Journal of Cryptology, Volume 7, Issue 3, pp. 133–151

An analysis of a class of algorithms for S-box construction

  • Luke O'Connor


We analyze a very general class of algorithms for constructing m-bit invertible S-boxes called bit-by-bit methods. The method builds an S-box one entry at a time, and has been proposed by Adams and Tavares [2] and Forré [11] to construct S-boxes that satisfy certain cryptographic properties such as nonlinearity and the strict avalanche criterion. We prove, both theoretically and empirically, that the bit-by-bit method is infeasible for m > 6.
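To make the framework the abstract describes concrete, the following Python illustration is added here; it is my own code, not the paper's, and not the Adams–Tavares or Forré procedure. It assumes details the abstract does not state: an m-bit S-box is a permutation of {0, ..., 2^m - 1} stored as a list; entries are fixed in input order S(0), S(1), ...; the strict avalanche criterion (SAC) is checked incrementally on the input pairs (x, x ^ (1 << i)) that are already fixed; nonlinearity is checked once the table is complete. The 3-bit table CUBE_GF8 is constructed here (x^3 over GF(2^3) with modulus x^3 + x + 1) only to exercise the property checks.

```python
"""Bit-by-bit S-box construction with SAC and nonlinearity checks.

Added illustration (assumptions listed in the lead-in); not the paper's code.
"""


def popcount_parity(v: int) -> int:
    """Parity of the number of set bits in v (dot product over GF(2))."""
    return bin(v).count("1") & 1


def is_permutation(sbox) -> bool:
    return sorted(sbox) == list(range(len(sbox)))


def sac_counts(sbox, m):
    """counts[i][j] = number of inputs x whose output bit j changes when input
    bit i is flipped.  SAC requires every entry to equal 2^(m-1)."""
    n = 1 << m
    counts = [[0] * m for _ in range(m)]
    for i in range(m):
        for x in range(n):
            diff = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(m):
                if (diff >> j) & 1:
                    counts[i][j] += 1
    return counts


def satisfies_sac(sbox, m) -> bool:
    half = 1 << (m - 1)
    return all(c == half for row in sac_counts(sbox, m) for c in row)


def walsh_max(f):
    """Largest |W_f(a)| over all linear masks a; f is a 0/1 truth table."""
    n = len(f)
    best = 0
    for a in range(n):
        w = sum(1 - 2 * (f[x] ^ popcount_parity(a & x)) for x in range(n))
        best = max(best, abs(w))
    return best


def nonlinearity(sbox, m) -> int:
    """Minimum nonlinearity over all nonzero linear combinations of output bits:
    NL(f) = 2^(m-1) - max|W_f| / 2 for each component f."""
    n = 1 << m
    best = n
    for b in range(1, n):
        f = [popcount_parity(b & sbox[x]) for x in range(n)]
        best = min(best, (n - walsh_max(f)) // 2)
    return best


def partial_sac_ok(sbox, filled, m) -> bool:
    """Prune check on a table whose entries 0..filled-1 are fixed.
    Input bit i has 2^(m-1) unordered pairs {x, x ^ (1<<i)}; SAC needs exactly
    2^(m-2) of them to differ in each output bit j, so once more than 2^(m-2)
    fixed pairs differ (or agree) in bit j, no completion can satisfy SAC."""
    quarter = 1 << (m - 2)
    for i in range(m):
        diff, same = [0] * m, [0] * m
        for x in range(filled):
            y = x ^ (1 << i)
            if y < x:  # count each unordered pair once; y < x < filled, so y is fixed
                d = sbox[x] ^ sbox[y]
                for j in range(m):
                    if (d >> j) & 1:
                        diff[j] += 1
                    else:
                        same[j] += 1
        if any(c > quarter for c in diff + same):
            return False
    return True


def bit_by_bit(m, min_nl=0, budget=1_000_000):
    """Fix S(0), S(1), ... one entry at a time from the unused values, backtracking
    whenever the partial table can no longer satisfy SAC; on a complete table also
    require nonlinearity >= min_nl.  Returns (sbox or None, nodes visited); None
    means the search was exhausted or the node budget was hit."""
    if m < 2:
        raise ValueError("need m >= 2")
    n = 1 << m
    sbox, used, nodes = [None] * n, [False] * n, 0

    def extend(pos):
        nonlocal nodes
        if pos == n:
            return satisfies_sac(sbox, m) and nonlinearity(sbox, m) >= min_nl
        for v in range(n):
            if used[v]:
                continue
            nodes += 1
            if nodes > budget:
                return False
            sbox[pos], used[v] = v, True
            if partial_sac_ok(sbox, pos + 1, m) and extend(pos + 1):
                return True
            sbox[pos], used[v] = None, False
        return False

    found = extend(0)
    return (list(sbox) if found else None), nodes


# Constructed sample: x -> x^3 in GF(2^3) with modulus x^3 + x + 1, bit k = coefficient of x^k.
CUBE_GF8 = [0, 1, 3, 4, 5, 6, 7, 2]

if __name__ == "__main__":
    print("CUBE_GF8 SAC counts:", sac_counts(CUBE_GF8, 3), "NL:", nonlinearity(CUBE_GF8, 3))
    box, nodes = bit_by_bit(3, min_nl=2)
    print("3-bit SAC box:", box, "nodes:", nodes)
```

For m = 3 the search space is small enough to exhaust, so the call either returns a table that passes both checks or proves none exists under the given thresholds; the node counter is the quantity to watch as m grows, since the partial-SAC prune only constrains pairs of entries and the nonlinearity requirement is only applied to complete tables.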

Key words: Product ciphers, S-boxes, Permutations




[1] C. M. Adams. A formal and practical design procedure for Substitution-Permutation network cryptosystem. Ph.D. thesis, Department of Electrical Engineering, Queen's University, Kingston, Ontario, 1990.
[2] C. M. Adams and S. E. Tavares. The structured design of cryptographically good S-boxes. Journal of Cryptology, 3(1):27–41, 1990.
[3] E. F. Brickell, J. H. Moore, and M. R. Purtill. Structure in the S-boxes of DES. Advances in Cryptology, CRYPTO '86, Lecture Notes in Computer Science, vol. 263, A. M. Odlyzko, ed., Springer-Verlag, Berlin, pp. 3–8, 1987.
[4] L. P. Brown, J. Pieprzyk, and J. Seberry. LOKI—a cryptographic primitive for authentication and secrecy applications. Advances in Cryptology, AUSCRYPT '90, Lecture Notes in Computer Science, vol. 453, J. Seberry and J. Pieprzyk, eds., Springer-Verlag, Berlin, pp. 229–236, 1990.
[5] K. L. Chung and P. Erdös. On the application of the Borel-Cantelli Lemma. Transactions of the American Mathematical Society, 72:179–186, 1952.
[6] M. Davio and J. M. Goethals. Elements of cryptology. In Secure Digital Communications, G. Longo, ed., pp. 1–57, 1983.
[7] M. H. Dawson. A unified framework for substitution box design based on information theory. Master's thesis, Queen's University, Kingston, Ontario, 1991.
[8] M. H. Dawson and S. E. Tavares. An expanded set of S-box design criteria based on information theory and its relation to differential-like attacks. Advances in Cryptology, EUROCRYPT '91, Lecture Notes in Computer Science, vol. 547, D. W. Davies, ed., Springer-Verlag, Berlin, pp. 352–367, 1991.
[9] H. Feistel, W. A. Notz, and J. Lynn Smith. Some cryptographic techniques for machine-to-machine data communications. Proceedings of the IEEE, 63(11):1545–1554, 1975.
[10] W. Feller. An Introduction to Probability Theory and Its Applications, vol. 1, 3rd edn. Wiley, New York, 1968.
[11] R. Forré. Methods and instruments for designing S-boxes. Journal of Cryptology, 2(3):115–130, 1990.
[12] R. Forré. The strict avalanche criterion: spectral properties of Boolean functions and an extended definition. Advances in Cryptology, CRYPTO '88, Lecture Notes in Computer Science, vol. 403, S. Goldwasser, ed., Springer-Verlag, Berlin, pp. 450–468, 1990.
[13] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco, 1979.
[14] J. Gordon and H. Retkin. Are big S-boxes best? In Cryptography, Proceedings, Burg Feuerstein, T. Beth, ed., pp. 257–262, 1982.
[15] R. L. Graham, D. E. Knuth, and O. Patashnik. Concrete Mathematics: A Foundation for Computer Science. Addison-Wesley, Reading, MA, 1989.
[16] R. W. Hamming. Coding and Information Theory. Prentice-Hall, Englewood Cliffs, NJ, 1980.
[17] M. Hofri. Probabilistic Analysis of Algorithms. Springer-Verlag, New York, 1987.
[18] J. B. Kam and G. I. Davida. A structured design of substitution-permutation encryption networks. IEEE Transactions on Computers, 28(10):747–753, 1979.
[19] R. Kemp. Fundamentals of the Average Case Analysis of Particular Algorithms. Wiley-Teubner Series in Computer Science, Wiley, New York, 1984.
[20] K. Kim, T. Matsumoto, and H. Imai. On generating cryptographically desirable substitutions. Transactions of the IEICE, E73(7):1031–1035, 1990.
[21] A. Konheim. Cryptography: A Primer. Wiley, New York, 1981.
[22] C. H. Meyer and S. M. Matyas. Cryptography: A New Dimension in Computer Security. Wiley, New York, 1982.
[23] D. S. Mitrinović. Analytic Inequalities. Springer-Verlag, New York, 1970.
[24] National Bureau of Standards. Data Encryption Standard. FIPS PUB 46, Washington, DC, January 1977.
[25] K. Nyberg. Perfect nonlinear S-boxes. Advances in Cryptology, EUROCRYPT '91, Lecture Notes in Computer Science, vol. 547, D. W. Davies, ed., Springer-Verlag, Berlin, pp. 378–386, 1991.
[26] J. Pieprzyk and G. Finkelstein. Towards effective nonlinear cryptosystem design. IEE Proceedings E, 135(6):325–335, 1988.
[27] B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts, and J. Vandewalle. Propagation characteristics of Boolean functions. Advances in Cryptology, EUROCRYPT '90, Lecture Notes in Computer Science, vol. 473, I. B. Damgård, ed., Springer-Verlag, Berlin, pp. 161–173, 1991.
[28] E. M. Reingold, J. Nievergelt, and N. Deo. Combinatorial Algorithms: Theory and Practice. Prentice-Hall, Englewood Cliffs, NJ, 1976.
[29] O. S. Rothaus. On bent functions. Journal of Combinatorial Theory, Series A, 20:300–305, 1976.
[30] R. A. Rueppel. Design and Analysis of Stream Ciphers. Springer-Verlag, New York, 1986.
[31] C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, 1949.
[32] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, 30(5):776–779, 1984.
[33] A. Sorkin. LUCIFER: a cryptographic algorithm. Cryptologia, 8(1):22–35, 1984.
[34] A. F. Webster. Plaintext/ciphertext bit dependencies in cryptographic algorithms. Master's thesis, Department of Electrical Engineering, Queen's University, Kingston, Ontario, 1985.
[35] A. F. Webster and S. E. Tavares. On the design of S-boxes. Advances in Cryptology, CRYPTO '85, H. C. Williams, ed., Lecture Notes in Computer Science, vol. 218, Springer-Verlag, Berlin, pp. 523–534, 1986.

Copyright information

© International Association for Cryptologic Research 1994

Authors and Affiliations

  • Luke O'Connor, University of Waterloo, Waterloo, Canada
