Constructing 8 × 8 S-Boxes with Optimal Boolean Function Nonlinearity

Abstract

Substitution boxes (S-Boxes) are the core components of modern block ciphers, responsible for introducing the essential nonlinearity that protects against attacks like linear and differential cryptanalysis. For an 8-bit S-Box, the highest possible nonlinearity for a balanced Boolean function is 116. The best results previously reported in the literature achieved an average nonlinearity of 114.5 across the coordinate Boolean functions of 8 × 8 S-boxes. Our proposed method surpasses this record, producing S-boxes whose coordinate functions exhibit an average nonlinearity of 116. This is a significant achievement as it reaches the best result to date for the nonlinearity of the coordinate Boolean functions of an S-Box. Our S-Box generation method is based on multiplication over the field $GF\left(2^4\right)$ and $4\times 4$ component S-Boxes. The approach is also highly effective, capable of producing a large number of S-Boxes with good cryptographic properties. Other cryptographic criteria, such as BIC, SAC, DAP, and LAP, though not fully optimal, remain within acceptable ranges when compared with other reported designs. In addition, a side-channel attack evaluation is presented, covering both parameter analysis and experimental results on a real system when applying the proposed S-Box in the AES algorithm. These results make it a leading solution for block cipher design.

1. Introduction

In modern block cipher algorithms, the substitution box (S-Box) is the fundamental nonlinear component that provides confusion and protects against classical cryptanalytic methods, such as linear cryptanalysis and differential cryptanalysis. Formally, an S-Box can be represented as a vectorial Boolean function. The cryptographic strength of an S-Box is, therefore, determined by the properties of these functions. Nonlinearity (NL) is the most fundamental indicator, as it measures the distance from affine functions and directly reflects resistance to linear approximation attacks.

For 8-variable Boolean functions, corresponding to $8\times 8$ S-Boxes, the highest nonlinearity mathematically discovered so far for balanced functions is 116 [1,2,3]. However, constructing balanced S-Boxes that reach this bound has long been considered a major challenge in cryptography. Previous works based on algebraic transformations [4,5,6,7,8,9,10,11,12,13,14,15,16], chaotic systems [17,18,19,20,21,22,23,24,25,26,27], and hybrid approaches [28,29,30,31,32,33,34,35,36,37] have achieved significant progress, where the average nonlinearity of the coordinate Boolean functions has remained at $114.5$ [29], i.e., still below the theoretical maximum.

In addition to nonlinearity, other research directions have focused on optimizing different cryptographic aspects. Several studies aim to maximize the Strict Avalanche Criterion (SAC) [38,39,40], while others emphasize efficiency in hardware implementation [41,42,43,44,45,46,47]. Research on S-Boxes has also focused on optimizing parameters related to side-channel resistance [30,48,49], while other studies target optimization against advanced cryptanalytic techniques such as the Boomerang attack [50] or Differential and Linear Branch Numbers [51].

Although previous studies have made important progress in the design of S-Boxes, the fundamental challenge of attaining the maximum possible nonlinearity for balanced $8\times 8$ S-Boxes remains unresolved. In this paper, we focus on bridging these gaps by optimizing nonlinearity in conjunction with hardware efficiency. The main contributions of this work are summarized as follows.

• A novel construction method: We developed a systematic approach for building 8 × 8 S-Boxes from smaller $4\times 4$ component S-Boxes, which allows for a modular and efficient design.
• Optimal nonlinearity: The constructed S-boxes achieve an average nonlinearity of 116 across their coordinate Boolean functions, representing the best results reported to date for 8-variable balanced Boolean functions.
• Comprehensive security analysis: Our analysis confirms that these new S-Boxes meet other critical security criteria, including the Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), Differential Avalanche Probability (DAP), and Linear Avalanche Probability (LAP).
• Practical robustness: Side-channel attack experiments show that our S-Boxes offer resistance comparable to the Advanced Encryption Standard (AES) S-Box, proving their real-world applicability.
• Efficient hardware implementation: Our S-Boxes are designed for efficient hardware resource utilization, making them ideal for systems with limited resources.

The remainder of this paper is organized as follows. Section 2 reviews related works. Section 3 presents the theoretical background of Boolean functions and S-Box design criteria. Section 4 introduces the proposed construction method. Section 5 reports the cryptographic security analysis of the generated S-Boxes and presents the experimental results of a side-channel attack. Section 6 evaluates the hardware performance in terms of resource efficiency. Finally, Section 7 concludes this paper.

2. Related Works

A wide range of approaches have been proposed for the construction of S-Boxes, which can broadly be categorized into algebraic-based, chaotic-based, hybrid techniques, and composition methods using smaller substitution components. Below, we present some of the most recent studies in this field.

Several studies have exploited algebraic structures and mathematical transformations for S-Box construction. In [8], Möbius transformation combined with permutations was applied to design S-Boxes that enhance IoT multimedia security. The study in [9] proposed constructing S-Boxes based on power associative loops, which were later applied to text encryption. The work in [20] employed Delannoy-derived sequences to generate a new chaotic S-Box. Dimitrov and Baicheva [52] analyzed the classification of 8-bit-to-8-bit power mappings defined by pentanomials for S-Box generation. Waheed et al. [29] introduced S-Boxes constructed through a combination of linear fractional transformation and multilayer perceptrons, achieving the best reported nonlinearity of 114.5. Elliptic curve structures have also been widely explored for S-box design in recent years, including deterministic generators over elliptic curves for real-time applications [53], image encryption schemes based on elliptic curve isomorphisms [54], dynamic constructions using elliptic curves over finite rings [55], and more recently, Mordell elliptic curves over Galois fields for dynamic S-box generation [7].

Chaotic dynamical systems have also been widely adopted for constructing S-Boxes. Boobalan et al. [18] proposed dynamic S-Boxes derived from Lorenz and Chua chaotic systems for efficient image encryption. A dynamic scheme based on Mordell elliptic curves over Galois fields was presented in [7]. Group-action-based S-Box generation was described in [6]. The approach in [32] combined chaotic maps with bit-level permutations to construct S-Boxes for medical data security. Furthermore, Zhang Lijun et al. [56] introduced S-Boxes generated via quantum random walks controlled by a hyper-chaotic map. These methods provide advantages in randomness and applicability to image encryption, but the achieved nonlinearity typically remains at medium–high levels, in most cases below 112, and still far from the theoretical optimum.

Other studies have combined multiple methods or applied heuristic algorithms to strengthen S-Box properties. A cost-function-based approach for efficient S-Box construction was proposed in [5], while [31] employed a hybrid population-based hill climbing algorithm, where the nonlinearity stopped at 104. The work in [30] utilized rotation symmetry combined with heuristic search to generate S-Boxes. Malik et al. [33] constructed nonlinear components in the form of S-Boxes using hybrid pseudo-random binary sequences. In addition, Song and Zhao [17] focused on S-Box designs for secure image encryption, emphasizing a balance between robustness and efficiency.

