Ftp.cs.sjtu.edu.cn

Key-Dependent S-Box Manipulations
Sandy Harris1 and Carlisle Adams2 1 Kaya Consulting, 6 Beechwood Avenue, Suite 16 Vanier, Ontario,Canada, K1L 8B4 2 Entrust Technologies, 750 Heron Road Ottawa, Ontario, Canada, K1V 1A7 Abstract. This paper discusses a method of enhancing the security of
block ciphers which use s-boxes, a group which includes the ciphers DES,
CAST-128, and Blowfish. We focus on CAST-128 and consider Blowfish;
Biham and Biryukov [2] have made some similar proposals for DES.
The method discussed uses bits of the primary key to directly manipu-
late the s-boxes in such a way that their contents are changed but their
cryptographic properties are preserved. Such a strategy appears to sig-
nificantly strengthen the cipher against certain attacks, at the expense of
a relatively modest one-time computational procedure during the set-up
phase. Thus, a stronger cipher with identical encryption / decryption
performance characteristics may be constructed with little additional
overhead or computational complexity.
Both carefully-constructed and randomly-generated s-boxes have a place in sym-metric cipher design. Typically, a given cipher will use one or the other para-digm in its encryption "engine". This paper suggests that a mixture of the twoparadigms may yield beneficial results in some environments. In our examples, weuse the four 8 × 32 s-boxes which the Blowfish and CAST-128 ciphers employ,but variations of this technique could be applied to any cipher using s-boxes,whatever their number and sizes.
We propose using strong s-boxes and applying key-dependent operations to them at the time of key scheduling, before the actual encryption begins. The goalis to get the benefits of strong s-boxes (as in CAST-128) and of key-dependents-boxes (as in Blowfish) without the drawbacks of either.
The technique can be powerful. If a basic cipher can be broken in a second by exhaustive search over the key space and if key-dependent operations on thes-boxes add 32 bits to the effective key length, then breaking the improved cipherby brute force takes 232 seconds (just over a century). If these operations add64 effective bits, then it would take 232 centuries to break the improved cipher.
Key-dependent operations on s-boxes can use large numbers of bits. For 8×32 s-boxes, XORing constants into the inputs and outputs can use 40 bits per s-box.
S. Tavares and H. Meijer (Eds.): SAC'98, LNCS 1556, pp. 1999.
Springer-Verlag Berlin Heidelberg 1999 Sandy Harris and Carlisle Adams Permuting the inputs and outputs can use log2(8!) + log2(32!) > 130 bits pers-box. A cipher with four such s-boxes could use 680 bits of additional key withthese operations (although it is recognized that this will not necessarily be theincrease in the effective key length).
We start with the CAST-128 cipher and propose using between 148 and 256 additional key bits for s-box transformations. The increase in effective keylength (although difficult to compute precisely) is likely to be considerably lowerthan this, but the transformations still appear to be worthwhile in at least someapplications. In particular, the cost is moderate and the resulting cipher appearsto be more resistant to attacks that rely upon knowledge of the s-box contents.
It is important to note that the technique is inherently efficient in one sense: all the s-box transformations are done at set-up time. Thus, there is no increasein the per-round or per-block encryption time of the strengthened cipher.
The Extra Key Bits
The additional bits required for this proposal may come from one of two sources:derived key bits or primary key bits. As an example of the former, CAST-128[1] expands the 128-bit key to 1024 bits but does not use all of them. The actualencryption uses 37 bits per round (592 in the full 16 rounds) so that 432 bitsare generated by the key scheduling algorithm but are unused by the cipher.
These currently unused bits may be good candidates for the bits needed fors-box manipulation.
Alternatively, additional primary key bits may be used for the proposal in this paper. This has the advantage of increasing the key space for exhaustive searchattacks, at the cost of increased key storage and bandwidth requirements. Note,however, that in some environments the bandwidth required for key transfer orkey agreement protocols need not increase. In one common use of symmetricciphers, session keys are transmitted using a public key method such as RSA [5]or Diffie-Hellman [3]. Public key algorithms use large numbers of bits so that totransmit a 128-bit session key, you may need to encrypt, transmit and decrypt afull public-key block of 1024 bits or more. In such a case, any key up to severalhundred bits can be transmitted with no additional cost compared with a 128-bitkey.
