On the Search for Supersingular Elliptic Curves and Their Applications

Abstract

Elliptic curves with the special quality known as supersingularity have gained much popularity in the rapidly developing field of cryptography. The conventional method of employing random search is quite ineffective in finding these curves. This paper analyzes the search of supersingular elliptic curves in the space of curves over ${\mathbb{F}}_{p^2}$. We show that naive random search is unsuitable to easily find any supersingular elliptic curves when the space size is greater than ${10}^{13}$. We improve the random search using a necessary condition for supersingularity. As our main result, we define for the first time an objective function to measure the supersingularity in ordinary curves, and we apply local search and a genetic algorithm using that function. The study not only finds these supersingular elliptic curves but also investigates possible uses for them. These curves were used to create cycles inside the isogeny graph in one particular application. The research shows how the design of S-boxes may strategically use these supersingular elliptic curves. The key components of replacement, which is a fundamental step in the encryption process that shuffles and encrypts the data inside images, are S-boxes. This work represents a major advancement in effectively identifying these useful elliptic curves, eventually leading to their wider application and influence in the rapidly expanding field of cryptography.

1. Introduction

Modern society depends on electronic devices and how information is stored or exchanged securely. The field of cryptography defines protocols and systems to prevent confusion and diffusion of data when they are intercepted or stolen by a third party who is not authorized to access the information. Mathematical objects such as Vectorial Boolean functions (substitution boxes or S-boxes) and supersingular elliptic curves are essential components in most cryptographic procedures. S-boxes are commonly used in symmetric cryptography, while supersingular elliptic curves are used in asymmetric cryptography and post-quantum cryptography. These primitives can be constructed using algebra, can be generated using random algorithms, can be searched using metaheuristics, or can be defined by mixing the aforementioned methods.

In this sense, it is worth mentioning that Charles, Goren, and Lauter [1] proposed in 2006 to use supersingular isogeny graphs to construct hash functions. The Ramanujan graph families created by Lubotzky-Phillips-Sarnak and Pizer, respectively, are the two particular families of optimum expander graphs that the authors examine for proven collision resistant hash function implementations. Collision resistance results from the difficulty of calculating isogenies between supersingular elliptic curves when the hash function is built from one of Pizer’s Ramanujan graphs, which are the set of supersingular elliptic curves over ${\mathbb{F}}_{p^2}$. Jao, De Feo, and Plût [2] designed in 2011 a Diffie–Hellman key agreement scheme (SIDH) and a public key cryptosystem from a given supersingular graph. This scheme’s main technical idea is that the authors transmit the images of torsion bases under the isogeny despite the noncommutativity of the endomorphism ring, allowing the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring. This work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves, while the fastest known quantum attack remains exponential in the supersingular case, as the endomorphism ring is noncommutative. The authors provide a precise formulation of the relevant computational assumption and discuss its validity. Furthermore, in the call for new standards of quantum resistance proposed by NIST [3], an isogeny-based key exchange protocol like a SIDH named SIKE was presented [4]. The study [5] examines the relationships between elliptic curve selection and elliptic-curve cryptography security. In addition to discrete-logarithm calculations, attacks that take use of common implementation flaws are also taken into consideration. One of the fundamental problems in cryptography is the discrete logarithm issue [6] for elliptic curves. The most well-known methods for solving it all have exponential running times, indicating that the issue is often quite difficult. Nonetheless, the MOV attack is a sub-exponential solution technique for supersingular elliptic curves. The MOV approach uses the Weil pairing to convert a discrete logarithm of an elliptic curve to a logarithm over a finite field. With Index Calculus, the discrete logarithm issue in a finite field may be addressed effectively. The analysis of the MOV assault and the creation of instances to illustrate its effectiveness are the main topics of this thesis. For a more recent application, the oriented supersingular isogeny Diffie–Hellman protocol was proposed in [7]. In the case of S-boxes, examples of their use can be found in classical block cipher design like DES [8] or AES [9] and a more recent design for lightweight block ciphers like PRESENT [10].

In the last years, the search for S-boxes raises a new and interesting way to obtain good cryptographic primitives by using evolutionary computation [11,12,13]. This recent approach contrasts with the classic algebraic construction approach. Sometimes, both approaches have been merged [14,15] to carry on the best of each methodology. All those optimizations are performed in a solution space with exponential size, where an exhaustive search cannot be applied. For example, the size of the space is considered large starting from the 4x4 S-box permutation space, a total of 16! $(>$${10}^{13})$ solutions. Also, these primitives are mainly used in symmetric cryptosystems and under the design perspective. The properties to optimize are generally defined and/or deduced against attacks. However, in asymmetric cryptosystems, it seems like the absence of properties to optimize does not motivate the application of metaheuristics, which should be an open research issue in our opinion. In the particular case of elliptic curve cryptosystems, the research community prioritizes the use of random generation [16] and the verification of algebraic conditions [17,18]. Only the connection between elliptic curves and S-boxes has been flourishing for image encryption methods. Arshad et al. [19] established an isogeny that transfers the base curve’s components to the second curve. The base curve’s generators were the locations to which the maximal order subgroup of the elliptic curve points may be generated. In order to build the initial S-boxes, a group action was performed to the base curve’s makers. Initial S-boxes were created from the second curve using the generating points’ images, which were established by isogeny. The approach was computationally efficient because both curves shared the same prime field and only required a few generator points and matching pictures. The suggested approach [20] was based on the elliptic curve and Catalan number, which together form a special algorithm for an effective S-box design. Chaotic maps are gradually being used in generating S-boxes because of their complications and susceptibility to initial states. An efficient method for constructing S-boxes based on a class of elliptic curves over galois fields was proposed by Ali et al. [21]. Through careful analysis, the authors show how resilient their method is to various cryptographic challenges, emphasizing its usefulness in real-world scenarios. A comprehensive study is required to evaluate the freshly created S-box’s resistance to popular attack techniques, such as algebraic, differential, and linear assaults. Defenses against a variety of threats are greatly enhanced by an S-box with a high non-linearity value. Unfortunately, the computationally expensive aspect of building S-boxes limits the attainable encryption throughput. This highlights the need to develop new S-box generators with the highest strength and lowest processing demands in order to offer the greatest security. The authors [22] provided an effective method that makes use of the Mobius transformation of the Galois field and the composition of Frobenius automorphism. Two very nonlinear permutations that may generate millions of S-boxes with extremely high cryptographic strength were thus produced. By making clear the conditions for producing unique S-boxes and guaranteeing that the generated S-boxes had a uniform probability distribution, the dynamic behavior of the suggested generator was examined.

