A secure key dependent dynamic substitution method for symmetric cryptosystems

Existing substitution methods

To upgrade the static S-box structure of AES with dynamic properties, several efforts have been made in earlier years. In 2013, Das et al. proposed a key dependent S-box method (Das, Zaman & Ghosh, 2013) with constant and additive natured irreducible polynomials for generating of different S-boxes. In Kazlauskas, Vaicekauskas & Smaliukas (2015), designed S-boxes by performing different operations on round key. Initially, static S-box of AES was used in 1^st round to generate various S-boxes which retain the resistance against differential and linear cryptanalysis. However, the generated S-boxes were not only based on static S-box of AES but the avalanche properties of these generated s-boxes were also not optimum. The 1^st byte of round key (generated through key scheduling) with static s-box of AES was used in Nejad, Sabah & Jam (2014) to construct AES based key dependent substitution function, which was lacked in several aspects such as execution time, dynamic properties and resistance against modern attacks.

The two parameters (GNU-C and ISO-C) were used to generate S-box for symmetric cryptosystems in which instead of inverse S-box, a new transformation (shift row transformation) was introduced (Fahmy et al., 2005). The list of 30 irreducible polynomials with affine values ranging from 0 to 255 were used by Agarwal, Singh & Kilicman (2018) to generate 256 key dependent S-boxes. But the generated s-boxes were not effective in security as the both strict avalanche and bit independence criteria of S-boxes were not evaluated. In Sahoo, Kole & Rahaman (2012), utlized affine transformation to create static S-boxes. Time complexity was reduced by using affine values differently without the considerations of security parameters. Whereas, security may not compromised in cryptography. A round-key dependent S-box method was proposed in Partheeban & Kavitha (2018) which contains high non-linearity but this scheme is also based on static S-box of AES to generate new S-boxes. Similarly, the multi-operation S-box construction strategy as used in Desai & Nadaf (2012) and Anees & Chen (2019) is also dependent on the static S-box of AES. In Abd-ElGhafar et al. (2009), suggested the use of stream cipher (i.e. RC4) to generate key dependent S-box. Affine transformation was implemented using RC4 to generate final RC4 based S-box. The RC4 based S-box was used for performing substitution instead of static S-box by considering two keys (one for encryption and other for generating of S-box).

In Waqas et al. (2015), altered the affine matrix for creation of 46 S-boxes. From a list of 255 affine matrices, 190 matrices were invertible. These invertible affine matrices were used for S-boxes generation which were also static in nature. In Singh & Singh (2019), Harpreet and Paramvir created key-dependent S-box and also proposed a new key scheduling algorithm by performing different operations (e. XOR, left rotation, nibble swap and SHA256) on 128 bits of key. Their strategy to create dependency between key and S-box was also static. The dynamic S-boxes construction approach (Manjula & Mohan, 2017), in which the static S-box was just left rotated according to the resultant values of 16 bytes of round key after performing exclusive-OR operation. The pseudo random numbers were used in Maram & Gnanasekar (2016), Alabaichi & Salih (2015) and Maram & Gnanasekar (2018) to generate dynamic S-box values, however, these approaches were not effective in creating dynamicity, strict avalanche properties etc. as compare to the proposed S-box scheme. Moreover, the key dependent S-box solutions as discussed in Juremi et al. (2012) and Wenceslao (2015) were also lacked in computational efficiency, dynamicity, avalanche criteria.

The in-depth literature analysis reveals that some S-box methods only focus on improving computational efficiency but these are deficient in dynamicity and randomness (Wenceslao, 2015; Sahoo, Kole & Rahaman, 2012). Moreover few methods have not been tested well (Hosseinkhani & Haj Seyyed Javadi, 2012; Agarwal, Singh & Kilicman, 2018; Biham & Shamir, 1991; Cusick & Stanica, 2017) and all these are not seems to be effective in achieving of optimal dynamicity and avalanche properties in contrast with proposed S-box scheme. Most of existing S-box schemes are static in nature thereby, these are not effective in generating of dynamic S-boxes. Therefore, there is need to design a dynamic S-box solution to improve strict avalanche criteria with optimal dynamicity, randomness and other common cryptographic properties.

Structure and properties of AES based S-box

The S-box transformation or byte substitution is a non-linear operation which is performed independently on each byte. Therefore, the AES based S-box is invertible and can be constructed by composing two transformations (Gangadari & Ahamed, 2015).

