Constructing 8 × 8 S-Boxes with Optimal Boolean Function Nonlinearity

Response to Reviewer 1 Comments

1. Summary

Thank you very much for taking the time to carefully review this manuscript. We sincerely appreciate your valuable feedback. We have thoroughly addressed each of your comments and provided detailed responses below. The corresponding highlighted changes can be found in the re-submitted files. We hope that our revisions meet your expectations and further enhance the quality of this article.

2. Point-by-point response to Comments and Suggestions for Authors

Comments 1: The abstract needs to be more informative. It is recommended that authors briefly outline the S-Box generation technique in one to two lines to convince the reader to understand the concepts. In addition, the authors should also include the results of side channel attack and key cryptographic metrics beyond the nonlinearity, to reflect the importance of the study.

Response 1: Thank you for your suggestion.

We have revised the abstract to include a brief description of the S-box generation technique and the results of side-channel attack analysis.

The side-channel attack metrics related to DPA are detailed in Table 11, while the results of the practical CPA attack have been added in Figures 1, 2 and 3.

Our main focus is on optimizing the nonlinearity of the Boolean functions. As shown in the comparison table, the other cryptographic parameters remain strong, although not always the best possible, since it is difficult to optimize all criteria simultaneously—improving one parameter often affects others. In addition, the Algebraic Complexity (AC) metric has been evaluated as per your recommendation (in a later comment).

These changes are highlighted in yellow in the revised manuscript.

Comments 2: The authors mentioned the use of an elliptic curve in the related work section, specifically in relation to S-Box construction. In that regard, the authors may include papers related to S-box generation based on elliptic curves, isomorphisms of elliptic curves, ordered elliptic curves, elliptic curves over rings to enrich their Introduction section.

Response 2:

Thank you for your suggestion. We have added the following references in the Introduction section as recommended.

[7] Alali, A.S.; Ali, R.; Jamil, M.K.; Ali, J.; Gulraiz. Dynamic S-Box Construction Using Mordell Elliptic Curves over Galois Field and Its Applications in Image Encryption. Mathematics 2024, 12, 587. https://doi.org/10.3390/math12040587.

[53] Khan, M.A.M.; Azam, N.A.; Hayat, U.; Kamarulhaili, H. A novel deterministic substitution box generator over elliptic curves for real-time applications. Journal of King Saud University - Computer and Information Sciences 2023, 35, 219–236.

https://doi.org/10.1016/j.jksuci.2022.11.012. 508.

[54] Khalid, I.; Jamal, S.S.; Shah, T.; Shah, D.; Hazzazi, M.M. A Novel Scheme of Image Encryption Based on Elliptic Curves Isomorphism and Substitution Boxes. IEEE Access 2021, 9, 77798–77810.

https://doi.org/10.1109/ACCESS.2021.3083151.

[55] Hayat, U.; Azam, N.A.; Gallegos-Ruiz, H.R.; Naz, S.; Batool, L. A Truly Dynamic Substitution Box Generator for Block Ciphers Based on Elliptic Curves Over Finite Rings. Arabian Journal for Science and Engineering 2021, 46, 8887–8899.

https://doi.org/10.1007/s13369-021-05666-9.

These clarifications have been added to Section 2, and Reference section in the revised manuscript. (highlighted in yellow).

Comments 3: It would be great if authors include a flowchart or pseudocode of the proposed S-Box generator, which would greatly improve the clarity and make it easier to follow the methodology.

Response 3: We have detailed Algorithm 1 in the manuscript and included the Python code used to produce the results.

You can select the values of SA, SB, SC, SD and the choice of irreducible polynomials to generate and print the results.

Because we previously provided a self-built .exe executable, it may have been flagged by security software. Please revisit the link and run the Python file to see the full, detailed evaluation of our S-box analysis.

Here is the full code for generating S-boxes; you can select different parameter sets and polynomials to reproduce our results (Sboxgenaration.py). The detailed evaluation program is provided in toolsbox.py. If you do not have Python installed, you can simply copy the code into an online tool such as https://www.online-python.com/  to run it and obtain the results.

# defined_sboxes1: S-boxes for f1(x) = x^4 + x + 1
defined_sboxes1 = [
 [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], # Identity mapping (no XOR)
 [0, 1, 4, 5, 3, 2, 7, 6, 12, 13, 8, 9, 15, 14, 11, 10], # 2 XOR gates
 [0, 1, 3, 2, 5, 4, 6, 7, 15, 14, 12, 13, 10, 11, 9, 8], # 5 XOR gates
 [0, 1, 11, 13, 9, 14, 6, 7, 12, 5, 8, 3, 15, 2, 4, 10], # Complexity (27,24)
 [0, 1, 5, 4, 2, 3, 7, 6, 10, 11, 15, 14, 8, 9, 13, 12], # 2 XOR gates
 [0, 1, 14, 9, 11, 13, 7, 6, 8, 3, 10, 4, 12, 5, 2, 15], # Complexity (30,26)
 [0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12], # Complexity (28,26)
 [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8], # Complexity (22,23)
]

# defined_sboxes2: S-boxes for f2(x) = x^4 + x^3 + 1
defined_sboxes2 = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], # Identity mapping
    [0, 1, 4, 5, 9, 8, 13, 12, 15, 14, 11, 10, 6, 7, 2, 3], # 4 XOR gates
    [0, 1, 9, 8, 14, 15, 7, 6, 3, 2, 10, 11, 13, 12, 4, 5], # 4 XOR gates
    [0, 1, 7, 5, 12, 8, 2, 9, 15, 6, 10, 11, 14, 4, 13, 3], # Complexity (33,28)
    [0, 1, 14, 15, 2, 3, 12, 13, 5, 4, 11, 10, 7, 6, 9, 8], # 3 XOR gates
    [0, 1, 13, 3, 7, 5, 14, 4, 8, 12, 11, 10, 9, 2, 6, 15], # Complexity (30,26)
    [0, 1, 6, 15, 13, 3, 9, 2, 5, 7, 10, 11, 4, 14, 12, 8], # Complexity (34,27)
    [0, 1, 12, 8, 6, 15, 4, 14, 3, 13, 11, 10, 2, 9, 7, 5], # Complexity (32,26)
]

# defined_sboxes3: S-boxes for f3(x) = x^4 + x^3 + x^2 + x + 1
defined_sboxes3 = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], # Identity mapping
    [0, 1, 4, 5, 15, 14, 11, 10, 2, 3, 6, 7, 13, 12, 9, 8],
    [0, 1, 15, 14, 8, 9, 7, 6, 4, 5, 11, 10, 12, 13, 3, 2],
    [0, 1, 4, 7, 15, 10, 3, 14, 2, 11, 9, 5, 12, 13, 6, 8],
    [0, 1, 8, 9, 2, 3, 10, 11, 15, 14, 7, 6, 13, 12, 5, 4],
    [0, 1, 2, 11, 4, 7, 9, 5, 8, 6, 14, 3, 13, 12, 10, 15],
    [0, 1, 8, 6, 2, 11, 14, 3, 15, 10, 5, 9, 12, 13, 7, 4],
    [0, 1, 15, 10, 8, 6, 5, 9, 4, 7, 3, 14, 13, 12, 11, 2],
]

# Select S-boxes for the construction
S1 = defined_sboxes1[7]
S2 = defined_sboxes1[7]
S3 = defined_sboxes1[7]
S4 = defined_sboxes1[7]

# Multiplication in GF(16) with irreducible polynomial x^4 + x + 1 (0b10011)
def gf16_mul(a, b):
    """Multiply two 4-bit numbers in GF(2^4)."""
    result = 0
    for _ in range(4):
        if b & 1:
            result ^= a  # XOR if the lowest bit of b is 1
        b >>= 1  # Shift b to the right
        a <<= 1  # Shift a to the left
        # If overflow occurs (5th bit set), reduce with the polynomial
        if a & 0b10000:
            a ^= 0b10011
    return result & 0b1111  # Keep only 4 bits

def calculate_sbox():
    """Construct an 8×8 S-box from the selected 4-bit S-boxes."""
    sbox = []
    for x in range(256):
        # Split input x into two 4-bit parts
        x_i = (x >> 4) & 0xF  # High 4 bits
        y_i = x & 0xF         # Low 4 bits

        # Compute x_o
        if x_i != 0:
            x_o = gf16_mul(S1[y_i], x_i)  # Multiplication in GF(16)
        else:
            x_o = S2[y_i]

        # Compute y_o
        if x_o != 0:
            y_o = S3[gf16_mul(x_i, x_o)]
        else:
            y_o = S4[x_i]

        # Combine x_o and y_o into one 8-bit output
        y = (x_o << 4) | y_o
        y ^= 1  # Final XOR with 1 for additional transformation
        sbox.append(y)

    return sbox

# Compute the final S-box
SBOX = calculate_sbox()

# Print the S-box in hex format
print("MDPISBOX = [")
for i in range(0, len(SBOX), 16):
    row = ", ".join(f"0x{val:02X}" for val in SBOX[i:i+16])
    print(f"  {row},")
print("]")

Comments 4: The authors are encouraged to apply algebraic complexity (AC) analysis to the generated S-Box to test its resistance against algebraic attacks and compare the results with those in recent publications.

Response 4: Thank you for your suggestion.

Regarding this parameter, there are several different approaches to calculation depending on the construction of the polynomial. We developed a program to compute it and found that the results do not vary significantly across different S-boxes, with little distinction to include in the comparison table—similar to the case where the algebraic degree is uniformly 7. Nevertheless, we have added a note about this in the manuscript. The detailed computation program is also provided in the file AC.py in the link.

