Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
S-box
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{Short description|Basic component of symmetric key algorithms which performs substitution}} {{for|the video game engine and platform|S&box (game engine)}} In [[cryptography]], an '''S-box''' ('''substitution-box''') is a basic component of [[symmetric key algorithm]]s which performs substitution. In [[block cipher]]s, they are typically used to obscure the relationship between the key and the [[ciphertext]], thus ensuring [[Claude Shannon|Shannon's]] property of [[confusion and diffusion|confusion]]. Mathematically, an S-box is a nonlinear{{sfn|Daemen|Rijmen|2013|p=22}} [[vectorial Boolean function]].<ref name=":0">{{Citation|last=Carlet|first=Claude|title=Vectorial Boolean Functions for Cryptography|date=2010|url=https://www.cambridge.org/core/books/boolean-models-and-methods-in-mathematics-computer-science-and-engineering/vectorial-boolean-functions-for-cryptography/03F4D38804F8CE4ED2CC1939B515100B|work=Boolean Models and Methods in Mathematics, Computer Science, and Engineering|pages=398β470|editor-last=Hammer|editor-first=Peter L.|series=Encyclopedia of Mathematics and its Applications|place=Cambridge|publisher=Cambridge University Press|isbn=978-0-521-84752-0|access-date=2021-04-30|editor2-last=Crama|editor2-first=Yves}}</ref> In general, an S-box takes some number of input [[bit]]s, ''m'', and transforms them into some number of output bits, ''n'', where ''n'' is not necessarily equal to ''m''.<ref name="chandra-516">{{cite book|author=Chandrasekaran, J. |display-authors=etal |chapter=A Chaos Based Approach for Improving Non Linearity in the S-box Design of Symmetric Key Cryptosystems|editor=Meghanathan, N. |display-editors=etal|title=Advances in Networks and Communications: First International Conference on Computer Science and Information Technology, CCSIT 2011, Bangalore, India, January 2-4, 2011. Proceedings, Part 2|publisher=Springer|year=2011|isbn=978-3-642-17877-1|page=516|chapter-url=https://books.google.com/books?id=pXOS4ZTUJLYC&pg=PA516}}</ref> An ''m''Γ''n'' S-box can be implemented as a [[lookup table]] with 2<sup>''m''</sup> words of ''n'' bits each. Fixed tables are normally used, as in the [[Data Encryption Standard]] (DES), but in some [[cipher]]s the tables are generated dynamically from the [[cryptographic key|key]] (e.g. the [[Blowfish (cipher)|Blowfish]] and the [[Twofish]] encryption algorithms). == Example == One good example of a fixed table is the S-box from DES (S<sub>5</sub>), mapping 6-bit input into a 4-bit output: {| class="wikitable" align="center" ! rowspan="2" colspan="2" | S<sub>5</sub> || colspan="16" align="center" | Middle 4 bits of input |- ! 0000 !! 0001 !! 0010 !! 0011 !! 0100 !! 0101 !! 0110 !! 0111 !! 1000 !! 1001 !! 1010 !! 1011 !! 1100 !! style="background:#ffdead;" | 1101 !! 1110 !! 1111 |- ! rowspan="4" | Outer bits ! 00 | 0010 || 1100 || 0100 || 0001 || 0111 || 1010 || 1011 || 0110 || 1000 || 0101 || 0011 || 1111 || 1101 || style="background:#ffdead;" | 0000 || 1110 || 1001 |- ! style="background:#deffad;" | 01 | style="background:#deffad;" | 1110 || style="background:#deffad;" | 1011 || style="background:#deffad;" | 0010 || style="background:#deffad;" | 1100 || style="background:#deffad;" | 0100 || style="background:#deffad;" | 0111 || style="background:#deffad;" | 1101 || style="background:#deffad;" | 0001 || style="background:#deffad;" | 0101 || style="background:#deffad;" | 0000 || style="background:#deffad;" | 1111 || style="background:#deffad;" | 1010 || style="background:#deffad;" | 0011 || style="background:#fefe2d;" | 1001 || style="background:#deffad;" | 1000 || style="background:#deffad;" | 0110 |- ! 