By taking multiplicative inverse in GF(2⁸), where(x′)⁻¹ as:

$x={\left(x^{\mathrm{\prime }}\right)}^{-1}=\{\begin{array}{c}{\left(x^{\mathrm{\prime }}\right)}^{-1}{x}^{\mathrm{\prime }}\ne 0\\ 0x^{\mathrm{\prime }}=0\end{array}$

By applying of affine transformation over GF(2) as:

$\left[\begin{array}{c}{S}_7\\ S_6\\ S_5\\ S_4\\ S_3\\ S_2\\ S_1\\ S_0\end{array}\right]=\left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 0& 0& 0\\ 0& 1& 1& 1& 1& 1& 0& 0\\ 0& 0& 1& 1& 1& 1& 1& 0\\ 0& 0& 0& 1& 1& 1& 1& 1\\ 1& 0& 0& 0& 1& 1& 1& 1\\ 1& 1& 0& 0& 0& 1& 1& 1\\ 1& 1& 1& 0& 0& 0& 1& 1\\ 1& 1& 1& 1& 0& 0& 0& 1\end{array}\right]\left[\begin{array}{c}{C}_7\\ C_6\\ C_5\\ C_4\\ C_3\\ C_2\\ C_1\\ C_0\end{array}\right]\oplus \left[\begin{array}{c}0\\ 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\end{array}\right]$and

$b\left(x\right)=a\left(x\right)\left(x^4+x^3+x^2+x+1\right)+\left(x^6+x^5+x+1\right)mod\left(x^8+1\right)$

Where, a(x) and b(x) are algebraic expression. The design of AES based S-box is algebraic in nature having algebraic properties due to which algebraic attacks are most probably applicable.

Thus, algebraically, it is practically insignificant to construct a fully secure S-box due to bi-jective properties such as:

(X ⊕ Y = Y ⊕ X)

An S-box having order (m x n) is a mapping function $C=f\left(X\right)$, where $f:{\left\{0,1\right\}}^m\to {\left\{0,1\right\}}^n$, which is used to map m-bits input string X to n-bits output string C. it is lie under Boolean function and may be transformed to least sum (XOR⊕) of the products (AND •) as represented in Eq. (1). Therefore Boolean mapping: {0,1}^m → {0,1} set up an expression using Ӈ:∑^m→ {0,1}taking binary sequence Ӈ(Ƶ0), Ӈ (Ƶ1),………, Ӈ (Ƶ2ⁿ⁻¹) as lookup table of Ӈ. Some arrangement of Boolean expression: (−1) ^Ӈ(Ƶ1), (−1) ^{Ӈ (Ƶ2)},………….., (−1) ^{Ӈ (Ƶ2n−1)} is a subset of Ӈ. In case of ratio ½ of (0, 1) binary digits, the Boolean function provides a balanced transformation. However it can further be represented as

(1) $$\begin{array}{cc}Ӈ(\beta \mathrm{1\dots },\beta \mathrm{n})=& Ƶ0\oplus Ƶ1·\beta 1\oplus ···\oplus Ƶn·\beta n\oplus Ƶ1,2.\beta 1·\beta 2\oplus ······\oplus Ƶn-1,\\ & n·\beta n-1·\beta n\oplus ···\oplus Ƶ1,2...,n\beta 1·\beta 2...\beta n.\end{array}$$

The vector denoted with βn is the member of GF: $S{‘}_{box}$ = M • ${S_{box}}^{-1}$+ C and retains linear (one-to-one) relationship between βn and {0, 2ⁿ – 1}.

There are two different Boolean functions, denoted with (A and B ), where ᵴ ∈ A and ƫ ∈ B. The affine function’s set (F) and distance (D) will have non-linearity ( $\mathbb{N}$) as: $\mathbb{N}$ = $\mathrm{M}\mathrm{i}{\mathrm{n}}_{\mathrm{B}\in F_{ᵴ}}.$ Here F is set of affine functions upon £^ᵴ and ɭ_j is the linear function of X.

