Menu

Introducing the SEA S-Box: A High-Quality Substitution Box via Fractional Linear and Affine Transformations

Posted on March 12, 2026 by stoickish
Privacy

Introducing the SEA S-Box: A High-Quality Substitution Box via Fractional Linear and Affine Transformations

In symmetric cryptography, the substitution box (S-box) is the primary source of nonlinear confusion in block ciphers. The security of ciphers like AES depends critically on the cryptographic quality of their S-box. After an extensive automated search evaluating many candidates across 24 cryptographic quality metrics, I’m presenting the SEA S-Box — the Seasoned Encryption Algorithm substitution box — a candidate 8×8 S-box that meets or exceeds AES-class performance on nearly every major metric.

Construction: Fractional Linear + Affine Transformation (FLAT)

The SEA S-Box is constructed in two stages:

Stage 1 — Fractional Linear Transformation over GF(28):

The base permutation is generated using the fractional linear (Möbius) transformation:

S(x) = (ax + b) / (cx + d)

where a, b, c, d are elements of GF(28) and all arithmetic is performed in the finite field defined by an irreducible polynomial. The transformation is bijective when the determinant ad − bc ≠ 0 (where subtraction is XOR in GF(2)). At the single pole point where cx + d = 0, the output is assigned the unique missing value to complete the permutation.

Fractional linear transformations over finite fields are an established approach to S-box construction. Farwa, Shah, and Idrees (2016) demonstrated that S-boxes constructed via fractional linear transformations over GF(28) exhibit high nonlinearity, strong strict avalanche properties, and low differential approximation probability — confirming these mappings as a sound algebraic foundation for cryptographic permutations [Farwa et al., 2016].

Stage 2 — Affine Transformation over GF(2):

A raw fractional linear S-box has inherently low algebraic complexity (only 128 terms in its polynomial representation over GF(28)) due to its simple rational structure. To break this algebraic regularity, an invertible affine transformation is applied to every output byte:

y = M · S(x)  ⊕  k

where M is an invertible 8×8 binary matrix over GF(2) and k is a constant XOR byte. Each output bit i is computed as:

bit_i = popcount(row_i AND input_byte) mod 2

This is the same class of affine transformation used in the AES S-box itself — the AES specification applies a fixed affine map over GF(2) after the multiplicative inverse in GF(28) [FIPS 197, 2001]. The effectiveness of affine transformations for increasing algebraic complexity of S-boxes was demonstrated by Cui and Cao (2007), who introduced the Affine-Power-Affine (APA) structure. Their work showed that composing affine maps on both sides of the multiplicative inverse increases the forward algebraic complexity from 9 to 253 terms while preserving other cryptographic properties [Cui & Cao, 2007].

The SEA S-Box: Complete Specification

Irreducible Polynomial:

p(x) = x8 + x6 + x5 + x4 + x3 + x + 1    (0x17B)

Fractional Linear Parameters:

a = 4,  b = 151,  c = 230,  d = 19

Affine Transformation:

  • Matrix M — 8×8 circulant binary matrix, first row = 0x58 (01011000). Each subsequent row is a 1-bit right rotation of the previous:
        Col:  7 6 5 4 3 2 1 0
Row 0:        0 1 0 1 1 0 0 0   (0x58)
Row 1:        0 0 1 0 1 1 0 0   (0x2C)
Row 2:        0 0 0 1 0 1 1 0   (0x16)
Row 3:        0 0 0 0 1 0 1 1   (0x0B)
Row 4:        1 0 0 0 0 1 0 1   (0x85)
Row 5:        1 1 0 0 0 0 1 0   (0xC2)
Row 6:        0 1 1 0 0 0 0 1   (0x61)
Row 7:        1 0 1 1 0 0 0 0   (0xB0)
  • XOR constant k = 100 (0x64)

Resulting S-Box (256-byte lookup table):