The principal limitation of the current state of the art in curve generation is not to use metaheuristics. As was mentioned before, in asymmetric cryptosystems for elliptic curves, properties are defined as a conditions that can be met. In contrast, if a property can be defined as an objective function, it will define curves where, for example, the supersingular condition is “covered” to a certain degree, and it will allow the discovery of new search regions where a real supersingular curve should exist.

The above issues motivate us to carry out this research due to the following points:

• As far as we know, just one study presented in 2009 [23], attempted to use an evolutionary algorithm over elliptic curves. Despite the heuristic search being single-solution-based, the authors discuss main evolution concepts such as solution encoding and operators (crossover, mutation, selection), but no optimization was performed, no objective function was defined, and the verification of conditions remains.
• On the other hand, supersingular elliptic curves are nowadays a cryptographic primitive relevant to post-quantum protocols. The oriented supersingular isogeny Diffie–Hellman protocol is one of the latest proposed [7]. In this case, the supersingular curve acts as a starting point. It would be interesting if this curve is not always the same.
• This work aims to provide a different way to obtain an elliptic curve that holds the supersingular condition. We also are not addressing a generic algebraic approach to study supersingular elliptic curves such as those presented in [24,25]. Although we will focus on small primes, compared to the actual primes for post-quantum protocols, we think our study can open a new line of research that could help to discover new properties on the curves.

The novelty in this work is to start using heuristic methods in the search for supersingular elliptic curves. That will prepare the way to apply, in the future, all the methodology already gathered in the search of good cryptographic primitives, like:

• The study of the fitness landscape [26].
• The study of relationships between different properties of the cryptographic primitive [27].
• The study of fast property optimization hybrid methods [28].

In this paper, we show how difficult it is to find supersingular elliptic curves using naive random search, and then we introduce a new improvement to this type of search, which is the main result of this work: we define for the first time a property that can be seen as an objective function in the search for supersingularity and we study the behavior of the local search using the objective function. We apply genetic algorithms with the same objective function. In each case, we report the supersingular elliptic curves. Finally, we show two applications of the use of those curves, one for generating cycles in the isogeny graph and a second bigger application for generating S-boxes for image encryption.

The structure of the paper is as follows: Section 2 shows the preliminaries for supersingular elliptic curves and Section 3 shows the preliminaries for heuristic search. The main results will be found in Section 4, while the applications will be found in Section 5 and Section 6. At the end will be Section 9 for conclusions.

2. Preliminaries for Supersingular Elliptic Curves

This section presents some basic concepts that help understand the work’s supersingular elliptic curve part.

2.1. Elliptic Curves over a Finite Field

An elliptic curve E over a finite field ${\mathbb{F}}_q$, with $q=p^m$ and p prime, is defined as:

$$y^2=x^3+ax+b$$

(1)

where $a,b\in {\mathbb{F}}_q$ and $4a^3+27b^2\ne 0$. The set of points $(x,y)\in {\mathbb{F}}_q\times {\mathbb{F}}_q$ satisfying this equation together with a point at infinity is the set of points of the curve, denoted by $E/{\mathbb{F}}_q$. An additional binary operation given by the chord-tangent method endows the set of points of the curve E with an Abelian group structure [29,30,31,32,33].

The j-invariant of the elliptic curve $E/{\mathbb{F}}_q$ is given by

$$j(E/{\mathbb{F}}_q)=1728{\displaystyle \frac{4a^3}{4a^3+27b^2}}$$

(2)

Two Elliptic curves defined over the field ${\mathbb{F}}_q$ have the same j-invariant if and only if they are isomorphic over the algebraic closure of the field.

2.2. Supersingular Criteria

An elliptic curve E over a finite field ${\mathbb{F}}_q$ is supersingular when the prime p divides the trace t of the Frobenius endomorphism. Otherwise, the curve is said to be ordinary. If $E/{\mathbb{F}}_q$ is supersingular, then $j(E/{\mathbb{F}}_q)\in {\mathbb{F}}_{p^2}$. Such a curve can be expressed using a Legendre equation

$$E_{\lambda }:y^2=x(x-1)(x-\lambda ),\lambda \in {\mathbb{F}}_{p^2}$$

(3)

Therefore, its j-invariant is given by

$$j\left(E_{\lambda }\right)=2^8{\displaystyle \frac{{({\lambda }^2-\lambda +1)}^3}{{\lambda }^2{(\lambda -1)}^2}}.$$

(4)

Proposition 2.1 in [34], ensures the following necessary condition: If $E_{\lambda }$ it is supersingular, then $\lambda$ is a square in ${\mathbb{F}}_{p^2}$.