(2) $$\mathrm{D}\left(A,B\right)=2^{n-1}-{\displaystyle \frac{1}{2},}$$

(3) $$\mathbb{N}=2^n-{\displaystyle \frac{1}{2}Ma{x}_{j=0,1,\dots \dots ,2^{n-1}}\left\{\left|,{ɭ}_j\right|\right\}}$$

let A is a function over X_n and U,N ∈ X_n, the A satisfies the propagation properties of t(Ҫ_t). where if propagation properties are: ∀ U ∈ X_n :1≤ W(U) ≤ t, then the standards Ҫ₁ fulfills strict avalanche criteria(SAC) (Shoukat et al., 2020b). Let W(.) shows the hamming weight of vector, whose element is 1. The W(.) of A, B can be calculated as: $\mathrm{D}\left(A,B\right)={\sum }_{\mathrm{\forall }n:A\left(n\right)!=B\left(ƫ\right)}$ and the scalar product $U,N={\oplus }_{j=0}^{n-1}{U}_i,N_i$ bearing correlation immunity over U,N ∈ X_n only if A is balanced. The A consists of correlation immunity order t’(K1_t) over ∀ U ∈ X_n :1≤ W(U) ≤ t.

The p × q S-box (S) is treated as regular if ∀ N∈ X_q: | $S_{}^{-1}$(N)|= $2^{p-q}$ and p × p natured S is regular at bijective characteristic from (X_p → X_p ). EX-OR Table in contrast to S with dimensions (2^p × 2^q) of matrix with many elements:

$\mathrm{\forall }U\in$ $X_v$, $\mathrm{\forall }N\in$ $X_q$ : $D_{UN}$ = $\left|\left\{w\in X_v|S\left(w\right)\oplus S\left(w+U\right)=N\right\}\right|$Then assume that in EX-OR table if α is biggest number with non-zero γ in first row of the table then the both 2^p values present in the left side at the top of the table will be abandoned and differential attacking strength (Φ) of S will be as:

(4) $$\mathrm{\Phi }\left(S\right)=\left(1-{\displaystyle \frac{\gamma }{2^p}}\right)\left(1-{\displaystyle \frac{\alpha }{2^p}}\right)$$

Highest value of Φ(S) is good to resist against differential attacks.

Ideally, a good S-Box has to satisfy cryptographic properties, which include strict avalanche criteria, correlation coefficient and nonlinearity. If any S-Box satisfies these properties then it is considered as cryptographically secure (Gangadari & Ahamed, 2015).Therefore by making S-boxes dynamic and dependent on secret key these properties should necessarily be satisfied.

Operations used in proposed method

The proposed substitution method comprises of some simple but cryptographically significant mathematical operations or functions. The proposed method is not alike AES based S-box or its other variants because it does not utilize affine polynomials for generating of S-box values. In the proposed substitution method, S-boxes are created dynamically from 128-bits of the secret key by performing some simple operations such as circular shift followed by XOR and nibble swap.

In mathematics, “a circular shift is the operation of rearranging the numbers in a tuple” (Oshiba, 1972). A circular shift is an exceptional type of cyclic permutation (Gove, 1963). Formally, a permutation σ is a circular shift of n entries in each tuple such that:

(5) $$\sigma \left(i\right)\equiv \left(i+1\right)modulon,forallentriesi=1,\dots ,n$$

Exclusive OR is a logical operation that returns a true value as an output if and only if when both inputs are different i.e. one is true and other is false. Its symbol is as follows:

(6) $$AXORBiswrittenasA\oplus B$$

In nibble swap, the term nibble originally means “half a byte” or “half an octet”. The terms 'byte' and 'nibble' almost always refers to either 8-bits or 4-bits respectively. In nibble swap operation, a byte is separated form middle, into the two nibbles and then both nibbles change their position with each other. Dynamic S-boxes are created by using proposed method which is entirely different from static S-box of AES, as, it is constructed through mathematical operations to avoid algebraic attacks. The mathematical structure of the proposed method including these operations has been discussed in “Mathematical structure and step by step procedure”.

Mathematical structure and step by step procedure

This section illustrates mathematical structure of proposed method with their working flow to generate dynamic S-box values. The step by step working of proposed method is presented in Fig. 1.

All the steps are performed to generate S-box; however, the procedure of generating of inverse S-box includes several steps such as:

• In 1^st step: 16 characters of 128 bits input encryption key (K) are converted into binary form. Then after counting 1s from 128-bits binary sequence, the left circular shift operation is applied on binary key according to the total number of ones. The circular shift permutation, has denoted with symbol “<<K₁₂₈”. This permutation is dynamic which creates resistance against different attacks.