MDPISBOX = [
0x01, 0x11, 0x91, 0xE1, 0xD1, 0xB1, 0x71, 0x61, 0xF1, 0x21, 0xC1, 0x51, 0xA1, 0x41, 0x31, 0x81, 0x00, 0x10, 0x93, 0xE2, 0xD5, 0xB4, 0x77, 0x66, 0xF9, 0x28, 0xCB, 0x5A, 0xAD, 0x4C, 0x3F, 0x8E, 0x08, 0x2C, 0x18, 0xF5, 0x90, 0x5D, 0xE9, 0xC4, 0xD3, 0x4E, 0xBA, 0xA7, 0x72, 0x8F, 0x6B, 0x36,0x0F, 0x3A, 0x84, 0x1F, 0x4B, 0xE0, 0x9E, 0xA5, 0x26, 0x6D, 0x73, 0xF8, 0xDC, 0xC7, 0x59, 0xB2,0x0C, 0x4F, 0x2E, 0xD0, 0x1C, 0xA2, 0xF3, 0xBD, 0x98, 0x86, 0x57, 0x79, 0xE5, 0x3B, 0xCA, 0x64, 0x0A, 0x58, 0xB0, 0x39, 0xC3, 0x1A, 0x82, 0xDB, 0x65, 0xAC, 0x94, 0x2D, 0x47, 0x7E, 0xF6, 0xEF, 0x06, 0x67, 0x3D, 0x2B, 0x8A, 0xFC, 0x16, 0x70, 0x44, 0xC2, 0xE8, 0xDE, 0x9F, 0xB9, 0xA3, 0x55, 0x07, 0x76, 0xAF, 0xC8, 0x5E, 0x49, 0x60, 0x17, 0xBC, 0xEB, 0x22, 0x85, 0x33, 0xF4, 0x9D, 0xDA, 0x0E, 0x8B, 0x46, 0x9C, 0x2F, 0x75, 0xD8, 0x52, 0x1E, 0x34, 0xA9, 0xE3, 0xF0, 0x6A, 0xB7, 0xCD, 0x03, 0x95, 0xD9, 0x7D, 0xF2, 0xC6, 0xAA, 0x3E, 0xE7, 0x13, 0x6F, 0xBB, 0x54, 0x20, 0x8C, 0x48, 0x0D, 0xAE, 0x5C, 0x63, 0xB8, 0x27, 0x35, 0x9A, 0xC0, 0x7F, 0x1D, 0x42, 0x89, 0xE6, 0xD4, 0xFB, 0x04, 0xB3, 0xC5, 0x87, 0x69, 0x9B, 0x4D, 0xFF, 0x32, 0x50, 0xD6, 0x14, 0x2A, 0xA8, 0xEE, 0x7C,0x0B, 0xC9, 0x62, 0x4A, 0x37, 0xDF, 0x24, 0xEC, 0x8D, 0xB5, 0xFE, 0x96, 0x1B, 0x53, 0x78, 0xA0, 0x05, 0xD2, 0xF7, 0xA4, 0xED, 0x6E, 0x5B, 0x88, 0x7A, 0x99, 0x3C, 0xCF, 0xB6, 0x15, 0x40, 0x23,  0x02, 0xE4, 0x7B, 0xBE, 0xA6, 0x83, 0xCC, 0x29, 0x5F, 0xFA, 0x45, 0x30, 0x68, 0xDD, 0x12, 0x97, 0x09, 0xFD, 0xEA, 0x56, 0x74, 0x38, 0xBF, 0x43, 0xAB, 0xD7, 0x80, 0x6C, 0xCE, 0x92, 0x25, 0x19]
from typing import List, Tuple, Optional, Callable

# ------------------- Config -------------------
MOD_POLY = 0x11B   # AES polynomial (change to 0x11D to compare)
USE_AES_DEFAULT = True
# ------------------- Helpers: GF(2^8) -------------------
def gf_mul(a: int, b: int, mod: int = MOD_POLY) -> int:
    a &= 0xFF; b &= 0xFF
    res = 0
    red = mod & 0xFF
    for _ in range(8):
        if b & 1:
            res ^= a
        b >>= 1
        carry = a & 0x80
        a = ((a << 1) & 0xFF)
        if carry:
            a ^= red
    return res

def gf_pow(a: int, e: int, mod: int = MOD_POLY) -> int:
    a &= 0xFF
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod)
        a = gf_mul(a, a, mod)
        e >>= 1
    return r

def gf_inv(a: int, mod: int = MOD_POLY) -> int:
    if a == 0:
        raise ZeroDivisionError("No inverse for 0 in GF(2^8)")
    return gf_pow(a, 254, mod)  # |GF(2^8)^*| = 255

def poly_eval_coeffs(coeffs: List[int], x: int, mod: int = MOD_POLY) -> int:
    # Horner over GF(2^8)
    acc = 0
    for i in reversed(range(len(coeffs))):
        acc = gf_mul(acc, x, mod) ^ (coeffs[i] & 0xFF)
    return acc & 0xFF

# ------------------- Interpolation (univariate) -------------------
def collect_samples(sbox: List[int]) -> Tuple[List[int], List[int]]:
    if len(sbox) != 256:
        raise ValueError("SBOX must have 256 entries.")
    for v in sbox:
        if not (0 <= v <= 255):
            raise ValueError("SBOX values must be in [0..255].")
    xs = list(range(256))
    ys = sbox[:]
    return xs, ys

def solve_vandermonde(xs: List[int], ys: List[int], mod_poly: int = MOD_POLY) -> List[int]:
    n = 256
    # Build Vandermonde V and RHS y
    V = [[0]*n for _ in range(n)]
    y = ys[:]

    for r, x in enumerate(xs):
        V[r][0] = 1
        if x == 0:
            for c in range(1, n): V[r][c] = 0
        else:
            p = 1
            for c in range(1, n):
                p = gf_mul(p, x, mod_poly)
                V[r][c] = p
    # Gauss–Jordan elimination in GF(2^8)
    row = 0
    for col in range(n):
        piv = None
        for r in range(row, n):
            if V[r][col] != 0:
                piv = r; break
        if piv is None:
            continue
        if piv != row:
            V[row], V[piv] = V[piv], V[row]
            y[row], y[piv] = y[piv], y[row]
        inv = gf_inv(V[row][col], mod_poly)
        for c in range(col, n):
            V[row][c] = gf_mul(V[row][c], inv, mod_poly)
        y[row] = gf_mul(y[row], inv, mod_poly)
        for r in range(n):
            if r == row: continue
            f = V[r][col]
            if f:
                for c in range(col, n):
                    V[r][c] ^= gf_mul(f, V[row][c], mod_poly)
                y[r] ^= gf_mul(f, y[row], mod_poly)
        row += 1
        if row == n: break

    a = [v & 0xFF for v in y]  # coefficients a0..a255
    return a

def ac_univariate(sbox: List[int], mod_poly: int = MOD_POLY) -> Tuple[int,int,bool,List[int]]:
    xs, ys = collect_samples(sbox)
    coeffs = solve_vandermonde(xs, ys, mod_poly)
    ac_incl_a0 = sum(1 for c in coeffs if c != 0)
    ac_excl_a0 = sum(1 for c in coeffs[1:] if c != 0)
    # verify
    ok = True
    for x in range(256):
        if poly_eval_coeffs(coeffs, x, mod_poly) != ys[x]:
            ok = False; break
    return ac_excl_a0, ac_incl_a0, ok, coeffs

# ------------------- ANF (Boolean) -------------------
def bit(x: int, i: int) -> int:
    return (x >> i) & 1

def anf_coefficients(truth_table: List[int]) -> List[int]:
    # Möbius transform (in-place variant on a copy)
    coeffs = truth_table[:]
    n = 8
    for i in range(n):
        step = 1 << i
        for j in range(256):
            if (j & step) != 0:
                coeffs[j] ^= coeffs[j ^ step]
    return coeffs

def ac_anf(sbox: List[int]):
    if len(sbox) != 256:
        raise ValueError("SBOX must have 256 entries.")
    total_terms = 0
    max_degree = 0
    terms_per_bit = []
    deg_per_bit = []

    for out_bit in range(8):
        tt = [bit(sbox[x], out_bit) for x in range(256)]
        coeffs = anf_coefficients(tt)
        cnt = sum(coeffs)
        terms_per_bit.append(cnt)
        total_terms += cnt
        deg = 0
        for u, c in enumerate(coeffs):
            if c:
                w = (u & 0xFF).bit_count()
                if w > deg:
                    deg = w
        deg_per_bit.append(deg)
        if deg > max_degree:
            max_degree = deg

    return total_terms, terms_per_bit, max_degree, deg_per_bit
# ------------------- Main -------------------
def main():
    # ====== INPUT SBOX ======
    if USE_AES_DEFAULT:
        SBOX = MDPISBOX     # dùng AES mặc định
    else:
         SBOX = [i for i in range(256)]
    # ----- (A) AC_univariate over GF(2^8) -----
    ac_excl_a0, ac_incl_a0, ok, coeffs = ac_univariate(SBOX, MOD_POLY)
    # ----- (B) AC_ANF (Boolean) -----
    total_terms, terms_per_bit, max_deg, deg_bits = ac_anf(SBOX)
    # ----- Print -----
    print("========== INPUT ==========")
    print(f"Using AES S-box: {USE_AES_DEFAULT}")
    print(f"GF(2^8) modulus: 0x{MOD_POLY:03X}")
    print("========== AC (univariate over GF(2^8)) ==========")
    print(f"AC  {ac_incl_a0} ")
    print(f"Interpolation verification: {'OK' if ok else 'FAILED'}")
    print("========== AC (ANF / Boolean) ==========")
    print(f"Total ANF terms (8 bits): {total_terms}")
    print(f"Terms per output bit   : {terms_per_bit}")
    print(f"Max algebraic degree   : {max_deg}")
    print(f"Degree per output bit  : {deg_bits}")
if __name__ == "__main__":
    main()

Comments 5: It is commendable that the authors applied side-channel attacks to the proposed S-Box and compared the results with existing S-Boxes. However, a brief discussion is provided, and it is suggested that the discussion of side-channel attacks be included in detail. Moreover, the comparison could be strengthened by emphasizing where the proposed S-box outperforms existing S-Boxes, as well as highlighting its weaknesses.

Response 4: Thank you for your comment.

As mentioned in our response to Comment 1 above, we have added the practical side-channel attack results. Regarding this issue, when comparing under the same unprotected mode, most S-boxes tend to be similar in terms of the required number of attack traces. We have also discussed this point in the manuscript.

The detailed explanations have been highlighted in blue in the side-channel attack section of the revised manuscript.

