A Review of Block Cipher’s S-Boxes Tests Criteria

The Symmetric Block cipher is a considerable encryption algorithm because of its straightforwardness, rapidity and strength and this cryptographic algorithm is employed in carrying out the encryption and decryption for most current security applications. The confusion properties are attained using the substitution-Box (S-Box). Substitution and permutation functions are normally used in block ciphers to make them much firmer and more effectual ciphers. The Security of S-Box is checked using S-Box test criteria and the randomness test. The objective of this paper is to give the researchers a specific knowledge (standards) for testing the ciphers’ S-Boxes. This paper includes survey or guide for the S-box test criteria.


Introduction
A block cipher converts plaintext blocks of a specific length into ciphertext blocks of the same size affected by a cipher key k; it is a set of Boolean permutations employed on n-bit vectors. This set includes a Boolean permutation for each value of the cipher key k. If the number of bits in the cipher key is denoted by k, a block cipher comprises of Boolean permutations (Daemen and Rijmen 2002). Block ciphers are frequently known as the work horses of cryptography, and they provide the strength of current protected communication . Generally, block ciphers are stated by an encryption algorithm, as the sequence of transformations to be implemented in the plaintext to obtain the ciphertext. These transformations are processes with a comparatively simple specification. The generating Boolean permutation relies on the cipher key, based on the fact that key substance, evaluated from the cipher key, is used in the transformation. Block cipher should meet two demands to achieve its goals and these are security and efficiency. Data or messages to be encrypted are usually termed as plaintext and referred to as (p), which, is represented by blocks of equal sizes of bits, These blocks, in addition to the key k are input to the encryption algorithm (E), and typically E is a set of rounds that work on the plaintext and the key producing the output ciphertext (C) as equal-sized blocks of encrypted data in indecipherable form.
The decryption process (D) takes the ciphertext in the form of equal sized blocks (C) and the key k as an input performing almost the same set of rounds of encryption, but in reverse order; and the output of the final round are equal sized blocks of the original plaintext (p). This is clearly shown as: As seen from the term, decryption process is the inverse of encryption process which can be expressed by . In today's information networks the block ciphers have many benefits since they can be easily regularized and regularly treated and passed on as blocks, thus making the synchronization easier in such a way that losing one block of the ciphertext will not affect the decryption process for the next block.
The defect block cipher does not conceal the input patterns, which are indistinguishable plaintext blocks that are shown as indistinguishable ciphertext blocks (Lai 1992). This weak point was addressed by using the block cipher modes, and this step treatment requires a small amount of memory for the encryption process (Standard 1977).
These Block ciphers are intended to grant data confidentiality by splitting a secret between communication blocks and converting plaintexts to ciphertexts using this secret in a manner that the adversary (having no information of the secret) is not able to attain the plaintext.
A block cipher can be represented as the function:

( )
These are equivalent to: It is clear from the notation that that E gets two inputs, and gives one output. The two inputs are k-bit and n-bit strings representing the key and the plaintext respectively, while the output is n-bit string which represents the ciphertext. The key-length k and the block length n are two parameters related to the block cipher, the parameters of which differ from one block cipher to another. According to the above the block cipher can be considered as a keyed permutation.
The design of encryption algorithms should be succinct and obvious to satisfy the Kerckhoff principles so as to make the cryptography algorithms more commercialized and thus, the generated algorithm for the cipher should be secure and simple. Diffusion and confusion are two concepts that the symmetric block cipher should possess (Knudsen and Robshaw 2011).
In 1949, Shannon declared the diffusion and confusion as the two basic characteristics to obliterate the wordiness in a plaintext message (Shannon 1949a).

Confusion
Confusion is defined as hiding the relation between the private key and the ciphertext. This indicates that the secret key does not refer in a simple manner to the ciphertext (Coskun and Memon 2006). This means it complicates the relationship between ciphertext and key as much as possible (William and Stallings 2006). It is considered as a first feature in generating a block cipher. The fine confusion means that the relationship statistics is so intricate that even a high degree of cryptanalysis would not succeed.
Confusion property can be supplied using non-linear transformation where the output is not straightforwardly corresponding to its input and each input bit is replaced by another output bit. The most well-known non-linear transformation is the substitution box (S-Box), which can be considered as a small substitution cipher.
The S-Box can be expressed as n × m substitution function, as n and m are not inevitably identical, and they could or could not be equal. Some S-Boxes are invertible while others are not Confusion property can be supplied using non-linear transformation where the output is not straightforwardly corresponding to its input and each input bit is replaced by another output bit. The most well-known non-linear transformation is the substitution box (S-Box), which can be considered as a small substitution cipher.

