CN101257383A - Method for detecting fast S kit transparent steps - Google Patents

Abstract

The invention discloses a fast detecting method for an S box MaxTransOrder, belonging to the information technology field. The method firstly sets an initial value of the MaxTransOrder and a ThredValue comparing a temporary value of the MaxTransOrder and the current value, when computing the temporary value of the MaxTransOrder, traversing each output vector, jumping out of the circulation if some computing point in the circulation can judge that the computed temporary value of the MaxTransOrder must be less than the current value of MaxTransOrder in the condition so as to stop the follow-up computation to accelerate computation. Compared with the prior technology, the speed raising effect is increased obviously followed S box dimension. The method has universality.

Description

A kind of kit transparent steps of S fast detection method

Technical field

The present invention proposes a kind of S kit transparent steps detection method, relate in particular to a kind of quick S kit transparent steps detection method that adopts threshold filtering, can be applicable to the fast detecting and the analysis of the transparent steps of S box in the cryptography scheme (perhaps other multiple-input and multiple-output Boolean function of equal value), belong to areas of information technology, be mainly used in the relevant password design and analysis of information security.

Background technology

The S box is a kind of extremely important non-linear components that is used to construct the modern password system.For example, most iteration type block cipher has all adopted the S box to obtain " obscuring " effect.The S box is the Boolean function with n bit input, m bit output of a class definition on two element field, is widely used in the multiple cryptography scheme.In other words, one $F_2^n\→F_2^m$ On the S box can be expressed as 2 ⁿThe bigit of individual m bit, note is made the S box of n * m.The characteristic of S box has determined to use the fail safe of the cryptographic system of these parts to a great extent.For example, the nonlinearity of S box and cryptographic algorithm burden sexual assault ability have direct relation, use the S box of high nonlinearity to help the burden sexual assault in block cipher; If use unbalanced S box, corresponding cryptography scheme then is subjected to statistical attack easily.

At present, be embedded into the attack that block cipher in the encryption device can be subjected to two major types usually.A kind of is to attack at the tradition of embedded cryptographic algorithm, such as linearity attack, differential attack; Another is the side-channel attack based on the leakage of information of password realization.In the whole bag of tricks of side-channel attack, (Differential Power Analysis is to the most effective a kind of attack method of iteration type block cipher DPA) in the differential power analysis.

Transparent steps (Transparency Order) is the quantisation metric index of portrayal S box opposing DPA attacking ability.For any one $F_2^n\→F_2^m$ The S box, its transparent steps T _SBe the real number between 0 and the m, it is defined as:

$T_S=\underset{\mathrm{\β}\∈F_2^m}{\max }\left(\right|m-2H\left(\mathrm{\β}\right)|-\frac{1}{2^{2n}-2^n}\underset{\mathrm{\α}\∈F_2^{n*}}{\mathrm{\Σ}}|\underset{H\left(v\right)=1}{\underset{v\∈F_2^m}{\mathrm{\Σ}}}{(-1)}^{v\·\mathrm{\β}}{W}_{D_{\mathrm{\α}}S}(0,v)\left|\right)---\left(1\right)$

Here,

Represent non-0 two element field;

The Hamming weight of the vectorial α of H (α) expression, wherein $\mathrm{\α}\∈F_2^n,$ n∈N；

V β represents the dot product of two vectors, $v\·\mathrm{\β}={\⊕}_{i=1}^m{v}_i{\mathrm{\β}}_i,$ v＝(V ₁，V ₂，…V _m)，β＝(β ₁，β ₂，…β _m)，

v _i∈ F ₂, β _i∈ F ₂, 1≤i≤m,

Expression " mould 2 adds " computing;

W _S(u, v) expression $F_2^n{\→F}_2^m$ The Walsh spectral transformation of S box;

$\mathrm{cor}(f,g)=\underset{x\∈F_2^n}{\mathrm{\Σ}}{(-1)}^{f\left(x\right)+g\left(x\right)}$ The coefficient correlation of representing two Boolean function f and g;

D _αThe S representative function $D\left(x\right)=S\left(x\right)\⊕S(x\⊕\mathrm{\α}),$ $\mathrm{\α}\∈F_2^n,$

In fact be exactly two Boolean function S (x) with

Coefficient correlation.

