CN103701584A - Method for designing binary linear diffusion structure in symmetric ciphers - Google Patents

Abstract

The invention discloses a method for designing a binary linear diffusion structure in symmetric ciphers, and relates to a method used for designing ciphers. The scheme comprises the following steps: (1) calculating the upper bound and the lower bound of a Hamming weight value of a binary matrix, and meanwhile, generating a set consisting of candidate row vectors; (2) selecting elements from the row vector set to construct a binary invertible matrix which has theoretically optimal linear branches and high Hamming weight at the same time; (3) judging whether the differential branches of the matrix are theoretically optimal; (4) constructing a strong orthomorphic matrix by exchanging rows in pairs. The invention provides the method for designing the binary linear diffusion structure which has optimal differential branches and linear branches and strong full balance by utilizing strong orthomorphic replacement. Meanwhile, by the method, the highest value of the Hamming weight of the obtained binary linear matrix can also be ensured when the differential branches and the linear branches are optimal at the same time, so that data encryption security can be improved.

Description

The method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography

Technical field

The present invention relates to the method for password design, particularly the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography.

Background technology

Within 1949, C.E.Shannon has proposed the two large design principles that symmetric cryptography need to meet: obscure principle and diffusion principle.Replacement theory is one of basic theories of field of cryptography, replacement theory both can for design symmetric cryptography obscure structure, also can be for the diffusion structure of design symmetric cryptography.In modern block ciphers (what block cipher was symmetric cryptography is a kind of), obscure structure, typical is exactly that S box juxtaposition by n m * m forms and obscures structure, for example AES, ARIA are formed by the S box juxtaposition of 16 8 * 8, and Camellia is formed by the S box juxtaposition of 88 * 8.The m bit of a S box output is only relevant with the m bit of its input, irrelevant with the input of other S boxes.And the effect of linear diffusion structure is exactly that the output of these S boxes is upset, make the m bit of output also relevant to the input of other S boxes as much as possible.The linear diffusion structure of binary system is a kind of conventional linear diffusion structure form, have and realize efficient advantage, but the Cryptographic Properties that the method for designing of the linear diffusion structure of existing binary system is considered is mainly differential branch number and linear branch number, and do not consider other Cryptographic Properties, therefore the linear diffusion structure universal security of existing binary system function singleness, " immunity " scarce capacity that the cryptographic algorithm that makes to construct is analyzed for novel cipher.The building method of the linear diffusion matrix of simultaneously existing binary system, can not guarantee its matrix obtaining meet differential branch number and linear branch number reach optimum in, Hamming weight is also for the highest, and the Hamming weight of binary system diffusion matrix is higher, snowslide effect is better, and snowslide effect is also an important Cryptographic Properties.

Orthomorphic permutation is a kind of special Boolean Permutation, is also a class Complete Mappings, has the good Cryptographic Properties such as complete equipilibrium, compares other common displacements and has stronger diffusion property.The round function of the WLAN (wireless local area network) commercial cipher algorithm SMS4 of China, based on orthomorphic permutation Generator Design.S box in the stream cipher arithmetic LOISS of China scientist design is also a non-linear orthomorphic permutation.In addition, China military takes much count of the application of orthomorphic permutation in cryptographic algorithm, and the National University of Defense technology, information engineering university of PLA and Xian Electronics Science and Technology University all continue research to it.

Summary of the invention

The object of the invention is to solve the linear diffusion structure of current binary system and only there is good differential branch number and linear branch number, and lack other outstanding Cryptographic Properties; The building method of the linear diffusion matrix of existing binary system, can not guarantee its matrix obtaining meet differential branch number and linear branch number reach optimum in, Hamming weight is also the highest problem and shortage.By utilizing strong orthomorphic permutation, a kind of both had optimum differential branch number and linear branch number are provided, the linear diffusion structure method for designing of binary system again with Cryptographic Properties such as strong complete equipilibriums, the method can also guarantee that the Hamming weight of resulting binary matrix reaches all peaks under optimal conditions of differential branch number and linear branch number simultaneously.

