On the Pentanomial Power Mapping Classification of 8-bit to 8-bit S-Boxes

Abstract

Substitution boxes, or S-boxes, are one of the most important mathematical primitives in modern symmetric cryptographic algorithms. Given their importance, in the past decades, they have been thoroughly analyzed and evaluated by the academic world. Thus, a lot of desirable characteristics a given S-box should possess have been found. This includes, as much as possible, higher nonlinearity and algebraic degrees as well as, as much as possible, lower values of differential uniformity, autocorrelation and sum of squares indicator values. In this work, we use power mappings over $GF(2^8)$ to generate, enumerate and evaluate all bijective S-boxes yielded by pentanomials of the form $f(x)=x^a+x^b+x^c+x^d+x^e$ given $0<a<b<c<d<e<256$. We find a total of 152,320 different bijective S-boxes, which are further classified into 41,458 different groups in terms of the aforementioned characteristics as well as the number of their fixed points. Having this data, an S-box designer can easily generate a bijective substitution S-box with parameters of their choice. By using pentanomials, we show how we can easily construct S-boxes with cryptographic properties similar to those found in some popular S-boxes like the Kuznyechik S-box proposed by the Russian Federation’s standardization agency as well as the Skipjack S-box proposed by the National Security Agency of the USA.

1. Introduction

Substitution boxes, or S-boxes, are one of the most important algebraic constructions for guaranteeing security in modern symmetric cryptographic algorithms. Being such a critical and significant mathematical structure, in the past decades, S-boxes have been thoroughly researched, analyzed and attacked. Throughout the literature, there are thousands of papers related to possible strategies for S-box construction. Those strategies can be logically divided into four major classes. The first one involves a straight algebraic construction, and an example of this S-box construction method is the well-known Rijndael S-box upon which the famous AES encryption algorithm [1] is based. The second class is based on a heuristic search that starts from a pseudo-randomly generated seed. Some examples of such constructions are the hill climbing method algorithm discussed in [2] and the simulated annealing approach presented in [3]. However, the heuristic routine could start with a highly competitive candidate instead of a pseudo-randomly generated one, which outlines the third construction method. An example of such a construction strategy is the modified immune algorithm proposed in [4]. Lastly, the fourth class is a collection of various hybrid approaches, which includes the generation of chaos-based S-boxes [5], cellular automata-based S-boxes [6] and other strategies that combine the classes above. Nevertheless, all these different strategies are trying to reach optimal or near-optimal S-boxes in terms of predetermined characteristics. The rule of thumb when searching for a secure S-box includes, but is not limited to, high nonlinearity value, low differential uniformity, high algebraic degree and low autocorrelation value.

One algebraic approach for constructing S-boxes with good cryptographic properties is based on power mappings. An enumeration of all 8-bit to 8-bit S-boxes with the trivial power mapping is presented in [7]. They are further classified to different classes by using their linear approximations and differential distribution tables. This method is further extended to higher-power functions like the binomial power functions discussed in [8]. In this work, we present a complete enumeration of all 8-bit to 8-bit S-boxes constructed by pentanomial power functions of the form $f(x)=x^a+x^b+x^c+x^d+x^e$ given $0<a<b<c<d<e<256$, and we further classify the results based on some important cryptographic characteristics. Then, we demonstrate how such a dataset could be utilized for finding power mapping equivalence approximations in terms of nonlinearity, $\delta$-uniformity, algebraic degree and autocorrelation value to achieve the same characteristics as popular S-boxes.

2. Preliminaries

For convenience, throughout this section, we define the set $B=\{0,1\}$.

Definition 1

(Boolean Function). A boolean function $f(x)$ of n variables $x_1,\dots ,x_n$ is a mapping $f:B^n\mapsto B$ from n binary inputs $x=(x_1,x_2,\cdots ,x_n)\in B^n$ to one binary output $y=f(x)\in B$. The binary truth table (BTT) of an n-variable boolean function $f(x)$ is the vector of all the consecutive outputs of the boolean function:

$$[f(x)]=[f(0,0,\cdots ,0),f(0,0,\cdots ,1),\cdots ,f(1,1,\cdots ,1)]$$

The polarity truth table (PTT) of an n-variable boolean function $f(x)$ is derived from the binary truth table. We define the PTT by $[\widehat{f}(x)]=[1-2f(x)]$. By the definition of the polarity truth table, it follows that:

$$f(x)=0\iff \widehat{f}(x)=1; f(x)=1\iff \widehat{f}(x)=-1$$

Example 1.

