On the Difficulty of Constructing Cryptographically Strong Substitution Boxes

Two signi cant recent advances in cryptanalysis, namely the di erential attack put forward by Biham and Shamir [BS91] and the linear attack by Matsui [Mat94a, Mat94b], have had devastating impact on data encryption algorithms. An eminent problem that researchers are facing is to design S-boxes or substitution boxes so that an encryption algorithm that employs the S-boxes is immune to the attacks. In this paper we present evidence indicating that there are many pitfalls on the road to achieve the goal. In particular, we show that certain types of S-boxes which are seemingly very appealing do not exist. We also show that, contrary to previous perception, techniques such as chopping or repeating permutations do not yield cryptographically strong S-boxes. In addition, we reveal an important combinatorial structure associated with certain quadratic permutations, namely, the di erence distribution table of each di erentially 2-uniform quadratic permutation embodies a Hadamard matrix. As an application of this result, we show that chopping a di erentially 2-uniform quadratic permutation results in an S-box that is very prone to the di erential cryptanalytic attack.