1 Introduction

Substitution box (S-box) is the most important element in any block cipher. Being the only nonlinear component of block cipher, a substitution box plays the vital role of inducing the non-linearity between the ciphertext and the secret key in block cipher encryption algorithms. Hence, the S-box (Anees and Ahmed 2015; Hussain et al. 2012a; Anees and Gondal 2015; Hussain et al. 2012b) is used as a tool in block ciphers to enhance their resistance against differential and linear cryptanalysis (Chu et al. Mar. 2014). The S-box of Advanced Encryption Standard (AES) (Daemen and Rijmen 2002) can be defined via the arrangement of eight Boolean functions with the domain and the range of each function as \(GF(2^8)\) and GF(2), respectively. Alvarez and Mcguire (2009) have provided some measures to analyze the cryptographic potency of S-box. These measures determine the cryptographic invulnerability of S-boxes against special categories of promising attacks. In literature, it can be seen that along with injective and surjective properties of S-boxes, only \(S_8\) S-boxes proposed by Hussain et al. (2012b), and AES S-box have high-quality values close to optimal readings for all of these criteria. The reason to get similar analysis of these boxes is that \(S_8\) S-boxes are permutation extension of AES S-box based on a symmetric group. A large number of papers have been devoted to studying finite field S-boxes and their applications. The reader is referred to Hussain et al. (2012a), Anees and Gondal (2015), Hussain et al. (2012b), Daemen and Rijmen (2002) and Alvarez and Mcguire (2009) for the literature on finite field S-boxes and their applications.

1.1 Algebraic structure of semifield

This paper investigates S-boxes over the algebraic structure of semifield, defined as follows.

Definition 1.1

A finite semifield consists of a finite set S with two binary operations “+” and “\(\cdot \)” such that the following axioms hold:

  • \((S,+)\) forms a group with identity element 0.

  • \(\forall a,b \in S\): If \(ab=0\) then \(a=0\) or \(b=0.\)

  • \(\forall a,b \in S\): \(a(b+c)=ab+ac\) and \((a+b)c=ac+bc.\)

  • \(\forall a \in S\) \(\exists \) a neutral element for \(\times \) denoted as e which satisfies: \(ea=ae=a.\)

For example the following system S is a proper semifield having order 16. Let us consider \(GF(2^2)=\left\{ 0, 1, \omega , \omega ^2 \right\} \) as a base field F for the construction of the semifield \(S_{2^4}.\) The form of the elements of semifield is \(u+\lambda v,\) where u\(v\in F.\) The addition in the semifield \(S_{2^4}\) is defined using the addition of field F as \( (u+\lambda v)+(x+\lambda y)=(u+v)+\lambda (x+y). \) Multiplication in the semifield \(S_{2^4}\) is defined in terms of the multiplication and addition of F,  in the following manner

$$\begin{aligned} (u+\lambda v)(x+\lambda y)=(ux+v^2y)+\lambda (vx+u^2y+v^2y^2). \end{aligned}$$

Semifields \(S_{2^4}\) with 16 elements is shown in Table 1.

Table 1 Semifields \(S_{2^4}\) with 16 elements
Full size table

In semifield, there is no associative property as contrary to let say Galois Field. This characteristic of having no associative property makes S-boxes way more difficult to break using linear or differential cryptanalysis. The known S-boxes based on finite fields are good enough against known algebraic attacks, yet there could be some unknown algebraic attacks that may weaken the confusion creating capability of finite field S-boxes. To overcome this possible weakness, Dumas and Orfila (2014) proposed to enhance the algebraic strength of S-boxes by considering finite semifields instead of finite fields to generate S-Boxes. The known classification of semifields is up to \(2^6;\) therefore, it is a challenge to use the small structure \(2^4\) for the construction of \(2^8\) S-boxes. Dumas and Orfila (2014) utilized pseudo-extensions of semifield of order \(2^4\) to construct 12,781 non-equivalent S-boxes with maximum cryptographic properties. In this paper, corresponding to each and every non-equivalent S-box of Dumas and Orfila (2014), we generate 8! S-boxes with same cryptographic properties. This is achieved by the action of symmetric group of permutation on every non-equivalent S-box of Dumas and Orfila (2014). Moreover, the non-equivalent S-boxes will behave like a set. Because all 12,781 S-boxes of Dumas and Orfila (2014) are non-equivalent, therefore, we have 12,781 mutually disjoint classes of S-boxes. Further, we have shown the application of these S-boxes in image encryption.

The paper is organized as follows. The necessary details about the chaotic maps employed in this work, along with their relevance to secure communication, are provided in Sect. 2. Section 3 is divided in two parts, giving the construction methodology of proposed S-boxes followed by analyses for evaluating their strength. Section 4 presents the proposed block cipher. The experimental and security analysis for the proposed cipher are presented in Sects. 5 and 6, respectively. Finally, Sect. 7 gives the conclusion.

2 Chaos and their significance in secure communication

In recent years, number of articles published on chaotic security (Anees and Siddiqui 2013) has proven to be weak against well-known attacks (Pecora and Carroll 1990; Kocarev 2001). This is due to the fact that the researchers did not analyze chaotic phenomena in detail with respect to secure communication (Volos et al. 1997; Anees et al. 2013). Although there are many similarities between chaotic behavior of chaotic maps and randomness required in security (Liua and Wang 2010), it still needs proper attention to be applied in this field.

