A Novel Method for Constructing the S-Box Based on Spatiotemporal Chaotic Dynamics

applied sciences

Article A Novel Method for Constructing the S-Box Based on Spatiotemporal Chaotic Dynamics

Liyan Liu 1, Yingqian Zhang 2,∗ and Xingyuan Wang 3,4

1 City Institute, Dalian University of Technology, Dalian 116600, China; [email protected] 2 School of Information Science & Technology, Xiamen University Tan Kah Kee College, Xiamen University Zhangzhou Campus, Zhangzhou 363105, China 3 Information Science & Technology College, Dalian Maritime University, Dalian 116026, China; [email protected] 4 Faculty of Electronic Information and Electrical Engineering, Dalian University of Technology, Dalian 116024, China * Correspondence: [email protected] or [email protected]; Tel.: +86-152-6067-0858

Received: 5 November 2018; Accepted: 11 December 2018; Published: 17 December 2018

Abstract: A novel construction method for a random S-box by using the spatiotemporal nonlinear chaotic system is proposed. The chaotic sequences of the spatiotemporal chaotic system are applied to construct an initial S-box. Then, the permutation operation between independent chaotic sequences is performed to shufﬂe the elements of the S-box randomly. In comparisons with the former schemes, the results of the performance analysis indicate that the obtained S-box has a better output bit independence criterion and a stronger ability to resist linear password attacks. It also has a high dimensional feature due to the spatiotemporal chaotic dynamical behaviors. The proposed scheme holds superior cryptographic features.

Keywords: chaos; S-box; coupled map lattices; non-adjacent coupled map lattices

1. Introduction With the development of communication technology [1–4], encryption algorithms for data transmission security have attracted extensive attention. Block encryption algorithms play an important role in modern cryptographic systems. The substitution box (S-box) has been widely employed in many block cryptosystems; for instance, Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), and Advanced Encryption Standard (AES). S-box provides a chaotic effect for the cryptosystem, and its security strength determines the security strength of the whole cryptosystem. Hence, S-box is an important nonlinear component for the security of cryptographic schemes. Currently, strong S-boxes have received intensive attention. Many S-box construction methods have been proposed [5–22]. In the literature, S-boxes should resist differential and linear attacks [5–9]. A new construction method for S-box was proposed in [10], which relies on exhaustive search, but the large values of n in the construction method result in it being time consuming. Recently, the theory of chaos has been broadly used for designing S-boxes due to the inherent features of the chaotic map; for instance, random-like behaviors and sensitivity to initial conditions. Jakimoski and Kocarev [11] constructed secure S-boxes using exponential and logistic chaotic maps. Amigó et al. [12] proposed a chaos-based approach to the design of cryptographically-secure substitutions. Tang et al. [13] designed 8 × 8 S-boxes using logistic and Baker chaotic maps. Chen et al. [14] presented an extended method for constructing S-boxes by the use of the Chebyshev map and the 3D Baker map. An effective and dynamic method for constructing the S-box was developed by using the tent map in [15]. Özkaynak and Özer [16] developed a generation method for S-boxes by using the random-like behaviors of the

Appl. Sci. 2018, 8, 2650; doi:10.3390/app8122650 www.mdpi.com/journal/applsci Appl. Sci. 2018, 8, 2650 2 of 13

Lorenz system. Hussain et al. [17] proposed an efficient S-box generation method by the use of a nonlinear chaotic algorithm. In [18], the Lorenz system and the Rössler system were employed to synthesize new S-boxes. Dragan [19] developed a new method of generating S-box by the use of chaotic tent map and composition method. Liu et al. [20] designed S-boxes by using 3D four-wing autonomous chaos system. Belazi and El-Latif [21] proposed an efficient method for generating S-boxes by the use of the chaotic sine map. In [22], the logistic-sine map was applied to construct S-boxes. In [23], S-boxes were generated by using the logistic-tent map and linear fractional transformation. Khan et al. [24] presented a novel technique for the construction of strong S-boxes based on chaotic Lorenz systems. In [25], a novel method to construct strong bijective substitution-boxes based on a 5D hyperchaotic system was presented. However, in these aforementioned chaotic S-box construction schemes, the output Bit Independence Criterion (BIC) and ability to resist linear password attacks were not ideal. Moreover, the applied chaotic systems are low dimensional systems. For the low dimensional chaotic system, the dynamical behaviors may degrade under finite precision computation in modern computers. This degradation can lead to periodic trajectories that affect the randomness of chaotic sequences. Actually, [26,27] have successfully cracked the encryption schemes that are based on the low dimensional chaotic system. To overcome the above drawbacks, we present a novel and efficient S-box construction method by using a spatiotemporal chaotic system. It can improve the BIC property of the S-box and its ability to resist linear password attacks. The spatiotemporal chaotic system contains multi-dimensional Lyapunov exponents that can resist the degradation under finite precision computation in modern computers. We summarize the three contributions of this work as follows:

1. We choose the Non-adjacent Coupled Map Lattices (NCML) [28] spatiotemporal chaos system for constructing the S-box. It has more dynamical features than the traditional CML [29] and the logistic map, such as better randomness, more chaotic sequences, and no periodic windows. Moreover, it can resist the degradation of ﬁnite precision computation due to its high dimensional feature, which can increase the randomness of elements in the S-box. Additionally, the NCML chaotic system has been used in secure communication schemes due to its cryptographic features [30,31]; 2. Since the chaotic sequences generated by the NCML system are independent, we apply these independent chaotic sequences to implement the permutation and shufﬂe of the S-box, which can improve its BIC property and ability to resist linear password attacks; 3. In the comparisons with the former schemes, the simulation and experimental results prove the superior properties of the proposed scheme. This scheme shows that the combination of the spatiotemporal chaotic system and S-box is a recommended approach for encryptions.

The rest of this paper is organized as follows. The NCML spatiotemporal system is introduced and analyzed, as well as the cryptographic features in dynamical behaviors in Section2. Section3 explains the construction process of the proposed S-box. Section4 veriﬁes the randomness of the constructed S-box. Section5 analyzes the performance of the constructed S-box. Section6 gives the concluding remarks.

2. Preliminaries The CML system [29] is presented as:

α y (s + 1) =(1 − α)µy (s)(1 − y (s)) + {µy (s)(1 − y (s)) + µy (s)(1 − y (s))}, (1) l l l 2 a a c c where s is the time parameter (s = 1, 2, 3, . . . ), α is the coupling coefﬁcient (0 ≤ α ≤ 1), µ ∈ (0, 4], l, a and c are the lattices (1 ≤ l, a, c ≤ N), a = l + 1, c = l − 1, and N is a count of all the lattices. The CML system is a spatiotemporal chaotic dynamics, which is coupled in adjacent lattices. Appl. Sci. 2018, 8, 2650 3 of 13

Different from the CML chaotic dynamics, the coupling method of the NCML chaotic system is non-adjacent. The NCML system [28] is presented as:

α y (s + 1) =(1 − α)µy (s)(1 − y (s)) + {µy (s)(1 − y (s)) + µy (s)(1 − y (s))}, (2) l l l 2 m m n n where m, n are also the lattices (1 ≤ m, n ≤ N) and the relations of l, m, n satisfy the Arnold cat map expressed by: " # m 1 b l = (mod N). (3) n d bd + 1 l

The NCML system has good chaotic features when the parameters µ, b, and d are assigned with proper values.

(1) Lyapunov exponents evaluate the divergence of nearby orbits and provide a qualitative view of the dynamical system. If a system has at least one positive Lyapunov exponent, the system is certainly in chaotic behaviors. The Lyapunov exponent of each lattice in the NCML system is positive, and between 0.0203 and 0.4351. This means that the NCML system’s dynamics is more complicated, which can resist the degradation under ﬁnite precision computation in modern computers. (2) In the bifurcation diagram of the NCML system, there is no periodic window, as shown in Figure1a. By contrast, there are periodic windows in the bifurcation diagram of the CML system, as shown in Figure1b. Therefore, the NCML system is more suitable for cryptography than the CML system due to no periodic windows. (3) The chaotic trajectory of NCML system is as random as that of the CML system, as shown in Figure2. The random chaotic sequences are suitable for the construction of a random S-box. (4) The NCML chaotic system has very small mutual information values between chaotic trajectories. Mutual information can be used to evaluate the independence of two chaotic trajectories (named s1 and s2), which is deﬁned as:

I(s1, s2) = H(s1) − H(s1/s2). (4)

(a) (b)

Figure 1. Bifurcation diagram. (a) The Non-adjacent Coupled Map Lattices (NCML) chaotic system; (b) the CML chaotic system.

The lower value of mutual information of s1 and s2 means the higher independence of chaotic trajectories. As shown in Figure3b, most of the mutual information values are equal to zero, which indicates that most of the chaotic trajectories generated by the NCML chaotic system are Appl. Sci. 2018, 8, 2650 4 of 13 independent and cannot be recovered by other trajectories. For the CML chaotic system, its mutual information values between chaotic trajectories are indicated in Figure3a. It can be noted that the NCML chaotic system holds smaller mutual information values between chaotic trajectories than the CML chaotic system. The independent chaotic trajectories are suitable for cryptography because they cannot be restored by other trajectories.

1 1

0.9 0.9

0.8 0.8

0.7 0.7

0.6 0.6 y2(s) y2(s) 0.5 0.5

0.4 0.4

0.3 0.3

0.2 0.2

0.1 0.1 200 220 240 260 280 300 200 220 240 260 280 300 s s (a) (b)

Figure 2. Chaotic trajectory. (a) The CML chaotic system; (b) the NCML chaotic system.