Comments 6: Consider including a discussion on the practical implications and potential applications of the proposed S-Box generator beyond hardware implementation.

Response 6:

We have added a discussion on how to select parameter sets to optimize other criteria such as Algebraic Immunity. For most S-boxes, this parameter typically has a value of 2, whereas with our proposed approach, it is possible to choose SA, SB, SC, and SD such that the AI reaches a value of 3.

SA = [0, 1, 14, 9, 11, 13, 7, 6, 8, 3, 10, 4, 12, 5, 2, 15]
SB = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]
SC = [0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12]
SD = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]

This addition has been highlighted at the end of Section 4.

Comments 7: The authors are encouraged to add a brief discussion in one to two lines on potential future research directions.

Response 7:

Thank you for your suggestion. We have briefly added this point in the Conclusion section (yellow highlight).

4. Additional clarifications

In addition to addressing the reviewers' comments, we would like to emphasize the contributions of this paper:

Ÿ   We achieved the highest nonlinearity of the coordinate Boolean functions for an S-Box compared to all previous studies, reaching 116, which is the maximum attainable so far. This demonstrates that our primary research objective has been fully achieved.

Ÿ   The proposed algorithm is capable of generating a large number of S-Boxes and allows for the selection of different parameter sets to optimize various optional S-Box criteria.

Ÿ   While the optimization was focused on nonlinearity, the remaining cryptographic criteria are not fully optimal. Nevertheless, when compared with other studies, these values remain within secure bounds and are competitive with state-of-the-art results.

The proposed S-Boxes were comprehensively evaluated with respect to mathematical properties, hardware implementation cost estimates, and side-channel resistance through practical experiments. This level of holistic evaluation is rarely provided in the literature on S-Boxes (readers may verify this by examining almost any prior work on S-Boxes).

Response to Reviewer 2 Comments

1. Summary

Thank you very much for taking the time to carefully review this manuscript. We sincerely appreciate your valuable feedback. We have thoroughly addressed each of your comments and provided detailed responses below. The corresponding highlighted changes can be found in the re-submitted files. We hope that our revisions meet your expectations and further enhance the quality of this article.

2. Point-by-point response to Comments and Suggestions for Authors

Comments 1:

The Substitution-box (S-box) of a block cipher is a crucial component in the security of the cipher. In particular, the nonlinearity of an S-box serves as an important indicator of its resistance to linear cryptanalysis, and employing S-boxes with higher nonlinearity is essential to achieve stronger security against such attacks. For implementation efficiency, block ciphers are often designed with block sizes of powers of two, among which 8-bit ciphers are the most widely adopted. Consequently, designing secure S-boxes suitable for use in 8-bit block ciphers has become an important research topic, and indeed, several related studies have been published in recent years.

In this paper, the authors propose an 8-bit S-box with a nonlinearity of 116, which reaches the theoretically achievable maximum. I have verified that the proposed S-box indeed achieves a nonlinearity of 116. This result improves upon the previous best-known nonlinearity of 114.5 obtained by earlier designs. While the proposed S-Box achieves optimal nonlinearity and strong cryptographic metrics, the design appears to be empirically driven rather than grounded in a formal mathematical framework. Nevertheless, the fact that the authors have successfully constructed an S-box that achieves the theoretically maximal nonlinearity is meaningful in itself and, in my view, warrants publication. Therefore, I recommend the acceptance of this paper for publication in Cryptography.

Response 1:

Thank you for your positive evaluation of our work. We are grateful that you recognized the focus of our research on optimizing the nonlinearity of Boolean functions and acknowledged the correctness of our results. Your confirmation of our main findings encourages us greatly.

Comments 2:

Each DOI link in references does correctly redirect to the intended article, but I recommend that the authors correct the formatting of the DOI links in the references, where some entries contain a duplicated https://doi.org/ prefix.( references 5,6,7,15,16,25,26,27,29,43,64,65,69,72,74,76 etc.

Response 2: Thank you for this comment.

Thank you very much for pointing out these minor formatting issues. We have corrected all duplicated DOI entries in the updated version of the manuscript. The modifications can be found in the revised References section (highlighted in green). (highlighted in green).

3. Additional clarifications

As requested by other reviewers, we have also provided the full Python code as supplementary material, which allows analysis for any given S-box. The new revision mainly focuses on clarifying the results according to reviewers’ comments. The methodology and the main contributions remain unchanged.

Once again, we sincerely thank you for your careful reading and supportive evaluation of our work.

Response to Reviewer 3 Comments

1. Summary

Thank you very much for taking the time to carefully review this manuscript. We sincerely appreciate your valuable feedback. We have thoroughly addressed each of your comments and provided detailed responses below. The corresponding highlighted changes can be found in the re-submitted files. We hope that our revisions meet your expectations and further enhance the quality of this article.

2. Point-by-point response to Comments and Suggestions for Authors

Comments 1: The authors claim to construct 8×8 S-boxes achieving nonlinearity 116, the theoretical maximum for balanced Boolean functions. Independent analysis reveals significant discrepancies between claimed and actual cryptographic properties.

Major Issues

Misleading Nonlinearity Claims

The paper claims nonlinearity 116 based on averaging coordinate functions. This methodology is cryptographically meaningless. True nonlinearity must be measured across all 255 non-zero linear combinations of coordinate functions.

Actual results:

- Claimed nonlinearity: 116

- Actual nonlinearity: 108

- Maximum linear approximation probability: 20/256 = 0.078

The LAP value of 0.078 reported in Table 10 contradicts the nonlinearity claim of 116.

Response 1: Thank you for your comments..

First of all, we would like to emphasize that the nonlinearity results reported in our paper are entirely correct. The main focus of our work is the optimization of the nonlinearity of the coordinate Boolean functions of the S-box.

While some studies do use the method of calculating nonlinearity that you mentioned, it is important that comparisons are made fairly, under the same formulas and calculation methods.

To clarify this issue, we will provide a detailed explanation of our calculation approach along with the results we obtained for comparison. It should be noted that the studies we referenced are all very recent, from 2023 to 2025. In addition, many earlier works have also calculated and compared nonlinearity based on this same approach.

Please see in detail the way we calculate nonlinearity, which we have quoted verbatim from the most recent studies published by different publishers.

[6] Baowidan, S.A.; Alamer, A.; Hassan, M.; Yousaf, A. Group-Action-Based S-box Generation Technique for Enhanced Block Cipher Security and Robust Image Encryption Scheme. Symmetry 2024, 16. https://doi.org/10.3390/sym16080954.

[7] Alali, A.S.; Ali, R.; Jamil, M.K.; Ali, J.; Gulraiz. Dynamic S-Box Construction Using Mordell Elliptic Curves over Galois Field and Its Applications in Image Encryption. Mathematics 2024, 12. https://doi.org/https: //doi.org/10.3390/math12040587.

[8] Aribilola, I.; Lee, B.; Naveed Asghar, M. M¨obius Transformation and PermutationBasedS-BoxtoEnhanceIoT Multimedia Security. IEEE Access 2024, 12, 140792–140808. https://doi.org/10.1109/ACCESS.2024.3466930.

[20] Alabduallah, B.; Banga, A.; Iqbal, N.; Ikram, A.; Diab, H. Advancing Cryptographic Security With a New Delannoy-Derived Chaotic S-Box. IEEE Access 2024, 12, 82926–82937. https://doi.org/10.1109/ACCESS.20 24.3410668.

[25] Corona-Berm´udez, E.; Chimal-Egu´ıa, J.C.; Corona-Berm´udez, U.; Rivero- ´ Angeles, M.E. Chaos Meets Cryptography: Developing an S-Box Design with the R¨ossler Attractor. Mathematics 2023, 11. https: //doi.org/https://doi.org/10.3390/math11224575.

[29] Waheed, A.; Subhan, F.; Mohd Su’ud, M.; Mansoor Alam, M. Molding robust S-box design based on linear fractional transformation and multilayer Perceptron: Applications to multimedia security. Egyptian Informatics Journal 2024, 26, 100480.

https://doi.org/10.1016/j.eij.2024.100480.

[32] Hazzazi, M.M.; Baowidan, S.A.; Yousaf, A.; Adeel, M. An Innovative Algorithm Based on Chaotic Maps Amalgamated with Bit-Level Permutations for Robust S-Box Construction and Its Application in Medical Image Privacy. Symmetry 2024, 16.

https://doi.org/10.3390/sym16081070.

[33] Malik,D.S.; Shah, T.; Tehsin, S.; Nasir, I.M.; Fitriyani, N.L.; Syafrudin, M. Block Cipher Nonlinear Component Generation via Hybrid Pseudo-Random Binary Sequence for Image Encryption. Mathematics 2024, 12. https://doi.org/10.3390/math12152302.

[36] A. I. Lawah, A. A. Ibrahim, S. Q. Salih, H. S. Alhadawi and P. S. JosephNg, "Grey Wolf Optimizer and Discrete Chaotic Map for Substitution Boxes Design and Optimization," in IEEE Access, vol. 11, pp. 42416-42430, 2023, doi: 10.1109/ACCESS.2023.3266290.

[56] Zhang, L.; Ma, C.; Zhao, Y.; Zhao, W. A Novel Dynamic S-Box Generation Scheme Based on Quantum Random Walks Controlled by a Hyper-Chaotic Map. Mathematics 2024, 12. https://doi.org/10.3390/math1 2010084.

[69] Alqahtani, J.; Akram, M.; Ali, G.A.; Iqbal, N.; Alqahtani, A.; Alroobaea, R. Elevating Network Security: A Novel S-Box Algorithm for Robust Data Encryption. IEEE Access 2024, 12, 2123–2134. https://doi.org/10.1 109/ACCESS.2023.3348144.

Comments 2: Algebraic Structure Concerns

The proposed S-box exhibits algebraic immunity of 2, identical to AES. This severely limits resistance to algebraic attacks. The construction method using GF(2⁴) multiplication inherently produces algebraic structures. Critical omission: No algebraic immunity analysis is provided despite using algebraic construction methods.

Response 2: Thank you for your comment.

We are fully capable of evaluating this metric, but the S-boxes used for comparison all have a value of 2. Therefore, we have added a note about this in the manuscript.

