Abstract
There is a need of secure and robust encryption algorithm that can be implemented on each and diverse software and hardware platforms. In this paper, we investigate semifield substitution boxes using permutation of symmetric group on a set of size 8 \(S_8\) and establish an effective procedure for generating \(S_8\) semifield substitution boxes having same algebraic properties. Further, the strength analysis of the generated substitution boxes is carried out using the well-known standards, namely bijectivity, non-linearity, strict avalanche criterion, bit independence criterion, XOR table and differential invariant. As application, an encryption algorithm is proposed that can be employed to strengthen any kind of secure communication. The presented algorithm is mainly based on the Shannon idea of substitution–permutation network where the process of substitution is performed by the proposed \(S_8\) semifield substitution boxes and permutation operation is performed by the binary cyclic shift of substitution box transformed data. In addition, the proposed encryption algorithm utilizes two different chaotic maps. To ensure the appropriate utilization of these chaotic maps, we carry out in-depth analyses of their behavior in the context of secure communication and apply the pseudo-random sequences of chaotic maps in the proposed image encryption algorithm accordingly.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
Substitution box (S-box) is the most important element in any block cipher. Being the only nonlinear component of block cipher, a substitution box plays the vital role of inducing the non-linearity between the ciphertext and the secret key in block cipher encryption algorithms. Hence, the S-box (Anees and Ahmed 2015; Hussain et al. 2012a; Anees and Gondal 2015; Hussain et al. 2012b) is used as a tool in block ciphers to enhance their resistance against differential and linear cryptanalysis (Chu et al. Mar. 2014). The S-box of Advanced Encryption Standard (AES) (Daemen and Rijmen 2002) can be defined via the arrangement of eight Boolean functions with the domain and the range of each function as \(GF(2^8)\) and GF(2), respectively. Alvarez and Mcguire (2009) have provided some measures to analyze the cryptographic potency of S-box. These measures determine the cryptographic invulnerability of S-boxes against special categories of promising attacks. In literature, it can be seen that along with injective and surjective properties of S-boxes, only \(S_8\) S-boxes proposed by Hussain et al. (2012b), and AES S-box have high-quality values close to optimal readings for all of these criteria. The reason to get similar analysis of these boxes is that \(S_8\) S-boxes are permutation extension of AES S-box based on a symmetric group. A large number of papers have been devoted to studying finite field S-boxes and their applications. The reader is referred to Hussain et al. (2012a), Anees and Gondal (2015), Hussain et al. (2012b), Daemen and Rijmen (2002) and Alvarez and Mcguire (2009) for the literature on finite field S-boxes and their applications.
1.1 Algebraic structure of semifield
This paper investigates S-boxes over the algebraic structure of semifield, defined as follows.
Definition 1.1
A finite semifield consists of a finite set S with two binary operations “+” and “\(\cdot \)” such that the following axioms hold:
-
\((S,+)\) forms a group with identity element 0.
-
\(\forall a,b \in S\): If \(ab=0\) then \(a=0\) or \(b=0.\)
-
\(\forall a,b \in S\): \(a(b+c)=ab+ac\) and \((a+b)c=ac+bc.\)
-
\(\forall a \in S\) \(\exists \) a neutral element for \(\times \) denoted as e which satisfies: \(ea=ae=a.\)
For example the following system S is a proper semifield having order 16. Let us consider \(GF(2^2)=\left\{ 0, 1, \omega , \omega ^2 \right\} \) as a base field F for the construction of the semifield \(S_{2^4}.\) The form of the elements of semifield is \(u+\lambda v,\) where u,� \(v\in F.\) The addition in the semifield \(S_{2^4}\) is defined using the addition of field F as \( (u+\lambda v)+(x+\lambda y)=(u+v)+\lambda (x+y). \) Multiplication in the semifield \(S_{2^4}\) is defined in terms of the multiplication and addition of F,� in the following manner
Semifields \(S_{2^4}\) with 16 elements is shown in Table�1.
In semifield, there is no associative property as contrary to let say Galois Field. This characteristic of having no associative property makes S-boxes way more difficult to break using linear or differential cryptanalysis. The known S-boxes based on finite fields are good enough against known algebraic attacks, yet there could be some unknown algebraic attacks that may weaken the confusion creating capability of finite field S-boxes. To overcome this possible weakness, Dumas and Orfila (2014) proposed to enhance the algebraic strength of S-boxes by considering finite semifields instead of finite fields to generate S-Boxes. The known classification of semifields is up to \(2^6;\) therefore, it is a challenge to use the small structure \(2^4\) for the construction of \(2^8\) S-boxes. Dumas and Orfila (2014) utilized pseudo-extensions of semifield of order \(2^4\) to construct 12,781 non-equivalent S-boxes with maximum cryptographic properties. In this paper, corresponding to each and every non-equivalent S-box of Dumas and Orfila (2014), we generate 8! S-boxes with same cryptographic properties. This is achieved by the action of symmetric group of permutation on every non-equivalent S-box of Dumas and Orfila (2014). Moreover, the non-equivalent S-boxes will behave like a set. Because all 12,781�S-boxes of Dumas and Orfila (2014) are non-equivalent, therefore, we have 12,781 mutually disjoint classes of S-boxes. Further, we have shown the application of these S-boxes in image encryption.