I I 1 1

0.8 0.8

0.6 0.6

0.4 0.4

0.2 0.2

0 0 0 0 20 20 40 40 100 100 80 60 60 80 60 i 60 i 80 40 80 40 20 20 j 1000 j 1000 (a) (b)

Figure 3. Mutual information. (a) The CML chaotic system; (b) the NCML chaotic system. 3. The Proposed Method for Constructing the S-Box To improve the BIC property of the S-box and its ability to resist linear password attacks, we propose a novel construction method for the S-box by using the NCML chaotic dynamics. A new sequence is constructed based on one of N chaotic sequences generated by the NCML system. Then, this sequence is sorted in ascending order, and another new sequence is obtained based on the sorted position of each element. Finally, the new sequence is reconverted to a matrix, and all the elements of the matrix are permuted by using N independent chaotic sequences. This permutation operation based on independent chaotic sequences helps to improve the BIC property of the obtained S-box and its ability to resist linear password attacks. Moreover, the high dimensional feature of the NCML system helps to increase the randomness of elements in the obtained S-box. The detailed construction procedures of our S-box are listed below. Step 1. Iterating Equation (2), we obtain N chaotic sequences. Step 2. Using the chaotic sequence ncml(10, 100 + i), we construct a new sequence by:

X(i) = mod(b(ncml(10, 100 + i) × 1014)c, 256), (5) Appl. Sci. 2018, 8, 2650 5 of 13

where i ∈ [1, 256] and ncml(10, 100 + i) denotes the (100 + i)th value of the 10th sequence of N chaotic sequences. Step 3. Putting the elements of X(1 × 256) in ascending order, we get a sorted sequence Y(1 × 256) and an address sequence Z(1 × 256) satisfying Y(Z(i)) = X(i). Step 4. Reconvert the sequence Z(1 × 256) to a matrix S(16 × 16). Step 5. We get the values of u and v by:  u =mod(b(ncml(mod(S((h − 1) × 16 + k), 100) + 1, 200  + (h − 1) × 16 + k) × 1014)c, 16) + 1 , (6)  v =mod(b(ncml(p, q) × 1014)c, 16) + 1

where h, k ∈ [1, 16] and the relations of h, k, p, q satisfy the Arnold cat map expressed by: " # p 1 b h = (mod N) . q d bd + 1 k

Step 6. With the help of Equation (6), we swap the values of S(h, k) and S(u, v).

S is the ﬁnal S-box. The whole construction process is illustrated by Figure4.

Begin Initial values Iterate the equation (2) L sequences Construct a new sequence X X(1×256) Sort X in ascend order Y(1×256) Obtain an address sequence Z Z(1×256) Reconvert form of Z S(16×16) Permute location S(16×16) Obtain S-box

Figure 4. The ﬂowchart of the construction process of the obtained S-box.

4. Randomness Tests of the Constructed S-Box The obtained S-box is listed in Table1. NIST-800-22 [ 32] statistical tests were used to test the randomness of the constructed S-box. NIST-800-22 statistical tests consist of 15 different tests. These tests focus on a variety of different types of non-randomness that could exist in a sequence. In the NIST-800-22 statistical tests, the results were evaluated according to the defined p-value. If the predefined p-value is 0.001, the resultant p-values must be greater than or equal to the predefined value 0.001 to pass the test successfully. Appl. Sci. 2018, 8, 2650 6 of 13

Table 1. The obtained S-box.

161 239 162 99 116 136 222 234 215 134 208 26 237 108 238 66 179 209 45 51 249 37 137 168 195 114 221 98 149 115 194 25 65 35 127 39 6 12 146 94 135 144 104 48 198 2 118 83 175 93 11 253 182 102 252 19 197 248 233 167 235 10 185 123 170 3 199 250 92 218 90 228 109 178 42 206 72 217 160 193 15 78 101 124 24 151 176 7 113 41 181 203 80 46 131 138 28 69 224 23 190 85 147 247 254 16 84 225 145 20 244 130 204 61 55 103 31 91 60 79 143 227 243 241 76 174 5 40 47 212 192 22 1 111 121 112 119 186 126 251 205 62 189 50 34 96 163 125 82 59 70 38 57 216 133 67 152 223 165 75 157 188 154 246 88 202 52 87 81 158 210 184 240 226 105 142 164 245 4 32 86 128 120 71 14 13 18 110 33 53 150 56 68 29 242 17 187 139 229 155 21 141 207 214 255 169 166 100 36 191 77 54 27 49 180 230 148 30 232 95 213 132 89 159 219 236 201 107 44 173 8 64 211 172 183 43 97 220 106 58 129 156 140 117 73 63 153 171 0 9 196 231 177 122 74 200

Tested ﬁles should contain binary sequences stored as either ASCII characters consisting of zeroes and ones or as binary data where each byte contains eight bits worth of zeroes and ones. We transform all the values of the constructed S-box into a binary sequence, which consists of 2048 bits stored in ASCII format. The tests are performed by using the NIST sts-2.1.2 on Red Hat Enterprise Linux 5. Without loss of generality, the parameters µ = 3.87, α = 0.2, b = 12, and d = 7 for the tests. The NIST-800-22 test results are listed in Table2. We ﬁnd that the 12 tests successfully passed. Moreover, the random excursions test, random excursions variant test, and universal statistical test were not applicable for the proposed S-box. This is because the sequence generated by an S-box only consists of 2048 bits. However, the random excursions test and random excursions variant test require a long sequence consisting of a minimum of 1,000,000 bits [32], and the universal statistical test also requires a long sequence consisting of a minimum of 387,840 bits [32].

