Abstract
Elliptic curves (ECs) are considered as one of the highly secure structures against modern computational attacks. In this paper, we present an efficient method based on an ordered isomorphic EC for the generation of a large number of distinct, mutually uncorrelated, and cryptographically strong injective Sboxes. The proposed scheme is characterized in terms of time complexity and the number of the distinct Sboxes. Furthermore, rigorous analysis and comparison of the newly developed method with some of the existing methods are conducted. Experimental results reveal that the newly developed scheme can efficiently generate a large number of distinct, uncorrelated, and secure Sboxes when compared with some of the wellknown existing schemes.
1. Introduction
A lot of advancements have been made in the field of computation methods in the past few decades. These advancements necessitate the improvements in the cryptosystems, since their security strength highly depends on the computational power. A cryptosystem is considered to be secure if it can create enough confusion/diffusion in the data [1]. Many wellknown and commonly used cryptosystems including Data Encryption Standard (DES), Advanced Encryption Standard (AES), Twofish security system [2], Blowfish cryptosystem [3], and International Data Encryption Algorithm (IDEA) [4] use substitution box (Sbox) for the data scrambling.
It is easy to observe that the cryptosystems using a single Sbox are unable to create enough confusion/diffusion in the modern data with high correlation such as digital images [5]. Therefore, many cryptographers proposed the usage of multiple Sboxes for the encryption of such data. An Sbox generation technique is said to be good for the encryption of highly correlated data, if it can efficiently generate a large number of secure and mutually uncorrelated Sboxes.
Many researchers have proposed different Sbox generation schemes based on different mathematical structures. ElRamly et al. [6] proposed an approach for the generation of strong Sboxes based on a Latin square. The length of the secret key used for these Sboxes is of 128 bits. Wu et al. [7] proposed Latin square doubly stochastic matrix to develop new Sboxes. Peng et al. [8] generated dynamic Sboxes using spatiotemporal chaotic system. Radhakrishnan et al. [9] developed an analytical approach to generate Sboxes. Wang et al. [10] proposed an Sbox using chaos theory. Alkhaldi et al. [11] constructed Sboxes using tangent delay for ellipse cavity chaotic sequence and a particular permutation. The newly generated Sboxes have high resistance against linear and differential attacks. Khan and Azam [12] proposed a method for the construction of multiple Sboxes based on a group action and Gray codes. Similarly, Khan and Azam [13] presented another algorithm for the design of Sboxes based on affine and power mappings. It is shown computationally that all of the newly generated Sboxes have high security against modern attacks. However, each of these methods only generate 256 Sboxes.
Recently, elliptic curves (ECs) have received great attention in the field of cryptography. The ECs based cryptosystems provide higher security with smaller key size than classical cryptosystems [14–18]. Jung et al. [19] characterized Sboxes over hyperelliptic curves. Hayat et al. [20, 21] proposed different methods for the generation of an Sbox by using an elliptic curve (EC) over a prime field. Actually, the scheme in [21] is a generalization of the scheme in [20]. These techniques use coordinates of the points on the EC followed by modulo 256 operation. Although, the schemes are capable of generating secure Sboxes, but each has time complexity , where is the underlying prime. Furthermore, the output of these algorithms is uncertain in the sense that it may or may not generate an Sbox for each input parameters, and are independent of the underlying EC. Azam et al. [22] used some typical type of orderings on a class of Mordell elliptic curve (MEC) over a finite field to design an Sbox in constant time. All these schemes can generate at most one Sbox for a given EC.
The aim of this paper is to propose a novel method to efficiently construct a large number of distinct, mutually uncorrelated, and cryptographically strong injective Sboxes for a given EC. The proposed scheme uses coordinates of the points on an ordered EC isomorphic to the given ordered MEC. The remaining part of the paper is arranged as follows: Section 2 contains some definitions and concepts which are necessary to understand this paper. The proposed algorithm and its characterization are given in Section 3. A detailed analysis and comparison of the newly developed method are given in Section 4. A summary of the paper is given in Section 5.