For achieving the above object, the present invention adopts following solution: the present invention is based on vector space GF (2 ^m) ⁿon the linear diffusion structure of strong orthomorphic permutation design binary system, by following step, realize (H equals the Hamming gravimetric value of this binary matrix for 1≤n≤18 wherein, m > 1):

(1) calculate a upper bound and a lower bound of the Hamming gravimetric value of the linear diffusion matrix of n rank (n capable n row) binary system, and by this upper bound assignment to H, generate the set that candidate n dimension row vector forms simultaneously;

(2) be expert at and choose element in vector set and construct such n rank binary system invertible matrix: Hamming gravimetric value is H, and linear branch number reaches the theoretical optimal value under this kind of condition simultaneously.If find such matrix, carry out (3).If there is not such matrix, H is from subtracting 1, if now H is less than lower bound, program stops, otherwise continues to carry out (2);

(3) calculate the differential branch number of this binary matrix, if differential branch number also reaches theoretical optimal value, carry out (4), otherwise return to (2);

(4) by this matrix by row exchange between two (altogether can Individual matrix), often obtain a new matrix and just judge whether it is GF (2 ^m) on strong orthomorphic matrices (each linear strong orthomorphic permutation can be write as a strong orthomorphic matrices).If strong orthomorphic matrices is Output rusults, program stops, if this n! Individual matrix is not strong orthomorphic matrices, returns to (2).

Above-mentioned is a kind of based on vector space GF (2 ^m) ⁿon the method for the linear diffusion structure of strong orthomorphic permutation design binary system, it is characterized in that:

In described step (1), the method for the Hamming gravimetric value lower bound of calculating binary matrix is as follows:

Suppose that d is the minimum distance of binary linear code [2n, n, d], the implication of the d occurring is afterwards all with herein.

This binary matrix of hypothesis is n rank (the capable n row of n) now, and according to the corresponding relation of binary linear code [2n, n, d] and binary matrix, can obtain general lower bound is (d-1) n so.

In described step (1), the method in the Hamming gravimetric value upper bound of calculating binary matrix is as follows:

A general upper bound is

wherein

represent to be not more than the maximum integer of (*),

represent to be not less than the smallest positive integral of (*), occur afterwards

with

implication is all with herein.

The set that in described step (1), candidate row vector forms, is characterized in that:

Generate altogether (n-d+1) individual row vector set, in each row vector set, the Hamming of all row is equal in weight, and (n-d+1) the row vector Hamming weight value of individual row vector set is followed successively by d-1, d ..., n.

Described step (2) is expert at, and to choose the method for element in vector set as follows:

Suppose λ _ivalue equal in binary matrix Hamming weight be i(wherein i be natural number, and d-1≤i≤n) the quantity of row, can obtain following Indeterminate Equation Group so:

$\left\{\begin{array}{c}{\mathrm{\λ}}_i\≥0,d-1\≤i\≤n,\\ \underset{i=d-1}{\overset{n}{\mathrm{\Σ}}}{\mathrm{\λ}}_i=n\\ \underset{i=d-1}{\overset{n}{\mathrm{\Σ}}}i{\mathrm{\λ}}_i=H\end{array}\right.$

Solve this equation group and obtain all disaggregation { (λ _d-1, λ _d..., λ _n), then select at random wherein one group of solution (λ _d-1', λ _d' ..., λ _n'), the row vector set that is i from Hamming weight, choose λ _i' individual different rows structure binary matrix.

Described Indeterminate Equation Group, is characterized in that:

Suppose i, j, k, b is natural number.

