Design of Nonlinear Component of Block Cipher Using Gravesian Octonion Integers

Being the only nonlinear component in many cryptosystems, an S-box is an integral part of modern symmetric ciphering techniques that creates randomness and increases confidentiality at the substitution stage of the encryption. The ability to construct a cryptographically strong S-box solely depends on its construction scheme. The primary purpose of an S-box in encryption standards is to establish confusion between the <inline-formula> <tex-math notation="LaTeX">$m$ </tex-math></inline-formula>-bit input into the <inline-formula> <tex-math notation="LaTeX">$n$ </tex-math></inline-formula>-bit output (both <inline-formula> <tex-math notation="LaTeX">$m, n >= 2$ </tex-math></inline-formula>). This article proposed a robust way to construct S-boxes based on the Gravesian octonion integers. We chunk the paper into threefold: firstly, a comprehensive technique for constructing S-box using affine mapping is described. The presented work is developed in such a way that for every valid input, it generates two S-boxes. Secondly, the strength of the newly generated S-box is evaluated by passing through a rigorous security analysis. Finally, a thorough comparison of the newly developed method with some well-known existing schemes is conducted. We mainly targeted some elliptic curve-based S-boxes in comparison by taking the same parameters in our scheme. The computational results and performance analysis reveal that the propose algorithm can construct a large number of distinct S-boxes that are cryptographically secured and create high resistance against various cryptanalysis attacks.


I. INTRODUCTION
We are living in the information age where information is considered an asset, just like other assets. In the past few decades, the security of confidential data has attained reputable attention and vastly opened new research directions in the area of cryptography. Researchers proposed several types of data security schemes based on different mathematical structures. The main idea of these techniques is to transform confidential data into an unreadable and non-understandable form to protect it from unauthorized access. Most of the traditional symmetric cryptosystems, like Advance Encryption Standard (AES), International Data Encryption Algorithm The associate editor coordinating the review of this manuscript and approving it for publication was S. K. Hafizul Islam .
(IDEA), and Data Encryption Standard (DES), practically rely on the usage of substitution boxes (S-boxes) to achieve confusion in the input data up to a certain level [1]. Therefore, the efficiency of these systems primarily depends only on the cryptographic properties of their S-boxes. An S-box plays a pivotal role in strengthening the quality of encryption. It has always remained a goal of cryptosystem designers to construct an S-box with strong cryptographic performance.

A. RELATED WORK
Researchers have proposed several methods to construct highly nonlinear S-boxes. An efficient S-box is constructed by Lambić in [2] based on discrete chaotic maps. Çavuşoǧlu et al. [3] described an S-box construction technique based on a chaotic scaled Zhongtang system. A new S-box construction method using triangle groups was proposed by Khan et al. in [4]. Furthermore, some investigations on the S-boxes based on chaotic neural networks and hyperchaotic systems are conducted [5], [6]. Altaleb et al. in [7] proposed the construction of an S-box by using the projective general linear group. An efficient approach to assembling S-boxes based on a Latin square is presented by El-Ramly et al. [8]. Wu et al. [9] proposed the construction of S-boxes by Latin square doubly stochastic matrix. Peng et al. [10] developed dynamic S-boxes using a spatiotemporal chaotic system. An S-box construction based on chaos theory is proposed by Wang et al. [11]. Alkhaldi et al. [12] proposed an approach for constructing S-boxes using tangent delay for ellipse chaotic sequence and a particular permutation. The resultant S-boxes showed high resistance against various cryptanalysis attacks. Khan and Azam [13] proposed an algorithm for constructing S-Boxes using affine and power mappings. Meanwhile, Khan and Azam [14] discussed the generation of multiple S-boxes based on group action and Gray code. In a study by Ahmed et al. [15], innovative construction of an S-box based on Gaussian distribution and linear fractional transformation is proposed. Similarly, Khan et al. [16] developed a systematic technique to generate an S-box using a difference distribution table. Meanwhile, Isa et al. [17] established a heuristic method called the bee waggle dance for assembling an S-box. An S-box retrieval system using artificial bee colony and optimization and the chaotic map was introduced by Ahmad et al. [18]. Zahid et al. [19] presented an innovative scheme for constructing an S-box through cubic polynomial mapping. Moreover, Tian et al. [20] suggested a method for an S-box designing based on the intertwining logistic map and bacterial foraging optimization. Furthermore, Shahzad et al. [21] developed an algorithm for designing an S-box using the action of the quotient of the modular group for multimedia security. In addition, Belazi and El-Latif [22] proposed a simple algorithm for constructing an S-box using sine chaotic maps. Furthermore, Musheer et al. [43] proposed an algorithm to assemble an S-box using generalized fusion fractal structure. Elliptic curves (ECs) have recently gained reputable attention in cryptography and are being used to design strong cryptosystems. Some cryptographers have developed algorithms for constructing S-boxes using elliptic curves [23], [24], [25], [26], [27]. Jung et al. [23] constructed S-boxes over hyperelliptic curves. Furthermore, Azam et al. [24], [26] used an elliptic curve over an ordered isomorphic elliptic curve and used typical orderings on a class of Mordell elliptic curves over a finite field and assembled 8×8 S-boxes, respectively. Hayat et al. [25], [27] developed different methods for constructing 8×8 S-boxes using an elliptic curve over prime fields. All these schemes based on elliptic curves can generate at most one S-box either on x or y-coordinates [24], [25], [26], [27].

