Is the order of applying transformations in SP cryptosystems significant?

Question

SP-cryptosystems Is the order of applying transformations in SP cryptosystems matter? What will change if we first apply the P-transformation and then the S-transformation? Will cryptographic strength be less? And if yes, why?

Answer 1

Let call the Substitution by $S$ and Permutation by $P$ in the Substitution Permutation Network (SPN). Let consider an SPN block cipher with $4$ rounds where $K$ represents the $\oplus$ round key.

• With $S$ applied first

  |KSP|KSP|KSP|KSP|

  The last $P$ has no effect on security. The attackers simply discard it. So we can consider it like;

  |KSP|KSP|KSP|KS|

• With $P$ applied first

  |KPS|KPS|KPS|KPS|

  The initial permutation has no effect in the view of the attacker. Similarly, we can consider it with some changes in the key schedule.

  |KS|KPS|KPS|KPS|

Now we can swap K and P that will require a change in the key schedule.

|KSP|KSP|KSP|KS|

That is turned into the simplified version of S applied first. Consequently, they did not differ.

Answer 2

It depends on the cryptosystem if the order of transformations matters to security.

---

In the example of DES, we can't quite exchange S and P as considered in the question. That's because the input of S (which is 48-bit) is wider than it's output and the input and output of P (which are 32-bit). However we can exchange P and the combination of: expansion E (which input is 32-bit and output is 48-bit), XOR with subkeys (48 bits), and S (input 48-bit, output 32-bit). Then moving P does not modify security at all, because we can obtain such modified DES from regular DES as follows: on the 64-bit input block apply IP, P^-1 on both 32-bit halves, IP^-1, regular DES with the unmodified key, IP^-1, P on both 32-bit halves, IP.

On the other hand, there are many cases where the order of transformations matters to security. For example consider the transformations of a byte

1. Add key byte K modulo 2⁸
2. Apply an 8-bit substitution S-table (such at that of AES)
3. Subtract key byte K modulo 2⁸

Here, order matters. Any reordering moving 2 is a disaster, since the key byte becomes immaterial to the result, which is a block cipher might remove all security.