If n ≠ 4 and n ≠ 12, work as so

time, (wherein

),

And if

(wherein 0≤j≤k),

When

time, if

(wherein

),

If n=4 or n=12, now d is even number, works as

$(n-\frac{d-2}{2}+(k+1))+(n-\frac{d-2}{2}-(k+1))\&times;(n-1)<H\&le;(n-\frac{d-2}{2}+k)+(n-\frac{d-2}{2}-k)\&times;(n-1)$ Time, (wherein $0\&le;k\&le;n-\frac{d-2}{2}-(d-1)-1$ ),

${\mathrm{\&lambda;}}_i=0,(n-\frac{d-2}{2}+(k+1))\&le;i\&le;(2n-2d+3),$

And if

(wherein 0≤j≤k),

${\mathrm{\&lambda;}}_b=0,(n-\frac{d-2}{2}-j)<b\&le;(n-\frac{d-2}{2}+k),b\&NotEqual;(n-\frac{d-2}{2}+j);$

When $(d-1)+(d-1)\&times;(n-1)\&le;H\&le;(n-\frac{d-2}{2}+n-\frac{d-2}{2}-(d-1))+(d-1)\&times;(n-1)=(2n-2d+3)+(d-1)\&times;(n-1)$ Time, if ${\mathrm{\&lambda;}}_{(n-\frac{d-2}{2}+i)}\&NotEqual;0,$ (wherein $0\&le;i\&le;n-\frac{d-2}{2}-(d-1)$ ),

${\mathrm{\&lambda;}}_j=0,(n-\frac{d-2}{2}-i)<j\&le;(2n-2d+3),j\&NotEqual;(n-\frac{d-2}{2}+i).$

Described Indeterminate Equation Group, is characterized in that:

If n ≠ 4 and n ≠ 12, work as so time, λ _ican only get 0 or 1; And if only if when d is even number,

can get the number that is greater than 1, when d is odd number,

the nonzero integer that can get only has 1.

If n=4 or n=12, obtain d by the knowledge of binary linear code and be even number, work as

time, λ _ican only get 0 or 1;

can get the number that is greater than 1.

Why described method, can generate the binary matrix that Hamming weight is high, and its reason is as follows:

First test the situation that Hamming weight is high, if can not find, just by H(matrix H amming weight and) certainly subtract 1, then again separate Indeterminate Equation Group, again choose row structural matrix, the Hamming weight that has so just guaranteed gained matrix is higher situation always.

The method of the strong orthomorphic matrices of structure in described step (4), its feature is as follows:

Generate all n! of 1 to n Plant and arrange, then utilize and arrange the row order of rearranging matrix.The generation of arranging can be calculated in advance, then stores precomputation result, in the time of use, directly calls.When utilizing an arrangement to rearrange row order, obtain, after a new matrix, calculating this poly, then detect finite field gf (2 ^m) (suppose GF (2 ^m) expression finite field gf (2 ^m), wherein m > 1, the implication of the m occurring is afterwards all with herein) on all nonzero elements whether be this root of polynomial, if be not all root, this matrix is strong orthomorphic matrices, and this result is exported.

The lower bound of binary matrix Hamming weight in described step (2), is characterized in that:

When H(matrix H amming weight and) certainly subtract 1 after, if the value of H is less than lower bound, program stops, and points out under this scale (for the m and the n that set) without the strong orthomorphic matrices meeting the demands.

Compared with prior art, the invention has the beneficial effects as follows:

(1) the Hamming weight that can guarantee resulting binary matrix reaches all peaks under optimal conditions of differential branch number and linear branch number, thereby reaches optimum snowslide effect, and prior art can not guarantee this point;

(2) suppose to design the binary system diffusion matrix on n rank, if test in order so from high to low the possible Hamming weight of binary matrix and situation, because this scope is larger, (scope is (0, n ²)), therefore need to reduce the scope; And for a specific Hamming weight and, the different situations that test are a lot (need to separate Indeterminate Equation Group) also, so also will reduce for a specific Hamming weight and need the different situations number of test.The present invention provided the possible Hamming weight of binary matrix and a general upper bound and a general lower bound, so just dwindled need the Hamming weight of test and scope; The present invention simultaneously for be in different interval binary matrix Hamming weight and Indeterminate Equation Group, all provided constraints, so just reduced the different situations number that will test, thereby reduced to a great extent amount of calculation.

