A Novel Method for Constructing the S-Box Based on Spatiotemporal Chaotic Dynamics

Abstract

A novel construction method for a random S-box by using the spatiotemporal nonlinear chaotic system is proposed. The chaotic sequences of the spatiotemporal chaotic system are applied to construct an initial S-box. Then, the permutation operation between independent chaotic sequences is performed to shuffle the elements of the S-box randomly. In comparisons with the former schemes, the results of the performance analysis indicate that the obtained S-box has a better output bit independence criterion and a stronger ability to resist linear password attacks. It also has a high dimensional feature due to the spatiotemporal chaotic dynamical behaviors. The proposed scheme holds superior cryptographic features.

1. Introduction

With the development of communication technology [1,2,3,4], encryption algorithms for data transmission security have attracted extensive attention. Block encryption algorithms play an important role in modern cryptographic systems. The substitution box (S-box) has been widely employed in many block cryptosystems; for instance, Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), and Advanced Encryption Standard (AES). S-box provides a chaotic effect for the cryptosystem, and its security strength determines the security strength of the whole cryptosystem. Hence, S-box is an important nonlinear component for the security of cryptographic schemes.

Currently, strong S-boxes have received intensive attention. Many S-box construction methods have been proposed [5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22]. In the literature, S-boxes should resist differential and linear attacks [5,6,7,8,9]. A new construction method for S-box was proposed in [10], which relies on exhaustive search, but the large values of n in the construction method result in it being time consuming. Recently, the theory of chaos has been broadly used for designing S-boxes due to the inherent features of the chaotic map; for instance, random-like behaviors and sensitivity to initial conditions. Jakimoski and Kocarev [11] constructed secure S-boxes using exponential and logistic chaotic maps. Amigó et al. [12] proposed a chaos-based approach to the design of cryptographically-secure substitutions. Tang et al. [13] designed $8\times 8$ S-boxes using logistic and Baker chaotic maps. Chen et al. [14] presented an extended method for constructing S-boxes by the use of the Chebyshev map and the 3D Baker map. An effective and dynamic method for constructing the S-box was developed by using the tent map in [15]. Özkaynak and Özer [16] developed a generation method for S-boxes by using the random-like behaviors of the Lorenz system. Hussain et al. [17] proposed an efficient S-box generation method by the use of a nonlinear chaotic algorithm. In [18], the Lorenz system and the Rössler system were employed to synthesize new S-boxes. Dragan [19] developed a new method of generating S-box by the use of chaotic tent map and composition method. Liu et al. [20] designed S-boxes by using 3D four-wing autonomous chaos system. Belazi and El-Latif [21] proposed an efficient method for generating S-boxes by the use of the chaotic sine map. In [22], the logistic-sine map was applied to construct S-boxes. In [23], S-boxes were generated by using the logistic-tent map and linear fractional transformation. Khan et al. [24] presented a novel technique for the construction of strong S-boxes based on chaotic Lorenz systems. In [25], a novel method to construct strong bijective substitution-boxes based on a 5D hyperchaotic system was presented. However, in these aforementioned chaotic S-box construction schemes, the output Bit Independence Criterion (BIC) and ability to resist linear password attacks were not ideal. Moreover, the applied chaotic systems are low dimensional systems. For the low dimensional chaotic system, the dynamical behaviors may degrade under finite precision computation in modern computers. This degradation can lead to periodic trajectories that affect the randomness of chaotic sequences. Actually, [26,27] have successfully cracked the encryption schemes that are based on the low dimensional chaotic system.

To overcome the above drawbacks, we present a novel and efficient S-box construction method by using a spatiotemporal chaotic system. It can improve the BIC property of the S-box and its ability to resist linear password attacks. The spatiotemporal chaotic system contains multi-dimensional Lyapunov exponents that can resist the degradation under finite precision computation in modern computers. We summarize the three contributions of this work as follows:

• We choose the Non-adjacent Coupled Map Lattices (NCML) [28] spatiotemporal chaos system for constructing the S-box. It has more dynamical features than the traditional CML [29] and the logistic map, such as better randomness, more chaotic sequences, and no periodic windows. Moreover, it can resist the degradation of finite precision computation due to its high dimensional feature, which can increase the randomness of elements in the S-box. Additionally, the NCML chaotic system has been used in secure communication schemes due to its cryptographic features [30,31];
• Since the chaotic sequences generated by the NCML system are independent, we apply these independent chaotic sequences to implement the permutation and shuffle of the S-box, which can improve its BIC property and ability to resist linear password attacks;
• In the comparisons with the former schemes, the simulation and experimental results prove the superior properties of the proposed scheme. This scheme shows that the combination of the spatiotemporal chaotic system and S-box is a recommended approach for encryptions.