S-Boxes
The S-Box represents the significant part of non-linear transformation. For symmetric-key cryptographic algorithms which depend on substitutionpermutation (S-P) networks the robustness of the cryptosystem depends to a large extent on the quality of the S-Boxes as poor S-Boxes can lead to weak cryptosystems. (Shannon 1949b). The S-Box (substitution Box) is considered as a fundamental part since it represents the only non-linear component of symmetric encryption algorithms, that performed substitution (Kazlauskas and Kazlauskas 2009). Regularly, the cipher employs the S-Box to form the combination of the key and the cipher, which is termed confusion as claimed by Shannon (Braeken 2006). Based on the aforementioned, it is clear that the proper design of the S-Box can lead to an increase in the degree of cipher security and one of the very serious aspects in the assessment of the cipher security (Adams and Tavares 1990;Cui and Cao 2007; law Szaban and Seredynski).

S-Box tests criteria
The designing S-Box should satisfy these criteria in order to make the cryptosystem secure against possible attacks, particularly from linear and differential cryptanalysis.
There are several standards that the S-Boxes should fulfill to be deemed as being a perfect S-Box.
So, if the S-Boxes hold the equivalent number of zeros and ones, it shows that they are balanced, which is one of utmost significant properties of an S-Box.

B. Completeness
The S-Boxes are considered as complete if each output bit hinges on all of the feed in bits by (Webster and Tavares 1986 An n × n square s-box S: * + → * + is consider complete, if for all vectors, , -* + hw (A) = 1, there exists vector , -* + , such that S(W) and S(W A) are dissimilar on bit i for all i {n-1,…,1,0}. where the hamming weight hw of a binary vector W, described as hw(W), represents the number of ones within this vector or the number of ones it contains as: ( ) ∑

C. Avalanche criterion
The effect of this is a tremendously desirable characteristic of block ciphers hang out with the computing of diffusion. typically, a block cipher is take into consideration to expose the avalanche effect if for a sole alteration in a single bit of the feed in, the output differs radically (Feistel 1973;Feistel, et al. 1975;Webster and Tavares 1986). These relevancies could be defined by confirmed terms: is Vector, that all its elements are 0s, except for one bit i, with the value 1.
is a vector of avalanche denoting a variance within the production string represent an outcome for the changing of the bit (i) in the feed in text. The amount of avalanche must be between the values 0 and 1. The resulted value of the avalanche is 1/2, which indicates that (S) fulfils the avalanche criterion. Though, it is like better to consider the error interval {-A,+ A} into consideration for the test consequences (Vergili and Yücel 2001).
Also, the avalanche of the transformation function (S-Box) can be obtained by using the following evaluation (Ramanujam and Karuppiah 2011):

D. Strict avalanche (SAC)
As stated by A. Webster and S. E. Tavares (Webster and Tavares 1986) the S-Box fulfills the criterion of strict avalanche in case that each bit of its products bits is altered by a possibility of single half when a one bit of its products is completed. This standard combine both the avalanche and completeness criteria. , fulfills the SAC If completing single feed in bit d varies the product bit e by the probability of exactly single bisection (Webster and Tavares 1986

E. Non-linearity
it is the amount of space amidst the function in matter and the adjacent function which is leaner (Canteaut and Videau 2005;Meier and Staffelbach 1990;Pieprzyk and Finkelstein 1988;Webster and Tavares 1986 Stands for the function nonlinearity of the G(d) Bft by utilize the transformation of Walsh, and because n is the function f(d) we gain as highest nonlinearity (Carlet and Ding 2007;Gao, et al. 2012).
The non-linearity of G can be defined as the lowest value of the nonlinearities for the whole nonzero linear collections of the constitutive functions.
( ) Where G is a (n,m) S-Box

F. Bit independency (BIC)
it was stated by as standard employed to examine the security of the produced S-Boxes. A function * + * + such that all d,v,y ( ) as y ≠ l, fulfils the criterion of bit independence if completing feed in bit d forms the production bits e with l to overturn autonomously. Usually the amounts of it can be within 0 and 1 such: 0: The perfect occurrence is totally independent in the connection amid v and y bits. 1: the inferior occurrence is totally dependent on the connection amid v and y bits.