The number of supersingular curves in the space of elliptic curves over ${\mathbb{F}}_{p^2}$ is approximately $p/12$ (see [35] Theorem V4.1). This suggests that the probability of finding one becomes small when p increases.

In this paper, we focus on the condition that $q=p^2$. And we will refer to an elliptic curve $E/{\mathbb{F}}_q$ simply as E.

3. Preliminaries for Heuristic Search

In this section, we present some basic concepts that help to understand the heuristic part of the work.

3.1. Heuristic Search

A heuristic search is a search that attempts to optimize some function in a solution space where the result of a global solution is not ensured. The goal is to at least obtain a local solution.

This kind of optimization is almost inspired by natural or physical processes. One of the major representatives is evolutionary computation, which includes genetic algorithms.

3.2. Random Search

Iterative random search is a primary search method in a solution space. It is very fast because it does not set any restrictions on the search process. In this approach, a limited number of solutions are randomly generated. The objective function is evaluated for all the solutions, and the best is the result of the search. Basic statistics can help to understand the distribution of the objective function values and give a primary sense of how difficult the search problem will be.

3.3. Local Search

Local search is a metaheuristic method. In the general scheme [36], the method starts from a random initial solution $s^{*}$, and it creates a set of neighborhood solutions $N\left(s^{*}\right)$ and it moves from one solution to another, while the objective function decreases (or increases in case of maximization). See Algorithm 1. No input is needed, and the output is an improved solution. The neighborhood construction depends on each problem. In this work, we use a new objective function to measure the supersingularity in elliptic curves.

Algorithm 1: General scheme of local search

Ensure: $s^{*}$ // Local optimum 1: $s^{*}\leftarrow random\left(\right)$ 2: search ← true 3: while search do 4:    search ← false 5:    for $s_i\in N\left(s^{*}\right)$ do 6:    if $f\left(s_i\right)<f\left(s^{*}\right)$ then 7:     $s^{*}\leftarrow s_i$ 8:     search ← true 9:    end if 10:    end for 11: end while  12: return $s^{*}$

3.4. Genetic Algorithm

The genetic algorithm is a metaheuristic that works with a population (set of solutions) instead of a single solution. Each solution is represented by an encoding. In particular, we use a binary integer genotype $(n,m)$ to represent a solution.

The evolution process consists of evolving the population from one generation to another. The main steps of this heuristic, at every evolution, are (see [37]):

• Selection;
• Recombination;
• Mutation;
• Replacement.

After several evolutions, it is expected that the solutions in the ultimate population have better characteristics than those in the initial population.

3.5. The Comparison of Heuristic Experiments and Their Results

The comparison of heuristic experiments depends on many parameters. The method schemata and executions differ from one heuristic to another. For example, one random execution does not give a good result by itself; however, running random iterations on a supercomputer could give better results than running a genetic algorithm on a personal computer.

A more actual way to compare heuristic methods is to explain how the exploration and exploitation concepts are applied. From [38], we cite “Exploration refers to the ability of a search algorithm to discover a diverse assortment of solutions spread within different regions of the search space. On the other hand, exploitation emphasizes the idea of intensifying the search process over-promising regions of the solution space to find better solutions or improve the existing ones”. We use a necessary condition to reduce the exploration in random iterations. We define different kinds of neighborhoods in local search and we vary the population size in genetic algorithms to obtain insights into both concepts: exploration and exploitation.

Also, for each heuristic experiment, there exists a particular way to measure the execution cost. In the case of random iterations, the execution cost is represented by the number of iterations, where an iteration implies the evaluation of the objective function only once. In the case of local search, the execution cost is represented by the number of attempts to improve the solution quality, where a single attempt needs to evaluate the objective function twice: for the actual solution and the neighbor solution. Finally, in the case of genetic algorithms, the execution cost is represented by the number of evolutions, where an evolution from the actual generation to the next will imply evaluating the objective function for each solution in the parent and child populations.

Then, our comparison and discussion of heuristic experiments and their results will be focused on:

• The ability to reach a supersingular elliptic curve.
• The application of exploration and exploitation concepts.
• The number of evaluations of the objective function.

In this work, we used the same personal computer to execute all the methods. The evaluation criteria that we defined are the number of iterations, number of attempts, or number of evolutions, and they do not depend on any particular computational infrastructure, as we mentioned before, it is more related to the exploration and exploitation concepts. We also emphasize that the main goal of this research is to find supersingular elliptic curves in the higher degree reached about the objective function.

4. Results and Discussion

In this section, we present the results and discussion.

4.1. Space Dimension

We analyze the space dimension of ${\mathbb{F}}_{p^2}$ about 16!. Table 1 shows that starting in prime p = 5,000,077, the solution space has a size greater than 16! So, in the rest of the work, we will focus on some primes between 5,000,077 and 100,000,081.

Table 1. Space the dimension comparison.

