An Injective S-Box Design Scheme over an Ordered Isomorphic Elliptic Curve and Its Characterization

Elliptic curves (ECs) are considered one of the highly secure structures against modern computational attacks. In this paper, we present an efficient method based on an ordered isomorphic EC for the generation of a large number of distinct, mutually uncorrelated, and cryptographically strong injective S-boxes. The proposed scheme is characterized in terms of time complexity and the number of distinct S-boxes. Furthermore, rigorous analysis and comparison of the newly developed method with some of the existing methods are conducted. Experimental results reveal that the newly developed scheme can efficiently generate a large number of distinct, uncorrelated, and secure S-boxes when compared with some of the well-known existing schemes.


Introduction
A lot of advancements have been made in the field of computation methods in the past few decades. These advancements necessitate improvements in cryptosystems, since their security strength depends heavily on the available computational power. A cryptosystem is considered secure if it can create enough confusion/diffusion in the data [1]. Many well-known and commonly used cryptosystems, including the Data Encryption Standard (DES), the Advanced Encryption Standard (AES), the Twofish security system [2], the Blowfish cryptosystem [3], and the International Data Encryption Algorithm (IDEA) [4], use a substitution box (S-box) for data scrambling.
It is easy to observe that cryptosystems using a single S-box are unable to create enough confusion/diffusion in modern data with high correlation, such as digital images [5]. Therefore, many cryptographers have proposed the use of multiple S-boxes for the encryption of such data. An S-box generation technique is said to be good for the encryption of highly correlated data if it can efficiently generate a large number of secure and mutually uncorrelated S-boxes.
Many researchers have proposed different S-box generation schemes based on different mathematical structures. El-Ramly et al. [6] proposed an approach for the generation of strong S-boxes based on a Latin square. The length of the secret key used for these S-boxes is 128 bits. Wu et al. [7] proposed a Latin square doubly stochastic matrix to develop new S-boxes. Peng et al. [8] generated dynamic S-boxes using a spatiotemporal chaotic system. Radhakrishnan et al. [9] developed an analytical approach to generate S-boxes. Wang et al. [10] proposed an S-box using chaos theory. Alkhaldi et al. [11] constructed S-boxes using tangent delay for an ellipse cavity chaotic sequence and a particular permutation. The newly generated S-boxes have high resistance against linear and differential attacks. Khan and Azam [12] proposed a method for the construction of multiple S-boxes based on a group action and Gray codes. Similarly, Khan and Azam [13] presented another algorithm for the design of S-boxes based on affine and power mappings. It is shown computationally that all of the newly generated S-boxes have high security against modern attacks. However, each of these methods generates only 256 S-boxes.
Recently, elliptic curves (ECs) have received great attention in the field of cryptography. EC-based cryptosystems provide higher security with smaller key sizes than classical cryptosystems [14-18]. Jung et al. [19] characterized S-boxes over hyperelliptic curves. Hayat et al. [20,21] proposed different methods for the generation of an 8 × 8 S-box by using an elliptic curve (EC) over a prime field. Actually, the scheme in [21] is a generalization of the scheme in [20]. These techniques use -coordinates of the points on the EC followed by a modulo 256 operation. Although these schemes are capable of generating secure S-boxes, each has time complexity O(), where  is the underlying prime. Furthermore, the output of these algorithms is uncertain in the sense that they may or may not generate an S-box for a given choice of input parameters, and the output is independent of the underlying EC. Azam et al. [22] used some typical types of orderings on a class of Mordell elliptic curves (MECs) over a finite field to design an 8 × 8 S-box in constant time. All these schemes can generate at most one S-box for a given EC.
The aim of this paper is to propose a novel method to efficiently construct a large number of distinct, mutually uncorrelated, and cryptographically strong injective S-boxes for a given EC. The proposed scheme uses -coordinates of the points on an ordered EC isomorphic to the given ordered MEC. The remaining part of the paper is arranged as follows: Section 2 contains some definitions and concepts which are necessary to understand this paper. The proposed algorithm and its characterization are given in Section 3. A detailed analysis and comparison of the newly developed method are given in Section 4. A summary of the paper is given in Section 5.

Preliminaries
An EC is one of the fundamental concepts in the field of arithmetic geometry and has many applications in the applied sciences. For a field  and two integers ,  ∈  such that 4 3 + 27 2 ≠ 0, the elliptic curve  ,, over  is defined to be the set consisting of a symbol ∞ (the identity of  ,, ) and all points (, ) ∈  ×  satisfying the following cubic equation We call (3) ( − 1)/2, otherwise.
Let  F  ,, be an EC. A bound on the number # F  ,, of points on the EC  F  ,, can be computed using Hasse's theorem [24,25] Note that the bound is independent of the parameters  and . An EC  F  ,, over F  is said to be a Mordell elliptic curve (MEC) if  = 0. The following lemma describes the points on a special class of MECs.
We denote a MEC with  ≡ 2 (mod 3) simply by  , and call it an EC unless stated otherwise.
An  ×  substitution box (S-box) is a mapping from F 2  to F 2  . Henceforth, S-box stands for injective S-box.
Azam et al. [22] defined three typical orderings, namely natural N, diffusion D, and modulo diffusion M, on a given EC for the generation of S-boxes. The main idea behind these orderings is the arrangement of the points with the same -coordinates. For the points ( 1 ,  1 ), ( 2 ,  2 ) on a given EC  , , either  1 <  2 ; or  1 =  2 , and  1 <  2 ; (4) and  1 <  2 ; (5) The natural ordering is the lexicographical order, defined so that the points with the same -coordinates appear consecutively, while the diffusion and modulo diffusion orderings diffuse the points with the same -coordinates. The effect of these three orderings on the points of  11,1 is shown in Table 1.

The Proposed Scheme and Its Characterization
In this section, we present a simple and efficient method to generate a large number of distinct, mutually uncorrelated, and secure injective × S-boxes based on the -coordinates of an EC for the encryption of highly correlated data. The proposed method takes as input integers 0 <  ≤ , a prime  ≥ 2  , two non-negative integers  and   , a positive integer  such that ,   ,  ≤  − 1 and  6 ≡   (mod ), and a total order ≺ on the EC  , . The output of the method is an injective S-box  ,,≺ ,, over the EC  ,  isomorphic to  , . The algorithm generates  ,,≺ ,, by choosing the 2  coordinates, with values less than 2  , of the first 2  points on the EC  ,  with respect to the induced ordering ≺  . Mathematically,  ,,≺ ,, can be expressed as where Note that the condition  ≥ 2  is imposed so that the underlying EC has at least 2  points. Remark 3. By Lemma 2, the proposed method always outputs an S-box for every choice of input parameters.
Thus, by group-theoretic arguments we have where ( 3 ) −1 and  −1 are the multiplicative inverses of  3 and  in the field F  , respectively. Assuming that  is not a very large number,  −1 can be computed using the extended Euclidean algorithm in time O(log ). Therefore, finding   for each  and using them in the equation  2 ≡  3 +  (mod ), we can easily compute the set  in O(2  ). The sorting operation on  can be performed in time complexity O(2  ⋅ ). Hence,  ,,≺ ,, can be computed in O(2 We describe an efficient algorithm for the generation of the proposed S-boxes based on Lemma 4 in Algorithm 1.
Let  , be an EC with ordering ≺ and integers 0 <  ≤  such that 2  ≤ . We denote by # ,,≺ ,, the number of distinct  ×  S-boxes generated by all ECs isomorphic to  , using the proposed method. In Lemma 5, we derive an upper bound on the number # ,,≺ ,, .
Proof. We know that in a MEC,  ≠ 0. Also  ≡ 2 (mod 3), therefore 3 and 6 are not divisors of  − 1. Thus, by a group-theoretic argument, F  \ {0} does not have an element of order 6. So by Lemma 1(iii), the number of ECs isomorphic to  , is ( − 1)/2, and hence the proposed algorithm can generate at most ( − 1)/2 distinct S-boxes using  , .
Next, we prove a sufficient condition on  so that the number # ,, ,, of S-boxes generated by the natural ordering  equals the upper bound given in Lemma 5. Lemma 6. For an integer  such that 2  ≥ ( + 1)/2, # ,, ,, is ( − 1)/2.
Proof. Without loss of generality, we assume that the points on  , are arranged in non-decreasing order with respect to the ordering N and that (  ,   ) denotes its -th element. Note that, for a positive integer  such that  ≤ 2  − 1, ( − 1)/2 and   ∈ [1,  − 1], exactly one of the values ±   3 is greater than ( − 1)/2, since their -coordinates are the same on the EC  , 6 . Thus, from the condition 2  ≥ ( − 1)/2 it follows that  ,, ,, () = min{   3 , −   3 }. The proof is complete if we show that, for some  and any  1 , But, We show a contradiction for the case (13); similar arguments prove the case (14).
Based on the computational results, we propose a stronger version of Lemma 6 which is independent of the underlying ordering on the EC  , . However, we were not able to prove it rigorously.
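The generation procedure of this section and the count of Lemmas 5 and 6, as an added Python example that is not the paper's own code or its Algorithm 1. It assumes the following reading of the scheme, since the symbols are not legible here: the natural ordering N is lexicographic in (x, y) and ignores the point at infinity; the S-box keeps the points of the isomorphic curve E_{p, b t^6} whose y-coordinate is below 2^n and outputs the y-coordinates of the first 2^m of them; and the unique x for each y is found by the cube root exponent (2p − 1)/3, which is valid because p ≡ 2 (mod 3). Other orderings can be supplied through the `order` callable.

```python
"""Injective m x n S-boxes from the ordered Mordell curve E_{p,b}: y^2 = x^3 + b
over F_p with p = 2 (mod 3), and from the curves E_{p, b t^6} isomorphic to it.
Assumed reading of the scheme: the natural ordering N is lexicographic in
(x, y) and ignores the point at infinity; the S-box keeps the points of
E_{p, b t^6} whose y-coordinate is below 2^n and outputs the y-coordinates of
the first 2^m of them (this is an illustration, not the paper's Algorithm 1)."""

def cube_root(z, p):
    """For p = 2 (mod 3) cubing is a bijection on F_p, so the cube root of z is
    z^((2p-1)/3): one modular exponentiation, the 'x for each y' step of Lemma 4."""
    return pow(z, (2 * p - 1) // 3, p)

def mec_points(p, b):
    """All affine points of y^2 = x^3 + b over F_p. Exactly one x exists for every
    y, so the curve has p affine points and every y in F_p occurs exactly once;
    that is what makes the S-box injective."""
    assert p % 3 == 2 and b % p != 0, "need p = 2 (mod 3) and b != 0"
    return [(cube_root((y * y - b) % p, p), y) for y in range(p)]

def natural_order(points):
    """Ordering N: by x, then by y, so points sharing an x are consecutive."""
    return sorted(points)

def sbox(p, b, t, m, n, order=natural_order):
    """m x n injective S-box on E_{p, b t^6} (isomorphism parameter t).
    Returns S[0..2^m-1]; each entry is a y-coordinate below 2^n."""
    assert 0 < m <= n and p >= 2 ** n and 1 <= t <= p - 1
    b_iso = (pow(t, 6, p) * b) % p                       # E_{p,b} ~ E_{p, b t^6}
    kept = [y for (_, y) in order(mec_points(p, b_iso)) if y < 2 ** n]
    box = kept[: 2 ** m]                                 # first 2^m ordered points
    assert len(box) == 2 ** m and len(set(box)) == 2 ** m  # injective
    return box

def distinct_sboxes(p, b, m, n, order=natural_order):
    """S-boxes over all t. Lemma 5 bounds the count by (p-1)/2: t and -t give
    the same curve b t^6, and t^6 takes only (p-1)/2 values when p = 2 (mod 3)."""
    return {tuple(sbox(p, b, t, m, n, order)) for t in range(1, p)}

def fixed_points(box):
    """Number of i with S(i) = i (the fixed-point test of Section 4)."""
    return sum(1 for i, v in enumerate(box) if i == v)

if __name__ == "__main__":
    # E_{11,1} from Table 1 gives 3 x 3 S-boxes (2^3 = 8 <= 11).
    for t in range(1, 11):
        print(t, sbox(11, 1, t, 3, 3))
    print(len(distinct_sboxes(11, 1, 3, 3)), "distinct; bound", (11 - 1) // 2)
    # 8 x 8 S-boxes over p = 257 (2^8 = 256 <= 257), the size the paper analyses.
    boxes = distinct_sboxes(257, 1, 8, 8)
    print(len(boxes), "distinct 8 x 8 S-boxes; bound", (257 - 1) // 2)
```

For E_{11,1} the five isomorphic curves b t^6 ∈ {1, 9, 3, 4, 5} yield five distinct 3 × 3 S-boxes, which matches (p − 1)/2 as Lemma 6 predicts for 2^3 ≥ (11 + 1)/2.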

Analysis and Comparison of the Proposed Method
A rigorous analysis of the proposed method is performed in this section. We used 8 × 8 S-boxes generated by the natural ordering N, diffusion ordering D, and modulo diffusion ordering M for the analysis, since they are most commonly used in modern cryptosystems.

Linear Attacks.
For a secure S-box it is necessary to have high security against linear cryptanalysis. The security of an  ×  S-box  against linear attacks is quantified by computing its linear approximation probability LAP(), nonlinearity NL(), and algebraic complexity AC().
The linear approximation probability LAP() approximates  by measuring the coincidence between input and output bits. For ,  ∈ (2  ) \ {0}, the mathematical expression of LAP() is where "⋅" is the dot product over  (2).
The algebraic complexity AC() is the number of non-zero coefficients in the linear polynomial [35] representation of .
An S-box  is said to be highly secure against linear attacks if its LAP() is small, while NL() and AC() are large. The LAP, NL, and AC of the listed S-boxes are presented in Table 5.
It is clear from the table that the LAP of the proposed S-boxes is low, while their NL and AC are high enough to resist linear attacks efficiently. Note that the average LAP of the proposed S-boxes is 0.1445, which is less than that of the S-boxes in [21,22,27,31], while their average NL and AC are 106 and 254, which are higher than those of [20,26,27,29,31-33] and [28,30,31], respectively. This implies that the proposed method is capable of generating S-boxes with higher security against linear attacks than some of the listed S-boxes.

Differential Attacks.
In these attacks, the S-box  is approximated by understanding the effect of input differentials on the outputs. The differential approximation probability DAP() of  is a well-known measure of its resistance against differential attacks. It is computed by finding the coincidence between the difference of the outputs and inputs differing by some value. For  in ,  out ∈ (2  ), The smaller DAP() is, the higher the resistance of  against differential attacks. The results of this test for the listed S-boxes are given in Table 5. The DAP of the newly generated S-boxes is 0.0391, while the DAP of the S-boxes in [20-22, 26-28, 31-34] is at least 0.0391. Thus it follows that S-boxes based on the presented technique have higher resistance against differential attacks than the listed S-boxes.

Analysis of Boolean Functions.
It is essential for a secure S-box to create confusion/diffusion in the data up to a certain  An S-box satisfies the SAC and the BIC if all non-zero entries of   and   are close to 0.5. The results of these tests are reported by listing the maximum and minimum non-zero values of their matrices in Table 5. For the newly constructed S-boxes, the averages of the maximum and minimum values are 0.5963 and 0.4114 for the SAC and 0.52895 and 0.4694 for the BIC. This implies that the entries of   and   approach the optimal value 0.5. Hence, it is evident from the experiments that the proposed S-box design method is capable of generating cryptographically secure S-boxes.

Statistical Analysis.
Statistical analyses are performed on the proposed scheme to quantify its efficiency for the generation of dynamical S-boxes for the encryption of highly correlated data.

Distinct S-Boxes.
An S-box generation technique is said to be good for the generation of dynamical S-boxes and highly resistant to brute force attacks if it can generate a large number of distinct S-boxes. For a given prime  and for each EC  , , we have generated all distinct S-boxes by using all ECs isomorphic to  , . The number of distinct S-boxes for some primes is listed in Table 6.
Note that, with an increase in the value of , the number of S-boxes generated by the proposed method also increases. Thus, by choosing a large prime, the proposed method can generate a large number of dynamic S-boxes, and therefore it can easily resist brute force attacks. For comparison, the maximum possible number of S-boxes that can be generated by the other schemes [20-22] over an EC is also listed in Table 6. It is evident from Table 6 that the proposed method is more suitable for the generation of dynamic S-boxes than the listed schemes.

Correlation Test.
An S-box design technique is good for the encryption of highly correlated data if its S-boxes can generate enough confusion/diffusion in the data. The confusion/diffusion creation capability of an S-box scheme can be evaluated by computing the correlation coefficient (CC) and the number of fixed points in its S-boxes. The CCs of distinct S-boxes for some values of  and  are shown in Figure 1. For each listed  and , the S-boxes are indexed in increasing order with respect to their isomorphism parameter .
The average CCs between the S-boxes in Figures 1(a)-1(d) are 0.0085, 0.0026, 0.0015, and 0.00034, respectively, which are very close to 0. Therefore, the newly generated S-boxes are highly uncorrelated. Furthermore, we have calculated the average number of fixed points in all S-boxes for the primes used in Table 6. The results are shown in Table 7.
Experimental results show that the average number of fixed points in the S-boxes generated by the proposed method is at most 1 (rounding to the nearest integer). Hence, by the correlation test and the fixed point test, it is evident that the proposed S-box design technique is capable of generating high confusion/diffusion in highly correlated data.

Complexity Analysis.
It is necessary for a good S-box design scheme to generate secure S-boxes efficiently. By Lemma 4, the time complexity of the proposed method for the generation of an 8 × 8 S-box is O(log ), where  is the underlying prime. A comparison of the time complexity of different S-box schemes over ECs is given in Table 8. It is evident from the comparison that the proposed S-box generation method is more efficient than the techniques in [20,21].

Conclusion
An efficient method for the generation of a large number of distinct, uncorrelated, and cryptographically secure injective  ×  multiple S-boxes is presented in this paper. The proposed scheme uses an elliptic curve (EC) isomorphic to a given ordered Mordell elliptic curve (MEC)  , over F  , where  ≡ 2 (mod 3). It is proved that the proposed method can be implemented efficiently in O(2  ⋅ log  + log ). An upper bound is derived on the number of S-boxes generated by the proposed method for the EC  , . It is also shown that the upper bound is achieved for the natural ordering if 2  ≥ ( + 1)/2. Furthermore, a detailed security analysis and comparison of the proposed method with some of the existing schemes are conducted. Experimental results reveal that the newly developed method can efficiently generate cryptographically secure, dynamic, and uncorrelated S-boxes. Hence, the proposed method is secure for the encryption of highly correlated data.
, , and  the elliptic curve parameters of the EC  ,, . Two ECs  ,, and  ,  ,  over the field  are isomorphic if and only if there exists an integer  ∈  \ {0} such that  4 =   and  6 =   . We call  the isomorphism parameter between  ,, and  ,  ,  . In this setting, the isomorphism maps (, ) ∈  ,, onto ( 2 ,  3 ) ∈  ,  ,  . It is easy to observe that isomorphism is an equivalence relation on the family of all ECs over the field . Let  be a prime. It is well known that for a prime  there exists a unique finite field F  , up to field isomorphism, with exactly  elements. Note that the arithmetic operations over F  are performed modulo  (mod ). There are in total  2 −  ECs over the field F  .

Table 5 :
Comparison of the cryptographic properties of some of the newly generated S-boxes with some of the existing S-boxes.

be -th Boolean function of  and   ∈ (2  ) with weight (  ) = 1. The SAC of  is implemented by computing the matrix   = [  ]  ( ⊕   ) ⊕   () ⊕   ( +   ) ⊕   ())) .

Table 6 :
Comparison of the number of all distinct 8 × 8 S-boxes generated by the proposed method and some of the existing methods over ECs for some primes.

Table 7 :
Comparison of the average number of the fixed points over all distinct 8 × 8 S-boxes for some primes.

Table 8 :
Comparison of time complexity of different S-box schemes over ECs.