The standard problem in cryptographic work is to make ciphers difficult to read without the key, but easy to read with the key. Our only reliable tool to do this is randomness--entropy--but the problem is we normally want to use a cipher to stretch a little bit of randomness (like a password) across a long sequence of messages. Clearly we really want:

- "Entropy preservation": we don't lose randomness as the algorithm progresses. If you give up some key randomness with each crypto operation, you're giving up security--run long enough, and you'll converge to a single key (often zero).
- "Nonlocality": if we flip one bit of the input, lots of bits
in the output change (ideally half).

- "Inverses": each crypto operation needs an inverse function, or else we'll have a hard time building the decryption function!
- "Analysis": it shouldn't be easy to look at the output of the
function and determine the inputs.

Here are the properties of some commonly used operations:

Operation |
Inverse |
Entropy Preservation |
Nonlocality |
Analysis for fixed K |

Addition C=P+K; |
Subtraction P=C-K; |
Perfect (even with wraparound). |
Poor--except for carries, totally bit-local. |
Trivial: compare plaintext and ciphertext
histograms. |

Multiplication C=P*K; |
Division P=C/K; |
Depends on high bits: throwing away high bits
loses entropy; modulo a large relatively prime value can
preserve it. |
Good, especially with wraparound. |
Trivial--every ciphertext value differs by a
multiple of the key. |

Bit rotation C=(P>>K) | (P<<(bits-K)); |
Rotate other way |
Perfect |
Terrible--bits are in 1:1 correspondence. |
Trivial: compare plaintext and ciphertext
*bit* histograms. |

Bitwise XOR C=P^K; |
Bitwise XOR again P=C^K; |
Perfect |
Terrible (bitwise) |
Trivial if K is reused. |

Bitwise AND C=P&K; |
Does not exist |
Not good--zeros in either input will cancel
out any entropy in the other input. |
Terrible (bitwise) |
Not invertible. |

Bitwise OR C=P|K; |
Does not exist |
Not good--ones in either input cancel entropy
in other input. |
Terrible (bitwise) |
Not invertible. |

Either-or C=(P1&K) | (P2&~K); |
Does not exist |
Actually good, although either P1 or P2 is
thrown away. |
Terrible (bitwise) |
Not invertible. |

Substitution table ("S box") C=T[P,K]; |
Inverse table C=I[P,K]; |
Perfect (it's typically a permutation). | Good with a well-designed table. |
For a reasonably big well-designed table, analysis can be hard. |

S boxes would be used more often, except that locality-free table lookups are not high performance operations on most computers, so S boxes are limited to a small size, typically only 8-10 bits of input with modern ciphers. Often folks combine several of these operations, for example using an S box to make analysis more difficult, then a bit permutation to reduce locality by mixing bits from different boxes.