Hello,

On a article of Wikipedia (http://en.wikipedia.org/wiki/Substitution_box ), we can found a example of 6×4-bit S-box (from DES). So this S-box work with a input of 6-bit and and output of 4-bits and of cours we can see that:
input.length > output.length

But I can't imagine a 8×32-bit S-boxes, like in CAST-128 function (http://en.wikipedia.org/wiki/CAST-128) or in Blowfish (http://en.wikipedia.org/wiki/Blowfish_%28cipher%29), when the output length is bigger then the input length.

I you have a example, it should be very helpful.
Thanks you for your help.

Zang'

: Hello,
:
: On a article of Wikipedia
: (http://en.wikipedia.org/wiki/Substitution_box ), we can found a
: example of 6×4-bit S-box (from DES). So this S-box work with a input
: of 6-bit and and output of 4-bits and of cours we can see that:
: input.length > output.length
:
: But I can't imagine a 8×32-bit S-boxes, like in CAST-128 function
: (http://en.wikipedia.org/wiki/CAST-128) or in Blowfish
: (http://en.wikipedia.org/wiki/Blowfish_%28cipher%29), when the
: output length is bigger then the input length.
:
: I you have a example, it should be very helpful.
: Thanks you for your help.
:
: Zang'
:
The cypher uses a different part of the S-box for each different calculation. For example: CAST-128 uses each quarter of the S-box independently and combines the results using several bitwise calculations.

Thanks for your answer, but I don't very well understand it.

In fact I think if a S-box use a input.length < output.length, then it's beacause this S-box use some information about the input and therefore there is a redundancy, so this kind of S-box is not interesting.
That's the reason why I think it's impossible to do, and even if we try to, it's a bad idea.

: Thanks for your answer, but I don't very well understand it.
:
: In fact I think if a S-box use a input.length < output.length, then
: it's beacause this S-box use some information about the input and
: therefore there is a redundancy, so this kind of S-box is not
: interesting.
: That's the reason why I think it's impossible to do, and even if we
: try to, it's a bad idea.
:
Here's an example to clarify:
Take for example this S-box: abcd
and as input the byte 1.
A cypher could perform the following:
output = ((a xor 1) and (b xor 1)) or ((c xor 1) and (d xor 1))
after the output has been determined, the S-box is rotated (becoming cadb) and is ready to process the second byte.
As you can see the output is also 1 byte and the whole S-box (4 bytes) is used in the transformation.
As you also might see, there's no redundancy in the S-box.

Given that blowfish is considered to be a good blockcipher, I tend to disagree with your idea that having a larger S-box than the input is a bad idea.

: Here's an example to clarify:
: Take for example this S-box: abcd
: and as input the byte 1.
: A cypher could perform the following:
: output = ((a xor 1) and (b xor 1)) or ((c xor 1) and (d xor 1))
: after the output has been determined, the S-box is rotated (becoming
: cadb) and is ready to process the second byte.
: As you can see the output is also 1 byte and the whole S-box (4
: bytes) is used in the transformation.
: As you also might see, there's no redundancy in the S-box.
:
: Given that blowfish is considered to be a good blockcipher, I tend
: to disagree with your idea that having a larger S-box than the input
: is a bad idea.

Thank you very much for your explication. Now I see that's possible, thanks to some calculs (unlike in the S-box example on Wikipedia).

Regards.