A highly nonlinear substitution-box (S-box) design using action of modular group on a projective line over a finite field

Cryptography is commonly used to secure communication and data transmission over insecure networks through the use of cryptosystems. A cryptosystem is a set of cryptographic algorithms offering security facilities for maintaining more cover-ups. A substitution-box (S-box) is the lone component in a cryptosystem that gives rise to a nonlinear mapping between inputs and outputs, thus providing confusion in data. An S-box that possesses high nonlinearity and low linear and differential probability is considered cryptographically secure. In this study, a new technique is presented to construct cryptographically strong 8×8 S-boxes by applying an adjacency matrix on the Galois field GF(28). The adjacency matrix is obtained corresponding to the coset diagram for the action of modular group PSL(2,Z) on a projective line PL(F7) over a finite field F7. The strength of the proposed S-boxes is examined by common S-box tests, which validate their cryptographic strength. Moreover, we use the majority logic criterion to establish an image encryption application for the proposed S-boxes. The encryption results reveal the robustness and effectiveness of the proposed S-box design in image encryption applications.


Introduction
The significance of information security is expanding with time and the areas of communication and data transformation are becoming more and more complicated. It has now become very imperative to secure the transformation of essential data across insecure networks. The cryptographic algorithms provide the security and protection of the critical data and information getting transferred over insecure channels [1]. A block cipher is one of the most critical components of cryptography. Shannon [2] introduced the notion of modern cryptography in 1949. The block ciphers such as Data Encryption Standard (DES) [3] and Advanced well [37][38][39][40][41]. In [42], the authors proposed a novel method for image encryption in the Fresnelet domain. The proposed algorithm is dependent on the Fresnelet transform-based image decomposition along with an algebraic S-box. In [43], Shah et al. endorsed a standard norm to evaluate the fundamental types of S-boxes and analyze their competency for image encryption applications. Xiangjun et al. [44] presented a novel technique for color image encryption, which is based on coupled-map lattices (CML) and a fractional-order chaotic system. In this study, we proposed a novel and efficient technique for designing 8×8 S-boxes based on the action of modular group PSLð2; ZÞ on a projective line PL(F 7 ) over a finite field F 7 . For this purpose, we draw a coset diagram for the action of PSLð2; ZÞ on PL(F 7 ) and form its adjacency matrix [45]. Then, we apply the adjacency matrix on Galois field GF(2 8 ) elements using a set of different transformations to obtain bijective S-boxes. We inspect the cryptographic strength of the proposed S-boxes based on the NIST criteria using algebraic analyses such as nonlinearity, strict avalanche criterion, bit independent criterion, differential approximation probability, and linear approximation probability. Moreover, we utilized the proposed S-boxes for image encryption and perform statistical analyses on plain and encrypted images based on majority logic criterion [43,46].
The rest of the paper organization is as follows. Section 2 explains the proposed method for S-box construction. Section 3 provides a discussion and comparison of the cryptographic strength of the proposed S-boxes. Section 4 discusses the application of the proposed S-boxes in image encryption along with its results. Finally, Section 5 concludes the findings of this research paper.

Proposed method for S-box design
The proposed method for S-box construction is shown in Fig 1, which consists of four key steps. First, we perform an action of the modular group or projective special linear group PSLð2; ZÞ on a projective line PL(F 7 ) over a finite field F 7 to yield a permutation group G. After that, we draw a coset diagram for the permutation group G obtained corresponding to the action of PSLð2; ZÞ on PL(F 7 ). Then, we generate an adjacency matrix corresponding to the obtained coset diagram. Finally, we use this adjacency matrix and apply an affine transformation on the Galois field elements followed by the addition of an 8-bit number to generate the final S-box.
The following sections briefly explain the key steps involved in the proposed Sbox construction methodology.

Action of modular group PSLð2; ZÞ on projective line PL(F 7 )
The modular group PSLð2; ZÞ is a group comprises of all linear transformations ! azþb czþd , where a,b,c, and d are some integers satisfying the relation ad À bc ¼ 1: PSLð2; ZÞ is generated by linear fractional transformations x : z ! À 1 z and y : z ! zÀ 1 z , which satisfy the relations x 2 = y 3 = 1. Eq (1) gives the finite representation of the modular group PSLð2; ZÞ. A projective line over a Galois field F n adds an extra point 1 to F n and is represented by PL(F n ). Hence, a projective line PL(F 7 ) over a field F 7 contains eight points, which give rise to a coset diagram having eight vertices. Eq (2) defines a projective line PL(F 7 ) over a finite field F 7 .
PSLð2; ZÞ ¼< x; y : The action of PSLð2; ZÞ on PL(F 7 ) yields a permutation group G, which is generated by � x and � y given below.

