3

The $Sage$ code for the AES $S-box$ is below and a link is here: Polynomial representation of the affine part of the AES S-box. An online version of $Sage$ to test this is here.

I understand most of it but I cannot understand where the polynomials for $a$ to $h$ come from. Can anyone give a simple example? Even for just one of the polynomials if this will suffice.

enter image description here

Red Book 1
  • 1,025
  • 10
  • 26

2 Answers2

2

This might be a bit off-topic, but I can not yet add a comment:

Note that you can also use the SBox object, included in recent Sage versions (from >= 8.2, I think):

sage: from sage.crypto.sboxes import AES
sage: AES
...

This offers you methods for cryptanalysis etc.

asante
  • 334
  • 3
  • 7
0

$a$ through $h$ are the coefficients of the polynomials for the algebraic expression of the s-box, as determined through Lagrange interpolation.

$S(y) = {'63'} + {'05'}y^{254} + {'09'}y^{253} + {'f9'}y^{251} + {'25'}y^{247} + {'f4'}y^{239} + {'01'}y^{223} + {'b5'}y^{191} + {'8f'}y^{127}$

where $v$ is the affine vector 63, $a$ through $h$ are $05$ through $8f$, and $y$ is the input to the s-box, all in in polynomial form.

Richie Frame
  • 13,097
  • 1
  • 25
  • 42
  • I think my question should have been clearer, apologies. I can see what they are but I don't know 'why' they are so. For example, $a=x^2+1$ but how does this polynomial come to be? Specifically, if I were to change the irreducible polynomial to say $m = x^8+x^4+x^3+x^2+1$ or $m = x^8+x^5+x^4+x^3+1$, how can I work out the polynomials $a$ to $h$? – Red Book 1 Dec 07 '17 at 03:28
  • @RedBook1 through Lagrange interpolation, that is the end result, the formula that produces all s-box entries correctly. If you change the modulus, the s-box generated will be different, but so will the rest of the cipher. You need the s-box elements first before you can interpolate – Richie Frame Dec 07 '17 at 06:52
  • I have only a little knowledge on Lagrange interpolations. For example, given some function, say, $f(x)=x^2$ and some points $x_0 = 1, x_1=2$ etc. But in this case I don't know where to begin. Would you mind giving an example for $a=x^2+1$ (or one of the other polynomials) just to start me off? – Red Book 1 Dec 07 '17 at 08:44
  • @RedBook1 Sage can perform LI, but I think the field of an 8-bit s-box is too large, and it gives an error. (i think i tried before) – Richie Frame Dec 07 '17 at 09:42
  • I am not familiar with Sage. All I need to know is how any one of these polynomials came about. Why is $a= x^2+1$ for instance? Or can I just leave these polynomials, $a$ to $h$, as they are and use a different polynomial? – Red Book 1 Dec 07 '17 at 11:27
  • 1
    I posted the question on AskSage and received this answer https://ask.sagemath.org/question/40008/how-can-we-make-the-aes-s-box-using-lagrange-interpolation/ – Red Book 1 Dec 29 '17 at 10:49