The paper is organized as follows. The necessary details about the chaotic maps employed in this work, along with their relevance to secure communication, are provided in Sect.�2. Section 3 is divided in two parts, giving the construction methodology of proposed S-boxes followed by analyses for evaluating their strength. Section 4 presents the proposed block cipher. The experimental and security analysis for the proposed cipher are presented in Sects. 5 and 6, respectively. Finally, Sect. 7 gives the conclusion.
2 Chaos and their significance in secure communication
In recent years, number of articles published on chaotic security (Anees and Siddiqui 2013) has proven to be weak against well-known attacks (Pecora and Carroll 1990; Kocarev 2001). This is due to the fact that the researchers did not analyze chaotic phenomena in detail with respect to secure communication (Volos et al. 1997; Anees et al. 2013). Although there are many similarities between chaotic behavior of chaotic maps and randomness required in security (Liua and Wang 2010), it still needs proper attention to be applied in this field.
In this paper, we analyze a modified version of logistic chaotic map (Verhulst 1845) in detail with respect to secure communication and observe the regions of interest which can be applicable in communication security. There are works in the literature that employ logistic map for the encryption purposes (García-Martínez and Campos-Cantón 1845, 2015; Cassal-Quiroga and Campos-Cantón 2020; Campos-Cantón et al. 2011). We have employed two chaotic maps in our proposed encryption algorithm; modified logistic map and Tangent Delay Ellipse Reflecting Cavity Map System (TD-ERCS) (Sheng et al. 2004). The modified logistic chaotic map employed in our work is given as Wang and Chen (2013):
where \(x_0 \in (0,1),\) \(b \in [0,1)\) and r (depending on b) are initial seed parameters. At \(b = 0,\) the above equation becomes the logistic map. At a specific value of b, r is a control parameter which specifies the overall behavior of this chaotic map. In physical terms, it can be defined as the heating in a convention or the growth rate of population of a typical bacteria type etc. Figure 1 presents the bifurcation diagram of modified logistic map which is a combined presentation of all the graphs plotted x against r for different values of b. Fig.�1a shows the bifurcation diagram at \(b = 0\) which is equivalent of the bifurcation diagram of logistic map. The range of the randomness in the bifurcation diagrams at all the values of b is almost same; the only difference between these figures is the shifting of the range for the values of r which is a significant advantage as compared to logistic map.
2.1 Chaotic range analysis
Taking the case \(b = 0.2\) (Fig.�1b), we analyze the ranges which are r dependable. Based on Fig.�1b, we can divide the interval for r into three segments:
-
When \(r \in [1, 3.5],\) the iteration sequence for x attains a constant value past some iterations displaying a stable behavior. Figure�2a shows the bifurcation diagram of modified logistic map for \(r = 1\) to \(r = 3.5,\) Fig.�2b demonstrates the iteration sequence for initial conditions \(r = 2.5,\) \(b = 0.2,\) \(x_0 = 0.5\) and Fig.�2c illustrates the iteration sequence for initial conditions \(r = 3.2,\) \(b = 0.2,\) \(x_0 = 0.5.\) It should be noted that the iteration sequences converge to a stable point beyond some iterations and hence are not suitable for utilization in secure communication.
-
When \(r \in (3.5, 4.2),\) the iteration sequence for x exhibits periodic behavior with different periodicity after some iterations. Figure�3a illustrates the bifurcation diagram of modified logistic map for \(r = 3.5\) to \(r = 4.2,\) Fig.�3b demonstrates the iteration sequence for initial conditions \(r = 3.7,\) \(b = 0.2,\) \(x_0 = 0.5\) and Fig.�3c displays the iteration sequence for initial conditions \(r = 4.1,\) \(b = 0.2,\) \(x_0 = 0.5.\) It is worth noticing that the iteration sequences exhibit periodic behavior after some iterations having periodicity 2 for Fig.�3b and 4 for Fig.�3c and thus are not suitable for usage in secure communication.
-
Whilst \(r \in [4.2, 4.6],\) the iteration sequence for x exhibits chaotic behavior. Figure�4a illustrates the bifurcation diagram of modified logistic map for \(r = 4.2\) to \(r = 4.6,\) Fig.�4b demonstrates the iteration sequence for initial conditions \(r = 4.3,\) \(b = 0.2,\) \(x_0 = 0.5,\) Fig.�4c illustrates the iteration sequence for initial conditions \(r = 4.5,\) \(b = 0.2,\) \(x_0 = 0.5\) and Fig.�4d illustrates the iteration sequence for initial conditions \(r = 4.56,\) \(b = 0.2,\) \(x_0 = 0.5.\) It should be noted that the iteration sequences are pseudo-random illustrating a chaotic behavior and, thus, can be used in secure communication. However, the whole range between \(r = 4.2\) to \(r = 4.6\) does not have a chaotic illustration. For example, when \(r = 4.41,\) it shows periodic behavior and thus is not suitable to be applicable in secure communication as can be seen in Fig.�4e displaying the iteration sequence for initial conditions of \(r = 4.41,\) \(b = 0.2,\) \(x_0 = 0.5.\) Furthermore, at \(r = 4.52,\) it shows periodic behavior and thus not suitable to be applicable in secure communication as can be seen in Fig.�4f that shows the iteration sequence for initial conditions of \(r = 4.52,\) \(b = 0.2,\) \(x_0 = 0.5.\)
2.2 Randomness analysis
Similar to above, we can also analyze the ranges of bifurcation diagrams for the other values of b and can observe their chaotic ranges. Apart from visually analyzing the randomness of these ranges, we have tested the sequence using the NIST statistical analysis suite (Rukhin et al. 2010) which contains 15 statistical tests. Although these tests were primarily designed for a larger stream of binary bits (usually >�10,000), these tests can also be used on shorter streams as well as on integer values. We have converted the decimal values of the map into binary as follows: the binary value of 1 is assigned to the first iteration value. Then, the modulus 2 value will be assigned if the absolute value of the difference between the current and previous iteration value of chaotic map is greater than 0.25; otherwise, the previous binary value is assigned. The results of these tests on chaotic sequences are listed in Table�2 showing that the generated chaotic sequences pass the randomness tests.