Some works explored the construction of larger S-Boxes from smaller substitution components to achieve lightweight and efficient designs. The study in [45] introduced a Feistel-based composition method, while [47] extended the analysis to both Feistel and MISTY networks, highlighting their potential for the systematic generation of lightweight substitution layers. High differential and linear branch numbers were targeted in [51] to improve diffusion, whereas [46] investigated hardware-oriented S-Box constructions combined with masking techniques to resist side-channel attacks. More recently, Yan et al. [48] developed substitution layers based on small S-Boxes that are resilient to differential power analysis, confirming the practicality of this direction. Collectively, these contributions underline that the primary motivation of composition-based methods lies in hardware efficiency and deployability rather than maximizing theoretical cryptographic metrics.

In summary, recent research has significantly expanded the design space of S-Boxes through diverse approaches. However, the gap between the best known result (114.5) and the theoretical maximum (116) persists, leaving an open challenge that the present study aims to address.

3. Background

3.1. Boolean Functions and Nonlinearity

Boolean functions [57] are at the heart of symmetric cryptography, where they provide the nonlinearity required to secure block ciphers against algebraic and statistical attacks. An n-variable Boolean function is formally defined as a mapping $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2$, where ${\mathbb{F}}_2$ denotes the binary field. For an input vector $x=(x_1,x_2,\dots ,x_n)\in {\mathbb{F}}_2^n$, the function outputs a single bit $f\left(x\right)\in \{0,1\}$. One of the most important cryptographic indicators of a Boolean function is its nonlinearity, which quantifies the minimum Hamming distance between f and the set of all affine functions. Formally, the nonlinearity of f is defined as Equation (1) [58].

$$NL\left(f\right)=\underset{g\in A_n}{min}{d}_H(f,g),$$

(1)

where $A_n$ is the set of affine functions in n variables and $d_H$ is the Hamming distance. High nonlinearity ensures that f cannot be closely approximated by linear or affine expressions, thereby strengthening resistance against linear cryptanalysis. The theoretical maximum nonlinearity of an n-variable Boolean function is given by Equation (2) [58].

$$NL\left(f\right)\le 2^{n-1}-2^{{\displaystyle \frac{n}{2}}-1}.$$

(2)

Bent functions represent Boolean functions that achieve the maximum possible distance from all affine functions, thereby providing the highest nonlinearity. However, a fundamental limitation is that bent functions are never balanced, which makes them unsuitable for S-Box design since balancedness is required to avoid biased outputs. Importantly, bent functions exist only when n is even. For instance, with $n=8$, the theoretical upper bound for unbalanced Boolean functions is 120, achieved by bent functions, whereas the best attainable value for balanced functions is strictly lower, at 116 [1,2,3]. This bound of 116, therefore, constitutes the true optimal target for the coordinate functions of an $8\times 8$ S-Box.

The Walsh–Hadamard transform [59] is typically used to compute nonlinearity. For a Boolean function f, the Walsh spectrum is defined as Equation (3).

$$W_f\left(a\right)=\sum _{x\in {\mathbb{F}}_2^n}{(-1)}^{f\left(x\right)\oplus \langle a,x\rangle },$$

(3)

where $\langle a,x\rangle$ denotes the inner product of vectors a and x over ${\mathbb{F}}_2$. The nonlinearity can then be expressed equivalently as Equation (4).

$$NL\left(f\right)=2^{n-1}-{\displaystyle \frac{1}{2}}\underset{a\in {\mathbb{F}}_2^n}{max}\left|W_f\left(a\right)\right|.$$

(4)

From this perspective, minimizing the maximum Walsh coefficient directly maximizes the nonlinearity of f. This theoretical foundation highlights why constructing balanced 8-variable Boolean functions with nonlinearity 116 has been considered one of the most difficult open problems in symmetric cryptography.

3.2. Properties of Cryptographically Strong S-Boxes

Several well-established criteria are used to evaluate S-Box properties, including nonlinearity (NL), the Strict Avalanche Criterion (SAC), the Bit Independence Criterion (BIC), Differential Approximation Probability (DAP), Linear Approximation Probability (LAP), the algebraic degree (AD), and some parameters related to side-channel attacks, such as the Transparency Order (TO), Modified Transparency Order (MTO), Revised Transparency Order (RTO), Minimum Correlation Coefficient (MCC), Confusion Coefficient Variance (CCV), and Signal-to-Noise Ratio (SNR) [60,61,62,63,64,65,66]. The evaluation criteria for cryptographic S-Boxes have been presented in detail in many existing studies [21,67,68]. These metrics cover both classical cryptanalytic strength and resistance against side-channel attacks. For completeness, we provide, in

Table 1. Summary of the cryptographic criteria for S-Box evaluation.

Criterion	Definition/Meaning	Optimal Value
Bijectivity	One-to-one mapping between input and output, ensuring uniform distribution and balance.	Must be satisfied
NL	Distance from affine functions; higher NL strengthens resistance against linear cryptanalysis.	High
AD	Maximum degree of output Boolean functions; higher AD makes algebraic attacks harder.	High
DAP	Probability that a specific input difference leads to a specific output difference.	Low
LAP	Correlation between linear combinations of input and output bits.	Low
SAC	Probability that a single input bit flip changes each output bit.	0.5
BIC	Measures independence among output bits when an input bit is flipped.	High
TO, MTO, RTO	Indicators of resistance against DPA; lower values reduce leakage correlation.	Low
CCV, MCC	Correlation between leakage and key-dependent intermediates.	Low
SNR	Ratio of exploitable leakage to noise in side-channel signals.	Low

, a concise summary of the main properties and their desired values.

4. Proposed Method

4.1. Proposed Algorithm

In this study, we present a method to construct an 8 × 8 S-Box based on the combination of four $4\times 4$ S-Boxes and multiplication in the subfield $GF\left(2^4\right)$. The objective of the proposed method is to exploit both the strong nonlinearity of the $4\times 4$ lookup tables and the diffusion capability of finite field multiplication, thereby generating a mapping of sufficient complexity to resist modern cryptanalytic techniques. The algorithm takes as input an 8-bit word $x\in {\{0,1\}}^8$, and it produces an 8-bit output $y\in {\{0,1\}}^8$. For computation, the input is divided into two halves: the upper nibble $x[7:4]$ and the lower nibble $x[3:0]$. Similarly, the output is represented by $y[7:4]$ and $y[3:0]$. Four independent $4\times 4$ S-Boxes, denoted as $S_A, S_B, S_C,$ and $S_D$, are employed in the construction. These components provide nonlinearity in each transformation step, while multiplication in $GF\left(2^4\right)$, denoted by ⊗, ensures strong interdependence between the two halves of the data. The upper nibble of the output is computed as Equation (5).

$$y[7:4]=\left\{\begin{array}{cc}{S}_A\left(x[3:0]\right)\otimes x[7:4],\hfill & \mathrm{if}x[7:4]\ne 0,\hfill \\ S_B\left(x[3:0]\right),\hfill & \mathrm{if}x[7:4]=0,\hfill \end{array}\right.$$

(5)

where, when the upper nibble of the input is nonzero, $S_A$ is applied to the lower nibble and the result is multiplied with the upper nibble; otherwise, $S_B$ is applied to the lower nibble. Next, the lower nibble of the output is computed as Equation (6).

$$y[3:0]=\left\{\begin{array}{cc}{S}_C(x[7:4]\otimes y[7:4]),\hfill & \mathrm{if}y[7:4]\ne 0,\hfill \\ S_D\left(x[7:4]\right),\hfill & \mathrm{if}y[7:4]=0.\hfill \end{array}\right.$$

(6)

Thus, the lower nibble depends on both halves of the input through the intermediate value $y[7:4]$, ensuring complete diffusion across the entire 8-bit word. Finally, the complete output is adjusted with a simple XOR by one ($y\leftarrow y\oplus 1$) to remove possible fixed points. This algorithm requires only two $4\times 4$ S-Box lookups, two multiplications in $GF\left(2^4\right)$, and one XOR operation. As a result, it achieves strong nonlinearity with low implementation complexity, which is advantageous for hardware-oriented designs under resource constraints. The combination of nonlinear substitution and finite field multiplication ensures that the high and low nibbles of the data remain strongly correlated, thereby strengthening resistance against differential and linear cryptanalysis. More details on the proposed S-box generation method are presented in Algorithm 1.

