A mistake in the mq.Sbox.polynomials

[sagetrac-thecow]

There is a mistake in gens = (RR.column(ncols-1)[1<<m:]).list()
string. The rank of the system may be less than 2^m.

In that case this function doesn’t return any polynom. AES s-box has a lot of polynoms with degree=2 satisfying.

This is the minimal code to verify it. There should be much more than one polynomials (see http://link.springer.com/chapter/10.1007/3-540-36178-2_17 for example).

sage: S = mq.SBox([99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22])
sage: S.polynomials()
[]

Component: cryptography

Keywords: sbox, rank, days94

Author: Friedrich Wiemer

Branch/Commit: d74a8da

Reviewer: Travis Scrimshaw

Issue created by migration from https://trac.sagemath.org/ticket/22453

[sagetrac-thecow]

comment:3

There is a file that works well:
https://github.com/alexkorovkov/sage/blob/master/src/sage/crypto/mq/sbox.py

[sagetrac-thecow]

Branch: u/thecow/a_mistake_in_the_mq_sbox_polynomials

[pfasante]

Changed branch from u/thecow/a_mistake_in_the_mq_sbox_polynomials to u/asante/a_mistake_in_the_mq_sbox_polynomials

[sagetrac-git]

Commit: 06ac820

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

06ac820

add test for method if bug is fixed

[pfasante]

comment:8

The fix that was already included in the old branch was to change the computation of the spanning set, i.e.

        rankSize = A.rank() - 1

        [...]

        # extract spanning stet
        gens = (RR.column(ncols-1)[rankSize:]).list()

before, it was gens = (RR.column(ncols-1)[1<<m:]).list().

[pfasante]

Changed keywords from box, rank to sbox, rank, days94

[pfasante]

Author: Friedrich Wiemer

[tscrim]

Reviewer: Travis Scrimshaw

[tscrim]

comment:10

Some little things with the formatting:

        TESTS:

        Check that :trac:`22453` is fixed::

            sage: from sage.crypto.sboxes import AES
            sage: aes_polys = AES.polynomials()
            sage: p = aes_polys[0].parent("x3*y0 + x5*y0 + x7*y0 + x6*y1 + x2*y2"
            ....:                         " + x3*y2 + x4*y2 + x2*y3 + x3*y3 +"
            ....:                         " x5*y4 + x6*y4 + x3*y5 + x4*y5 + x4*y7"
            ....:                         " + x2 + x3 + y2 + y3 + y4 + 1")
            sage: p in aes_polys

Otherwise LGTM.

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

d1ef281

reformatted the tests

[sagetrac-git]

Changed commit from 06ac820 to d1ef281

[sagetrac-git]

Changed commit from d1ef281 to d74a8da

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

d74a8da

Merge remote-tracking branch 'origin/develop' into t/22453/a_mistake_in_the_mq_sbox_polynomials

[vbraun]

Changed branch from u/asante/a_mistake_in_the_mq_sbox_polynomials to d74a8da