BLOCK SYMMETRIC CIPHER WITH RANDOM S-BOXES

This paper describes a new 256-bit block symmetric substitution-permutation cipher, called managed substitution cipher. This is a cipher with single-layer permutated transformations in each cycle. The management of substituted transformations occur by including them in a chain so that the output value of the previous SL transform is fed to the input of the current fortified 32-bit substituted transformation (SL conversion) along with the current value of the input data block through the adder for modulo 2. This enables to activate almost all S-blocks of the second cycle and subsequent cycles and eventually improve the dynamic indicators of the arrival of the cipher to the state of random substitution. The results of the evaluation of randomness indicators and the possibility of using random S-blocks are given. It is shown that such construction of cycled function allows us to use random substitutions without any selection in a cipher without reducing its strength.


INTRODUCTION
In our work [1], we propose the design of MSC-1 (managed substitution cipher) with improved indicators of the arrival to a random setting.The improvement of the indicators of the randomness of this cipher was achieved by using the cyclic functions of controlled substitutions during its construction.When the operations of non-linear and linear transformation of substitution-permutation network (SPN) cipher were combined into one common inseparable operation, built on the basis of including enlarged S-blocks (SL transformations) of the cycle function into a chain so that the next segment of the input data block after its addition for modulo 2 with the result of passing of the previous enlarged S-block would enter the input of the current S-block, there is where the name comes from.Here, the result of passing of the previous S-box was considered as a control input.
In this work, in order to increase the efficiency of the cycle transformation, we applied the operation of adding modulo 2 at the input of the first SL conversion at the input of the cycle function and suggested that it would help to exclude activation of only one S-block in the first cycle.However, as it turned out during the research process, this approach has proven to be erroneous.It allowed to increase the number of the activated S-blocks by activating a cipher by a single-byte difference, but did not rule out the possibility of activating one S-block of the first cycle in the case of several nonzero differences of the input data block.For instance, for eight input X1 = X8 =  ≠ 0, X2 = X3 = X4 = X5 = X6 = X7 = 0.This means that the "improvement" given in [1] is redundant, it does not work.
In general, the assertion turned out to be true, that for SPN ciphers with cyclic functions that use single-layer permutation transformations, the minimum number of activated S-blocks of the first cycle is one.

THE PURPOSE OF THE RESEARCH
The aim of this work is further improvement of the structure of ciphers with the managed substitutions, and also the additional basis of the real possibility of constructing of the 256-bit SPN ciphers by using casual substitutions practically without their selection.It will be realized due to the increasing of a minimum number of S-blocks, which are activated on the first cycles of SPN of ciphers.
Increasing of minimum number of S-blocks, activated on the first cycles, allows us to create ciphers with the diminished number of cycles of enciphering.
The set problem is to clarify the positions of the work [1] and to cite additional arguments that confirm their authenticity.
In this work we propose the modernisation of MCS-1 cipher, which we named the MSC-1М cipher, where the supplementary additions of segments of entrance block of data on the entry of SL transformation of the first cycle are excluded.Additions of exit of the last SL transformation with exits of the previous one are also eliminated, except the adding up with the exit of the first SL transformation.
Here we also have the opportunity to correct a number of other assertions and estimates made in the process [1], which are related with the erroneous assumptions noted above, although the general considerations regarding efficiency improvements proposed in the process [1] are preserved.

