Linear Redundancy in S-Boxes

  • Joanne Fuller
  • William Millan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


This paper reports the discovery of linear redundancy in the S-boxes of many ciphers recently proposed for standardisation (including Rijndael, the new AES). We introduce a new method to efficiently detect affine equivalence of Boolean functions, and hence we study the variety of equivalence classes existing in random and published S-boxes. This leads us to propose a new randomness criterion for these components. We present experimental data supporting the notion that linear redundancy is very rare in S-boxes with more than 6 inputs. Finally we discuss the impact this property may have on implementations, review the potential for new cryptanalytic attacks, and propose a new tweak for block ciphers that removes the redundancy. We also provide details of a highly nonlinear 8*8 non-redundant bijective S-box, which is suitable as a plug in replacement where required.


Equivalence Class Boolean Function Block Cipher Algebraic Degree Algebraic Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Berlekamp, E.R., Welch, L.R.: Weight Distributions of the Cosets of the (32, 6) Reed-Muller Code. IEEE Transactions on Information Theory 18(1), 203–207 (1972)zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Coppersmith, D.: Personal communication (September 2002)Google Scholar
  3. 3.
    Daemen, J., Knudsen, L., Rijmen, V.: The Block Cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  4. 4.
    Daemen, J., Rijmen, V.: AES proposal: RijndaelGoogle Scholar
  5. 5.
    Denev, J.D., Tonchev, V.D.: On the Number of Equivalence Classes of Boolean Functions under a Transformation Group. IEEE Transactions on Information Theory 26(5), 625–626 (1980)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Ferguson, N., Schroeppel, R., Whiting, D.: A Simple Algebraic Representation of Rijndael. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, p. 103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Fuller, J., Millan, W.: Linear redundancy in the aes s-box, manuscript 2002/111 on IACR E-print Archive (August 2002)Google Scholar
  8. 8.
    Garrido, E.: Personal communication (August 2002)Google Scholar
  9. 9.
    Liskov, M., Rivest, R., Wagner, D.: Tweakable Block Ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 31. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Maiorana, J.A.: A Classificationn of the Cosets of the Reed-Muller code r(1, 6). Mathematics of Computation 57(195), 403–414 (1991)zbMATHMathSciNetGoogle Scholar
  11. 11.
    Mister, S.: Analysis of the building blocks of Serpent (2000)Google Scholar
  12. 12.
    National Bureau of Standards (U.S.). Data Encryption Standard (DES). Federal Information Processing Standards (1977)Google Scholar
  13. 13.
    Pasalic, E., Johansson, T., Maitra, S., Sarkar, P.: New constructions of resilient and correlation immune boolean functions achieving upper bounds on nonlinearity (2001)Google Scholar
  14. 14.
    Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., De Win, E.: The Cipher SHARK. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 99–111. Springer, Heidelberg (1996)Google Scholar
  15. 15.
    Rijmen, V.: Efficient Implementation of the Rijndael S-box. Presented at an AES conferenceGoogle Scholar
  16. 16.
    Shannon, C.E.: Communication theory of secrecy systems. Bell Systems Technical Journal 28, 656–715 (1949)zbMATHMathSciNetGoogle Scholar
  17. 17.
    Wagner, D.: Personal communication (August 2002)Google Scholar
  18. 18.
    The New European Schemes for Signatures, Integrity and Encryption (NESSIE) process maintains a web-site via,
  19. 19.
    The CRYPTREC process has a web-site at
  20. 20.
    The South Korean standards process has a web-site with downloads at

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Joanne Fuller
    • 1
  • William Millan
    • 1
  1. 1.Information Security Research CentreQueensland University of TechnologyBrisbaneAustralia

Personalised recommendations