2.3 Sensitivity analysis
Randomness alone is not enough for any chaotic sequence to be applied in secure communication (Pisarchika and Zaninb 2008; Anees et al. 2014a). It is necessary that the chaotic sequence should be sensitive to the initial conditions. For the example taken of modified logistic map, we have considered three scenarios for sensitivity analysis; one for each initial condition of each of the parameter \(x_0,\) r and b. For comparison, Fig. 5a displays the graphs of chaotic sequence for modified logistic map for initial conditions \(r = 4.5,\) \(x_0 = 0.5000000000,\) \(b = 0.2\) and for slightly changed initial conditions \(r = 4.5,\) \(x_0 = 0.5000000001,\) \(b = 0.2.\) It can be observed that both the sequences are similar initially for up to 15 iterations, but beyond that, both sequences become completely out of phase from each other. Moreover, the modified logistic map is sensitive to the initial conditions for r and b. Fig. 5b illustrates the chaotic sequence for initial conditions \(r = 4.5000000000,\) \(x_0 = 0.5,\) \(b = 0.2\) and in the same figure, a graph is plotted for initial conditions \(r = 4.5000000001,\) \(x_0 = 0.5,\) \(b = 0.2.\) Similarly, Fig. 5c displays the chaotic sequence for initial conditions \(r = 4.5,\) \(x_0 = 0.5,\) \(b = 0.2000000000\) and in the same figure, a graph is plotted for initial conditions \(r = 4.5,\) \(x_0 = 0.5,\) \(b = 0.2000000001.\) It can be observed that at the beginning the sequences in both the figures are nearly same but with increased number of iterations, all the sequences are individually recognizable. For the other chaotic map TD-ERCS, one can similarly show that it has same properties as modified logistic map. The TD-ERCS map provides two chaotic sequences, x and k, given mathematically as (Sheng et al. 2004):
where
The initial seed parameters are,
These initial parameters lead to
3 Proposed S-boxes
The ideal scenario for the construction of \(8\times 8\) S-box based on semifield is to find a semifield with order 256. But unfortunately, the complete classification of semifield is still unknown and, in literature, the largest known classification of semifield with characteristic 2 is of order 64. Therefore, it is not possible to find a direct method to incorporate the nonlinear component S-box in block cipher based for this structure. But Dumas and Orfila (2014) have shown an indirect way for the construction of S-box based on semifield. Our proposed construction method in this work consists of two steps.
-
Step 1:
The first step involves construction method from Dumas and Orfila (2014), as explained below. Dumas and Orfila (2014) define a bijection T as T: (\(S_{2^4})^2 \rightarrow \) \((S_{2^4})^2.\) Basically, the finite field \(GF(2^8)\) is constructed with the help of quotient structure \(F_{2^8}=F_{2^4}[X]/P(X)\) where \(P(X)=X^2+ \alpha X +\beta ,\) with \(\alpha ,\) \(\beta \in F_{2^4},\) is an irreducible polynomial of degree 2. According to Dumas and Orfila (2014), the elements of \(F_{2^8}\) viewed as \(F_{2^4}[X]/P(X)\) are polynomials of degree 1 of the form \(aX+b,\) denoted as couple \((a,b) \in (F_{2^4})^2.\)
Theorem 3.1
Let \(P(X)=X^2+\alpha X+\beta \in F_{2^4}(X),\) P is irreducible if and only if \(\forall \) \(\gamma \in F_{2^4},\) \([(\alpha -\gamma )\gamma -\beta ]\ne 0\) (Dumas and Orfila 2014).
Definition:
Proposition 3.2
Let \(P(X)=X^2+ \alpha X +\beta \in S_{2^4}[X],\) P is pseudo-irreducible if and only if \(\forall \) \(\gamma \in F_{2^4},\) \([(\alpha -\gamma )\gamma -\beta ]\ne 0\) (Anees and Gondal 2015).
Theorem 3.3
Let \(P(X)=X^2+\alpha X+\beta \in S_{2^4}(X),\) be a pseudo-irreducible polynomial. The transformation�:�
T�:� \((S_{2^4})^2\rightarrow (S_{2^4})^2\) \((0,0)\rightarrow (0,0)\) \((0,b)\rightarrow (0,b^{-1})\) \((a,b)\rightarrow (a^{-1} c,a^{-1} d)\)
such that \(\gamma =a^{-1}b,\) \(c=[(\alpha -\gamma )\gamma -\beta ]^{-1},\) and \(d=c(\alpha -\gamma ),\) is a bijection.
The bijection T will give us semifield S-box shown in Table�3.
