Substitution–permutation network
== Components ==

An [[S-box]] substitutes a small block of bits (the input of the S-box) with another block of bits (the output of the S-box). This substitution should be [[bijective|one-to-one]], to ensure invertibility (hence decryption). In particular, the length of the output should be the same as the length of the input (the picture on the right has S-boxes with 4 input and 4 output bits), unlike S-boxes in general, which may also change the length, as in the [[Data Encryption Standard]] (DES), for example.

An S-box is usually not simply a [[permutation]] of the bits. Rather, in a good S-box each output bit will be affected by every input bit. More precisely, in a good S-box each output bit will be changed with 50% probability by every input bit. Since each output bit changes with 50% probability, about half of the output bits will actually change when one input bit changes (cf. [[Strict avalanche criterion]]).<ref name="webster_tavares_1985">{{cite book|first1=A. F.|last1= Webster |first2=Stafford E. |last2=Tavares|chapter=On the design of S-boxes|title=Advances in Cryptology – Crypto '85 |series=Lecture Notes in Computer Science|volume=218|pages= 523–534|year=1985|isbn=0-387-16463-4|publisher=Springer-Verlag New York, Inc. |location= New York, NY}}</ref>

A [[Permutation box|P-box]] is a [[permutation]] of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible.

At each round, the [[round key]] (obtained from the [[key (cryptography)|key]] with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically [[XOR]].
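The properties above can be checked mechanically. The following is an added example, not part of the original article: it tests bijectivity and the avalanche behaviour of a 4-bit S-box, measures how a 16-bit P-box spreads each S-box's output, and runs one round. The table values and all names (<code>SBOX</code>, <code>ROTATE</code>, <code>PBOX</code>, the function names) are assumptions chosen for illustration.

```python
# Sample 4-bit bijective S-box (values chosen for this example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Counter-example: an "S-box" that only rotates its 4 input bits left by one.
ROTATE = [((x << 1) | (x >> 3)) & 0xF for x in range(16)]
# 16-bit P-box as a 4x4 transpose: bit i moves to position PBOX[i].
PBOX = [4 * (i % 4) + i // 4 for i in range(16)]
IDENTITY = list(range(16))  # P-box that spreads nothing


def is_bijective(sbox):
    """One-to-one check: required so the round can be inverted."""
    return sorted(sbox) == list(range(len(sbox)))


def avalanche_counts(sbox, n=4):
    """counts[i][j] = number of inputs (out of 2**n) for which flipping
    input bit i flips output bit j. The ideal value is 2**n / 2."""
    counts = [[0] * n for _ in range(n)]
    for x in range(1 << n):
        for i in range(n):
            diff = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(n):
                counts[i][j] += (diff >> j) & 1
    return counts


def sboxes_reached(pbox, src, n=4):
    """How many next-round S-boxes receive a bit from S-box number src."""
    return len({pbox[n * src + b] // n for b in range(n)})


def spn_round(state, round_key, sbox=SBOX, pbox=PBOX, n=4):
    """One round on a 16-bit state: key mixing (XOR), S-boxes, P-box."""
    state ^= round_key
    subbed = 0
    for k in range(len(pbox) // n):
        subbed |= sbox[(state >> (n * k)) & ((1 << n) - 1)] << (n * k)
    out = 0
    for i, dest in enumerate(pbox):
        out |= ((subbed >> i) & 1) << dest
    return out


if __name__ == "__main__":
    for row in avalanche_counts(SBOX):
        print([c / 16 for c in row])  # flip probability per output bit
    print(hex(spn_round(0x0000, 0x0001)))
```

For the sample table every output bit depends on every input bit, although not every entry is exactly 50%; for the bit rotation each input bit affects exactly one output bit, which is why a plain bit permutation makes a poor S-box.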