The rest of this paper is organized as follows. The NCML spatiotemporal system is introduced and analyzed, as well as the cryptographic features in dynamical behaviors in Section 2. Section 3 explains the construction process of the proposed S-box. Section 4 verifies the randomness of the constructed S-box. Section 5 analyzes the performance of the constructed S-box. Section 6 gives the concluding remarks.

2. Preliminaries

The CML system [29] is presented as:

$$\begin{array}{cc}\hfill y_l(s+1)=& (1-\alpha )\mu y_l\left(s\right)(1-y_l\left(s\right))+\frac{\alpha }{2}\{\mu y_a\left(s\right)(1-y_a\left(s\right))+\mu y_c\left(s\right)(1-y_c\left(s\right))\},\hfill \end{array}$$

(1)

where s is the time parameter (s = 1, 2, 3, …), $\alpha$ is the coupling coefficient ($0\le \alpha \le 1$), $\mu \in (0,4]$, l, a and c are the lattices ($1\le l,a,c\le N$), $a=l+1,c=l-1$, and N is a count of all the lattices. The CML system is a spatiotemporal chaotic dynamics, which is coupled in adjacent lattices.

Different from the CML chaotic dynamics, the coupling method of the NCML chaotic system is non-adjacent. The NCML system [28] is presented as:

$$\begin{array}{cc}\hfill y_l(s+1)=& (1-\alpha )\mu y_l\left(s\right)(1-y_l\left(s\right))+\frac{\alpha }{2}\{\mu y_m\left(s\right)(1-y_m\left(s\right))+\mu y_n\left(s\right)(1-y_n\left(s\right))\},\hfill \end{array}$$

(2)

where m, n are also the lattices ($1\le m,n\le N$) and the relations of l, m, n satisfy the Arnold cat map expressed by:

$$\left[\genfrac{}{}{0.0pt}{}{m}{n}\right]=\left[\begin{array}{cc}1& b\\ d& bd+1\end{array}\right]\left[\genfrac{}{}{0.0pt}{}{l}{l}\right](modN).$$

(3)

The NCML system has good chaotic features when the parameters $\mu$, b, and d are assigned with proper values.

(1)

Lyapunov exponents evaluate the divergence of nearby orbits and provide a qualitative view of the dynamical system. If a system has at least one positive Lyapunov exponent, the system is certainly in chaotic behaviors. The Lyapunov exponent of each lattice in the NCML system is positive, and between 0.0203 and 0.4351. This means that the NCML system’s dynamics is more complicated, which can resist the degradation under finite precision computation in modern computers.

(2)

In the bifurcation diagram of the NCML system, there is no periodic window, as shown in Figure 1a. By contrast, there are periodic windows in the bifurcation diagram of the CML system, as shown in Figure 1b. Therefore, the NCML system is more suitable for cryptography than the CML system due to no periodic windows.

(3)

The chaotic trajectory of NCML system is as random as that of the CML system, as shown in Figure 2. The random chaotic sequences are suitable for the construction of a random S-box.

(4)

The NCML chaotic system has very small mutual information values between chaotic trajectories. Mutual information can be used to evaluate the independence of two chaotic trajectories (named $s1$ and $s2$), which is defined as:

$$I(s1,s2)=H\left(s1\right)-H(s1/s2).$$

(4)

The lower value of mutual information of $s1$ and $s2$ means the higher independence of chaotic trajectories. As shown in Figure 3b, most of the mutual information values are equal to zero, which indicates that most of the chaotic trajectories generated by the NCML chaotic system are independent and cannot be recovered by other trajectories. For the CML chaotic system, its mutual information values between chaotic trajectories are indicated in Figure 3a. It can be noted that the NCML chaotic system holds smaller mutual information values between chaotic trajectories than the CML chaotic system. The independent chaotic trajectories are suitable for cryptography because they cannot be restored by other trajectories.

