## Designing S-Boxes For Ciphers Resistant To Differential Cryptanalysis (1993)

Venue: PROCEEDINGS OF THE 3RD SYMPOSIUM ON STATE AND PROGRESS OF RESEARCH IN CRYPTOGRAPHY

Citations: 28 - 1 self

### BibTeX

```bibtex
@INPROCEEDINGS{Adams93designings-boxes,
    author = {Carlisle M. Adams and Stafford E. Tavares},
    title = {Designing S-Boxes For Ciphers Resistant To Differential Cryptanalysis},
    booktitle = {PROCEEDINGS OF THE 3RD SYMPOSIUM ON STATE AND PROGRESS OF RESEARCH IN CRYPTOGRAPHY},
    year = {1993},
    pages = {181--190},
    publisher = {}
}
```

### Abstract

This paper examines recent work in the area of bent-function-based substitution boxes in order to refine the relationship between s-box construction and immunity to the differential cryptanalysis attack described by Biham and Shamir. It is concluded that mxn s-boxes, m<n, which are partially bent-function-based are the most appropriate choice for private-key cryptosystems constructed as substitution-permutation networks (SPNs). Since s-boxes of this dimension and with this property have received little attention in the open literature, this paper provides a description of their construction and shows how they can be incorporated in a design procedure for a family of SPN cryptosystems with desirable cryptographic properties.

### Citations

3188 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1977
Citation Context ...hanged to any (even) value. Finally, the number of rounds can be changed in the network to vary encryption/decryption speed. This design procedure truly represents a family of cryptosystems, like RSA [14] and several other systems - but unlike DES - because the parameters are so flexible (extending DES from 64 bits (with a 56-bit key) to 128 bits (with a 112-bit key) requires some effort but is not pr...

853 | Communication Theory of Secrecy Systems - Shannon - 1949 |

550 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
Citation Context ...ms with desirable cryptographic properties. 1. INTRODUCTION In [1] the relationship between substitution box (or s-box) construction and immunity against Biham and Shamir's differential cryptanalysis [6] of DES-like cryptosystems was discussed. It was stated that s-boxes with a flat distribution of so-called "Output XORS" would be immune to this attack 2 and it was proven that bent-function-based s-b...

144 | Cryptography and Computer Privacy
- Feistel
- 1973
Citation Context ... the s-box will provide good "confusion" [16, 8], - requiring the sum (modulo 2) of any pair of rows to have approximately half zeros and half ones ensures that the s-box will provide good avalanche [8, 10], and - using bent vectors as the matrix columns ensures that each output bit will respond "ideally" (in the sense of highest-order Strict Avalanche Criterion [2, 4] 8 ) to changes in the input vector...

115 | On the design of S-boxes
- Webster, Tavares
- 1986
Citation Context ...sign may be to construct mxn s-boxes (mn) which are partially bent-function-based but which still satisfy other properties which have been deemed to be necessary in the literature (see, for example, [2, 7, 10, 12, 17, 19]) - these are discussed in more detail in Section 3 below. This should provide resistance to differential cryptanalysis by ensuring that there are no high-probability Output XORs in the s-boxes which ...

74 | Perfect nonlinear S-boxes
- Nyberg
- 1991
Citation Context ...unction-based s-boxes are guaranteed to possess this flat distribution. Since the initial submission of [1] (Jan., 1991), two researchers have published results which relate directly to this work. In [11b] Nyberg answers a question left open in the discussion at the end of [1], and in [5] Biham offers a counter-example which shows that for a particular 1 Note that Nyberg and Knudsen [11c] have recently...

73 | Propagation characteristics of Boolean functions
- Preneel, Leekwijck, et al.
- 1991
Citation Context ...gle input bit i is inverted, for all i, j, k [18, 19]. 7 Note that this is impossible if m>n but is quite feasible if 2 m 8 This has independently been called the Propagation Criterion of degree n in [13]. (further discussion of the above points will be given in the full paper). In other words, these s-boxes appear to be perfectly suited for the approach to SPN cryptosystem design given below. 3.2. SPN...

53 | A Structured Design of Substitution-Permutation Encryption Networks
- Kam, Davida
- 1979
Citation Context ...sign may be to construct mxn s-boxes (mn) which are partially bent-function-based but which still satisfy other properties which have been deemed to be necessary in the literature (see, for example, [2, 7, 10, 12, 17, 19]) - these are discussed in more detail in Section 3 below. This should provide resistance to differential cryptanalysis by ensuring that there are no high-probability Output XORs in the s-boxes which ...

45 | Provable security against a differential cryptanalysis
- Nyberg, Knudsen
- 1993
Citation Context ...this work. In [11b] Nyberg answers a question left open in the discussion at the end of [1], and in [5] Biham offers a counter-example which shows that for a particular 1 Note that Nyberg and Knudsen [11c] have recently proposed a DES-like cipher with provable security against differential cryptanalysis. However, that system differs from ours in that it does not use s-boxes and at each round maps m bit...

