#### Abstract

Developing a substitution-box (S-box) generator that can efficiently generate a highly dynamic S-box with good cryptographic properties is a hot topic in the field of cryptography. Recently, elliptic curve (EC)-based S-box generators have shown promising results. However, these generators use large ECs to generate highly dynamic S-boxes and thus may not be suitable for lightweight cryptography, where the computational power is limited. The aim of this paper is to develop and implement such an S-box generator that can be used in lightweight cryptography and perform better in terms of computation time and security resistance than recently designed S-box generators. To achieve this goal, we use ordered ECs of small size and binary sequences to generate certain sequences of integers which are then used to generate S-boxes. We performed several standard analyses to test the efficiency of the proposed generator. On an average, the proposed generator can generate an S-box in 0.003 seconds, and from 20,000 S-boxes generated by the proposed generator, S-boxes have at least the nonlinearity 96. The linear approximation probability of 1000 S-boxes that have the best nonlinearity is in the range [0.117, 0.172] and more than 99% S-boxes have algebraic complexity at least 251. All these S-boxes have the differential approximation probability value in the interval [0.039, 0.063]. Computational results and comparisons suggest that our newly developed generator takes less running time and has high security against modern attacks as compared to several existing well-known generators, and hence, our generator is suitable for lightweight cryptography. Furthermore, the usage of binary sequences in our generator allows generating plaintext-dependent S-boxes which is crucial to resist chosen-plaintext attacks.

#### 1. Introduction

A substitution-box (S-box) is one of the fundamental components of several modern encryption algorithms [1, 2] such as Skipjack, data encryption standard (DES), and advance encryption standard (AES). The existing block ciphers, for example, AES uses a static S-box to create confusion in the plaintext. However, several researchers have proposed to use dynamic S-boxes instead of a static S-box to enhance the security of secret data against modern cryptanalysis [3–5]. Therefore, it is necessary to develop an S-box generator that can efficiently generate highly dynamic and cryptographically secure S-boxes. An S-box generator is suitable for cryptographic purposes if it can efficiently generate highly dynamic and cryptographically strong S-boxes. The cryptographic strength of an S-box against linear, differential, and algebraic attacks is tested by computing its nonlinearity (NL) [6], linear approximation probability (LAP) [7], algebraic complexity (AC) [8], differential approximation probability (DAP) [9], strict avalanche criterion (SAC) [10], and bit independent criterion (BIC) [10]. However, the dynamic behavior and computational efficiency of almost all (if not all) existing S-box generators have not been tested. In 2021, Azam et al. [11] proposed some necessary tests including singularity analysis, complexity analysis, variation analysis, sensitivity analysis, and confusion analysis to quantify the dynamic behavior of an S-box generator.

Recently, several S-box generators have been proposed based on different mathematical structures. For example, in [12–19], chaotic maps are used to generate S-boxes. Chaos-based S-box generation methods such as [12–19] have small computation time but generate S-boxes with low NL. Graph theory and algebraic structures are used to design S-box generators in [20–25]. Although algebraic methods generate S-boxes with high NL, they construct only a limited number of distinct dynamic S-boxes. For example, the generator in [26] generates 256 S-boxes, while the scheme in [27] generates total 16 strong S-boxes and the method in [28] constructs only one S-box. The skipjack algorithm introduced by Kim and Phan [29] constructs one S-box. Recently, quantum walks have been used to construct cryptographically strong S-boxes [30, 31]. Similarly, various optimization techniques are also used to design S-box generators [32–37]. However, these techniques require large computation time to construct S-boxes with high NL. Linear fractional transformations are used to generate key-dependent S-boxes in [38, 39]. In [40], Musheer et al. used chaotic heuristic search and group action to construct and improve the cryptographic features of generated S-boxes. Furthermore, in [41], the authors investigated security strength of an image cryptosystem based on a hyperchaotic system. El-Latif et al. [42] introduced an S-box-based cryptosystem for videos’ encryption and transmission of sensitive data over 5G networks for connected devices. In [43], an efficient and secure protocol based on quantum walks is represented for data protection and authentication over 5G networks. Wang et al. [44] successfully designed a secure user authentication scheme with low computation cost. In [45, 46], researchers suggested different authentication protocols for mobile devices and security of wireless sensor networks.