Table 2. NIST-800-22 test results of the obtained S-box.

NIST-800-22 Tests p-Value Result Frequency Test 1.000000 SUCCESS Block Frequency Test 0.102530 SUCCESS Cumulative Sums Test 0.984155 SUCCESS Runs Test 0.658531 SUCCESS Longest Run of Ones Test 1.000000 SUCCESS Rank Test 0.481248 SUCCESS Discrete Fourier Transform Test 0.208675 SUCCESS Nonperiodic Template Matchings Test 0.844144 SUCCESS Overlapping Template Matchings Test 0.282761 SUCCESS Approximate Entropy Test 0.024931 SUCCESS Serial Test 0.645337 SUCCESS Linear Complexity Test 0.481431 SUCCESS Random Excursions Test TEST NOT APPLICABLE Random Excursions Variant Test TEST NOT APPLICABLE Universal Statistical Test TEST NOT APPLICABLE

5. Performance Analysis of the Constructed S-Box Six criteria [13,14,16,21–25] are generally selected to test S-boxes. These are “bijective property, nonlinearity, Strict Avalanche Criterion (SAC), BIC, input/output XOR distribution, and Linear approximation Probability (LP)”. For testing the properties of the obtained S-box, we analyzed the above six criteria in detail. We also compared the results of the obtained S-box with those of other S-boxes proposed in [11,13,14,16–25]. Moreover, we also constructed an S-box by using the CML Appl. Sci. 2018, 8, 2650 7 of 13 system as we did based on the NCML system and compared the performance of S-boxes based on the two systems.

5.1. Bijective Property

Wang et al. [33] already developed a method to test the bijective property. When gi(1 ≤ i ≤ n) n n−1 satisﬁes h(∑i=1 εi gi) = 2 , it is bijective, where gi is the Boolean function of an S-box, εi ∈ {0, 1}, (ε1, ε2, ... , εn) 6= (0, 0, ... , 0), and h(·) is the Hamming weight. The Hamming weight of the obtained 8 × 8 S-box was 128. Hence, the obtained S-box had bijective performance.

5.2. Nonlinearity

Suppose a Boolean function is g(x). Its nonlinearity Ng [34] can be presented as:

n−1 −n Ng = 2 (1 − 2 maxϕ∈GF(2n)|S(g)(ϕ)|), (7)

x·ϕ⊕g(x) S(g)(ϕ) = ∑ (−1) , (8) ϕ∈GF(2n) where x · ϕ = x1 ⊕ ϕ1 + x2 ⊕ ϕ2 + ... + xn ⊕ ϕn. The higher the value of Ng, the stronger g(x)’s ability to resist linear attacks. Table3 gives the results of the nonlinearity analysis. The maximum nonlinearity was 108, the minimum 102, and the average 104.5. For the average values of nonlinearity in Table3, our S-box accords with other S-boxes. Hence, the obtained S-box had good nonlinearity property.

Table 3. The results of the comparison of nonlinearity.

S-Boxes Max Min Average The obtained S-box 108 102 104.5 S-box based on CML 106 100 103 S-box proposed in [11] 108 100 103.25 S-box proposed in [13] 109 103 104.88 S-box proposed in [14] 106 100 103 S-box proposed in [16] 106 100 103.25 S-box proposed in [17] 108 102 104.75 S-box proposed in [18] 108 98 103 S-box proposed in [19] 112 108 109.25 S-box proposed in [20] 108 104 105.8 S-box proposed in [21] 110 102 105.5 S-box proposed in [22] 108 102 105.25 S-box 2 proposed in [23] 108 102 106 S-box proposed in [24] 106 96 103 S-box proposed in [25] 110 106 108.5

5.3. Strict Avalanche Criterion The work in [5] ﬁrstly introduced the Strict Avalanche Criterion (SAC). If an S-box has the SAC property, all the output bits will vary with half the probability when complementing a single input bit. To check the SAC property, we always employed the dependence matrix. For an S-box satisfying the SAC property, all the values in its dependence matrix was close tothe optimal value of 0.5. We can estimate the offsets of the dependence matrix by:

1 1 − S(g) = 2 ∑ ∑ Qr,w(g) , (9) n 1≤r≤n 1≤w≤n 2 Appl. Sci. 2018, 8, 2650 8 of 13

( −n T 0, r 6= w T where Qr,w(g) = 2 ∑x∈Bn gw(x) ⊕ gw(x ⊕ er), er = [ϑr,1ϑr,2 ... ϑr,n] , ϑr,w = , and [·] 1, r = w denotes the transpose of a matrix. Table4 shows the obtained dependence matrix. These results were between 0.6406 and 0.4219, and the average value was 0.4980, which was close tothe ideal value of 0.5. Moreover, Table5 analyzes the SAC property of different S-boxes. It can be noted that the mean value of SAC of the obtained S-box is closer to the ideal value 0.5 than that of other S-boxes. Therefore, in comparisons with other S-boxes, the obtained S-box had better SAC performance.

