Aes

Rijndael s-box仿射映射中乘法多項式的選擇

  • March 15, 2018

Rijndael 規範在 7.2 節詳細介紹了 s-box的設計選擇。他們描述了仿射映射的選擇如下:

我們選擇了一個仿射映射,它本身俱有非常簡單的描述,但如果與“逆”映射結合使用,則會產生復雜的代數表達式。它可以看作是模多項式乘法,然後是加法:

$ b(x) = (x^7 + x^6 + x^2 + x) + a(x)(x^7 + x^6 + x^5 + x^4 + 1) $ $ mod $ $ x^8 + 1 $

已選擇模數作為可能的最簡單模數。乘法多項式已從與模互質的多項式集合中選擇,作為具有最簡單描述的多項式。常數的選擇方式使得 S-box 沒有固定點 (S-box( a ) = a ) 並且沒有“相反的固定點” (S-box( a ) = ā )。

乘法多項式是 $ x^7 + x^6 + x^5 + x^4 + 1 $ ,它是不可約的,因此與模數互質 $ x^8 + 1 $ . 逆映射乘法是 $ x^7 + x^5 + x^2 $ .

然而, $ x^7 + x + 1 $ 也是不可約的,並且具有更簡單的表示。它是最簡單的 7 次不可約多項式。它還具有更長的仿射週期(8 對 4),據說效果更好。對於添加的常數有許多有效的選擇,它們導致沒有固定或相反的固定點。逆映射乘法是 $ x^6 + x^5 + x^3 + x^2 + 1 $ ,它與模數互質。

是否有一些明顯的原因沒有使用更簡單的多項式?Rijndael 規範中的含義是它沒有最簡單的描述,但似乎並非如此。我的假設是生成的 s-box 或其逆中的代數表達式缺乏複雜性,但我沒有辦法確定是否是這種情況。

更新

認為原因可能是給定仿射多項式的 s-box 的統計性能,我將其與 $ x^7 + x + 1 $ ,結果如下:

                            AES        x^7 + x + 1
SAC Relative Error           12.5%      9.4%            lower is better
SAC Satisfaction %           67.2%      67.2%           higher is better
Distance to SAC              432        432             lower is better
Negative DSAC                176        152             lower is better

2nd order SAC Rel Err        12.5%      12.5%           lower is better
2nd order SAC Sat %          56.7%      61.2%           higher is better
Dist to 2nd order SAC        1664       1424            lower is better
Negative 2nd order DSAC      844        684             lower is better

AVAL Relative Error          3.52%      3.12%           lower is better
Guaranteed Avalanche         339.2      339.2           my own metric

Bit Independence Rel Err     13.412%    12.856%         lower is better
Bit Independence Sat %       56.2%      63.8%           my own metric

很明顯 $ x^7 + x + 1 $ 與所選多項式相比,在許多 s-box 性能指標上具有更好的結果。

在測試過程中,我還發現 Rijndael s-box 在 0x73 和 0x8F 處具有自逆映射,其中 s-box 和逆 s-box 的輸入產生相同的結果。這意味著可能沒有足夠仔細地選擇附加常數。最佳常數似乎是 0x15。

由於我錯誤地重複了您的問題並且我們都沒有答案,因此我請求幫助作者了解為什麼選擇這樣的參數。

仿射變換是向量空間運算 $ (\mathbb{F}_{2})^8 $ ,並且簡單性來自這樣一個事實,即從一堆可能的變換中,使用的變換也可以描述為多項式環模中的乘積 $ x^8+1 $ .