Herein, will be according to D _αThe accumulated value of the Walsh spectral transformation value that the S function is tried to achieve

Note is made accumulation result 2, represents that with Sigma2 promptly Sigma2 is corresponding to some output vector β and some non-zero input vector α, is that 1 length is the vector v computing function D of m to all Hamming weights _αThe accumulated value of the Walsh spectral transformation of S; With end value

Note is made accumulation result 1, represents with Sigma1, and promptly Sigma1 is during corresponding to some output vector β, to the Sigma2 absolute value accumulation result of all non-zero input vector α.

Usually, the transparent steps that calculates the S box can adopt following method (the present invention is referred to as " original method "):

1. transparent steps initial value T is set _S← 0

2. for each β (from 0 to 2 ^m)

2.1 Sigma1 ← 0 is set

2.2 to each α (from 1 to 2 ⁿ), repeating step 2.2.1 is to step 2.2.3

2.2.1 Sigma2 ← 0 is set

2.2.2 be 1 v (from 1 to 2 to each Hamming weight ^m) calculate

$\mathrm{Sigma}2\←\mathrm{Sigma}2+{(-1)}^{v\·\mathrm{\β}}{W}_{D_{\mathrm{\α}}F}(0,v)$

2.2.3 calculate Sigma1 ← Sigma1+|Sigma2|

If 2.3 T _S≤ | m-2H (β) |-Sigma1/ (2 ²ⁿ-2 ⁿ), then calculate

T _S←|m-2H(β)|-Sigma1/(2 ²ⁿ-2 ⁿ)

3. return T _S

In above-mentioned " original method ", what calculate the transparent steps employing is that all output vector β of traversal, all non-zero input vector α and all Hamming weights are that 1 length is the vector v of m, accumulation calculating Value, find out maximum value as T according to formula (1) _SReturn results.Used among the step 2.2.2

As many as

Here the accumulative frequency of x is 2 ⁿ

To the analysis of original method as can be known, to one $F_2^n{\&RightArrow;F}_2^m$ The S box find the solution transparent steps, its calculating scale is approximately 2 ^m2 ⁿM2 ⁿ, corresponding complexity is O (2 ^2n+m).For example, for one ${\mathrm{<figure-callout\; id="2"\; label="F"\; filenames="A20081010290600141.png"\; state="\{\{state\}\}">F</figure-callout>}}_2^{10}{\&RightArrow;\mathrm{<figure-callout\; id="2"\; label="F"\; filenames="A20081010290600141.png"\; state="\{\{state\}\}">F</figure-callout>}}_2^{10}$ The S box of (brief note does 10 * 10, and is as follows) is found the solution transparent steps, and its complexity is about O (2 ³⁰); And along with the increase of S box scale, this computation complexity is exponential increase.Such computation complexity can't be used in practice.The present invention has provided a kind of method of threshold filtering that adopts and has obtained the S kit transparent steps fast from reducing the angle of cycle-index, reduction computation complexity.

Summary of the invention

By S kit transparent steps principle as can be known, the transparent steps of finally trying to achieve is a maximum under the various situations of traversal.So in the process of finding the solution, if the value that can judge the transparent steps that is calculated under this kind situation at some calculation levels of cyclic process is necessarily less than the value of current transparent steps, then can jump out this time circulation, thereby stop the subsequent calculations of this kind situation, so that reach the purpose of speed-up computation.

Here, incite somebody to action | m-2H (x) | note is made δ (x); Will

Note is made ξ _a, $\mathrm{\&xi;}\left(y\right)=\underset{\mathrm{\&alpha;}=1}{\overset{y}{\mathrm{\&Sigma;}}}{\mathrm{\&xi;}}_{\mathrm{\&alpha;}};$ With 2 ²ⁿ-2 ⁿNote is made C.

Given x, y, make the resultant transparent steps nonce note of intermediate computations:

$T(x,y)=\mathrm{\&delta;}\left(x\right)-\frac{1}{C}\mathrm{\&xi;}\left(y\right)---\left(2\right)$

By (2) formula as can be seen, if given x, then δ (x) just can determine.ξ (y) is along with the increase of y is non-subtracting (increases or remain unchanged).And, δ (x) 〉=0, ξ (y) 〉=0.Therefore, under the situation of given x, along with the increase of y, (x y) is a nonincreasing function (constant or diminish) to T.

Fixing x is if exist a y ₁=y ' makes T (x, y ₁)≤T _F, so for y arbitrarily ₂During＞y ', T (x, y ₂)≤T _FWith the threshold value of y ' at this moment, if T (x, y ')≤T occurs as a termination subsequent calculations _F, then follow-up computing can be skipped.