• In 2^nd step: 128-bits key is partitioned into left and right halves each having binary length of 64 bits. Both halves are denoted as LK₆₄, RK₆₄ and XOR operation is applied on two halves of key. After performing XOR operation, the resultant 64-bits are stored at right side, however the previous right-half with 64-bits are swapped to left side to be considered as new left-half with 64 bits. ${\left(RK\right)}^{{}^{\prime }}=L{K}_{64}\oplus R{K}_{64}$ ${\left(LK\right)}^{{}^{\prime }}=R{K}_{64}$

• In 3^rd step: right side 64-bits are converted into 8-bytes in hexadecimal form as: $hex{\left(RK\right)}^{{}^{\prime }}=k_1{k}_2{k}_3{k}_4{k}_5{k}_6{k}_7{k}_8$. Where $k_1{k}_2{k}_3{k}_4{k}_5{k}_6{k}_7{k}_8=x_1{y}_1{x}_2{y}_2{x}_3{y}_3{x}_4{y}_4{x}_5{y}_5{x}_6{y}_6{x}_7{y}_7{x}_8{y}_8$ After that, nibble swap is performed on each byte of right-half that is given as: $x_1{y}_1{x}_2{y}_2{x}_3{y}_3{x}_4{y}_4{x}_5{y}_5{x}_6{y}_6{x}_7{y}_7{x}_8{y}_8=y_1{x}_1{y}_2{x}_2{y}_3{x}_3{y}_4{x}_4{y}_5{x}_5{y}_6{x}_6{y}_7{x}_7{y}_8{x}_8$ Nibble swap helps to break patterns to create non-linear values of S-box. All the 8-bytes of right-half are stored in an array followed by a loop for placing these bytes into the S-box as: $y_1{x}_1{y}_2{x}_2{y}_3{x}_3{y}_4{x}_4{y}_5{x}_5{y}_6{x}_6{y}_7{x}_7{y}_8{x}_8=S_1{S}_2{S}_3{S}_4{S}_5{S}_6{S}_7{S}_8$. After that, a conditional statement is used to ensure the uniqueness of S-box values to avoid any duplication.

• In step 4: after storing hex values of right-half in S-box, the right half is reconverted into binary (64-bits) as: ${\left(RK\right)}_{64}\leftarrow y_1{x}_1{y}_2{x}_2{y}_3{x}_3{y}_4{x}_4{y}_5{x}_5{y}_6{x}_6{y}_7{x}_7{y}_8{x}_8$. After that, both left and right halves rejoin here to make 128-bits binary sequence, and then control moves back to the step-1as: $K_{128}=(RK{)}_{64}+{\left(LK\right)}_{64}$. After that, all the operations are performed in previous order until the unique 256 values in hex form are stored in S-box. All the steps are controlled by the conditional statements under conditional loop which continue to run until the generation of dynamic S-box with 256 unique values.

• In step 5: a new loop is used to generate inverse S-box. For this purpose, indexes and values of generated S-box are swapped with each other to create inverse S-box.

As an example Tables 1 and 2 demonstrate the dynamic S-box and inverse S-box, which are created by applying the proposed substitution method on a key given in example 1.

Example 1: key value (in hex): 7468617473206D79206B756E67206675

Moreover, S-box and inverse S-box generation algorithm is given in Table 3. Only one example of S-box and inverse S-box is given in this research paper. While the proposed method is capable of generating unlimited S-boxes and their inverse S-boxes as well, because proposed method is key dependent and a single bit change in key significantly results an entirely different S-box with unique values.

