Anomalies and Vector Space Search: Tools for S-Box Analysis

  • Xavier Bonnetain
  • Léo Perrin
  • Shizhu Tian
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11921)


S-boxes are functions with an input so small that the simplest way to specify them is their lookup table (LUT). How can we quantify the distance between the behavior of a given S-box and that of an S-box picked uniformly at random?

To answer this question, we introduce various “anomalies”. These real numbers are such that a property with an anomaly equal to a should be found roughly once in a set of \(2^{a}\) random S-boxes. First, we present statistical anomalies based on the distribution of the coefficients in the difference distribution table, linear approximation table, and for the first time, the boomerang connectivity table.
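The three tables named above, and a Monte Carlo reading of "found roughly once in a set of 2^a random S-boxes", as an added example that is not code from the paper. The sample input is the 4-bit S-box of the PRESENT block cipher; the function names and the sampling estimate are assumptions of this example and stand in for the paper's own statistical analysis.

```python
import math
import random

# Sample input: the 4-bit S-box of the PRESENT block cipher (not taken from the page).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def ddt(s):
    """DDT[a][b] = #{x : S(x ^ a) ^ S(x) == b}."""
    t = [[0] * len(s) for _ in s]
    for a in range(len(s)):
        for x in range(len(s)):
            t[a][s[x ^ a] ^ s[x]] += 1
    return t

def lat(s):
    """LAT[a][b] = sum over x of (-1)^(a.x ^ b.S(x)) (Walsh coefficients)."""
    par = lambda v: bin(v).count("1") & 1
    return [[sum(1 - 2 * par((a & x) ^ (b & s[x])) for x in range(len(s)))
             for b in range(len(s))] for a in range(len(s))]

def bct(s):
    """BCT[a][b] = #{x : S^-1(S(x) ^ b) ^ S^-1(S(x ^ a) ^ b) == a}."""
    inv = [0] * len(s)
    for x, y in enumerate(s):
        inv[y] = x
    return [[sum(inv[s[x] ^ b] ^ inv[s[x ^ a] ^ b] == a for x in range(len(s)))
             for b in range(len(s))] for a in range(len(s))]

def uniformity(table):
    """Largest absolute coefficient outside the trivial row a=0 and column b=0."""
    return max(abs(v) for row in table[1:] for v in row[1:])

def empirical_anomaly(s, trials=2000, seed=1):
    """Monte Carlo estimate of -log2 Pr[random permutation has max DDT <= that of s]."""
    rng = random.Random(seed)
    target = uniformity(ddt(s))
    hits = 0
    for _ in range(trials):
        p = list(range(len(s)))
        rng.shuffle(p)
        hits += uniformity(ddt(p)) <= target
    return math.log2(trials / max(hits, 1))  # capped at log2(trials) if no sample matches

if __name__ == "__main__":
    for name, table in (("DDT", ddt(SBOX)), ("LAT", lat(SBOX)), ("BCT", bct(SBOX))):
        print(name, "max coefficient:", uniformity(table))
    print("empirical DDT anomaly:", round(empirical_anomaly(SBOX), 2))
```

Sampling can only resolve anomalies up to log2(trials), so it is useful for small S-boxes and mild properties only.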

We then count the number of S-boxes that have block-cipher like structures to estimate the anomaly associated to those. In order to recover these structures, we show that the most general tool for decomposing S-boxes is an algorithm efficiently listing all the vector spaces of a given dimension contained in a given set, and we present such an algorithm.
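The search problem stated above (list every vector space of a given dimension contained in a given set), as an added example that is not the paper's algorithm: a plain backtracking search over GF(2)^n with vectors encoded as integers. The function names and the sample set are constructed for this illustration.

```python
def vector_spaces(points, dim):
    """Yield every subspace of GF(2)^n of dimension `dim` contained in `points`.

    Vectors are integers (bit i is coordinate i). Each subspace is produced
    exactly once, as the basis b1 < b2 < ... in which b_k is the smallest
    element of the subspace outside span(b1, ..., b_{k-1}).
    """
    pts = set(points)
    if 0 not in pts:          # every vector space contains the zero vector
        return
    cand = sorted(pts - {0})

    def extend(basis, span, start):
        if len(basis) == dim:
            yield tuple(basis)
            return
        for i in range(start, len(cand)):
            v = cand[i]
            coset = [v ^ u for u in span]
            # v must be the minimum of its coset (this makes the basis unique
            # and rules out v already in span), and the coset must lie in pts.
            if min(coset) == v and all(w in pts for w in coset):
                yield from extend(basis + [v], span + coset, i + 1)

    yield from extend([], [0], 0)


def elements(basis):
    """All 2^len(basis) vectors generated by `basis`, sorted."""
    out = [0]
    for b in basis:
        out += [b ^ u for u in out]
    return sorted(out)


# Constructed sample set in GF(2)^4 (not data from the paper).
SAMPLE = {0, 1, 2, 3, 4, 5, 8, 12}

if __name__ == "__main__":
    for basis in vector_spaces(SAMPLE, 2):
        print(basis, "->", elements(basis))
```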

Combining these approaches, we conclude that all permutations that are actually picked uniformly at random always have essentially the same cryptographic properties and the same lack of structure.


Keywords: S-box, Vector space search, BCT, Shannon effect, Anomaly, Boolean functions



We thank Jérémy Jean for shepherding this paper. We also thank Florian Wartelle for fruitful discussions about vector space search, and Anne Canteaut for proofreading a first draft of this paper. The work of Xavier Bonnetain receives funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294 – acronym QUASYModo). The work of Shizhu Tian is supported by the National Science Foundation of China (No. 61772517, 61772516).



Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Inria, Paris, France
  2. Collège Doctoral, Sorbonne Université, Paris, France
  3. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  4. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
