S-Boxes used in cryptographic schemes

This module provides the following SBoxes:

constructions
9 bit to 9 bit
8 bit to 8 bit
7 bit to 7 bit
6 bit to 6 bit
5 bit to 5 bit
4 bit to 4 bit
3 bit to 3 bit

Additionally this modules offers a dictionary \(sboxes\) of all implemented above S-boxes for the purpose of easy iteration over all available S-boxes.

EXAMPLES:

We can print the S-Boxes with differential uniformity 2:

sage: from sage.crypto.sboxes import sboxes
sage: sorted(name for name, s in sboxes.items()
....:     if s.differential_uniformity() == 2)
['APN_6',
 'Fides_5',
 'Fides_6',
 'PRINTcipher',
 'Pyjamask_3',
 'SC2000_5',
 'SEA',
 'Shamash']
>>> from sage.all import *
>>> from sage.crypto.sboxes import sboxes
>>> sorted(name for name, s in sboxes.items()
...     if s.differential_uniformity() == Integer(2))
['APN_6',
 'Fides_5',
 'Fides_6',
 'PRINTcipher',
 'Pyjamask_3',
 'SC2000_5',
 'SEA',
 'Shamash']

AUTHOR:

  • Leo Perrin: initial collection of sboxes

  • Friedrich Wiemer (2017-05-12): refactored list for inclusion in Sage

  • Lukas Stennes (2019-06-25): added NIST LWC round 1 candidates

sage.crypto.sboxes.bracken_leander(n)[source]

Return the Bracken-Leander construction.

For n = 4*k and odd k, the construction is \(x \mapsto x^{2^{2k} + 2^k + 1}\) over \(\GF{2^n}\)

INPUT:

  • n – size of the S-Box

EXAMPLES:

sage: from sage.crypto.sboxes import bracken_leander
sage: sbox = bracken_leander(12); [sbox(i) for i in range(8)]
[0, 1, 2742, 4035, 1264, 408, 1473, 1327]
>>> from sage.all import *
>>> from sage.crypto.sboxes import bracken_leander
>>> sbox = bracken_leander(Integer(12)); [sbox(i) for i in range(Integer(8))]
[0, 1, 2742, 4035, 1264, 408, 1473, 1327]
sage.crypto.sboxes.carlet_tang_tang_liao(n, c=None, bf=None)[source]

Return the Carlet-Tang-Tang-Liao construction.

See [CTTL2014] for its definition.

INPUT:

  • n – integer; the bit length of inputs and outputs, has to be even and \(\geq 6\)

  • c – element of \(\GF{2^{n-1}}\) used in the construction (default: random element)

  • f – function from \(\GF{2^n} \to \GF{2}\) or BooleanFunction on \(n-1\) bits (default: x -> (1/(x+1)).trace()))

EXAMPLES:

sage: from sage.crypto.sboxes import carlet_tang_tang_liao as cttl
sage: cttl(6).differential_uniformity() in [4, 64]
True
>>> from sage.all import *
>>> from sage.crypto.sboxes import carlet_tang_tang_liao as cttl
>>> cttl(Integer(6)).differential_uniformity() in [Integer(4), Integer(64)]
True
sage.crypto.sboxes.gold(n, i)[source]

Return the Gold function defined by \(x \mapsto x^{2^i + 1}\) over \(\GF{2^n}\).

INPUT:

  • n – size of the S-Box

  • i – positive integer

EXAMPLES:

sage: from sage.crypto.sboxes import gold
sage: gold(3, 1)
(0, 1, 3, 4, 5, 6, 7, 2)
sage: gold(3, 1).differential_uniformity()
2
sage: gold(4, 2)
(0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)
>>> from sage.all import *
>>> from sage.crypto.sboxes import gold
>>> gold(Integer(3), Integer(1))
(0, 1, 3, 4, 5, 6, 7, 2)
>>> gold(Integer(3), Integer(1)).differential_uniformity()
2
>>> gold(Integer(4), Integer(2))
(0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)
sage.crypto.sboxes.kasami(n, i)[source]

Return the Kasami function defined by \(x \mapsto x^{2^{2i} - 2^i + 1}\) over \(\GF{2^n}\).

INPUT:

  • n – size of the S-Box

  • i – positive integer

EXAMPLES:

sage: from sage.crypto.sboxes import kasami
sage: kasami(3, 1)
(0, 1, 3, 4, 5, 6, 7, 2)
sage: from sage.crypto.sboxes import gold
sage: kasami(3, 1) == gold(3, 1)
True
sage: kasami(4, 2)
(0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12)
sage: kasami(4, 2) != gold(4, 2)
True
>>> from sage.all import *
>>> from sage.crypto.sboxes import kasami
>>> kasami(Integer(3), Integer(1))
(0, 1, 3, 4, 5, 6, 7, 2)
>>> from sage.crypto.sboxes import gold
>>> kasami(Integer(3), Integer(1)) == gold(Integer(3), Integer(1))
True
>>> kasami(Integer(4), Integer(2))
(0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12)
>>> kasami(Integer(4), Integer(2)) != gold(Integer(4), Integer(2))
True
sage.crypto.sboxes.monomial_function(n, e)[source]

Return an S-Box as a function \(x^e\) defined over \(\GF{2^n}\).

INPUT:

  • n – size of the S-Box (i.e. the degree of the finite field extension)

  • e – exponent of the monomial function

EXAMPLES:

sage: from sage.crypto.sboxes import monomial_function
sage: S = monomial_function(7, 3)
sage: S.differential_uniformity()
2
sage: S.input_size()
7
sage: S.is_permutation()
True
>>> from sage.all import *
>>> from sage.crypto.sboxes import monomial_function
>>> S = monomial_function(Integer(7), Integer(3))
>>> S.differential_uniformity()
2
>>> S.input_size()
7
>>> S.is_permutation()
True
sage.crypto.sboxes.niho(n)[source]

Return the Niho function over \(\GF{2^n}\).

It is defined by \(x \mapsto x^{2^t + 2^s - 1}\) with \(s = t/2\) if t is even or \(s = (3t+1)/2\) if t is odd.

INPUT:

  • n – size of the S-Box

EXAMPLES:

sage: from sage.crypto.sboxes import niho
sage: niho(3)
(0, 1, 7, 2, 3, 4, 5, 6)

sage: niho(3).differential_uniformity()
2
>>> from sage.all import *
>>> from sage.crypto.sboxes import niho
>>> niho(Integer(3))
(0, 1, 7, 2, 3, 4, 5, 6)

>>> niho(Integer(3)).differential_uniformity()
2
sage.crypto.sboxes.v(n)[source]

Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\).

INPUT:

  • n – size of the S-Box

EXAMPLES:

sage: from sage.crypto.sboxes import welch
sage: welch(3)
(0, 1, 7, 2, 3, 4, 5, 6)
sage: welch(3).differential_uniformity()
2
>>> from sage.all import *
>>> from sage.crypto.sboxes import welch
>>> welch(Integer(3))
(0, 1, 7, 2, 3, 4, 5, 6)
>>> welch(Integer(3)).differential_uniformity()
2
sage.crypto.sboxes.welch(n)[source]

Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\).

INPUT:

  • n – size of the S-Box

EXAMPLES:

sage: from sage.crypto.sboxes import welch
sage: welch(3)
(0, 1, 7, 2, 3, 4, 5, 6)
sage: welch(3).differential_uniformity()
2
>>> from sage.all import *
>>> from sage.crypto.sboxes import welch
>>> welch(Integer(3))
(0, 1, 7, 2, 3, 4, 5, 6)
>>> welch(Integer(3)).differential_uniformity()
2