### S-Box Design: A Literature Survey

Now here's a resource to bring delight to crypto junkies everywhere!

Many block ciphers are based on the old Shannon idea of the sequential application of confusion and diffusion. Typically, confusion is provided by some form of substitution ("S-boxes"). So the obvious question is whether some substitutions are better than others. The obvious answer is "Yes," because one possible substitution maps every value onto itself, just as though there were no substitution at all.

So the hunt was on for measures which would distinguish between "bad" and "good" substitutions, and for techniques to construct "good" substitutions. But since weakness measures are related to attacks, new attacks often imply a need for new measures. And since we cannot know what attack an Opponent may use, how can we select a substitution which will defeat that attack?

Accordingly, this reviewer has a bias for randomly-selected and keyed S-boxes. While these cannot be expected to have optimum strength against whatever is being measured, they can be expected to have average strength against even unknown attacks: Where there is no systematic design, there can be no systematic weakness. And when S-boxes are chosen at random, everyone can be sure that no S-box "trap door" is present. Keying the S-boxes inevitably takes time, but some authors count this as an advantage in slowing attacks.
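To make the contrast concrete, here is an added example (not taken from the surveyed literature) that keys an 8-bit S-box by shuffling and scores it against the identity substitution. The SHA-256 counter-mode generator, the sample key, and the choice of two measures (differential uniformity and nonlinearity, which correspond to differential and linear attacks) are assumptions made for illustration.

```python
import hashlib

def keyed_sbox(key, n=256):
    """Fisher-Yates shuffle of 0..n-1 driven by a key-derived byte stream."""
    def stream():
        counter = 0
        while True:  # SHA-256 in counter mode (assumed generator, illustration only)
            yield from hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
            counter += 1
    rng = stream()
    def below(bound):  # unbiased integer in [0, bound) via rejection sampling
        limit = 65536 - 65536 % bound
        while True:
            v = next(rng) << 8 | next(rng)
            if v < limit:
                return v % bound
    box = list(range(n))
    for i in range(n - 1, 0, -1):
        j = below(i + 1)
        box[i], box[j] = box[j], box[i]
    return box

def differential_uniformity(box):
    """Largest count of inputs x with box[x ^ a] ^ box[x] == b, over all a != 0."""
    n, worst = len(box), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[box[x ^ a] ^ box[x]] += 1
        worst = max(worst, max(counts))
    return worst

def nonlinearity(box):
    """Minimum distance from any output-bit combination to an affine function."""
    n, peak = len(box), 0
    for mask in range(1, n):
        # +1/-1 truth table of the Boolean function parity(mask & box[x])
        w = [1 - 2 * (bin(mask & y).count("1") & 1) for y in box]
        h = 1
        while h < n:  # in-place fast Walsh-Hadamard transform
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        peak = max(peak, max(abs(v) for v in w))
    return (n - peak) // 2

if __name__ == "__main__":
    sample = keyed_sbox(b"constructed sample key")  # constructed key
    for name, box in (("identity", list(range(256))), ("keyed", sample)):
        print(name, differential_uniformity(box), nonlinearity(box))
```

The identity substitution scores 256 and 0, the worst possible value on both measures, while a keyed random permutation lands far from those extremes without reaching the optimum a designed S-box can achieve.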