Elliptic curves (ECs) are algebraic structures that are used in cryptography and can provide high security with a relatively small key size. Recently, Hayat et al. [47] designed the first S-box generator based on ECs. Subsequently, some improved EC-based S-box generators have been proposed in [48–54]. These generators can output cryptographically strong S-boxes but they require, to generate or store, a precomputed EC. Furthermore, the number of distinct S-boxes obtained by these generators is directly proportional to the size of the underlying EC. Therefore, these generators cannot be used with ECs of large size and hence can generate a small number of S-boxes over an EC of small size. To address these limitations, Ibrahim and Abbas [55] designed an S-box generator based on an EC of large size by generating some points over an EC which are then used for creating a permutation code. This scheme does not require a complete EC but still needs to do some calculations over a large prime. Therefore, the scheme may not be suitable for lightweight cryptography which has low storage capacity and limited computational power [56, 57].

The aim of this paper is to design an EC-based S-box generator that can (i) be used for lightweight cryptography and (ii) efficiently generate highly dynamic S-boxes with good cryptographic strength. Our main contributions in this research are the following:(1)We proposed a new S-box generator that can efficiently generate cryptographically strong plaintext-dependent S-boxes based on an EC of small size and thus can be used for lightweight cryptography.(2)The generator constructs a large number of distinct and highly uncorrelated dynamic S-boxes.(3)The newly designed generator is highly sensitive to the input parameters. Hence, the generator is secure against sensitivity and differential attacks.(4)The computation time of the proposed generator is lower than the existing S-box generators over ECs. Furthermore, the generator constructs 1000 distinct S-boxes for a fixed EC in 0.181 seconds.(5)When compared with several existing modern S-box generators over ECs and other mathematical structures such as [13, 16, 24, 25, 29, 32], the proposed generator has high computation efficiency and security.

The rest of this paper is organized as follows. In Section 2, we review some preliminaries. A complete description of the proposed S-box generator is given in Section 3. In Section 4, a detailed analysis of the proposed S-box generator and its comparison with state-of-the-art existing generators is conducted. Conclusion and future directions are given in Section 5.

#### 2. Preliminaries

For a prime , suppose is a prime field with elements. In this paper, for any two integers , we have denoted an EC by and defined aswhere stands for the point at infinity. is nonsingular if . Equivalently, the polynomial has unique roots. The expression is called the discriminant of . Over a finite field , the size of an EC is finite. The total number of points over the EC is denoted by . Hesse’s theorem [58] gives an approximate bound about the points over :

If we restrict in (1) and , then it becomes a special type of EC known as Mordell elliptic curve (MEC). In this study, a MEC is denoted by and can be defined as

The MEC has a very useful property that, for a prime , the number of points lies on an are exactly , and for each integer value of in , there is only one integer value of in such that the point lies on [58]. For the generation of S-boxes, we use diffusion and natural orderings defined by Azam et al. in [50], and for convenience, we denote them by and , respectively. These orderings are used to arrange the points on a MEC. Let :

The two orderings are total order.

#### 3. The Proposed S-Box Generator

The existing EC-based S-box generators such as the generators in [47, 51, 55] require computation over large ECs to generate highly dynamic S-boxes. Therefore, such S-box generators are not suitable for lightweight cryptography where the computational power is limited. To overcome this problem, we proposed a new S-box generator that can efficiently generate highly dynamic and cryptographically strong S-boxes based on an EC with small size. We use an ordered EC to create randomness in the integers in and a binary sequence to generate a bijective S-box. The aim of the binary sequence is to generate plaintext-dependent S-boxes; for example, we can use SHA-256 hash function [59] to generate binary sequences for the plaintext which can be used in our generator to output plaintext-dependent S-boxes. Our generator has the following ten main steps to generate bijective S-boxes, where we denote by for notational convenience:(1)Select two sequences over the set of nonnegative integers, .(2)Select an EC with , , and two orderings , .(3)Select two sets , , such that and .(4)Compute the sets such that .(5)Now, to create randomness in , sort it w.r.t. such that is smaller than if is smaller than w.r.t. the ordering , .(6)Let , for , denote the sequences obtained from ordered after applying modulo , where .(7)Now, we generate an S-box such that(8)Generate a binary sequence of size and divide it from left to right into subsequences each of length . Now, convert these subsequences into decimal numbers , . Let be the sequence of integers obtained from the decimal form of the subsequences.(9)Define a total order on the integers in based on such that, for , it holds that if “” or “ and ”. Let denote the sequence obtained from the ordered set , where the entries are listed from smallest to largest w.r.t. .(10)Finally, for , we generate S-boxes such that

For given parameters , and , , the proposed S-box generator generates three S-boxes , , and . We observe that, for two different binary sequences and and fixed , and , the corresponding S-boxes are different, i.e., it holds that

This proposition follows from the fact that the sequences and that are obtained from and , respectively, in step (8) are different when .