Table 4. The obtained dependence matrix.

0.4844 0.5313 0.4844 0.4688 0.4844 0.5000 0.5938 0.4844 0.4219 0.4688 0.5313 0.5000 0.4688 0.4531 0.4531 0.4531 0.5469 0.5469 0.4531 0.4688 0.5156 0.5469 0.5156 0.4688 0.4844 0.4375 0.5000 0.4375 0.4688 0.5625 0.6406 0.4375 0.5000 0.5156 0.4688 0.5000 0.5313 0.5000 0.5313 0.4688 0.4688 0.5313 0.5781 0.4844 0.4844 0.4844 0.5000 0.4531 0.5000 0.4688 0.5000 0.5000 0.5313 0.4531 0.4688 0.4688 0.5000 0.5313 0.5469 0.5156 0.4688 0.5469 0.4844 0.5781

Table 5. The Strict Avalanche Criterion (SAC) analysis of different S-boxes.

S-Boxes Max Min Mean The obtained S-box 0.6406 0.4219 0.4980 S-box based on CML 0.6250 0.3750 0.5015 S-box proposed in [11] 0.5938 0.3750 0.5059 S-box proposed in [13] 0.5703 0.3984 0.4966 S-box proposed in [14] 0.6094 0.4219 0.5000 S-box proposed in [16] 0.5938 0.4219 0.5049 S-box proposed in [17] 0.5938 0.3906 0.5056 S-box proposed in [18] 0.5938 0.4063 0.5012 S-box proposed in [19] 0.5937 0.4375 0.5012 S-box proposed in [20] 0.5938 0.4219 0.4976 S-box proposed in [21] 0.5625 0.4375 0.5000 S-box proposed in [22] 0.5313 0.4297 0.4956 S-box 2 proposed in [23] - - 0.5020 S-box proposed in [24] 0.6250 0.3906 0.5039 S-box proposed in [25] 0.5937 0.4062 0.5017

5.4. Output Bits Independence Criterion The work in [5] also proposed the BIC. If an S-box satisfies the BIC property, all the avalanche variables should be pair-wise independent for a certain series of avalanche vectors produced by complementing a single plaintext bit. For an S-box satisfying the BIC property, its gr ⊕ gw(r 6= w, 1 ≤ r, w ≤ n) should fulfill the nonlinearity and the SAC, where gr denotes the Boolean function of the S-box. For the obtained S-box, we calculate the nonlinearity and the SAC of its gr ⊕ gw, respectively. The obtained results are listed in Tables6 and7. The mean values of BIC-nonlinearity and BIC-SAC of our S-box were respectively 104.64 and 0.5075. This indicates that the obtained S-box fulfilled the BIC performance. Moreover, Table8 analyzes the BIC property for different S-boxes. It can be noted that the mean value of BIC-SAC of the obtained S-box was consistent with that of other S-boxes, and the mean value of BIC-nonlinearity of the obtained S-box was higher than that of other S-boxes. Therefore, the obtained S-box had better BIC performance than other S-boxes. Appl. Sci. 2018, 8, 2650 9 of 13

Table 6. The Bit Independence Criterion (BIC)-nonlinearity analysis of our S-box.

- 106 106 106 106 104 102 104 106 - 100 100 106 104 108 102 106 100 - 106 108 106 104 108 106 100 106 - 100 104 108 104 106 106 108 100 - 104 108 106 104 104 106 104 104 - 102 102 102 108 104 108 108 102 - 106 104 102 108 104 106 102 106 -

Table 7. The BIC-SAC analysis of our S-box.

- 0.5332 0.4785 0.5117 0.5215 0.5059 0.5137 0.5078 0.5332 - 0.5117 0.5078 0.5137 0.5332 0.5137 0.5039 0.4785 0.5117 - 0.5195 0.5000 0.5098 0.5039 0.5098 0.5117 0.5078 0.5195 - 0.4961 0.5137 0.4922 0.5059 0.5215 0.5137 0.5000 0.4961 - 0.4766 0.5020 0.5020 0.5059 0.5332 0.5098 0.5137 0.4766 - 0.4902 0.5117 0.5137 0.5137 0.5039 0.4922 0.5020 0.4902 - 0.5195 0.5078 0.5039 0.5098 0.5059 0.5020 0.5117 0.5195 -

Table 8. The BIC analysis of different S-boxes.

