Score:1

Is it fatal if a blockcipher uses a sbox with a fixed point at 0?


In a previous question, I asked how to implement an arbitrary s-box in a side-channel-free fashion. The code I posted in the question loops over all 256 values of a byte to avoid a timing channel, and I want to change it to loop over the values of a word.

Before getting carried away and lost, I'm considering lazy-initializing the s-box table. Specifically:

  1. write byte-for-byte (i.e. 8-bit) sbox table.
  2. on the first invocation of the sbox on that table, multiply all entries of that table with 0x01010101 to make it 32-bit.
  3. loop over the words and mask each byte individually to get the whole word substituted.

Now. The purpose of this question has nothing to do with coding technique (a serious drawback of this approach is that what was previously constant data is now variable, and some dyld optimization is no longer applicable). The said technique assumes that a fixed point at 0 in the sbox is something that should never happen in any secure blockcipher, so comparing this value against 256 can tell whether the initialization had occurred before or needs to be done.

This question asks whether, and how, it is fatal to have a fixed point at 0 in the sbox of a block cipher.

Score:0

This question asks whether, and how, it is fatal to have a fixed point at 0 in the sbox of a block cipher.

Whether a fixed point at 0 in an sbox is fatal would depend on the cipher. For AES, it is fatal, because the AES sbox is fixed and expects a value of 0x63 at location 0.

On the other hand, it is also irrelevant; if you want to encode an sbox with the above technique, then what you can do (assuming that the sbox you want has 0x63 at location 0) is actually encode sbox[] ^ 0x63 with the above technique. Then, after you've evaluated the modified sbox, xor in a constant 0x63636363 to the result, and that'd give the original sbox.

DannyNiu
I think you missed my point. The initialization checks sbox[0x00]>=256, so a fixed point here will cause initialization to repeat endlessly, as sbox[0x00]==0. So if this technique is to be used, 0 must not map to itself. And I think there should be security concern with this particular fixed point.
DannyNiu
If a blockcipher gets all-0 for input, and it doesn't use some kind of round constants like keccak or chacha, and it has this particular fixed point, then I think it'll probably output all-0.
poncho
Oh, you insist that sbox[0] != 0. In that case, you can use the same trick (except in reverse; if sbox[0] == 0, you xor'ed in a nonzero value in both the sbox and at the end)
poncho
And, if a blockcipher doesn't have a per round constant (that is, all the rounds are identical), it's probably vulnerable to a slide attack...