An analysis of a class of algorithms for S-box construction

We analyze a very general class of algorithms for constructingm-bit invertible S-boxes called bit-by-bit methods. The method builds an S-box one entry at a time, and has been proposed by Adams and Tavares [2] and Forre [11] to construct S-boxes that satisfy certain cryptographic properties such as nonlinearity and the strict avalanche criterion. We prove, both theoretically and empirically, that the bit-by-bit method is infeasible form>6. The author is currently employed by the Distributed System Technology Center (DSTC), Brisbane, Australia. Correspondence should be sent to ISRC, QUT Gardens Point, 2 George Street, GPO Box 2434, Brisbane, Queensland 4001, Australia.