在矩陣(或多項式視圖中的被乘數常數)必須是可逆的並且向量(或加法常數)既避免固定點又不與固定點相反的標準之上,他們只是從集合中挑選了一些。

當動態計算 S-Box 時,計時功能很有用,但預先計算好它們的差異並不重要(我認為)。

更新: RichieFrame 的 Sbox比 AES Sbox 稍微複雜一些,見下文,在代數表達式下。

我已經在 Magma(在此處輸入連結描述)一個計算代數係統中對此進行了程式。我試圖讓它盡可能詳細。此程式碼可以在連結處的線上計算器上執行。

(a^7 + a^6)*W^255 + (a^6 + a^5 + a^3 + a + 1)*W^254 + (a^4 + a^3)*W^253 >+ (a^6 + a^5)*W^252 + (a^4 + a^2 + 1)*W^251 + (a^6 + a^5 + a^4 + a^2)*W ^250 + (a^3 + a^2 + a + 1)*W^249 + (a^5 + a^4 + a^2)*W^248 + (a^7 + a^6 + a^ 2 + 1)*W^247 + (a^5 + a^4 + a^3 + a^2 + a + 1)*W^246 + (a^7 + a^6 + a^5 + a^ 4 + a^2 + 1)*W^245 + (a^5 + a^4 + a^2)*W^244 + (a^5 + a^4 + a^2 + a + 1)*W ^243 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2 + a)*W^242 + (a^7 + a^6 + a^4 + a) *W^241 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W^240 + (a^6 + a^5 + a^4 + a^3 + a^ 2)*W^239 + (a^6 + a^5 + a^4 + a + 1)*W^238 + (a^6 + a^5 + a^4 + a^2 + a)*W ^237 + (a^3 + a^2 + 1)*W^236 + (a^7 + a^4 + a^2 + 1)*W^235 + (a^5 + a^3 + a^ 2 + a + 1)*W^234 + (a^5 + a^4 + a^3 + a)*W^233 + (a^6 + a^5 + a^4 + a^3 + a^ 2 + a + 1)*W^232 + (a^7 + a^6 + a^4)*W^231 + (a^7 + a^5 + a^2 + 1)W^230 + a ^2W^229 + (a^7 + a + 1)*W^228 + (a^7 + a^6 +a^5 + a^4 + a^2 + 1)*W^227 + (a^7 + a^6 + a^3 + a^2 + a + 1)*W^226 + (a^6 + a^5 + a^4 + a^2 + 1)*W^225 + (a^7 + a^2 + a + 1)*W^224 + (a^7 + a^3 + a)*W ^223 + (a^5 + a^4 + a^3 + a^2 + a)*W^222 + (a^7 + a^6 + a^4 + a^3 + a^2)*W ^221 + (a^6 + a + 1)*W^220 + (a^6 + a^4 + a^3 + a^2 + a)*W^219 + (a^7 + a^6 + a^4 + a^2 + 1)*W^218 + (a^6 + a^5 + a^4 + a^2 + a + 1)*W^217 + (a^7 + a^5 + a^2 + a)*W^216 + (a^7 + a^6 + a^2)*W^215 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*W^214 + (a^5 + a^4 + 1)*W^213 + (a^7 + a^6 + a^2 + a + 1)*W^212 + (a^4 + a)*W^211 + (a^5 + a^3 + a)*W^210 + (a^7 + a^6 + a + 1)*W^209 + (a^ 7 + a^6 + a^5 + a^4)*W^208 + (a^3 + a^2 + a + 1)*W^207 + (a^6 + a^5 + a^3 + 1)*W^206 + (a^4 + a^3 + a^2 + 1)*W^205 + (a^6 + a^4 + a^3 + a + 1)*W^204 + ( a^4 + a^3 + a)*W^203 + (a^7 + a^3 + a^2 +a)*W^202 + (a^7 + a^6 + a^4 + a^3 + a^2 + 1)*W^201 + (a^7 + a^6 + a^5 + a^ 4 + a + 1)*W^200 + (a^7 + a^5 + a^4 + a)*W^199 + (a^7 + a^6 + a^5 + a^4)*W ^198 + (a^5 + a^4 + a^2)*W^197 + (a^5 + a^3)*W^196 + (a^3 + a + 1)*W^195 + ( a^6 + a^5 + a^3 + a^2 + a + 1)*W^194 + (a^7 + a + 1)*W^193 + (a^7 + a^6 + a^ 5 + a)*W^192 + (a^7 + a^6 + a^4 + a + 1)*W^191 + (a^5 + a^3 + a^2 + a)*W^190 + (a^7 + a^6 + a^2 + a + 1)*W^189 + (a^7 + a^5 + 1)*W^188 + (a^7 + a^6 + a^ 4 + a^2 + a)*W^187 + (a^5 + 1)*W^186 + (a^7 + a^3 + a^2 + a + 