Trac #22453: A mistake in the mq.Sbox.polynomials

There is a mistake in `gens = (RR.column(ncols-1)[1<<m:]).list()` string. The rank of the system may be less than 2^m. In that case this function doesn’t return any polynom. AES s-box has a lot of polynoms with degree=2 satisfying. This is the minimal code to verify it. There should be much more than one polynomials (see http://link.springer.com/chapter/10.1007/3-540-36178-2_17 for example). {{{#!sage sage: S = mq.SBox([99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22]) sage: S.polynomials() [] }}} URL: https://trac.sagemath.org/22453 Reported by: thecow Ticket author(s): Friedrich Wiemer Reviewer(s): Travis Scrimshaw
sagemath · Jul 4, 2018 · aae829b · aae829b
2 parents 4f2c67c + d74a8da
commit aae829b
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/src/sage/crypto/sbox.py b/src/sage/crypto/sbox.py
@@ -764,6 +764,20 @@ def polynomials(self, X=None, Y=None, degree=2, groebner=False):
             [y0 + x0*x1 + x0*x2 + x0 + x1*x2 + x1 + 1,
              y1 + x0*x2 + x1 + 1,
              y2 + x0 + x1*x2 + x1 + x2 + 1]
+
+        TESTS:
+
+        Check that :trac:`22453` is fixed::
+
+            sage: from sage.crypto.sboxes import AES
+            sage: aes_polys = AES.polynomials()
+            sage: p = aes_polys[0].parent("x3*y0 + x5*y0 + x7*y0 + x6*y1 + x2*y2"
+            ....:                         " + x3*y2 + x4*y2 + x2*y3 + x3*y3 +"
+            ....:                         " x5*y4 + x6*y4 + x3*y5 + x4*y5 + x4*y7"
+            ....:                         " + x2 + x3 + y2 + y3 + y4 + 1")
+            sage: p in aes_polys
+            True
+
         """
         def nterms(nvars, deg):
             """
@@ -824,13 +838,15 @@ def nterms(nvars, deg):
                 A[row,col] = mul([bits[col][i] for i in range(len(exponent)) if exponent[i]])
             row +=1
 
+        rankSize = A.rank() - 1
+
         for c in range(ncols):
             A[0,c] = 1
 
         RR = A.echelon_form(algorithm='row_reduction')
 
         # extract spanning stet
-        gens = (RR.column(ncols-1)[1<<m:]).list()
+        gens = (RR.column(ncols-1)[rankSize:]).list()
 
         if not groebner:
             return gens