An immediate application of our generator is to generate plaintext-dependent S-boxes which play an important role against known-plaintext and chosen-plaintext attacks in image encryption schemes. For example, we can use the SHA-256 hash function to generate a binary sequence of length 256 which can be converted to a binary sequence of length by simply replicating the SHA-256 hash sequence. Thus, for each image, we can get a different binary sequence , and hence, by equation (8), we can generate a different S-box for each image and can provide high security against known-plaintext and chosen-plaintext attacks.

A flowchart of the proposed S-box generator is given in Figure 1 and an example of a S-box generated by the proposed S-box generator is given in Figure 2, where we use an EC and diffusion ordering given in equation (4) and natural ordering given in equation (3).

#### 4. Security Analysis and Comparison

We conduct rigorous analysis to test the dynamic behavior and cryptographic properties of the proposed S-box generator in Sections 4.1 and 4.2, respectively. Furthermore, we have compared the computational results of the proposed generator with some of the existing generators based on different mathematical structures, as detailed in Sections 4.1 and 4.2.

##### 4.1. Analysis of Dynamic Behavior of the Proposed Generator

In this section, we analyze the dynamic behavior of the proposed S-box generator and compare it with some of the available schemes in [11, 27, 28, 47, 48, 51, 53]. For this purpose, we randomly generated two sets and each of size 10,000 of bijective S-boxes . Here, the set is generated by fixing an and randomly generated 10,000 sequences , and is generated by fixing a sequence and randomly generated 10,000 ECs as follows:(1)Fix and , .(2)Fix EC , two orderings diffusion ordering [50], and natural ordering [50] and randomly generate 10,000 binary sequences each of length . Each binary sequence is replicated 8 times to construct a binary sequence of length . Thus, we get 10,000 sequences of length and generate a set of S-boxes of size 10,000.(3)We generate another set of S-boxes of size 10,000, by fixing 011 001 001 110 010 010 001 000 100 011 101 011 011 100 001 001 010 110 001 011 000 011 0001 11 100 000 110 011 100 111 100 001 011 111 101 00110 1 001 100 000 101010 101 100 111 110 011 110 110 111 010 010 011 100 110 000 110 001 110 000 010 001 0100 10 011 111 101 101 010 000 001 110 101 001 001 110 110 101 000 110 110 010 100 000 0100, and randomly generate an EC by selecting parameters and , where orderings are diffusion ordering and natural ordering .

The details of the analysis are given in the following sections.

###### 4.1.1. Sensitivity Analysis

The efficiency of an S-box generator to generate significantly different S-boxes when the input parameters are slightly changed is called the sensitivity of an S-box generator [11]. An S-box generator is considered good against sensitivity and differential attacks if it is highly sensitive to the input parameters. The minimum, maximum, and average sensitivity of S-boxes in the sets and are listed in Table 1. We observe that the average sensitivity of the proposed S-box generator is 255 and 250 for the sets and , respectively, which is close to the optimal value 256. Hence, the proposed S-box generator is highly sensitive to the input parameters. Furthermore, we show the effect of the parameters , , and on the resultant S-boxes in Figure 3, which also implies that the proposed generator is highly sensitive to the input parameters.

**(a)**

**(b)**

**(c)**

**(d)**

###### 4.1.2. Singularity Analysis

A valid input for which an S-box generator is not able to output an S-box is called singularity of an S-box generator [11]. An S-box generator with no singularity is considered good for encryption purposes. The proposed S-box generator has no singularity and generates an S-box for each set of valid input parameters. The comparison of the singularity analysis of the proposed S-box generator with the generators in [28, 47, 51, 53] is given in Table 2. We observe that the proposed generator and the generator in [53] have no singularities; however, the generators in [28, 47, 51] have singularities. Hence, the proposed generator is better than the generators in [28, 47, 51].

###### 4.1.3. Variation Analysis

An S-box generation algorithm is considered cryptographically good if it can construct a large number of distinct S-boxes [11]. If an S-box generator has the ability to construct a large number of distinct S-boxes, then it has high resistance against brute force such as attacks. So, we have computed the number of distinct S-boxes by generating two sets and of S-boxes each of size 10,000 by fixing a binary sequence and EC , respectively. It has been observed that, for distinct 10,000 binary sequences , we have distinct 10,000 S-boxes, and also any change in parameters of an EC gives a new distinct S-box. We compare the results with the generators in [11, 27, 28, 47, 48, 51, 53]. The results of the distinct S-boxes analysis are shown in Figure 4(a), from which it is evident that the proposed S-box generator can generate a large number of distinct S-boxes when compared with existing S-box generators in [11, 27, 28, 47, 48, 51, 53], where, for convenience, we denote the total number of distinct S-boxes by # S-boxes.

