''' Finding lower bounds on the number of active sboxes up to 10 rounds. It

1. '''
2. Finding lower bounds on the number of active sboxes up to 10 rounds.
3. It is used to prove a security bound.
4. '''
5.  
6. # global variables
7. bN = 4
8.  
9.  
10. def shiftRows(state):
11. '''
12. Doing shift rows.
13. '''
14.  
15. # row 1 goes one to left
16. tmp = state[1]
17. for j in range(4):
18. state[(1 + j * 4) % 16] = state[(1 + (j + 1) * 4) % 16]
19. state[13] = tmp
20.  
21. # row 2 goes two to left
22. for i in range(2):
23. tmp = state[2]
24. for j in range(4):
25. state[(2 + j * 4) % 16] = state[(2 + (j + 1) * 4) % 16]
26. state[14] = tmp;
27.  
28. # row 3 goes three to left (but easier to go one right here)
29. tmp = state[15]
30. for j in range(4):
31. state[(15 - j * 4) % 16] = state[(15 - (j + 1) * 4) % 16];
32. state[3] = tmp
33.  
34. return state
35.  
36.  
37. def mixColumn(state, nextD, fd):
38. '''
39. Doing MixColumn
40. '''
41.  
42. newState = [i for i in range(max(state)+1, max(state)+17)]
43.  
44. for i in range(4):
45. fd.write("p.add_constraint(x[{0}] + x[{1}] + x[{2}] + x[{3}] + x[{4}] + x[{5}] + x[{6}]+ x[{7}] >= {8}*d[{9}])\n".format(state[4*i], state[4*i+1], state[4*i+2], state[4*i+3], newState[4*i], newState[4*i+1], newState[4*i+2], newState[4*i+3], bN, nextD))
46. for j in range(4):
47. fd.write("p.add_constraint(x[{0}] <= d[{1}])\n".format(state[4*i+j], nextD))
48. fd.write("p.add_constraint(x[{0}] <= d[{1}])\n".format(newState[4*i+j], nextD))
49. fd.write("p.add_constraint(x[{0}] + x[{1}] + x[{2}] + x[{3}] >= d[{4}])\n".format(state[4*i], state[4*i+1], state[4*i+2], state[4*i+3], nextD))
50. fd.write("p.add_constraint(x[{0}] + x[{1}] + x[{2}] + x[{3}] >= d[{4}])\n\n".format(newState[4*i], newState[4*i+1], newState[4*i+2], newState[4*i+3], nextD))
51. nextD+=1
52. return newState, nextD
53.  
54.  
55. def main():
56. '''
57. Here we make/open a file and write the required equations in it.
58. Then we solve the equations in sage.
59. '''
60.  
61. double_shift = [True, False]
62. num_rounds = 7
63.  
64. with open("equations.sage",'w') as fd:
65.  
66. # the objective is to minimizing (maximization=False)
67. fd.write("# set the objective to minimizing ...\n")
68. fd.write('p = MixedIntegerLinearProgram(maximization=False, solver = "GLPK")\n')
69. fd.write("x = p.new_variable(binary=True)\n")
70. fd.write("d = p.new_variable(binary=True)\n")
71.  
72. for ds in double_shift:
73. for rounds in range(1, num_rounds):
74. nextD = 0
75.  
76. # initialize the state with 0 to 15
77. state = [i for i in range(16)]
78.  
79. # set the objective: x[0] + x[1] + ... + x[#rounds*16 - 1]
80. fd.write("p.set_objective(")
81. for i in range(rounds * 16):
82. fd.write("x[{0}]".format(i))
83. if(i < ((rounds * 16)-1)):
84. fd.write(" + ")
85. else: # last element
86. fd.write(")\n\n")
87.  
88. for i in range(rounds):
89. state = shiftRows(state) # do shiftrows
90. if(double_shift): # what is the double shift???
91. state = shiftRows(state)
92. state, nextD = mixColumn(state, nextD, fd) # do mixcolumn
93.  
94. # Constrains: make sure that there is one Aktive S-Box
95. fd.write("p.add_constraint(")
96. for i in range(16):
97. fd.write("x[{0}] ".format(i))
98. if(i < 15):
99. fd.write(" + ")
100. else:
101. fd.write(" >= 1)\n\n")
102.  
103. fd.write("print 'Rounds: {0} -> Active SBoxes: ' + str(p.solve()) + 'Double Shift: {1}'\n\n".format(rounds, ds))
104.  
105.  
106. if __name__ == '__main__':
107. main()