S-box Analyzer Web Version

1. Non-linearity

1. Compute the truth table of $f$$f$ff$f$.
2. Construct all possible affine functions of the same dimension.
3. Calculate the Hamming distance between $f$$f$ff$f$ and each affine function.
4. The smallest Hamming distance obtained is the non-linearity of $f$$f$ff$f$.

2. Strict Avalanche Criterion (SAC)

1. Let $S$$S$SS$S$ be an S-box mapping $n$$n$nn$n$-bit inputs to $m$$m$mm$m$-bit outputs.
2. Denote the output bits of $S$$S$SS$S$ as $(f_1(x),f_2(x),\dots ,f_m(x))$$(f_1(x),f_2(x),\dots ,f_m(x))$(f_(1)(x),f_(2)(x),dots,f_(m)(x))(f_1(x), f_2(x), \ldots, f_m(x))$(f_1(x),f_2(x),\dots ,f_m(x))$ for an input $x$$x$xx$x$.

• $e_i$$e_i$e_(i)e_i$e_i$ is the $i$$i$ii$i$-th unit vector in $n$$n$nn$n$-dimensional space, indicating a flip in the $i$$i$ii$i$-th input bit.
• $x\oplus e_i$$x\oplus e_i$x o+e_(i)x \oplus e_i$x\oplus e_i$ denotes the input $x$$x$xx$x$ with the $i$$i$ii$i$-th bit flipped.
• $\oplus$$\oplus$o+\oplus$\oplus$ represents the XOR operation.

1. For each output bit $f_j$$f_j$f_(j)f_j$f_j$ and each input bit $x_i$$x_i$x_(i)x_i$x_i$:
   • Iterate over all possible inputs $x\in \{0,1{\}}^n$$x\in \{0,1{\}}^n$x in{0,1}^(n)x \in \{0, 1\}^n$x\in \{0,1{\}}^n$.
   • Flip the $i$$i$ii$i$-th input bit by using the vector $e_i$$e_i$e_(i)e_i$e_i$.
   • Compute the number of times $f_j(x)\ne f_j(x\oplus e_i)$$f_j(x)\ne f_j(x\oplus e_i)$f_(j)(x)!=f_(j)(x o+e_(i))f_j(x) \neq f_j(x \oplus e_i)$f_j(x)\ne f_j(x\oplus e_i)$.
2. Calculate the probability for each pair $(x_i,f_j)$$(x_i,f_j)$(x_(i),f_(j))(x_i, f_j)$(x_i,f_j)$.
3. Verify that these probabilities are close to 0.5 for all pairs.

3. Bit Independence Criterion (BIC)

1. Let $S$$S$SS$S$ be an S-box mapping $n$$n$nn$n$-bit inputs to $m$$m$mm$m$-bit outputs.
2. Denote the output bits of $S$$S$SS$S$ as $(f_1(x),f_2(x),\dots ,f_m(x))$$(f_1(x),f_2(x),\dots ,f_m(x))$(f_(1)(x),f_(2)(x),dots,f_(m)(x))(f_1(x), f_2(x), \ldots, f_m(x))$(f_1(x),f_2(x),\dots ,f_m(x))$ for an input $x$$x$xx$x$.

• $f_i$$f_i$f_(i)f_i$f_i$ and $f_j$$f_j$f_(j)f_j$f_j$ are output bit functions of the S-box.
• $e_k$$e_k$e_(k)e_k$e_k$ is the $k$$k$kk$k$-th unit vector in $n$$n$nn$n$-dimensional space, indicating a flip in the $k$$k$kk$k$-th input bit.
• $x\oplus e_k$$x\oplus e_k$x o+e_(k)x \oplus e_k$x\oplus e_k$ denotes the input $x$$x$xx$x$ with the $k$$k$kk$k$-th bit flipped.
• $\oplus$$\oplus$o+\oplus$\oplus$ represents the XOR operation.

1. For each pair of output bits $f_i$$f_i$f_(i)f_i$f_i$ and $f_j$$f_j$f_(j)f_j$f_j$:
   • Iterate over all possible inputs $x\in \{0,1{\}}^n$$x\in \{0,1{\}}^n$x in{0,1}^(n)x \in \{0, 1\}^n$x\in \{0,1{\}}^n$.
   • Flip each input bit $k$$k$kk$k$ by using the vector $e_k$$e_k$e_(k)e_k$e_k$.
   • Calculate the correlation between the bit changes.
2. Analyze the correlations: lower values indicate higher independence.