For example, if we have a boolean function with three variables $y(x_1,x_2,x_3)=x_1{x}_2{x}_3+x_1+x_2{x}_3+x_2+x_3$, then we have the following binary truth table:

$$(False,True,True,False,True,False,True,True)$$

Definition 2

(Algebraic Normal Form). The algebraic normal form of an n-variable boolean function $f(x)$, denoted by ${ANF}_f$, is given by the following equation: ${ANF}_f=a_0\oplus a_1{x}_1\oplus a_2{x}_2\oplus \cdots \oplus a_n{x}_n\oplus a_{1,2}{x}_1{x}_2\oplus \cdots \oplus a_{1,2,\cdots ,n}{x}_1{x}_2\cdots x_n$, where the coefficient a belongs to B.

Example 2.

The boolean function given in the previous example is in ANF form.

Definition 3

(Algebraic Degree). The algebraic degree of a boolean function $f(x)$, denoted by $deg(f)$, is equal to the number of variables in the longest item of its $AN{F}_f$.

Example 3.

The number of variables in the longest item of the ANF form of the boolean function given in Example 1 is 3.

Definition 4

(Hamming Distance). The Hamming distance between two n-variable boolean functions $f(x)$ and $g(x)$, denoted by $d_H(f,g)$, represents the number of differing elements in the corresponding positions of their truth tables.

Definition 5

(Linear Boolean Function). Any n-variable boolean function of the form

$$l_w(x)=<w,x>=w_1{x}_1\oplus w_2{x}_2\oplus \cdots \oplus w_n{x}_n,$$

where $w,x\in B^n$, is called a linear function.

Definition 6

(Affine Boolean Function). Any n-variable boolean function of the form:

$$l_w(x)=<w,x>=w_0\oplus w_1{x}_1\oplus w_2{x}_2\oplus \cdots \oplus w_n{x}_n,$$

where $w_0\in B$ and $w,x\in B^n$, is called an affine function.

Definition 7

(Walsh–Hadamard Transform). For an n-variable boolean function $f(x)$, represented by its polarity table $[\widehat{f}(x)]$, the Walsh–Hadamard transform, or WHT, ${\widehat{F}}_f:B^n\to Z$, is defined by:

$${\widehat{F}}_f(w)=\sum _{x\in B^n}\widehat{f}(x){(-1)}^{<w,x>}$$

Example 4.

For example, if we have the same boolean function given in Example 1, i.e., $y(x_1,x_2,x_3)=x_1{x}_2{x}_3+x_1+x_2{x}_3+x_2+x_3$, we have the following Walsh–Hadamard transform:

$$(2,2,-2,-2,-2,-2,2,-6)$$

Definition 8

(Absolute Indicator). For an n-variable boolean function $f(x)$, we denote the absolute indicator of f as ${\Delta }_f$. For all $u\in F_2^n$ except the zero vector, we write

$$\begin{array}{c}\hfill {\Delta }_f(u)=\sum _x{(-1)}^{f(x)+f(x+u)}\end{array}$$

The absolute indicator of f is calculated by

$$\begin{array}{c}\hfill {\Delta }_f=\underset{u}{max}\mid {\Delta }_f(u)\mid \end{array}$$

(1)

Example 5.

The absolute indicator of the boolean function given in Example 1 is 4.

Definition 9

(Vectorial Boolean Function–Substitution Table–S-box). An n-binary input to m-binary output mapping $S:B^n\iff B^m$, which assigns some $y=(y_1,y_2,\cdots ,y_m)\in B^m$ by $S(x)=y$ to each $x=(x_1,x_2,\cdots ,x_n)\in B^n$, is called an $(n,m)$ substitution table (S-box) and is denoted by $S(n,m)$.

Example 6.

An example of an $S(3,3)$ S-box in decimal notation is:

$$S_e=(3,6,0,2,4,5,1,7).$$

It can be described as follows. The input 000 is transformed to an output 011 in binary, which equals 3 in decimal. The next input, 001, is transformed to an output 110 in binary, which equals 6 in decimal, and so on.

Definition 10

(Bijective S-box). An S-box $S(n,m)$ is said to be bijective if it maps each input $x\in B^n$ to a distinct output $y=S(x)\in B^m$ and all possible $2^m$ outputs are present.

Example 7.

The S-box $S_e$ is bijective because it maps each input to a distinct output.

Definition 11

(S-box Extended WHT Spectrum Matrix (EWHTSM)). The extended Walsh–Hadamard transform spectrum matrix (EWHTSM) of an S-box $S(n,m)$ is a $(2^n,2^m)$ matrix ${\widehat{F}}_{ExtS}$ for which the columns are represented by the Walsh–Hadamard transform spectra $[{\widehat{F}}_{g_v}(w)]$ of the boolean functions $g_v(x)=v_1{f}_1(x)\oplus v_2{f}_2(x)\oplus \cdots \oplus v_m{f}_m(x)$, where w and v are arranged lexicographically in $B^n$ and $B^m$, respectively.