S-Boxes BIC-SAC BIC-Nonlinearity The obtained S-box 0.5075 104.64 S-box based on CML 0.5039 103.57 S-box proposed in [11] 0.5031 104.29 S-box proposed in [13] 0.5044 102.96 S-box proposed in [14] 0.5024 103.14 S-box proposed in [16] 0.5010 103.71 S-box proposed in [17] 0.5022 104.07 S-box proposed in [18] 0.4989 104.07 S-box proposed in [19] - 108.21 S-box proposed in [20] 0.5032 104.5 S-box proposed in [21] 0.4970 103.78 S-box proposed in [22] 0.4996 103.8 S-box 2 proposed in [23] 0.5050 103 S-box proposed in [24] 0.5010 100.36 S-box proposed in [25] 0.5006 104

5.5. The Equiprobable Input/Output XOR Distribution The work in [7] proposed differential cryptanalysis for an S-box using the imbalances in the input/output XOR distribution table. Output variations can be obtained from input variations. In the differential approximation table, the probability of all the input XOR values was the same as that of all the output XOR values. An S-box should have differential uniformity. To determine the differential uniformity of the obtained S-box, we calculated its differential probability (DP) by:

]{w ∈ W | g(w) ⊕ g(w ⊕ ∆w) = ∆z} DPg = max 6 , (10) ∆w=0,∆z 2n where 2n is a count of all the elements in the S-box and W contains all the input values. The smaller the value of DPg, the stronger the ability to resist differential attacks. Table9 is the differential approximation table. We can ﬁnd that the maximum value was 12. This indicates that our S-box has a strong ability to resist differential attacks. Moreover, the maximum DP for different S-boxes is analyzed in Table 10. For the maximum DP,the obtained S-box was consistent with other S-boxes. Hence, the obtained S-box had a good ability to resist differential attacks. Appl. Sci. 2018, 8, 2650 10 of 13

Table 9. Differential approximation table of our S-box.

6668668666866686 6886666666668668 6686866666686688 8666686668668686 4 6 6 8 8 6 8 6 6 6 10 8 6 6 8 6 6 6 6 6 8 8 6 6 6 8 6 6 8 10 6 6 8668686666688686 6666886668688886 8686668688686668 8 8 6 8 6 8 6 6 6 6 12 10 8 8 10 6 8 10 8 6 6 6 6 6 6 6 8 6 6 8 8 6 6866888888866886 8 6 10 6 8 6 6 6 8 6 6 8 6 6 6 8 6646668686886666 6886866866868666 866868666866886-

Table 10. The maximum differential probability (DP) analysis of different S-boxes.

S-Boxes MaxDP The obtained S-box 0.0469 S-box based on CML 0.0391 S-box proposed in [11] 0.0469 S-box proposed in [13] 0.0391 S-box proposed in [14] 0.0547 S-box proposed in [16] 0.0391 S-box proposed in [17] 0.0469 S-box proposed in [18] 0.0469 S-box proposed in [20] 0.0391 S-box proposed in [21] 0.0468 S-box proposed in [22] 0.0391 S-box 2 proposed in [23] 0.0469 S-box proposed in [24] 0.0391

5.6. Linear Approximation Probability Matsui [9] initially deﬁned the LP. For an S-box holding the LP property, the value of its LP is the maximum unbalance value, which is presented as: ]{z ∈ Z | z · γ1 = g(z) · γ2} 1 LP = max 6 − , (11) γ1,γ2 =0 2n 2 n where Z contains all the input values, 2 is a count of all the elements in the S-box, γ1 denotes the input mask, and γ2 denotes the output mask. The parity of the input bits chosen by the mask γ1 is equal to the parity of the output bits chosen by the mask γ2. The smaller the value of LP, the stronger the ability to resist linear password attacks. Table 11 gives an analysis of LP for different S-boxes. Compared with other S-boxes, the obtained S-box had a minimum value of LP. Therefore, the obtained S-box had a better ability to resist linear password attacks than other S-boxes. Appl. Sci. 2018, 8, 2650 11 of 13

Table 11. The Linear approximation Probability (LP) analysis of different S-boxes.

S-Boxes MaxLP The obtained S-box 0.1250 S-box based on CML 0.1406 S-box proposed in [11] 0.1250 S-box proposed in [13] 0.1328 S-box proposed in [14] 0.1328 S-box proposed in [16] 0.1328 S-box proposed in [17] 0.1250 S-box proposed in [18] 0.1484 S-box proposed in [21] 0.1250 S-box proposed in [22] 0.1562 S-box 2 proposed in [23] 0.1250 S-box proposed in [24] 0.1484

6. Conclusions and Future Research A novel generation method for S-boxes by using the NCML spatiotemporal system is presented in this paper. The high dimensional feature of the NCML system can not only resist the degradation of ﬁnite precision computation, but also increases the randomness of the constructed S-box. The randomness of the constructed S-box has been veriﬁed by using NIST-800-22 statistical tests. In the proposed method, one of chaotic sequences generated by the NCML system is employed to construct the initial S-box. Then, the permutation operation using independent chaotic sequences is performed, which improves the BIC and LP properties of the constructed S-box. According to the simulation results and the performance analysis, we know that the obtained S-box meets the six criteria. Hence, the proposed method is effective. Moreover, we also construct an S-box by using the CML system for comparisons. In comparisons with the former S-boxes, the proposed S-box has a better BIC property and a better ability to resist linear password attacks. Hence, the proposed scheme presents superior cryptographic performance. In future practical research work, we intend to apply the proposed method to image encryptions in a parallel process.

