On the Classification of 4 Bit S-Boxes

  • G. Leander
  • A. Poschmann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4547)


In this paper we classify all optimal 4 bit S-boxes. Remarkably, up to affine equivalence, there are only 16 different optimal S-boxes. This observation can be used to efficiently generate optimal S-boxes fulfilling additional criteria. One result is that an S-box which is optimal against differential and linear attacks is always optimal with respect to algebraic attacks as well. We also classify all optimal S-boxes up to the so called CCZ equivalence. We furthermore generated all S-boxes fulfilling the conditions on nonlinearity and uniformity for S-boxes used in the block cipher Serpent. Up to a slightly modified notion of equivalence, there are only 14 different S-boxes. Due to this small number it is not surprising that some of the S-boxes of the Serpent cipher are linear equivalent. Another advantage of our characterization is that it eases the highly non-trivial task of choosing good S-boxes for hardware dedicated ciphers a lot.


S-box Vectorial Boolean function Affine equivalence Hardware Implementation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Biham, E., Shamir, A.: Differential cryptanalysis of des-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1990)Google Scholar
  2. Biryukov, A., De Cannière, C., Braeken, A., Preneel, B.: A toolbox for cryptanalysis: Linear and affine equivalence algorithms. In: Biham, E. (ed.) Advances in Cryptology – EUROCRPYT 2003. LNCS, vol. 2656, pp. 33–50. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. Brinkman, M., Leander, G.: On the classification of apn functions up to dimension five. International Workshop on Coding and Cryptography (2007)Google Scholar
  4. Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations suitable for des-like cryptosystems. Des. Codes Cryptography 15(2), 125–156 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  5. Courtois, N., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. Courtois, N., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. Cryptology ePrint Archive, Report 2002/044 (2002),
  7. Knudsen, L.: private communicationGoogle Scholar
  8. Lachaud, G., Wolfmann, J.: The weights of the orthogonals of the extended quadratic binary goppa codes. IEEE Transactions on Information Theory 36(3), 686 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  9. Lorens, C.S.: Invertible boolean functions. IEEE Trans. Electronic Computers 13(5), 529–541 (1964)zbMATHCrossRefMathSciNetGoogle Scholar
  10. Matsui, M.: Linear cryptoanalysis method for des cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1993)Google Scholar
  11. Nyberg, K.: Perfect nonlinear s-boxes. In: EUROCRYPT 1991. LNCS, vol. 547, pp. 378–386. Springer, Heidelberg (1991)Google Scholar
  12. Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)Google Scholar
  13. Rothaus, O.S.: On ”bent” functions. J. Comb. Theory, Ser. A 20(3), 300–305 (1976)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • G. Leander
    • 1
  • A. Poschmann
    • 2
  1. 1.GRIM, University ToulonFrance
  2. 2.Horst-Görtz-Institute for IT-Security, Ruhr-University BochumGermany

Personalised recommendations