S-Boxes used in cryptographic schemes
This module provides the following SBoxes:
- constructions
BrackenLeander ([BraLea2008])
CarletTangTangLiao ([CTTL2014])
Gold ([Gol1968])
Kasami ([Kas1971])
Niho ([Dob1999a])
Welch ([Dob1999b])
- 9 bit to 9 bit
DryGASCON256 ([Rio2019])
- 8 bit to 8 bit
Anubis ([BR2000a])
ARIA_s2 ([KKPSSSYYLLCHH2004])
BelT ([Bel2011])
Camellia ([AIKMMNT2001])
CMEA ([WSK1997])
Chiasmus ([STW2013])
CLEFIA_S0, CLEFIA_S1 ([SSAMI2007])
Crypton_0_5 ([Lim])
Crypton_1_0_S0, …, Crypton_1_0_S3 ([Lim2001])
CS_cipher ([SV2000])
CSA ([WW2005])
CSS ([BD2004])
DBlock ([WZY2015])
E2 ([KMAUTOM2000])
Enocoro ([WFYTP2008])
Fantomas ([GLSV2014])
FLY ([KG2016])
Fox ([VJ2004])
Iceberg ([SPRQL2004])
iScream ([GLSVJGK2014])
Kalyna_pi0, …, Kalyna_pi3 ([OGKRKGBDDP2015])
Khazad ([BR2000b])
Kuznyechik (Kuznechik, Streebog, Stribog) ([Fed2015])
Lilliput-AE ([ABCFHLLMRT2019])
MD2 ([Kal1992])
newDES ([Sco1985])
Picaro ([PRC2012])
Safer ([Mas1994])
Scream ([CDL2015], [GLSVJGK2014])
SEED_S0, SEED_S1 ([LLYCL2005])
SKINNY_8 (ForkSkinny_8 [ALPRRV2019], Remus_8 [IKMP2019A], Romulus [IKMP2019B]) ([BJKLMPSSS2016])
Skipjack ([U.S1998])
SNOW_3G_sq ([ETS2006a])
SMS4 ([Ltd06])
Turing ([RH2003b])
Twofish_p0, Twofish_p1 ([SKWWHF1998])
Whirlpool ([BR2000c])
Zorro ([GGNS2013])
ZUC_S0, ZUC_S1 ([ETS2011])
- 7 bit to 7 bit
Wage ([AAGMRZ2019])
- 6 bit to 6 bit
Fides_6 ([BBKMW2013])
APN_6 ([BDMW2010])
SC2000_6 ([SYYTIYTT2002])
- 5 bit to 5 bit
Ascon (ISAP [DEMMMPU2019]) ([DEMS2016])
DryGASCON128 ([Rio2019])
Fides_5 ([BBKMW2013])
SC2000_5 ([SYYTIYTT2002])
Shamash ([PM2019])
SYCON ([SMS2019])
- 4 bit to 4 bit
Elephant ([BCDM2019])
KNOT ([ZDYBXJZ2019])
Pyjamask_4 ([GJKPRSS2019])
SATURNIN_0, SATURNIN_1 ([CDLNPPS2019])
Spook (Clyde, Shadow) ([BBBCDGLLLMPPSW2019])
TRIFLE ([DGMPPS2019])
Yarara, Coral ([MP2019])
DES_S1_1, …, DES_S1_4, …, DES_S8_4 ([U.S1999])
Lucifer_S0, Lucifer_S1 ([Sor1984])
GOST_1, …, GOST_8 (http://www.cypherpunks.ru/pygost/)
GOST2_1, GOST2_2 (http://www.cypherpunks.ru/pygost/)
Magma_1, …, Magma_8 ([Fed2015])
GOST_IETF_1, …, GOST_IETF_8 (http://www.cypherpunks.ru/pygost/)
Hummingbird_2_S1, …, Hummingbird_2_S4 ([ESSS2011])
LBlock_0, …, LBlock_9 ([WZ2011])
SERPENT_S0, …, SERPENT_S7 ([BAK1998])
KLEIN ([GNL2011])
MIBS ([ISSK2009])
Midori_Sb0 (MANTIS, CRAFT, WARP), Midori_Sb1 ([BBISHAR2015])
Noekeon ([DPVAR2000])
Piccolo ([SIHMAS2011])
Panda ([YWHWXSW2014])
PRESENT (CiliPadi [ZJRRS2019], PHOTON [BCDGNPY2019], ORANGE [CN2019]) ([BKLPPRSV2007])
GIFT (Fountain_1, HYENA [CDJN2019], TGIF [IKMPSSS2019]) ([BPPSST2017])
Fountain_1, Fountain_2, Fountain_3, Fountain_4 ([Zha2019])
Pride ([ADKLPY2014])
PRINCE ([BCGKKKLNPRRTY2012])
Prost ([KLLRSY2014])