Author Contributions: L.L. and Y.Z. conceived and designed the experiments; L.L. performed the experiments; X.W. analyzed the data; Y.Z. contributed analysis tools; L.L. wrote the paper. Funding: This research was funded by the National Natural Science Foundation of China grant numbers [61672124, 61173183, and 61370145], the Program for New Century Excellent Talents in Fujian Province University, the Natural Science Foundation of Fujian Province of China grant number [2018J01100], the Zhangzhou Science and Technology Project grant number [ZZ2018J23], the Program for Liaoning Excellent Talents in University grant number [LR2012003], and the Password Theory Project of the 13th Five-Year Plan National Cryptography Development Fund grant number [MMJJ20170203]. Acknowledgments: This research is supported by the National Natural Science Foundation of China (Nos. 61672124, 61173183, and 61370145), the Program for New Century Excellent Talents in Fujian Province University, the Natural Science Foundation of Fujian Province of China (No. 2018J01100), the Zhangzhou Science and Technology Project (No. ZZ2018J23), the Program for Liaoning Excellent Talents in University (No: LR2012003), and the the Password Theory Project of the 13th Five-Year Plan National Cryptography Development Fund (No: MMJJ20170203). Conﬂicts of Interest: The authors declare no conﬂicts of interest.

References

1. Berry, M.V.; Lewis, Z.V.; Nye, J.F. On the Weierstrass-Mandelbrot fractal function. Proc. R. Soc. Lond. 1980, 370, 459–484. [CrossRef] 2. Guariglia, E. Entropy and Fractal Antennas. Entropy 2016, 18, 84. [CrossRef] 3. Guido, R.C.; Addison, P.S.; Walker, J. Introducing wavelets and time–frequency analysis. IEEE Eng. Med. Biol. Mag. 2009, 28, 13. [CrossRef][PubMed] 4. Guariglia, E. Harmonic Sierpinski Gasket and Applications. Entropy 2018, 20, 714. [CrossRef] Appl. Sci. 2018, 8, 2650 12 of 13

