Efficient and Secure Substitution Box and Random Number Generators Over Mordell Elliptic Curves

10/12/2019 · by Ikram Ullah, et al.

Elliptic curve cryptography has received great attention in recent years due to its high resistance against modern cryptanalysis. The aim of this article is to present efficient generators to generate substitution boxes (S-boxes) and pseudo random numbers which are essential for many well-known cryptosystems. These generators are based on a special class of ordered Mordell elliptic curves. Rigorous analyses are performed to test the security strength of the proposed generators. For a given prime, the experimental results reveal that the proposed generators are capable of generating a large number of distinct, mutually uncorrelated, cryptographically strong S-boxes and sequences of random numbers in low time and space complexity. Furthermore, it is evident from the comparison that the proposed schemes can efficiently generate secure S-boxes and random numbers as compared to some of the well-known existing schemes over different mathematical structures.




I Introduction

Recent advancements in the field of communication systems and computational methods necessitate improvements in the traditional cryptosystems. Substitution box (S-box) and pseudo random number generator (PRNG) play an important role in many cryptosystems such as Data Encryption Standard (DES) [1], Advanced Encryption Standard (AES) [2], Twofish security system [3], Blowfish cryptosystem [4], International Data Encryption Algorithm (IDEA) [5] and the cryptosystems developed in [6, 7, 8, 9]. It has been pointed out by many researchers that the security of a cryptosystem can be improved by using dynamic S-boxes instead of a single static S-box, see for example [10, 11, 12, 13, 14, 15]. This fact necessitates the development of new S-box generators which can generate a large number of distinct and mutually uncorrelated S-boxes with high cryptographic properties in low time and space complexity [16].

Many researchers have proposed improved S-box generators and PRNGs to enhance the security of data against modern cryptanalysis. These improvements are mainly based on finite field arithmetic and chaotic systems. Khan and Azam [17, 18] developed two different methods to generate 256 cryptographically strong S-boxes by using Gray codes and affine mapping. Jakimoski and Kocarev [19] used chaotic maps to develop a four-step method for the generation of an S-box. Özkaynak and Özer [20] introduced a new method based on a chaotic system to develop secure S-boxes. Unlike the traditional use of chaotic maps, Wang et al. [21] proposed an efficient algorithm to construct S-boxes using a genetic algorithm and chaotic maps. Yin et al. [22] proposed an S-box design technique using iteration of chaotic maps. Tang and Liao [23] constructed S-boxes based on an iterated discretized chaotic map. Lambić [24] used a special type of discrete chaotic map to obtain bijective S-boxes. Özkaynak et al. [25] proposed a new S-box based on a fractional order chaotic Chen system. Zhang et al. [26] used I-Ching operators for the construction of highly non-linear S-boxes, and the proposed approach is very efficient.

Similarly, chaotic systems are used to generate pseudo random numbers (PRNs), see for example [27, 28, 29, 30, 31]. Francois et al. [27] presented a PRNG based on chaotic maps to construct multiple key sequences. Patidar and Sud [28] designed a PRNG with optimal cryptographic properties using chaotic logistic maps. Guyeux et al. [29] developed a chaotic PRNG with the properties of topological chaos which offers sufficient security for cryptographic purposes. Stojanovski and Kocarev [30] analyzed a PRNG based on a piecewise linear one dimensional chaotic map. Fan et al. [31] proposed a PRNG using generalized Henon map, and a novel technique is used to improve the characteristics of the proposed sequences.

It has been pointed out by Jia et al. [7] that the PRNs generated by a chaotic system can have a small period due to hardware computation issues, and they revealed that elliptic curves (ECs) offer higher security than chaotic systems. However, the computation over ECs is usually performed by the group law, which is computationally inefficient. Hayat and Azam [6] proposed an efficient S-box generator and a PRNG based on ECs by using a total order as an alternative to the group law. This S-box generator is more efficient than the other methods over ECs; however, its time and space complexity are and , respectively, where is the prime of the underlying EC. Furthermore, the S-box generator does not guarantee the generation of an S-box. The PRNG proposed by Hayat and Azam [6] also takes and time and space, respectively, to generate a sequence of pseudo random numbers (SPRNs) of size . Azam et al. [16] proposed an improved S-box generation method to generate bijective S-boxes by using ordered Mordell elliptic curves (MECs). The main advantage of this method is that its time and space complexity are and , respectively, where is the size of an S-box. Azam et al. [32] proposed another S-box generator to generate , where injective S-boxes which can generate a large number of distinct and mutually uncorrelated S-boxes by using the concept of isomorphism on ECs. The time and space complexity of this method are and , where and is the size of the co-domain of the resultant S-box. A common drawback of these S-box generators is that the cryptographic properties of their optimal S-boxes are far from the theoretical optimal values.

The aim of this paper is to propose an efficient S-box generator and a PRNG based on an ordered MEC to generate a large number of distinct, mutually uncorrelated S-boxes and PRNs with optimal cryptographic properties in low time and space complexity to overcome the above mentioned drawbacks. The rest of the paper is organized as follows: In Section II basic definitions are discussed. The proposed S-box generator is described in Section III. Section IV consists of security analysis and comparison of the S-box generator. The proposed algorithm for generating PRNs and some general results are given in Section V. The proposed SPRNs are analyzed in Section VI, while Section VII concludes the whole paper.

II Preliminaries

Throughout this paper, we denote a finite set simply by . A finite field over a prime number is the set denoted by with the binary operations of addition and multiplication modulo . A non-zero integer is said to be a quadratic residue (QR) if there exists an integer such that . A non-zero integer in which is not a QR is said to be a quadratic non-residue (QNR).

For a prime , non-negative and positive , the EC over a finite field is defined to be the collection of identity element

and ordered pairs

such that

In this setting, we call and the parameters of . The number of all such points can be calculated using Hasse’s theorem [34]

Two ECs and over are isomorphic if and only if there exists a non-zero integer such that and . In this case, is called the isomorphism parameter between the ECs and . For an isomorphism parameter , each point is mapped to . Note that isomorphism is an equivalence relation on all ECs over , and therefore all ECs can be divided into equivalence classes [32]. For the sake of simplicity we represent an arbitrary class by and assume that the class contains the EC . A non-negative integer such that is called the representative of the class . Clearly, it holds that .

An EC with is said to be a Mordell elliptic curve. The following theorem is from [34, 6.6 (c), p. 188].

Theorem 1.

Let be a prime such that . For each non-zero , the MEC has exactly distinct points, and has each integer from exactly once as a -coordinate.

Furthermore, by [32, Lemma 1] it follows that there are only two classes of MECs when . Henceforth, we denote an MEC by simply and the term MEC stands for an MEC such that .

For a subset of and an ordered MEC , we define a total order on w.r.t. the ordered MEC such that for any two elements it holds that if and only if . For any two non-negative integers and such that , we define an -complete set to be a set of size such that for each element , it holds that , and no two elements of are congruent with each other under modulo , i.e., for each , it holds that . We denote an ordered set with a total order by an ordered pair . Let be an ordered set; for any two elements such that , we read as is smaller than or is greater than w.r.t. the order . For simplicity, we represent the elements of in the form of a non-decreasing sequence and denotes the -th element of the ordered set in its sequence representation. For an ordered MEC and an -complete set , we define the ordered -complete set with ordering due to and such that for any two elements with and , where , it holds that if and only if .

For a given MEC , Azam et al. [16] defined three typical types of orderings, namely the natural , diffusion and modulo diffusion orderings, based on the coordinates of the points on as

III The Proposed S-box Construction Scheme

For an ordered MEC , an -complete set and a non-negative integer , we define an -complete S-box due to , and to be a mapping from to such that , where is the -th element of the ordered -complete set in its sequence representation.

Lemma 2.

For any ordered MEC , an -complete set and a non-negative integer , the -complete S-box is a bijection.


Suppose on the contrary that there exist such that . This implies that , where and and . This contradicts the fact that is an -complete set. Thus, is a one-to-one mapping between finite sets of the same order, and hence it is a bijection. ∎

For prime and , an -complete subset of the MEC is given in Table I, while the -complete S-box due to the ordered MEC is presented in Table II in hexadecimal format. Each entry of Table II is obtained from the corresponding entry of Table I by applying the modulo operator.

A792 4A5C 9AF5 01C5 0421 814D B3A2 5CA3 834B 9F90 1C7D BF6A 0A11 7A9D 9E91 6135
1D8D 9425 3F36 7954 1E1E 5B47 1420 71CA 8089 80C4 3150 12EF 36C3 BEA7 6170 2256
298A 005E 8032 0F00 270A 51D0 421C 0942 6BDF 2848 87FC 4418 2BFB 121B 6F2D 11CC
0886 8E53 6BD2 AC14 B65B 062B 37F1 B627 47D4 59A6 2878 7D76 76CB 7005 0CBE 8F8F
609E 7A83 61F4 23C0 3AC2 3502 BC40 88DE 3645 2EEC B8B3 BBD9 84D5 165F C061 0BE8
AE34 6431 906B 15E4 BE74 5423 10AA 4D75 B037 556F 6F99 242E 31AD C9F9 A679 3F82
749A 7F55 9267 AF29 33BC 1A0E 270D 2312 7857 B730 5C17 AAA4 7DF7 698B 7FDB 66AC
A203 B46D 7DE9 7E80 72B2 97E1 70D1 18D8 76ED 4677 7A4E 7F3F 96B8 8A94 91D3 8295
6E0F 7A0B 221A 11C7 A7A1 1563 33BB 15EA 62BA 0EB9 8041 6998 C260 127C 0B2F 38AE
7626 12A8 50D6 B0CE 67CD 766C 22BD 109F 4E4C CBF2 5CA5 2528 1964 4724 CAAF 0966
A587 AE01 5584 0A3D 3859 7504 063E 5251 767B 0AFF 50E7 7765 2688 BC58 972A 0EE6
295A 0BB6 4B43 5906 476E C5C9 20A9 45AB C57A 1D07 694A B57F 0D15 1CBF ABFA C3B5
2096 B138 A671 A262 BAF3 4CB1 054F C5DD 9B85 C144 BBDC 7969 C85D 91C6 0A49 9DE2
C6DA 278C 1C13 29D7 708E 827E 0FC8 4FEB 4BEE 1F97 20FE 26E0 0E93 4E9C A2E5 841D
ADF0 B273 A6E3 440C AB08 3952 103A A472 C42C 36CF 9768 6809 0E22 C439 291F AEFD
A7C1 C23B 2FF6 A046 3BB4 ACA0 5A9B 95F8 7919 4381 A9B0 7110 7433 1816 39B7 1A3C
TABLE I: The -complete set
92 5C F5 C5 21 4D A2 A3 4B 90 7D 6A 11 9D 91 35
8D 25 36 54 1E 47 20 CA 89 C4 50 EF C3 A7 70 56
8A 5E 32 00 0A D0 1C 42 DF 48 FC 18 FB 1B 2D CC
86 53 D2 14 5B 2B F1 27 D4 A6 78 76 CB 05 BE 8F
9E 83 F4 C0 C2 02 40 DE 45 EC B3 D9 D5 5F 61 E8
34 31 6B E4 74 23 AA 75 37 6F 99 2E AD F9 79 82
9A 55 67 29 BC 0E 0D 12 57 30 17 A4 F7 8B DB AC
03 6D E9 80 B2 E1 D1 D8 ED 77 4E 3F B8 94 D3 95
0F 0B 1A C7 A1 63 BB EA BA B9 41 98 60 7C 2F AE
26 A8 D6 CE CD 6C BD 9F 4C F2 A5 28 64 24 AF 66
87 01 84 3D 59 04 3E 51 7B FF E7 65 88 58 2A E6
5A B6 43 06 6E C9 A9 AB 7A 07 4A 7F 15 BF FA B5
96 38 71 62 F3 B1 4F DD 85 44 DC 69 5D C6 49 E2
DA 8C 13 D7 8E 7E C8 EB EE 97 FE E0 93 9C E5 1D
F0 73 E3 0C 08 52 3A 72 2C CF 68 09 22 39 1F FD
C1 3B F6 46 B4 A0 9B F8 19 81 B0 10 33 16 B7 3C
TABLE II: The proposed -complete S-box

Next we present two efficient algorithms to compute an -complete S-box. The first algorithm is based on Theorem 1.

Input:  An ordered MEC , an -complete set  and a non-negative integer .
Output:  The proposed -complete S-box .
1:  ; /*A set containing the points of with -coordinates from */
2:  for each  do
3:     ; No;
4:     while  No do
5:        ;
6:        if  then
7:            Yes;
8:        end if;
10:     end while
11:  end for;
12:  Sort w.r.t. the element of , i.e., sort w.r.t. the ordering ;
13:  ;
14:  for each integer  do
15:     , where is the -th element of the ordered -complete set
16:  end for;
17:  Output as the -complete S-box .
Algorithm 1 Constructing the proposed S-box
Lemma 3.

For an ordered MEC , an -complete set and a non-negative integer , the -complete S-box can be computed in time and space by using Algorithm 1.


In Algorithm 1 there is a for-loop of size over the elements of , which has a nested while-loop to compute the subset of the MEC such that the points in have -coordinates in . This step is necessary to compute the ordered -complete set due to and . Note that the nested while-loop iterates at most times, since by Theorem 1, for each there is a unique such that . Thus, this for-loop and while-loop take time in the worst case, while the sorting of takes time. Finally, there is another independent for-loop of size to compute the sequence , which takes time. Thus, Algorithm 1 takes time to execute in the worst case. By using the fact that , since and , and by the property of the notation, the time complexity of Algorithm 1 is . Furthermore, Algorithm 1 only stores sets of size , and therefore its space complexity is . This completes the proof. ∎
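As an added example (not the paper's code), the construction of this section in Python: for each y-coordinate in the complete set the single curve point is found with the cube-root exponent (2p-1)/3, a standard consequence of p = 2 (mod 3) that is swapped in here for the search loop of Algorithm 1 and the isomorphism lookup of Algorithm 2; the points are then sorted under an assumed lexicographic (x, y) ordering and reduced modulo m. The parameter names p, b, A, m, n, the requirement n <= p and the toy values are my assumptions.

```python
# Added example (not the paper's code): the complete S-box of Section III from the
# Mordell elliptic curve y^2 = x^3 + b over F_p with p = 2 (mod 3). Assumptions not
# fixed by this page: points are ordered lexicographically on (x, y); the unique
# x for a given y (Theorem 1) is found with the cube-root exponent (2p-1)/3 in
# place of Algorithm 1's search loop or Algorithm 2's isomorphism lookup; and the
# complete set A has size m, entries below n, with n <= p.
from typing import Iterable, List, Optional, Tuple

Point = Tuple[int, int]


def is_mec_prime(p: int) -> bool:
    """Prime p with p = 2 (mod 3): the setting of Theorem 1."""
    if p < 2 or p % 3 != 2:
        return False
    return all(p % d for d in range(2, int(p ** 0.5) + 1))


def cube_root_mod_p(c: int, p: int) -> int:
    """Unique x with x^3 = c in F_p when p = 2 (mod 3): x = c^((2p-1)/3)."""
    return pow(c % p, (2 * p - 1) // 3, p)  # 3 * (2p-1)/3 = 1 (mod p-1)


def mec_point_with_y(y: int, b: int, p: int) -> Point:
    """The single affine point (x, y) on y^2 = x^3 + b with this y-coordinate."""
    x = cube_root_mod_p(y * y - b, p)
    assert (x ** 3 + b - y * y) % p == 0
    return (x, y)


def mec_affine_points(b: int, p: int) -> List[Point]:
    """All p affine points, one per y (Theorem 1), in lexicographic order."""
    return sorted(mec_point_with_y(y, b, p) for y in range(p))


def theorem1_holds(b: int, p: int) -> bool:
    """Cross-check against brute force: exactly p affine points, one per y."""
    brute = sorted((x, y) for x in range(p) for y in range(p)
                   if (x ** 3 + b - y * y) % p == 0)
    return brute == mec_affine_points(b, p) and len(brute) == p


def is_complete_set(A: Iterable[int], n: int, m: int) -> bool:
    """Size m, every element below n, residues modulo m pairwise distinct."""
    A = list(A)
    return (len(A) == m and all(0 <= a < n for a in A)
            and len({a % m for a in A}) == m)


def complete_sbox(p: int, b: int, A: List[int], m: int,
                  n: Optional[int] = None) -> List[int]:
    """sigma(i) = (i-th y of A in curve order) mod m, a bijection by Lemma 2."""
    n = p if n is None else n
    if not is_mec_prime(p) or b % p == 0 or n > p:
        raise ValueError("need prime p = 2 (mod 3), b != 0 and n <= p")
    if not is_complete_set(A, n, m):
        raise ValueError("A is not a complete set for the given (n, m)")
    points = sorted(mec_point_with_y(y, b, p) for y in A)  # one point per y in A
    return [y % m for (_, y) in points]


def is_bijective_sbox(sbox: List[int], m: int) -> bool:
    """Lemma 2 check: the m outputs are exactly 0..m-1."""
    return sorted(sbox) == list(range(m))


if __name__ == "__main__":
    # Constructed toy parameters: p = 11, b = 1, m = 4, A = {1, 2, 3, 8}.
    print(mec_affine_points(1, 11))
    print(complete_sbox(11, 1, [1, 2, 3, 8], 4))  # [1, 3, 0, 2]
```

Dropping the completeness check on A gives the y mod m sequence that Section V reuses as a random number sequence; with it, every output is a permutation as Lemma 2 states.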

Next we present another algorithm for the generation of -complete S-boxes on a fixed MEC. For this we prove the following results.

For a fixed ordered MEC , a positive integer and an integer , let Num denote the total number of -complete S-boxes, possibly with repetition, generated due to the ordered MEC, and .

Lemma 4.

For a fixed ordered MEC and a positive integer , the total number of -complete S-boxes, possibly with repetition, generated due to the MEC is equal to , where , and .


For a fixed integer , it holds by the definition of -complete S-box that the total number of -complete S-boxes, possibly with repetition, generated due to the ordered MEC, and is equal to the number of distinct -complete sets. If , where , then there are (resp., ) integers (resp., ) such that (resp., ). Thus, to construct an -complete set there are (resp., ) choices of an integer such that (resp., ). This implies that there are distinct -complete sets. Hence, the number of -complete S-boxes due to the MEC is , since . ∎

Observation 5.

For any subset of an MEC there exists a unique subset of either MEC or and a unique integer such that for each there exists a unique point for which it holds that and .

It is important to mention that for each subset such that the set of -coordinates of its points is an -complete set, the set of -coordinates of the points of is not necessarily an -complete set. This is illustrated in Example 1.

Example 1.

Let be a subset of with an -complete set of -coordinates, where . Then for , there exists with -coordinates from the set which is not an -complete set.

By Observation 5, we can avoid the while-loop used in Algorithm 1 to find -coordinate for each element in an -complete set .

Input:  An MEC , where , multiplicative inverse of in , where , a total order on the MEC , an -complete set and an integer .
Output:  The proposed -complete S-box .
1:  ; /*A set containing the points of with -coordinates from the set */
2:  for each  do
3:     ;
4:     Find such that ;
5:     ;
6:  end for;
7:  Sort w.r.t. the element of ;
8:  ;
9:  for each integer  do
10:     , where is the -th element of the ordered -complete set
11:  end for;
12:  Output as the -complete S-box .
Algorithm 2 Constructing the proposed S-box using the EC isomorphism
Lemma 6.

For an ordered MEC , where for some and , an -complete set and a non-negative integer , the -complete S-box can be computed in time and space by using Algorithm 2.


There is a for-loop over the set of size that finds the -coordinate for each element over the MEC . Note that at line 4 of Algorithm 2, can be computed in constant time, i.e., , because by Theorem 1 the MEC has each element of exactly once as a -coordinate. Thus, the for-loop over runs in . The remaining part of Algorithm 2 takes time. Hence, by the property of the notation, Algorithm 2 takes time. Moreover, Algorithm 2 stores only a set of size other than its inputs, and therefore its space complexity is . ∎

Note that using Algorithm 2 is practical, since Lemma 4 implies that for a given ordered MEC we can generate a large number of -complete S-boxes. However, , where , and for must be given as input to Algorithm 2. We know that ; now the next important question is how to find the representative of the class of MECs. For this we prove the following results.

Lemma 7.

An MEC is an element of the class if and only if there exists an integer such that .


Consider the MEC . Then for the equation is satisfied by . This implies that , and hence the required statement is true for the MEC . Let , where . Then there exists an isomorphism parameter between and such that . Hence, for each MEC there exists an integer such that .

To prove the converse, suppose on the contrary that there is an MEC with a point for some and . This implies that there does not exist an integer such that . Thus, for all . But it follows from that for some , which is a contradiction. Hence . ∎

Lemma 8.

For a prime , the representative of the class is a QNR integer in the field .


Let . Suppose on the contrary that is a QR in the field , i.e., for some integer . It follows from the equation that . By Lemma 7, it holds that , which contradicts our assumption. So, is a QNR, and hence is a QNR. ∎

Euler’s Criterion is a well-known method to test if a non-zero element of the field is a QR or not. We state this test in Lemma 9.

Lemma 9.

[33, p. 1797] An element is a QR if and only if .

IV Security Analysis and Comparison

In this section, a detailed analysis of the proposed S-box is performed. Most cryptosystems use S-boxes, and therefore we use the -complete S-box given in Table II, generated by the proposed method, for the experiments. The cryptographic properties of the proposed S-box are also compared with those of some well-known S-boxes developed over different mathematical structures.

IV-A Linear Attacks

Linear attacks exploit linear relationships between input and output bits. A cryptographically strong S-box is one which can strongly resist linear attacks. The resistance of an S-box against linear attacks is evaluated by well-known tests including non-linearity [35], linear approximation probability [36] and algebraic complexity [37]. For a bijective S-box , the non-linearity NL and the linear approximation probability LAP can be computed by Eqs. (1) and (2), respectively, while its algebraic complexity AC is measured by the number of non-zero terms in its linearized algebraic expression [38].


where , ,  and “” represents the inner product over

An S-box is said to be highly resistant against linear attacks if it has NL close to , low LAP and AC close to .

The experimental results of NL, LAP and AC of the proposed S-box and some of the well-known S-boxes are given in Table III. Note that the proposed S-box has NL, LAP and AC close to the optimal values. The of is greater than that of the S-boxes in [39, 32, 6, 16, 21, 40, 19, 20, 41, 26, 43, 42, 44] and equal to that of [2]. The of is less than that of the S-boxes in [39, 32, 6, 16, 21, 40, 19, 20, 41, 43, 26, 42, 44], and the AC of attains the optimal value, which is . Thus the proposed method is capable of generating S-boxes with optimal resistance against linear attacks as compared to some of the existing well-known S-boxes.

IV-B Differential Attack

In this attack, cryptanalysts try to approximate the original message by observing a particular difference in the output bits for a given difference in the input bits. The strength of an S-box against it is measured by its differential approximation probability DAP, computed using Eq. (3).


where   and “” denotes bit-wise addition over .

An S-box is highly secure against differential attacks if its DAP is close to . In Table III, the of and other existing S-boxes is given. Note that the DAP of the proposed S-box is , which is close to the optimal value . Furthermore, it is evident from Table III that the DAP of the proposed S-box is less than that of the S-boxes in [39, 32, 6, 16, 21, 40, 19, 20, 41, 43, 26, 42, 44], and hence the proposed scheme can generate S-boxes with high resistance against differential attacks.

IV-C Analysis of Boolean Functions

It is necessary to analyze the Boolean functions of a given S-box to measure its capability to create confusion and diffusion. For an S-box, the strict avalanche criterion SAC and the bit independence criterion BIC are used to analyze its Boolean functions. The SAC and the BIC are computed by two matrices and , respectively, such that




where is the Hamming weight of , such that , and are the -th and -th Boolean functions of , respectively, and . An S-box satisfies the SAC and the BIC if each non-diagonal entry of and has a value close to . The maximum and minimum values of the SAC (resp., BIC) of the proposed S-box are and (resp., and ). Note that these values are close to , and hence the proposed S-box satisfies the SAC and the BIC. Similarly, the SAC and the BIC of some other S-boxes are listed in Table III and compared with the results of the proposed S-box. It is evident from Table III that the proposed S-box creates more confusion and diffusion than some of the listed S-boxes.

                    Linear attacks         DAP    Analysis of Boolean functions
S-box       Type    NL    LAP    AC               SAC (max)  SAC (min)  BIC (max)  BIC (min)
Ref. [41]   other   102   0.133  254    0.039     0.562      0.359      0.535      0.467
Ref. [26]   other   108   0.133  255    0.039     0.563      0.493      0.545      0.475
Ref. [2]    other   112   0.062  09     0.016     0.562      0.453      0.504      0.480
Ref. [44]   Chaos   108   0.156  255    0.046     0.502      0.406      0.503      0.47
Ref. [21]   Chaos   108   0.145  255    0.039     0.578      0.406      0.531      0.470
Ref. [40]   Chaos   103   0.132  255    0.039     0.570      0.398      0.535      0.472
Ref. [19]   Chaos   100   0.129  255    0.039     0.594      0.422      0.525      0.477
Ref. [20]   Chaos   100   0.152  255    0.039     0.586      0.391      0.537      0.468
Ref. [43]   Chaos   110   0.125  255    0.039     0.562      0.438      0.555      0.473
Ref. [42]   Chaos   74    0.211  253    0.055     0.688      0.109      0.551      0.402
Ref. [39]   EC      104   0.145  255    0.039     0.625      0.391      0.531      0.471
Ref. [6]    EC      106   0.148  254    0.039     0.578      0.437      0.535      0.464
Ref. [32]   EC      106   0.188  253    0.039     0.609      0.406      0.527      0.465
Ref. [16]   EC      106   0.148  255    0.039     0.641      0.406      0.537      0.471
Proposed    EC      112   0.063  255    0.016     0.563      0.438      0.521      0.479
TABLE III: Comparison of the proposed and other existing S-boxes
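An added example, not from the paper, that computes the metrics of Table III for an arbitrary n-bit S-box given as a list of 2^n integers. Since Eqs. (1)-(3) and the SAC/BIC matrix formulas are not reproduced on this page, it assumes the standard Walsh-spectrum, linear-bias and difference-distribution definitions, and a BIC matrix that averages the SAC value of f_j xor f_k over the input bits; the identity map and the public PRESENT S-box serve as inputs.

```python
# Added example, not from the paper: the Section IV metrics (NL, LAP, DAP, SAC,
# BIC) for an n-bit S-box given as a list of 2^n integers. Assumption: Eqs. (1)-(3)
# and the SAC/BIC matrices, which are not reproduced on this page, are the usual
# Walsh-spectrum, linear-bias and difference-distribution definitions below.
from typing import List, Tuple


def _parity(v: int) -> int:
    return bin(v).count("1") & 1

def _fwht(a: List[int]) -> List[int]:
    """Fast Walsh-Hadamard transform of a +/-1 sequence (returns a copy)."""
    a = a[:]
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a

def walsh_max(sbox: List[int], n: int) -> int:
    """max over output masks b != 0 and input masks a of |sum_x (-1)^(a.x + b.S(x))|."""
    best = 0
    for b in range(1, 1 << n):
        component = [1 - 2 * _parity(b & sbox[x]) for x in range(1 << n)]
        best = max(best, max(abs(w) for w in _fwht(component)))
    return best

def nonlinearity(sbox: List[int], n: int) -> int:
    """NL = 2^(n-1) - W_max/2; 112 is the best known value for n = 8 (as in AES)."""
    return (1 << (n - 1)) - walsh_max(sbox, n) // 2

def lap(sbox: List[int], n: int) -> float:
    """LAP = max_{a, b != 0} |#{x : a.x = b.S(x)}/2^n - 1/2| = W_max / 2^(n+1)."""
    return walsh_max(sbox, n) / (1 << (n + 1))

def dap(sbox: List[int], n: int) -> float:
    """DAP = max_{dx != 0, dy} #{x : S(x) xor S(x xor dx) = dy} / 2^n."""
    size = 1 << n
    best = 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best / size

def sac_matrix(sbox: List[int], n: int) -> List[List[float]]:
    """M[i][j] = Pr_x[output bit j of S flips when input bit i is flipped]."""
    size = 1 << n
    M = [[0] * n for _ in range(n)]
    for i in range(n):
        for x in range(size):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(n):
                M[i][j] += (d >> j) & 1
    return [[c / size for c in row] for row in M]

def bic_matrix(sbox: List[int], n: int) -> List[List[float]]:
    """B[j][k], j != k: SAC value of f_j xor f_k averaged over the input bits i."""
    size = 1 << n
    B = [[0.0] * n for _ in range(n)]
    for j in range(n):
        for k in range(n):
            if j == k:
                continue
            flips = 0
            for i in range(n):
                for x in range(size):
                    d = sbox[x] ^ sbox[x ^ (1 << i)]
                    flips += ((d >> j) ^ (d >> k)) & 1
            B[j][k] = flips / (n * size)
    return B

def offdiag_range(M: List[List[float]]) -> Tuple[float, float]:
    """(min, max) of the off-diagonal entries, the form reported in Table III."""
    n = len(M)
    vals = [M[i][j] for i in range(n) for j in range(n) if i != j]
    return min(vals), max(vals)


# Constructed inputs: the identity map (worst case) and the public PRESENT S-box.
IDENTITY_4 = list(range(16))
PRESENT_4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
```

Feeding the 256 entries of Table II as integers with n = 8 lets the NL, LAP, DAP, SAC and BIC values be compared against the proposed S-box's row of Table III.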

IV-D Distinct S-boxes

An S-box generator is useful for resisting cryptanalysis if it can generate a large number of distinct S-boxes [16]. For the parameters and , the number of -complete S-boxes Num is . The computational results show that all of these -complete S-boxes are distinct. However, this is not the case in general.

An -complete S-box is said to be a natural -complete S-box if . For a prime and ordering , let denote the largest integer such that and there exist at least two ordered MECs and due to which the natural -complete S-boxes are identical, i.e., for any fixed the number of natural -complete S-boxes due to all ordered MECs with prime , ordering and is equal to . A plot of primes and the integers is given in Fig. 1, where the underlying ordering is the natural ordering . For the orderings and , such plots are similar to that of . It is evident from Fig. 1 that with the increase in the value of the prime, there is no significant increase in the value of , and the largest value of for these primes is . Hence, for each of these primes, each and , we can get distinct natural -complete S-boxes with .

Fig. 1: Plot of primes and their corresponding largest integers
Lemma 10.

Let be a fixed total order on all MECs in such that for each MEC it holds that the points , where is the additive inverse of in , have indices from the set in the sequence representation of the MEC. Then for a fixed integer , the number of distinct natural -complete S-boxes generated by all MECs in is at least


Let be an MEC in , where . Then by Lemma 7, for some . Further, the fact that if then , where is the additive inverse of in the field , implies that . Moreover, by a group-theoretic argument, exactly one of the integers and belongs to the interval . Hence, for a fixed and the natural -complete S-box it holds that if have indices from the set in the sequence representation of . Note that a point cannot appear on two different MECs and , otherwise this implies that . Thus, for any two MECs in satisfying the conditions given in the lemma it holds that the natural -complete S-boxes and have different images at a fixed input . This implies the required result. ∎

For three different primes, distinct S-boxes are generated by the proposed method and compared with the existing schemes over ECs, as shown in Table IV. It is evident that the proposed S-box generator performs better than the other schemes.

Prime                                1889    2111    2141
                                     1888       1       7
Distinct S-boxes by the             32768   32768   32768
proposed method due to the          31744   32704   30720
ordering (one row per ordering)     15360   26748   21504
Distinct S-boxes by Ref. [32]         944    1055    1070
(one row per ordering)                944    1055    1070
                                      944    1055    1070
Distinct S-boxes by Ref. [6]           50     654     663
Distinct S-boxes by Ref. [39]           1       1       1
TABLE IV: Comparison of the number of distinct S-boxes generated by different schemes

The number stands for an integer greater than .

IV-E Fixed Point Test

An S-box construction scheme is cryptographically good if the average number of fixed points in the constructed S-boxes is as small as possible [16]. The average number of fixed points of the S-boxes generated above is shown in Table V. The experimental results indicate that the proposed S-box generator generates S-boxes with a very small number of fixed points. Furthermore, the average number of fixed points in the proposed S-boxes is comparable with that of the existing schemes over ECs.

Prime                                 1889     2111     2141
                                      1888        1        7
Avg. # fixed points by the          1.1298   1.0844   1.0972
proposed method due to the          0.9471   0.8569   0.9393
ordering (one row per ordering)     0.8361   1.1847   1.0025
Avg. # fixed points by Ref. [32]      1.77   0.9735   0.9785
(one row per ordering)               1.932   0.9716   0.9561
                                     1.332   1.0019   1.0150
Avg. # fixed points by Ref. [6]       2.04   0.8976   0.9351
Avg. # fixed points by Ref. [39]         2        3        0
TABLE V: Comparison of average number of the fixed points in the S-boxes generated by different schemes

IV-F Correlation Test

The correlation test is used to analyze the relationship among the S-boxes generated by any scheme. A robust scheme generates S-boxes with low correlation [16]. The proposed method is evaluated by determining the correlation coefficients (CCs) of the designed S-boxes. The lower and upper bounds for their CCs are listed in Table VI, which reveal that the proposed scheme is capable of constructing S-boxes with very low correlation as compared to the other schemes over ECs.

Scheme      Ordering   Prime            Correlation
                                        Lower      Average    Upper
Proposed               1889    1888     -0.2685     0.0508    0.2753
Proposed               1889    1888     -0.2263     0.0523    0.2986
Proposed               1889    1888     -0.2817     0.0506    0.2902
Proposed               2111       1     -0.2718     0.0504    0.2600
Proposed               2111       1     -0.2596     0.0531    0.3025
Proposed               2111       1     -0.2779     0.0507    0.2684
Proposed               2141       7     -0.2682     0.0503    0.2666
Proposed               2141       7     -0.2565     0.0517    0.2890
Proposed               2141       7     -0.2744     0.0503    0.2858
Ref. [32]              1889    1888     -0.2782     0.0503    0.2756
Ref. [32]              1889    1888     -0.4637    -0.0503    0.2879
Ref. [32]              1889    1888     -0.2694     0.0501    0.4844
Ref. [32]              2111       1     -0.2597     0.0504    0.2961
Ref. [32]              2111       1     -0.3679     0.0500    0.3996
Ref. [32]              2111       1     -0.2720     0.0499    0.3019
Ref. [32]              2141       7     -0.2984     0.0500    0.3301
Ref. [32]              2141       7     -0.2661     0.0500    0.2639
Ref. [32]              2141       7     -0.2977     0.0501    0.2975
Ref. [6]               1889    1888     -0.0025     0.2322    0.9821
Ref. [6]               2111       1     -0.2932     0.0785    0.9988
Ref. [6]               2141       7     -0.2723     0.0629    0.9999
TABLE VI:  Comparison of CCs of S-boxes generated by different schemes

IV-G Time and Space Complexity

For a good S-box generator it is necessary to have low time and space complexity [16]. The time and space complexity of the newly proposed method are compared with those of some existing methods in Table VII. It follows that for a fixed prime the proposed method can generate an S-box in lower time and space than the other listed schemes. This makes the proposed S-box generator more efficient and practical.

S-box Ref. [39] Ref. [6] Ref. [32] Proposed method
Algorithm 1 Algorithm 2
Time complexity
Space complexity
TABLE VII: Comparison of time and space complexity of different S-box generators over ECs

V The Proposed Random Numbers Generation Scheme

For an ordered MEC , a subset , an integer and a non-negative integer , we define a sequence of pseudo random numbers (SPRNs) to be a sequence of length whose -th term is defined as , where is the -th element of the ordered set in its sequence representation.

One of the differences between the definition of an -complete S-box and that of the proposed SPRNs is that an -complete set is required as input for the S-box generation, since an S-box of length is a permutation on the set . Furthermore, Algorithms 1 and 2 can be used for the generation of the proposed SPRNs; however, we propose another algorithm which is more efficient than Algorithm 2 for this purpose. This new algorithm is also based on Observation 5, but there is no constraint on to be an -complete set, and hence we can generate all proposed SPRNs for a given prime by using , where .

Input:  An MEC , where , an integer , a total order on the MEC and a subset .
Output:  The proposed SPRNs .
1:  ; /*A set containing the points of with -coordinates from the set */
2:  for each  do
3:     Find such that