# Algorithm for Generating S-Boxes with Prescribed Differential Properties

^{*}

## Abstract

**:**

## 1. Introduction

- Nonlinearity, which measures the resistance against the linear cryptanalysis [3]. Nonlinearity is computed as a minimum distance to all affine functions, which can be efficiently implemented with a Fast Walsh–Hadamard transform. Cryptographic applications require S-boxes with nonlinearity that is as high as possible.
- Differential profile, which measures the resistance against the differential cryptanalysis [4]. The differential profile measures the probability of the difference propagation, and should be as flat as possible. In this article, we focus exclusively on the differential profile. We provide more details in the following text.
- Balancedness [5], which is required to achieve uniform distribution of output bits. A balanced Boolean function has the same number of zeroes and ones in its vector of values. Note that it is easy to show that Boolean permutation (bijective vectorial Boolean function) is always balanced.
- Algebraic immunity [8], which measures the resistance against algebraic attacks on symmetric ciphers.
- Multiplicative complexity [9], which measures the complexity of the S-box implementation in terms of the number of AND gates required to implement the S-box. High multiplicative complexity means that S-box implementation in hardware is more costly. On the other hand, S-boxes with low multiplicative complexity can be weak with respect to other criteria.
- Other criteria, such as differential profile with respect to addition modulo ${2}^{n}$ [10]. This can cover special cases required by non-standard cipher designs.

## 2. Methods for Generating Cryptographic S-Boxes

- (Pseudo-)random generation
- Stochastic search
- Mathematical construction
- Construction from smaller components.

#### 2.1. Random S-Boxes

#### 2.2. Stochastic Search

#### 2.3. Mathematical Construction

#### 2.4. Construction from Smaller Components

## 3. New Algorithm for Generating S-Boxes with Prescribed Differential Properties

#### 3.1. Partial DDT

Algorithm 1 Partial DDT construction algorithm. | |

Require: $X,Y$ | {Lists defining a partial S-box of the same length l.} |

Require: $n,m$ | {S-box dimensions.} |

$PDDT\leftarrow zero\_matrix({2}^{n},{2}^{m})$ | |

for all $i\in \{0,1,\dots ,l-1\}$ do | |

for all $j\in \{0,1,\dots ,l-1\}$ do | |

$xor\_x\leftarrow X\left[i\right]\u2a01X\left[j\right]$ | |

$xor\_y\leftarrow Y\left[i\right]\u2a01Y\left[j\right]$ | |

$P[xor\_x][xor\_y]\leftarrow P[xor\_x][xor\_y]+1$ | |

end for | |

end for | |

return $PDDT$ |

**true**if the partial DDT satisfies S-box criteria and

**false**otherwise. In our analyses, we use a simple function that only checks whether $PDD{T}_{a,b}\le \delta $ for each $a,b$.

#### 3.2. General Idea of the Algorithm

Algorithm 2 Randomized algorithm to construct S-boxes with prescribed differential table. | |

Require: $n>0$, S-box input size. | |

Require: $m>0$, S-box output size. | |

Require: $satisfies\_conditions\left(\right)$, a function that returns true if partial DDT satisfies criteria. | |

Require: $limit$, the maximum number of tries. | |

$X\leftarrow \left[\right],Y\leftarrow \left[\right]$ | |

$counter\leftarrow 0$ | |

while
$len\left(X\right)<{2}^{n}$ do | |

if $counter>limit$ then | |

return ∅ | |

end if | |

$a\leftarrow {\in}_{R}{\mathbf{F}}_{2}^{n}\backslash X$ | |

$b\leftarrow {\in}_{R}{\mathbf{F}}_{2}^{m}$ | {for bijective S-box use: $b\leftarrow {\in}_{R}{\mathbf{F}}_{2}^{m}\backslash Y$} |