Prime p	${\mathit{p}}^2$	16!
600,073	360,087,605,329	20,922,789,888,000
5,000,077	25,000,770,005,929	20,922,789,888,000
100,000,081	10,000,016,200,006,561	20,922,789,888,000

4.2. Random Search

We applied iterative random search over the space, checking the supersingular criteria. We executed our code in a SageMath script, we used the $EllipticCurve(K,j=n+w\ast m)$ constructor to build the curve, and we checked the criteria with the $is\_supersingular$ method. The election of this constructor, instead of the polynomial one, was because we performed a performance comparison and the j-invariant constructor is faster. Also, it helps to keep n and m as integers.

Table 2 shows that iterative naive random search is incapable of giving supersingular elliptic curves, even in primes lower than 5,000,077. For the primes with 6 digits, we started at 50,000 iterations and grew up to 250,000, which gave us the sense that changing the number of iterations does not have too much influence on near primes. Then, we decided to go directly to p = 5,000,077. In this particular case, we increased the number of iterations up to 30,000,000, and still no supersingular curve was found.

Table 2. Random search results.

Prime	Number of Random Iterations	Supersingular Elliptic Curve
100,057	50,000	$y^2=x^3+($72,956$w+2158)x+($59,164$w+$ 88,784)
200,017	90,000	$y^2=x^3+($164,683$w+$173,186$)x+($108,771$w+$ 157,280)
300,073	1,000,000	Not found
400,009	2,500,000	Not found
500,029	2,500,000	Not found
600,073	2,500,000	Not found
5,000,077	30,000,000	Not found

Random Search Improvement

Our improvement in random search is the use of the necessary conditions. We ensure that the j-invariant passed to the constructor came from a $\lambda$ square, instead of directly constructing an elliptic curve and then evaluating the $is\_supersingular$ method.

In Table 3, it can be seen that we found an elliptic curve in the 5,000,077² space in less than 30,000,000 iterations. However, no curve was found for p$>=$ 60,000,013.

Table 3. Random Search results using necessary conditions.

Prime	Number of Random Iterations	Supersingular Elliptic Curve
5,000,077	5,380,000	$y^2=x^3 + ($3,744,971$w+$ 4,908,640$)x + ($1,644,933$w+$ 1,464,646)
20,000,077	6,550,000	$y^2=x^3 + ($9,232,742$w+$ 7,392,574$)x + ($11,103,591$w+$ 10,297,062)
50,000,017	22,230,000	$y^2=x^3 + ($12,080,893$w+$ 44,627,161$)x + ($29,686,507$w+$ 5,822,707)
60,000,013	30,000,000	Not found
100,000,081	30,000,000	Not found

4.3. Objective Function for Supersingular Criteria

We define a new property for an elliptic curve. The NonMultiplicity Distance (NMD) of an elliptic curve E over ${\mathbb{F}}_{p^2}$ is calculated by:

$$NMD\left(E\right)=min(tmodp,p-(tmodp\left)\right)$$

(5)

where t is the trace of Frobenius.

The objective function will have a value between 0 and $p/2$. When $NMD\left(E\right)=0$, then t is a multiple of p, which implies that the elliptic curve is supersingular. So, finding supersingular elliptic curves in the search space could be performed by minimizing an objective function $f=NMD$.

We ran 1,000,000 iterations of random search with p = 5,000,077, and we measured the value of the objective function. The minimum value was 3 and the maximum value was 2,500,037, so there is a big range of objective function values when the random search is used; also, the minimum value is very near to 0. We also ran 1,000,000 iterations with p = 100,000,081; the minimum value was 61 and the maximum value was 50,000,020. In Figure 1 and Figure 2, the respective two histograms with 100 bins show an almost uniform distribution of the objective function value, with a little degradation for small ones. This approximation of the uniform distribution indicates that searching for good solutions randomly is as good as searching for bad solutions.

Figure 1. Histogram of the objective function values in random search: 1,000,000 iterations with p = 5,000,077.

Figure 2. Histogram of the objective function values in random search: 1,000,000 iterations with p = 100,000,081.

4.4. Local Search

Our local search algorithm starts in a random curve and at each attempt, it checks if a neighbor improves the value of that actual $NMD$; in that case, we update the curve.

All the curves are represented in the same way as in a random search, by the j-invariant in the form $j=n+w$ ∗ m. The neighbor in improvement attempt k will be deduced from the actual curve using $j^{\prime }=(n+k)+w\ast (m+k)$.

We applied one run of the local search algorithm to the space of prime 400,009, with 2,000,000 attempts at improvement. We did not find any supersingular elliptic curves. This was a first sight that the method did not perform well. If we compare with iterative random search necessary condition, the prime, 400,009 is below the bound that we set for a minimal space size (p = 5,000,077). Moreover, the number of objective function evaluations in the local search was 4,000,000 = $2 \ast$ 2,000,000, near the number of iterations in the random search, 5,380,000.

Later, we modified the local search to include the necessary conditions. In this case, all the curves are represented by the j-invariant in the form of ${\lambda }^2$ where $\lambda =n+w\ast m$. The neighbor in iteration k will be deduced from the actual curve using a new ${\lambda }^{\prime }=(n+k)+w\ast (y+m)$.

Table 4 shows that even with the necessary condition, one run of the local search algorithm was not able to find a curve for prime 5,000,077. So, we can apply a similar analysis as the last one, compared with the iterative random search - necessary condition -.

Table 4. Local search (one run) results using necessary condition.

