Stafford E. Tavares

On the Design of S-Boxes

The ideas of completeness and the avalanche effect were first introduced by Kam and Davida [1] and Feistel [2], respectively. If a cryptographic transformation is complete, then each ciphertext bit must depend on all of the plaintext bits. Thus, if it were possible to find the simplest Boolean expression for each ciphertext bit in terms of the plaintext bits, each of those expressions would have to contain all of the plaintext bits if the function was complete. Alternatively, if there is at least one pair of n-bit plaintext vectors X and Xi that differ only in bit i, and f(X) and f(Xi) differ at least in bit j for all

The structured design of cryptographically good s-boxes

\{ (i,j)|1 \leqslant i,j \leqslant n\}

Generating and counting binary bent sequences

then the function f must be complete.

An expanded set of S-box design criteria based on information theory and its relation to differential-like attacks

We show how to create a master key scheme for controlling access to a set of services. Each master key is a concise representation for a list of service keys, such that only service keys in this list can be computed easily from the master key. Our scheme is more flexible than others, permitting hierarchical organization and expansion of the set of services.

Good S-boxes are easy to find

We describe a design procedure for the s-boxes of private key cryptosystems constructed as substitution-permutation networks (DES-like cryptosystems). Our procedure is proven to construct s-boxes which are bijective, are highly nonlinear, possess the strict avalanche criterion, and have output bits which act (vitually) independently when any single input bit is complemented. Furthermore, our procedure is very efficient: we have generated approximately 60 such 4 × 4 s-boxes in a few seconds of CPU time on a SUN workstation.

Substitution-permutation networks resistant to differential and linear cryptanalysis

Multiplication in the finite field GF(2^{m} ) has particular computational advantages in data encryption systems. This paper presents a new algorithm for performing fast multiplication in GF(2^{m} ), which is O(m) in computation time and implementation area. The bit-slice architecture of a serial-in-serial-out modulo multiplier is described and the circuit details given. The design is highly regular, modular, and well-suited for VLSI implementation. The resulting multiplier will have application in algorithms based on arithmetic in large finite fields of characteristic 2, and which require high throughput.

Avalanche characteristics of substitution-permutation encryption networks

Two general classes of binary bent sequences, bent-based and linear-based, are introduced. Algorithms that allow easy generation of bent sequences from either class are given. Based on some simple computation and a computer search, the authors conjecture a lower bound on the total number of binary bent sequences of a given order. This lower bound is exact for bent sequences of order 16; a list is included from which all such sequences can be derived. >

New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs

The security of DES-like cryptosystems depends heavily on the strength of the Substitution boxes (S-boxes) used. The design of new S-boxes is therefore an important concern in the creation of new and more secure cryptosystems. The full set of design criteria for the S-boxes of DES has never been released and a complete set has yet to be proposed in the open literature. This paper introduces a unified S-box design framework based on information theory and illustrates how it provides immunity to the differential attack.