1)*W^185 + (a^ 7 + a^6 + a^5 + a^3 + a^2 + 1)*W^184 + (a^6 + 1)*W^183 + (a^7 + a^4 + a^3 + 1)*W^182 + (a^7 + a^5 + a^4 + a^3)*W^181 + (a^7 + a^4 + a)*W^180 + (a^7 + a^6 + a^5 + a^3 + a^2 + 1)*W^179 + (a^7 + a^6 + a^2)*W^178 + (a^7 + a^3) *W^177 + (a^7 + a^4 + a^2 + 1)*W^176 + (a^5 +1)*W^175 + (a^6 + a^5 + a^3)*W^174 + (a^6 + a^5 + a + 1)*W^173 + (a^7 + a^ 4 + a^3 + a^2)*W^172 + (a^6 + a^4 + a^3 + 1)*W^171 + (a^5 + a^4 + a + 1)*W ^170 + (a^7 + a^6 + a^4 + a^3 + 1)*W^168 + (a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*W^167 + (a^5 + a^3 + a + 1)*W^166 + (a^7 + a^2)*W^165 + (a^6 + a^5 + a^ 3 + a^2)*W^164 + (a^7 + a^6 + a^5 + a^4)*W^163 + (a^7 + a^3 + a)*W^162 + ( a^7 + a^4 + 1)*W^161 + (a^7 + a^6 + a^5 + a^4 + a^3 + a^2 + a + 1)*W^160 + ( a^7 + a^5 + a^3 + a^2 + a)*W^159 + (a^7 + a^6 + a^5 + a^4 + a^3 + a)*W^158 + (a^5 + a^4 + a^2 + 1)*W^157 + (a^7 + a^5 + a^4 + a + 1)W^156 + a^7W^155 + (a^5 + a)W^154 + a^4W^153 + (a^5 + a^4 + a^3 + a^2 + 1)*W^152 + (a^6 + a^5 + a^3 + 1)*W^151 + (a^6 + a^5 + a^3 + a + 1)*W^150 + (a^4 + a^2 + 1)*W ^149 + (a^6 + a^4 + a^3 + a + 1)*W^148 +(a^6 + a^4 + a^3)*W^147 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W^146 + (a^4 + a ^3 + a^2 + 1)*W^145 + (a^6 + a^5 + a^4 + a^2 + 1)W^144 + (a^4 + a^3 + a) W^142 + (a^6 + a + 1)*W^141 + (a^7 + a^5 + a^3 + a^2 + a)W^140 + (a^6 + 1) W^139 + (a^7 + a^4 + a^2 + a)*W^138 + (a^6 + a^4 + a^3)*W^137 + (a^7 + a^3 + a)*W^136 + (a^7 + a^4 + a^2)*W^135 + (a^6 + a^4 + a^3 + a + 1)*W^134 + (a ^7 + a^6 + a^5 + a^4 + a^3 + a^2)*W^133 + (a^4 + a + 1)*W^132 + (a^7 + a^3 + a + 1)*W^131 + (a^6 + a^5 + 1)*W^130 + (a^7 + a^6 + a^5 + a^2 + a)*W^129 + (a^6 + a^5)*W^128 + (a^7 + a^5 + 1)*W^127 + (a^7 + a^6 + a^5 + 1)*W^126 + (a^6 + a^5 + a^4 + a + 1)*W^125 + (a^6 + a^4 + a)*W^124 + (a^7 + a^6)*W^ 123 + (a^6 + a^4 + a^2)*W^122 + (a^7 + a^6 + a^5 + a^3 + a^2 + a + 1)*W^121 + (a^7 + a^6 + a^4 + a^3 + a + 1)*W^120 + (a^6 +a^5 + a^4 + a^3 + a^2 + a + 1)*W^119 + (a^5 + a^4 + a^2 + 1)*W^118 + (a^6 + a^3 + 1)*W^117 + (a^7 + a^6 + a^5 + a)*W^116 + (a^7 + a^5 + a^3 + a^2 + 1) *W^114 + (a^6 + a^4 + a + 1)*W^113 + (a + 1)*W^112 + (a^4 + a^3 + a^2 + a)*W ^111 + (a^7 + a^6 + a^5 + a^2 + a + 1)*W^110 + (a^6 + a^4 + a)*W^109 + (a^7 + a^6 + a^5 + a^4 + a^2 + a)*W^108 + (a^7 + a^3 + a^2 + 1)*W^107 + (a^7 + a^ 6 + a^5 + a^3 + a^2 + a + 1)*W^106 + (a^7 + a^5 + a)*W^105 + (a^7 + a^6 + a^ 5 + a^2 + 1)*W^104 + (a^7 + a^6 + a^5 + a^2)*W^103 + (a^7 + a^5 + a^3 + a^ 2)*W^102 + (a^7 + a^6 + a^4 + a^3 + a^2 + a + 1)*W^101 + (a^4 + a^3 + a^2 + 1)*W^100 + (a^5 + a^3 + a^2 + 1)*W^99 + (a^6 + a^5 + a^3 + a^2 + a)*W^98 + (a^7 + a^4 + a^3 + a^2 + 1)*W^97 + (a^7 + a^5 + a^4 + a^2)*W^96 + (a^ 4 + a^3 + a^2 + 1)*W^95 + (a^6 + a^5 + a^3 +a^2)*W^94 + (a^6 + a^5 + a^3 + a^2 + 1)*W^93 + (a^6 + a^5 + a^2)*W^92 + (a^6 + a^5 + a^4 + a^2 + 1)*W^91 + (a^7 + a^3 + a^2 + a + 1)*W^90 + (a^ 6 + a^3 + a^2 + a + 1)*W^89 + (a^7 + a^3 + a)*W^88 + (a^5 + a^3 + 1)*W^87 + (a^7 + a^6 + a^5 + a^2 + a)*W^86 + (a^5 + a^4 + a^3 + a^2 + a)*W^85 + ( a^7 + a^6 + a)*W^84 + (a^7 + a^6 + a^2 + a)*W^83 + (a^7 + a^5 + a^2 + 1) *W^82 + (a^7 + a^5 + a^2)*W^81 + (a^7 + a^4 + a^3 + a + 1)*W^80 + (a^7 + a^6 + a^4 + a^2 + 1)*W^79 + (a^7 + a^6 + a^5 + a^3 + a^2 + 1)*W^78 + (a^ 7 + a^5 + a^3 + a^2 + a + 1)*W^77 + (a^6 + a^5 + a)*W^76 + (a^6 + a^5 + a^ 4)*W^75 + (a^7 + a^5 + a^4)*W^74 + (a^5 + a^4 + a^2 + a + 1)*W^73 + (a^ 7 + a^5 + a^4 + a^2 + 1)*W^72 + (a^6 + a^5 + a^2 + 1)*W^71 + (a^5 + a^4 + a^3 + a^2)*W^70 + (a^6 + a^5 + a^3 + a^2 + a + 1)*W^69 + (a^6 + a^5+ 1)*W^68 + (a^5 + a^4 + a^3 + a^2 + 1)W^67 + (a^6 + a^5 + a^3 + a^2) W^66 + (a^7 + a^5 + a^4 + a^3 + a^2 + 1)*W^65 + (a^7 + a^6 + a^5 + a^3 + a ^2)*W^64 + (a^6 + a^5 + a^4 + a^2 + a)*W^63 + (a^5 + a^4)*W^62 + (a^7 + a^6 + a^5 + a^3)W^61 + (a^7 + a^5 + a^2 + a + 1)W^60 + a^3W^59 + a^ 4W^58 + (a^4 + a + 1)*W^57 + (a^6 + a^5 + a^4 + a^3 + 1)W^56 + 一個W^55 + (a^6 + a + 1)*W^54 + (a^6 + a^5 + 1)*W^53 + (a^7 + a^6 + a^5 + a^4 + a^3 + 1)*W^52 + (a^7 + a)*W^51 + (a^7 + a^6 + a^5 + a^3 + 1)*W^50 + (a ^6 + a + 1)*W^49 + (a^5 + a^4 + a^3 + a^2)*W^48 + (a^7 + a^3 + 1)*W^47 + (a^7 + a^5 + a^3 + a^2 + a + 1)*W^46 + (a^7 + a^6 + a^4 + a^2 + a)*W^45 + (a^7 + a^6 + a^5 + a^4 + a^3 + 1)*W^44 + (a^7 + a^6 + a^4 + a^3 + 1)*W^ 43 + (a^7 + a^6 + a^5 + a^2 + a + 1)*W^42 + (a^7 + a^6 + a^3 + a)*W^41 + (a ^6 + a^5 + a^3 + a^2)*W^40 + (a^6 + a^5 + a^4 + a^3 + 1)*W^39 + (a^7 + a ^2 + a)*W^38 + (a^3 + a^2)*W^37 + (a^7 + a^4 + a)W^36 + (a^6 + a + 1) W^35 + (a^6 + a^4 + a^3 + 1)*W^34 + (a^7 + a^5 + a^2 + 1)*W^33 + (a^5 + a ^3 + a^2 + 1)*W^32 + (a^4 + a^3 + 1)*W^31 + (a^7 + a^6 + a^4 + a^3 + a^2 + 1)*W^30 + (a^5 + a^4 + a^3 + a^2)*W^29 + (a^4 + 1)*W^28 + (a^7 + a^6+ a^4)*W^27 + (a^6 + a^4 + a^3)*W^26 + (a^7 + a^5 + a^4 + a^3 + a)*W^ 25 + (a^5 + a^4 + a + 1)*W^24 + (a^4 + a^2)W^23 + (a^7 + a^6 + a^4 + a) W^22 + (a^6 + a^5 + a)*W^21 + (a^6 + a^5 + a^4 + a^2 + a + 1)*W^20 + (a^7 + a^6 + a^4 + a^3 + a + 1)*W^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a ^2 + a)*W^17 + (a^7 + a^6 + a^3 + a^2 + a)W^16 + (a^6 + a^3 + a^2 + 1) W^15 + (a^4 + a^3)*W^14 + (a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a )*W^12 + (a^7 + a^6 + a^4 + a^3 + a^2)W^11 + (a^7 + a^4 + a^2 + a + 1) W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a ^7 + a^6 + a^5 + a^3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a ^4)*W^4 + (a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a ^5 + a^4 + a^3 + a + 1)*W + a^7 + a^6 + a^2 + aa^3)*W^26 + (a^7 + a^5 + a^4 + a^3 + a)*W^25 + (a^5 + a^4 + a + 1)*W^24 + (a^4 + a^2)*W^23 + (a^7 + a^6 + a^4 + a)*W^22 + (a^6 + a^5 + a)*W^21 + (a^6 + a^5 + a^4 + a^2 + a + 1)*W^20 + (a^7 + a^6 + a^4 + a^3 + a + 1)*W ^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a^2 + a)*W^17 + (a^7 + a^6 + a^3 + a^2 + a)*W^16 + (a^6 + a^3 + a^2 + 1)*W^15 + (a^4 + a^3)*W^14 + ( a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a)*W^12 + (a^7 + a^6 + a^4 + a^3 + a^2)*W^11 + (a^7 + a^4 + a^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1) *W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a^7 + a^6 + a^5 + a^3 + a + 1) *W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a^4)*W^4 + (a^5 + a^4)*W ^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W + a ^7 + a^6 + a^2 + aa^3)*W^26 + (a^7 + a^5 + a^4 + a^3 + a)*W^25 + (a^5 + a^4 + a + 1)*W^24 + (a^4 + a^2)*W^23 + (a^7 + a^6 + a^4 + a)*W^22 + (a^6 + a^5 + a)*W^21 + (a^6 + a^5 + a^4 + a^2 + a + 1)*W^20 + (a^7 + a^6 + a^4 + a^3 + a + 1)*W ^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a^2 + a)*W^17 + (a^7 + a^6 + a^3 + a^2 + a)*W^16 + (a^6 + a^3 + a^2 + 1)*W^15 + (a^4 + a^3)*W^14 + ( a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a)*W^12 + (a^7 + a^6 + a^4 + a^3 + a^2)*W^11 + (a^7 + a^4 + a^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1) *W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a^7 + a^6 + a^5 + a^3 + a + 1) *W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a^4)*W^4 + (a^5 + a^4)*W ^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W + a ^7 + a^6 + a^2 + a1)*W^24 + (a^4 + a^2)*W^23 + (a^7 + a^6 + a^4 + a)*W^22 + (a^6 + a^5 + a)*W^21 + (a^6 + a^5 + a^4 + a^2 + a + 1)*W^20 + (a^7 + a^6 + a^4 + a^3 + a + 1)*W^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a^2 + a)*W^17 + (a^ 7 + a^6 + a^3 + a^2 + a)*W^16 + (a^6 + a^3 + a^2 + 1)*W^15 + (a^4 + a^3) *W^14 + (a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a)*W^12 + (a^7 + a^ 6 + a^4 + a^3 + a^2)*W^11 + (a^7 + a^4 + a^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a^7 + a^6 + a^5 + a^ 3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a^4)*W^4 + (a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W + a^7 + a^6 + a^2 + a1)*W^24 + (a^4 + a^2)*W^23 + (a^7 + a^6 + a^4 + a)*W^22 + (a^6 + a^5 + a)*W^21 + (a^6 + a^5 + a^4 + a^2 + a + 1)*W^20 + (a^7 + a^6 + a^4 + a^3 + a + 1)*W^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a^2 + a)*W^17 + (a^ 7 + a^6 + a^3 + a^2 + a)*W^16 + (a^6 + a^3 + a^2 + 1)*W^15 + (a^4 + a^3) *W^14 + (a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a)*W^12 + (a^7 + a^ 6 + a^4 + a^3 + a^2)*W^11 + (a^7 + a^4 + a^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a^7 + a^6 + a^5 + a^ 3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a^4)*W^4 + (a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W + a^7 + a^6 + a^2 + aa^3 + a + 1)*W^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a^2 + a)*W^17 + (a^7 + a^6 + a^3 + a^2 + a)*W^16 + (a^6 + a^3 + a^2 + 1)*W^15 + (a^4 + a^3)*W^14 + (a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a)*W^12 + (a^ 7 + a^6 + a^4 + a^3 + a^2)*W^11 + (a^7 + a^4 + a^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a^7 + a^6 + a^ 5 + a^3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a^4)*W^4 + ( a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a^5 + a^4 + a^ 3 + a + 1)*W + a^7 + a^6 + a^2 + aa^3 + a + 1)*W^19 + (a^4 + a + 1)*W^18 + (a^7 + a^5 + a^4 + a^2 + a)*W^17 + (a^7 + a^6 + a^3 + a^2 + a)*W^16 + (a^6 + a^3 + a^2 + 1)*W^15 + (a^4 + a^3)*W^14 + (a^4 + a^3)*W^13 + (a^7 + a^6 + a^5 + a^2 + a)*W^12 + (a^ 7 + a^6 + a^4 + a^3 + a^2)*W^11 + (a^7 + a^4 + a^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a^6W^7 + (a^7 + a^6 + a^ 5 + a^3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W^5 + (a^7 + a^4)*W^4 + ( a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W^2 + (a^6 + a^5 + a^4 + a^ 3 + a + 1)*W + a^7 + a^6 + a^2 + aa^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a ^6W^7 + (a^7 + a^6 + a^5 + a^3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W ^5 + (a^7 + a^4)*W^4 + (a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W ^2 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W + a^7 + a^6 + a^2 + aa^2 + a + 1)*W^10 + (a^7 + a^5 + a^4 + 1)*W^9 + (a^7 + a^6 + 1)W^8 + a ^6W^7 + (a^7 + a^6 + a^5 + a^3 + a + 1)*W^6 + (a^7 + a^5 + a^4 + a)*W ^5 + (a^7 + a^4)*W^4 + (a^5 + a^4)*W^3 + (a^4 + a^3 + a^2 + a + 1)*W ^2 + (a^6 + a^5 + a^4 + a^3 + a + 1)*W + a^7 + a^6 + a^2 + a