$PDDT\leftarrow partial\_ddt(X+[a],Y+[b\left]\right)$ | |

if $satisfies\_conditions\left(PDDT\right)$ then | |

$X.append\left(a\right)$ | |

$Y.append\left(b\right)$ | |

end if | |

$counter\leftarrow counter+1$ | |

end while | |

return
$Sbox(X,Y)$ |

#### 3.3. Main Algorithm

Algorithm 3 Depth-first search algorithm to find S-boxes with prescribed differential table. | |

Require: $n>0$, S-box input size. | |

Require: $m>0$, S-box output size. | |

Require: $satisfies\_conditions\left(\right)$, a function that returns true if partial DDT satisfies criteria. | |

$Y\leftarrow \left[\right]$ | |

for all $x\in \{0,1,\dots ,{2}^{n}-1\}$ do | |

${Y}_{x}\leftarrow shuffle\left({\mathbb{Z}}_{2}^{m}\right)$ | {Store elements in random order.} |

end for | |

x ← 0 | |

while
$x<{2}^{n}$do | |

{If bijective S-boxes are required, use $y\in {Y}_{x}-Y$ instead.} | |

for all $y\in {Y}_{x}$ do | |

$PDDT\leftarrow partial\_ddt\left(\right[0,1,\dots ,x],Y+[y\left]\right)$ | |

if $satisfies\_conditions\left(PDDT\right)$ then | |

$x\leftarrow x+1$ | {Increse depth.} |

$Y.append\left(y\right)$ | |

else | |

${Y}_{x}.remove\left(y\right)$ | {Dead end, try other branches.} |

end if | |

end for | |

{Search failed?} | |

if $x=0$ and ${Y}_{0}=\left[\right]$ then | |

return ∅ | |

end if | |

{Backtracking needed?} | |

if ${Y}_{x}=\left[\right]$ then | |

${Y}_{x}\leftarrow shuffle\left({\mathbb{Z}}_{2}^{m}\right)$ | {Reset options on this level.} |