$$\begin{array}{c}\hfill {\widehat{F}}_{ExtS}=\left[\begin{array}{cccc}{\widehat{F}}_{g_0}(0,0,\cdots ,0)& \cdots & & {\widehat{F}}_{g_{2^{m-1}}}(0,0,\cdots ,0)\\ {\widehat{F}}_{g_0}(0,0,\cdots ,1)& \cdots & & {\widehat{F}}_{g_{2^{m-1}}}(0,0,\cdots ,1)\\ ⋮& \ddots & & ⋮\\ {\widehat{F}}_{g_0}(1,1,\cdots ,0)& \cdots & & {\widehat{F}}_{g_{2^{m-1}}}(1,1,\cdots ,0)\\ {\widehat{F}}_{g_0}(1,1,\cdots ,1)& \cdots & & {\widehat{F}}_{g_{2^{m-1}}}(1,1,\cdots ,1)\end{array}\right]\end{array}$$

(2)

The importance of the S-box extended Walsh–Hadamard transform matrix is to quantitatively describe the distance with a special measure, similar to the Hamming distance, between each linear combination of coordinates in the given S-box and each possible linear function.

Definition 12

(Linear Approximation Table (LAT)). The linear approximation table of an S-box $S(n,m)$, denoted by ${LAT}_S$ or $S_{LAT}$, is a table with $2^n$ rows and $2^m$ columns for which the entries are given by:

$$\begin{array}{c}\hfill S_{LAT}[X][Y]={LAT}_S[X][Y]=2^{n-1}-d_H(X,Y),\end{array}$$

(3)

where Y is the consequent linear combination of the coordinates of the current S-box and X is the consequent linear function with length n.

Example 8.

The S-box $S_e$ has the following LAT:

$$\begin{array}{cccccccc}\hfill 4& \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill 0\\ \hfill 0& \hfill 0& \hfill 2& \hfill 2& \hfill 2& \hfill -2& \hfill 0& \hfill 0\\ \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill -2& \hfill -2& \hfill -2& \hfill 2\\ \hfill 0& \hfill 0& \hfill -2& \hfill 2& \hfill 0& \hfill 0& \hfill -2& \hfill -2\\ \hfill 0& \hfill 2& \hfill -2& \hfill 0& \hfill 2& \hfill 0& \hfill 0& \hfill 2\\ \hfill 0& \hfill -2& \hfill 0& \hfill 2& \hfill 0& \hfill 2& \hfill 0& \hfill 2\\ \hfill 0& \hfill -2& \hfill -2& \hfill 0& \hfill 0& \hfill -2& \hfill 2& \hfill 0\\ \hfill 0& \hfill -2& \hfill 0& \hfill -2& \hfill 2& \hfill 0& \hfill -2& \hfill 0\end{array}$$

Definition 13

(S-box Nonlinearity). The nonlinearity of an S-box $S(n,m)$, denoted by $S_{NL}$, is defined as:

$$\begin{array}{c}\hfill S_{NL}=2^{n-1}-max(\left\{\mid w_i\mid \right\}),\end{array}$$

(4)

where $\left\{\mid w_i\mid \right\}$ is the set of all absolute values of the elements in LAT except the uppermost left one.

Example 9.

The nonlinearity value of $S_e$ is 2.

Definition 14

(S-box Minimal Algebraic Degree). The minimal algebraic degree of an S-box $S(n,m)$ is the minimum algebraic degree among all component functions of S.

$$\begin{array}{cc}\hfill S_{DEG}=mi{n}_{(v\in B^m)}& deg(g_v)=\hfill \\ & =mi{n}_{((v_1,v_2,\cdots ,v_m)\in B^m)}deg(v_1{f}_1(x)\oplus v_2{f}_2(x)\oplus \cdots \oplus v_m{f}_m(x)),\hfill \end{array}$$

(5)

where $f_1, f_2, \cdots , f_m$ are the coordinate boolean functions of $S(n,m)$.

Example 10.

The minimal algebraic degree of $S_e$ is 2.

Definition 15

(S-box Absolute Indicator and Sum of Squares Indicator). The absolute indicator of a given S-box S, denoted as $S_{AC}$, is equal to the maximal absolute indicator among all absolute indicators of component functions of S, while the sum of squares indicator, denoted as $S_{SSI}$, is the maximum sum of squared values of absolute indicators of component functions of S.

Example 11.

The absolute and sum of squares indicators of $S_e$ equal 8 and 128, respectively.

Definition 16

(S-box Differential Uniformity). Differential uniformity, or δ-uniformity, of a given S-box $S(n,m)$, denoted by $S_{\delta }$, is defined by:

$$S_{\delta }=\underset{\alpha \in B^n\setminus \left\{0\right\}}{max}\underset{\beta \in B^m}{max}\left|\{x\in B^n\mid S(x)\oplus S(x\oplus \alpha )=\beta )\}\right|$$

Example 12.

The differential uniformity value of $S_e$ is 2.