Using derived key bits has no impact on primary key size, but depends upon a key scheduling algorithm that generates extra (i.e., currently unused) bits. Usingprimary key bits places no such requirement on the key scheduling algorithm, buthas storage and bandwidth implications, and may show some susceptibility tochosen-key-type attacks (since the two pieces of the primary key are "separable"in some sense).
CAST's Strong S-Boxes
The CAST design procedure uses fixed s-boxes in the construction of each spe-cific CAST cipher. This allows implementers to build strong s-boxes, using bent Key-Dependent S-Box Manipulations Boolean functions for the columns and choosing combinations of columns forhigh levels of s-box nonlinearity and for other desirable properties. Details canbe found in Mister and Adams [4].
For example, the CAST-128 s-boxes appear to be strong but they are fixed and publicly-known. This may allow some theoretical attacks (e.g., linear ordifferential cryptanalysis) to be mounted against a given CAST cipher whichuses these s-boxes, although the computational cost of these attacks can bemade to be infeasibly high with a suitable choice in the number of rounds.
Blowfish's Key-Dependent S-Boxes
Blowfish generates key-dependent s-boxes at cipher set-up time. This means theattacker cannot know the s-boxes, short of breaking the algorithm that generatesthem.
There are at least two disadvantages, which can to some extent be traded off against each other. One is that generating the s-boxes has a cost. The other isthat the generated s-boxes are not optimized and may even be weak.
A Blowfish-like cipher might, with some increase in set-up cost, avoid spe- cific weaknesses in its s-boxes. Schneier discusses checking for identical rows inBlowfish [6, page 339] but considers this unnecessary. In general, it is clearlypossible to add checks which avoid weaknesses in randomly-generated s-boxesfor Blowfish-like ciphers, but it is not clear whether or when this is worth doing.
On the other hand, generating cryptographically strong s-boxes at run time in a Blowfish-like cipher is impractical, at least in software. Mister and Adams[4] report using 15 to 30 days of Pentium time to generate one 8 × 32 s-boxsuitable for CAST-128, after considerable work to produce efficient code. This isseveral orders of magnitude too slow for a run-time operation, even for one usedonly at set-up time and not in the actual cipher.
Resistance to Attack
Schneier [6, p.298] summarizes the usefulness of randomly-generated s-boxeswith respect to the most powerful statistical attacks currently known in hisintroduction to the Biham and Biryukov work on DES with permuted s-boxes[2]: "Linear and differential cryptanalysis work only if the analyst knows the composition of the s-boxes. If the s-boxes are key-dependent and chosen by acryptographically strong method, then linear and differential cryptanalysis aremuch more difficult. Remember, though, that randomly-generated s-boxes havevery poor differential and linear characteristics, even if they are secret." This inherent dilemma leads to the proposal presented in this paper: we suggest s-boxes that are key-dependent but are not randomly generated.
Sandy Harris and Carlisle Adams The Proposal
Start with carefully-prepared strong s-boxes, such as those described for CASTin Mister and Adams [4] and apply key-dependent operations to them beforeuse. The goal is to introduce additional entropy so that attacks which dependon knowledge of the s-boxes become impractical, without changing the propertieswhich make the s-boxes strong.
We apply the operations before encryption begins and use the modified s- boxes for the actual encryption, so the overhead is exclusively in the set-upphase. There is no increase in the per-block encryption cost.
It can be shown that important properties of strong s-boxes are preserved under carefully-chosen key-dependent operations. Given this, it is possible toprepare strong s-boxes off-line (as in CAST-128) and manipulate them at ci-pher set-up time to get provably strong key-dependent s-boxes (in contrast withciphers such as Blowfish).
The question is what operations are suitable; that is, what operations are key- dependent, reasonably efficient, and guaranteed not to destroy the cryptographicproperties of a strong s-box.
The first two requirements can be met relatively easily; simultaneously achiev- ing the third is somewhat more difficult. However, several classes of operationsmay be used.
– Permuting s-box columns
• this has the effect of permuting output bits.
– Adding affine functions to s-box columns
• this has the effect of complementing output bits, possibly depending upon the values of other output bits.
– Permuting s-box inputs
• this has the effect of producing certain s-box row permutations.
– Adding affine functions to s-box inputs
• this has the effect of producing other s-box row permutations, possibly depending upon the values of other input bits.
In general, then, the Boolean function for an s-box column may be modified f(x) = f(x1, x2, x3, . . , xm) , for binary variables xi, to f (P (g1 (x), g2(x), g3(x), . . , gm(x))) ⊕ h(x) , for some Boolean functions gi(x) and h(x) and a permutation P . The set ofcolumns may then be further permuted. We will consider the above classes ofoperations in the order presented.