-
Step 2:
In this step, the group action of \(S_8\) is applied on semifield S-box of Step 1. The semifield S-box behaves like a set. The group action leads to generation of 40,320 new S-boxes, because the order of \(S_8\) is 40,320 and corresponding to every single permutation we have a novel S-box. The process of synthesis is explained in Fig.�6 and mathematical expression is given below: The action \(S_8 \ \text {S-boxes}: \ S_8 \times \text {Semifield S-box} \rightarrow \text {Semifield S-boxes}\) defined as
$$\begin{aligned} \mu (a_0 a_1 a_2 a_3 a_4 a_5 a_6 a_7) = (a'_0 a'_1 a'_2 a'_3 a'_4 a'_5 a'_6 a'_7), \end{aligned}$$where \( \mu \in S_8\) and
$$\begin{aligned} (a_0 a_1 a_2 a_3 a_4 a_5 a_6 a_7), (a'_0 a'_1 a'_2 a'_3 a'_4 a'_5 a'_6 a'_7) \in \text {Semifield-S-box}. \end{aligned}$$
Figure�6 explains the mathematical action in a simplified way with three steps. Initially, in Step 1, we have converted the elements of semifield S-box from decimal to binary values. So we have eight different Boolean functions \(F_0, F_1,F_2,F_3,F_4,F_5,F_6,F_7\) as shown in Fig.�6. In step 2, we have taken an arbitrary permutation (13246578) from \(S_8\) for the construction of one S-box. On applying this permutation on \(F_0, F_1,F_2,F_3,F_4,\) \(F_5,F_6,F_7,\), the effect of permutation on Boolean functions will give us a new arrangement which is as follows: \(F_0, F_2,F_1,F_3,F_5,F_4,F_6,F_7.\) At the end, the binary number is converted once again in the form of decimal values get new \(S_8\) semifield S-box.
3.1 Cryptographic strength analyses of S-box
To measure the good properties of S-box benchmark criteria are presented in literature like bijectivity, differential approximation probability (DP), strict avalanche criterion (SAC), bit independence criterion (BIC), non-linearity, and linear probability (LP). We carry out the security analysis of the proposed S-box of example given in Table�3 using these well-known criteria.
-
1.
Bijectivity: (Dumas and Orfila 2014) If the linear sum of the Boolean function \(f_i\) of each component of the designed \(n \times n\) S-box is \(2^{n-1}\), then f is a bijection. Mathematically, we can write as
$$\begin{aligned} wt(a_1f_1+a_2f_2+\cdots +a_n f_n), \end{aligned}$$(3.1)where \(a_i\in {0,1},\) \((a_1,a_2,\ldots ,a_n)\ne (0,0,\ldots ,0),\) wt() denotes the Hamming weight. In effect, an inverse is important specifically in a substitution network, therefore S-box should be bijective.
-
2.
Non-linearity: The non-linearity of an S-box can be tested by the following formula:
$$\begin{aligned} N_f=2^{-n}\left( 1-\max _{\omega \in GF(2^n)}\left| 2^{-n}\sum _{x\in GF(2^n)} (-1)^{f(x)\oplus x.\omega }\right| \right) , \end{aligned}$$(3.2)where \(\omega \in GF(2^8).\)
-
3.
Strict avalanche criterion: This analysis depicts information that while one bit of eight lengths input byte of plaintext modifies, will yield a 0.5 probability of the outcomes changes in byte of 8 bits balanced for entries.
-
4.
Bit independent criterion: For two Boolean function \(f_j,\) \(f_k,\) one can test the independence criterion of a substitution box by validating if, for any two output bits of the S-box, \(f_j \oplus f_k\) \((j \ne k)\) fulfills the SAC and non-linearity.
-
5.
XOR table and differential invariant: XOR table of substitution box basically depends on the calculation of \(\rho _{L}(a,b)= \left\{ x\in GF(2^8): L(x)\oplus L(a\oplus x)= M\right\} \) \(\forall a,b \in GF(2^8).\) The differential invariant \(\rho _{L}(a,b)\) is found as follows: \(\rho _{L}(a,b) =\underbrace{\max }_{a,b \in GF(2^8), a \ne 0}\left| \left\{ x\in GF(2^8): L(x)\oplus L(a\oplus x)= M\right\} \right| .\)
3.2 Experimental results for proposed S-boxes
In Table�4, we have shown some analyses such as linear approximation probability, differential approximation probability, strict avalanche criterion, average bit independence criterion for non-linearity, average bit independence criterion for strict avalanche criterion and non-linearity of proposed \(S_8\) semifield S-boxes. Further, we have compared the cryptographic strength of presented 40,320 boxes with semifield S-box of Dumas and Orfila (2014) and advanced encryption standard (AES) S-box (Daemen and Rijmen 2002). It can be observed that all the properties of newly generated nonlinear components are almost equivalent to S-box of Dumas and Orfila (2014) and Daemen and Rijmen (2002). Hence, we can say that proposed 40,320 S-boxes are a powerful as AES S-box, which is known as one of the most invulnerable S-box against all kinds of differential and linear attacks.
4 Proposed lightweight block cipher
For the application of proposed S-boxes presented in the previous section, we have proposed a lightweight block cipher which utilizes these S-boxes and can be employed for low profile applications. The proposed cipher consists of basic confusion–diffusion network performed by substitution and permutation. The permutation is performed with the help of cyclic shift operation and substitution is done with the help of numerous proposed S-boxes having same algebraic properties. The top level block description of proposed lightweight block cipher is illustrated in Fig.�7.