Definition 17

(S-box Fixed Points). The fixed points of a given bijective S-box $S(n,n)$ are the set of those points x for which $S(x)=x$.

Example 13.

The set of fixed points of $S_e$ is $\left\{4,5,7\right\}$.

Definition 18

(Power Mapping and Power Functions). Let us define a finite field $F=GF(N)$. The power mapping of a given function $x^d$ for some fixed $d\in GF(N)$ consists of all the mappings from x to $x^d$ for all $x\in GF(N)$. We can further define the sum of arbitrary power mappings as the power function.

Example 14.

Let us define a finite field $F=GF(2^8)$ and a function $y=x^7$. We can easily construct the power mapping of x to y in F:

$$x=0\Rightarrow y=0^7(mod256)=0$$

$$x=1\Rightarrow y=1^7(mod256)=1$$

$$x=2\Rightarrow y=2^7(mod256)=128$$

$$x=3\Rightarrow y=3^7(mod256)=139$$

$$\cdots$$

$$x=255\Rightarrow y={255}^7(mod256)=255$$

3. Classification of Pentanomial Power Functions in $\mathit{GF}({\mathbf{2}}^{\mathbf{8}})$

Since all same-sized finite fields are isomorphic, we could take any irreducible polynomial to construct the finite field $GF(2^8)$. The irreducible polynomial we used during our enumeration is $p(x)=x^8+x^6+x^5+x^4+1$. Then, for all possible elements $x\in GF(2^8)$, we consequently enumerate all possible pentanomials of the form $f(x)=x^a+x^b+x^c+x^d+x^e$ given $0<a<b<c<d<e<256$ such that $a,b,c,d,e\in N$. If $f(x)$ is a bijective S-box, its corresponding characteristics are calculated. We enumerated a total of 41,458 different classes distinguished by nonlinearity, differential uniformity, algebraic degree, autocorrelation value, fixed points and square of sum indicators. During the enumeration routine, we extracted a total of 152,320 different pentanomial power mappings that generate bijective S-boxes.

The overview and pseudo-code of our algorithm used throughout the enumeration routine is presented in Algorithm 1. In

Table 1. Some pentanomial power mapping classes found in this work.

