
2009 International Conference on Electronic Commerce and Business Intelligence

A Software for S-box Performance Analysis and Test


Yong Wang, Qing Xie
College of Economy and Management
Chongqing University of Posts and Telecommunications
Chongqing, China
wangyong_cqupt@163.com

Yuntao Wu, Bing Du
College of Computer Science
Chongqing University of Posts and Telecommunications
Chongqing, China

Abstract: The S-box (substitution box) is one of the core components of a block cipher and plays an important role in the process of encrypting plaintext. In this paper, the performance indexes of the S-box are summarized and analyzed, and the corresponding numeric methods for calculating them are presented. Then software is developed which can not only calculate the performance indexes of an S-box but also find the ones that satisfy the performance requirements among a large number of S-boxes. Based on the simulation test, the conclusion can be drawn that the software is very useful as an aid to S-box research and gives good support to the design of block ciphers with high security.

Keywords: S-box; Block cipher; E-business Security

978-0-7695-3661-3/09 $25.00 © 2009 IEEE. DOI 10.1109/ECBI.2009.15

I. INTRODUCTION

With the development and popularization of computers and networks, E-business security has become the common focus of both academia and enterprises. Cryptography, as one of the most important fields of information security, always attracts the interest of researchers. In general, there are two major classes of cryptosystems: stream ciphers and block ciphers. In a block cipher, the S-box is one of the important components. It was first presented in the encryption algorithm Lucifer and became popular with the wide use of DES. Nine algorithms among the 15 candidates of AES employ S-boxes. Today, in many encryption algorithms, the S-box is the only nonlinear component providing the function of confusion and diffusion. In some ways, the security of the S-box determines the security of the whole cryptosystem. How to evaluate the security of an S-box and design S-boxes with high performance is still one of the key issues in block ciphers.
The remainder of this paper is organized as follows. In Section II, the performance indexes are summarized and analyzed, and the corresponding calculating methods are presented. In Section III, the performance analysis software is developed, which can also be used to select the S-boxes satisfying the performance requirements from a large number of S-boxes. Finally, conclusions are drawn in Section IV.

II. PERFORMANCE INDEXES OF S-BOX

To avoid the suspicion that an S-box may contain some loophole, NSA gave some rules on how to evaluate the cryptographic properties of S-boxes [1]. Since then, a lot of work has been done on designing and evaluating S-boxes [2-7]. The following performance indexes are widely accepted as important properties that are necessary for cryptographically strong S-boxes.

A. Nonlinearity
Definition 1. Suppose $f(x): F_2^n \to F_2$ is a Boolean function; the nonlinearity $N_f$ of $f(x)$ is given below:

$$N_f = \min_{l \in L_n} d_H(f, l) \tag{1}$$

where $L_n$ is the set of affine functions and $d_H(f, l)$ is the Hamming distance between $f$ and $l$.
Definition 2. Suppose $S(x): F_2^n \to F_2^m$ is a multi-output function; the nonlinearity of $S(x)$ can be defined as below:

$$N_S = \min_{l \in L_n,\ 0 \neq u \in F_2^m} d_H(u \cdot S(x), l(x)) \tag{2}$$

where $u \cdot S(x)$ is the dot product of $u$ and $S(x)$. For the convenience of calculation, we can get the nonlinearity by calculating the Walsh spectrum.
Definition 3. The Walsh spectrum is defined as below:

$$S_{\langle f \rangle}(\omega) = \sum_{x \in GF(2^n)} (-1)^{f(x) \oplus x \cdot \omega} \tag{3}$$

where $\omega \in GF(2^n)$ and $x \cdot \omega$ is the dot product between $x$ and $\omega$. So the nonlinearity can also be calculated according to Eq. (4):

$$N_f = 2^{n-1}\left(1 - 2^{-n} \max_{\omega \in GF(2^n)} \left| S_{\langle f \rangle}(\omega) \right|\right) \tag{4}$$
B. The strict avalanche criterion


The strict avalanche criterion (SAC) was first introduced
by Webster and Tavares. It means that if a function satisfies
the strict avalanche criterion, each of its output bits should
change with a probability of a half whenever a single input
bit x is complemented. In order to ascertain whether a given
S-box fulfills the strict avalanche criterion (SAC), an
efficient method was introduced in [3] and shown as follows:
Step 1. An n-bit random plaintext vector X is generated and its corresponding m-bit ciphertext Y is obtained by substitution.
Step 2. The set of n vectors $(X_1, X_2, \ldots, X_n)$ is formed such that $X$ and $X_j$ differ only in bit j. The ciphertext vectors $(Y_1, Y_2, \ldots, Y_n)$ are then found, where $Y_j = f(X_j)$, and they are used to obtain the set of m-bit binary avalanche vectors $(V_1, V_2, \ldots, V_n)$ such that $V_j = Y \oplus Y_j$.
Step 3. The value of bit i in $V_j$ (either a 1 or 0) is added to element $a_{i,j}$ in the $m \times n$ dependence matrix.
Step 4. Randomly generate plaintext vectors X and repeat Steps 1-3 a large number r of times. Finally, each element in the matrix is divided by r.
If each element and the mean value of the matrix are both
close to the ideal value 0.5, the S-box approximately fulfills
the SAC.
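Added example (not the authors' code) of Steps 1-4 above. The sample input is the 4-bit S-box of the PRESENT cipher, chosen here because its dependence matrix contains elements equal to 1.0, so the check visibly fails; the tolerance `tol`, the fixed seed and all names are assumptions of this example.

```cpp
#include <algorithm>
#include <cmath>
#include <random>
#include <vector>

using Matrix = std::vector<std::vector<double>>;

// Constructed sample input (not from the paper): the 4-bit S-box of the PRESENT cipher.
const std::vector<int> PRESENT = {0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2};

// Steps 1-4: A[i][j] estimates the probability that output bit i flips when
// input bit j is complemented. S maps n-bit inputs to m-bit outputs; r is the trial count.
Matrix sac_matrix(const std::vector<int>& S, int n, int m, int r, unsigned seed = 1) {
    Matrix A(m, std::vector<double>(n, 0.0));
    std::mt19937 rng(seed);                          // fixed seed keeps runs repeatable
    for (int t = 0; t < r; ++t) {
        int X = (int)(rng() & ((1u << n) - 1));      // Step 1: random n-bit plaintext X
        int Y = S[X];                                //         and its ciphertext Y
        for (int j = 0; j < n; ++j) {
            int V = Y ^ S[X ^ (1 << j)];             // Step 2: V_j = Y xor Y_j
            for (int i = 0; i < m; ++i)
                A[i][j] += (V >> i) & 1;             // Step 3: add bit i of V_j to a_{i,j}
        }
    }
    for (auto& row : A)
        for (double& a : row) a /= r;                // Step 4: divide every element by r
    return A;
}

// Mean of the matrix, and the largest distance of any element from the ideal 0.5.
double sac_mean(const Matrix& A) {
    double sum = 0.0; int cnt = 0;
    for (const auto& row : A) for (double a : row) { sum += a; ++cnt; }
    return sum / cnt;
}
double sac_max_deviation(const Matrix& A) {
    double d = 0.0;
    for (const auto& row : A) for (double a : row) d = std::max(d, std::fabs(a - 0.5));
    return d;
}

// Acceptance test from the text: every element and the mean lie within tol of 0.5.
bool fulfills_sac(const Matrix& A, double tol) {
    return sac_max_deviation(A) <= tol && std::fabs(sac_mean(A) - 0.5) <= tol;
}
```

For this sample, flipping input bit 0 or input bit 3 always flips output bit 0, which a nonlinearity or differential check alone does not reveal.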

C. The output bits independence criterion

The output bits independence criterion (BIC) was also first introduced by Webster and Tavares [3], and is another desirable property for any cryptographic design. It means that all the avalanche variables should be pair-wise independent for a given set of avalanche vectors generated by the complementing of a single plaintext bit. In order to measure the degree of independence between a pair of avalanche variables, we can calculate their correlation coefficient. For two variables A and B,

$$\rho\{A, B\} = \frac{\mathrm{cov}\{A, B\}}{\sigma\{A\}\,\sigma\{B\}} \tag{5}$$

where $\rho\{A, B\}$ is the correlation coefficient of A and B, and $\mathrm{cov}\{A, B\}$ is the covariance of A and B, i.e. $\mathrm{cov}\{A, B\} = E\{AB\} - E\{A\}E\{B\}$ and $\sigma^2\{A\} = E\{A^2\} - (E\{A\})^2$.
In Ref. [3], it is pointed out that for the Boolean functions $f_j$ and $f_k$ ($j \neq k$) of two output bits in an S-box, if the S-box meets BIC, $f_j \oplus f_k$ ($j \neq k$, $1 \le j, k \le n$) should be highly nonlinear and come as close as possible to satisfying the SAC. Therefore, we can also verify the BIC by calculating the SAC and nonlinearity of $f_j \oplus f_k$.

D. Differential Approximation Probability
The nonlinear transformation S-box should ideally have differential uniformity. An input differential $\Delta x_i$ should uniquely map to an output differential $\Delta y_i$, thereby ensuring a uniform mapping probability for each i. The differential approximation probability of a given S-box (i.e. $DP^s$) is a measure for differential uniformity and is defined as

$$DP^s(\Delta x \to \Delta y) = \frac{\#\{x \in X \mid S(x) \oplus S(x \oplus \Delta x) = \Delta y\}}{2^m} \tag{6}$$

where X is the set of all possible input values, and $2^m$ is the number of its elements.

E. Linear Approximation Probability

The linear approximation probability is the maximum value of the imbalance of an event: the parity of the input bits selected by the mask $\Gamma x$ is equal to the parity of the output bits selected by the mask $\Gamma y$. According to Matsui's original definition [9], the linear approximation probability (or probability of bias) of a given S-box is defined as

$$LP = \max_{\Gamma x,\ \Gamma y \neq 0} \left| \frac{\#\{x \mid x \cdot \Gamma x = S(x) \cdot \Gamma y\}}{2^n} - \frac{1}{2} \right| \tag{7}$$

where $\Gamma x$ and $\Gamma y$ are the input and output masks, respectively; X is the set of all possible inputs; and $2^n$ is the number of its elements.

F. The bijective property

For an $n \times n$ S-box, a method is introduced in Ref. [6] to check the bijective property. If the Boolean functions $f_i$ ($1 \le i \le n$) of an S-box are such that

$$wt\left(\sum_{i=1}^{n} a_i f_i\right) = 2^{n-1} \tag{8}$$

where $a_i \in \{0, 1\}$, $(a_1, a_2, \ldots, a_n) \neq (0, 0, \ldots, 0)$ and wt() is the Hamming weight, this allows us to say that every $f_i$ is basically required to be 0/1 balanced and the S-box is bijective.

III. THE SOFTWARE FOR TESTING S-BOX

A. The software design


In this paper, the software for S-box performance analysis is developed using VS.net. Based on the formulas or numeric methods in Section II, each performance index is implemented as a function in unmanaged C++ for high efficiency. The head of each function and the corresponding description are as follows:
int Nonlinearity(int BoolF[],int dim)
/* This function is used to obtain the nonlinearity of the S-box. Parameter BoolF is the Boolean function; parameter dim is the dimension of the Boolean function. */
void SAC(int S[], int count, float A[][COL])
/* This function is used to calculate the dependence matrix. Parameter S represents the S-box; parameter count represents the count of elements in array S; parameter A is used to store the calculation results. */
float DP(int S[], int count)
/* This function is used to calculate the differential approximation probability of the S-box. Parameter S represents the S-box; parameter count represents the count of elements in array S. */
float LP(int S[], int count)
/* This function is used to calculate the linear approximation probability. The parameters are the same as those of function DP. */
int Bijection(int S[], int count)
/* This function is used to check whether the S-box satisfies the bijective property. The parameters are the same as those of function DP. */
For the BIC index, we judge whether the S-box satisfies this property by calling the functions Nonlinearity() and SAC().
In order to make full use of the functions mentioned above, all of them are compiled as DLLs.
The user interface of the test software is implemented in C#, because it is highly efficient for designing graphical interfaces. In the design of the software, the index functions and the user interface are two independent parts. This not only makes full use of the merits of unmanaged C++ and C#, but also means that when one part of the software is amended, the other part does not need to be modified, provided the communication interface between them is not changed.
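One way the DP, LP and Bijection functions listed above could be written from Eqs. (6)-(8), as an added example rather than the authors' DLL code. It assumes an n x n S-box with count = 2^n, assumes that DP and LP report the maximum over all nonzero differences or masks, and uses the 4-bit PRESENT S-box plus a constructed non-bijective variant as sample input.

```cpp
#include <algorithm>
#include <cstdlib>
#include <vector>

static int parity(int v) { int p = 0; for (; v; v &= v - 1) p ^= 1; return p; }

// Eq. (6): largest count of x with S(x) ^ S(x ^ dx) == dy over dx != 0 and all dy, over count.
float DP(int S[], int count) {
    int best = 0;
    for (int dx = 1; dx < count; ++dx) {
        std::vector<int> row(count, 0);              // one row of the difference table
        for (int x = 0; x < count; ++x)
            best = std::max(best, ++row[S[x] ^ S[x ^ dx]]);
    }
    return (float)best / count;
}

// Eq. (7): largest |#{x : x.gx == S(x).gy} / count - 1/2| over nonzero masks gx, gy.
float LP(int S[], int count) {
    int best = 0;
    for (int gy = 1; gy < count; ++gy)
        for (int gx = 1; gx < count; ++gx) {
            int hits = 0;
            for (int x = 0; x < count; ++x)
                hits += parity(x & gx) == parity(S[x] & gy);
            best = std::max(best, std::abs(hits - count / 2));
        }
    return (float)best / count;
}

// Eq. (8): 1 if every nonzero combination of the output bits has Hamming weight count/2.
int Bijection(int S[], int count) {
    for (int a = 1; a < count; ++a) {
        int wt = 0;
        for (int x = 0; x < count; ++x) wt += parity(S[x] & a);
        if (wt != count / 2) return 0;
    }
    return 1;
}

// Constructed sample inputs (not from the paper): the PRESENT 4-bit S-box, and a copy
// whose entry 1 was overwritten with entry 0's value so that it is no longer bijective.
int PRESENT_SBOX[16] = {0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2};
int COLLIDING[16]    = {0xC, 0xC, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2};
```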

B. The software introduction

The software for S-box performance analysis has the following two main functions.
Function 1: calculates the performance indexes for the given S-box.
Function 2: selects the ones satisfying the performance requirement from a large number of S-boxes, which can be used to find S-boxes with high performance.
The MDI graphic interface is employed in this software and shown in Figures 1 and 2. The software is very useful for evaluating the S-box and aiding the design of the block cipher.

Figure 1. The user interface of evaluating single S-box

Figure 2. The user interface of selecting S-boxes satisfying the performance requirement

C. Simulation Test
The S-box presented in AES is used as the test example. The performance indexes of this S-box are calculated by using our software. The results are shown in Figures 3-8. By comparing with the corresponding data presented in Ref. [10], we may conclude that the results given by our software are correct.

Figure 3. The results of nonlinearity

Figure 4. The results of SAC

Figure 5. The differential approximation probability

IV. CONCLUSION

In this paper, the performance properties of S-box are summarized. The corresponding formulas or numeric method for calculating them are presented. Then, the software for testing the performance indexes of S-box is developed, which is very useful to evaluate the S-box and find the ones with high cryptographic performance. It is a good tool to aid the S-box research and the design of the block cipher.

V. ACKNOWLEDGEMENTS

The work described in this paper was supported by the National Natural Science Foundation of China (No. 60703035), the Foundation of Chongqing Education Committee (No.KJ070503), the Natural Science Foundation of CQ CSTC and the Natural Science Foundation of Chongqing University of Posts and Telecommunications (A2007-26).

Figure 6. The linear approximation probability

REFERENCES
[1] Branstad D.K., Gait J. and Katzke S., "Report on the Workshop on Cryptography in Support of Computer Security", NBSIR, 1977.
[2] Adams C.M., Tavares S.E., "The Structured Design of Cryptographically Good S-Boxes", Journal of Cryptology, Vol. 3, No. 1, 1990, pp. 27-41.
[3] Webster A.F. and Tavares S.E., "On the Design of S-Boxes", in Advances in Cryptology: Proc. of CRYPTO'85, Springer-Verlag, New York, 1986, pp. 523-534.
[4] Adams C., Tavares S., "Good S-boxes Are Easy to Find", Advances in Cryptology, Proc. of CRYPTO'89, Lecture Notes in Computer Science, 1989, pp. 612-615.
[5] Dawson M. and Tavares S.E., "An Expanded Set of S-Box Design Criteria Based on Information Theory and its Relation to Differential-Like Attacks", in Advances in Cryptology: Proc. of Eurocrypt'91, Springer-Verlag, 1991, pp. 352-367.
[6] Detombe J., Tavares S., "Constructing Large Cryptographically Strong S-boxes", Advances in Cryptology, Proc. of CRYPTO'92, Lecture Notes in Computer Science, 1992, pp. 165-181.
[7] Fuller Joanne, Millan William, "On Linear Redundancy in the AES S-Box", http://eprint.iacr.org/2002/111.ps.gz.
[8] Muhammad Asim and Varun Jeoti, "Efficient and Simple Method for Designing Chaotic S-Boxes", ETRI Journal, vol. 30, no. 1, Feb. 2008, pp. 170-172.
[9] M. Matsui, "Linear Cryptanalysis Method of DES Cipher", Advances in Cryptology, Proc. Eurocrypt'93, LNCS 765, 1994, pp. 386-397.
[10] "Announcing the advanced encryption standard (AES)", http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Figure 7. The nonlinearity in BIC

Figure 8. The dependent matrix in BIC