Generation of coset diagram for permutation group G
After generating the permutation group G, we first draw a coset diagram using permutations � x and � y. A coset diagram is a graphical way of representing the permutation action of a finitelygenerated group [45]. Fig 2 shows the coset diagram obtained for the permutation group G. Since, � x and � y are of order 2 and 3 respectively, therefore, the generator � x is denoted by an edge and the generator � y is represented by a triangle. The vertices of the triangle are permuted counterclockwise and fixed points of � y are denoted by heavy dots in the coset diagram.

Adjacency matrix generation for coset diagram
Next, we generate an adjacency matrix M from the coset diagram for the action of the PSLð2; ZÞ on PL(F 7 ). The adjacency matrix for a directed graph G = (V,E), where V is the set of vertices and E is the set of edges, has a value 1 in its (i,j)th position if there exists an edge from v i to v j , where v 1 ,v 2 ,. . .,v n is an arbitrary listing of the vertices of the directed graph [47].
If we consider M = [m ij ] as the adjacency matrix for the directed graph, then m ij is defined as given below in Eq (3).
In the coset diagram shown in Fig 2, the vertices are labeled as 0,1,2,3,4,5,6, and 1. It can be seen from the figure that there exists an edge from 0 to 1, therefore in the adjacency matrix, the entry of the 1st row and 8 th column is taken as 1 and all the remaining entries are set equal to zero in the 1st row. Similarly, in the 2 nd row of the adjacency matrix, the 1 st and 7 th elements are 1 because there exists an edge from 1 to 0 and 1 to 6. All other entries are equal to zero in this row. In the same way, by filling up the remaining entries in the matrix, we form an adjacency matrix M as given below. we apply a transformation T on GF (2 8 ). In this aspect, we propose a set of transformations T k , which is applied on the Galois field GF(2 8 ) elements to generate multiple S-boxes, as shown in Eq (4).
where, t n represent the element of the Galois field GF(2 8 (4). Similarly, taking k = 7 provides us T 7 (t n ) = Mt n +t n+64(mod256) +t n+128 (mod 256). Table 1 shows the process of generating the S-box elements using transformation T 8 (i.e., for k = 8). Likewise, other transformations (i.e., T 1 to T 7 ) can be applied on the Galois field GF (2 8 ) elements to generate more S-boxes. T 7 (t n ) = Mt n +t n+64(mod256) +t n+128 (mod 256). Tables 2-9 present the proposed S-boxes generated as a result of applying transformations T 1 to T 8 on the Galois field GF(2 8 ) elements, respectively, using the proposed scheme.
The subscript d represents a number in decimal form, whereas the superscript t donates the transpose of a vector.

Performance analysis of proposed S-boxes
In this section, we validate the cryptographic strength of the proposed S-boxes (presented as S1-S8 in Tables 2-9, respectively) by commonly used parameters, which include: nonlinearity [48], bit independence criterion (BIC) [13,49], strict avalanche criterion (SAC) [49], linear and differential approximation probabilities [50]. The nonlinearity of an n-variable Boolean function represents the minimum distance of the reference function from the set of all n-variable affine functions. Mathematically, the relationship between the nonlinearity of an n-variable Boolean function and the Walsh Hadamard transform of that function is defined as N f ð Þ ¼ 2 nÀ 1 À 2 n 2 À 1 [48]. For GF(2 8 ), the optimal value of nonlinearity is 120. The BIC quantifies the independence between the avalanche variables. To test this criterion, the variables are compared pairwise to extract knowledge about the independence of these variables. The input bits are complemented individually, and the output vectors are analyzed for independence. The SAC depends upon the variation of the input outcomes and output bits. An S-box satisfies the SAC only if changing a single input bit yields a change in half of the output bits. An ideal S-box has the SAC value equal to one-half, i.e., 0.5 [49]. The linear approximation probability (LAP) identifies the probability of bias for a given S-box, whereas the differential approximation probability (DAP) measures the differential uniformity of an S-box [50]. The Table 1. Generation of the proposed S-box elements based on a transformation T 8 .
. . mathematical description of the LAP and DAP are given in Eqs (5) and (6) respectively.