**(a)**

**(b)**

**(c)**

###### 4.1.4. Fixed Point Analysis

Cryptographically, an S-box generator is good if resultant S-boxes have a small number of fixed points [11]. We computed the average number of fixed points of S-boxes in the sets and and S-boxes generated by the generators in [11, 27, 28, 47, 48, 51, 53]. These results are shown in Figure 4(b) from which it is clear that the proposed generator has a smaller number of fixed points than the generators in [47, 48, 51, 53] and is comparable with the generator in [11, 27, 28]; for convenience, we denote the total number of fixed points by # fixed points.

**(a)**

**(b)**

**(c)**

**(d)**

###### 4.1.5. Correlation Analysis

An S-box generator is considered good if it can generate S-boxes that are mutually uncorrelated [11]. The average correlation coefficient (CC) of S-boxes in and and S-boxes generated by the generators in [11, 27, 48, 51, 53] is given in Figure 4(c). The results in Figure 4(c) show that the proposed generator has smaller CC than the generators in [48, 51] and is comparable with the generators in [11, 27, 53].

###### 4.1.6. Computational Speed Analysis

An S-box generator can be used for real-time encryption if it has a low computational cost. We analyze the computation time of the proposed S-box generator over ECs of different sizes and compare it with other S-box generators in [47, 51, 53]. For experimental purpose, we use MATLAB R2016a on a system, Intel(R) Core(TM) i3-2370M CPU @ 2.40 GHz with 6 GB of RAM. For computational analysis, two S-boxes are generated by each of the generators in [47, 51, 53] and S-boxes and by the proposed generator, using the same aforementioned setup. For experimental setup, we have fixed the uncommon parameters and kept the overlapping parameters same for the each S-box generator. The computation time in seconds for these generators is listed in Table 3. The proposed S-box generator has the lowest running time among the listed generators. Therefore, the proposed S-box generator is suitable for lightweight cryptography and encryption purposes as compared to the generators in [47, 51, 53].

##### 4.2. Cryptographic Properties

In this section, we compute and compare the cryptographic properties of S-boxes in the sets and generated by the proposed S-box generator and the S-boxes generated by the generators in [3, 14, 15, 24, 51, 55] that are based on different mathematical structures.

###### 4.2.1. Nonlinearity (NL)

The idea of NL is introduced in [6] to measure the ability of an S-box against linear attacks. We have computed the NL of S-boxes in both sets and , and results are shown in Figures 5(a) and 5(b), respectively. We observe that more than 93% S-boxes in these sets have the NL at least 96. This implies that the proposed generator can generate S-boxes with high resistance against linear attacks. We compared the minimum, maximum, and average NL of the S-boxes in and and 10,000 S-boxes generated by the generators in [3, 14, 15, 24, 51, 55], and the results are listed in Table 4. We observe that the minimum (resp., maximum and average) NL of S-boxes obtained by the generators in [51] (resp., [3, 14, 15, 24]) is lower than the newly generated S-boxes. This implies that the proposed generator can generate S-boxes with high resistance against linear attacks as compared to the generators in [3, 14, 15, 24, 51, 55].

###### 4.2.2. Algebraic Complexity (AC)

For S-boxes, the idea of a linear polynomial was first proposed in [8]. The number of nonzero terms in a linear polynomial of an S-box represents the AC. We computed the AC of 1000 S-boxes in and that have the best NL and find that more than S-boxes have the AC at least 251. Histogram analysis of the AC is also illustrated in Figure 5(c).

###### 4.2.3. Linear Approximation Probability (LAP)

The LAP is first presented in [7] to manipulate linear relations between input and output bits. We computed the LAP of 1000 S-boxes and the results are shown in Figure 5(d). The LAP of S-boxes is in the range [0.117, 0.172]. This further justifies our claim that the proposed generator can generate S-boxes with high resistance against linear attacks.

###### 4.2.4. Differential Approximation Probability (DAP)

The DAP [9] is used to quantify the resistance of an S-box against differential attacks. We computed the DAP of 1000 S-boxes generated by the proposed generator and the results are given in Figure 6. All the S-boxes have the DAP value in the interval [0.039, 0.063] which are in the acceptable range. Therefore, the proposed generator can generate S-boxes with high resistance against differential attacks.