RELATED WORKS
Among leaders of technologies of the sectional symmetric enciphering in [1], two such developments were adopted: the Rijndael cipher, that won the AES and NESSIE competitions [2], and the IDEA NXT cipher, that appeared on the basis of the IDEA cipher (International Data Encryption Algorithm -the International algorithm of enciphering of data [3]), that was worked out as the offered standard of enciphering [4].
The work of Susan Landau [5], which is devoted to the analysis of the origins of the emergence of the new AES standard, the discussion and evaluation of the perspective of the major project decisions, that supported the standard by the world cryptographic community, was considered in the process of completing the review.This development became the appropriate result of development of world cryptographic idea.
In the cited work the attention is focused on projecting the sectional ciphers.The author observes the ways, which led to the Rijndael cipher, which is the last word in project and engineering solutions nowadays.This work-out became a result of development of world cryptographic thought.
A number of papers and proposals, performed on the way to Rijndael, are noted in [5].They should be mentioned here.
Willi Meier and Othmar Staffelbach suggested that certain examples of non-linearities, used by mathematicians, might be convenient for a cryptographic systems project [6].Based on these ideas, Josef Pieprzyk proposed algebraic methods for the construction of nonlinear functions [7,8].Kaisa Nyberg researched S-blocks and applied some of Pieprzyk's ideas, while designing S-blocks [9].Joan Daemen studied the cyclic functions from the point of view of differential and linear cryptanalysis of the cipher and proposed a new paradigm of the wide trace approach [10].He and other researchers used the wide footprint and Nyberg S-blocks in the SHARK cryptosystem [11].Thomas Jakobsen and Lars Knudsen found an "interpolation attack" against simple algebraic ciphers, such as SHARK [12].Two SHARK developers, Daemen and Vincent Rijmen, were opposed to the Square cryptosystem [13].Knudsen hacked Square, by using various attacking methods [14].Rijndael, as it was noted by the author of the cited work, rose from the ashes of Square.Further in the work it is traced, how these threads weaved Rijndael.
In the work, significant attention is paid to the analysis of the design methods of Rijndael of the new paradigm; an approach, that is considered to be developed by Joan Daemen, received the name of a broad-based strategy.
Saying about the broad-based strategy, Susan Landau notes that cryptanalysis is most easily performed when a single S-block is active in each cycle.Therefore, the designer of the cryptographic algorithm should strive to avoid the worst case of diffusion, when there is a single active S-block.Obviously, the best thing that the designer can do in reaching the upper limit, is that the number of branches B is equal to n + 1, where n is the number of connections (each link consists of m bits).The reverse linear mapping that achieves this effect is called optimal.Daemen and Rijmen managed to build such mapping.They showed that separable codes with a maximum minimum distance (MDV codes) provide a way to construct such optimal linear transformations.This mapping is much more effective than many other linear transformations, used in ciphers before.
Further we will consider in detail the principles of the construction and properties of block symmetric IDEAs of similar ciphers [14], and also highlight the features of the construction of the Muchomor ciphers [15,16], the block cipher from the Belarusian standard STB 34.101.31-2011, the new standard of block symmetric encryption of Ukraine Kalina-2 [17] and the new Russian standard "Kuznechik" [18].
The review of the features of constructing these well-known structures is given in [1], we focus on the conclusions we made.
The main ones are the following [19][20][21][22][23][24][25]: 1. Large achievement of modern design solutions referring to the construction of ciphers should be considered as the implementation of a broad-based strategy based on matrix multiplication in field extensions.
2. The design principles (noticed below), applied by the AES developers, are worthy of approval and support: -Simplicity of the specification and the analysis; -Transparency; -Efficiency.3. The newly promoted concept of flexible encryption is definitely a step forward in blocksymmetric encryption technologies and can be easily implemented by using many other developments, and not just with the help of the IDEA NXT family of ciphers.
4. The approaches and the results of evaluation of indicators of cipher strength to attacks of differential and linear cryptanalysis, given in the publications, is approximated and needed to be clarified.
5. Nowadays there is an approach that allows us to determine the exact indicators of strength of block symmetric ciphers to attacks of differential and linear cryptanalysis by computing way.According to this approach, the IDEA NXT ciphers, mentioned here, considering their indicators, are at the level of strength indicators implemented by many other ciphers.Nevertheless, the considered development, as well as the code Kalina-2, in this respect has some advantages over many others (Rijndael and another ciphers, presented on the Ukrainian competition.In these three mentioned developments (Muchomor, IDEA NXT, Kalina-2), it is possible to implement dynamic indicators of cipher arriving to a random substitution, reduced by one cycle, compared to other known solutions.
6.In recent developments (Muchomor, IDEA NXT) there is a desire to improve the dynamic characteristics of ciphers arrival to the established (stationary) values of the maxima of complete differentials and linear case on the basis of increasing the number of S-blocks, used in cyclic functions, and creating mechanisms for increasing the minimum number of S-blocks, that are activated in the first cycles.This allowed us to bring the avalanche indicators of the ciphers of the latest developments to the depth of the avalanche effect, which is equal to two cycles (but these are not SPN ciphers).
Next we want to express new ideas and proposals, aimed at further improving the technologies of designing and developing block symmetric ciphers.
Today, looking back over the past period of the development of technologies of block symmetric encryption, associated with allocated ciphers, it can be noted that there has already been accumulated critical material, which suggests that not all solutions used by developers in these ciphers are the most perfect.
