Substitution–permutation network
== Properties ==
A single typical S-box or a single P-box alone does not have much cryptographic strength: an S-box could be thought of as a [[substitution cipher]], while a P-box could be thought of as a [[transposition cipher]]. However, a well-designed SP network with several alternating rounds of S- and P-boxes already satisfies '''Shannon's [[confusion and diffusion]] properties''':

* The reason for '''diffusion''' is the following: if one changes one bit of the plaintext, that bit is fed into an S-box, whose output changes in several bits; the P-box then distributes these changes among several S-boxes, so the outputs of all of those S-boxes again change in several bits, and so on. After several rounds, each bit has changed several times back and forth, so by the end the ciphertext has changed completely, in a [[pseudorandom]] manner. In particular, for a randomly chosen input block, if one flips the ''i''-th bit, then the probability that the ''j''-th output bit changes is approximately one half, for any ''i'' and ''j''; this is the [[strict avalanche criterion]]. Conversely, if one changes one bit of the ciphertext and then attempts to decrypt it, the result is a message completely different from the original plaintext, so SP ciphers are not easily [[malleability (cryptography)|malleable]].
* The reason for '''confusion''' is the same as for diffusion: changing one bit of the key changes several of the round keys, and every change in every round key [[diffuse]]s over all the bits, changing the ciphertext in a very complex manner.
* If an attacker somehow obtains one plaintext corresponding to one ciphertext (a [[known-plaintext attack]]), or worse, can mount a [[chosen plaintext]] or [[chosen-ciphertext attack]], the confusion and diffusion make it difficult for the attacker to recover the key.
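The avalanche argument above can be checked empirically. The following Python program is an added illustration, not part of the article: it builds a constructed toy 16-bit SP network (four 4-bit S-boxes, a bit transposition as the P-box, and a toy key schedule that rotates a 16-bit master key into each round key, all chosen for clarity rather than security) and measures, for a plaintext-bit flip, a key-bit flip and a ciphertext-bit flip under decryption, what fraction of output bits change. The S-box table, P-box, key schedule and sample key are assumptions of this example.

```python
"""Toy 16-bit substitution-permutation network used to measure the avalanche
effect.  Constructed example for illustration only: the S-box, P-box and key
schedule are chosen for clarity, not for security."""
import random

BLOCK_BITS = 16

# A 4-bit bijective S-box (constructed example; any bijection works here).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# P-box: output bit b of S-box a becomes input bit a of S-box b, so the four
# output bits of one S-box reach four different S-boxes in the next round.
# Viewed as a 4x4 transpose it is an involution, hence its own inverse.
PBOX = [4 * (i % 4) + i // 4 for i in range(BLOCK_BITS)]


def sub_layer(state, table):
    """Apply a 4-bit S-box (or its inverse) to each nibble of the state."""
    out = 0
    for nibble in range(4):
        shift = 4 * nibble
        out |= table[(state >> shift) & 0xF] << shift
    return out


def perm_layer(state):
    """Move bit i of the state to bit PBOX[i]."""
    out = 0
    for i in range(BLOCK_BITS):
        if (state >> i) & 1:
            out |= 1 << PBOX[i]
    return out


def round_keys(master, rounds):
    """Toy key schedule: rounds+1 subkeys, each a rotation of the 16-bit master
    key xored with a round constant.  Every master-key bit therefore lands in
    every subkey, which is what the confusion argument relies on."""
    keys = []
    for r in range(rounds + 1):
        rot = (3 * r) % BLOCK_BITS
        rotated = ((master << rot) | (master >> (BLOCK_BITS - rot))) & 0xFFFF
        keys.append(rotated ^ r)
    return keys


def encrypt(block, master, rounds=4):
    keys = round_keys(master, rounds)
    state = block
    for r in range(rounds):
        state ^= keys[r]
        state = sub_layer(state, SBOX)
        if r != rounds - 1:          # the last round has no P-box
            state = perm_layer(state)
    return state ^ keys[rounds]      # final key whitening


def decrypt(block, master, rounds=4):
    keys = round_keys(master, rounds)
    state = block ^ keys[rounds]
    for r in reversed(range(rounds)):
        if r != rounds - 1:
            state = perm_layer(state)  # PBOX is an involution
        state = sub_layer(state, INV_SBOX)
        state ^= keys[r]
    return state


def avalanche(fn, trials=500, seed=1):
    """Average fraction of output bits of fn that change when one input bit is
    flipped, over random 16-bit inputs and all 16 bit positions.  A value near
    0.5 means the strict avalanche criterion holds on average."""
    rng = random.Random(seed)
    flipped = 0
    for _ in range(trials):
        x = rng.getrandbits(BLOCK_BITS)
        base = fn(x)
        for i in range(BLOCK_BITS):
            flipped += bin(base ^ fn(x ^ (1 << i))).count("1")
    return flipped / (trials * BLOCK_BITS * BLOCK_BITS)


KEY = 0x3A7F  # constructed sample key


def plaintext_avalanche(rounds):
    """Diffusion: flip one plaintext bit, measure ciphertext change."""
    return avalanche(lambda p: encrypt(p, KEY, rounds))


def key_avalanche(rounds):
    """Confusion: flip one master-key bit, measure ciphertext change."""
    return avalanche(lambda k: encrypt(0x1234, k, rounds))


def ciphertext_avalanche(rounds):
    """Non-malleability: flip one ciphertext bit, measure plaintext change."""
    return avalanche(lambda c: decrypt(c, KEY, rounds))


if __name__ == "__main__":
    for r in (1, 2, 4):
        print(f"rounds={r}: plaintext {plaintext_avalanche(r):.3f}, "
              f"key {key_avalanche(r):.3f}, "
              f"ciphertext {ciphertext_avalanche(r):.3f}")
```

With a single round, a flipped input bit can only reach the four output bits of one S-box, so at most a quarter of the ciphertext changes; by four rounds all three measurements sit close to one half, which is the behaviour the text describes.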