It should be noted that we provide a wide range of S-boxes. In the paper, the chosen instance was optimized for the nonlinearity of the Boolean functions while prioritizing minimal resource usage. However, if the goal is to optimize Algebraic Immunity (AI), it is entirely possible to substitute different parameter sets in the algorithm, achieving AI = 3, which is better than AES with only 2.

We have included in the manuscript the selected set of 4×4 S-Boxes used to construct 8×8 S-Boxes optimized for the algebraic immunity (AI) criterion. Please see the highlighted yellow section at the end of Section 4.

The detailed code is provided below. If you don't have Python installed, you can go to the following website, paste the code there, and run it to see the results: online-python.com.

# Select S-boxes for the construction
SA = [0, 1, 14, 9, 11, 13, 7, 6, 8, 3, 10, 4, 12, 5, 2, 15]
SB = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]
SC = [0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12]
SD = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]

# Multiplication in GF(16) with irreducible polynomial x^4 + x + 1 (0b10011)
def gf16_mul(a, b):
    """Multiply two 4-bit numbers in GF(2^4)."""
    result = 0
    for _ in range(4):
        if b & 1:
            result ^= a  # XOR if the lowest bit of b is 1
        b >>= 1  # Shift b to the right
        a <<= 1  # Shift a to the left
        # If overflow occurs (5th bit set), reduce with the polynomial
        if a & 0b10000:
            a ^= 0b10011
    return result & 0b1111  # Keep only 4 bits

def calculate_sbox():
    """Construct an 8×8 S-box from the selected 4-bit S-boxes."""
    sbox = []
    for x in range(256):
        # Split input x into two 4-bit parts
        x_i = (x >> 4) & 0xF  # High 4 bits
        y_i = x & 0xF         # Low 4 bits
        # Compute x_o
        if x_i != 0:
            x_o = gf16_mul(SA[y_i], x_i)  # Multiplication in GF(16)
        else:
            x_o = SB[y_i]
        # Compute y_o
        if x_o != 0:
            y_o = SC[gf16_mul(x_i, x_o)]
        else:
            y_o = SD[x_i]
        # Combine x_o and y_o into one 8-bit output
        y = (x_o << 4) | y_o
        y ^= 1  # Final XOR with 1 for additional transformation
        sbox.append(y)
    return sbox
# Compute the final S-box
SBOX = calculate_sbox()
# Print the S-box in hex format
print("MDPISBOX = [")
for i in range(0, len(SBOX), 16):
    row = ", ".join(f"0x{val:02X}" for val in SBOX[i:i+16])
    print(f"  {row},")
print("]")

And here is the code for evaluating AI.

# # Algebraic Immunity for 8x8 S-boxes — BOTH notions:
# #   (A) AI_comp(S):  min_a AI(<a,S>)    [component algebraic immunity]
# #   (B) AI_gr(S):    min d: ∃ g(x,y)≠0, deg(g)≤d, g(x,S(x))=0  [graph AI]

# # ----------------------- INPUT S-BOX ----------------------
#AI=2 , in paper
MDPISBOX = [
   0x01, 0x11, 0x91, 0xE1, 0xD1, 0xB1, 0x71, 0x61, 0xF1, 0x21, 0xC1, 0x51, 0xA1, 0x41, 0x31, 0x81,
   0x00, 0x10, 0x93, 0xE2, 0xD5, 0xB4, 0x77, 0x66, 0xF9, 0x28, 0xCB, 0x5A, 0xAD, 0x4C, 0x3F, 0x8E,
   0x08, 0x2C, 0x18, 0xF5, 0x90, 0x5D, 0xE9, 0xC4, 0xD3, 0x4E, 0xBA, 0xA7, 0x72, 0x8F, 0x6B, 0x36,
   0x0F, 0x3A, 0x84, 0x1F, 0x4B, 0xE0, 0x9E, 0xA5, 0x26, 0x6D, 0x73, 0xF8, 0xDC, 0xC7, 0x59, 0xB2,
   0x0C, 0x4F, 0x2E, 0xD0, 0x1C, 0xA2, 0xF3, 0xBD, 0x98, 0x86, 0x57, 0x79, 0xE5, 0x3B, 0xCA, 0x64,
   0x0A, 0x58, 0xB0, 0x39, 0xC3, 0x1A, 0x82, 0xDB, 0x65, 0xAC, 0x94, 0x2D, 0x47, 0x7E, 0xF6, 0xEF,
   0x06, 0x67, 0x3D, 0x2B, 0x8A, 0xFC, 0x16, 0x70, 0x44, 0xC2, 0xE8, 0xDE, 0x9F, 0xB9, 0xA3, 0x55,
   0x07, 0x76, 0xAF, 0xC8, 0x5E, 0x49, 0x60, 0x17, 0xBC, 0xEB, 0x22, 0x85, 0x33, 0xF4, 0x9D, 0xDA,
   0x0E, 0x8B, 0x46, 0x9C, 0x2F, 0x75, 0xD8, 0x52, 0x1E, 0x34, 0xA9, 0xE3, 0xF0, 0x6A, 0xB7, 0xCD,
   0x03, 0x95, 0xD9, 0x7D, 0xF2, 0xC6, 0xAA, 0x3E, 0xE7, 0x13, 0x6F, 0xBB, 0x54, 0x20, 0x8C, 0x48,
   0x0D, 0xAE, 0x5C, 0x63, 0xB8, 0x27, 0x35, 0x9A, 0xC0, 0x7F, 0x1D, 0x42, 0x89, 0xE6, 0xD4, 0xFB,
   0x04, 0xB3, 0xC5, 0x87, 0x69, 0x9B, 0x4D, 0xFF, 0x32, 0x50, 0xD6, 0x14, 0x2A, 0xA8, 0xEE, 0x7C,
   0x0B, 0xC9, 0x62, 0x4A, 0x37, 0xDF, 0x24, 0xEC, 0x8D, 0xB5, 0xFE, 0x96, 0x1B, 0x53, 0x78, 0xA0,
   0x05, 0xD2, 0xF7, 0xA4, 0xED, 0x6E, 0x5B, 0x88, 0x7A, 0x99, 0x3C, 0xCF, 0xB6, 0x15, 0x40, 0x23,
   0x02, 0xE4, 0x7B, 0xBE, 0xA6, 0x83, 0xCC, 0x29, 0x5F, 0xFA, 0x45, 0x30, 0x68, 0xDD, 0x12, 0x97,
   0x09, 0xFD, 0xEA, 0x56, 0x74, 0x38, 0xBF, 0x43, 0xAB, 0xD7, 0x80, 0x6C, 0xCE, 0x92, 0x25, 0x19]
 # AI=3 when aiming to optimize this parameterr)
MDPISBOX2 =[
    0x01, 0x11, 0x91, 0xE1, 0xD1, 0xB1, 0x71, 0x61, 0xF1, 0x21, 0xC1, 0x51, 0xA1, 0x41, 0x31, 0x81,
    0x00, 0x10, 0xE4, 0x95, 0xB3, 0xD2, 0x76, 0x67, 0x8B, 0x3A, 0xAE, 0x4F, 0xC9, 0x58, 0x2C, 0xFD,
    0x08, 0x2F, 0xF2, 0x1C, 0x5E, 0x90, 0xED, 0xC3, 0x37, 0x69, 0x74, 0x8A, 0xB8, 0xA6, 0x4B, 0xD5,
    0x0F, 0x38, 0x1A, 0x83, 0xE0, 0x49, 0x9B, 0xA2, 0xB4, 0x5D, 0xDF, 0xC6, 0x75, 0xFC, 0x6E, 0x27,
    0x0C, 0x4A, 0xD0, 0x2B, 0xA4, 0x1F, 0xF5, 0xBE, 0x63, 0xC8, 0xE2, 0x39, 0x56, 0x7D, 0x87, 0x9C,
    0x0A, 0x5C, 0x3D, 0xB0, 0x18, 0xC5, 0x84, 0xD9, 0xEA, 0xF7, 0x46, 0x7B, 0x93, 0x2E, 0xAF, 0x62,
    0x06, 0x66, 0x29, 0x3E, 0xFF, 0x88, 0x17, 0x70, 0x52, 0xA5, 0x9A, 0xBD, 0xEC, 0xDB, 0xC4, 0x43,
    0x07, 0x77, 0xCC, 0xAA, 0x4D, 0x5B, 0x60, 0x16, 0xD8, 0x9E, 0x35, 0xF3, 0x24, 0x82, 0xE9, 0xBF,
    0x0E, 0x89, 0x9F, 0x47, 0x72, 0x2A, 0xDC, 0x54, 0xCE, 0xB6, 0xF0, 0x68, 0xAD, 0xE5, 0x33, 0x1B,
    0x03, 0x92, 0x7E, 0xDD, 0xC7, 0xF4, 0xA8, 0x3B, 0x4C, 0x8F, 0x53, 0x20, 0x6A, 0xB9, 0x15, 0xE6,
    0x0D, 0xAB, 0x65, 0x5F, 0x26, 0xBC, 0x32, 0x98, 0xF9, 0xD3, 0x8D, 0xE7, 0x1E, 0x44, 0x7A, 0xC0,
    0x04, 0xB5, 0x86, 0xC2, 0x99, 0x6D, 0x4E, 0xFA, 0x7F, 0xEB, 0x28, 0xAC, 0xD7, 0x13, 0x50, 0x34,
    0x0B, 0xCD, 0x48, 0x64, 0xDA, 0x36, 0x23, 0xEF, 0xA0, 0x7C, 0x19, 0x55, 0xFB, 0x97, 0xB2, 0x8E,
    0x05, 0xD4, 0xA3, 0xF6, 0x6B, 0xEE, 0x59, 0x8C, 0x25, 0x40, 0xB7, 0x12, 0x3F, 0xCA, 0x9D, 0x78,
    0x02, 0xE3, 0xBB, 0x79, 0x85, 0xA7, 0xCF, 0x2D, 0x96, 0x14, 0x6C, 0xDE, 0x42, 0x30, 0xF8, 0x5A,
    0x09, 0xFE, 0x57, 0xE8, 0x3C, 0x73, 0xBA, 0x45, 0x1D, 0x22, 0xCB, 0x94, 0x80, 0x6F, 0xD6, 0xA9,
]