2. Preliminaries
An EC is one of the fundamental concepts in the field of arithmetic geometry and has many applications in the field of applied sciences. For a field and two integers such that , the elliptic curve over is defined to be the set of a symbol (identity of ) and all points satisfying the following cubic equationWe call , and the elliptic curve parameters of the EC . Two ECs and over the field are isomorphic if and only if there exists an integer such that and . We call the isomorphism parameter between and . In this setting, the isomorphism maps onto . It is easy to observe that isomorphism is an equivalence relation on the family of all ECs over the field .
Let be a prime. It is wellknown that for prime there exists a unique finite field , up to the field isomorphism, with exactly elements. Note that the arithmetic operations over are performed with respect to the modulo (). There are total ECs over the field . The number of ECs isomorphic to a given EC over can be computed by Lemma 1 deduced from [23, Section 1.3  1.4].
Lemma 1. Let be a prime and be two integers. The number of ECs isomorphic to the EC is (1), if and has a nonzero element of group order 6;(2), if and has a nonzero element of group order 4;(3), otherwise.
Let be an EC. A bound on the number of points on the EC can be computed using Hasse’s theorem [24, 25]Note that the bound is independent of the parameters and . An EC over is said to be a Mordell elliptic curve (MEC), if . The following lemma gives the information of points on a special class of MECs.
Lemma 2 (see [25]). A MEC with () has exactly points with no repetition in their coordinates.
We denote a MEC with () simply by and call it an EC unless stated otherwise.
Let be an EC with a total order and be an EC isomorphic to with the isomorphism parameter . We define an induced total order on aswhere .
An substitution box (Sbox) is a mapping from to . Henceforth, Sbox stands for injective Sbox.
Azam et al. [22] defined three typical orderings namely natural N, diffusion D, and modulo diffusion M on a given EC for the generation of Sboxes. The main idea behind these ordering is the arrangement of the points with the same coordinates. For the points on a given EC ,The natural ordering is the lexicographical order defined so that the points with the same coordinates appear consecutively, while the diffusion and modulo diffusion orderings diffuse the points with the same coordinates. The effect of these three orderings on the points of is shown in Table 1.
3. The Proposed Scheme and Its Characterization
In this section, we present a simple and efficient method to generate a large number of distinct, mutually uncorrelated, and secure injective Sboxes based on the coordinates of an EC for the encryption of highly correlated data. The proposed method takes inputs integers , a prime , two nonnegative integers and , a positive integer such that and (mod ) and a total order on the EC . The output of the method is an injective Sbox over the EC isomorphic to . The algorithm generates by choosing the coordinates, with values less than , of the first points on the EC with respect to the induced ordering . Mathematically, can be expressed as where such that .
Note that the condition of is imposed so that the underlying EC has at least points.
Remark 3. By Lemma 2, the proposed method always output an Sbox for each input parameters.
Lemma 4. The proposed method can be implemented in time.
Proof. By Lemma 2, we know that all integers from the interval will uniquely appear as coordinate of the points on the EC . Thus, we can generate by finding and sorting the set with respect to the ordering .
Thus, by the group theoretic arguments we have where and are the multiplicative inverses of and in the field , respectively.
Assuming that is not a very large number, can be computed by using extended Euclidean algorithm in time . Therefore, finding for each and using them in the equation (mod ), we can easily compute the set in . The sorting operation on can be performed in time complexity . Hence, can be computed in .
We describe an efficient algorithm for the generation of proposed Sboxes based on Lemma 4 in Algorithm 1.

Let be an EC with ordering and integers such that . We denote to be the number of distinct Sboxes generated by all ECs isomorphic to by using the proposed method. In Lemma 5, we drive an upper bound for the number .
Lemma 5. The number of distinct Sboxes generated by the proposed scheme is at most .
Proof. We know that in a MEC, . Also (mod 3), therefore 3 and 6 are not divisors of . Thus, by group theoretic argument does not have an element of order 6. So by Lemma 1(iii), the number of ECs isomorphic to is , and hence the proposed algorithm can generate at most distinct Sboxes by using .
Next, we prove a sufficient condition on so that the number of Sboxes generated due to the natural ordering is equal to the upper bound given in Lemma 5.