The plaintext is divided and considered as individual blocks of 128-binary bits, let the representation of 128-binary bits block of plaintext be \(B_p.\) There is whitening step beside the confusion-diffusion network which is performed at the very beginning. The first block of plaintext is xored with the user supplied 128-binary bits key, \(K_1.\) After the xor operation (whitening), the xored block which is represented as \(B_x\) is the input to the substitution and permutation modules. The next blocks of plaintext are xored with the immediate previous blocks of ciphertext.
As mentioned earlier, binary cyclic shift is performed for the permutation. Let us take x to be the chaotic sequence obtained from modified logistic chaotic map for the initial values \(x_0,\) b and r. These initial values are considered as the first three secret keys of the proposed encryption algorithm which combines to give \(K_2\) as illustrated in Fig. 8, that is, \(k_2^{1} = x_0,\) \(k_2^{2} = b\) and \(k_2^{3} = r.\) The length of x is 128 which has values under modulo 8. Since the initial range of chaotic sequence is [0, 1], therefore we multiply that sequence with 100 to amplify the range and then limit the sequence under modulo 8. In parallel, let the binary representation of first 8 bits of xor block be \(P_x.\) For each \(P_x,\) there is a left cyclic shift of \(x_{q}\) binary bits which results in a cyclic shifted 8 bits, \(P_c\) and correspondingly cyclic shifted block, \(B_c.\) For instance, let \(P_x = 11010110\) and \(x_{q} = 3,\) then after cyclic shift, \(P_c = 10110110.\)
Take x and k be the two chaotic sequences obtained from TD-ERCS chaotic map having initial values \(x_0,\) \(\tan \alpha ,\) \(\mu \) and m. For simplicity and convenience, x is denoted as y. These four initial values are considered as next four secret keys of the proposed encryption algorithm, that is, \(k_3^{1} = x_0,\) \(k_3^{2} = \tan \alpha ,\) \(k_3^{3} = \mu \) and \(k_3^{4} = a\) which combine to give \(K_3.\) Since, we need only one chaotic sequence from this map, therefore we will only use y sequence. The sequence y has length 16 and values under modulo \(S_n,\) where \(S_n\) denotes the total number of S-boxes used. Initially the chaotic sequence has the range of \([-1, 1],\) so we amplify that range by first shifting the range from \([-1, 1]\) to [0, 2] and then multiplying that shifted sequence with 1000, and finally limiting the sequence under modulo \(S_n.\) In parallel, for the substitution step, combinations of 8 bits in \(B_c\) are substituted with the 8 bits of one of the proposed S-boxes. The decision of choosing which S-box to utilize is taken by the chaotic sequence of y. Let the binary representation of first 8 bits of \(B_c\) be \(P_c.\) For each \(P_c,\) the eight bits are split into 4 Most Significant Bits (MSBs) and 4 Least Significant Bits (LSBs) first. These MSBs and LSBs are then converted into decimal and these decimal values corresponds to the row and column numbers of a particular S-box. The element at that position of specific S-box is converted into binary having 8 bits and will be substituted in place of \(P_c.\) For instance, let \(P_c = 10110110\) and \(y_{q} = 105,\) then the 4 MSBs are 1011 and 4 LSBs are 0110, the decimal value at 11th row and 5th column of 105th S-box will be substituted to get the 8 substituted binary bits \(P_s\) and correspondingly ciphertext block, \(C_p.\)
The proposed block cipher in form of pseudo-code is illustrated in Algorithm 1. It has only six rounds as contrary to other renown block ciphers which have more than 12 rounds. Despite few rounds, the results are very competitive to the benchmark algorithms due to the multiple S-boxes employed instead of a single S-box. The experimental, statistical and security analysis are presented in the next sections to illustrate the robustness and performance effectiveness of the proposed block cipher.
5 Experimental results and statistical analysis
For experiments, we have taken two dimensional digital images as plaintext. First, the cameraman image having size of \(256\) is considered as plaintext shown in Fig. 8a. This plainimage is then encrypted using proposed lightweight block cipher and encrypted cameraman image is shown in Fig. 8b which is completely random and gives no information regarding the original plainimage. To see the distribution of values (image pixels) in plainimage and cipherimage, we have plotted the histograms of these images shown in Fig. 8c, d, respectively. It can be observed that the distribution of the values of cipherimage is uniform showing good resistance against frequency analysis. We have also considered a one-scale image which has only one gray value having perfect auto-correlation as shown in Fig. 9a. The encrypted version of this one-scale image is shown in Fig. 9b. The histogram of one-scale and its encrypted version is plotted and shown in Fig. 9c, d, respectively. It can be seen that the histogram of the encrypted version is flat again, despite maximum auto-correlation in the plainimage.
5.1 Statistical analysis
For further examination of the visual strength of the proposed block cipher, we have performed different statistical analysis and have carried out a comparison of our results with the state-of-the-art block cipher. We have considered the following statistical analyses.
5.1.1 Correlation
For an image, the correlation is defined as (Anees et al. 2014b):
where a, b refer to position of image pixels, \(\rho (a, b)\) represents the pixel value at ath row and bth column of image matrix, \(\mu \) and \(\varphi \), respectively, denote the variance and the standard deviation. The correlation analysis measures the extent to which two neighboring image pixels are similar, over the whole image. It has the range \([-1 \ 1]\), where the correlation value 1 means the ideal correlation.