3. The Proposed Method for Constructing the S-Box

To improve the BIC property of the S-box and its ability to resist linear password attacks, we propose a novel construction method for the S-box by using the NCML chaotic dynamics. A new sequence is constructed based on one of N chaotic sequences generated by the NCML system. Then, this sequence is sorted in ascending order, and another new sequence is obtained based on the sorted position of each element. Finally, the new sequence is reconverted to a matrix, and all the elements of the matrix are permuted by using N independent chaotic sequences. This permutation operation based on independent chaotic sequences helps to improve the BIC property of the obtained S-box and its ability to resist linear password attacks. Moreover, the high dimensional feature of the NCML system helps to increase the randomness of elements in the obtained S-box. The detailed construction procedures of our S-box are listed below.

Step 1.

Iterating Equation (2), we obtain N chaotic sequences.

Step 2.

Using the chaotic sequence $ncml(10,100+i)$, we construct a new sequence by:

$$X\left(i\right)=mod(\lfloor (ncml(10,100+i)\times {10}^{14})\rfloor ,256),$$

(5)

where $i\in [1,256]$ and $ncml(10,100+i)$ denotes the (100 + i)th value of the 10th sequence of N chaotic sequences.

Step 3.

Putting the elements of $X(1\times 256)$ in ascending order, we get a sorted sequence $Y(1\times 256)$ and an address sequence $Z(1\times 256)$ satisfying $Y\left(Z\right(i\left)\right)=X\left(i\right)$.

Step 4.

Reconvert the sequence $Z(1\times 256)$ to a matrix $S(16\times 16)$.

Step 5.

We get the values of u and v by:

$$\left\{\begin{array}{c}\begin{array}{cc}\hfill u=& mod(\lfloor (ncml\left(mod\right(S\left(\right(h-1)\times 16+k),100)+1,200\hfill \\ & +(h-1)\times 16+k)\times {10}^{14})\rfloor ,16)+1\hfill \\ \hfill v=& mod(\lfloor (ncml(p,q)\times {10}^{14})\rfloor ,16)+1\hfill \end{array}\hfill \end{array}\right.,$$

(6)

where $h,k\in [1,16]$ and the relations of $h,k,p,q$ satisfy the Arnold cat map expressed by:

$$\left[\genfrac{}{}{0.0pt}{}{p}{q}\right]=\left[\begin{array}{cc}1& b\\ d& bd+1\end{array}\right]\left[\genfrac{}{}{0.0pt}{}{h}{k}\right](modN).$$

Step 6.

With the help of Equation (6), we swap the values of $S(h,k)$ and $S(u,v)$.

S is the final S-box. The whole construction process is illustrated by Figure 4.

4. Randomness Tests of the Constructed S-Box

The obtained S-box is listed in

Table 1. The obtained S-box.

161	239	162	99	116	136	222	234	215	134	208	26	237	108	238	66
179	209	45	51	249	37	137	168	195	114	221	98	149	115	194	25
65	35	127	39	6	12	146	94	135	144	104	48	198	2	118	83
175	93	11	253	182	102	252	19	197	248	233	167	235	10	185	123
170	3	199	250	92	218	90	228	109	178	42	206	72	217	160	193
15	78	101	124	24	151	176	7	113	41	181	203	80	46	131	138
28	69	224	23	190	85	147	247	254	16	84	225	145	20	244	130
204	61	55	103	31	91	60	79	143	227	243	241	76	174	5	40
47	212	192	22	1	111	121	112	119	186	126	251	205	62	189	50
34	96	163	125	82	59	70	38	57	216	133	67	152	223	165	75
157	188	154	246	88	202	52	87	81	158	210	184	240	226	105	142
164	245	4	32	86	128	120	71	14	13	18	110	33	53	150	56
68	29	242	17	187	139	229	155	21	141	207	214	255	169	166	100
36	191	77	54	27	49	180	230	148	30	232	95	213	132	89	159
219	236	201	107	44	173	8	64	211	172	183	43	97	220	106	58
129	156	140	117	73	63	153	171	0	9	196	231	177	122	74	200

. NIST-800-22 [32] statistical tests were used to test the randomness of the constructed S-box. NIST-800-22 statistical tests consist of 15 different tests. These tests focus on a variety of different types of non-randomness that could exist in a sequence. In the NIST-800-22 statistical tests, the results were evaluated according to the defined p-value. If the predefined p-value is 0.001, the resultant p-values must be greater than or equal to the predefined value 0.001 to pass the test successfully.