In addition, because $\underset{v\&Element;F_2^m,H\left(v\right)=1}{\mathrm{\&Sigma;}}{(-1)}^{v\&CenterDot;\mathrm{\&beta;}}{W}_{D_{\mathrm{\&alpha;}}S}(0,v)=\underset{v\&Element;F_2^m,H\left(v\right)=1}{\mathrm{\&Sigma;}}{(-1)}^{v\&CenterDot;\mathrm{\&beta;}}\underset{x\&Element;F_2^n}{\mathrm{\&Sigma;}}{(-1)}^{v\&CenterDot;(S\left(x\right)\&CirclePlus;S(x\&CirclePlus;\mathrm{\&alpha;}))},$ And point multiplication operation institute time-consuming is longer than the time of directly calculating Hamming weight, and therefore, the present invention adopts a distortion of this formula:

$\underset{v\&Element;F_2^m,H\left(v\right)=1}{\mathrm{\&Sigma;}}{(-1)}^{v\&CenterDot;\mathrm{\&beta;}}{W}_{D_{\mathrm{\&alpha;}}S}(0,v)=[{n2}^n-2\underset{\mathrm{\&gamma;}\&Element;F_2^n}{\mathrm{\&Sigma;}}H(\mathrm{\&beta;}\&CirclePlus;D_{a}S\left(\mathrm{\&gamma;}\right))]---\left(3\right)$

By use formula (3), can be the computing of Hamming weight of adding up with the dot product result's that adds up operation transform.

Generally, finding the solution Hamming weight all adopts by the bit method for solving.This method is more directly perceived, but its shortcoming is to each byte, all needs 8 computings at least.Consider the storage characteristics of computer, the Hamming weight of storage integer value 0～255 in an integer array adopts when finding the solution Hamming weight the mode of byte-by-byte " tabling look-up " is calculated in advance.

Therefore, utilize formula (3) that transparent steps formula (1) is expressed as

$T_S=\underset{\mathrm{\&beta;}\&Element;F_2^m}{\max }\left(\right|m-2H\left(\mathrm{\&beta;}\right)|-\frac{1}{2^{2n}-2^n}\underset{\mathrm{\&alpha;}\&Element;F_2^{n*}}{\mathrm{\&Sigma;}}|n\&times;2^n-2\underset{\mathrm{\&gamma;}\&Element;F_2^n}{\mathrm{\&Sigma;}}H(\mathrm{\&beta;}\&CirclePlus;S\left(\mathrm{\&gamma;}\right)\&CirclePlus;S(\mathrm{\&gamma;}\&CirclePlus;\mathrm{\&alpha;}))\left|\right)---\left(4\right)$

Value with the accumulation calculating Hamming weight

Note is made accumulation result 3, represents that with Sigma3 in other words, Sigma3 is exactly according to current output vector β and non-zero input vector α, to all input domain F ₂ ⁿOn input vector γ accumulation calculating

Hamming weight.The transparent steps nonce note that obtains in the solution procedure is made t_transorder.

Based on the aforementioned calculation principle, the present invention proposes and utilize threshold filtering to realize finding the solution the method (the present invention is referred to as " threshold filtering method ") of S kit transparent steps fast.It is 2 that the data of description of the S box of n * m is read a size ⁿArray S after, its treatment step is as follows:

1. transparent steps initial value MaxTransOrder ← 0 is set

2. travel through each output vector β (from 0 to 2 ^m) repeating step 2.1 is to step 2.6

2.1 threshold value ThredValue is set according to β and MaxTransOrder

2.2 if ThredValue＜0 then jumps to step 2, carry out operation to next output vector β

2.3 Sigma1 ← 0 is set

2.4 to each non-zero input vector α (from 1 to 2 ⁿ), repeating step 2.4.1 is to step 2.4.5

2.4.1 Sigma3 ← 0 is set

2.4.2 to each input vector γ (from 0 to 2 ⁿ) calculate

$\mathrm{Sigma}3\&LeftArrow;\mathrm{Sigma}3+H(\mathrm{\&beta;}\&CirclePlus;S\left(\mathrm{\&gamma;}\right)\&CirclePlus;S(\mathrm{\&gamma;}\&CirclePlus;\mathrm{\&alpha;}))$

2.4.3 calculate Sigma2 ← n * 2 ⁿ-2 * Sigma3

2.4.4 calculate Sigma1 ← Sigma1+|Sigma2|

2.4.5 if Sigma1＞ThredValue then jumps to step 2, carry out operation to next output vector β

2.5 calculate t_transorder=|m-2H (b) |-Sigma1/ (2 ²ⁿ-2 ⁿ)

If 2.6 MaxTransOrder＜t_transorder then calculates

MaxTransOrder←t_transorder

3. return MaxTransOrder.