###### 4.2.5. Strict Avalanche Criterion (SAC)

The capability of an S-box to create diffusion/confusion is measured by its Boolean functions. The SAC [10] is used to measure the strength of Boolean functions. We applied the SAC on 1000 S-boxes generated by the proposed generator and illustrated the average, minimum, and maximum values for each S-box obtained by SAC criterion in Figures 7(a) and 7(b). The minimum, maximum, and average values obtained by the SAC test are in the ranges [0.344, 0.453], [0.563, 0.703], and [0.486, 0.517], respectively. These ranges are near to the optimal value of 0.5, and hence, newly generated S-boxes pass the SAC test, so the newly designed S-boxes have good resistance against Boolean functions attacks.

###### 4.2.6. Bit Independence Criterion (BIC)

The BIC criterion [10] is also used to measure the strength of the S-box against Boolean function attacks. We computed the BIC of 1000 S-boxes generated by the proposed generator and illustrated the average, minimum, and maximum values for each S-box obtained by this criterion in Figures 7(c) and 7(d). The minimum, maximum, and average values obtained by the BIC tests are in the ranges [0.438, 0.490], [0.514, 0.568], and [0.431, 0.445], respectively. These ranges are near to the optimal value of 0.5, and hence, newly generated S-boxes pass the BIC test, and hence, they have good resistance against Boolean functions attacks. (Figure 7).

**(a)**

**(b)**

**(c)**

**(d)**

###### 4.2.7. Further Comparison

In this section, we further compare the cryptographic properties of the proposed S-box given in Table 5 and the S-boxes obtained by the generators in [12, 13, 16, 19, 24, 25, 28, 35, 47, 48, 50, 51, 53]. The cryptographic properties of these S-boxes are listed in Table 6. We list the key observations from these computational results as follows:(1)It is clear from Table 6 that the proposed S-box has better NL as compared to S-boxes in [12, 13, 16, 19, 24, 25, 29, 35, 47]. So, the proposed S-box is more secure against linear attacks as compared to S-boxes in [12, 13, 16, 19, 24, 25, 29, 35, 47].(2)On basis of the LAP listed in Table 6, it is concluded that the proposed S-box has a comparable LAP value with all existing schemes in Table 6. This finding indicates that the S-box generated by our scheme has high resistance against linear attacks.(3)The DAP value of the proposed S-box given in Table 6 shows that the proposed S-box is more secure against differential attacks than S-boxes in [12, 18, 24, 25, 29, 30, 48].(4)The AC of the S-box is 254 which is very close to the optimal value. This is evident that the proposed S-box has high security against algebraic attacks.(5)Table 6 shows that the minimum (resp., maximum) of the SAC for the proposed S-box is 0.422 (resp., 0.594) which is near to 0.5, the optimal SAC value. We observe that the proposed S-box has better SAC results as compared to S-boxes in [12, 13, 17, 19, 24, 29, 33, 35, 47, 48, 50, 53, 55]. Hence, the proposed S-box resists Boolean function cryptanalysis.(6)The BIC of the S-box is almost comparable to all the S-boxes in Table 6.

#### 5. Conclusion

To address the shortcomings of the existing S-box generators, we proposed a new generator based on ordered ECs and binary sequences. We tested and compared the efficiency of the proposed generator with several state-of-the-art existing generators that are based on different mathematical structures. From the rigorous analysis, we notice the following advantages of the proposed generator over the existing methods [3, 11, 14, 15, 24, 47, 48, 51, 53, 55]:(1)The proposed generator is better than the methods in [28, 47, 51] because they have singularities and are unable to generate an S-box for a valid set of input parameters; on the contrary, our method has no singularity.(2)From computational experiments, it is evident that the proposed generator generates a large number of highly uncorrelated S-boxes over an EC with a small size which is not possible in existing generators [11, 27, 28, 47, 48, 51, 53].(3)It is evident from Table 4 that our generator has better average NL when compared with generators in [3, 14, 15, 24, 51, 55].(4)The most important feature of the proposed generator that qualifies it for lightweight cryptography is its less computation time and use of small size ECs than generators in [47, 51, 53].(5)The detailed security analysis in Table 6 proves that the proposed generator can generate S-boxes with good cryptographic properties than the methods in [12, 13, 16, 18, 24, 25, 28, 35, 47, 48].

Due to the usage of binary sequences, a direct application of the proposed generator is to generate plaintext-dependent S-boxes to enhance the security of the existing cryptosystems against chosen-plaintext attacks.

It is left for future to develop new efficient cryptosystems based on the newly developed generator for the lightweight cryptography that can provide high security with limited computational resources.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This research was partially funded by HEC (Project no. NRPU-7433) and Quaid-i-Azam University (Project no. URF-2015).