Tested files should contain binary sequences stored as either ASCII characters consisting of zeroes and ones or as binary data where each byte contains eight bits worth of zeroes and ones. We transform all the values of the constructed S-box into a binary sequence, which consists of 2048 bits stored in ASCII format. The tests are performed by using the NIST sts-2.1.2 on Red Hat Enterprise Linux 5. Without loss of generality, the parameters $\mu =3.87$, $\alpha =0.2$, $b=12$, and $d=7$ for the tests.

The NIST-800-22 test results are listed in

Table 2. NIST-800-22 test results of the obtained S-box.

NIST-800-22 Tests	p-Value	Result
Frequency Test	1.000000	SUCCESS
Block Frequency Test	0.102530	SUCCESS
Cumulative Sums Test	0.984155	SUCCESS
Runs Test	0.658531	SUCCESS
Longest Run of Ones Test	1.000000	SUCCESS
Rank Test	0.481248	SUCCESS
Discrete Fourier Transform Test	0.208675	SUCCESS
Nonperiodic Template Matchings Test	0.844144	SUCCESS
Overlapping Template Matchings Test	0.282761	SUCCESS
Approximate Entropy Test	0.024931	SUCCESS
Serial Test	0.645337	SUCCESS
Linear Complexity Test	0.481431	SUCCESS
Random Excursions Test		TEST NOT APPLICABLE
Random Excursions Variant Test		TEST NOT APPLICABLE
Universal Statistical Test		TEST NOT APPLICABLE

. We find that the 12 tests successfully passed. Moreover, the random excursions test, random excursions variant test, and universal statistical test were not applicable for the proposed S-box. This is because the sequence generated by an S-box only consists of 2048 bits. However, the random excursions test and random excursions variant test require a long sequence consisting of a minimum of 1,000,000 bits [32], and the universal statistical test also requires a long sequence consisting of a minimum of 387,840 bits [32].

5. Performance Analysis of the Constructed S-Box

Six criteria [13,14,16,21,22,23,24,25] are generally selected to test S-boxes. These are “bijective property, nonlinearity, Strict Avalanche Criterion (SAC), BIC, input/output XOR distribution, and Linear approximation Probability (LP)”. For testing the properties of the obtained S-box, we analyzed the above six criteria in detail. We also compared the results of the obtained S-box with those of other S-boxes proposed in [11,13,14,16,17,18,19,20,21,22,23,24,25]. Moreover, we also constructed an S-box by using the CML system as we did based on the NCML system and compared the performance of S-boxes based on the two systems.

5.1. Bijective Property

Wang et al. [33] already developed a method to test the bijective property. When $g_i(1\le i\le n)$ satisfies $h\left({\sum }_{i=1}^n{\epsilon }_i{g}_i\right)=2^{n-1}$, it is bijective, where $g_i$ is the Boolean function of an S-box, ${\epsilon }_i\in \{0,1\}$, $({\epsilon }_1,{\epsilon }_2,\dots ,{\epsilon }_n)\ne (0,0,\dots ,0)$, and $h(·)$ is the Hamming weight. The Hamming weight of the obtained $8\times 8$ S-box was 128. Hence, the obtained S-box had bijective performance.

5.2. Nonlinearity

Suppose a Boolean function is $g\left(x\right)$. Its nonlinearity $N_g$ [34] can be presented as:

$$N_g=2^{n-1}(1-2^{-n}ma{x}_{\phi \in GF\left(2^n\right)}\left|S_{\left(g\right)}\left(\phi \right)\right|),$$

(7)

$$S_{\left(g\right)}\left(\phi \right)=\sum _{\phi \in GF\left(2^n\right)}{(-1)}^{x·\phi \oplus g\left(x\right)},$$

(8)

where $x·\phi =x_1\oplus {\phi }_1+x_2\oplus {\phi }_2+\dots +x_n\oplus {\phi }_n$. The higher the value of $N_g$, the stronger $g\left(x\right)$’s ability to resist linear attacks.

Table 3. The results of the comparison of nonlinearity.