Application of proposed S-box in image encryption
As an application of the proposed S-boxes, we perform image encryption using proposed Sboxes and assess their strength and robustness in image encryption based on the majority logic criterion (MLC) [43,46]. We take a standard 8-bit Baboon image of size 512 × 512 as a plain gray-level image and encrypt this image independently using AES S-box and the proposed Sboxes (i.e., S2, S5, and S7). For this purpose, we substitute every pixel value in the image with the corresponding value in the S-box, which scrambles the visual information in the image and provides image encryption. We perform one round encryption on plain Lena image and carry out some statistical analyses on plain and encrypted images. These analyses include entropy, energy, correlation, contrast, and homogeneity analysis [46]. Table 11 provides a brief description of these statistical parameters, which are computed using a gray-level cooccurrence matrix (GLCM) [46]. The numerical results of these parameters are provided in Table 12. It can be observed from Table 12 that the proposed S-box (i.e., S2, S5, S7, and S8) provides effective image encryption results and the obtained parameters are mostly comparable to the AES S-box. The entropy value obtained for the encrypted images using the proposed S-boxes is 7.358, which is near to the ideal value of 8. As the entropy measures the randomness in an image, hence, the nonlinear substitution of input and output elements in the image amplifies its randomness. The energy measure value of the plain Baboon image is 0.089. After encrypting this plain image with the proposed S-boxes, we achieve an energy value of 0.016, which is comparable to the AES S-box energy value. The smaller energy measure indicates the efficient performance of the proposed S-boxes in image encryption. To show the linear independence between the plain and encrypted images, we find out the correlation coefficient between both images. A coefficient value near 0 represents no or weak linear correlation between both images. In the case of image encryption with the proposed S-boxes, the correlation between the plain image and its encrypted form is 0.018, 0.011, 0.006, and 0.026 using S2, S5, S7, and S8 S-boxes, respectively, as shown in Table 12. These statistics represent that there is a weak linear correlation among the input and output pixel values. Hence, the proposed S-boxes provide good encryption properties such as confusion and diffusion. Moreover, the proposed S-boxes achieve a high contrast value (more than 9.8). A constant image has a contrast value of 0. Generally, a high value of contrast means more randomness in the image. Due to the nonlinearity of mapping, the objects in the image are distorted entirely after applying the S-box. That is why the high value of contrast in the encrypted image shows strong encryption. Finally, we perform the homogeneity analysis to measure the closeness of the distributed elements of GLCM to its diagonal. Table 12 also displays the results of this statistical analysis, where the proposed S-boxes achieve an acceptable homogeneity value, which results in the favor of having better encryption. So, overall, the image encryption results obtained for the proposed Sboxes are comparable to the state-of-the-art results as shown in Table 12. Fig 3 provides a visual demonstration of encrypted images using different S-boxes. It can be observed from the figure that the proposed S-boxes effectively hide the visual information contained in the plain image, which indicates their excellent performance in image encryption. Therefore, we conclude that the proposed S-box design can be successfully utilized for image encryption applications.

Conclusions
In this paper, we present a novel matrix-based approach for the construction of highly nonlinear S-boxes. For this purpose, we first construct an adjacency matrix of size 8×8 corresponding to the coset diagram obtained for the action of projective special linear group PSLð2; ZÞ on a projective line PL(F 7 ) over a finite field F 7 . Afterward, we apply this adjacency matrix on the Galois field GF(2 8 ) using a set of algebraic transformations to generate the final 8×8 S-boxes. We analyze the algebraic strength of the proposed S-boxes with common S-box tests, which validate their cryptographic strength. Furthermore, we also utilize the proposed S-boxes for image encryption and use statistical analyses to investigate the performance of our proposed Sboxes, which demonstrate the effectiveness of the proposed S-box design in image encryption applications. In the future, the proposed scheme can be expanded to generate n×n S-boxes using different action groups and adjacecy matrices of size n×n.