10 | 0100 || 0010 || 0001 || 1011 || 1010 || 1101 || 0111 || 1000 || 1111 || 1001 || 1100 || 0101 || 0110 || style="background:#ffdead;" | 0011 || 0000 || 1110 |- ! 11 | 1011 || 1000 || 1100 || 0111 || 0001 || 1110 || 0010 || 1101 || 0110 || 1111 || 0000 || 1001 || 1010 || style="background:#ffdead;" | 0100 || 0101 || 0011 |} Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. For example, an input "'''0'''1101'''1'''" has outer bits "'''01'''" and inner bits "1101"; the corresponding output would be "1001".<ref>{{cite book|last=Buchmann|first=Johannes A.|title=Introduction to cryptography|url=https://archive.org/details/introductiontocr00buch_768|url-access=limited|year=2001|publisher=Springer|location=New York, NY [u.a.]|isbn=978-0-387-95034-1|pages=[https://archive.org/details/introductiontocr00buch_768/page/n131 119]β120|edition=Corr. 2. print.|chapter=5. DES}}</ref> == Analysis and properties == When DES was first published in 1977, the design criteria of its S-boxes were kept secret to avoid compromising the technique of [[differential cryptanalysis]] (which was not yet publicly known). As a result, research in what made good S-boxes was sparse at the time. Rather, the eight S-boxes of DES were the subject of intense study for many years out of a concern that a ''[[Backdoor (computing)|backdoor]]'' (a [[cryptanalysis|vulnerability]] known only to its designers) might have been planted in the cipher. As the S-boxes are the only nonlinear part of the cipher, compromising those would compromise the entire cipher.<ref>{{Cite journal |last=Coppersmith |first=D. |date=May 1994 |title=The Data Encryption Standard (DES) and its strength against attacks |url=https://ieeexplore.ieee.org/document/5389567 |journal=IBM Journal of Research and Development |volume=38 |issue=3 |pages=243β250 |doi=10.1147/rd.383.0243 |issn=0018-8646|url-access=subscription }}</ref> The S-box design criteria were eventually published (in {{harvnb|Coppersmith|1994}}) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack such that it was no better than [[Brute-force attack|brute force]]. Biham and Shamir found that even small modifications to an S-box could significantly weaken DES.<ref>[http://www.sans.org/reading_room/whitepapers/vpns/s-box-modifications-effect-des-like-encryption-systems_768 Gargiulo's "S-box Modifications and Their Effect in DES-like Encryption Systems"] {{Webarchive|url=https://web.archive.org/web/20120520040808/http://www.sans.org/reading_room/whitepapers/vpns/s-box-modifications-effect-des-like-encryption-systems_768|date=2012-05-20}} p. 9.</ref> Any S-box where any linear combination of output bits is produced by a [[bent function]] of the input bits is termed a '''perfect S-box'''.<ref> RFC 4086. Section 5.3 "Using S-boxes for Mixing" </ref> S-boxes can be analyzed using [[linear cryptanalysis]] and [[differential cryptanalysis]] in the form of a [[Linear approximation table]] (LAT) or [[Walsh transform]] and ''Difference Distribution Table'' (DDT) or autocorrelation table and spectrum. Its strength may be summarized by the ''nonlinearity'' (bent, almost bent) and ''differential uniformity'' (perfectly nonlinear, almost perfectly nonlinear).<ref>{{Cite web|last=Heys|first=Howard M.