Algorithm 1 Proposed Construction $8\times 8$ S-Boxes.

INPUT: Four $4\times 4$ S-Boxes $S_A, S_B, S_C,S_D$; irreducible polynomial $f\left(x\right)$ defining multiplication ⊗ over $\mathrm{GF}\left(2^4\right)$ OUTPUT: $Sbox[0:255]$ – the generated $8\times 8$ S-Box 1: for $x\leftarrow 0$ to 255 do 2:    Split input x into two nibbles: $x_H\leftarrow (x\gg 4)\&0xF$, $x_L\leftarrow x\&0xF$ 3:    if $x_H\ne 0$ then 4:        $y_H\leftarrow S_A\left(x_L\right)\otimes x_H$ 5:    else 6:        $y_H\leftarrow S_B\left(x_L\right)$ 7:    end if 8:    if $y_H\ne 0$ then 9:        $y_L\leftarrow S_C\left(x_H\otimes y_H\right)$ 10:    else 11:      $y_L\leftarrow S_D\left(x_H\right)$ 12:    end if 13:    $y\leftarrow (y_H\ll 4)|y_L$ 14:    $y\leftarrow y\oplus 0x01$ {final XOR to remove fixed points} 15:    $Sbox\left[x\right]\leftarrow y$ 16: end for 17: return  $Sbox$

4.2. Experimental

To specify multiplication ⊗ in $GF\left(2^4\right)$, three irreducible polynomials of degree four over $GF\left(2\right)$ are employed as Equation (7).

$$f_1\left(x\right)=x^4+x+1,f_2\left(x\right)=x^4+x^3+1,f_3\left(x\right)=x^4+x^3+x^2+x+1.$$

(7)

Each polynomial defines a distinct representation of the finite field, which leads to different multiplication tables and, consequently, different sets of $4\times 4$ S-Boxes.

The $4\times 4$ S-Boxes are generated from power mappings in the multiplicative group $GF{\left(2^4\right)}^{*}$ of an order of 15. A mapping $x\mapsto x^k$ is bijective if and only if $gcd(k,15)=1$. Therefore, the valid exponents are $k\in \{1,2,4,7,8,11,13,14\}$. Each exponent produces one distinct $4\times 4$ S-Box. Hence, for each irreducible polynomial $f_i$, eight S-Boxes are obtained, denoted as $S1$ through $S8$.

Table 2. The $4\times 4$ S-Boxes generated from three irreducible polynomials.

Name	${\mathit{f}}_1\left(\mathit{x}\right)={\mathit{x}}^4+\mathit{x}+1$	${\mathit{f}}_2\left(\mathit{x}\right)={\mathit{x}}^4+{\mathit{x}}^3+1$	${\mathit{f}}_3\left(\mathit{x}\right)={\mathit{x}}^4+{\mathit{x}}^3+{\mathit{x}}^2+\mathit{x}+1$
S1	0, 1, 2, 3, 4, 5, 6, 7 8, 9, A, B, C, D, E, F	0, 1, 2, 3, 4, 5, 6, 7 8, 9, A, B, C, D, E, F	0, 1, 2, 3, 4, 5, 6, 7 8, 9, A, B, C, D, E, F
S2	0, 1, 4, 5, 3, 2, 7, 6 C, D, 8, 9, F, E, B, A	0, 1, 4, 5, 9, 8, D, C F, E, B, A, 6, 7, 2, 3	0, 1, 4, 5, F, E, B, A 2, 3, 6, 7, D, C, 9, 8
S3	0, 1, 3, 2, 5, 4, 6, 7 F, E, C, D, A, B, 9, 8	0, 1, 9, 8, E, F, 7, 6 3, 2, A, B, D, C, 4, 5	0, 1, F, E, 8, 9, 7, 6 4, 5, B, A, C, D, 3, 2
S4	0, 1, B, D, 9, E, 6, 7 C, 5, 8, 3, F, 2, 4, A	0, 1, 7, 5, C, 8, 2, 9 F, 6, A, B, E, 4, D, 3	0, 1, 4, 7, F, A, 3, E 2, B, 9, 5, C, D, 6, 8
S5	0, 1, 5, 4, 2, 3, 7, 6 A, B, F, E, 8, 9, D, C	0, 1, E, F, 2, 3, C, D 5, 4, B, A, 7, 6, 9, 8	0, 1, 8, 9, 2, 3, A, B F, E, 7, 6, D, C, 5, 4
S6	0, 1, E, 9, B, D, 7, 6 8, 3, A, 4, C, 5, 2, F	0, 1, D, 3, 7, 5, E, 4 8, C, B, A, 9, 2, 6, F	0, 1, 2, B, 4, 7, 9, 5 8, 6, E, 3, D, C, A, F
S7	0, 1, D, B, E, 9, 6, 7 A, 4, F, 2, 8, 3, 5, C	0, 1, 6, F, D, 3, 9, 2 5, 7, A, B, 4, E, C, 8	0, 1, 8, 6, 2, B, E, 3 F, A, 5, 9, C, D, 7, 4
S8	0, 1, 9, E, D, B, 7, 6 F, 2, C, 5, A, 4, 3, 8	0, 1, C, 8, 6, F, 4, E 3, D, B, A, 2, 9, 7, 5	0, 1, F, A, 8, 6, 5, 9 4, 7, 3, E, D, C, B, 2

lists all the resulting $4\times 4$ S-Boxes for the three polynomials.

During the experimentation, four S-Boxes were selected from each set of eight and assigned to $S_A, S_B, S_C,$ and $S_D$ in the proposed algorithm. For a single irreducible polynomial, this resulted in $8^4=4096$ possible configurations, and across the three considered polynomials, the total number of generated S-Boxes reached 12,288. The distribution of average Boolean function nonlinearities for these S-Boxes is summarized in

Table 3. The distribution of S-Boxes according to average Boolean function nonlinearity.

Average NL (${\mathit{f}}_{\mathit{i}}$)	Number of S-Boxes
108	768
110	1536
112	3072
114	4608
116	2304

. Among them, 2304 S-Boxes achieved the optimal nonlinearity of 116 for all coordinate Boolean functions. This outcome highlights both the strength and flexibility of the proposed construction method, as it yields a large set of secure candidates from which practical designs can be selected. From this collection, we prioritize configurations with the lowest implementation cost, which corresponds to the case where all four component S-Boxes $S_A, S_B, S_C,$ and $S_D$ are identical.

