Substitution–permutation Network

In cryptography, an SP-network, or substitution–permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms such as AES (Rijndael), 3-Way, Kalyna, Kuznyechik, PRESENT, SAFER, SHARK, and Square.

Such a network takes a block of the plaintext and the key as inputs, and applies several alternating rounds or layers of substitution boxes (S-boxes) and permutation boxes (P-boxes) to produce the ciphertext block. The S-boxes and P-boxes transform blocks of input bits into output bits. It is common for these transformations to be operations that are efficient to perform in hardware, such as exclusive or (XOR) and bitwise rotation. The key is introduced in each round, usually in the form of "round keys" derived from it. (In some designs, the S-boxes themselves depend on the key.)

Decryption is done by simply reversing the process (using the inverses of the S-boxes and P-boxes and applying the round keys in reversed order).


Components

An S-box substitutes a small block of bits (the input of the S-box) by another block of bits (the output of the S-box). This substitution should be one-to-one, to ensure invertibility (hence decryption). In particular, the length of the output should be the same as the length of the input (the picture on the right has S-boxes with 4 input and 4 output bits), which is different from S-boxes in general that could also change the length, as in Data Encryption Standard (DES), for example. An S-box is usually not simply a permutation of the bits. Rather, in a good S-box each output bit will be affected by every input bit. More precisely, in a good S-box each output bit will be changed with 50% probability by every input bit. Since each output bit changes with 50% probability, about half of the output bits will actually change with an input bit change (cf. strict avalanche criterion).

A P-box is a permutation of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible.

At each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically XOR.


Properties

A single typical S-box or a single P-box alone does not have much cryptographic strength: an S-box could be thought of as a substitution cipher, while a P-box could be thought of as a transposition cipher. However, a well-designed SP network with several alternating rounds of S- and P-boxes already satisfies Shannon's confusion and diffusion properties:

* The reason for diffusion is the following: If one changes one bit of the plaintext, then it is fed into an S-box, whose output will change at several bits, then all these changes are distributed by the P-box among several S-boxes, hence the outputs of all of these S-boxes are again changed at several bits, and so on. Doing several rounds, each bit changes several times back and forth, therefore, by the end, the ciphertext has changed completely, in a pseudorandom manner. In particular, for a randomly chosen input block, if one flips the i-th bit, then the probability that the j-th output bit will change is approximately a half, for any i and j, which is the strict avalanche criterion. Vice versa, if one changes one bit of the ciphertext, then attempts to decrypt it, the result is a message completely different from the original plaintext; SP ciphers are not easily malleable.
* The reason for confusion is exactly the same as for diffusion: changing one bit of the key changes several of the round keys, and every change in every round key diffuses over all the bits, changing the ciphertext in a very complex manner.
* If an attacker somehow obtains one plaintext corresponding to one ciphertext (a known-plaintext attack, or worse, a chosen plaintext or chosen-ciphertext attack), the confusion and diffusion make it difficult for the attacker to recover the key.
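The round structure from the introduction (decryption by inverse boxes and reversed round keys) and the diffusion argument above can be checked on a toy cipher. This is an added example, not part of the original article: the 16-bit block size, the S-box (first row of DES S1), the transposition P-box, the key schedule and the sample key are all illustrative assumptions.

```python
# Toy 16-bit SPN for illustration only (constructed parameters, not secure).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # 4-bit bijection
INV_SBOX = [SBOX.index(v) for v in range(16)]
# P-box: bit i moves to PBOX[i], so each S-box output reaches all four S-boxes.
PBOX = [(i % 4) * 4 + i // 4 for i in range(16)]
INV_PBOX = [PBOX.index(i) for i in range(16)]

def round_keys(key, rounds):
    """Toy schedule (assumption): top 16 bits of the 32-bit key rotated 4 bits per round."""
    key &= 0xFFFFFFFF
    return [(((key << 4 * r) | (key >> (32 - 4 * r))) & 0xFFFFFFFF) >> 16
            for r in range(rounds + 1)]

def substitute(x, box):
    """Apply a 4-bit S-box to each of the four nibbles."""
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))

def permute(x, table):
    """Move bit i of x to bit table[i]."""
    return sum(((x >> i) & 1) << table[i] for i in range(16))

def encrypt(block, key, rounds=4):
    ks = round_keys(key, rounds)
    for r in range(rounds):
        block = substitute(block ^ ks[r], SBOX)
        if r < rounds - 1:            # a keyless final P-box would be trivially undone
            block = permute(block, PBOX)
    return block ^ ks[rounds]

def decrypt(block, key, rounds=4):
    ks = round_keys(key, rounds)
    block ^= ks[rounds]               # round keys are applied in reverse order
    for r in reversed(range(rounds)):
        if r < rounds - 1:
            block = permute(block, INV_PBOX)
        block = substitute(block, INV_SBOX) ^ ks[r]
    return block

def avalanche(key, rounds):
    """Mean number of ciphertext bits that flip when one plaintext bit flips."""
    total = pairs = 0
    for block in range(0, 1 << 16, 257):      # constructed sample of 256 blocks
        c = encrypt(block, key, rounds)
        for i in range(16):
            total += bin(c ^ encrypt(block ^ (1 << i), key, rounds)).count("1")
            pairs += 1
    return total / pairs

if __name__ == "__main__":
    KEY = 0x3A94D63F                          # constructed sample key
    for n in (1, 2, 3, 4):
        print(n, "round(s):", round(avalanche(KEY, n), 2), "of 16 bits flipped")
```

With one round a flipped plaintext bit stays inside a single S-box, so at most 4 ciphertext bits change; the count grows toward half the block as rounds are added.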


Performance

Although a Feistel network that uses S-boxes (such as DES) is quite similar to SP networks, there are some differences that make either this or that more applicable in certain situations. For a given amount of confusion and diffusion, an SP network has more "inherent parallelism" and so, given a CPU with many execution units, can be computed faster than a Feistel network ("The Skein Hash Function Family", 2008, by Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker, page 40). CPUs with few execution units, such as most smart cards, cannot take advantage of this inherent parallelism. Also SP ciphers require S-boxes to be invertible (to perform decryption); Feistel inner functions have no such restriction and can be constructed as one-way functions.


See also

* Feistel network
* Product cipher
* Square (cipher)
* International Data Encryption Algorithm