Lemma 6. For an integer such that , is .
Proof. Without loss of generality, we assume that the points on are arranged in nondecreasing order with respect to the ordering N and denotes its th element. Note that, for a positive integer such that and , exactly one of the values is greater than , since their coordinates are same on the EC . Thus, from the condition it follows that . The proof will complete, if we show that, for some and any such that the ECs and are different, it holds that i.e., . Without loss of generality, suppose on the contrary thatThis implies thatBut, in (11), since is additive inverse of . Thus, we haveWe show a contradiction for the case (13) and similar arguments can be used to prove for the case (14).
From , we have This implies that or , since is a prime. But, , and therefore holds. Thus by applying the multiplicative inverse , we get , and by group theoretic argument, either or the group order of is 3. But the former implies that are same, while the latter implies that 3 is a divisor of for (mod 3), which are contradictions. This implies that, , for all . Hence, each EC isomorphic to will generate a distinct Sbox. Thus, by using Lemma 1, result follows.
Based on the computational results, we propose a stronger version of Lemma 6 which is independent of the underlying ordering on the EC . But, we did not manage to prove it rigorously.
Conjecture 7. For an integer such that , is .
4. Analysis and Comparison of the Proposed Method
A rigorous analysis of the proposed method is performed in this section. We used Sboxes generated by natural ordering N, diffusion ordering D and modulo diffusion ordering M for the analysis, since they are most commonly used in modern cryptosystems.
4.1. Security Analysis
We generated the Sboxes , and by sorting the ECs in nondecreasing order with respect to N, D, and M orderings for the security analysis. The Sboxes and are presented in Tables 2–4, respectively. A comparison of the experimental results with the strongest Sboxes generated by the algorithms in [20–22, 26–34] is also conducted in this section.
4.1.1. Linear Attacks
For a secure Sbox it is necessary to have high security against linear cryptanalysis. The security of an Sbox against linear attacks is quantified by computing its linear approximation probability LAP, nonlinearity NL(), and algebraic complexity AC.
The linear approximation probability LAP is an approximation of by calculating the coincidence between input and output bits. For , the mathematical expression of LAP iswhere “” is the dot product over .
The nonlinearity NL is the minimum distance of from all affine transformations on the Galois field , i.e.,where , , , and “” is the addition over .
The algebraic complexity AC is the number of nonzero coefficients in the linear polynomial [35] representation of .
An Sbox is said to be highly secure against linear attacks if its LAP is small, while NL and AC are large. The LAP, NL and AC of the listed Sboxes are presented in Table 5. It is clear from the table that the LAP of the proposed Sboxes is low, while their NL and AC are high enough to resist the linear attacks efficiently. Note that the average value of LAP of the proposed Sboxes is which is less than that of the Sboxes in [21, 22, 27, 31], while their average NL and AC are 106 and 254 which are higher than that of [20, 26, 27, 29, 31–33] and [28, 30, 31], respectively. This implies that the proposed method is capable of generating Sboxes with high security against linear attacks than some of the listed Sboxes.
4.1.2. Differential Attacks
In these attacks, the Sbox is approximated by understanding the effect of input differentials on the outputs. The differential approximation probability DAP of is a wellknown method to measure its resistance against differential attacks. It is computed by finding the coincidence between the difference of outputs and the inputs differing with some value. For ,The smaller is the DAP, the higher is the resistance of against differential attacks. The results of this test for the listed Sboxes are given in Table 5. The DAP of the newly generated Sboxes is 0.0391, while the DAP of the Sboxes in [20–22, 26–28, 31–34] is at least 0.0391. Thus it follows that Sboxes based on the presented technique have high resistance against differential attacks than the listed Sboxes.