In this paper, we analyze a modified version of logistic chaotic map (Verhulst 1845) in detail with respect to secure communication and observe the regions of interest which can be applicable in communication security. There are works in the literature that employ logistic map for the encryption purposes (García-Martínez and Campos-Cantón 1845, 2015; Cassal-Quiroga and Campos-Cantón 2020; Campos-Cantón et al. 2011). We have employed two chaotic maps in our proposed encryption algorithm; modified logistic map and Tangent Delay Ellipse Reflecting Cavity Map System (TD-ERCS) (Sheng et al. 2004). The modified logistic chaotic map employed in our work is given as Wang and Chen (2013):

$$\begin{aligned} x_{n} = rx_{n-1}(1-x_{n-1}^{1-b}), \end{aligned}$$
(2.1)

where \(x_0 \in (0,1),\) \(b \in [0,1)\) and r (depending on b) are initial seed parameters. At \(b = 0,\) the above equation becomes the logistic map. At a specific value of br is a control parameter which specifies the overall behavior of this chaotic map. In physical terms, it can be defined as the heating in a convention or the growth rate of population of a typical bacteria type etc. Figure 1 presents the bifurcation diagram of modified logistic map which is a combined presentation of all the graphs plotted x against r for different values of b. Fig. 1a shows the bifurcation diagram at \(b = 0\) which is equivalent of the bifurcation diagram of logistic map. The range of the randomness in the bifurcation diagrams at all the values of b is almost same; the only difference between these figures is the shifting of the range for the values of r which is a significant advantage as compared to logistic map.

Fig. 1
figure 1

Bifurcation diagram of modified logistic map showing the plots of all the x-vectors graphed against r for different values of b. To observe the long-term impact of modified logistic map, the values of x are plotted after 500 iterations. a \(b = 0,\) b \(b = 0.2,\) c \(b = 0.4,\) d \(b = 0.5,\) e \(b = 0.6\) and f \(b = 0.8\)

Full size image

2.1 Chaotic range analysis

Taking the case \(b = 0.2\) (Fig. 1b), we analyze the ranges which are r dependable. Based on Fig. 1b, we can divide the interval for r into three segments:

  • When \(r \in [1, 3.5],\) the iteration sequence for x attains a constant value past some iterations displaying a stable behavior. Figure 2a shows the bifurcation diagram of modified logistic map for \(r = 1\) to \(r = 3.5,\) Fig. 2b demonstrates the iteration sequence for initial conditions \(r = 2.5,\) \(b = 0.2,\) \(x_0 = 0.5\) and Fig. 2c illustrates the iteration sequence for initial conditions \(r = 3.2,\) \(b = 0.2,\) \(x_0 = 0.5.\) It should be noted that the iteration sequences converge to a stable point beyond some iterations and hence are not suitable for utilization in secure communication.

  • When \(r \in (3.5, 4.2),\) the iteration sequence for x exhibits periodic behavior with different periodicity after some iterations. Figure 3a illustrates the bifurcation diagram of modified logistic map for \(r = 3.5\) to \(r = 4.2,\) Fig. 3b demonstrates the iteration sequence for initial conditions \(r = 3.7,\) \(b = 0.2,\) \(x_0 = 0.5\) and Fig. 3c displays the iteration sequence for initial conditions \(r = 4.1,\) \(b = 0.2,\) \(x_0 = 0.5.\) It is worth noticing that the iteration sequences exhibit periodic behavior after some iterations having periodicity 2 for Fig. 3b and 4 for Fig. 3c and thus are not suitable for usage in secure communication.

  • Whilst \(r \in [4.2, 4.6],\) the iteration sequence for x exhibits chaotic behavior. Figure 4a illustrates the bifurcation diagram of modified logistic map for \(r = 4.2\) to \(r = 4.6,\) Fig. 4b demonstrates the iteration sequence for initial conditions \(r = 4.3,\) \(b = 0.2,\) \(x_0 = 0.5,\) Fig. 4c illustrates the iteration sequence for initial conditions \(r = 4.5,\) \(b = 0.2,\) \(x_0 = 0.5\) and Fig. 4d illustrates the iteration sequence for initial conditions \(r = 4.56,\) \(b = 0.2,\) \(x_0 = 0.5.\) It should be noted that the iteration sequences are pseudo-random illustrating a chaotic behavior and, thus, can be used in secure communication. However, the whole range between \(r = 4.2\) to \(r = 4.6\) does not have a chaotic illustration. For example, when \(r = 4.41,\) it shows periodic behavior and thus is not suitable to be applicable in secure communication as can be seen in Fig. 4e displaying the iteration sequence for initial conditions of \(r = 4.41,\) \(b = 0.2,\) \(x_0 = 0.5.\) Furthermore, at \(r = 4.52,\) it shows periodic behavior and thus not suitable to be applicable in secure communication as can be seen in Fig. 4f that shows the iteration sequence for initial conditions of \(r = 4.52,\) \(b = 0.2,\) \(x_0 = 0.5.\)

Fig. 2
figure 2

a Bifurcation diagram of modified logistic map x plotted against \(r = 1\) to \(r = 3.5\) for \(b = 0.2.\) b, c The iteration sequence plotted, respectively, for the initial conditions (i) \(r = 2.5,\) \(b = 0.2,\) \(x_0 = 0.5\) and (ii) \(r = 3.2,\) \(b = 0.2,\) \(x_0 = 0.5\)

Full size image
Fig. 3
figure 3

a Bifurcation diagram of modified logistic map x plotted against \(r = 3.5\) to \(r = 4.2\) for \(b = 0.2.\) b, c The iteration sequence plotted, respectively, for the initial conditions (i) \(r = 3.7,\) \(b = 0.2,\) \(x_0 = 0.5\) and (ii) \(r = 4.1,\) \(b = 0.2,\) \(x_0 = 0.5\)