Using the irreducible polynomial $f_1\left(x\right)=x^4+x+1$, one representative S-Box is obtained with four identical $4\times 4$ components, which are defined as $S_8$ = [0, 1, 9, E, D, B, 7, 6, F, 2, C, 5, A, 4, 3, 8]. This S-Box corresponds to the configuration optimized for hardware resources, ensuring a compact implementation with reduced logic complexity while maintaining good cryptographic performance. The values of this S-Box are provided in

Table 4. The selected S-Box optimized for hardware efficiency ($S_{01}$).

i/j	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	01	11	91	E1	D1	B1	71	61	F1	21	C1	51	A1	41	31	81
1	00	10	93	E2	D5	B4	77	66	F9	28	CB	5A	AD	4C	3F	8E
2	08	2C	18	F5	90	5D	E9	C4	D3	4E	BA	A7	72	8F	6B	36
3	0F	3A	84	1F	4B	E0	9E	A5	26	6D	73	F8	DC	C7	59	B2
4	0C	4F	2E	D0	1C	A2	F3	BD	98	86	57	79	E5	3B	CA	64
5	0A	58	B0	39	C3	1A	82	DB	65	AC	94	2D	47	7E	F6	EF
6	06	67	3D	2B	8A	FC	16	70	44	C2	E8	DE	9F	B9	A3	55
7	07	76	AF	C8	5E	49	60	17	BC	EB	22	85	33	F4	9D	DA
8	0E	8B	46	9C	2F	75	D8	52	1E	34	A9	E3	F0	6A	B7	CD
9	03	95	D9	7D	F2	C6	AA	3E	E7	13	6F	BB	54	20	8C	48
A	0D	AE	5C	63	B8	27	35	9A	C0	7F	1D	42	89	E6	D4	FB
B	04	B3	C5	87	69	9B	4D	FF	32	50	D6	14	2A	A8	EE	7C
C	0B	C9	62	4A	37	DF	24	EC	8D	B5	FE	96	1B	53	78	A0
D	05	D2	F7	A4	ED	6E	5B	88	7A	99	3C	CF	B6	15	40	23
E	02	E4	7B	BE	A6	83	CC	29	5F	FA	45	30	68	DD	12	97
F	09	FD	EA	56	74	38	BF	43	AB	D7	80	6C	CE	92	25	19

.

Alternatively, with the same irreducible polynomial $f_1\left(x\right)=x^4+x+1$, another representative S-Box can be obtained by selecting different component S-Boxes, such as, for instance, $S_A=S_6$, $S_B=S_8$, $S_C=S_7$, and $S_D=S_8$. This configuration achieves an algebraic immunity (AI) of 3, offering stronger resistance against algebraic attacks; however, it is less hardware-efficient compared to the previous configuration optimized for resource usage. The S-Box corresponding to this AI-optimized configuration is presented in

Table 5. The selected S-Box optimized for algebraic immunity ($S_{02}$).

i/j	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	01	11	91	E1	D1	B1	71	61	F1	21	C1	51	A1	41	31	81
1	00	10	E4	95	B3	D2	76	67	8B	3A	AE	4F	C9	58	2C	FD
2	08	2F	F2	1C	5E	90	ED	C3	37	69	74	8A	B8	A6	4B	D5
3	0F	38	1A	83	E0	49	9B	A2	B4	5D	DF	C6	75	FC	6E	27
4	0C	4A	D0	2B	A4	1F	F5	BE	63	C8	E2	39	56	7D	87	9C
5	0A	5C	3D	B0	18	C5	84	D9	EA	F7	46	7B	93	2E	AF	62
6	06	66	29	3E	FF	88	17	70	52	A5	9A	BD	EC	DB	C4	43
7	07	77	CC	AA	4D	5B	60	16	D8	9E	35	F3	24	82	E9	BF
8	0E	89	9F	47	72	2A	DC	54	CE	B6	F0	68	AD	E5	33	1B
9	03	92	7E	DD	C7	F4	A8	3B	4C	8F	53	20	6A	B9	15	E6
A	0D	AB	65	5F	26	BC	32	98	F9	D3	8D	E7	1E	44	7A	C0
B	04	B5	86	C2	99	6D	4E	FA	7F	EB	28	AC	D7	13	50	34
C	0B	CD	48	64	DA	36	23	EF	A0	7C	19	55	FB	97	B2	8E
D	05	D4	A3	F6	6B	EE	59	8C	25	40	B7	12	3F	CA	9D	78
E	02	E3	BB	79	85	A7	CF	2D	96	14	6C	DE	42	30	F8	5A
F	09	FE	57	E8	3C	73	BA	45	1D	22	CB	94	80	6F	D6	A9

. It is worth noting that the coordinate Boolean functions of this S-Box maintain an average nonlinearity of 116, while the detailed evaluation of other cryptographic parameters is discussed in the next section.

5. Security Analysis

A variety of essential criteria for evaluating the cryptographic strength of S-Boxes have been discussed in [60,61,67,68]. Instead of restating the complete mathematical formulations for these metrics, we present only the corresponding analytical results, as the detailed definitions are readily available in the existing S-Box literature. To support reproducibility, a dedicated program for computing all evaluation parameters of the S-Box has been developed and is publicly accessible at https://github.com/dpp291187/S-Box-Cryptanalysis (accessed on 19 October 2025). In the following analysis, the detailed evaluation is presented for the S-Box $S_{01}$ (optimized for hardware efficiency), while the analysis for $S_{02}$ (optimized for algebraic immunity) follows the same procedure. The complete results for both S-Boxes are available in the provided link and are summarized in the final results table.

5.1. Nonlinearity

By applying the standard formula for computing the nonlinearity of Boolean functions to each coordinate function of the S-Box, the average coordinate function nonlinearity results are obtained as shown in

Table 6. Boolean function nonlinearity comparison with other studies.

S-Box	Year	${\mathit{f}}_1$	${\mathit{f}}_2$	${\mathit{f}}_3$	${\mathit{f}}_4$	${\mathit{f}}_5$	${\mathit{f}}_6$	${\mathit{f}}_7$	${\mathit{f}}_8$	Avg. NL (${\mathit{f}}_{\mathit{i}}$)	NL (S)
[4]	2025	112	112	112	112	112	112	112	112	112.00	096
[6]	2024	112	112	112	112	112	112	112	112	112.00	112
[7]	2024	104	104	106	106	106	104	108	104	105.25	094
[8]	2024	112	112	112	112	112	112	112	112	112.00	112
[9]	2024	112	112	112	112	112	112	112	112	112.00	094
[10]	2023	112	112	112	112	112	112	112	112	112.00	112
[17]	2025	112	112	112	112	112	112	112	112	112.00	112
[20]	2024	106	104	106	110	106	108	108	106	106.75	094
[22]	2023	106	104	106	110	106	108	108	106	106.75	094
[25]	2023	106	102	106	106	106	104	106	098	104.25	096
[29]	2024	116	114	116	114	114	114	114	114	114.50	094
[32]	2024	112	110	112	112	110	110	110	112	111.00	110
[33]	2024	112	112	112	110	112	112	112	112	111.75	110
[36]	2023	110	108	110	108	110	108	110	108	109.00	088
[56]	2024	104	106	106	104	110	106	112	104	106.50	092
[69]	2024	100	102	102	102	104	104	102	106	102.75	094
[70]	2001	112	112	112	112	112	112	112	112	112.00	112
$S_{01}$	2025	116	116	116	116	116	116	116	116	116.00	108
$S_{02}$	2025	116	116	116	116	116	116	116	116	116.00	108

. Most existing constructions achieve average nonlinearity values in the range of 100–112, with the best reported results reaching about 114.5 on average. In contrast, the proposed S-Box achieves the maximum balanced coordinate function nonlinearity of 116 uniformly across all eight Boolean functions, giving an average NL of 116.00. This uniform attainment of the theoretical optimum clearly surpasses all previously reported works and establishes a new benchmark for coordinate function-based S-Box design.