#AES AI=2
AES = [
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
]


from itertools import combinations
from typing import List, Tuple

# --------------------------- GF(2) Linear Algebra -----------
def gf2_rank(rows: List[int]) -> int:

    basis: List[int] = []
    for v in rows:
        x = v
        # Reduce x by current basis (pivot by highest set bit)
        for b in basis:
            if x == 0:
                break
            hb_x = x.bit_length()
            hb_b = b.bit_length()
            if hb_x == hb_b:
                x ^= b
            elif hb_x < hb_b:
                continue
        if x:
            basis.append(x)
            # Keep basis ordered by decreasing highest-bit position to speed up reduction
            basis.sort(key=lambda z: z.bit_length(), reverse=True)
    return len(basis)
# ----------------------------- Monomial Handling ------------
def monomials_xy_masks_upto_deg(nx: int, ny: int, d: int) -> List[Tuple[int, int]]:

    mons: List[Tuple[int, int]] = []
    for wx in range(0, min(d, nx) + 1):
        for X in combinations(range(nx), wx):
            mask_x = 0
            for i in X:
                mask_x |= (1 << i)
            # For each chosen x-weight wx, choose y-weight wy so that wx + wy ≤ d
            for wy in range(0, min(d - wx, ny) + 1):
                for Y in combinations(range(ny), wy):
                    mask_y = 0
                    for j in Y:
                        mask_y |= (1 << j)
                    mons.append((mask_x, mask_y))
    return mons

def build_rows_graph_annihilator(sbox: List[int], mons_xy: List[Tuple[int, int]]) -> List[int]:

    rows: List[int] = []
    for x in range(256):
        y = sbox[x]
        row = 0
        for j, (mx, my) in enumerate(mons_xy):
            # monomial equals 1 iff all variables in its support are 1
            if (x & mx) == mx and (y & my) == my:
                row |= (1 << j)
        rows.append(row)
    return rows
# -------------------- Core Computation ------------
def sbox_ai_graph(sbox: List[int], max_degree: int = 4) -> Tuple[int, int]:
    if len(sbox) != 256:
        raise ValueError("S-box must have exactly 256 entries (integers in [0..255]).")
    if any((v < 0 or v > 255) for v in sbox):
        raise ValueError("All S-box entries must be integers in [0..255].")

    nx = ny = 8  # x has 8 vars, y has 8 vars
    for d in range(0, max_degree + 1):
        mons = monomials_xy_masks_upto_deg(nx, ny, d)
        mcols = len(mons)
        rows = build_rows_graph_annihilator(sbox, mons)
        rnk = gf2_rank(rows)
        if rnk < mcols:
            # Nontrivial nullspace exists => graph annihilator(s) of degree ≤ d found
            return d, (mcols - rnk)
    return max_degree + 1, 0

# ------------------------------------ Main ------------------
def main():

    SBOX = MDPISBOX
    ai_gr, nullity = sbox_ai_graph(SBOX, max_degree=4)
    print("==== Graph Algebraic Immunity ====")
    print(f"AI_gr(S)          : {ai_gr}")
    print(f"Nullity (solutions): {nullity}")

if __name__ == "__main__":
    main()

Comments 3: Linear Redundancy Issues

The S-box shows linear redundancy of 31, indicating structural weaknesses. This parameter is not discussed in the paper.

Response 3: We are not certain how you derived this parameter and obtained the value 31. For resistance against linear attacks, we have already provided a detailed analysis of the LAT. Since the table size is 256×256, we did not include it in the manuscript. However, you can refer to the file LAT.py, which outputs the full table, and we have followed common practice by using the LAP as the comparison metric, consistent with other studies.

Therefore, we did not discuss this parameter (Linear Redundancy) in the paper.

Comments 4: Questionable Experimental Setup

Multiple concerning factors undermine credibility:

- All coordinate functions allegedly achieve exactly NL=116, which is statistically improbable

- GitHub repository contains potentially malicious files

- Incomplete algorithmic description prevents reproducibility

- No theoretical justification for achieving maximum nonlinearity

Response 4:

1. All coordinate functions allegedly achieve exactly NL=116, which is statistically improbable.

In fact, we have achieved this result, and we provide you with the detailed calculation method.

2. GitHub repository contains potentially malicious files

Since we initially provided an .exe program, some security software may have blocked it. We have now updated the GitHub repository with the complete calculation and analysis code, which you can review in detail.

3. Incomplete algorithmic description prevents reproducibility

The formulas in the paper are fairly straightforward to implement. Nevertheless, we have added a supplementary algorithm in the manuscript and also provided the code so that you can generate the S-box yourself as mentioned in Comment 2. You only need to select SA, SB, SC, SD from the table and run the program to print the S-box.

4. No theoretical justification for achieving maximum nonlinearity

The theoretical maximum nonlinearity for 8-bit Boolean functions is 120. For balanced functions, we do not claim it is the absolute maximum; rather, we state that, to date, the best-known results have reached 116. We have cited this fully in the paper. We kindly ask you to review it again.

Comments 5: Comparison Methodology Flaws

Table 5 compares against works not targeting maximum nonlinearity. This creates false superiority claims. Moreover, the comparison ignores that achieving true NL=116 would represent a major breakthrough requiring rigorous theoretical foundation.

Response 4: Thank you.

We have compared our work with the most recent studies available. In particular, we noted that the average nonlinearity of Boolean functions has so far only been reported as high as 114.5 in study [29] (Waheed, A.; Subhan, F.; Mohd Su’ud, M.; Mansoor Alam, M. Molding robust S-box design based on linear fractional transformation and multilayer Perceptron: Applications to multimedia security. Egyptian Informatics Journal, 2024, 26, 100480. https://doi.org/10.1016/j.eij.2024.100480).

If nonlinearity were calculated in the way you suggested, this study would also not report 114.5. Many works compute nonlinearity using the average value, while others use the minimum nonlinearity among coordinate functions. In our case, achieving 116 for all coordinate Boolean functions represents the distinctive and superior result of our work.

Comments 6: Performance Trade-offs Understated

While claiming optimality in nonlinearity, the S-box shows:

- Differential uniformity: 6 (acceptable but not optimal)

- SAC deviation: 0.030665 (reasonable)

- BIC: 0.156556 (poor compared to AES).

Response 6:

Thank you for your comment. We kindly ask for a fair view when considering the comparison table.

Among 18 studies, while our primary objective of optimizing nonlinearity (NL) has been achieved with the best results, our DAP (DU=6) and LAP values rank 6th out of 18. Other parameters, such as the number of fixed points, are also favorable. Metrics like BIC and SAC may deviate slightly or perform somewhat worse, but the differences are not significant compared to other works.

The main focus of this paper is the optimization of nonlinearity. In addition, our design choices were made with the aim of hardware efficiency to support practical applications.

Comments 7: Required Corrections

1) Correct nonlinearity reporting: State actual nonlinearity of 108, not 116

2) Include algebraic immunity analysis: Report AI=2 and discuss implications

3) Address linear redundancy: Explain high linear redundancy value

4) Revise comparison methodology: Compare against appropriate baselines

5) Provide complete algorithm: Enable independent verification

6) Acknowledge limitations: Discuss algebraic structure vulnerabilities.

Response 7:

Thank you.

1) Correct nonlinearity reporting: State actual nonlinearity of 108, not 116

We confirm that the nonlinearity of all coordinate Boolean functions is 116, and we have used the same calculation method as in recent studies to ensure a fair comparison.

2) Include algebraic immunity analysis: Report AI=2 and discuss implications

We have added the result of AI = 2. This is the same as other S-boxes—neither better nor worse—so it does not carry much weight for comparison.

3) Address linear redundancy: Explain high linear redundancy value

Unfortunately, we are unable to address this particular request. We would kindly ask you to point out any recent S-box studies that provide explicit formulas and analysis of this parameter, as the latest works we used for comparison in our table did not discuss it.

4) Revise comparison methodology: Compare against appropriate baselines

Comparing our work with the most recent results is appropriate. While we could reference older works, doing so would not be very meaningful since the previously best-reported result was 114.5. Surpassing this benchmark is the central goal of our research.

5) Provide complete algorithm: Enable independent verification

We have provided complete resources, including the code for generating S-boxes and detailed analysis programs that can be easily verified—even online without needing to install Python.

6) Acknowledge limitations: Discuss algebraic structure vulnerabilities.

We have acknowledged the limitations that not all parameters can be simultaneously optimized. In cryptographic design, improving one parameter often comes at the expense of others. However, as shown in the comparison table, our results are overall competitive and, compared to the most recent studies, deserve recognition.

Comments 8: Recommendation

The paper requires major revision before publication. The construction method produces reasonable but not exceptional S-boxes. Claims of achieving theoretical maximum nonlinearity are unsupported by independent analysis.

The work's value lies in demonstrating a systematic construction approach, not in cryptographic superiority over existing designs. Authors must acknowledge these limitations and present results honestly.

Response 8: Thank you for your recommendation.

1. The main objective of our paper is to optimize the nonlinearity of the coordinate Boolean functions of the S-box, and we have achieved the best results compared to other studies in recent years.

2. The analysis and evaluation of S-boxes are straightforward, with many available tools for verification. We have also provided our detailed code to enable independent evaluation.

3. We kindly ask for a more objective assessment when reviewing the results of this work. The way you calculate nonlinearity differs from ours, and also from the methods used in the studies we cited in the comparison table. Therefore, drawing conclusions about the correctness of our results may be premature. We have carefully used the term nonlinearity of Boolean functions and made fair comparisons following the same methodology as other studies.

4. When looking at the overall comparison, it is clear that optimizing one parameter inevitably means that not all others can be simultaneously optimal. The comparison table transparently shows both the strengths and the limitations, which readers can clearly observe.

5. The detailed results of our analysis are as follows, and you can substitute any S-box to verify them. In particular, we have printed out the Boolean functions, so you can use any nonlinearity calculation tool to cross-check the results.

