3

I read about linear cryptanalysis and about S-boxes, and that there is no ideal S-box (an ideal S-box is a random S-box, in other words an S-box where the bias of input and output bits is zero). Then I read about the implementation of S-boxes in this post and understood that an S-box is implemented with lookup tables. Then I read this post (e-sushi's answer) about the non-linearity and randomness aspects of S-boxes:

And you can trust in the fact that the chances that you’ll manage to create a good s-box randomly by using your current criteria are very minimal… very, very minimal!

But I don't understand why there isn't any random (ideal) S-box. Why can't lookup tables implement a random S-box? What is the restriction (limitation) for it?

1 Answer

3

It is important to understand that although a very large random function will only have linear biases with very low probability, this is simply not true of small random functions. If you choose a small random function, then it is unlikely that you will get one that is suitable for block cipher constructions. In addition, it is not enough to construct an S-box with low linear biases; one must also take into account differential cryptanalysis, and more.

Having said all of the above, this does raise an interesting question. Can we even define an ideal S-box? This doesn't necessarily mean we could find one; for example, the AES S-box has an 8-bit input and 8-bit output. This means that there are $2^{128}$ possible functions of this type, and this cannot be enumerated. Nevertheless, I would be interested to know if an "ideal" construction even exists, in terms of our best cryptanalysis knowledge.

Yehuda Lindell
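The answer's point about small random functions can be measured directly. The following is an added example, not part of the original question or answer: it builds the linear approximation table of random 4-bit bijective S-boxes and reports the largest bias, and it checks Parseval's relation, which forces every nonzero output mask to carry some nonzero bias. The 4-bit size, the function names and the seed are assumptions chosen here for a fast run.

```python
import random

def lat(sbox, n):
    """Linear approximation table: lat[a][b] = #{x : a.x == b.S(x)} - 2^(n-1)."""
    size = 1 << n
    parity = [bin(v).count("1") & 1 for v in range(size)]
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            agree = sum(parity[a & x] == parity[b & sbox[x]] for x in range(size))
            table[a][b] = agree - size // 2
    return table

def max_bias(sbox, n):
    """Largest |Pr[a.x == b.S(x)] - 1/2| over all input masks a and output masks b != 0."""
    size = 1 << n
    t = lat(sbox, n)
    return max(abs(t[a][b]) for a in range(size) for b in range(1, size)) / size

def parseval_holds(sbox, n):
    """For each output mask b, the squared Walsh values (2*lat) sum to 2^(2n).
    For b != 0 this sum is positive, so a table of all-zero biases cannot exist."""
    size = 1 << n
    t = lat(sbox, n)
    return all(sum((2 * t[a][b]) ** 2 for a in range(size)) == size * size
               for b in range(size))

def random_sbox_biases(n, trials, seed=1):
    """Max bias of `trials` random n-bit permutations (constructed sample data)."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        sbox = list(range(1 << n))
        rng.shuffle(sbox)
        results.append(max_bias(sbox, n))
    return results

if __name__ == "__main__":
    biases = random_sbox_biases(4, 200)
    for value in sorted(set(biases)):
        print(f"max bias {value:.4f}: {biases.count(value)} of {len(biases)} S-boxes")
    print("identity S-box max bias:", max_bias(list(range(16)), 4))
```

Running it prints how the maximum bias is distributed over the random S-boxes; no S-box in the sample can fall below 0.125, the floor that Parseval's relation gives for 4 bits.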