S-Boxes used in cryptographic schemes#

Additionally this modules offers a dictionary \(sboxes\) of all implemented above S-boxes for the purpose of easy iteration over all available S-boxes.

We can print the S-Boxes with differential uniformity 2:

sage: from sage.crypto.sboxes import sboxes sage: sorted(name for name, s in sboxes.items() . if s.differential_uniformity() == 2) ['APN_6', 'Fides_5', 'Fides_6', 'PRINTcipher', 'Pyjamask_3', 'SC2000_5', 'SEA', 'Shamash']

>>> from sage.all import * >>> from sage.crypto.sboxes import sboxes >>> sorted(name for name, s in sboxes.items() . if s.differential_uniformity() == Integer(2)) ['APN_6', 'Fides_5', 'Fides_6', 'PRINTcipher', 'Pyjamask_3', 'SC2000_5', 'SEA', 'Shamash']

Leo Perrin: initial collection of sboxes
Friedrich Wiemer (2017-05-12): refactored list for inclusion in Sage
Lukas Stennes (2019-06-25): added NIST LWC round 1 candidates

Return the Bracken-Leander construction.

For n = 4*k and odd k, the construction is \(x \mapsto x^ + 2^k + 1>\) over \(\GF\)

n – size of the S-Box

sage: from sage.crypto.sboxes import bracken_leander sage: sbox = bracken_leander(12); [sbox(i) for i in range(8)] [0, 1, 2742, 4035, 1264, 408, 1473, 1327]

>>> from sage.all import * >>> from sage.crypto.sboxes import bracken_leander >>> sbox = bracken_leander(Integer(12)); [sbox(i) for i in range(Integer(8))] [0, 1, 2742, 4035, 1264, 408, 1473, 1327]

sage.crypto.sboxes. carlet_tang_tang_liao ( n , c = None , bf = None ) [source] #

Return the Carlet-Tang-Tang-Liao construction.

See [CTTL2014] for its definition.

n – integer, the bit length of inputs and outputs, has to be even and >= 6
c – element of \(\GF>\) used in the construction (default: random element)
f – Function from \(\GF \to \GF\) or BooleanFunction on \(n-1\) bits (default: x -> (1/(x+1)).trace())

sage: from sage.crypto.sboxes import carlet_tang_tang_liao as cttl sage: cttl(6).differential_uniformity() in [4, 64] True

>>> from sage.all import * >>> from sage.crypto.sboxes import carlet_tang_tang_liao as cttl >>> cttl(Integer(6)).differential_uniformity() in [Integer(4), Integer(64)] True

sage.crypto.sboxes. gold ( n , i ) [source] #

Return the Gold function defined by \(x \mapsto x^\) over \(\GF\) .

n – size of the S-Box
i – a positive integer

sage: from sage.crypto.sboxes import gold sage: gold(3, 1) (0, 1, 3, 4, 5, 6, 7, 2) sage: gold(3, 1).differential_uniformity() 2 sage: gold(4, 2) (0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)

>>> from sage.all import * >>> from sage.crypto.sboxes import gold >>> gold(Integer(3), Integer(1)) (0, 1, 3, 4, 5, 6, 7, 2) >>> gold(Integer(3), Integer(1)).differential_uniformity() 2 >>> gold(Integer(4), Integer(2)) (0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)

sage.crypto.sboxes. kasami ( n , i ) [source] #

Return the Kasami function defined by \(x \mapsto x^ - 2^i + 1>\) over \(\GF\) .

n – size of the S-Box
i – a positive integer

sage: from sage.crypto.sboxes import kasami sage: kasami(3, 1) (0, 1, 3, 4, 5, 6, 7, 2) sage: from sage.crypto.sboxes import gold sage: kasami(3, 1) == gold(3, 1) True sage: kasami(4, 2) (0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12) sage: kasami(4, 2) != gold(4, 2) True

>>> from sage.all import * >>> from sage.crypto.sboxes import kasami >>> kasami(Integer(3), Integer(1)) (0, 1, 3, 4, 5, 6, 7, 2) >>> from sage.crypto.sboxes import gold >>> kasami(Integer(3), Integer(1)) == gold(Integer(3), Integer(1)) True >>> kasami(Integer(4), Integer(2)) (0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12) >>> kasami(Integer(4), Integer(2)) != gold(Integer(4), Integer(2)) True

sage.crypto.sboxes. monomial_function ( n , e ) [source] #

Return an S-Box as a function \(x^e\) defined over \(\GF\) .

n – size of the S-Box (i.e. the degree of the finite field extension)
e – exponent of the monomial function

sage: from sage.crypto.sboxes import monomial_function sage: S = monomial_function(7, 3) sage: S.differential_uniformity() 2 sage: S.input_size() 7 sage: S.is_permutation() True

>>> from sage.all import * >>> from sage.crypto.sboxes import monomial_function >>> S = monomial_function(Integer(7), Integer(3)) >>> S.differential_uniformity() 2 >>> S.input_size() 7 >>> S.is_permutation() True

sage.crypto.sboxes. niho ( n ) [source] #

Return the Niho function over \(\GF\) .

It is defined by \(x \mapsto x^\) with \(s = t/2\) if t is even or \(s = (3t+1)/2\) if t is odd.

n – size of the S-Box

sage: from sage.crypto.sboxes import niho sage: niho(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: niho(3).differential_uniformity() 2

>>> from sage.all import * >>> from sage.crypto.sboxes import niho >>> niho(Integer(3)) (0, 1, 7, 2, 3, 4, 5, 6) >>> niho(Integer(3)).differential_uniformity() 2

sage.crypto.sboxes. v ( n ) [source] #

Return the Welch function defined by \(x \mapsto x^ + 3>\) over \(\GF\) .

n – size of the S-Box

sage: from sage.crypto.sboxes import welch sage: welch(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: welch(3).differential_uniformity() 2

>>> from sage.all import * >>> from sage.crypto.sboxes import welch >>> welch(Integer(3)) (0, 1, 7, 2, 3, 4, 5, 6) >>> welch(Integer(3)).differential_uniformity() 2

sage.crypto.sboxes. welch ( n ) [source] #

Return the Welch function defined by \(x \mapsto x^ + 3>\) over \(\GF\) .

n – size of the S-Box

sage: from sage.crypto.sboxes import welch sage: welch(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: welch(3).differential_uniformity() 2

>>> from sage.all import * >>> from sage.crypto.sboxes import welch >>> welch(Integer(3)) (0, 1, 7, 2, 3, 4, 5, 6) >>> welch(Integer(3)).differential_uniformity() 2