0xD3, 0x28, 0xBC, 0x94, 0xA0, 0x2F, 0xAD, 0xCC, 0x54, 0x3E, 0x60, 0xFD, 0x16, 0xDA, 0x39, 0x2C,
0x31, 0x2A, 0x9D, 0x0A, 0x5F, 0xE9, 0xD6, 0x51, 0x1A, 0x0D, 0x34, 0x67, 0xCE, 0x99, 0x6A, 0xAF,
0x5E, 0x77, 0x41, 0x8F, 0x9B, 0xD8, 0x59, 0x06, 0x52, 0xF8, 0xA7, 0x10, 0x29, 0xB9, 0x79, 0xEF,
0xB7, 0x1B, 0x2E, 0xB5, 0x5A, 0xA5, 0x72, 0x3D, 0x7E, 0x24, 0xAA, 0xE0, 0xF9, 0x71, 0xC2, 0x3B,
0x4B, 0x0B, 0xB6, 0x8E, 0x7A, 0x8B, 0xE6, 0x42, 0x36, 0x5D, 0x6F, 0xBF, 0x69, 0xC7, 0x5C, 0x89,
0xE2, 0x43, 0xF1, 0x57, 0x74, 0xD1, 0x87, 0x56, 0x48, 0x5B, 0xFC, 0x81, 0xC3, 0x1C, 0x55, 0x0E,
0xB1, 0x6B, 0x37, 0x11, 0x0C, 0x27, 0xB2, 0x23, 0xEC, 0x00, 0xBE, 0x93, 0x1D, 0xF7, 0x82, 0xB0,
0x73, 0x76, 0x50, 0x35, 0xDD, 0x09, 0xF0, 0xCF, 0xF3, 0x3C, 0xA4, 0x64, 0x20, 0x53, 0x4D, 0xF5,
0xA1, 0xAB, 0xE8, 0x2B, 0xAC, 0xC0, 0x0F, 0x07, 0x84, 0x46, 0xC5, 0x21, 0xAE, 0xDE, 0xE3, 0xC4,
0x3A, 0x9A, 0x85, 0xE7, 0x1E, 0x32, 0xA8, 0xFA, 0xB4, 0x88, 0x92, 0x91, 0x01, 0xC8, 0xFB, 0x58,
0x15, 0x04, 0xF4, 0xA9, 0x86, 0xB3, 0xCD, 0xD7, 0x14, 0x4A, 0x96, 0x66, 0x1F, 0xFE, 0x6D, 0x17,
0x8D, 0xDB, 0xD2, 0x9E, 0x13, 0x70, 0xB8, 0x9C, 0xBA, 0xC6, 0x6C, 0x03, 0x7D, 0x08, 0xDC, 0xF6,
0x12, 0xDF, 0xBB, 0xA3, 0x9F, 0xCB, 0xE1, 0x19, 0xEE, 0xD0, 0xE4, 0x8C, 0x68, 0x47, 0xA2, 0xFF,
0xA6, 0x26, 0x40, 0xBD, 0xEB, 0x75, 0x98, 0x45, 0x78, 0x3F, 0xE5, 0x97, 0xCA, 0xC1, 0x49, 0x30,
0x4C, 0xF2, 0x18, 0x7C, 0x44, 0xC9, 0x65, 0x2D, 0xD4, 0x95, 0x61, 0x83, 0x22, 0x90, 0x6E, 0x62,
0xED, 0x4F, 0x38, 0x4E, 0x63, 0x80, 0x05, 0x7B, 0x02, 0xD5, 0xD9, 0xEA, 0x25, 0x33, 0x7F, 0x8A,

Metric-by-Metric Comparison with AES

The following table compares the SEA S-Box against the AES (Rijndael) S-Box on all evaluated metrics. For each metric, the theoretical optimal value is listed alongside its importance. Green indicates the better value between the two; red indicates the worse.