B. OUR CONTRIBUTION
In this manuscript, we proposed a robust way for constructing S-boxes using Gravesian octonion integers. In general, octonions are non-commutative and non-associative [34], but under certain conditions, they are commutative; we discussed that study throughout this paper. The presented work is developed so that for every valid input, it yields two S-Boxes with strong cryptographic properties, while in [24], [25], [26], and [27], there is no guarantee of establishing S-boxes on both coordinates. The rest of the paper is arranged as follows: Section II comprises some definitions and concepts necessary to understand the article. The newly proposed algorithm for the construction of S-boxes is discussed in Section III. A comprehensive analysis and detailed comparison of the newly established S-boxes with some existing schemes are given in Section IV. The summary of the obtained results is highlighted in Section V.

A. OCTONION INTEGERS
After the discovery of quaternion algebra, Cayley and Graves independently discovered octonion algebra. The octonions O(R) are an eight-dimensional normed division algebra over R, a kind of hypercomplex number system, with basis elements e 0 , e 1 , e 2 , . . . , e 7 twice as the number of dimensions of quaternion, O(R) is an extension of quaternion algebra. It is non-commutative and non-associative unital algebra; however, it is power associative. In the basis set e 0 is the unit element so that it can be denoted as 1. Any h ∈ O(R) can be written as a linear combination of unit octonions, i.e., We may write an octonion h as the sum of its real part R(h) and its vector part υ(h), likewise quaternion and Gaussian integers: An octonion is said to be pure if its real part is 0. i.e., h = 0 + h = 0 + υ(h). Addition and subtraction of any two octonions are done simply by adding and subtracting the coefficients of corresponding elements, likewise, quaternions. However, the multiplication is complex like quaternions and is discussed briefly in the following sub-section.

B. THE PRODUCT OF OCTONIONS
For any two octonions m and n given by, m = 7 i=0 m i e i , n = 7 i=0 n i e i , their product o = m·n = 7 i=0 o i e i . There are two methods for multiplying octonions: by using a table explained later and via matrix multiplication [38]. We have used the table method for multiplying two octonions. Let (O, * ) be the VOLUME 11, 2023  classical real algebra of the octonions with the basis elements e 0 , e 1 , e 2 , . . . , e 7 and multiplication table 1: Where e 0 is the identity element. From the above table, by bilinearity, the multiplication of any two octonions can be attained. The multiplication of the octonions is verified by using an example from [39] In general, the commutative property of multiplication does not hold for octonion integers; however, commutativity holds if the vector parts of octonion integers are parallel to each other. [34], the commutativity property of multiplications holds over O(K).
In the exhibited Table 1, one can easily observe that:  Table 1 can be expressed more generally as, where δ ij is the Kronecker delta (equal to 1 if and only if (i = j) and ε ijk is a completely antisymmetric tensor with value 1 when ijk = 123, 145, 176, 246, 257, 347, 365 and equal zero in the remaining cases [35].
The plane mnemonic totally describes the algebra structure of the octonions and the previous octonion multiplication table. In figure 1, one can see a little gadget with 7 points and 7 lines. The lines are the sides of a triangle, its altitudes, and the circle containing all midpoints of the sides. Each pair of distinct points lie on a unique line. Each line contains three points, and each of these triplets has a cyclic ordering shown by the arrows [36]. Some notations and results related to octonions are presented in the next sub-sections.