In addition to the coordinate function analysis, the vectorial nonlinearity of the S-Box, denoted by $NL\left(S\right)$, was also evaluated according to the standard definition:

$$NL\left(S\right)=\underset{v\ne 0}{min}NL(v·S).$$

The obtained result, $NL\left(S\right)=108$, corresponds to a linear approximation probability of $LAP=0.078$, which remains at a high level compared to recent studies. For instance, several recent algebraic and chaotic-map-based constructions report $NL\left(S\right)$ values between 104 and 112. Therefore, although our design does not reach the upper bound of 112 achieved by a few specific approaches, it still provides strong resistance against linear cryptanalysis with a near-optimal trade-off between vectorial nonlinearity and implementation simplicity.

The constructed S-Box also achieves the maximum algebraic degree of 7. Although this value is commonly obtained in many strong S-Box designs, it remains a critical feature that prevents low-degree polynomial representations, thereby reinforcing robustness against algebraic cryptanalysis.

5.2. Algebraic Complexity

Algebraic complexity (AC) is an important parameter for evaluating the resistance of an S-Box against interpolation attacks. If an S-Box can be represented by a univariate polynomial of a low degree with only a few non-zero coefficients, it may be vulnerable to algebraic exploitation. Formally, AC is defined as the number of non-zero coefficients in the univariate polynomial representation of the S-Box over the finite field, depending on the chosen irreducible polynomial $f\left(X\right)$ used to construct the field [56]. For example, with $f\left(X\right)=X^8+X^4+X^3+X^2+1$ in $GF\left(2^8\right)$, the coefficients can be determined through the discrete Fourier transform of the S-Box values, as described in [56].

In our experiments, the proposed S-Boxes achieve an algebraic complexity of AC = 253, which is very close to the theoretical maximum of 255. Since the AC values of all compared S-Boxes are nearly the same, with only negligible differences, this parameter is not included in the main comparison table.

5.3. Algebraic Immunity (AI)

The concept of algebraic immunity (AI), originally proposed for Boolean functions, has been extended to vectorial Boolean functions and S-Boxes in order to evaluate their resistance against algebraic and higher-order algebraic attacks. In this context, AI quantifies the minimum algebraic degree of any nontrivial multivariate polynomial relation linking the input and output bits of an S-Box.

Formally, for an $n\times m$ S-Box $S\left(x\right)=(f_1\left(x\right),f_2\left(x\right),\dots ,f_m\left(x\right))$, the algebraic immunity is defined as the smallest degree d of a nonzero vectorial Boolean function $G\left(x\right)=(g_1\left(x\right),g_2\left(x\right),\dots ,g_m\left(x\right))$ such that $S\left(x\right)·G\left(x\right)=0\mathrm{or}\left(S\right(x)+1)·G\left(x\right)=0$.

This generalization was introduced by Fischer and Meier [71], who demonstrated how algebraic relations among the coordinates of an S-Box can significantly reduce the complexity of algebraic cryptanalysis. Therefore, a high AI value indicates that the S-Box resists low-degree algebraic approximations, improving its robustness against algebraic and cube attacks.

In this study, the proposed S-Boxes have been analyzed for their algebraic immunity to ensure robustness against algebraic attacks. The first configuration ($S_{01}$), optimized for hardware efficiency, achieves an AI of 2, which already meets standard cryptographic requirements. Meanwhile, the second configuration ($S_{02}$), optimized specifically for algebraic immunity, attains an AI of 3, offering improved resistance at the cost of slightly higher implementation complexity. These results confirm the flexibility of the proposed construction method in balancing hardware efficiency and security strength.

5.4. Linear Redundancy

Let $S:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$ and define the nonzero components $f_{\lambda }\left(x\right)=\lambda ·S\left(x\right)$ for all $\lambda \in {\mathbb{F}}_2^n\setminus \left\{0\right\}$ (there are $2^n-1$ of them, and for $n=8$, this is 255). Two Boolean functions $f,g$ are affine-equivalent if $g\left(x\right)=f(Dx\oplus a)\oplus (b·x)\oplus c$ for some invertible $D\in \mathrm{GL}(n,2)$ and $a,b\in {\mathbb{F}}_2^n$, $c\in {\mathbb{F}}_2$. Following [72], linear redundancy refers to many (or all) $f_{\lambda }$ lying in the same affine-equivalence class; the class-variety criterion, therefore, asks the components to occupy many, ideally distinct, classes. We group components using affine invariants—the algebraic degree, nonlinearity, and the absolute Walsh spectrum (optionally absolute autocorrelation)—since the degree and nonlinearity are preserved and the absolute spectra are permuted by affine maps.

Metrics in Our Table

• Class count ${\mathit{t}}_{\mathrm{lower}}$: the lower bound on the number of affine-equivalence classes obtained by invariant-based bucketing; $t_{\mathrm{lower}}=1$ means complete redundancy, larger values indicate less redundancy.
• Pair redundancy (UB): the upper bound on the fraction of equivalent pairs, computed as ${\sum }_i\left({\displaystyle \genfrac{}{}{0pt}{}{k_i}{2}}\right)/\left({\displaystyle \genfrac{}{}{0pt}{}{2^n-1}{2}}\right)$ from bucket sizes $k_i$; smaller values indicate less redundancy.
• Rank of $\mathbf{\left\{}{\mathit{f}}_{\mathit{\lambda }}\mathbf{\right\}}$: the GF(2) rank when viewing components as vectors in ${\mathbb{F}}_2^{2^n}$; for $8\times 8$ S-boxes, rank $=8$ is typical, while values below 8 indicate linear dependencies between output bits.

According to the results in

Table 7. Linear redundancy metrics for 8 × 8 S-boxes.

S-Box	${\mathit{t}}_{\mathbf{lower}}$ ↑	Pair Count (UB) ↓	Pair Ratio (UB) ↓	Rank of $\left\{{\mathit{f}}_{\mathit{\lambda }}\right\}$
[4]	5	9255	28.58%	8
[6]	1	32,385	100.00%	8
[7]	1	32,385	100.00%	8
[8]	1	32,385	100.00%	8
[9]	255	0	0%	8
[10]	253	2	0.01%	8
[17]	17	8449	26.09%	8
[20]	255	0	0%	8
[22]	255	0	0%	8
[25]	255	0	0%	8
[29]	255	0	0%	8
[32]	127	8003	24.71%	8
[33]	126	8004	24.72%	8
[36]	255	0	0%	8
[56]	255	0	0%	8
[69]	255	0	0%	8
[70]	1	32,385	100.00%	8
$S_{01}$	31	1203	3.71%	8
$S_{02}$	31	1203	3.71%	8

Note: $t_{\mathrm{lower}}$ is a lower bound on the number of affine-equivalence classes (Class Variety). “UB” denotes an upper bound computed from affine-invariant bucket sizes, where ↑ higher is better; ↓ lower is better; and Rank = 8 is normal/good.

