A Novel Method to Design S-Boxes Based on Key-Dependent Permutation Schemes and its Quality Analysis

S-boxes are used in block ciphers as the important nonlinear components. The nonlinearity provides important protection against linear and differential cryptanalysis. The Sboxes used in encryption process could be chosen to be keydependent. In this paper, we have presented four simple algorithms for generation key-dependent S-boxes. For quality analysis of the key-dependent S-boxes, we have proposed eight distance metrics. We have assumed the Matlab function “randperm” as standard of permutation and compared it with permutation possibilities of the proposed algorithms. In the second section we describe four algorithms, which generate keydependent S-boxes. In the third section we analyze eight normalized distance metrics which we have used for evaluation of the quality of the key-dependent generation algorithms. Afterwards, we experimentally investigate the quality of the generated key-dependent S-boxes. Comparison results show that the key-dependent S-boxes have good quality and may be applied in cipher systems. Keywords—data encryption; substitution boxes; generation algorithms; distance metrics; quality analysis


INTRODUCTION
Cryptographic objects are private key algorithms, public key algorithms and pseudorandom generators.Block ciphers usually transform the 128 or 256 bits string of the plaintext to a string of the same length cipher text under control of the secret key.The private key cryptography, such as DES [1], 3DES, and Advanced Encryption Standard (AES) [2], uses the same key for the sender and for the receiver to encrypt the plaintext and to decrypt the ciphertext.The private key cryptography is more suitable for the encryption of a large amount of data.The public key cryptography, such as the Rivest-Shamir-Adleman algorithm defined by the National Institute of Standards and Technology of the Unite (RSA) or Elliptic Curve algorithms, uses different keys for encryption and decryption.The AES has been accepted to replace DES.AES overpasses DES in an improved security because of larger key sizes.AES is suitable for 8 bit microprocessor platforms and 32 bit processors [3].
The essential part of every block cipher is an S-box.To secure the cipher against attacks, the nonlinearity of the S-box should have a maximum nonlinearity, and the difference propagation probability should be minimum.Substitution is a nonlinear transformation that performs confusion of bits.A nonlinear transformation is important for every encryption algorithm and it is proved to be a strong cryptographic method against the linear and differential cryptanalysis.Nonlinear transformations are implemented as lookup tables (S-boxes).An S-box with p input bits and q output bits is denoted as p  q.The DES uses eight 6  4 S-boxes.S-boxes are designed for software implementation on 8-bit processors.The block ciphers with 8 8 S-boxes are SAFER, SHARK, and AES.For processors with 32-bit or 64-bit words, S-boxes with more output bits provide a high efficiency.The Snefru, Blowfish, CAST, and SQUARE use 8  32 S-boxes.The S- boxes can be selected at random as it is in Snefru, and can be computed using a chaotic map, or have some mathematical structure over a finite Galois field.Examples of the last approach are SAFER, SHARK, and AES.Key-dependent Sboxes are slower, but more secure than the key independent Sboxes [4].The use of the key independent chaotic S-boxes are analyzed in [5], in which the S-box is constructed with a transformation F((X+K) modM), where K is the key [6].
There are two ways to fight against the linear and differential cryptanalysis.The first one is to create S-boxes with low linear and differential probabilities.The other is to design the round transformation so that only trails with many active S-boxes would occur.The round transformation must be designed in such a way that differential steps with few active S-boxes would be followed by differential steps with many active S-boxes [6].
Two general principles of block ciphers are confusion and diffusion.Confusion is transformation that changes the dependence of the statistics of the cipher text on the statistics of the plaintext.Diffusion is spreading of the influence of one plaintext bit to many cipher text bits with the purpose to hide the statistical structure of the plaintext.In most cipher systems the confusion and diffusion are achieved by means of round repetition.Repeating a single round contributes to the cipher's simplicity [6].Modern block ciphers consist of four transformations: substitution, permutation, mixing, and keyadding [7], [8].
Block cipher systems depend on the S-boxes, which are fixed and have no relation with the secret key.So only a changeable parameter is the secret key.The only nonlinear www.ijacsa.thesai.orgcomponent of AES is S-boxes, so they are an important source of cryptographic strength.Research of the S-box design has focused on determination of S-box properties which yield cryptographically strong ciphers, with the aim of selecting a small number of good S-boxes for use in a block cipher DES and CAST [8].Some results have demonstrated that a randomly chosen S-box of sufficient size will have several of these desirable properties with a high probability [9].In [10] a dynamic AES-128 with a key-dependent S-box is designed and implemented.The paper of [11] presents a new AES-like design for key-dependent AES using the S-box rotation method.An approach for designing a key-dependent S-box defined over ) 2 ( 4 GF in AES is presented in [12].A keydependent S-box of AES algorithm using a variable mapping technique is analyzed in [13].A key-dependent S-box generation algorithm in AES block cipher system is proposed in the paper [14].Hamdy et al. [15] have proposed a customized version of the AES block cipher in which the keydependent S-box generation algorithm is used.In the paper Hosseinkhany et al. the dynamic S-box is generated in the AES cipher system using the secret key [16].Other systems, using key-dependent S-boxes were proposed in the past, the most well-known of which is Blowfish [7] and Khufu [17].Each of these two systems uses the cryptosystem itself to generate the S-boxes.In [19] for generation S-boxes an algorithm based on chaotic map and composition method is used.In [20] a method for the construction of block ciphers with multi-chaotic systems is proposed.In the paper of D. Lambic the security analysis and improvement of a block cipher with dynamic S-boxes based on tent map is analyzed [21].In the paper of Ozkaynak et al., is done analysis of a novel image fusion encryption algorithm based on DNA sequence operation and hyper-chaotic system [22].This paper outlines the work of the authors' investigation into the design of a new pseudo-randomly generated keydependent S-boxes.We have presented four simple algorithms for generation key-dependent S-boxes.For quality analysis of the key-dependent S-boxes, we have proposed to use eight distance metrics.Modeling results show, that the proposed algorithms have a good cryptographic strength, with an additional benefit that the algorithms are resistant to the linear and differential cryptanalysis, which require that the S-boxes be known.In the second section, we analyze four algorithms for generation of key-dependent S-boxes.In the third section we propose eight distance metrics for evaluation of the quality of key-dependent S-boxes.Afterwards, we discuss the experimental results and give conclusions.

