Score:1

Is it possible to use words of bits as entries in S-Boxes bigger than 4/8 bits and achieve similar security/speed in SPN block ciphers?


Blowfish splits a 32-bit word into 4 sets of 8 bits (1 byte) and uses them as entries in its S-Boxes.

Kuznyechik splits two 64-bit words into many nibbles (4-bit chunks), uses them as entries in its S-Boxes and XORs each modified nibble with the next nibble in their sequence.

Kalyna does the same as Kuznyechik but it uses entire bytes instead of nibbles.

My question is:

Can entire words (32 or 64 bits) be used as entries in an S-Box set, as well as 1 byte or a nibble, and still retain some security?

And about the speed of a cipher created like this, would entire words entered as entries in S-Boxes be processed at the same speed as 1 byte or a single nibble?

fgrieu:
Hint: what would be the memory size required for an arbitrary S-box with 64-bit input and, say, 4-bit output?
Score:3

There's an ambiguity in the term S-box as to whether it means a general look-up table or specifically a bijective substitution function. I've seen both uses.

If we mean a general look-up table, then there are examples of ciphers that use 32-bit words as entries. A good example is MARS which uses a 512-long table of 32-bit values. MARS was one of the AES finalists and so has had cryptanalytic attention but no significant security weaknesses have been found that I know of. If I recall correctly though, MARS was not as efficient as AES.

If we mean a bijective substitution function, as @fgrieu comments, memory constraints mean that large look-up tables are not feasible. However, in the recent Chinese Association for Cryptographic Research block cipher competition, one of the entries, SPRING, implemented a bijective 32-bit function in hardware as a component of the block cipher, and this component was described as an S-box despite not being implemented as a look-up table. I don't know how much analysis has been done of SPRING, but I'm not aware of any sub-exhaustive attacks. In terms of performance, the SPRING authors claim that their design is particularly suited to hardware implementation and give competitive timing data.

An argument against large S-boxes is that they are harder to analyse than the typical 4-bit and 8-bit S-boxes. Cryptographers require that S-boxes have strong non-linear properties to resist linear and difference cryptanalysis and these properties can be exhaustively tested for a given 4-bit or 8-bit S-box (indeed Saarinen has essentially exhausted all possible 4-bit S-boxes to find the ones with the best properties). Such exhaustive testing is very expensive for large S-boxes and the computation to find a good, large S-box can be prohibitive.
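
The exhaustive test described in the answer, together with the table-size arithmetic behind the comment's hint, as an added example (not code from the answer or from any cipher's reference implementation). It assumes the 4-bit S-box of the PRESENT cipher as sample input, which the page does not mention, and all function names are hypothetical.

```python
# Added example: exhaustive differential/linear profile of a small S-box.
# Assumption: PRESENT's 4-bit S-box is used as the sample input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY = list(range(16))  # constructed: a purely linear "S-box" for contrast

def differential_uniformity(sbox):
    """Largest difference-distribution-table entry over nonzero input differences."""
    size, worst = len(sbox), 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst

def parity(v):
    return bin(v).count("1") & 1

def linearity(sbox):
    """Largest |Walsh coefficient| over input masks a and nonzero output masks b."""
    size, worst = len(sbox), 0
    for b in range(1, size):
        for a in range(size):
            w = sum(1 - 2 * (parity(a & x) ^ parity(b & sbox[x]))
                    for x in range(size))
            worst = max(worst, abs(w))
    return worst

def table_bytes(bits_in, bits_out):
    """Storage for an arbitrary look-up table with the given input/output widths."""
    return (2 ** bits_in) * bits_out // 8

def ddt_steps(bits):
    """Number of (dx, x) pairs the differential scan above has to visit."""
    return (2 ** bits - 1) * 2 ** bits

if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("identity", IDENTITY)):
        print(name, differential_uniformity(box), linearity(box))
    for n_in, n_out in ((4, 4), (8, 8), (32, 32), (64, 4)):
        print(f"{n_in}->{n_out} bits: {table_bytes(n_in, n_out)} bytes,",
              f"DDT scan {ddt_steps(n_in)} steps")
```

Lower values of both measures are better; the identity mapping reaches the maximum of 16 in each, while the scan cost grows as roughly 2^(2n) with the input width n.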