First of all, we want to pay attention to the fact that, despite the progressiveness of the solutions, adopted by the developers of modern ciphers, not all potential opportunities ensuring the effectiveness of the implementation of initial cyclical transformations are realized in them.Thus, according to the dynamic indicators of the arrival of random substitution, the 128-bit Rijndael cipher becomes a random substitution of the differential indices in the third cycle, and according to linear indicators -only in the fourth [21,22].This is due to the fact, that one byte of the input of the first cycle activates only one S-block of the first cycle, on the second cycle it activates four S-blocks and on the third one -all sixteen S-blocks.As a result, in three cycles, there are 21 active S-blocks as minimum, that allows the cipher to reach the state of random substitution in the third cycle by the differential indicators.But the cipher needs an additional fourth cycle for achieving the state of random substitution on the linear indicators.The 256-bit AES cipher comes in the form of random substitution with differential metrics in 4 cycles, and with linear values in 5-th.So, the broad-based strategy, implemented in the Rijndael cipher, has a weakness (activating only part of the S-blocks of the second and other cycles), which leads to the delay in the process of achieving the state of random substitution by the cipher.Similar Rijndael ciphers have similar disadvantages.
The ciphers of Kalina-2, Muchomor and the cipher from the Belarusian standard refer to the most progressive of the considered designs.These ciphers implement indicators of reaching the state of random substitution, which are close to the limit indicators (Cousins of Flies and ciphers from the Belarusian standard are not SPN ciphers).
It should be mentioned that according to new method of estimating the evidence of the proof of block symmetric ciphers against the attacks of differential and linear cryptanalysis, has been proposed recently [1,22], all ciphers (including Rijndael) asymptotically become random substitutions, and their strength indicators are not related with the properties of the S-blocks included in the cipher.S-blocks influence the dynamics of the arrival of the cipher to the state of random substitution only (the number of cycles, required for the cipher to come to the random substitution indicators by differential and linear indicators).We also pay attention to the practice of designing modern ciphers: the number of encryption cycles in them is chosen in such a way, that they are three/four times the number of cycles, required for the cipher coming by the differential and linear properties to the indices of random substitution (the supply of strength).For the AES competition, according to its requirements, the authors fixed the minimum length of the encrypted block equal to 128 bits (in the form of a square (state matrix) of 4×4 bytes), and for the 128-bit key the number of cipher circles is equal to 10, that is on the verge of strength.The using of S-blocks with worse differential and linear values outputs a cipher beyond the established strength reserve.Increasing the length of the input block and the keys leads to the solutions with an increased number of encryption cycles (for 196 and 256-bit AES 12 and 14 cycles, respectively).As it turned out, the linear transformation in the form of matrix multiplication, which was the basis for the implementation of the new broad-track strategy, is not the only realized transformation (with the maximum number of branches).Taking into account the conclusion made in [1], it is concluded that the dynamic indicators of ciphers can be improved.
In our view, one more disadvantage is the complicated circuits of deploying the keys in the considered ciphers, which is also noted in the work [1].The desire to make schemes of deployment of key similar to the avalanche characteristics of the ciphers themselves, is not justified, in our opinion, as our experiments with reduced cipher models [1,20] showed that ciphers and zero cyclic connections come to random substitutions in the same number of cycles as with non-zero cyclic connections (in regular mode of operation).The randomness indicators of the S-blocks themselves are quite sufficient to make the cipher a random substitution regardless of the values of the key bits.
The presented and not presented results allow us to characterize the state of modern technologies of designing the BSS (focusing on the most progressive of them by the following basic provisions [1,[26][27][28][29][30][31][32][33][34][35]. 1.It is considered, that the indicators of cipher strength to attacks of differential and linear cryptanalysis are directly related to the values of differential and linear probabilities of nonlinear transformations (S-blocks) included in ciphers.Therefore, in the cryptographic literature, the scientific direction of research, related to the development and search of S-blocks with improved cryptographic indicators, has been developing intensively for a long time.
3. The practice of building block ciphers has determined the number of the used encryption cycles (strength reserve), which is three/four times the depth of the avalanche effect (the number of cycles required for the arrival of the cipher to the state of random substitution).
4. Constructs of cyclic transformations, applied in known ciphers, ensure the arrival of ciphers to the state of random substitution for a minimum number of cycles, exceeding three (the exception is the algorithm of block encryption from the Belarusian standard and the code of the Muholomor).
5. Almost all known developments are oriented on the use of S-blocks with boundary and close to the minimum achievable values of differential and linear indicators.
6. Achieved indicators on the speed of ciphers are characterized by the boundary values of specific costs of XOR operations (cycles), falling on one Sblock, close to two (without the cost of execution of the procedure for deployment of keys).
7. The existing concept of constructing key deployment schemes for block symmetric ciphers is focused on the implementation of procedures that approach their own properties to a single cipher transform.
In recent developments (the algorithm of block encryption from the Belarusian standard and also the code of the Muchomor) there is the desire to increase the minimum number of S-blocks of the cyclic functions, that are activated by increasing the number of layers of S-blocks, included in it; but all of them are oriented on using the S-blocks with the values, differential and linear probabilities close to the limit (minimum achievable).To sum up, the task is to increase the minimum number of S-blocks that are activated on the second and other cycles.This work [1] formulated the ideas, that have been put into the developing approach, which allows us to consider it as a new method of constructing block symmetric SPN ciphers, by using of which the code of MSC-1 was built.As it was already noted, further analysis showed the possibility and need for its modernization.We called this upgraded cipher the MSC-1M cipher and further material is devoted to the description of this advanced design.