Wherein, the method to set up of threshold value ThredValue is in the step 2.1, for current output vector β and current transparent steps MaxTransOrder, ThredValue=(| m-2H (β) |-MaxTransOrder) * (2 ²ⁿ-2 ⁿ).

Wherein, the method for the Hamming weight of a vector x of calculating is as follows in step 2.4.2 and the step 2.5:

1. initial value HanmingValue ← 0 of Hamming weight is set

2. to each byte from high to low of vector x, repeating step 2.1 is to step 2.3

2.1 read current byte in CurrentByte

2.2 computation of table lookup HanmingValue ← HanmingValue+HanmingTable[CurrentByte]

2.3 the current byte pointer of x is moved on to next byte

3. return HanmingValue

HanmingTable is that a size is 256 array, what store in x the unit of this array is the Hamming weight of the binary vector of correspondence, HanmingTable[0 for example]=0 (integer 0 corresponding vector 00000000), HanmingTable[15]=4 (integer 15 corresponding vectors 00001111), HanmingTable[255]=8 (integer 255 corresponding vectors 11111111).

To sum up analyze, technical scheme of the present invention is:

A kind of kit transparent steps of S fast detection method the steps include:

1) initial value and that transparent steps MaxTransOrder is set is used for the threshold value variable ThredValue of more transparent rank nonce and currency;

2) to first output vector β, execution in step 3) to the operation of step 5);

3) calculate and the value of judging current threshold value variable ThredValue whether less than set point IniValue, if less than set point IniValue, then skip to step 6);

4) the transparent steps nonce t_transorder of the current output vector of calculating;

5) upgrade the value of transparent steps MaxTransOrder according to nonce t_transorder;

6) transparent steps of the next output vector β of calculating, repeating step 3) to step 5);

7) travel through each output vector β, return the value of the MaxTransOrder that obtains at last.

The method of calculating described threshold value variable ThredValue is:

ThredValue=(δ (β)-MaxTransOrder) * (2 ²ⁿ-2 ⁿ), wherein δ (β)=| m-2H (β) |, H (β) is the Hamming weight of output vector β; Wherein, m is the output length of S box, and n is the input length of S box, and m, n are natural number.

The method of calculating described nonce t_transorder is:

1) also initializing variable Sigma1, Sigma2 are set; Described Sigma2 is corresponding to some output vector β and some non-zero input vector α, is that 1 length is the vector v computing function D of m to all Hamming weights _αThe accumulated value of the Walsh spectral transformation of S; Described Sigma1 is during corresponding to some output vector β, to the Sigma2 absolute value accumulation result of all non-zero input vector α;

2) nonce t_transorder=δ (the β)-Sigma1/ (2 of calculating transparent steps ²ⁿ-2 ⁿ).

The method of calculating described Sigma2 is: be provided with and initialization one variable Sigma3, described Sigma3 is according to current output vector β and non-zero input vector α, to all input domain F ₂ ⁿOn input vector γ accumulation calculating

Hamming weight

According to formula S igma2=n * 2 ⁿ-2 * Sigma3 calculates the value of described Sigma2.

Calculate in the process of described Sigma1, add up judge current Sigma1 behind the Sigma2 absolute value of each non-zero input vector α value whether greater than the currency of described threshold value variable ThredValue, if greater than the currency of described threshold value variable ThredValue then directly calculate the transparent steps of next output vector β.

The method of calculating the Hamming weight of described vector is:

1) Hamming weight initial value HanmingValue=0 is set;

2) needs are calculated each byte from high to low of the vector of Hamming weight, repeating step a～c;

A) read current byte in CurrentByte,

B) computation of table lookup HanmingValue=HanmingValue+HanmingTable[CurrentByte],

C) the current byte pointer with current vector moves on to next byte,

4) return HanmingValue.

The method of described renewal transparent steps MaxTransOrder is: judge that described nonce t_transorder is whether greater than the value of current transparent steps MaxTransOrder, if value greater than current transparent steps MaxTransOrder, then keep the value of current transparent steps MaxTransOrder, otherwise upgrade the value of current transparent steps MaxTransOrder value for nonce t_transorder.

The initial value of described transparent steps MaxTransOrder is zero, and set point IniValue is zero.