II. ALGORITHMS FOR GENERATION KEY-DEPENDENT S-BOXES
In this section we analyze four algorithms for generation of key-dependent S-boxes Sboxm.These algorithms use some key-dependent permutations of the elements of the initial substitution box Sbox to get key-dependent substitution box Sboxm.Algorithm 1 was proposed in the paper [18].
The initial substitution box Sbox may be the AES substitution box (table) or the ordered numbers 0,1,…,255, or these numbers mixed in any order.In all these cases the sender and the receiver must know these initial S-boxes.We assume that the S-boxes are rearranged according to the rows to the 256-size vectors, i.e., the initial substitution box Sbox(i), i = 0,1,…,255 and the key-dependent substitution box Sboxm(i), i = 0,1,…,255 are 256-size vectors of the different integer numbers (bytes) from the interval [0, 255].The indexes i of these vectors are also the integer numbers (bytes) from the interval [0, 255].In the encryption process, the indexes i of the vector Sbox (or Sboxm) are replaced by the corresponding values Sbox(i), (or Sboxm(i)).In the decryption process, the values of the vector Sbox(i), (or Sboxm(i)) are replaced by the corresponding indexes of the vector Sbox (or Sboxm).

Compute the initial value j, which depends on all the secret key's values key
for all i = 0,1,…,255 do 2. Compute the index j which depends on the values of the initial substitution box Sbox and on the values of the secret key key: The secret key key(i), i = 1,…, l is the vector of l integer numbers (bytes) from the interval [0, 255].

Replace the values Sbox(i) by the values Sbox(j), and the values Sbox(j) by the values Sbox(i):
The initial substitution box Sbox is (16x16)-size matrix of the different integer numbers (bytes) from the interval [0, 255].

