S-Boxes used in cryptographic schemes¶
This module provides the following SBoxes:
- constructions
- BrackenLeander ([BraLea2008])
- CarletTangTangLiao ([CTTL2014])
- Gold ([Gol1968])
- Kasami ([Kas1971])
- Niho ([Dob1999a])
- Welch ([Dob1999b])
- 9 bit to 9 bit
- DryGASCON256 ([Rio2019])
- 8 bit to 8 bit
- AES (FlexAEAD [NX2019]) ([DR2002])
- Anubis ([BR2000a])
- ARIA_s2 ([KKPSSSYYLLCHH2004])
- BelT ([Bel2011])
- Camellia ([AIKMMNT2001])
- CMEA ([WSK1997])
- Chiasmus ([STW2013])
- CLEFIA_S0, CLEFIA_S1 ([SSAMI2007])
- Crypton_0_5 ([Lim])
- Crypton_1_0_S0, …, Crypton_1_0_S3 ([Lim2001])
- CS_cipher ([SV2000])
- CSA ([WW2005])
- CSS ([BD2004])
- DBlock ([WZY2015])
- E2 ([KMAUTOM2000])
- Enocoro ([WFYTP2008])
- Fantomas ([GLSV2014])
- FLY ([KG2016])
- Fox ([VJ2004])
- Iceberg ([SPRQL2004])
- Iraqi (Wikipedia article Iraqi_block_cipher)
- iScream ([GLSVJGK2014])
- Kalyna_pi0, …, Kalyna_pi3 ([OGKRKGBDDP2015])
- Khazad ([BR2000b])
- Kuznyechik (Kuznechik, Streebog, Stribog) ([Fed2015])
- Lilliput-AE ([ABCFHLLMRT2019])
- MD2 ([Kal1992])
- newDES ([Sco1985])
- Picaro ([PRC2012])
- Safer ([Mas1994])
- Scream ([CDL2015],[GLSVJGK2014]_)
- SEED_S0, SEED_S1 ([LLYCL2005])
- SKINNY_8 (ForkSkinny_8 [ALPRRV2019], Remus_8 [IKMP2019A], Romulus [IKMP2019B]) ([BJKLMPSSS2016])
- Skipjack ([U.S1998])
- SNOW_3G_sq ([ETS2006a])
- SMS4 ([Ltd06])
- Turing ([RH2003b])
- Twofish_p0, Twofish_p1 ([SKWWHF1998])
- Whirlpool ([BR2000c])
- Zorro ([GGNS2013])
- ZUC_S0, ZUC_S1 ([ETS2011])
- 7 bit to 7 bit
- Wage ([AAGMRZ2019])
- 6 bit to 6 bit
- Fides_6 ([BBKMW2013])
- APN_6 ([BDMW2010])
- SC2000_6 ([SYYTIYTT2002])
- 5 bit to 5 bit
- Ascon (ISAP [DEMMMPU2019]) ([DEMS2016])
- DryGASCON128 ([Rio2019])
- Fides_5 ([BBKMW2013])
- SC2000_5 ([SYYTIYTT2002])
- Shamash ([PM2019])
- SYCON ([SMS2019])
- 4 bit to 4 bit
- Elephant ([BCDM2019])
- KNOT ([ZDYBXJZ2019])
- Pyjamask_4 ([GJKPRSS2019])
- SATURNIN_0, SATURNIN_1 ([CDLNPPS2019])
- Spook (Clyde, Shadow) ([BBBCDGLLLMPPSW2019])
- TRIFLE ([DGMPPS2019])
- Yarara, Coral ([MP2019])
- DES_S1_1, …, DES_S1_4, …, DES_S8_4 ([U.S1999])
- Lucifer_S0, Lucifer_S1 ([Sor1984])