$x\leftarrow x-1$ | {Decrease search level.} |

$y\leftarrow Y.pop\left(\right)$ | {Remove last element of Y.} |

${Y}_{x}.remove\left(y\right)$ | {Explored, no suitable successors.} |

end if | |

end while | |

return $Sbox([0,1,\dots ,{2}^{n}-1],Y)$ | {Whole S-box is determined.} |

#### 3.4. Example Run of the Algorithm

## 4. Complexity Analysis

#### 4.1. Random Generation of S-Boxes

#### 4.2. Analysis of the Algorithm 3

## 5. Experimental Results

## 6. Discussion

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Acknowledgments

## Conflicts of Interest

## Abbreviations

AES | Advanced Encryption Standard |

DDT | Difference Distribution Table |

MC | Multiplicative Complexity |

PDDT | Partial Difference Distribution Table |

S-box | Substitution box |

## References

- Shannon, C.E. Communication theory of secrecy systems. Bell Syst. Tech. J.
**1949**, 28, 656–715. [Google Scholar] [CrossRef] - Carlet, C. Boolean Functions for Cryptography and Coding Theory; Cambridge University Press: Cambridge, UK, 2021. [Google Scholar]
- Matsui, M. Linear cryptanalysis method for DES cipher. In Proceedings of the Advances in Cryptology—EUROCRYPT’93: Workshop on the Theory and Application of Cryptographic Techniques Lofthus, Norway, May 23–27, 1993 Proceedings 12; Springer: Berlin/Heidelberg, Germany, 1994; pp. 386–397. [Google Scholar]
- Biham, E.; Shamir, A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol.
**1991**, 4, 3–72. [Google Scholar] [CrossRef] - Chakrabarty, K.; Hayes, J. Balanced boolean functions. IEE Proc.-Comput. Digit. Tech.
**1998**, 145, 52–62. [Google Scholar] [CrossRef] - Webster, A.F.; Tavares, S.E. On the design of S-boxes. In Proceedings of the Advances in Cryptology—CRYPTO’85 Proceedings; Springer: Berlin/Heidelberg, Germany, 1985; pp. 523–534. [Google Scholar]
- Forrié, R. The strict avalanche criterion: Spectral properties of Boolean functions and an extended definition. In Proceedings of the Conference on the Theory and Application of Cryptography, Santa Barbara, CA, USA, 21–25 August 1988; pp. 450–468. [Google Scholar]
- Braeken, A.; Preneel, B. On the Algebraic Immunity of Symmetric Boolean Functions. In Proceedings of the Progress in Cryptology—INDOCRYPT 2005; Maitra, S., Veni Madhavan, C.E., Venkatesan, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; pp. 35–48. [Google Scholar]
- Zajac, P.; Jókay, M. Multiplicative complexity of bijective 4× 4 S-boxes. Cryptogr. Commun.
**2014**, 6, 255–277. [Google Scholar] [CrossRef] - Zajac, P.; Jókay, M. Cryptographic properties of small bijective S-boxes with respect to modular addition. Cryptogr. Commun.
**2020**, 12, 947–963. [Google Scholar] [CrossRef] - Matheis, K.; Steinwandt, R.; Suárez Corona, A. Algebraic Properties of the Block Cipher DESL. Symmetry
**2019**, 11, 1411. [Google Scholar] [CrossRef] [Green Version] - Burwick, C.; Coppersmith, D.; D’Avignon, E.; Gennaro, R.; Halevi, S.; Jutla, C.; Matyas, S.M., Jr.; O’Connor, L.; Peyravian, M.; Safford, D.; et al. MARS-a candidate cipher for AES. NIST AES Propos.
**1998**, 268, 80. [Google Scholar] - Antal, E.; Eliáš, M. Evolutionary computation in cryptanalysis of classical ciphers. Tatra Mt. Math. Publ.
**2017**, 70, 179–197. [Google Scholar] [CrossRef] [Green Version] - Mariot, L.; Jakobovic, D.; Bäck, T.; Hernandez-Castro, J. Artificial intelligence for the design of symmetric cryptographic primitives. In Security and Artificial Intelligence: A Crossdisciplinary Approach; Springer: Berlin/Heidelberg, Germany, 2022; pp. 3–24. [Google Scholar]
- Clark, J.A.; Jacob, J.L. Two-stage optimisation in the design of Boolean functions. In Proceedings of the Australasian Conference on Information Security and Privacy, Brisbane, QLD, Australia, 10–12 July 2000; pp. 242–254. [Google Scholar]