Full size image
Fig. 4
figure 4

a Bifurcation diagram of modified logistic map x plotted against \(r = 4.2\) to \(r = 4.6\) for \(b = 0.2\) and \(x_0 = 0.5.\) bf The iteration sequence plotted, respectively, for initial conditions b \(r = 4.3,\) c \(r = 4.5,\) d \(r = 4.56,\) e \(r = 4.41\) and f \(r = 4.52\)

Full size image

2.2 Randomness analysis

Similar to above, we can also analyze the ranges of bifurcation diagrams for the other values of b and can observe their chaotic ranges. Apart from visually analyzing the randomness of these ranges, we have tested the sequence using the NIST statistical analysis suite (Rukhin et al. 2010) which contains 15 statistical tests. Although these tests were primarily designed for a larger stream of binary bits (usually > 10,000), these tests can also be used on shorter streams as well as on integer values. We have converted the decimal values of the map into binary as follows: the binary value of 1 is assigned to the first iteration value. Then, the modulus 2 value will be assigned if the absolute value of the difference between the current and previous iteration value of chaotic map is greater than 0.25; otherwise, the previous binary value is assigned. The results of these tests on chaotic sequences are listed in Table 2 showing that the generated chaotic sequences pass the randomness tests.

Table 2 NIST statistical tests for checking the randomness of chaotic sequences obtained from modified logistic map for initial conditions \(r = 4.3,\) \(x_0 = 0.5\) and \(b = 0.2\)
Full size table

2.3 Sensitivity analysis

Fig. 5
figure 5

Chaotic sequence for modified logistic map, respectively, for initial conditions. a \(r = 4.5,\) \(x_0 = 0.5000000000,\) \(b = 0.2\) and \(x_0 = 0.5000000001,\) b \(r = 4.5000000000,\) \(x_0 = 0.5,\) \(b = 0.2\) and \(r = 4.5000000001\) and c \(r = 4.5,\) \(x_0 = 0.5,\) \(b = 0.2000000000\) and \(b = 0.2000000001\)

Full size image

Randomness alone is not enough for any chaotic sequence to be applied in secure communication (Pisarchika and Zaninb 2008; Anees et al. 2014a). It is necessary that the chaotic sequence should be sensitive to the initial conditions. For the example taken of modified logistic map, we have considered three scenarios for sensitivity analysis; one for each initial condition of each of the parameter \(x_0,\) r and b. For comparison, Fig. 5a displays the graphs of chaotic sequence for modified logistic map for initial conditions \(r = 4.5,\) \(x_0 = 0.5000000000,\) \(b = 0.2\) and for slightly changed initial conditions \(r = 4.5,\) \(x_0 = 0.5000000001,\) \(b = 0.2.\) It can be observed that both the sequences are similar initially for up to 15 iterations, but beyond that, both sequences become completely out of phase from each other. Moreover, the modified logistic map is sensitive to the initial conditions for r and b. Fig. 5b illustrates the chaotic sequence for initial conditions \(r = 4.5000000000,\) \(x_0 = 0.5,\) \(b = 0.2\) and in the same figure, a graph is plotted for initial conditions \(r = 4.5000000001,\) \(x_0 = 0.5,\) \(b = 0.2.\) Similarly, Fig. 5c displays the chaotic sequence for initial conditions \(r = 4.5,\) \(x_0 = 0.5,\) \(b = 0.2000000000\) and in the same figure, a graph is plotted for initial conditions \(r = 4.5,\) \(x_0 = 0.5,\) \(b = 0.2000000001.\) It can be observed that at the beginning the sequences in both the figures are nearly same but with increased number of iterations, all the sequences are individually recognizable. For the other chaotic map TD-ERCS, one can similarly show that it has same properties as modified logistic map. The TD-ERCS map provides two chaotic sequences, x and k,  given mathematically as (Sheng et al. 2004):

$$\begin{aligned} {\left\{ \begin{array}{ll} x_n =-\frac{2k_{n-1}y_{n-1}+x_{n-1} (\mu ^2-k_{n-1}^2)}{\mu ^2+k_{n-1}^2},\\ k_n =-\frac{2k_{n-m}^{'}-k_{n-1} +k_{n-1}k_{n-m}^{'2}}{1+2k_{n-1}k_{n-m}^{'}-k_{n-m}^{'2}}, \end{array}\right. } \end{aligned}$$
(2.2)

where

$$\begin{aligned} k_n^{'}= & {} -\frac{x_{n}}{y_{n}}\mu ^2, \end{aligned}$$
(2.3)
$$\begin{aligned} y_n= & {} k_{n-1}(x_n - x_{n-1})+y_{n-1}, \end{aligned}$$
(2.4)
$$\begin{aligned} k_{n-m}= & {} {\left\{ \begin{array}{ll} \frac{x_{n-1}}{y_{n-1}}\mu ^2 &{} \quad \text {if}\ n < m\\ \frac{x_{n-m}}{y_{n-m}}\mu ^2 &{} \quad \text {if}\ n \ge m. \end{array}\right. } \end{aligned}$$
(2.5)

The initial seed parameters are,

$$\begin{aligned} {\left\{ \begin{array}{ll} x_0\in [-1, 1],\\ \tan \alpha \in (-\infty , \infty ),\\ \mu \in (0.05, 1),\\ m = 2, 3,\ldots , n. \end{array}\right. } \end{aligned}$$
(2.6)

These initial parameters lead to

$$\begin{aligned} y_0= & {} \mu \sqrt{1-x_{0}^{2}}, \end{aligned}$$
(2.7)
$$\begin{aligned} k_{0}^{'}= & {} -\frac{x_0}{y_0}\mu ^2, \end{aligned}$$
(2.8)
$$\begin{aligned} k_{0}= & {} \frac{\tan \alpha +k_{0}^{'}}{1-k_{0}^{'}\tan \alpha }. \end{aligned}$$
(2.9)

3 Proposed S-boxes

The ideal scenario for the construction of \(8\times 8\) S-box based on semifield is to find a semifield with order 256. But unfortunately, the complete classification of semifield is still unknown and, in literature, the largest known classification of semifield with characteristic 2 is of order 64. Therefore, it is not possible to find a direct method to incorporate the nonlinear component S-box in block cipher based for this structure. But Dumas and Orfila (2014) have shown an indirect way for the construction of S-box based on semifield. Our proposed construction method in this work consists of two steps.