4. Differential Uniformity

1. Let $S$$S$SS$S$ map $n$$n$nn$n$-bit inputs to $m$$m$mm$m$-bit outputs.
2. Define the input difference $\mathrm{\Delta }x$$\mathrm{\Delta }x$Delta x\Delta x$\mathrm{\Delta }x$ and output difference $\mathrm{\Delta }y$$\mathrm{\Delta }y$Delta y\Delta y$\mathrm{\Delta }y$ as:$$\mathrm{\Delta }x=x\oplus x^{\prime }$$$$\mathrm{\Delta }x=x\oplus x^{\prime }$$Delta x=x o+x^(')\Delta x = x \oplus x'$$\mathrm{\Delta }x=x\oplus x^{\prime }$$$$\mathrm{\Delta }y=S(x)\oplus S(x^{\prime })$$$$\mathrm{\Delta }y=S(x)\oplus S(x^{\prime })$$Delta y=S(x)o+S(x^('))\Delta y = S(x) \oplus S(x')$$\mathrm{\Delta }y=S(x)\oplus S(x^{\prime })$$
3. Count the number of pairs $(x,x^{\prime })$$(x,x^{\prime })$(x,x^('))(x, x')$(x,x^{\prime })$ that produce each $\mathrm{\Delta }y$$\mathrm{\Delta }y$Delta y\Delta y$\mathrm{\Delta }y$ for a given $\mathrm{\Delta }x$$\mathrm{\Delta }x$Delta x\Delta x$\mathrm{\Delta }x$:$$DDT(\mathrm{\Delta }x,\mathrm{\Delta }y)=|\{x\in \{0,1{\}}^n\mid S(x)\oplus S(x\oplus \mathrm{\Delta }x)=\mathrm{\Delta }y\}|$$$$DDT(\mathrm{\Delta }x,\mathrm{\Delta }y)=\left|\{x\in \{0,1{\}}^n\mid S(x)\oplus S(x\oplus \mathrm{\Delta }x)=\mathrm{\Delta }y\}\right|$$DDT(Delta x,Delta y)=|{x in{0,1}^(n)∣S(x)o+S(x o+Delta x)=Delta y}|DDT(\Delta x, \Delta y) = \left| \{ x \in \{0, 1\}^n \mid S(x) \oplus S(x \oplus \Delta x) = \Delta y \} \right|$$DDT(\mathrm{\Delta }x,\mathrm{\Delta }y)=|\{x\in \{0,1{\}}^n\mid S(x)\oplus S(x\oplus \mathrm{\Delta }x)=\mathrm{\Delta }y\}|$$

1. Initialize a table $DDT$$DDT$DDTDDT$DDT$ of size $2^n\times 2^m$$2^n\times 2^m$2^(n)xx2^(m)2^n \times 2^m$2^n\times 2^m$ with zeros.
2. For each non-zero input difference $\mathrm{\Delta }x$$\mathrm{\Delta }x$Delta x\Delta x$\mathrm{\Delta }x$:
   • For each possible input $x\in \{0,1{\}}^n$$x\in \{0,1{\}}^n$x in{0,1}^(n)x \in \{0, 1\}^n$x\in \{0,1{\}}^n$:
     • Compute $x^{\prime }=x\oplus \mathrm{\Delta }x$$x^{\prime }=x\oplus \mathrm{\Delta }x$x^(')=x o+Delta xx' = x \oplus \Delta x$x^{\prime }=x\oplus \mathrm{\Delta }x$.
     • Compute the output difference $\mathrm{\Delta }y=S(x)\oplus S(x^{\prime })$$\mathrm{\Delta }y=S(x)\oplus S(x^{\prime })$Delta y=S(x)o+S(x^('))\Delta y = S(x) \oplus S(x')$\mathrm{\Delta }y=S(x)\oplus S(x^{\prime })$.
     • Increment the corresponding entry in the DDT: $DDT(\mathrm{\Delta }x,\mathrm{\Delta }y)$$DDT(\mathrm{\Delta }x,\mathrm{\Delta }y)$DDT(Delta x,Delta y)DDT(\Delta x, \Delta y)$DDT(\mathrm{\Delta }x,\mathrm{\Delta }y)$.
3. Identify the maximum value in the DDT for non-zero $\mathrm{\Delta }x$$\mathrm{\Delta }x$Delta x\Delta x$\mathrm{\Delta }x$, which is the differential uniformity $\delta$$\delta$delta\delta$\delta$.