Metric Optimal SEA AES What It Measures
Nonlinearity 120 112 112 Minimum Hamming distance from all affine functions, measuring resistance to linear cryptanalysis. Higher is better.
Vectorial Nonlinearity 120 112 112 Minimum nonlinearity across all non-trivial linear combinations of output bits. Ensures no linear combination creates a weak component function.
BIC-NL 128 112 112 Bit Independence Criterion for Nonlinearity. Measures the nonlinearity of the XOR of every pair of output bit component functions. Higher values mean output bits are more statistically independent.
Differential Uniformity 2 4 4 Maximum entry in the difference distribution table. Lower values provide stronger resistance to differential cryptanalysis.
Boomerang Uniformity 2 6 6 Maximum entry in the Boomerang Connectivity Table (BCT). Measures resistance to boomerang-style attacks that combine two short differentials.
Feistel Boomerang Uniformity 0 4 4 Variant of boomerang uniformity relevant to Feistel-structure ciphers. Measures the maximum value in the Feistel Boomerang Connectivity Table (FBCT).
Differential Branch Number 6 2 2 Minimum Hamming weight of (a ⊕ b, S(a) ⊕ S(b)) for all a ≠ b. Higher values guarantee faster diffusion in differential trails.
Linear Branch Number 7 2 2 Minimum Hamming weight of (a ⊕ b, L(a) ⊕ L(b)) in the linear approximation domain. Governs the minimum number of active S-boxes in linear trails.
Algebraic Degree 254 254 254 Degree of the univariate polynomial representation over GF(28). Higher degree means greater resistance to higher-order differential attacks.
Algebraic Complexity 255 253 9 Number of non-zero terms in the univariate polynomial representation. My measurement uses the conservative minimum across all 30 irreducible polynomials of GF(28); most published studies evaluate algebraic complexity under a single polynomial, so my values may be lower than those reported elsewhere for the same S-box. Higher complexity provides stronger resistance to interpolation attacks and algebraic attacks using Gröbner bases. AES has notoriously low algebraic complexity (9 terms) because it is the pure multiplicative inverse.
Inverse Algebraic Complexity 255 252 251
Total Algebraic Complexity 510 505 260 Sum of forward and inverse algebraic complexity. A holistic measure of algebraic resistance in both encryption and decryption directions.
Algebraic Immunity 4 2 2 Minimum degree of a non-zero annihilator of any component Boolean function. Higher values resist algebraic attacks that exploit low-degree equations.
Autocorrelation 0 32 32 Maximum absolute value of the autocorrelation function (excluding the zero shift). Measures the correlation between an S-box and shifted versions of itself; lower values resist attacks exploiting structural self-similarity.
SAC RMSE 0.0 0.0201 0.0317 Root Mean Square Error of the Strict Avalanche Criterion matrix from the ideal value of 0.5. Measures how closely flipping any single input bit causes each output bit to flip with probability 1/2. Lower is better.
SAC Mean 128.0 130.50 129.25 Average flip count across all input-bit/output-bit pairs in the SAC matrix. Ideal is 128.0 (each output bit flips with probability 0.5). Provides context for interpreting SAC RMSE — a mean near 128 with low RMSE indicates uniformly good avalanche behavior.
SAC Std Dev 0.0 0.0176 0.0314 Standard deviation of the SAC matrix entries (as fractions of 256). Lower values indicate more consistent avalanche behavior across all input-output bit pairs.
DSAC 0.0 232.0 432.0 Sum of absolute deviations of all SAC matrix entries from the ideal value of 128. A global measure of total SAC deviation; lower is better. Directly quantifies diffusion quality — lower DSAC means the S-box more closely satisfies SAC across all input-output bit pairs, reducing vulnerability to known-plaintext and differential attacks.
BIC-SAC RMSE 0.0 0.0284 0.0312 Root Mean Square Error of the Bit Independence Criterion for SAC. Measures how independently all pairs of output bits satisfy the avalanche criterion. Lower is better.
BIC-SAC Mean 0.5 0.5017 0.5046 Mean value of BIC-SAC correlation matrix. Ideal is 0.5, indicating perfect pairwise independence of output bit avalanche behavior.
BIC-SAC Std Dev 0.0 0.0284 0.0308 Standard deviation of the BIC-SAC correlation matrix. Lower values indicate more uniform bit independence across all output bit pairs.
VTO (reVisited Transparency Order) 0.0 7.2547 7.4583 Measures vulnerability to Differential Power Analysis (DPA) side-channel attacks. Lower VTO indicates better resistance to power-trace leakage exploitation.
Iterative Period 256 256 2 Number of times the S-box must be composed with itself before reaching the identity permutation. AES’s period of 2 (it is its own inverse) is a known structural property. A maximal period of 256 means the permutation generates the largest possible cyclic group, eliminating exploitable involution structure.
Number of Cycles 1 1 5 Number of disjoint cycles in the permutation. Fewer cycles (ideally 1, meaning a single 256-element cycle) indicate a permutation with maximal period and no short-cycle structure that could be exploited.