MATERIALS AND METHODS. DESCRIPTION OF CIPHER MSC-1M
Here we can mention the materials presented in [1] with respect to the MSC-1 cipher, since the design of the cipher MSC-1M is almost based on the elements of the design of the cipher MSC-1.

ALGORITHM PARAMETERS
MSC-1M supports a block length of 256 bits and encryption keys of 256 and 512 bits in length.
The encryption algorithm is a procedure consisting of an iterative encryption transform (cyclic transforms) and final randomization.The number of encryption cycles Nr = 9.

ENCRYPTION PROCEDURE
The input of the procedure is the cleartext and the encryption subkeys.The input data block is processed by the cyclic function a specified number of times (9 times), and finally, there is a randomization, which is performed by using an XOR operation with an additional (10th) cyclic subkey.The resulting data block is a ciphertext.

CYCLE TRANSFORMATION
The scheme of the cycle transformation MSC-1M is shown in Fig. 1.
The main transformation of the cyclic function is the SL transformation.It repeats the construction of the SL transformation of the Muchomor cipher.Its description is given in [1].
Other eight cycles repeat the construction of the first cycle (for the implementation of pipelined data processing, cycles, starting from the fourth one, are constructed without the addition of the operation of the output of the last SL transformation with the outputs of the previous SL transformations).

DECRYPTION PROCEDURE
The decryption algorithm is the inverse of the encryption algorithm.The ciphertext blocks and the encryption ciphers are supplied at the input of the algorithm.At the beginning of the decryption procedure, there is the removing of final randomization of the ciphertext, after that the cyclic functions process the received data block the necessary number of times (9 times) in the reverse order.The received data block is a cleartext block.It remains to be noted that when decrypting  the decryption plugs are also supplied in the reverse order;  inverse S-blocks are used as substitutions;  in the SL transformation we use the matrix, which is inverse for the matrix used by encrypting.A description of the key deployment procedure is also given in [1]. Ki

