S-Box Design
The strength of various Feistel networks—and specifically their resistance to differential and linear cryptanalysis—is tied directly to their S-boxes. This has prompted a spate of research on what constitutes a good S-box. An S-box is simply a substitution: a mapping of m-bit inputs to n-bit outputs. Previously I talked about one large lookup table of 64-bit inputs to 64-bit outputs; that would be a 64 * 64-bit S-box. An S-box with an m-bit input and an n-bit output is called an m * n-bit S-box. S-boxes are generally the only nonlinear step in an algorithm; they are what give a block cipher its security. In general, the bigger they are, the better.

DES has eight different 6 * 4-bit S-boxes. Khufu and Khafre have a single 8 * 32-bit S-box, LOKI has a 12 * 8-bit S-box, and both Blowfish and CAST have 8 * 32-bit S-boxes. In IDEA the modular multiplication step is effectively the S-box; it is a 16 * 16-bit S-box. The larger this S-box, the harder it is to find useful statistics to attack using either differential or linear cryptanalysis [653,729,1626]. Also, while random S-boxes are usually not optimal to protect against differential and linear attacks, it is easier to find strong S-boxes if the S-boxes are larger. Most random S-boxes are nonlinear, nondegenerate, and have strong resistance to linear cryptanalysis—and the fraction that does not goes down rapidly as the number of input bits decreases [1185,1186,1187].

The size of m is more important than the size of n. Increasing the size of n reduces the effectiveness of differential cryptanalysis, but greatly increases the effectiveness of linear cryptanalysis. In fact, if n ≥ 2^m – m, then there is definitely a linear relation of the input and output bits of the S-box. And if n ≥ 2^m, then there is a linear relation of only the output bits [164].

Much of this work involves the study of Boolean functions [94,1098,1262,1408]. In order to be secure, the Boolean functions used in S-boxes must satisfy specific conditions.
They should not be linear or affine, nor even close to linear or affine [9,1177,1178,1188]. There should be...
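As an added example (not from the excerpt or the book it is taken from), the following Python computes the two statistics the passage ties to an S-box's strength: the largest entry of its difference distribution table, which differential cryptanalysis exploits, and the largest linear-approximation bias, which linear cryptanalysis exploits and which reaches its maximum exactly when the S-box is affine. The two 3 * 3-bit S-boxes it scores are constructed for illustration: one affine by design, one built from the 3-bit chi rule.

```python
# Added example: score a small m*n-bit S-box on the two statistics the text
# ties to its strength against differential and linear cryptanalysis.

def parity(v):
    """Parity of the bits of v: the dot product a.x over GF(2)."""
    return bin(v).count("1") & 1

def ddt_max(sbox, m):
    """Max over nonzero input differences din of how many inputs x map din to
    the same output difference S(x) ^ S(x ^ din).  2^m means some input
    difference propagates through the S-box deterministically."""
    size = 1 << m
    worst = 0
    for din in range(1, size):
        counts = {}
        for x in range(size):
            dout = sbox[x] ^ sbox[x ^ din]
            counts[dout] = counts.get(dout, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst

def lat_max_bias(sbox, m, n):
    """Max over input masks a and nonzero output masks b of
    |#{x : a.x == b.S(x)} - 2^(m-1)|.  A value of 2^(m-1) means some XOR of
    output bits is an affine function of the input bits; smaller is better."""
    size = 1 << m
    worst = 0
    for a in range(size):
        for b in range(1, 1 << n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(size))
            worst = max(worst, abs(agree - size // 2))
    return worst

def chi3():
    """3 * 3-bit S-box from the chi rule b_i = a_i ^ (~a_{i+1} & a_{i+2}) (the
    nonlinear step of Keccak on a 3-bit row), computed here rather than recalled."""
    table = []
    for x in range(8):
        a = [(x >> i) & 1 for i in range(3)]
        bits = [a[i] ^ ((1 - a[(i + 1) % 3]) & a[(i + 2) % 3]) for i in range(3)]
        table.append(sum(bit << i for i, bit in enumerate(bits)))
    return table

AFFINE_SBOX = [x ^ 0b101 for x in range(8)]  # constructed affine 3 * 3-bit S-box

if __name__ == "__main__":
    for name, box in (("affine", AFFINE_SBOX), ("chi3", chi3())):
        print(name, box, ddt_max(box, 3), lat_max_bias(box, 3, 3))
```

The affine box scores the worst possible values (8 and 4, i.e. 2^m and 2^(m-1)), while chi3 scores 2 and 2, the best a 3-bit bijection can achieve.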
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.