III. DISTANCE METRICS FOR EVALUATION OF THE QUALITY
OF S-BOXES We introduce several distance metrics that are able to calculate a distance between the given initial S-box Sbox and the key-dependent S-box Sboxm.We assume that the S-boxes are rearranged according to the rows to the N-size vectors.The key-dependent S-box Sboxm is key-dependent permutations without repetition of a given set of N integer elements of the initial box Sbox.The initial S-box Sbox and the key-dependent S-box Sboxm have the same length.For AES S-box N = 256.The i-th integer element of S-box is represented as Sbox(i).
We have normalized all distances between the S-boxes.The smaller the value of the normalized distance, the more similar are the Sbox and Sboxm, and vice versa.For example, the normalized distance between Sbox and Sbox is equal to 0. For convenience, in this chapter we use indexes of S-boxes from 1 to N instead of from 0 until N-1.
1) The Hamming distance.The Hamming (H) distance between two S-boxes of equal length is defined as a number of not equal elements in the same positions in the initial S-box Sbox and in the key-dependent S-box Sboxm 2) Spearman's distance.Spearman's (S) distance is an absolute distance between two rank vectors , ( (3) S distance is the summation of the absolute differences between two ranks of all equal elements from Sbox and Sboxm.S distance is similar to the Manhattan distance that used for quantitative variables.The mean of the S distance is equal to 3 / 2

N
. , for even N. (4) 3) Squared Spearman's distance.The squared Spearman's (SS) distance assigns a larger distance when deviations between equal elements of two S-boxes are larger.It is defined as follows: The mean of the SS distance is equal to 3 / 3

N
. The maximal SS distance is equal to 3 . The normalized SS distance is defined as The SS distance is similar to Spearman's rank correlation coefficient, a metric often used in statistics to calculate the correlation between two rankings.
4) The T distance.The T distance is the number of transpositions required to transform Sbox into Sboxm.
5) Kendall distance.The Kendall (K) distance is given by This distance is equal to the number of pair-wise adjacent permutations required to transform Sbox into Sboxm.The mean of the The normalized K distance lies in the interval [0,1].For example, the normalized K distance 0.3 indicates that 30 % of the pairs of S-boxes elements differ in ordering between Sbox and Sboxm.

6) Correlation coefficient distance. We introduce the correlation (C) coefficient distance as follows: normalize
and define the correlation coefficient of Sboxm elements as where mean is the arithmetic mean, std is the standard deviation, corr(  ) is the correlation function of y.We assume, that corr(0) = 0.The maximal value of the correlation coefficient is N-1.We define the normalized correlation coefficient distance as follows: Pearson's correlation coefficient distance between initial S-box Sbox and key-dependent S-box Sboxm can be rescaled to a distance measure of range [0 -1] by: The Pearson's correlation coefficient distance between two S-boxes P d = 1 if correlation coefficient r is equal to zero and P d = 0 if correlation coefficient r is equal to . 1  8) The longest common subsequence distance.The length of the longest common subsequence (LCS) is a measure of the similarity between Sbox and Sboxm.The minimum length of the LCS is equal to one and the maximum is equal to N. We define the LCS distance LCS d (Sbox, Sboxm) as N minus the length of the longest common subsequence.The LCS distance lies between 0 and N-1.The normalized longest common subsequence distance LCS d is defined as

IV. EXPERIMENTAL RESULTS AND DISCUSSION
A. Experiment 1 Consider the 128 bit length secret key in hexadecimal form: key = {CA, 6A, C5, 21, 5B, 46, 50, 3D, 98, 19, F0, 72, 6D, 41, 43, C7}.(17) We have generated the key-dependent S-box Sboxm using Algorithm 2 and key (17).The initial S-box Sbox is the AES S-box (Table I).The key-dependent S-box Sboxm is given in Table II.We have assumed that S-boxes are rearranged www.ijacsa.thesai.orgaccording to the rows to the 256-size vectors, i.e., the initial substitution box Sbox(i), i = 0,1,…,255 and the keydependent substitution box Sboxm(i), i = 0,1,…,255 are 256size vectors of the different integer numbers from the interval [0, 255].Thus, AES S-box (Table I) is the 256-size vector in hexadecimal form: {63, 7C,…,76; CA, 82,…,C0; … ; 8C, A1,…,16} and the permuted key-dependent S-box Sboxm (Table II) is the 256-size vector {56, D6,…, 6A; 45, DD,…, CC;…; C5, 52,…, 47}.Using eight metrics, we have calculated normalized distances between these two vectors.The normalized distances between initial AES S-box Sbox and the key-dependent S-boxes Sboxm are given in Table III.In the row "Algorithm2" of the Table III we have used algorithm A2 for key-dependent permutation of the AES S-box, while in the row "randperm" of the Table III we have used Matlab function "randperm" for permutation of the AES S-box.From Table III we can see that all distances between the Sbox and Sboxm for algorithm "randperm" and for algorithm A2 are similar.It follows that the proposed algorithm A2 permutes the bytes of the AES S-box no worse than the Matlab function "randperm".It confirms the good quality of the proposed keydependent permutation algorithm A2.