5.1.2 Entropy
The image entropy is defined as (Anees et al. 2014b):
where a, b refer to position of image pixels, \(\rho (a, b)\) represents the pixel value at ath row and bth column of image matrix and \(pr(\rho (a, b))\) is the probability of image pixel. Entropy depicts the uncertainty of the image and has range \([0 \ 8]\) for an image with 256 gray scales. The more the amount of entropy is, the more the amount of uncertainty is.
5.1.3 Contrast
The image contrast is defined as (Anees et al. 2014b):
where a, b refer to position of image pixels, \(\rho (a, b)\) represents the pixel value at ath row and bth column of image matrix. The contrast analysis of the image is carried out for the purpose of identification of objects in texture of an image. The range of contrast values is \([0 \ (\text {size}(\text {Image})-1)^2].\) For a constant image, the contrast value is 0. The more the amount of contrast is, the more is the variation in image pixels.
5.1.4 Homogeneity
The image homogeneity is defined as (Anees et al. 2014b):
where a, b refer to position of image pixels. The nearness of the distribution in the gray level cooccurrence matrix (GLCM) to GLCM diagonal is determined by homogeneity analysis. The homogeneity values range is \([0 \ 1].\)
5.1.5 Energy
The image energy is defined as Anees et al. (2014b):
where a, b refer to position of image pixels. The energy analysis provides the sum of squared elements in the GLCM. The energy values have range \([0 \ 1].\) For a constant image, the energy value is 1.
Table 5 shows the outcome of the above analyses for the proposed image encryption scheme. It also provides a comparative study with the benchmark blockcipher of AES. It is worth noticing that the presented scheme depicts competitive results despite significant lower computational complexity.
6 Security analysis
For the robustness and to check whether the proposed cipher can resist against known attacks, we have carried out series of security analysis that will ensure the effectiveness of proposed cipher.
6.1 Key space and key sensitivity
The total number of secure keys that can be used in the cipher is referred as key space. In our proposed work, we have used three keys, in which, the first one is the user provided 128-binary bit key, second and third are the combination of initial values of the two chaotic maps used. The total combination of these three secure keys is sufficiently large so, for checking all the combinations, any modern computer should take more than \(10^{10}\) years. Thus, the proposed cipher can resist to any brute force attack.
However, key space alone is not enough to guarantee the effectiveness of a cipher in this regard. It is necessary that with the key space, key sensitivity should be achieved as well. Key sensitivity refers to a property of cipher in which the decryption of ciphertext can not be successively achieved despite the fact that there is a minor change in the encryption and decryption keys. For the analysis, first, we have taken the cameraman image (shown in Fig. 8a) and encrypted with the proposed cipher (Fig. 8b shows the encrypted image). For the decryption, we have slightly changed the decryption keys and attempted decrypting the encrypted images with these slightly altered decryption keys. Figure 10a shows the decrypted image in which \(K_1\) is changed by a single binary bit. Figure 10b shows the decrypted image in which b of \(K_2\) is changed from \(b = 0.2000000000\) to \(b = 0.2000000001.\) Fig. 10c shows the decrypted image in which r of \(K_2\) is changed from \(r = 4.5000000000\) to \(r = 4.5000000001.\) Fig. 10d shows the decrypted image in which \(x_0\) of \(K_3\) is changed from \(x_0 = 0.5000000000\) to \(x_0 = 0.5000000001.\) It can be seen that, even for a small modification in the decryption keys, decryption is unsuccessful in all of considered images.
6.2 Avalanche analysis
The avalanche effect refers to an appealing characteristics of cryptosystems. The avalanche effect is evident when a slight change in the input (for instance, flipping a single bit) leads to a notable change in the output (like change in half the output bits). Mathematically, the avalanche effect can be determined by the following formulas for the number of pixel change rate (NPCR) and the unified average change intensity (UACI) (Wu et al. 2010).
where \(A_1\) and \(A_2\) are the two encrypted images acquired from the original image with the disparity of a single pixel, N and M represent the number of rows and columns of encrypted image matrix, and D(a, b) is defined as
NPCR yields the rate of change of number of pixels of encrypted image once a single pixel of original image is amended. UACI determines normal power of contrasts between original and encrypted images. The least required value for NPCR must be 50%. NPCR and UACI analysis is carried out for some standard images of image processing such as Lena, cameraman and baboon. We have taken three cases to analyze the NPCR and UACI cryptographic strength for proposed image encryption technique, for each of the considered images. For analysis, first a pixel is chosen in the first two rows of the original image and then the procedure is repeated for two other parts (roughly in middle and end) of the data. The comparative analysis of the proposed image encryption technique with the AES for NPCR and UACI is provided in Table�6. It can be seen that proposed algorithm is competing with the most widely applicable and economical block cipher cryptosystem.
Moreover, we have done NPCR and UACI analysis to analyze the key security of proposed key schedule. We consider following two cases.
-
Case I
We have applied two different encryption keys having a single bit difference on same original image to get two significantly different encrypted images having NPRC and UACI values 99.5298 and 33.6210, respectively.
-
Case II
Here, we have applied two different decryption keys having a single bit difference on same encrypted image to get two significantly different decrypted images having NPRC and UACI values 99.6210 and 33.3698, respectively.
