Also known as: SPN
A substitution-permutation network (SPN) builds a block cipher by alternating two kinds of layer over many rounds: a substitution layer of S-boxes and a permutation layer that rearranges or mixes bits.1 The two layers deliver Shannon’s confusion and diffusion, and it is the structure behind AES.
How it works
Each round of an SPN applies three steps to the whole block:
- Key mixing — XOR in a round key derived from the master key.
- Substitution — split the block into small chunks and pass each through an S-box, a nonlinear lookup that supplies confusion by making the relationship between key and ciphertext complicated.
- Permutation — shuffle or linearly mix the bits across the block so that the local effect of each S-box spreads out, supplying diffusion.
Stacking many such rounds means a one-bit change at the input cascades, after a few rounds, into a change in roughly half the output bits (the avalanche effect). Unlike a Feistel network, an SPN transforms the entire block each round, so the substitution and permutation steps must themselves be invertible for decryption.
Relevance to SDR
The most important SPN for radio work is AES, used for P25 AES-256 voice encryption and as a DMR encryption option. The construction is therefore behind much of the strongest encrypted traffic GopherTrunk sees, and — as with any well-designed cipher — recovering that audio without the key is infeasible. The same S-box-plus-permutation vocabulary also frames how weaker, non-encryption obfuscation schemes are analyzed: the clean-room talker-alias work in issue #773 recovered a fixed substitution table from public data, the kind of nonlinear lookup an SPN would call an S-box.
Sources
-
Substitution–permutation network — Wikipedia, for the alternating substitution/permutation rounds and confusion/diffusion. ↩