- GOST_1, …, GOST_8 (http://www.cypherpunks.ru/pygost/)
- GOST2_1, GOST2_2 (http://www.cypherpunks.ru/pygost/)
- Magma_1, …, Magma_8 ([Fed2015])
- GOST_IETF_1, …, GOST_IETF_8 (http://www.cypherpunks.ru/pygost/)
- Hummingbird_2_S1, …, Hummingbird_2_S4 ([ESSS2011])
- LBlock_0, …, LBlock_9 ([WZ2011])
- SERPENT_S0, …, SERPENT_S7 ([BAK1998])
- KLEIN ([GNL2011])
- MIBS ([ISSK2009)]
- Midori_Sb0 (MANTIS, CRAFT), Midori_Sb1 ([BBISHAR2015])
- Noekeon ([DPVAR2000])
- Piccolo ([SIHMAS2011])
- Panda ([YWHWXSW2014])
- PRESENT (CiliPadi [ZJRRS2019], PHOTON [BCDGNPY2019], ORANGE [CN2019]) ([BKLPPRSV2007])
- GIFT (Fountain_1, HYENA [CDJN2019], TGIF [IKMPSSS2019]) ([BPPSST2017])
- Fountain_1, Fountain_2, Fountain_3, Fountain_4 ([Zha2019])
- Pride ([ADKLPY2014])
- PRINCE ([BCGKKKLNPRRTY2012])
- Prost ([KLLRSY2014])
- Qarma_sigma0, Qarma_sigma1 (Qameleon [ABBDHR2019]), Qarma_sigma2 ([Ava2017])
- REC_0 (earlier version of [ZBLRYV2015])
- Rectangle ([ZBLRYV2015])
- SC2000_4 ([SYYTIYTT2002])
- SKINNY_4 (ForkSkinny_4 [ALPRRV2019], Remus_4 [IKMP2019A]) ([BJKLMPSSS2016])
- TWINE ([SMMK2013])
- Luffa_v1 ([DCSW2008])
- Luffa ([DCSW2008])
- BLAKE_1, …, BLAKE_9 ([AHMP2008])
- JH_S0, JH_S1 ([Wu2009])
- SMASH_256_S1, …, SMASH_256_S3 ([Knu2005])
- Anubis_S0, Anubis_S1 ([BR2000a])
- CLEFIA_SS0, …, CLEFIA_SS3 ([SSAMI2007])
- Enocoro_S4 ([WFYTP2008])
- Iceberg_S0, Iceberg_S1 ([SPRQL2004])
- Khazad_P, Khazad_Q ([BR2000b])
- Whirlpool_E, Whirlpool_R ([BR2000c])
- CS_cipher_F, CS_cipher_G ([SV2000])
- Fox_S1, …, Fox_S3 ([VJ2004])
- Twofish_Q0_T0, …, Twofish_Q0_T3, Twofish_Q1_T0, …, Twofish_Q1_T3 ([SKWWHF1998])
- Kuznyechik_nu0, Kuznyechik_nu1, Kuznyechik_sigma, Kuznyechik_phi ([BPU2016])
- UDCIKMP11 ([UDCIKMP2011])
- Optimal_S0, …, Optimal_S15 ([LP2007])
- Serpent_type_S0, …, Serpent_type_S19 ([LP2007])
- Golden_S0, …, Golden_S3 ([Saa2011])
- representatives for all 302 affine equivalence classes ([dCa2007])
- 3 bit to 3 bit
- SEA ([SPGQ2006])
- PRINTcipher ([KLPR2010])
- Pyjamask_3 ([GJKPRSS2019])
Additionally this modules offers a dictionary \(sboxes\) of all implemented above S-boxes for the purpose of easy iteration over all available S-boxes.
