WO2009104827A1 - Method and apparatus for generating key stream for stream cipher, s-box for block cipher and method for substituting input vector using the s-box - Google Patents


Info

Publication number: WO2009104827A1
Authority: WO (WIPO, PCT)
Prior art keywords: vector, finite field, key stream, outputting, stream
Application number: PCT/KR2008/000996
Other languages: French (fr)
Inventors: Hong-Yeop Song, Ju-Young Kim
Original Assignee: Industry-Academic Cooperation Foundation, Yonsei University
Application filed by: Industry-Academic Cooperation Foundation, Yonsei University
Priority to: KR1020107018455A (KR101131167B1); PCT/KR2008/000996 (WO2009104827A1)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner


Abstract

The present invention discloses a method and an apparatus for generating a key stream for a stream cipher, an S-box for a block cipher and a method for substituting an input vector using the S-box. According to the present invention, there is provided a method for generating a key stream for a stream encryption, comprising: receiving a vector that represents each state value of n (2≤n≤N) stages from an N-stage linear feedback shift register (LFSR) that generates a pseudo-random binary sequence; and outputting a key stream using a logarithmic function over a finite field whose base is a primitive element of the finite field corresponding to the vector space that represents the vector. With the present invention, high nonlinearity and optimal algebraic immunity can be obtained.

Description

METHOD AND APPARATUS FOR GENERATING KEY STREAM FOR STREAM CIPHER, S-BOX FOR BLOCK CIPHER AND METHOD FOR SUBSTITUTING INPUT VECTOR USING THE S-BOX

Technical Field

[1] The present invention relates to encryption for data security, and more particularly to a method and apparatus for generating a key stream for a stream cipher, an S-box for a block cipher and a method for substituting an input vector using the S-box.

Background Art
[2] As the need for data security grows with developments in science and technology, the importance of the stream cipher increases every day. The representative encryption methods are the stream cipher and the block cipher.
[3] The stream cipher produces a cipher text by generating a key stream of the same length as the plain text and XORing the plain text with the key stream bit by bit. In the stream cipher, a linear feedback shift register (LFSR) is mainly used to generate the key stream. With an LFSR, a key stream having the maximum period achievable by a finite state machine is easily obtained, and a mathematical analysis is easily performed. However, an LFSR used alone is easily broken, so a key stream is commonly generated by nonlinearly combining the state values of the stages of the LFSR, or by nonlinearly combining the outputs of a plurality of LFSRs.
[4] The block cipher produces a cipher text block by block: the plain text is divided into units of a predetermined size and an encryption process is performed on each unit. Standards for the block cipher include the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). A block cipher is built as a process that forms a function which is not easily broken by repeatedly applying a simple function, and each such repetition is called a round. In block encryption, a process of substituting a block of a predetermined number of bits is generally performed in each round, and the module performing this substitution is called an S-box.
[5] A nonlinear Boolean function is used as the function for nonlinear combination in the stream cipher, and as the function mapping input to output in the S-box. The nonlinear Boolean function should preferably have high nonlinearity. Currently a Boolean power function is used as the nonlinear Boolean function, mainly the Boolean inverse function, which is one kind of Boolean power function. The Boolean inverse function outputs, for a given input, its multiplicative inverse over a finite field rather than the input itself, and is known to have high nonlinearity.
[6] Cryptanalysis is the process of finding the plain text from the cipher text by finding the encryption key used in the encryption or other supplementary information, and is also called a cipher attack. Among the various cipher attack methods, since an algorithm for solving systems of multivariate high-degree simultaneous equations, a problem known to be NP-complete, became known, the study of the algebraic attack has started. The algebraic attack uses the basic algebraic equations of the inner algorithm together with known input/output pairs: it obtains the values of the variables by solving the overdefined system of multivariate simultaneous equations and restores the key from them.
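The quantity that decides how well an algebraic attack of the kind described above works is the algebraic immunity that [7] below quotes bounds for: the smallest degree of a nonzero Boolean function g with g·f = 0 or g·(f+1) = 0 (an annihilator), since such a g turns every known output of f into a low-degree equation. The following is an added example and not code from the patent: it computes the algebraic immunity of a small Boolean function by brute force, solving the annihilator conditions as a linear system over GF(2). The functions majority3 and bent4 are constructed test inputs, not functions from the patent.

```python
# Added example, not from the patent: brute-force algebraic immunity (AI) of a
# Boolean function f in n variables. AI(f) is the smallest degree of a nonzero g
# with g*f = 0 (g vanishes on supp(f)) or g*(f+1) = 0 (g vanishes on supp(f+1)).
from itertools import combinations, product

def truth_table(f, n):
    """Map every input tuple (x1, ..., xn) to f(x) in {0, 1}."""
    return {x: f(x) & 1 for x in product((0, 1), repeat=n)}

def monomials_up_to(n, d):
    """All monomials in n variables of degree <= d, as tuples of variable indices."""
    return [m for k in range(d + 1) for m in combinations(range(n), k)]

def gf2_rank(rows):
    """Rank over GF(2) of a list of row bit masks, by Gaussian elimination."""
    rows, rank = list(rows), 0
    for bit in reversed(range(max(rows, default=0).bit_length())):
        pivot = next((i for i, r in enumerate(rows) if r >> bit & 1), None)
        if pivot is None:
            continue
        p = rows.pop(pivot)
        rows = [r ^ p if r >> bit & 1 else r for r in rows]
        rank += 1
    return rank

def has_annihilator(support, n, d):
    """Is there a nonzero g of degree <= d that vanishes on every point of support?
    Each point gives one GF(2) equation in the monomial coefficients of g; a nonzero
    solution exists iff the system's rank is below the number of monomials."""
    mons = monomials_up_to(n, d)
    rows = []
    for x in support:
        mask = 0
        for j, m in enumerate(mons):
            if all(x[i] for i in m):      # the monomial evaluates to 1 at x
                mask |= 1 << j
        rows.append(mask)
    return gf2_rank(rows) < len(mons)

def algebraic_immunity(f, n):
    """Smallest d such that f or f+1 has a nonzero annihilator of degree <= d."""
    tt = truth_table(f, n)
    supp_f = [x for x, v in tt.items() if v]
    supp_not_f = [x for x, v in tt.items() if not v]
    for d in range(n + 1):
        if has_annihilator(supp_f, n, d) or has_annihilator(supp_not_f, n, d):
            return d
    return n

def ai_upper_bound(n):
    """ceil(n/2): no n-variable Boolean function has algebraic immunity above this."""
    return (n + 1) // 2

def majority3(x):
    """Constructed test input: majority of three bits."""
    return 1 if sum(x) >= 2 else 0

def bent4(x):
    """Constructed test input: x1 x2 + x3 x4, a 4-variable bent function."""
    return (x[0] & x[1]) ^ (x[2] & x[3])
```

For majority3 the result is 2, which meets the bound ceil(n/2); for bent4 it is also 2, while the single variable x1 has immunity 1 because 1 + x1 annihilates it. The search enumerates all 2^n inputs and all monomials up to degree n, so it is meant for small n only; the point is to see why the n/2 bound of [7] is reached by some functions and not by others.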
[7] The degree of resistance against the algebraic attack is referred to as the algebraic immunity. In the document [N. Courtois and W. Meier, "Algebraic Attacks on Stream Ciphers with Linear Feedback," EUROCRYPT 2003, LNCS 2656, pp. 346-359, Springer-Verlag, 2003], it is shown that the algebraic immunity of a random Boolean function is at most half the number of input variables, that is, n/2. In another document [Y. Nawaz, G. Gong, and K.C. Gupta, "Upper Bounds on Algebraic Immunity of Boolean Power Functions," LNCS 4047, pp. 375-389, Springer-Verlag, 2006], it is shown that the upper bound on the algebraic immunity of a Boolean power function grows only in proportion to the square root of the number of input variables. As n becomes larger, the square root of the number of input variables is smaller than half the number of input variables. Therefore, when the number of input variables becomes large, if the key stream is generated or the S-box is designed using a Boolean power function, a problem arises in that the algebraic immunity does not increase correspondingly.

Disclosure of Invention

Technical Problem
[8] An object of the present invention is to provide a method and an apparatus for generating a key stream for a stream cipher that has high nonlinearity and optimal algebraic immunity, an S-box for a block cipher and a method for substituting an input vector using the S-box.

Technical Solution
[9] In order to accomplish the above object, according to an embodiment of the present invention, there is provided a method for generating a key stream for a stream encryption, comprising: receiving a vector x that represents each state value of n (2≤n≤N) stages from an N-stage linear feedback shift register (LFSR) that generates a pseudo-random binary sequence; and outputting a key stream using a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x.
[10] Outputting the key stream comprises outputting a predetermined component of the vector that is the result value of the logarithmic function as the key stream.
[11] The logarithmic function is represented by the following equation:
[12] [13] log_α(x) = w if x = α^w; in the other case, the value is illegible in the extraction
[14] where α represents the primitive element, x represents the element of the finite field F_{2^n} corresponding to the vector x, and w represents the element of the vector space F_2^n corresponding to the vector w.
[15] At this time, outputting the key stream comprises outputting the result values of log_α(x) according to the following equation as the key stream:
[16] [17] (equation image not reproduced in the extraction; the same equation appears as Equation 4 in [66])
[18] where the product denotes the inner product in the vector space, and ⊕ denotes addition in the vector space.
[19] Also, outputting the key stream may comprise outputting, as the key stream, the result values of a function that combines logarithms log_α(x) having mutually different primitive elements of the finite field F_{2^n} as their bases, according to the following equation:
[20] (equation image not reproduced in the extraction)
[22] where the product denotes the inner product in the vector space, and ⊕ denotes addition in the vector space.
[23] In order to accomplish the above object, according to an embodiment of the present invention, there is provided a method for generating a key stream for a stream cipher, comprising: receiving a vector x that has, as components, the output values of each of n linear feedback shift registers (LFSRs) that generate pseudo-random binary sequences; and outputting a key stream using a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x.
[24] In order to accomplish the above object, according to an embodiment of the present invention, there is provided a method for substituting an input vector for a block cipher using an S-box, comprising: receiving a vector x having n components; and outputting a vector for which the vector x is substituted, using a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x.
[25] The logarithmic function is represented by the following equation:
[26] log_α(x) = w if x = α^w; in the other case, the value is illegible in the extraction
[28] wherein outputting the substituted vector comprises outputting the result values of the logarithmic function as the substituted vector,
[29] where α represents the primitive element, x represents the element of the finite field F_{2^n} corresponding to the vector x, w represents the element of the vector space F_2^n corresponding to the vector w, and ⊕ represents addition in the vector space.
[30] The logarithmic function is represented by the following equation:
[31] [32] log_α(x) = w if x = α^w; in the other case, the value is illegible in the extraction
[33] wherein outputting the substituted vector comprises outputting, as the substituted vector, the result values of a function that combines logarithms log_α(x) having mutually different primitive elements of the finite field F_{2^n} as their bases,
[34] where α represents the primitive element, x represents the element of the finite field F_{2^n} corresponding to the vector x, w represents the element of the vector space F_2^n corresponding to the vector w, and ⊕ represents addition in the vector space.
[35] Outputting the substituted vector may comprise outputting the substituted vector using a lookup table that maps the vector x to the vector substituted for it according to the logarithmic function.
[36] In order to accomplish the above object, according to an embodiment of the present invention, there is provided a key stream generation apparatus for a stream cipher, comprising: an N-stage linear feedback shift register (LFSR) that generates a pseudo-random binary sequence; and a nonlinear module that receives a vector x that represents each state value of n (2≤n≤N) stages from the N-stage LFSR and outputs a key stream using a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x.
[37] In order to accomplish the above object, according to an embodiment of the present invention, there is provided a key stream generation apparatus for a stream cipher, comprising: n linear feedback shift registers (LFSRs) that each generate a pseudo-random binary sequence; and a nonlinear module that receives a vector x that has the output values of each of the n LFSRs as components and outputs a key stream using a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x.
[38] In order to accomplish the above object, according to an embodiment of the present invention, there is provided an S-box for a block cipher which receives a vector x having n components and outputs a vector for which the vector x is substituted, using a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x.
Advantageous Effects

[39] With the present invention as described above, a logarithmic function over a finite field whose base is a primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the input vector x is used as the nonlinear Boolean function, making it possible to obtain high nonlinearity and optimal algebraic immunity.

Brief Description of Drawings
[40] FIG. 1 is a schematic block diagram of a stream encryption apparatus including a key stream generation apparatus according to an embodiment of the present invention;
[41] FIG. 2 is a schematic block diagram of a stream encryption apparatus including a key stream generation apparatus according to an embodiment of the present invention; and
[42] FIG. 3 is a schematic block diagram of a block encryption apparatus including an S-box for a block cipher according to an embodiment of the present invention.
Best Mode for Carrying out the Invention

[43] Hereinafter, the preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Constituents that are substantially the same in the description and the drawings below are indicated by the same reference numerals, and overlapping explanation of them is omitted. Also, where a detailed explanation of a related well-known constitution or function would obscure the gist of the present invention, that explanation is omitted.
[44] FIG. 1 is a schematic block diagram of a stream encryption apparatus including a key stream generation apparatus according to an embodiment of the present invention. The stream encryption apparatus according to the present invention includes an N-stage linear feedback shift register (LFSR) 11, a nonlinear module 12, and an XOR operator 13. The LFSR 11 and the nonlinear module 12 form a key stream generation apparatus for a stream cipher according to the present embodiment. In the present invention, the nonlinear module 12 may be a nonlinear filter generator.
[45] The LFSR 11 has N stages, that is, N registers, and generates a pseudo-random binary sequence of a predetermined period in synchronization with an externally supplied clock. A vector x that has as components the stage values x_1, …, x_n of predetermined n (2≤n≤N) stages of the LFSR 11 is input, in synchronization with the clock, to the nonlinear module 12 described later. Each stage value x_1, …, x_n is 0 or 1.
[46] The nonlinear module 12 receives the vector x and outputs a key stream value z, in synchronization with the clock, using the nonlinear Boolean function.
[47] The XOR operator 13 outputs a cipher text c by XORing a plain text bit with the key stream value z.
[48] In the nonlinear module 12, a logarithmic function over a finite field whose base is a primitive element α of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the vector x is used as the nonlinear Boolean function.
[49] Hereinafter, the logarithmic function over the finite field used in the nonlinear module 12 will be described in more detail.
[50] The vector x = (x_1, …, x_n) is an element of the vector space F_2^n that represents binary variables. If the primitive element of the finite field F_{2^n} corresponding to the vector space F_2^n is α, the element of the finite field corresponding to the vector x is represented by the following equation.
[51] [Equation 1]
[52] x = (right-hand side is an equation image not reproduced in the extraction)
[53] [54] Meanwhile, if the element of the vector space F_2^n corresponding to a non-negative integer w smaller than 2^n − 1 is w = (w_1, …, w_n), the following equation holds.
[55] [Equation 2]
[56] (equation image not reproduced in the extraction; a sum over i = 1, …, n)
[57] At this time, the logarithmic function log_α(x) over the finite field, with the primitive element α as its base, the vector x as its input and w as its output, may be defined by the following equation.
[58] [Equation 3]
[59] log_α(x) = w if x = α^w; in the other case, the value is illegible in the extraction
[60] In the logarithmic function log_α(x), which is a Boolean function, there exists a one-to-one correspondence between the n-bit input and the n-bit output.
[61] For example, in the case of n = 3 and a primitive polynomial of x (the polynomial is not reproduced in the extraction), the binary vectors corresponding to the elements of the finite field F_{2^3} are represented by the following table.
[62] [Table 1]
[63]
    element of F_{2^3}    binary vector (x_1, x_2, x_3)
    0                     0 0 0
    1                     0 0 1
    α                     0 1 0
    α^2                   1 0 0
    α^3                   0 1 1
    α^4                   1 1 0
    α^5                   1 1 1
    α^6                   1 0 1
[64] At this time, in the case of x = (1, 1, 0) in Equation 3, the corresponding element of the finite field is x = α^4, so that the non-negative integer w = 4 and the corresponding element w = (1, 0, 0) of the vector space are obtained.
[65] Meanwhile, in (function image not reproduced in the extraction), there also exists a one-to-one correspondence. In the present embodiment, log_α(x) according to the following equation is input as a key stream.
[66] [Equation 4]
[67] (equation image not reproduced legibly in the extraction)
[68] Here, the product denotes the inner product in the vector space, and ⊕ denotes addition in the vector space.
[69] The reason why the inner product is taken in Equation 4 is to output a particular component of the output vector of the logarithmic function as the key stream.
[70] With the vector used in Equation 4, the left-most component of the output vector is obtained. Another component of the output vector may also be taken as the key stream; in that case the inner product is taken with an appropriate vector other than that one.
[71] It can be appreciated that the output values according to Equation 4 have the same number of 0s and 1s over all input vectors.
[72] Also, in a modified embodiment of the present invention, the nonlinear module 12 may output, as the key stream, the values of a function combining Boolean functions that have mutually different primitive elements of the finite field F_{2^n} corresponding to the vector space F_2^n that represents the input vector x as their respective bases, according to Equation 4. For example, if α and β are different primitive elements of the finite field F_{2^n}, the values of a function in which log_α(x) is linearly combined with log_β(x) may be output as the key stream. Assuming that f is an arbitrary function that linearly combines them, the key stream output is represented as f(log_α(x), log_β(x)).
[73] FIG. 2 is a schematic block diagram of a stream encryption apparatus including a key stream generation apparatus according to an embodiment of the present invention. The stream encryption apparatus according to the present invention includes n linear feedback shift register (LFSR)s 21-1, 21-2, ..., and 21-n, an nonlinear module 22, and an XOR operator 23. The n LFSRs 21-1, 21-2, ..., and 21-n and the nonlinear module 22 form a key stream generation apparatus for a stream cipher according to the present embodiment. In the present invention, the nonlinear module 22 may be a nonlinear combination generator.
[74] Unlike the stream encryption apparatus in FIG. 1, in the stream encryption apparatus according to the present embodiment each of the n LFSRs 21-1, 21-2, ..., 21-n generates a pseudo-random binary sequence having a predetermined period, in synchronization with a clock given from the outside, and inputs it to the nonlinear module 22. In other words, for each clock a vector x whose components are the bit values output from each of the n LFSRs 21-1, 21-2, ..., 21-n is input to the nonlinear module 22. The other operations of the nonlinear module 22 and the XOR operator 23 are the same as those of the nonlinear module 12 and the XOR operator 13 in FIG. 1, so their detailed explanation is omitted.
[75] FIG. 3 is a schematic block diagram of a block encryption apparatus including an S-box for a block cipher according to an embodiment of the present invention. The block encryption apparatus according to the present invention is based on the Advanced Encryption Standard (AES), wherein a permutation over several rounds and a substitution using an S-box are applied to a plain text block. For convenience, only the i-th round permutation and substitution and the (i+1)-th round permutation are shown in FIG. 3. In the present embodiment, a block is divided into s sub-blocks for substitution, and a substitution is applied to each sub-block using an S-box. The S-box according to the present embodiment is not limited to a block encryption apparatus with the structure shown in FIG. 3, but may also be applied to any block encryption in which a substitution is applied in block units.
[76] Vectors w^{(i-1),1}, ..., w^{(i-1),s} corresponding to each of the s sub-blocks are input to the i-th permutation 31 from the (i-1)-th round. The i-th permutation 31 applies a permutation to the s sub-blocks to output the vectors x^{i,1}, ..., x^{i,s}. In the present embodiment, one plain text block has n × s bits, and the vectors w^{(i-1),1}, ..., w^{(i-1),s} and x^{i,1}, ..., x^{i,s} each have n components.
[77] The vectors x^{i,1}, ..., x^{i,s} are input to the first S-box, ..., and the s-th S-box 32-1, ..., 32-s, respectively. The first S-box, ..., and the s-th S-box 32-1, ..., 32-s apply a nonlinear Boolean function to the input vectors and output the substituted vectors w^{i,1}, ..., w^{i,s}.
[78] The vectors w^{i,1}, ..., w^{i,s} are input to the (i+1)-th permutation 33, and the (i+1)-th permutation 33 outputs the vectors x^{(i+1),1}, ..., x^{(i+1),s} by applying the permutation thereto, in the same manner as the i-th permutation 31.
[79] The operations of the first S-box, ..., and the s-th S-box 32-1, ..., 32-s are all the same, and the input vectors x^{i,1}, ..., x^{i,s} and the output vectors w^{i,1}, ..., w^{i,s} each have n components. Therefore, the first S-box, ..., and the s-th S-box 32-1, ..., 32-s will be referred to below simply as the S-box 32, with input x and output w.
[80] For the input vector x, the S-box 32 uses the nonlinear Boolean function to output a vector w for which the vector x is substituted. In particular, as the nonlinear Boolean function, the S-box 32 uses a logarithmic function over a finite field having a primitive element of the finite field corresponding to the vector space F_2^n that represents the vector x as a base. Here, the logarithmic function LOG_α(x) according to Equations 1 to 3 described above is used, and in the present embodiment the S-box 32 outputs the vector w substituted according to the one-to-one correspondence function [Figure imgf000018_0001].
[81] For example, if n = 4, the primitive polynomial is x^4 + x + 1, and the primitive element is α, the binary vectors corresponding to the elements of the finite field F_{2^4} are represented by the following table.
[82] [Table 2]
[83] [Table 2 (binary vectors of the elements of F_{2^4}) is present only as images in the source and is not reproduced.]
[84] At this time, the result values of the function [Figure imgf000019_0007] for the binary vectors are represented by the following table.
[85] [Table 3]
[86]
input x    output w (decimal)
0000       0000 (0)
0001       1111 (15)
0010       0100 (4)
0011       0001 (1)
0100       1000 (8)
0101       0010 (2)
0110       1010 (10)
0111       0101 (5)
1000       1110 (14)
1001       0011 (3)
1010       0111 (7)
1011       1001 (9)
1100       1101 (13)
1101       0110 (6)
1110       1100 (12)
1111       1011 (11)
[87] In the present embodiment, the S-box 32 stores a lookup table that maps each input vector x to the vector to be substituted for it according to the function LOG_α(x ⊕ 1), and outputs the substituted vector using the lookup table. In this case, with a 4-bit input and a 4-bit output, Table 3 may be used as the lookup table in the S-box 32.
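The following is an added example, not code from the patent, that builds the n = 4 field of paragraphs [81] to [87] (primitive polynomial x^4 + x + 1), derives the logarithm table and the substitution x → LOG_α(x ⊕ 1), checks it against Table 3 and the balance property of paragraph [71], and then uses the same mapping as the nonlinear module of a key stream generator in the manner of FIG. 1, fed by n = 4 stage values of an N-stage LFSR. The LFSR details (8 stages, taps from the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1, which stages are read, the seed) are this example's own choices, as are the conventions that log_α(0) = 2^n − 1 (the value Table 3 shows for input 0001) and that the "leftmost component" of Equation 4 is the most significant bit.

```python
# Added example (not the patent's code): GF(2^4) logarithm S-box and a
# log-based key stream generator in the manner of FIG. 1.

N_BITS = 4
PRIM_POLY = 0b10011            # x^4 + x + 1, the primitive polynomial of the page's n = 4 example
FIELD_SIZE = 1 << N_BITS
ZERO_LOG = FIELD_SIZE - 1      # assumed value for log_alpha(0); Table 3 gives 1111 for input 0001

# Table 3 of the page, as integers, used below to check the derived mapping.
TABLE_3 = [0, 15, 4, 1, 8, 2, 10, 5, 14, 3, 7, 9, 13, 6, 12, 11]


def build_log_table(n_bits=N_BITS, poly=PRIM_POLY):
    """log[x] = w such that x = alpha^w, alpha being the root of poly; log[0] = 2^n - 1."""
    size = 1 << n_bits
    log = [size - 1] * size
    elem = 1                           # alpha^0
    for w in range(size - 1):
        log[elem] = w
        elem <<= 1                     # multiply by alpha
        if elem & size:                # degree reached n: reduce modulo poly
            elem ^= poly
    return log


LOG = build_log_table()


def log_sbox(x):
    """LOG_alpha(x xor 1): the one-to-one substitution tabulated in Table 3."""
    return LOG[x ^ 1]


def component_weights():
    """Ones per output component over all 2^n inputs; paragraph [71] says each is balanced."""
    return [sum((log_sbox(x) >> i) & 1 for x in range(FIELD_SIZE))
            for i in reversed(range(N_BITS))]


def keystream_bit(x):
    """Equation 4 style output: inner product with (1, 0, ..., 0), i.e. the leftmost component."""
    return (log_sbox(x) >> (N_BITS - 1)) & 1


class LFSR:
    """N-stage Fibonacci LFSR over GF(2); stage i is bit i of the state, stage 0 is the oldest."""

    def __init__(self, n_stages, taps, seed):
        if seed == 0:
            raise ValueError("an all-zero state never leaves zero")
        self.n, self.taps, self.state = n_stages, taps, seed

    def clock(self):
        """Shift one position; the XOR of the tapped stages enters at the top stage."""
        feedback = bin(self.state & self.taps).count("1") & 1
        self.state = (self.state >> 1) | (feedback << (self.n - 1))

    def stages(self, positions):
        """Read the selected stage values as the vector x, first position as leftmost component."""
        x = 0
        for pos in positions:
            x = (x << 1) | ((self.state >> pos) & 1)
        return x


def keystream(seed, n_bits, taps=0b00011101, n_stages=8, positions=(7, 5, 2, 0)):
    """n_bits key stream bits: per clock, n = 4 stage values of the LFSR form x and
    keystream_bit(x) is output. Taps 0b00011101 realise x^8 + x^4 + x^3 + x^2 + 1
    (assumed choices of this example, not taken from the patent)."""
    lfsr = LFSR(n_stages, taps, seed)
    bits = []
    for _ in range(n_bits):
        lfsr.clock()
        bits.append(keystream_bit(lfsr.stages(positions)))
    return bits


def xor_stream(data, seed):
    """XOR the key stream onto data (the XOR operator of FIG. 1); the same call decrypts."""
    bits = keystream(seed, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for b in bits[8 * i:8 * i + 8]:
            k = (k << 1) | b
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    assert [log_sbox(x) for x in range(FIELD_SIZE)] == TABLE_3
    print("component weights:", component_weights())
    ct = xor_stream(b"constructed sample plaintext", seed=0xA5)   # constructed input
    print("ciphertext:", ct.hex())
    print("decrypted:", xor_stream(ct, seed=0xA5))
```

Running the block checks the derived mapping against Table 3 and reports that all four output components are balanced; the demo then encrypts a constructed plaintext and decrypts it with the same seed, which is all a FIG. 1 style XOR stream cipher requires.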
[88] Also, in a modified embodiment of the present invention, the S-box 32 may output the values of a function that combines Boolean functions each of which, according to the function LOG_α(x ⊕ 1), uses a different primitive element of the finite field corresponding to the vector space that represents the input vector x as a base. For example, if α and β are primitive elements, different from each other, of the finite field F_{2^n}, the values of the function in which [Figure imgf000020_0001] is linearly combined with [Figure imgf000020_0002] may be output as a key stream. Assuming that f is a random function that linearly combines them, the output vector is represented as [Figure imgf000020_0003].
[89] For n with 4 < n < 19 in the embodiments described above, comparing the nonlinearity of the function log_α(x) according to Equation 4 with that of the Boolean inverse function shows that the nonlinearity of log_α(x) is equal to or higher than that of the Boolean inverse function.
[90] For n with 6 < n < 18, comparing the algebraic immunity of the function log_α(x) according to Equation 4 with that of the Boolean inverse function shows that the algebraic immunity of log_α(x) is higher than that of the Boolean inverse function and, furthermore, reaches the maximum algebraic immunity n/2 that a random Boolean function can have.
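Paragraphs [89] and [90] compare the nonlinearity and algebraic immunity of the logarithm with those of the inverse function. The block below is an added example, not from the patent, that measures both for n = 4 on the S-box of Table 3: nonlinearity from the Walsh–Hadamard spectrum of a component function, and algebraic immunity as the lowest degree of a nonzero annihilator found by a GF(2) rank test. The inverse S-box x → x^{-1} with 0 → 0 in GF(2^4) modulo x^4 + x + 1 is this example's reading of "Boolean inverse function", and the leftmost (most significant) component is its reading of the Equation 4 output; both are assumptions.

```python
# Added example (not the patent's code): Walsh-spectrum nonlinearity and algebraic
# immunity of the Table 3 S-box versus the inverse function in GF(2^4).
from itertools import combinations

N_BITS = 4
PRIM_POLY = 0b10011            # x^4 + x + 1, the page's n = 4 example
LEFTMOST = 1 << (N_BITS - 1)   # mask selecting the leftmost (assumed most significant) component

# Table 3 of the page: LOG_alpha(x xor 1) for x = 0000 .. 1111, as integers.
LOG_SBOX = [0, 15, 4, 1, 8, 2, 10, 5, 14, 3, 7, 9, 13, 6, 12, 11]


def gf_mul(a, b, poly=PRIM_POLY, n=N_BITS):
    """Carry-less multiplication in GF(2^n) modulo the primitive polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return r


def inverse_sbox(n=N_BITS):
    """x -> x^-1 with 0 -> 0: the assumed reading of the page's 'Boolean inverse function'."""
    size = 1 << n
    return [0] + [next(y for y in range(1, size) if gf_mul(x, y) == 1) for x in range(1, size)]


def component(sbox, mask):
    """Truth table of the Boolean function mask . S(x), the inner product of Equation 4."""
    return [bin(mask & y).count("1") & 1 for y in sbox]


def walsh_spectrum(truth):
    """W(a) = sum_x (-1)^(f(x) + a.x) for every a, by the fast Walsh-Hadamard transform."""
    w = [1 - 2 * bit for bit in truth]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(truth):
    """Distance to the nearest affine function: 2^(n-1) - max|W(a)| / 2."""
    return len(truth) // 2 - max(abs(v) for v in walsh_spectrum(truth)) // 2


def sbox_nonlinearity(sbox, n=N_BITS):
    """Minimum nonlinearity over all nonzero component functions of the S-box."""
    return min(nonlinearity(component(sbox, mask)) for mask in range(1, 1 << n))


def gf2_rank(vectors):
    """Rank over GF(2) of bit vectors packed into ints."""
    pivots = {}                                # leading bit -> basis vector with that leading bit
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]
    return len(pivots)


def has_annihilator(truth, n, degree):
    """True if a nonzero g of algebraic degree <= degree vanishes on the support of truth."""
    support = [x for x in range(1 << n) if truth[x]]
    monomials = [sum(1 << i for i in s) for k in range(degree + 1)
                 for s in combinations(range(n), k)]
    columns = []
    for m in monomials:                        # column = monomial evaluated on the support
        col = 0
        for row, x in enumerate(support):
            if (x & m) == m:                   # product of the variables in m is 1
                col |= 1 << row
        columns.append(col)
    return gf2_rank(columns) < len(columns)    # dependent columns <=> nonzero annihilator


def algebraic_immunity(truth, n):
    """Lowest degree of a nonzero annihilator of f or of f xor 1."""
    complement = [1 - b for b in truth]
    for d in range(n + 1):
        if has_annihilator(truth, n, d) or has_annihilator(complement, n, d):
            return d
    return n


if __name__ == "__main__":
    inv = inverse_sbox()
    print("nonlinearity, leftmost log component:", nonlinearity(component(LOG_SBOX, LEFTMOST)))
    print("nonlinearity, inverse S-box (min over components):", sbox_nonlinearity(inv))
    print("algebraic immunity, leftmost log component:",
          algebraic_immunity(component(LOG_SBOX, LEFTMOST), N_BITS))
```

For n = 4 the leftmost component of the Table 3 S-box and every component of the inverse S-box both reach nonlinearity 4 and algebraic immunity 2 = n/2, which is the "equal to or higher" case of paragraph [89] at the lower end of its range; the degree-2 annihilator always exists here because eleven monomials of degree at most 2 exceed the eight points of a balanced function's support, so algebraic immunity 2 is the best any balanced 4-variable function can do.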
[91] With the present invention as described above, a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space that represents the input vector x as a base is used as the nonlinear function, making it possible to obtain high nonlinearity and optimal algebraic immunity.
[92] Although the preferred embodiment of the present invention is described, it will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the inventions. Thus, it is intended that the present invention covers the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.

Claims
[1] A method for generating a key stream for a stream encryption, comprising: receiving a vector x that represents each state value of n (2 ≤ n ≤ N) stages from an N-stage linear feedback shift register (LFSR) that generates a pseudo-random binary sequence; and outputting a key stream using a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space that represents the vector x as a base.
[2] The method according to claim 1, wherein the output of the key stream comprises outputting a certain component of the vector that is the result value of the logarithmic function as the key stream.
[3] The method according to claim 1, wherein the logarithmic function is represented by the following equation: [Figure imgf000022_0001] in other case, where α represents the primitive element, x represents an element of the finite field corresponding to the vector x, and w represents an element of the vector space [Figure imgf000023_0001] corresponding to w.
[4] The method according to claim 3, wherein the outputting the key stream comprises outputting the result values of log_α(x) according to the following equation as the key stream: [Figure imgf000023_0002] where · represents an inner product in the vector space, and ⊕ represents addition in the vector space.
[5] The method according to claim 3, wherein the outputting the key stream comprises outputting, as the key stream, the result values of a combined function of logarithmic functions that have primitive elements, different from each other, of the finite field as bases, according to the following equation: [Figure imgf000023_0003] where · represents an inner product in the vector space, and ⊕ represents addition in the vector space.
[6] A method for generating a key stream for a stream cipher, comprising: receiving a vector x that has as components the output values of each of n linear feedback shift registers (LFSRs) that generate a pseudo-random binary sequence; and outputting a key stream using a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space that represents the vector x as a base.
[7] The method according to claim 6, wherein the outputting the key stream comprises outputting a certain component of the vector that is the result value of the logarithmic function as the key stream.
[8] The method according to claim 6, wherein the logarithmic function is represented by the following equation: [Figure imgf000024_0001] in other case, where α represents the primitive element, x represents an element of the finite field corresponding to the vector x, and w represents an element of the vector space [Figure imgf000024_0002] corresponding to w.
[9] The method according to claim 8, wherein the outputting the key stream comprises outputting the result values of log_α(x) according to the following equation as the key stream: [Figure imgf000025_0001] where · represents an inner product in the vector space, and ⊕ represents addition in the vector space.
[10] The method according to claim 8, wherein the outputting the key stream comprises outputting, as the key stream, the result values of a combined function of logarithmic functions that have primitive elements, different from each other, of the finite field as bases, according to the following equation: [Figure imgf000025_0002] where · represents an inner product in the vector space, and ⊕ represents addition in the vector space.
[11] A method for substituting an input vector for a block cipher using an S-box, comprising: receiving a vector x having n components; and outputting a vector for which the vector x is substituted using a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space [Figure imgf000025_0003] that represents the vector x as a base.
[12] The method according to claim 11, wherein the logarithmic function is represented by the following equation: [Figure imgf000026_0001] wherein the outputting the substituted vector comprises outputting the result values of LOG_α(x ⊕ 1) as the substituted vector, where α represents the primitive element, x represents an element of the finite field corresponding to the vector x, w represents an element of the vector space F_2^n corresponding to w, and ⊕ represents addition in the vector space.
[13] The method according to claim 11, wherein the logarithmic function is represented by the following equation: w if x = α^w, [value not reproduced] in other case, wherein the outputting the substituted vector comprises outputting, as the substituted vector, the result values of the function combining LOG_α(x ⊕ 1) with logarithmic functions that have primitive elements, different from each other, of the finite field F_{2^n} as bases, where α represents the primitive element, x represents an element of the finite field F_{2^n} corresponding to the vector x, w represents an element of the vector space [Figure imgf000027_0001] corresponding to w, and ⊕ represents addition in the vector space.
[14] The method according to claim 11, wherein the outputting the substituted vector comprises outputting the substituted vector using a lookup table that gives, for the vector x, the vector to be substituted for it according to the logarithmic function.
[15] A key stream generation apparatus for a stream cipher, comprising: an N-stage linear feedback shift register (LFSR) that generates a pseudo-random binary sequence; and a nonlinear module that receives a vector x that represents each state value of n (2 ≤ n ≤ N) stages from the N-stage linear feedback shift register (LFSR) and outputs a key stream using a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space [Figure imgf000028_0001] that represents the vector x as a base.
[16] A key stream generation apparatus for a stream cipher, comprising: n linear feedback shift registers (LFSRs) that each generate a pseudo-random binary sequence; and a nonlinear module that receives a vector x that has as components the output values of each of the n linear feedback shift registers (LFSRs) and outputs a key stream using a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space F_2^n that represents the vector x as a base.
[17] An S-box for a block cipher which receives a vector x having n components and outputs a vector for which the vector x is substituted using a logarithmic function over a finite field having a primitive element of the finite field corresponding to a vector space F_2^n that represents the vector x as a base.

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020107018455A KR101131167B1 (en) 2008-02-20 2008-02-20 Method and apparatus for generating key stream for stream cipher, s-box for block cipher and method for substituting input vector using the s-box
PCT/KR2008/000996 WO2009104827A1 (en) 2008-02-20 2008-02-20 Method and apparatus for generating key stream for stream cipher, s-box for block cipher and method for substituting input vector using the s-box

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/KR2008/000996 WO2009104827A1 (en) 2008-02-20 2008-02-20 Method and apparatus for generating key stream for stream cipher, s-box for block cipher and method for substituting input vector using the s-box

Publications (1)

Publication Number Publication Date
WO2009104827A1 true WO2009104827A1 (en) 2009-08-27

Family

ID=40985687

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2008/000996 WO2009104827A1 (en) 2008-02-20 2008-02-20 Method and apparatus for generating key stream for stream cipher, s-box for block cipher and method for substituting input vector using the s-box

Country Status (2)

Country Link
KR (1) KR101131167B1 (en)
WO (1) WO2009104827A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011153666A1 (en) * 2010-06-11 2011-12-15 中国科学院软件研究所 Method for constructing s-box and s-box

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101649996B1 (en) 2015-07-07 2016-08-23 동서대학교산학협력단 threshold clock controlled random password generator
KR101975800B1 (en) * 2017-08-23 2019-05-08 다운정보통신(주) Parallel Processing Method and Parallelization System for High Speed Stream Cipher Implementation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5473693A (en) * 1993-12-21 1995-12-05 Gi Corporation Apparatus for avoiding complementarity in an encryption algorithm
KR20020081885A (en) * 2001-04-20 2002-10-30 한국전자통신연구원 Nonlinear Random Numbers Generator using FCSR and Substitution-BOX
US20030190041A1 (en) * 2002-04-03 2003-10-09 Kaoru Yokota Expansion key generating device, encryption device and encryption system
US7194090B2 (en) * 2000-07-12 2007-03-20 Kabushiki Kaisha Toshiba Encryption apparatus, decryption apparatus, expanded key generating apparatus and method therefor, and recording medium

Also Published As

Publication number Publication date
KR101131167B1 (en) 2012-04-12
KR20100115769A (en) 2010-10-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08723034; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 20107018455; Country of ref document: KR; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08723034; Country of ref document: EP; Kind code of ref document: A1)