Nonlinearity

Any good S-box should not have linear mapping from an input to an output because linear mapping weakens the cipher. Non-linearity with higher esteem makes the cipher more resistant to linear cryptanalysis (Zahid, Arshad & Ahmad, 2019; Partheeban & Kavitha, 2018). Non-linearity of S-boxes can be calculated as (Biham & Shamir, 1991; Cusick & Stanica, 2017):

(7) $$NL=2^{n-1}-{\displaystyle \frac{1}{2}\left(\underset{q\in {\left\{0,1\right\}}^n}{max}\left|W_f\left(q\right)\right|\right)}$$

Here, W_f (q) is Walsh-Hadamard spectrum and is measured as:

(8) $$W_f\left(q\right)=\sum _{pϵ{\left\{0,1\right\}}^n}{\left(-1\right)}^{f\left(p\right)\oplus p.q}$$

However, the q $ϵ${0,1}ⁿ. To validate non-linearity of proposed S-box method, several S-boxes were generated and their non-linearity was calculated. The non-linearity of proposed S-box method has been summarized in Table 4 in comparison with earlier dynamic natured S-box methods. The non-linearity values of proposed method (Min: 102, Max: 111 and Avg: 106.5) are significantly better than the non-linearity values of previous S-box methods (Kazlauskas, Smaliukas & Vaicekauskas, 2016; Hussain Alkhaldi, Hussain & Gondal, 2015; Hussain et al., 2011a; Hussain et al., 2011c). Thus, non-linearity is a good indicator for any s-box to resist linear attacks.

Linear approximation probability

Actually, the linear approximation probability was introduced in 1993 to break 8-rounds of DES (Matsui, 1994).The maximum value of imbalance of an event has been denoted with LP in which the parity of input bits selected by the mask A_u is equal to the parity of output bits selected by mask B_v as shown in Eq. (9).

(9) $$LP=\underset{A_{u,}{B}_v\ne 0}{max}\left|{\displaystyle \frac{\mathrm{\#}\left\{u\in U|u.A_u=S\left(u\right).B_v\right\}}{2^n}-{\displaystyle \frac{1}{2}}}\right|$$

In Eq. (9), U represents the set of all possible inputs, A_u is input mask, B_v is output mask and 2ⁿ is the number of elements with n = 8 (i.e. 2⁸ = 256). Different S-boxes were generated through proposed S-box method and their LP value was calculated by using formula as represented in Eq. (9). The LP results (Table 5) show that the maximum LP value of proposed substitution method is 0.109, which is better than maximum LP values of earlier S-box methods (Khan et al., 2012; Hussain et al., 2011b; Hussain et al., 2011a). Comparison shows that proposed substitution method retains significant linear approximation probability (LP) to resist linear attacks.

Differential approximation probability

In Biham & Shamir (1991) differential cryptanalysis of S-boxes was demonstrated by Biham and Shimar (Belazi, Rhouma & Belghith, 2015). The differential uniformity (Farwa et al., 2017) of any S-box can be measured through Eq. (10). According to it, an input differential ∆u_i should uniquely be mapped to an output differential ∆v_i, to ensure uniform mapping.

(10) $$DP\left(\mathrm{\Delta }u\to \mathrm{\Delta }\mathrm{v}\right)=max\left[{\displaystyle \frac{\mathrm{\#}\left\{u\in U|S\left(u\right)\oplus S\left(u\oplus \mathrm{\Delta }u\right)=\mathrm{\Delta }v\right\}}{2^n}}\right]$$

Here U is the set of all possible input values, ∆u represents input differentials, ∆v shows the output differentials and 2ⁿ represents the number of elements with n = 8 i.e. 2ⁿ = 256. All the differential approximation values of proposed substitution method have been summarized in Table 6. From Table 6, it is clear that the maximum value is 10 which appears only for nine times in Table 6 and when the value 10 is divided by 256, the differential probability (DP) value becomes 0.03906. The comparison of DP value of proposed method with DP value of other S-boxes has been represented in Table 7. The overall analysis shows that the maximum DP value of proposed method is better than maximum DP values of earlier S-box methods (Hussain et al., 2011b; Jakimoski, 2001; Wang et al., 2009; Özkaynak & Yavuz, 2013) as shown in Table 7. Thus, the proposed substitution method is strong enough to resist differential attacks.

Avalanche effect

Avalanche effect is an important measure for cryptographic algorithms. For any cryptographic algorithm, the avalanche effect needs to be satisfied in such a way, changing of one binary bit in an input should result significant change in an output binary sequence generated by the cryptographic algorithm. In Eq. (11), the standard formula for measuring avalanche effect has been represented.

