# Substitution box

﻿
Substitution box

In cryptography, a substitution box (or S-box) is a basic component of symmetric key algorithms. In block ciphers, they are typically used to obscure the relationship between the plaintext and the ciphertext &mdash; Shannon's property of confusion. In many cases, the S-boxes are carefully chosen to resist cryptanalysis.

In general, an S-box takes some number of input bits, "m", and transforms them into some number of output bits, "n": an "m"&times;"n" S-box can be implemented as a lookup table with 2"m" words of "n" bits each. Fixed tables are normally used, as in the Data Encryption Standard (DES), but in some ciphers the tables are generated dynamically from the key; e.g. the Blowfish and the Twofish encryption algorithms. Bruce Schneier describes IDEA's modular multiplication step as a key-dependent S-box.

One good example is this 6&times;4-bit S-box from DES (S5):

Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits, and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001".

The 8 S-boxes of DES were the subject of intense study for many years out of a concern that a "backdoor" &mdash; a vulnerability known only to its designers &mdash; might have been planted in the cipher. The S-box design criteria were eventually published (Don Coppersmith, 1994) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack. Other research had already indicated that even small modifications to an S-box could significantly weaken DES.

There has been a great deal of research into the design of good S-boxes, and much more is understood about their use in block ciphers than when DES was released.

ee also

* Boolean function
* Nothing up my sleeve number
* Substitution cipher
* Rijndael S-box

References

* cite conference
author = Kaisa Nyberg
title = Perfect nonlinear S-boxes
booktitle = Advances in Cryptology - EUROCRYPT '91
pages = 378&ndash;386
date = 1991
location = Brighton
url = http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/E91/378.PDF
format = PDF
accessdate = 2007-02-20

* cite journal
author = Don Coppersmith
title = The Data Encryption Standard (DES) and its strength against attacks
journal = IBM Journal of Research and Development
volume = 38
issue = 3
pages = 243&ndash;250
date = 1994
url = http://www.research.ibm.com/journal/rd/383/coppersmith.pdf
format = PDF
accessdate = 2007-02-20

* cite conference
author = S. Mister and C. Adams
title = Practical S-Box Design
booktitle = Workshop on Selected Areas in Cryptography (SAC '96) Workshop Record
pages = pp. 61&ndash;76
date = 1996
location = Queens University
format = PostScript
accessdate = 2007-02-20

* cite book
last = Schneier
first = Bruce
authorlink = Bruce Schneier
title = Applied Cryptography, Second Edition
publisher = John Wiley & Sons
date = 1996
pages = 296-298, 349
id = ISBN 0-471-11709-9