  1. Step 1:

    The first step involves construction method from Dumas and Orfila (2014), as explained below. Dumas and Orfila (2014) define a bijection T as T: (\(S_{2^4})^2 \rightarrow \) \((S_{2^4})^2.\) Basically, the finite field \(GF(2^8)\) is constructed with the help of quotient structure \(F_{2^8}=F_{2^4}[X]/P(X)\) where \(P(X)=X^2+ \alpha X +\beta ,\) with \(\alpha ,\) \(\beta \in F_{2^4},\) is an irreducible polynomial of degree 2. According to Dumas and Orfila (2014), the elements of \(F_{2^8}\) viewed as \(F_{2^4}[X]/P(X)\) are polynomials of degree 1 of the form \(aX+b,\) denoted as couple \((a,b) \in (F_{2^4})^2.\)

Theorem 3.1

Let \(P(X)=X^2+\alpha X+\beta \in F_{2^4}(X),\) P is irreducible if and only if \(\forall \) \(\gamma \in F_{2^4},\) \([(\alpha -\gamma )\gamma -\beta ]\ne 0\) (Dumas and Orfila 2014).

Definition:

Proposition 3.2

Let \(P(X)=X^2+ \alpha X +\beta \in S_{2^4}[X],\) P is pseudo-irreducible if and only if \(\forall \) \(\gamma \in F_{2^4},\) \([(\alpha -\gamma )\gamma -\beta ]\ne 0\) (Anees and Gondal 2015).

Theorem 3.3

Let \(P(X)=X^2+\alpha X+\beta \in S_{2^4}(X),\) be a pseudo-irreducible polynomial. The transformation : 

T :  \((S_{2^4})^2\rightarrow (S_{2^4})^2\) \((0,0)\rightarrow (0,0)\) \((0,b)\rightarrow (0,b^{-1})\) \((a,b)\rightarrow (a^{-1} c,a^{-1} d)\)

such that \(\gamma =a^{-1}b,\) \(c=[(\alpha -\gamma )\gamma -\beta ]^{-1},\) and \(d=c(\alpha -\gamma ),\) is a bijection.

The bijection T will give us semifield S-box shown in Table 3.

Table 3 S-box based on semifields pseudo-extensions by Dumas and Orfila (2014)
Full size table
  1. Step 2:

    In this step, the group action of \(S_8\) is applied on semifield S-box of Step 1. The semifield S-box behaves like a set. The group action leads to generation of 40,320 new S-boxes, because the order of \(S_8\) is 40,320 and corresponding to every single permutation we have a novel S-box. The process of synthesis is explained in Fig. 6 and mathematical expression is given below: The action \(S_8 \ \text {S-boxes}: \ S_8 \times \text {Semifield S-box} \rightarrow \text {Semifield S-boxes}\) defined as

    $$\begin{aligned} \mu (a_0 a_1 a_2 a_3 a_4 a_5 a_6 a_7) = (a'_0 a'_1 a'_2 a'_3 a'_4 a'_5 a'_6 a'_7), \end{aligned}$$

    where \( \mu \in S_8\) and

    $$\begin{aligned} (a_0 a_1 a_2 a_3 a_4 a_5 a_6 a_7), (a'_0 a'_1 a'_2 a'_3 a'_4 a'_5 a'_6 a'_7) \in \text {Semifield-S-box}. \end{aligned}$$
Fig. 6
figure 6

Graphical illustration of proposed algorithm

Full size image

Figure 6 explains the mathematical action in a simplified way with three steps. Initially, in Step 1, we have converted the elements of semifield S-box from decimal to binary values. So we have eight different Boolean functions \(F_0, F_1,F_2,F_3,F_4,F_5,F_6,F_7\) as shown in Fig. 6. In step 2, we have taken an arbitrary permutation (13246578) from \(S_8\) for the construction of one S-box. On applying this permutation on \(F_0, F_1,F_2,F_3,F_4,\) \(F_5,F_6,F_7,\), the effect of permutation on Boolean functions will give us a new arrangement which is as follows: \(F_0, F_2,F_1,F_3,F_5,F_4,F_6,F_7.\) At the end, the binary number is converted once again in the form of decimal values get new \(S_8\) semifield S-box.

3.1 Cryptographic strength analyses of S-box

To measure the good properties of S-box benchmark criteria are presented in literature like bijectivity, differential approximation probability (DP), strict avalanche criterion (SAC), bit independence criterion (BIC), non-linearity, and linear probability (LP). We carry out the security analysis of the proposed S-box of example given in Table 3 using these well-known criteria.

  1. 1.

    Bijectivity: (Dumas and Orfila 2014) If the linear sum of the Boolean function \(f_i\) of each component of the designed \(n \times n\) S-box is \(2^{n-1}\), then f is a bijection. Mathematically, we can write as

    $$\begin{aligned} wt(a_1f_1+a_2f_2+\cdots +a_n f_n), \end{aligned}$$
    (3.1)

    where \(a_i\in {0,1},\) \((a_1,a_2,\ldots ,a_n)\ne (0,0,\ldots ,0),\) wt() denotes the Hamming weight. In effect, an inverse is important specifically in a substitution network, therefore S-box should be bijective.

