S-Boxes used in cryptographic schemes¶
This module provides the following SBoxes:
- constructions
- BrackenLeander ([BraLea2008]) 
- CarletTangTangLiao ([CTTL2014]) 
- Gold ([Gol1968]) 
- Kasami ([Kas1971]) 
- Niho ([Dob1999a]) 
- Welch ([Dob1999b]) 
 
- 9 bit to 9 bit
- DryGASCON256 ([Rio2019]) 
 
- 8 bit to 8 bit
- Anubis ([BR2000a]) 
- ARIA_s2 ([KKPSSSYYLLCHH2004]) 
- BelT ([Bel2011]) 
- Camellia ([AIKMMNT2001]) 
- CMEA ([WSK1997]) 
- Chiasmus ([STW2013]) 
- CLEFIA_S0, CLEFIA_S1 ([SSAMI2007]) 
- Crypton_0_5 ([Lim]) 
- Crypton_1_0_S0, …, Crypton_1_0_S3 ([Lim2001]) 
- CS_cipher ([SV2000]) 
- CSA ([WW2005]) 
- CSS ([BD2004]) 
- DBlock ([WZY2015]) 
- E2 ([KMAUTOM2000]) 
- Enocoro ([WFYTP2008]) 
- Fantomas ([GLSV2014]) 
- FLY ([KG2016]) 
- Fox ([VJ2004]) 
- Iceberg ([SPRQL2004]) 
- iScream ([GLSVJGK2014]) 
- Kalyna_pi0, …, Kalyna_pi3 ([OGKRKGBDDP2015]) 
- Khazad ([BR2000b]) 
- Kuznyechik (Kuznechik, Streebog, Stribog) ([Fed2015]) 
- Lilliput-AE ([ABCFHLLMRT2019]) 
- MD2 ([Kal1992]) 
- newDES ([Sco1985]) 
- Picaro ([PRC2012]) 
- Safer ([Mas1994]) 
- Scream ([CDL2015],[GLSVJGK2014]_) 
- SEED_S0, SEED_S1 ([LLYCL2005]) 
- SKINNY_8 (ForkSkinny_8 [ALPRRV2019], Remus_8 [IKMP2019A], Romulus [IKMP2019B]) ([BJKLMPSSS2016]) 
- Skipjack ([U.S1998]) 
- SNOW_3G_sq ([ETS2006a]) 
- SMS4 ([Ltd06]) 
- Turing ([RH2003b]) 
- Twofish_p0, Twofish_p1 ([SKWWHF1998]) 
- Whirlpool ([BR2000c]) 
- Zorro ([GGNS2013]) 
- ZUC_S0, ZUC_S1 ([ETS2011]) 
 
- 7 bit to 7 bit
- Wage ([AAGMRZ2019]) 
 
- 6 bit to 6 bit
- Fides_6 ([BBKMW2013]) 
- APN_6 ([BDMW2010]) 
- SC2000_6 ([SYYTIYTT2002]) 
 
- 5 bit to 5 bit
- Ascon (ISAP [DEMMMPU2019]) ([DEMS2016]) 
- DryGASCON128 ([Rio2019]) 
- Fides_5 ([BBKMW2013]) 
- SC2000_5 ([SYYTIYTT2002]) 
- Shamash ([PM2019]) 
- SYCON ([SMS2019]) 
 