(11) $$AE={\displaystyle \frac{Bitsflippedinciphertext}{TotalbitsofCiphertext}\times 100}$$

The avalanche effect of proposed method has been tested several times through Eq. (11) and as result, the proposed method has shown average avalanche effect with 62.32% as depicted in Fig. 2. The earlier methods Maram & Gnanasekar (2016), Dara & Manochehri (2014), Dara & Manochehri (2013) and Kazlauskas & Kazlauskas (2009) retain 60% avalanche effect which is several time reduced than the avalanche effect (62.32%) of proposed method. When any cryptographic algorithm shows higher avalanche effect, it means the inside utilized mathematical functions and logic of that algorithm is cryptographically strong. According to Abd-ElGhafar et al. (2009) and Maram & Gnanasekar (2018), it is declared that, any cryptographic algorithm will be considered as secure against attacks as much as it will retain avalanche effect. Thus, the avalanche effect of proposed method is higher than others.

Strict avalanche criteria

The generated cipher fulfills strict avalanche criteria (SAC), if the output changes with probability of ½ by alteration of 1-bit in an input binary sequence of any cryptographic algorithm (Peng & Jin, 2013). For calculation of SAC, 10,000 samples of plaintext were encrypted by using dynamic S-boxes produced by proposed substitution method. Results show that the proposed method clearly satisfies strict avalanche criteria. The dependence matrix for the SAC of proposed method is calculated as represented in Table 8. A comparison of minimum, maximum and average SAC values of the proposed substitution method with the SAC values of existing S-boxes have been summarized in Table 9. Thus, the proposed method also satisfies strict avalanche criteria significantly in comparison with others.

Correlation coefficient

It is considered as the significant aspect for the block ciphers security (Alabaichi & Salih, 2015). Correlation coefficient deals with dependency between input and output bits (Salih, Alabaichi & Tuama, 2020). It is a good source to know that how the two variables can effect each other. Correlation coefficient is also used to scale the degree of dependency of two individual variables on each other. Confusion effect can also be determined by the use of correlation coefficient over the block ciphers. The correlation coefficient value lies between (−1) and (1). The value (−1) shows that there is a decreasing linear relationship where the value (1) shows an increasing linear relationship. In case the value is “0”, then it means that both variables are independent (Mahmoud et al., 2013).

Equations (12)–(14) show the standard formula for correlation coefficient (r) of the data pairs (X_i, Y_i).

(12) $$r_{x,y}={\displaystyle \frac{cov\left(X,Y\right)}{{\delta }_x{\delta }_y}}$$

Here,

(13) $$cov\left(X,Y\right)={\displaystyle \frac{1}{\left(n-1\right)}\sum _{i=1}^n\left(X_i-{\mu }_x\right)\left(Y_i-{\mu }_y\right)}$$

And

(14) $${\delta }_x{\delta }_y=\sqrt{{\displaystyle \frac{{\sum }_{i=1}^n{\left(X_i-{\mu }_x\right)}^2{\sum }_{i=1}^n{\left(Y_i-{\mu }_y\right)}^2}{{\left(n-1\right)}^2}}}$$

In Eq. (14), the X_i represents the values of the plaintext, Y_i represents the corresponding values of the cipher text and (μ_x, μ_y) are their mean values respectively. The correlation coefficient of 100 different sequences related to proposed method was calculated through standard correlation coefficient formula and resultant values have been depicted in Fig. 3. Average correlation coefficient (0.025) of the proposed method is close to zero which clearly invokes that both plaintext and the cipher-text are independent of each other without having linear relationship.

Bit independence criterion

A function (f) justifies bit-independence criterion (BIC) for input (x) and output (y, z), in such a way, if the input bit (x) is inverted then the output bits (y, z) should change independently (Webster & Tavares, 1986). Correlation must be calculated to measure the relationship between avalanche variable sets (Çavuşoğlu et al., 2017). The non-linearity based bit-independence-criterion (BIC-NL) of the proposed S-box method lies among this range (Min: 98, Max: 108, Average: 103.392) as summarized in Table 10. Moreover, the comparison of BIC-NL results of proposed method with existing S-box methods has been shown in Table 11. Thus, the BIC-NL based results show that the proposed S-box method significantly justifies non-linearity based bit-independence-criterion (BIC-NL).