(3) can make the linear diffusion matrix of the binary system that constructs there is strong complete equipilibrium, and the binary system diffusion matrix of prior art structure is without this character.

Accompanying drawing explanation

Fig. 1 is the rough flow chart of method for designing;

Fig. 2 is method for designing detail flowchart.

Embodiment

For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein, only in order to explain the present invention, is not intended to limit the present invention.

Generally, the linear diffusion structure of block cipher can be with a GF (2 ^m) ⁿon linear orthomorphism represent, and a linear orthomorphism can represent with an invertible matrix, differential branch number and linear branch number: the θ that therefore can define as follows linear diffusion structure are GF (2 ^m) ⁿon a linear orthomorphism, x=(x ₀, x ₁..., x _n-1) ∈ GF (2 ^m) ⁿcolumn vector, θ (x)=Mx, M is GF (2 ^m) on n rank invertible matrix, claim ${\mathrm{\&beta;}}_D\left(\mathrm{\&theta;}\right)=\underset{x\&NotEqual;0}{\min }\{W_h\left(x\right)+W_h\left(\mathrm{Mx}\right)\}$ Differential branch number for θ; ${\mathrm{\&beta;}}_L\left(\mathrm{\&theta;}\right)=\underset{x\&NotEqual;0}{\min }\{W_h\left(x\right)+W_h\left(M^{T}x\right)\}$ Linear branch number for θ.Wherein (.) ^trepresent matrix transpose, x ₀, x ₁..., x _n-1in the non-vanishing number Hamming weight that is x, be designated as W _h(x).

A corresponding linear code of linear transformation, if θ is GF (2 ^m) ⁿon linear orthomorphism, and θ (x)=Mx, corresponding linear code is [2n, n, d], G=[I _n| M], and the differential branch number of θ equals the minimum distance d of linear code.And the bound of binary linear code minimum distance has provided in document [1], so given n, we just can obtain the theoretical optimal value of n rank binary matrix differential branch number, and the theoretical optimal value of linear branch number equates with the theoretical optimal value of differential branch number.The minimum distance d of common binary linear code [2n, n, d] is as following table:

The minimum distance d of table 1 binary linear code [2n, n, d]

n	d	n	d
				1	2	10	6
2	2	11	7
				3	3	12	8

4	4	13	7
				5	4	14	8
6	4	15	8
				7	4	16	8
8	5	17	8
				9	6	18	8

Lemma 1[2] suppose that M is GF (2 ^m) on n rank binary matrix, definition mapping

for GF (2 ^m) ⁿto GF (2 ^m) ⁿmapping and

for GF (2) ⁿto GF (2) ⁿmapping and

have

By lemma 1, can obtain judging fast whether binary matrix differential branch number reaches optimum theorem.

Theorem 1 is established a ₀, a ₁..., a _n-1n dimension binary column vector, matrix A=(a ₀, a ₁..., a _n-1) be an invertible matrix, and the maximum differential branch number of known n rank binary matrix is β _{d (n)}, the differential branch number of matrix A is β _{d (n)}sufficient and necessary condition be with lower inequality, form vertical, W _h(.) represents Hamming weight:

(0≤i ₁, i ₂, i _k< n and unequal mutually, 1≤k≤β _{d (n)}-2).

In like manner for linear branch number, can obtain following theorem.

Theorem 2 is established a ₀, a ₁..., a _n-1n dimension binary row vector, matrix A=(a ₀, a ₁..., a _n-1) ^tan invertible matrix, and the maximum linear of known n rank binary matrix to divide number be β _{l (n)}, the linear branch number of matrix A is β _{l (n)}sufficient and necessary condition be with lower inequality, form vertical:

(0≤i ₁, i ₂, i _k< n and unequal mutually, 1≤k≤β _{l (n)}-2).

By theorem 1 and theorem 2, we can judge whether the correlated branch number of a n rank binary system invertible matrix has reached optimum fast.