- 4 bit to 4 bit
- Elephant ([BCDM2019]) 
- KNOT ([ZDYBXJZ2019]) 
- Pyjamask_4 ([GJKPRSS2019]) 
- SATURNIN_0, SATURNIN_1 ([CDLNPPS2019]) 
- Spook (Clyde, Shadow) ([BBBCDGLLLMPPSW2019]) 
- TRIFLE ([DGMPPS2019]) 
- Yarara, Coral ([MP2019]) 
- DES_S1_1, …, DES_S1_4, …, DES_S8_4 ([U.S1999]) 
- Lucifer_S0, Lucifer_S1 ([Sor1984]) 
- GOST_1, …, GOST_8 (http://www.cypherpunks.ru/pygost/) 
- GOST2_1, GOST2_2 (http://www.cypherpunks.ru/pygost/) 
- Magma_1, …, Magma_8 ([Fed2015]) 
- GOST_IETF_1, …, GOST_IETF_8 (http://www.cypherpunks.ru/pygost/) 
- Hummingbird_2_S1, …, Hummingbird_2_S4 ([ESSS2011]) 
- LBlock_0, …, LBlock_9 ([WZ2011]) 
- SERPENT_S0, …, SERPENT_S7 ([BAK1998]) 
- KLEIN ([GNL2011]) 
- MIBS ([ISSK2009)] 
- Midori_Sb0 (MANTIS, CRAFT, WARP), Midori_Sb1 ([BBISHAR2015]) 
- Noekeon ([DPVAR2000]) 
- Piccolo ([SIHMAS2011]) 
- Panda ([YWHWXSW2014]) 
- PRESENT (CiliPadi [ZJRRS2019], PHOTON [BCDGNPY2019], ORANGE [CN2019]) ([BKLPPRSV2007]) 
- GIFT (Fountain_1, HYENA [CDJN2019], TGIF [IKMPSSS2019]) ([BPPSST2017]) 
- Fountain_1, Fountain_2, Fountain_3, Fountain_4 ([Zha2019]) 
- Pride ([ADKLPY2014]) 
- PRINCE ([BCGKKKLNPRRTY2012]) 
- Prost ([KLLRSY2014]) 
- Qarma_sigma0, Qarma_sigma1 (Qameleon [ABBDHR2019]), Qarma_sigma2 ([Ava2017]) 
- REC_0 (earlier version of [ZBLRYV2015]) 
- Rectangle ([ZBLRYV2015]) 
- SC2000_4 ([SYYTIYTT2002]) 
- SKINNY_4 (ForkSkinny_4 [ALPRRV2019], Remus_4 [IKMP2019A]) ([BJKLMPSSS2016]) 
- TWINE ([SMMK2013]) 
- Luffa_v1 ([DCSW2008]) 
- Luffa ([DCSW2008]) 
- BLAKE_1, …, BLAKE_9 ([AHMP2008]) 
- JH_S0, JH_S1 ([Wu2009]) 
- SMASH_256_S1, …, SMASH_256_S3 ([Knu2005]) 
- Anubis_S0, Anubis_S1 ([BR2000a]) 
- CLEFIA_SS0, …, CLEFIA_SS3 ([SSAMI2007]) 
- Enocoro_S4 ([WFYTP2008]) 
- Iceberg_S0, Iceberg_S1 ([SPRQL2004]) 
- Khazad_P, Khazad_Q ([BR2000b]) 
- Whirlpool_E, Whirlpool_R ([BR2000c]) 
- CS_cipher_F, CS_cipher_G ([SV2000]) 
- Fox_S1, …, Fox_S3 ([VJ2004]) 
- Twofish_Q0_T0, …, Twofish_Q0_T3, Twofish_Q1_T0, …, Twofish_Q1_T3 ([SKWWHF1998]) 
- Kuznyechik_nu0, Kuznyechik_nu1, Kuznyechik_sigma, Kuznyechik_phi ([BPU2016]) 
- UDCIKMP11 ([UDCIKMP2011]) 
- Optimal_S0, …, Optimal_S15 ([LP2007]) 
- Serpent_type_S0, …, Serpent_type_S19 ([LP2007]) 
- Golden_S0, …, Golden_S3 ([Saa2011]) 
- representatives for all 302 affine equivalence classes ([dCa2007]) 
 
- 3 bit to 3 bit
- SEA ([SPGQ2006]) 
- PRINTcipher ([KLPR2010]) 
- Pyjamask_3 ([GJKPRSS2019]) 
 