  2. 2.

    Non-linearity: The non-linearity of an S-box can be tested by the following formula:

    $$\begin{aligned} N_f=2^{-n}\left( 1-\max _{\omega \in GF(2^n)}\left| 2^{-n}\sum _{x\in GF(2^n)} (-1)^{f(x)\oplus x.\omega }\right| \right) , \end{aligned}$$
    (3.2)

    where \(\omega \in GF(2^8).\)

  3. 3.

    Strict avalanche criterion: This analysis depicts information that while one bit of eight lengths input byte of plaintext modifies, will yield a 0.5 probability of the outcomes changes in byte of 8 bits balanced for entries.

  4. 4.

    Bit independent criterion: For two Boolean function \(f_j,\) \(f_k,\) one can test the independence criterion of a substitution box by validating if, for any two output bits of the S-box, \(f_j \oplus f_k\) \((j \ne k)\) fulfills the SAC and non-linearity.

  5. 5.

    XOR table and differential invariant: XOR table of substitution box basically depends on the calculation of \(\rho _{L}(a,b)= \left\{ x\in GF(2^8): L(x)\oplus L(a\oplus x)= M\right\} \) \(\forall a,b \in GF(2^8).\) The differential invariant \(\rho _{L}(a,b)\) is found as follows: \(\rho _{L}(a,b) =\underbrace{\max }_{a,b \in GF(2^8), a \ne 0}\left| \left\{ x\in GF(2^8): L(x)\oplus L(a\oplus x)= M\right\} \right| .\)

3.2 Experimental results for proposed S-boxes

Table 4 Comparative analysis of proposed 40,320 \(S_8\) semifield S-boxes with prevailing S-boxes
Full size table

In Table 4, we have shown some analyses such as linear approximation probability, differential approximation probability, strict avalanche criterion, average bit independence criterion for non-linearity, average bit independence criterion for strict avalanche criterion and non-linearity of proposed \(S_8\) semifield S-boxes. Further, we have compared the cryptographic strength of presented 40,320 boxes with semifield S-box of Dumas and Orfila (2014) and advanced encryption standard (AES) S-box (Daemen and Rijmen 2002). It can be observed that all the properties of newly generated nonlinear components are almost equivalent to S-box of Dumas and Orfila (2014) and Daemen and Rijmen (2002). Hence, we can say that proposed 40,320 S-boxes are a powerful as AES S-box, which is known as one of the most invulnerable S-box against all kinds of differential and linear attacks.

4 Proposed lightweight block cipher

For the application of proposed S-boxes presented in the previous section, we have proposed a lightweight block cipher which utilizes these S-boxes and can be employed for low profile applications. The proposed cipher consists of basic confusion–diffusion network performed by substitution and permutation. The permutation is performed with the help of cyclic shift operation and substitution is done with the help of numerous proposed S-boxes having same algebraic properties. The top level block description of proposed lightweight block cipher is illustrated in Fig. 7.

Fig. 7
figure 7

A top level block description of proposed lightweight block cipher. The plaintext in blocks is encrypted through substitution–permutation (cyclic shift and substitution) network in six rounds to get the ciphertext

Full size image

The plaintext is divided and considered as individual blocks of 128-binary bits, let the representation of 128-binary bits block of plaintext be \(B_p.\) There is whitening step beside the confusion-diffusion network which is performed at the very beginning. The first block of plaintext is xored with the user supplied 128-binary bits key, \(K_1.\) After the xor operation (whitening), the xored block which is represented as \(B_x\) is the input to the substitution and permutation modules. The next blocks of plaintext are xored with the immediate previous blocks of ciphertext.

figure a

As mentioned earlier, binary cyclic shift is performed for the permutation. Let us take x to be the chaotic sequence obtained from modified logistic chaotic map for the initial values \(x_0,\) b and r. These initial values are considered as the first three secret keys of the proposed encryption algorithm which combines to give \(K_2\) as illustrated in Fig. 8, that is, \(k_2^{1} = x_0,\) \(k_2^{2} = b\) and \(k_2^{3} = r.\) The length of x is 128 which has values under modulo 8. Since the initial range of chaotic sequence is [0, 1], therefore we multiply that sequence with 100 to amplify the range and then limit the sequence under modulo 8. In parallel, let the binary representation of first 8 bits of xor block be \(P_x.\) For each \(P_x,\) there is a left cyclic shift of \(x_{q}\) binary bits which results in a cyclic shifted 8 bits, \(P_c\) and correspondingly cyclic shifted block, \(B_c.\) For instance, let \(P_x = 11010110\) and \(x_{q} = 3,\) then after cyclic shift, \(P_c = 10110110.\)

Fig. 8
figure 8

a Cameraman image having size of \(256\) is considered as plaintext. b Encrypted cameraman image when the proposed block cipher is applied on the original cameraman image, it can be observe that it is completely random and gives no information regarding the plainimage. c Histogram of cameraman image and d histogram of encrypted cameraman image

Full size image
Fig. 9
figure 9

a One-scale image which has only one gray value having perfect auto-correlation. b The encrypted version of this one-scale image. c Histogram of one-scale and d histogram of its encrypted version

