Review

Understanding S-Box Security Assessment: A Practical Guide

by David Carcaño Ventura 1,*, Lil María Xibai Rodríguez-Henríquez 1,2 and Saúl E. Pomares Hernández 1
1 Instituto Nacional de Astrofísica Óptica y Electrónica (INAOE), Tonantzintla, Puebla 72840, Mexico
2 Secretaría de Ciencia, Humanidades, Tecnología e Innovación, Ciudad de México 03940, Mexico
* Author to whom correspondence should be addressed.
Math. Comput. Appl. 2026, 31(1), 27; https://doi.org/10.3390/mca31010027
Submission received: 3 December 2025 / Revised: 4 January 2026 / Accepted: 14 January 2026 / Published: 13 February 2026
(This article belongs to the Section Engineering)

Abstract

S-boxes are the core nonlinear components of ciphers, providing confusion and diffusion. As a result, cryptanalysts focus on analyzing these components to identify distinguishers and ultimately recover the secret key of the cipher. Although many constructions exist, the search for new S-boxes remains vital as advances in cryptanalysis expose new weaknesses. Evaluating their security is challenging, and the current literature often prioritizes technical depth over clarity for a broader audience. This raises questions that are not always clear, such as how the S-box and its construction affect a cipher’s resilience, how to assess the security of this nonlinear component, and what factors influence its robustness. In this paper, we address these concerns by providing a friendly introduction to the basic principles of S-box security evaluation, structured around four key aspects. First, the importance of the S-box in ensuring block cipher security is discussed. Second, the advantages and disadvantages of three classical S-box construction approaches are outlined. Third, the evaluation of S-boxes through the formal definition of their properties and their associated security implications is presented. Fourth, four S-box evaluation toolkits proposed in the literature are introduced. Finally, open research challenges in S-box design are highlighted.

1. Introduction

A substitution box (S-box) is a nonlinear component used in ciphers to provide the principles of confusion and diffusion. Confusion breaks the relationship between the secret key and the ciphertext, while diffusion disguises patterns from the plaintext within the ciphertext. Shannon proposed these principles to construct a cipher that ensures confidentiality [1].
Various shortcut attacks, including differential [2], linear [3], boomerang [4], and algebraic [5], aim to compromise the cipher by analyzing its main component: the S-box. If the security of this component is weak, the probability of recovering secret key bits or plaintext increases significantly. Thus, in the literature, S-boxes are often considered the “heart” of the cipher.
The first known S-box was introduced in the Lucifer cipher [6]; however, the S-boxes used in the DES cipher [7] popularized their use by demonstrating strong resistance to different attacks. In [8], E. Biham and A. Shamir show that although the DES cipher can be broken by differential attacks, its S-boxes offer high resistance to such attacks. Since then, many ciphers, including AES [8], TWINE [9], SERPENT [10], PRESENT [11], RECTANGLE [12], and SAND [13], have incorporated S-boxes into their designs.
Although many S-box constructions have been proposed, advances in shortcut attacks continue to expose new vulnerabilities in classical designs. This highlights the need for new S-boxes that can address emerging threats while also considering existing trade-offs between security and implementation. However, strengthening resistance against one type of attack may weaken it against another or increase implementation costs. For instance, several works indicate that improving resistance to a specific attack often requires compromising security against another [14,15,16].
Considering the previous examples, it is evident that the search for new components will remain a critical aspect of future cipher design. In trying to resolve earlier conflicts and meet updated security goals, new designs may introduce additional challenges. Taken together, these factors make S-box design a complex and nontrivial task, and the technical depth of the topic often makes it difficult for non-specialists to grasp the principles of S-box construction and evaluation. Therefore, this paper aims to introduce the fundamentals of S-box assessment and explain the basic evaluation principles, presented in a tutorial-style review, as this challenging process is a key step in the development of new components. The contributions of this work focus on answering the following questions:
1. What is an S-box, and why is it a key component in the security of a cipher? This work presents the functionality of the S-box in a cipher and describes three approaches for constructing this component. It also explains how the structure and construction of the S-box impact the security of the cipher.
2. How is the security level of an S-box determined, and what is its relationship with the principles of confusion and diffusion? The security level of an S-box is determined by various cryptographic properties, whose values are derived from mathematical formulas. Although these values are typically calculated using computer programs, differences in the notation of these formulas across different works can make it challenging to understand the fundamental concepts involved in evaluating S-boxes. Thus, this paper focuses on these variations and discusses their relationships in the context of S-box evaluation. Moreover, through specific examples, it shows how these formulas reveal the capacity of an S-box to contribute to the principles of confusion and diffusion.
3. What conflicts influence the robustness of an S-box? This paper aims to explain the internal conflicts within the evaluation of an S-box’s security level. While it is not possible to design a perfect S-box, a high level of security can be achieved by carefully balancing various design trade-offs.
The rest of the paper presents the related work and addresses the previously stated questions. It is organized as follows: Section 2 establishes the differences between this work and others that introduce S-box evaluation. Section 3 and Section 4 correspond to the first question by introducing the concept and functionality of the S-box within a cipher, emphasizing its importance for security, and presenting three classical construction approaches. Section 5 is related to the second question and constitutes the most important part of the paper, as it describes the well-known properties used to evaluate the security of an S-box, provides illustrative examples, and explains how specific property values contribute to achieving confusion and diffusion. Section 6 focuses on the third question by discussing the conflicts that arise among these properties during the construction process and how they impact efforts to enhance the security level of the component. Section 7 introduces four toolkits for evaluating S-boxes. Section 8 offers an overview of the challenges in designing and finding new S-boxes. Finally, Section 9 presents the conclusions.

2. Related Work

S-boxes are essential for both cipher designers and adversaries: while designers must construct them to maximize security and protect the secret key, adversaries analyze them to uncover weaknesses and ultimately attempt to recover it. The literature has examined this component extensively, addressing diverse aspects such as S-box design for block ciphers [17,18,19], efficient implementation strategies [20,21,22], the introduction of new S-box properties [23,24,25], and the study of relationships among existing properties [14,15,26,27,28,29]. However, the majority of these works target specialist readers, assuming prior knowledge of S-box attacks, security properties, and design criteria. Moreover, the abundance of information can make it difficult to identify the fundamental concepts underlying S-box evaluation and design.
Considering these challenges, only a few works provide introductory material on this topic, and Table 1 lists these works. It evaluates five aspects of these studies, including their target audience, the S-box properties covered, the construction approaches discussed, and whether they address conflicts among properties. The key distinction appears in the second column, which shows that only two of these references are intended for non-specialist readers, as they aim to explain fundamental principles and motivate further exploration in the area. In contrast, the remaining works are oriented toward specialist audiences and attempt to condense the available information on S-boxes into a general overview.
The works in the first category are those by Boura [30] and Easttom [31]. Boura addresses the question of how to assess the security of these components by explaining different S-box representations and how to evaluate the properties related to differential, linear, and algebraic attacks. However, this work does not examine the most recent properties that consider cipher-specific features, such as boomerang-related properties, nor does it discuss how S-box properties contribute to confusion and diffusion. In [31], Easttom’s work focuses on explaining what an S-box is, how it can be constructed, and how its security level can be assessed by discussing diffusion-oriented properties, presenting three S-box construction approaches, and illustrating their application in DES and AES. Nevertheless, it does not analyze how construction choices affect security, nor does it address confusion-oriented properties or potential conflicts among properties that influence the design of this component.
Regarding the second category of works, which focus on compiling knowledge about S-boxes for specialist readers, the following observations can be made. Bao et al. [32] present a SoK article that explains how to assess the security level of the S-box by discussing confusion-oriented properties and implementation aspects (a topic not covered by the previously mentioned works). However, they do not explicitly analyze diffusion-related properties, the role of the S-box within the overall block cipher, or design conflicts among properties. Waheed et al. [33] survey several construction approaches, highlighting their strengths and listing desirable properties for S-box design. Still, their analysis remains largely descriptive and does not relate these strengths to a formal security framework. Canteaut’s lecture notes [34] and Perrin’s thesis [35] summarize the main S-box representations and define differential, linear, and algebraic properties. Perrin’s thesis additionally examines different construction methods and their motivations. Nonetheless, neither of these papers explains in detail how such properties support the diffusion and confusion principles, nor do they address the third research question concerning conflicts among properties.
In contrast, our work is intended for non-specialist readers and provides a unified perspective that integrates the motivation for S-box design with the fundamental principles of S-box construction and evaluation. This work addresses three fundamental questions: how the S-box and its construction affect a cipher’s resilience, how to assess the security of this nonlinear component, and which factors influence its robustness. Although related works attempt to answer the first two questions, they do not consider several key aspects, such as the importance of construction approaches in determining the security level, the appropriate selection of S-box properties based on cipher-specific requirements (including boomerang-related properties), the effect of confusion and diffusion properties on S-box design, and the conflicts among S-box properties and their implications for design. Finally, this work also identifies open research challenges related to S-box design and discusses four S-box evaluation toolkits from the literature.
Table 1. Discussion of related work on the basic principles of S-boxes. ✓ indicates that the corresponding properties/topics are explicitly addressed in the referenced work.
Tutorials/SoK/Notes/Chapter | Target Audience | Properties Related to: DAs, LAs, AAs, BAs, Diffusion | Construction Approaches | Conflicts Among S-Box Properties
Bao et al. [32] | Specialist
Waheed et al. [33] | Specialist
Easttom [31] | Non-specialist
Boura [30] | Non-specialist
Canteaut [34] | Specialist
Perrin [35] | Specialist
This work | Non-specialist

3. The Functionality of the S-Box

This section addresses part of the first question raised in the introduction, specifically regarding the role of the S-box in a cipher and its importance in providing resilience against cryptographic attacks.
The confidentiality service enables two or more entities to securely exchange sensitive data over a public channel. Although an adversary can intercept the transmitted messages, it cannot understand them because the data are encrypted. In general, a cipher encrypts sensitive information using a secret key. To generate the ciphertext, the cipher applies nonlinear and linear layers over multiple rounds. S-boxes are used in the nonlinear layer to implement the principle of confusion, while bit permutations or matrices are commonly used in the linear layer to achieve diffusion [36]. However, as explained in Section 5.3, S-boxes also contribute to diffusion.
An $n \times m$ S-box is a vectorial Boolean function that maps $n$ input bits to $m$ output bits. If $m = 1$, the S-box reduces to a Boolean function mapping $n$ input bits to $\{0, 1\}$. A formal definition is provided based on [22,37,38]:
Definition 1.
Substitution Box (S-box): An $n \times m$ S-box is defined as a vectorial Boolean function that maps an $n$-dimensional vector to an $m$-dimensional vector, and is denoted as:
$$S : \mathbb{F}_2^n \to \mathbb{F}_2^m,$$
where $n$ and $m$ are positive integers. Here, $\mathbb{F}_2$ is the finite field with two elements and $\mathbb{F}_2^n$ ($n \geq 2$) is the vector space of dimension $n$ over $\mathbb{F}_2$.
In a cipher, the S-box is a function that replaces $n$ bits with $m$ bits; sometimes $n = m$.

The S-Box Resistance Against Attacks

There are many ways to break the security of a cipher. In this work, we focus on two main objectives: distinguishing the cipher from a pseudorandom function, and recovering bits of the secret key. In the first case, the ciphertexts produced by the cipher should appear random; otherwise, an adversary may detect patterns that allow partial recovery of the plaintext. In the second case, the most basic method to recover the secret key (though extremely inefficient) is a brute-force search over all $2^{l_{sk}}$ possible keys, where $l_{sk}$ is the key length. However, there exists a class of attacks known as shortcuts [39], which can compromise the cipher more efficiently in both scenarios. These include several attacks, but in this work, we focus specifically on differential, linear, boomerang, and algebraic attacks.
In general, these types of attacks are divided into two phases:
  • In the first phase, the attacker analyzes the nonlinear component (typically the S-box) to identify characteristics or patterns that enable the construction of distinguishers. These distinguishers allow the adversary to differentiate the cipher from a pseudorandom function.
  • In the second phase, by using the distinguishers along with suitable pairs of plaintexts and ciphertexts, the adversary can recover some or all bits of the secret key.
It is noticeable that the S-box plays a fundamental role in ensuring the security of the cipher. If this component is weak, the probability of finding distinguishers increases significantly, which reduces the work factor required to recover the secret key [40]. Therefore, to assess whether an S-box offers a high level of security, several measurable properties are considered. The values of these properties determine the strength of the S-box. Section 5 explains this in detail; but first, we present three approaches for constructing an S-box.

4. The Construction of an S-Box

This section complements the answer to the first question from Section 1 by introducing three approaches to constructing an S-box and how each can influence the security level of this component.
The search for an S-box is not a trivial task, as there exists a vast space of possible vectorial Boolean functions. Specifically, there are $2^{m 2^n}$ possible options, where $n$ is the input size and $m$ is the output size of the S-box. As the size of the S-box increases, the search space grows exponentially, making it more challenging to find a suitable one. For this reason, many S-boxes are constructed using different approaches, including algebraic, heuristic, and random searching.
The algebraic approach analyzes common Boolean functions (including vectorial Boolean functions) against cryptographic attacks and selects the most suitable option. The most well-known example of this approach is the construction of the AES S-box (explained in Appendix A), proposed by Daemen and Rijmen [41]. They based this nonlinear component on a function known as Inverse $X^{-1}$, which was studied by Nyberg in [42]. This function achieves the highest known security levels (even as $n$ increases) provided that $n = m$. When $n = m = 4$, the S-box can achieve optimal values in various security properties, and for $n = m = 8$, it attains the best-known values for the same properties (see Section 5.4 for details). As a result, many designers choose to either reuse the AES S-box or apply this method to construct S-boxes for other ciphers [9,43,44].
Despite the significant impact of this construction approach on S-box security, it presents two main drawbacks: vulnerability to algebraic attacks and limited diversity in the resulting S-boxes. In [5], Courtois demonstrates that S-boxes constructed using the inverse function can be vulnerable to algebraic attacks such as XL and XSL, as their algebraic structure is relatively simple [45]. It is well known that the resilience of S-boxes against various attacks remains unchanged under affine transformations. However, this invariance implies a limitation in diversity. Specifically, in [15], Leander and Poschmann show that all 4 × 4 S-boxes constructed using this approach fall into a single equivalence class with the same security level, making it impossible to generate multiple distinct S-boxes using affine transformations alone. For these reasons, alternative construction approaches aim to mitigate these drawbacks and improve upon the algebraic approach.
The main purpose of the heuristic approach is to discover secure S-boxes through specific rules, utilizing various techniques such as chaotic maps [46], genetic algorithms [47], cellular automata [48], among others. The advantage of this approach is its ability to generate different S-boxes (that is, S-boxes which are not equivalent under transformations such as affine equivalence [15]) while simultaneously considering multiple cryptographic properties. Although this approach can be a viable option for constructing secure S-boxes with high nonlinearity, it faces several challenges that limit its competitiveness compared to the algebraic approach. One such challenge is that these S-boxes do not always achieve optimal values for the desired properties [47]. Another challenge is that, given the recently introduced properties and the size constraints, generating S-boxes using this approach is difficult [49]. Furthermore, these techniques are constrained by factors such as the selection of appropriate fitness/cost functions [50].
The random searching approach is often regarded as the simplest method, as it relies on the generation of random or pseudorandom numbers. Whereas this can result in high randomness, it typically falls short in achieving high levels of security [44,51]. An example of this approach is the construction of the Serpent S-boxes, which are resilient to differential and linear attacks. However, many of them are similar (i.e., affine equivalent) and are vulnerable to algebraic attacks [15,44].
Table 2 summarizes this section by comparing the different approaches. The second column shows their main purpose: the algebraic and heuristic approaches aim to create secure S-boxes, whereas the main goal of random search is to generate S-boxes in a simple way. The third and fourth columns present the advantages and disadvantages of each method. As previously mentioned, the algebraic-inverse approach offers the highest known security against cryptographic attacks; however, it is vulnerable to algebraic attacks and struggles to produce diverse S-boxes. In contrast, other approaches may be more competitive in aspects such as implementation, diversity of S-boxes generated, and randomness. At this point, we have not yet explained how these non-linear components are evaluated. Therefore, the following section introduces the fundamental concepts and criteria used to assess the security of S-boxes by analyzing their properties.

5. S-Box Properties

This section addresses the second question presented in Section 1: how to determine the security level of the S-box. It is also the most important part of this work, as it introduces differential, linear, boomerang, and algebraic attacks to highlight the relevance of S-box properties. It then presents the classical properties used to measure resistance against these attacks, explores the relationships between their formulas, and provides examples for computing the corresponding values.
Both adversaries and designers employ S-box properties to assess the resistance of this component against cryptographic attacks. Usually, property classifications relate S-box properties to robustness against specific sets of attacks, but they do not indicate how these properties contribute to confusion or diffusion [30,32,34,35]. Hence, it is important to understand which properties are relevant to specific attacks and how they contribute to enhancing the security of the cipher. For example, differential uniformity (DU) and CarD1 measure the resistance of an S-box to differential attacks. However, DU is primarily associated with preventing information leakage about the secret key (confusion), whereas CarD1 helps break down message patterns that differ by one bit (diffusion). In addition, it is important to consider properties related to the S-box structure, as they can influence the security level of the nonlinear component.
Based on this distinction, we propose classifying S-box properties into three categories: confusion, diffusion, and structural. This classification helps clarify how different properties influence the security level of the S-box. Furthermore, we highlight the importance of structural properties (those related to the shape of the S-box) as they can impact the values of other properties (confusion and diffusion), and thereby affect the overall robustness of the cipher.
Figure 1 presents our classification, along with the properties discussed in the following subsections. Whereas the literature describes a wide range of S-box properties, we focus only on those shown in the figure. These were selected since they are considered classical and typically serve as the basis for many recently proposed ones. Moreover, presenting these properties helps build an understanding of the basic concepts behind the formulas, notations, and the notion of security level.
To illustrate how to obtain the values of S-box properties, we use the S-box from TWINE. This S-box is considered lightweight due to its 4-bit input and output, and it offers a high level of security as it was designed using the algebraic approach with the inverse function. In addition, its small size allows us to present compact equations and tables in this paper. Table 3 shows the values of the TWINE S-box. It is important to mention that this representation is known as a lookup table (LUT). The LUT of an S-box is the table (or vector) that lists the output $S(x)$ for every input.

5.1. Structural Properties

Although these properties have been widely studied, no prior work (based on our review of the literature) has proposed their classification in the manner presented here. Nevertheless, as previously mentioned, they are fundamental to the construction of this component due to their impact on both the security level and implementation aspects (the reader may refer to Section 6 for a discussion of S-box conflicts). As a result, we include these properties in the S-box evaluation and describe them as follows:
1. Size: This property presents the number of inputs $n$ and outputs $m$ of the S-box. The size of the S-box could be $n = m$ or $n \neq m$. The values of these variables are determined by the features of the cipher. For instance, lightweight S-boxes must satisfy $3 \leq n, m \leq 8$ [19,22,52].
2. Type of function: The S-box can be bijective or non-bijective. If $n = m$ and the output of the S-box is a permutation, then the S-box is bijective and balanced [15,53]. Bijective S-boxes are typically used in ciphers that require inversion for decryption, such as those based on Substitution Permutation Networks (SPNs) [12,41]. In contrast, Feistel network-based ciphers can use either bijective or non-bijective S-boxes, as they do not rely on inversion [7,13,54].
3. Output: This property specifies the type of output produced by the S-box. The classical approach uses a static output, meaning that the same S-box is applied in every round. In contrast, a dynamic output is a more recent trend, where the S-box varies based on the key of the cipher [55,56]. In this case, a different S-box is used in each round, which can enhance security. However, in this work, we focus on evaluating the security of static S-boxes.

5.2. Confusion Properties: Resistance to Differential, Linear, Algebraic, and Boomerang Attacks

This section provides an overview of several properties related to confusion. It introduces properties associated with differential, linear, boomerang, and algebraic attacks. These attacks are among the most well-established and serve as the foundation for the development of new threats, as noted by Jim et al. in [38]. Differential and linear attacks are considered the most effective in breaking the security of a cipher. Boomerang attacks are an extension of differential attacks, but their characteristics make them specific to block ciphers; in addition, different S-box properties may apply depending on the cipher’s design. Finally, algebraic attacks are particularly important, as they can compromise the cipher regardless of the number of rounds.

5.2.1. Resistance to Differential Attacks

Differential attacks (DAs) aim to identify patterns by analyzing the nonuniform distribution of output differences when inputs are chosen to satisfy a fixed difference [2]. Figure 2 illustrates these attacks in a general form in three steps:
(a) The adversary selects two messages or plaintexts ($M_1, M_2$) and obtains their corresponding ciphertexts ($E_1, E_2$).
(b) The adversary computes the input difference, which is defined as $\Delta M = M_1 \oplus M_2$, and the output difference, given by $\Delta E = E_1 \oplus E_2$.
(c) The adversary attempts to exploit these differences to find a high probability of $P(\Delta E \mid \Delta M)$.
As discussed in Section The S-Box Resistance Against Attacks, a requirement for cipher security is that the primitive behaves like a pseudorandom permutation. This condition holds if the probability that a particular output difference $\Delta E$ appears given a specific input difference $\Delta M$ is $\frac{1}{2^{\mu}}$, where $\mu$ is the length of the message $M_i$ in bits. Thus, if the adversary finds a high probability for this scenario, the attack is considered successful.
These attacks exploit differences in the nonlinear layers, such as S-boxes [39,57]. DU and balance are therefore two properties that a designer should consider to resist these kinds of attacks. DU was proposed by Nyberg [42] and is obtained by using a tool called the Differential Distribution Table [2]:
Definition 2.
Differential Distribution Table (DDT): Let $S$ be an S-box, where $a \in \mathbb{F}_2^n$ and $b \in \mathbb{F}_2^m$. The DDT of $S$ is a $2^n \times 2^m$ table in which the cell for each pair $(a, b)$ contains the number of inputs $x$ that satisfy the following equation:
$$DDT_S(a, b) = \#\{x \in \mathbb{F}_2^n : S(x) \oplus S(x \oplus a) = b\},$$
where the $\#$ symbol denotes the number of elements of the set.
Then, the DU property is defined as follows:
Definition 3.
Differential uniformity (DU): The DU of an S-box $S$ is the maximum value of the DDT:
$$DU(S) = \max_{a \neq 0} \left( DDT_S(a, b) \right)$$
Smaller values of this property mean better resistance to DAs. In addition, there is a measure used to determine the probability of obtaining an output difference $b$ given an input difference $a$, defined as [32]:
Definition 4.
Maximum differential probability (MDP): The MDP of an S-box $S$ is the ratio
$$\frac{DU(S)}{2^n}$$
This measure (also known as the propagation ratio for a differential [58]) helps compare the security of S-boxes with different sizes (the reader can refer to Section Evaluation of Different S-Boxes to observe an example of this comparison using MDP). To illustrate how to obtain the DDT, DU, and MDP, Algorithm 1 outlines the steps to compute these values. As mentioned, each cell in the DDT represents the number of equations that satisfy condition (2). The algorithm iterates through all values of $a$, $b$, and $x$, increasing the counter i by 1 whenever the condition is met.
Algorithm 1 Differential Uniformity Computation
Require: int n, m, S-box S
Ensure: int DU, double MDP
Initialize(DDT[2^n][2^m])
for a = 0 to 2^n - 1 do
    for b = 0 to 2^m - 1 do
        for x = 0 to 2^n - 1 do
            if S(x) ⊕ S(x ⊕ a) = b then
                DDT[a][b]++
            end if
        end for
    end for
end for
DU ← max_{a ≠ 0} DDT[a][b]
MDP ← DU / 2^n
As we can observe, this algorithm has a complexity of $O(2^{3n})$ (when $n = m$). However, the implementation can be made more efficient if the algorithm does not explicitly compare $S(x) \oplus S(x \oplus a) = b$. If the program simply increments the corresponding cell when the condition is satisfied, the complexity can be reduced to $O(2^{2n})$ [59]. Algorithm 2 only iterates over the values of $a$ and $x$. When the condition is satisfied, the value of the corresponding cell is incremented as follows: $DDT[a][S(x) \oplus S(x \oplus a)]$++.
Algorithm 2 More Efficient Differential Uniformity Computation
Require: int n, m, S-box S
Ensure: int DU, double MDP
Initialize(DDT[2^n][2^m])
for a = 0 to 2^n - 1 do
    for x = 0 to 2^n - 1 do
        DDT[a][S(x) ⊕ S(x ⊕ a)]++
    end for
end for
DU ← max_{a ≠ 0} DDT[a][b]
MDP ← DU / 2^n
Another property related to DAs is balance, which Carlet defines as follows [60]:
Definition 5.
Balance (B): An S-box $S$ is said to be balanced if its outputs are uniformly distributed; in other words, it takes every value of $\mathbb{F}_2^m$ the same number ($2^{n-m}$) of times.
If an S-box is evaluated based on this property, it can be either balanced or unbalanced. A balanced S-box is desirable for resistance to DAs [61,62]. Additionally, this property enhances resistance to statistical attacks [37].
In this section, we obtain the DU and the B values of the TWINE S-box using its LUT presented in Table 3. To compute the DU, we first derive the DDT, where $a, b, x \in \mathbb{F}_2^4$ given that the S-box size is $n = m = 4$. Table 4 presents the DDT of TWINE, which has dimensions $2^4 \times 2^4 = 16 \times 16$. The highest entry in the table is 16; however, since DU is determined for $a \neq 0$, the highest relevant value in the DDT is 4. Moreover, its MDP is $\frac{4}{2^4} = 0.25$.
The TWINE S-box is a permutation of the elements in $\mathbb{F}_2^4$, meaning it is balanced. Indeed, by computing the equation presented in Definition 5, we observe that each value in the LUT of TWINE appears exactly $2^{n-m} = 2^{4-4} = 2^0 = 1$ time.
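Algorithms 1 and 2 and Definition 5 as runnable code, an added example that is not part of the original article: it builds the DDT both ways and derives DU, MDP and balance. The TWINE LUT is the one from Table 3; `UNBALANCED` and `LOW2` are tables constructed here for illustration, and all function names are this example's own.

```python
from collections import Counter

# TWINE S-box lookup table (Table 3 of the article).
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]

# Constructed 4x4 table that is not a permutation: 0x0 appears twice, 0x4 never.
UNBALANCED = TWINE[:-1] + [0x0]

# Constructed 4x2 S-box (n = 4, m = 2): the two low output bits of TWINE.
LOW2 = [y & 0x3 for y in TWINE]


def check_lut(sbox, n, m):
    """Reject tables whose size or value range does not match n and m."""
    if len(sbox) != 1 << n:
        raise ValueError("LUT must have 2^n entries")
    if any(not 0 <= y < (1 << m) for y in sbox):
        raise ValueError("LUT values must fit in m bits")


def ddt_naive(sbox, n, m):
    """Algorithm 1: test every (a, x, b) triple."""
    check_lut(sbox, n, m)
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for a in range(1 << n):
        for x in range(1 << n):
            for b in range(1 << m):
                if sbox[x] ^ sbox[x ^ a] == b:
                    table[a][b] += 1
    return table


def ddt_fast(sbox, n, m):
    """Algorithm 2: use the output difference as the column index."""
    check_lut(sbox, n, m)
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for a in range(1 << n):
        for x in range(1 << n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def differential_uniformity(table):
    """DU: largest DDT entry over all rows with a != 0."""
    return max(max(row) for row in table[1:])


def mdp(table, n):
    """MDP = DU / 2^n."""
    return differential_uniformity(table) / (1 << n)


def is_balanced(sbox, n, m):
    """Definition 5: every value of F_2^m occurs exactly 2^(n-m) times."""
    check_lut(sbox, n, m)
    if n < m:
        return False
    counts = Counter(sbox)
    return all(counts[y] == 1 << (n - m) for y in range(1 << m))


if __name__ == "__main__":
    table = ddt_fast(TWINE, 4, 4)
    print("DU =", differential_uniformity(table), "MDP =", mdp(table, 4))
    print("TWINE balanced:", is_balanced(TWINE, 4, 4))
    print("UNBALANCED balanced:", is_balanced(UNBALANCED, 4, 4))
    print("LOW2 (4x2) balanced:", is_balanced(LOW2, 4, 2))
```
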

5.2.2. Resistance to Linear Attacks

Linear attacks exploit linear approximations of a cipher by forming linear combinations of the plaintext, ciphertext, secret key, and linear masks ($a, b, k$) at the bit level [39,57]. Figure 3 illustrates how an adversary attempts to establish these approximations by constructing an equation with the variables mentioned. In the second phase, the adversary tries to determine the probability that evaluating certain combinations results in 0. If this probability is $0.5$, the cipher $C$ appears to behave like a pseudorandom permutation. However, if the probability deviates significantly from $0.5$, the adversary can distinguish the function as a cipher. To achieve this, the adversary identifies linear distinguishers by combining linear approximations of individual components. Since such approximations are easily derived from linear components, the adversary focuses on the nonlinear elements of the cipher, particularly the S-boxes. These components are essential for resisting such approximations and, consequently, for preventing the success of linear distinguishers.
As previously mentioned, the S-box is a nonlinear component and its nonlinearity plays a central role in determining its resistance to linear attacks. To evaluate how well this component resists such attacks, two key properties are considered: nonlinearity and linearity. These properties may be presented separately or jointly in the literature, but they are inherently related. The following part explains how to compute them by introducing essential concepts such as the Linear Approximations Table (LAT), the Walsh–Hadamard transform, and bias. These concepts are essential for understanding the relationships between the properties and for interpreting their corresponding values correctly. For example, the LAT generated by the PEIGEN software (version 1.0, PEIGEN developers, online, Singapore/Japan) [32] differs in format from that produced by SageMath (version 10.8, SageMath Inc., online, USA) [63], although they represent the same information (see Table 5 and Table 6 for a comparison). Thus, this tool is defined as [3]:
Definition 6.
Linear Approximations Table (LAT): Let $S$ be an S-box, and let $a \in \mathbb{F}_2^n$ and $b \in \mathbb{F}_2^m$ be linear masks. The LAT of $S$ is a $2^n \times 2^m$ table where every cell contains the number of pairs $(a, b)$ that meet the following equation:
$$LAT_S(a, b) = \#\{x \in \mathbb{F}_2^n : a \cdot x = b \cdot S(x)\},$$
where the $\cdot$ operation is the inner product.
This table shows how many equations reach a linear approximation of the S-box using two masks ($a, b$). The bias of a linear approximation is then [32]:
Definition 7.
Bias of the linear approximations: This table is obtained using the LAT:
$$\epsilon(a, b) = \frac{LAT_S(a, b)}{2^n} - \frac{1}{2}$$
The smaller the values of the LAT and bias, the stronger the resistance to linear attacks.
We proceed to define concepts related to nonlinearity (NL). The NL of the S-box is measured using the Walsh-Hadamard transform of a vector Boolean function [64] that is defined as:
Definition 8.
Walsh-Hadamard transform: Let $S$ be an S-box, $a \in \mathbb{F}_2^n$, and $b \in \mathbb{F}_2^m$; then, this transform is defined as
$$W_S(a, b) = \sum_{x \in \mathbb{F}_2^n} (-1)^{b \cdot S(x) \oplus a \cdot x}$$
This transform allows us to know the relation between the inputs and outputs of the S-box by using linear approximations ($a, b$). Then, NL is defined as:
Definition 9.
Nonlinearity (NL): The NL of an S-box $S$ is calculated using the maximum value of the Walsh-Hadamard transform of a vector Boolean function. The value of this property means the minimum Hamming distance between the set of its nontrivial components and the set of all affine functions.
$$NL(S) = 2^{n-1} - \frac{1}{2} \max W_S(a, b)$$
The higher the NL value, the greater the resistance to linear attacks. In [65], Nyberg proved the relation between Linearity (L) and NL properties:
$$NL(S) = 2^{n-1} - \frac{1}{2} L(S)$$
Thus, the L property is defined as [65]:
Definition 10.
Linearity (L): The linearity of an S-box S is the maximum relation (maximum linearity) between its inputs and its outputs:
$$L(S) = \max_{a \in \mathbb{F}_2^n,\ 0 \neq b \in \mathbb{F}_2^m} |(W_S(a, b))|$$
In consequence, the probability of this linear approximation (LAP) is:
$$LAP(S) = \frac{L(S)}{2^{n+1}}$$
In [32], Bao et al. introduce a relation between the Walsh transform and the bias:
$$W_S(a, b) = 2^{n+1} \cdot \epsilon(a, b)$$
This relationship allows the authors to obtain the LAT using the coefficients of W S , rather than relying on the formal definition of the LAT. In their software (PEIGEN), L is defined as follows:
Definition 11.
Linearity in PEIGEN: The linearity of an S-box S computed in this tool is the maximum value of the LAT:
$$L(S) = \max_{a, b \neq 0} (LAT_S(a, b))$$
The reader should not forget that in this case the maximum value is obtained using the table $W_S(a, b)$.
We can observe that the steps to compute L, NL, and even the LAT are similar to those used for determining the DU in Algorithm 1, as they all involve computing an equation (or evaluating a condition, in the case of the LAT) across all values of the variables $a \in \mathbb{F}_2^n$ and $b \in \mathbb{F}_2^m$. Therefore, the key is to modify the core of Algorithm 1 (specifically line 6) and adjust it to obtain the L (or NL).
To illustrate the values of the properties against linear attacks, we present the L and NL values of the TWINE S-box. The LAT of the S-box is presented in Table 5 (using PEIGEN). Observing that $a, b \neq 0$, we find that the maximum value of the LAT (L) is 8 (using Definition 11). Using (8), we can obtain the NL of this S-box, which is $NL(S) = 2^{4-1} - \frac{1}{2} \cdot 8 = 2^3 - 4 = 8 - 4 = 4$.
Table 6 shows the LAT values computed using SageMath. Although the two LAT tables (Table 5 and Table 6) display different values, they follow the relation:
$$LAT_{S\_PEIGEN}(a, b) = 2\,|LAT_{S\_SageMath}(a, b)|$$
Appendix B provides a detailed explanation of this relationship.
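Definitions 6 to 11 computed for the TWINE S-box, as an added example that is not part of the original article. It also goes one step beyond the article's algorithms by computing the Walsh table with a fast Walsh-Hadamard transform and checking it against the direct definition; `signed_lat` and `abs_walsh` are this example's names for the two table conventions related by the equation above, and neither PEIGEN nor SageMath is invoked.

```python
# TWINE S-box lookup table (Table 3 of the article).
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]


def parity(v):
    """Parity of the set bits of v; parity(a & x) is the inner product a.x."""
    return bin(v).count("1") & 1


def lat_counts(sbox, n, m):
    """Definition 6: number of x with a.x == b.S(x)."""
    size = 1 << n
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(size))
             for b in range(1 << m)] for a in range(size)]


def bias_table(counts, n):
    """Definition 7: LAT(a, b) / 2^n - 1/2."""
    return [[c / (1 << n) - 0.5 for c in row] for row in counts]


def walsh_naive(sbox, n, m):
    """Definition 8: sum over x of (-1)^(b.S(x) xor a.x)."""
    size = 1 << n
    return [[sum(1 - 2 * (parity(b & sbox[x]) ^ parity(a & x))
                 for x in range(size))
             for b in range(1 << m)] for a in range(size)]


def walsh_fast(sbox, n, m):
    """Same table via a fast Walsh-Hadamard transform of each component b.S."""
    size = 1 << n
    table = [[0] * (1 << m) for _ in range(size)]
    for b in range(1 << m):
        col = [1 - 2 * parity(b & sbox[x]) for x in range(size)]
        h = 1
        while h < size:
            for start in range(0, size, 2 * h):
                for j in range(start, start + h):
                    u, v = col[j], col[j + h]
                    col[j], col[j + h] = u + v, u - v
            h *= 2
        for a in range(size):
            table[a][b] = col[a]
    return table


def linearity(walsh):
    """Definition 10: max |W(a, b)| over all a and all b != 0."""
    return max(abs(v) for row in walsh for v in row[1:])


def nonlinearity(walsh, n):
    """NL(S) = 2^(n-1) - L(S)/2."""
    return (1 << (n - 1)) - linearity(walsh) // 2


def lap(walsh, n):
    """LAP(S) = L(S) / 2^(n+1)."""
    return linearity(walsh) / (1 << (n + 1))


def signed_lat(counts, n):
    """Signed convention: count minus 2^(n-1), zero for an unbiased mask pair."""
    return [[c - (1 << (n - 1)) for c in row] for row in counts]


def abs_walsh(walsh):
    """Absolute convention: |W(a, b)|."""
    return [[abs(v) for v in row] for row in walsh]


if __name__ == "__main__":
    w = walsh_fast(TWINE, 4, 4)
    print("L =", linearity(w), "NL =", nonlinearity(w, 4), "LAP =", lap(w, 4))
```
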

5.2.3. Resistance to Boomerang Attacks

Boomerang attacks (BAs) are considered an extension of DAs, as their main goal is to find differential characteristics by splitting the cipher (these attacks can be only applied to block ciphers) [4]. Figure 4 illustrates the general structure of these attacks in three steps:
(a) The adversary generates a message $M_1$ and derives a second message $M_2$ using a difference $a$. Then both messages are encrypted.
(b) Using the encrypted outputs of Step 1 and a new difference $b$, the adversary constructs messages $E_3$ and $E_4$. Then, he gets $M_3$ and $M_4$ by using $D$ (the inverse of $C$).
(c) Finally, the adversary analyzes the resulting differences, aiming to find a high probability of the event $P[M_3 \oplus M_4 = a]$.
BAs analyze the interaction of differential characteristics between the encryption and decryption processes. This is the reason why these attacks divide the cipher into three parts. Figure 5 illustrates this division, where the $C_m$ part represents an S-box layer. This layer plays an important role, as the adversary must determine the probability of differential characteristic interactions (Boomerang Switch) using BCT [23] or FBCT [24] tools. These tools are defined as follows:
Definition 12.
Boomerang Connectivity Table: Let $S$ be an S-box, where $S: \{0,1\}^n \rightarrow \{0,1\}^n$ and $a, b \in \mathbb{F}_2^n$. Then every cell of BCT contains the number of pairs that meet the following equation:
$$BCT_S(a, b) = \#\{x \in \mathbb{F}_2^n : S^{-1}(S(x) \oplus b) \oplus S^{-1}(S(x \oplus a) \oplus b) = a\}.$$
Definition 13.
Feistel Boomerang Connectivity Table: Let $S$ be an S-box, where $S: \{0,1\}^n \rightarrow \{0,1\}^m$ and $a, b \in \mathbb{F}_2^n$. Then every cell of FBCT contains the number of pairs that meet the following equation:
$$FBCT_S(a, b) = \#\{x \in \mathbb{F}_2^n : S(x) \oplus S(x \oplus a) \oplus S(x \oplus b) \oplus S(x \oplus a \oplus b) = 0\}.$$
The lowest values in these tables indicate greater resistance to BAs. However, from a design perspective, the choice between BCT and FBCT is not optional but dictated by the cipher structure. Specifically, if the cipher requires the inverse of the S-box for decryption, the BCT tool must be used. Otherwise, if the same S-box is used for both encryption and decryption, the FBCT table should be applied.
Similar to the DDT, we can determine the maximum value of these tables (uniformity), which should be low. The uniformity of BCT and FBCT is defined as follows [23,24]:
Definition 14.
Boomerang uniformity (BU): The BU of an S-box $S$ is the highest value of BCT without considering the row and the column of index 0:
$$BU(S) = \max_{ab \neq 0} (BCT_S(a, b)).$$
Definition 15.
Feistel boomerang uniformity (FBU): The FBU of an S-box $S$ is the maximum value of FBCT excluding entries where the row or column index is 0, or where the row and column indices are equal.
$$FBU(S) = \max_{ab(a+b) \neq 0} (FBCT_S(a, b)).$$
In addition, similar to MDP, we can determine the probability of the boomerang effect [24]:
Definition 16.
Probability of the boomerang switch over a round (PBSR): The PBSR of an S-box $S$ is the division of:
$$\frac{U_n(S)}{2^n},$$
where $U_n$ is $BU(S)$ or $FBU(S)$, as appropriate.
Algorithm 1 can also be used to describe the steps to compute the BU and FBU of an S-box. The steps for computing these properties and DU are similar, differing only in the equation (or condition) used in line 6 and in the considerations for obtaining the maximum value of the table.
Table 7 and Table 8 show the BCT and FBCT values for the S-box of TWINE. The BU and FBU values of this S-box are 6 and 4. It is important to note that the FBU property and the FBCT tool are the appropriate elements to evaluate the TWINE S-box, as this cipher does not require the inverse of the S-box. If the designer does not take this into account, it may lead to a misunderstanding regarding the security level, as the probability of a boomerang switch over a round differs in both cases. For instance, computing this probability using BU gives $PBSR(S) = \frac{BU(S)}{2^n} = \frac{6}{16}$, whereas using FBU results in $PBSR(S) = \frac{FBU(S)}{2^n} = \frac{4}{16}$.
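Definitions 12 to 16 as code for the TWINE S-box, an added example that is not part of the original article. It builds both tables and shows how the choice between BU and FBU changes the reported PBSR; the function names are this example's own.

```python
# TWINE S-box lookup table (Table 3 of the article).
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]


def inverse_sbox(sbox):
    """Inverse LUT; the BCT is only defined for a bijective S-box."""
    if sorted(sbox) != list(range(len(sbox))):
        raise ValueError("BCT needs a permutation; use the FBCT otherwise")
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def bct(sbox, n):
    """Definition 12: #x with S^-1(S(x)^b) ^ S^-1(S(x^a)^b) == a."""
    inv = inverse_sbox(sbox)
    size = 1 << n
    return [[sum((inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b]) == a
                 for x in range(size))
             for b in range(size)] for a in range(size)]


def fbct(sbox, n):
    """Definition 13: #x with S(x)^S(x^a)^S(x^b)^S(x^a^b) == 0."""
    size = 1 << n
    return [[sum((sbox[x] ^ sbox[x ^ a] ^ sbox[x ^ b] ^ sbox[x ^ a ^ b]) == 0
                 for x in range(size))
             for b in range(size)] for a in range(size)]


def boomerang_uniformity(table):
    """Definition 14: maximum entry outside row 0 and column 0."""
    size = len(table)
    return max(table[a][b] for a in range(1, size) for b in range(1, size))


def feistel_boomerang_uniformity(table):
    """Definition 15: also skip the diagonal a == b, which is always 2^n."""
    size = len(table)
    return max(table[a][b] for a in range(1, size) for b in range(1, size)
               if a != b)


def pbsr(uniformity, n):
    """Definition 16: U_n(S) / 2^n."""
    return uniformity / (1 << n)


if __name__ == "__main__":
    bu = boomerang_uniformity(bct(TWINE, 4))
    fbu = feistel_boomerang_uniformity(fbct(TWINE, 4))
    print("BU =", bu, "PBSR =", pbsr(bu, 4))
    print("FBU =", fbu, "PBSR =", pbsr(fbu, 4))
```
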

5.2.4. Resistance to Algebraic Attacks

Algebraic attacks (AAs) aim to recover the secret key by exploiting the algebraic properties of the cipher [5]. Figure 6 illustrates the general form of these attacks:
(a) The adversary attempts to describe the cipher using a system of simple equations ($f_C$) based on the plaintext ($M$), ciphertext ($E$), and secret key ($sk$).
(b) The adversary tries to solve this system to extract the secret key, using known plaintext/ciphertext pairs ($M_i, E_i$).
Since the S-box $S$ is a nonlinear function used to describe the system $f_C$, the algebraic degree of $S$ should be high to enhance security, as this forces the adversary to solve a system of equations of the same degree.
It is well known that an S-box S can be represented as a polynomial using the algebraic normal form (ANF) [60], which is defined as:
Definition 17.
Algebraic normal form (ANF): It is a representation of an S-box $S$ by an $n$-variable polynomial:
$$ANF(S) = \bigoplus_{i \in \mathbb{F}_2^n} a_i \prod_{j=0}^{n-1} x_j^{i_j}$$
Then, the algebraic degree is obtained by using the ANF of an S-box.
Definition 18.
Algebraic degree (AD): The AD of $S$ is the global degree of its ANF and is defined as:
$$AD(S) = \max\{HW(i) \mid i \in \mathbb{F}_2^n,\ 0 \neq a_i \in \mathbb{F}_2^m \text{ in } ANF(S)\},$$
where HW is the Hamming Weight.
Deriving the ANF and AD of the TWINE S-Box
In this section, a procedure for obtaining the ANF of the TWINE S-box is introduced by using the Möbius matrix. The process is summarized in Algorithm 3.
The ANF expresses a Boolean function as a sum (using XOR, denoted by ⊕) of products (ANDs) of input variables. In other words, it represents the function as a combination such as:
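$$1 \oplus x_1 \oplus x_2 \oplus \dots \oplus x_n \oplus x_1 x_2 \oplus \dots \oplus x_1 x_n \oplus \dots \oplus x_1 x_2 \dots x_n$$
However, to know what addends will be in the ANF, each addend is multiplied by a coefficient $a_i$. For a vectorial Boolean function, the coefficient is a vector $a_i \in \mathbb{F}_2^m$, whereas for a Boolean function the coefficient is a bit $a_i \in \{1, 0\}$. The procedure begins with the introduction of the following definition [66]:
Definition 19.
Möbius Matrix: It is a $2^n \times 2^n$ matrix, denoted by $T_n$, and is recursively defined as: $T_n = \begin{bmatrix} T_{n-1} & T_{n-1} \\ 0 & T_{n-1} \end{bmatrix}$ where $T_0 = [1]$.
To obtain the coefficients of a $4 \times 4$ S-box, the $T_4$ Möbius transform is required. This is referenced in Algorithm 3 as Step 1.
$$T_4 = \left[\begin{array}{cccccccccccccccc}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 \\
0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{array}\right]$$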
Also, the values of the S-box are converted into a bit-slice matrix, where each output bit of the S-box is placed in a separate column of the matrix (Step 2 of Algorithm 3).
$$B_{Sbox} = \left[\begin{array}{cccccccccccccccc}
0 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 1 & 1 & 0 \\
1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 1 & 1 \\
1 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0
\end{array}\right]$$
Then, we multiply $B_{Sbox} \times T_4$, and the result is:
$$B_{ANF} = \left[\begin{array}{cccccccccccccccc}
0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 0 \\
1 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 1 & 0 & 1 & 0 & 0 & 0 \\
1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 0
\end{array}\right]$$
Each column of $B_{ANF}$ is a coefficient $a_i$, thus the ANF of the TWINE S-box is:
$$\begin{aligned} & (0011)1 \oplus (0011)x_0 \oplus (1100)x_1 \oplus (1001)x_0x_1 \oplus (0111)x_2 \oplus (1010)x_0x_2 \oplus (0001)x_1x_2 \oplus (0011)x_0x_1x_2 \\ & \oplus (0010)x_3 \oplus (1110)x_0x_3 \oplus (0110)x_1x_3 \oplus (0001)x_0x_1x_3 \oplus (1110)x_2x_3 \oplus (1000)x_0x_2x_3 \oplus (0101)x_1x_2x_3 \oplus (0000)x_0x_1x_2x_3 \end{aligned}$$
Following Definition 18, the AD is the maximum HW of $i \in \mathbb{F}_2^4$ for which $a_i \neq 0$. In this case, the maximum degree is determined by the term $(0101)x_1x_2x_3$, which is 3. Moreover, using this ANF, we can determine the $m = 4$ coordinates of this S-box by multiplying the corresponding bit of the $a_i$ coefficients with each term. For example, for the coordinate $y_0$, the leftmost bit of each coefficient is multiplied by every term in the ANF. Therefore, we get the coordinates $y_0$, $y_1$, $y_2$ and $y_3$:
$$y_0 = x_1 \oplus x_0x_1 \oplus x_0x_2 \oplus x_0x_3 \oplus x_2x_3 \oplus x_0x_2x_3$$
$$y_1 = x_1 \oplus x_2 \oplus x_0x_3 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_2x_3$$
$$y_2 = 1 \oplus x_0 \oplus x_2 \oplus x_0x_2 \oplus x_0x_1x_2 \oplus x_3 \oplus x_0x_3 \oplus x_1x_3 \oplus x_2x_3$$
$$y_3 = 1 \oplus x_0 \oplus x_0x_1 \oplus x_2 \oplus x_1x_2 \oplus x_0x_1x_2 \oplus x_0x_1x_3 \oplus x_1x_2x_3$$
Algorithm 3 Algebraic Degree Computation
Require: int $n$, $m$, S-box $S$
Ensure: int $AD$
1: $Initialize(T_n)$
2: $B_S = Convert\_Bit\_Slice(S)$
3: $B_{ANF} = B_S \times T_n$
4: $ANF = Get\_ANF(B_{ANF})$
5: $AD = get\_Max_{0 \neq a_i \in \mathbb{F}_2^m}(ANF)$
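Algorithm 3 carried out on the TWINE S-box, as an added example that is not part of the original article. It follows the matrix route ($B_S \times T_n$ over $\mathbb{F}_2$), cross-checks it against the in-place butterfly form of the Möbius transform (a generalization not shown in the article), and evaluates the resulting ANF back into the LUT; the function names and the affine test S-box are this example's own.

```python
# TWINE S-box lookup table (Table 3 of the article).
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]


def mobius_matrix(n):
    """T_n built from T_0 = [1] with T_n = [[T, T], [0, T]] (Definition 19)."""
    t = [[1]]
    for _ in range(n):
        zeros = [0] * len(t)
        t = [row + row for row in t] + [zeros + row for row in t]
    return t


def bit_slice(sbox, m):
    """Row j holds output bit j (row 0 = least significant) of S(0..2^n-1)."""
    return [[(y >> j) & 1 for y in sbox] for j in range(m)]


def anf_matrix(sbox, n, m):
    """B_ANF = B_S x T_n with arithmetic modulo 2."""
    size = 1 << n
    t = mobius_matrix(n)
    bs = bit_slice(sbox, m)
    return [[sum(bs[j][r] & t[r][c] for r in range(size)) & 1
             for c in range(size)] for j in range(m)]


def anf_coefficients(sbox, n, m):
    """Column c of B_ANF packed into an integer a_c (bit j = row j)."""
    banf = anf_matrix(sbox, n, m)
    return [sum(banf[j][c] << j for j in range(m)) for c in range(1 << n)]


def anf_coefficients_fast(sbox, n):
    """In-place Moebius transform: n passes of XOR butterflies over the LUT."""
    coeffs = list(sbox)
    for j in range(n):
        for x in range(1 << n):
            if (x >> j) & 1:
                coeffs[x] ^= coeffs[x ^ (1 << j)]
    return coeffs


def algebraic_degree(coeffs):
    """Definition 18: max HW(i) over monomials with a nonzero coefficient."""
    return max((bin(i).count("1") for i, a in enumerate(coeffs) if a), default=0)


def coordinate_degrees(coeffs, m):
    """Degree of each coordinate function y_j taken on its own."""
    return [max((bin(i).count("1") for i, a in enumerate(coeffs) if (a >> j) & 1),
                default=0) for j in range(m)]


def evaluate_anf(coeffs, x):
    """S(x) is the XOR of a_i over all monomials i whose variables are set in x."""
    acc = 0
    for i, a in enumerate(coeffs):
        if i & x == i:
            acc ^= a
    return acc


def article_notation(coeffs, m):
    """Coefficients as bit strings with row 0 (least significant bit) first."""
    return [format(a, "0{}b".format(m))[::-1] for a in coeffs]


if __name__ == "__main__":
    coeffs = anf_coefficients(TWINE, 4, 4)
    print(article_notation(coeffs, 4))
    print("AD =", algebraic_degree(coeffs))
```
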
Other properties related to this type of attack evaluate the algebraic immunity of an S-box. Algebraic immunity measures an S-box’s resistance to AAs through transformations, even if the S-box exhibits high AD values [53]. Generally, the objective of these transformations is to find a function $g$ with a degree lower than $AD(S)$ such that $g(S) = 0$. If there is a function $g$ with these features, finding a solution for $g(S) = 0$ would be easier than solving $S = 0$, and this solution could also be a valid solution for $S$.
Different properties can measure this resistance; however, they are specific to certain cryptographic primitives. Algebraic immunity (AI) is exclusive to S-boxes used in stream ciphers [67], whereas graph algebraic immunity (GAI) [68] and degree-rank 2 (Dr2) [22] are specific to S-boxes used in block ciphers.
Among the properties related to AAs, the AD is fundamental, as it reflects the complexity of solving the system $S = 0$. A low AD makes it easier to solve the system, while a high AD increases computational difficulty. However, AD alone does not guarantee resistance, since transformations can reduce the degree of the nonlinear function. Properties such as AI, GAI, and Dr2 capture this aspect: AI and GAI assess the resistance of S-boxes by considering the degree of transformed functions, while Dr2 measures the number of linearly independent equations in the transformed system $g(S) = 0$, revealing potential vulnerabilities even when AD is high.

5.2.5. Highlights on Confusion Properties

In summary, the main highlights of this subsection are that these attacks can identify patterns to produce distinguishers and potentially recover the secret key. The attacks exploit the S-box in different ways: DAs propagate differential patterns through the S-box; BAs propagate these patterns through the S-boxes of both the encryption and decryption processes; LAs approximate the S-box as a linear component; and AAs model the S-box as a system of equations to solve it. Therefore, it is essential to assess the security level of this nonlinear component to mitigate these vulnerabilities. This security level is determined by the values of various properties related to confusion. Section 5.4 (Relation Among Attacks, Property and Optimal Values) summarizes the values that an S-box should achieve to be considered secure against these attacks.
Additionally, this subsection presents algorithms to compute the S-box properties for analysis and evaluation purposes rather than for large-scale deployment. For clarity, the DDT computation can be implemented more efficiently with complexity $O(2^{2n})$, while the other tables (e.g., LAT, BCT, FBCT) follow similar patterns to the naive DDT implementation (Algorithm 1) and still grow exponentially with $n$ ($O(2^{3n})$). These algorithms are practical for small S-boxes (e.g., $n \leq 8$), while larger dimensions require substantially more computational time and memory, highlighting scalability limitations.

5.3. Diffusion Properties: Resistance to Differential and Linear Attacks

The idea behind these properties is to enhance security when an adversary complements a single bit, that is, inverts its value (e.g., changing a 1 to 0 or vice versa), between two otherwise similar messages. In such cases, the cipher should produce two distinct ciphertexts. However, this goal cannot be achieved using only the S-box. Figure 7 illustrates the limited diffusion provided by an S-box when encrypting two 16-bit messages ($M_1$ and $M_2$) that differ by just one bit (the least significant bit). We assume that the cipher applies a layer of four identical S-boxes, each corresponding to the TWINE S-box and computed in parallel. After this operation, the substituted bits remain the same in both cases, except for the last four bits (where the input difference occurred). This example shows that the diffusion achieved by the S-box alone is limited and must be reinforced by linear layers, such as bit permutation, to attain full diffusion.
Despite the limited diffusion that an S-box can provide, some designs propose specific properties for this component in relation to the diffusion layer, such as SAC [69], CarD1 [25], and CarL1 [70]. This subsection explains these properties.

5.3.1. Strict Avalanche Criterion (SAC)

This property establishes two main conditions. First, if an input bit of an S-box is complemented, then, on average, half of the output bits should change (the avalanche effect). Second, each output bit of the S-box must depend on all of the input bits (completeness principle). Thus, the strict avalanche criterion (SAC) [69] is defined as:
Definition 20.
Strict avalanche criterion (SAC): An S-box $S: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^m$ satisfies SAC if, when a single input bit is complemented, each output bit changes with a probability of $0.5$. Moreover, for all $i$ ($1 \leq i \leq n$) the following equation holds:
$$\sum_{x \in \mathbb{F}_2^n} S(x) \oplus S(x \oplus C_i^n) = (2^{n-1}, 2^{n-1}, \dots, 2^{n-1}),$$
where $C_i^n$ is an $n$-dimensional vector with HW equal to 1 at the $i$th position, and the summation ($\sum$) of the vectors is performed component-wise over the integers ($\mathbb{Z}^m$).
It can be observed that this definition counts the number of output bits that change when a single input bit is complemented. This behavior is captured in the expression $S(x) \oplus S(x \oplus C_i^n)$, which compares the S-box output for input $x$ with the output for a modified input where only the $i$-th bit of $x$ has been flipped. The result of this XOR operation is a vector in $\mathbb{F}_2^m$ indicating which output bits differ. These vectors are then summed over all $x \in \mathbb{F}_2^n$, using component-wise addition over the integers. The sum accumulates the number of times each output bit changes in response to flipping the $i$-th input bit. Finally, the resulting vector is compared to $(2^{n-1}, 2^{n-1}, \dots, 2^{n-1})$ (a vector of dimension $m$). If this equality holds for every input bit position $i$, the S-box satisfies the SAC. Algorithm 4 summarizes the procedure described above.
Different works, such as that of Tong et al. [22], only report whether the S-box satisfies the SAC or not. Others attempt to introduce a quantitative measure that indicates how close the S-box is to satisfying SAC [20]. In the latter case, the optimal value is $0.5$, which can be obtained by averaging the result vector from (31) and dividing by $n 2^n$. We define this value as:
Definition 21.
Quantitative Measure of SAC Compliance ($SAC_{QM}$):
$$SAC_{QM}(S) = \frac{avg(S(x) \oplus S(x \oplus C_i^n))}{n 2^n},$$
where $avg$ is the average of the result vector.
Algorithm 4 Strict Avalanche Criterion
Require: int $n$, $m$, S-box $S$
Ensure: double $SAC_{QM}$
1: $Initialize(cont[m])$
2: for $x \leftarrow 0$ to $2^n - 1$ do
3:     for $c \leftarrow 0$ to $2^n - 1$ do
4:        if $HW(c) == 1$ then
5:            $cont = cont + S(x) \oplus S(x \oplus c)$
6:        end if
7:     end for
8: end for
9: $SAC_{QM} = \frac{avg(cont)}{n 2^n}$
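Definitions 20 and 21 and Algorithm 4 as code, an added example that is not part of the original article. It keeps the per-input-bit count vectors separate before averaging, so the strict check, the completeness principle and $SAC_{QM}$ can be compared on the same data; `IDENTITY` is a constructed linear S-box used only as a contrast, and the function names are this example's own.

```python
# TWINE S-box lookup table (Table 3 of the article).
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]

# Constructed contrast case: the identity map, a purely linear 4x4 "S-box".
IDENTITY = list(range(16))


def sac_counts(sbox, n, m):
    """counts[i][j] = number of x for which flipping input bit i flips output bit j."""
    counts = []
    for i in range(n):
        flip = 1 << i
        vec = [0] * m
        for x in range(1 << n):
            diff = sbox[x] ^ sbox[x ^ flip]
            for j in range(m):
                vec[j] += (diff >> j) & 1
        counts.append(vec)
    return counts


def satisfies_sac(counts, n):
    """Definition 20: every count vector equals (2^(n-1), ..., 2^(n-1))."""
    return all(c == 1 << (n - 1) for vec in counts for c in vec)


def is_complete(counts):
    """Completeness: every output bit depends on every input bit."""
    return all(c > 0 for vec in counts for c in vec)


def sac_qm(counts, n):
    """Algorithm 4: average of the summed vector, divided by n * 2^n."""
    m = len(counts[0])
    cont = [sum(vec[j] for vec in counts) for j in range(m)]
    return (sum(cont) / m) / (n * (1 << n))


def worst_deviation(counts, n):
    """Largest distance of any single flip probability from 0.5."""
    return max(abs(c / (1 << n) - 0.5) for vec in counts for c in vec)


if __name__ == "__main__":
    for name, sbox in (("TWINE", TWINE), ("IDENTITY", IDENTITY)):
        counts = sac_counts(sbox, 4, 4)
        print(name, counts)
        print("  SAC:", satisfies_sac(counts, 4),
              "complete:", is_complete(counts),
              "SAC_QM:", sac_qm(counts, 4),
              "worst deviation:", worst_deviation(counts, 4))
```

Because $SAC_{QM}$ averages over all input and output bits, it is worth reading it together with the individual count vectors, which show where the deviation from $2^{n-1}$ actually sits.
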

5.3.2. CarD1 and CarL1

Block ciphers can achieve the diffusion principle by employing linear layers. One of the simplest approaches is the use of a bit permutation layer [36]:
Definition 22.
Bit permutation layer: This layer permutes every bit of the cipher state. For instance, bit $i$ is moved to position $P(i)$.
This kind of layer is efficient for hardware implementation [10,36]; however, it may introduce vulnerabilities to differential and linear attacks. Figure 8 illustrates a potential problem when an adversary encrypts two messages ($M_1$ and $M_2$) that differ by a single bit (the least significant bit). The adversary’s goal is to identify distinguishers by detecting patterns in the S-box and the bit permutation. To do this, the adversary attempts to trace a difference through the cipher using $M_1$, $M_2$, and the DDT of the S-box. As in the previous example, we use four identical S-boxes, each corresponding to those used in the TWINE cipher. However, in this example, we also employ a bit permutation layer, as described in Table 9.
When the adversary analyzes the DDT (see Table 4) of the S-box, it finds that two input values satisfy the one-bit difference condition for $a = 1$ and $b = 2$ (i.e., $DDT_S[1, 2] = 2$). It determines that this occurs when the S-box input is $10 = 1010$ and $14 = 1110$. The adversary chooses $x = 14$ and constructs two messages, $M_1 = 1100\,1001\,1111\,1110$ and $M_2 = 1100\,1001\,1111\,1111$, which differ by a single bit (note that the last four bits of $M_1$ correspond to the number 14).
In Figure 8, $B_{1,2}$ shows the difference between the two messages as they pass through each component of the cipher. Initially, the two inputs differ in the last bit, $B_{1,2} = 0000\,0000\,0000\,0001$. After processing through the S-boxes, the established difference of one bit remains unchanged: $B_{1,2} = 0000\,0000\,0000\,0010$. Note that the initial difference corresponds to $a = 1 = 0001$, and the difference after the first layer of the S-boxes corresponds to $b = 2 = 0010$. The adversary exploits this vulnerability found in the S-box DDT and attempts to preserve this difference through the subsequent components.
It can be observed that the difference persists even after applying the BPL: $B_{1,2} = 0000\,0010\,0000\,0000$. However, after a second round of S-box processing, the difference expands to two bits: $B_{1,2} = 0000\,0011\,0000\,0000$. This indicates that the diffusion of differences relies primarily on the S-box. Since the adversary aims to preserve the same difference across multiple rounds, the BPL alone is insufficient (it cannot increase the number of differing bits); it merely repositions them. Therefore, it is the role of the S-box to disrupt the difference. In other words, the S-box must increase the number of active S-boxes (i.e., S-boxes receiving a nonzero input difference).
In the example shown in Figure 8, at least three out of four S-boxes remain inactive. One way to enhance the security of the cipher is to increase the number of difference bits using the S-box. Thus, the cells of the $DDT(a, b)$ where both $a$ and $b$ have Hamming weight one should contain a zero. This means that the S-box should not allow one-bit differences to map to one-bit differences. Instead, it must produce at least a two-bit difference, which increases the likelihood of activating at least two S-boxes in the next round.
The CarD1 property evaluates the difference propagation of an S-box when the cipher includes a BPL, and is defined as follows [25]:
Definition 23.
CarD1: Let $a \in \mathbb{F}_2^n$ be a nonzero input difference and $b \in \mathbb{F}_2^n$ be a nonzero output difference (generally $n = 4$). Then, CarD1 denotes the number of nonzero entries in the DDT for which both $a$ and $b$ have Hamming weight equal to 1, as follows:
$$CarD1(S) = \#\{DDT(a, b) \mid HW(a) = HW(b) = 1 \text{ and } DDT(a, b) \neq 0\}.$$
Smaller values of this property indicate greater resistance to differential attacks, and the optimal value is 0.
It is worth mentioning that the TWINE S-box was not designed for this type of cipher. Its value in $CarD1(S)$ is equal to 5. In contrast, the Serpent S-boxes [10] offer a more secure alternative against this kind of attack, as they achieve a CarD1 value of 0 (Serpent cipher uses a BPL). Table 10 shows the LUT of Serpent’s S-box $S_0$, whereas Table 11 presents its DDT. It can be observed that when $a = b$ and both are equal to 1, 2, 4, or 8 (i.e., when the HW of $a$ is 1), the corresponding DDT entry $DDT(a, b)$ is equal to 0.
Figure 9 presents the same attack scenario as in Figure 8, but using Serpent $S_0$ as the S-box. It is evident that, while the first case (Figure 8) maintains either the same or a small difference, the second case (Figure 9) exhibits an increasing difference with each round of S-box processing. Moreover, the BPL positions the 1-bits in a way that activates more S-boxes in the next round, enhancing diffusion.
Similar to CarD1, there is another property used to evaluate the resistance of an S-box in a cipher that includes a BPL, called CarL1. It is defined as follows [25]:
Definition 24.
CarL1: Let $a$ and $b$ be linear masks; then, CarL1 contains the cardinality of
$$CarL1(S) = \#\{LAT_S(a, b) \mid HW(a) = HW(b) = 1 \text{ and } LAT_S(a, b) \neq 0\}.$$
Additionally, smaller values of this property indicate greater resistance to linear attacks, as they imply a lower probability of finding a linear approximation using only one input and one output bit. The optimal value is 0.
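Definitions 23 and 24 applied to the two S-boxes discussed above, as an added example that is not part of the original article. Instead of only counting, it lists the one-bit to one-bit transitions that a designer would want to remove. It assumes that "$LAT_S(a, b) \neq 0$" is read in the signed convention (agreement count minus $2^{n-1}$, so 0 means an unbiased approximation); the Serpent $S_0$ LUT is the standard one that the article gives in Table 10, and the function names are this example's own.

```python
# TWINE S-box lookup table (Table 3 of the article).
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]

# Serpent S-box S0 (Table 10 of the article).
SERPENT_S0 = [0x3, 0x8, 0xF, 0x1, 0xA, 0x6, 0x5, 0xB,
              0xE, 0xD, 0x4, 0x2, 0x7, 0x0, 0x9, 0xC]


def one_bit_differentials(sbox, n, m):
    """All (a, b, DDT(a, b)) with HW(a) = HW(b) = 1 and DDT(a, b) != 0."""
    hits = []
    for i in range(n):
        for j in range(m):
            a, b = 1 << i, 1 << j
            count = sum((sbox[x] ^ sbox[x ^ a]) == b for x in range(1 << n))
            if count:
                hits.append((a, b, count))
    return hits


def one_bit_linear(sbox, n, m):
    """All (a, b, c) with single-bit masks and signed count c != 0.

    c = #{x : bit i of x == bit j of S(x)} - 2^(n-1) (assumed signed convention).
    """
    size = 1 << n
    hits = []
    for i in range(n):
        for j in range(m):
            agree = sum(((x >> i) & 1) == ((sbox[x] >> j) & 1)
                        for x in range(size))
            signed = agree - size // 2
            if signed:
                hits.append((1 << i, 1 << j, signed))
    return hits


def card1(sbox, n, m):
    """Definition 23: number of nonzero one-bit to one-bit DDT entries."""
    return len(one_bit_differentials(sbox, n, m))


def carl1(sbox, n, m):
    """Definition 24 under the signed-LAT assumption stated above."""
    return len(one_bit_linear(sbox, n, m))


if __name__ == "__main__":
    for name, sbox in (("TWINE", TWINE), ("Serpent S0", SERPENT_S0)):
        print(name, "CarD1 =", card1(sbox, 4, 4),
              "transitions:", one_bit_differentials(sbox, 4, 4))
        print(name, "CarL1 =", carl1(sbox, 4, 4),
              "approximations:", one_bit_linear(sbox, 4, 4))
```
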

5.3.3. Highlights on Diffusion Properties

For this subsection, the main highlights are that, in certain cases (generally when the cipher uses a BPL), the S-box contributes to the diffusion principle. The examples in this subsection show that even if the S-box achieves a good SAC, it may produce only limited diffusion. However, when the cipher incorporates a BPL, it should reach low values in CarD1 and CarL1 to help dissipate differential characteristics.

5.4. Relation Among Attacks, Property and Optimal Values

The main purpose of this subsection is to provide an overview of the previous ones by establishing the relationship between the S-box properties and attacks, including the property values that enable an S-box to achieve a high level of security. To explain this relationship, it is necessary to introduce two important types of functions considered optimal for S-box design. The concepts related to the first type are defined as follows:
Definition 25.
Perfect Nonlinear (PN) S-boxes [71]: An S-box $S: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^m$ is perfect nonlinear if for every $a \in \mathbb{F}_2^n \setminus \{0\}$ and $b \in \mathbb{F}_2^m$, the following equation is satisfied: $DDT(a, b) = 2^{n-m}$.
However, PN S-boxes only exist when $n \geq 2m$, which implies that PN functions are not possible for permutation S-boxes (i.e., $n = m$). This limitation leads to the use of another class of functions for permutation (balanced) S-boxes [72]:
Definition 26.
Almost Perfect Nonlinear (APN) S-boxes: An S-box $S: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^n$ is APN if its $DU(S)$ is 2.
APN S-boxes exist when $n$ is odd. When $n$ is even, there are three relevant cases:
  • For $n = 4$, there is no APN S-box [15].
  • For $n = 6$, there are APN S-boxes [73].
  • For $n = 8$, it is still unknown whether there is an APN S-box.
The concepts related to the second type of optimal function are defined as follows:
Definition 27.
Bent functions (BN) [74]: An S-box $S: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^m$ is called Bent if for all $a \in \mathbb{F}_2^n$ and $b \in \mathbb{F}_2^m \setminus \{0\}$ the number of equations in every cell of $W_S(a, b)$ is $2^{n/2}$.
However, Bent functions are not balanced and only exist when the number of variables is even. As with the motivation behind APN functions (balanced S-boxes with low DU), an alternative known as almost bent functions was introduced. These functions aim to achieve near-optimal L while maintaining balance [26]:
Definition 28.
Almost Bent (AB) S-boxes: An S-box $S: \mathbb{F}_2^n \rightarrow \mathbb{F}_2^n$ is called AB if $L(S) \leq 2^{(n+1)/2}$ and $NL(S) \geq 2^{n-1} - 2^{(n+1)/2 - 1}$.
AB functions exist only when $n$ is odd; the corresponding AB S-boxes are also APN, and the converse also holds.
Table 12 provides an overview of the relationships among S-box properties, attacks, and the acceptable or optimal values that designers may consider when constructing a nonlinear component for a block cipher. The first column lists all the properties (and probabilities) reviewed in this paper, and the second column presents the tools (typically equations/tables) used to compute each specific property. The third column identifies the attacks that each property helps to evaluate. As shown, providing resistance against a particular type of attack may require satisfying multiple properties. Furthermore, some properties, such as CarL1 and CarD1, are specific to certain ciphers that use a BPL. The fourth column indicates the target value that a property should achieve to ensure a high level of security. Finally, the last three columns show the optimal values for three specific cases: $n = 4$, $n = 8$, and the AB functions (APN functions with odd $n$).
For $n = 4$, there is no S-box that achieves all optimal values simultaneously, but several offer high security by meeting many of the target values. These include the S-boxes used in TWINE, RECTANGLE, SERPENT, and PRESENT, as well as those proposed by Tong et al. [22] and Li et al. [20].
Since the existence of an $8 \times 8$ APN S-box remains an open problem, the fifth column lists the best-known achievable values for this size, many of which correspond to the AES S-box. However, if an APN function existed for $n = 8$, the optimal values could be those shown in the seventh column.
While there is no strict order for selecting and computing security properties, it can be observed in the literature on S-boxes that designers often follow this high-level guideline to structure the evaluation process:
1. Determine the target S-box (structural properties) based on the cipher’s structure and application.
2. Evaluate classical properties related to linear, differential, and algebraic attacks.
3. Assess additional resistance against novel or cipher-specific attacks, such as boomerang or advanced algebraic attacks.
4. Consider conflicts among properties, recognizing that improving one property may degrade another.
5. Incorporate implementation constraints, including hardware or software costs and efficiency considerations.
This paper places particular emphasis on structural properties, which determine the achievable security level of an S-box. As mentioned in Section 5.2, classical properties form the basis for resisting various attacks and are essential not only for block ciphers but also for other cryptographic primitives.

Highlights on Relation Between Attacks and S-Box Properties

For this subsection, it is important to recap that an S-box is a vectorial Boolean function, and two types of functions provide the best resistance to cryptographic attacks: the PN and BF functions. However, the size restrictions of S-boxes prevent these functions from being implemented directly. For this reason, it is necessary to reduce the security level to produce practical S-boxes that are bijective and have an even number of input and output bits. Considering this, Table 12 shows the optimal values of the properties that an ideal bijective S-box should achieve. However, conflicts exist between these properties, making it difficult to reach optimal values for all of them. The following Section provides more details on these conflicts.

6. Conflicts Among S-Box Properties

This section discusses the conflicts that influence the robustness of the S-box, which corresponds to the third question presented in Section 1.
An ideal S-box would be a perfectly nonlinear component in which the property values achieve the optimal or best-known values. However, this is impossible because there are conflicts in reaching these values. These constraints affect aspects of security, cost, and performance. In the context of an S-box, achieving a high-security level means that the property values must be close to their optimal values; cost refers to the memory or energy required by the device to implement the nonlinear component; and performance relates to the speed and latency involved in computing the S-box.
Figure 10 illustrates several conflicts related to S-box properties and other design considerations. The first set of bullets (a–d) highlights trade-offs between S-box properties in the pursuit of strong security. These trade-offs typically arise when two properties aim for optimal values, but improving one tends to degrade the other. The second set of bullets (e–i) presents compromises that affect security, cost, and performance, particularly when structural and implementation aspects are taken into account. A detailed description of these conflicts is presented below:
(a) Bijective vs. Non-bijective S-boxes: Bijective S-boxes are balanced and generally more secure than non-bijective ones [37]. Non-bijective S-boxes can only be used in ciphers that do not require the inverse of the component, such as Feistel constructions. However, non-bijective functions can achieve optimal NL values because they are not required to be balanced.
(b) High NL vs. balance: This is a classic trade-off [16]. Balanced S-boxes cannot achieve perfect NL; therefore, some proposals prioritize achieving balance while slightly compromising NL [10,15,41].
(c) CarL1 vs. DU: For a 4 × 4 S-box, the optimal DU value is 4, but in that case, CarL1 equals 2. If we aim for CarL1(S) = 1, then DU increases to 6. Furthermore, achieving CarL1(S) = 0 results in DU(S) = 16, which implies MDP(S) = 1 [70]. This trade-off extends one proposed by Zhang et al. in [25]. An optimal 4 × 4 S-box (S reaches balance, its DU is 4, and its L is 8 [15]) exhibits CarL1(S) ≥ 2.
(d) APN for bijective S-boxes when n is even: As previously mentioned, there is no APN S-box for n = 4, and for n = 8, the existence of such functions remains an open problem.
(e) Large vs. Small S-boxes: Large S-boxes offer higher security but consume more device resources. This effect can be observed in Table 12, which shows the MDP of an S-box with n = 4 compared to the MDP of an S-box with n = 8. Higher MDP values indicate a greater probability of finding differential distinguishers. However, storing a LUT or computing a large S-box requires significantly more memory and computational resources than a smaller S-box. A common recommendation for implementing small nonlinear components in ciphers is to increase the number of rounds [52], although this results in higher latency when processing the ciphertext.
(f) Dynamic vs. Static S-boxes: S-boxes with dynamic outputs offer improved security but require more resources, as a new S-box must be generated for each round [56]. This process may also introduce additional latency.
(g) CS S-boxes vs. Static S-boxes: Computed S-boxes (CS-boxes) do not require memory to store S-box values, whereas LUT-based S-boxes offer the best performance. Alternatively, hybrid solutions combine both approaches to achieve a good trade-off between cost and performance [75].
(h) Small L and DU vs. Less circuit area: Achieving small L and DU values requires greater circuit area usage [21].
(i) Single vs. Multiple S-boxes: Multiple S-boxes provide higher security levels by achieving greater diffusion within a round [76] and increased robustness against algebraic attacks [44]. However, implementing multiple S-boxes requires more device resources.
These are some of the conflicts a designer must consider when constructing an S-box. As more properties or implementation aspects are introduced, additional challenges arise, requiring the formulation of new trade-offs. This is another reason why the search for suitable S-boxes remains an important challenge.

7. Toolkits to Analyze S-Boxes

The reader has two options for evaluating an S-box. The first option is to implement their own algorithms to compute cryptographic properties. The second is to use existing toolkits available in the literature. This section presents three commonly used toolkits (PEIGEN [32], SageMath [63], and DLS [77]), together with an additional publicly available implementation, referred to here as ABS (“Block Cipher Testing”, version 1.0, M. Abrar, GitHub repository; https://github.com/abrari/block-cipher-testing, accessed on 26 November 2025), which supports the evaluation of S-boxes according to well-known cryptographic properties. It is important to clarify that, in this article, we use the term toolkit to refer to a software implementation of algorithms used to evaluate S-boxes. However, in the literature, this concept is sometimes referred to simply as a tool [32,59]. This can cause misunderstanding, as the term tool is also used in other works [24,77,78,79] (and in this paper) to describe the cryptographic properties or tables themselves.
PEIGEN (version 1.0, PEIGEN developers, online, Singapore/Japan) is a C++ platform (for Linux) designed to evaluate, search for, and generate nonlinear functions. SageMath (version 10.8, SageMath Inc., online, USA) for S-boxes is a Python-based framework that supports both the analysis and construction of S-boxes. DLS (version 2.0, FBU_FBDU_Sbox developers, online, Mexico) is a C++ (for Linux) toolkit aimed at evaluating S-boxes used in Feistel-based ciphers, with a focus on resistance to differential and boomerang attacks. Finally, ABS (version 1.0, M. Abrar, online, N/A) is a collection of C++ programs (cross-platform) for assessing properties such as the SAC and NL, among others.
Table 13 presents an analysis of the selected toolkits, showing both the sizes of S-boxes they support (column 2) and which properties, discussed in this article, they can evaluate (remaining columns). It can be observed that PEIGEN and ABS only accept S-boxes where n = m (with PEIGEN being exclusive to permutation S-boxes), whereas SageMath and DLS can evaluate S-boxes where n = m and n ≠ m. This distinction is important, as some toolkits are limited in their ability to assess the security of different types of S-boxes.
The main objective of this analysis is to demonstrate that these toolkits address different perspectives of S-box evaluation and that, when combined, they cover a broader range of cryptographic criteria. In addition, the reader should keep in mind that although these implementations support many S-box properties, they do not yet include more recent or advanced criteria such as GAI, Dr2, c-differential uniformity [80], c-boomerang uniformity [81], and Feistel boomerang extended uniformity [28], among others. Therefore, the development and extension of existing toolkits remain essential to support the evaluation of S-boxes against new and more sophisticated attacks.

Evaluation of Different S-Boxes

This subsection presents the assessment of various S-boxes using the toolkits reviewed in this section and the cryptographic properties discussed throughout this article. Table 14 shows the evaluation of widely studied S-boxes, including those from AES, DES ($S_1$), TWINE, SERPENT ($S_0$), RECTANGLE, PRESENT, and SAND, as well as others proposed by Tong et al. [22] and Li et al. [20], which are often regarded as highly secure S-boxes.
The main purpose of this table is to demonstrate the functionality of the toolkits in evaluating different S-boxes. Direct comparison between these S-boxes is not meaningful, as they are used in different contexts and their security levels vary due to structural differences, such as size and type of function. Columns two to four show that, collectively, these toolkits can evaluate both bijective and non-bijective S-boxes of various sizes, provided the output of the component is static. The remaining columns report the values of specific properties for each S-box. Each cell in these columns presents either a value (indicating the security level with respect to the corresponding property) or a special mark. For example, ✓ or ✗ marks indicate whether the S-box is balanced. The “n/a” mark represents that a property is not applicable due to the cipher’s structure. For instance, the BU property is only applicable to S-boxes whose cipher uses the inverse of the component. Lastly, the “—” mark denotes that none of the toolkits can evaluate the property. For example, no toolkit can compute the SAC value for DES $S_1$ or SAND, since the input and output sizes differ (n ≠ m).

8. Open Research Challenges

This section outlines several open challenges in the design of S-boxes. Although S-boxes have been extensively studied, fundamental questions remain unanswered: What is the optimal S-box when n = m = 8? How can new tools be developed to evaluate emerging S-box properties? Which S-box designs offer the highest security in contexts such as lightweight cryptography?
These questions highlight gaps related to three core aspects: construction, evaluation, and conflicts among properties (as introduced in Section 1). Accordingly, the open challenges presented here are organized as follows: the first three relate to construction, while the fourth concerns evaluation, and the fifth addresses trade-offs that affect robustness.
1. Analysis of Boolean functions for S-box construction: Identifying and analyzing suitable Boolean functions remains an ongoing challenge in the development of stronger S-box designs. This open problem is related to the algebraic construction discussed in Section 4, which notes that the inverse function achieves optimal results for certain S-box sizes. However, the uncertainty about its optimality when n = 8, combined with its known vulnerability to algebraic attacks, highlights the need to investigate alternative functions. For example, several functions from finite field theory, such as the Gold and Bracken-Leander functions, are actively studied as potential candidates that may offer improved resistance and better cryptographic properties [27,29,82,83,84].
2. S-boxes for enhanced cryptanalytic attacks: As mentioned in Section 5.2, cryptographic attacks continue to evolve, such as BAs, extensions of DAs, or modifications of AAs through transformations of the S-box. Consequently, designing S-boxes that remain secure against these advanced threats is an ongoing and essential research challenge. This is evident in several studies that, using newly proposed S-box properties, have revealed vulnerabilities in existing implementations [15,22,25,77].
3. S-box evaluation for cryptographic attacks: While classical DAs, LAs, and AAs are well-studied, evaluating S-box security against attacks such as higher-order differential [85] and integral [86] is difficult due to the lack of established analytical design methodologies [38,87]. Developing tools and methods to assess resistance against these advanced attacks is therefore essential for ensuring robust S-box constructions.
4. Developing a new construction approach starting from cryptographic property tables: An extension of the previous challenge concerns enhancing the security of S-boxes, as adversaries can exploit vulnerabilities by analyzing the full structure of cryptographic property tables, not merely their maximum values [88]. To address this, several studies have proposed innovative approaches that operate directly on these tables [59,89,90,91]. These methods involve populating the tables based on specific design objectives and then searching for an S-box that satisfies the resulting constraints. Although this approach has been used to construct S-boxes from different tables (such as the DDT, LAT, and BCT), the existing proposals still rely on known tables (i.e., where the S-box is already given). This limitation opens multiple lines of inquiry, including how to characterize these tables to enable the generation of new S-boxes, or how to construct S-boxes by simultaneously using two or more property tables, rather than relying on a single one.
5. Determine the security level of dynamic S-boxes: As mentioned earlier (Section 5), dynamic S-boxes are generally considered more resistant than static S-boxes. However, one of the open problems is how to accurately determine the security level of dynamic S-boxes with respect to different cryptographic properties. For example, as discussed in [55], there are methods to evaluate the security of these components against DAs and LAs. Nevertheless, it remains necessary to assess the resistance of dynamic S-boxes against more novel attacks, such as BAs.
6. Development of new evaluation toolkits: As cryptographic requirements evolve and new S-box properties are introduced, the development of evaluation toolkits remains essential for supporting the analysis of these nonlinear components. Section 7 demonstrates that, although some toolkits provide broader functionality, none currently support several recently proposed properties.
7. Design of lightweight S-boxes: Although numerous lightweight S-box designs have been proposed, identifying one that simultaneously achieves strong security and minimizes resource consumption remains a significant challenge. This difficulty arises from the need to balance multiple factors, including size, function type, area, energy efficiency, and overall performance, as discussed in Section 5.

9. Conclusions

This work arises from the need to provide a clear and accessible introduction to the fundamentals of S-box evaluation. While existing works provide valuable overviews of S-box properties and construction approaches, they are primarily oriented toward a specialist audience and place limited emphasis on design choices related to construction requirements, property conflicts, and S-box assessments. In contrast, our work aims to provide nonspecialist readers with a unified perspective that connects the motivation, construction, and evaluation of S-boxes.
This paper presents a practical guide for evaluating the security of S-boxes by addressing three research questions: how the structure and construction of the S-box affect the cipher’s resilience, how the evaluation of these nonlinear components determines their security levels, and which conflicts influence the robustness of the S-box. Regarding the first question, algebraic approaches for generating larger S-boxes provide the highest known levels of security; however, such S-boxes remain vulnerable to algebraic attacks. Concerning the second question, the core of this paper, a tutorial that explains how to determine the security level of this component is introduced. It also showed how these S-boxes contribute to achieving the principles of confusion and diffusion through illustrative examples. For the third question, this paper presented an analysis of the conflicts and trade-offs among S-box properties while taking into account factors such as implementation costs and performance, as well as how these factors influence S-box robustness. In addition, this paper reviewed the PEIGEN, SageMath, DLS, and ABS toolkits, showing that they collectively cover a broad range of cryptographic properties by addressing different perspectives of S-box evaluation.
Finally, several open research challenges were discussed, including the design of new S-boxes to withstand increasingly sophisticated cryptographic attacks, support lightweight applications, or offer alternatives that outperform those created through algebraic approaches. Addressing these challenges may help answer open questions, such as what is the optimal S-box when n = m = 8.

Author Contributions

D.C.V. and L.M.X.R.-H. conceived the idea. D.C.V., L.M.X.R.-H. and S.E.P.H. designed the research. D.C.V. and L.M.X.R.-H. conducted the investigation. All authors analyzed the concepts and examples and contributed to the writing of the manuscript. All authors have read and agreed to the published version of the manuscript.

Funding

This work was partially supported by the Secretaría de Ciencia, Humanidades, Tecnología e Innovación (SECIHTI) through a scholarship awarded to the corresponding author (CVU: 1008806).

Data Availability Statement

No new data were created in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
S-box, S: Substitution box
n: Input size of the S-box
m: Output size of the S-box
$\mathbb{F}_2$: Finite field with two elements
$\mathbb{F}_2^n$: An n-dimensional vector space over $\mathbb{F}_2$
X: A set of input bits
Y: A set of output bits
C, D: Cipher; Inverse of the cipher (Decipher)
$n_s$: Number of sets
$sk$: Secret key
$l_{sk}$: Length of the secret key
LUT: Look up table
k: Key mask
DU: Differential uniformity
SPN: Substitution Permutation Networks
M: Plaintext
E: Ciphertext
μ: The length in bits of a message M
DAs: Differential attacks
DDT: Distribution Differential Table
#: Number of pairs that meet a condition
MDP: Maximum differential probability
B: Balance
LAT: Linear Approximation Table
ϵ: Bias of the LAT
W: Walsh-Hadamard transform
|x|: Absolute value of x
NL: Nonlinearity
L: Linearity
LAP: Linear Approximation Probability
BAs: Boomerang attacks
C: Cipher
BCT: Boomerang Connectivity Table
FBCT: Feistel Boomerang Connectivity Table
BU: Boomerang Uniformity
FBU: Feistel Boomerang Uniformity
PBSR: Probability of the boomerang switch over a round
AAs: Algebraic attacks
ANF: Algebraic Normal Form
AD: Algebraic degree
HW: Hamming Weight
AI: Algebraic immunity
GAI: Graph algebraic immunity
Dr2: Degree Rank 2
$B_{1,2}$: The difference between $M_1$ and $M_2$ at a certain step

Appendix A. The Design of the AES S-Box

As previously mentioned, the AES S-box is based on the algebraic approach using the inverse function $X^{-1}$. The designers of AES chose this function because Nyberg demonstrated that it can achieve high levels of security against differential and linear attacks [42]. After that, they applied an affine transformation to enhance the resistance of the S-box to algebraic attacks. Finally, they introduced a constant to ensure that the input and output of the S-box are not the same or directly related. In other words, the constant is applied so that the S-box has no fixed points and no opposite fixed points [41]. The 8 × 8 S-box of AES can then be represented as follows:
$$S(X) = (x^6 + x^5 + x + 1) + \left(X^{-1} \bmod x^8 + x^4 + x^3 + x + 1\right) \cdot (x^7 + x^6 + x^5 + x^4 + 1) \bmod (x^8 + 1),$$
where X comprises the eight input bits, $x^8 + x^4 + x^3 + x + 1$ is the irreducible polynomial, $(x^7 + x^6 + x^5 + x^4 + 1) \bmod (x^8 + 1)$ is the affine transformation, and $x^6 + x^5 + x + 1$ is the constant.
It is important to mention that there are functions other than the inverse such as the Gold [92] or Bracken–Leander functions [93].
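Added example (not code from the paper or from any of the four toolkits): the first option named in Section 7, computing the properties yourself, applied to the PRESENT S-box and to an AES S-box rebuilt from the inverse function as described in this appendix. It assumes the FIPS 197 byte encoding for the affine step, and every function name is the example's own; running both sizes also shows the MDP gap between n = 4 and n = 8 from conflict (e).

```python
# Added example: S-box properties computed directly from lookup tables.
# PRESENT 4x4 S-box from its public specification: S(0), S(1), ..., S(15).
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def gf256_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf256_inv(a):
    """X^-1 computed as X^254 by square-and-multiply; 0 maps to 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf256_mul(result, base)
        base = gf256_mul(base, base)
        exp >>= 1
    return result

def build_aes_sbox():
    """Field inverse, affine map, constant 0x63 (FIPS 197 bit order, assumed)."""
    table = []
    for x in range(256):
        y = gf256_inv(x)
        z = y
        for k in range(1, 5):  # XOR y with its left-rotations by 1..4 bits
            z ^= ((y << k) | (y >> (8 - k))) & 0xFF
        table.append(z ^ 0x63)
    return table

def differential_uniformity(sbox):
    """DU: largest DDT entry over nonzero input differences."""
    best = 0
    for a in range(1, len(sbox)):
        row = {}
        for x in range(len(sbox)):
            d = sbox[x] ^ sbox[x ^ a]
            row[d] = row.get(d, 0) + 1
        best = max(best, max(row.values()))
    return best

def linearity(sbox, m):
    """L: largest |Walsh coefficient| over input masks and nonzero output masks."""
    size, worst = len(sbox), 0
    for b in range(1, 1 << m):
        w = [1 - 2 * (bin(b & y).count("1") & 1) for y in sbox]
        h = 1
        while h < size:  # in-place fast Walsh-Hadamard transform
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        worst = max(worst, max(abs(v) for v in w))
    return worst

def boomerang_uniformity(sbox):
    """BU of a permutation: largest BCT entry with both differences nonzero."""
    size = len(sbox)
    inv = [0] * size
    for x, y in enumerate(sbox):
        inv[y] = x
    best = 0
    for a in range(1, size):
        for b in range(1, size):
            hits = sum(1 for x in range(size)
                       if inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b] == a)
            best = max(best, hits)
    return best

def evaluate(sbox, n, m, with_bu=False):
    """Return the structural and classical properties of an n x m S-box."""
    if len(sbox) != 1 << n or any(not 0 <= y < 1 << m for y in sbox):
        raise ValueError("table does not describe an n x m S-box")
    du, lin = differential_uniformity(sbox), linearity(sbox, m)
    report = {
        "bijective": n == m and len(set(sbox)) == len(sbox),
        "balanced": n >= m and all(sbox.count(y) == 1 << (n - m)
                                   for y in range(1 << m)),
        "DU": du, "MDP": du / (1 << n),
        "L": lin, "NL": (1 << (n - 1)) - lin // 2,
    }
    if with_bu and report["bijective"]:  # cubic in 2^n, so optional
        report["BU"] = boomerang_uniformity(sbox)
    return report

if __name__ == "__main__":
    print("PRESENT:", evaluate(PRESENT, 4, 4, with_bu=True))
    print("AES:    ", evaluate(build_aes_sbox(), 8, 8))
```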

Appendix B. Comparison Between the LAT of PEIGEN and the LAT of SageMath

Equation (13) defines the LAT of an S-box S in PEIGEN, whereas the LAT of an S-box S in SageMath (by default) is defined as $2^m \cdot \epsilon(a, b)$. If n = m, then these tables are related by (14). Note that in SageMath, the bias of a linear approximation is defined as
ϵ ( a , b ) = L A T S ( a , b ) 2 n 1 2

References

  1. Shannon, C.E. Communication theory of secrecy systems. Bell Syst. Tech. J. 1949, 28, 656–715.
  2. Biham, E.; Shamir, A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 1991, 4, 3–72.
  3. Matsui, M. Linear Cryptanalysis Method for DES Cipher. In Advances in Cryptology—EUROCRYPT ’93, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; Helleseth, T., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 386–397.
  4. Wagner, D. The Boomerang Attack. In Fast Software Encryption, Proceedings of the 6th International Workshop, FSE’99, Rome, Italy, 24–26 March 1999; Knudsen, L., Ed.; Springer: Berlin/Heidelberg, Germany, 1999; pp. 156–170.
  5. Courtois, N.T.; Pieprzyk, J. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In Advances in Cryptology—ASIACRYPT 2002, Proceedings of the 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, 1–5 December 2002; Zheng, Y., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 267–287.
  6. Sorkin, A. Lucifer, A Cryptographic Algorithm. Cryptologia 1984, 8, 22–42.
  7. National Bureau of Standards. Data Encryption Standard (DES); Federal Information Processing Standards Publication 46; U.S. Department of Commerce: Washington, DC, USA, 1977.
  8. Biham, E.; Shamir, A. Differential Cryptanalysis of the Data Encryption Standard, 1st ed.; Springer: New York, NY, USA, 1993; p. 188.
  9. Suzaki, T.; Minematsu, K.; Morioka, S.; Kobayashi, E. TWINE: A Lightweight Block Cipher for Multiple Platforms. In Selected Areas in Cryptography, Proceedings of the 19th International Conference, SAC 2012, Windsor, ON, Canada, 15–16 August 2012; Knudsen, L.R., Wu, H., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; pp. 339–354.
  10. Biham, E.; Anderson, R.; Knudsen, L. Serpent: A New Block Cipher Proposal. In Fast Software Encryption, Proceedings of the 5th International Workshop, FSE ’98, Paris, France, 23–25 March 1998; Vaudenay, S., Ed.; Springer: Berlin/Heidelberg, Germany, 1998; pp. 222–238.
  11. Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.B.; Seurin, Y.; Vikkelsoe, C. PRESENT: An Ultra-Lightweight Block Cipher. In Cryptographic Hardware and Embedded Systems—CHES 2007, Proceedings of the 9th International Workshop, Vienna, Austria, 10–13 September 2007; Paillier, P., Verbauwhede, I., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 450–466.
  12. Zhang, W.; Bao, Z.; Lin, D.; Rijmen, V.; Yang, B.; Verbauwhede, I. RECTANGLE: A bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 2015, 58, 1–15.
  13. Chen, S.; Fan, Y.; Sun, L.; Fu, Y.; Zhou, H.; Li, Y.; Wang, M.; Wang, W.; Guo, C. SAND: An AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations. Des. Codes Cryptogr. 2022, 90, 155–198.
  14. Kim, S.; Hong, D.; Sung, J.; Hong, S. Classification of 4-bit S-Boxes for BOGI Permutation. IEEE Access 2020, 8, 210935–210949.
  15. Leander, G.; Poschmann, A. On the Classification of 4 Bit S-Boxes. In Arithmetic of Finite Fields, Proceedings of the First International Workshop, WAIFI 2007, Madrid, Spain, 21–22 June 2007; Carlet, C., Sunar, B., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 159–176.
  16. Meier, W.; Staffelbach, O. Nonlinearity Criteria for Cryptographic Functions. In Advances in Cryptology—EUROCRYPT ’89, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Houthalen, Belgium, 10–13 April 1989; Quisquater, J.J., Vandewalle, J., Eds.; Springer: Berlin/Heidelberg, Germany, 1990; pp. 549–562.
  17. Rashidi, B. Compact and efficient structure of 8-bit S-box for lightweight cryptography. Integration 2021, 76, 172–182.
  18. Rana, M.; Mamun, Q.; Islam, R. An S-box Design Using Irreducible Polynomial with Affine Transformation for Lightweight Cipher. In Quality, Reliability, Security and Robustness in Heterogeneous Systems, Proceedings of the 17th EAI International Conference, QShine 2021, Virtual Event, 29–30 November 2021; Yuan, X., Bao, W., Yi, X., Tran, N.H., Eds.; Springer: Cham, Switzerland, 2021; pp. 214–227.
  19. Thakor, V.A.; Razzaque, M.A.; Darji, A.D.; Patel, A.R. A novel 5-bit S-box design for lightweight cryptography algorithms. J. Inf. Secur. Appl. 2023, 73, 103444.
  20. Li, L.; Liu, J.; Guo, Y.; Liu, B. A new S-box construction method meeting strict avalanche criterion. J. Inf. Secur. Appl. 2022, 66, 103135.
  21. Jeon, Y.; Baek, S.; Kim, H.; Kim, G.; Kim, J. Differential uniformity and linearity of S-boxes by multiplicative complexity. Cryptogr. Commun. 2022, 14, 849–874.
  22. Tong, Y.; Xu, S.; Huang, J.; Wang, B.; Ren, Z. A new analysis of small S-boxes based on a new notion of algebraic immunity. J. Inf. Secur. Appl. 2023, 77, 103574.
  23. Cid, C.; Huang, T.; Peyrin, T.; Sasaki, Y.; Song, L. Boomerang Connectivity Table: A New Cryptanalysis Tool. In Advances in Cryptology—EUROCRYPT 2018, Proceedings of the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, 29 April–3 May 2018; Nielsen, J.B., Rijmen, V., Eds.; Springer: Cham, Switzerland, 2018; pp. 683–714.
  24. Boukerrou, H.; Huynh, P.; Lallemand, V.; Mandal, B.; Minier, M. On the Feistel Counterpart of the Boomerang Connectivity Table. IACR Trans. Symmetric Cryptol. 2020, 2020, 331–362.
  25. Zhang, W.; Bao, Z.; Rijmen, V.; Liu, M. A New Classification of 4-bit Optimal S-boxes and Its Application to PRESENT, RECTANGLE and SPONGENT. In Fast Software Encryption, Proceedings of the 22nd International Workshop, FSE 2015, Istanbul, Turkey, 8–11 March 2015; Leander, G., Ed.; Springer: Berlin/Heidelberg, Germany, 2015; pp. 494–515.
  26. Chabaud, F.; Vaudenay, S. Links between differential and linear cryptanalysis. In Advances in Cryptology—EUROCRYPT’94, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, 9–12 May 1994; De Santis, A., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; pp. 356–365.
  27. Eddahmani, S.; Mesnager, S. Explicit values of the DDT, the BCT, the FBCT, and the FBDT of the inverse, the gold, and the Bracken-Leander S-boxes. Cryptogr. Commun. 2022, 14, 1301–1344.
  28. Man, Y.; Mesnager, S.; Li, N.; Zeng, X.; Tang, X. In-depth analysis of S-boxes over binary finite fields concerning their differential and Feistel boomerang differential uniformities. Discret. Math. 2024, 347, 114185.
  29. Hu, Z.; Li, N.; Xu, L.; Zeng, X.; Tang, X. The differential spectrum and boomerang spectrum of a class of locally-APN functions. Des. Codes Cryptogr. 2023, 91, 1695–1711.
  30. Boura, C. S-boxes. In Symmetric Cryptography 1: Design and Security Proofs; Boura, C., Naya-Plasencia, M., Eds.; John Wiley & Sons, Ltd.: Hoboken, NJ, USA, 2024; Chapter 8; pp. 111–121.
  31. Easttom, C. (Ed.) s-box Design. In Modern Cryptography: Applied Mathematics and Implementation; Springer International Publishing: Cham, Switzerland, 2022; Chapter 8; pp. 193–212.
  32. Bao, Z.; Guo, J.; Ling, S.; Sasaki, Y. PEIGEN—A Platform for Evaluation, Implementation, and Generation of S-boxes. IACR Trans. Symmetric Cryptol. 2019, 2019, 330–394.
  33. Waheed, A.; Subhan, F.; Suud, M.M.; Alam, M.; Ahmad, S. An analytical review of current S-box design methodologies, performance evaluation criteria, and major challenges. Multimed. Tools Appl. 2023, 82, 29689–29712.
  34. Canteaut, A. Lecture Notes on Cryptographic Boolean Functions. 2016. Available online: https://www.rocq.inria.fr/secret/Anne.Canteaut/poly.pdf (accessed on 10 October 2025).
  35. Perrin, L.P. Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms. Ph.D. Thesis, University of Luxembourg, Luxembourg, 25 April 2017.
  36. Pehlivanoğlu, M.K.; Akleylek, S.; Sakallı, M.T.; Duru, N. On the design strategies of diffusion layers and key schedule in lightweight block ciphers. In Proceedings of the 2017 International Conference on Computer Science and Engineering (UBMK), Antalya, Turkey, 5–8 October 2017; pp. 456–461.
  37. Piret, G.; Roche, T.; Carlet, C. PICARO—A Block Cipher Allowing Efficient Higher-Order Side-Channel Resistance. In Applied Cryptography and Network Security, Proceedings of the 10th International Conference, ACNS 2012, Singapore, 26–29 June 2012; Bao, F., Samarati, P., Zhou, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 311–328.
  38. Lim, J.; Ng, D.; Ng, R. SoK: Security Evaluation of SBox-Based Block Ciphers. Cryptology ePrint Archive, Paper 2022/1098. 2022. Available online: https://eprint.iacr.org/2022/1098 (accessed on 26 November 2025).
  39. de Canniere, C.; Biryukov, A.; Preneel, B. An introduction to Block Cipher Cryptanalysis. Proc. IEEE 2006, 94, 346–356.
  40. Stamp, M.; Low, R.M. Block Ciphers. In Applied Cryptanalysis: Breaking Ciphers in the Real World; John Wiley & Sons, Ltd.: Hoboken, NJ, USA, 2007; Chapter 4; pp. 127–191.
  41. Daemen, J.; Rijmen, V. The Design of Rijndael; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2.
  42. Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology—EUROCRYPT ’93, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; Helleseth, T., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 55–64.
  43. Wu, H.; Preneel, B. AEGIS: A Fast Authenticated Encryption Algorithm. In Selected Areas in Cryptography—SAC 2013, Proceedings of the 20th International Conference, Burnaby, BC, Canada, 14–16 August 2013; Lange, T., Lauter, K., Lisoněk, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; pp. 185–201.
  44. Shirai, T.; Shibutani, K.; Akishita, T.; Moriai, S.; Iwata, T. The 128-bit blockcipher CLEFIA. In Proceedings of the 14th International Conference on Fast Software Encryption, Luxembourg, 26–28 March 2007; FSE’07; Springer: Berlin/Heidelberg, Germany, 2007; pp. 181–195.
  45. Rijmen, V.; Daemen, J.; Preneel, B.; Bosselaers, A.; De Win, E. The cipher SHARK. In Fast Software Encryption, Proceedings of the Third International Workshop, Cambridge, UK, 21–23 February 1996; Gollmann, D., Ed.; Springer: Berlin/Heidelberg, Germany, 1996; pp. 99–111.
  46. Özkaynak, F. Construction of robust substitution boxes based on chaotic systems. Neural Comput. Appl. 2019, 31, 3317–3326.
  47. Behera, P.K.; Gangopadhyay, S. Evolving bijective S-Boxes using hybrid adaptive genetic algorithm with optimal cryptographic properties. J. Ambient. Intell. Humaniz. Comput. 2023, 14, 1713–1730.
  48. Mariot, L.; Picek, S.; Leporati, A.; Jakobovic, D. Cellular automata based S-boxes. Cryptogr. Commun. 2019, 11, 41–62.
  49. Durasevic, M.; Jakobovic, D.; Mariot, L.; Mesnager, S.; Picek, S. On the Evolution of Boomerang Uniformity in Cryptographic S-boxes. In Applications of Evolutionary Computation, Proceedings of the 26th European Conference, EvoApplications 2023, Held as Part of EvoStar 2023, Brno, Czech Republic, 12–14 April 2023; Correia, J., Smith, S., Qaddoura, R., Eds.; Springer: Cham, Switzerland, 2023; pp. 237–252.
  50. Djurasevic, M.; Jakobovic, D.; Picek, S. One property to rule them all?: On the limits of trade-offs for S-boxes. In Proceedings of the 2020 Genetic and Evolutionary Computation Conference, Cancún, Mexico, 8–12 July 2020; GECCO ’20; Association for Computing Machinery: New York, NY, USA, 2020; pp. 1064–1072.
  51. Isa, H.; Jamil, N.; Z’aba, M.R. S-box construction from non-permutation power functions. In Proceedings of the 6th International Conference on Security of Information and Networks, Aksaray, Turkey, 26–28 November 2013; SIN ’13; Association for Computing Machinery: New York, NY, USA, 2013; pp. 46–53.
  52. Hatzivasilis, G.; Fysarakis, K.; Papaefstathiou, I.; Manifavas, C. A review of lightweight block ciphers. J. Cryptogr. Eng. 2018, 8, 141–184.
  53. Wu, C.K.; Feng, D. Boolean Functions and Their Applications in Cryptography; Springer: Berlin/Heidelberg, Germany, 2016.
  54. Feng, J.; Li, L. SCENERY: A lightweight block cipher based on Feistel structure. Front. Comput. Sci. 2021, 16, 163813.
  55. Yan, L.; Li, L.; Guo, Y. DBST: A lightweight block cipher based on dynamic S-box. Front. Comput. Sci. 2022, 17, 173805.
  56. Dhanalakshmi, K.S.; Padmavathi, R.A. A Survey on VLSI Implementation of AES Algorithm with Dynamic S-Box. J. Appl. Secur. Res. 2022, 17, 241–256.
  57. Heys, H.M. A tutorial on linear and differential cryptanalysis. Cryptologia 2002, 26, 189–221.
  58. Stinson, D.R.; Paterson, M.B. Cryptography: Theory and Practice, 4th ed.; CRC Press/Taylor & Francis Group: Boca Raton, FL, USA, 2018.
  59. Dunkelman, O.; Huang, S. Reconstructing an S-box from its Difference Distribution Table. IACR Trans. Symmetric Cryptol. 2019, 2019, 193–217.
  60. Carlet, C. Boolean Functions for Cryptography and Coding Theory; Cambridge University Press: Cambridge, UK, 2021.
  61. Youssef, A.; Tavares, S. Resistance of balanced s-boxes to linear and differential cryptanalysis. Inf. Process. Lett. 1995, 56, 249–252.
  62. Adams, C.M. On immunity against Biham and Shamir’s “differential cryptanalysis”. Inf. Process. Lett. 1992, 41, 77–80.
  63. Makarim, R.H.; Laigle-Chapuy, Y.; Albrecht, M.R. SAGE: S-Boxes and Their Algebraic Representations; The Sage Development Team: USA online, 2008; Available online: https://doc.sagemath.org/html/en/reference/cryptography/sage/crypto/sbox.html (accessed on 26 June 2025).
  64. Carlet, C. Vectorial Boolean Functions for Cryptography. In Boolean Models and Methods in Mathematics, Computer Science, and Engineering; Crama, Y., Hammer, P.L., Eds.; Encyclopedia of Mathematics and its Applications; Cambridge University Press: Cambridge, UK, 2010; Chapter 8; pp. 398–469.
  65. Nyberg, K. S-boxes and round functions with controllable linearity and differential uniformity. In Fast Software Encryption, Proceedings of the Second International Workshop, Leuven, Belgium, 14–16 December 1994; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; pp. 111–130.
  66. Pieprzyk, J.; Wang, H.; Zhang, X.M. Möbius transforms, coincident Boolean functions and non-coincidence property of Boolean functions. Int. J. Comput. Math. 2011, 88, 1398–1416.
  67. Meier, W.; Pasalic, E.; Carlet, C. Algebraic Attacks and Decomposition of Boolean Functions. In Advances in Cryptology—EUROCRYPT 2004, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Cachin, C., Camenisch, J.L., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; pp. 474–491.
  68. Armknecht, F.; Krause, M. Constructing Single- and Multi-output Boolean Functions with Maximal Algebraic Immunity. In Automata, Languages and Programming, Proceedings of the 33rd International Colloquium, ICALP 2006, Venice, Italy, 10–14 July 2006; Bugliesi, M., Preneel, B., Sassone, V., Wegener, I., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; pp. 180–191.
  69. Webster, A.F.; Tavares, S.E. On the Design of S-Boxes. In Proceedings of the Advances in Cryptology—CRYPTO ’85 Proceedings, Santa Barbara, CA, USA, 18–22 August 1985; Williams, H.C., Ed.; Springer: Berlin/Heidelberg, Germany, 1986; pp. 523–534.
  70. Cheng, L.; Zhang, W.; Xiang, Z. A New Cryptographic Analysis of 4-bit S-Boxes. In Information Security and Cryptology, Proceedings of the 11th International Conference, Inscrypt 2015, Beijing, China, 1–3 November 2015; Lin, D., Wang, X., Yung, M., Eds.; Springer: Cham, Switzerland, 2016; pp. 144–164.
  71. Nyberg, K. Perfect nonlinear S-boxes. In Advances in Cryptology—EUROCRYPT ’91, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Brighton, UK, 8–11 April 1991; Davies, D.W., Ed.; Springer: Berlin/Heidelberg, Germany, 1991; pp. 378–386.
  72. Nyberg, K.; Knudsen, L.R. Provable Security Against Differential Cryptanalysis. In Advances in Cryptology—CRYPTO’ 92, Proceedings of the 12th Annual International Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 1992; Brickell, E.F., Ed.; Springer: Berlin/Heidelberg, Germany, 1993; pp. 566–574.
  73. Browning, K.A.; Dillon, J.F.; McQuistan, M.T.; Wolfe, A.J. An APN Permutation in Dimension Six. In Finite Fields: Theory and Applications; McGuire, G., Mullen, G.L., Panario, D., Shparlinski, I.E., Eds.; American Mathematical Society: Providence, RI, USA, 2010; Volume 518 Contemporary Mathematics, pp. 33–42.
  74. Rothaus, O. On “bent” functions. J. Comb. Theory Ser. A 1976, 20, 300–305.
  75. Kumar, A.; Tejani, S. S-BOX Architecture. In Futuristic Trends in Network and Communication Technologies, Proceedings of the First International Conference, FTNCT 2018, Solan, India, 9–10 February 2018; Singh, P.K., Paprzycki, M., Bhargava, B., Chhabra, J.K., Kaushal, N.C., Kumar, Y., Eds.; Springer: Singapore, 2019; pp. 17–27.
  76. Zakaria, A.A.; Azni, A.; Ridzuan, F.; Zakaria, N.H.; Daud, M. Systematic literature review: Trend analysis on the design of lightweight block cipher. J. King Saud Univ.-Comput. Inf. Sci. 2023, 35, 101550.
  77. Ventura, D.C.; Henríquez, L.M.R.; Hernández, S.E.P. Requirements for Feistel-based Lightweight Block Cipher S-boxes to be Resilient to Boomerang Attacks. In Proceedings of the 2023 Mexican International Conference on Computer Science (ENC), Guanajuato, Guanajuato, Mexico, 11–13 September 2023; pp. 1–8.
  78. Mesnager, S.; Mandal, B.; Msahli, M. Survey on recent trends towards generalized differential and boomerang uniformities. Cryptogr. Commun. 2022, 14, 691–735.
  79. Canteaut, A.; Kölsch, L.; Li, C.; Li, C.; Li, K.; Qu, L.; Wiemer, F. Autocorrelations of Vectorial Boolean Functions. In Progress in Cryptology—LATINCRYPT 2021, Proceedings of the 7th International Conference on Cryptology and Information Security in Latin America, Bogotá, Colombia, 6–8 October 2021; Longa, P., Ràfols, C., Eds.; Springer: Cham, Switzerland, 2021; pp. 233–253.
  80. Ellingsen, P.; Felke, P.; Riera, C.; Stănică, P.; Tkachenko, A. C-Differentials, Multiplicative Uniformity, and (Almost) Perfect c-Nonlinearity. IEEE Trans. Inf. Theory 2020, 66, 5781–5789.
  81. Stănică, P. Investigations on c-boomerang uniformity and perfect nonlinearity. Discret. Appl. Math. 2021, 304, 297–314.
  82. Calderini, M.; Villa, I. On the boomerang uniformity of some permutation polynomials. Cryptogr. Commun. 2020, 12, 1161–1178.
  83. Calderini, M.; Sala, M.; Villa, I. A note on APN permutations in even dimension. Finite Fields Their Appl. 2017, 46, 1–16.
  84. Hasan, S.U.; Pal, M.; Stănică, P. The binary Gold function and its c-boomerang connectivity table. Cryptogr. Commun. 2022, 14, 1257–1280.
  85. Lai, X. Higher Order Derivatives and Differential Cryptanalysis. In Communications and Cryptography: Two Sides of One Tapestry; Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T., Eds.; Springer: Boston, MA, USA, 1994; pp. 227–233.
  86. Knudsen, L.; Wagner, D. Integral Cryptanalysis. In Fast Software Encryption, Proceedings of the 9th International Workshop, FSE 2002, Leuven, Belgium, 4–6 February 2002; Daemen, J., Rijmen, V., Eds.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 112–127.
  87. Carlet, C. A notion on S-boxes for a partial resistance to some integral attacks. Cryptol. ePrint Arch. 2024. Paper 2024/1693.
  88. Bar-On, A.; Biham, E.; Dunkelman, O.; Keller, N. Efficient Slide Attacks. J. Cryptol. 2018, 31, 641–670.
  89. Rohit, R.; Sarkar, S. Reconstructing S-Boxes from Cryptographic Tables with Milp. IACR Trans. Symmetric Cryptol. 2024, 2024, 200–237.
  90. Boura, C.; Canteaut, A.; Jean, J.; Suder, V. Two notions of differential equivalence on Sboxes. Des. Codes Cryptogr. 2019, 87, 185–202.
  91. Tian, S.; Boura, C.; Perrin, L. Boomerang uniformity of popular S-box constructions. Des. Codes Cryptogr. 2020, 88, 1959–1989.
  92. Gold, R. Maximal recursive sequences with 3-valued recursive cross-correlation functions (Corresp.). IEEE Trans. Inf. Theory 1968, 14, 154–156.
  93. Dobbertin, H. One-to-One Highly Nonlinear Power Functions on GF(2^n). Appl. Algebra Eng. Commun. Comput. 1998, 9, 139–152.
Figure 1. Classification of the S-box properties considering the shape of the S-box and the impact in the security level.
Figure 2. General workflow of a DA. (a) Two plaintexts are selected and encrypted to obtain their ciphertexts. (b) The corresponding input and output differences, Δ M and Δ E , are computed. (c) The probability P ( Δ E Δ M ) is estimated; significantly higher values than the ideal uniform distribution indicate exploitable statistical patterns.
Figure 3. General workflow of a LA. (a) A linear approximation is constructed using the plaintext M_i, ciphertext E_i, secret key sk, and linear masks a, b, and k. (b) The probability that the approximation evaluates to 0 is estimated; probabilities significantly different from 0.5 reveal nonrandom behavior and enable linear distinguishers.
Figure 4. General workflow of a BA. The cipher is conceptually divided into two subciphers to combine forward and backward differentials. (a) Plaintexts with a fixed input difference a are encrypted. (b) A second difference b is applied, and the inverse cipher is used to propagate differences backward. (c) A high probability of the event M 3 M 4 = a reveals nonrandom behavior and potential vulnerability to BAs.
Figure 5. Conceptual division of a block cipher into three parts for BAs. The cipher is decomposed into C_0, C_m, and C_1 to study the interaction of forward and backward differentials. The middle part C_m, corresponding to the S-box layer, plays a central role in determining the boomerang switch probability, which is evaluated using BCT or FBCT.
Figure 6. General form of AAs. (a) The adversary describes the cipher using a system of equations. (b) The adversary attempts to solve this system to extract the secret key.
Figure 7. Limited diffusion of the S-box in one round. Two 16-bit messages (M_1, M_2) differing in one bit are processed through four parallel TWINE S-boxes. Only the last four bits change, showing that the S-box alone provides limited diffusion.
Figure 8. Propagation of input differences through the cipher. Visualization of how a one-bit input difference evolves through the S-box and bit permutation layers, showing that most S-boxes remain inactive and diffusion depends mainly on the S-box.
Figure 9. Enhanced diffusion using the Serpent S-box. Same attack scenario as in Figure 8, but with the Serpent S_0 S-box, showing greater propagation of differences and activation of more S-boxes across rounds.
Figure 10. Illustration of conflicts and trade-offs between cryptographic properties of S-boxes and implementation considerations such as cost and performance.
Table 2. Advantages and disadvantages of algebraic, heuristic, and random construction approaches.

| Approach | Main Purpose | Advantages | Disadvantages |
|---|---|---|---|
| Algebraic | Security | 1. Optimal values regardless of size; 2. Produce the best S-boxes | 1. Vulnerability to algebraic attacks; 2. Produce different S-boxes |
| Heuristic | Security | 1. Produce different S-boxes; 2. Consider multiple properties | 1. S-boxes are less secure than algebraic approach |
| Random Searching | Searching | 1. Simplest approach; 2. High randomness | 1. S-boxes are less secure than algebraic approach |
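Table 3. LUT of the TWINE S-box.

| X | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| S(X) | C | 0 | F | A | 2 | B | 9 | 5 | 8 | 3 | D | 7 | 1 | E | 6 | 4 |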
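Table 4. DDT of the TWINE S-box.

| DDT | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 0 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 2 | 2 | 2 | 4 | 0 | 0 | 2 |
| 2 | 0 | 0 | 0 | 2 | 2 | 2 | 0 | 2 | 0 | 0 | 4 | 2 | 0 | 0 | 2 | 0 |
| 3 | 0 | 0 | 2 | 0 | 0 | 2 | 2 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 2 | 4 |
| 4 | 0 | 0 | 0 | 2 | 0 | 0 | 2 | 0 | 0 | 2 | 0 | 4 | 0 | 2 | 2 | 2 |
| 5 | 0 | 2 | 4 | 2 | 0 | 0 | 2 | 2 | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 0 |
| 6 | 0 | 2 | 0 | 0 | 0 | 4 | 0 | 2 | 0 | 2 | 0 | 0 | 2 | 2 | 2 | 0 |
| 7 | 0 | 0 | 0 | 2 | 2 | 2 | 2 | 0 | 2 | 4 | 0 | 0 | 2 | 0 | 0 | 0 |
| 8 | 0 | 2 | 2 | 4 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
| 9 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 2 | 4 | 0 | 2 | 0 | 2 | 2 | 0 | 2 |
| A | 0 | 2 | 0 | 0 | 2 | 0 | 0 | 4 | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 2 |
| B | 0 | 0 | 2 | 0 | 2 | 0 | 2 | 2 | 0 | 0 | 0 | 2 | 2 | 4 | 0 | 0 |
| C | 0 | 0 | 2 | 0 | 2 | 0 | 0 | 0 | 2 | 2 | 2 | 0 | 0 | 2 | 4 | 0 |
| D | 0 | 4 | 2 | 2 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 2 | 2 | 0 | 2 | 0 |
| E | 0 | 2 | 0 | 0 | 4 | 0 | 2 | 0 | 0 | 0 | 2 | 0 | 2 | 0 | 2 | 2 |
| F | 0 | 2 | 0 | 0 | 0 | 2 | 4 | 0 | 2 | 0 | 2 | 2 | 0 | 2 | 0 | 0 |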
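Table 5. LAT of the TWINE S-box using PEIGEN.

| LAT | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 0 | 4 | 4 | 0 | 0 | 4 | 4 | 4 | 4 | 8 | 8 | 4 | 4 | 0 | 0 |
| 2 | 0 | 4 | 0 | 4 | 8 | 4 | 0 | 4 | 0 | 4 | 0 | 4 | 8 | 4 | 0 | 4 |
| 3 | 0 | 4 | 4 | 0 | 0 | 4 | 4 | 8 | 4 | 8 | 0 | 4 | 4 | 0 | 0 | 4 |
| 4 | 0 | 0 | 0 | 8 | 0 | 8 | 0 | 0 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 |
| 5 | 0 | 0 | 4 | 4 | 8 | 0 | 4 | 4 | 8 | 0 | 4 | 4 | 0 | 0 | 4 | 4 |
| 6 | 0 | 4 | 8 | 4 | 0 | 4 | 0 | 4 | 4 | 0 | 4 | 0 | 4 | 0 | 4 | 8 |
| 7 | 0 | 4 | 4 | 0 | 0 | 4 | 4 | 0 | 8 | 4 | 4 | 0 | 8 | 4 | 4 | 0 |
| 8 | 0 | 0 | 0 | 0 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 0 | 8 | 0 | 8 |
| 9 | 0 | 0 | 4 | 4 | 4 | 4 | 0 | 8 | 0 | 0 | 4 | 4 | 4 | 4 | 8 | 0 |
| A | 0 | 4 | 0 | 4 | 4 | 0 | 4 | 0 | 4 | 8 | 4 | 0 | 0 | 4 | 8 | 4 |
| B | 0 | 4 | 4 | 8 | 4 | 0 | 8 | 4 | 0 | 4 | 4 | 0 | 4 | 0 | 0 | 4 |
| C | 0 | 8 | 0 | 0 | 4 | 4 | 4 | 4 | 0 | 0 | 8 | 0 | 4 | 4 | 4 | 4 |
| D | 0 | 8 | 4 | 4 | 4 | 4 | 0 | 0 | 4 | 4 | 0 | 8 | 0 | 0 | 4 | 4 |
| E | 0 | 4 | 8 | 4 | 4 | 0 | 4 | 0 | 0 | 4 | 0 | 4 | 4 | 8 | 4 | 0 |
| F | 0 | 4 | 4 | 0 | 4 | 8 | 8 | 4 | 4 | 0 | 0 | 4 | 0 | 4 | 4 | 0 |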
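Table 6. LAT of the TWINE S-box using SageMath.

| LAT | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 8 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 0 | 2 | −2 | 0 | 0 | 2 | −2 | −2 | 2 | −4 | −4 | 2 | −2 | 0 | 0 |
| 2 | 0 | 2 | 0 | 2 | 4 | −2 | 0 | 2 | 0 | −2 | 0 | −2 | 4 | 2 | 0 | −2 |
| 3 | 0 | 2 | 2 | 0 | 0 | 2 | −2 | −4 | 2 | −4 | 0 | −2 | −2 | 0 | 0 | −2 |
| 4 | 0 | 0 | 0 | 4 | 0 | 4 | 0 | 0 | −2 | −2 | −2 | 2 | 2 | −2 | 2 | 2 |
| 5 | 0 | 0 | 2 | 2 | −4 | 0 | −2 | 2 | −4 | 0 | 2 | −2 | 0 | 0 | −2 | −2 |
| 6 | 0 | 2 | 4 | 2 | 0 | −2 | 0 | 2 | 2 | 0 | −2 | 0 | −2 | 0 | −2 | 4 |
| 7 | 0 | 2 | −2 | 0 | 0 | −2 | 2 | 0 | −4 | −2 | −2 | 0 | −4 | 2 | 2 | 0 |
| 8 | 0 | 0 | 0 | 0 | 2 | 2 | −2 | −2 | −2 | 2 | 2 | −2 | 0 | 4 | 0 | 4 |
| 9 | 0 | 0 | −2 | 2 | −2 | −2 | 0 | −4 | 0 | 0 | −2 | 2 | 2 | 2 | −4 | 0 |
| A | 0 | 2 | 0 | 2 | −2 | 0 | −2 | 0 | 2 | 4 | −2 | 0 | 0 | 2 | 4 | −2 |
| B | 0 | 2 | −2 | −4 | −2 | 0 | −4 | 2 | 0 | −2 | −2 | 0 | 2 | 0 | 0 | 2 |
| C | 0 | 4 | 0 | 0 | −2 | −2 | 2 | −2 | 0 | 0 | 4 | 0 | 2 | −2 | 2 | 2 |
| D | 0 | −4 | −2 | 2 | −2 | −2 | 0 | 0 | 2 | −2 | 0 | −4 | 0 | 0 | 2 | 2 |
| E | 0 | −2 | 4 | −2 | −2 | 0 | 2 | 0 | 0 | −2 | 0 | 2 | 2 | 4 | 2 | 0 |
| F | 0 | −2 | 2 | 0 | 2 | −4 | −4 | −2 | −2 | 0 | 0 | 2 | 0 | −2 | 2 | 0 |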
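Table 7. BCT of TWINE S-box.

| BCT | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 |
| 1 | 16 | 0 | 2 | 0 | 0 | 6 | 0 | 0 | 0 | 6 | 2 | 2 | 4 | 0 | 0 | 2 |
| 2 | 16 | 0 | 0 | 2 | 6 | 2 | 0 | 2 | 0 | 0 | 4 | 2 | 0 | 0 | 6 | 0 |
| 3 | 16 | 0 | 2 | 0 | 0 | 2 | 2 | 6 | 6 | 0 | 0 | 0 | 0 | 0 | 2 | 4 |
| 4 | 16 | 0 | 0 | 2 | 0 | 0 | 6 | 0 | 0 | 2 | 0 | 4 | 0 | 6 | 2 | 2 |
| 5 | 16 | 6 | 4 | 6 | 0 | 0 | 2 | 2 | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 0 |
| 6 | 16 | 2 | 0 | 0 | 0 | 4 | 0 | 2 | 0 | 6 | 0 | 0 | 6 | 2 | 2 | 0 |
| 7 | 16 | 0 | 0 | 2 | 2 | 6 | 2 | 0 | 2 | 4 | 0 | 0 | 6 | 0 | 0 | 0 |
| 8 | 16 | 6 | 6 | 4 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
| 9 | 16 | 0 | 0 | 2 | 0 | 0 | 0 | 6 | 4 | 0 | 2 | 0 | 2 | 2 | 0 | 6 |
| A | 16 | 2 | 0 | 0 | 2 | 0 | 0 | 4 | 6 | 2 | 0 | 2 | 0 | 0 | 0 | 6 |
| B | 16 | 0 | 2 | 0 | 2 | 0 | 6 | 2 | 0 | 0 | 0 | 6 | 2 | 4 | 0 | 0 |
| C | 16 | 0 | 2 | 0 | 6 | 0 | 0 | 0 | 2 | 2 | 6 | 0 | 0 | 2 | 4 | 0 |
| D | 16 | 4 | 6 | 6 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 2 | 2 | 0 | 2 | 0 |
| E | 16 | 2 | 0 | 0 | 4 | 0 | 2 | 0 | 0 | 0 | 6 | 0 | 2 | 0 | 6 | 2 |
| F | 16 | 2 | 0 | 0 | 0 | 2 | 4 | 0 | 2 | 0 | 2 | 6 | 0 | 6 | 0 | 0 |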
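Table 8. FBCT of TWINE S-box.

| FBCT | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 |
| 1 | 16 | 16 | 0 | 0 | 0 | 0 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | 16 | 0 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 4 | 0 |
| 3 | 16 | 0 | 0 | 16 | 0 | 0 | 0 | 0 | 0 | 4 | 4 | 0 | 0 | 0 | 0 | 0 |
| 4 | 16 | 0 | 0 | 0 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 4 |
| 5 | 16 | 0 | 0 | 0 | 0 | 16 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 4 | 0 | 0 |
| 6 | 16 | 4 | 0 | 0 | 0 | 0 | 16 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 7 | 16 | 4 | 0 | 0 | 0 | 0 | 4 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 8 | 16 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 16 | 0 | 0 | 0 | 0 | 4 | 0 | 0 |
| 9 | 16 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 16 | 4 | 0 | 0 | 0 | 0 | 0 |
| A | 16 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 4 | 16 | 0 | 0 | 0 | 0 | 0 |
| B | 16 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 16 | 0 | 0 | 0 | 4 |
| C | 16 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 16 | 0 | 4 | 0 |
| D | 16 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 16 | 0 | 0 |
| E | 16 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 16 | 0 |
| F | 16 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 16 |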
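
Tables 4 to 8 can be regenerated from the LUT in Table 3. The Python code below is an added example, not code from the paper, PEIGEN or SageMath; it assumes an n × n S-box given as a list, and all function names are illustrative. It also shows that Table 5 and Table 6 differ only in scaling: the entries of Table 5 are twice the absolute values of those in Table 6.

```python
# Added example: recompute the TWINE tables (Tables 4-8) from the LUT in Table 3.
TWINE = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5,
         0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]


def parity(v):
    """Parity of the set bits of v, i.e. a GF(2) dot product after masking."""
    return bin(v).count("1") & 1


def ddt(s):
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(s)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][s[x] ^ s[x ^ a]] += 1
    return table


def lat(s):
    """Signed LAT[a][b] = #{x : a.x == b.S(x)} - 2^(n-1) (scaling of Table 6)."""
    size = len(s)
    return [[sum(parity(a & x) == parity(b & s[x]) for x in range(size)) - size // 2
             for b in range(size)] for a in range(size)]


def lat_abs_walsh(s):
    """2 * |signed LAT entry| (scaling of Table 5)."""
    return [[2 * abs(v) for v in row] for row in lat(s)]


def bct(s):
    """BCT[a][b] = #{x : S^-1(S(x) ^ b) ^ S^-1(S(x ^ a) ^ b) == a}."""
    size = len(s)
    if sorted(s) != list(range(size)):
        raise ValueError("the BCT needs S^-1, so S must be bijective")
    inv = [0] * size
    for x, y in enumerate(s):
        inv[y] = x
    return [[sum((inv[s[x] ^ b] ^ inv[s[x ^ a] ^ b]) == a for x in range(size))
             for b in range(size)] for a in range(size)]


def fbct(s):
    """FBCT[a][b] = #{x : S(x) ^ S(x^a) ^ S(x^b) ^ S(x^a^b) == 0}."""
    size = len(s)
    return [[sum((s[x] ^ s[x ^ a] ^ s[x ^ b] ^ s[x ^ a ^ b]) == 0 for x in range(size))
             for b in range(size)] for a in range(size)]


def summary(s):
    """Uniformities read off the tables, skipping the trivial rows and columns."""
    size = len(s)
    nz = range(1, size)
    d, w, f = ddt(s), lat_abs_walsh(s), fbct(s)
    lin = max(w[a][b] for a in range(size) for b in nz)
    out = {"DU": max(d[a][b] for a in nz for b in range(size)),
           "L": lin,
           "NL": size // 2 - lin // 2,
           # FBCT[a][a] is always 2^n, so the diagonal is excluded as well.
           "FBU": max(f[a][b] for a in nz for b in nz if a != b)}
    if sorted(s) == list(range(size)):
        boom = bct(s)
        out["BU"] = max(boom[a][b] for a in nz for b in nz)
    return out


if __name__ == "__main__":
    print(summary(TWINE))
```
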
Table 9. A BPL of 16 bits. Here, i represents the original position of a bit, and P(i) denotes its new position after the BPL is applied.

| i | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| P(i) | A | 4 | 7 | F | 2 | 9 | D | 0 | 1 | B | 5 | E | 8 | C | 6 | 3 |
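Table 10. LUT of the Serpent S_0 taken from [15].

| X | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| S(X) | 3 | 8 | F | 1 | A | 6 | 5 | B | E | D | 4 | 2 | 7 | 0 | 9 | C |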
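Table 11. DDT of the Serpent S-box S_0.

| DDT | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 0 | 0 | 2 | 0 | 2 | 2 | 2 | 0 | 0 | 0 | 2 | 2 | 0 | 4 | 0 |
| 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 2 | 0 | 4 | 2 | 2 | 4 |
| 3 | 0 | 2 | 2 | 2 | 0 | 0 | 0 | 2 | 0 | 4 | 0 | 2 | 2 | 0 | 0 | 0 |
| 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 4 | 0 | 0 | 4 | 4 | 0 |
| 5 | 0 | 0 | 2 | 0 | 4 | 2 | 0 | 0 | 2 | 0 | 2 | 2 | 0 | 0 | 2 | 0 |
| 6 | 0 | 2 | 2 | 4 | 0 | 2 | 2 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 7 | 0 | 0 | 2 | 0 | 4 | 2 | 0 | 0 | 2 | 2 | 0 | 2 | 0 | 2 | 0 | 0 |
| 8 | 0 | 0 | 0 | 2 | 0 | 2 | 2 | 2 | 0 | 0 | 0 | 2 | 2 | 4 | 0 | 0 |
| 9 | 0 | 2 | 2 | 0 | 0 | 2 | 2 | 0 | 0 | 2 | 2 | 0 | 0 | 2 | 2 | 0 |
| A | 0 | 2 | 2 | 2 | 0 | 0 | 0 | 2 | 0 | 0 | 4 | 2 | 2 | 0 | 0 | 0 |
| B | 0 | 2 | 2 | 0 | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 4 |
| C | 0 | 2 | 0 | 0 | 4 | 0 | 2 | 0 | 2 | 2 | 0 | 2 | 0 | 2 | 0 | 0 |
| D | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 4 |
| E | 0 | 2 | 0 | 0 | 4 | 0 | 2 | 0 | 2 | 0 | 2 | 2 | 0 | 0 | 2 | 0 |
| F | 0 | 2 | 2 | 0 | 0 | 2 | 2 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 4 |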
Table 12. Summary of S-box properties, evaluation tools, related attacks, acceptable thresholds, and optimal values for n = 4, n = 8, and odd n. ✓ indicates that the property can be achieved in the respective case.

| Property/Measure | Tool | Attack | Acceptable/Value | Optimal Value (n = 4) | Optimal Value (n = 8) | Optimal Value (AB, n odd) |
|---|---|---|---|---|---|---|
| B | Definition 5 | Differential | | | | |
| DU | DDT | Differential | Small | 4 | 4 | 2 |
| MDP | DDT | Differential | Small | 0.25 | 0.015625 | 2 n 1 |
| CarD1 | DDT | Differential | Small | 0 | 0 | 0 |
| L | LAT | Linear | Small | 8 | 32 | 2 ( n + 1 ) / 2 |
| LAP | LAT | Linear | Small | 0.25 | 0.0625 | 2 ( n + 1 ) / 2 |
| CarL1 | LAT | Linear | Small | 0 | 0 | 0 |
| NL | WH | Linear | High | 4 | 112 | 2 n 1 2 ( n + 1 ) / 2 1 |
| BU | BCT | Boomerang | Small | 6 | 6 | 2 |
| PBSR | BCT | Boomerang | Small | 0.375 | 0.0234375 | 2 n 1 |
| FBU | FBCT | Boomerang | Small | 4 | 4 | 0 |
| PBSR (FBU) | FBCT | Boomerang | Small | 0.25 | 0.015625 | 0 |
| AD | ANF | Algebraic | High | 3 | 7 | n 1 |
| SAC | Refer to (31) | Statistical | Near to 0.5 | 0.5 | 0.5 | 0.5 |
Table 13. Analysis of four toolkits for evaluating S-boxes. The DLS toolkit supports CarD1 and CarL1 only when n = m = 4. ✓ indicates that the corresponding property is implemented in the referenced toolkit.
ToolkitsStructuralConfusionDiffusion
Size DU B MDP L NL LAP BU PBSR (BU) FBU PBSR (FBU) AD SAC CarD1 CarL1
PEIGEN
(2019) [32]
n = m
SageMath
[63]
n = m
n m
DLS
(2023) [77]
n = m
n m
ABS n = m
Table 14. Evaluation of different S-boxes with respect to their cryptographic properties using the available toolkits.
S-BoxSizeFunctionOutputDUBMDPLNLLAPBUFBUPBSRADSACCarD1CarL1
AES 8 × 8 BijectiveStatic40.015625321120.06256n/an/a70.504883n/an/a
TWINE 4 × 4 BijectiveStatic40.25840.25n/a40.2530.57n/an/a
RECTANGLE 4 × 4 BijectiveStatic40.25840.2516n/an/a30.67122
SERPENT S 0 4 × 4 BijectiveStatic40.25840.2516n/an/a30.64008
PRESENT 4 × 4 BijectiveStatic40.25840.2516n/an/a30.62508
Tong et al. [22] 4 × 4 BijectiveStatic40.25840.25640.2530.5810
Li et al. [20] 4 × 4 BijectiveStatic40.25840.25640.2530.51010
SAND 4 × 8 Non-bijectiveStatic40.25840.25n/a80.53n/an/a
DES S 1 6 × 4 Non-bijectiveStatic160.2536140.28125n/a240.3755
Ventura, D.C.; Rodríguez-Henríquez, L.M.X.; Hernández, S.E.P. Understanding S-Box Security Assessment: A Practical Guide. Math. Comput. Appl. 2026, 31, 27. https://doi.org/10.3390/mca31010027