Key-Dependent S-Box Manipulations Permuting S-Box Columns
Permuting s-box columns can be accomplished by permuting each row in thesame way (done in one loop through the s-box).
Various important properties are conserved under this operation. In partic- ular, if a column is bent, it will clearly remain so when moved; if a group ofcolumns satisfies the bit independence criterion, it will still do so after beingpermuted. Finally, since s-box nonlinearity is defined to be the minimum non-linearity of any function in the set of all non-trivial linear combinations of thecolumns (see [4], for example), then s-box nonlinearity is also conserved througha column permutation.
In carefully designed s-boxes, rearranging the columns in a key-dependent way does not degrade cryptographic strength. However, such an operation canmake it significantly more difficult to align characteristics in a linear crypt-analysis attack and so can increase the security of the cipher by raising thecomputational complexity of mounting this attack.
Adding Affine Functions to S-Box Columns
In the extreme case in which the affine functions are simply all-one vectors, theaddition can be done by XORing a constant into all rows (done in one loopthrough the s-box). More generally, other techniques (perhaps involving storageof specific affine vectors) may be necessary to accomplish this addition.
Various important properties are conserved under this operation. Because the nonlinearity of a Boolean function is unchanged by the addition of an affinefunction, s-box column bentness, s-box bit independence criterion, and s-boxnonlinearity are all conserved.
The addition of affine functions, therefore, does nothing to degrade cryp- tographic security in the s-boxes. However, such an operation, by modifyingthe contents of the s-boxes in a key-dependent way, can make it significantlymore difficult to construct characteristics in a differential cryptanalysis attack(because it cannot be computed in advance when the XOR of two given s-boxoutputs will produce one value or another). Hence, this operation can increasethe security of the cipher by raising the computational complexity of mountingthis attack.
Permuting S-Box Inputs
Permuting the rows of an s-box seems attractive because of its potential forthwarting linear and differential cryptanalysis. However, it is not always possibleto permute rows without compromising desirable s-box properties. In particular(e.g., for CAST-128 s-boxes), not all row permutations are permissible if columnbentness is to be preserved.
Biham and Biryukov [2] made only one small change to the s-box row order in the DES s-boxes: they used one key bit per s-box, controlling whether or notthe first two and the last two rows should be swapped. However, an operation Sandy Harris and Carlisle Adams that used more key bits and that provably could not weaken strong s-boxes maybe preferable in some environments.
One such operation is to use the subset of row permutations that result from a permutation on the s-box inputs. We will show that these do not damage thedesirable s-box properties.
Mister and Adams [4] introduce the notion of dynamic distance of order j for a function f f : {0, 1}m → {0, 1} DDj (f) = max 2m−1 − (f(x) ⊕ f(x ⊕ d)) where both d and x are binary vectors of length m, d ranges through all valueswith Hamming weight 1 ≤ wt(d) ≤ j and x ranges through all possible values.
It is shown in [4] that cryptographic properties such as Strict Avalanche Criterion (SAC) and Bit Independence Criterion (BIC), higher-order versionsof these (HOSAC and HOBIC), maximum order versions of these (MOSACand MOBIC), and distances from these (DSAC, DBIC, DHOSAC, DHOBIC,DMOSAC, and DMOBIC) can all be defined in terms of dynamic distance.
In an s-box, all bits are equal. There is no most- or least-significant bit in either the input or the output. Thus, permuting the bits of x in the formulaabove does not change the value of the summation term for a given d, providedwe apply the same permutation to d. Hence it does not change the maximum(the value of the dynamic distance).
Therefore, column properties defined in terms of dynamic distance (DSAC, DHOSAC, and DMOSAC) remain unchanged. In particular, if the columns arebent functions (i.e., DMOSAC = 0) then permuting inputs preserves bentness.
Furthermore, the s-box properties DBIC, DHOBIC, and DMOBIC also re- main unchanged because these are defined in terms of dynamic distance of aBoolean function f comprised of the XOR of a subset of s-box columns. (Notethat permuting the inputs of each of the column functions with a fixed permu-tation P is identical to permuting the inputs of the combined function f usingP.) By a similar line of reasoning, s-box nonlinearity is also unaffected by apermutation of its input bits.
