Description
Steps To Reproduce
Run
```sage
# Part 1
from sage.crypto.sboxes import AES
F.<a> = GF(2^8, modulus=x^8 + x^4 + x^3 + x + 1)
poly = AES.interpolation_polynomial(F)
print(poly)
# Part 2
sr = mq.SR(1,2,2,4, allow_zero_inversions=True)
K = sr.k
S = sr.sbox(inversion_only=True)
print([k * S(k) for k in K])
```
Expected Behavior
First part:
(a^2 + 1)*x^254 + (a^3 + 1)*x^253 + (a^7 + a^6 + a^5 + a^4 + a^3 + 1)*x^251 + (a^5 + a^2 + 1)*x^247 + (a^7 + a^6 + a^5 + a^4 + a^2)*x^239 + x^223 + (a^7 + a^5 + a^4 + a^2 + 1)*x^191 + (a^7 + a^3 + a^2 + a + 1)*x^127 + a^6 + a^5 + a + 1
Second part:
[0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
Actual Behavior
First part:
(a^4 + a)*x^254 + (a^7 + a^6 + a^5)*x^253 + (a^4 + a^3)*x^252 + (a^7 + a^6 + a^5 + a^4 + a^2 + 1)*x^251 + (a^6 + a^3 + a^2)*x^250 + (a^7 + a^6 + a^5)*x^249 + (a^7 + a^6 + a^4 + a^3 + a^2)*x^248 + (a^7 + a + 1)*x^247 + (a^7 + a^5 + a^4 + a^3 + 1)*x^246 + (a^6 + a^4 + a^2)*x^245 + (a^2 + 1)*x^244 + a^3*x^243 + (a^4 + a^2 + 1)*x^242 + (a^7 + a^5 + a^2)*x^241 + (a^4 + a^2 + 1)*x^240 + (a^4 + a^3 + 1)*x^239 + (a^6 + a^4 + 1)*x^238 + (a^3 + a^2 + a + 1)*x^237 + (a^6 + a^5 + a^2 + a + 1)*x^236 + (a^4 + a^3 + a^2 + 1)*x^235 + (a^6 + a^5 + a^3 + a + 1)*x^234 + (a^7 + a^6 + a^4 + a^2 + a)*x^233 + a^7*x^232 + (a^7 + a^6 + a^4 + a^3 + a)*x^231 + (a^7 + a^4 + a^3 + a^2 + a + 1)*x^230 + (a^6 + a^5 + a + 1)*x^229 + (a^7 + a^4 + a^3 + a)*x^228 + (a^7 + a^6 + a^4 + a^3 + a + 1)*x^227 + (a^5 + a^4 + a^3 + a + 1)*x^226 + (a^6 + a^2 + 1)*x^225 + (a^4 + a^3 + 1)*x^224 + (a^7 + a^5 + a^4 + a)*x^223 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2 + a)*x^222 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2)*x^221 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2)*x^220 + (a^7 + a^5 + 1)*x^219 + (a^7 + a^6 + a^5 + a^2)*x^218 + a*x^217 + (a^5 + a^3 + a^2 + 1)*x^216 + (a^3 + a^2 + a + 1)*x^215 + (a^7 + a^2 + a + 1)*x^214 + (a^7 + a^5 + a^2)*x^213 + (a^7 + a^4 + a^2 + a + 1)*x^212 + (a^7 + a^6 + 1)*x^211 + (a^5 + a + 1)*x^210 + (a^5 + a^4 + a^3 + a^2 + a + 1)*x^209 + (a^6 + a^3 + a)*x^208 + (a^5 + a^3 + a^2 + a)*x^207 + (a^7 + a^5 + a^3)*x^206 + (a^7 + a^5 + a^2)*x^205 + (a^7 + a^4 + a^3 + a^2)*x^204 + (a^6 + a^5 + a^4 + a^2 + 1)*x^203 + (a^6 + a^2 + 1)*x^202 + (a^7 + a^6)*x^201 + (a^7 + a^6 + a^5 + a^2 + 1)*x^200 + (a^7 + a^5 + a^3 + a^2 + a)*x^199 + (a^7 + a^6 + a^3 + a)*x^198 + (a^7 + a^6 + a^3 + a^2 + 1)*x^197 + (a^6 + a^4 + a^2 + a)*x^196 + (a^6 + a^5 + a^2 + a + 1)*x^195 + (a^7 + a^6 + a^3 + 1)*x^194 + (a^6 + a^4 + a^3)*x^193 + (a^5 + a^4 + a^2 + a + 1)*x^192 + (a^3 + a + 1)*x^191 + (a^6 + a^5 + a^2)*x^190 + (a^4 + a^3 + a + 1)*x^189 + (a^6 + a^4 + a + 1)*x^188 + (a^6 + a^3 + a^2 + a + 1)*x^187 + (a^6 + a^5 + a^4 + a^3 + 
a^2 + 1)*x^186 + (a^4 + a^3 + a^2 + a + 1)*x^185 + (a^7 + a^6 + a^4 + a^3 + a^2 + 1)*x^184 + (a^7 + a^6 + a^3 + a + 1)*x^183 + (a^6 + a^5 + a^4 + a^3 + a^2 + 1)*x^182 + (a^7 + a^2 + a + 1)*x^181 + (a^6 + a^3 + a + 1)*x^180 + (a^6 + a^5 + a^3 + a^2)*x^179 + (a^4 + a^2 + a)*x^178 + (a^6 + a^4 + a^2 + a + 1)*x^177 + (a^2 + a + 1)*x^176 + (a^7 + a^5 + a^4 + a + 1)*x^175 + (a^7 + a^5 + a^4 + 1)*x^174 + (a^3 + a^2 + 1)*x^173 + (a^6 + a^2)*x^172 + (a^6 + a^5 + a^3 + a^2 + a + 1)*x^171 + (a^7 + a^6 + a^5 + a^4 + 1)*x^170 + (a^7 + a^5 + a^4 + a^2)*x^169 + (a^5 + a^4 + a + 1)*x^168 + (a^7 + a^4 + a^3 + 1)*x^167 + (a^7 + a^6 + a^5 + a^4)*x^166 + (a^5 + a^4 + a^3 + a^2)*x^165 + (a^7 + a^6 + a^4 + a^2 + 1)*x^164 + (a^7 + a^5 + a^3 + a + 1)*x^163 + (a^7 + a^4 + a^2 + a)*x^162 + (a^5 + a^4 + a + 1)*x^161 + (a^7 + a^6 + a^5 + a^3)*x^160 + (a^7 + a^6 + a^3 + a)*x^159 + (a^7 + a^6 + a^5 + a^3 + a)*x^158 + (a^7 + a^6 + a^4 + a)*x^157 + x^156 + (a^6 + a^5 + a^4)*x^155 + (a^7 + a^5 + a^3 + a)*x^154 + (a^7 + a^6 + a^5 + a^3 + a^2 + a)*x^153 + (a^7 + a^5 + a^2 + a + 1)*x^152 + (a^7 + a^6 + a^4 + a)*x^151 + (a^6 + a^2)*x^150 + x^149 + (a^6 + a^5 + a^4 + 1)*x^148 + (a^7 + a^4 + 1)*x^147 + (a^7 + a^4 + a^3 + a)*x^146 + (a^6 + a^2 + 1)*x^145 + (a^6 + a^5 + a^4 + a^3 + 1)*x^144 + (a^7 + a^5 + a^4 + a^3 + a^2)*x^143 + (a^7 + a^6 + a^5 + a^3)*x^142 + (a^7 + a^6 + a^5 + a^4 + a^2 + a)*x^141 + (a^7 + a^6 + a^4 + 1)*x^140 + (a^7 + a^6 + a^5 + a^4 + 1)*x^139 + (a^5 + a^4 + a^3 + a^2 + 1)*x^138 + (a^6 + a^5 + a^4 + a^2 + a)*x^137 + a^6*x^136 + (a^6 + a^5 + a^4 + a^3 + a^2)*x^135 + (a^5 + a^3 + 1)*x^134 + (a + 1)*x^133 + (a^6 + a^5 + a^3 + a + 1)*x^132 + (a^7 + a^6 + a^5 + a^2)*x^131 + (a^5 + a^2 + a + 1)*x^130 + (a^5 + 1)*x^129 + (a^7 + a^6 + a^5 + 1)*x^128 + (a^6 + a^5 + a^4 + a^2 + a + 1)*x^127 + (a^4 + a + 1)*x^126 + (a^6 + a^5 + a^4 + a^3 + a^2 + 1)*x^125 + (a^7 + a^6 + a)*x^124 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2)*x^123 + (a^5 + a^2 + 1)*x^122 + (a^7 + a^5 + a^3 + a + 1)*x^121 + (a^6 + a^4 + 
a^3 + a^2 + a + 1)*x^120 + (a^3 + a)*x^119 + (a^6 + a^4 + 1)*x^118 + (a^7 + a^4 + a^3 + a^2 + a)*x^117 + (a^6 + a^5 + 1)*x^116 + (a^7 + a^6 + a^5 + a^4 + a^2 + a + 1)*x^115 + (a^6 + a^5 + a^4 + a^3 + a^2)*x^114 + (a^7 + a^4 + a^3)*x^113 + (a^7 + a^5 + a)*x^112 + (a^4 + a^3 + a^2 + a)*x^111 + (a^6 + a^3 + a^2 + a)*x^110 + (a^6 + a^4 + a^2)*x^109 + (a^6 + a^4 + a^3 + a^2 + 1)*x^108 + (a^7 + a^6 + a^4 + a^3)*x^107 + (a^7 + a^4 + a^2 + 1)*x^106 + (a^7 + a^6)*x^105 + (a^6 + a^5 + 1)*x^104 + (a^6 + a^4 + 1)*x^103 + (a^3 + a^2)*x^102 + (a^6 + a^5 + a^4 + a^3 + a)*x^101 + (a^7 + a^2 + a)*x^100 + (a^5 + a^4 + a^2)*x^99 + (a^7 + a^4 + a^3 + a + 1)*x^98 + (a^7 + a^3 + a + 1)*x^97 + (a^5 + a^4 + a^2 + a)*x^96 + (a^7 + a^5 + a^4 + a^3 + a^2 + a)*x^95 + (a^6 + a^5 + a^3 + a^2 + a + 1)*x^94 + (a^6 + a^5 + a^4 + a^3 + a^2)*x^93 + (a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*x^92 + (a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*x^91 + (a^7 + a^6 + a^5 + a^2 + a + 1)*x^90 + a^3*x^89 + (a^7 + a^6 + a^5 + a^4 + a^2 + a + 1)*x^88 + (a^6 + a^5 + a^4 + a)*x^87 + (a^7 + a^6 + a^5 + a^3 + a^2)*x^86 + (a^7 + a^5 + a^4 + a^2)*x^85 + (a^7 + a^6 + a^4 + a^2 + a)*x^84 + (a^7 + a^2 + 1)*x^83 + a^6*x^82 + (a^7 + a^6 + a^5 + a^4)*x^81 + (a^5 + a^2 + 1)*x^80 + (a^6 + a^4 + a^3 + a^2)*x^79 + (a^7 + a^5 + a^4 + a + 1)*x^78 + (a^7 + a^6 + a^4 + a^3 + a)*x^77 + (a^7 + a^6 + a^4 + a^2 + a + 1)*x^76 + (a^7 + a^6 + a^5 + a^3 + a)*x^75 + (a^6 + a^4 + a^3 + 1)*x^74 + (a^6 + a^5 + 1)*x^73 + (a^5 + a^4 + a^3 + a^2)*x^72 + (a^4 + a^3 + a^2)*x^71 + (a^7 + a^6 + a^4 + a^3)*x^70 + (a^7 + a^4 + a^2)*x^69 + (a^7 + a^3 + a)*x^68 + (a^7 + a^4 + a^3 + a^2 + a)*x^67 + (a^7 + a^6 + a^4 + a + 1)*x^66 + (a^6 + a^4 + a^3 + a^2 + 1)*x^65 + (a^7 + a^5 + a^4 + a^3)*x^64 + (a^7 + a^4 + a^3 + a)*x^63 + (a^7 + a^6 + a^3 + 1)*x^62 + (a^6 + a^4 + a^3 + a^2)*x^61 + (a^5 + a^4 + a^2 + a + 1)*x^60 + (a^7 + a^5 + a^4 + a + 1)*x^59 + (a^7 + a^5 + a^4 + a^2 + a + 1)*x^58 + (a^7 + a^6 + a^5 + a^3 + a^2 + 1)*x^57 + (a^6 + a)*x^56 + (a^6 + a^4 + a^3 + 
1)*x^55 + (a^4 + a^3 + a^2 + 1)*x^54 + (a^3 + a)*x^53 + (a^7 + a^6 + a^5 + a^4 + a^2 + a + 1)*x^52 + (a^7 + a^6 + a^4 + a^2)*x^51 + (a^4 + a^3 + a^2 + a + 1)*x^50 + (a^7 + a^5 + a^2 + 1)*x^49 + (a^7 + a^5 + a^4)*x^48 + (a^7 + a^4 + a^2)*x^47 + (a^6 + a^5)*x^46 + (a^5 + a^4 + a^3 + a + 1)*x^45 + (a^5 + a^4 + a^2 + 1)*x^44 + (a^5 + a^4 + a^3 + a)*x^43 + (a^4 + a^3 + a^2 + a + 1)*x^42 + (a^6 + a^5 + a^3 + a^2)*x^41 + (a^7 + a^6 + a^4 + a^3 + a)*x^40 + (a^7 + a^6 + a^4 + a^2 + a + 1)*x^39 + (a^4 + a^3 + a^2 + 1)*x^38 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*x^37 + a^3*x^36 + (a^7 + a^5 + a^4 + a^3 + a^2 + a + 1)*x^35 + (a^6 + a^5 + a^3)*x^34 + (a^7 + a^6 + a^4 + a^3)*x^33 + (a^6 + a^5 + a^2 + 1)*x^32 + (a^7 + a^3 + a^2 + 1)*x^31 + (a^6 + a^5 + a^4 + a)*x^30 + (a^6 + a^5 + a^4 + a^3 + 1)*x^29 + (a^7 + a^4 + a^3 + a^2 + 1)*x^28 + (a^4 + a^2 + a + 1)*x^27 + (a^7 + a^4 + a^3 + a^2 + a)*x^26 + (a^5 + a^3 + 1)*x^25 + (a^7 + a^6 + a^5 + a^4 + a^3 + 1)*x^24 + (a^5 + a^3 + a^2)*x^23 + (a^6 + a^2 + a + 1)*x^22 + (a^5 + a^4 + 1)*x^21 + (a^5 + a)*x^20 + (a^7 + a^6 + a^5 + a^3 + a^2)*x^19 + (a^7 + a^4 + a^3 + a + 1)*x^18 + (a^6 + a^5 + a^4 + a^3 + a + 1)*x^17 + (a^6 + a)*x^16 + (a^7 + a^6 + a^4 + a^3 + a^2 + a + 1)*x^15 + (a^5 + a^4 + a)*x^14 + (a^7 + a^6 + a^3)*x^13 + (a^5 + a^3 + a + 1)*x^12 + (a^6 + a^5 + a^3 + a + 1)*x^11 + (a^7 + a^6 + a + 1)*x^10 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*x^9 + (a^7 + a^6 + a^3 + a^2 + 1)*x^8 + (a^7 + a^6 + a^4 + a^3 + a^2 + 1)*x^7 + (a^6 + a^5 + a^4 + a + 1)*x^6 + (a^7 + a^4 + a^3 + a^2)*x^5 + (a^7 + a^5 + a^4 + a^3 + 1)*x^4 + (a^3 + a + 1)*x^3 + (a^6 + a^5 + a^4 + a^2 + a + 1)*x^2 + (a^7 + a^6 + a^5 + a^3)*x + a^7 + a^6 + a^2 + a
Second part:
[0, a^2 + 1, a, a^3 + a^2, a^3 + a^2 + a + 1, a, a, a^2 + 1, a^3 + a^2 + a + 1, a^3 + a + 1, a, a, a^3 + a^2 + a + 1, a^3 + a + 1, a, a^3 + a^2 + a + 1]
Additional Information
The first part should give the correct polynomial for AES. This can be found online such as here: https://crypto.stackexchange.com/questions/18199/polynomial-representation-of-the-affine-part-of-the-aes-s-box. Instead, the polynomial returned is much longer than it should be.
In the second part, the returned sbox should be
When investigating #38298, I discovered the above problems. They all rely on the `__call__` function of the sbox where finite field elements are in big endian instead of little endian. The change to big endian was mentioned in #25633. Unfortunately, some existing older code was not updated and led to the problems seen here. (#25633 (comment) foreshadows this.) It is no longer easy to change back to little endian since the newer PRESENT and DES modules now rely on the sbox module being big endian.
Possible solutions?
1. Change back to using little endian for finite field elements + update new code
2. Move handling finite field elements to a separate function that is always little endian
3. Support the option to use both big endian and little endian in older code
I like solution 1 because I prefer to work in little endian and it avoids weird results such as...
```sage
K(1) == 1 # True
S(K(1)) == S(1) # False
```
... where the output of the sbox depends on the input's type rather than its value. However, I am aware that changing it again would probably cause more problems.
Environment
- **OS**: Debian
- **Sage Version**: 10.5.beta1
Also tested on https://sagecell.sagemath.org/
Checklist
- I have searched the existing issues for a bug report that matches the one I want to file, without success.
- I have read the documentation and troubleshoot guide
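
The bit-order mismatch described in this report can be modelled in plain Python. This is an added example, not Sage's code and not part of the original report: it assumes GF(2^4) with modulus a^4 + a + 1, and the names `gf_mul`, `gf_inv`, `rev`, `sbox_call` and `products` are hypothetical. It builds an inversion table indexed by little-endian integers, then converts field elements to table indices with either bit order, so the exact values differ from Sage's output.

```python
# Added illustration (not Sage's code): GF(2^4) = GF(2)[a]/(a^4 + a + 1),
# elements held as little-endian ints (bit i = coefficient of a^i).
E, MOD = 4, 0b10011  # assumed field size and modulus

def gf_mul(x, y):
    """Multiply two field elements (carry-less multiply, reduce by MOD)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> E:
            x ^= MOD
    return r

def gf_inv(x):
    """Inverse as x^(2^E - 2); maps 0 to 0, like allow_zero_inversions."""
    r = 1
    for _ in range(2**E - 2):
        r = gf_mul(r, x)
    return r

def rev(x):
    """Reverse the E coefficient bits: little-endian <-> big-endian index."""
    return int(format(x, f"0{E}b")[::-1], 2)

TABLE = [gf_inv(i) for i in range(2**E)]  # lookup table, little-endian indices

def sbox_call(x, is_field_element, big_endian):
    """Model of a table S-box call that accepts ints or field elements.
    Ints index the table directly; field elements are converted to an
    index (and the result back) using the chosen bit order."""
    if not is_field_element or not big_endian:
        return TABLE[x]
    return rev(TABLE[rev(x)])

def products(big_endian):
    """k * S(k) for every field element k, as in the report's second part."""
    return [gf_mul(k, sbox_call(k, True, big_endian)) for k in range(2**E)]

if __name__ == "__main__":
    print(products(False))  # consistent bit order: 0 followed by all ones
    print(products(True))   # mismatched bit order: no longer all ones
    print(sbox_call(1, False, True), sbox_call(1, True, True))  # type-dependent
```

A regression test for any of the proposed solutions can assert both properties shown here: `k * S(k) == 1` for every nonzero `k`, and `S(K(i)) == S(i)` for matching integer and field-element inputs.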