Key Advantages Over AES

The SEA S-Box matches AES on every differential, linear, and boomerang metric — these are the properties that most directly govern resistance to the dominant families of block cipher cryptanalysis. Where it surpasses AES is in four areas:

  1. Algebraic Complexity: This is the most dramatic improvement. AES has a total algebraic complexity of just 260 (9 forward + 251 inverse), because the AES S-box is a pure multiplicative inverse — an elegant algebraic object with a minimal polynomial representation. The SEA S-Box achieves 505 (253 + 252), nearly doubling AES. This directly increases resistance to interpolation attacks [Jakobsen & Knudsen, 1997] and algebraic attacks using Gröbner bases [Courtois & Pieprzyk, 2002].
  2. Permutation Structure: The SEA S-Box forms a single cycle of length 256 (iterative period = 256, number of cycles = 1), while AES decomposes into 5 cycles with a period of only 2 (the underlying multiplicative inverse is an involution). A single maximal-length cycle eliminates the potential for slide attacks or other techniques that exploit short permutation cycles.
  3. Diffusion Quality (DSAC): The SEA S-Box achieves a DSAC of 232 — to my knowledge, the lowest reported for any published 8×8 S-box. For comparison, the AES S-box has a DSAC of 432, the COBLAH S-box (2024) achieved 332 [Jawed & Sajid, 2024], and the Mishra-Singh-Delhibabu genetic algorithm search (2023) reported a best of 352 [Mishra et al., 2023]. DSAC directly quantifies how closely an S-box satisfies the Strict Avalanche Criterion across all input-output bit pairs. A lower value means better diffusion: small changes in the plaintext propagate more uniformly through the cipher, making the S-box more resistant to known-plaintext and differential attacks.
  4. Side-Channel Properties: The SEA S-Box has tighter SAC conformance (RMSE 0.0201 vs 0.0317), better BIC-SAC (RMSE 0.0284 vs 0.0312), and lower reVisited Transparency Order (7.25 vs 7.46), suggesting marginally better resistance to DPA side-channel attacks.

Comparison with Other Known S-Boxes

The following table compares the SEA S-Box against 57 published S-Boxes from the cryptographic literature across all evaluated metrics. S-Boxes are ranked by composite score across all metrics (lower is better). Green shading marks the best value in each column; red marks the worst.

