Cryptographic properties of small bijective S-boxes with respect to modular addition


We define affine equivalence of S-boxes with respect to modular addition, and explore its use in cryptanalysis. We have identified classes of small bijective S-boxes with respect to this new equivalence, and experimentally computed their properties.



  1. Note that the attacker can represent integers in \(\mathbb{Z}_{2^n}\) in other ways, e.g. by changing the ordering of the bits in the binary expansion, or even by choosing some completely different bijection between \(\mathbb{Z}_{2^n}\) and \(\mathbb{F}_{2^n}\). In practice, the representation chosen by the attacker needs to be compatible with the other operations in the studied cipher. The choice of representation affects which concrete S-boxes are identified as good or bad, but does not change the statistical results over the set of all S-boxes.

  2. Similar to EA-equivalence, we can extend MAE by allowing the addition of an affine function in (2).

  3. The S-box 019dae4852637bfc from optimal class G4 (with \(\delta_F = 4\), \(\mathcal{N}\mathscr{L} = 4\)) has p(2,1) = 1/2. Another example is the S-box from the same class, 01e28abc9d35674f, which has p(10,5) = 11/16. None of the optimal S-boxes with D = 12 has the property \(p_{d,d/2} = 12/16\).

  4. An example is the optimal S-box 0169cf235be874ad with L = 10.

  5. These results are for S-boxes represented in a standard natural binary expansion. For example, the GOST K8 S-box is given in [24] by the string 1fd057a4923e6b8c, which is represented as a permutation S(0) = 1, S(1) = 15, etc.
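Added example (not code from the article): a check of the values quoted in notes 3 and 5, assuming that p(a,b) is the fraction of inputs x with S(x + a) − S(x) ≡ b (mod 16) under the natural binary representation. That definition does not appear on this page; it is an assumption that reproduces both quoted probabilities. The function names are illustrative.

```python
from fractions import Fraction

MOD = 16  # 4-bit S-boxes, arithmetic in Z_16 (natural binary representation)

def parse_sbox(hex_string):
    """Hex digit i of the string is S(i); reject anything that is not a permutation."""
    table = [int(ch, 16) for ch in hex_string]
    if sorted(table) != list(range(MOD)):
        raise ValueError("not a bijective 4-bit S-box: " + hex_string)
    return table

def mod_add_ddt(sbox):
    """ddt[a][b] = number of x with S(x + a) - S(x) = b (mod 16)."""
    ddt = [[0] * MOD for _ in range(MOD)]
    for a in range(MOD):
        for x in range(MOD):
            b = (sbox[(x + a) % MOD] - sbox[x]) % MOD
            ddt[a][b] += 1
    return ddt

def mod_add_prob(sbox, a, b):
    """Assumed meaning of p(a,b): ddt[a][b] / 16."""
    return Fraction(mod_add_ddt(sbox)[a][b], MOD)

def worst_differential(sbox):
    """Largest ddt entry over nonzero input differences, as (count, a, b)."""
    ddt = mod_add_ddt(sbox)
    return max((ddt[a][b], a, b) for a in range(1, MOD) for b in range(MOD))

# S-box strings quoted in the notes above.
G4_FIRST = "019dae4852637bfc"
G4_SECOND = "01e28abc9d35674f"
GOST_K8 = "1fd057a4923e6b8c"

if __name__ == "__main__":
    for name, a, b in ((G4_FIRST, 2, 1), (G4_SECOND, 10, 5)):
        s = parse_sbox(name)
        count, wa, wb = worst_differential(s)
        print(name, "p(%d,%d) =" % (a, b), mod_add_prob(s, a, b),
              "| worst entry %d/16 at (%d,%d)" % (count, wa, wb))
    k8 = parse_sbox(GOST_K8)
    print("GOST K8: S(0) =", k8[0], " S(1) =", k8[1])
```
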


  1. Biham, E., Anderson, R., Knudsen, L.: Serpent: a new block cipher proposal. In: International workshop on fast software encryption, pp 222–238. Springer (1998)

  2. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J Cryptol 4(1), 3–72 (1991)

  3. Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all 3×3 and 4×4 S-boxes. In: International workshop on cryptographic hardware and embedded systems, pp 76–91. Springer (2012)

  4. Biryukov, A., Perrin, L., Udovenko, A.: Reverse-engineering the S-box of Streebog, Kuznyechik and STRIBOBr1. In: Annual international conference on the theory and applications of cryptographic techniques, pp 372–402. Springer (2016)

  5. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. Springer, Berlin (2007)

  6. Brunetta, C., Calderini, M., Sala, M.: On hidden sums compatible with a given block cipher diffusion layer. Discret. Math. 342(2), 373–386 (2019)

  7. Budaghyan, L., Carlet, C.: CCZ-equivalence of single and multi output Boolean functions. In: Post-proceedings of the 9th international conference on finite fields and their applications Fq, vol. 9, pp 43–54 (2010)

  8. Calderini, M., Sala, M.: Elementary abelian regular subgroups as hidden sums for cryptographic trapdoors. arXiv:1702.00581 (2017)

  9. Carlet, C.: Vectorial boolean functions for cryptography. Boolean Models and Methods in Mathematics, Computer Science, and Engineering 134, 398–469 (2010)

  10. Civino, R., Blondeau, C., Sala, M.: Differential attacks: using alternative operations. Des. Codes Crypt. 87(2-3), 225–247 (2019)

  11. Daemen, J., Rijmen, V.: The design of Rijndael: AES-the advanced encryption standard. Springer, Berlin (2013)

  12. Fontanari, C., Pulice, V., Rimoldi, A., Sala, M.: On weakly APN functions and 4-bit S-boxes. Finite Fields and their Applications 18(3), 522–528 (2012)

  13. Grošek, O., Nemoga, K., Satko, L.: Generalized perfectly nonlinear functions. Tatra Mountains Pub. 20, 121–131 (2000)

  14. Kumar, Y., Mishra, P., Pillai, N.R., Sharma, R.K.: Affine equivalence and non-linearity of permutations over \(\mathbb{Z}_{n}\). Applicable Algebra in Engineering, Communication and Computing 28(3), 257–279 (2017)

  15. Kutzner, S., Nguyen, P.H., Poschmann, A.: Enabling 3-share threshold implementations for all 4-bit S-boxes. In: International Conference on Information Security and Cryptology, pp 91–108. Springer (2013)

  16. Leander, G., Poschmann, A.: On the classification of 4 bit S-boxes. In: International Workshop on the Arithmetic of Finite Fields, pp 159–176. Springer (2007)

  17. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Workshop on the Theory and Application of Cryptographic Techniques, pp 386–397. Springer (1993)

  18. Nyberg, K.: Perfect nonlinear S-boxes. In: Workshop on the Theory and Application of Cryptographic Techniques, pp 378–386. Springer (1991)

  19. Nyberg, K.: Differentially uniform mappings for cryptography. In: Workshop on the Theory and Application of Cryptographic Techniques, pp 55–64. Springer (1993)

  20. Oliynykov, R., Gorbenko, I., Kazymyrov, O., Ruzhentsev, V., Kuznetsov, O., Gorbenko, Y., Dyrda, O., Dolgov, V., Pushkaryov, A., Mordvinov, R., et al.: A new encryption standard of Ukraine: The Kalyna block cipher. IACR Cryptology ePrint Archive 2015, 650 (2015)

  21. Picek, S., Ege, B., Papagiannopoulos, K., Batina, L., Jakobović, D.: Optimality and beyond: the case of 4×4 S-boxes. In: 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp 80–83. IEEE (2014)

  22. Pott, A., Zhou, Y.: CCZ and EA equivalence between mappings over finite abelian groups. Designs, Codes and Cryptography 66(1-3), 99–109 (2013)

  23. Rejewski, M.: Mathematical solution of the Enigma cipher. Cryptologia 6(1), 1–18 (1982)

  24. Saarinen, M.J.O.: Cryptographic analysis of all 4×4-bit S-boxes. In: International Workshop on Selected Areas in Cryptography, pp 118–133. Springer (2011)

  25. Zabotin, I., Glazkov, G., Isaeva, V.: Cryptographic protection for information processing systems. Government Standard of the USSR. GOST, pp. 28, 147–89 (1989)

  26. Zajac, P.: Constructing S-boxes with low multiplicative complexity. Stud. Sci. Math. Hung. 52(2), 135–153 (2015)

  27. Zajac, P., Jókay, M.: Multiplicative complexity of bijective 4×4 S-boxes. Cryptogr. Commun. 6(3), 255–277 (2014)



We would like to thank the anonymous reviewers for significantly improving the article during the review process.

Author information



Corresponding author

Correspondence to Pavol Zajac.

Additional information


This article belongs to the Topical Collection: Boolean Functions and Their Applications IV

Guest Editors: Lilya Budaghyan and Tor Helleseth

This research was supported by grant VEGA 1/0159/17.


Cite this article

Zajac, P., Jókay, M. Cryptographic properties of small bijective S-boxes with respect to modular addition. Cryptogr. Commun. 12, 947–963 (2020).



  • S-boxes
  • Cryptanalysis
  • Modular addition

Mathematics Subject Classification (2010)

  • 94A60
  • 11T71
  • 14G50