S Pentanomial Power Mapping	${\mathit{S}}_{\mathit{NL}}$	${\mathit{S}}_{\mathit{\delta }}$	${\mathit{S}}_{\mathit{DEG}}$	${\mathit{S}}_{\mathit{AC}}$	Fixed Points	${\mathit{S}}_{\mathit{SSI}}$
$x^1+x^{16}+x^{124}+x^{199}+x^{241}$	112	16	5	56	16	188,416
$x^{31}+x^{124}+x^{199}+x^{227}+x^{248}$	112	16	5	56	12	188,416
$x^{62}+x^{124}+x^{227}+x^{241}+x^{248}$	112	16	5	56	10	188,416
$x^{31}+x^{62}+x^{124}+x^{143}+x^{241}$	112	16	5	56	8	188,416
$x^{31}+x^{62}+x^{124}+x^{227}+x^{241}$	112	16	5	56	4	188,416
$x^{62}+x^{143}+x^{199}+x^{241}+x^{248}$	112	16	5	56	2	188,416
$x^1+x^{16}+x^{107}+x^{181}+x^{182}$	112	16	5	48	16	188,416
$x^{107}+x^{109}+x^{181}+x^{214}+x^{218}$	112	16	5	48	12	188,416
$x^{91}+x^{107}+x^{109}+x^{182}+x^{218}$	112	16	5	48	10	188,416
$x^{91}+x^{181}+x^{182}+x^{214}+x^{218}$	112	16	5	48	8	188,416
$x^{91}+x^{173}+x^{181}+x^{214}+x^{218}$	112	16	5	48	4	188,416
$x^{107}+x^{109}+x^{173}+x^{182}+x^{214}$	112	16	5	48	2	188,416
$x^{191}+x^{223}+x^{247}+x^{251}+x^{253}$	112	4	7	32	12	133,120
$x^{191}+x^{239}+x^{247}+x^{253}+x^{254}$	112	4	7	32	10	133,120
$x^{127}+x^{191}+x^{223}+x^{247}+x^{253}$	112	4	7	32	6	133,120
$x^{127}+x^{191}+x^{239}+x^{251}+x^{254}$	112	4	7	32	4	133,120
$x^{191}+x^{223}+x^{239}+x^{247}+x^{254}$	112	4	7	32	2	133,120
$x^{11}+x^{26}+x^{161}+x^{206}+x^{251}$	108	6	7	64	6	182,272
$x^{22}+x^{52}+x^{67}+x^{157}+x^{247}$	108	6	7	64	4	182,272
$x^{104}+x^{134}+x^{179}+x^{194}+x^{254}$	108	6	7	64	2	182,272
$x^{29}+x^{44}+x^{89}+x^{224}+x^{239}$	108	6	7	64	10	169,216
$x^{101}+x^{116}+x^{131}+x^{176}+x^{191}$	108	6	7	64	6	169,216
$x^7+x^{97}+x^{127}+x^{202}+x^{232}$	108	6	7	64	4	169,216
$x^{88}+x^{103}+x^{163}+x^{178}+x^{193}$	108	6	5	64	28	194,560
$x^{14}+x^{29}+x^{59}+x^{149}+x^{194}$	108	6	5	64	10	194,560
$x^{71}+x^{101}+x^{131}+x^{176}+x^{206}$	108	6	5	64	6	194,560
$x^{22}+x^{112}+x^{172}+x^{217}+x^{232}$	108	6	5	64	4	194,560
$x^{44}+x^{89}+x^{179}+x^{209}+x^{224}$	108	6	5	64	2	194,560
$x^{11}+x^{26}+x^{101}+x^{116}+x^{146}$	108	6	4	64	6	223,232
$x^7+x^{52}+x^{97}+x^{142}+x^{172}$	108	6	4	64	4	223,232
$x^{29}+x^{89}+x^{134}+x^{164}+x^{194}$	108	6	4	64	2	223,232
$x^{11}+x^{71}+x^{86}+x^{161}+x^{251}$	106	10	7	64	6	209,536
$x^{43}+x^{133}+x^{163}+x^{208}+x^{253}$	106	10	7	64	4	209,536
$x^{29}+x^{44}+x^{89}+x^{134}+x^{239}$	106	10	7	64	2	209,536
$x^{26}+x^{101}+x^{131}+x^{161}+x^{191}$	106	8	7	96	6	192,640
$x^{52}+x^{67}+x^{112}+x^{172}+x^{247}$	106	8	7	96	4	192,640
$x^{14}+x^{104}+x^{134}+x^{149}+x^{254}$	106	8	7	96	2	192,640
$x^{44}+x^{59}+x^{134}+x^{224}+x^{254}$	106	8	7	96	10	186,880
$x^{11}+x^{56}+x^{161}+x^{191}+x^{206}$	106	8	7	96	6	186,880
$x^{13}+x^{88}+x^{118}+x^{193}+x^{253}$	106	8	7	96	4	186,880
$x^{14}+x^{104}+x^{179}+x^{194}+x^{239}$	106	8	7	96	2	186,880
$x^{13}+x^{88}+x^{163}+x^{178}+x^{223}$	106	8	7	80	28	182,272
$x^{11}+x^{86}+x^{116}+x^{161}+x^{251}$	106	8	7	80	6	182,272
$x^{43}+x^{58}+x^{133}+x^{208}+x^{253}$	106	8	7	80	4	182,272
$x^{29}+x^{104}+x^{149}+x^{194}+x^{254}$	106	8	7	80	2	182,272
$x^{41}+x^{101}+x^{161}+x^{206}+x^{251}$	106	8	7	72	6	216,064
$x^{37}+x^{52}+x^{127}+x^{172}+x^{217}$	106	8	7	72	4	216,064
$x^{74}+x^{89}+x^{104}+x^{179}+x^{254}$	106	8	7	72	2	216,064
$x^{56}+x^{86}+x^{116}+x^{176}+x^{251}$	106	8	7	72	6	202,624
$x^{133}+x^{163}+x^{178}+x^{193}+x^{223}$	106	8	7	72	4	202,624
$x^{89}+x^{194}+x^{209}+x^{224}+x^{239}$	106	8	7	72	2	202,624
$x^{101}+x^{206}+x^{221}+x^{236}+x^{251}$	106	8	7	72	6	194,176
$x^{157}+x^{187}+x^{202}+x^{217}+x^{247}$	106	8	7	72	4	194,176
$x^{59}+x^{119}+x^{149}+x^{179}+x^{239}$	106	8	7	72	2	194,176
$x^{101}+x^{116}+x^{161}+x^{176}+x^{251}$	106	8	7	72	6	185,344
$x^{58}+x^{88}+x^{178}+x^{208}+x^{253}$	106	8	7	72	4	185,344
$x^{134}+x^{149}+x^{194}+x^{209}+x^{239}$	106	8	7	72	2	185,344
$x^{71}+x^{86}+x^{101}+x^{176}+x^{251}$	106	8	7	64	6	204,928
$x^{43}+x^{88}+x^{163}+x^{178}+x^{253}$	106	8	7	64	4	204,928
$x^{44}+x^{89}+x^{149}+x^{209}+x^{254}$	106	8	7	64	2	204,928
$x^{11}+x^{26}+x^{161}+x^{191}+x^{206}$	106	8	7	64	6	193,408
$x^{52}+x^{67}+x^{97}+x^{217}+x^{247}$	106	8	7	64	4	193,408
$x^{44}+x^{59}+x^{104}+x^{134}+x^{254}$	106	8	7	64	2	193,408
$x^{41}+x^{56}+x^{101}+x^{116}+x^{251}$	106	8	7	64	6	192,640
$x^{28}+x^{58}+x^{148}+x^{178}+x^{253}$	106	8	7	64	4	192,640
$x^{149}+x^{164}+x^{209}+x^{224}+x^{239}$	106	8	7	64	2	192,640