Permuting inputs, therefore, does nothing to degrade cryptographic security in the s-boxes. However, such an operation, by rearranging the order of the s-boxrows in a key-dependent way, can make it significantly more difficult to constructlinear or differential characteristics (because specific outputs corresponding tospecific inputs cannot be predicted in advance). Hence, this operation can in-crease the security of the cipher by raising the computational complexity ofmounting these attacks.
Key-Dependent S-Box Manipulations Adding Affine Functions to S-Box Inputs
Adding selected affine functions to s-box inputs is another effective way of pro-ducing a subset of row permutations that does not reduce the cryptographicsecurity of the s-box.
In the extreme case in which the affine functions are constant values, the addition simply complements some of the s-box input bits. Inverting some inputbits is equivalent to XORing a constant binary vector into the input, makingthe summation in the dynamic distance f(x ⊕ c) ⊕ f(x ⊕ c ⊕ d) Clearly (x ⊕ c) goes through the same set of values that x goes through, sothis does not change the sum and, consequently, does not change the dynamicdistance. Therefore, column properties and s-box properties are unchanged.
In the more general case in which the affine functions are not constant val- ues, the addition conditionally complements some of the s-box inputs (dependingupon the particular values of some subset of input variables). Consider the follow-ing restriction. Choose any k input variables and leave these unchanged. For theremaining m-k input variables, augment each with the same randomly-chosen,but fixed, affine function of the chosen k input variables. For example, in a 4 × ns-box, we may choose input variables x1 and x2 to be unchanged and augment x3and x4 with the affine function g(x1, x2) = x2 ⊕ 1 so that the Boolean functionfi(x1, x2, x3, x4) defining each s-box column i becomes fi(x1, x2, x3⊕g(x1, x2), x4⊕g(x1, x2)) = fi (x1, x2, (x3 ⊕ x2 ⊕ 1), (x4 ⊕ x2 ⊕ 1)) . With the operation restricted in this way it is not difficult to see that as the chosen k variables go through their values, at each stage the remaining m-kvariables go through all their values (either all simultaneously complemented,or all simultaneously not complemented, depending upon the binary value ofthe affine function). Thus, rewriting the summation in the dynamic distanceequation as f(x0) ⊕ f(x0 ⊕ d) where x0 is in accordance with the restriction as specified, we see that x0 goesthrough the full set of values that x goes through, so the sum is unchanged andthe resulting dynamic distance is unchanged.
Adding affine functions (restricted as specified abov) to s-box inputs, there- fore, does not degrade cryptographic security in the s-boxes. Like permutinginputs, this operation, by rearranging the order of the s-box rows in a key-dependent way, can make it significantly more difficult to construct linear or 1 Note that other restrictions on the type and number of affine functions that may be added to preserve s-box properties may also exist. This area is for further research.
Sandy Harris and Carlisle Adams differential characteristics. The security of the cipher may therefore be increasedby raising the computational complexity of mounting these attacks.
Other Possible Operations
Other key-dependent operations that preserve s-box properties are also possible.
For example, it is theoretically possible to construct strong s-boxes with morethan 32 columns and select columns for actual use at set-up time, but this wouldlikely be prohibitively expensive in practice since Mister and Adams [4] reportthat s-box generation time doubles for each additional column.
Another possibility is to order the s-boxes in a key-dependent way. This is not particularly useful with only four s-boxes since only 4! orders are possible, addingless than five bits of entropy to the key space. However, with the eight s-boxesin CAST-128, this operation becomes somewhat more attractive. A CAST-143might be created in a very straightforward way: log2(8!) = 15 bits of key putsthe eight s-boxes into some key-dependent order (cheaply by adjusting pointers),and then key expansion and encryption proceeds exactly as in CAST-128 exceptwith the s-boxes in the new order. The overhead (set-up time) is quite low andthe new cipher uses 15 extra bits of unexpanded key.
Limitations in Key-Dependent Operations
Ciphers With XOR-Only Round Functions A cipher which combines s-
box outputs with XOR, such as the CAST example in Applied Cryptography
[2, page 334]), does not work well with some types of s-box manipulation. For
example, permuting the order of the four round function s-boxes is of no benefit
in such a cipher, since XOR is commutative.
XORing different constants into the four s-boxes in such a cipher has exactly the same effect as XORing a single constant into each round function output, orinto any one s-box.