Qarma_sigma0, Qarma_sigma1 (Qameleon [ABBDHR2019]), Qarma_sigma2 ([Ava2017])
REC_0 (earlier version of [ZBLRYV2015])
Rectangle ([ZBLRYV2015])
SC2000_4 ([SYYTIYTT2002])
SKINNY_4 (ForkSkinny_4 [ALPRRV2019], Remus_4 [IKMP2019A]) ([BJKLMPSSS2016])
TWINE ([SMMK2013])
Luffa_v1 ([DCSW2008])
Luffa ([DCSW2008])
BLAKE_1, …, BLAKE_9 ([AHMP2008])
JH_S0, JH_S1 ([Wu2009])
SMASH_256_S1, …, SMASH_256_S3 ([Knu2005])
Anubis_S0, Anubis_S1 ([BR2000a])
CLEFIA_SS0, …, CLEFIA_SS3 ([SSAMI2007])
Enocoro_S4 ([WFYTP2008])
Iceberg_S0, Iceberg_S1 ([SPRQL2004])
Khazad_P, Khazad_Q ([BR2000b])
Whirlpool_E, Whirlpool_R ([BR2000c])
CS_cipher_F, CS_cipher_G ([SV2000])
Fox_S1, …, Fox_S3 ([VJ2004])
Twofish_Q0_T0, …, Twofish_Q0_T3, Twofish_Q1_T0, …, Twofish_Q1_T3 ([SKWWHF1998])
Kuznyechik_nu0, Kuznyechik_nu1, Kuznyechik_sigma, Kuznyechik_phi ([BPU2016])
UDCIKMP11 ([UDCIKMP2011])
Optimal_S0, …, Optimal_S15 ([LP2007])
Serpent_type_S0, …, Serpent_type_S19 ([LP2007])
Golden_S0, …, Golden_S3 ([Saa2011])
representatives for all 302 affine equivalence classes ([dCa2007])
- 3 bit to 3 bit
SEA ([SPGQ2006])
PRINTcipher ([KLPR2010])
Pyjamask_3 ([GJKPRSS2019])
Additionally, this module offers a dictionary sboxes of all the S-boxes implemented above, for easy iteration over all available S-boxes.
EXAMPLES:
We can print the S-Boxes with differential uniformity 2:
sage: from sage.crypto.sboxes import sboxes
sage: sorted(name for name, s in sboxes.items()
....: if s.differential_uniformity() == 2)
['APN_6',
'Fides_5',
'Fides_6',
'PRINTcipher',
'Pyjamask_3',
'SC2000_5',
'SEA',
'Shamash']
>>> from sage.all import *
>>> from sage.crypto.sboxes import sboxes
>>> sorted(name for name, s in sboxes.items()
... if s.differential_uniformity() == Integer(2))
['APN_6',
'Fides_5',
'Fides_6',
'PRINTcipher',
'Pyjamask_3',
'SC2000_5',
'SEA',
'Shamash']
AUTHOR:
Leo Perrin: initial collection of sboxes
Friedrich Wiemer (2017-05-12): refactored list for inclusion in Sage
Lukas Stennes (2019-06-25): added NIST LWC round 1 candidates
- sage.crypto.sboxes.bracken_leander(n)
Return the Bracken-Leander construction.
For n = 4*k and odd k, the construction is \(x \mapsto x^{2^{2k} + 2^k + 1}\) over \(\GF{2^n}\).
INPUT:
n – size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import bracken_leander
sage: sbox = bracken_leander(12); [sbox(i) for i in range(8)]
[0, 1, 2742, 4035, 1264, 408, 1473, 1327]
>>> from sage.all import *
>>> from sage.crypto.sboxes import bracken_leander
>>> sbox = bracken_leander(Integer(12)); [sbox(i) for i in range(Integer(8))]
[0, 1, 2742, 4035, 1264, 408, 1473, 1327]
- sage.crypto.sboxes.carlet_tang_tang_liao(n, c=None, bf=None)
Return the Carlet-Tang-Tang-Liao construction.
See [CTTL2014] for its definition.