$x^{22}+x^{112}+x^{217}+x^{232}+x^{247}$	106	8	7	64	28	191,872
$x^{11}+x^{56}+x^{116}+x^{236}+x^{251}$	106	8	7	64	6	191,872
$x^7+x^{97}+x^{127}+x^{142}+x^{157}$	106	8	7	64	4	191,872
$x^{44}+x^{179}+x^{209}+x^{224}+x^{239}$	106	8	7	64	2	191,872
$x^{28}+x^{58}+x^{178}+x^{223}+x^{253}$	106	8	4	72	28	223,232
$x^{56}+x^{101}+x^{116}+x^{191}+x^{251}$	106	8	4	72	6	223,232
$x^7+x^{127}+x^{142}+x^{172}+x^{247}$	106	8	4	72	4	223,232
$x^{149}+x^{209}+x^{224}+x^{239}+x^{254}$	106	8	4	72	2	223,232
$x^{13}+x^{43}+x^{193}+x^{223}+x^{253}$	106	8	4	72	28	206,848
$x^{26}+x^{86}+x^{131}+x^{191}+x^{251}$	106	8	4	72	6	206,848
$x^{28}+x^{178}+x^{208}+x^{223}+x^{253}$	106	8	4	72	4	206,848
$x^{14}+x^{89}+x^{104}+x^{239}+x^{254}$	106	8	4	72	2	206,848
$x^{69}+x^{154}+x^{205}+x^{222}+x^{239}$	106	6	7	120	18	212,224
$x^{21}+x^{55}+x^{106}+x^{123}+x^{191}$	106	6	7	120	6	212,224
$x^{77}+x^{111}+x^{162}+x^{230}+x^{247}$	106	6	7	120	4	212,224
$x^{84}+x^{169}+x^{220}+x^{237}+x^{254}$	106	6	7	120	2	212,224
$x^{11}+x^{56}+x^{86}+x^{176}+x^{191}$	106	6	7	96	6	197,248
$x^{28}+x^{43}+x^{88}+x^{133}+x^{223}$	106	6	7	96	4	197,248
$x^{14}+x^{44}+x^{149}+x^{194}+x^{239}$	106	6	7	96	2	197,248
$x^{29}+x^{44}+x^{104}+x^{164}+x^{239}$	106	6	7	96	10	194,944
$x^{11}+x^{26}+x^{41}+x^{71}+x^{251}$	106	6	7	96	6	194,944
$x^{37}+x^{67}+x^{97}+x^{127}+x^{232}$	106	6	7	96	4	194,944
$x^{74}+x^{134}+x^{194}+x^{209}+x^{254}$	106	6	7	96	2	194,944
$x^{56}+x^{71}+x^{86}+x^{101}+x^{191}$	106	6	7	96	6	191,488
$x^{112}+x^{127}+x^{142}+x^{172}+x^{202}$	106	6	7	96	4	191,488
$x^{29}+x^{89}+x^{149}+x^{224}+x^{254}$	106	6	7	96	2	191,488
$x^{11}+x^{41}+x^{116}+x^{161}+x^{251}$	106	6	7	96	6	191,104
$x^{13}+x^{73}+x^{88}+x^{163}+x^{223}$	106	6	7	96	4	191,104
$x^{44}+x^{134}+x^{164}+x^{209}+x^{239}$	106	6	7	96	2	191,104
$x^{11}+x^{26}+x^{41}+x^{71}+x^{191}$	106	6	7	96	6	188,416
$x^{88}+x^{118}+x^{193}+x^{223}+x^{238}$	106	6	7	96	4	188,416
$x^{74}+x^{134}+x^{194}+x^{209}+x^{239}$	106	6	7	96	2	188,416
$x^{11}+x^{26}+x^{41}+x^{116}+x^{251}$	106	6	7	96	6	185,728
$x^{22}+x^{52}+x^{82}+x^{232}+x^{247}$	106	6	7	96	4	185,728
$x^{44}+x^{104}+x^{164}+x^{209}+x^{239}$	106	6	7	96	2	185,728
$x^{11}+x^{71}+x^{101}+x^{161}+x^{251}$	106	6	7	80	6	184,192
$x^{13}+x^{43}+x^{58}+x^{88}+x^{223}$	106	6	7	80	4	184,192
$x^{89}+x^{104}+x^{194}+x^{209}+x^{254}$	106	6	7	80	2	184,192
$x^{37}+x^{52}+x^{112}+x^{127}+x^{217}$	106	6	7	80	28	180,736
$x^{26}+x^{56}+x^{146}+x^{191}+x^{236}$	106	6	7	80	6	180,736
$x^{103}+x^{148}+x^{193}+x^{208}+x^{253}$	106	6	7	80	4	180,736
$x^{74}+x^{104}+x^{179}+x^{224}+x^{254}$	106	6	7	80	2	180,736
$x^{89}+x^{104}+x^{164}+x^{209}+x^{239}$	106	6	7	72	10	206,848
$x^{26}+x^{41}+x^{86}+x^{116}+x^{251}$	106	6	7	72	6	206,848
$x^{52}+x^{82}+x^{172}+x^{232}+x^{247}$	106	6	7	72	4	206,848
$x^{29}+x^{74}+x^{134}+x^{149}+x^{254}$	106	6	7	72	2	206,848
$x^{89}+x^{149}+x^{191}+x^{239}+x^{251}$	106	6	7	64	18	208,384
$x^{43}+x^{178}+x^{191}+x^{251}+x^{253}$	106	6	7	64	12	208,384
$x^{86}+x^{101}+x^{127}+x^{247}+x^{251}$	106	6	7	64	6	208,384
$x^{43}+x^{127}+x^{178}+x^{223}+x^{247}$	106	6	7	64	4	208,384
$x^{89}+x^{127}+x^{149}+x^{239}+x^{247}$	106	6	7	64	2	208,384
$x^{44}+x^{134}+x^{149}+x^{209}+x^{239}$	106	6	7	64	10	188,800
$x^{26}+x^{71}+x^{86}+x^{176}+x^{191}$	106	6	7	64	6	188,800
$x^{13}+x^{43}+x^{88}+x^{163}+x^{223}$	106	6	7	64	4	188,800
$x^{29}+x^{89}+x^{104}+x^{194}+x^{254}$	106	6	7	64	2	188,800
$x^{26}+x^{56}+x^{146}+x^{176}+x^{191}$	106	6	7	64	6	185,344
$x^{13}+x^{28}+x^{73}+x^{88}+x^{223}$	106	6	7	64	4	185,344
$x^{74}+x^{104}+x^{194}+x^{224}+x^{254}$	106	6	7	64	2	185,344
$x^{11}+x^{146}+x^{206}+x^{236}+x^{251}$	106	6	7	64	6	182,656
$x^{82}+x^{97}+x^{127}+x^{157}+x^{217}$	106	6	7	64	4	182,656
$x^{59}+x^{164}+x^{179}+x^{194}+x^{254}$	106	6	7	64	2	182,656
$x^{28}+x^{58}+x^{103}+x^{193}+x^{253}$	106	6	7	64	28	180,352
$x^{56}+x^{71}+x^{131}+x^{191}+x^{236}$	106	6	7	64	6	180,352
$x^7+x^{112}+x^{157}+x^{232}+x^{247}$	106	6	7	64	4	180,352
$x^{14}+x^{59}+x^{209}+x^{224}+x^{239}$	106	6	7	64	2	180,352
$x^{89}+x^{134}+x^{224}+x^{239}+x^{254}$	106	6	4	64	18	206,848
$x^{26}+x^{101}+x^{131}+x^{191}+x^{251}$	106	6	4	64	6	206,848
$x^{67}+x^{112}+x^{127}+x^{172}+x^{247}$	106	6	4	64	4	206,848
$x^{14}+x^{104}+x^{149}+x^{239}+x^{254}$	106	6	4	64	2	206,848