By document [3], known, the Hamming weight of binary matrix column vector and higher, snowslide effect is better, so we are except considering differential branch number and linear branch number, also need to make the Hamming weight of binary matrix high as much as possible.Said in Fig. 1 and Fig. 2 " determining the bound of binary matrix Hamming weight " related Hamming weight i.e. justice for this reason.

As used in this specification is GF (2 ^m) ⁿon strong orthomorphic permutation, be defined as follows:

It is GF (2 that σ is established in definition 1 ^m) ⁿon a displacement, if

be still GF (2 ^m) ⁿon a displacement, wherein k is GF (2 ^m) on arbitrary element, I is GF (2 ^m) ⁿon identical permutation, σ is GF (2 ^m) ⁿon strong orthomorphic permutation.

It is GF (2 that theorem 3 is established σ ^m) ⁿon a displacement, the corresponding GF (2 of σ ^m) on n * n rank invertible matrix M.If x ∈ GF (2 ^m) ⁿcolumn vector, σ (x)=Mx.σ is that the proper polynomial of strong orthomorphic permutation and if only if invertible matrix M is at GF (2 so ^m) on there is no root.When σ is strong orthomorphic permutation, we claim that M is now a strong orthomorphic matrices.

Strong orthomorphic matrices in Fig. 1 and Fig. 2 is exactly the linear strong corresponding matrix of orthomorphic permutation.

Then be the definition of strong complete equipilibrium:

If define 2 one GF (2 ^m) ⁿon displacement, can be by group

upper any one rank are 2 ^mn-1half of element of maximal subgroup be mapped to shape as kH(wherein k be GF (2 ^m) on any nonzero element) maximal subgroup, and second half is mapped in the supplementary set of maximal subgroup kH, claims that this displacement is GF (2 ^m) ⁿon the displacement of strong complete equipilibrium.

There is following cor-responding identified theorems:

4 one GF (2 of theorem ^m) ⁿon displacement be strong orthomorphic permutation, and if only if, and it is strong complete equipilibrium.

Note: the definition of strong orthomorphic permutation is derived from document [4], but definition in document [4] is orthomorphic permutation.Due to the form of strong orthomorphic permutation and common orthomorphic permutation have obviously different, so it has been re-started to definition in this specification.The visible document of proof [4] of theorem 4.

Be convenient to comparison, redefine GF (2 in document [4] here ^m) ⁿthe related notion of upper orthomorphic permutation:

It is GF (2 that σ is established in definition 3 ^m) ⁿon a displacement, if

be still GF (2 ^m) ⁿon a displacement, wherein I is GF (2 ^m) ⁿon identical permutation, σ is GF (2 ^m) ⁿon orthomorphic permutation.

If define 4 one GF (2 ^m) ⁿon displacement, can be by group upper any one rank are 2 ^mn-1half of element of maximal subgroup be mapped to this maximal subgroup, and second half is mapped in the supplementary set of this maximal subgroup, claims that this displacement is GF (2 ^m) ⁿon complete equipilibrium displacement.

5 one GF (2 of theorem ^m) ⁿon displacement be orthomorphic permutation, and if only if, and it is complete equipilibrium.

Can see, the balance of strong orthomorphic permutation is stronger than common orthomorphic permutation, and character is more excellent.

The principle of this method is described below in conjunction with concrete sample, and the method generates a differential branch number and linear branch number is all theoretical optimum, the highest strong orthomorphic matrices of while Hamming weight, and this matrix can be used as linear diffusion structure and uses.

Get m=8, n=8, according to learning in table 1 that the differential branch number of binary matrix and linear branch count maximum and be 5,, d=5 namely, according to Fig. 1 and Fig. 2, specific implementation step is as follows:

Step 1: utilize general Lower Bound Formula (d-1) n, calculating a lower bound is (5-1) * 8=32, utilizes general Upper Bound Formula

calculating a upper bound is

h is set to 49.