EXAMPLES:
We can print the S-Boxes with differential uniformity 2:
sage: from sage.crypto.sboxes import sboxes
sage: sorted(name for name, s in sboxes.items()
....: if s.differential_uniformity() == 2)
['APN_6',
'Fides_5',
'Fides_6',
'PRINTcipher',
'Pyjamask_3',
'SC2000_5',
'SEA',
'Shamash']
AUTHOR:
- Leo Perrin: initial collection of sboxes
- Friedrich Wiemer (2017-05-12): refactored list for inclusion in SAGE
- Lukas Stennes (2019-06-25): added NIST LWC round 1 candidates
-
sage.crypto.sboxes.
bracken_leander
(n)¶ Return the Bracken-Leander construction.
For n = 4*k and odd k, the construction is \(x \mapsto x^{2^{2k} + 2^k + 1}\) over \(\GF{2^n}\)
INPUT:
n
– size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import bracken_leander sage: sbox = bracken_leander(12); [sbox(i) for i in range(8)] [0, 1, 2742, 4035, 1264, 408, 1473, 1327]
-
sage.crypto.sboxes.
carlet_tang_tang_liao
(n, c=None, bf=None)¶ Return the Carlet-Tang-Tang-Liao construction.
See [CTTL2014] for its definition.
INPUT:
n
– integer, the bit length of inputs and outputs, has to be even and >= 6c
– element of \(\GF{2^{n-1}}\) used in the construction- (default: random element)
f
– Function from \(\GF{2^n} \to \GF{2}\) or BooleanFunction on \(n-1\) bits- (default:
x -> (1/(x+1)).trace())
EXAMPLES:
sage: from sage.crypto.sboxes import carlet_tang_tang_liao as cttl sage: cttl(6).differential_uniformity() 4
-
sage.crypto.sboxes.
gold
(n, i)¶ Return the Gold function defined by \(x \mapsto x^{2^i + 1}\) over \(\GF{2^n}\).
INPUT:
n
– size of the S-Boxi
– a positive integer
EXAMPLES:
sage: from sage.crypto.sboxes import gold sage: gold(3, 1) (0, 1, 3, 4, 5, 6, 7, 2) sage: gold(3, 1).differential_uniformity() 2 sage: gold(4, 2) (0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1)
-
sage.crypto.sboxes.
kasami
(n, i)¶ Return the Kasami function defined by \(x \mapsto x^{2^{2i} - 2^i + 1}\) over \(\GF{2^n}\).
INPUT:
n
– size of the S-Boxi
– a positive integer
EXAMPLES:
sage: from sage.crypto.sboxes import kasami sage: kasami(3, 1) (0, 1, 3, 4, 5, 6, 7, 2) sage: from sage.crypto.sboxes import gold sage: kasami(3, 1) == gold(3, 1) True sage: kasami(4, 2) (0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12) sage: kasami(4, 2) != gold(4, 2) True
-
sage.crypto.sboxes.
monomial_function
(n, e)¶ Return an S-Box as a function \(x^e\) defined over \(\GF{2^n}\).
INPUT:
n
– size of the S-Box (i.e. the degree of the finite field extension)e
– exponent of the monomial function
EXAMPLES:
sage: from sage.crypto.sboxes import monomial_function sage: S = monomial_function(7, 3) sage: S.differential_uniformity() 2 sage: S.input_size() 7 sage: S.is_permutation() True
-
sage.crypto.sboxes.
niho
(n)¶ Return the Niho function over \(\GF{2^n}\).
It is defined by \(x \mapsto x^{2^t + 2^s - 1}\) with \(s = t/2\) if t is even or \(s = (3t+1)/2\) if t is odd.
INPUT:
n
– size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import niho sage: niho(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: niho(3).differential_uniformity() 2
-
sage.crypto.sboxes.
v
(n)¶ Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\).
INPUT:
n
– size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import welch sage: welch(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: welch(3).differential_uniformity() 2
-
sage.crypto.sboxes.
welch
(n)¶ Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\).
INPUT:
n
– size of the S-Box
EXAMPLES:
sage: from sage.crypto.sboxes import welch sage: welch(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: welch(3).differential_uniformity() 2