Furthermore, if the cipher's round function combines its input and the round key with XOR, then XORing a constant into the output of one round is equiva-lent to XORing that constant into the key of the next round. If the round keysare already effectively random, unrelated, and unknown to the attacker (as theyshould be), then XORing them with a constant does not improve them.
In terms of the difficulty of an attack, then, the net effect of XORing four constants into the s-boxes is equivalent to XORing a single constant into theoutput of the last round, for a cipher which uses XOR both to combine s-boxoutputs and to combine round input with the round key.
Ciphers With Mixed Operations Combining S-Box Outputs A cipher
which uses operations other than XOR to combine s-box outputs, such as Blow-
fish or CAST-128, will give different round outputs if the order of the s-boxes is
changed or if a constant is XORed into each row. This makes these operations
more attractive in such ciphers.
Key-Dependent S-Box Manipulations Even in such ciphers, however, the precise cryptographic strength of XORing a constant into the rows is unclear. Certainly it is an inexpensive way to mixmany key bits (128 if the cipher uses four m × 32 s-boxes) into the encryption,but it is not clear exactly how much this increases the effective key length.
Ciphers With Mixed Operations Combining Key and Input In Blowfish
and in some CAST ciphers, the round input is XORed with the round key at the
start of a round, then split into four bytes which become inputs to the four s-
boxes. XORing an 8-bit constant into each s-box input is equivalent to XORing a
32-bit constant (the concatenation of the 8-bit constants) into each of the round
keys.
Suppose an attack exists that discovers the round keys when the s-boxes are known. Then the same attack works against the same cipher with s-boxes thatare known but have had their rows permuted in this way. The attack discoversa different set of round keys equivalent to the real ones XORed with a 32-bitconstant, but it still breaks the cipher, and with no extra work for the attacker.
However, for ciphers that use other operations to combine the round input and the round key (CAST-128, for example, which uses addition and subtractionmodulo 232 for input masking in some of its rounds), such an operation seemsto add value.
Options For both inputs and outputs, the addition of affine functions appears
stronger than just XORing with a constant, and performing permutations ap-
pears to be stronger again (but at much higher computational cost). In a practi-
cal cipher, however, there appears to be no disadvantage to using XOR (for both
input and output if mixed operations are used everywhere in the round function)
because it is inexpensive and offers some protection against the construction of
iterated characteristics.
Stage One
Since XORing a constant into the s-box rows is the cheapest way to bring manyextra key bits into play; we should do that if we're going to use this approach atall. The cipher's round function should use operations other than XOR to mixs-box outputs so that this will be effective.
If we are iterating through the s-box rows for that, it makes sense to permute the columns in the same loop. We suggest simply rotating each row under controlof 5 bits of key. A CAST-128 implementation will have code for this, since thesame rotation is used in the round function, and rotation is reasonably efficient.
At this point, we have used 37 bits per s-box, 148 bits in all. In many appli- cations, this will be quite sufficient.
Costs of this are minimal: 1024 XOR and rotation operations. This is much less than CAST-128's round key generation overhead, let alone Blowfish's workto generate s-boxes and round keys.
Sandy Harris and Carlisle Adams Stage Two
To go beyond that, you can add affine functions to s-box columns or you canpermute s-box rows in a manner equivalent to permuting the input bits.
The choice would depend upon the relative strength of these two methods, along with the relation between their overheads and the resources available in aparticular application. In our suggested implementation, using affine functionsrequires more storage while permuting the rows involves more computation.
Neither operation looks prohibitively expensive in general, but either might beproblematic in some environments.
For purposes of this paper, we will treat permuting the inputs as the next thing to add, and then go on to look at adding affine functions.
To permute the rows in a manner equivalent to permuting the input bits we add the following mechanism. We use a 256-row array, each row composed of an8-bit index and a 32-bit output. We can rearrange rows as follows: – put the (256*32)-bit s-box in the output part of the array;
– fill the index part with the 8-bit values in order from hex 00 to FF;
– operate in some way on the index parts (without affecting the 32-bit s-box
rows) so as to give each row a new index; – sort the 256 rows so that the index parts are again in order (00 to FF),
moving the s-box rows along with the indexes so they are in a new order; – discard the index portion.
This results in a cryptographically identical s-box with rows in the new order.
The operations permitted in the third step for changing the 8-bit values arejust those which are equivalent to permuting and inverting the s-box inputs. Wecan XOR a constant into all index rows or we can permute index columns. Nei-ther operation alters the XOR difference between index rows, so cryptographicproperties are conserved as shown earlier.