================ BOOLEAN FUNCTIONS (BINARY & HEX) =========

Coordinate Boolean functions (n=8, bit0=LSB):

  f0(x)  BINARY: 1111111111111111001010101010101000010110100101101001100101100110010000110011110000011001100110010111000000001111101001010101101001001100001100111111000011110000100101100110100101111111000000001100110011001100101010100101010100100101101001011100001111000011

  f0(x)     HEX: 0xFFFF2AAA16969966433C1999700FA55A4C33F0F096697F00CCCCAA5525A5C3C3

  f1(x)  BINARY: 0000000000000000001100110011001100000000111111111101101010100101011001100110011010001111000011111101101001011010111010010110100111101001100101101000111111110000010101010101010101010101101010101011110000111100011001101001100110111100110000110011001111001100

  f1(x)     HEX: 0x0000333300FFDAA566668F0FDA5AE969E9968FF0555555AABC3C6699BCC333CC

  f2(x)  BINARY: 0000000000000000000011110000111101010101010101011011001111001100111010010110100100000000111111111110011010011001111010011001011010111100110000110101010110101010111001100110011010110011001100110000111111110000101111000011110001011010101001010101101001011010

  f2(x)     HEX: 0x00000F0F5555B3CCE96900FFE699E996BCC355AAE666B3330FF0BC3C5AA55A5A

  f3(x)  BINARY: 0000000000000000000000001111111111100110011001101101101001011010111010011001011011010101010101010011110000111100001111001100001111011010101001010011001100110011111010010110100100001111000011111101010110101010000011111111000000110011110011001110011010011001

  f3(x)     HEX: 0x000000FFE666DA5AE996D5553C3C3CC3DAA53333E9690F0FD5AA0FF033CCE699

  f4(x)  BINARY: 0110111010010010011011101001001000111100101010010101001000111011000110111011010001110101001001100010011100011101010010011000111100010111110010100111100101011000001010110110001101000101111100010000110001111110011000101110110000110000110101110101111001000101

  f4(x)     HEX: 0x6E926E923CA9523B1BB47526271D498F17CA79582B6345F10C7E62EC30D75E45

  f5(x)  BINARY: 0001011111001010000101111100101001010010001110110100010111110001001001110001110100110000110101110111010100100110011000101110110000001100011111100001101110110100010111100100010101001001100011110010101101100011001111001010100101111001010110000110111010010010

  f5(x)     HEX: 0x17CA17CA523B45F1271D30D7752662EC0C7E1BB45E45498F2B633CA979586E92

  f6(x)  BINARY: 0001101110110100000110111011010000010111110010100000110001111110010100100011101101001001100011110100010111110001010111100100010100100111000111010011110010101001001100001101011100101011011000110111010100100110011011101001001001100010111011000111100101011000

  f6(x)  HEX: 0x1BB41BB417CA0C7E523B498F45F15E45271D3CA930D72B6375266E9262EC7958

  f7(x)  BINARY: 0011110010101001001111001010100100011011101101000010011100011101000101111100101000101011011000110000110001111110001100001101011101010010001110110110111010010010010010011000111101110101001001100100010111110001011110010101100001011110010001010110001011101100

  f7(x) HEX:

 0x3CA93CA91BB4271D17CA2B630C7E30D7523B6E92498F752645F179585E4562EC

================ PER-FUNCTION NL & SAC (COORDS) ===========

f0: NL=116 | SAC_vector=[0.5000, 0.5000, 0.5000, 0.5000, 0.5469, 0.5469, 0.5312, 0.5469] | SAC_avg=0.5215

f1: NL=116 | SAC_vector=[0.5000, 0.5000, 0.4375, 0.5000, 0.5312, 0.5312, 0.5312, 0.5469] | SAC_avg=0.5098

f2: NL=116 | SAC_vector=[0.5000, 0.4375, 0.5000, 0.5000, 0.5312, 0.5312, 0.5469, 0.5469] | SAC_avg=0.5117

f3: NL=116 | SAC_vector=[0.4375, 0.5000, 0.5000, 0.5000, 0.5312, 0.5469, 0.5469, 0.5312] | SAC_avg=0.5117

f4: NL=116 | SAC_vector=[0.5469, 0.5469, 0.5312, 0.5469, 0.4375, 0.5000, 0.5000, 0.5000] | SAC_avg=0.5137

f5: NL=116 | SAC_vector=[0.5312, 0.5312, 0.5312, 0.5469, 0.4375, 0.5000, 0.5000, 0.5000] | SAC_avg=0.5098

f6: NL=116 | SAC_vector=[0.5312, 0.5312, 0.5469, 0.5469, 0.4375, 0.5000, 0.5000, 0.5000] | SAC_avg=0.5117

f7: NL=116 | SAC_vector=[0.5312, 0.5469, 0.5469, 0.5312, 0.4375, 0.5000, 0.5000, 0.5000] | SAC_avg=0.5117

Response to Reviewer 4 Comments

1. Summary

Thank you very much for taking the time to carefully review this manuscript. We sincerely appreciate your valuable feedback. We have thoroughly addressed each of your comments and provided detailed responses below. The corresponding highlighted changes can be found in the re-submitted files. We hope that our revisions meet your expectations and further enhance the quality of this article.

2. Point-by-point response to Comments and Suggestions for Authors

Comments 1:

The manuscript proposes a composition technique that builds 8×8 S-Boxes from four 4×4 components combined with multiplication in GF(2^4). The authors claim that many instances produced by this method are bijective, reach algebraic degree 7, and, crucially, that every coordinate Boolean function attains nonlinearity 116, which they position as the balanced optimum. They further report differential uniformity 6, maximum linear probability about 0.078, near-ideal SAC and BIC figures, modest CPA improvements over AES in an unprotected setting, and competitive hardware cost under a simple gate-equivalent model. The paper is clearly written and the idea is appealing. However, I recommend Major Revision for the following reasons.

1. Add a theorem that characterizes when the construction yields a permutation and proves degree 7 for the coordinates of your representative instance. Provide proofs or counterexamples for the general case across choices of SA, SB, SC, SD and the three irreducible polynomials.

Response 1: We would like to thank you for your comments and provide the following clarifications.

First, in the Proposed Method (Section 4), we presented the mathematical condition ensuring the bijectivity of the 4×4 component S-boxes. Specifically, the 4×4 S-boxes are constructed from power mappings in the multiplicative group

??(2^4)^∗, which has order 15. The mapping ? ->?^k is bijective if and only if gcd(k,15)=1. This condition allows us to determine the set of valid exponents and ensures that each selected component S-box possesses the permutation property. This serves as the mathematical foundation of our method.

Second, based on the component S-boxes that are proven bijective, we construct 8×8 S-boxes using formulas (5) and (6). In our investigation, for each irreducible polynomial, we obtained 8 component S-boxes. Choosing four S-boxes ??, ??, ??, ?? results in 4096 configurations per polynomial. With three irreducible polynomials, this yields a total of 12,288 different 8×8 S-boxes. Statistical analysis shows that 2,304 of these S-boxes achieve nonlinearity 116 for all coordinate Boolean functions.

Third, regarding algebraic degree, we verified and confirmed that all coordinate functions of the constructed S-boxes reach algebraic degree 7—the maximum possible for Boolean functions of 8 variables.

We have supplemented the manuscript with a detailed description of the proposed algorithm (Algorithm 1, as suggested by another reviewer). With the algorithm, the corresponding formulas, and the provided code, the results can be easily reproduced. In our work, we applied the construction by selecting to meet two criteria: first, maximizing the nonlinearity of the coordinate Boolean functions, and second, minimizing hardware resource usage. Our approach is therefore experimental in nature—we focused on searching and evaluating results rather than developing deeper theoretical foundations.

For verification, please kindly check the programs that we have uploaded at the following link: https://github.com/dpp291187/S-box-Cryptanalysis. We believe this addition clarifies the reproducibility of our work and strengthens the presentation of our proposed method.

Comments 2: 2.    Re-run differential, linear, and side-channel comparisons against AES and at least two strong published 8×8 S-Boxes under a unified evaluation framework. Report DU, LP, branch numbers, BCT metrics, wide-trail bounds, and comprehensive CPA/TVLA statistics with confidence intervals. Rework the claims to reflect measured strengths and weaknesses.

Response 2:

We have already provided a complete evaluation program that computes all metrics — simply plug in an S-box and it prints the analysis results. You do not need to install Python; the code can also be run directly with an online tool (example: https://www.online-python.com/).

Ÿ  The DU and LP results match exactly the values previously reported.

Ÿ  We have added the Branch Number (BN) evaluation; the BN evaluation code is included in the file BN.py. All the S-boxes have the same branch number of 2, so there is no distinction. Therefore, we discussed this aspect separately rather than including it in the comparison table.

Ÿ  We provide a complete evaluation program for the Boolean Connectivity Table (BCT) and the full BCT (FBCT) analyses (please see BCT.py)

Ÿ  For side-channel analysis, in addition to the mathematical metrics relevant to DPA, we supplemented the paper with detailed CPA attack experiments (see Figure 1). Because the 16 bytes behave similarly, we show representative results for only one byte. The full experimental program is provided.

Ÿ  We discussed strengths and weaknesses: our design meets the stated goal of optimizing nonlinearity and outperforms other reported results on that metric. Some other parameters remain weaker, but overall — when compared with the most recent studies — our S-boxes still show competitive performance.

Please refer to the analyses highlighted in light blue in the manuscript.

These clarifications have been added to Section 5, 6 in the revised manuscript. (highlighted in blue).

Comments 3: Provide synthesis results for your RTL and two baselines with the same toolchain and library, reporting area, delay, power, and energy per substitution. If you rely on GE counting, add a sensitivity analysis that shows how conclusions change under alternative gate-weight models.

Response 3: Thank you for your comment.

Ÿ  As stated, our primary objective is to optimize nonlinearity. In our experiments, we obtained many S-boxes with nonlinearity 116; therefore, we selected those with the smallest estimated hardware cost.

Ÿ  Implementing S-boxes under logic-gate models, as done in other studies, provides a fair basis for comparison. This approach is independent of a specific technology, since the results can be normalized into a common parameter such as Gate Equivalents (GE) depending on the library used. We believe this ensures fairness in evaluation and allows direct comparison with other published works.