S-Boxes	Max	Min	Average
The obtained S-box	108	102	104.5
S-box based on CML	106	100	103
S-box proposed in [11]	108	100	103.25
S-box proposed in [13]	109	103	104.88
S-box proposed in [14]	106	100	103
S-box proposed in [16]	106	100	103.25
S-box proposed in [17]	108	102	104.75
S-box proposed in [18]	108	98	103
S-box proposed in [19]	112	108	109.25
S-box proposed in [20]	108	104	105.8
S-box proposed in [21]	110	102	105.5
S-box proposed in [22]	108	102	105.25
S-box 2 proposed in [23]	108	102	106
S-box proposed in [24]	106	96	103
S-box proposed in [25]	110	106	108.5

gives the results of the nonlinearity analysis. The maximum nonlinearity was 108, the minimum 102, and the average 104.5. For the average values of nonlinearity in Table 3, our S-box accords with other S-boxes. Hence, the obtained S-box had good nonlinearity property.

5.3. Strict Avalanche Criterion

The work in [5] firstly introduced the Strict Avalanche Criterion (SAC). If an S-box has the SAC property, all the output bits will vary with half the probability when complementing a single input bit. To check the SAC property, we always employed the dependence matrix. For an S-box satisfying the SAC property, all the values in its dependence matrix was close tothe optimal value of 0.5.

We can estimate the offsets of the dependence matrix by:

$$S\left(g\right)=\frac{1}{n^2}\sum _{1\le r\le n}\sum _{1\le w\le n}\left|\frac{1}{2}-Q_{r,w}\left(g\right)\right|,$$

(9)

where $Q_{r,w}\left(g\right)=2^{-n}{\sum }_{x\in B^n}{g}_w\left(x\right)\oplus g_w(x\oplus e_r)$, $e_r={[{\vartheta }_{r,1}{\vartheta }_{r,2}\dots {\vartheta }_{r,n}]}^T$, ${\vartheta }_{r,w}=\left\{\begin{array}{c}0,r\ne w\hfill \\ 1,r=w\hfill \end{array}\right.$, and ${[·]}^T$ denotes the transpose of a matrix.

Table 4. The obtained dependence matrix.

0.4844	0.5313	0.4844	0.4688	0.4844	0.5000	0.5938	0.4844
0.4219	0.4688	0.5313	0.5000	0.4688	0.4531	0.4531	0.4531
0.5469	0.5469	0.4531	0.4688	0.5156	0.5469	0.5156	0.4688
0.4844	0.4375	0.5000	0.4375	0.4688	0.5625	0.6406	0.4375
0.5000	0.5156	0.4688	0.5000	0.5313	0.5000	0.5313	0.4688
0.4688	0.5313	0.5781	0.4844	0.4844	0.4844	0.5000	0.4531
0.5000	0.4688	0.5000	0.5000	0.5313	0.4531	0.4688	0.4688
0.5000	0.5313	0.5469	0.5156	0.4688	0.5469	0.4844	0.5781

shows the obtained dependence matrix. These results were between 0.6406 and 0.4219, and the average value was 0.4980, which was close to the ideal value of 0.5. Moreover,

Table 5. The Strict Avalanche Criterion (SAC) analysis of different S-boxes.

S-Boxes	Max	Min	Mean
The obtained S-box	0.6406	0.4219	0.4980
S-box based on CML	0.6250	0.3750	0.5015
S-box proposed in [11]	0.5938	0.3750	0.5059
S-box proposed in [13]	0.5703	0.3984	0.4966
S-box proposed in [14]	0.6094	0.4219	0.5000
S-box proposed in [16]	0.5938	0.4219	0.5049
S-box proposed in [17]	0.5938	0.3906	0.5056
S-box proposed in [18]	0.5938	0.4063	0.5012
S-box proposed in [19]	0.5937	0.4375	0.5012
S-box proposed in [20]	0.5938	0.4219	0.4976
S-box proposed in [21]	0.5625	0.4375	0.5000
S-box proposed in [22]	0.5313	0.4297	0.4956
S-box 2 proposed in [23]	-	-	0.5020
S-box proposed in [24]	0.6250	0.3906	0.5039
S-box proposed in [25]	0.5937	0.4062	0.5017

analyzes the SAC property of different S-boxes. It can be noted that the mean value of SAC of the obtained S-box is closer to the ideal value 0.5 than that of other S-boxes. Therefore, in comparisons with other S-boxes, the obtained S-box had better SAC performance.

5.4. Output Bits Independence Criterion

The work in [5] also proposed the BIC. If an S-box satisfies the BIC property, all the avalanche variables should be pair-wise independent for a certain series of avalanche vectors produced by complementing a single plaintext bit.