5. Linear Uniformity

1. Define the linear approximation of an input $x$$x$xx$x$ and an output $y$$y$yy$y$ as:
   $${\mathcal{L}}_{\alpha ,\beta }(x,y)=\alpha \cdot x\oplus \beta \cdot y$$$${\mathcal{L}}_{\alpha ,\beta }(x,y)=\alpha \cdot x\oplus \beta \cdot y$$L_(alpha,beta)(x,y)=alpha*x o+beta*y\mathcal{L}_{\alpha, \beta}(x, y) = \alpha \cdot x \oplus \beta \cdot y$${\mathcal{L}}_{\alpha ,\beta }(x,y)=\alpha \cdot x\oplus \beta \cdot y$$
   where $\alpha$$\alpha$alpha\alpha$\alpha$ and $\beta$$\beta$beta\beta$\beta$ are non-zero $n$$n$nn$n$-bit and $m$$m$mm$m$-bit vectors, respectively, and $\cdot$$\cdot$*\cdot$\cdot$ denotes the dot product.
2. Calculate the correlation between input and output bit combinations:
   $$LAT(\alpha ,\beta )=\sum _{x\in \{0,1{\}}^n}(-1{)}^{{\mathcal{L}}_{\alpha ,\beta }(x,S(x))}$$$$LAT(\alpha ,\beta )=\sum _{x\in \{0,1{\}}^n} (-1{)}^{{\mathcal{L}}_{\alpha ,\beta }(x,S(x))}$$LAT(alpha,beta)=sum_(x in{0,1}^(n))(-1)^(L_(alpha,beta)(x,S(x)))LAT(\alpha, \beta) = \sum_{x \in \{0, 1\}^n} (-1)^{\mathcal{L}_{\alpha, \beta}(x, S(x))}$$LAT(\alpha ,\beta )=\sum _{x\in \{0,1{\}}^n}(-1{)}^{{\mathcal{L}}_{\alpha ,\beta }(x,S(x))}$$
3. The linear uniformity $LU$$LU$LULU$LU$ is defined as:
   $$LU=\underset{\alpha \ne 0,\beta }{max}|LAT(\alpha ,\beta )|$$$$LU=\underset{\alpha \ne 0,\beta }{max} |LAT(\alpha ,\beta )|$$LU=max_(alpha!=0,beta)|LAT(alpha,beta)|LU = \max_{\alpha \neq 0, \beta} |LAT(\alpha, \beta)|$$LU=\underset{\alpha \ne 0,\beta }{max}|LAT(\alpha ,\beta )|$$

1. Initialize a table $LAT$$LAT$LATLAT$LAT$ of size $2^n\times 2^m$$2^n\times 2^m$2^(n)xx2^(m)2^n \times 2^m$2^n\times 2^m$ with zeros.
2. For each non-zero $\alpha \in \{0,1{\}}^n$$\alpha \in \{0,1{\}}^n$alpha in{0,1}^(n)\alpha \in \{0, 1\}^n$\alpha \in \{0,1{\}}^n$:
   • For each $\beta \in \{0,1{\}}^m$$\beta \in \{0,1{\}}^m$beta in{0,1}^(m)\beta \in \{0, 1\}^m$\beta \in \{0,1{\}}^m$:
     • Compute the sum $\sum _{x\in \{0,1{\}}^n}(-1{)}^{\alpha \cdot x\oplus \beta \cdot S(x)}$$\sum _{x\in \{0,1{\}}^n} (-1{)}^{\alpha \cdot x\oplus \beta \cdot S(x)}$sum_(x in{0,1}^(n))(-1)^(alpha*x o+beta*S(x))\sum_{x \in \{0, 1\}^n} (-1)^{\alpha \cdot x \oplus \beta \cdot S(x)}$\sum _{x\in \{0,1{\}}^n}(-1{)}^{\alpha \cdot x\oplus \beta \cdot S(x)}$ and store it in $LAT(\alpha ,\beta )$$LAT(\alpha ,\beta )$LAT(alpha,beta)LAT(\alpha, \beta)$LAT(\alpha ,\beta )$.
3. Identify the maximum absolute value in the $LAT$$LAT$LATLAT$LAT$, which is the linear uniformity $LU$$LU$LULU$LU$.