We know the DES sbox features two design points: they work to produce strength as a non-linear component of a wider system, and they work with the permutation to distribute the flows. One sees how this all codes up some cayley graphs (whose nature one can treat mathematically). But what of the interesting fact that the DES round function never uses the reversibility property of the sboxes?

lets assume that a backdooring intelligence agency (urr, cannot think of any names right off, this morning) has two missions: snoop, and prevent others from snooping. IN the case of the DES sbox reverisibility feature, lets assume it has BOTH missions – remembering that it is NOT applied in either encryption or decryption processes.

So what would be its pro-forma mission, when counter this or that attack on the cipher?

remember the example of the Russian rotor-era cipher in which a key tape, at 12 bits, interacts with a 5 bit tape using two matrices that conjugate. The outputs then paramaterize the non-linear component – a 5×5 sbox, influencing the input value AND the output value (in terms of swaps); and indeed the mutual relation between output bits.

so where in DES does one have the conjugation matrices (speaking abstractedly)? Well I tend to think of it in dimensional terms, where 3 rounds of des are the conjugation matrix sandwich whose result only exists in the d+1 world (d being dimension). In that computation, which is the same for encryption or decryption, now ask, what if one flipped the 4×4 sbox and computed the reverse non-linear function?

Of course, the answer has to be that nothing of use should come about, to one doing differential cryptanalysis. Unless you are not looking for the differentials… in that direction.

so lets recall, from tunny, that it is the combination of bulges due to different runs that lets the cryptanalytical “reactor” refine in quantum-state space the expectation values so the weaknesses of the algorithm can be detected. Its forcing a convergence, in a special L2 space, that is. Now ask, could certain DES “runs” through the algorithms construction be similarly priming the reactor?

So how do run bulges combine, from Tunny? well we know that the algebra of proportional bulges is basically convolution using WHT with a 2-bit field. Said prosaically, the addition of differential trails CAN occur to the point where, assuming one has guessed enough of the keybits correctly (requiring lots of horsepower), such convolution gets the detected “just-passed” a fractal bifurcation point allowing the next stage process to repeat, with differentials in d+1 space. For those still stuck in d space, not having passed into the next dimension’s tanner graph and its hugely larger edge set and consequentially more more powerful sum-product/message-passing reactor, one “sees” nothing.

Well, nice tone poem, Peter – to help wake up the idea center of the brain. Remember, total bullshit, folks.