S-box

In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shannon's property of confusion. Mathematically, an S-box is a nonlinear[1] vectorial Boolean function.[2]

In general, an S-box takes some number of input bits, m, and transforms them into some number of output bits, n, where n is not necessarily equal to m.[3] An m×n S-box can be implemented as a lookup table with 2^m words of n bits each. Fixed tables are normally used, as in the Data Encryption Standard (DES), but in some ciphers the tables are generated dynamically from the key (e.g. the Blowfish and the Twofish encryption algorithms).

Example

One good example of a fixed table is the S-box from DES (S₅), mapping 6-bit input into a 4-bit output:

S₅		Middle 4 bits of input
S₅		0000	0001	0010	0011	0100	0101	0110	0111	1000	1001	1010	1011	1100	1101	1110	1111
Outer bits	00	0010	1100	0100	0001	0111	1010	1011	0110	1000	0101	0011	1111	1101	0000	1110	1001
	01	1110	1011	0010	1100	0100	0111	1101	0001	0101	0000	1111	1010	0011	1001	1000	0110
	10	0100	0010	0001	1011	1010	1101	0111	1000	1111	1001	1100	0101	0110	0011	0000	1110
	11	1011	1000	1100	0111	0001	1110	0010	1101	0110	1111	0000	1001	1010	0100	0101	0011

Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001".[4]

Analysis and properties

When DES was first published in 1977, the design criteria of its S-boxes were kept secret to avoid compromising the technique of differential cryptanalysis (which was not yet publicly known). As a result, research in what made good S-boxes was sparse at the time. Rather, the eight S-boxes of DES were the subject of intense study for many years out of a concern that a backdoor (a vulnerability known only to its designers) might have been planted in the cipher. As the S-boxes are the only nonlinear part of the cipher, compromising those would compromise the entire cipher.[5]

The S-box design criteria were eventually published (in Coppersmith 1994) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack such that it was no better than brute force. Biham and Shamir found that even small modifications to an S-box could significantly weaken DES.[6]

Any S-box where any linear combination of output bits is produced by a bent function of the input bits is termed a perfect S-box.[7]

S-boxes can be analyzed using linear cryptanalysis and differential cryptanalysis in the form of a Linear approximation table (LAT) or Walsh transform and Difference Distribution Table (DDT) or autocorrelation table and spectrum. Its strength may be summarized by the nonlinearity (bent, almost bent) and differential uniformity (perfectly nonlinear, almost perfectly nonlinear).[8][9][10][2]

References

Daemen & Rijmen 2013, p. 22.
Carlet, Claude (2010), Hammer, Peter L.; Crama, Yves (eds.), "Vectorial Boolean Functions for Cryptography", Boolean Models and Methods in Mathematics, Computer Science, and Engineering, Encyclopedia of Mathematics and its Applications, Cambridge: Cambridge University Press, pp. 398–470, ISBN 978-0-521-84752-0, retrieved 2021-04-30
Chandrasekaran, J.; et al. (2011). "A Chaos Based Approach for Improving Non Linearity in the S-box Design of Symmetric Key Cryptosystems". In Meghanathan, N.; et al. (eds.). Advances in Networks and Communications: First International Conference on Computer Science and Information Technology, CCSIT 2011, Bangalore, India, January 2-4, 2011. Proceedings, Part 2. Springer. p. 516. ISBN 978-3-642-17877-1.
Buchmann, Johannes A. (2001). "5. DES". Introduction to cryptography (Corr. 2. print. ed.). New York, NY [u.a.]: Springer. pp. 119–120. ISBN 978-0-387-95034-1.
Coppersmith, D. (May 1994). "The Data Encryption Standard (DES) and its strength against attacks". IBM Journal of Research and Development. 38 (3): 243–250. doi:10.1147/rd.383.0243. ISSN 0018-8646.
Gargiulo's "S-box Modifications and Their Effect in DES-like Encryption Systems" Archived 2012-05-20 at the Wayback Machine p. 9.
RFC 4086. Section 5.3 "Using S-boxes for Mixing"
Heys, Howard M. "A Tutorial on Linear and Differential Cryptanalysis" (PDF).
"S-Boxes and Their Algebraic Representations — Sage 9.2 Reference Manual: Cryptography". doc.sagemath.org. Retrieved 2021-04-30.
Saarinen, Markku-Juhani O. (2012). "Cryptographic Analysis of All 4 × 4-Bit S-Boxes". In Miri, Ali; Vaudenay, Serge (eds.). Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 7118. Berlin, Heidelberg: Springer. pp. 118–133. doi:10.1007/978-3-642-28496-0_7. ISBN 978-3-642-28496-0.

Sources

Daemen, Joan; Rijmen, Vincent (9 March 2013). "Bricklayer Functions". The Design of Rijndael: AES - The Advanced Encryption Standard (PDF). Springer Science & Business Media. pp. 22–23. ISBN 978-3-662-04722-4. OCLC 1259405449.

External links

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[FOOTNOTEDaemenRijmen201322-1] Daemen & Rijmen 2013, p. 22.

[:0-2] Carlet, Claude (2010), Hammer, Peter L.; Crama, Yves (eds.), "Vectorial Boolean Functions for Cryptography", Boolean Models and Methods in Mathematics, Computer Science, and Engineering, Encyclopedia of Mathematics and its Applications, Cambridge: Cambridge University Press, pp. 398–470, ISBN 978-0-521-84752-0, retrieved 2021-04-30

[chandra-516-3] Chandrasekaran, J.; et al. (2011). "A Chaos Based Approach for Improving Non Linearity in the S-box Design of Symmetric Key Cryptosystems". In Meghanathan, N.; et al. (eds.). Advances in Networks and Communications: First International Conference on Computer Science and Information Technology, CCSIT 2011, Bangalore, India, January 2-4, 2011. Proceedings, Part 2. Springer. p. 516. ISBN 978-3-642-17877-1.

[4] Buchmann, Johannes A. (2001). "5. DES". Introduction to cryptography (Corr. 2. print. ed.). New York, NY [u.a.]: Springer. pp. 119–120. ISBN 978-0-387-95034-1.

[5] Coppersmith, D. (May 1994). "The Data Encryption Standard (DES) and its strength against attacks". IBM Journal of Research and Development. 38 (3): 243–250. doi:10.1147/rd.383.0243. ISSN 0018-8646.

[6] Gargiulo's "S-box Modifications and Their Effect in DES-like Encryption Systems" Archived 2012-05-20 at the Wayback Machine p. 9.

[7] RFC 4086. Section 5.3 "Using S-boxes for Mixing"

[8] Heys, Howard M. "A Tutorial on Linear and Differential Cryptanalysis" (PDF).

[9] "S-Boxes and Their Algebraic Representations — Sage 9.2 Reference Manual: Cryptography". doc.sagemath.org. Retrieved 2021-04-30.

[10] Saarinen, Markku-Juhani O. (2012). "Cryptographic Analysis of All 4 × 4-Bit S-Boxes". In Miri, Ali; Vaudenay, Serge (eds.). Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 7118. Berlin, Heidelberg: Springer. pp. 118–133. doi:10.1007/978-3-642-28496-0_7. ISBN 978-3-642-28496-0.