability to resist linear password attacks. Moreover, the high dimensional feature of the NCML system helps to increase the randomness of elements in the obtained S-box. The detailed construction procedures of our S-box are listed below.
Step 5. We get the values of u and v by: where h, k ∈ [1,16] and the relations of h, k, p, q satisfy the Arnold cat map expressed by:
Step 6. With the help of Equation (6), we swap the values of S(h, k) and S(u, v).
S is the final S-box. The whole construction process is illustrated by Figure 4.
[Figure 4. Flowchart of the construction process. Box labels: Begin; Initial values; Iterate the equation (2); L sequences; Construct a new sequence X; Sort X in ascending order; Obtain an address sequence Z; Permute location; Obtain S-box.]
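An added example (not the authors' code) of the sort-then-permute construction described in this section. The NCML equations and Steps 1 to 4 did not survive on this page, so independent logistic-map orbits stand in for the NCML lattices; the index map in `permute`, the parameter values and the key format are assumptions.

```python
def logistic_orbit(x0, count, mu=3.99, burn_in=500):
    # Stand-in chaotic source (assumption): the paper uses NCML lattices instead.
    x, out = x0, []
    for i in range(burn_in + count):
        x = mu * x * (1.0 - x)
        if i >= burn_in:
            out.append(x)
    return out

def initial_sbox(x0):
    # Sort 256 chaotic values in ascending order; each element's sorted position
    # becomes its S-box value. Ranking indices gives a bijection even if two
    # values tie, which a plain "scale and round" mapping would not.
    seq = logistic_orbit(x0, 256)
    order = sorted(range(256), key=seq.__getitem__)
    ranks = [0] * 256
    for pos, idx in enumerate(order):
        ranks[idx] = pos
    return ranks

def permute(sbox, seeds):
    # Swap S(h, k) with S(u, v), where u and v are read from independent
    # sequences selected per cell by an Arnold-cat-style index map
    # (assumed form; the page's formulas for u, v, p, q are missing).
    seqs = [logistic_orbit(s, 256) for s in seeds]
    s, n = list(sbox), len(seeds)
    for h in range(16):
        for k in range(16):
            p, q = (h + k) % n, (h + 2 * k) % n
            t = 16 * h + k
            j = 16 * int(seqs[p][t] * 16) + int(seqs[q][t] * 16)
            s[t], s[j] = s[j], s[t]          # a swap keeps the table a permutation
    return s

def build_sbox(x0, seeds):
    # Hypothetical key format: one initial value plus one seed per sequence.
    return permute(initial_sbox(x0), seeds)

SAMPLE_SEEDS = [0.12, 0.37, 0.58, 0.91]      # constructed sample key material

if __name__ == "__main__":
    table = build_sbox(0.3141592653, SAMPLE_SEEDS)
    for row in range(16):
        print(" ".join(f"{v:3d}" for v in table[16 * row:16 * row + 16]))
```

Bijectivity holds by construction here: ranking yields a permutation of 0 to 255 and every later step is a swap, so only the remaining five criteria need to be measured.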
The NIST-800-22 test results are listed in Table 2. We find that the 12 tests successfully passed. Moreover, the random excursions test, random excursions variant test, and universal statistical test were not applicable for the proposed S-box. This is because the sequence generated by an S-box only consists of 2048 bits. However, the random excursions test and random excursions variant test require a long sequence consisting of a minimum of 1,000,000 bits [32], and the universal statistical test also requires a long sequence consisting of a minimum of 387,840 bits [32].

Performance Analysis of the Constructed S-Box
Six criteria [13,14,16,21-25] are generally selected to test S-boxes. These are "bijective property, nonlinearity, Strict Avalanche Criterion (SAC), BIC, input/output XOR distribution, and Linear approximation Probability (LP)". For testing the properties of the obtained S-box, we analyzed the above six criteria in detail. We also compared the results of the obtained S-box with those of other S-boxes proposed in [11,13,14,16-25]. Moreover, we also constructed an S-box by using the CML system as we did based on the NCML system and compared the performance of S-boxes based on the two systems.

Nonlinearity
Suppose a Boolean function is $g(x)$. Its nonlinearity $N_g$ [34] can be presented as: where The higher the value of $N_g$, the stronger $g(x)$'s ability to resist linear attacks. Table 3 gives the results of the nonlinearity analysis. The maximum nonlinearity was 108, the minimum 102, and the average 104.5. For the average values of nonlinearity in Table 3, our S-box accords with other S-boxes. Hence, the obtained S-box had good nonlinearity property.
Table 3. The results of the comparison of nonlinearity.

Strict Avalanche Criterion
The work in [5] first introduced the Strict Avalanche Criterion (SAC). If an S-box has the SAC property, each output bit changes with probability one half when a single input bit is complemented. To check the SAC property, we always employed the dependence matrix. For an S-box satisfying the SAC property, all the values in its dependence matrix are close to the optimal value of 0.5.
We can estimate the offsets of the dependence matrix by: where $Q_{r,w}(g) = 2^{-n} \sum_{x \in B^n} g_w(x) \oplus g_w(x \oplus e_r)$, $e_r = [\vartheta_{r,1}\ \vartheta_{r,2}\ \ldots\ \vartheta_{r,n}]^T$, $\vartheta_{r,w} = \begin{cases} 0, & r \neq w \\ 1, & r = w \end{cases}$, and $[\cdot]^T$ denotes the transpose of a matrix. Table 4 shows the obtained dependence matrix. These results were between 0.6406 and 0.4219, and the average value was 0.4980, which was close to the ideal value of 0.5. Moreover, Table 5 analyzes the SAC property of different S-boxes. It can be noted that the mean value of SAC of the obtained S-box is closer to the ideal value 0.5 than that of other S-boxes. Therefore, in comparisons with other S-boxes, the obtained S-box had better SAC performance.

Output Bits Independence Criterion
The work in [5] also proposed the BIC. If an S-box satisfies the BIC property, all the avalanche variables should be pair-wise independent for a certain series of avalanche vectors produced by complementing a single plaintext bit.
For an S-box satisfying the BIC property, its $g_r \oplus g_w$ ($r \neq w$, $1 \le r, w \le n$) should fulfill the nonlinearity and the SAC, where $g_r$ denotes the Boolean function of the S-box. For the obtained S-box, we calculate the nonlinearity and the SAC of its $g_r \oplus g_w$, respectively. The obtained results are listed in Tables 6 and 7. The mean values of BIC-nonlinearity and BIC-SAC of our S-box were respectively 104.64 and 0.5075. This indicates that the obtained S-box fulfilled the BIC performance. Moreover, Table 8 analyzes the BIC property for different S-boxes. It can be noted that the mean value of BIC-SAC of the obtained S-box was consistent with that of other S-boxes, and the mean value of BIC-nonlinearity of the obtained S-box was higher than that of other S-boxes. Therefore, the obtained S-box had better BIC performance than other S-boxes.

The Equiprobable Input/Output XOR Distribution
The work in [7] proposed differential cryptanalysis for an S-box using the imbalances in the input/output XOR distribution table. Output variations can be obtained from input variations. In the differential approximation table, the probability of all the input XOR values was the same as that of all the output XOR values. An S-box should have differential uniformity. To determine the differential uniformity of the obtained S-box, we calculated its differential probability (DP) by: where $2^n$ is a count of all the elements in the S-box and W contains all the input values. The smaller the value of $DP_g$, the stronger the ability to resist differential attacks. Table 9 is the differential approximation table. We can find that the maximum value was 12. This indicates that our S-box has a strong ability to resist differential attacks. Moreover, the maximum DP for different S-boxes is analyzed in Table 10. For the maximum DP, the obtained S-box was consistent with other S-boxes. Hence, the obtained S-box had a good ability to resist differential attacks.
Table 10. The maximum differential probability (DP) analysis of different S-boxes.

Linear Approximation Probability
Matsui [9] initially defined the LP. For an S-box holding the LP property, the value of its LP is the maximum unbalance value, which is presented as: where Z contains all the input values, $2^n$ is a count of all the elements in the S-box, $\gamma_1$ denotes the input mask, and $\gamma_2$ denotes the output mask. The parity of the input bits chosen by the mask $\gamma_1$ is equal to the parity of the output bits chosen by the mask $\gamma_2$. The smaller the value of LP, the stronger the ability to resist linear password attacks. Table 11 gives an analysis of LP for different S-boxes. Compared with other S-boxes, the obtained S-box had a minimum value of LP. Therefore, the obtained S-box had a better ability to resist linear password attacks than other S-boxes.
Table 11. The Linear approximation Probability (LP) analysis of different S-boxes.
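The criteria of this section (bijectivity, nonlinearity, SAC, BIC-nonlinearity, the XOR table maximum and LP) computed directly, as an added example that is not the authors' code. Several of the page's formulas are missing, so the nonlinearity, XOR-table and LP functions use the standard definitions; the sample inputs are the published 4-bit PRESENT S-box and a constructed identity table, and every function takes n as a parameter so the same code applies to an 8 × 8 S-box.

```python
PRESENT = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # sample input

def parity(v):
    return bin(v).count("1") & 1

def nonlinearity(sbox, n, mask):
    # g(x) = parity(mask & S(x)); N_g = 2^(n-1) - max_a |W_g(a)| / 2 (Walsh spectrum).
    # A one-bit mask gives a coordinate function, a two-bit mask gives g_r XOR g_w (BIC).
    size = 1 << n
    walsh = (sum(1 - 2 * (parity(mask & sbox[x]) ^ parity(a & x)) for x in range(size))
             for a in range(size))
    return (size - max(abs(w) for w in walsh)) // 2

def sac_matrix(sbox, n):
    # Q[r][w]: fraction of inputs for which flipping input bit r flips output bit w.
    size = 1 << n
    return [[sum((sbox[x] ^ sbox[x ^ (1 << r)]) >> w & 1 for x in range(size)) / size
             for w in range(n)] for r in range(n)]

def max_xor_count(sbox, n):
    # Largest entry of the input/output XOR table over nonzero input differences.
    size, best = 1 << n, 0
    for dx in range(1, size):
        row = [0] * size
        for x in range(size):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(row))
    return best

def lp(sbox, n):
    # max over nonzero masks of | #{x : g1.x == g2.S(x)} / 2^n - 1/2 |
    size = 1 << n
    return max(abs(sum(parity(g1 & x) == parity(g2 & sbox[x]) for x in range(size)) / size - 0.5)
               for g1 in range(1, size) for g2 in range(1, size))

def evaluate(sbox, n):
    pairs = [(1 << r) | (1 << w) for r in range(n) for w in range(r + 1, n)]
    sac = sac_matrix(sbox, n)
    return {
        "bijective": sorted(sbox) == list(range(1 << n)),
        "nonlinearity": [nonlinearity(sbox, n, 1 << w) for w in range(n)],
        "bic_nonlinearity": [nonlinearity(sbox, n, m) for m in pairs],
        "sac_mean": sum(map(sum, sac)) / n ** 2,
        "max_xor_count": max_xor_count(sbox, n),
        "lp": lp(sbox, n),
    }

if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT), ("identity", list(range(16)))):
        print(name, evaluate(box, 4))
```

The identity table is bijective yet scores zero nonlinearity and the worst possible LP, which is why bijectivity alone says nothing about resistance to linear or differential attacks.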

Conclusions and Future Research
A novel generation method for S-boxes by using the NCML spatiotemporal system is presented in this paper. The high dimensional feature of the NCML system can not only resist the degradation of finite precision computation, but also increases the randomness of the constructed S-box. The randomness of the constructed S-box has been verified by using NIST-800-22 statistical tests. In the proposed method, one of the chaotic sequences generated by the NCML system is employed to construct the initial S-box. Then, the permutation operation using independent chaotic sequences is performed, which improves the BIC and LP properties of the constructed S-box. According to the simulation results and the performance analysis, the obtained S-box meets the six criteria. Hence, the proposed method is effective. Moreover, we also construct an S-box by using the CML system for comparisons. In comparisons with the former S-boxes, the proposed S-box has a better BIC property and a better ability to resist linear password attacks. Hence, the proposed scheme presents superior cryptographic performance. In future practical research work, we intend to apply the proposed method to image encryptions in a parallel process.