# Efficient and Secure Substitution Box and Random Number Generators Over Mordell Elliptic Curves

Elliptic curve cryptography has received great attention in recent years due to its high resistance against modern cryptanalysis. The aim of this article is to present efficient generators to generate substitution boxes (S-boxes) and pseudo random numbers which are essential for many well-known cryptosystems. These generators are based on a special class of ordered Mordell elliptic curves. Rigorous analyses are performed to test the security strength of the proposed generators. For a given prime, the experimental results reveal that the proposed generators are capable of generating a large number of distinct, mutually uncorrelated, cryptographically strong S-boxes and sequences of random numbers in low time and space complexity. Furthermore, it is evident from the comparison that the proposed schemes can efficiently generate secure S-boxes and random numbers as compared to some of the well-known existing schemes over different mathematical structures.


## I Introduction

Recent advancements in the field of communication systems and computational methods necessitate improvements in the traditional cryptosystems. Substitution box (S-box) and pseudo random number generator (PRNG) play an important role in many cryptosystems such as Data Encryption Standard (DES) [1], Advanced Encryption Standard (AES) [2], Twofish security system [3], Blowfish cryptosystem [4], International Data Encryption Algorithm (IDEA) [5] and the cryptosystems developed in [6, 7, 8, 9]. It has been pointed out by many researchers that the security of a cryptosystem can be improved by using dynamic S-boxes instead of a single static S-box, see for example [10, 11, 12, 13, 14, 15]. This fact necessitates the development of new S-box generators which can generate a large number of distinct and mutually uncorrelated S-boxes with high cryptographic properties in low time and space complexity [16].

Many researchers have proposed improved S-box generators and PRNGs to enhance the security of data against modern cryptanalysis. These improvements are mainly based on finite field arithmetic and chaotic systems. Khan and Azam [17, 18] developed two different methods to generate 256 cryptographically strong S-boxes by using Gray codes and affine mapping. Jakimoski and Kocarev [19] used chaotic maps to develop a four-step method for the generation of an S-box. Özkaynak and Özer [20] introduced a new method based on a chaotic system to develop secure S-boxes. Unlike the traditional use of chaotic maps, Wang et al. [21] proposed an efficient algorithm to construct S-boxes using a genetic algorithm and chaotic maps. Yin et al. [22] proposed an S-box design technique using iteration of chaotic maps. Tang and Liao [23] constructed S-boxes based on an iterated discretized chaotic map. Lambić [24] used a special type of discrete chaotic map to obtain bijective S-boxes. Özkaynak et al. [25] proposed a new S-box based on a fractional order chaotic Chen system. Zhang et al. [26] used I-Ching operators for the construction of highly non-linear S-boxes, and the proposed approach is very efficient.

Similarly, chaotic systems are used to generate pseudo random numbers (PRNs), see for example [27, 28, 29, 30, 31]. Francois et al. [27] presented a PRNG based on chaotic maps to construct multiple key sequences. Patidar and Sud [28] designed a PRNG with optimal cryptographic properties using chaotic logistic maps. Guyeux et al. [29] developed a chaotic PRNG with the properties of topological chaos which offers sufficient security for cryptographic purposes. Stojanovski and Kocarev [30] analyzed a PRNG based on a piecewise linear one-dimensional chaotic map. Fan et al. [31] proposed a PRNG using a generalized Henon map, and a novel technique is used to improve the characteristics of the proposed sequences.

It has been pointed out by Jia et al. [7] that the PRNs generated by a chaotic system can have a small period due to hardware computation issues, and they revealed that an elliptic curve (EC) offers higher security than a chaotic system. However, the computation over ECs is usually performed by the group law, which is computationally inefficient. Hayat and Azam [6] proposed an efficient S-box generator and a PRNG based on ECs by using a total order as an alternative to the group law. This S-box generator is more efficient than the other methods over ECs; however, its time and space complexity are and , respectively, where is the prime of the underlying EC. Furthermore, the S-box generator does not guarantee the generation of an S-box. The PRNG proposed by Hayat and Azam [6] also takes and time and space, respectively, to generate a sequence of pseudo random numbers (SPRNs) of size . Azam et al. [16] proposed an improved S-box generation method to generate bijective S-boxes by using ordered Mordell elliptic curves (MECs). The main advantage of this method is that its time and space complexity are and , respectively, where is the size of an S-box. Azam et al. [32] proposed another S-box generator to generate , where , injective S-boxes, which can generate a large number of distinct and mutually uncorrelated S-boxes by using the concept of isomorphism on ECs. The time and space complexity of this method are and , where and is the size of the co-domain of the resultant S-box. A common drawback of these S-box generators is that the cryptographic properties of their optimal S-boxes are far from the theoretical optimal values.

The aim of this paper is to propose an efficient S-box generator and a PRNG based on an ordered MEC to generate a large number of distinct, mutually uncorrelated S-boxes and PRNs with optimal cryptographic properties in low time and space complexity to overcome the above mentioned drawbacks. The rest of the paper is organized as follows: In Section II basic definitions are discussed. The proposed S-box generator is described in Section III. Section IV consists of security analysis and comparison of the S-box generator. The proposed algorithm for generating PRNs and some general results are given in Section V. The proposed SPRNs are analyzed in Section VI, while Section VII concludes the whole paper.

## II Preliminaries

Throughout this paper, we denote a finite set simply by . A finite field over a prime number is the set denoted by with the binary operations addition and multiplication modulo . A non-zero integer is said to be a quadratic residue (QR) if there exists an integer such that . A non-zero integer in which is not a QR is said to be a quadratic non-residue (QNR).

For a prime , non-negative and positive , the EC over a finite field is defined to be the collection of identity element

such that

$$y^2 \equiv x^3 + ax + b \pmod p.$$

In this setting, we call and the parameters of . The number of all such points can be calculated using Hasse’s theorem [34]

$$\left|\#E_{p,a,b} - p - 1\right| \le 2\sqrt{p}.$$

Two ECs and over are isomorphic if and only if there exists a non-zero integer such that and . In this case, is called the isomorphism parameter between the ECs and . For an isomorphism parameter , each point is mapped to . Note that isomorphism is an equivalence relation on all ECs over , and therefore all ECs can be divided into equivalence classes [32]. For the sake of simplicity, we represent an arbitrary class by and assume that the class contains the EC . A non-negative integer such that is called the representative of the class . Clearly, it holds that .

An EC with is said to be a Mordell elliptic curve. The following theorem is from [34, 6.6 (c), p. 188].

###### Theorem 1.

Let be a prime such that . For each non-zero , the MEC has exactly distinct points, and has each integer from exactly once as a -coordinate.

Furthermore, by [32, Lemma 1] it follows that there are only two classes of MECs when . Henceforth, we denote an MEC by simply and the term MEC stands for an MEC such that .

For a subset of and an ordered MEC , we define a total order on w.r.t. the ordered MEC such that for any two elements it holds that if and only if . For any two non-negative integers and such that , we define an -complete set to be a set of size such that for each element , it holds that , and no two elements of are congruent with each other modulo , i.e., for each , it holds that . We denote an ordered set with a total order by an ordered pair . Let be an ordered set; for any two elements such that , we read as is smaller than or is greater than w.r.t. the order . For simplicity, we represent the elements of in the form of a non-decreasing sequence , and denotes the -th element of the ordered set in its sequence representation. For an ordered MEC and an -complete set , we define the ordered -complete set with ordering due to and such that for any two elements with and , where , it holds that if and only if .

For a given MEC , Azam et al. [16] defined three typical types of orderings, namely natural , diffusion and modulo diffusion ordering, based on the coordinates of the points on as

## III The Proposed S-box Construction Scheme

For an ordered MEC , an -complete set and a non-negative integer , we define an -complete S-box due to , and to be a mapping from to such that , where is the -th element of the ordered -complete set in its sequence representation.

###### Lemma 2.

For any ordered MEC , an -complete set and a non-negative integer , the -complete S-box is a bijection.

###### Proof.

Suppose on the contrary that there exist such that . This implies that , where and and . This contradicts the fact that is an -complete set. Thus, is a one-to-one mapping between finite sets of the same order, and hence it is a bijection. ∎

For prime and , an -complete subset of the MEC is given in Table I, while the -complete S-box due to the ordered MEC is presented in Table II in hexadecimal format. Each entry of Table II is obtained from the corresponding entry of Table I by applying the modulo operator.

Next we present two efficient algorithms to compute an -complete S-box. The first algorithm is based on Theorem 1.

###### Lemma 3.

For an ordered MEC , an -complete set and a non-negative integer , the -complete S-box can be computed in time and space by using Algorithm 1.

###### Proof.

In Algorithm 1 there is a for-loop of size over the elements of , which has a nested while-loop to compute the subset of the MEC such that the points in have -coordinate in . This step is necessary to compute the ordered -complete set due to and . Note that the nested while-loop iterates at most times, since by Theorem 1, for each there is a unique such that . Thus, this for-loop and while-loop take time in the worst case, while the sorting of takes time. Finally, there is another independent for-loop of size to compute the sequence , which takes time. Thus, Algorithm 1 takes time to execute in the worst case. By using the fact that , since and , and by the property of notation, the time complexity of Algorithm 1 is . Furthermore, Algorithm 1 only stores sets of size , and therefore its space complexity is . This completes the proof. ∎

Next we present another algorithm for the generation of -complete S-boxes on a fixed MEC. For this we prove the following results.

For a fixed ordered MEC , a positive integer and an integer , let Num denote the total number of -complete S-boxes, possibly with repetition, generated due to the ordered MEC, and .

###### Lemma 4.

For a fixed ordered MEC and a positive integer , the total number of -complete S-boxes, possibly with repetition, generated due to the MEC is equal to , where , and .

###### Proof.

For a fixed integer , it holds by the definition of an -complete S-box that the total number of -complete S-boxes, possibly with repetition, generated due to the ordered MEC, and is equal to the number of distinct -complete sets. If , where , then there are (resp., ) integers (resp., ) such that (resp., ). Thus, to construct an -complete set there are (resp., ) choices of an integer such that (resp., ). This implies that there are distinct -complete sets. Hence, the number of -complete S-boxes due to the MEC is , since . ∎

###### Observation 5.

For any subset of an MEC there exists a unique subset of either MEC or and a unique integer such that for each there exists a unique point for which it holds that and .

It is important to mention that for each subset such that the set of -coordinates of its points is an -complete set, the set of -coordinates of the points of is not necessarily an -complete set. This is explained in Example 1.

###### Example 1.

Let be a subset of with an -complete set of -coordinates, where . Then for , there exists with -coordinates from the set which is not an -complete set.

By Observation 5, we can avoid the while-loop used in Algorithm 1 to find -coordinate for each element in an -complete set .

###### Lemma 6.

For an ordered MEC , where for some and , an -complete set and a non-negative integer , the -complete S-box can be computed in time and space by using Algorithm 2.

###### Proof.

There is a for-loop over the set of size for finding the -coordinate of each element over the MEC . Note that at line 4 of Algorithm 2, can be computed in constant time, i.e., . This is because, by Theorem 1, the MEC has each element of exactly once as a -coordinate. Thus, the for-loop over can be computed in . The remaining part of Algorithm 2 takes time. Hence, with the aid of the property of notation, Algorithm 2 takes time. Moreover, Algorithm 2 stores only a set of size , other than its inputs, and therefore its space complexity is . ∎

Note that using Algorithm 2 is practical, since Lemma 4 implies that for a given ordered MEC we can generate a large number of -complete S-boxes. However, , where , and for , should be given as input to Algorithm 2. We know that ; now the next important question is how to find the representative for the class of MECs. For this we prove the following results.

###### Lemma 7.

An MEC is an element of the class if and only if there exists an integer such that .

###### Proof.

Consider the MEC . Then for the equation is satisfied by . This implies that , and hence the required statement is true for the MEC . Let , where . Then there exists an isomorphism parameter between and such that . Hence, for each MEC there exists an integer such that .

To prove the converse, suppose on the contrary that there is an MEC with a point for some and . This implies that there does not exist an integer such that . Thus, for all . But it follows from that for some , which is a contradiction. Hence . ∎

###### Lemma 8.

For a prime , the representative of the class is a QNR integer in the field .

###### Proof.

Let . Suppose on the contrary that is a QR in the field , i.e., for some integer . It follows from the equation that . By Lemma 7, it holds that , which contradicts our assumption. So, is a QNR, and hence is a QNR. ∎

Euler’s Criterion is a well-known method to test if a non-zero element of the field is a QR or not. We state this test in Lemma 9.

###### Lemma 9.

[33, p. 1797] An element is a QR if and only if .
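The construction of Section III, as an added Python example that is not the paper's own Algorithm 1 or 2: it uses the cube-root lookup that Theorem 1 makes possible for p ≡ 2 (mod 3), the natural ordering of points (by x, then y), and the (m, n)-complete-set and Euler-criterion checks behind Lemmas 2 and 9. Because the page's symbols are lost, the ordering, the bound a ≤ n < p on the elements of A, and the reduction of the ordered elements modulo m are stated assumptions, as are the sample parameters p = 11 and p = 257.

```python
"""(m, n)-complete S-box over a Mordell elliptic curve (MEC), after Section III.

Added example, not the paper's code.  Assumptions (the page's own symbols
were lost): the MEC is y^2 = x^3 + b (mod p) with p = 2 (mod 3); points are
compared in the natural ordering (x first, then y); an (m, n)-complete set
is a set A of m integers in [0, n], n < p, with pairwise distinct residues
modulo m; S-box entry i is the i-th element of A in MEC order, reduced mod m.
"""


def cube_root(c, p):
    """Unique cube root of c modulo p for p = 2 (mod 3).

    3 is invertible modulo p - 1 with inverse d = (2p - 1)/3, so c^d is the
    only x with x^3 = c.  This is why Lemma 6 / Algorithm 2 can recover the
    x-coordinate of a point from its y-coordinate in constant time.
    """
    if p % 3 != 2:
        raise ValueError("Theorem 1 requires p = 2 (mod 3)")
    return pow(c % p, (2 * p - 1) // 3, p)


def point_with_y(y, b, p):
    """The unique point (x, y) of E_{p,b} with the given y-coordinate (Theorem 1)."""
    x = cube_root(y * y - b, p)
    assert (x * x * x + b - y * y) % p == 0   # sanity check: the point lies on the curve
    return (x, y)


def is_complete_set(A, m, n):
    """(m, n)-complete: m elements in [0, n] with pairwise distinct residues mod m."""
    A = list(A)
    if len(A) != m or any(a < 0 or a > n for a in A):
        return False
    return len({a % m for a in A}) == m


def natural_order(pt):
    """Natural ordering key (assumed): compare x-coordinates, then y-coordinates."""
    return (pt[0], pt[1])


def mec_sbox(p, b, A, m, n, order=natural_order):
    """(m, n)-complete S-box due to E_{p,b}, A and the given point ordering.

    A is sorted by the position on the ordered MEC of the point whose
    y-coordinate is a; entry i is that element reduced mod m.  Lemma 2:
    distinct residues mod m make the map a bijection on {0, ..., m-1}.
    """
    if n >= p or not is_complete_set(A, m, n):
        raise ValueError("A must be an (m, n)-complete set with n < p")
    ordered = sorted(A, key=lambda y: order(point_with_y(y, b, p)))
    return [y % m for y in ordered]


def is_bijective(sbox, m):
    return sorted(sbox) == list(range(m))


def is_qr(a, p):
    """Euler's criterion (Lemma 9): a is a QR iff a^((p-1)/2) = 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


if __name__ == "__main__":
    # Hand-checkable case: p = 11, b = 1, A = {1, 6, 8, 3} (residues 1, 2, 0, 3 mod 4).
    # Points: (0,1), (7,6), (2,8), (2,3); natural order gives y = 1, 3, 8, 6 -> [1, 3, 0, 2].
    print(mec_sbox(11, 1, [1, 6, 8, 3], 4, 10))
    # 8-bit case: p = 257 = 2 (mod 3); A = {0, ..., 255} is (256, 256)-complete.
    S = mec_sbox(257, 1, range(256), 256, 256)
    print("bijective 8-bit S-box:", is_bijective(S, 256))
    # Lemma 8 says the second class representative is a QNR; 3 is a QNR mod 257.
    print("3 is a QR mod 257:", is_qr(3, 257))
```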

## IV Security Analysis and Comparison

In this section, a detailed analysis of the proposed S-box is performed. Most cryptosystems use S-boxes and, therefore, we use the -complete S-box given in Table II, generated by the proposed method, for the experiments. The cryptographic properties of the proposed S-box are also compared with some of the well-known S-boxes developed over different mathematical structures.

### IV-A Linear Attacks

Linear attacks exploit linear relationships between input and output bits. A cryptographically strong S-box is one which can strongly resist linear attacks. The resistance of an S-box against linear attacks is evaluated by well-known tests including non-linearity [35], linear approximation probability [36] and algebraic complexity [37]. For a bijective S-box , the non-linearity NL and the linear approximation probability LAP can be computed by Eqs. (1) and (2), respectively, while its algebraic complexity AC is measured by the number of non-zero terms in its linearized algebraic expression [38].

$$\mathrm{NL}(S) = \min_{\alpha,\beta,\lambda} \left|\left\{x \in \mathbb{F}_2^n : \alpha \cdot S(x) \ne \beta \cdot x \oplus \lambda\right\}\right|, \qquad (1)$$
 (2)

where , ,  and “” represents the inner product over

An S-box is said to be highly resistant against linear attacks if it has NL close to , low LAP and AC close to .

The experimental results of NL, LAP and AC of the proposed S-box and some of the well-known S-boxes are given in Table III. Note that the proposed S-box has NL, LAP and AC close to the optimal values. The of is greater than that of the S-boxes in [39, 32, 6, 16, 21, 40, 19, 20, 41, 26, 43, 42, 44] and equal to that of [2]. The of is less than that of the S-boxes in [39, 32, 6, 16, 21, 40, 19, 20, 41, 43, 26, 42, 44], and the AC of attains the optimal value, which is . Thus the proposed method is capable of generating S-boxes with optimal resistance against linear attacks as compared to some of the existing well-known S-boxes.

### IV-B Differential Attack

In this attack, cryptanalysts try to approximate the original message by observing a particular difference in the output bits for a given difference in the input bits. The strength of an S-box can be measured by calculating its differential approximation probability DAP using Eq. (3).

 (3)

where   and “” denotes bit-wise addition over .

An S-box is highly secure against differential attack if its DAP is close to . In Table III, the of and other existing S-boxes is given. Note that the DAP of the proposed S-box is which is close to the optimal value . Furthermore, it is evident from Table III that the DAP of the proposed S-box is less than the S-boxes in [39, 32, 6, 16, 21, 40, 19, 20, 41, 43, 26, 42, 44], and hence the proposed S-box scheme can generate S-boxes with high resistance against differential attack.

### IV-C Analysis of Boolean Functions

It is necessary to analyze the Boolean functions of a given S-box to measure its confusion/diffusion creation capability. For an S-box, the strict avalanche criterion SAC and the bit independence criterion BIC are used to analyze its Boolean functions. The SAC and the BIC are computed by two matrices and , respectively, such that

$$m_{ij} = \frac{1}{2^n}\left(\sum_{x \in \mathbb{F}_2^n} w\bigl(S_i(x \oplus \alpha_j) \oplus S_i(x)\bigr)\right), \qquad (4)$$

and

$$b_{ij} = \frac{1}{2^n}\left(\sum_{\substack{x \in \mathbb{F}_2^n \\ 1 \le r \ne i \le n}} w\bigl(S_i(x \oplus \alpha_j) \oplus S_i(x) \oplus S_r(x + \alpha_j) \oplus S_r(x)\bigr)\right), \qquad (5)$$

where is the Hamming weight of , such that , and are the -th and -th Boolean functions of , respectively, and . An S-box satisfies the SAC and the BIC if each non-diagonal entry of and has a value close to . The maximum and minimum values of the SAC (resp., BIC) of the proposed S-box are and (resp., and ). Note that these values are close to , and hence the proposed S-box satisfies the SAC and the BIC. Similarly, the SAC and the BIC of some other S-boxes are listed in Table III and compared with the results of the proposed S-box. It is evident from Table III that the proposed S-box can create more confusion and diffusion than some of the listed S-boxes.
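The metrics of Sections IV-A to IV-C in working form, as an added Python example that is not the paper's own evaluation code: NL of Eq. (1), DAP of Eq. (3) and the SAC matrix of Eq. (4) for an n-bit S-box given as a lookup table. Eq. (2) is not legible on the page, so LAP is computed under the assumed Matsui-style definition stated in the code; NL and LAP go through the Walsh spectrum, which yields the same extreme counts as Eq. (1) but 2^n times faster. The identity map and the public 4-bit S-box of the PRESENT cipher serve as test vectors.

```python
"""S-box strength metrics of Section IV for an n-bit S-box (a list of 2^n values):
NL (Eq. 1), LAP, DAP (Eq. 3) and the SAC matrix (Eq. 4).  Added example, not the
paper's code.  LAP is assumed to be the Matsui-style quantity
    max_{alpha != 0, beta != 0} | #{x : beta.x = alpha.S(x)} / 2^n - 1/2 |
since Eq. (2) is not legible on the page.
"""


def dot(a, b):
    """Inner product over F_2^n: parity of the bitwise AND."""
    return bin(a & b).count("1") & 1


def walsh(f, n):
    """Walsh spectrum W(beta) = sum_x (-1)^(f(x) xor beta.x) of a Boolean function
    f given as a list of 2^n values in {0, 1}; in-place fast Walsh-Hadamard transform."""
    w = [1 - 2 * v for v in f]                        # 0 -> +1, 1 -> -1
    h = 1
    while h < (1 << n):
        for i in range(0, 1 << n, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def component_spectra(S, n):
    """Walsh spectra of every non-trivial component alpha.S(x), alpha != 0."""
    N = 1 << n
    return [walsh([dot(alpha, S[x]) for x in range(N)], n) for alpha in range(1, N)]


def nonlinearity(S, n):
    """NL(S) of Eq. (1).  #{x : alpha.S(x) != beta.x xor lambda} equals
    2^(n-1) -/+ W(beta)/2, so the minimum over alpha, beta, lambda is 2^(n-1) - max|W|/2."""
    lin = max(abs(c) for w in component_spectra(S, n) for c in w)
    return (1 << (n - 1)) - lin // 2


def lap(S, n):
    """Linear approximation probability under the assumed definition (see module docstring)."""
    N = 1 << n
    worst = max(abs(w[beta]) for w in component_spectra(S, n) for beta in range(1, N))
    return worst / (2 * N)          # #{beta.x = alpha.S(x)}/N - 1/2 = W(beta)/(2N)


def dap(S, n):
    """DAP of Eq. (3): max over dx != 0 and dy of #{x : S(x) xor S(x xor dx) = dy} / 2^n."""
    N = 1 << n
    worst = 0
    for dx in range(1, N):
        counts = [0] * N
        for x in range(N):
            counts[S[x] ^ S[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst / N


def sac_matrix(S, n):
    """m_ij of Eq. (4): fraction of inputs for which flipping input bit j (alpha_j = e_j)
    flips output bit i, i.e. the Boolean function S_i; the ideal value is 1/2 everywhere."""
    N = 1 << n
    return [[sum(((S[x ^ (1 << j)] ^ S[x]) >> i) & 1 for x in range(N)) / N
             for j in range(n)] for i in range(n)]


# Test vectors: the identity map (no confusion at all) and the public 4-bit S-box of
# the PRESENT block cipher, used here only as a known-good reference.
IDENTITY4 = list(range(16))
PRESENT4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    for name, S in (("identity", IDENTITY4), ("PRESENT", PRESENT4)):
        print(name, "NL =", nonlinearity(S, 4), "LAP =", lap(S, 4),
              "DAP =", dap(S, 4), "SAC row 0 =", sac_matrix(S, 4)[0])
```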

### IV-D Distinct S-boxes

An S-box generator is useful to resist cryptanalysis if it can generate a large number of distinct S-boxes [16]. For the parameters and , the number of -complete S-boxes Num is . The computational results show that all of these -complete S-boxes are distinct. However, this is not the case in general.

An -complete S-box is said to be a natural -complete S-box if . For a prime and ordering , let denote the largest integer such that and there exist at least two ordered MECs and due to which the natural -complete S-boxes are identical, i.e., for any fixed the number of natural -complete S-boxes due to all ordered MECs with prime , ordering and is equal to . A plot of primes and the integers is given in Fig. 1, where the underlying ordering is the natural ordering . For the orderings and , such plots are similar to that of . It is evident from Fig. 1 that with the increase in the value of the prime there is no significant increase in the value of , and the largest value of for these primes is . Hence, for each of these primes, each and , we can get distinct natural -complete S-boxes with .

###### Lemma 10.

Let be a fixed total order on all MECs in such that for each MEC it holds that the points , where is the additive inverse of in , have indices from the set in the sequence representation of the MEC. Then for a fixed integer , the number of distinct natural -complete S-boxes generated by all MECs in is at least

 (6)

###### Proof.

Let be an MEC in , where . Then by Lemma 7, for some . Further, the fact that if then , where is the additive inverse of in the field , implies that . Moreover, by a group theoretic argument exactly one of the integers and belongs to the interval . Hence, for a fixed and the natural -complete S-box it holds that if have indices from the set in the sequence representation of . Note that a point cannot appear on two different MECs and , otherwise this implies that . Thus, for any two MECs in satisfying the conditions given in the lemma it holds that the natural -complete S-boxes and have different images at a fixed input . This implies the required result. ∎

For three different primes distinct S-boxes are generated by the proposed method, and compared with the existing schemes over ECs as shown in Table IV. It is evident that the proposed S-box generator performs better than other schemes.

The number stands for an integer greater than .

### IV-E Fixed Point Test

An S-box construction scheme is cryptographically good if the average number of fixed points in the constructed S-boxes is as small as possible [16]. The average number of fixed points of the above generated S-boxes is shown in Table V. The experimental results indicate that the proposed S-box generator generates S-boxes with a very small number of fixed points. Furthermore, the average number of fixed points in the proposed S-boxes is comparable with that of the existing schemes over ECs.

### IV-F Correlation Test

The correlation test is used to analyze the relationship among the S-boxes generated by any scheme. A robust scheme generates S-boxes with low correlation [16]. The proposed method is evaluated by determining the correlation coefficients (CCs) of the designed S-boxes. The lower and upper bounds for their CCs are listed in Table VI, which reveal that the proposed scheme is capable of constructing S-boxes with very low correlation as compared to the other schemes over ECs.

### IV-G Time and Space Complexity

For a good S-box generator it is necessary to have low time and space complexity [16]. The time and space complexity of the newly proposed method are compared with some of the existing methods in Table VII. It follows that for a fixed prime the proposed method can generate an S-box with lower time and space complexity than the other listed schemes. This fact makes the proposed S-box generator more efficient and practical.

## V The Proposed Random Numbers Generation Scheme

For an ordered MEC , a subset , an integer and a non-negative integer , we define a sequence of pseudo random numbers (SPRNs) to be a sequence of length whose -th term is defined as , where is the -th element of the ordered set in its sequence representation.

One of the differences between the definition of an -complete S-box and the proposed SPRNs is that an -complete set is required as input for the S-box generation, since an S-box of length is a permutation on the set . Furthermore, Algorithms 1 and 2 can be used for the generation of the proposed SPRNs; however, we propose another algorithm which is more efficient than Algorithm 2 for this purpose. This new algorithm is also based on Observation 5, but there is no constraint on to be an -complete set, and hence we can generate all proposed SPRNs for a given prime by using , where .