Then we generate (n-d+1)=(8-5+1)=4 set being comprised of n=8 dimension binary row vector, the Hamming weight of first set of rows vector is all d-1=4, the Hamming weight of second set is all d=5, the Hamming weight of the 3rd set is all d+1=6, the Hamming weight of the 4th set is all d+2=7, Hamming weight is that the row vector of n=8 only has one (being binary vector 11111111), need not generate separately.

Step 2: suppose that the binary matrix that will generate comprises that Hamming weight is that the row of i has λ _iindividual (d-1≤i≤n, i.e. 4≤i≤8), obtain following Indeterminate Equation Group:

$\left\{\begin{array}{c}{\mathrm{\&lambda;}}_i\&GreaterEqual;\mathrm{0,4}\&le;i\&le;8\\ \underset{i=4}{\overset{8}{\mathrm{\&Sigma;}}}{\mathrm{\&lambda;}}_i=8\\ \underset{i=4}{\overset{8}{\mathrm{\&Sigma;}}}i{\mathrm{\&lambda;}}_i=H\end{array}\right.$

According to the versatility conclusion of summary of the invention part, bring parameter n=8 into, d=5, obtains:

When 43 < H≤49, λ ₈=0;

When 32≤H≤43,

If λ ₈≠ 0, λ ₆=λ ₇=0,

If λ ₇≠ 0, λ ₈=0;

λ ₇and λ ₈the nonzero integer that can get can only be 1.

The initial value of H is 49 now, λ ₈=0, λ ₇can only get 0 or 1.So just reduced the number of the different situations that will test.Solve equation now, obtain all disaggregation { (λ ₄, λ ₅, λ ₆, λ ₇, λ ₈=0) }

For each group, separate, the row vector set that is i from Hamming weight, choose λ _iindividual row, obtain a linear diffusion matrix of 8 rank binary system (irrelevant with row order), then utilize theorem 2 to judge whether the linear branch number of this matrix reaches optimum, whether reaching optimum, to detect this matrix be that invertible matrix (can be by calculating this determinant of a matrix, it is invertible matrix that determinant is not 0), that invertible matrix continues to carry out next step, if linear branch number does not reach optimum or is not the row that invertible matrix is selected other.If this group solution is proved to be as invalid, continues to get other concentrated solutions of solution and detect.If disaggregation is proved to be as invalid, H is subtracted to 1, if now H is less than 32, program stops, otherwise continues execution step 2.

By this step, calculate, work as H=49,, all do not exist linear branch number optimum and simultaneously can at 48,47,46,45 o'clock

Contrary binary matrix.Work as H=44, the row vector combination that has two groups of solutions existence to meet the demands:

{ (λ ₄=0, λ ₅=4, λ ₆=4, λ ₇=0, λ ₈=0) } and { (λ ₄=1, λ ₅=3, λ ₆=3, λ ₇=1, λ ₈=0) }.

Step 3: utilize the differential branch number of theorem 1 judgment matrix whether to reach optimum, if continue to carry out next step, return to if not execution step 2.

After tested, { (λ ₄=1, λ ₅=3, λ ₆=3, λ ₇=1, λ ₈=0) the row vector combination of } separating is all denied in this step,

{ (λ ₄=0, λ ₅=4, λ ₆=4, λ ₇=0, λ ₈=0) the row vector combination of } separating detects by differential branch number, enters next step.

Step 4: this matrix is exchanged between two by row, often obtain the proper polynomial that a new matrix computations goes out it, then according to theorem 3, detect successively GF (2 ⁸) whether upper all nonzero elements are roots (being that root represents that this matrix is not strong orthomorphic matrices) of this characteristic value, if be not root this matrix be GF (2 ⁸) on strong orthomorphic matrices, Output rusults, program stops.If root continues to attempt other row, exchange combination, if all 8! Individual matrix is not strong orthomorphic matrices, returns to execution step 2.