- Millan, W.; Clark, A.; Dawson, E. Smart hill climbing finds better boolean functions. In Proceedings of the Workshop on Selected Areas in Cryptology, Ottawa, ON, Canada, 11–12 August 1997; Volume 63. [Google Scholar]
- Millan, W.; Burnett, L.; Carter, G.; Clark, A.; Dawson, E. Evolutionary heuristics for finding cryptographically strong S-boxes. In Proceedings of the International Conference on Information and Communications Security, EUROCRYPT 1998, Espoo, Finland, 31 May–4 June 1998; pp. 263–274. [Google Scholar]
- Fuller, J.; Millan, W.; Dawson, E. Multi-objective optimisation of bijective S-boxes. New Gener. Comput.
**2005**, 23, 201–218. [Google Scholar] [CrossRef] - Kuznetsov, A.; Wieclaw, L.; Poluyanenko, N.; Hamera, L.; Kandiy, S.; Lohachova, Y. Optimization of a Simulated Annealing Algorithm for S-Boxes Generating. Sensors
**2022**, 22, 6073. [Google Scholar] [CrossRef] - Souravlias, D.; Parsopoulos, K.; Meletiou, G. Designing Bijective S-boxes Using Algorithm Portfolios with Limited Time Budgets. Appl. Soft Comput.
**2017**, 59, 475–486. [Google Scholar] [CrossRef] - Wang, J.; Zhu, Y.; Zhou, C.; Qi, Z. Construction Method and Performance Analysis of Chaotic S-Box Based on a Memorable Simulated Annealing Algorithm. Symmetry
**2020**, 12, 2115. [Google Scholar] [CrossRef] - Ivanov, G.; Nikolov, N.; Nikova, S. Reversed genetic algorithms for generation of bijective s-boxes with good cryptographic properties. Cryptogr. Commun.
**2016**, 8, 247–276. [Google Scholar] [CrossRef] [Green Version] - Picek, S.; Mariot, L.; Yang, B.; Jakobovic, D.; Mentens, N. Design of S-boxes defined with cellular automata rules. In Proceedings of the Computing Frontiers Conference, Siena, Italy, 15–17 May 2017; pp. 409–414. [Google Scholar]
- Mariot, L.; Picek, S.; Leporati, A.; Jakobovic, D. Cellular automata based S-boxes. Cryptogr. Commun.
**2019**, 11, 41–62. [Google Scholar] [CrossRef] [Green Version] - Freyre-Echevarría, A.; Alanezi, A.; Martínez-Díaz, I.; Ahmad, M.; Abd El-Latif, A.A.; Kolivand, H.; Razaq, A. An external parameter independent novel cost function for evolving bijective substitution-boxes. Symmetry
**2020**, 12, 1896. [Google Scholar] [CrossRef] - Tesař, P. A new method for generating high non-linearity s-boxes. Radioengineering
**2010**, 19, 23–26. [Google Scholar] - Gold, R. Maximal recursive sequences with 3-valued recursive cross-correlation functions (Corresp.). IEEE Trans. Inf. Theory
**1968**, 14, 154–156. [Google Scholar] [CrossRef] - Kasami, T. The weight enumerators for several classes of subcodes of the 2nd order binary Reed-Muller codes. Inf. Control
**1971**, 18, 369–394. [Google Scholar] [CrossRef] [Green Version] - Bracken, C.; Leander, G. A highly nonlinear differentially 4 uniform power mapping that permutes fields of even degree. Finite Fields Their Appl.
**2010**, 16, 231–242. [Google Scholar] [CrossRef] [Green Version] - Browning, K.; Dillon, J.; McQuistan, M.; Wolfe, A. An APN permutation in dimension six. Finite Fields Theory Appl.
**2010**, 518, 33–42. [Google Scholar] - Calderini, M. Differentially low uniform permutations from known 4-uniform functions. Des. Codes Cryptogr.
**2021**, 89, 33–52. [Google Scholar] [CrossRef] - Nyberg, K. Perfect nonlinear S-boxes. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Brighton, UK, 8–11 April 1991; pp. 378–386. [Google Scholar]
- Zahid, A.H.; Arshad, M.J. An Innovative Design of Substitution-Boxes Using Cubic Polynomial Mapping. Symmetry