Prime	Number of Attempts	Supersingular Elliptic Curve
500,029	2,000,000	Found at 1,800,000: $y^2=x^3+($105,909$w+$ 250,572$)x+($166,507$w+$ 336,754)
600,073	2,000,000	Found at 1,940,000: $y^2=x^3+($338,705$w+$ 547,935$)x+($405,267$w+$ 76,126)
5,000,077	2,000,000	Not found

However, using the local search with the necessary conditions is better than the iterative naive random search for p = 5,000,077. Different from iterative random search, increasing the number of attempts in local search does not produce the same effect because the search could be stuck around a local optimum. In this case, it is better to perform several runs. For example, 30 runs will be equivalent to 120,000,000 = $30\ast$ 4,000,000 objective function evaluations.

After applying 34 runs in a new experiment of the local search—necessary condition—, we found five supersingular elliptic curves. The minimum value of the objective function was 0, the maximum value was 6 and the average was 2.2. One of the elliptic curves found was $y^2=x^3+($3,402,052 $\ast w+$ 1,513,899$)\ast x+($2,671,589 $\ast w+$ 3,715,944). Moreover, Table 5 shows the comparison of the mentioned results with the results of other two experiments that follow the same structure but different ways of calculating neighborhood, in which five supersingular elliptic curves were also found and with an average of the objective function 2.4 and 2.7 respectively.

Table 5. Local search comparison.

Neighborhood	Min	Max	Avg
$n+k$, $m+k$	0	6	2.205882353
$n·k$, $m·k$	0	9	2.470588235
$n·k^2$, $m·k^2$	0	10	2.705882353

Still, we think that even in this case of rounds of experiments, the results were not better than the ones on iterative random search with the necessary conditions. The neighborhoods that we defined are simple, intuitive, and integer-related. The neighborhood change did not produce too much value in exploitation or exploration. In the case of exploration, the same number of supersingular elliptic curves were found, while in the case of exploitation, the average of the objective function does not differ too much. We conclude that just keeping the + operator is sufficient to apply the local search method.

4.5. Genetic Algorithm

We performed the genetic algorithm in the same way that we applied local search. The only difference here was the measure of the percent of solutions where $NMD<10$, taking into account that all belong to a population under an evolutionary process.

First, we ran a simple genetic algorithm with integer encoding, three-tournament selection, and 51 candidates. We selected a low population size, low number of tournaments, and low mutation rate to keep a simple setting and not have too much computational effort in the personal computer. See Table 6. This algorithm performs better than the iterative naive random method. With a few numbers of evolutions, for p = 300,073 and p = 400,009, 100 percent of the solutions have a very low objective function value.

Table 6. Genetic Algorithm results.

Prime	Number of Evolutions	% of $\mathit{N}\mathit{M}\mathit{D}<10$	Supersingular Elliptic Curves
300,073	180,000	100%	Not Found
300,073	200,000	100%	$y^2=x^3+($92,238$w+$ 201,572$)x+($272,482$w+$ 210,541)
400,009	200,000	100%	Not Found
400,009	500,000	100%	$y^2=x^3+($262,889$w+$ 176,115$)x+($137,579$w+$ 369,291)
5,000,017	150,000	15%	Not Found
5,000,017	180,000	9%	Not Found

Later, we ran the genetic algorithm using the necessary conditions. We kept the same number of evolutions for all the primes. See Table 7. Making a comparison against the iterative random search under the necessary condition, we can see that for p = 60,000,013, several 30,000,000 random iterations (function evaluations) cannot produce any supersingular elliptic curves; however, the genetic algorithm in $(51+$ 500,000 $\ast 17)=$ 8,500,051 function evaluations produces $3\%$ of elliptic curves with $NMD<10$ and a success rate was also reached for $p<$ 60,000,013. That made us think it will be possible to find the supersingular ones if we increase the exploitation or increase the function evaluations.

Table 7. Genetic algorithm results with necessary condition.

Prime	Number of Evolutions	% of $\mathit{N}\mathit{M}\mathit{D}<10$	Supersingular Elliptic Curves
500,029	500,000	100%	$y^2=x^3+(96,837w+478,291)x+(15,978w+393,580)$
600,073	500,000	100%	$y^2=x^3+(355,563w+332,085)x+(60,662w+293,296)$
5,000,077	500,000	45%	$y^2=x^3+(1,463,062w+4,361,697)x+(2,909,560w+4,998,295)$
6,000,061	500,000	49%	$y^2=x^3+(1,027,356w+5,044,543)x+(1,406,640w+4,349,758)$
60,000,013	500,000	3%	Not found
100,000,081	500,000	0%	Not found

Then, we reduced the population size from 51 to 48, decreasing the initial exploration (to increase the tournament exploitation), and for the case p = 100,000,081, we found the elliptic curve defined by $y^2=x^3+(\mathrm{81,651,727}\ast w+\mathrm{28,754,642})\ast x+(\mathrm{65,536,260}\ast w+\mathrm{83,652,983})$ over a finite field in w of size ${100000081}^2$. Still, we did not reach exploitation. As can be seen in Figure 3, where 1 represents the experiment with a population size of 51 and 2 represents the experiment with a population size of 48, there was more exploration than exploitation for the second experiment. The objective function values were very near to 0 in both cases if we remark that the value of p is high.

Figure 3. Boxplots of the objective function values for the respective population sizes 51 and 48. Number of evolutions is 500,000.

Again, in comparison with the iterative random search, the genetic algorithm found a supersingular elliptic curve with only 8,500,051 function evaluations, whereas 30,000,000 random iterations did not.