, both $S_{01}$ and $S_{02}$ have the same profile: $t_{\mathrm{lower}}=31$ and pair count (UB) $=1203/32385$ (pair ratio (UB) $=3.71\%$). This indicates substantial class variety with only a small fraction of potentially equivalent pairs. Compared with AES ($t_{\mathrm{lower}}=1$, $100\%$), $S_{01}$/$S_{02}$ markedly reduce linear redundancy; although not matching the best entries ($t_{\mathrm{lower}}=255$, $0\%$), the outcome is limited yet acceptable given their algebraic construction.

5.5. Strict Avalanche Criterion

One of the fundamental measures of diffusion in an S-Box is the Strict Avalanche Criterion (SAC), which evaluates whether flipping a single input bit produces random-like changes across the output bits with a probability close to 50%. When the SAC values approach 0.5, the S-Box is considered to exhibit strong randomness. Using the method described in [51], the SAC values for each coordinate function of the proposed S-Box were determined, and the outcomes are summarized in

Table 8. The SAC values of the proposed S-Box.

i/j	1	2	3	4	5	6	7	8
1	0.5000	0.5000	0.5000	0.5000	0.5469	0.5469	0.5313	0.5469
2	0.5000	0.5000	0.4375	0.5000	0.5313	0.5313	0.5313	0.5469
3	0.5000	0.4375	0.5000	0.5000	0.5313	0.5313	0.5469	0.5469
4	0.4375	0.5000	0.5000	0.5000	0.5313	0.5469	0.5469	0.5313
5	0.5469	0.5469	0.5313	0.5469	0.4375	0.5000	0.5000	0.5000
6	0.5313	0.5313	0.5313	0.5469	0.4375	0.5000	0.5000	0.5000
7	0.5313	0.5313	0.5469	0.5469	0.4375	0.5000	0.5000	0.5000
8	0.5313	0.5469	0.5469	0.5313	0.4375	0.5000	0.5000	0.5000

. The overall average value obtained was 0.5126, which is essentially optimal.

5.6. Bit Independence Criterion

The Bit Independence Criterion (BIC) serves as an important indicator of whether the output bits of an S-Box behave independently when a single input bit is modified. It is typically examined through two perspectives: the avalanche effect (BIC-SAC) and resistance to linear approximation (BIC-NL). The computed results, summarized in

Table 9. The nonlinearity BIC results (BIC-NL) of the proposed S-Box.

i/j	1	2	3	4	5	6	7	8
1	-	116	116	116	110	108	108	108
2	116	-	116	116	108	108	108	108
3	116	116	-	116	108	110	108	108
4	116	116	116	-	110	108	108	108
5	110	108	108	110	-	116	116	116
6	108	108	110	108	116	-	116	116
7	108	108	108	108	116	116	-	116
8	108	108	108	108	116	116	116	-

and

Table 10. The Strict Avalanche Criterion values for BIC (BIC-SAC).

i/j	1	2	3	4	5	6	7	8
1	-	0.5176	0.5156	0.5078	0.4902	0.5117	0.5059	0.5020
2	0.5176	-	0.5137	0.5156	0.5039	0.5117	0.5332	0.5117
3	0.5156	0.5137	-	0.5156	0.5059	0.5176	0.5254	0.5039
4	0.5078	0.5156	0.5156	-	0.4941	0.5195	0.5078	0.5117
5	0.4902	0.5039	0.5059	0.4941	-	0.5098	0.5078	0.5078
6	0.5117	0.5117	0.5176	0.5195	0.5098	-	0.5059	0.5078
7	0.5059	0.5332	0.5254	0.5078	0.5078	0.5059	-	0.5078
8	0.5020	0.5117	0.5039	0.5117	0.5078	0.5078	0.5078	-

, show that the proposed S-Box attains an average BIC-NL of 111.64 and an average BIC-SAC of 0.5103. These values confirm that the design satisfies the independence requirement and exhibits strong cryptographic quality.

5.7. Differential Approximation Probability

An S-Box’s resistance to differential cryptanalysis is commonly evaluated through its differential uniformity, which reflects how evenly output differences are distributed when input differences are applied [61,67]. This behavior is summarized using the XOR distribution table, as shown in

Table 11. XOR distribution table of the proposed S-Box.

0	6	4	4	4	4	4	4	4	4	4	4	4	4	4	4
6	4	4	4	4	4	4	4	4	6	4	6	4	6	6	4
4	4	4	6	4	4	4	4	4	4	4	4	4	4	6	4
4	4	6	4	4	4	4	4	4	6	4	4	4	4	4	4
4	4	4	4	4	6	4	4	4	4	4	6	4	4	4	4
4	4	4	4	6	4	4	4	4	4	4	4	4	6	4	4
4	6	4	4	4	4	4	4	4	4	4	4	4	4	4	4
4	6	4	4	4	4	4	4	4	4	4	4	4	4	4	4
4	4	4	4	6	4	4	4	4	4	4	6	4	4	4	6
4	4	4	6	6	4	6	6	4	4	6	6	6	4	4	4
4	4	6	4	4	4	4	4	4	4	4	4	6	4	6	4
4	4	6	4	6	4	6	6	6	4	4	4	4	4	6	6
4	4	4	6	4	4	4	4	4	6	4	4	4	4	4	4
4	4	4	6	4	6	6	6	6	6	4	4	4	4	4	6
4	4	6	4	4	6	6	6	4	4	6	4	6	6	4	4
4	4	4	4	4	6	4	4	6	4	4	4	4	6	4	4

, where each entry shows the frequency of specific input–output difference pairs.

Table 12. Comparison with alternative S-Boxes.

S-Box	Year	Avg. NL (${\mathit{f}}_{\mathit{i}}$)	BIC-NL	SAC	BIC-SAC	DAP	LAP	NL (S)	AI	FP	OFP
[4]	2025	112.00	107.14	0.5009	0.4780	0.070	0.125	096	2	0	0
[6]	2024	112.00	112.00	0.5049	0.5046	0.016	0.063	112	2	2	1
[7]	2024	105.25	104.21	0.5066	0.4989	0.047	0.133	094	3	2	1
[8]	2024	112.00	112.00	0.5044	0.5047	0.016	0.063	112	2	1	1
[9]	2024	112.00	103.07	0.5014	0.4979	0.039	0.133	094	3	0	0
[10]	2023	112.00	112.00	0.4892	0.5017	0.016	0.063	112	2	0	1
[17]	2025	112.00	112.00	0.5042	0.5033	0.023	0.063	112	2	0	2
[20]	2024	104.25	104.29	0.5056	0.5001	0.055	0.133	094	3	1	2
[22]	2023	106.75	103.57	0.5026	0.5019	0.039	0.133	094	3	2	0
[25]	2023	104.25	104.00	0.5029	0.5026	0.047	0.125	096	3	0	0
[29]	2024	114.50	103.29	0.4976	0.5050	0.039	0.133	094	3	2	1
[32]	2024	111.00	111.43	0.5017	0.5034	0.023	0.070	110	2	2	0
[33]	2024	111.75	111.00	0.5034	0.5050	0.023	0.070	110	2	3	2
[36]	2023	109.00	103.86	0.4936	0.5057	0.039	0.156	088	3	0	1
[56]	2024	106.50	103.21	0.5034	0.5040	0.039	0.148	092	3	1	0
[69]	2024	102.75	103.93	0.5051	0.5027	0.039	0.133	094	3	1	2
[70]	2001	112.00	112.00	0.5048	0.5046	0.016	0.063	112	2	0	0
$S_{01}$	2025	116.00	111.64	0.5126	0.5103	0.023	0.078	108	2	0	0
$S_{02}$	2025	116.00	111.57	0.5166	0.5093	0.023	0.078	108	3	0	1
Ideal value	–	High	High	0.5000	0.5000	Low	Low	High	High	0	0

