Cryptology ePrint Archive: Report 2003/184

What do DES S-boxes Say to Each Other ?

Nicolas T. Courtois and Guilhem Castagnos and Louis Goubin

Abstract: DES is not only very widely implemented and used today, but triple DES and other derived schemes will probably still be around in ten or twenty years from now. We suggest that, if an algorithm is so widely used, its security should still be under scrutiny, and not taken for granted. In this paper we study the S-boxes of DES. Many properties of these are already known, yet usually they concern one particular S-box. This comes from the known design criteria on DES, that strongly suggest that S-boxes have been chosen independently of each other. On the contrary, we are interested in properties of DES S-boxes that concern a subset of two or more DES S-boxes. For example we study the properties related to Davies-Murphy attacks on DES, recall the known uniformity criteria to resist this attack, and discuss a stronger criterion. More generally we study many different properties, in particular related to linear cryptanalysis and algebraic attacks. The interesting question is to know if there are any interesting properties that hold for subsets of S-boxes bigger than 2. Such a property has already been shown by Shamir at Crypto'85 (and independently discovered by Franklin), but Coppersmith et al. explained that it was rather due to the known S-box design criteria. Our simulations confirm this, but not totally. We also present several new properties of similar flavour. These properties come from a new type of algebraic attack on block ciphers that we introduce. What we find is not easily explained by the known S-box design criteria, and the question should be asked if the S-boxes of DES are related to each other, or if they follow some yet unknown criteria. Similarly, we also found that the s5DES S-boxes have an unexpected common structure that can be exploited in a certain type of generalised linear attack. This fact substantially decreases the credibility of s5DES as a DES replacement. This paper has probably no implications whatsoever on the security of DES.

Category / Keywords: secret-key cryptography / DES, S-box design, algebraic attacks on block ciphers

Publication Info: not published so far

Date: received 8 Sep 2003, last revised 4 May 2004

Contact author: courtois at minrank org

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: For DES, claims have beed revised, the observed properties are clearly not half as exceptionnal as they look. For S5DES the properties discovered have now allowed to propose extremely good bi-linear characterstics for reduced versions of S5DES.

Version: 20040504:173321 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]