Moreover, we repeated the experiment with population size 48 and p = 60,000,013, but now with 750,000 evolutions. We found the elliptic curve defined by $y^2=x^3+(\mathrm{59,843,081}\ast w+\mathrm{21,626,179})\ast x+(\mathrm{46,755,621}\ast w+\mathrm{18,166,067})$ over a finite field in w of size 60,000,013². In Figure 4, the second boxplot represents the results for the population with 48 candidates, and it shows the success of the exploitation in comparison with boxplot 1, and 12% of the objective function values were under 10.

Figure 4. Boxplots of the objective function values for the respective population sizes 51 and 48. Number of evolutions is 750,000.

5. The Search of Cycles into the Isogeny Graph

As we mention in the introduction section, supersingular elliptic curves are starting points to search cycles in the isogeny graph. We took the elliptic curve defined by $y^2=x^3+(\mathrm{3,744,971}w+\mathrm{4,908,640})x+(\mathrm{1,644,933}w+\left(\mathrm{1,464,646}\right)$ over a finite field in w of size ${\mathrm{5,000,077}}^2$, and we applied the classical method for constructing cycles using random walks [39]. We found the following cycle:

$$\begin{array}{c}{y}^2=x^3+(\mathrm{4,597,586}w+\mathrm{3,476,831})x+(\mathrm{4,073,147}w+\mathrm{420,949})\hfill \\ y^2=x^3+(\mathrm{1,166,616}w+\mathrm{1,205,981})x+(\mathrm{78,929}w+\mathrm{4,456,086})\hfill \\ y^2=x^3+(\mathrm{2,012,293}w+\mathrm{1,520,436})x+(\mathrm{503,709}w+\mathrm{3,020,123})\hfill \\ y^2=x^3+(\mathrm{3,665,625}w+\mathrm{4,295,465})x+(\mathrm{51,379}w+\mathrm{185,115})\hfill \\ y^2=x^3+(\mathrm{1,963,921}w+\mathrm{55,030})x+(\mathrm{3,353,240}w+\mathrm{4,180,616})\hfill \\ y^2=x^3+(\mathrm{4,597,586}w+\mathrm{3,476,831})x+(\mathrm{4,073,147}w+\mathrm{420,949})\hfill \\ y^2=x^3+(\mathrm{900,251}w+\mathrm{2,000,925})x+(\mathrm{1,087,049}w+\mathrm{2,536,901})\hfill \\ y^2=x^3+(\mathrm{3,560,298}w+\mathrm{628,449})x+(\mathrm{677,404}w+\mathrm{1,940,351})\hfill \\ y^2=x^3+(\mathrm{1,015,030}w+2202)x+(\mathrm{86,534}w+\mathrm{516,926})\hfill \\ y^2=x^3+(\mathrm{1,963,921}w+\mathrm{55,030})x+(\mathrm{3,353,240}w+\mathrm{4,180,616})\hfill \end{array}$$

This cycle is the remaining intersection of the random walks. Above it can be seen two paths that have the same start and end, but only those curves are shared.

6. Application in S-Box Generation

Building robust and adaptable S-boxes is essential for developing significant cryptographic systems since they are used to carry out nonlinear transformations that measure the efficiency of well-designed encryption algorithms. Consequently, creating dynamic S-boxes with the best cryptographic properties is very important in contemporary cryptography. To overcome the drawbacks of existing S-box creation techniques and produce a set of S-boxes, a new strategy based on supersingular elliptic curves (ECs) over Galois fields and the algebraic operations that go along with them is introduced. The improvement gained from using this strategy relies on the large number of points that the supersingular curve provides due to the big prime. The proposed algorithm can be described in the following steps:

• Choose a supersingular elliptic curve over $y^2=x^3+(\mathrm{3,744,971}w+\mathrm{4,908,640})x+(\mathrm{1,644,933}w+\mathrm{1,464,646})$ over a finite field in w of size ${\mathrm{5,000,077}}^2$.
• Generate elliptic curve points $(x,y)$, which satisfy the equation of the curve.
• Define the function $f(x,y)=y$ where $(x,y)\in F_{p^2}\times F_{p^2}$ satisfying curve.
• Apply modulo 256 on y to reduce entries in set $\{0,1,2,\dots ,255\}$ and convert into the elements of the Galois field using the primitive irreducible polynomial $p\left(t\right)=t^8+t^5+t^3+t^2+1$.
• Define the function $\zeta$ on the y coordinates by $\zeta \left(t\right)=\left\{\begin{array}{cc}{\displaystyle \frac{1}{at+b}}\hfill & :t\ne {\displaystyle \frac{b}{a}}\hfill \\ 0& :t={\displaystyle \frac{b}{a}}\end{array}\right.$.
• Fix $a=8,b=9$ and reshape the images of $\zeta$ into a $16\times 16$ matrix.

7. Performance Analysis of Proposed S-Box

Using well-established metrics like nonlinearity (NL), strict avalanche criteria (SAC), bit independence criteria (BIC), linear approximation probability (LP), and differential approximation probability (DAP), the cryptographic strength of the S-boxes created for the encryption process was assessed. These outcomes are often used to evaluate how successful S-boxes are. The performance indices of the created S-boxes are shown below.

7.1. Nonlinearity

Pieprzyk and Finkelstein introduced the concept of “nonlinearity” in 1988. This concept determines the difference between the set of all affine functions with n variables and the n-variable Boolean function. For S-boxes created using $GF\left(2^8\right)$, the highest possible nonlinearity is 120. The literature shows that the highest nonlinearity achieved until now is 112, which is also attained by our proposed S-box of Table 8. The nonlinearity of all constituent Boolean functions of an S-box can be computed by using the following formula:

$$NL\left(f\right)=2^{n-1}-{\displaystyle \frac{max|WH{T}_f|}{2}}$$

where $WH{T}_f$ represents the Walsh–Hadmard transformation of the polarity truth table of Boolean function f.

