Counting active S-boxes is not enough

Orr Dunkelman, Abhishek Kumar, Eran Lambooij, Somitra Kumar Sanadhya

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


Inspired by the works of Nyberg and Knudsen, the wide trail strategy suggests to ensure that the number of active S-boxes in a differential characteristic or a linear approximation is sufficiently high, thus, offering security against differential and linear attacks. Many cipher designers are relying on this strategy, and most new designs include analysis based on counting the number of active S-boxes. Unfortunately, this analysis is not always accurate and needs to be performed in a very delicate manner. To counter the common approach, we give an example of a 4-round Feistel construction with a very large number of active S-boxes that is expected to resist differential and linear cryptanalysis. However, we show that S-box counting arguments are insufficient in cases where one can find many differential characteristics with the same input and output difference. Namely, we show for a “provably” secure 128-bit block, 4-round Feistel with at least 36 active AES S-boxes, that one can construct differential characteristics with probability 2- 118 much higher than the bound of 2- 216. Even if we compare this 4-round Feistel construction to a random permutation we obtain a 10x factor in the probability of the characteristic.

Original languageEnglish
Title of host publicationProgress in Cryptology – INDOCRYPT 2020 - 21st International Conference on Cryptology in India 2020, Proceedings
EditorsKarthikeyan Bhargavan, Elisabeth Oswald, Manoj Prabhakaran
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages13
ISBN (Print)9783030652760
StatePublished - 2020
Event21st International Conference on Cryptology in India, INDOCRYPT 2020 - Bangalore, India
Duration: 13 Dec 202016 Dec 2020

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12578 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference21st International Conference on Cryptology in India, INDOCRYPT 2020

Bibliographical note

Publisher Copyright:
© Springer Nature Switzerland AG 2020.


  • Differential cryptanalysis
  • Feistel ciphers
  • Wide trail

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Counting active S-boxes is not enough'. Together they form a unique fingerprint.

Cite this