For an S-box satisfying the BIC property, its $g_r\oplus g_w(r\ne w,1\le r,w\le n)$ should fulfill the nonlinearity and the SAC, where $g_r$ denotes the Boolean function of the S-box. For the obtained S-box, we calculate the nonlinearity and the SAC of its $g_r\oplus g_w$, respectively. The obtained results are listed in

Table 6. The Bit Independence Criterion (BIC)-nonlinearity analysis of our S-box.

-	106	106	106	106	104	102	104
106	-	100	100	106	104	108	102
106	100	-	106	108	106	104	108
106	100	106	-	100	104	108	104
106	106	108	100	-	104	108	106
104	104	106	104	104	-	102	102
102	108	104	108	108	102	-	106
104	102	108	104	106	102	106	-

and

Table 7. The BIC-SAC analysis of our S-box.

-	0.5332	0.4785	0.5117	0.5215	0.5059	0.5137	0.5078
0.5332	-	0.5117	0.5078	0.5137	0.5332	0.5137	0.5039
0.4785	0.5117	-	0.5195	0.5000	0.5098	0.5039	0.5098
0.5117	0.5078	0.5195	-	0.4961	0.5137	0.4922	0.5059
0.5215	0.5137	0.5000	0.4961	-	0.4766	0.5020	0.5020
0.5059	0.5332	0.5098	0.5137	0.4766	-	0.4902	0.5117
0.5137	0.5137	0.5039	0.4922	0.5020	0.4902	-	0.5195
0.5078	0.5039	0.5098	0.5059	0.5020	0.5117	0.5195	-

. The mean values of BIC-nonlinearity and BIC-SAC of our S-box were respectively 104.64 and 0.5075. This indicates that the obtained S-box fulfilled the BIC performance. Moreover,

Table 8. The BIC analysis of different S-boxes.

S-Boxes	BIC-SAC	BIC-Nonlinearity
The obtained S-box	0.5075	104.64
S-box based on CML	0.5039	103.57
S-box proposed in [11]	0.5031	104.29
S-box proposed in [13]	0.5044	102.96
S-box proposed in [14]	0.5024	103.14
S-box proposed in [16]	0.5010	103.71
S-box proposed in [17]	0.5022	104.07
S-box proposed in [18]	0.4989	104.07
S-box proposed in [19]	-	108.21
S-box proposed in [20]	0.5032	104.5
S-box proposed in [21]	0.4970	103.78
S-box proposed in [22]	0.4996	103.8
S-box 2 proposed in [23]	0.5050	103
S-box proposed in [24]	0.5010	100.36
S-box proposed in [25]	0.5006	104

analyzes the BIC property for different S-boxes. It can be noted that the mean value of BIC-SAC of the obtained S-box was consistent with that of other S-boxes, and the mean value of BIC-nonlinearity of the obtained S-box was higher than that of other S-boxes. Therefore, the obtained S-box had better BIC performance than other S-boxes.

5.5. The Equiprobable Input/Output XOR Distribution

The work in [7] proposed differential cryptanalysis for an S-box using the imbalances in the input/output XOR distribution table. Output variations can be obtained from input variations. In the differential approximation table, the probability of all the input XOR values was the same as that of all the output XOR values. An S-box should have differential uniformity. To determine the differential uniformity of the obtained S-box, we calculated its differential probability (DP) by:

$$D{P}_g=ma{x}_{\Delta w\ne 0,\Delta z}\left(\frac{♯\{w\in W\mid g(w)\oplus g(w\oplus \Delta w)=\Delta z\}}{2^n}\right),$$

(10)

where $2^n$ is a count of all the elements in the S-box and W contains all the input values. The smaller the value of $D{P}_g$, the stronger the ability to resist differential attacks.

Table 9. Differential approximation table of our S-box.