Rank S-Box NL Vec. NL BIC-NL DU BU FBU DBN LBN Deg AC Inv AC Total AC AI Auto SAC RMSE SAC Mean SAC SD DSAC BIC-SAC RMSE BIC-SAC Mean BIC-SAC SD VTO Period Cycles
Optimal 120 120 128 2 2 0 6 7 254 255 255 510 4 0 0.000 128.0 0.000 0.0 0.000 0.500 0.000 0.00 256 1
1 SEA [this work] (2026) 112 112 112 4 6 4 2 2 254 253 252 505 2 32 0.020100 130.50 0.017600 232.0 0.028400 0.501700 0.028400 7.2550 256 1
2 Cheng-Zhou-Miao-Hu F8 (2023) 112 112 112 4 6 4 2 2 254 252 251 503 2 32 0.024936 128.06 0.024935 324.0 0.031923 0.507324 0.031071 7.4333 256 1
3 Nitaj-Susilo-Tonien (2020) 112 112 112 4 6 4 2 2 254 252 251 503 2 32 0.025315 128.25 0.025297 328.0 0.031923 0.505650 0.031419 7.4333 256 1
4 Basha-Mohra-Diab-El Sobky (2022) 112 112 112 4 6 4 2 2 254 252 252 504 2 32 0.025088 128.31 0.025059 316.0 0.031320 0.501535 0.031282 7.4892 256 1
5 El Sobky et al. (2020) 112 112 112 4 6 4 2 2 254 252 252 504 2 32 0.028236 127.94 0.028235 372.0 0.031302 0.503836 0.031066 7.4588 256 1
6 CLEFIA S1 (Sony, 2007) 112 112 112 4 6 4 2 2 254 252 252 504 2 32 0.034939 126.88 0.034661 488.0 0.033063 0.503139 0.032914 7.4355 256 1
7 DVB-CSA 100 94 98 12 18 16 2 2 254 252 252 504 3 104 0.056235 125.81 0.055582 748.0 0.044660 0.500558 0.044657 7.4870 256 1
8 COBLAH 112 112 112 4 6 4 2 2 254 9 252 261 2 32 0.024316 128.94 0.024039 332.0 0.031889 0.500070 0.031889 7.4765 256 1
9 Duong-Pham S02 (2025) 116 108 108 6 14 16 2 2 253 247 250 497 3 64 0.031250 132.25 0.026475 368.0 0.031923 0.509277 0.030545 7.4846 4 8
10 DBlock 112 112 112 4 6 4 2 2 254 252 252 504 2 32 0.029941 127.44 0.029860 436.0 0.032582 0.505580 0.032100 7.4870 6 5
11 Chiasmus (BSI) 112 112 112 4 6 4 2 2 254 253 251 504 2 32 0.034554 128.31 0.034533 484.0 0.030899 0.504883 0.030511 7.4451 6 5
12 Camellia SBOX1 112 112 112 4 6 4 2 2 254 250 250 500 2 32 0.024316 127.56 0.024256 308.0 0.031889 0.503278 0.031720 7.4650 2 3
13 SM4 112 112 112 4 6 4 2 2 254 251 252 503 2 32 0.034554 127.94 0.034553 492.0 0.031040 0.504883 0.030654 7.4044 1 9
14 Kalyna π1 (DSTU 7624:2014) 104 104 104 8 16 8 2 2 254 252 252 504 3 72 0.037365 130.38 0.036195 496.0 0.037858 0.502441 0.037779 7.2806 8 4
15 Kalyna π0 (DSTU 7624:2014) 104 104 104 8 16 12 2 2 254 253 251 504 3 72 0.034166 129.00 0.033942 456.0 0.039768 0.501465 0.039741 7.5125 6 4
16 Kalyna π3 (DSTU 7624:2014) 104 104 104 8 16 12 2 2 254 252 252 504 3 72 0.037973 128.75 0.037860 512.0 0.038245 0.502372 0.038171 7.4257 4 4
17 CLEFIA S0 (Sony, 2007) 100 100 100 10 32 20 3 3 252 244 243 487 3 96 0.064424 138.00 0.051230 848.0 0.049806 0.515067 0.047472 7.4728 4 6
18 Picek Evolved (2014) 98 98 98 12 20 12 2 2 254 252 252 504 3 96 0.056133 125.00 0.054896 720.0 0.041786 0.501116 0.041771 4.6762 1 11
19 Kalyna π2 (DSTU 7624:2014) 104 104 104 8 18 12 2 2 254 251 252 503 3 72 0.041386 128.31 0.041368 508.0 0.037087 0.503209 0.036948 7.4637 4 6
20 Duong-Pham S01 (2025) 116 108 108 6 14 8 2 2 253 246 251 497 2 64 0.034939 131.25 0.032550 432.0 0.030041 0.510324 0.028211 7.5113 4 10
21 Kuznyechik Pi (GOST R 34.12-2015) 102 100 102 8 16 16 2 2 253 252 252 504 3 96 0.040642 131.19 0.038688 516.0 0.041406 0.494071 0.040979 7.4576 13 2
22 BelT (STB 34.101.31-2011) 104 102 102 8 20 36 2 2 254 252 250 502 3 88 0.034609 127.88 0.034606 480.0 0.033096 0.501604 0.033057 7.3363 7 4
23 E2 (NTT, 1998) 104 100 102 10 18 12 2 2 254 252 251 503 3 104 0.039014 129.31 0.038675 516.0 0.039781 0.506975 0.039165 7.3370 2 6
24 Turing 104 94 100 12 20 12 2 2 254 252 251 503 3 96 0.043586 128.62 0.043517 568.0 0.042149 0.500698 0.042143 7.4507 15 3
25 Enocoro 100 96 96 10 32 20 3 3 252 244 243 487 3 128 0.070961 136.75 0.062186 912.0 0.059388 0.508650 0.058755 7.3093 2 8
26 Skipjack (NSA, 1998) 104 100 102 12 20 16 2 2 254 252 252 504 3 96 0.048357 128.81 0.048253 676.0 0.047670 0.499651 0.047669 7.3777 2 5
27 CRYPTON v1.0 S0 104 96 96 10 22 16 3 3 252 243 244 487 2 96 0.052698 136.00 0.042433 656.0 0.047967 0.513881 0.045914 7.4007 1 4
