Multi-Objective Evolution of Strong S-Boxes Using Non-Dominated Sorting Genetic Algorithm-II and Chaos for Secure Telemedicine

There exist several performance criteria for cryptographically-strong substitution boxes (S-boxes), which are often conflicting with each other. Constructing S-boxes that satisfy multiple criteria with optimal tradeoffs is one of the challenging tasks for cryptographers. In practice, the existing S-box design algorithms are used to optimize performance according to a single performance criterion, mainly the nonlinearity, which usually results in weak scores for other equally-significant criteria. To overcome this problem, a multi-objective optimization-based method is presented in this paper. In this method, $8 \times 8$ S-boxes are constructed satisfying multiple criteria of balancedness, high nonlinearity, low differential uniformity, and low auto-correlation. Multiple objectives are fulfilled by applying the chaos-assisted non-dominated sorting genetic algorithm-II to introduce the S-boxes. The performance assessment of the proposed method and the comparative analysis with available optimization tools and other state-of-the-art algorithms demonstrate its proficiency in generating significantly-better S-box solutions with good Pareto-optimal security features. Eventually, the S-boxes with minimum nonlinearity (NL) of 110, differential uniformity (DU) as low as 8, and auto-correlation function (ACF) as low as 80 are obtained after the optimization. Furthermore, the obtained Pareto-optimal S-box is utilized to put forward a medical image encryption algorithm for secure telemedicine services. The suggested encryption algorithm uses an S-box to perform the required permutation and diffusion of images. The encryption performance assessment and comparison analyses validate its effectiveness for securing medical imagery data in telemedicine networks.


I. INTRODUCTION
The field of information technology has progressed rapidly over the years and has become integrated into many different fields, including business, broadcasting, defence, medical care, medicine, and so on. Data is stored on digital devices, and data sharing is accomplished by transmission over communication networks.
The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek.
VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
The need for safe data communication has driven growing interest in cryptographic designs that are more capable of thwarting illegal and unauthorized use of private and personal data [1]. To handle the prominent security issues, present-day block ciphers have played a significant role for the past couple of years. High resistance against attacks is very important for a cipher. In 1949, Claude E. Shannon put forward two properties for codes to hinder cryptanalysis: diffusion and confusion. Diffusion conceals the connection between the plaintext and ciphertext. The connection between the cipher and the key is obscured by confusion [2], [3]. These features have changed the foundations of the design of present-day block ciphers. The building block that helps in creating confusion in block ciphers is the S-box [4], [5]. Block cipher security relies heavily on the strength and cryptographic quality of the adopted S-boxes. These S-boxes are the chief parts of block security systems at the substitution phases, where they carry out the nonlinear transformation and thus induce confusion. Weak S-boxes used in DES are responsible for making it vulnerable to related cryptanalysis. On the other hand, strong cryptographic S-boxes provide resistance against such attacks [6], [7]. Hence, the central role of S-boxes in the security of cryptosystems has motivated extensive research into the design of stronger S-boxes. Consequently, S-box generation techniques have acquired critical significance and are a prominent field of research in security [8].
An S-box of size $n \times n$ is a one-to-one mapping $S$ from bitstrings of $\{0, 1\}^n$ to $\{0, 1\}^n$. It can likewise be viewed as a multi-input and multi-output Boolean function, where each component of $S(x)$ is an $n$-variable function characterized as $f_i : \{0, 1\}^n \to \{0, 1\}$ [9]. An S-box with input and output bits of length $n$ is also referred to as a bijective S-box. Every output value appears only once and must lie in the interval $\{0, 1, 2, \ldots, 2^n - 1\}$. S-boxes are fundamental parts of cryptosystems and are inherently used in block ciphers. Their security significantly depends on the strength of the S-box mapping, which nonlinearly changes plaintext into ciphertext. Finally, the strength of a symmetric cryptosystem relies heavily on the cryptographic strength of the employed S-boxes, which in turn depends on their design method. Hence, for a good symmetric cryptosystem, designing strong S-boxes is truly fundamental [10]. Strategies based on algebraic methods have been examined, as they show solid properties such as resilience to differential/linear cryptanalyses and high nonlinearity [11]. Recent mathematical cryptanalysis has uncovered that they are prone to algebraic attacks [12]. Accordingly, rather than focusing on algorithms based on algebraic methodologies, researchers are investigating alternative S-box design methods to develop stronger S-boxes. Various alternative methodologies have been explored in recent years to produce S-boxes based on various optimization techniques and chaotic systems [13], [14], [15], [16], [17], [18].
The literature shows that a considerable number of S-box studies have been presented, based on chaotic systems and evolutionary methods that can be utilized for producing better S-boxes. G. Chen used the concepts of chaotic swapping and the simulated annealing heuristic to pursue robust S-boxes, which fulfill the significant performance criteria, in [19]. Therein, the Baker map, which is chaotic in nature, is utilized to explore the search space for candidate S-boxes. An efficient S-box has been generated based on the chaotic Chebyshev map. The use of genetic algorithms for S-box optimization was introduced by Wang et al. [20] and Guesmi et al. [21]. The initial population and control parameters for the genetic algorithms are spawned using a 1-D logistic map and a chaotic tent map [20]. In [21], a 3D chaotic Lorenz system was used with the logistic map for mutation and crossover during the genetic algorithm operation. Ant colony optimization was applied to create an optimized arrangement of 8 × 8 S-boxes [22]. For the generation of the initial S-box, which is converted to a travelling salesman problem via an edge matrix, a balanced chaotic tent map is iterated with the logistic map to show good resistance to attacks. A 6D hyper-chaotic system and the artificial bee colony optimization algorithm were introduced for building sturdy 8 × 8 S-boxes [23]. Another strategy, combining chaos and teaching-learning based optimization, was proposed by Farah et al. [24] to acquire keys for building S-boxes. In [25], Hussam et al. explored the firefly algorithm (FA) for enhancing an S-box produced from a discrete chaotic map. In [26], Zhang et al. innovatively utilized the I-Ching operators, extracted from Chinese I-Ching literature, to build optimized S-boxes.
In most of the optimization-based S-box studies available in the literature, only a single performance parameter (usually the nonlinearity measure) has been adopted for optimal S-box design.
Image broadcasting and communication over insecure channels is an indispensable task that should be considered because of the progressive expansion of the Internet and communication networks. Intruders might easily recover the transmitted or broadcast digital images because of the lack of protection on the Internet and telecommunication systems [27]. Accordingly, ensuring the security of the transmitted images has turned into a fundamental concern. The need to secure medical information, particularly clinical images, is growing day by day [28]. The reliability, safe storage, and transmission of digital images are significant concerns in several domains. Expert classification depends on electronic medical images. Consequently, because of the fast progress in the medical sector and telemedicine services, the remote transfer of electronic medical images among hospitals is required. In applied telemedicine, the therapy, diagnosis, and treatment rely upon the clinical images of the person to be treated, which are shared between different locations over modern communication networks [29], [30]. Because of the impact of noise and intruders, unpredictable issues might affect the quality of the communicated images. Digital medical images demand zero tolerance, as they represent trusted and private information [31], [32], [33]. An effective encryption scheme is needed in order to offer adequate security for the sensitive data shared or exchanged over insecure channels in telemedicine networks. Here, a simple yet efficient encryption method based on generating strong S-boxes is advocated to secure the clinical imagery data exchanged between specialists and patients during tele-consultation for the correct case diagnosis as a secure telemedicine service.
In this paper, we introduce an approach that can satisfy multiple performance criteria instead of only one. Three crucial performance parameters of strong S-boxes have been optimized using the multi-objective optimization NSGA-II method. In addition, an image encryption scheme is suggested for securing clinical imagery data of patients in telemedicine networks. The significant contributions made in the paper are as follows:
1. A novel method for multi-parameter optimization for generating secure 8 × 8 S-boxes using NSGA-II is presented.
2. Three crucial performance parameters, namely nonlinearity (NL), differential uniformity (DU), and auto-correlation function (ACF), are considered for multi-objective optimization to obtain Pareto-optimal S-boxes.
3. A discrete chaotic map is utilized to generate initial populations and values of other variables of the proposed method.
4. The performance of the proposed method is analyzed and a comparison of the generated S-boxes with existing related S-boxes is also presented.
5. The designed S-boxes are applied to secure the digital medical imagery data used in the telemedicine environment to validate their suitability for the encryption of healthcare radiological and other imagery data.
6. The performance of medical image encryption is assessed against statistical analysis, confirming the good encryption quality.
The remaining parts of the paper are offered as follows.
The details of the NSGA-II are provided in Section II. Performance parameters chosen for multi-objective optimization of S-boxes are described in Section III. Section IV introduces the proposed method for getting Pareto-optimal S-boxes using NSGA-II. The performance of the proposed method is discussed, and the cryptographic strength of the proposed S-boxes is discussed in Section V. The application of the proposed S-box for the security of medical images in healthcare networks is presented in Section VI. Section VII gives the conclusion of the research work in this paper.

II. NON-DOMINATED SORTING GENETIC ALGORITHM-II
Non-dominated sorting genetic algorithm II is a multi-objective optimization algorithm, which was developed by Deb et al. [34]. It is one of the efficient algorithms to solve multi-objective problems (MOP), where there exist conflicting performance criteria. For a designer, it is not sensible to neglect one parameter in favour of another while pursuing an efficient solution to the problem under investigation. The NSGA-II holds several merits over the standard genetic algorithm (GA) in terms of steering towards optimal solutions. It has better diversity and time complexity. Its operation begins with the generation of the initial population, like other meta-heuristic algorithms. The fitness values of each individual in the initially-spawned population are determined as per the chosen performance parameters.
The initial population is sorted through the non-dominated sorting approach and decomposed into various fronts. The dominance is decided by the fitness value of the individuals. Non-dominated individuals of the population reside on the very first front. The individuals of the former front are dominated by the individuals of the later fronts during any iteration and so on. In NSGA-II, the diversity is maintained through the crowding distance feature. Under this condition, the distance of individuals from their neighbors is computed. It has been argued that the mean crowding distance should be higher for diversity and significance of desired results [35]. This process is followed by the tournament selection operation, which aims to choose the parents on the basis of lower fitness values and higher crowding distances. Unlike the standard GA, the offspring are formed through crossover and mutation operations. This causes the formation of new populations of offspring. Now, the non-dominated sorting is again executed to obtain the best individuals for the population size restriction. The motivation behind using NSGA-II is that it has fast and efficient convergence, can tackle problems that begin in non-feasible regions, can handle the non-penalty constraint effectively, and employs non-dominated sorting concepts to determine the optimal fronts along with the crowding distance operation [36]. The basic flow of the NSGA-II is illustrated in Figure 1.

III. S-BOX PERFORMANCE PARAMETERS
The main target of using S-boxes in cryptosystems is to transform the input data into ciphertext data in a highly nonlinear fashion. That is, a nonlinear change is induced in the input secret data. The degree of the nonlinear transformation corresponds to the high nonlinearity score of the S-box, which in turn is also responsible for providing robustness against linear attacks or cryptanalysis. The NL of the S-box is deemed the most crucial feature of the S-box for designers. Therefore, it has mainly been treated as the deciding parameter while designing S-boxes in almost all S-box studies investigated so far except a few [37]. Besides the NL, the DU is equally significant in resisting the potential cryptanalysis as stated by Biham et al. [38]. An S-box should have a low score of DU to leak no information or clue to the attackers. Moreover, the global Avalanche criteria (GAC) are examined as the decisive cryptographic quality metrics, which lead to effective diffusion [39]. The GAC characteristic of S-boxes is measured through the ACF. It is also known as the absolute indicator of the S-box. With this reasoning and motivation, the three vital performance parameters, i.e., NL, DU, and ACF, have been adopted as optimization objectives using the multi-objective meta-heuristic NSGA-II to generate optimal S-boxes. Specifically, these three parameters are discussed in what follows.

A. NONLINEARITY
The nonlinearity of a Boolean function $f$ is the smallest distance from $f$ to the set of all affine functions [37]. Along these lines, the S-box constituent function $f$ ought to have nonlinearity $\eta_f$ defined as: Here, the Walsh-Hadamard transform of the function $f$ is $WH_{\max}(f)$ [40]. Any $n$-variable function is considered weak if it has low nonlinearity. Maximizing the nonlinearity of a balanced Boolean function is viewed as one of the desirable characteristics responsible for providing strength against any sort of attack related to linearity [41].

B. DIFFERENTIAL UNIFORMITY
Differential uniformity is estimated to discover the ability of the S-box to resist the expected differential cryptanalysis. This is a chosen-plaintext attack outlined by Biham and Shamir against DES-like block ciphers [38]. Differential uniformity (DU) addresses the maximum likelihood of creating an output differential $y = y_i \oplus y_j$ when the input differential is $x = x_i \oplus x_j$. In this strategy, the XOR distribution among inputs and outputs of $S$ is analyzed. Numerically, it is evaluated as: Its value ought to be as low as possible to resist the Biham and Shamir potential differential cryptanalysis.

C. AUTO-CORRELATION FUNCTION
Let $\alpha(t)$ and $\beta(t)$ be Boolean functions, and let the cross-correlation of these two functions, denoted by $\hat{c}_{\alpha\beta}(s)$, be defined as [42]: In the case of binary Boolean functions $\alpha$, the auto-correlation is expressed as $\hat{c}_{\alpha\alpha}(s)$, that is, the squares of values of the spectrum of $\alpha$ are the values of the spectrum of the ACF [42]. The ACF for $GF(2^m) \to GF(2^n)$ is designated as $r_\alpha(s)$. The mathematical formulation to compute the ACF is given as: The lower value of ACF is desirable for a strong S-box that satisfies GAC and effective diffusion [39].
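The three objectives can be computed directly from an S-box lookup table. The following is an added example, not code from the paper: it assumes the standard textbook definitions (NL from the Walsh-Hadamard spectrum of each coordinate function, DU from the XOR distribution table, ACF as the largest absolute auto-correlation over the coordinate functions), and it uses the AES S-box and the identity mapping only as reference inputs with well-known scores.

```python
"""Added example: NL, DU and ACF of an 8x8 S-box, using the standard definitions."""


def coordinate(sbox, bit):
    """Truth table (list of 0/1) of output bit `bit` of the S-box."""
    return [(y >> bit) & 1 for y in sbox]


def walsh_hadamard(truth_table):
    """Fast Walsh-Hadamard transform of the +1/-1 form of a Boolean function."""
    w = [1 - 2 * b for b in truth_table]
    step = 1
    while step < len(w):
        for start in range(0, len(w), 2 * step):
            for i in range(start, start + step):
                a, b = w[i], w[i + step]
                w[i], w[i + step] = a + b, a - b
        step *= 2
    return w


def nonlinearity(truth_table):
    """Distance to the nearest affine function: 2^(n-1) - max|WH(f)| / 2."""
    peak = max(abs(v) for v in walsh_hadamard(truth_table))
    return (len(truth_table) - peak) // 2


def differential_uniformity(sbox):
    """Largest XOR-distribution-table entry over all non-zero input differences."""
    worst = 0
    for dx in range(1, len(sbox)):
        counts = [0] * len(sbox)
        for x in range(len(sbox)):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst


def autocorrelation(truth_table):
    """Absolute indicator: max over s != 0 of |sum_x (-1)^(f(x) xor f(x xor s))|."""
    signs = [1 - 2 * b for b in truth_table]
    size = len(signs)
    return max(abs(sum(signs[x] * signs[x ^ s] for x in range(size)))
               for s in range(1, size))


def evaluate(sbox, n_bits=8):
    """Score an S-box; `objectives` is the minimisation vector (-NL, DU, ACF)."""
    nl = [nonlinearity(coordinate(sbox, b)) for b in range(n_bits)]
    du = differential_uniformity(sbox)
    acf = max(autocorrelation(coordinate(sbox, b)) for b in range(n_bits))
    return {
        "bijective": sorted(sbox) == list(range(1 << n_bits)),
        "nl_per_coordinate": nl,
        "nl": min(nl),
        "du": du,
        "acf": acf,
        "objectives": (-min(nl), du, acf),
    }


def aes_sbox():
    """Reference input: AES S-box (inverse in GF(2^8), then the affine map)."""
    def gmul(a, b):
        r = 0
        for _ in range(8):
            if b & 1:
                r ^= a
            carry = a & 0x80
            a = (a << 1) & 0xFF
            if carry:
                a ^= 0x1B  # reduce modulo x^8 + x^4 + x^3 + x + 1
            b >>= 1
        return r

    inverse = [0] * 256
    for a in range(1, 256):
        inverse[a] = next(b for b in range(1, 256) if gmul(a, b) == 1)

    def rotl(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF

    return [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63
            for v in inverse]


if __name__ == "__main__":
    for name, box in (("AES", aes_sbox()), ("identity", list(range(256)))):
        print(name, evaluate(box))
```

The identity mapping is bijective yet scores the worst possible value on all three objectives, which is why bijectivity alone says nothing about strength.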

IV. PROPOSED S-BOX GENERATION METHOD
Construction of cryptographically strong and robust S-boxes has been one of the challenging tasks for researchers, scholars, and security experts. Conventionally, the NL has been adopted for strong S-box design in almost all S-box studies investigated so far. In the literature, several optimization-based S-box studies are available. They generate S-boxes with optimal NL only. In contrast, other equally-significant parameters have to be considered to enhance the security of S-boxes for usage in block ciphers. One feature of the S-box cannot be overlooked compared to the other features.
In addition, some trade-offs must be made for obtaining a suitable and strong configuration of the S-box. The decision of the optimal trade-off among features of S-boxes cannot be made manually. To overcome these limitations and shortcomings of the existing methods, a novel S-box design method is suggested in this paper, which heuristically achieves a good trade-off among the adopted performance parameters to obtain the optimal S-boxes. The generation of optimal S-boxes that satisfy multiple performance parameters using an improved version of the NSGA-II is discussed as follows.

A. DISCRETE CHAOTIC MAP
In [35], random numbers with uniform distribution have been suggested for use in the NSGA-II. Recent research focused on the use of deterministic chaotic sequences from chaotic maps to augment the efficiency of the NSGA-II [43], [44]. Therefore, in order to proceed with such findings and to generate optimal S-boxes under the control of keys, we incorporated a simple but rich-in-dynamics chaotic map defined in Eqn. (4). The chaotic map is incorporated during the initial S-box population generation, tournament selection, crossover, and mutation operations.
where $\varepsilon$ is the map bifurcation parameter and $\psi_i$ is a chaotic variable that lies in [0, 1]. This map converges to zero when $\varepsilon$ is an even integer. However, the analysis shows that this map has chaotic performance only when $\varepsilon$ is floating-point and greater than unity. It has a positive Lyapunov exponent, which is a measure of the degree of chaos and the sensitivity to initial conditions, when $\varepsilon > 1$ [35].

B. ALGORITHM
The proposed algorithm for the design of optimal S-boxes satisfying multiple performance criteria simultaneously using multi-objective NSGA-II optimization is presented in this section. The multi-objective optimization of performance parameters is treated as a minimization problem. Hence, the suggested optimization process works by minimizing the negative of NL, minimizing the DU, and minimizing the ACF in addition to bijectivity criterion.

1) INITIAL POPULATION GENERATION
The NSGA-II is a population-based multi-objective optimization algorithm. Therefore, the proposed method requires spawning of a set of bijective 8 × 8 S-boxes as initial population to begin the processing. As mentioned earlier, the usage of deterministic chaos for effective NSGA-II is adopted and the initial N S-boxes are generated using the chaotic map defined in Eq. (4). The process of initial population generation is dynamic, deterministic and key-dependent, which makes it suitable for key-controlled cryptographic applications. The process of generating S-boxes of initial population is given in Algorithm 1.
As discussed earlier in Section III, the three crucial performance parameters of S-boxes, namely the NL, DU, and ACF, have been chosen as the parameters to be optimized for strong S-box generation at Pareto-fronts. These three parameters of S-boxes are responsible for providing strong resistance to pertinent cryptanalysis (like linear and differential attacks), and strong diffusion. During optimization, the maximization of NL and the minimization of DU and ACF are desired for strong S-box generation.

3) NON-DOMINATED SORTING
The non-dominated sorting is applied to the generated population of S-boxes so as to decide the dominance of solutions at each iteration. The dominance is determined by the fitness values of the individual S-boxes. It is worth mentioning that the dominance of solution vector $U$ over solution vector $V$ in multi-objective problems is decided iff where $fit_i$ is the $i$-th fitness value or objective of solution vectors. Non-dominated S-boxes of the population reside in the first front. The S-boxes of former front are dominated by the S-boxes of the later fronts during any iteration and so on.

4) CROWDING DISTANCE
The NSGA-II maintains the diversity through the crowding distance operation. Here, the distance of individuals from their neighbors is calculated. A higher value of crowding distance is preferred for diversity and significance of the obtained results. This module computes the required crowding distances of individual S-boxes, which will help to make rational selection of S-boxes.

5) TOURNAMENT SELECTION
This operation selects the pool of parents having better leading factors based on fitness values or higher crowding distances. Two indices generated randomly using the chaotic map help to choose the individual S-boxes from the population. The S-box as a parent comes ahead in the pool if it has a better leading factor. If the leading factors are the same, then selection is based on the higher crowding distance compared to other individual S-boxes.
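The sorting, crowding-distance and tournament steps described above can be followed on a small population of fitness vectors. This is an added example, not the paper's implementation: it assumes the usual NSGA-II dominance rule (no objective worse, at least one strictly better), takes the front index as the "leading factor", and uses constructed (NL, DU, ACF) scores encoded as the minimisation vector (-NL, DU, ACF).

```python
"""Added example: NSGA-II ranking steps on (-NL, DU, ACF) fitness vectors."""


def dominates(u, v):
    """u dominates v: no objective is worse and at least one is strictly better."""
    return all(a <= b for a, b in zip(u, v)) and any(a < b for a, b in zip(u, v))


def non_dominated_sort(objs):
    """Return a list of fronts (lists of indices); front 0 is non-dominated."""
    n = len(objs)
    beaten = [[] for _ in range(n)]   # beaten[i]: solutions that i dominates
    pending = [0] * n                 # pending[i]: how many still dominate i
    fronts = [[]]
    for i in range(n):
        for j in range(n):
            if i == j:
                continue
            if dominates(objs[i], objs[j]):
                beaten[i].append(j)
            elif dominates(objs[j], objs[i]):
                pending[i] += 1
        if pending[i] == 0:
            fronts[0].append(i)
    while fronts[-1]:
        nxt = []
        for i in fronts[-1]:
            for j in beaten[i]:
                pending[j] -= 1
                if pending[j] == 0:
                    nxt.append(j)
        fronts.append(nxt)
    return fronts[:-1]


def crowding_distance(objs, front):
    """Sum over objectives of the normalised gap between each point's neighbours."""
    dist = {i: 0.0 for i in front}
    for m in range(len(objs[0])):
        order = sorted(front, key=lambda i: objs[i][m])
        lo, hi = objs[order[0]][m], objs[order[-1]][m]
        dist[order[0]] = dist[order[-1]] = float("inf")  # keep the extremes
        if hi == lo:
            continue
        for k in range(1, len(order) - 1):
            gap = objs[order[k + 1]][m] - objs[order[k - 1]][m]
            dist[order[k]] += gap / (hi - lo)
    return dist


def rank_population(objs):
    """Front index and crowding distance for every individual."""
    rank, dist = {}, {}
    for level, front in enumerate(non_dominated_sort(objs)):
        dist.update(crowding_distance(objs, front))
        for i in front:
            rank[i] = level
    return rank, dist


def tournament(i, j, rank, dist):
    """Prefer the lower front; on a tie prefer the larger crowding distance."""
    if rank[i] != rank[j]:
        return i if rank[i] < rank[j] else j
    return i if dist[i] >= dist[j] else j


# Constructed sample scores (NL, DU, ACF); not values from the paper's tables.
SCORES = [(112, 12, 112), (110, 10, 96), (108, 10, 88),
          (106, 8, 80), (108, 10, 96), (106, 12, 104)]
OBJECTIVES = [(-nl, du, acf) for nl, du, acf in SCORES]

if __name__ == "__main__":
    rank, dist = rank_population(OBJECTIVES)
    for idx, score in enumerate(SCORES):
        print(idx, score, "front", rank[idx], "crowding", dist[idx])
```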

6) CROSSOVER
The crossover operation is applied to generate the new offspring S-boxes. In order to bring a diversity of solutions, the crossover is done on randomly-chosen parents from the pool maintained earlier. The random generation of parent indices is again made with the help of a chaotic map. The number of crossover operations to generate offspring depends on the crossover probability p.

7) MUTATION
The mutation operation helps to avoid trapping of solutions in local optima. It helps to have diversity and makes the optimization process faster to achieve global optima. In the proposed method, the mutation in an individual S-box of the pool is performed by swapping its two elements. The choice of an individual S-box and its two elements is made randomly with the help of a chaotic map. The mutation operation is made N × q times, where q is the mutation probability. The mutation probability is kept low as compared to the crossover probability.

8) ADJUSTMENT
Bijectivity is one of the main features of the proposed S-box generation method. It entails that the elements of an 8 × 8 S-box should all be distinct and lie in the interval $[0, 2^8 - 1]$. However, the crossover operations on parent S-boxes may lead to the generation of offspring with disturbed bijectivity. Thus, an adjustment process on all offspring is required to guarantee the bijective nature of the child S-boxes. Hence, after crossover and mutation operations, adjustments have to be done on the offspring to restore the bijectivity of offspring S-boxes.
The proposed method for generating S-boxes using the multi-objective NSGA-II satisfying multiple performance parameters is given in Algorithm 2.

Algorithm 2 S-Box Generation Using NSGA-II With Multiple Parameter Optimization
begin
Initialization:
1. N = number of initial population
2. max_itr = number of iterations
3. ψ = initial value of chaotic map
4. ε = parameter of chaotic map
Generate initial population of S-boxes:
5. ψ = chaotic_map(ψ, ε, 100
Perform crossover of parents from population, whose indices are obtained from pool array to get offsprings.
21. Perform mutation on generated offsprings from 2N population, whose indices are also given in pool array.
end while
Output the best S-boxes:
32. Display the S-boxes from the first front
end
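The loss of bijectivity under crossover, and its repair, can be seen on two parent permutations. This is an added example, not the paper's code: the one-point crossover, the repair rule (each repeated value is replaced by an unused one, first occurrences stay in place) and the seeded `random.Random` standing in for the chaotic map are all assumptions, since the page does not spell these details out.

```python
"""Added example: crossover breaks bijectivity; adjustment restores it."""
import random


def is_bijective(sbox):
    """True when the table is a permutation of 0 .. len-1."""
    return sorted(sbox) == list(range(len(sbox)))


def one_point_crossover(p1, p2, cut):
    """Assumed operator: head of parent 1 joined to the tail of parent 2."""
    return p1[:cut] + p2[cut:]


def repair(child):
    """Adjustment step: overwrite repeated values with the missing ones."""
    seen = set()
    repeats = []                      # positions holding a second occurrence
    for pos, value in enumerate(child):
        if value in seen:
            repeats.append(pos)
        else:
            seen.add(value)
    missing = [v for v in range(len(child)) if v not in seen]
    fixed = list(child)
    # For a table of length n with values below n, the two lists match in size.
    for pos, value in zip(repeats, missing):
        fixed[pos] = value
    return fixed


def swap_mutation(sbox, i, j):
    """Swapping two entries of a permutation keeps it a permutation."""
    out = list(sbox)
    out[i], out[j] = out[j], out[i]
    return out


def make_offspring(p1, p2, rng):
    """Crossover, adjustment, then one swap; rng stands in for the chaotic map."""
    cut = rng.randrange(1, len(p1))
    child = repair(one_point_crossover(p1, p2, cut))
    i, j = rng.sample(range(len(child)), 2)
    return swap_mutation(child, i, j)


if __name__ == "__main__":
    parent_a = list(range(256))            # constructed parent: identity
    parent_b = list(range(255, -1, -1))    # constructed parent: reversal
    raw = one_point_crossover(parent_a, parent_b, 100)
    print("raw child bijective:", is_bijective(raw),
          "distinct values:", len(set(raw)))
    print("repaired bijective:", is_bijective(repair(raw)))
```

A child that skips the adjustment is not invertible, so any cipher built on it cannot decrypt; checking `is_bijective` on every offspring before scoring it is a cheap guard.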

V. EXPERIMENTAL RESULTS AND ANALYSIS
We performed a set of experiments and simulations to assess the performance of the proposed S-box generation method for triple-objective optimization in addition to bijectivity. The implementation has been done on Windows 8.1 Pro with Intel i5-4590 CPU @ 3.3GHz, 4GB RAM, and 500GB storage using Python programming. The default experimental settings are as follows:
- max_itr = 5000
- crossover probability (p) = 0.7
- mutation probability (q) = 1 − p
In what follows, we present the results and analysis of the proposed method for generating S-boxes, and its security compared with existing optimization-based S-box generation methods.
Figures 2, 3 and 4, respectively. Consequently, we obtained the finally-optimized S-boxes after completion of 5000 iterations. The proposed multi-objective evolution method strives sensibly to find a good Pareto-optimal combination of the three adopted objectives. The fitness values of the objectives get better as a whole as the iterations progress with time. As can be seen from the figures, there are three optimized S-boxes (named $F_1$, $F_2$, and $F_3$) found at the first front after 5000 iterations. One such final S-box from the final first front is given in Table 1. This S-box is chosen as the best one among the final three. The NL scores of all eight coordinate Boolean functions of the three 8 × 8 S-boxes are shown in Table 2. It is evident that these S-boxes have admirable NL performance, as the minimum and maximum values are 110 and 112 for each of these S-boxes. Table 3 presents the optimized fitness values of all three final S-boxes for the proposed method.
The statistics show that DU and ACF scores as low as 8 and 80, respectively, have been achieved through the proposed method, unlike many optimization-based and chaos-based S-box generation methods available in the literature, which are merely better in NL.

B. QUALITY INDICATOR OF SOLUTION SETS
The multi-objective optimization method works on more than one objective function simultaneously. It is evident that such objectives often conflict with each other, and hence it is difficult to have the best value of all the objectives under consideration. Instead of a single optimal solution, there exist multiple Pareto-optimal solution sets. Not all generated Pareto-optimal solutions are significant. Therefore, there is a need to evaluate the quality of the Pareto-optimal sets when comparing the behavior of different optimizers or approaches. Focusing on the convergence aspect of solution sets, there is a quality indicator known as generational distance (GD), which evaluates the quality of the obtained where $g(x_k, PF)$ stands for the $L_2$-norm Euclidean distance of $x_k$ to the Pareto front $PF$. In practice, a reference set which well represents the PF is utilized. It is worth mentioning that a minimum GD score is desired, as it indicates that the solution set tends to show better progress towards the PF, i.e., the solution set has better convergence towards the PF. To perform the GD analysis of the solution sets generated by the proposed method and to justify the selection of tri-objective optimization instead of bi-objective cases, we evaluated the GD for the three possible cases of bi-objective optimization. The GD evaluation and analysis is carried out for (1) NL and DU, (2) NL and ACF, (3) DU and ACF, and (4) NL, DU and ACF.
The obtained GDs and their behavior for the mentioned four scenarios are graphically shown in Figure 5. The analysis reveals that the tri-objective problem shows a lower score of 0.07 compared to other 3 cases of bi-objective problems.

C. OTHER CRYPTOGRAPHIC FEATURES OF GENERATED S-BOXES
In practice, there are few other security parameters to gauge the quality, power, and robustness of S-boxes. This section is focused on the analysis of S-boxes based on strict Avalanche criteria (SAC), bit independence criteria (BIC), and linear approximation probability (LAP).

1) STRICT AVALANCHE CRITERIA (SAC)
The SAC for S-boxes [45] was suggested by Webster and Tavares. For an S-box to fulfill the SAC, the inversion of a single bit of the input vector must cause fifty percent of the bits of the output vector to change. A value close to 0.5 is regarded as acceptable. The computation of the dependency matrix is performed by the methodology mentioned in [46]. The values of the matrix reveal that every entry is close to 0.5. The mean of the dependency matrices provides the SAC of the three S-boxes $F_1$, $F_2$, and $F_3$ as 0.4995, 0.5032, and 0.4929, respectively. The SAC values close to 0.5 signify that the proposed S-boxes gracefully fulfill the SAC.

2) BIT INDEPENDENCE CRITERIA (BIC)
Another similarly critical criterion for strong S-boxes is the BIC. A strategy to check BIC was recommended by Adams and Tavares in [45] and [46]. Suppose that the Boolean function components of an 8 × 8 S-box are $f_1, f_2, \ldots, f_8$. If the S-box meets BIC, the Boolean function XOR($f_j$, $f_k$) (where $j \neq k$ and $1 \le j, k \le 8$) ought to be highly nonlinear [51], [52]. Thus, BIC is confirmed by computing the NL of each of the 56 such XOR($f_j$, $f_k$) functions for any 8 × 8 bijective S-box. The NL scores of these functions for our three S-boxes are computed and displayed in Table 4. The scores of BIC for S-boxes $F_1$, $F_2$, and $F_3$ are found to be 103.93, 103.93, and 104.21, respectively. The obtained scores reveal good satisfaction of BIC.

3) LINEAR APPROXIMATION PROBABILITY (LAP)
The linear approximation probability is useful in computing the imbalance of an event. Matsui in [47] presented the largest value of imbalance of an event measured with the assistance of examination. There should be no distinction of bit uniformity between the output and the input. Each of the input bits along with the corresponding output bits is analyzed independently. Suppose that the number of input elements is $2^n$, $d$ is the class of all potential inputs, and the masks applied to the corresponding output and input bits are $m_a$ and $m_b$. Then, the maximum linear approximation is the greatest number of coinciding outcomes, and it is mathematically determined as follows: A low value of this probability means that the S-box is more capable of resisting linear cryptanalysis. The LAP scores of the three designed S-boxes come out the same, with a value of 0.140625. This score is low, and it provides resistance to linear cryptanalysis.

D. PERFORMANCE COMPARISON WITH OTHER OPTIMIZATION-BASED S-BOXES
In order to assess the proposed Pareto-optimized S-boxes, the designed S-boxes have been compared with other existing S-boxes, which are based on meta-heuristics. The literature reveals that a number of meta-heuristics have been investigated to obtain optimized 8 × 8 S-boxes. The Tiki-Taka algorithm (TTO) [48], Bacteria foraging optimization (BFO) [49], fireworks algorithm [50], Jaya optimization [51], Cuckoo search (CS) [52], human behaviour based optimization (HBBO) [53], genetic algorithms (GA) [20], sine-cosine optimization (SCO) [54], firefly algorithm [24], teaching-learning based optimization (TLBO) [25], I-Chings optimization (ICO) [26], ant colony optimization (ACO) [22], artificial bee colony optimization (ABC) [23], and particle swarm optimization (PSO) [55] have been considered. The Pareto-optimal S-boxes from the first front for the proposed method are compared. The comparative analysis on standard performance parameters is presented in Table 5. Besides, optimized fitness objectives, i.e., NL, DU, ACF, and other security metrics are also compared. It is evident from the comparison study that the Pareto-optimal S-boxes obtained with the proposed multi-objective optimization method have reached high NL scores compared to other optimization-based S-boxes. On the basis of resistance to differential cryptanalysis, the S-box $F_3$ has a low DU score of 8, thereby showing better robustness against DC attack compared to all other S-box studies. Moreover, the generated S-boxes $F_1$, $F_2$, and $F_3$ also have good ACF scores, as desired for good diffusion, compared to all other existing optimization-based S-boxes. We picked S-box $F_3$, generated from the given experimental settings, as the best candidate among all three of the first front, as it shows a trade-off among the three objective parameters.
In addition, it is important to consider the performance of the S-box generation using the GA and chaos as investigated by Wang et al. [20]. Therein, the authors utilized the 1D logistic and PWLCM maps to generate the initial population, and their experimental results showed that N = 5000 populations were initially generated. This value of N is too large compared to N = 250 in the proposed method. Moreover, the authors worked only on the NL during the optimization phase of the GA and achieved a minimum NL of 108, which is lower than our minimum NL of 110. Unfortunately, the other equally-significant security metrics, DU = 10 and ACF = 96, were poor, which shows low diffusion for the S-box generated by Wang [20] compared to the proposed S-box. We were able to achieve a DU as low as 8 and an ACF as low as 80 with the proposed multi-objective NSGA-II and chaos method. The comparative analysis based on NL, DU, and ACF with various S-box optimization methods is also graphically depicted in Figure 6. It is clear that the proposed S-box generation method through multi-objective optimization is able to yield S-boxes with high cryptographic robustness and security strength.

VI. SECURE TELEMEDICINE APPLICATIONS
Telemedicine services such as telediagnosis and teleconsultation demand data interchange over insecure public open networks. Protection of the integrity and confidentiality of medical images has been a problem in the governance of medical services [56], [57]. Confidentiality means that unauthorized parties should not be granted access to medical images during transmission. Integrity means that sensitive images should not be altered in any way during communication.
In general, a medical image consists of two parts, an image header and an image body. The header, which carries the patient's sensitive identifying data, needs to be safeguarded by all protection means, while the issue of major concern for the medical images is image integrity. In telediagnosis, a medical image is distributed among a group of clinicians, and every one of them has all the data related to the patient's medical case [58]. Revealing the confidential clinical data about a patient's serious medical condition to each of the clinicians is a challenging protection concern. Mandates for guaranteeing health data protection have been issued by governments, such as the Health Insurance Portability and Accountability Act (HIPAA), under which medical institutions are expected to take appropriate steps to guarantee that a patient's data is only handed to people who have legal access. Telemedicine image protection is about preserving the privacy of the patient's critical information in the image and ensuring data integrity, which prevents illegal alterations of the medical images in telemedicine networks [59], [60]. This section puts forward an image encryption scheme based on our Pareto-optimal S-box for strong and fast medical image protection in telemedicine environments. Our proposed encryption scheme employs the S-box for shuffling and substitution in a novel and simple manner. The operations performed under the suggested encryption scheme include the following.
Step 1. Generate S-Box SB using the proposed method discussed in Section IV.
Step 2. Take as input a pending plain-image P.
Step 3. Evaluate 512-bit hash code H of the plain-image P using the SHA-512 hash function.
Step 4. Convert the hash code H into 64 bytes, i.e. as a block K consisting of 64 bytes.
Step 5. Convert the input image to a 2D vector of size 256 × L. The image has 256 rows and L columns.
Step 6. Perform shuffling of rows through the generated S-box SB by moving row at index ω to row at index SB(ω), where ω = 1, 2, ..., 256.
Step 7. Decompose the image into W blocks of 64 bytes.
Step 8. Perform substitution of blocks in forward direction (from first block to last one) using S-Box SB and hash code K as: where x is the block number in the shuffled image PA, y is the quarter of the S-Box SB, and it takes values as y = (x)mod(4).
Step 11. Decompose the image into blocks of 64 bytes.
Step 13. Display C as the encrypted image.
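The following added example (not the authors' code) implements Steps 3 to 7 and the inverse of the Step 6 row shuffle that decryption needs; the substitution steps are not included because their equations are not given above. The S-box is a constructed bijection standing in for SB, row indices are 0-based, and all function names are assumptions.

```python
import hashlib

def make_demo_sbox():
    """Constructed stand-in for SB: a bijection on 0..255 (not the paper's S-box)."""
    return [(167 * x + 13) % 256 for x in range(256)]

def derive_key_block(plain: bytes) -> bytes:
    """Steps 3-4: SHA-512 of the plain-image, used as the 64-byte block K."""
    return hashlib.sha512(plain).digest()

def to_rows(plain: bytes):
    """Step 5: view the image as 256 rows of L bytes each."""
    if len(plain) == 0 or len(plain) % 256:
        raise ValueError("image size must be a non-zero multiple of 256 bytes")
    L = len(plain) // 256
    return [plain[r * L:(r + 1) * L] for r in range(256)]

def shuffle_rows(rows, sbox):
    """Step 6: move the row at index w to index SB(w)."""
    if sorted(sbox) != list(range(256)):
        raise ValueError("S-box must be bijective or rows would be overwritten")
    out = [None] * 256
    for w, row in enumerate(rows):
        out[sbox[w]] = row
    return out

def unshuffle_rows(rows, sbox):
    """Inverse of Step 6, used on the decryption side."""
    return [rows[sbox[w]] for w in range(256)]

def to_blocks(rows):
    """Step 7: split the shuffled image into 64-byte blocks."""
    data = b"".join(rows)
    return [data[i:i + 64] for i in range(0, len(data), 64)]

def demo():
    # Constructed 256 x 256 test image: a diagonal gradient.
    plain = bytes((r + c) % 256 for r in range(256) for c in range(256))
    sbox = make_demo_sbox()
    key = derive_key_block(plain)
    shuffled = shuffle_rows(to_rows(plain), sbox)
    blocks = to_blocks(shuffled)
    restored = b"".join(unshuffle_rows(shuffled, sbox))
    return key, blocks, restored == plain

if __name__ == "__main__":
    k, b, ok = demo()
    print(len(k), len(b), ok)
```

Because K is the hash of the plain-image itself, the receiver cannot recompute it from the cipher-image and has to obtain it as part of the key material.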
The suggested encryption scheme based on the Pareto-optimal S-box generated using the proposed method is also described through the flowchart shown in Figure 7. The decryption algorithm is applied in a reverse manner to get the decrypted image with correct key values. An encryption scheme makes drastic modifications to the content of the encrypted image body. The magnitude of the distortions that take place in the image determines the quality of encryption offered by the scheme. It needs to be quantified statistically and compared with the state-of-the-art methods [61], [62]. We applied the proposed encryption scheme to encrypt some medical images and the Lena image, which are shown in Figure 8a. Several performance metrics have been evaluated in order to statistically assess the encryption strength of the proposed encryption scheme. The standard set of performance metrics chosen for the assessment of our scheme includes histogram analysis through the Chi-square test, visual security analysis, adjacent pixel correlation analysis, information entropy analysis, differential attack (plain-image sensitivity) analysis, and speed analysis. The obtained performance results are also compared to those of some recent S-box based image encryption schemes.

A. HISTOGRAM ANALYSIS
Statistical attacks exploit information leakage that is evident through the distribution of the encrypted content. To mitigate such attacks, the distribution of encrypted data should be as uniform as possible. Likewise, a strong image encryption algorithm should be able to bring randomness into the encrypted information. One way to visualize the scattering of image information is its histogram. A histogram depicts the frequency of image pixels per intensity level. Hence, the histograms of encrypted images should have uniform frequencies across all their pixel levels. Intuitively, the histogram should be as flat and uniform as possible to showcase the effectiveness of the encryption algorithm in making statistical attacks complicated for the attackers [63]. The histograms of encrypted images shown in Figure 9b demonstrate the uniform distribution of pixels. Hence, the encrypted images seem not to leak information about the plain images. The histograms of encrypted images are fairly flat and uniform, similar to perfectly-random or noise-like images. The chi-square measure $\chi^2$ is computed to quantify and verify the uniform distribution of image pixels in the encrypted images. Mathematically, the chi-square is computed as: where $p_0$ = numPixels/256, numPixels is the total number of pixels in the image, and $p_i$ is the frequency of the gray intensity $i$. A score of less than 293.2478 at a significance level of 0.05 denotes the expected value of the $\chi^2$ measure [64]. We compute the $\chi^2$ scores for both the pending plain-images and the encrypted images. The results obtained are displayed in Table 6. It is quite evident that the $\chi^2$ scores for plain-images are extremely high, thereby showing a high imbalance among the pixel gray level frequencies. On the other hand, the encrypted images have $\chi^2$ scores that are close to the expected value, and hence the proposed encryption scheme passes the $\chi^2$ test, and it can be said that the proposed encryption scheme does not leak information to the statistical analysis of attackers.

B. VISUAL SECURITY ANALYSIS
The basic requirement of any encryption scheme is to provide visual protection of the plain-text data, hiding the real content or information against any unwanted acquisition. The encrypted images obtained from the proposed encryption scheme are displayed in Figure 9a. One can easily observe that the encrypted images are highly distorted and indistinguishable compared to their respective plain-images. Unauthorized observers cannot get an idea of the real content through visual inspection [64]. To quantify the degree of visual content security, we calculated the mean square error (MSE), peak signal-to-noise ratio (PSNR), and structure similarity index measure (SSIM) for each pair of plain and encrypted images. The results obtained are depicted in Table 7. The high MSE scores, small PSNR and extremely low SSIM indicate that the plain images and encrypted images are highly different and dissimilar. Hence, the proposed encryption scheme is competent enough to secure the real information visually.

C. CORRELATION ANALYSIS
The similarity of pixel groups is measured through the correlation coefficient. There exists a strong correlation between adjoining pixels in plain images. The correlation among pixels can be decreased through encryption schemes [65]. Uncorrelated pixel patches are better over an insecure channel. The coefficients of correlation between two pixel patches are estimated as: Here, $i$ and $j$ determine the patches to be compared. The $\mu$ and $\sigma$ represent the mean and standard deviation, respectively. The correlation coefficients for plain and encrypted images are shown in Table 8.

D. ENTROPY ANALYSIS
The idea of information entropy was introduced by Claude E. Shannon in 1948. Entropy is the measure of randomness of data, which is inherent in the potential outcomes of variables [66]. It is measured in bits, relating to base 2. It is numerically given as: Here, $p(x_i)$ is the probability of a symbol of message source $x$. The distribution of pixels is more uniform with higher entropy values. In this case, the entropy of the encrypted image is close to 8, revealing good randomness of encrypted images. The entropies for plain and encrypted images are shown in Table 9.
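The three statistical checks from the histogram, correlation, and entropy analyses can be run on any 8-bit grayscale image as follows. This is an added example, not the authors' code: it uses the standard definitions of the chi-square statistic, the Pearson correlation of adjacent pixels, and Shannon entropy, and both test images are constructed here (seeded pseudo-random bytes stand in for a cipher-image).

```python
import math
import random
from collections import Counter

def chi_square(pixels: bytes) -> float:
    """Sum over 256 gray levels of (p_i - p0)^2 / p0, with p0 = numPixels/256."""
    p0 = len(pixels) / 256
    hist = Counter(pixels)
    return sum((hist.get(i, 0) - p0) ** 2 / p0 for i in range(256))

def entropy_bits(pixels: bytes) -> float:
    """Shannon entropy in bits per pixel; 8.0 is the maximum for 8-bit data."""
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in Counter(pixels).values())

def pearson(xs, ys) -> float:
    """Correlation coefficient; 0.0 when either side has zero variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def adjacent_correlation(pixels: bytes, width: int, dr: int, dc: int) -> float:
    """Correlate every pixel with its neighbour dr rows down, dc columns right."""
    height = len(pixels) // width
    a, b = [], []
    for r in range(height - dr):
        for c in range(width - dc):
            a.append(pixels[r * width + c])
            b.append(pixels[(r + dr) * width + c + dc])
    return pearson(a, b)

def report(pixels: bytes, width: int) -> dict:
    """Chi-square, entropy and the three adjacent-pixel correlations."""
    return {
        "chi2": chi_square(pixels),
        "entropy": entropy_bits(pixels),
        "horizontal": adjacent_correlation(pixels, width, 0, 1),
        "vertical": adjacent_correlation(pixels, width, 1, 0),
        "diagonal": adjacent_correlation(pixels, width, 1, 1),
    }

# Constructed inputs: a smooth 256 x 256 image, and seeded pseudo-random bytes
# standing in for a cipher-image (not output of the scheme described above).
SMOOTH = bytes(r // 2 + c // 4 for r in range(256) for c in range(256))
_rng = random.Random(2022)
NOISE = bytes(_rng.getrandbits(8) for _ in range(256 * 256))

if __name__ == "__main__":
    for name, img in (("smooth", SMOOTH), ("noise", NOISE)):
        print(name, report(img, 256))
```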

E. DIFFERENTIAL ATTACK ANALYSIS
The fundamental objective of an attacker is to acquire partial or complete knowledge of the confidential information, which is securely encrypted on the sender side for a legitimate user at the receiver side. The usual practice of attackers is to introduce certain patterns into the images, obtain the encrypted images, and analyze the pairs to accomplish the objective. The way to rule out this approach is to make the encryption procedure highly plain-image dependent. So, a noise-like image can be collected at the receiver side [67]. Any encryption scheme that has this feature is considered able to mitigate such attacks aimed at illegitimate access to restricted information [68]. The proposed encryption scheme is able to defeat the cryptanalytic attempts of attackers. Two metrics are used to evaluate differential analysis, namely the number of pixels change rate (NPCR) and the unified average changing intensity (UACI). The NPCR gives the rate of pixels that change in the encrypted content when a slight modification is made in the plain information.
On the other hand, UACI measures the difference between plain and encrypted images caused by minute changes. The calculation involves two images that differ in one pixel only. Let their corresponding encrypted images be $C_1$ and $C_2$. The numerical estimation of NPCR and UACI follows the formulas given below.
The NPCR/UACI scores acquired for the suggested S-box based encryption scheme are presented in Table 10.
As can be seen, the acquired value of NPCR is over 99.6% and UACI is also above 33.4%. The analysis justifies the robustness and the consistent, acceptable performance of the proposed encryption scheme, which makes differential attacks ineffective.
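The one-pixel test described above, as an added example (not the authors' code) using the standard NPCR and UACI definitions. It runs the test against two toy ciphers constructed here, one with no dependence on the plain-image and one whose mask is derived from the SHA-512 hash of the plain-image; the S-box, the SHAKE-256 mask expansion, and all names are assumptions, and neither toy is the scheme of this section.

```python
import hashlib

def npcr(c1: bytes, c2: bytes) -> float:
    """Percentage of pixel positions whose values differ between C1 and C2."""
    return 100.0 * sum(a != b for a, b in zip(c1, c2)) / len(c1)

def uaci(c1: bytes, c2: bytes) -> float:
    """Mean absolute intensity difference, as a percentage of 255."""
    return 100.0 * sum(abs(a - b) for a, b in zip(c1, c2)) / (255 * len(c1))

# Constructed bijection on 0..255; a stand-in, not the paper's S-box.
SBOX = [(167 * x + 13) % 256 for x in range(256)]

def encrypt_static(plain: bytes) -> bytes:
    """Toy cipher A: per-pixel substitution, nothing depends on the whole image."""
    return bytes(SBOX[p] for p in plain)

def encrypt_hash_keyed(plain: bytes) -> bytes:
    """Toy cipher B: substitution plus a mask derived from SHA-512(plain).
    SHAKE-256 expands the hash to image length (illustration only)."""
    h = hashlib.sha512(plain).digest()
    mask = hashlib.shake_256(h).digest(len(plain))
    return bytes(SBOX[p] ^ m for p, m in zip(plain, mask))

def one_pixel_test(encrypt, plain: bytes, index: int = 0):
    """Flip the low bit of one pixel, encrypt both images, return (NPCR, UACI)."""
    tweaked = bytearray(plain)
    tweaked[index] ^= 1
    c1, c2 = encrypt(plain), encrypt(bytes(tweaked))
    return npcr(c1, c2), uaci(c1, c2)

# Constructed 256 x 256 plain-image: a diagonal gradient.
PLAIN = bytes((r + c) % 256 for r in range(256) for c in range(256))

if __name__ == "__main__":
    print("static    :", one_pixel_test(encrypt_static, PLAIN))
    print("hash-keyed:", one_pixel_test(encrypt_hash_keyed, PLAIN))
```

Cipher A changes exactly one cipher pixel, so its NPCR is 100/65536 percent, while cipher B lands near the values expected for two unrelated random images.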

F. COMPARISON ANALYSIS
Of late, there is a trend to utilize S-boxes for efficient image cryptosystem designs. The underlying challenges include strong encryption quality, simple structure, short encryption time, etc. The performance of the proposed Pareto-optimal S-box based medical image encryption scheme is compared with recent S-box based encryption schemes to validate its optimal and competitive performance. All the performance metrics discussed and quantified in previous sections, namely chi-square $\chi^2$, MSE, PSNR, SSIM, correlation coefficients, information entropy, NPCR, and UACI, are compared with the encryption schemes investigated in [69], [70], [71], [72], and [73] in Table 11. The comparison analysis indicates that the proposed encryption scheme achieves near optimal values of all the performance metrics. The $\chi^2$ results show the uniform distribution of pixels in encrypted content. Our scheme offers excellent visual distortion and indistinguishability, proven by low PSNR and SSIM scores. The encrypted images have high randomness in the content, as shown by high entropy scores. The adjacent pixels in encrypted images are highly uncorrelated with each other, which destroys the chances of guessing any sensitive information secured by the proposed encryption scheme. Near optimal scores of NPCR and UACI indicate that our scheme has high resistance to differential attacks due to its high plain-text sensitivity. The comparison made in Table 11 demonstrates the competitive and consistent standing of the suggested scheme, which makes it suitable to secure medical imagery in telemedicine networks.

G. SPEED ANALYSIS
For real-time security applications, the encryption time is a significant metric, as a shorter encryption time along with statistically sound encryption performance is always preferred. The proposed S-box based encryption scheme meant for secure telemedicine services is implemented using the MATLAB tool, running on Windows 7 with 8GB RAM and an Intel Core i5-4590 CPU operating at 3.3GHz. Table 12 presents the time (in milliseconds) taken by our Pareto-optimal S-box based encryption scheme. A comparison of encryption speeds of different competing S-box based encryption schemes is also presented in the same table. It is found that an encryption time of 325.16 ms and a throughput of 1574.6 kbps are better compared to those of many recent similar encryption schemes. Hence, the presented encryption scheme is faster and better compared to competitive schemes, and this justifies its suitability for real-time security applications.

VII. CONCLUSION
This paper provided a novel multi-objective evolution method for creating cryptographically-strong S-boxes. Existing methods strived to construct S-boxes by focusing on achieving high values of nonlinearity. Unfortunately, an S-box with a good nonlinearity score may be susceptible to differential and correlation based cryptanalysis. This paper presented a method to yield S-boxes that can satisfy multiple performance parameters instead of only nonlinearity. The performance parameters of bijectivity, nonlinearity, differential uniformity, and auto-correlation function have been optimized simultaneously. The proposed method involves the non-dominated sorting genetic algorithm-II, which is assisted by the chaotic map to obtain Pareto-optimal S-boxes. The performance assessment and comparison analyses showed that the proposed method is sufficiently better than many of the competitive optimization-based S-box construction methods available in the literature. Moreover, the Pareto-optimal S-box obtained from the proposed method has been applied in the area of telemedicine services to protect medical imagery for secure tele-diagnosis and protection of sensitive patient data. Specifically, a new image encryption scheme is suggested, which is based on the Pareto-optimal S-box. The strength, robustness, and speed of the proposed encryption scheme have been compared with those of similar S-box based encryption schemes to justify its consistency, suitability and competence for the security of imagery data in telemedicine environments.