H. Invertability
The S-Box fulfils the invertability states, if: G ( ) = G ( ) in case that for all inputs ,and . As G S-Box

Practical examples for S-Box Test Criteria
This section includes some tests for S-boxes shown in Figure (1) were generated using a proposed method to generate a key dependent-S-Boxes, where a keys were used to generate these S-Boxes, the results of the tests Criteria will be shown in the next figures.

Balanced
The experimental outcomes illustrate that whole resulted S-Boxes have the equal amounts of zeroes and ones, representing that the S-Boxes are balanced. For generated S-Boxes, the experimental results illustrated that this S-Box fulfils the completeness feature because every bit of the produced S-Boxes is subjected to the whole of the input bits.

Avalanche criterion
According to Equation 7, the avalanche criterion was evaluated for produced S-Boxes, the experiment outcomes illustrated that the S-Boxes' avalanche values are within 0.46, and 0.49. This indicates all the generated S-Boxes satisfy the avalanche effect with a value close to the ideal value since the ideal avalanche value is equal to 0.5. as shown in Figure 2.

Strict avalanche (SAC)
The experimental results showed that the SAC values range between 122 and 132. This indicates that all these generated S-Boxes satisfy the SAC with a value close to the ideal value of 128, where the probabilistic approach is 0.5, for n = 8, as whenever a single bit of inputs is inverted, its corresponding output bit will inverse with the probability of approaching 0.5 (Cui, et al. 2011).

Nonlinearity
According to Equation 12, the nonlinearity criterion, NL(S) for the keydependent S-Boxes (rounds S-Boxes).
The experimental results showed that the nonlinearity values for all generated S-Box, are not less 108, with all positive values. This indicates that most of these S-Boxes are very close to NL(S) of the perfect nonlinear function, proving that they have good resistance against linear cryptanalysis (Cui, et al. 2011). This indicates that these S-Boxes have respectable nonlinearity because the perfect nonlinearity amount for n is equal to 8 (n represents the number of input bits) is 120, as (Wen, et al. 2000) mentioned that the NL(S) of perfect nonlinear function should be NL(S) = = 120 (for n = 8), The S-Boxes are not a perfect nonlinearity function, but NL is very close to the NL(S) of perfect nonlinear function, and provided the amount of nonlinearity is greater than 100, this indicates it has respectable resistance against the linear cryptanalysis since the resistance against linear cryptanalysis is measured by Nonlinearity (Hussain, et al. 2011;Kazymyrov, et al.).

Bit independence (BIC)
According to Equation 15, the bit independence criterion was evaluated for the S-Boxes. For the produced S-Boxes, the experimental results showed that the BIC values range between 0.025, and 0.078125. This indicates that produced S-Boxes are secure enough since they have BIC values far from 1, (the worst state for BIC), and close to 0, (the ideal state for BIC) (Webster and Tavares 1986).

Differential uniformity
According to Equation 17, the Differential Uniformity criterion was evaluated for the key-dependent S-Boxes, the results illustrated that the ( ) values are not more than 10. It's known that AES S-Box has δ(G) lower of 10 as well as the impedance against differential cryptanalytics can be evaluated by ( ) The results indicates the safety of the formed S-Boxes (Mamadolimov, et al. 2013), resistance against the differential cryptanalysis as reading the tiny value of ( ) shows its stands against differential attack (Cui, et al. 2011) (Tan, et al. 2015).

Invertability
The results of the produced S-Boxes showed that all of them fulfilled this criterion.

Non-contradiction
The experimental results showed that all the proposed S-Boxes that keydependent S-Boxes have the non-contradiction criterion, as all the tested S-Boxes had only one non repeated value in every cell of the table.

Conclusion
This article provides information can be used as a guide for the researchers that concern with the designing and implementation of block ciphers especially the substitution unit (S-Box). The use of these criteria is essential in evaluating the designing any encryption algorithm.