Dierential Distribution Tables and Other Properties of Substitution Boxes

Due to the success of dierential and linear attacks on a large number of encryption algorithms, it is important t o investigate relationships among the various cryptographic, including dierential and linear, characteristics of an S-box (substitution box). After discussing a precise relationship among three tables, namely the dierence, auto-correlation and correlation immunity distribution tables, of an S-box, we develop a number of results on various properties of S-boxes. These results include: (1) an interesting equivalence relationship between a regular (balanced) S-box and a t i g h t l o wer bound on the sum of elements in the leftmost column of its dierential distribution table, (2) a proof for the nonexistence of quadratic S-boxes with a uniformly half-occupied dierence distribution table for the case of n > = 2m01. This serves as a piece of evidence that further supports an important and unproven conjecture, namely, for all n > m, there exist no n 2 m S-boxes with a uniformly half-occupied dierence distribution table. Prior to this work, the best known result that supports the conjecture is that there exist no quadratic S-boxes with a uniformly half-occupied dierence distribution table if n or m is even, (3) a non-trivial and tight l o wer bound on the differential uniformity of an S-box, and (4) two upper bounds on the nonlinearity o f S-b o xes (one for a general, not necessarily regular, S-box and the other for a regular S-box). I Introduction This paper deals with n 2 m S-boxes with n > m. Success of the notable dierential cryptanalysis on various block ciphers [4, 5] has motivated researchers to investigate properties of the dierence distribution tables of S-boxes. A core topic in the endeavor is to nd out relationships between dierential distribution tables and other properties of S-boxes. In this paper we r s t i n troduce two additional tables associated with an S-box, these being the auto-correlation and correlation immunity distribution tables. Then we establish a precise relationship among the three tables of an S-box (i.e., the dierence, auto-correlation and correlation immunity distribution tables). With this relationship as a basis, we s h o w t h a t an S-box is regular (or balanced) if and only if the sum of the values in the left-most column of its dierent distribution table is 2 2n0m. In a sense, this result complements a well-known fact about …