**2019**, 11, 437. [Google Scholar] [CrossRef] [Green Version] - Juremi, J.; Mahmod, R.; Sulaiman, S. A proposal for improving AES S-box with rotation and key-dependent. In Proceedings of the 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), Kuala Lumpur, Malaysia, 26–28 June 2012; pp. 38–42. [Google Scholar] [CrossRef]
- Sahoo, O.; Kole, D.; Rahaman, H. An Optimized S-Box for Advanced Encryption Standard (AES) Design. In Proceedings of the 2012 International Conference on Advances in Computing and Communications, Cochin, India, 9–11 August 2012; pp. 154–157. [Google Scholar] [CrossRef]
- Wang, H.; Zheng, H.; Hu, B.; Tang, H. Improved Lightweight Encryption Algorithm Based on Optimized S-Box. In Proceedings of the 2013 International Conference on Computational and Information Sciences, Shiyang, China, 21–23 June 2013; pp. 734–737. [Google Scholar] [CrossRef]
- Cui, J.; Huang, L.; Zhong, H.; Chang, C.; Yang, W. An improved AES S-box and its performance analysis. Int. J. Innov. Comput. Inf. Control
**2011**, 7, 2291–2302. [Google Scholar] - Niemiec, M.; Machowski, L. A new symmetric block cipher based on key-dependent S-boxes. In Proceedings of the 2012 IV International Congress on Ultra Modern Telecommunications and Control Systems, St. Petersburg, Russia, 3–5 October 2012; pp. 474–478. [Google Scholar] [CrossRef]
- Kazlauskas, K.; Smaliukas, R.; Vaicekauskas, G. A Novel Method to Design S-Boxes Based on Key-Dependent Permutation Schemes and its Quality Analysis. Int. J. Adv. Comput. Sci. Appl.
**2016**, 7. [Google Scholar] [CrossRef] [Green Version] - Kazlauskas, K.; Vaicekauskas, G.; Smaliukas, R. An Algorithm for Key-Dependent S-Box Generation in Block Cipher System. Informatica
**2015**, 26, 51–65. [Google Scholar] [CrossRef] [Green Version] - Mathur, N.; Bansode, R. AES Based Text Encryption Using 12 Rounds with Dynamic Key Selection. Procedia Comput. Sci.
**2016**, 79, 1036–1043. [Google Scholar] [CrossRef] [Green Version] - Zobeiri, M.; Maybodi, B. Introducing a new method in cryptography by using dynamic P-Box and S-Box (DPS method) based on modular calculation and key encryption. ARPN J. Eng. Appl. Sci.
**2017**, 12, 2946–2953. [Google Scholar] - Gupta, M.; Sinha, A. Enhanced-AES encryption mechanism with S-box splitting for wireless sensor networks. Int. J. Inf. Technol.
**2021**, 13. [Google Scholar] [CrossRef] - Grošek, O.; Nemoga, K.; Satko, L. Ideal Difference Tables from an Algebraic Point of View. Cryptology and Information Security, Proc. of VI RECSI, Teneriffe, Spain 2000; pp. 51–58. Ammendment to Criptologia y Seguridad de la Informacion (P. Caballero-Gil, C. Hern´andez-Goya), RA-MA, Madrid. 2000. pp. 453–454. Available online: https://www.casadellibro.com/libro-criptologia-y-seguridad-de-la-informacion-vi-recsi-actas/9788478974313/727589 (accessed on 14 December 2022).
- Satko, L.; Grošek, O.; Nemoga, K. Extremal generalized S-boxes. Comput. Inform.
**2003**, 22, 85–99. [Google Scholar] - Zajac, P. Constructing S-boxes with low multiplicative complexity. Stud. Sci. Math. Hung.
**2015**, 52, 135–153. [Google Scholar] [CrossRef] - Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.; Seurin, Y.; Vikkelsoe, C. PRESENT: An ultra-lightweight block cipher. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, Vienna, Austria, 10–13 September 2007; pp. 450–466. [Google Scholar]
- Marsaglia, G.; Marsaglia, J.C. A New Derivation of Stirling’s Approximation to n! Am. Math. Mon.
**1990**, 97, 826–829. [Google Scholar] [CrossRef] - Marochok, S. Constructing S-Boxes with Prescribed Differential Distribution Table. Master’s Thesis, Slovak University of Technology in Bratislava, Bratislava, Slovakia, 2021. [Google Scholar]

