This section mainly deals with the structure of our S-box. Before we discuss the constituent algorithm, we need to go through some fundamental facts.
A function \(f: {\mathbb {F}}_{2}^{n}\rightarrow {\mathbb {F}}_{2}\) is called a Boolean function. We define a vectorial Boolean function
\(F: {\mathbb {F}}_{2}^{n}\rightarrow {\mathbb {F}}_{2}^{m}\) as
$$\begin{aligned} F(x)=(f_{1}(x),\,f_{2}(x),\ldots ,f_{m}(x)), \end{aligned}$$
where \(x=(x_{1},\, x_{2},\ldots ,x_{n})\in {\mathbb {F}}_{2}^{n}\) and each \(f_{i}\), \(1\le i\le m\), is a Boolean function referred to as a coordinate Boolean function. An \(n \times n\) S-box is precisely defined as a vectorial Boolean function \(S: {\mathbb {F}}_{2}^{n}\rightarrow {\mathbb {F}}_{2}^{n}\).
At this stage, it is useful to understand the structural properties of the Galois field used to construct an S-box. Generally, for any prime p, the Galois field \(GF(p^{n})\) is given by the factor ring \({\mathbb {F}}_{p}[X]/ <\eta (x)>\), where \(\eta (x)\in {\mathbb {F}}_{p}[X]\) is an irreducible polynomial of degree n.
For an \(8 \times 8\) S-box, we use \(GF(2^{8})\). In the Advanced Encryption Standard (AES), the construction of \(GF(2^{8})\) is based on the degree 8 irreducible polynomial \(\eta (x)=x^{8}+x^{4}+x^{3}+x+1\). In Hussain et al. (2013b), \(\eta (x)=x^{8}+x^{4}+x^{3}+x^{2}+x+1\) is used as the generating polynomial. Here we choose \(\eta (x)=x^{8}+x^{6}+x^{5}+x^{4}+1\) as the irreducible polynomial that generates the maximal ideal \(<\eta (x)>\) of the principal ideal domain \({\mathbb {F}}_{2}[X]\). It is important to note that we may choose any degree 8 irreducible polynomial for constructing \(GF(2^{8})\); however, the choice of generating polynomial may affect our calculations, as the binary operations are carried out modulo the chosen polynomial (see Benvenuto 2012 for details).
Generally, the construction of an S-box requires a nonlinear bijective map. In the literature, many algorithms based on such maps or their compositions are presented to synthesize cryptographically strong S-boxes. We present the construction of an S-box based on an invertible nonlinear map known as the fractional linear transformation. It is a function of the form \(\frac{az+b}{cz+d}\), generally defined on the complex plane \({\mathbb {C}}\), such that a, b, c and \(d \in {\mathbb {C}}\) satisfy the non-degeneracy condition \(ad-bc\ne 0\). The set of these transformations forms a group under composition. The identity element in this group is the identity map, and the inverse \(\frac{dz-b}{-cz+a}\) of \(\frac{az+b}{cz+d}\) is assured by the condition \(ad-bc\ne 0\). One can easily observe that the algebraic expression of this map has a combined effect of inversion, dilation, rotation and translation. The nonlinearity and algebraic complexity of the fractional linear transformation motivate the idea of employing this map for byte substitution.
For the proposed S-box we apply the fractional linear transformation g on the Galois field discussed above, i.e. \(g:GF(2^{8})\rightarrow GF(2^{8})\) given by \(g(t)=\frac{at+b}{ct+d}\), where \(a,\, b,\, c\) and \(d\in GF(2^{8})\) are such that \(ad-bc\ne 0\) and t ranges over the elements 0 to 255 of \(GF(2^{8})\). We may choose any values for the parameters a, b, c and d that satisfy the condition \(ad-bc\ne 0\). Here, for calculations, we take \(a=29=00011101,\, b=15=00001111,\,c=8=00001000\) and \(d=9=00001001\). One may observe that, as we are working on a finite field, g(t) needs to be explicitly defined at \(t=47\) (at which the denominator vanishes), so in order to keep g bijective we may define the transformation as given below:
$$\begin{aligned} g(t): {\left\{ \begin{array}{ll} \frac{29t+15}{8t+9};&{}\quad t\ne 47\\ 149;&{}\quad t=47 \end{array}\right. } \end{aligned}$$
Following the binary operations defined on the Galois field (Benvenuto 2012), we calculate the images of g as shown in Table 1.
Thus the images of the above defined transformation yield the elements of the proposed S-box (see Table 2).
It is important to mention that an \(8 \times 8\) S-box has 8 constituent Boolean functions. A Boolean function f is balanced if \(\{x|f(x)=0\}\) and \(\{x|f(x)=1\}\) have the same cardinality, i.e. the Hamming weight HW\((f)=2^{n-1}\). The significance of the balance property is that the higher the magnitude of a function’s imbalance, the greater the likelihood of a high-probability linear approximation being obtained. Thus, imbalance makes a Boolean function weak in terms of linear cryptanalysis. Furthermore, a function with a large imbalance can easily be approximated by a constant function. All the Boolean functions \(f_{i},\,1 \le i \le 8\), involved in the S-box as shown in Table 2 satisfy the balance property. Hence, the proposed S-box is balanced. It might be of interest that, in order to choose feasible parameters leading to balanced S-boxes satisfying all other desirable properties (as discussed in the next section), one can use constraint programming, a problem-solving strategy which characterises the problem as a set of constraints over a set of variables (Kellen 2014; Ramamoorthy et al. 2011).
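The construction of g and the balance claim above can be reproduced directly. The following Python sketch is an added example, not code from the paper: it encodes \(\eta (x)\) as the bit mask 0x171 and, going slightly beyond the text, assigns the pole the value a/c (the one value g never takes elsewhere) instead of hard-coding 149, so it also works for other parameter choices. All function names are this example's own.

```python
# Added example: rebuild the S-box from the page's parameters and check its claims.
ETA = 0x171                # eta(x) = x^8 + x^6 + x^5 + x^4 + 1 as a bit mask
A, B, C, D = 29, 15, 8, 9  # parameters a, b, c, d from the text

def gf_mul(x, y, mod=ETA):
    """Multiply two elements of GF(2^8) = F_2[X]/<eta(x)> (carry-less, reduced)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:      # degree reached 8: subtract (XOR) eta(x)
            x ^= mod
    return r

def gf_inv(x):
    """Inverse of a non-zero element, computed as x^(2^8 - 2) = x^254."""
    if x == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def build_sbox(a=A, b=B, c=C, d=D):
    """S[t] = (a*t + b)/(c*t + d); the pole t = d/c is mapped to a/c."""
    if gf_mul(a, d) ^ gf_mul(b, c) == 0:   # ad - bc, subtraction is XOR
        raise ValueError("ad - bc = 0: transformation is degenerate")
    sbox = []
    for t in range(256):
        den = gf_mul(c, t) ^ d
        if den == 0:                       # only reachable when c != 0
            sbox.append(gf_mul(a, gf_inv(c)))
        else:
            sbox.append(gf_mul(gf_mul(a, t) ^ b, gf_inv(den)))
    return sbox

def coordinate_weights(sbox):
    """Hamming weight of each coordinate Boolean function (one per output bit)."""
    return [sum((y >> bit) & 1 for y in sbox) for bit in range(8)]

if __name__ == "__main__":
    S = build_sbox()
    print("pole:", [t for t in range(256) if gf_mul(C, t) == D], "S[47] =", S[47])
    print("bijective:", sorted(S) == list(range(256)), "weights:", coordinate_weights(S))
```

Because S is a bijection on 256 values, each output bit equals 1 for exactly 128 inputs, so balance of the coordinate functions follows from bijectivity alone.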
An S-box is used to convert the plain data into the encrypted data; it is therefore essential to investigate the comparative performance of the S-box. In the next section, we analyse the newly designed S-box through various indices to establish the strength of our proposed S-box.