B. Experiment 2
In order to evaluate the performance of our four algorithms, we have generated initial S-box Sboxordered integer numbers {0,1,…,255}.Then, using Matlab function "randperm" and Algorithms A1 -A4, we have calculated randomly permuted integer numbers (bytes) without repetition, i.e. key-dependent S-boxes Sboxm.After, we have evaluated eight normalized distances between initial Sbox and generated key-dependent S-boxes Sboxm for function "randperm" and for A1 -A4 algorithms.Such experiments we have repeated 1000 times with different randomly generated keys and have calculated the means and standard deviations of these normalized distances.We have used 128bit length 1000 random keys, which we have generated using Matlab function "randperm".We have assumed the Matlab function "randperm" as standard of permutation of the integer numbers.Hence, we could evaluate the performance of our four algorithms comparing the averaged normalized distances i d (i =1,…,8) of the function "randperm" with the averaged normalized distances ) ( j i d (i = 1,…,8; j = 1,…,4) of the proposed four algorithms using the measure (18) % 100 8 in which i d is the normalized mean of i-th distance between initial Sbox and Sboxm in case we have used for permutation of the initial S-box "randperm" function; ) ( j i d is the normalized mean of i-th distance between initial Sbox and key-dependent Sboxm in case we have used for permutation of the initial S-box j-th algorithm.

V. CONCLUSIONS
This paper proposes a new simple algorithms to generate key-dependent S-boxes.The generated key-dependent S-boxes can be used in block ciphers such as AES cipher.We suggest for testing key-dependent S-boxes to apply eight distance metrics.The results of the experiments and tests show that the new generated S-boxes are truly random.Using our algorithms, we can get 256! different substitution values instead of 256 values as it is in AES S-box.It increases the encryption complexity and aggravate the cryptanalysis process.It was established that for any changing secret key, the structure of the key-dependent S-boxes are changing essentially.Also it was shown that this is achieved with negligible time delay.For example, if we use algorithm A1, 1000 S-boxes were generated during 0.0940 sec.These algorithms will increase the security of the cipher systems.As compared with algorithm in the paper [14], these algorithms generate S-boxes about eight times faster.For measure of the quality of the permuted S-boxes we have proposed to use eight distance metrics.The distances between initial S-boxes and key-dependent S-boxes of our algorithms we have compared with appropriate distances of the Matlab function "randperm".We have assumed this function as standard of permutation of the integer numbers (bytes) of S-boxes.Also it was found that the proposed new correlation distance metric c d as compared with Pearson distance metric P d is about eight times more accurate.
The result is the intermediate substitution box Sbox 1 .In that case, the initial substitution box Sbox is the input of the Algorithm 1.The output of the Algorithm 1 is the intermediate substitution box Sboxm1.The input of the Algorithm 2 is the intermediate substitution box Sboxm1.Finally, the output of the Algorithm 2 is the output of Algorithm 3, i.e., Sboxm.Algorithm 4 is a mixed version of Algorithm 2 and Algorithm 1.In that case, the initial substitution box Sbox is the input of the Algorithm 2. The output of the Algorithm 2 is the intermediate substitution box Sboxm2.The input of the Algorithm 1 is the intermediate substitution box Sboxm2.

TABLE II .
(17)DEPENDENT S-BOX SBOXM.GENERATION ALGORITHM IS A2.INITIAL S-BOX IS AES S-BOX.SECRET KEY IS AS IN(17)

TABLE V .
GENERATION TIME OF 1000 KEY-DEPENDENT S-BOXES S-BOXM WITH COMPUTER AMD ATHLON-X2, 2.59 MHZ