首先,我在 AES Sbox 的代數表達式上方顯示。看起來 W 的幾乎所有從 0 到 255 的冪都出現了

$$ I have checked and 253 of 256 coefficients are nonzero $$. 所以這個表達式在代數上非常複雜如果您將 SBox 映射作為表格提供,我也可以計算它的代數表達式,我們可以比較它們。

我找到了 RichieFrame 的 SBox 的代數表達式,它比 AES 多 2 個非零元素,所以它稍微複雜一些。我還沒有完成反向 SBox,因為我必須手動插入“,0x”類型的分隔符。

下面我解釋一下程式碼。

我從 SubBytes 的十六進制列表開始。

SBHex:=

$$ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 $$; “SubBytes 中的前幾個條目為整數”;SBHex

$$ 1..5 $$; //magma 將其轉換為整數 函式 Pad(u,n)

if (#u eq 8) 然後

返回 u;否則返回

$$ 0: k in [1..8-#u $$]貓你; 萬一; 結束函式;//用0填充到8位 SB列表:=

$$ Pad(IntegerToSequence(SBHex[k $$,2),8): k 英寸$$ 1..#SBHex $$]; “SubBytes 中的前幾個條目作為向量”;SB列表$$ 1..5 $$; R:=多項式環(GF(2)); m:=x^8+x^4+x^3+x+1;//AES 定義的欄位多項式 FF:=ext; //GF(2^8) 在 AES 中定義

SBLF:=

$$ [GF(2)!(IntegerRing(2)!SBList[k,i $$): 我在$$ 1..8 $$]: k 英寸$$ 1..#SBList $$]; “幾個隨機域元素,a是上面定義的m的根”;對於 k 在

$$ 1..3 $$做隨機(FF);結束; “作為向量和多項式的一些元素”;

對於 k 在

$$ 1..5 $$來自 SBLF$$ k $$; 序列到元素(SBLF$$ k $$,FF); 結束; SBFF:=

$$ SequenceToElement(SBLF[k $$,FF): k 英寸$$ 1..#SBList $$]; // 這個 GF(2^8) 的元素列表以 SubBytes 順序 Ident:=$$ [0 $$] 貓$$ Reverse(IntegerToSequence(k,2)): k in [1..255 $$]; 標識:=$$ Pad(Ident[k $$,8): k 英寸$$ 1..256 $$]; “以>正常順序替換之前的前幾個未排序(輸入到SBox)元素”;標識$$ 1..5 $$; IdentFF: =$$ SequenceToElement([GF(2)!(IntegerRing(2)!Ident[k,i $$): 我在$$ 1..8 $$],FF): k 在$$ 1..#SBList $$]; “這是 GF(2^8) 中未排序的元素列表”;“前幾個未排序的元素作為欄位元素”;標識FF$$ 1..5 $$; R2:=多項式環(FF);“將 W 定義為 FF 上多項式的不確定,即 AES 的 >GF(2^8)”; “SBox 的代數表達式”;插值(IdentFF,SBFF);

引用自:https://crypto.stackexchange.com/questions/17932

相關問答

Aes

您如何得出在伽羅瓦域中除以 3 的算法?

  • November 19, 2022
檢視問答
Aes

Rijndael S-box:在哪裡μμmu和ννnu多項式環元素從何而來?

  • October 23, 2020
檢視問答
Aes

rijndael sbox 的 23 個雙仿射方程和 39 個完全二次方程有什麼區別?

  • March 8, 2019
檢視問答
Aes

S-Box 仿射變換的 AES 替代方程

  • August 17, 2018
檢視問答
Aes

AES S-Box:用於計算 S-Box 值的常數的可能選項

  • March 10, 2018
檢視問答
Aes

Rijndael 的 S-Box 是如何生成的?

  • January 7, 2018
檢視問答