Ÿ  We regret that it is not feasible to implement all S-boxes in hardware in order to measure the full set of parameters you requested. However, our evaluation table clearly demonstrates the hardware efficiency of the selected S-boxes, which we consider a meaningful result. Moreover, similar estimation-based evaluations are also widely used in the literature: in fact, even recent works published between 2023 and 2025 (see our comparison table) typically do not provide complete synthesis results, but rather present estimates in the same way as we did.

Ÿ  You can select the values of SA, SB, SC, SD and the choice of irreducible polynomials to generate and print the results. Because we previously provided a self-built .exe executable, it may have been flagged by security software. Please revisit the link and run the Python file to see the full, detailed evaluation of our S-box analysis.

Comments 4: Normalize notation, fix table formatting, state hexadecimal tables cleanly, and add a concise background subsection that explains why 116 is the accepted balanced optimum for n = 8, with precise references. Temper language such as “sets the new standard” and replace with evidence-based phrasing.

Response 4: Thank you for your suggestion.

Ÿ   We have corrected the hexadecimal values in Table 2.

Ÿ   We only state that the value 116 is the currently known optimum nonlinearity for balanced 8-variable Boolean functions, as supported by the cited references. The fact that our constructed S-box achieves nonlinearity 116 simultaneously for all 8 coordinate functions is therefore a strong result. According to our survey, the best previous work [29] (Waheed, A.; Subhan, F.; Mohd Su’ud, M.; Mansoor Alam, M. Molding robust S-box design based on linear fractional transformation and multilayer Perceptron: Applications to multimedia security. Egyptian Informatics Journal 2024, 26, 100480.https://doi.org/10.1016/j.eij.2024.100480.) achieved an average of 114.5, which was considered the state-of-the-art before our contribution.

Ÿ   The phrase “sets the new standard” has been moderated and replaced with more neutral, evidence-based wording in Abstract.

4. Additional clarifications

In addition to addressing the reviewers' comments, we would like to emphasize the contributions of this paper:

Ÿ   We achieved the highest nonlinearity of the coordinate Boolean functions for an S-Box compared to all previous studies, reaching 116, which is the maximum attainable so far. This demonstrates that our primary research objective has been fully achieved.

Ÿ   The proposed algorithm is capable of generating a large number of S-Boxes and allows for the selection of different parameter sets to optimize various optional S-Box criteria.

Ÿ   While the optimization was focused on nonlinearity, the remaining cryptographic criteria are not fully optimal. Nevertheless, when compared with other studies, these values remain within secure bounds and are competitive with state-of-the-art results.

Ÿ   The proposed S-Boxes were comprehensively evaluated with respect to mathematical properties, hardware implementation cost estimates, and side-channel resistance through practical experiments. This level of holistic evaluation is rarely provided in the literature on S-Boxes (readers may verify this by examining almost any prior work on S-Boxes).

Response to Reviewer 3 Comments

1. Summary

Thank you very much for taking the time to carefully review this manuscript. We sincerely appreciate your valuable feedback. We have thoroughly addressed each of your comments and provided detailed responses below. The corresponding highlighted changes can be found in the re-submitted files. We hope that our revisions meet your expectations and further enhance the quality of this article.

2. Point-by-point response to Comments and Suggestions for Authors

Comments 1: The Nonlinearity Metric Confusion

The authors defend their nonlinearity calculation by citing recent papers (2023-2025) that use similar methodology. However, this defense misses the point. There are two distinct concepts:

- Coordinate function nonlinearity: The average (or minimum) nonlinearity of the 8 individual Boolean functions f₁, f₂, ..., f₈ that comprise the S-box outputs. This is what the authors measure.

- S-box nonlinearity: The minimum nonlinearity across all 255 non-trivial linear combinations of the coordinate functions. This is what determines resistance to linear cryptanalysis.

The authors achieve the first but have not demonstrated the second. For a vectorial Boolean function S: F₂⁸ → F₂⁸, the cryptographically relevant nonlinearity is:

NL(S) = min_{v≠0} NL(v·S)

where v ranges over all 255 non-zero vectors in F₂⁸, and v·S denotes the linear combination of coordinate functions.

The authors cite papers that report coordinate function nonlinearity, but if you trace back through those citation chains, earlier works properly distinguished these metrics. Recent papers have gradually dropped the distinction, but this doesn't make the coordinate-only metric cryptographically meaningful for S-box applications..

Response 1: Thank you for your comment.

We have revised this section according to the reviewer’s suggestion (highlighted in yellow in the manuscript).

In the updated version, we clearly distinguish between the two nonlinearity metrics and report both values. Specifically, in Section 5.1 (highlighted in yellow), we state that:

The coordinate Boolean-function nonlinearity of all eight coordinate functions

??(?) is 116, representing the theoretical maximum for balanced 8-variable Boolean functions.

The vectorial S-box nonlinearity ??(?) has been computed by exhaustively scanning all 255 non-trivial linear masks, resulting in NL(S) = 108 and LAP = 0.078.

To ensure there is no confusion between these two concepts, the main comparison table in Section 5 now includes two separate columns: one for Avg. NL(fᵢ) and another for NL(S). The entries for our proposed S-boxes S01 and S02 (highlighted in yellow) show 116.00 for coordinate nonlinearity and 108 for vectorial nonlinearity.

Additionally, throughout the manuscript, every mention of the value 116 is now explicitly described as “coordinate Boolean-function nonlinearity,” while NL(S) = 108 is referred to as the vectorial nonlinearity, which is the cryptographically relevant metric for linear cryptanalysis.

For reproducibility, the file toolsbox10_2025.py (available at https://github.com/dpp291187/S-box-Cryptanalysis/blob/main/toolsbox10_2025.py) performs a complete calculation of NL(S) by evaluating all 255 masks for each S-box, and outputs both NL(S) and LAP using the same analysis framework applied in this paper.

Comments 2: The LAP Contradiction Remains Unresolved

Table 10 in the revised paper reports LAP = 0.078 for the proposed S-box. This creates a mathematical inconsistency with the claimed nonlinearity of 116.

Using the standard formula:

NL = 2⁸(1/2 – LAP)

If LAP = 0.078, this means the NL = 108 (as I indicated in the first review), not 116.

The authors need to either:

- Recalculate their LAP value using the actual S-box nonlinearity metric

- Explain this discrepancy mathematically

- Acknowledge that the 116 figure applies only to coordinate functions

This isn't a minor detail. It's a direct mathematical contradiction in their own results table.

Response 1: Thank you for your comment.

We have revised this section according to the reviewer’s suggestion (highlighted in yellow in the manuscript).

In the updated version, we carefully verified and mathematically reconciled the relationship between LAP and nonlinearity (NL). Using the standard formula NL = 2⁸(1/2 – LAP)

a value of LAP = 0.078 corresponds precisely to NL(S) = 108. Therefore, there is no inconsistency in our results. The previously mentioned value of 116 refers only to the coordinate Boolean-function nonlinearity (i.e., the average nonlinearity of the 8 coordinate functions, while NL(S) = 108 is the correct value for the vectorial nonlinearity of the entire S-box.

This clarification has been explicitly added and highlighted in Section 5.1, where both values now appear side by side, making the distinction clear to the reader. The mathematical consistency between LAP and NL(S) is also mentioned in the text (highlighted in yellow), showing that the two parameters are in complete agreement when computed under the correct definition.

Comments 3: Linear Redundancy Dismissal

The authors state they are "not certain how you derived this parameter" and decline to discuss it because "other studies" don't include it. This response is inadequate.

Linear redundancy is a well-established cryptographic criterion, formalized by Fuller and Millan (2003) specifically for S-box analysis:

- J. Fuller and W. Millan, “Linear Redundancy in S-Boxes,” in Fast Software Encryption, vol. 2887, T. Johansson, Ed., in Lecture Notes in Computer Science, vol. 2887. , Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 74–86. doi: 10.1007/978-3-540-39887-5_7.

- J. E. Fuller, “Analysis of affine equivalent boolean functions for cryptography,” phd, Queensland University of Technology, 2003. Accessed: Apr. 18, 2021. [Online]. Available: https://eprints.qut.edu.au/15828/

It measures the dimension of the affine subspace containing the S-box coordinate functions. High linear redundancy (31 out of a maximum 255) indicates that many coordinate functions can be expressed as affine combinations of others, creating structural weaknesses.

This is particularly relevant here because the S-box construction uses algebraic methods (GF(2⁴) multiplication and 4×4 S-boxes). Such constructions inherently risk introducing algebraic structure. Linear redundancy quantifies exactly this type of weakness.

The authors cannot dismiss this by saying "we haven't seen it in recent papers." The parameter exists in the cryptographic literature, is computable from their S-box, and is relevant to their algebraic construction method. They should either:

- Calculate and report it

- Explain why it's irrelevant to their specific construction

- Acknowledge it as a limitation

Simply refusing to engage with the metric is not acceptable..

Response 3:

In the updated version, we have added a new subsection titled “Linear Redundancy (LR)” in Section 5.4 and cited the two foundational works by Fuller and Millan (2003):

[72] J. Fuller and W. Millan, “Linear Redundancy in S-Boxes,” Fast Software Encryption (FSE 2003), Lecture Notes in Computer Science, vol. 2887, Springer, pp. 74–86, 2003.

This references (highlighted in yellow) are now included in the updated Reference section (Ref. [72]) to ensure proper attribution to the original definition of the LR criterion.

Following these references, we have added a complete explanation of the LR metric and its relevance to algebraically constructed S-boxes. Specifically, we describe that Linear Redundancy (LR) measures the dimension of the smallest affine subspace containing the set of coordinate Boolean functions of an S-box. A lower LR value indicates less structural dependency among coordinate functions, which is desirable for cryptographic strength.

In our work, the LR values were computed for all proposed and reference S-boxes using the newly implemented LR.py script. The obtained results are:

Proposed S01/S02: ?_lower=31, pair redundancy upper bound ≈ 3.71%

AES S-box: ?_lower=1, pair redundancy = 100%

These results indicate that our S-boxes show significantly lower linear redundancy compared to AES, suggesting weaker affine dependency among coordinate functions, even though both use algebraic transformations over GF(2⁴). This supports the claim that our construction, while algebraic, does not introduce critical structural weaknesses.