6	6	6	8	6	6	8	6	6	6	8	6	6	6	8	6
6	8	8	6	6	6	6	6	6	6	6	6	8	6	6	8
6	6	8	6	8	6	6	6	6	6	6	8	6	6	8	8
8	6	6	6	6	8	6	6	6	8	6	6	8	6	8	6
4	6	6	8	8	6	8	6	6	6	10	8	6	6	8	6
6	6	6	6	8	8	6	6	6	8	6	6	8	10	6	6
8	6	6	8	6	8	6	6	6	6	6	8	8	6	8	6
6	6	6	6	8	8	6	6	6	8	6	8	8	8	8	6
8	6	8	6	6	6	8	6	8	8	6	8	6	6	6	8
8	8	6	8	6	8	6	6	6	6	12	10	8	8	10	6
8	10	8	6	6	6	6	6	6	6	8	6	6	8	8	6
6	8	6	6	8	8	8	8	8	8	8	6	6	8	8	6
8	6	10	6	8	6	6	6	8	6	6	8	6	6	6	8
6	6	4	6	6	6	8	6	8	6	8	8	6	6	6	6
6	8	8	6	8	6	6	8	6	6	8	6	8	6	6	6
8	6	6	8	6	8	6	6	6	8	6	6	8	8	6	-

is the differential approximation table. We can find that the maximum value was 12. This indicates that our S-box has a strong ability to resist differential attacks. Moreover, the maximum DP for different S-boxes is analyzed in

Table 10. The maximum differential probability (DP) analysis of different S-boxes.

S-Boxes	MaxDP
The obtained S-box	0.0469
S-box based on CML	0.0391
S-box proposed in [11]	0.0469
S-box proposed in [13]	0.0391
S-box proposed in [14]	0.0547
S-box proposed in [16]	0.0391
S-box proposed in [17]	0.0469
S-box proposed in [18]	0.0469
S-box proposed in [20]	0.0391
S-box proposed in [21]	0.0468
S-box proposed in [22]	0.0391
S-box 2 proposed in [23]	0.0469
S-box proposed in [24]	0.0391

. For the maximum DP, the obtained S-box was consistent with other S-boxes. Hence, the obtained S-box had a good ability to resist differential attacks.

5.6. Linear Approximation Probability

Matsui [9] initially defined the LP. For an S-box holding the LP property, the value of its LP is the maximum unbalance value, which is presented as:

$$LP=ma{x}_{{\gamma }_1,{\gamma }_2\ne 0}\left(\frac{♯\{z\in Z\mid z·{\gamma }_1=g\left(z\right)·{\gamma }_2\}}{2^n}-\frac{1}{2}\right),$$

(11)

where Z contains all the input values, $2^n$ is a count of all the elements in the S-box, ${\gamma }_1$ denotes the input mask, and ${\gamma }_2$ denotes the output mask. The parity of the input bits chosen by the mask ${\gamma }_1$ is equal to the parity of the output bits chosen by the mask ${\gamma }_2$. The smaller the value of LP, the stronger the ability to resist linear password attacks.

Table 11. The Linear approximation Probability (LP) analysis of different S-boxes.

S-Boxes	MaxLP
The obtained S-box	0.1250
S-box based on CML	0.1406
S-box proposed in [11]	0.1250
S-box proposed in [13]	0.1328
S-box proposed in [14]	0.1328
S-box proposed in [16]	0.1328
S-box proposed in [17]	0.1250
S-box proposed in [18]	0.1484
S-box proposed in [21]	0.1250
S-box proposed in [22]	0.1562
S-box 2 proposed in [23]	0.1250
S-box proposed in [24]	0.1484

gives an analysis of LP for different S-boxes. Compared with other S-boxes, the obtained S-box had a minimum value of LP. Therefore, the obtained S-box had a better ability to resist linear password attacks than other S-boxes.

6. Conclusions and Future Research

A novel generation method for S-boxes by using the NCML spatiotemporal system is presented in this paper. The high dimensional feature of the NCML system can not only resist the degradation of finite precision computation, but also increases the randomness of the constructed S-box. The randomness of the constructed S-box has been verified by using NIST-800-22 statistical tests. In the proposed method, one of chaotic sequences generated by the NCML system is employed to construct the initial S-box. Then, the permutation operation using independent chaotic sequences is performed, which improves the BIC and LP properties of the constructed S-box. According to the simulation results and the performance analysis, we know that the obtained S-box meets the six criteria. Hence, the proposed method is effective. Moreover, we also construct an S-box by using the CML system for comparisons. In comparisons with the former S-boxes, the proposed S-box has a better BIC property and a better ability to resist linear password attacks. Hence, the proposed scheme presents superior cryptographic performance. In future practical research work, we intend to apply the proposed method to image encryptions in a parallel process.