Non-existence of Certain Quadratic S-boxes and Two Bounds on Nonlinear Characteristics of General S-boxes

Due to the success of diierential and linear attacks on a large number of encryption algorithms, it is important to investigate relationships among the various cryptographic, including diierential and linear, characteristics of an S-box (substitution box). After discussing a precise relationship among three tables, namely the diierence, auto-correlation and correlation immunity distribution tables, of an S-box, we develop a number of results on various properties of S-boxes. These results include: (1) an interesting equivalence relationship between a regular (balanced) S-box and a tight lower bound on the sum of elements in the leftmost column of its diierential distribution table, (2) a proof for the nonexistence of quadratic S-boxes with a uniformly half-occupied diierence distribution table for the case of n > = 2m?1. This serves as a piece of evidence that further supports an important and unproven conjecture, namely, for all n > m, there exist no n m S-boxes with a uniformly half-occupied diierence distribution table. Prior to this work, the best known result that supports the conjecture is that there exist no quadratic S-boxes with a uniformly half-occupied diierence distribution table if n or m is even, (3) a non-trivial and tight lower bound on the diierential uniformity of an S-box, and (4) two upper bounds on the nonlinearity of S-boxes (one for a general, not necessarily regular, S-box and the other for a regular S-box).