C. CONJUGATE AND NORM OF OCTONIONS
Furthermore, for any m, n ∈ O(R), this shows that the octonionic norm is multiplicative. In this work, we focus on Gravesian octonion integers O(Z), the octonions with all coordinates in Z [34].
We have successfully extended some of the results of Hamiltonian quaternion integers [40], which are applicable for the above discussed associative and commutative ring ∨ where ∨ ⊂ O (Octavian integers) [34].
+ 7b 2 and p is a prime. Proof: Suppose that a and b are positive integers and relatively prime to each other, and b is relatively prime to a 2 + 7b 2 , clearly without any loss of generality 2 , clearly, f is surjective and preserve addition.
This shows that f also preservers multiplication, however because where · denotes the ideal generated by the element x and y are rational numbers, since, This makes y an integer, now multiplying the equation bc − ad ≡ 0 by ab yields ac − ab −1 2 · bd ≡ 0, ⇒ ac − (−7) · bd ≡ 0, so ac + 7 · bd ≡ 0, proving that x is also an integer. Thus, we conclude that Ker Similarly, observation2 is also an extension from the results of Hamiltonian quaternions, which are applicable for the above-discussed subring ∨ of Octavian integers O(Z).

D. RESIDUE CLASS OF O(K) MODULO u k
Let O(K) u k be the residue class of O(K) modulo u k , where k is any positive integer and u is prime octonion integer. According to modulo function µ : where p = u.u and p is an odd prime, u k can be replaced by u 1 · u 2 · u 3 · · · u k in equation (1), where u 1 , u 2 , u 3 , · · · , u k are distinct octonion prime integers.

III. PROPOSED SCHEME FOR THE CONSTRUCTION OF S-BOXES
This section presents the algebraic structure and the proposed scheme used to construct the S-boxes. The S-boxes have been generated using the field elements built by a mapping f explained earlier. The detailed steps of the proposed method are described briefly in the steps given below, Step 1: Select a prime octonion or an octonion u = a + b · 7 i=1 e i such that the coefficients of real and vector parts are relatively prime, i.e., (a, b) = 1 and N (u) = prime = p.
Step 2: Choose a primitive octonion integer v = 1 + t. 7 i=1 e i , such that N (v) < N (u), taking real part as one yields efficient results in the construction of the field.
Step 3: Construct field G by using the map f → f − f u k uu k u k which is described briefly in earlier section.
Step 6: Choose A = [a b b b b b b b] such that a and b are relatively prime and B without any condition from G * and apply the affine transformation as AX −1 Step 7: After that, enforce mod 256 on the results obtained from step 6 to restrict the values between 0 to 255.
Step 8: Separate the real and vector parts and consider them as x and y coordinates.
Step 9: Apply unique command to get two arrays of random numbers between 0 to 255, then reshape the resulted elements of both coordinates into 16 by 16 matrices (lookup tables), VOLUME 11, 2023   these are the resulting S-boxes. More generally, the flowchart of the construction of the proposed S-box is presented in figure 2.  Repeating step 6 by using all the possible distinct values of A, B from G * yields a large number of distinct and cryptographically strong S-boxes; experimental results reveal that for each appropriate input of A, and B, one can obtain two S-boxes.    For comparing the results with some elliptic curve-based S-boxes, the algorithm is implemented for some specific prime octonions, of course, those having their norms as prime, including 2557, 3413, 3613, and 3917. The newly generated S-boxes are illustrated in tables 3-10. Elements obtained after the implementation of the algorithm are described in table 2.
Elementary representation of the scheme using u = 5+22.

IV. SECURITY ANALYSIS
After constructing the S-boxes, it is necessary to investigate their performance. In this section, we evaluated the cryptographic strength of the newly generated S-boxes by passing them through some rigorous security analysis. Generally, six parameters exist in the literature [22] that are used to examine the effectiveness of an S-box: Bijective, NL, SAC, BIC, LAP, and DAP. A brief explanation of these analyses and a thorough comparison of the resulting S-boxes with some of the recently developed S-boxes are presented in sub-sections A to G.