The comparative analysis of the proposed image encryption technique with the AES for key sensitivity using NPCR and UACI is given in Table 6. The values of the analysis show that the proposed key schedule is invulnerable for image encryption.
6.3 Cryptanalysis
To analyze the full cryptographic strength of proposed image cryptosystem against known attacks, it is required to pass plainimage through complete rounds. The known attacks are as follows.
6.3.1 Linear cryptanalysis
Th linear approximation probability (LP) is utilized to measure the discrepancy of an event. This test is useful in determining the optimum value of discrepancy in the outcome of event. The two masks, \(\Gamma y\) and \(\Gamma x,\) are utilized for parity of the output and input bits, respectively. For the nonlinear component of block cipher, LP is defined as Matsui (1994):
where all possible unique inputs are contained in the set X and the cardinality of X is \(2^{n}.\) The average maximum value of LP of proposed cryptosystem having 1 round and 8 S-boxes is \( \text {LP}_{\textrm{max}} = 2^{-4.21}.\) Furthermore, the generalization of proposed cryptosystem with 256 active S-Boxes and 4-rounds will give us average maximum value \(\text {LP}_{\textrm{max}}^{4r} = 2^{-4.21 \times 256} = 2^{-1077}.\) It is worth mentioning that to a certain extent, it is difficult to launch linear cryptanalysis against proposed cryptosystem.
6.3.2 Differential cryptanalysis
With a specific end goal to guarantee uniform mapping, the differential at input should exceptionally guide to an output differential. These attributes ensure uniform mapping probability for each input bit i. The differential approximation probability scheme for S-Box determines the differential uniformity, defined as (Biham and Shamir 1993):
where \(\Delta y\) and \(\Delta x\) are output and input differential, respectively. We have applied 256 S-boxes with good cryptographic properties and have extended proposed algorithm for 4 rounds to get good results against DP. \(\text {DP}_{\textrm{max}} = 2^{-4.05}\) is the average maximum DP of the S-Boxes used. The value of DP of the proposed cryptosystem guarantees the cryptographic strength of the proposed algorithm against differential cryptanalysis.
Further, to demonstrate the security strength of the proposed work, we have done the state-of-the-art security analysis and compared with the known works. Table 7 shows the comparative results strict avalanche criterion, bit independent criterion, BIC for SAC, linear approximation probability, and differential approximation probability of proposed and other S-boxes demonstrating the superiority of our proposed S-Box.
6.4 Computational time
One of the important factors to demonstrate the strength of any encryption algorithm is its computational complexity, i.e., how many gate equivalents are required for its hardware implementation. If the computational complexity is too high, then the encryption algorithm might not be appropriate for certain applications. We have computed the computational time for the proposed encryption algorithm that corresponds to the gate equivalents and then compared this computational time with the state-of-the-art works. Table 8 shows the comparative results of computational time of proposed and other works demonstrating the superiority of our proposed work. The time is computed on a desktop machine using MATLAB software on Windows 10 with i7 processor and 16 GB RAM.
7 Conclusion
This paper is concerned with the study of S-boxes based on semifield and their application to develop a block cipher that can be employed for low profile applications. Although the currently known S-boxes based on finite fields perform well against known algebraic attacks, it is possible that there could be some unknown algebraic attacks that may beat the confusion creating capability of finite field S-boxes. In Dumas and Orfila (2014), it was proposed to consider finite semifields instead of finite fields to generate S-Boxes to to enhance the algebraic strength of S-boxes against unknown algebraic attacks. The algebraic structure of semifield is not commonly used in block cipher cryptography because it does not have complete classification up to finite order. In fact, the known classification of semifields is up to \(2^6.\) This makes it challenging to use the small structure \(2^4\) for the construction of \(2^8\) S-boxes. Dumas and Orfila (2014) utilized pseudo-extensions of semifield of order \(2^4\) to construct 12,781 non-equivalent S-boxes with good cryptographic properties. Here we establish an effective procedure for generating \(S_8\) semifield S-boxes having same algebraic properties. Utilizing the action of symmetric group of permutation on every non-equivalent S-box of Dumas and Orfila (2014), corresponding to each and every non-equivalent S-box of Dumas and Orfila (2014), we generate 8! S-boxes with same cryptographic properties. In total, this leads to 51,532,9920 new S-boxes based on semifield and symmetric group.
As application, a block cipher is proposed utilizing \(S_8\) semifield substitution boxes and two chaotic maps. The proposed cipher consists of three modules which are operated for six rounds. These three modules are substitution, permutation and XOR whitening. In the substitution process, multiple proposed S-boxes are used to get desired confusion between the ciphertext and secret key. This module enhances security, and the desired security is attained in less number of rounds as compared to conventional block ciphers. Each module is applied in agreement with the specific chaotic sequence generated through a distinct chaotic map. Security analysis is performed and the simulation results confirm that the proposed algorithm is secure against well-known attacks.
Finally, the proposed encryption algorithm is flexible that can be adapted to changes as required. For instance, it is possible to increase or decrease the number of rounds and S-boxes as well as to replace semifield S-boxes with other S-boxes.