XORing a constant into each index row is of little benefit. This is also true of rotation, which uses only 3 bits per s-box (hardly enough to justify the overheadof sorting the s-boxes).
To operate usefully on the inputs, then, we should do a full permutation on the index columns. In code, this would need a function to permute 8-bit valuesunder control of a 15-bit key. It would use 15 key bits per s-box.
At this point, we are using 52 bits per s-box, 208 bits in all, and are permuting both rows and columns or both inputs and outputs. Again, this would be quitesufficient for many applications.
Stage Three
We can, however, go further by adding affine functions to the columns.
There are exactly 512 affine Boolean functions of 8 variables. In theory, it would be possible to add a key-selected affine function to each s-box column,using 9 bits of key per column, or 1152 bits for a set of four 8 × 32 s-boxes, butthis seems unacceptably expensive in practice.
Key-Dependent S-Box Manipulations Since the inverse of an affine function is also affine, we need only store half of the 512 possible functions to have them all available. Consider a (256*256)-bitBoolean array with affine functions in all columns and no two columns eitheridentical or inverses. From this, create four 256 × 32 arrays. This can be done key bits, but implementing this would also be expensive. As a more practical alternative, using log 13 bits of key to select eight of sixteen "chunks of 16 columns" from the original array may be a reasonablecompromise.
Putting It All Together
Given four 256 × 32 arrays of affine functions, we add a few operations insidethe loop that runs through each s-box. The inner loop ends up as follows (inpseudo-C with "<<<" for rotation and " " for XOR): unsigned *s, *a ; // pointers to s-box & affine array unsigned char *p; // pointer into index array // initialize pointers here.
for( i = 0 ; i < 256 ; i++, s++, a++, p++ ) {*s = (*s <<< k1) (*a <<< k2) k3; // 5+5+32 key bits*p = permute8(*p, k4) ; This uses 57 key bits per s-box inside the loop. With the 13 used outside the loop setting up the A-boxes, and another 15 used in re-arranging the original 8s-boxes, we have 256 key bits in total exclusively used for s-box manipulations.
Further Work
Further work in this area can be done both on the theoretical side and on thepractical side. For example, a formal characterization of the set of affine func-tions that can be added to an s-box without reducing its cryptographic strength(beyond the subset specified in this paper) would be of interest. As well, sincefactorials do not correspond to powers of 2, more precise practical specificationsneed to be given to convert expressions such as "log2(8!)" to bit lengths (i.e.,it needs to be stated exactly which particular permutation corresponds to eachvalue of a 15-bit key segment).
This paper has proposed the concept of using key-dependent s-box manipula-tions to strengthen specific block ciphers against attacks which depend uponknowledge of the s-box contents (such as linear and differential cryptanalysis Sandy Harris and Carlisle Adams and their variations). The manipulations described include a permutation of theoutput bits, a permutation of the input bits, the addition of affine functions tothe s-box columns, and the addition of a restricted set of affine functions to thes-box inputs. It has been shown (using the concept of dynamic distance [4]) thatsuch manipulations do not degrade the cryptographic properties of carefully-constructed s-boxes, and therefore do not degrade the cryptographic strength ofthe corresponding ciphers with respect to existing analysis. On the contrary, itis possible that cryptographic strength may be substantially increased by suchmanipulations because the most effective cryptanalytic attacks to date wouldappear to require a significant exhaustive search phase in addition to their cur-rent complexity in order to be mounted against ciphers with such "hidden" s-boxcontents.
Some implementation considerations for this proposal were also discussed, and options were presented with respect to the level of complexity that mightbe employed in various environments.
1. C. Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure", Designs, Codes and Cryptography, vol.12, no.3, Nov. 1997, pp.71-104.
2. E. Biham and A. Biryukov, "How to Strengthen DES Using Existing Hardware" Advances in Cryptology - ASIACRYPT 94 Proceedings.
3. W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol.22, 1976, pp.644-654.
4. S. Mister and C. Adams, "Practical s-box Design", Workshop Record of the Work- shop on Selected Areas in Cryptography (SAC '96), Queen's University, Kingston,Ontario, Aug. 1996, pp.61-76.
5. R. Rivest, A. Shamir, and L. Adelman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, v. 21, n. 8, Feb.
1978, page 120.
6. B. Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996.

Source: ftp://ftp.cs.sjtu.edu.cn:990/sandy/My%20papers/Key_dep.pdf