Table 8. S-box.

205	227	5	126	151	131	187	190	117	113	49	35	53	220	191	201
212	107	143	10	127	194	244	158	216	96	184	26	121	132	71	88
21	45	249	30	97	169	198	150	84	68	27	221	229	248	29	90
214	120	102	167	170	149	9	41	85	19	6	13	130	224	100	200
80	154	74	1	31	141	182	233	70	238	133	166	109	16	108	245
37	93	32	223	203	188	52	105	222	144	206	112	73	181	185	51
28	47	111	254	237	235	174	162	75	65	44	178	118	25	189	72
195	239	193	164	177	134	95	236	247	104	42	7	23	231	33	161
183	219	156	196	226	94	77	125	38	119	176	217	209	60	40	58
207	59	39	98	67	24	15	175	50	241	81	157	92	83	230	215
116	91	202	82	179	171	197	140	228	103	211	251	234	122	210	139
199	124	106	142	145	180	136	146	3	110	225	129	78	89	186	163
20	159	64	114	192	34	43	240	173	165	152	61	54	55	128	66
172	115	213	17	138	14	69	4	208	2	8	135	12	255	155	160
56	63	48	153	243	18	252	86	253	46	87	250	22	232	242	204
148	168	11	218	36	79	57	76	99	246	62	137	0	147	123	101

7.2. Strict Avalanche Criteria

The strict avalanche criteria (SAC) are used to evaluate the degree to which changes in the input of an S-box propagate through the output of the S-box or in other words, how well an S-box demonstrates the avalanche effect. The avalanche effect describes the tendency for little adjustments to the input of a cryptographic function to have a big impact on the function’s output. The rigorous avalanche conditions for S-boxes stipulate that flipping a single input bit of an S-box should on average flip half of the output bits. To calculate the dependence matrix D of the SAC, we can use the following equation.

$$D\left(k\right)={\displaystyle \frac{{\sum }_{i=1}^{8}f\left(k\right)\oplus f(k\oplus c_i)}{256}}$$

where $HWT\left(c_i\right)=1$ and $i=1,2,3\dots 8$. SAC is considered satisfied if all entries in the SAC matrix are within a small neighborhood of $0.5$. Table 9 displays the SAC findings of the suggested S-box, together with comparisons to current schemes, proving that the proposed S-box satisfies the SAC.

Table 9. Analysis and comparison of proposed S-box.

S-Boxes	Nonlinearity	SAC	BIC-NL	BIC-SAC	LAP	DAP	No. of Fixed Points
Proposed S-box	112	0.5010	112	0.5000	0.0625	0.0156	0
AES	112	0.5049	112	0.5046	0.062	0.0156	0
$S_8$ AES	112	0.504	112	0.502	0.062	0.0156	3
[21]	112	0.5032	112	0.5059	0.0625	0.0156	1
[40]	112	0.5071	112	0.5034	0.0625	0.0156	2
[41]	112	0.4988	112	0.5008	0.0625	0.0156	1
[42]	112	0.4971	112	0.4997	0.0625	0.0156	0
[43]	112	0.4980	112	0.5017	0.0625	0.0156	-
Skipjack	105.75	0.503	104.14	0.499	0.109	0.0468	-
Residue prime	99.5	0.515	101.71	0.502	0.132	0.281	-

7.3. Bit Independence Criteria (BIC)

Let $f_a$ and $f_b$ be two-bit outputs of an S-box if $f_a\oplus f_b(a\ne b,1\le a,b\le n)$ is highly nonlinear and satisfies the strict avalanche criteria; then, the S-box satisfies the BIC. This indicates that if one input bit is reversed, the correlation coefficient for each output bit may approach zero and the S-box satisfies the BIC. To put it another way, the bit independence criteria (BIC) is a feature of an S-box that ensures each output bit is statistically independent of each input bit and output bit. If the values in the BIC matrix of an S-box are near $0.5$, it satisfies the BIC criteria. Table 9 displays the BIC findings of the suggested S-box and a few chosen S-boxes that already exist.

7.4. Linear Approximation Probability (LAP)

Given a particular number of input-output pairs, the probability of linear approximation for an S-box is the likelihood that its inputs will approximate its outputs linearly. A higher linear approximation probability indicates a weaker S-box, as it makes the S-box more vulnerable to linear attacks. On the other hand, a lower linear approximation probability indicates a stronger S-box. Due to this, the S-box exhibits greater resilience against linear attacks. The following formula can be used to calculate linear approximation probability:

$$L{P}_S=\underset{\alpha ,\beta \ne 0}{max}\left|{\displaystyle \frac{|\{u\in GF\left(2^m\right)|\alpha .S\left(u\right)=\beta .S\left(v\right)\}|-2^{m-1}}{2^m}}\right|$$

considering $u,v$ to be the input and output masks, respectively. Table 9 presents the results of the LP analysis, which show that the suggested S-box successfully thwarts linear cryptanalysis.