38 | Generating and Counting Binary Bent Sequences - Adams, Tavares - 1990 |

23 | An expanded set of S-box design criteria based on information theory
- Dawson, Tavares
- 1991
Citation Context ...cryptanalysis. However, that system differs from ours in that it does not use s-boxes and at each round maps m bits to n bits where m > n. 2 This was also (independently) stated by Dawson and Tavares [7] and by Nyberg [11b]. class of s-boxes the flat Output XOR distribution is not sufficient to guarantee immunity against differential cryptanalysis. In this paper we discuss these results in light of o...

19 | Analysis and synthesis of bent sequences - Yarlagadda, Hershey - 1989 |

18 | The use of bent sequences to achieve higher-order strict avalanche criterion
- Adams, Tavares
- 1990
Citation Context ...s-box will provide good avalanche [8, 10], and - using bent vectors as the matrix columns ensures that each output bit will respond "ideally" (in the sense of highest-order Strict Avalanche Criterion [2, 4] 8 ) to changes in the input vector response of a single output bit to any given input. Row i of M, 1 m , is therefore the n-bit output vector which results from the i th input vector. 6 The (output) ...

18 | Plaintext/Ciphertext Bit Dependencies in Cryptographic System
- Webster
- 1985
Citation Context ... from the i th input vector. 6 The (output) Bit Independence Criterion (BIC) states that s-box output bits j and k should change independently when any single input bit i is inverted, for all i, j, k [18, 19]. 7 Note that this is impossible if m>n but is quite feasible if 2 m 8 This has independently been called the Propagation Criterion of degree n in [13]. (further discussion of the above points will be...

17 | A formal and practical design procedure for substitution-permutation network cryptosystems
- Adams
- 1990
Citation Context ...sign may be to construct mxn s-boxes (mn) which are partially bent-function-based but which still satisfy other properties which have been deemed to be necessary in the literature (see, for example, [2, 7, 10, 12, 17, 19]) - these are discussed in more detail in Section 3 below. This should provide resistance to differential cryptanalysis by ensuring that there are no high-probability Output XORs in the s-boxes which ...

11 | On Immunity against Biham and Shamir's "Differential Cryptanalysis"
- Adams
- 1992
Citation Context ...provides a description of their construction and shows how they can be incorporated in a design procedure for a family of SPN cryptosystems with desirable cryptographic properties. 1. INTRODUCTION In [1] the relationship between substitution box (or s-box) construction and immunity against Biham and Shamir's differential cryptanalysis [6] of DES-like cryptosystems was discussed. It was stated that s-...

11 | Constructions of bent functions and difference sets
- Nyberg
- 1990
Citation Context ...near combinations (modulo 2) of these f i correspond to bent functions. We call s-boxes which satisfy the above theorem "bent-function-based s-boxes" (details regarding bent functions can be found in [15, 20, 3, 11a, 13], for example). Although we had been looking specifically at mxn s-boxes (msstated at the end of [1] that it would also be interesting to determine whether 6x4 s-boxes satisfying the above theorem can...

11 | On the designs of SP networks from an information theoretic point of view
- Tavares, Sivabalan, et al.
- 1992

9 | An analysis of product ciphers based on the properties of Boolean functions
- O'Connor
- 1992
Citation Context ...fined as an (r+1)-tuple $\Omega = (\Delta X, \Delta Y_1, \Delta Y_2, \ldots, \Delta Y_r)$, where $\Delta X$ is a plaintext difference and the $\Delta Y_i$ are the ciphertext differences at each of r consecutive rounds of an R-round cipher, Rr [12]. it turns out that this can be a weakness for s-boxes with more input bits than output bits. Since bent-function-based mxn s-boxes only exist for m2n, it seems that without extra precautions this may...

3 | Analysis of a Feistel-Like Cipher Weakened by Having No Rotating Key
- Grossman, Tuckerman
- 1977
Citation Context ...ncellation of s-box outputs). Note as well that the s*m key bits selected in round i should be different from the s*m key bits selected in round i+1 (this is due to the work of Grossman and Tuckerman [9], who showed that DES-like cryptosystems without a rotating key can be broken). Note finally that if any key bit is used in round R (the last round) for the first time then the network fails the key/c...

1 | Differential Cryptanalysis of Iterated Cryptosystems
- Biham
- 1992
Citation Context ...ial submission of [1] (Jan., 1991), two researchers have published results which relate directly to this work. In [11b] Nyberg answers a question left open in the discussion at the end of [1], and in [5] Biham offers a counter-example which shows that for a particular 1 Note that Nyberg and Knudsen [11c] have recently proposed a DES-like cipher with provable security against differential cryptanalysi...

1 | On "Bent - Rothaus - 1976 |