LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Why do DES's S-boxes look arbitrary, and what is differential cryptanalysis?

The S-boxes were deliberately chosen to resist differential cryptanalysis — an attack the designers already knew about roughly 15 years before it was publicly rediscovered, so the "random-looking" tables are actually carefully tuned.

Differential cryptanalysis is a chosen-plaintext attack: the analyst feeds in many pairs of plaintexts with a fixed difference and watches how that difference propagates to the ciphertext. If some input difference produces a particular output difference far more often than pure chance would allow, those statistics leak information about the key. Linear cryptanalysis is its cousin — it hunts for linear relations among plaintext, ciphertext, and key bits that hold slightly more often than 50% of the time. Both need huge numbers of pairs, which is exactly what strong confusion and the avalanche effect are meant to defeat.

Why this matters for DES:

  • DES's eight S-boxes look like arbitrary lookup tables, which fuelled decades of suspicion that a backdoor was hidden inside them.
  • When Biham and Shamir publicly described differential cryptanalysis around 1990, it emerged that DES's S-boxes were almost optimally chosen to resist it — IBM (with NSA input) had known the technique back in the 1970s and tuned the boxes against it.
  • Generalised DES variants that swap in "nicer", more regular-looking S-boxes turn out to be markedly easier to break.

Lesson: in cipher design, "looks more complicated or more random" does not mean "more secure." Each S-box value was picked for a precise mathematical reason, not aesthetics.

Tip: Differential = chase plaintext differences; linear = chase linear bit-relations. A cipher resists both by making every output bit depend complexly on many input and key bits.

Go deeper:

From Quiz: KRYPTOG / Symmetric Cryptography | Updated: Jul 14, 2026