28 CRYPTON v1.0 S2 104 96 96 10 22 16 3 3 252 244 243 487 2 96 0.052698 136.00 0.042433 656.0 0.047967 0.513881 0.045914 7.4007 1 4
29 MD2 (RFC 1319) 102 90 100 10 20 16 2 2 254 251 251 502 3 88 0.035156 128.12 0.035153 432.0 0.041955 0.502581 0.041875 7.4157 3 6
30 Whirlpool 100 100 100 8 18 12 2 2 253 251 251 502 3 96 0.042746 131.81 0.040068 532.0 0.046828 0.506975 0.046306 7.5007 2 12
31 CRYPTON v1.0 S1 104 96 96 10 22 16 3 3 252 242 243 485 2 96 0.052698 136.00 0.042433 656.0 0.047967 0.513881 0.045914 7.4007 3 8
32 CRYPTON v1.0 S3 104 96 96 10 22 16 3 3 252 243 242 485 2 96 0.052698 136.00 0.042433 656.0 0.047967 0.513881 0.045914 7.4007 3 8
33 newDES 98 92 98 12 22 16 2 2 254 250 251 501 3 96 0.044065 127.19 0.043950 588.0 0.044770 0.503976 0.044593 7.4882 1 4
34 Twofish p1 100 96 96 10 40 24 2 2 252 244 244 488 3 112 0.047842 128.12 0.047839 648.0 0.045602 0.505859 0.045224 7.4189 1 6
35 ZUC S1 (3GPP LTE) 112 112 112 4 6 4 2 2 254 9 252 261 2 32 0.032212 130.38 0.030847 456.0 0.031631 0.505859 0.031084 7.4507 16 5
36 Twofish p0 96 96 96 10 48 36 2 2 252 242 244 486 3 128 0.049526 125.44 0.048504 636.0 0.044794 0.496443 0.044653 7.4463 1 10
37 ICEBERG 100 96 96 8 24 12 2 2 253 251 251 502 3 96 0.037872 126.00 0.037058 488.0 0.047716 0.503557 0.047583 7.5169 2 128
38 SEED S0 112 112 112 4 6 4 2 2 254 9 252 261 2 32 0.033546 129.06 0.033288 476.0 0.030580 0.501674 0.030534 7.4333 1 5
39 AES (Rijndael) 112 112 112 4 6 4 2 2 254 9 251 260 2 32 0.031735 129.25 0.031357 432.0 0.031180 0.504604 0.030838 7.4583 2 5
40 Mishra-Singh-Delhibabu I1 112 112 112 4 6 4 2 2 254 9 249 258 2 32 0.026204 129.50 0.025540 352.0 0.032313 0.498744 0.032289 7.4828 4 7
41 SEED S1 112 112 112 4 6 4 2 2 254 8 252 260 2 32 0.031735 127.62 0.031701 448.0 0.030059 0.500907 0.030045 7.4897 1 7
42 Zorro 96 96 96 10 42 16 2 2 254 251 251 502 2 112 0.041981 126.12 0.041337 528.0 0.046349 0.502162 0.046298 7.4321 2 6
43 Anubis 96 94 96 8 18 16 2 2 253 250 250 500 3 96 0.046753 128.06 0.046752 620.0 0.041142 0.500349 0.041140 7.3760 2 128
44 ARIA SB2 112 112 112 4 6 4 2 2 254 9 251 260 2 32 0.029621 128.75 0.029475 400.0 0.032532 0.502999 0.032393 7.5390 2 7
45 Khazad 98 96 96 8 20 16 2 2 253 251 251 502 3 104 0.048750 122.81 0.044339 620.0 0.048867 0.495047 0.048616 7.3971 2 128
46 SNOW 3G sq (3GPP) 104 96 96 8 24 16 2 2 248 10 92 102 3 96 0.039403 128.69 0.039311 548.0 0.044782 0.499023 0.044771 7.4441 10 4
47 ZUC S0 (3GPP LTE) 96 96 96 8 256 32 2 2 248 216 216 432 2 128 0.055070 126.69 0.054831 588.0 0.087583 0.495117 0.087447 7.4488 25 2
48 CRYPTON v0.5 88 88 88 16 256 32 2 2 252 245 239 484 2 144 0.063589 125.00 0.062500 760.0 0.086996 0.493164 0.086727 7.4346 1 16
49 IDEA NXT (Fox) 96 96 96 16 256 72 2 2 252 244 244 488 2 256 0.054896 130.38 0.054107 688.0 0.054986 0.502511 0.054928 7.4480 1 8
50 Lilliput-AE 96 96 96 8 256 40 2 2 252 245 245 490 2 256 0.149895 122.75 0.148486 1392.0 0.082455 0.503906 0.082363 7.4186 4 16
51 FLY 96 96 96 16 256 128 3 3 248 215 215 430 2 256 0.124143 138.25 0.117509 1552.0 0.080597 0.510324 0.079933 7.0520 1 12
52 Scream 96 96 96 8 256 64 2 2 252 242 241 483 2 256 0.153491 127.62 0.153484 1424.0 0.084673 0.510882 0.083970 7.4755 8 12
53 Fantomas 96 96 96 16 160 128 2 2 248 215 245 460 2 256 0.213704 124.38 0.213235 2088.0 0.137061 0.509905 0.136703 7.3034 2 8
54 SAFER 94 82 86 128 256 112 2 2 254 252 251 503 3 256 0.147936 138.31 0.142345 1124.0 0.136471 0.480748 0.135107 7.1816 1 7
55 iSCREAM 96 96 96 16 256 64 2 2 252 242 242 484 2 256 0.154322 132.81 0.153172 1340.0 0.094808 0.504116 0.094718 7.3667 1 136
56 CS-cipher 96 96 96 16 256 128 2 2 248 216 216 432 2 256 0.168784 111.38 0.155791 2040.0 0.122872 0.494559 0.122751 7.4211 1 136
57 SKINNY-128 64 64 64 64 256 256 2 2 252 244 241 485 2 256 0.349866 81.00 0.297824 4640.0 0.269155 0.431222 0.260219 7.1088 1 12
58 CSS 64 0 0 128 256 256 2 2 240 154 154 308 1 256 0.375000 72.00 0.304587 5120.0 0.323899 0.419643 0.313773 6.7137 1 70