By carrying out above step, when H=44, by { (λ ₄=0, λ ₅=4, λ ₆=4, λ ₇=0, λ ₈=0) the strong orthomorphic matrices of 8 rank binary system following (can generate a lot of strong orthomorphic matrices, only select as example) of the row vector combination producing of } separating:

$\left[\begin{array}{cccccccc}1& 1& 0& 1& 1& 1& 0& 0\\ 1& 1& 1& 0& 1& 0& 1& 0\\ 0& 0& 1& 1& 1& 0& 1& 1\\ 1& 0& 0& 1& 0& 1& 1& 1\\ 0& 1& 1& 1& 1& 1& 1& 0\\ 1& 0& 1& 1& 1& 1& 0& 1\\ 1& 1& 0& 0& 1& 1& 1& 1\\ 1& 1& 1& 1& 0& 0& 1& 1\end{array}\right]$

The differential branch number of this matrix and linear branch number are all that theoretical optimal value 5,44 is also possible maximum Hamming weight, also have strong complete equipilibrium simultaneously.

Above-mentioned embodiment describes the present invention with preferred embodiments, but the example of this visualization of just lifting for the ease of understanding should not be considered to be the restriction of the scope of the invention.Equally, within the spirit and principles in the present invention all, any modification of doing, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.

List of references

[1]Brouwer?A?E,Verhoeff?T.An?updated?table?of?minimum-distance?bounds?for?binary?linear?codes[J].Information?Theory,IEEE?Transactions?on,1993,39(2):662-677.

[2] Cui Ting, Chen Heshan, Jin Chenhui. some annotation [J] of block cipher binary diffusion structure. Journal of Software, 2012,23 (9): 2430-2437.

[3]Kanda?M,Takashima?Y,Matsumoto?T,Aoki?K,Ohta?K.A?Strategy?for?Constructing?Fast?Round?Functions?with?Practical?Security?Against?Differential?and?Linear?Cryptanalysis[A].In：Tavares?S,Meijer?H.proceedings?of?the?Selected?Areas?in?Cryptography[C].Berlin/Heidelberg:Springer,1999,1556:264-279.

[4] virgin speech, Zhang Huanguo, the clear .GF (2 of Han Hai ⁿ) ^mon linear orthomorphic permutation [J]. Wuhan University Journal (Edition), 2010,56 (2): 235-239.

Claims (10)

1. a method for designing for the linear diffusion structure of binary system in symmetric cryptography, is characterized in that, described method comprises:

(1) calculate the upper bound and the lower bound of binary matrix Hamming gravimetric value, generate the set that candidate row vector forms simultaneously;

(2) be expert at and choose element structure linear branch number in vector set and reach theoretical optimum, the high binary system invertible matrix of Hamming weight simultaneously;

(3) it is theoretical optimum whether the differential branch number that judges this matrix also reaches;

(4) by row is exchanged between two, construct strong orthomorphic matrices;

Binary matrix is that matrix element is 0 or 1 matrix, and the binary matrix Hamming gravimetric value here equals the number that in this matrix, element is 1.

2. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 1, is characterized in that:

Suppose the scale of n representing matrix, and 1≤n≤18, d is the minimum distance of binary linear code [2n, n, d], the n occurring afterwards and the implication of d are all with herein;

This binary matrix of hypothesis is n rank now, and according to the corresponding relation of binary linear code [2n, n, d] and binary matrix, can obtain general lower bound is (d-1) n so.

3. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 1, is characterized in that:

A general upper bound is

wherein

represent to be not more than the maximum integer of (*), represent to be not less than the smallest positive integral of (*), occur afterwards

with

implication is all with herein.

4. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 1, is characterized in that:

Generate altogether the set of (n-d+1) individual n dimension row vector, in each row vector set, the Hamming of all row is equal in weight, and (n-d+1) the row vector Hamming weight value of individual row vector set is followed successively by d-1, d ..., n.

5. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 1, is characterized in that:

Suppose that H equals the Hamming gravimetric value of this binary matrix, λ _ivalue equals the quantity of the row that in binary matrix, Hamming weight is i, can obtain following Indeterminate Equation Group so:

$\left\{\begin{array}{c}{\mathrm{\&lambda;}}_i\&GreaterEqual;0,d-1\&le;i\&le;n,\\ \underset{i=d-1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{\&lambda;}}_i=n\\ \underset{i=d-1}{\overset{n}{\mathrm{\&Sigma;}}}i{\mathrm{\&lambda;}}_i=H\end{array}\right.$

Solve this equation group and obtain all disaggregation { (λ _d-1, λ _d..., λ _n), then select at random wherein one group of solution (λ _d-1', λ _d' ..., λ _n'), the row vector set that is i from Hamming weight, choose λ _i' individual different rows structure binary matrix.

6. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 5, is characterized in that:

Suppose i, j, k, b is natural number.

If n ≠ 4 and n ≠ 12, work as so

time, wherein

?

And if 0≤j≤k wherein,

When

time, if wherein

?

If n=4 or n=12, now d is even number, works as

$(n-\frac{d-2}{2}+(k+1))+(n-\frac{d-2}{2}-(k+1))\&times;(n-1)<H\&le;(n-\frac{d-2}{2}+k)+(n-\frac{d-2}{2}-k)\&times;(n-1)$ Time, wherein $0\&le;k\&le;n-\frac{d-2}{2}-(d-1)-1,$ ?

${\mathrm{\&lambda;}}_i=0,(n-\frac{d-2}{2}+(k+1))\&le;i\&le;(2n-2d+3),$

And if

0≤j≤k wherein,

${\mathrm{\&lambda;}}_b=0,(n-\frac{d-2}{2}-j)<b\&le;(n-\frac{d-2}{2}+k),b\&NotEqual;(n-\frac{d-2}{2}+j);$

When $(d-1)+(d-1)\&times;(n-1)\&le;H\&le;(n-\frac{d-2}{2}+n-\frac{d-2}{2}-(d-1))+(d-1)\&times;(n-1)=(2n-2d+3)+(d-1)\&times;(n-1)$ Time, if ${\mathrm{\&lambda;}}_{(n-\frac{d-2}{2}+i)}\&NotEqual;0,$ Wherein $0\&le;i\&le;n-\frac{d-2}{2}-(d-1),$ ?

${\mathrm{\&lambda;}}_j=0,(n-\frac{d-2}{2}-i)<j\&le;(2n-2d+3),j\&NotEqual;(n-\frac{d-2}{2}+i).$

7. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 6, is characterized in that:

If n ≠ 4 and n ≠ 12, work as so

time, λ _ican only get 0 or 1; And if only if when d is even number,

can get the number that is greater than 1, when d is odd number,

the nonzero integer that can get only has 1.

If n=4 or n=12, obtain d by the knowledge of binary linear code and be even number, work as

time, λ _ican only get 0 or 1;

can get the number that is greater than 1.

8. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 1, is characterized in that:

First test the situation that Hamming weight is high, if can not find, just by H from subtracting 1, then again separate the indeterminate equation in claim 5, again choose row structural matrix, the Hamming weight that has so just guaranteed gained matrix is higher situation always.

9. the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography according to claim 1, is characterized in that:

Generate all n! of 1 to n Plant and arrange, then utilize and arrange the row order of rearranging matrix.The generation of arranging can be calculated in advance, then stores precomputation result, in the time of use, directly calls.When utilizing an arrangement to rearrange row order, obtain, after a new matrix, calculating this poly, then detect finite field gf (2 ^m) on all nonzero elements whether be this root of polynomial, if be not all root, this matrix is strong orthomorphic matrices, by the output of this result.

10. according to the method for designing of the linear diffusion structure of binary system in a kind of symmetric cryptography described in claim 1 and 8, it is characterized in that:

When H is after subtracting 1, if the value of H is less than lower bound, program stops, and points out under this scale without the strong orthomorphic matrices meeting the demands.

Images