**Figure 1.**Graphical representation of comparison of the results obtained using different generation methods and different prescribed maximal value for an S-Box size of $n=5$.

**Figure 2.**Graphical representation of comparison of the results obtained using different generation methods and different prescribed maximal value for an SBox size of $n=6$.

Step | $\mathit{x}$ | Available Items in ${\mathit{Y}}_{\mathit{x}}$ | Partial S-Box | max. Value in PDDT | Is Valid? |
---|---|---|---|---|---|

0 | - | {0, 1, 2, 3, 4, 5, 6, 7} | [ ] | 0 | - |

1 | 0 | {0} | [0] | 0 | true |

2 | 1 | {1} | [0, 1] | 2 | true |

3 | 2 | {2} | [0, 1, 2] | 2 | true |

4 | 3 | {5, 7, 3, 6} | [0, 1, 2, 5] | 2 | true |

5 | 4 | {4} | [0, 1, 2, 5, 4] | 2 | true |

6 | 5 | {6, 7, 3} | [0, 1, 2, 5, 4, 6] | 2 | true |

7 | 6 | {3, 7} | [0, 1, 2, 5, 4, 6, 3] | 4 | false |

8 | 6 | {3, 7} | [0, 1, 2, 5, 4, 6, 7] | 2 | true |

9 | 7 | {3} | [0, 1, 2, 5, 4, 6, 7, 3] | 2 | true |

**Table 2.**Estimated probabilities of random $\delta $-differentially uniform S-boxes using “bins and balls” method.

S-Box Size | $\mathit{\delta}=4$ | $\mathit{\delta}=6$ | $\mathit{\delta}=8$ | $\mathit{\delta}=10$ | $\mathit{\delta}=12$ |
---|---|---|---|---|---|

$n=4$ | 3.8% | 66.7% | 96.0% | 99.7% | 99.9% |

$n=6$ | 0.0% | 0.2% | 52.4% | 94.8% | 99.6% |

$n=8$ | 0.0% | 0.0% | 0.0% | 42.2% | 94.0% |

**Table 3.**Cumulative distribution of $\delta $-differentially uniform S-boxes based on a dataset of 10,000 randomly generated S-boxes.

S-Box Size | $\mathit{\delta}=4$ | $\mathit{\delta}=6$ | $\mathit{\delta}=8$ | $\mathit{\delta}=10$ | $\mathit{\delta}=12$ |
---|---|---|---|---|---|

$n=4$ | 5.15% | 65.53% | 95.03% | 99.36% | 99.98% |

$n=6$ | 0 | 0.23% | 50.09% | 94.05% | 99.51% |

$n=8$ | 0 | 0 | 0.33% | 39.88% | 93.93% |

**Table 4.**Comparison of random generation of S-boxes with the proposed method based on partial DDT for an S-box size of $n=4$.

Nr. of $\mathit{\delta}$-Uniform S-Boxes | Nonlinearity | |||||||||
---|---|---|---|---|---|---|---|---|---|---|

method | time [s] | n | ${\delta}_{max}$ | 4 | 6 | 8 | 10 | 0 | 2 | 4 |

P_DDT | 0.04398 | 4 | 4 | 100 | 0 | 0 | 0 | 0 | 44 | 56 |

P_DDT | 0.02742 | 4 | 6 | 5 | 95 | 0 | 0 | 0 | 91 | 9 |

P_DDT | 0.02582 | 4 | 8 | 3 | 59 | 38 | 0 | 3 | 92 | 5 |

P_DDT | 0.02295 | 4 | 10 | 5 | 60 | 27 | 8 | 2 | 92 | 6 |

Random | 0.00056 | 4 | - | 1 | 65 | 25 | 7 | 9 | 88 | 3 |

**Table 5.**Comparison of random generation of S-boxes with the proposed method based on partial DDT for an S-box size of $n=5$.