Column key: NL = Nonlinearity, Vec. NL = Vectorial Nonlinearity, BIC-NL = Bit Independence Criterion Nonlinearity, DU = Differential Uniformity, BU = Boomerang Uniformity, FBU = Feistel Boomerang Uniformity, DBN = Differential Branch Number, LBN = Linear Branch Number, Deg = Algebraic Degree, AC = Algebraic Complexity, Inv AC = Inverse Algebraic Complexity, Total AC = Total Algebraic Complexity, AI = Algebraic Immunity, Auto = Autocorrelation, SAC RMSE = Strict Avalanche Criterion Root Mean Square Error, SAC Mean = Strict Avalanche Criterion Mean, SAC SD = Strict Avalanche Criterion Standard Deviation, DSAC = Distance to Strict Avalanche Criterion, BIC-SAC RMSE = Bit Independence Criterion for Strict Avalanche Criterion Root Mean Square Error, BIC-SAC Mean = Bit Independence Criterion for Strict Avalanche Criterion Mean, BIC-SAC SD = Bit Independence Criterion for Strict Avalanche Criterion Standard Deviation, VTO = reVisited Transparency Order, Period = Iterative Period.

The SEA S-Box achieves the best overall composite score of any S-Box in this comparison set. It is worth noting that the Duong-Pham S-Boxes achieve a higher nonlinearity of 116, but at the cost of weaker differential uniformity (6 vs 4), higher boomerang uniformity (14 vs 6), and much shorter iterative periods — illustrating the inherent trade-offs in S-Box design. The Picek Evolved S-Box stands out for having the best VTO (4.676), meaning the highest resistance to DPA side-channel attacks, but it pays heavily in nonlinearity (98), differential uniformity (12), and autocorrelation (96).

SKINNY-128 is intentionally designed for low-latency hardware implementation rather than maximal cryptographic strength per S-box, and so its inclusion here is for reference rather than direct comparison.