A. BIJECTIVE
An n × n S-box is bijective if it has every integer value from 0 to 2 n − 1 [2]. In our case, when n=8, an S-box is bijective if it has all distinct values from the interval [0, 255]. All the proposed S-boxes are experimentally verified to hold the bijective property; the claim can be verified from tables 3-10.

B. NONLINEARITY
In order to ensure that the data is safe from an adversary, an S-box must induce a certain level of data confusion. The confusion-generating ability of an S-box over the Galois field GF 2 8 is assessed by its nonlinearity N (S), defined as: where ϕ ∈ GF 2 8 , µ ∈ GF 2 8 \0, ω ∈ GF(2) and ''.'' represent the dot product over GF (2). A highly nonlinear S-box is strong enough to generate an up to level of confusion in the data. However, Meier and Staffelbach demonstrated that an S-box with a high NL might lack other cryptographic characteristics [42]. The upper bound of nonlinearity is N(f ) = 2 n−1 −2 n 2 −1 for S-box in GF (2 n ), as S-box used in AES, is in GF 2 8 , so the optimal value of N is 120 . It is observed that the proposed S-box has the considerable capability to produce confusion if evaluated in terms of nonlinearity analysis. The NL of some of the newly established S-boxes is listed in

C. BIT INDEPENDENCE CRITERION
Webster and Tavares were the first who introduced the criterion of bit independence [41], which is used to assess the behaviour of bit patterns at the output. The criterion's primary objective is to evaluate the dependency of a pair of output bits on an inverted input bit. An S-box is considered to have strong diffusion creation capability if all non-diagonal entries of its BIC matrix are closer to 0.5. The BIC of an S-box S over the GF (2 n ) with S i Boolean functions are evaluated by computing an n-dimensional matrix, i.e., N (S) = n ij , measured as shown in the equation at the bottom of the next page, surely n ii = 0.

D. STRICT AVALANCHE CRITERION
The idea of the Strict Avalanche Criterion was firstly presented by Webster and Tavares [41], which calculates the  diffusion creation strength of an S-box. It is the measure of change in output bits when a single input bit is altered; all of the output bits vary with a probability of 1 2 . In general, a function F : F n 2 → F n 2 is said to fulfill SAC if for a change in an input bit i ∈ {1, 2, 3, . . . , n}, the probability of change in the output bit j ∈ {1, 2, 3, . . . , n} is 1 2 . The offset of the dependence matrix of our proposed S-box is 0.0352, while the minimum, maximum and average values of SAC of the proposed S-box are 0.3906, 0.6406, and 0.4931, respectively. The average value of SAC is much closer to 0.5, which is considered an ideal SAC value.

E. LINEAR APPROXIMATION PROBABILITY
Linear approximation probability configures the strength of an S-box S in terms of resistance against linear attacks. An S-box with a smaller LAP value is considered to have strong properties and vice versa. The LAP of the newly generated S-box L(S) is mathematically expressed as shown in the equation at the bottom of the next page.
The LAP of the proposed S-boxes is 0.125, 0.1563, 0.1328, 0.125, respectively, which are comparatively lesser than those of [24] and [25]. This shows that the presented algorithm can construct robust and cryptographically secure S-boxes that are highly resistant against linear attacks.

F. DIFFERENTIAL APPROXIMATION PROBABILITY
Biham and Shamir [42] figured out the differential cryptanalysis for an S-box based on the imbalance in the input/output XOR distribution. The resistance of an S-box against differential attacks is assessed by measuring its DAP. An S-box with a smaller value of DAP is considered to have the greater capability to resist differential attacks. The results of the Approximation Probabilities are demonstrated in table 19. The DAP of an S-box S is expressed as, where y and z are input and output differentials, respectively.

G. RUN TIME TO CONSTRUCT TWO S-BOXES
We used a PC with a processor: Intel R core i-5-6300U CPU @ 2.40 GHz 2.50 GHz, Memory: 8GB (7.89 usable)  and MATLAB version R2021a to run the proposed algorithm for the construction of S-boxes. It has been observed that the algorithm's run time solely depends on the prime chosen; the larger the prime we take, the more time the algorithm will take for execution. The list of the average computation time in seconds for construction of the S-boxes averaged over ten times can be observed clearly in table 20, from prime 2557 to 3917. The time efficiency of our scheme is much better than the final S-box generation in [48] and lesser than [49].