highlights the distribution of differences across the S-Box. The largest entry, denoted as the differential uniformity, shows the maximum probability of a specific difference pair occurring. Smaller values indicate stronger resistance against differential cryptanalysis. Based on the table, the maximum observed frequency leads to a differential uniformity of 6. Consequently, the DAP, obtained by normalizing this value over the full input space, equals $6/256=0.0234$.

5.8. Linear Approximation Probability

Another important property is the linear approximation probability, which evaluates the likelihood of the linear relations existing between the selected input and output bits of the S-Box [61,67]. This measure reflects vulnerability to linear cryptanalysis, where smaller values correspond to better resistance. The analysis shows that the S-Box under study achieves a maximum linear probability of 0.078, indicating that no strong linear correlations or structures are present. This outcome suggests that the transformation is resistant to linear approximations, thereby improving the overall cryptographic strength.

5.9. Branch Number

The branch number (BN) is a classical diffusion criterion used to evaluate how input differences or masks propagate through an S-Box [51]. It is commonly measured in terms of the differential branch number (DBN) and the linear branch number (LBN). In general, most $8\times 8$ S-Boxes, including the AES S-Box, achieve only a branch number of 2. Our proposed S-Boxes also have a branch number of 2, which is consistent with other well-known designs. Therefore, this parameter does not offer a distinguishing feature and was not included in the main comparison table.

5.10. Boomerang Attack Resistance

The boomerang attack is a variant of differential cryptanalysis, and its resistance can be assessed using the Boomerang Connectivity Table (BCT) [73] for SPN ciphers and the Feistel BCT (FBCT) [74] for Feistel structures. The key parameter derived from these tables is the boomerang uniformity (BU) [75], with the Feistel counterpart (FBU) defined analogously. Following the methods in [73,74], we evaluated both BCT and FBCT for the proposed S-Boxes. The results show that the boomerang uniformity (BU) and Feistel boomerang uniformity (FBU) of our S-Boxes are 14 and 8, respectively, which are weaker than those of the AES S-Box (6 and 4). Nevertheless, the obtained values still demonstrate acceptable resistance against boomerang attacks.

According to Table 12, the proposed S-boxes $S_{01}$ and $S_{02}$ achieve the highest average component nonlinearity in the comparison (Avg. NL ($f_i$) $=116.00$ for both). Their correlation-based score BIC-NL is close to the best entries (111.64 for $S_{01}$; 111.57 for $S_{02}$), while SAC and BIC-SAC stay near the ideal $0.5$ (0.5126/0.5103 for $S_{01}$; 0.5166/0.5093 for $S_{02}$). The avalanche leakages are small (DAP $=0.023$, LAP $=0.078$); although slightly weaker than AES, they are lower than or comparable to most alternatives, indicating a favorable differential/linear trade-off. The whole–S-box nonlinearity is moderate (NL (S) $=108$ for both), slightly below the best reported value (112), and the algebraic immunity is 2 ($S_{01}$) and 3 ($S_{02}$). Overall, $S_{01}$/$S_{02}$ are competitive in correlation resistance and diffusion, with the main trade-off being a modest NL(S).

Another noteworthy strength of the proposed S-Box is the complete elimination of both fixed points and opposite fixed points. In this design, the number of fixed points is zero ($FP=0$), and likewise, the number of opposite fixed points is also zero ($OFP=0$). A fixed point corresponds to an input x such that $S\left(x\right)=x$, while an opposite fixed point arises when $S\left(x\right)=\overline{x}$, with $\overline{x}$ denoting the bitwise complement of x. The presence of such properties can weaken security by introducing predictable structures that are exploitable by adversaries. The absence of both FP and OFP in our construction ensures that no trivial input–output patterns exist, thereby enhancing unpredictability and reinforcing the overall cryptographic strength of the proposed S-Box.

5.11. Side-Channel Attack Analysis

In addition to conventional cryptographic criteria, it is essential to assess the resistance of an S-Box against side-channel attacks. For this purpose, we computed several commonly used parameters, including TO. When making comparisons across different designs, however, the normalized forms $T{O}_0$, $MT{O}_0$, and $RT{O}_0$ are typically used, together with MCC, CCV, and SNR. These metrics provide a fair basis for evaluating how effectively an S-Box can mitigate leakage exploitable by power analysis or related techniques.

The results summarized in

Table 13. Comparison of the SCA parameter with alternative S-Boxes.

S-Box	Year	${\mathit{TO}}_0$	${\mathit{MTO}}_0$	${\mathit{RTO}}_0$	MCC	CCV	SNR
[4]	2025	7.930	6.906	7.501	0.781	0.101	9.894
[6]	2024	7.860	6.870	7.458	0.820	0.111	9.600
[7]	2024	7.796	6.759	7.340	0.703	0.175	8.208
[8]	2024	7.852	6.853	7.450	0.770	0.122	9.326
[9]	2024	7.833	6.833	7.373	0.738	0.148	8.731
[10]	2023	7.853	6.888	7.468	0.808	0.109	9.664
[17]	2025	7.856	6.884	7.490	0.799	0.102	9.866
[20]	2024	7.804	6.815	7.431	0.805	0.125	9.247
[22]	2023	7.820	6.850	7.440	0.820	0.117	9.436
[25]	2023	7.797	6.810	7.409	0.820	0.129	9.147
[29]	2024	7.854	6.903	7.441	0.804	0.115	9.489
[32]	2024	7.852	6.853	7.439	0.820	0.120	9.373
[33]	2024	7.858	6.865	7.463	0.820	0.109	9.659
[36]	2023	7.812	6.820	7.466	0.750	0.113	9.565
[56]	2024	7.807	6.794	7.401	0.785	0.143	8.836
[69]	2024	7.795	6.781	7.417	0.805	0.124	9.251
[70]	2001	7.860	6.869	7.458	0.820	0.111	9.600
$S_{01}$	2025	7.908	6.967	7.511	0.801	0.092	10.153
$S_{02}$	2025	7.910	6.962	7.484	0.813	0.099	9.949
Ideal value	–	Low	Low	Low	Low	Low	Low

show that the proposed design achieves parameter values that are closely aligned with those of AES and other recent strong constructions. The variations observed across different schemes are minimal, which indicates that, at the theoretical level, most modern S-Box designs, including the one proposed here, demonstrate a comparable degree of robustness against basic side-channel attacks. This also confirms that the cryptographic improvements obtained in the proposed S-Box do not compromise its side-channel security.