Additionally this modules offers a dictionary \(sboxes\) of all implemented above S-boxes for the purpose of easy iteration over all available S-boxes.
EXAMPLES:
We can print the S-Boxes with differential uniformity 2:
sage: from sage.crypto.sboxes import sboxes
sage: sorted(name for name, s in sboxes.items()
....:     if s.differential_uniformity() == 2)
['APN_6',
 'Fides_5',
 'Fides_6',
 'PRINTcipher',
 'Pyjamask_3',
 'SC2000_5',
 'SEA',
 'Shamash']
>>> from sage.all import *
>>> from sage.crypto.sboxes import sboxes
>>> sorted(name for name, s in sboxes.items()
...     if s.differential_uniformity() == Integer(2))
['APN_6',
 'Fides_5',
 'Fides_6',
 'PRINTcipher',
 'Pyjamask_3',
 'SC2000_5',
 'SEA',
 'Shamash']
AUTHOR:
- Leo Perrin: initial collection of sboxes 
- Friedrich Wiemer (2017-05-12): refactored list for inclusion in Sage 
- Lukas Stennes (2019-06-25): added NIST LWC round 1 candidates 
- sage.crypto.sboxes.bracken_leander(n)[source]¶
- Return the Bracken-Leander construction. - For n = 4*k and odd k, the construction is \(x \mapsto x^{2^{2k} + 2^k + 1}\) over \(\GF{2^n}\) - INPUT: - n– size of the S-Box
 - EXAMPLES: - sage: from sage.crypto.sboxes import bracken_leander sage: sbox = bracken_leander(12); [sbox(i) for i in range(8)] [0, 1, 2742, 4035, 1264, 408, 1473, 1327] - >>> from sage.all import * >>> from sage.crypto.sboxes import bracken_leander >>> sbox = bracken_leander(Integer(12)); [sbox(i) for i in range(Integer(8))] [0, 1, 2742, 4035, 1264, 408, 1473, 1327] 
- sage.crypto.sboxes.carlet_tang_tang_liao(n, c=None, bf=None)[source]¶
- Return the Carlet-Tang-Tang-Liao construction. - See [CTTL2014] for its definition. - INPUT: - n– integer; the bit length of inputs and outputs, has to be even and \(\geq 6\)
- c– element of \(\GF{2^{n-1}}\) used in the construction (default: random element)
- f– function from \(\GF{2^n} \to \GF{2}\) or BooleanFunction on \(n-1\) bits (default:- x -> (1/(x+1)).trace()))
 - EXAMPLES: - sage: from sage.crypto.sboxes import carlet_tang_tang_liao as cttl sage: cttl(6).differential_uniformity() in [4, 64] True - >>> from sage.all import * >>> from sage.crypto.sboxes import carlet_tang_tang_liao as cttl >>> cttl(Integer(6)).differential_uniformity() in [Integer(4), Integer(64)] True 
- sage.crypto.sboxes.chi(n)[source]¶
- Return the \(\chi\) function defined over \(\GF{2^n}\) used in the nonlinear layer of Keccak and Xoodyak. - INPUT: - n– size of the S-Box
 - EXAMPLES: - sage: from sage.crypto.sboxes import chi sage: chi(3) (0, 3, 6, 1, 5, 4, 2, 7) sage: chi(3).is_permutation() True sage: chi(4).is_permutation() False sage: chi(5) (0, 9, 18, 11, 5, 12, 22, 15, 10, 3, 24, 1, 13, 4, 30, 7, 20, 21, 6, 23, 17, 16, 2, 19, 26, 27, 8, 25, 29, 28, 14, 31) - >>> from sage.all import * >>> from sage.crypto.sboxes import chi >>> chi(Integer(3)) (0, 3, 6, 1, 5, 4, 2, 7) >>> chi(Integer(3)).is_permutation() True >>> chi(Integer(4)).is_permutation() False >>> chi(Integer(5)) (0, 9, 18, 11, 5, 12, 22, 15, 10, 3, 24, 1, 13, 4, 30, 7, 20, 21, 6, 23, 17, 16, 2, 19, 26, 27, 8, 25, 29, 28, 14, 31) 
- sage.crypto.sboxes.gold(n, i)[source]¶
- Return the Gold function defined by \(x \mapsto x^{2^i + 1}\) over \(\GF{2^n}\). - INPUT: - n– size of the S-Box
- i– positive integer
 - EXAMPLES: - sage: from sage.crypto.sboxes import gold sage: gold(3, 1) (0, 1, 3, 4, 5, 6, 7, 2) sage: gold(3, 1).differential_uniformity() 2 sage: gold(4, 2) (0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1) - >>> from sage.all import * >>> from sage.crypto.sboxes import gold >>> gold(Integer(3), Integer(1)) (0, 1, 3, 4, 5, 6, 7, 2) >>> gold(Integer(3), Integer(1)).differential_uniformity() 2 >>> gold(Integer(4), Integer(2)) (0, 1, 6, 6, 7, 7, 7, 6, 1, 7, 1, 6, 1, 6, 7, 1) 