Conclusion

The SEA S-Box demonstrates that fractional linear transformations over GF(28), when composed with a carefully chosen affine transformation, can produce S-Boxes that are competitive with — and in several important metrics superior to — the AES S-Box. The construction is fully specified by just 7 parameters (4 field elements, a polynomial, a matrix seed, and a XOR constant), making it compact, reproducible, and amenable to formal analysis.

The complete S-Box specification is public domain.

References

  1. NIST, “Advanced Encryption Standard (AES),” FIPS 197, 2001. doi:10.6028/NIST.FIPS.197-upd1
  2. S. Farwa, T. Shah, and L. Idrees, “A highly nonlinear S-box based on a fractional linear transformation,” SpringerPlus 5, 1658, 2016. doi:10.1186/s40064-016-3298-7
  3. L. Cui and Y. Cao, “A new S-box structure named Affine-Power-Affine,” Int. J. Innov. Comput. Inf. Control, 3(3), 751–759, 2007.
  4. N. Courtois and J. Pieprzyk, “Cryptanalysis of Block Ciphers with Overdefined Systems of Equations,” ASIACRYPT 2002, LNCS 2501, pp. 267–287. doi:10.1007/3-540-36178-2_17
  5. T. Jakobsen and L.R. Knudsen, “The Interpolation Attack on Block Ciphers,” FSE 1997, LNCS 1267, pp. 28–40. doi:10.1007/BFb0052332
  6. A. Nitaj, W. Susilo, and J. Tonien, “A New Improved AES S-box with Enhanced Properties,” ACISP 2020, LNCS 12248, pp. 125–141. doi:10.1007/978-3-030-55304-3_7
  7. H. Li, Y. Zhou, J. Ming, G. Yang, and C. Jin, “The notion of transparency order, revisited,” The Computer Journal 63(12), pp. 1915–1938, 2020. doi:10.1093/comjnl/bxaa069
  8. J. Daemen and V. Rijmen, The Design of Rijndael: AES — The Advanced Encryption Standard, Springer, 2002. doi:10.1007/978-3-662-04722-4
  9. P.-P. Duong and C.-K. Pham, “Constructing 8×8 S-Boxes with Optimal Boolean Function Nonlinearity,” Cryptography 9(4), 67, 2025. doi:10.3390/cryptography9040067
  10. R. Mishra, B. Singh, and R. Delhibabu, “Searching for S-boxes with better Diffusion using Evolutionary Algorithm,” IACR Cryptology ePrint Archive, 2023/353, 2023. eprint.iacr.org/2023/353
  11. M.S. Jawed and M. Sajid, “COBLAH: A chaotic OBL initialized hybrid algebraic-heuristic algorithm for optimal S-box construction,” Computer Standards & Interfaces, 2024. https://doi.org/10.1016/j.csi.2024.103890
  12. R. Cheng, Y. Zhou, X. Miao, and J. Hu, “Analysis of a New Improved AES S-Box Structure,” in Security and Privacy in New Computing Environments (SPNCE 2022), LNICST vol 496, Springer, 2023. doi:10.1007/978-3-031-30623-5_8
  13. H.A.M.A. Basha, A.S.S. Mohra, T.O.M. Diab, and W.I. El Sobky, “Efficient Image Encryption Based on New Substitution Box Using DNA Coding and Bent Function,” IEEE Access 10, pp. 66409–66429, 2022. doi:10.1109/ACCESS.2022.3183990
  14. W.I. El Sobky, A.R. Mahmoud, A.S. Mohra, and T. El-Garf, “Enhancing Hierocrypt-3 Performance by Modifying Its S-Box and Modes of Operations,” Journal of Communications 15(12), pp. 905–912, 2020. doi:10.12720/jcm.15.12.905-912
  15. S. Picek, K. Papagiannopoulos, B. Ege, L. Batina, and D. Jakobovic, “Confused by Confusion: Systematic Evaluation of DPA Resistance of Various S-boxes,” in Progress in Cryptology — INDOCRYPT 2014, LNCS vol 8885, Springer, 2014, pp. 374–390. doi:10.1007/978-3-319-13039-2_22
  16. C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, and S.M. Sim, “The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS,” in Advances in Cryptology — CRYPTO 2016, LNCS vol 9815, Springer, 2016, pp. 123–153. doi:10.1007/978-3-662-53008-5_5
Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Terms and Conditions - Privacy Policy