A Novel Modular Approach Based Substitution-Box Design for Image Encryption

In modern block ciphers, substitution-boxes (S-boxes) transform the plaintext nonlinearly so that the ciphertext carries sufficient confusion. It is well established that the robustness and security of such block ciphers depend heavily on the cryptographic strength of the underlying S-boxes, because they are the only components that bring the required nonlinearity and complexity into the security system to frustrate attackers. Accordingly, a number of different concepts have been explored to construct strong S-boxes. With the same aim, this paper investigates, for the first time, a novel and simple modular approach for constructing nonlinear S-boxes. The proposed approach consists of three operations: a new transformation, modular inverses, and permutation. A number of highly nonlinear S-boxes can be constructed easily with slight changes in the parameters of the novel transformation. An example S-box is presented; its assessment against benchmark criteria (high nonlinearity, absence of fixed points, fulfillment of the SAC and BIC properties, low differential uniformity and low linear approximation probability) and its comparison with recent S-boxes demonstrate its cryptographic potential. In addition, an image encryption algorithm is proposed in which the generated S-box is applied to perform pixel shuffling and substitution for strong statistical and differential encryption performance.


I. INTRODUCTION
Data and information communication has become a very important ingredient of today's technological life, and data is considered a significant asset of an individual or organization. If the confidentiality of information is compromised, the information can be used for harmful purposes. Current innovations in information technology and their prolific applications in our lives have caused enormous growth in the volume of data transmitted online. Private information is a very sensitive asset and requires protection from attackers. Therefore, prior to transmission, data must be transformed into a form that is meaningless to intruders. Cryptographic algorithms are the mathematical methods and techniques that assist in the protection of data [1]. Stream ciphers transform the data bit by bit or byte by byte, whereas block ciphers transform data in chunks that comprise a large number of bits or bytes at a time. In modern symmetric encryption, block ciphers are considered one of the most effective tools for data protection [2]. Data Encryption Standard (DES), Blowfish, Advanced Encryption Standard (AES), RC5, etc. are examples of contemporary block ciphers. Block ciphers are easy to implement precisely and are more general in nature than stream ciphers [3]. One category of prevalent block ciphers is known as SP network-based block ciphers. These block ciphers use two major operations, substitution and permutation, to transform data into an unintelligible form. A substitution operation replaces a byte/block with another byte/block using a substitution table known as a substitution box or S-box [4], [5]. A permutation process, on the other hand, shuffles the input bits or bytes in some linear fashion.

The associate editor coordinating the review of this manuscript and approving it for publication was Shuangqing Wei.
A substitution-box is a pivotal constituent of modern block ciphers that helps generate a scrambled ciphertext for the specified plaintext. Through the incorporation of an S-box, a nonlinear mapping between the input and output data is established to create confusion [6]. The more confusion an S-box can create in the output data, the more secure a block cipher is. As a result, the security provided by a block cipher employing one or more S-boxes depends directly on how strong those S-boxes are. Block ciphers consist of many components in addition to one or more S-boxes. Unlike the other components, an S-box is the only nonlinear component of a block cipher that supports the enhancement of data protection [7], [8].
Generally, a block cipher uses either a static S-box or one or more dynamic S-boxes. A static S-box is fixed for all incoming data and secret keys and is used repeatedly in the block cipher. A block cipher based on a static S-box employs that S-box in all its rounds. A static S-box allows an attacker to inspect its characteristics, discover its weaknesses, and eventually find a chance of recovering plaintext from the respective ciphertext [9], [10]. As an example, the static S-boxes employed in the Data Encryption Standard (DES) were an easy target for attackers. Consequently, to overcome the weaknesses of static S-boxes, many cryptographers have explored innovative techniques to design dynamic S-boxes. Dynamic S-boxes are generated using the cipher key and provide a way to augment the cryptographic power of a block cipher. Construction and usage of key-dependent and dynamic S-boxes in a cipher enhance its cryptographic power. The Blowfish cipher employs such dynamic S-boxes in its operation [11].
Researchers have explored and investigated various concepts to generate cryptographically strong S-boxes. They evaluated the strength using typical criteria, such as nonlinearity, absence of fixed points, bit independence criterion (BIC), linear and differential probabilities, strict avalanche criterion (SAC), etc., that an S-box must satisfy to withstand various types of attacks. The more of these characteristics an S-box possesses, the more security it provides to the block cipher. In particular, nonlinearity has been considered one of the significant measures of the strength of a given S-box. A substitution box exhibiting a larger value of nonlinearity offers more resistance against linear cryptanalytic attacks [12]. Du et al. [12] and Patil et al. [13] proposed and investigated dynamic S-boxes based on the Feistel structure. The resulting S-boxes exhibited decent robustness against the attacks. In [14]-[16], different techniques to yield a large number of dynamic and key-dependent S-boxes have been investigated, and the quality of each resultant S-box has been evaluated. Performance results showed that the resultant S-boxes have considerable security strength. The authors in [17]-[21] suggested various enhancements to the security offered by AES by improving the AES S-box. Moreover, many investigators [22]-[29] have proposed novel S-boxes based on chaos and demonstrated that chaos-based S-boxes are adequately resilient to different attacks. Others have used other knowledge areas to design S-boxes, such as linear fractional transformation [30]-[32], DNA computing [5], [33], [34], elliptic curves [35], [36], graph theory [37], [38], optimization techniques [39]-[43], cellular automata [44], etc. The dynamic and key-dependent S-box construction techniques available in the literature are either complicated or consume considerable time to produce a strong S-box.
Hence, there is a need for a method that is simple, efficient, and capable of generating strong dynamic S-boxes. In this paper, a simple scheme that assists in generating dynamic S-boxes is proposed. The novel scheme employs a new transformation, multiplicative inverses, and permutation operations to generate the final S-box. The core contributions of this paper are as follows:
• A novel and simple modular approach is explored to construct nonlinear S-boxes. A large number of robust S-boxes can be created straightforwardly with minute variations in the new transformation parameters.
• A novel and dynamic permutation operation is applied to the values of the S-box to create more confusion. The dynamic nature of this operation depends upon the order of the values in the S-box and hence adds strength to the security of the ciphertext.
• A performance comparison analysis is carried out which validates the strong performance of the S-box relative to several current S-boxes.
• A new image encryption algorithm using generated S-box based pixel permutation and substitution is also proposed, which demonstrates its capability and scope for securing sensitive data.

The remainder of the paper is organized as follows. Section II describes the proposed modular approach for the generation of S-boxes. The security analysis of an example S-box is discussed and compared in Section III. A new image encryption method based on the generated S-box, together with its encryption performance assessment and comparison, is presented in Section IV. The conclusions of the research study are drawn in Section V.

VOLUME 8, 2020

II. PROPOSED MODULAR APPROACH FOR S-BOX DESIGN
Modern symmetric ciphers often use S-boxes to create more confusion for attackers. S-boxes help provide data security by producing scrambled ciphertext. An S-box design establishes a nonlinear relation between the input and output data in such a way that an attacker is unable to deduce the input data from the output data. Researchers have broadly explored such nonlinear mappings to produce strong S-boxes. The process of constructing an S-box should be simple and efficient. The construction process of most of the S-boxes presented in the literature is very time consuming and complicated. As an example, S-boxes generated with the help of linear fractional transformation (LFT) depend heavily on the use of the Galois field. LFT, also known as the Mobius transformation, is one of the many mappings that have been comprehensively applied for the creation of S-boxes [30]-[32]. However, the procedure of S-box construction using LFT is computationally inefficient and complicated too. Here, we extend the idea of LFT and construct a novel transformation to produce an S-box with good cryptographic features through a simple modular approach. The overall process of dynamic S-box construction involves three simple steps in sequence:

1. Novel transformation
2. Multiplicative inverses
3. Action of permutation process

Each of these steps involved in the creation of the final S-box candidate is described in what follows.

A. NOVEL TRANSFORMATION
The novel transformation employed in the production of an S-box having size n × n is a function expressed mathematically as:

B. MULTIPLICATIVE INVERSES
An S-box design method that uses linear fractional transformation (LFT) as the core of the construction process needs to find the multiplicative inverse for each byte of the input data. Finding the multiplicative inverse of a value using the Galois field is a considerably complicated process, as indicated in [45], [46]. Our technique of finding the multiplicative inverse using the modular operator is very simple, straightforward, and above all efficient compared to the multiplicative inverse calculation used in the Galois field domain.
This step aims to compute the multiplicative inverse of each value produced in Step A using the function given in Eq. (2). The details of determining the inverse for any value z ∈ {0, 1, ..., 255} are presented through the algorithm and flowchart shown in Figure 1.
where $N = \{0, 1, 2, \ldots, 2^n - 1\}$. It may be noted that MI(0) = 0 and MI(1) = 1. Also, MI(256) is not used in this process, as described in Figure 1. Steps A and B of the proposed approach as described above generate an initial S-box, which is also demonstrated in Figure 2.
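The modular inverse step can be sketched as follows. This is an added example, not the paper's algorithm from Figure 1: Eq. (2) is not reproduced on this page, so the prime modulus 257 is an assumption (chosen because it is consistent with MI(0) = 0, MI(1) = 1 and the unused MI(256)), and `mod_inverse`, `inverse_table` and `table_properties` are hypothetical names.

```python
# Added example: multiplicative inverses with the plain modular operator.
# ASSUMPTION: modulus 257 (prime, 2^8 + 1); the page's Eq. (2) is not shown.
MODULUS = 257


def mod_inverse(z, m=MODULUS):
    """Extended Euclid: return y with (z * y) % m == 1; MI(0) = 0 by convention."""
    if z % m == 0:
        return 0
    r0, r1 = m, z % m      # remainders
    t0, t1 = 0, 1          # invariant: t_i * z == r_i (mod m)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("z has no inverse modulo m")
    return t0 % m


def inverse_table():
    """MI(z) for every byte value z in 0..255."""
    return [mod_inverse(z) for z in range(256)]


def table_properties(table):
    """Structural checks that matter before the table is used in an S-box."""
    return {
        # Every byte value appears exactly once, so the map is invertible.
        "bijective": sorted(table) == list(range(len(table))),
        # Applying the map twice returns the input.
        "involution": all(table[table[z]] == z for z in range(len(table))),
        # Inputs mapped to themselves; these must be removed by the other steps.
        "fixed_points": [z for z in range(len(table)) if table[z] == z],
        # 256 never appears as an output because it is its own inverse mod 257.
        "max_value": max(table),
    }


if __name__ == "__main__":
    print(table_properties(inverse_table()))
```

Under this assumption the raw inverse table is already a bijection on 0..255, but it is an involution with fixed points at 0 and 1, so on its own it would not pass the fixed-point criterion of Section III.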
type of transformation as given in (3) Table 1. Using the permutation process shown in Figure 3, a permutation table is generated and applied to permute the values of the initial S-box row by row. Table 2 presents the permutation table generated for the initial S-box given in Table 1. Applying the permutation given in Table 2 yields the final S-box shown in Table 3.

III. SECURITY ANALYSIS OF PROPOSED S-BOX
This section critically inspects the strength of the generated S-box given in Table 3 against the standard criteria that are used to quantify the cryptographic features of an S-box. An S-box is expected to satisfy the following criteria for good cryptographic strength [22]-[43], [48].
• Bijectiveness.
• High nonlinearity.
• Absence of any fixed points.
• Strict avalanche criterion.
• Output bits independence criterion.
• Low differential uniformity.
• Low linear approximation probability.

We selected recently published S-box studies for the performance comparison of our S-box.

A. BIJECTIVENESS
Table 3 fulfills this criterion as the S-box has all possible distinct output values {0, ..., 255}. Also, each coordinate Boolean function has an equal number of 0's and 1's, which is 128 [8], [11].

B. NONLINEARITY (NL)
An S-box provides a mapping between input and output bits. If the generated S-box maps input to output in a linear fashion, its cryptographic strength is very low. An S-box is deemed strong if it transforms the inputs to outputs in a highly nonlinear way. Such an S-box helps protect the plaintext data against linear cryptanalytic attacks. The nonlinearity of an n-bit Boolean function h is calculated as [48].
where $T_{\max}(h)$ represents the Walsh-Hadamard Transform for a given n-bit Boolean function h. The coordinate Boolean functions of our S-box and their respective nonlinearities are presented in Table 4. The nonlinearity test results indicate that a minimum NL = 104, maximum NL = 110, and average NL = 107.5 are achieved. The nonlinearity strength of our proposed S-box is also compared in Table 5 with the recent S-box studies investigated in [49]-[62]. The comparison table makes evident the better nonlinearity performance of our S-box over many recent S-boxes.

C. FIXED POINTS (FPs)
In cryptosystems involving S-boxes, the existence of any fixed points (i.e. S(k) = k − 1) may be a weakness that can be exploited by an attacker to gain knowledge of secret data. Accordingly, the designers of the AES block cipher took care to eliminate fixed points by employing an additive constant in the AES S-box. Therefore, care must be taken that S-boxes do not have any fixed points [49]. We ran this test on our proposed S-box and found that there is not a single fixed point; this analysis is further compared with some other recent S-boxes in Table 5. The comparison shows that there exist a number of recent S-box studies where the respective S-boxes are not free from fixed points.

D. STRICT AVALANCHE CRITERION (SAC)
Webster et al. presented this criterion as a vital characteristic of any strong S-box [63]. This criterion requires that a single bit flip in the input should flip n/2 bits out of the n output bits. Consequently, a SAC score ≈ 0.5 is considered acceptable. The dependency matrix for the SAC criterion is evaluated and shown in Table 6. The SAC value of our S-box comes out as 0.498, which is fairly close to 0.5. Hence, it can be deduced that the S-box presented in Table 3 satisfies the SAC requirement very well. The SAC performance is consistent with recent S-boxes, as evident from the SAC comparison made in Table 8.

E. BIT INDEPENDENCE CRITERION (BIC)
This criterion was presented by Webster et al. as an important property for any strong S-box. It requires that the coordinate Boolean functions be mutually independent and possess high nonlinearity [64]. The BIC table for the nonlinearity of each of the Boolean functions $h_i \oplus h_j$ ($i \neq j$) is listed in Table 7. The BIC performance with respect to nonlinearity averages 103.5. This value indicates that our S-box satisfies the bit independence criterion quite well. The comparison of BIC performance is made in Table 8.

F. DIFFERENTIAL UNIFORMITY (DU)
Differential cryptanalysis is a valuable instrument that is used to obtain the input differential from the output differential. An attempt is made to relate modifications in the input data to variations in the respective output data. Combining both variations helps attackers learn the whole or parts of the plaintext data or cipher key [65]. Efforts are made to keep the difference of these two values minimal. For this purpose, the differential uniformity of an S-box is usually assessed. To resist a differential cryptanalytic attempt, a low score of differential uniformity (DU) is preferred. To calculate differential uniformity, equation (6) is used [66].
where $G = \{0, 1, \ldots, 2^n - 1\}$. The differential distribution table (DDT) obtained for the proposed S-box is shown in Table 9. The differential uniformity of our S-box evaluates to only 10. This small value of DU shows that our S-box can resist differential cryptanalytic efforts very well. The proposed S-box score is also compared with the DU of recent S-boxes in Table 10, which shows better robustness to differential cryptanalysis than the S-box studies in [50], [51], [61], [62] and robustness comparable to [52]-[55], [58]-[60].

G. LINEAR APPROXIMATION PROBABILITY (LAP)
Block cipher designers try to mix the bits of the input data as much as possible. A strong S-box assists in accomplishing this task, as it provides a nonlinear mapping between plaintext and ciphertext. Linear cryptanalysis is an effort by attackers to expose weak relationships between plaintext and ciphertext. The strength of this mapping is measured by the linear approximation probability (LAP) given in Eq. (7) [67].
(7)
where $G = \{0, 1, \ldots, 2^n - 1\}$. A lower value of LAP for an S-box is the target for resisting linear cryptanalytic effort. The LAP score of our S-box given in Table 3 is 0.140625, which is quite low. So, our S-box has sufficient potential to resist linear cryptanalysis. The LAP scores of some recent S-boxes are compared in Table 10 to demonstrate that our S-box has improved robustness against many recent S-boxes as well.
The performance assessment and the comparison make it clear that our S-box meets the required security standards and therefore has better cryptographic strength against different attacks than many recent S-boxes.
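The criteria of this section can be computed directly from an S-box table, as in the following added example (not the authors' code). Table 3 is not reproduced on this page, so the AES S-box is generated as a stand-in whose scores are well known; the formulas are the standard textbook definitions, fixed points are taken as S[x] == x on a 0-based table, and all function names are hypothetical.

```python
# Added example: standard S-box criteria, run on the AES S-box as a known reference.
def aes_sbox():
    """GF(2^8) inverse followed by the AES affine map (stand-in for Table 3)."""
    def gmul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r

    def rotl(v, s):
        return ((v << s) | (v >> (8 - s))) & 0xFF

    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box


def walsh(bits):
    """Fast Walsh-Hadamard transform of a 0/1 truth table (returns the spectrum)."""
    w = [1 - 2 * b for b in bits]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def component(sbox, mask):
    """Truth table of the Boolean function x -> parity(mask & S(x))."""
    return [bin(s & mask).count("1") & 1 for s in sbox]


def nonlinearity(bits):
    """NL = 2^(n-1) - max|W| / 2 for an n-bit Boolean function."""
    return len(bits) // 2 - max(abs(v) for v in walsh(bits)) // 2


def evaluate(sbox):
    """Return the Section III scores for a 2^n-entry S-box given as a list."""
    size = len(sbox)
    n = size.bit_length() - 1
    coords = [nonlinearity(component(sbox, 1 << i)) for i in range(n)]
    bic = [nonlinearity(component(sbox, (1 << i) | (1 << j)))
           for i in range(n) for j in range(i + 1, n)]
    # DU: largest DDT entry over all non-zero input differences.
    du = 0
    for dx in range(1, size):
        row = [0] * size
        for x in range(size):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
        du = max(du, max(row))
    # LAP: largest |#{x : a.x = b.S(x)} / 2^n - 1/2| over non-zero masks a, b.
    lap = max(abs(v) for b in range(1, size)
              for v in walsh(component(sbox, b))[1:]) / (2 * size)
    # SAC: average fraction of output bits flipped by a single input-bit flip.
    flips = sum(bin(sbox[x] ^ sbox[x ^ (1 << i)]).count("1")
                for i in range(n) for x in range(size))
    return {
        "bijective": sorted(sbox) == list(range(size)),
        "nl_min": min(coords),
        "nl_max": max(coords),
        "nl_avg": sum(coords) / n,
        "fixed_points": [x for x in range(size) if sbox[x] == x],
        "sac": flips / (n * n * size),
        "bic_nl_avg": sum(bic) / len(bic),
        "du": du,
        "lap": lap,
    }


if __name__ == "__main__":
    print(evaluate(aes_sbox()))
```

Passing the 256 values of Table 3 to `evaluate` in place of `aes_sbox()` is how the figures reported in this section could be re-checked independently.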

IV. IMAGE ENCRYPTION METHOD USING GENERATED S-BOX
In this section, we present our method for encrypting gray-scale multimedia images using the proposed S-box given in Table 3. The permutation and substitution operations are driven purely by the S-box. The following image encryption method exemplifies one specific use of the proposed S-box. The steps of the proposed encryption method are as follows:
1. Generate the S-box using the proposed modular approach discussed.
2. Read the input plain-image PP, the S-box S and C(0).
3. Find the number of rows and columns of PP as M and N, respectively.
4. Scale the permutation sequence of S to the size of M and take it as S1. Similarly, scale the permutation sequence of S to the size of N and take it as S2.
5. Perform the permutation of the pixels of image PP using the sequences S1 and S2 as follows:
    for k = 1:M
        PS(S1(k), :) = PP(k, :);   % row k of PP moves to row S1(k)
    end
    PP = PS;
    for k = 1:N
        PS(:, S2(k)) = PP(:, k);   % column k of PP moves to column S2(k)
    end
6. Reshape the permuted image PS to a 1-D array.
7. Repeat the following operations for all pixels of the permuted image PS, from the first pixel to the last, where t is the pixel number.
8. Reshape the encrypted image C to 2-D form.
The suggested image encryption method is also described through the flowchart shown in Figure 4. The decryption method is very similar to the above mentioned steps of encryption but should be followed in reverse order.
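The row and column shuffling of steps 3 to 5, and its reversal for decryption, are sketched below as an added example (not the authors' MATLAB code). The page does not define how the S-box sequence is scaled to M and N, nor the per-pixel operations of step 7, so `scale_sequence` is a hypothetical scaling rule, `SBOX` is a constructed stand-in permutation rather than Table 3, and only the permutation stage is shown.

```python
# Added example: steps 3-5 of the method (row/column shuffling) and their inverse.
# ASSUMPTIONS: SBOX is a constructed stand-in, not the page's Table 3, and
# scale_sequence() is a hypothetical scaling rule that the page does not define.
from collections import Counter
from math import log2

SBOX = [(167 * x + 13) % 256 for x in range(256)]   # odd multiplier -> bijection


def scale_sequence(sbox, size):
    """Rank positions 0..size-1 by the S-box value they cycle onto (ties by position)."""
    order = sorted(range(size), key=lambda k: (sbox[k % len(sbox)], k))
    seq = [0] * size
    for rank, k in enumerate(order):
        seq[k] = rank
    return seq          # a permutation of 0..size-1 (0-based S1 or S2)


def permute(img, s1, s2):
    """PS(S1(k), :) = PP(k, :) for rows, then PS(:, S2(k)) = PP(:, k) for columns."""
    rows = [None] * len(img)
    for k, row in enumerate(img):
        rows[s1[k]] = row
    out = []
    for row in rows:
        new = [0] * len(row)
        for k, px in enumerate(row):
            new[s2[k]] = px
        out.append(new)
    return out


def unpermute(img, s1, s2):
    """Decryption order: undo the column move first, then the row move."""
    cols = [[row[s2[k]] for k in range(len(row))] for row in img]
    return [cols[s1[k]] for k in range(len(cols))]


def histogram(img):
    return Counter(px for row in img for px in row)


def entropy(img):
    """Shannon entropy in bits per pixel; counts are sorted for a stable float sum."""
    counts = sorted(histogram(img).values())
    total = sum(counts)
    return -sum(c / total * log2(c / total) for c in counts)


def demo():
    # Constructed 6x10 "plain image" that uses only four gray levels.
    plain = [[64 * ((r + c) % 4) for c in range(10)] for r in range(6)]
    s1 = scale_sequence(SBOX, len(plain))
    s2 = scale_sequence(SBOX, len(plain[0]))
    shuffled = permute(plain, s1, s2)
    return {
        "changed": shuffled != plain,
        "round_trip": unpermute(shuffled, s1, s2) == plain,
        "same_histogram": histogram(shuffled) == histogram(plain),
        "entropy_plain": entropy(plain),
        "entropy_shuffled": entropy(shuffled),
    }


if __name__ == "__main__":
    print(demo())
```

Shuffling moves pixels but leaves the histogram and entropy exactly as they were, so the flat histograms and near-8 entropy reported later can only come from the substitution stage of step 7.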
In the next subsections, we evaluate the encryption performance of our proposed algorithm and S-box for gray-scale images, but the same algorithm can also be extended to color images by decomposing them into their color channels, each of which can be encrypted by following the steps mentioned. We performed simulations and analyses on the benchmark images (such as Lena, Baboon, Cameraman, Peppers, Tree, Barbara) shown in Figure 5, which are taken selectively from the USC-SIPI image dataset so that we can make a fair comparison of encryption strength with recent S-box based image encryption methods. MATLAB is used for experimentation and simulation on an Intel Core i7 CPU @ 2.2GHz with 4GB RAM and Windows 8. The encrypted images obtained using our encryption procedure are depicted in Figure 6. It is quite clear from the encrypted images that the visual distortion is good, as they are highly indistinguishable and distorted. It is very difficult for an attacker to guess or learn any pattern or partial information about the respective plain-images.

A. HISTOGRAM ANALYSIS
The histogram of an image is a graphical description of its pixel distribution. For cryptographic strength, it is always desired that the elements of encrypted content be uniformly distributed, i.e. that each element be equally probable. The histograms of the plain-images and encrypted-images are shown in Figure 7. The histogram enables us to study the distribution of pixels in both plain-images and encrypted-images [68]. Also, the comparison of their histograms makes evident the huge difference between the characteristics of such a pair of images. It is clear from Figure 7 that the histograms of the encrypted images are considerably different from those of their respective plain-images. Moreover, the encrypted images have uniform and fairly flat histograms. The variances of the histograms are computed to show the difference between the pairs of histograms statistically. The variance of the histogram of an 8-bit encoded gray-scale image is expressed as follows [53]:
where $g_m$ denotes the number of image pixels having gray value m. The obtained variance scores for plain-images and encrypted images are listed in Table 11, and they are compared with the corresponding results for encrypted images analyzed in [53], [69]-[71]. Our results demonstrate the consistent performance of the proposed encryption method. Hence, our encryption method can resist histogram-based statistical attacks.

B. DIFFERENCE, ERROR, SIMILARITY ANALYSIS
It is advisable to quantify the perceptual comparison of encrypted images with respect to their plain-images. For this, statistical measures are used to assess the difference (via mean absolute difference), errors (via mean square error), peak signal to noise ratio, and similarity (via structural similarity index) [49]. Mathematically, they are calculated as per the formulas expressed through Eq. (9) to (12), respectively.
$(P(m, n) - C(m, n))^2$ (10)
where $\mu_P$ and $\mu_C$ represent the mean values of plain-image P and encrypted image C, $\sigma^2$ denotes the variance, and $\sigma_{PC}$ denotes the covariance of images P and C. The constants $c_1$ and $c_2$ are set as $c_1 = (K_1 \times L)^2$ and $c_2 = (K_2 \times L)^2$, where $K_1 = 0.01$, $K_2 = 0.03$ and $L = 2^8 = 256$ for 8-bit coded images.
The scores of these statistical measures for the pair of plain-images and encrypted images available in Figure 5 and Figure 6 are listed in Table 12. The obtained values demonstrate that the encrypted contents are considerably different from their plain-images statistically in addition to visual inspections. Our results are also compared with recently investigated encryption algorithm outcomes in Table 13 and it is observed that both are consistent in performance on the ground of these statistical measures.

C. MAJORITY LOGIC CRITERIA ANALYSIS
The majority logic criteria (MLC) suite is a set of analyses that enables us to determine the suitability of substitution-boxes for image encryption applications. This set of tools also makes it possible to assess the encryption effect and compare the encrypted content with the plain-images [38], [55], [56]. The complete suite of MLC analysis includes component measures such as entropy, correlation, contrast, energy, and homogeneity. An S-box based encryption is deemed strong if the encrypted images tend to show high entropy close to 8, low correlation close to 0, high contrast, low energy, and low homogeneity. These individual components of the MLC suite are mathematically defined as follows:

FIGURE 7. Histograms of test images: plain-images (first column) and encrypted-images (second column).

Information entropy is used to measure the randomness content in data. If the data has uniformly distributed elements, then the entropy of the data will be high [72], [73]. The entropy is expressed as:

where $p(s_i)$ is the probability of the pixel gray-value $s_i$ (i = 0 ∼ 255) of an image source.

Meaningful imagery data has high correlation between neighboring pixels. A strong image cryptosystem should be able to diminish any such correlation within the encrypted content [74]. The correlation coefficient is defined as:

where i represents the row position and j the column position in the image under examination. The parameters µ and σ are the variance and standard deviation, respectively.

The contrast is related to the intensity difference among the neighboring pixels of an image. A good encryption method tends to bring high contrast to the encrypted image [75]. It is computed as:

where p(i, j) represents the position of pixels in the gray level co-occurrence matrix (GLCM).

The energy of an image measures the rate of change in color or brightness of the pixels in an image. Accordingly, an encrypted image is expected to have low energy [76]. The energy is evaluated as:

where η(i, j) is the number of GLCM matrices.

Homogeneity of a region is related to the changes in intensities that appear in that region of an image [77], [78]. The homogeneity is calculated as:

We applied this suite of statistical analyses to evaluate the stability and suitability of our generated S-box based image encryption method. The MLC analysis is performed on the four test images, and the results obtained for plain-images and encrypted-images from our method are shown in Table 14. We compare our S-box encryption results with some recently investigated S-box based image encryption algorithms. Table 15 reports the comparison of MLC results on the standard Lena image, whereas the comparison of the MLC results for the Baboon image is made in Table 16. It is quite clear that our S-box based image encryption method performs fairly better than many other S-box based image encryption algorithms.

D. ENCRYPTION TIME ANALYSIS
Encryption time is among the imperative factors for practicability and suitability in wireless sensor network-based systems, the Internet of Things and other lightweight security applications. An image cryptosystem should consume negligible time to encrypt or decrypt images. The proposed image encryption algorithm performs M re-arrangements of rows and N re-arrangements of columns during the pixel permutation phase, whereas it needs to perform 6L mod(.), L floor(.), 2L bitxor(.), and L circshift(.) operations during the substitution phase, where L = M × N. To perform the encryption time analysis, we computed the time taken by our S-box based image encryption method. We found that it takes only 0.3732 seconds to encrypt an 8-bit encoded gray-scale image of size 256×256, and 1.3605 seconds to encrypt 512×512 sized images. This provides a throughput of more than 1370 kbps. The encryption time comparison made in Table 17 indicates that our encryption method is considerably faster in generating the encrypted images. The encryption time is shorter than that of many recent encryption algorithms investigated in [53], [62], [69]-[71], [76], [80], [81].

V. CONCLUSION
In this paper, we have proposed a simple and efficient technique for S-box construction using a novel transformation, modular inverses and permutation. An example S-box was evaluated and analyzed to verify its cryptographic strength using standard criteria. Then, its performance was analyzed by comparing it with other recently proposed S-boxes. The outcomes are in line with the required benchmarks, which validates our technique, and the proposed S-box performs well when compared with other S-boxes. An image encryption method based on the generated S-box is also suggested. The image encryption method involves pixel permutation and substitution using our S-box. The different statistical performance measures indicate the suitability of the proposed S-box for image encryption applications.