7.5. Differential Approximation Probability (DAP)

A measure of how likely an S-box is to propagate a difference in its inputs to a corresponding difference in its outputs is called the differential approximation probability. By comparing the number of input-output pairs with the specific input difference and output difference to the number of input-output pairs without that specific difference, the probability of differential approximation for an S-box is determined. It is calculated by

$$DP(\mathsf{\Delta }u,\mathsf{\Delta }v)={\displaystyle \frac{\left|\right\{u\in GF\left(2^m\right)|S\left(u\right)\oplus S(u\oplus \mathsf{\Delta }u)=\mathsf{\Delta }v\}|}{2^m}},$$

where $\mathsf{\Delta }u$ is the input and $\mathsf{\Delta }v$ is the output differential. As seen in Table 9, the DAP analysis of the suggested S-boxes shows almost optimal values.

8. Majority Logic Criterion

In this part, we will encrypt photos using the suggested S-box and the majority logic criterion will be used to evaluate the effectiveness of the image encryption method. We substituted the suggested S-box for the AES S-box when encrypting images using the CBC mode of the AES Algorithm 2. The assessment procedure will include calculating several metrics for the plain and cipher images, including entropy, correlation, homogeneity, energy, and contrast, and then comparing the findings with a few commonly used S-boxes. We have used four images: Lena, F-16, Cameraman, and Baboon for encryption as shown in Figure 5. Figure 6 represents the cipher images of Lena, F-16, Cameraman, and Baboon, while Figure 7, Figure 8, Figure 9 and Figure 10 represent the histogram of plain and corresponding cipher images. The results of the MLC are shown in Table 10.

Figure 5. Host images of Lena, F-16, Cameraman, and Mandrill Baboon.

Figure 6. Cipher Images of (a) Lena. (b) F-16. (c) Cameraman. (d) Mandrill Baboon.

Figure 7. Lena.

Figure 8. F-16.

Figure 9. Cameraman.

Figure 10. Baboon.

Table 10. Results of majority logic criterion for host and cipher images.

Image	S-Box	Entropy	Contrast	Correlation	Energy	Homogeneity
Lena	Host Image	7.4467	0.3563	0.92195	0.12269	0.88174
	Proposed S-box	7.9994	10.5613	−0.0031	0.0156	0.3880
	AES	7.7302	7.3221	0.0879	0.0245	0.4835
	$S_8$ AES	7.7095	8.1685	0.2310	0.0227	0.4870
	Skipjack	7.6739	6.8051	0.1958	0.0261	0.4951
	Residue Prime	7.6596	6.3684	0.0996	0.0261	0.4985
	APA	7.6884	7.7369	0.2168	0.0229	0.4863
F-16	Host Image	6.5478	0.1295	0.9636	0.2650	0.9579
	Proposed S-box	7.9996	10.5518	−0.0040	0.0156	0.3887
	AES	7.9211	7.5509	0.0554	0.0202	0.4662
	Skipjack	7.7561	7.7058	0.1205	0.0239	0.4708
	Residue Prime	7.7059	8.1003	0.0090	0.0158	0.4940
	Xyi	7.7619	8.1945	0.0517	0.0158	0.4960
Cameraman	Host Image	6.9046	0.9630	0.9113	0.2202	0.8682
	Proposed S-box	7.9977	10.4994	−0.0001	0.0156	0.3892
	AES	7.9122	9.2322	0.0813	0.0172	0.4337
	Skipjack	7.7561	7.7058	0.1205	0.0239	0.4708
	Residue Prime	7.7059	8.1003	0.0090	0.0158	0.4940
	Xyi	7.7619	8.1945	0.0517	0.0158	0.4960

Algorithm 2: Grayscale Image Encryption Process

1: Initialization and Setup  2: Load the grayscale image data 3: Generate a random 256-bit encryption key 4: Define a custom S-box and MixColumns transformation matrix 5: Preparation 6: Flatten the image into a one-dimensional array of byte values 7: Apply padding to ensure the length is a multiple of 16 bytes 8: Divide the padded data into 128-bit segments for processing 9: Encryption Process 10: Initialize a “previous block” with random bytes for CBC mode 11: for each 128-bit block in the image data do 12:    Perform XOR between the current block and the previous block (CBC mode) 13:    Add the round key to the current block 14:    Perform byte substitution on the block using the S-box 15:    Apply the row-shifting transformation 16:    Execute column mixing using the predefined matrix 17:    Set the “previous block” to the current encrypted block for the next iteration 18: end for 19: Post-processing 20: Combine the encrypted blocks back into a single data array 21: Reshape the array to match the original grayscale image dimensions 22: The final encrypted image is the resulting processed data

9. Conclusions and Outlook

The search for supersingular elliptic curves over ${\mathbb{F}}_{p^2}$ is an interesting problem. The solution space has exponential size, the probability of finding an optimum is small, and a naive random search is not suitable to apply. As can be seen in this work, the use of an objective function considerably helps in the search for supersingular elliptic curves; it brings value to every curve in the space, and the notion of supersingular provides a new way of generating curves about the testing approach [17,18,44]. In the case of metaheuristics, the local search does not perform well, and our improved random search has good results. On the other hand, the genetic algorithm seems to be a good meta-heuristic for solving this problem too. The curves found could be used to generate cycles in the isogeny graph and to generate S-boxes for image encryption with good properties. Future research could be focused on the search for paths of supersingular curves in the isogeny graph. Also, we think that the search space can be reduced to the $\lambda$ squares space, which will imply the creation of new binary and unary operations between lambdas. Finally, if a hybrid approach of metaheuristics is designed, it will provide a better balance between exploration and exploitation; the found curves should be considered for sequence generation.