In cryptography, an **S-box** (**substitution-box**) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext — Shannon's property of confusion.

In general, an S-box takes some number of input bits, *m*, and transforms them into some number of output bits, *n*, where *n* is not necessarily equal to *m*.^{[1]} An *m*×*n* S-box can be implemented as a lookup table with 2^{m} words of *n* bits each. Fixed tables are normally used, as in the Data Encryption Standard (DES), but in some ciphers the tables are generated dynamically from the key (e.g. the Blowfish and the Twofish encryption algorithms).

One good example of a fixed table is the S-box from DES (S_{5}), mapping 6-bit input into a 4-bit output:

S_{5} |
Middle 4 bits of input | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

0000 | 0001 | 0010 | 0011 | 0100 | 0101 | 0110 | 0111 | 1000 | 1001 | 1010 | 1011 | 1100 | 1101 | 1110 | 1111 | ||

Outer bits | 00 | 0010 | 1100 | 0100 | 0001 | 0111 | 1010 | 1011 | 0110 | 1000 | 0101 | 0011 | 1111 | 1101 | 0000 | 1110 | 1001 |

01 | 1110 | 1011 | 0010 | 1100 | 0100 | 0111 | 1101 | 0001 | 0101 | 0000 | 1111 | 1010 | 0011 | 1001 | 1000 | 0110 | |

10 | 0100 | 0010 | 0001 | 1011 | 1010 | 1101 | 0111 | 1000 | 1111 | 1001 | 1100 | 0101 | 0110 | 0011 | 0000 | 1110 | |

11 | 1011 | 1000 | 1100 | 0111 | 0001 | 1110 | 0010 | 1101 | 0110 | 1111 | 0000 | 1001 | 1010 | 0100 | 0101 | 0011 |

Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. For example, an input "**0**1101**1**" has outer bits "**01**" and inner bits "1101"; the corresponding output would be "1001".^{[2]}

The 8 S-boxes of DES were the subject of intense study for many years out of a concern that a *backdoor* — a vulnerability known only to its designers — might have been planted in the cipher. The S-box design criteria were eventually published (in Coppersmith 1994) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack. Biham and Shamir found that even small modifications to an S-box could significantly weaken DES.^{[3]}

There has been a great deal of research into the design of good S-boxes, and much more is understood about their use in block ciphers than when DES was released.^{[citation needed]}

Any S-box where each output bit is produced by a bent function of the input bits, and where any linear combination of the output bits is also a bent function of the input bits, is a **perfect S-box**.^{[4]}

## See also

- Bijection, injection and surjection
- Boolean function
- Nothing up my sleeve number
- Permutation box (P-box)
- Permutation cipher
- Rijndael S-box
- Substitution cipher

## References

This article needs additional citations for verification. (March 2009) (Learn how and when to remove this template message) |

**^**Chandrasekaran, J. et al. (2011). "A Chaos Based Approach for Improving Non Linearity in the S-Box Design of Symmetric Key Cryptosystems". In Meghanathan, N. et al.*Advances in Networks and Communications: First International Conference on Computer Science and Information Technology, CCSIT 2011, Bangalore, India, January 2-4, 2011. Proceedings, Part 2*. Springer. p. 516. ISBN 978-3-642-17877-1.CS1 maint: Uses authors parameter (link) CS1 maint: Uses editors parameter (link)**^**Buchmann, Johannes A. (2001). "5. DES".*Introduction to cryptography*(Corr. 2. print. ed.). New York, NY [u.a.]: Springer. pp. 119–120. ISBN 978-0-387-95034-1.**^**Gargiulo's "S-Box Modifications and Their Effect in DES-like Encryption Systems" Archived 2012-05-20 at the Wayback Machine p. 9.**^**RFC 4086. Section 5.3 "Using S-Boxes for Mixing"

## Further reading

- Kaisa Nyberg (1991).
*Perfect nonlinear S-boxes*(PDF). Advances in Cryptology - EUROCRYPT '91. Brighton. pp. 378–386. Retrieved 2007-02-20.^{[permanent dead link]} - Coppersmith, Don (1994). "The Data Encryption Standard (DES) and its strength against attacks".
*IBM Journal of Research and Development*.**38**(3): 243–250. doi:10.1147/rd.383.0243. - S. Mister and C. Adams (1996).
*Practical S-Box Design*. Workshop on Selected Areas in Cryptography (SAC '96) Workshop Record. Queen's University. pp. 61–76. CiteSeerX 10.1.1.40.7715. - Schneier, Bruce (1996).
*Applied Cryptography, Second Edition*. John Wiley & Sons. pp. 296–298, 349. ISBN 978-0-471-11709-4.

- Easttom, Chuck (2018).
*A Generalized Methodology for Designing Non-Linear Elements in Symmetric Cryptographic Primitives*.*IEEE Computing and Communication Workshop and Conference (CCWC), 2018 IEEE 8th Annual. IEEE*. pp. 444–449. doi:10.1109/CCWC.2018.8301643. ISBN 978-1-5386-4649-6.