INDICATORS OF RANDOMNESS MSC -1M
In this section, we present the results of estimating the expected parameters of the transition of the MSC to the state of random substitution.
Here we use the considerations and calculations presented in our work [1].
As it is mentioned [1], the maximum values of linear and differential probabilities (strength indicators) for a cipher with a 256-bit input are obtained close to each other and equal to approximately 2 248 -2 250 .
According to the calculations in [1], for a cipher with a 256-bit input, it is required to reach the state of random substitution by differential indicators when using S-blocks with marginal indicators of uniformity equal to max DP  = 2 6 , (in accordance with equality 2 248 = (2 6 ) k ) more than kmin = 41 S-block.
Analogically, to reach the state of random substitution by linear indices when using S-blocks with nonlinearity indicators equal to max S-blocks (for S-blocks of Muchomor cipher with nonlinearity indicator max LP  = 2 5 , we have kmin = 62,25).In our case, there is one active S-blocks of the first cycle and the second cycle, there are 28+33, and then each SL transformation contains 4th S-blocks, except one or two MDR transitions of conversions to the number of active bytes less than four.Then there will be 60+65 active S-blocks on three cycles, which consist of single-layer substitution transformations.This means, that for S-blocks with limiting differential and linear exponents max , MSC-1M comes to a random substitution with a margin in three cycles.

ESTIMATION OF THE PROSPECTS FOR THE USE OF RANDOM S-UNITS IN THE MSC-1M
Here we use the results presented in [1].Calculations, performed in [1] for 48 active S-blocks when selecting the maximum probable transitions in the rows of the differential table, lead to the following result: This means that random S-blocks for this cipher are also provided for its three cycles to reach the state of random substitution.
For the linear approximation table of a random Sblock in [1], calculations were performed for 70 randomly taken rows of the LAT table.The corresponding result is: ).
In our cipher, the minimum number of active Sblocks on three cycles satisfies these boundaries with a large margin.
It should be mentioned in conclusion that the 256-bit Rijndael cipher comes to a state of random substitution, both in terms of differential and linear indices only on the fourth cycle.

INDICATORS OF COMPUTATIONAL COMPLEXITY
As in [1], when evaluating computational complexity, we will focus on the number of XOR operations performed by the cipher in the process of encryption and decryption.We will proceed from the fact that in order to perform SL transformation (matrix multiplication), three XOR operations are required [21,22].
Then, in accordance with the structure of the cycle transformation (Fig. 1) we need to perform 1 + 82 + 24 = 41 XOR operations in one cycle of MSC-1M.For 9 cycles we receive the result: 419 + 8 = 377.
But it does not take into account the consumption of the master-key deployment procedure.