- sage.crypto.sboxes.inversion(n)[source]¶
- Return the S-Box constructed from the inversion mapping over \(\GF{2^n}\) extending \(0 \mapsto 0\). - INPUT: - n– size of the S-Box
 - EXAMPLES: - sage: from sage.crypto.sboxes import inversion sage: S4 = inversion(4) sage: S4.differential_uniformity() 4 sage: S5 = inversion(5) sage: S5.differential_uniformity() 2 - >>> from sage.all import * >>> from sage.crypto.sboxes import inversion >>> S4 = inversion(Integer(4)) >>> S4.differential_uniformity() 4 >>> S5 = inversion(Integer(5)) >>> S5.differential_uniformity() 2 
- sage.crypto.sboxes.kasami(n, i)[source]¶
- Return the Kasami function defined by \(x \mapsto x^{2^{2i} - 2^i + 1}\) over \(\GF{2^n}\). - INPUT: - n– size of the S-Box
- i– positive integer
 - EXAMPLES: - sage: from sage.crypto.sboxes import kasami sage: kasami(3, 1) (0, 1, 3, 4, 5, 6, 7, 2) sage: from sage.crypto.sboxes import gold sage: kasami(3, 1) == gold(3, 1) True sage: kasami(4, 2) (0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12) sage: kasami(4, 2) != gold(4, 2) True - >>> from sage.all import * >>> from sage.crypto.sboxes import kasami >>> kasami(Integer(3), Integer(1)) (0, 1, 3, 4, 5, 6, 7, 2) >>> from sage.crypto.sboxes import gold >>> kasami(Integer(3), Integer(1)) == gold(Integer(3), Integer(1)) True >>> kasami(Integer(4), Integer(2)) (0, 1, 13, 11, 14, 9, 6, 7, 10, 4, 15, 2, 8, 3, 5, 12) >>> kasami(Integer(4), Integer(2)) != gold(Integer(4), Integer(2)) True 
- sage.crypto.sboxes.monomial_function(n, e)[source]¶
- Return an S-Box as a function \(x^e\) defined over \(\GF{2^n}\). - INPUT: - n– size of the S-Box (i.e. the degree of the finite field extension)
- e– exponent of the monomial function
 - EXAMPLES: - sage: from sage.crypto.sboxes import monomial_function sage: S = monomial_function(7, 3) sage: S.differential_uniformity() 2 sage: S.input_size() 7 sage: S.is_permutation() True - >>> from sage.all import * >>> from sage.crypto.sboxes import monomial_function >>> S = monomial_function(Integer(7), Integer(3)) >>> S.differential_uniformity() 2 >>> S.input_size() 7 >>> S.is_permutation() True 
- sage.crypto.sboxes.niho(n)[source]¶
- Return the Niho function over \(\GF{2^n}\). - It is defined by \(x \mapsto x^{2^t + 2^s - 1}\) with \(s = t/2\) if t is even or \(s = (3t+1)/2\) if t is odd. - INPUT: - n– size of the S-Box
 - EXAMPLES: - sage: from sage.crypto.sboxes import niho sage: niho(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: niho(3).differential_uniformity() 2 - >>> from sage.all import * >>> from sage.crypto.sboxes import niho >>> niho(Integer(3)) (0, 1, 7, 2, 3, 4, 5, 6) >>> niho(Integer(3)).differential_uniformity() 2 
- sage.crypto.sboxes.v(n)[source]¶
- Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\). - INPUT: - n– size of the S-Box
 - EXAMPLES: - sage: from sage.crypto.sboxes import welch sage: welch(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: welch(3).differential_uniformity() 2 - >>> from sage.all import * >>> from sage.crypto.sboxes import welch >>> welch(Integer(3)) (0, 1, 7, 2, 3, 4, 5, 6) >>> welch(Integer(3)).differential_uniformity() 2 
- sage.crypto.sboxes.welch(n)[source]¶
- Return the Welch function defined by \(x \mapsto x^{2^{(n-1)/2} + 3}\) over \(\GF{2^n}\). - INPUT: - n– size of the S-Box
 - EXAMPLES: - sage: from sage.crypto.sboxes import welch sage: welch(3) (0, 1, 7, 2, 3, 4, 5, 6) sage: welch(3).differential_uniformity() 2 - >>> from sage.all import * >>> from sage.crypto.sboxes import welch >>> welch(Integer(3)) (0, 1, 7, 2, 3, 4, 5, 6) >>> welch(Integer(3)).differential_uniformity() 2