Nr. of $\mathit{\delta}$-Uniform S-Boxes | Nonlinearity | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|

method | time [s] | n | ${\delta}_{max}$ | 4 | 6 | 8 | 10 | 2 | 4 | 6 | 8 |

P_DDT | 1.52535 | 5 | 4 | 100 | 0 | 0 | 0 | 0 | 0 | 9 | 91 |

P_DDT | 0.07977 | 5 | 6 | 0 | 100 | 0 | 0 | 0 | 2 | 45 | 53 |

P_DDT | 0.07214 | 5 | 8 | 0 | 19 | 81 | 0 | 0 | 2 | 56 | 42 |

P_DDT | 0.06545 | 5 | 10 | 0 | 22 | 58 | 20 | 0 | 5 | 58 | 37 |

Random | 0.00051 | 5 | - | 0 | 20 | 66 | 14 | 1 | 2 | 66 | 31 |

**Table 6.**Comparison of random generation of S-boxes with the proposed method based on partial DDT for an S-box size of $n=6$.

Nr. of $\mathit{\delta}$-Uniform S-Boxes | Nonlinearity | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|

method | time [s] | n | ${\delta}_{max}$ | 6 | 8 | 10 | 12 | 14 | 16 | 18 | 20 |

P_DDT | 0.50702 | 6 | 6 | 100 | 0 | 0 | 0 | 2 | 21 | 69 | 8 |

P_DDT | 0.30852 | 6 | 8 | 0 | 100 | 0 | 0 | 1 | 36 | 58 | 5 |

P_DDT | 0.35756 | 6 | 10 | 0 | 40 | 60 | 0 | 3 | 36 | 60 | 1 |

Random | 0.00055 | 6 | - | 0 | 52 | 43 | 5 | 3 | 42 | 53 | 2 |

**Table 7.**Comparison of random generation of S-boxes with the proposed method based on partial DDT for an S-box size of $n=7$.

Nr. of $\mathit{\delta}$-Uniform S-Boxes | Nonlinearity | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|

method | time [s] | n | ${\delta}_{max}$ | 6 | 8 | 10 | 12 | 34 | 36 | 38 | 40 | 42 | 44 |

P_DDT | 7.46739 | 7 | 6 | 100 | 0 | 0 | 0 | 0 | 0 | 5 | 17 | 57 | 21 |

P_DDT | 0.31956 | 7 | 8 | 0 | 100 | 0 | 0 | 0 | 2 | 7 | 41 | 47 | 3 |

P_DDT | 0.30249 | 7 | 10 | 0 | 4 | 96 | 0 | 1 | 0 | 7 | 36 | 47 | 9 |

Random | 0.00056 | 7 | - | 0 | 5 | 77 | 18 | 0 | 3 | 8 | 33 | 48 | 8 |

**Table 8.**Comparison of random generation of S-boxes with the proposed method based on partial DDT for on S-box size of $n=8$.

Nr. of $\mathit{\delta}$-Uniform S-Boxes | Nonlinearity | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

method | time [s] | n | ${\delta}_{max}$ | 8 | 10 | 12 | 14 | 16 | 86 | 88 | 90 | 92 | 94 | 96 | 98 |

P_DDT | 2.71275 | 8 | 8 | 100 | 0 | 0 | 0 | 0 | 1 | 0 | 13 | 23 | 47 | 15 | 1 |

P_DDT | 2.29923 | 8 | 10 | 0 | 100 | 0 | 0 | 0 | 1 | 4 | 11 | 39 | 31 | 14 | 0 |

Random | 0.00073 | 8 | - | 0 | 46 | 46 | 7 | 1 | 1 | 5 | 10 | 26 | 50 | 8 | 0 |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Marochok, S.; Zajac, P.
Algorithm for Generating S-Boxes with Prescribed Differential Properties. *Algorithms* **2023**, *16*, 157.
https://doi.org/10.3390/a16030157

**AMA Style**

Marochok S, Zajac P.
Algorithm for Generating S-Boxes with Prescribed Differential Properties. *Algorithms*. 2023; 16(3):157.
https://doi.org/10.3390/a16030157

**Chicago/Turabian Style**

Marochok, Stanislav, and Pavol Zajac.
2023. "Algorithm for Generating S-Boxes with Prescribed Differential Properties" *Algorithms* 16, no. 3: 157.
https://doi.org/10.3390/a16030157