Full size image

Take x and k be the two chaotic sequences obtained from TD-ERCS chaotic map having initial values \(x_0,\) \(\tan \alpha ,\) \(\mu \) and m. For simplicity and convenience, x is denoted as y. These four initial values are considered as next four secret keys of the proposed encryption algorithm, that is, \(k_3^{1} = x_0,\) \(k_3^{2} = \tan \alpha ,\) \(k_3^{3} = \mu \) and \(k_3^{4} = a\) which combine to give \(K_3.\) Since, we need only one chaotic sequence from this map, therefore we will only use y sequence. The sequence y has length 16 and values under modulo \(S_n,\) where \(S_n\) denotes the total number of S-boxes used. Initially the chaotic sequence has the range of \([-1, 1],\) so we amplify that range by first shifting the range from \([-1, 1]\) to [0, 2] and then multiplying that shifted sequence with 1000,  and finally limiting the sequence under modulo \(S_n.\) In parallel, for the substitution step, combinations of 8 bits in \(B_c\) are substituted with the 8 bits of one of the proposed S-boxes. The decision of choosing which S-box to utilize is taken by the chaotic sequence of y. Let the binary representation of first 8 bits of \(B_c\) be \(P_c.\) For each \(P_c,\) the eight bits are split into 4 Most Significant Bits (MSBs) and 4 Least Significant Bits (LSBs) first. These MSBs and LSBs are then converted into decimal and these decimal values corresponds to the row and column numbers of a particular S-box. The element at that position of specific S-box is converted into binary having 8 bits and will be substituted in place of \(P_c.\) For instance, let \(P_c = 10110110\) and \(y_{q} = 105,\) then the 4 MSBs are 1011 and 4 LSBs are 0110, the decimal value at 11th row and 5th column of 105th S-box will be substituted to get the 8 substituted binary bits \(P_s\) and correspondingly ciphertext block, \(C_p.\)

The proposed block cipher in form of pseudo-code is illustrated in Algorithm 1. It has only six rounds as contrary to other renown block ciphers which have more than 12 rounds. Despite few rounds, the results are very competitive to the benchmark algorithms due to the multiple S-boxes employed instead of a single S-box. The experimental, statistical and security analysis are presented in the next sections to illustrate the robustness and performance effectiveness of the proposed block cipher.

5 Experimental results and statistical analysis

For experiments, we have taken two dimensional digital images as plaintext. First, the cameraman image having size of \(256\) is considered as plaintext shown in Fig. 8a. This plainimage is then encrypted using proposed lightweight block cipher and encrypted cameraman image is shown in Fig. 8b which is completely random and gives no information regarding the original plainimage. To see the distribution of values (image pixels) in plainimage and cipherimage, we have plotted the histograms of these images shown in Fig. 8c, d, respectively. It can be observed that the distribution of the values of cipherimage is uniform showing good resistance against frequency analysis. We have also considered a one-scale image which has only one gray value having perfect auto-correlation as shown in Fig. 9a. The encrypted version of this one-scale image is shown in Fig. 9b. The histogram of one-scale and its encrypted version is plotted and shown in Fig. 9c, d, respectively. It can be seen that the histogram of the encrypted version is flat again, despite maximum auto-correlation in the plainimage.

5.1 Statistical analysis

For further examination of the visual strength of the proposed block cipher, we have performed different statistical analysis and have carried out a comparison of our results with the state-of-the-art block cipher. We have considered the following statistical analyses.

5.1.1 Correlation

For an image, the correlation is defined as (Anees et al. 2014b):

$$\begin{aligned} \text {Corr.} = \sum _{a, b} \frac{(a - \mu a)(b - \mu b)\rho (a, b)}{\varphi _{a}\varphi _{b}}, \end{aligned}$$
(5.1)

where ab refer to position of image pixels, \(\rho (a, b)\) represents the pixel value at ath row and bth column of image matrix, \(\mu \) and \(\varphi \), respectively, denote the variance and the standard deviation. The correlation analysis measures the extent to which two neighboring image pixels are similar, over the whole image. It has the range \([-1 \ 1]\), where the correlation value 1 means the ideal correlation.

5.1.2 Entropy

The image entropy is defined as (Anees et al. 2014b):

$$\begin{aligned} \text {Entropy} = -\sum _{a, b} pr(\rho (a, b)) \log _{2} pr(\rho (a, b)), \end{aligned}$$
(5.2)

where ab refer to position of image pixels, \(\rho (a, b)\) represents the pixel value at ath row and bth column of image matrix and \(pr(\rho (a, b))\) is the probability of image pixel. Entropy depicts the uncertainty of the image and has range \([0 \ 8]\) for an image with 256 gray scales. The more the amount of entropy is, the more the amount of uncertainty is.

5.1.3 Contrast

The image contrast is defined as (Anees et al. 2014b):

$$\begin{aligned} \text {Contrast} = \sum _{a, b} |a - b|^{2} \rho (a, b), \end{aligned}$$
(5.3)

where ab refer to position of image pixels, \(\rho (a, b)\) represents the pixel value at ath row and bth column of image matrix. The contrast analysis of the image is carried out for the purpose of identification of objects in texture of an image. The range of contrast values is \([0 \ (\text {size}(\text {Image})-1)^2].\) For a constant image, the contrast value is 0. The more the amount of contrast is, the more is the variation in image pixels.

5.1.4 Homogeneity

The image homogeneity is defined as (Anees et al. 2014b):

$$\begin{aligned} \text {Homo.} = \sum _{a, b}\frac{\rho (a, b)}{1 + |a - b|}, \end{aligned}$$
(5.4)

where ab refer to position of image pixels. The nearness of the distribution in the gray level cooccurrence matrix (GLCM) to GLCM diagonal is determined by homogeneity analysis. The homogeneity values range is \([0 \ 1].\)

5.1.5 Energy

The image energy is defined as Anees et al. (2014b):

$$\begin{aligned} \text {Energy} = \sum _{a, b} \rho (a, b)^{2}, \end{aligned}$$
(5.5)

where ab refer to position of image pixels. The energy analysis provides the sum of squared elements in the GLCM. The energy values have range \([0 \ 1].\) For a constant image, the energy value is 1.

