# HG changeset patch
# User Minh Van Nguyen <nguyenminh2@gmail.com>
# Date 1244063741 25200
# Node ID 689dd263587e61791ba6eecd8cdcf808921dae94
# Parent bd947776c71906b6235ea36126c5d32d27d2cfdc
trac 6139: reviewer patch
diff r bd947776c719 r 689dd263587e sage/crypto/mq/sbox.py
1  1  r""" 
2   SBoxes and Their Algebraic Representations. 
 2  SBoxes and Their Algebraic Representations 
3  3  """ 
4  4  
5  5  from sage.combinat.integer_vector import IntegerVectors 
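Review bot: the module title keeps the spelling "SBoxes" while the method docstrings touched later in this same patch write "this Sbox"; since the patch is already editing both places, pick one spelling (the class is named SBox, so "SBox"/"SBoxes" in prose is the natural choice) and apply it throughout rather than leaving the title and the method text disagreeing. Dropping the trailing period from the title line is correct for a Sage module docstring heading.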
… 
… 

38  38  Note that by default bits are interpreted in big endian 
39  39  order. This is not consistent with the rest of Sage, which has a 
40  40  strong bias towards little endian, but is consistent with most 
41   cryptographic literature.:: 
 41  cryptographic literature:: 
42  42  
43  43  sage: S([0,0,0,1]) 
44  44  [0, 1, 0, 1] 
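Review bot: the "literature.::" to "literature::" change is the right fix, and worth keeping as a pattern for the rest of the file: in reST a paragraph ending in "::" renders as a single ":" and opens the literal block, whereas ".::" leaves a visible ".:" in the built docs and still opens the block. While on this paragraph, the sentence about big endian bit order would be clearer if it stated explicitly that the first list element is the most significant bit, since the doctest S([0,0,0,1]) -> [0, 1, 0, 1] that follows is the only place a reader can infer that.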
… 
… 

236  236  """ 
237  237  Apply substitution to ``X``. 
238  238  
239   If X is a list, it is interpreted as a sequence of bits 
 239  If ``X`` is a list, it is interpreted as a sequence of bits 
240  240  depending on the bit order of this Sbox. 
241  241  
242   INPUT:: 
 242  INPUT: 
243  243  
244  244   ``X``  either an integer, a tuple of `\GF{2}` elements of 
245  245  length ``len(self)`` or a finite field element in 
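Review bot: the prose and the INPUT block in this hunk disagree about the accepted type. Line 239 says "If ``X`` is a list, it is interpreted as a sequence of bits", but the INPUT entry describes ``X`` as "a tuple of `\GF{2}` elements of length ``len(self)``", and the doctest earlier in the file calls S([0,0,0,1]) with a list. If both are accepted, say "a list or tuple" in both places; if only one is, the other sentence is wrong. Changing "INPUT::" to "INPUT:" is correct, since the entries that follow are a bullet list rather than a literal block.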
… 
… 

374  374  The rows of ``A`` encode the differences ``Delta I`` of the 
375  375  input and the columns encode the difference ``Delta O`` for 
376  376  the output. The bits are ordered according to the endianess of 
377   this Sbox. The value at ``A[Delta I,Delta O]`` encoded how 
 377  this Sbox. The value at ``A[Delta I,Delta O]`` encodes how 
378  378  often ``Delta O`` is the actual output difference given 
379  379  ``Delta I`` as input difference. 
380  380  
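Review bot: "encoded" to "encodes" fixes the tense, but line 376 in the same docstring still has "endianess", which should be "endianness"; fix it in this patch since the paragraph is already being touched. It would also help to state the indexing convention once: the text says rows are ``Delta I`` and columns are ``Delta O``, so ``A[Delta I,Delta O]`` reads as row then column, which matches Sage matrix indexing, but a reader comparing against a differential distribution table in a paper (where the axes are sometimes swapped) benefits from the explicit reminder.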
… 
… 

469  469  [ 0 2 2 0 2 0 0 2] 
470  470  
471  471  According to this matrix the first bit of the input is equal 
472   to the third bit of the output 6 out of 8 times.:: 
 472  to the third bit of the output 6 out of 8 times:: 
473  473  
474  474  sage: for i in srange(8): print S.to_bits(i)[0] == S.to_bits(S(i))[2] 
475  475  False 
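Review bot: the "times.::" to "times::" fix is correct. The doctest it introduces prints eight True/False lines, which leaves the reader to count them to confirm the "6 out of 8 times" claim in the sentence above; a single-line doctest that checks the count directly, e.g. `sage: sum(S.to_bits(i)[0] == S.to_bits(S(i))[2] for i in srange(8))` expecting `6`, asserts the stated property itself and is far less brittle if the print formatting ever changes.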
… 
… 

645  645  
646  646  We can get a direct representation by computing a 
647  647  lexicographical Groebner basis with respect to the right 
648   variable ordering, i.e. a variable orderings where the output 
 648  variable ordering, i.e. a variable ordering where the output 
649  649  bits are greater than the input bits:: 
650  650  
651  651  sage: P.<y0,y1,y2,x0,x1,x2> = PolynomialRing(GF(2),6,order='lex') 
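Review bot: the "orderings" to "ordering" fix is right, but the phrase "the right variable ordering" still relies on the reader knowing how lex order works. One sentence stating that in a lex ordering the generators listed first are the largest, so declaring y0,y1,y2 before x0,x1,x2 in `PolynomialRing(GF(2),6,order='lex')` is exactly what makes the output bits greater than the input bits, would tie the prose to the doctest and make the "i.e." clause self-explanatory.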