Since theoretical analysis alone cannot fully capture practical leakage behavior, the next section turns to hardware implementation and experimental attacks to provide a more reliable evaluation of the proposed S-Box in realistic scenarios.

To evaluate the resistance of the proposed S-Box against side-channel attacks, a trace acquisition scenario similar to [4] was conducted. Trace acquisition was performed according to the setup illustrated in Figure 1. AES-128 was implemented on the Sakura-X FPGA board with a single-cycle-per-round architecture. Random plaintexts were generated on a computer and encrypted using a fixed 128-bit key. During encryption, the oscilloscope recorded the power consumption of the FPGA, while the corresponding ciphertexts were synchronized and stored on the computer. In total, 30,000 power traces were collected for the analysis.

After trace acquisition, a Correlation Power Analysis (CPA) [76,77] targeting the last round of AES was performed. For each key byte, hypotheses were generated using the Hamming distance power model, and the correlation coefficient between the hypothetical power values and the measured traces was computed. The correct key value was identified when its correlation clearly exceeded that of other hypotheses.

The evaluation considered two scenarios: AES with the standard Rijndael S-Box, and AES with the proposed S-Box.

• With the AES S-Box, approximately 9000 traces were sufficient to recover 14 out of 16 key bytes, with the most difficult byte requiring about 11,000 traces.
• With the proposed S-Box, around 12,000 traces were necessary to recover 12 out of 16 key bytes. The proposed S-Box required up to 17,000 traces to recover all key bytes, with Byte 5 being the hardest (17,000 traces) and Byte 9 the easiest (9000 traces).

Figure 2 shows the correlation coefficient for recovering key Byte 5, where the correct key is revealed by the peak value. Figure 3 illustrates how the correlation evolves with the number of traces. Since other bytes exhibited similar behavior, only representative results are presented here.

As illustrated in Figure 4, the proposed S-Box requires more traces than the AES S-Box for successful key recovery. This suggests a marginal improvement in resistance to CPA; however, the difference remains insignificant in the unprotected evaluation setting. Overall, the results indicate that both S-Boxes exhibit comparable levels of side-channel resistance in practice.

6. Implementation

After selecting a representative configuration with four identical 4 × 4 S-Boxes that achieves both optimal nonlinearity and minimal implementation cost in the previous section, this section provides a detailed description of the hardware implementation in order to evaluate resource utilization. Since the 4 × 4 S-Box and the multiplication over $GF\left(2^4\right)$ are fundamental building blocks, the estimation of hardware cost is straightforward. According to Equations (5) and (6), the proposed architecture can be implemented with two 4 × 4 S-Box blocks, two multiplications in $GF\left(2^4\right)$, and two 2:1 multiplexers (each with 4-bit inputs). The overall hardware design is illustrated in Figure 5. In this figure, the two 4 × 4 S-Boxes are placed separately to compute output. However, to optimize resource usage, in practical implementation, a single S-Box circuit can be reused sequentially for both computations through appropriate scheduling. In this way, the overall architecture not only reflects the algebraic definitions accurately, but also achieves high efficiency in terms of hardware resource consumption.

Table 14. Logic gate utilization comparison of the proposed S-Box with prior designs.

Studies	XOR/XNOR	NAND/NOR	AND	OR	NOT	MUX21	GE (*)
[43]	76	56	0	0	0	0	208.00
[44]	107	10	38	7	5	8	301.75
[78]	91	36	0	0	0	0	218.00
[79]	87	0	54	0	0	0	241.50
[80]	79	41	0	0	0	0	199.00
[43]	57	80	0	0	0	0	194.00
[81]	154	0	36	0	0	8	369.00
[82]	64	23	4	0	0	6	168.00
[83]	90	0	79	28	29	0	342.25
Proposed S-Box	43	0	39	6	0	8	159.75

* GE estimation: XOR/XNOR = 2, AND = 1.25, OR = 1.5, NAND/NOR = 1, NOT = 0.75, and MUX21 = 2 (based on STM 65nm parameters [80]).

presents a benchmark of the logic gate utilization for the proposed S-Box in comparison with several other established designs. The proposed structure is composed of 43 XOR/XNOR gates, 39 AND gates, 6 OR gates, and 8 multiplexers ($2\times 4$ MUX21), while entirely avoiding NAND, NOR, and NOT gates. This configuration results in a compact circuit with moderate overall complexity.

Among these components, XOR gates are generally regarded as the most resource demanding in terms of hardware cost. The proposed S-Box achieves a significant reduction in XOR usage compared to most prior works. For instance, Zhang [81] reports 154 XOR gates, Canright [78] 91 XOR gates, and Rashidi [43] 57 XOR gates, whereas our design only employs 43 XOR gates. This reduction is particularly important for hardware implementations, as it directly translates into a lower area and power consumption.

The normalized hardware cost, expressed in Gate Equivalents (GE) based on STM 65 nm technology parameters [80], further highlights the efficiency of the proposed design. The GE count of the proposed S-Box is calculated to be 159.75, which is smaller than most of the compared studies, including Canright (218.00 GE), Zhang (369.00 GE), and Kuznyechik (342.25 GE). Compared with the most efficient prior design by Maximov (168.00 GE), the proposed S-Box achieves a modest improvement, reducing the GE count by about 8.25. The results indicate that the proposed S-Box exhibits lower hardware resource consumption compared to most existing designs. While the main focus of this study lies in optimizing nonlinearity, the proposed S-Box simultaneously achieves improvements in hardware efficiency.

Overall, these results confirm that the proposed S-Box achieves an attractive balance between low gate complexity and strong cryptographic criteria. The significant reduction in XOR gates and the smallest GE count among all compared implementations highlight its suitability for resource-constrained environments, such as embedded systems and lightweight cryptographic applications.

7. Conclusions

This paper presents a novel method for constructing 8 × 8 S-Boxes from smaller $4\times 4$ components, representing a significant advance in cryptographic design. Key findings and contributions are as follows.

• Optimal Nonlinearity: Each coordinate-balanced Boolean function of the proposed S-Box achieves the optimal nonlinearity of 116, representing the highest possible value for 8-variable Boolean functions. However, the overall S-Box attains a nonlinearity of 108, which is slightly below the optimal value of 112 but still considered high and satisfactory for secure cryptographic design. Furthermore, the proposed method is also capable of generating S-Boxes optimized for algebraic immunity; however, in this work, the focus has been placed on achieving better hardware efficiency for practical implementation.
• Comprehensive Security: Beyond optimal nonlinearity, the S-Boxes also satisfy other key cryptographic criteria, including the Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), Differential Approximation Probability (DAP), and Linear Approximation Probability (LAP), all reaching satisfactory levels.
• Proven Robustness and Efficiency: Practical evaluations show that these S-Boxes are highly resilient. They offer side-channel attack resistance comparable to the AES S-Box and are designed for efficient hardware implementation, making them suitable for resource-constrained systems.

In summary, this research presents a significant advancement by introducing a new S-Box construction method that satisfies both theoretical cryptographic criteria and hardware efficiency requirements, making it well suited for practical implementation in modern block ciphers and data protection systems. In the future, we intend to enhance this research by refining the proposed approach and employing machine learning methods to support more advanced S-Box construction.