, several examples of pentanomial power mappings that yield distinguished classes are given. The first column of the table reveals the actual pentanomial that maps to a given S-box S. The next columns correspond, respectively, to the nonlinearity value of S, i.e., $S_{NL}$, to the differential uniformity, or $\delta$-uniformity of S, i.e., $S_{\delta }$, to the algebraic degree of S, i.e., $S_{DEG}$, to the autocorrelation value of S, i.e., $S_{AC}$, to the number of fixed points in S as well as to the square of sum indicator of S, i.e., $S_{SSI}$. The classes are sorted by the aforementioned characteristics from left to right. For example, the pentanomial $x^{191}+x^{223}+x^{239}+x^{247}+x^{254}$ under power mapping over $GF(2^8)$ and by using the irreducible polynomial $p(x)=x^8+x^6+x^5+x^4+1$ yields the bijective S-box S shown in Figure 1.

Algorithm 1 An Algorithm for Pentanomial Power Mapping Classification.
Require: $F=GF(2^8)$ with irreducible polynomial $p(x)$
Ensure: $p(x)=x^8+x^6+x^5+x^4+1$
$\mathcal{C}=\varnothing$	▹ An empty set of classes
for $\forall a,b,c,d,e:0<a<b<c<d<e<256$ do
$S=[]$	▹ The empty array
for $\forall x\in F$ do
$e=x^a+x^b+x^c+x^d+x^e$ over F
$S.append(e)$
end for
if S is bijective then
Calculates $S_{NL}$	▹ Nonlinearity
Calculates $S_{\delta }$	▹ Differential uniformity
Calculates $S_{DEG}$	▹ Minimal algebraic degree
Calculates $S_{AC}$	▹ Absolute indicator
Calculates $S_{FP}$	▹ Fixed points
Calculates $S_{SSI}$	▹ Square of sum indicator
if $\left(S_{NL},S_{\delta },S_{DEG},S_{AC},S_{FP},S_{SSI}\right)\notin \mathcal{C}$ then
add $\left(S_{NL},S_{\delta },S_{DEG},S_{AC},S_{FP},S_{SSI}\right)$ in $\mathcal{C}$	▹ New class is found
end if
end if
end for