PIPELINE DATA PROCESSING
Pipeline processing can be applied in an iterative cipher, if the operations of its cyclic function do not cover the whole cyclic transformation.Such operation in the ciphers of the series of MSC is the operation of adding the output of the last SL transform to the output of the first SL transform.While this operation is not performed, the cyclic conversion is not completed.Pipelining requires that the cyclic function being built in such a way, that its individual operations can be performed together (at the same time).Therefore, the operations, covering the entire cyclic function, should be excluded.As the experiments have shown, it can be done for the MSC cipher after the cipher has come to the state of random substitution.In particular, in the cipher MSC-1M, after the first three encryption cycles, its other cycles can be built by excluding from the cycle functions the addition operations of the outputs of the last SL transformations with the outputs of the first SL transformations, i.e., cycle transformations on cycles, starting with the third one, should differ from cycle transformations of the first two cycles.
In this case, after forming the output of the first SL transform of the third cycle, we can immediately form the output of the second SL transform of the third cycle, generate the output of the first SL transform of the fourth cycle.After forming the output of the second SL transform of the fourth cycle, form the output of the first SL transform of the fifth cycle, etc.
If we assume, that for a 32-bit platform it is necessary to spend time T sec. to perform the SL conversion operation, then for a separate line (cycle) of m SL transformations, it will be necessary to spend m (T + TR) sec.Here TR is the time consuming on the performing adding operation of the data segments at the inputs of each of the SL transformations.
At pipelined processing, which start from the fourth cycle.
After the 1st SL transformation of the fourth cycle, while transforming the second SL of the fourth cycle, the first SL of the fifth cycle is calculated at the same time.
At the 3 SL transformation of the fourth cycle, the calculation of the second SL of the fifth cycle conversion and the first SL transformation of the sixth cycle are performed.
At the 4 SL transformation of the fourth cycle calculations of the third SL of the fifth cycle, the second SL of the sixth cycle and the first SL of the seventh cycle are performed.
At the 5 SL transformation of the fourth cycle, calculations of the fourth SL of the fifth cycle, the third SL of the sixth cycle, the second SL of the seventh cycle and the first SL of the eighth cycle are performed.
At the 6 SL transformation of the fourth cycle calculations of the fifth SL of the fifth cycle, the fourth SL of the sixth cycle, the third SL of the seventh cycle, the second SL of the sixth cycle and the first SL of the ninth cycle are performed.
At the 7 SL transformation the fourth cycle calculations of the sixth SL transform of the fifth cycle, the fifth SL transform of the sixth cycle, the fourth SL of the seventh cycle, the third SL of the eighth cycle and the second SL of the ninth cycle are performed.
At the 8 SL of the fourth cycle transformation, the calculations of the passage of the seventh SL of the fifth cycle, the sixth SL of the sixth cycle, the fifth SL of the seventh cycle, the fourth SL of the eighth cycle and the third SL of the ninth cycle are performed.
Then, counting of the transitions that go beyond the boundaries of the 4th cycle is done.
-on the next interval T + TR sec, the eighth SL transform of the fifth cycle, the seventh SL of the sixth cycle, the sixth SL of the seventh cycle and the fifth SL of the eighth cycle and fourth SL of the ninth cycle are calculated at the same time.
-on the next interval T + TR sec, the pass of the eighth SL of the sixth cycle, the seventh SL of the seventh cycle, the sixth SL of the eighth cycle and the fifth SL of the ninth cycle is calculated -on the next interval T + TR sec, the pass of the eighth SL of the seventh cycle, the seventh SL of the eighth cycle and the sixth SL of the ninth cycle is calculated.
-on the next interval T + TR sec, the pass of the eighth SL of the eighth cycle and the seventh SL of the ninth cycle is calculated.
-on the next interval T + TR sec, the pass of the eighth SL of the ninth cycle conversion is calculated, If the cipher is built by using 32-bit SL transformations, then we have a performance gain in calculating the last six encryption cycles for m = 8 SL transformations, l = 6 cycles As a result, the gain is close to two.So, the described cipher, called MSC, is presented as the most promising solution for constructing modern ciphers.

EXPERIMENTS
The first part of the experiments is devoted to assessing the randomness indicators of the proposed cipher design.Here are the results of determining the per-cycle laws of the distribution of the XOR maxima of transitions and maxima of the cipher offsets in the mode of its initialization with 16-bit input differences in accordance with the procedure in [1].
Table 1 shows the cyclic distribution law of the XOR difference of the differences for a 256-bit cipher Rijndael in the mode of its initialization by 16-bit differences in accordance with the procedure in work [1].
Calculations for the Rijndael cipher are made for 30 random encryption keys, and for the Cipher MSC-1M for one encryption key.It can be seen that for the Rijndael cipher, the data obtained for the reduced model of this cipher [1,22] are saved, and the cipher MSC-1M shows the boundary values already from the first cycle.
Indeed, for S-blocks of the cipher, the Amanita with the differential uniformity index = 2 5 , the avoidance of encryption for a 16-bit cipher is 2 12 = (2 5 ) k .This means that in order to reach the state of random substitution, a 16-bit byte S-block is enough for a 16-bit cipher.And if for the Rijndael cipher with XOR operation of introducing cyclic subkeys, the maximum transition value of the first cycle will be equal to 2048 (only one byte of input is enabled), then in the case of MSC-1M with a modular operation of introducing cyclic subkeys 2 32 , pass one of the input bytes using zero differences fail (in the overwhelming majority of cases two bytes of input are activated at once).But still the minimum number of activated S-blocks of the first cycle is kept equal to one, as in the larger version of the cipher.Experiments confirm that for the conversion of a 256-bit cipher in the usual mode of its application to the state of random substitution at least three cycles are required, and for the Rijndael cipher  four.
Table 2 shows the cyclic distribution law of the maxima of the LAT table offsets for a 256-bit cipher Rijndael also in the mode of its initialization with 16-bit non-zero input and output masks in accordance with the procedure [1,22].Calculations for the Rijndael cipher were performed using 10 different encryption keys.For the MSC cipher, one randomly taken key is used for the entire set of cyclic transformations.The fourth column of the table shows the data for the cipher, which uses the Muchomor [15] cipher S-blocks, and the fifth uses random S-blocks taken from the output of the random substitution generator without any filtering.The results show that even in this case, the MSC-1M cipher in the normal application mode comes to a state of random substitution in three cycles, which confirms the increased efficiency of this design.Experiments confirm the connection of the number of activated S-blocks in the first cycles with the minimum number of encryption cycles necessary for the cipher to reach the state of random substitution.