5. Webster, A.F.; Tavares, S.E. On the design of S-boxes. In Advances in Cryptology, Proceedings of the Conference on the Theory and Application of Cryptographic Techniques (CRYPTO_85), Santa Barbara, CA, USA, 18–22 August 1985; Springer: Berlin/Heidelberg, Germany, 1986; pp. 523–534. 6. Detombe, J.; Tavares, S. Constructing large cryptographically strong S-boxes. In Advances in Cryptology, Proceedings of the International Workshop on the Theory and Application of Cryptographic Techniques (AUSCRYPT ’92), Gold Goast, QLD, Australia, 13–16 December 1992; Springer: Berlin/Heidelberg, Germany, 1992; pp. 165–181. 7. Biham, E.; Shamir, A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 1991, 4, 3–72. [CrossRef] 8. Dawson, M.H.; Tavares, S.E. An expanded set of S-box design criteria based on information theory and its relation to differential-like attacks. In Advances in Cryptology, Proceedings of the Workshop on the Theory and Application of of Cryptographic Techniques (EURO-CRYPT_91), Brighton, UK, 8–11 April 1991; Springer: Berlin/Heidelberg, Germany, 1991; pp. 352–367. 9. Matsui, M. Linear cryptanalysis method of DES cipher. In Advances in Cryptology, Proceedings of the Workshop on the Theory and Application of of Cryptographic Techniques (EURO-CRYPT_93), Lofthus, Norway, 23–27 May 1993; Springer: Berlin/Heidelberg, Germany, 1994; pp. 386–397. 10. Adams, C.; Tavares, S. Good S-boxes are easy to find. In Advances in Cryptology, Proceedings of the Conference on the Theory and Application of Cryptology (CRYPTO_89), Santa Barbara, CA, USA, 20–24 August 1989; Springer: New York, NY, USA, 1989; pp. 612–615. 11. Jakimoski, G.; Kocarev, L. Chaos and cryptography: Block encryption ciphers based on chaotic maps. IEEE Trans. Circuits Syst. I Fundam. Theory Appl. 2001, 48, 163–169. [CrossRef] 12. Amigó, J.M.; Szczepanski, J.; Kocarev, L. A chaos-based approach to the design of cryptographically secure substitutions. Phys. Lett. A 2005, 343, 55–60. [CrossRef] 13. Tang, G.; Liao, X.; Chen, Y. A novel method for designing S-boxes based on chaotic maps. Chaos Solitons Fractals 2005, 23, 413–419. [CrossRef] 14. Chen, G.; Chen, Y.; Liao, X. An extended method for obtaining S-boxes based on three-dimensional chaotic baker maps. Chaos Solitons Fractals 2007, 31, 571–579. [CrossRef] 15. Wang, Y.; Wong, K.W.; Liao, X.; Xiang, T. A block cipher with dynamic S-boxes based on tent map. Commun. Nonlinear Sci. Numer. Simul. 2009, 14, 3089–3099. [CrossRef] 16. Özkaynak, F.; Özer, A.B. A method for designing strong S-boxes based on chaotic Lorenz system. Phys. Lett. A 2010, 374, 3733–3738. [CrossRef] 17. Hussain, I.; Shah, T.; Gondal, M.A. A novel approach for designing substitution-boxes based on nonlinear chaotic algorithm. Nonlinear Dyn. 2012, 70, 1791–1794. [CrossRef] 18. Khan, M.; Shah, T.; Mahmood, H.; Gondal, M.A. An efficient method for the construction of block cipher with multi-chaotic systems. Nonlinear Dyn. 2013, 71, 489–492. [CrossRef] 19. Lambić,D. A novel method of S-box design based on chaotic map and composition method. Chaos Solitons Fractals 2014, 58, 16–21. [CrossRef] 20. Liu, G.; Yang, W.; Liu, W.; Dai, Y. Designing S-boxes based on 3-D four-wing autonomous chaotic system. Nonlinear Dyn. 2015, 82, 1867–1877. [CrossRef] 21. Belazi, A.; Ellatif, A.A.A. A simple yet efficient S-box method based on chaotic sine map. Optik 2017, 130, 1438–1444. [CrossRef] 22. Belazi, A.; Khan, M.; El-Latif, A.A.A.; Belghith, S. Efficient cryptosystem approaches: S-boxes and permutation substitution-based encryption. Nonlinear Dyn. 2017, 87, 337–361. [CrossRef] 23. Ullah, A.; Jamal, S.S.; Shah, T. A novel construction of substitution box using a combination of chaotic maps with improved chaotic range. Nonlinear Dyn. 2017, 88, 2757–2769. [CrossRef] 24. Khan, M.; Shah, T.; Mahmood, H.; Gondal, M.A.; Hussain, I. A novel technique for the construction of strong S-boxes based on chaotic Lorenz systems. Nonlinear Dyn. 2012, 70, 2303–2311. [CrossRef] 25. Al Solami, E.; Ahmad, M.; Volos, C.; Najam Doja, M.; Mohd Sufyan Beg, M. A New Hyperchaotic System-Based Design for Efficient Bijective Substitution-Boxes. Entropy 2018, 20, 525. [CrossRef] 26. Zhang, Y.Q.; Wang, X.Y. Analysis and improvement of a chaos-based symmetric image encryption scheme using a bit-level permutation. Nonlinear Dyn. 2014, 77, 687–698. [CrossRef] 27. Li, C.; Lin, D.; Lü, J.; Hao, F. Cryptanalyzing an image encryption algorithm based on autoblocking and electrocardiography. IEEE MultiMedia 2018.[CrossRef] 28. Zhang, Y.Q.; Wang, X.Y. Spatiotemporal chaos in Arnold coupled logistic map lattice. Nonlinear Anal. Model. Control 2013, 4, 526–541. Appl. Sci. 2018, 8, 2650 13 of 13

29. Kaneko, K. Theory and Applications of Coupled Map Lattices, 1st ed.; Wiley: New York, NY, USA, 1993. 30. Zhang, Y.Q.; Wang, X.Y. A new image encryption algorithm based on non-adjacent coupled map lattices. Appl. Soft Comput. J. 2015, 26, 10–20. [CrossRef] 31. Zhang, Y.; Wang, X.; Liu, L.; Liu, J. Fractional order spatiotemporal chaos with delay in spatial nonlinear coupling. Int. J. Bifurc. Chaos 2018, 28, 1850020. [CrossRef] 32. Bassham, L.E., III; Rukhin, A.L.; Soto, J.; Nechvatal, J.R.; Smid, M.E.; Barker, E.B.; Leigh, S.D.; Levenson, M.; Vangel, M.; Banks, D.L.; et al. SP 800-22 Rev. 1a. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Appl. Phys. Lett. 2010, 22, 1645–1679. 33. Wang, Y.; Xie, Q.; Wu, Y.; Du, B. A Software for S-box Performance Analysis and Test. In Proceedings of the International Conference on Electronic Commerce and Business Intelligence, Beijing, China, 6–7 June 2009; pp. 125–128. 34. Cusick, T.W.; Stanicˇ a,ˇ P. Cryptographic Boolean Functions and Applications; Academic Press: San Diego, CA, USA, 2009.

c 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).