Table 5 shows the outcome of the above analyses for the proposed image encryption scheme. It also provides a comparative study with the benchmark blockcipher of AES. It is worth noticing that the presented scheme depicts competitive results despite significant lower computational complexity.

Table 5 Comparative statistical analysis of proposed and AES cipher
Full size table

6 Security analysis

For the robustness and to check whether the proposed cipher can resist against known attacks, we have carried out series of security analysis that will ensure the effectiveness of proposed cipher.

6.1 Key space and key sensitivity

The total number of secure keys that can be used in the cipher is referred as key space. In our proposed work, we have used three keys, in which, the first one is the user provided 128-binary bit key, second and third are the combination of initial values of the two chaotic maps used. The total combination of these three secure keys is sufficiently large so, for checking all the combinations, any modern computer should take more than \(10^{10}\) years. Thus, the proposed cipher can resist to any brute force attack.

However, key space alone is not enough to guarantee the effectiveness of a cipher in this regard. It is necessary that with the key space, key sensitivity should be achieved as well. Key sensitivity refers to a property of cipher in which the decryption of ciphertext can not be successively achieved despite the fact that there is a minor change in the encryption and decryption keys. For the analysis, first, we have taken the cameraman image (shown in Fig. 8a) and encrypted with the proposed cipher (Fig. 8b shows the encrypted image). For the decryption, we have slightly changed the decryption keys and attempted decrypting the encrypted images with these slightly altered decryption keys. Figure 10a shows the decrypted image in which \(K_1\) is changed by a single binary bit. Figure 10b shows the decrypted image in which b of \(K_2\) is changed from \(b = 0.2000000000\) to \(b = 0.2000000001.\) Fig. 10c shows the decrypted image in which r of \(K_2\) is changed from \(r = 4.5000000000\) to \(r = 4.5000000001.\) Fig. 10d shows the decrypted image in which \(x_0\) of \(K_3\) is changed from \(x_0 = 0.5000000000\) to \(x_0 = 0.5000000001.\) It can be seen that, even for a small modification in the decryption keys, decryption is unsuccessful in all of considered images.

Fig. 10
figure 10

Decrypted image in which \(K_1\) is changed by a single binary bit. Decrypted image for which, the decryption key of b of \(K_2\) is changed from \(b = 0.2000000000\) to \(b = 0.2000000001.\) Decrypted for which, the decryption key of r of \(K_2\) is changed from \(r = 4.5000000000\) to \(r = 4.5000000001.\) Decrypted for which, the decryption key of \(x_0\) of \(K_3\) is changed from \(x_0 = 0.5000000000\) to \(x_0 = 0.5000000001\)

Full size image

6.2 Avalanche analysis

The avalanche effect refers to an appealing characteristics of cryptosystems. The avalanche effect is evident when a slight change in the input (for instance, flipping a single bit) leads to a notable change in the output (like change in half the output bits). Mathematically, the avalanche effect can be determined by the following formulas for the number of pixel change rate (NPCR) and the unified average change intensity (UACI) (Wu et al. 2010).

$$\begin{aligned} \text {NPCR}= & {} \frac{\sum _{a,b}D(a,b)}{N \times M}\times 100 \%, \end{aligned}$$
(6.1)
$$\begin{aligned} \text {UACI}= & {} \frac{1}{N \times M}\left[ \sum _{a,b}\frac{|A_1(a,b) - A_2(a,b)|}{255}\right] \times 100 \%, \end{aligned}$$
(6.2)

where \(A_1\) and \(A_2\) are the two encrypted images acquired from the original image with the disparity of a single pixel, N and M represent the number of rows and columns of encrypted image matrix, and D(ab) is defined as

$$\begin{aligned} D(a,b) = \left\{ \begin{array}{l l} 0 &{} \quad \text {if } A_1(a,b) = A_2(a,b),\\ 1 &{} \quad \text {if } A_1(a,b) \ne A_2(a,b). \end{array} \right. \\ \end{aligned}$$

NPCR yields the rate of change of number of pixels of encrypted image once a single pixel of original image is amended. UACI determines normal power of contrasts between original and encrypted images. The least required value for NPCR must be 50%. NPCR and UACI analysis is carried out for some standard images of image processing such as Lena, cameraman and baboon. We have taken three cases to analyze the NPCR and UACI cryptographic strength for proposed image encryption technique, for each of the considered images. For analysis, first a pixel is chosen in the first two rows of the original image and then the procedure is repeated for two other parts (roughly in middle and end) of the data. The comparative analysis of the proposed image encryption technique with the AES for NPCR and UACI is provided in Table 6. It can be seen that proposed algorithm is competing with the most widely applicable and economical block cipher cryptosystem.

Table 6 Comparative NPCR and UACI analysis of proposed cipher with AES on the images of cameraman, lena and baboon for three cases: a single bit change in first pixel, in mid pixel and in last pixel
Full size table

Moreover, we have done NPCR and UACI analysis to analyze the key security of proposed key schedule. We consider following two cases.

  1. Case I

    We have applied two different encryption keys having a single bit difference on same original image to get two significantly different encrypted images having NPRC and UACI values 99.5298 and 33.6210, respectively.

  2. Case II

    Here, we have applied two different decryption keys having a single bit difference on same encrypted image to get two significantly different decrypted images having NPRC and UACI values 99.6210 and 33.3698, respectively.

The comparative analysis of the proposed image encryption technique with the AES for key sensitivity using NPCR and UACI is given in Table 6. The values of the analysis show that the proposed key schedule is invulnerable for image encryption.

6.3 Cryptanalysis

To analyze the full cryptographic strength of proposed image cryptosystem against known attacks, it is required to pass plainimage through complete rounds. The known attacks are as follows.