References
Alvarez R, Mcguire G (2009) S-boxes, APN functions and related codes. NATO science for peace and security series-D: information and communication security, pp 49–62
Anees A, Ahmed Z (2015) A technique for designing substitution box based on Van der Pol oscillator. Wirel Personal Commun 82(3):1497–1503
Anees A, Gondal MA (2015) Construction of nonlinear component for block cipher based on one-dimensional chaotic map. 3D Res. https://doi.org/10.1007/s13319-015-0049-4
Anees A, Siddiqui AM (2013) A technique for digital watermarking in combined spatial and transform domains using chaotic maps. In: IEEE 2nd national conference on information assurance (NCIA), pp 119–124. https://doi.org/10.1109/NCIA.2013.6725335
Anees A, Khan WA, Gondal MA, Hussain I (2013) Application of mean of absolute deviation method for the selection of best nonlinear component based on video encryption. Zeitschrift für Naturforschung A 68(a):479–482
Anees A, Siddiqui AM, Ahmed F (2014a) Chaotic substitution for highly autocorrelated data in encryption algorithm. Commun Nonlinear Sci Numer Simul 19(9):3106–3118
Anees A, Siddiqui AM, Ahmed J, Hussain I (2014b) A technique for digital steganography using chaotic maps. Nonlinear Dyn 75(4):807–816
Belazi A, Khan M, El-Latif AAA, Belghith S (2017) Efficient cryptosystem approaches: S-boxes and permutation-substitution-based encryption. Wirel Personal Commun 87(1):337–361
Biham E, Shamir A (1993) Differential cryptanalysis of the data encryption standard. Springer, Berlin
Campos-Cantón E, Femat R, Pisarchik AN (2011) A family of multimodal dynamic maps. Commun Nonlinear Sci Numer Simul 16(9):3457–3462
Cassal-Quiroga BB, Campos-Cantón E (2020) Generation of dynamical S-boxes for block ciphers via extended logistic map. Math Probl Eng 2020:2702653
Chu Y-M, Huang N-F, Lin S-H (2014) Quality of service provision in cloud-based storage system for multimedia delivery. IEEE Syst J 8(1):292–303
Daemen J, Rijmen V (2002) The design of Rijndael: AES—the advanced encryption standard. Springer, Berlin
Dumas J-G, Orfila J-B (2014) Generating S-boxes from semi-fields pseudo-extensions. arXiv:1411.2503
García-Martínez M, Campos-Cantón E (1845) Pseudo-random bit generator based on lag time series. Int J Mod Phys C 25(4):1350105
García-Martínez M, Campos-Cantón E (2015) Pseudo-random bit generator based on multi-modal maps. Nonlinear Dyn 82:2119–2131
Hussain I, Shah T, Gondal MA, Mahmood H (2012a) An efficient approach for the construction of LFT S-boxes using chaotic logistic map. Nonlinear Dyn 71(1–2):133–140
Hussain I, Shah T, Mahmood H, Gondal MA (2012b) Construction of \(S_8\) Liu J S-boxes and their applications. Comput Math Appl 64(8):2450–2458
Khan M, Shah T, Batool SI (2016) Construction of S-box based on chaotic Boolean functions and its application in image encryption. Neural Comput Appl 27(3):667–685
Kocarev L (2001) Chaos-based cryptography: a brief overview. IEEE Circuits Syst Mag 1(3):6–21
Liua H, Wang X (2010) Color image encryption based on one-time keys and robust chaotic maps. Comput Math Appl 59(10):3320–3327
Matsui M (1994) Linear cryptanalysis of the data encryption standard. In: Eurocrypt’93. LNCS, vol 765. Springer, Berlin, pp 386–397
Pecora LM, Carroll TL (1990) Synchronization in chaotic systems. Phys Rev Lett 64(8):821–824
Pisarchika AN, Zaninb M (2008) Image encryption with chaotically coupled chaotic maps. Phys D: Nonlinear Phenom 237(20):2638–2648
Rukhin A et al (2010) A statistical test suite for random and pseudorandom number generators for cryptographic applications. National Institute of Standards and Technology
Sheng L-Y, Sun K-H, Li C-B (2004) Study of a discrete chaotic system based on tangent-delay for elliptic reflecting cavity and its properties. Acta Phys Sin 53(9):2871–2876
Ullah S, Jamal S, Shah T (2017) A novel construction of substitution box using a combination of chaotic maps with improved chaotic range. Nonlinear Dyn 88(4):2757–2769
Verhulst PF (1845) Recherches mathématiques sur la loi d’accroissement de la population. Nouveaux mémoires de l’Académie Royale des Sciences et Belles-Lettres de Bruxelles 18:14–54
Volos C, Kyprianidis I, Stouboulos I (1997) Image encryption process based on chaotic synchronization phenomena. Signal Process 93:1328–1367
Wang X, Chen D (2013) A parallel encryption algorithm based on piecewise linear chaotic map. Math Probl Eng 2013:1–7
Wu Y, Noonan JP, Agaian S (2010) NPCR and UACI randomness tests for image encryption. Cyber J: Multidiscip J Sci Technol J Sel Areas Telecommun, pp 31–38
Funding
Open Access funding provided by the Qatar National Library.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Thomas Aaron Gulliver.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Hussain, I., Anees, A. & Al-Maadeed, T.A. A novel encryption algorithm using multiple semifield S-boxes based on permutation of symmetric group. Comp. Appl. Math. 42, 80 (2023). https://doi.org/10.1007/s40314-023-02208-x
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s40314-023-02208-x