|title=A Tutorial on Linear and Differential Cryptanalysis|url=https://ioactive.com/wp-content/uploads/2015/07/ldc_tutorial.pdf}}</ref><ref>{{Cite web|title=S-Boxes and Their Algebraic Representations β Sage 9.2 Reference Manual: Cryptography|url=https://doc.sagemath.org/html/en/reference/cryptography/sage/crypto/sbox.html|access-date=2021-04-30|website=doc.sagemath.org}}</ref><ref>{{Cite book|last=Saarinen|first=Markku-Juhani O.|title=Selected Areas in Cryptography |chapter=Cryptographic Analysis of All 4 Γ 4-Bit S-Boxes |date=2012|editor-last=Miri|editor-first=Ali|editor2-last=Vaudenay|editor2-first=Serge|series=Lecture Notes in Computer Science|volume=7118|language=en|location=Berlin, Heidelberg|publisher=Springer|pages=118β133|doi=10.1007/978-3-642-28496-0_7|isbn=978-3-642-28496-0|doi-access=free}}</ref><ref name=":0" /> ==See also== * [[Bijection, injection and surjection]] * [[Boolean function]] * [[Nothing-up-my-sleeve number]] * [[Permutation box]] (P-box) * [[Permutation cipher]] * [[Rijndael S-box]] * [[Substitution cipher]] ==References== {{Reflist}} ==Further reading== * {{cite conference |author = Kaisa Nyberg |author-link = Kaisa Nyberg |title = Perfect nonlinear S-boxes |conference = Advances in Cryptology β [[EUROCRYPT]] '91 |pages = 378–386 |date = 1991 |location = [[Brighton]] |doi =10.1007/3-540-46416-6_32 |doi-access= free }} * {{cite conference | author = S. Mister and [[Carlisle Adams|C. Adams]] | title = Practical S-box Design | conference = Workshop on [[Selected Areas in Cryptography]] (SAC '96) Workshop Record | pages = 61–76 | date = 1996 | location = [[Queen's University at Kingston|Queen's University]] | citeseerx = 10.1.1.40.7715 }} * {{cite book | ref = CITEREFSchneier1994 | last = Schneier | first = Bruce | author-link = Bruce Schneier | title = Applied Cryptography, Second Edition | url = https://archive.org/details/appliedcryptogra00schn_328 | url-access = limited | publisher = [[John Wiley & Sons]] | year = 1996 | pages = [https://archive.org/details/appliedcryptogra00schn_328/page/n295 296]–298, 349 | isbn = 978-0-471-11709-4 }} * {{cite book |last1 = Chuck Easttom |chapter = A generalized methodology for designing non-linear elements in symmetric cryptographic primitives |title = 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC) |date = 2018 |pages = 444β449 |doi = 10.1109/CCWC.2018.8301643|isbn= 978-1-5386-4649-6 |s2cid = 3659645 |author1-link = Chuck Easttom }} ==Sources== * {{cite book | first1 = Joan | last1 = Daemen | first2 = Vincent | last2 = Rijmen | date = 9 March 2013 | title = The Design of Rijndael: AES - The Advanced Encryption Standard | publisher = Springer Science & Business Media | pages = 22β23 | chapter = Bricklayer Functions | isbn = 978-3-662-04722-4 | oclc = 1259405449 | url = https://cs.ru.nl/~joan/papers/JDA_VRI_Rijndael_2002.pdf}} == External links == * [http://www.ciphersbyritter.com/RES/SBOXDESN.HTM A literature survey on S-box design] * [http://www.quadibloc.com/crypto/co4513.htm John Savard's "Questions of S-box Design"] * [https://ieeexplore.ieee.org/document/8618346 "Substitution Box Design based on Gaussian Distribution"] {{Cryptography navbox | block}} [[Category:S-box| ]] [[Category:Cryptographic algorithms]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Citation
(
edit
)
Template:Cite book
(
edit
)
Template:Cite conference
(
edit
)
Template:Cite journal
(
edit
)
Template:Cite web
(
edit
)
Template:Cryptography navbox
(
edit
)
Template:For
(
edit
)
Template:Harvnb
(
edit
)
Template:Reflist
(
edit
)
Template:Sfn
(
edit
)
Template:Short description
(
edit
)
Template:Webarchive
(
edit
)