6.3.1 Linear cryptanalysis

Th linear approximation probability (LP) is utilized to measure the discrepancy of an event. This test is useful in determining the optimum value of discrepancy in the outcome of event. The two masks, \(\Gamma y\) and \(\Gamma x,\) are utilized for parity of the output and input bits, respectively. For the nonlinear component of block cipher, LP is defined as Matsui (1994):

$$\begin{aligned} \text {LP} = \max _{\Gamma x \Gamma y \ne 0}\left| \frac{\#\left\{ x/X \bullet \Gamma x = S(x)\bullet \Gamma y = \Delta y\right\} }{2^{n}} - \frac{1}{2}\right| , \end{aligned}$$
(6.3)

where all possible unique inputs are contained in the set X and the cardinality of X is \(2^{n}.\) The average maximum value of LP of proposed cryptosystem having 1 round and 8 S-boxes is \( \text {LP}_{\textrm{max}} = 2^{-4.21}.\) Furthermore, the generalization of proposed cryptosystem with 256 active S-Boxes and 4-rounds will give us average maximum value \(\text {LP}_{\textrm{max}}^{4r} = 2^{-4.21 \times 256} = 2^{-1077}.\) It is worth mentioning that to a certain extent, it is difficult to launch linear cryptanalysis against proposed cryptosystem.

6.3.2 Differential cryptanalysis

With a specific end goal to guarantee uniform mapping, the differential at input should exceptionally guide to an output differential. These attributes ensure uniform mapping probability for each input bit i. The differential approximation probability scheme for S-Box determines the differential uniformity, defined as (Biham and Shamir 1993):

$$\begin{aligned} \text {DP}(\Delta x\rightarrow \Delta y) = \left[ \frac{\#\left\{ x\in X /S(x)\oplus S(x\oplus \Delta x) = \Delta y\right\} }{2^{m}}\right] , \end{aligned}$$
(6.4)

where \(\Delta y\) and \(\Delta x\) are output and input differential, respectively. We have applied 256 S-boxes with good cryptographic properties and have extended proposed algorithm for 4 rounds to get good results against DP. \(\text {DP}_{\textrm{max}} = 2^{-4.05}\) is the average maximum DP of the S-Boxes used. The value of DP of the proposed cryptosystem guarantees the cryptographic strength of the proposed algorithm against differential cryptanalysis.

Further, to demonstrate the security strength of the proposed work, we have done the state-of-the-art security analysis and compared with the known works. Table 7 shows the comparative results strict avalanche criterion, bit independent criterion, BIC for SAC, linear approximation probability, and differential approximation probability of proposed and other S-boxes demonstrating the superiority of our proposed S-Box.

Table 7 Comparative analysis of strict avalanche criterion, bit independent criterion, BIC for SAC, linear approximation probability, and differential approximation probability of proposed and other S-boxes
Full size table

6.4 Computational time

One of the important factors to demonstrate the strength of any encryption algorithm is its computational complexity, i.e., how many gate equivalents are required for its hardware implementation. If the computational complexity is too high, then the encryption algorithm might not be appropriate for certain applications. We have computed the computational time for the proposed encryption algorithm that corresponds to the gate equivalents and then compared this computational time with the state-of-the-art works. Table 8 shows the comparative results of computational time of proposed and other works demonstrating the superiority of our proposed work. The time is computed on a desktop machine using MATLAB software on Windows 10 with i7 processor and 16 GB RAM.

Table 8 Comparative results of computational time of proposed and other works demonstrating the superiority of our proposed work
Full size table

7 Conclusion

This paper is concerned with the study of S-boxes based on semifield and their application to develop a block cipher that can be employed for low profile applications. Although the currently known S-boxes based on finite fields perform well against known algebraic attacks, it is possible that there could be some unknown algebraic attacks that may beat the confusion creating capability of finite field S-boxes. In Dumas and Orfila (2014), it was proposed to consider finite semifields instead of finite fields to generate S-Boxes to to enhance the algebraic strength of S-boxes against unknown algebraic attacks. The algebraic structure of semifield is not commonly used in block cipher cryptography because it does not have complete classification up to finite order. In fact, the known classification of semifields is up to \(2^6.\) This makes it challenging to use the small structure \(2^4\) for the construction of \(2^8\) S-boxes. Dumas and Orfila (2014) utilized pseudo-extensions of semifield of order \(2^4\) to construct 12,781 non-equivalent S-boxes with good cryptographic properties. Here we establish an effective procedure for generating \(S_8\) semifield S-boxes having same algebraic properties. Utilizing the action of symmetric group of permutation on every non-equivalent S-box of Dumas and Orfila (2014), corresponding to each and every non-equivalent S-box of Dumas and Orfila (2014), we generate 8! S-boxes with same cryptographic properties. In total, this leads to 51,532,9920 new S-boxes based on semifield and symmetric group.

As application, a block cipher is proposed utilizing \(S_8\) semifield substitution boxes and two chaotic maps. The proposed cipher consists of three modules which are operated for six rounds. These three modules are substitution, permutation and XOR whitening. In the substitution process, multiple proposed S-boxes are used to get desired confusion between the ciphertext and secret key. This module enhances security, and the desired security is attained in less number of rounds as compared to conventional block ciphers. Each module is applied in agreement with the specific chaotic sequence generated through a distinct chaotic map. Security analysis is performed and the simulation results confirm that the proposed algorithm is secure against well-known attacks.

Finally, the proposed encryption algorithm is flexible that can be adapted to changes as required. For instance, it is possible to increase or decrease the number of rounds and S-boxes as well as to replace semifield S-boxes with other S-boxes.