INPUT:
n – integer; the bit length of inputs and outputs, has to be even and \(\geq 6\)
c – element of \(\GF{2^{n-1}}\) used in the construction (default: random element)
f – function from \(\GF{2^n} \to \GF{2}\) or BooleanFunction on \(n-1\) bits (default: x -> (1/(x+1)).trace())
EXAMPLES:
sage: from sage.crypto.sboxes import carlet_tang_tang_liao as cttl
sage: cttl(6).differential_uniformity() in [4, 64]
True
>>> from sage.all import *
>>> from sage.crypto.sboxes import carlet_tang_tang_liao as cttl
>>> cttl(Integer(6)).differential_uniformity() in [Integer(4), Integer(64)]
True
- sage.crypto.sboxes.gold(n, i)
Return the Gold function defined by \(x \mapsto x^{2^i + 1}\) over \(\GF{2^n}\).
INPUT:
n – size of the S-Box
i – positive integer
EXAMPLES:
sage: from sage.crypto.sboxes import gold
sage: gold(3, 1)
(0, 1, 3, 4, 5, 6, 7, 2)
sage: gold(3, 1).differential_uniformity()
2
sage: gold(4, 2)
(0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)
>>> from sage.all import *
>>> from sage.crypto.sboxes import gold
>>> gold(Integer(3), Integer(1))
(0, 1, 3, 4, 5, 6, 7, 2)
>>> gold(Integer(3), Integer(1)).differential_uniformity()
2
>>> gold(Integer(4), Integer(2))
(0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)
- sage.crypto.sboxes.kasami(n, i)
Return the Kasami function defined by \(x \mapsto x^{2^{2i} - 2^i + 1}\) over \(\GF{2^n}\).
INPUT:
n – size of the S-Box
i – positive integer
EXAMPLES:
sage: from sage.crypto.sboxes import kasami
sage: kasami(3, 1)
(0, 1, 3, 4, 5, 6, 7, 2)
sage: from sage.crypto.sboxes import gold
sage: kasami(3, 1) == gold(3, 1)
True
sage: kasami(4, 2)
(0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12)
sage: kasami(4, 2) != gold(4, 2)
True
>>> from sage.all import *
>>> from sage.crypto.sboxes import kasami
>>> kasami(Integer(3), Integer(1))
(0, 1, 3, 4, 5, 6, 7, 2)
>>> from sage.crypto.sboxes import gold
>>> kasami(Integer(3), Integer(1)) == gold(Integer(3), Integer(1))
True
>>> kasami(Integer(4), Integer(2))
(0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12)
>>> kasami(Integer(4), Integer(2)) != gold(Integer(4), Integer(2))
True
- sage.crypto.sboxes.monomial_function(n, e)
Return an S-Box as a function \(x^e\) defined over \(\GF{2^n}\).
INPUT:
n – size of the S-Box (i.e. the degree of the finite field extension)
e – exponent of the monomial function
EXAMPLES:
sage: from sage.crypto.sboxes import monomial_function
sage: S = monomial_function(7, 3)
sage: S.differential_uniformity()
2
sage: S.input_size()
7
sage: S.is_permutation()
True
>>> from sage.all import *
>>> from sage.crypto.sboxes import monomial_function
>>> S = monomial_function(Integer(7), Integer(3))
>>> S.differential_uniformity()
2
>>> S.input_size()
7
>>> S.is_permutation()
True
- sage.crypto.sboxes.niho(n)
Return the Niho function over \(\GF{2^n}\).
It is defined by \(x \mapsto x^{2^t + 2^s - 1}\) with \(s = t/2\) if t is even or \(s = (3t+1)/2\) if t is odd.
INPUT:
n – size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import niho
sage: niho(3)
(0, 1, 7, 2, 3, 4, 5, 6)
sage: niho(3).differential_uniformity()
2
>>> from sage.all import *
>>> from sage.crypto.sboxes import niho
>>> niho(Integer(3))
(0, 1, 7, 2, 3, 4, 5, 6)
>>> niho(Integer(3)).differential_uniformity()
2
- sage.crypto.sboxes.v(n)
Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\).
INPUT:
n – size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import welch
sage: welch(3)
(0, 1, 7, 2, 3, 4, 5, 6)
sage: welch(3).differential_uniformity()
2
>>> from sage.all import *
>>> from sage.crypto.sboxes import welch
>>> welch(Integer(3))
(0, 1, 7, 2, 3, 4, 5, 6)
>>> welch(Integer(3)).differential_uniformity()
2
- sage.crypto.sboxes.welch(n)
Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\).
INPUT:
n – size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import welch
sage: welch(3)
(0, 1, 7, 2, 3, 4, 5, 6)
sage: welch(3).differential_uniformity()
2
>>> from sage.all import *
>>> from sage.crypto.sboxes import welch
>>> welch(Integer(3))
(0, 1, 7, 2, 3, 4, 5, 6)
>>> welch(Integer(3)).differential_uniformity()
2