CN101023621A - Substitution boxes - Google Patents

Substitution boxes

Info

Publication number: CN101023621A
Authority: CN (China)
Prior art keywords: bit, input, output, box, basic
Legal status: Pending
Application number: CN 200580031586
Other languages: Chinese (zh)
Inventor: 肖恩·欧奈尔
Current assignee: SYNAPTIC LAB Ltd
Original assignee: SYNAPTIC LAB Ltd
Priority claimed from: AU2004905507A
Application filed by: SYNAPTIC LAB Ltd
Publication of CN101023621A
Landscapes: Storage Device Security (AREA)
Abstract

The invention provides a multiple-input multiple-output S-box adapted to receive a serially numbered input bits (101, 102, 103, 104 and 105) ranging from I1 to Ia, where a is at least 4, and to output b serially numbered output bits (131, 132, 133, 134 and 135) ranging from O1 to Ob. The S-box comprises c basic S-boxes (121, 122 and 123) ranging from sb1 to sbc. Each basic S-box (121, 122 and 123) has a multiple-input single-output Boolean function, f1 to fc, defining the relationship between a plurality of inputs and a single output. Each basic S-box (121, 122, 123) receives an input bit set, s1 to sc. Each input bit set is selected from the input bits (101, 102, 103, 104 and 105) and comprises sl1 to slc bits respectively. Each of the numbers sl1 to slc is in the range 3 to (a-1), and the sum of the numbers sl1 to slc is greater than a. The b output bits (131, 132, 133, 134, 135) of the S-box are the outputs of the c Boolean functions.

Description

Substitution box
Technical field
The present invention relates to the structure of substitution boxes (S-boxes), and to embodiments useful in hardware and in software.
Background art
This application claims priority from Australian provisional patent applications No. 2004905507 filed on 24 September 2004, No. 2004906543 filed in November 2004, No. 2004907361 filed on 30 December 2004, No. 2004907374 filed on 31 December 2004 and No. 2005902136 filed on 29 April 2005, the entire contents of all of which are incorporated herein by reference.
In this specification (including the claims), the word "comprise" (comprises, comprising) is used to indicate the presence of the stated features, integers, steps or components, but does not exclude the presence or addition of one or more other features, integers, steps or components; and the "index position" Pi of bit i denotes the position of bit i within a contiguous set of input bits.
In this specification, the term "probabilistic process" denotes a random or pseudo-random process, where a pseudo-random process is seeded with a constant or with key material, and where the source of randomness and the pseudo-random algorithm are arbitrary. Any known pseudo-random number generator or stream cipher may be used for this purpose.
A reference to any published document in this specification is not to be taken as an admission that the document forms part of the common general knowledge of the person skilled in the art.
To make the inventive features of the present invention easier to appreciate, some previously published documents relevant to the present technology are summarised below.
The definitions of confusion and diffusion were first proposed in 1949 by C. E. Shannon in his article "Communication Theory of Secrecy Systems".
A substitution box (S-box) receives a digitally encoded input and converts it into a differently encoded digital output, thereby providing confusion. A permutation box (P-box) receives a digitally encoded input and returns the same bits as output, unchanged in value but changed in order, thereby providing diffusion.
The "avalanche effect" describes a cipher property in which, in its simplest form, a change of a single bit at the input of a round function causes a change of at least two bits of the output. It is a required property of substitution boxes and was introduced by Horst Feistel, who described the properties of his cipher in "Cryptography and Computer Privacy", published in Scientific American, May 1973, Vol. 228, Number 5. That article showed that, because of technological limitations, a complete any-to-any substitution cannot be obtained for a large S-box such as 128 × 128. Therefore, in accordance with Shannon's definitions, nonlinear S-boxes of a very small practical size (4 × 4) were chosen to provide partial confusion, and a large P-box was chosen to interconnect the outputs of the S-boxes, thereby providing further diffusion.
The first digital block cipher is credited to Horst Feistel. The block cipher disclosed in US Patent 3,798,359 (Feistel), issued 19 March 1974, used small 4 × 4 substitution boxes combined with permutation operations performed on 64 or 128 bits. The 4 × 4 S-boxes were designed to be implemented using combinational logic.
S-boxes and P-boxes are used as part of most Feistel-type, or so-called Feistel Network, ciphers and of other cryptographic primitives. They were also used in the public Data Encryption Standard (DES), disclosed in US Patent 3,958,081 (Ehrsam et al.), issued 18 May 1976. The DES cipher became a US federal standard in 1977. It should be noted that its carefully selected 6 × 4 S-boxes were emphasised as ensuring an efficient hardware implementation using combinational logic, while at the same time satisfying important cryptographic criteria that were not publicly known at the time.
The substitution operation of an S-box is usually non-arithmetic. Arithmetic operations, such as but not limited to addition, multiplication and exponentiation, are often used to replace non-arithmetic S-boxes, or are combined with them. Substitution-permutation networks based on combinations of such arithmetic operations and non-arithmetic S-boxes are efficient on word-based processor architectures. One example of such a structure is described in US Patent 4,255,811 (Adler), issued 10 March 1981, which discloses a cipher using arithmetic addition and subtraction modulo 2^n, n-bit-wide exclusive OR (XOR), static n-bit permutations and key-dependent n-bit rotation operations. Further similar structures are described in US Patent 4,982,429 (Takaragi et al.), issued 1 January 1991, and US Patent 5,103,479 (Takaragi et al.), issued 7 April 1992. Word-based arithmetic nonlinear operations are used in cryptographic hash functions, for example in the MD5 hash function described by Ron Rivest in Request for Comments 1321 of April 1992.
No important research has been published on permutation boxes (P-boxes); the permutation box is left to the designer to determine, and in most cases it is either entirely linear or chosen at random.
Feistel Network ciphers also include a combining function in their structure; in most cases this function is linear and contributes to diffusion. An example of replacing the linear combiner (XOR) with a nonlinear arithmetic operation of high diffusivity can be found in the so-called GOST cipher (GOST 28147-89, 1989), the cryptographic algorithm for information processing systems and cryptographic protection recommended by the National Soviet Bureau of Standards. The GOST cipher is also an example of a cipher that uses word-based rotation operations to obtain bit diffusion between the S-boxes.
The "completeness" criterion was first clearly defined by John B. Kam and George I. Davida in the article "Structured Design of Substitution-Permutation Encryption Networks", IEEE Transactions on Computers, 1979, Vol. 28, No. 10, p. 747. An encryption transformation is "complete" if every ciphertext bit depends on all plaintext bits. A cipher satisfying the completeness criterion is found in US Patent 4,275,265 (Davida et al.), issued 23 June 1981. The completeness criterion requires an M × N S-box to have the following form: N instances of a single-output M-input Boolean function, each of which must take the full set of M input bits as input.
In the 1982 article "Are Big S-Boxes Best", J. Gordon and H. Retkin studied the cryptographic properties of S-boxes whose content is chosen as a random permutation of the set of all possible outputs. The article appears to conclude, and the original work demonstrates, that if the number of entries is large enough, a variety of desirable cryptographic properties are likely to be found in such randomly chosen S-boxes. For example, among 2^64 randomly generated invertible 6 × 6 S-boxes, fewer than one S-box would contain usable linearity.
In the 1982 article "Probabilistic completeness of substitution-permutation encryption networks", IEEE Proceedings, 129(5): 195-199, F. Ayoub concludes that new research shows that, under given conditions, verification for preset trapdoors can be dispensed with by choosing the substitution functions at random. The article also describes that when the permutations are also chosen at random, i.e. set by the user key, the resulting network has the completeness property with very high probability, that is, every output bit is a function of all input bits.
We refer to the above two articles when we allow the Boolean functions of our M × 1 S-boxes to be chosen at random.
In the master's thesis "On the Design of S-Boxes" by A. F. Webster and S. E. Tavares, Department of Electrical Engineering, Queen's University, Kingston, Ont., Canada, published in LNCS no. 218, pp. 523-534 (1986), the authors clearly defined the "strict avalanche criterion (SAC)". The SAC states that whenever a single input bit is complemented, each ciphertext output bit should change with a probability of exactly one half.
The paper describes a heuristic process for selecting 4 × 4 S-boxes that satisfy the SAC and an additional property, "avalanche variable independence". The process first selects all potentially invertible 4 × 1 functions that satisfy the SAC and combines them to produce 4 × 4 substitution boxes. The paper also describes other heuristic techniques for optimising the search process, such as choosing the 4 × 1 Boolean functions from a family of functions generated from a limited number of "perfect" S-boxes found in the initial step.
The paper emphasises how the cipher described in US Patent 4,275,265 (Davida et al.) fails to satisfy the SAC, and confirms a latent weakness in DES that had previously been pointed out by other researchers. The paper also emphasises that a structure which does not satisfy the SAC may be converted into one which does by iterating the structure over several rounds. This conversion is more likely to be achieved when the structure is a substitution-permutation network in which the permutation wiring is random.
The perfect nonlinearity criterion for S-boxes was first introduced in the 1989 article "Nonlinearity Criteria for Cryptographic Functions", Advances in Cryptology - EUROCRYPT '89, pp. 549-562, by Meier and Staffelbach. The authors state that the perfect nonlinearity criterion affects diffusion and is in fact a stronger requirement than the SAC.
In the 1992 article "On immunity against Biham and Shamir's Differential Cryptanalysis", Information Processing Letters, vol. 41, 14 February 1992, pp. 77-80, Carlisle M. Adams describes a method of generating S-boxes of practical size that are immune to differential cryptanalysis.
US Patent 5,796,837 (Kim et al.), issued 18 August 1998, discloses a method of generating M × N S-boxes of practical size that are immune to linear and differential cryptanalysis. US Patent 6,031,911 (Adams et al.), issued 29 February 2000, discloses a heuristic technique for generating M × N S-boxes which makes the S-boxes satisfy the SAC and other criteria quickly during an incremental process (similar to the technique introduced by A. F. Webster and S. E. Tavares in the above paper "On the Design of S-Boxes").
From the above analysis of the published material we may safely conclude that research on non-arithmetic S-boxes and the generation of non-arithmetic S-boxes fall into three general schools of thought: selecting a random permutation of the possible outputs for a sufficiently large S-box; generating key-dependent S-boxes from known strong S-boxes; and finding newer and stricter heuristic criteria to guarantee the desired cryptographic properties of a fixed S-box. In all cases, the three schools of non-arithmetic S-box generation agree that the S-box must at least guarantee the completeness criterion with high probability.
We note the following properties of non-arithmetic S-boxes:
- balanced M × 1 Boolean functions for the construction of S-boxes can be selected at random;
- an M × N S-box can be built from random balanced M × 1 Boolean functions and heuristically improved to satisfy the SAC;
- an M × N S-box can be selected by randomly permuting a fixed initial permutation;
- a single round of a substitution-permutation (SP) network cipher can be built from one or more unique M × N S-boxes, each S-box individually satisfying the SAC, while the SP network itself does not satisfy the SAC; and
- as described above, where a single round of an SP network cipher does not satisfy the SAC, the complete SP network may satisfy the SAC after two or more iterated rounds.
In each case, S-boxes of small practical size with desirable properties are chosen for the substitution-permutation network, approximating large strong S-boxes that are otherwise technically infeasible; the desirable properties include the highest achievable nonlinearity, the highest achievable algebraic degree and the fastest achievable avalanche.
In software, or on word-based processor architectures, the basic Boolean operations (AND, MOV (move/copy), NAND, NOR, NOT, OR, XNOR, XOR, etc.) are a form of single-instruction multiple-data (SIMD) operation, performed on strictly structured, parallel N-bit-wide inputs. For example, on a 32-bit general-purpose processor such as the IBM PowerPC or Intel x86 architecture, the Boolean AND instruction takes a 64-bit input provided by a pair of 32-bit-wide registers, performs 32 individual bitwise AND operations, and emits a 32-bit output.
In software, all M × N S-boxes and M × 1 Boolean functions are implemented either as look-up tables or by a suitable selection and arrangement of basic SIMD operations. An example of SIMD operations used for an efficient software implementation of 32 parallel 2-to-1 multiplexers can be found in the cryptographic hash function MD5.
The most obvious characteristic of SIMD instructions is their strict positional correspondence: each bit of each input register affects only the bit in the same position of the output; the least significant bit of each input register affects only the least significant bit of the output, the most significant bit of each input register affects only the most significant bit of the output, and so on. When such operations are iterated or grouped without using (fixed or variable) rotations, byte swaps or other (fixed or variable) permutations, substitutions or other arithmetic operations, no output bit is affected by more than one bit of each N-bit-wide input register. Therefore fixed or variable rotations, byte swaps or other (fixed or variable) bitwise permutations, bitwise substitutions or arithmetic operations are needed to introduce diffusion between the different bits of each input register, which is essential for cryptographic use.
The following techniques are used on word-based architectures to introduce the bitwise permutation operations needed to achieve bit diffusion:
- P-boxes, usually implemented as look-up tables combined with S-boxes;
- fixed bitwise rotation operations, which appear in the GOST standard 28147-89 published in 1989;
- key-dependent bitwise rotation operations, disclosed in the above-cited US Patent 4,255,811 (Adler), issued 10 March 1981;
- data-dependent rotation operations, disclosed in US Patent 4,157,454 (Becker), issued 5 June 1979;
- bit-masked AND operations combined with bitwise rotation operations and combining operations such as OR, XOR or ADD, disclosed in US Patent 4,888,798 (Earnest), issued 19 December 1989, and US Patent 5,168,521 (Delaporte et al.), issued 1 December 1992;
- permutation instructions, such as the GRP operation proposed by Ruby B. Lee, Z. J. Shi, Y. L. Yin, Ronald L. Rivest and M. J. B. Robshaw in the article "On permutation operations in cipher design", the PPERM and CROSS operations described by R. B. Lee et al. in the article "Efficient permutation instructions for fast software cryptography", IEEE Micro, 21(6): 56-69, December 2001, or the BFLY operation described by Z. Shi et al. in "Arbitrary bit permutations in one or two cycles", Proceedings of the 15th International Conference on Application-Specific Systems, Architectures and Processors, pp. 237-247, June 2003;
- word-based arithmetic operations (ADD, SUB, MUL, DIV), as found in the GOST standard 28147-89 published in 1989;
- and the less common byte swap, word swap and bit-order reversal operations.
The static bitwise permutations and expansions described in the above patents are implemented directly in hardware as wiring permutations, without any other logic circuitry, regardless of the software implementation proposed or to be performed. Dynamic bitwise permutation operations, including S-boxes, arithmetic operations, and data-dependent and key-dependent (on an optional key) rotations and permutations, are implemented in hardware using Boolean logic or as look-up tables.
Bit slicing, proposed by Eli Biham in the 1997 article "A Fast New DES Implementation in Software", results in the parallel execution of many cipher instances using only the basic AND, OR, XOR and NOT Boolean functions and move operations. As noted above, bit slicing does not create any interdependence between the 32 or 64 different cipher instances. Bit slicing directly references registers of different N-bit widths in place of the bitwise permutations performed within a single processor register, and so allows faster parallel software implementations. Bit slicing increases the latency of executing a single cipher instance sequentially, but the reduced performance is significantly compensated.
A heuristic algorithm (sometimes called an approximation algorithm) is a probabilistic algorithm that quickly finds good solutions to otherwise intractable problems. Such a solution may or may not be optimal, but it is acceptable for intractable problems, for which finding a good solution, or proving that any given solution is in fact optimal, is computationally infeasible. Any of the following heuristic algorithms can readily be used to improve the randomly or pseudo-randomly selected wiring permutations or Boolean functions used in the preferred embodiments of the present invention, judged by specific cryptographic criteria as the measure of quality: genetic algorithms, greedy algorithms, random search, tabu search, hill climbing, ant colony optimisation, simulated annealing, or hybrid and parallel variants of these. Suitable algorithms are described in the following works:
- Approximation Algorithms, Springer-Verlag, Heidelberg, 2001, ISBN 3-540-65367-8, author: Vijay V. Vazirani
- Approximation Algorithms for NP-hard Problems, PWS Publishing Co, Boston, 1996, ISBN 0-534-94968-1, author: D. S. Hochbaum
- Automated Cryptanalysis of Substitution Ciphers, published in Cryptologia vol XVII, No 4, 1993, pp. 407-418, authors: W. S. Forsyth and R. Safavi-Naini
- Automated Cryptanalysis of Transposition Ciphers, published in The Computer Journal vol XVII, No 4, 1994, authors: J. P. Giddy and R. Safavi-Naini
- Two-Stage Optimisation in the Design of Boolean Functions, published in Lecture Notes in Computer Science 1841, Springer 2000, ISBN 3-540-67772-9, pp. 242-254, authors: John Andrew Clark and Jeremy Jacob
Summary of the invention
In contrast, according to one aspect, the invention provides a multiple-input multiple-output S-box adapted to:
- receive a serially numbered input bits I1, I2, ..., Ia, where a is at least 4, and
- output b serially numbered output bits O1, O2, ..., Ob,
the S-box comprising:
- c basic S-boxes sb1, sb2, ..., sbc, each basic S-box:
- having a multiple-input single-output Boolean function f1, f2, ..., fc, these functions defining the relationship between a plurality of inputs and a single output; and
- being adapted to receive a respective input bit set s1, s2, ..., sc, each such input bit set being selected from the a input bits input to the S-box and comprising sl1, sl2, ..., slc bits respectively, such that:
- each of the numbers sl1, sl2, ..., slc is in the range 3 to (a-1); and
- the sum of the numbers sl1, sl2, ..., slc is greater than a,
and wherein the b output bits of the S-box comprise the outputs of the c Boolean functions.
According to another aspect, the invention provides an encryption process which:
- receives a serially numbered input bits I1, I2, ..., Ia, where a is at least 4, and
- outputs b serially numbered output bits O1, O2, ..., Ob,
the process comprising:
- c basic S-box operations sb1, sb2, ..., sbc, each basic S-box operation:
- having a multiple-input single-output Boolean function f1, f2, ..., fc, these functions defining the relationship between a plurality of inputs and a single output; and
- receiving a respective input bit set s1, s2, ..., sc, each such input bit set being selected from the a input bits input to the encryption function and comprising sl1, sl2, ..., slc bits respectively, such that:
- each of the numbers sl1, sl2, ..., slc is in the range 3 to (a-1); and
- the sum of the numbers sl1, sl2, ..., slc is greater than a,
and wherein the b output bits of the encryption function comprise the outputs of the c Boolean functions.
Brief description of the drawings
To make the present invention more readily understood, its preferred embodiments are described with reference to the accompanying drawings, in which Figs. 1, 2, 3 and 4 illustrate processes according to preferred embodiments of the present invention.
Detailed description
Fig. 1 shows part of a key-and-data-dependent substitution-permutation network cipher according to a preferred embodiment of the present invention. Fig. 1 can be implemented directly as a circuit in hardware, or emulated on a word-based architecture as described below.
The input 100 of the embodiment shown in Fig. 1 consists of 5 bits 101, 102, 103, 104 and 105. Function 110 shows a static expansion of input 100 by a factor of 3, which also serves as a permutation of the input bits. Function 120 comprises 5 instances of a 3 × 1 substitution box, of which only 3 (121, 122, 123) are shown in Fig. 1. Output 130 consists of 5 bits 131, 132, 133, 134 and 135. The 3 × 1 S-box 123 picks a unique set of 3 input bits from input 100, namely bit 105 and the two cyclically following bits 104 and 103, and generates the single output bit 135. The 3 × 1 S-box 122 picks a unique set of 3 input bits from input 100, namely bit 104 and the two cyclically following bits 103 and 102, and generates the single output bit 134. The 3 × 1 S-box 121 picks a unique set of 3 input bits from input 100, namely bit 101 and the two cyclically following bits 105 and 104, and generates the single output bit 131. Each bit of output 130 is produced by a 3 × 1 S-box, each S-box receiving a set of 3 input bits from input 100, where each of the 5 sets of 3 input bits has no more than 2 bits in common with any other of the 5 sets.
Each of the plurality of S-box functions marked by reference numeral 120 consists of a separate nonlinear three-input single-output Boolean function. In the preferred embodiment shown in Fig. 1, each of the plurality of S-box functions marked 120 performs a unique balanced nonlinear three-input single-output Boolean function.
Compared with a traditional M × N substitution box, the preferred embodiment of the present invention shown in Fig. 1 reduces wiring redundancy: in the region marked 120, each L-to-1 Boolean function has fewer than L inputs in common with any other L-to-1 Boolean function in region 120. In contrast, all traditional M × N substitution boxes must have full wiring redundancy in order to satisfy the completeness criterion: each M-to-1 Boolean function for a complete output bit must share all of its M inputs with all other M-to-1 Boolean functions in the S-box.
For illustrative purposes, S-boxes 123, 122 and 121 are chosen as 2-to-1 multiplexer functions, in which bits 119, 116 and 113 are the selector inputs of the respective multiplexers, and the bit sets {118, 117}, {115, 114} and {112, 111} are the respective data inputs. The selector and data inputs of the S-boxes 120 are taken from input 100, so the S-boxes 120 are a form of data-dependent substitution.
Thus the embodiment of the present invention shown in Fig. 1 comprises a plurality of input bit expansion permutations, multiplexer functions and output bit permutations. It takes a predetermined 1-to-L expansion of the input 100, a predetermined bitwise permutation of the expanded intermediate state 110, a key-and-data-dependent substitution 120 and an L-to-1 compression of the expanded intermediate state 110, and returns state 130 as output.
If output 130 is fed back to input 100, we describe this structure as a "nonlinear shift register with parallel feedback" or "parallel feedback NLFSR". In the preferred embodiment of the present invention, output 130 is fed back as input 100. Because each bit of output 130 depends on the two cyclically adjacent bits to its right, the influence of a bit propagates cyclically to the left. In this example, a minimum of two rounds is needed to obtain the required diffusion completeness.
We note that it is desirable for the critical-path circuit delay of each bit of output 130 to be broadly uniform in circuits implementing this process. In contrast to the present invention, circuit implementations based on arithmetic substitution boxes usually have strongly non-uniform critical-path delays, which depend on the chain of carry operations up to the most significant bit.
Fig. 2 has shown according to another preferred embodiment of the present invention key and data are relevant and has substituted-part of dijection (bijective) variant of permutation network cryptographic processes.25 bits of zone 200 sign inputs.24 bits on 201 sign inputs, 252 left sides, zone.25 bits of zone 210 sign outputs.According to the zone 240 in shown in 20 5 pairs 1 S-box, the zone 211 the sign 20 output bits.(it should be noted that and have only one to show in the drawings in 20 S-boxes, be i.e. S-box of indicating) by label 241.Zone 221 has shown 5 input bits.Dijection (reversible) 5 * 5 according to 5 input bits 221 substitutes-displacement 222, and zone 223 has shown 5 output bits.
The Boolean functions 241 of the single output of the many inputs of zone each in 240 adopt from zone 201 as the predetermined set 230 of 5 bits of 231,232,233,234 and 235 as input, produce of the output of first input bit, generate bit 253 as output as the linear combiner (XOR/XNOR) 251 in 250.Input bit 252 is second that enters in two input bits of 251.For zone each linear combiner 251 in 250, the corresponding Boolean function in the zone 240 must be only receives from the zone on the second input bit left side that enters combiner to be imported, and this zone is designated as 201 in the drawings.
In preferred implementation of the present invention shown in Figure 2, employed 5 couple's 1 substantially S-box 241 is made up of following part in the step shown in regional 240: 231~235, single Boolean functions of exporting and defining 5 couple 1 who concerns between input bit and the output bit of 5 inputs in the step shown in the zone 230, using, and the non-linear Boolean function 241 of each balance is selected at random.
Fig. 3 shows part of a basic key- and data-dependent substitution-permutation network according to a preferred embodiment of the invention. Data state 310 is 15 bits wide and is divided into 3 words (or blocks, sub-blocks or registers, whichever term is most convenient). Word 311 consists of the 5 bits 321, 322, 323, 324 and 325; word 312 of the 5 bits 331, 332, 333, 334 and 335; word 313 of the 5 bits 341, 342, 343, 344 and 345.
Region 350 shows a static expansion permutation of the data state with an expansion factor of 3. Region 360 shows the 3×1 non-linear substitution box functions (only one of which is drawn in the figure).
Data state 365 is 15 bits wide and is divided into 3 words. Word 366 consists of the 5 bits 371, 372, 373, 374 and 375; word 367 of the 5 bits 381, 382, 383, 384 and 385; word 368 of the 5 bits 391, 392, 393, 394 and 395.
The 3×1 substitution function 361 that is drawn takes a unique set of 3 input bits: bit 352, which originates from bit 344 of word 313; bit 353, which originates from bit 332 of word 312; and bit 351, which originates from bit 325 of word 311. The S-box 361 drawn generates the single output bit 385 in word 367.
Following the template above, for all 15 bits of state 365 each of the 3×1 S-boxes in 360 is presented with a unique set of 4 inputs.
According to the preferred embodiment of the invention shown in Fig. 3, a basic key- and data-dependent substitution-permutation network cipher offers a direct way of improving the software performance of the cipher.
Fig. 4 shows an example of a software implementation of the cipher according to the preferred embodiment of the invention shown in Fig. 1. The process of Fig. 4 runs on a processor whose word length is 5 bits. Word 400 consists of the 5 bits 401, 402, 403, 404 and 405; word 410 of the 5 bits 411, 412, 413, 414 and 415; word 430 of the 5 bits 431, 432, 433, 434 and 435; word 470 of the 5 bits 471, 472, 473, 474 and 475. Word 400 is expanded to 3 words by being copied into words 410 and 430.
Word 410 is statically permuted by a circular rotation 419 of one bit position towards the most significant bit. In this way bits 411, 412, 413, 414 and 415 are permuted to outputs 422, 423, 424, 425 and 421 respectively. Output bits 421 to 425 are used as a single word input to 450.
Word 430 is statically permuted by a circular rotation 439 of two bit positions towards the most significant bit. In this way bits 431, 432, 433, 434 and 435 are permuted to outputs 443, 444, 445, 441 and 442 respectively. Output bits 441 to 445 are used as a single word input to 450.
Region 450 denotes a function that takes 3 words as input and executes a series of basic instructions 460, composed of basic Boolean functions, to realise the multiplexer operation shown in Fig. 1. If we label word 400 as A, word 420 as B, word 440 as C and word 470 as D, then the 5-bit-wide 2-to-1 multiplexer can be expressed as follows, where A is the select input and B and C are the data inputs:
D=(A?AND?B)OR((NOT?A)AND?C)
Region 481 shows visually how bit 471 depends only on inputs 401, 421 and 441.
Regions 482 to 485 show the corresponding dependencies of bits 472 to 475 respectively.
If we describe the complete 5-bit-wide implementation of this process using only the 5-bit variables A and D, then:
D = (A AND (A ROT 1)) OR ((NOT A) AND (A ROT 2))
In assembler pseudo-code, where the general-purpose 5-bit register RA is the input, RB and RC are temporary registers and RD is the output, the same algorithm can be realised straightforwardly in the following 6 operations:
RB = RA rotate left 1
RC = RA and RB
RA = not RA
RB = RB rotate left 1
RD = RA and RB
RD = RD or RC
The above process shows, without loss of generality, how bitwise permutation operations can be cascaded and how move/copy operations can be optimised away. Other operations, such as byte swaps, look-up tables and binary mask operations, allow the skilled person to implement a wide range of wiring permutations easily on a software processor, expressing them as short sequences of processor instructions and thereby obtaining the desired software performance without reducing hardware performance.
In the preferred embodiments of the invention shown in Figs. 1, 2 and 3, the internal wiring permutations are selected at random; this includes the assignment of all input bits 100, 201 and 310 to the expanded input bits 110, 240 and 350 respectively, and the assignment of all output bits of the multiple basic L-to-1 S-boxes in 120, 240 and 360 to all the output bits in 130, 210 and 365 respectively.
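The following Python is an added example, not code from the patent, reproducing the Fig. 4 software realisation of the 5-bit-wide 2-to-1 multiplexer S-box both as the one-line formula and as the six-operation register sequence, and then checking properties a designer would want to know: which input bits each output bit depends on (the regions 481 to 485 of the figure), whether each output bit is balanced, and whether the 5-bit map is a bijection. It assumes that "rotation towards the most significant bit" is a left rotation with bit 0 as the least significant bit; the concrete bit numbering of the figure is not reproduced. The dependency and image-size checks go beyond what the text states and are computed exhaustively over all 32 inputs.

```python
WIDTH = 5  # processor word length used in Fig. 4


def rol(x, n, width=WIDTH):
    """Circular rotation of a width-bit word by n positions towards the
    most significant bit (assumption: bit 0 is the least significant bit)."""
    n %= width
    mask = (1 << width) - 1
    return ((x << n) | (x >> (width - n))) & mask


def mux_sbox(a, width=WIDTH):
    """D = (A AND (A ROT 1)) OR ((NOT A) AND (A ROT 2)).
    A is the select word; A ROT 1 and A ROT 2 are the two data words."""
    mask = (1 << width) - 1
    return (a & rol(a, 1, width)) | ((~a & mask) & rol(a, 2, width))


def mux_sbox_asm(a, width=WIDTH):
    """The same function written as the six-operation register sequence
    (RA is the input, RB and RC are temporaries, RD is the output)."""
    mask = (1 << width) - 1
    ra = a
    rb = rol(ra, 1, width)   # RB = RA rotate left 1
    rc = ra & rb             # RC = RA and RB
    ra = ~ra & mask          # RA = not RA
    rb = rol(rb, 1, width)   # RB = RB rotate left 1 (RB now holds A ROT 2)
    rd = ra & rb             # RD = RA and RB
    return rd | rc           # RD = RD or RC


def dependencies(f, width=WIDTH):
    """For every output bit i, the set of input positions j whose flip can
    change output bit i, found by an exhaustive flip test over all inputs."""
    deps = []
    for i in range(width):
        dep = set()
        for j in range(width):
            if any(((f(a) ^ f(a ^ (1 << j))) >> i) & 1
                   for a in range(1 << width)):
                dep.add(j)
        deps.append(dep)
    return deps


def is_balanced(f, i, width=WIDTH):
    """Output bit i is balanced when it is 1 for exactly half of all inputs."""
    ones = sum((f(a) >> i) & 1 for a in range(1 << width))
    return ones == (1 << width) // 2


def image_size(f, width=WIDTH):
    """Number of distinct outputs; it equals 2**width only for a bijection."""
    return len({f(a) for a in range(1 << width)})


if __name__ == "__main__":
    assert all(mux_sbox(a) == mux_sbox_asm(a) for a in range(1 << WIDTH))
    for i, dep in enumerate(dependencies(mux_sbox)):
        print("output bit", i, "depends on input bits", sorted(dep),
              "balanced:", is_balanced(mux_sbox, i))
    print("distinct outputs:", image_size(mux_sbox), "of", 1 << WIDTH)
```

Each output bit i turns out to depend on exactly the three positions i, i-1 and i-2 (mod 5), matching the three-input dependency the figure draws for bit 471, and every output bit is balanced. The map is not a bijection (inputs 4 and 5 both give 16), which is why invertibility of the cipher as a whole has to come from the wiring restriction described for Fig. 2, not from the multiplexer function itself.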
In other preferred embodiments of the invention:
- the internal wiring permutation is selected using a key-dependent pseudo-random process;
- the internal wiring permutation is selected according to a mathematical formula;
- the internal wiring permutation is heuristically improved to reduce redundancy in the single-round or multi-round polynomial relations between input and output bits;
- the internal wiring permutation is restricted according to the maximum wiring delay permitted by the hardware circuit optimisation;
- the inputs to 121, 122, 123, 241 and 361 are restricted in terms of their distance from outputs 131, 134, 135, 253 and 385 respectively;
- for each output bit in regions 130, 210 and 365 respectively, the inputs to each basic L-to-1 S-box in regions 120, 240 and 360 are selected from the input bits at the same relative position in regions 100, 201 and 310;
- some of the basic L-to-1 S-boxes in regions 120, 240 or 360 are adapted to receive one or more key bits as inputs;
- a different wiring permutation is selected for each round of the cryptographic operation;
- the width of the output 130, 210 or 365 differs from the width of the input 100, 200 or 310 respectively;
- the internal wiring permutation is restricted to permutations that can be implemented as short sequences of 32-, 64- or 128-bit general-purpose processor instructions;
- the internal wiring permutation is adapted to incorporate byte-swap and rotate orderings, as can be found in our co-pending Australian provisional patent application 2004905897 filed on 13 October 2004, entitled "Process of and Apparatus for Encoding a digital signal";
- a single Boolean function is used for all basic L-to-1 S-boxes in region 120, 240 or 360;
- multiple Boolean functions are used for the basic L-to-1 S-boxes in region 120, 240 or 360;
- all Boolean functions used for the basic L-to-1 S-boxes in region 120, 240 or 360 are different;
- some of the Boolean functions used for the basic L-to-1 S-boxes in region 120, 240 or 360 are selected using a key-dependent pseudo-random process;
- the selection of Boolean functions for the basic L-to-1 S-boxes in region 120, 240 or 360 is heuristically improved to reduce redundancy in the single-round or multi-round polynomial relations between input and output bits;
- only the original input variables (or processor registers) are used in subsequent operations;
- at least one or more intermediate variables (or processor registers) are used in subsequent operations;
- only intermediate variables (or processor registers) are used in subsequent operations;
- the method of using the S-boxes is also adapted to incorporate bidirectional block chaining, as can be found in our following co-pending patent applications:
Australian provisional application 2004906364 filed on 5 November 2004 and
Australian provisional application 2005900087 filed on 10 January 2005,
both entitled "A Method of Encoding a Signal";
International patent application PCT/IB2005/001499 filed on 10 May 2005,
entitled "Methods of Encoding and Decoding Data";
International patent application PCT/IB2005/001487 filed on 10 May 2005, entitled "Process of and Apparatus for Encoding a Signal"; and International patent application PCT/IB2005/001475 filed on 10 May 2005, entitled "A Method of and Apparatus for Encoding a Signal in a Hashing Primitive",
the contents of each of which are incorporated herein by reference.
If the selection of the wiring permutations and/or Boolean functions used in the preferred embodiments of the invention depends on key material referred to as a "family" key, hardware implementations of the cipher (RFID, ASIC, etc.) remain valid when implemented as permanent wiring with fixed basic Boolean logic.
Importantly, as shown in Fig. 2, restricting the selection of the input bits 201 of each basic L-to-1 S-box exclusively to the bits to the left of 252, combined with the linear relation between input bit 252 and output bit 253, guarantees a bijective (reversible) operation regardless of the choice of Boolean functions in 241 or of the intermediate wiring permutation.
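To make that bijection argument concrete, here is an added Python example (not the patent's own code) that builds a random S-box of this family under the restriction just described and under the input-set conditions of claim 1 and claim 6: the basic S-box attached to bit position i reads only positions lower than i (its "left"), its output is XORed onto bit i, the Boolean functions are random balanced truth tables, and the first T = a - c positions are passed through unchanged, which is the simplest T×T bijective mapping of claim 29. It assumes 0-based bit positions and takes "left" to mean lower-numbered positions; the parameters a = 8, T = 3, the seed, and the cyclic counterexample wiring are constructed for the example. Inversion needs no inverse Boolean function: the bits are recovered left to right, because each box only reads bits that are already known. The cyclic wiring, where every box also reads bits to its right, shows that the guarantee really does come from the restriction and not from the functions.

```python
import random

MIN_FANIN = 3  # claim 1: each sl_i lies in the range 3 to (a-1)


def random_balanced_function(n, rng):
    """Truth table of a balanced Boolean function on n inputs (claim 19):
    exactly half of the 2**n entries are 1, in random order."""
    table = [1] * (1 << (n - 1)) + [0] * (1 << (n - 1))
    rng.shuffle(table)
    return tuple(table)


def overlap_ok(new_set, existing_sets):
    """Claim 6 criterion: two input sets share at most min(sl_i, sl_j) - 1
    bits, so no set equals or contains another."""
    s = set(new_set)
    return all(len(s & set(e)) <= min(len(s), len(e)) - 1 for e in existing_sets)


def build_sbox(a, t, rng, tries=1000):
    """Boxes for positions t..a-1. The box at position i reads only positions
    0..i-1 and its output is XORed onto bit i. Positions 0..t-1 pass through
    unchanged (a trivial T x T bijection). Input sets are resampled until the
    claim 6 criterion holds, a simple heuristic improvement (claim 14)."""
    boxes = {}
    for i in range(t, a):
        for _ in range(tries):
            k = rng.randint(MIN_FANIN, i)                      # sl_i
            inputs = tuple(sorted(rng.sample(range(i), k)))   # left of i only
            if overlap_ok(inputs, [inp for inp, _ in boxes.values()]):
                break
        else:
            raise RuntimeError("no admissible input set for position %d" % i)
        boxes[i] = (inputs, random_balanced_function(k, rng))
    return boxes


def eval_box(inputs, table, bits):
    """Index the truth table with the selected input bits (first input = MSB)."""
    idx = 0
    for pos in inputs:
        idx = (idx << 1) | bits[pos]
    return table[idx]


def forward(x, a, boxes):
    bits = [(x >> i) & 1 for i in range(a)]
    out = list(bits)
    for i, (inputs, table) in boxes.items():
        out[i] = bits[i] ^ eval_box(inputs, table, bits)  # linear in bit i
    return sum(b << i for i, b in enumerate(out))


def inverse(y, a, boxes):
    """Undo forward() left to right: box i only reads positions < i, which
    have already been recovered, so y_i XOR f_i(...) returns x_i."""
    out = [(y >> i) & 1 for i in range(a)]
    bits = list(out)
    for i in range(a):
        if i in boxes:
            inputs, table = boxes[i]
            bits[i] = out[i] ^ eval_box(inputs, table, bits)
    return sum(b << i for i, b in enumerate(bits))


def is_bijection(a, boxes):
    return len({forward(x, a, boxes) for x in range(1 << a)}) == (1 << a)


def make_example(a=8, t=3, seed=2005):
    """Constructed instance: a = 8 input bits, c = 5 boxes, T = 3 pass-through bits."""
    return build_sbox(a, t, random.Random(seed))


# Constructed counterexample on 4 bits: every box reads the three bits other
# than its own, i.e. bits to its right as well, with a 3-input AND.
AND3 = (0, 0, 0, 0, 0, 0, 0, 1)
CYCLIC = {i: (tuple(sorted(((i + 1) % 4, (i + 2) % 4, (i + 3) % 4))), AND3)
          for i in range(4)}


if __name__ == "__main__":
    boxes = make_example()
    for i, (inputs, _) in sorted(boxes.items()):
        print("box at bit", i, "reads", inputs)
    print("restricted wiring bijective:", is_bijection(8, boxes))
    print("cyclic wiring bijective:", is_bijection(4, CYCLIC))
```

With the restricted wiring every seed yields a bijection, whatever the truth tables are, and the round-trip inverse(forward(x)) == x holds for all 256 inputs; with the cyclic wiring the inputs 0000 and 1111 collide on 0000.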

Claims (96)

1. A multiple-input multiple-output S-box adapted to:
receive a serially numbered input bits I_1, I_2, ..., I_a, where a is at least 4, and output b serially numbered output bits O_1, O_2, ..., O_b,
the S-box comprising:
c basic S-boxes sb_1, sb_2, ..., sb_c, each basic S-box:
having a multiple-input single-output Boolean function f_1, f_2, ..., f_c defining the relation between its multiple inputs and its single output; and
being adapted to receive respectively an input bit set s_1, s_2, ..., s_c, each input bit set being selected from the a input bits input to the S-box and comprising respectively sl_1, sl_2, ..., sl_c bits, such that:
each of the numbers sl_1, sl_2, ..., sl_c is in the range 3 to (a-1); and
the sum of the numbers sl_1, sl_2, ..., sl_c is greater than a,
and wherein the b output bits of the S-box comprise the outputs of the c Boolean functions.
2. The multiple-input multiple-output S-box of any preceding claim, wherein the b output bits of the S-box are the outputs of the c basic S-boxes.
3. The multiple-input multiple-output S-box of any preceding claim, wherein a is at least 16.
4. The multiple-input multiple-output S-box of any preceding claim, wherein b is at least 16.
5. The multiple-input multiple-output S-box of any preceding claim, wherein c is in the range 12 to b, inclusive of 12 and b.
6. The multiple-input multiple-output S-box of any preceding claim, wherein for each i and j from 1 to a, each pair of sets s_i and s_j has no more than min(sl_i, sl_j) - 1 bits in common.
7. The multiple-input multiple-output S-box of any preceding claim, wherein the sum of the numbers sl_1, sl_2, ..., sl_c is greater than or equal to 1.5 times a.
8. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of a, b and c is a prime number.
9. The multiple-input multiple-output S-box of any preceding claim, wherein the numbers a and b have no common divisor greater than 1.
10. The multiple-input multiple-output S-box of any preceding claim, wherein at least two of the numbers sl_1, sl_2, ..., sl_c are identical.
11. The multiple-input multiple-output S-box of claim 10, wherein all of the numbers sl_1, sl_2, ..., sl_c are identical.
12. The multiple-input multiple-output S-box of any preceding claim, wherein each input bit set s_1, s_2, ..., s_c is selected using a probabilistic process.
13. The multiple-input multiple-output S-box of any preceding claim, wherein the process used to select at least one of the input bit sets s_1, s_2, ..., s_c is set by a key.
14. The multiple-input multiple-output S-box of claim 12 or 13, wherein the selection of the input bit sets s_1, s_2, ..., s_c is heuristically improved to satisfy at least one criterion.
15. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of the Boolean functions f_1, f_2, ..., f_c is generated using a probabilistic process.
16. The multiple-input multiple-output S-box of any preceding claim, wherein the process used to generate at least one of the Boolean functions f_1, f_2, ..., f_c is set by a key.
17. The multiple-input multiple-output S-box of claim 15 or 16, wherein the selection of at least one of the Boolean functions f_1, f_2, ..., f_c is heuristically improved to satisfy at least one criterion.
18. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of the functions f_1, f_2, ..., f_c is a balanced Boolean function.
19. The multiple-input multiple-output S-box of claim 18, wherein each of the functions f_1, f_2, ..., f_c is a balanced Boolean function.
20. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of the functions f_1, f_2, ..., f_c comprises a 2-to-1 multiplexer function.
21. The multiple-input multiple-output S-box of claim 20, wherein each of the functions f_1, f_2, ..., f_c comprises a 2-to-1 multiplexer function.
22. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of the functions f_1, f_2, ..., f_c is a unique Boolean function.
23. The multiple-input multiple-output S-box of claim 22, wherein each of the functions f_1, f_2, ..., f_c is a unique Boolean function.
24. The multiple-input multiple-output S-box of claim 22 or 23, wherein the differences between the functions f_1, f_2, ..., f_c are affine.
25. The multiple-input multiple-output S-box of any preceding claim, which is reconfigured at run time.
26. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of the input bit sets s_1 to s_c is changed at run time.
27. The multiple-input multiple-output S-box of any preceding claim, wherein at least one of the functions f_1, f_2, ..., f_c is reconfigured at run time.
28. The multiple-input multiple-output S-box of any preceding claim, wherein for each i from (c-a) to a:
the set of sl_i input bits input to each basic S-box sb_i is selected from the input bits I_1 to I_i; and
the relation between the input bit I_i and the output bit is linear.
29. The multiple-input multiple-output S-box of claim 28, wherein a subset of the set of a bits I_1 to I_a, having T = (a-c) bits, namely the bits I_1 to I_T, is input to a T×T bijective mapping.
30. The multiple-input multiple-output S-box of any of claims 1 to 29, wherein for each i from (W+1) to a, where W is a constant:
the set of sl_i input bits input to the basic S-box sb_i is selected from the input bits I_(i-W) to I_i; and
the relation between the input bit I_i and the output bit of the S-box sb_i is linear.
31. The multiple-input multiple-output S-box of claim 30, wherein W is in the range 2 to (a-1).
32. The multiple-input multiple-output S-box of claim 30 or 31, wherein the W bits I_1 to I_W are input to a W×W bijective mapping.
33. The multiple-input multiple-output S-box of any of claims 1 to 27, wherein, in respectively selecting the sl_1, sl_2, ..., sl_c input bits of the input bit sets s_1, s_2, ..., s_c:
in the set of serially numbered input bits I_1, I_2, ..., I_a, the bit I_a is regarded as contiguous with the bit I_1 as well as with the bit I_(a-1), so that the input bits I_1, I_2, ..., I_a may be regarded as a cyclic set of bits; the set of serially numbered input bits I_1, I_2, ..., I_a is regarded as comprising a set of bit windows w_1 to w_d, where d is in the range 3 to (c/3), such that:
each window has a leading and a trailing window edge, and each window edge advances by one bit position in the same direction between basic S-box sb_i and sb_(i+1); and
in the set of serially numbered output bits O_1, O_2, ..., O_b, the bit O_b is regarded as contiguous with the bit O_1 as well as with the bit O_(b-1), so that the output bits O_1, O_2, ..., O_b may be regarded as a cyclic set of bits; and
for each basic S-box sb_k in the set sb_1 to sb_c:
the input bits input to the basic S-box sb_k comprise at least one bit from each of at least two windows of input bits other than the window w_k.
34. The multiple-input multiple-output S-box of claim 33, wherein for each basic S-box sb_i at least two of the windows w_1 to w_d are of different sizes.
35. The multiple-input multiple-output S-box of any of claims 1 to 27, wherein, in respectively selecting the sl_1, sl_2, ..., sl_c input bits of the input bit sets s_1, s_2, ..., s_c:
in the set of serially numbered input bits I_1, I_2, ..., I_a, the bit I_a is regarded as contiguous with the bit I_1 as well as with the bit I_(a-1), so that the input bits I_1, I_2, ..., I_a may be regarded as a cyclic set of bits; the set of serially numbered input bits I_1, I_2, ..., I_a is regarded as comprising a set w_1 to w_d of contiguous windows of input bits, where d is in the range 2 to (a/3);
in the set of serially numbered output bits O_1, O_2, ..., O_b, the bit O_b is regarded as contiguous with the bit O_1 as well as with the bit O_(b-1), so that the output bits O_1, O_2, ..., O_b may be regarded as a cyclic set of bits; and
the set of serially numbered output bits O_1, O_2, ..., O_b is regarded as comprising a set w_1 to w_d of contiguous windows of output bits; and
for each basic S-box sb_k in the basic S-boxes sb_1 to sb_c:
the window w_k of output bits comprises the output bit of that basic S-box sb_k; and
the input bits input to the basic S-box sb_k comprise at least one bit from each of at least two windows of input bits other than the window w_k.
36. A structure comprising at least two multiple-input multiple-output S-boxes as claimed in any preceding claim, wherein no pair of the multiple-input multiple-output S-boxes shares any of its inputs.
37. A structure comprising at least two multiple-input multiple-output S-boxes as claimed in claims 1 to 41, wherein at least one pair of the multiple-input multiple-output S-boxes shares at least one of its inputs.
38. The structure of claim 36 or 37, wherein at least two of the multiple-input multiple-output S-boxes are pipelined.
39. The structure of any of claims 36 to 38, wherein the input to at least one multiple-input multiple-output S-box comprises a subset of at most the b outputs of another multiple-input multiple-output S-box.
40. The structure of any of claims 36 to 39, wherein a subset of at most the b outputs of at least one multiple-input multiple-output S-box is further processed before being used as the input of another multiple-input multiple-output S-box.
41. The structure of any of claims 36 to 40, wherein, for at least two of the multiple-input multiple-output S-boxes, at least one of the following holds:
the number of input bits of one S-box differs from the number of input bits of the other S-box; and
the number of output bits of one S-box differs from the number of output bits of the other S-box.
42. The structure of claim 41, wherein the numbers of input bits of the at least two multiple-input multiple-output S-boxes have no common divisor other than 1.
43. The structure of claim 41 or 42, wherein the numbers of output bits of the at least two multiple-input multiple-output S-boxes have no common divisor other than 1.
44. The structure of any of claims 41 to 43, wherein the number of input bits of one of the at least two multiple-input multiple-output S-boxes is at least 50% greater than the number of input bits of the other.
45. The structure of any of claims 41 to 43, wherein the number of output bits of one of the at least two multiple-input multiple-output S-boxes is at least 50% greater than the number of output bits of the other.
46. The structure of any of claims 36 to 45, wherein at least one of the basic S-boxes sb_1, sb_2, ..., sb_c of one of the at least two multiple-input multiple-output S-boxes differs from the basic S-boxes sb_1, sb_2, ..., sb_c of the other.
47. The invention of any preceding claim, wherein a subset of at most the b outputs of at least one multiple-input multiple-output S-box is used as the input of another process.
48. The multiple-input multiple-output S-box of claim 47, wherein a subset of at most the b outputs of at least one multiple-input multiple-output S-box is further processed before being used as the input of another process.
49. The multiple-input multiple-output S-box of any of claims 1 to 40, wherein the input bit sets s_1, s_2, ..., s_c input to the c basic S-boxes sb_1 to sb_c are selected by a heuristic process comprising:
probabilistically selecting c ordered sets P_1 to P_c of index positions of input bits drawn from the a bits, the sets P_1 to P_c comprising respectively sl_1, sl_2, ..., sl_c elements;
for each of the c ordered sets P_1 to P_c of index positions, if any two sets contain the same element at the same position, exchanging one of those elements with an index position probabilistically selected from another of the sets P_1 to P_c;
for each of the c sets P_1 to P_c of index positions, repeating the following operations:
determining the number of elements that the set has in common with each of the other sets P_1 to P_c of index positions;
for every two sets P_i and P_k among the c sets P_1 to P_c of index positions that have any number t of elements in common, rearranging (t+1)/2 elements of P_i by:
ranking the remaining (c-2) of the c sets P_1 to P_c by the number of elements they have in common with P_i;
selecting from the (c-2) sets a set P_m having the minimum number of elements in common with P_i;
selecting one element common to the sets P_i and P_k;
exchanging the selected element with an element of the set P_m.
50. A process that emulates the invention of any preceding claim.
51. The process of claim 50, implemented on a basic general-purpose processor.
52. The process of any of claims 49 to 51, which performs bitwise permutation operations using binary masks, the operations comprising at least one of static bitwise permutation, key-dependent bitwise permutation and data-dependent bitwise permutation.
53. The process of claim 52, which uses binary masks to perform the bitwise permutation operations, the bitwise permutation operations being used to perform at least one of:
selecting the elements of the sets s_1, s_2, ..., s_c;
permuting the outputs of the c Boolean functions;
wherein the binary masks are used to perform at least one of the following operations:
static bitwise permutation;
key-dependent bitwise permutation; and
data-dependent bitwise permutation.
54. The process of claim 53, wherein the bitwise permutation operations are hardware-assisted.
55. The process of claim 54, wherein the hardware-assisted bitwise permutation operation is selected from the group consisting of the Group Operation (GRP), its inverse, the omega-flip network (OMFLIP), PPERM, CROSS and BFLY operations.
56. The process of any of claims 50 to 53, which performs the bitwise permutation operations using hardware-assisted bitwise rotate operations.
57. The process of any of claims 50 to 53, which performs the bitwise permutation operations using hardware-assisted bitwise shift operations.
58. The process of any of claims 50 to 53, which performs the bitwise permutation operations using hardware-assisted byte-swap operations.
59. The process of any of claims 50 to 58, which performs at least one of substitution and bitwise permutation using look-up tables.
60. The process of any of claims 50 to 59, which performs substitution operations using at least one basic Boolean function.
61. A circuit comprising the round function of a block cipher, stream cipher, pseudo-random number generator or hash function, the encryption circuit comprising at least one multiple-input multiple-output substitution box as claimed in any of claims 1 to 49, in which circuit the complete arithmetic carry logic chains between the inputs and the outputs of the at least one multiple-input multiple-output S-box number from zero up to and including 6 carry operations.
62. An encryption process which:
receives a serially numbered input bits I_1, I_2, ..., I_a, where a is at least 4, and outputs b serially numbered output bits O_1, O_2, ..., O_b,
the process comprising:
c basic S-box operations sb_1, sb_2, ..., sb_c, each basic S-box operation:
having a multiple-input single-output Boolean function f_1, f_2, ..., f_c defining the relation between its multiple inputs and its single output; and
receiving respectively an input bit set s_1, s_2, ..., s_c, each input bit set being selected from the a input bits input to the encryption function and comprising respectively sl_1, sl_2, ..., sl_c bits, such that:
each of the numbers sl_1, sl_2, ..., sl_c is in the range 3 to (a-1);
and
the sum of the numbers sl_1, sl_2, ..., sl_c is greater than a,
and wherein the b output bits of the encryption function comprise the outputs of the c Boolean functions.
63. The encryption process of claim 62, wherein the b output bits of the S-box are the outputs of the c basic S-box operations.
64. The encryption process of claim 62 or 63, wherein a is at least 16.
65. The encryption process of any of claims 62 to 64, wherein b is at least 16.
66. The encryption process of any of claims 62 to 65, wherein c is in the range 12 to b, inclusive of 12 and b.
67. The encryption process of any of claims 62 to 66, wherein for each i and j from 1 to a, each pair of sets s_i and s_j has no more than min(sl_i, sl_j) - 1 bits in common.
68. The encryption process of any of claims 62 to 67, wherein the sum of the numbers sl_1, sl_2, ..., sl_c is greater than or equal to 1.5 times a.
69. The encryption process of any of claims 62 to 68, wherein at least one of a, b and c is a prime number.
70. The encryption process of any of claims 62 to 69, wherein the numbers a and b have no common divisor greater than 1.
71. The encryption process of any of claims 62 to 70, wherein at least two of the numbers sl_1, sl_2, ..., sl_c are identical.
72. The encryption process of claim 71, wherein all of the numbers sl_1, sl_2, ..., sl_c are identical.
73. The encryption process of any of claims 62 to 72, wherein each input bit set s_1, s_2, ..., s_c is selected using a probabilistic process.
74. The encryption process of any of claims 62 to 73, wherein the process used to select at least one of the input bit sets s_1, s_2, ..., s_c is set by a key.
75. The encryption process of claim 73 or 74, wherein the selection of the input bit sets s_1, s_2, ..., s_c is heuristically improved to satisfy at least one criterion.
76. The encryption process of any of claims 62 to 75, wherein at least one of the Boolean functions f_1, f_2, ..., f_c is generated using a probabilistic process.
77. The encryption process of any of claims 62 to 76, wherein the process used to generate at least one of the Boolean functions f_1, f_2, ..., f_c is set by a key.
78. The encryption process of claim 76 or 77, wherein the selection of at least one of the Boolean functions f_1, f_2, ..., f_c is heuristically improved to satisfy at least one criterion.
79. The encryption process of any of claims 62 to 78, wherein at least one of the functions f_1, f_2, ..., f_c is a balanced Boolean function.
80. The encryption process of claim 79, wherein each of the functions f_1, f_2, ..., f_c is a balanced Boolean function.
81. The encryption process of any of claims 62 to 80, wherein at least one of the functions f_1, f_2, ..., f_c comprises a 2-to-1 multiplexer function.
82. The encryption process of claim 81, wherein each of the functions f_1, f_2, ..., f_c comprises a 2-to-1 multiplexer function.
83. The encryption process of any of claims 62 to 82, wherein at least one of the functions f_1, f_2, ..., f_c is a unique Boolean function.
84. The encryption process of claim 83, wherein each of the functions f_1, f_2, ..., f_c is a unique Boolean function.
85. The encryption process of claim 83 or 84, wherein the differences between the functions f_1, f_2, ..., f_c are affine.
86. The encryption process of any of claims 62 to 85, which is reconfigured at run time.
87. The encryption process of any of claims 62 to 86, wherein at least one of the input bit sets s_1, s_2, ..., s_c is changed at run time.
88. The encryption process of any of claims 62 to 87, wherein at least one of the functions f_1, f_2, ..., f_c is reconfigured at run time.
89. as each described ciphering process of claim 62 to 88, wherein, for each i from (c-a) to a:
From described input bit I 1To I iMiddle selection is input to each basic S-box computing sb iSl iThe set of individual input bit; With
Described input bit I iAnd the relation between the described output bit is linear.
90. The encryption process of claim 89, wherein a subset of the set of bits I_1 to I_a, having T = (a-c) bits, namely bits I_1 to I_T, is input to a T×T bijective mapping.
91. The encryption process of any one of claims 62 to 90, wherein, for each i from (W+1) to a, where W is a constant:
the set of sl_i input bits for the basic S-box operation sb_i is selected from among the input bits I_(i+W) to I_i; and
the relation between the input bit I_i and the output bit of the S-box sb_i is linear.
92. The encryption process of claim 91, wherein W is in the range 2 to (a-1).
93. The encryption process of claim 91 or 92, wherein the W bits I_1 to I_W are input to a W×W bijective mapping.
94. The encryption process of any one of claims 62 to 88, wherein, in selecting the sl_1, sl_2, ..., sl_c input bits of the input bit sets s_1, s_2, ..., s_c respectively:
in the set of serially numbered input bits I_1, I_2, ..., I_a, bit I_a is regarded as contiguous with bit I_1 and bit I_(a-1), so that the input bits I_1, I_2, ..., I_a can be considered a cyclic set of bits; the set of serially numbered input bits I_1, I_2, ..., I_a is considered to comprise a set of bit windows w_1 to w_d, where d is in the range 3 to (c/3), such that:
each window has a head window edge and a tail window edge, and each window edge is advanced by one bit position in the same direction between basic S-box operations sb_i and sb_(i+1); and in the set of serially numbered output bits O_1, O_2, ..., O_b, bit O_b is regarded as contiguous with bit O_1 and bit O_(b-1), so that the output bits O_1, O_2, ..., O_b can be considered a cyclic set of bits; and
for each basic S-box operation sb_k in the set sb_1 to sb_c:
the input bits input to the basic S-box operation sb_k comprise at least one bit from each of at least two windows of input bits other than window w_k.
95. The encryption process of claim 94, wherein, for each basic S-box operation sb_i, at least two of the windows w_1 to w_d are of different sizes.
96. The encryption process of any one of claims 62 to 88, wherein, in selecting the sl_1, sl_2, ..., sl_c input bits of the input bit sets s_1, s_2, ..., s_c respectively:
in the set of serially numbered input bits I_1, I_2, ..., I_a, bit I_a is regarded as contiguous with bit I_1 and bit I_(a-1), so that the input bits I_1, I_2, ..., I_a can be considered a cyclic set of bits; the set of serially numbered input bits I_1, I_2, ..., I_a is considered to comprise a set of contiguous windows of input bits w_1 to w_d, where d is in the range 2 to (a/3);
in the set of serially numbered output bits O_1, O_2, ..., O_b, bit O_b is regarded as contiguous with bit O_1 and bit O_(b-1), so that the output bits O_1, O_2, ..., O_b can be considered a cyclic set of bits; and
the set of serially numbered output bits O_1, O_2, ..., O_b is considered to comprise a set of contiguous windows of output bits w_1 to w_d; and
for each basic S-box operation sb_k in the basic S-box operations sb_1 to sb_c:
the window w_k of output bits comprises the output bit of this basic S-box sb_k; and
the input bits input to the basic S-box sb_k comprise at least one bit from each of at least two windows of input bits other than window w_k.
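The following is an added example, not code from the patent or from Synaptic Laboratories, showing one concrete instance of the structure described in claims 91 and 96 and checking each constraint mechanically. Every parameter is an assumption: a = 9 input bits, c = b = 9 basic S-boxes, d = 3 contiguous windows of 3 bits, each sb_k taking sl_k = 3 bits (its own I_k plus one bit from each of the two other windows, indices wrapping cyclically), and the Boolean function f_k(x, y, z) = x XOR (NOT y AND z), whose XOR term gives the linear relation between I_k and O_k that claim 91 requires. Bit I_j and S-box sb_j are index j-1 internally.

```python
"""Constructed instance of a windowed S-box in the style of claims 91 and 96.

Added example, not code from the patent. Parameters, window layout and the
Boolean function are assumptions chosen so every constraint can be checked.
Internally bit I_j is index j-1 and basic S-box sb_j is index j-1.
"""
from itertools import product

A = 9            # a = 9 serially numbered input bits I_1..I_9 (assumed)
C = 9            # c = 9 basic S-boxes, so b = 9 output bits O_1..O_9 (assumed)
D = 3            # d = 3 contiguous windows; claim 96 needs 2 <= d <= a/3
WIDTH = A // D   # 3 bits per window


def window_of(bit: int) -> int:
    """Index of the contiguous window holding input (or output) bit `bit`."""
    return bit // WIDTH


def input_set(k: int) -> list[int]:
    """The sl_k = 3 input bits feeding basic S-box sb_k (constructed choice):
    I_k from sb_k's own window plus one bit from each of the other two
    windows, with indices taken cyclically so I_a wraps round to I_1."""
    return [(k + offset) % A for offset in (0, WIDTH, 2 * WIDTH)]


def basic_sbox(x: int, y: int, z: int) -> int:
    """f_k(x, y, z) = x XOR (NOT y AND z).  The XOR in x makes the relation
    between I_k and O_k linear (claim 91); the AND term is the non-linear part."""
    return x ^ ((1 - y) & z)


def sbox(bits: list[int]) -> list[int]:
    """Full a-bit to b-bit S-box: O_k is the output of f_k on sb_k's input set."""
    return [basic_sbox(*(bits[i] for i in input_set(k))) for k in range(C)]


def meets_window_constraint(k: int) -> bool:
    """Claim 96: sb_k's inputs draw at least one bit from each of at least two
    input windows other than w_k, where w_k is the window holding O_k."""
    own = window_of(k)
    other_windows = {window_of(i) for i in input_set(k)} - {own}
    return len(other_windows) >= 2


def is_linear_in_own_bit(k: int) -> bool:
    """Claim 91 check: flipping I_k flips O_k for every value of the other inputs."""
    for rest in product((0, 1), repeat=len(input_set(k)) - 1):
        if basic_sbox(0, *rest) == basic_sbox(1, *rest):
            return False
    return True


def is_permutation() -> bool:
    """Property check on this constructed instance only: distinct inputs give
    distinct outputs, i.e. the a-bit S-box is invertible."""
    outputs = {tuple(sbox(list(bits))) for bits in product((0, 1), repeat=A)}
    return len(outputs) == 2 ** A


def summary() -> dict:
    """All constraints from the abstract and from claims 91 and 96, plus the
    invertibility check, for this instance."""
    sl = [len(input_set(k)) for k in range(C)]
    return {
        "sl_in_range": all(3 <= s <= A - 1 for s in sl),   # abstract: 3 <= sl_i <= a-1
        "sum_sl_exceeds_a": sum(sl) > A,                    # abstract: sum of sl_i > a
        "window_constraint": all(meets_window_constraint(k) for k in range(C)),
        "linear_in_own_bit": all(is_linear_in_own_bit(k) for k in range(C)),
        "permutation": is_permutation(),
    }


if __name__ == "__main__":
    print(input_set(0), input_set(8))   # [0, 3, 6] and [8, 2, 5]: three distinct windows each
    print(sbox([1, 0, 0, 0, 0, 0, 0, 0, 0]))
    print(summary())
```

With this layout every sb_k reads from all three windows, so the claim 96 condition holds with room to spare; the `is_permutation` check is a property of this particular function and wiring, not something the claims promise, and it is the first thing to re-run after changing the Boolean function or the window width.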
CN 200580031586 2004-09-24 2005-09-20 Substitution boxes Pending CN101023621A (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
AU2004905507 2004-09-24
AU2004905507A AU2004905507A0 (en) 2004-09-24 Substitution boxes
AU2004906543 2004-11-16
AU2004907361 2004-12-30
AU2004907374 2004-12-31
AU2005902136 2005-04-29

Publications (1)

Publication Number Publication Date
CN101023621A true CN101023621A (en) 2007-08-22

Family

ID=38710459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200580031586 Pending CN101023621A (en) 2004-09-24 2005-09-20 Substitution boxes

Country Status (1)

Country Link
CN (1) CN101023621A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102355407A (en) * 2011-08-16 2012-02-15 无锡东集电子有限责任公司 Configurable bit replacement computation system and method
CN108055126A (en) * 2017-12-11 2018-05-18 哈尔滨理工大学 The method of anti-power consumption attack based on random addition chain
CN109981256A (en) * 2019-04-03 2019-07-05 华南师范大学 Whitepack block cipher building method and system based on FeisitelBox structure

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102355407A (en) * 2011-08-16 2012-02-15 无锡东集电子有限责任公司 Configurable bit replacement computation system and method
CN102355407B (en) * 2011-08-16 2014-02-19 无锡东集电子有限责任公司 Configurable bit replacement computation system and method
CN108055126A (en) * 2017-12-11 2018-05-18 哈尔滨理工大学 The method of anti-power consumption attack based on random addition chain
CN109981256A (en) * 2019-04-03 2019-07-05 华南师范大学 Whitepack block cipher building method and system based on FeisitelBox structure

Similar Documents

Publication Publication Date Title
EP1820295B1 (en) Substitution boxes
CN108463968A (en) The quick format of variable length data retains encryption
KR100800468B1 (en) Hardware cryptographic engine and method improving power consumption and operation speed
Sikka et al. Speed optimal FPGA implementation of the encryption algorithms for telecom applications
Sani et al. Creation of S-box based on a hierarchy of Julia sets: image encryption approach
Li et al. The adjacency graphs of LFSRs with primitive-like characteristic polynomials
Lee et al. High-throughput low-area design of AES using constant binary matrix-vector multiplication
CN106982116A (en) A kind of local file encryption method of the AES based on reversible logic circuits
Mariot Hip to be (Latin) square: maximal period sequences from orthogonal cellular automata
Deb et al. Design and analysis of LFSR-based stream cipher
EP1456994B1 (en) Programmable data encryption engine for advanced encryption standard algorithm
CN101023621A (en) Substitution boxes
Bahadori et al. FPGA implementations of 256-Bit SNOW stream ciphers for postquantum mobile security
Beighton et al. Algebraic attacks on Grain-like keystream generators
Pyrgas et al. A very compact architecture of CLEFIA block cipher for secure IoT systems
Miroschnyk et al. Practical methods for de Bruijn sequences generation using non-linear feedback shift registers
Praveen et al. Implementation of DES using pipelining concept with skew core key scheduling in secure transmission of images
Saqib et al. A compact and efficient FPGA implementation of the DES algorithm
Lu et al. The research and efficient FPGA implementation of Ghash core for GMAC
Mariot et al. On the linear components space of s-boxes generated by orthogonal cellular automata
Sarkar On Approximating addition by exclusive Or
Niederreiter The independence of two randomness properties of sequences over finite fields
Schubert et al. Reusable cryptographic VLSI core based on the SAFER K-128 algorithm with 251.8 Mbit/s throughput
Zhang et al. On the linear complexity of feedforward clock-controlled sequence
Vidhya Secure Format Preserving Encryption for Multiple Data Fields

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20070822