All explanatory text and numerical values for LR are highlighted in yellow in Section 5.4 (pages 10–11), together with a short paragraph explaining how the LR parameter was computed and how it complements other metrics such as NL(S) and AI.

Reproducibility:

The LR.py file (available in our GitHub repository at https://github.com/dpp291187/S-box-Cryptanalysis/blob/main/LR.py) contains the complete algorithm for LR computation. It can also be executed through the unified evaluation script toolsbox10_2025.py, ensuring consistent measurement across all S-boxes reported in the tables.

Comments 4: Algebraic Immunity Response Is Insufficient

The authors acknowledge AI = 2 (matching AES) but then claim they "could achieve AI = 3" by selecting different component S-boxes. This misses the point in two ways:

First, if AI = 3 configurations exist, why weren't they presented in the paper? The paper claims to present S-boxes with optimal properties, yet acknowledges that better algebraic immunity is possible within the same framework.

Second, the issue isn't just the numerical value but the lack of analysis. The construction uses GF(2⁴) multiplication, which inherently creates algebraic structure. The paper needed to either:

- Analyze why AI = 2 is acceptable given this algebraic approach

- Present the AI = 3 variants as the main contribution

- Discuss the tradeoffs between coordinate function nonlinearity and algebraic immunity

The revised paper simply adds a footnote about AI = 2 without this analysis.

Response 4: Thank you for your comment.

We have revised this section according to the reviewer’s suggestion (highlighted in yellow in the manuscript).

In fact, we have achieved this result, and we provide you with the detailed calculation method.

In the updated version, we provide a complete analysis of the Algebraic Immunity (AI) of the proposed S-boxes, together with a systematic study of the possible trade-offs between AI and coordinate-function nonlinearity.

A new detailed discussion has been added to Section 5.3 “Algebraic Immunity” (highlighted in yellow), supported by experimental data and code verification.

First, we clarify that our construction framework is capable of producing multiple configurations with different algebraic immunity values. Specifically, we have tested all possible combinations of four 4×4 S-boxes selected from eight initial S-boxes under three irreducible polynomials of GF(2⁴). Through this exhaustive analysis, two representative configurations were selected and reported:

S01: The hardware-optimized configuration, achieving AI = 2, equivalent to the AES S-box, and offering minimal hardware cost.

S02: The security-oriented configuration, achieving AI = 3, which represents an improvement in algebraic resistance while maintaining Avg. NL(fᵢ) = 116.

Both configurations are now presented in the paper, along with their analytical justification.

The results and explanation are highlighted in Section 5.3 (pages 9–10), where we explicitly state that AI = 3 is achievable within our method and discuss the trade-off between nonlinearity and hardware efficiency.

Second, we analyze why AI = 2 is acceptable in algebraically constructed S-boxes. Since the design employs GF(2⁴) multiplication, a certain degree of algebraic regularity is inevitable. However, achieving AI = 2 (matching AES) ensures that no non-trivial low-degree annihilator exists, and this level of immunity is considered adequate for practical block ciphers, provided that other properties (NL, SAC, BIC, and LR) remain strong.

For S02, the configuration with AI = 3 demonstrates that stronger immunity can be achieved at the cost of hardware — this balance between security and implementation cost has been thoroughly discussed in the added text.
Add a reference on Algebraic Immunity:

[71] Fischer, S.; Meier, W. Algebraic Immunity of S-Boxes and Augmented Functions. In Proceedings of Fast Software Encryption, Biryukov, A., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2007; pp. 366–381.

Reproducibility:

The AI computation is fully automated in AI.py, available in our GitHub repository at https://github.com/dpp291187/S-box-Cryptanalysis/blob/main/AI.py.

Comments 5: The "Theoretical Maximum" Claim Needs Clarification

The authors repeatedly state that 116 is "the best result to date" and "the theoretical maximum for balanced functions." This is true for individual 8-variable Boolean functions. However:

- The paper title and abstract claim this for "S-Boxes," not "Boolean functions"

- An S-box is a vectorial Boolean function, not 8 independent Boolean functions

- The security of an S-box depends on all 255 linear combinations, not just the 8 coordinate functions

The paper conflates achieving optimal coordinate functions with achieving an optimal S-box. These are not the same thing.

Consider this analogy: You could construct an 8×8 S-box from 8 bent functions (each with NL = 120). This would give "better" coordinate function nonlinearity than the authors' 116. But the resulting S-box would likely be cryptographically weak because bent functions are unbalanced and the combination wouldn't coordinate properly for vectorial nonlinearity.

The point is that coordinate function quality is necessary but not sufficient for S-box quality.

Response 5: Thank you.

We have revised all statements referring to the “theoretical maximum” nonlinearity in the Abstract, Contributions, Section 1 (Introduction), Section 5.1 (Nonlinearity), and Conclusion, all highlighted in yellow.

The revised text now specifies that NL = 116 is the optimal value for balanced 8-variable coordinate Boolean functions, while the overall S-box nonlinearity is NL(S) = 108.

These changes make clear that our claim applies only to the coordinate functions, not to the entire S-box.

For clarification here: bent functions, although they can reach NL = 120, are unbalanced and thus cannot be used for bijective S-box construction. Therefore, the “theoretical maximum” mentioned in our paper refers strictly to balanced Boolean functions, which are suitable for secure and bijective S-box design.

Additionally, we noted that this coordinate-function nonlinearity metric remains important, as it is widely used in recent S-box comparison studies (2023–2025) for evaluating Boolean component quality.

Comments 6: Comparison Methodology Remains Flawed

The authors defend their comparison table by saying they use "recent studies." But this creates several problems:

- Citation chain degradation: Early papers in this research line properly reported both S-box nonlinearity and coordinate function averages, clearly distinguishing them. More recent papers dropped the S-box nonlinearity metric and report only coordinate functions. The authors have followed this trend, but the trend itself is methodologically problematic.

- Selective metric reporting: Table 5 compares "Boolean function nonlinearity" across papers. But different papers in that table may be calculating this differently. Some report coordinate function averages, some report minimums, some report S-box nonlinearity. Without verifying what each cited paper actually measured, the comparison is potentially meaningless.

- Security relevance: Even if all papers use the same metric, if that metric is coordinate function nonlinearity rather than S-box nonlinearity, then the entire table is comparing a parameter that doesn't directly determine security. It's like comparing cars based on individual tire quality while ignoring how the complete vehicle performs.

Response 6:

We have revised the comparison section and updated all related tables in Section 5.3 (Results and Discussion), with the modifications highlighted in yellow.

In this revision, we have added the requested parameters to the comparison tables and clearly stated that the comparison is based on both coordinate-function nonlinearity and overall S-box nonlinearity NL(S) for completeness.

All compared S-boxes from previous works have been retested under identical conditions using our evaluation program toolsbox10_2025.py, available at:

https://github.com/dpp291187/S-box-Cryptanalysis/blob/main/toolsbox10_2025.py.

The program includes the full list of S-boxes cited in the paper and evaluates all criteria (NL, DAP, LAP, SAC, BIC, AI, LR, etc.) under the same computational environment.

For transparency, the complete numerical results obtained from these evaluations are also provided in the output file:

https://github.com/dpp291187/S-box-Cryptanalysis/blob/main/SboxMDPI.txt.

,so that reviewers and readers can directly verify or rerun all comparisons.

This ensures full fairness and reproducibility, since all S-boxes—both ours and those from related works—were analyzed using the same Python-based tool and identical formulas.

The updated Table 6, 12 now include both NL(S) and average coordinate-function NL for all referenced works, providing a fair and comprehensive comparison.

Comments 7: Incomplete Reproducibility

While the authors added code, the core algorithm description remains unclear about several details:

- The exact selection criteria for SA, SB, SC, SD from the 8 available options

- Whether the "identical 4×4 S-boxes" configuration was chosen for optimality or just convenience

- How the 2,304 candidates with NL=116 were screened for other properties.

Response 7:Thank you.

We would like to clarify that the experimentation and selection process was already fully described in the paper, specifically in Section 4.2 (Proposed Method).

As stated there, four S-boxes were selected from each set of eight and assigned to SA, SB, SC, and SD, resulting in 8⁴ = 4096 configurations for each irreducible polynomial, and with three polynomials, a total of 12,288 S-boxes were generated and analyzed.

For each generated S-box, we computed Boolean function nonlinearity and classified them according to cryptographic performance, as summarized in Table 3 and the following sections.

This process was fully exhaustive, meaning that all possible combinations were tested rather than a partial selection.

Therefore, the methodology is already complete and reproducible, and readers can confirm these details directly in Section 4.2, which explicitly presents the full experimental procedure.

In addition, the Python code Sboxgenaration.py, available at

https://github.com/dpp291187/S-box-Cryptanalysis/blob/main/Sboxgenaration.py.

allows anyone to freely reproduce the experiment, replace the parameters or polynomials, and generate and analyze all S-box configurations in the same way as described in the paper.

Comments 8: Side-Channel Analysis Interpretation

The authors show their S-box requires more traces than AES for CPA (≈17,000 vs ≈11,000). They present this as evidence of "comparable" resistance. However:

- This is unprotected implementation only

- The difference is relatively small (≈55% more traces)

- The theoretical SCA parameters in Table 11 show mixed results, not clear superiority

- The conclusion of "comparable resistance" may be overselling marginal improvements.

Response 8: Thank you for your recommendation.

We appreciate this observation and would like to clarify that we did not claim superiority over AES in terms of side-channel resistance.

In both the text and conclusion, we have explicitly stated that our S-Box exhibits “comparable resistance” rather than higher resistance, since the difference in required CPA traces is relatively small.

This interpretation is meant to reflect a conservative and humble assessment, consistent with the fact that the evaluation was conducted on unprotected hardware implementations.

In our updated manuscript, we did not modify the corresponding section, because the original version already clearly described this stance.

We also note that side-channel resistance depends largely on hardware design choices, such as masking, hiding, randomization,….

Thus, even small numerical differences in CPA trace counts cannot be directly interpreted as cryptographic strength differences between S-Boxes.