DISCUSSION
In our view, a random substitution from the output of random substitute's generator can be a good S-block with the great probability.This is confirmed by numerous experiments.But taking into account still small research of using the random substitutions for constructing ciphers and the rather critical attitude of most specialists to this model, it is proposed to consider a random substitution from the output of the random substitute generators as an improved model of random substitution, which is tested for compliance with a minimum of four indicators of the S-block and Boolean functions that form it: 1.The maximum value of the XOR transition is in the range of 8-10.
2. The maximum value of the displacement of LAT is in the range 32-34 (that is, the nonlinearity is equal to 94-96).
3. Algebraic degree of Boolean functions is not less than 7.
4. The indicator of algebraic immunity of the Sblock is not less than 3.
It is interesting that, as the experiments have shown in [1], random substitutions obtained without any restrictions, with a very high probability proved to be suitable in terms of cryptographic applications.They allowed to provide dynamic indicators of output of ciphers with strong linear transformations to asymptotic indicators of random substitutions, which are not inferior to the best (selected by special methods) S-blocks of practically all modern ciphers.
From the previous results of determining the randomness of the considered cipher, we can conclude that the proposed construction of the cipher really allows to use in it random S-blocks without any reduction of strength [21,22,[36][37][38][39][40].The algebraic properties of S-blocks of modern block ciphers are investigated in [23][24][25], their influence on sustainability to algebraic cryptanalysis is shown.In [22,27], combinatorial properties of non-linear knots in the context of the security evaluation of various encryption modes and key schedules were investigated.In [22,[30][31][32][33][34][35][36], the influence of Sblocks on avalanche effects, differential and linear properties of block ciphers is investigated.The papers [35,37] are dedicated to the study of the properties of nonlinear replacement nodes in modern stream ciphers in comparison with the "Strumok" algorithm proposed as a new standard of stream encryption in Ukraine [37].
As a conclusion, we should mention two more our works [39,40], which are devoted to the further development of this approach.Here we are talking about the improvement of existing designs of modern ciphers, based on using a new structure of the first cycle, constructed by using managed substitutions (enlarged S-blocks).
This research might promote the improvement of various methods of information security, as well as other practical use [41][42][43].In particular, the suggested cipher MSC-1 promotes developing the new way in creating symmetric algorithms [1].The usual of managed substitutions improves dynamic characteristics, that is, in our opinion, increases the speed of promising ciphers on the basis of MSC.

CONCLUSIONS
The new cipher, described in this work, is called MSC and seems to be a promising solution for building a modern 256 bit SPN cipher.It possesses the best known SPN cipher dynamic indicators to reach the state of random substitution.According to other indicators of strength, this cipher has all the important indicators of the Muchomor cipher [15].We also should note an important feature of the cipher, that is, in the cipher the random S-blocks can be taken in almost without reducing the dynamic indicators of its transition to a random substitution.

Figure 1 -
Figure 1 -Block diagram of the cycle transformation MSC-1M