On the Difficulty of Constructing Cryptographically Strong Substitution Boxes 1 Basic Definitions

Authors

  • Xian-Mo Zhang
  • Yuliang Zheng
Abstract

Two significant recent advances in cryptanalysis, namely the differential attack put forward by Biham and Shamir [BS91] and the linear attack by Matsui [Mat94a, Mat94b], have had devastating impact on data encryption algorithms. An eminent problem that researchers are facing is to design S-boxes or substitution boxes so that an encryption algorithm that employs the S-boxes is immune to the attacks. In this paper we present evidence indicating that there are many pitfalls on the road to achieve the goal. In particular, we show that certain types of S-boxes which are seemingly very appealing do not exist. We also show that, contrary to previous perception, techniques such as chopping or repeating permutations do not yield cryptographically strong S-boxes. In addition, we reveal an important combinatorial structure associated with certain quadratic permutations, namely, the difference distribution table of each differentially 2-uniform quadratic permutation embodies a Hadamard matrix. As an application of this result, we show that chopping a differentially 2-uniform quadratic permutation results in an S-box that is very prone to the differential cryptanalytic attack.

Denote by $V_n$ the vector space of $n$ tuples of elements from GF(2). Let = $(a_1, \ldots, a_n)$ and = $(b_1, \ldots, b_n)$ be two vectors in $V_n$. The scalar product of and , denoted by h; i, is defined by h; i = a 1 b 1 a n b n , where multiplication and addition are over GF(2). In this paper we consider Boolean functions from $V_n$ to GF(2) (or simply functions on $V_n$). Let $f$ be a function on $V_n$. 1). $f$ is said to be balanced if its truth table has $2^{n-1}$ zeros (ones), and quadratic if its algebraic degree is 2. An affine function $f$ on $V_n$ is a function that takes the form of f = a 1 x 1 a n x n c, where $a_j, c \in$ GF(2), $j = 1, 2, \ldots, n$. Furthermore $f$ is called a linear function if $c = 0$. The sequence of an affine (or linear) function is called an affine (or linear) sequence.

A $(1, -1)$-matrix $H$ of order $m$ is called a Hadamard matrix if $HH^t = mI_m$, where $H^t$ is the transpose of $H$ and $I_m$ is the identity matrix of order $m$. …
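The abstract's claims about difference distribution tables can be checked numerically. The following is an added example, not code from the paper: it assumes the cube map x^3 over GF(2^5) (modulus x^5 + x^2 + 1) as the quadratic permutation, and the way the ±1 matrix is read off the table (first row all ones, entry 1 minus the table value elsewhere) is a choice made here, since the abstract does not spell out the construction.

```python
# Added example: x^3 over GF(2^n), n odd, is an assumed stand-in for a
# differentially 2-uniform quadratic permutation; it is not taken from the paper.
def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n) modulo the irreducible polynomial poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> n:          # degree reached n: reduce
            a ^= poly
        b >>= 1
    return r

def cube_sbox(n, poly):
    return [gf_mul(x, gf_mul(x, x, n, poly), n, poly) for x in range(1 << n)]

def ddt(sbox, out_bits):
    """Difference distribution table: row = input difference, column = output difference."""
    table = [[0] * (1 << out_bits) for _ in sbox]
    for a in range(len(sbox)):
        for x in range(len(sbox)):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def uniformity(table):
    """Largest entry over all nonzero input differences."""
    return max(max(row) for row in table[1:])

def hadamard_from_ddt(table):
    """Assumed mapping: row 0 becomes all ones; elsewhere 0 -> +1 and 2 -> -1."""
    return [[1] * len(table)] + [[1 - v for v in row] for row in table[1:]]

def is_hadamard(h):
    m = len(h)
    return all(sum(p * q for p, q in zip(h[i], h[j])) == (m if i == j else 0)
               for i in range(m) for j in range(m))

def chop(sbox, keep_bits):
    """Chopping: keep only the low keep_bits output bits."""
    return [y & ((1 << keep_bits) - 1) for y in sbox]

N, POLY = 5, 0b100101                 # GF(2^5), x^5 + x^2 + 1
SBOX = cube_sbox(N, POLY)
FULL = ddt(SBOX, N)
CHOPPED = ddt(chop(SBOX, 3), 3)       # 5-bit input, 3-bit output

if __name__ == "__main__":
    print("uniformity of x^3:", uniformity(FULL))
    print("Hadamard matrix from DDT:", is_hadamard(hadamard_from_ddt(FULL)))
    print("max DDT entry after chopping to 3 bits:", uniformity(CHOPPED), "of", 1 << N)
```

After chopping, some input difference produces a given output difference for 8 of the 32 inputs, twice the 4 that an even spread over 8 output differences would give.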


Similar resources

Practical Bijective S-box Design

Vectorial Boolean functions are usually called Substitution Boxes (S-Boxes) and are used as basic component of block ciphers in Cryptography. The ciphers that are Substitution-permutation networks use bijective S-Boxes i.e., Boolean permutations. S-Boxes with low differential uniformity and high nonlinearity are considered as cryptographically strong. In this paper we study some properties of S...


On the Difficulty of Constructing Cryptographically Strong Substitution Boxes

Two significant recent advances in cryptanalysis, namely the differential attack put forward by Biham and Shamir BS and the linear attack by Matsui Mat a, Mat b, have had devastating impact on data encryption algorithms. An eminent problem that researchers are facing is to design S-boxes or substitution boxes so that an encryption algorithm that employs the S-boxes is immune to the attacks. In this ...


On the Difficulty of Constructing Cryptographically Strong Substitution Boxes

Two significant recent advances in cryptanalysis, namely the differential attack put forward by Biham and Shamir [BS91] and the linear attack by Matsui [Mat94a, Mat94b], have had devastating impact on data encryption algorithms. An eminent problem that researchers are facing is to design S-boxes or substitution boxes so that an encryption algorithm that employs the S-boxes is immune to the attack...


Rotation-k Affine-Power-Affine-like Multiple Substitution-Boxes for Secure Communication

Substitution boxes with thorough cryptographic strengths are essential for the development of strong encryption systems. They are the only portions capable of inducing nonlinearity in symmetric encryption systems. Bijective substitution boxes having both high nonlinearities and high algebraic complexities are the most desirable to thwart linear, differential and algebraic attacks. In this paper...


A Novel Approach for Designing Dynamical S-Boxes Using Hyperchaotic System

In the information security field, the substitution boxes (S-boxes) have been extensively used in many cryptographic systems. This paper presents a novel approach for generating dynamically cryptographically S-boxes using a four-dimensional hyperchaotic Lorenz system. Within the algorithm, the initial condition is employed to drive the hyper-chaotic system to generate a chaotic sequence which i...



Publication date: 1996