4.1.3. Analysis of Boolean Functions
It is essential for a secure Sbox to create confusion/diffusion in the data up to a certain level [1]. The confusion/diffusion creation capabilities of an Sbox are measured by analyzing its Boolean functions. The strict avalanche criterion (SAC) and the bit independence criterion (BIC) are the two standard methods to analyze these capabilities. Let be th Boolean function of and with weight The SAC of is implemented by computing the matrix , whereSimilarly, the BIC is applied by calculating the matrix , whereAn Sbox satisfies the SAC and the BIC if all nonzero entries of and are close to . The results of these tests are represented by listing the maximum and minimum nonzero values of their matrices in Table 5. The average of maximum and minimum values of SAC and BIC of the newly constructed Sboxes are and and 0.52895 and 0.4694, respectively. This implies that the entries of and are approaching the optimal value . Hence, it is evident from the experiments that the proposed Sbox design method is capable of generating cryptographically secure Sboxes.
4.2. Statistical Analysis
Statistical analyses are performed on the proposed scheme to quantify its efficiency for the generation of dynamical Sboxes for the encryption of highly correlated data.
4.2.1. Distinct SBoxes
An Sbox generation technique is said to be good for the generation of dynamical Sboxes and highly resistive against the brute force attack, if it can generate a large number of distinct Sboxes. For a given prime and for each EC , we have generated all distinct Sboxes by using all ECs isomorphic to . The number of distinct Sboxes for some primes is listed in Table 6.
Note that, with the increase in the value of , the number of Sboxes generated by the proposed method also increases. Thus, by choosing some large prime, the proposed method can generate a large number of dynamic Sboxes, and therefore it can easily resist the brute force attacks. For the comparison, the maximum possible number of Sboxes that can be generated by the other schemes [20–22] over an EC is also listed in Table 6. It is evident from Table 6 that the proposed method is more suitable for the generation of dynamic Sboxes than the listed schemes.
4.2.2. Correlation Test
An Sbox design technique is good for the encryption of highly correlated data, if its Sboxes can generate enough confusion/diffusion in the data. The confusion/diffusion creation capability of an Sbox scheme can be evaluated by computing the correlation coefficient (CC) and the number of fixed points in its Sboxes. The CCs of distinct Sboxes for some values of and are shown in Figure 1. For each listed and , the Sboxes are indexed in an increasing order with respect to their isomorphism parameter .
(a) , , and 
(b) , , and 
(c) , , and 
(d) , , and 
The average CCs between the Sboxes in Figures 1(a)–1(d) are 0.0085, 0.0026, 0.0015, and 0.00034, respectively, which are very close to 0. Therefore, the newly generated Sboxes are highly uncorrelated. Furthermore, we have calculated the average number of fixed points in all Sboxes for the primes used in Table 6. The results are shown in Table 7.
Experimental results show that the average number of the fixed points generated by the proposed method is at most 1 (by rounding to the nearest integer). Hence, by correlation test and fixed point test, it is evident that the proposed Sbox design technique is capable of generating high confusion/diffusion in a highly correlated data.
4.3. Complexity Analysis
It is necessary for a good Sbox design scheme to generate secure Sboxes efficiently. By Lemma 4, the time complexity of the proposed method for the generation of Sbox is , where is the underlying prime. A comparison of the time complexity of different Sbox schemes over ECs is given in Table 8. It is evident from the comparison that the proposed Sbox generation method is efficient than the techniques in [20, 21].
5. Conclusion
An efficient method for the generation of a large number of distinct, uncorrelated, and cryptographically secure injective multiple Sboxes is presented in this paper. The proposed scheme uses an elliptic curve (EC) isomorphic to a given ordered Mordell elliptic curve (MEC) over , where (mod 3). It is proved that the proposed method can be implemented efficiently in . An upper bound is derived on the number of Sboxes generated by the proposed method for the EC . It is also shown that the upper bound can be achieved for the natural ordering if . Furthermore, a detailed security analysis and comparison of the proposed method with some of the existing schemes is conducted. Experimental results reveal that the newly developed method can efficiently generate cryptographically secure, dynamic, and uncorrelated Sboxes. Hence, the proposed method is secure for the encryption of highly correlated data.
Data Availability
All formulas and parameters for the data used in this paper are given. Therefore, one can easily generate the data.
Conflicts of Interest
There are no conflicts of interest regarding the publication of this article.
Acknowledgments
This project is partially funded by JSPS KAKENHI Grant no. 18J23484.