The characteristics of the S-box S shown in Figure 1 are $S_{NL}=112$, $S_{\delta }=4$, $S_{DEG}=7$, $S_{AC}=32$, $S_{SSI}=$ 133,120 and a total of two fixed points (the first two points of the permutation representation, i.e., the zero and the one). It should be noted that this specific S-box is equivalent to the Rijndael S-box used in AES.

The full enumeration of the pentanomial power mappings yielded a rich spectrum of combinations of different S-box characteristics. Having this in mind, in

Table 2. Pentanomial power mapping approximations of popular S-boxes.

S	${\mathit{S}}_{\mathit{NL}}$	${\mathit{S}}_{\mathit{\delta }}$	${\mathit{S}}_{\mathit{DEG}}$	${\mathit{S}}_{\mathit{AC}}$
Kuznyechik [9]	100	8	7	96
$x^3+x^{83}+x^{123}+x^{143}+x^{223}$	100	8	7	96
${\mathrm{Twofish}}_{{\pi }_1}$ [10]	96	10	6	112
$x^{104}+x^{159}+x^{174}+x^{184}+x^{244}$	96	10	6	112
${\mathrm{Crypton}}_{0,5}$ [11]	88	16	4	128
$x^1+x^{13}+x^{52}+x^{58}+x^{160}$	88	16	4	128
Iceberg [12]	96	8	7	96
$x^{132}+x^{147}+x^{222}+x^{237}+x^{247}$	96	8	7	96
iScream [13]	96	16	4	128
$x^{53}+x^{63}+x^{108}+x^{168}+x^{243}$	96	16	4	128
FLY [14]	96	16	3	128
$x^{131}+x^{136}+x^{146}+x^{191}+x^{251}$	96	16	3	128
Zorro [15]	96	10	5	112
$x^{116}+x^{161}+x^{191}+x^{206}+x^{254}$	96	10	5	112
Khazad [16]	96	8	7	104
$x^{107}+x^{131}+x^{158}+x^{173}+x^{239}$	96	8	7	104
E2 [17]	100	10	6	104
$x^{33}+x^{53}+x^{63}+x^{103}+x^{203}$	100	10	6	104
Skipjack [18]	100	12	6	96
$x^{129}+x^{149}+x^{189}+x^{239}+x^{254}$	100	12	6	96
Whirlpool [19]	100	8	7	96
$x^{141}+x^{181}+x^{191}+x^{226}+x^{231}$	100	8	7	96

, we show some pentanomial power mapping equivalents in terms of nonlinearity, $\delta$-uniformity, algebraic degree and autocorrelation value that approximate popular S-boxes. For example, the Skipjack S-box proposed by the National Security Agency (NSA) of the USA has nonlinearity equal to 100, $\delta$-uniformity of 12, an algebraic degree equal to 6 and an autocorrelation value of 96. An example of a pentanomial that yields a bijective S-box with exactly the same characteristics is $x^{129}+x^{149}+x^{189}+x^{239}+x^{254}$. It should be noted that non-zero values of fixed points in a given S-box $S_f$ are an undesirable feature. However, we could easily transform $S_f$ to some other equivalent S-box with zero fixed points and without affecting its characteristics by applying an affine transformation. The same routine is applied in AES.

4. Conclusions

In this paper, we successfully enumerated all possible power mappings of bijective 8-bit to 8-bit S-boxes using pentanomials of the form $f(x)=x^a+x^b+x^c+x^d+x^e$ given $0<a<b<c<d<e<256$. Based on various mathematical characteristics, we found a total of 41,458 different classes. The flexibility of the presented S-box generation strategy could be successfully utilized for constructing S-boxes with fine-grained characteristics of our choice. Furthermore, the data presented in this paper could be applied to reverse engineer S-boxes with unknown designs. The complete enumeration and dataset are provided as Supplementary Materials.