H. COMPARISON WITH S-BOXES BASED ON ELLIPTIC CURVE AND SOME OTHER SCHEMES
In this section, we compare the strength of the proposed S-boxes with some elliptic curve-based S-boxes constructions schemes by discussing two critical aspects: the S-box generation capacity and the cryptographic properties of both schemes. While designing an S-box generation scheme, ensuring that the algorithm yields distinct S-boxes for every valid input is essential.
In this proposed scheme, whenever one chooses A = [a  b b b b b b b] such that a and b are relatively prime, a large number of distinct S-boxes resulted regardless of any condition on the selection of B. On the other hand, the results by schemes [24], [25], [26], [27] are uncertain and do not ensure the generation of S-boxes for every given input. Like, in [24] and [27], there is no guarantee of establishing S-boxes on both coordinates x and y. Furthermore, in [24] and [26], Azam et al. constructed S-boxes using y coordinates of the points satisfying the elliptic curve. Similarly, in [25] and [27], Hayat et al. proposed a technique that uses x-coordinates of the points satisfying elliptic curves; in our proposed algorithm, S-boxes obtained on both real and vector parts named as x and y-coordinates, irrespective of having good results from either x or y-coordinates. Results have revealed that both ends can generate S-boxes having sufficiently strong cryptographic characteristics at one time. Lastly, as we targeted similar parameters, specific primes from [24], [25], [26], and [27], for a thorough comparison, i.e., 2557, 3413, 3613, and 3917, it has been revealed that the nonlinearity of the proposed S-box is comparable with [24], [25], [26], [27], [28], [29], [30], [31], [32], [33], and [47]. The minimum nonlinearity of S 2557 are 104, 104, 106, 104 respectively, while on the other side with the same primes, the NLs in [24], [25], [26], [27], and [47] are 106, 104, 106, 104, 106 respectively, which are almost similar to the proposed S-box. In addition, the cryptographic properties of proposed S-boxes are better. Furthermore, we also compared the properties of newly established S-boxes with some already existing schemes [28], [29], [30], [31], [32], [33], [44], [45], [46], [47] in table 21. The proposed S-boxes are capable of creating better confusion likewise other schemes. This shows that the proposed scheme can produce up-to-level confusion along with the existing techniques based explicitly on elliptic curves and others.

V. CONCLUSION
In this work, a robust technique for constructing a large number of distinct and dynamic S-boxes is presented; the proposed work is developed to generate two S-boxes for each valid input. The proposed scheme solely depends upon selecting prime octonion u, primitive octonion v, A and B. By changing these parameters, several dynamic and secure S-boxes can be obtained, which can be used efficiently in various cryptosystems, including symmetric and asymmetric ciphers for encryption purposes.
In addition, the strength of the proposed S-boxes is assessed by applying various security analyses. Furthermore, a detailed comparison of the newly constructed S-boxes with elliptic curve-based and some existing S-boxes is conducted. The computational results and performance analysis reveal that the proposed algorithm is capable of generating a large number of distinct dynamic S-boxes that are cryptographically strong against various attacks and are helpful for secure data communication purposes. The understudy work is based on commutative Gravesian octonion integers; for future research, one can work on its non-commutative side that will yield eight S-boxes against a single input. Furthermore, the work can be extended to sedenions; 16-dimensional algebra, which is non-associative and non-commutative. More secure and dynamic S-boxes can be produced by working in these directions. AMJAD REHMAN (Senior Member, IEEE) received the dual Ph.D. degree (Hons.) from the Faculty of Computing, Universiti Teknologi Malaysia, with a specialization in forensic documents analysis and security, in 2010 and 2011, respectively. He is currently a Senior Researcher with the Artificial Intelligence and Data Analytics Laboratory, CCIS, Prince Sultan University, Riyadh, Saudi Arabia. He received Rector Award for 2010 best student in the university. Currently, he is a PI in several funded projects and also completed projects funded from MOHE, Malaysia, Saudi Arabia. His research interests include data mining, health informatics, and pattern recognition. He is the author of more than 200 ISI journals and conference papers. SAEED ALI BAHAJ received the Ph.D. degree from Pune University, India, in 2006. He is currently an Associate Professor with Hadhramaut University, Hadhramaut, Yemen. He is also an Associate Prof. with the MIS Department, CBA, PSAU, Al-Kharj, Saudi Arabia. His research interests include artificial intelligence, information management, forecasting, information engineering, big data mining, and information security. VOLUME 11, 2023