Hamming distance

It is a way of measuring dissimilarity between two equal strings by counting the all positions at which corresponding digits or characters of given strings are different. The different input sample texts as available in Maram & Gnanasekar (2018) have been used to measure the hamming distance of proposed method. Hamming distance values of the proposed method have been compared with the values of AES based static S-box including the previously published S-box method as discussed in Maram & Gnanasekar (2018). All the hamming distance related results of proposed method with existing S-box methods have been summarized in Table 12. The overall hamming distance analysis shows that the proposed method has higher values of hamming distances in comparison with others. Higher hamming distance is a good trait for any cryptographic method to generate cryptographically strengthened cipher-text.

Balanced output

It means the cipher-text generated by any cryptographic method should have equal probability of both 0’s and 1’s. The balanced output test was performed on different ciphers, which were generated through proposed method. The balanced output results have been shown in Table 13, which clearly show that the cipher generated by the proposed method holds 0’s and 1’s with almost equal probability. A cipher having balanced output is considered to be a stronger cipher than others in resisting of linear attacks (Maram & Gnanasekar, 2016).

Difference percentage

This is a very important factor to analyze the strength of the S-boxes. This test analyzes that how many values are rearranged at a different position from previously generated S-box, when only a single bit of the key is altered. Another important property of this test is that it increases the avalanche effect to enhance its security. For apply this test, 1,000 S-boxes were generated by using 1,000 different keys and then again 1,000 more s-boxes were generated by changing 1-bit of each key out of 1,000 different keys. Thus all newly generated S-boxes were compared with previous S-boxes. It was found that the proposed method is capable of generating new S-box completely with unique values by changing just single bit of input key. As an example the S-box generated by the proposed method with this encryption key: 7468617473206D79206B756E67206675 is shown in Table 1. However, after changing only 1-bit in given encryption key, the proposed method generates totally different and unique S-box as represented in Table 14. Thus, the comparison of Table 1 and Table 14 shows that, the proposed method completely fulfills the criteria of difference percentage in generating of new S-box with different values even after changing of 1-bit in an encryption key.

NIST statistical tests

National Institute of Standard and Technology (NIST) recommends Statistical Testing Suit (STS) with several standard tests to verify the randomness and statistical properties of the cipher-text generated through a newly developed cryptosystem. All those standard tests which are based on verifying the probability (p) of occurring 0 and 1 in any given binary sequence require that p-value should remain in between (0.01–1.00). While performing any NIST standard test, once the p-values lie from 0.01 to 1.00 then it means the test is successful to fulfill the required level of randomness as set by the NIST. In case, if the cipher-text generated through any cryptosystem fails to fulfill the criteria of p-values ( $0.01<p-value\le 1.00$) then it is considered as un-successful (fail). Therefore, the cipher-text generated by the proposed method has been tested with several statistical tests (“Frequency (Mono-bit) Test”, “Frequency Test within a Block”, “Runs test”, “Test for Longest-Run-of-Ones in a Block”, “Non-overlapping Template Matching Test” and “Overlapping Template Matching Test”) recommended by NIST to verify its randomness properties.

Side-channel attack

The S-boxes generated by proposed method are fully dynamic and cryptographically strong as it has been justified through several experimentations. The advantage of dynamic substitution over static s-box is that, the dynamic s-boxes can resist linear, differential as well as side channel attacks significantly as witnessed in Suana (2018). Static s-boxes help the cracker to launch side channel attacks (Kazlauskas & Kazlauskas, 2009) due to the leakage of information acquires from static natured secret parameters. Moreover, static substitution, allows an attacker to exploit the leakage and to extract the secret information e.g. key (Chen, Chen & Liao, 2007). As the proposed substitution method does not have any static S-box, instead the S-boxes are created dynamically at time of execution of the algorithm. So the secret and dynamic s-box values of proposed method is not known to cracker, which saves the proposed method from side channel attacks. Although AES and other known algorithms with static substitution are resistant to many attacks but still side channel attacks are possible with AES based static S-boxes as discussed in Sasdrich et al. (2015) and Carlet et al. (2020). Whereas in proposed substitution method every time S-box generates different and unique values according to different keys and attackers will not be able to guess the S-box values. The dynamic S-boxes generated by proposed substitution method are more resistant against attacks, as the dynamic values help to resist side-channel attacks (Sasdrich et al., 2015). Bits leakage side-channel attack scenario for static and dynamic substitutions are shown in Fig. 4, this scenario is presented in Carlet et al. (2020) also. Figure 4 clearly shows that dynamic values help to resist side-channel attacks.