Good effect of the present invention:

Compared with prior art, the present invention has the detection speed of S kit transparent steps and significantly improves; As can be seen from Table 1, the lifting effect of detection speed of the present invention is obvious further along with the increase of S box scale; The threshold filtering method that the present invention simultaneously adopts has versatility, as can be seen from Table 2, method of the present invention detects the transparent steps of the S box of dissimilar and different scales, can both carry out fast processing, be compared to the efficient of raising, dissimilar S box institute time-consuming difference is very little.

Description of drawings

Fig. 1 S kit transparent steps quick calculation method flow chart;

Two kinds of methods of Fig. 2 are calculated institute's time-consuming comparison diagram to the S box of different scales.

Embodiment

Calculate $F_2^n\&RightArrow;F_2^m$ " threshold filtering method " treatment step following (flow chart is seen Fig. 1) of transparent steps of S box:

1. read S box data of description, be stored in the Sbox array

2. initial value MaxTransOrder ← 0 of transparent steps is set

To each from 0 to 2 ^mOutput vector β, repeating step 3.1 is to step 3.7

3.1 calculate the value of δ (β), here, δ (β) ← | m-2H (β) |

3.2 calculated threshold ThredValue ← (δ (β)-MaxTransOrder) * (2 ²ⁿ-2 ⁿ)

If 3.3 ThredValue＜0 then jumps to step 3

3.4 Sigma1 ← 0 is set

3.5 to each from 1 to 2 ⁿNon-zero input vector α, repeating step 3.5.1 is to step 3.5.5

3.5.1 Sigma3 ← 0 is set;

3.5.2 to each from 0 to 2 ⁿγ, repeating step 3.5.2.1 is to step 3.5.2.2

3.5.2.1 calculate $\mathrm{temp}\_\mathrm{sbox}\&LeftArrow;\mathrm{\&alpha;}\&CirclePlus;\mathrm{Sbox}\left[\mathrm{\&gamma;}\right]\&CirclePlus;\mathrm{Sbox}[\mathrm{\&gamma;}\&CirclePlus;\mathrm{\&beta;}];$

3.5.2.2 calculate Sigma3 ← Sigma3+H (temp_sbox)

3.5.3 calculate Sigma2 ← n * 2 ⁿ-2 * Sigma3

3.5.4 calculate Sigma1 ← Sigma1+|Sigma2|

If 3.5.5 Sigma1＞ThredValue then jumps to step 3

3.6 calculate t_transorder=δ (β)-Sigma1/ (2 ²ⁿ-2 ⁿ)

If 3.7 MaxTransOrder＜t_transorder then calculate

MaxTransOrder←t_transorder

4. return MaxTransOrder

Wherein, the step of calculating Hamming weight H (temp_sbox) is as follows among step 3.1 and the 3.5.2.2

1. initial value HanmingValue ← 0 of Hamming weight is set

2. to each byte from high to low of temp_sbox, repeating step 2.1 is to step 2.3

2.1 read current byte in CurrentByte

2.2 computation of table lookup HanmingValue ← HanmingValue+HanmingTable[CurrentByte]

2.3 the current byte pointer of temp_sbox is moved on to next byte

4. return HanmingValue

For the raising situation of " threshold filtering method " computational efficiency is described, Dell Gx260 machine (basic configuration is: CPU is Intel Pentium 4 Northwood Processor 2.40GHz, and RAM is 1.0GB) is gone up multiple scale, polytype S kit transparent steps is found the solution now.In addition, in order to illustrate that threshold filtering is introduced " optimization method " and compared improving the influence of computational efficiency among the present invention.Wherein, " original method " is the method that realizes according to original definition, " optimization method " is on the basis of " original method ", add and utilize the acceleration of tabling look-up to find the solution the method for Hamming weight, " threshold filtering method " then is to have added threshold filtering method (being the method among the present invention) on the basis of " optimization method ".Three kinds of methods of record use are calculated the time that is consumed to the transparent steps of the S box of various scales, and here, in order to make result of experiment have versatility and representativeness, the S box of employing is the S box of selecting at random.Experimental result is as shown in table 1.

Three kinds of method elapsed time contrasts of table 1 situation (unit: second)

Annotate: in this table, the time of mark # is evaluation time

By the contrast of table 1 as can be seen, " threshold filtering method " and " optimization method " have had significantly than the computational efficiency of " original method " and have promoted.Especially, " threshold filtering method " lifting effect is obvious.For example, 10 * 10 S box is being carried out the S box when detecting, original method needs for about 300 time, and " optimization method " needs about 67 seconds time, and " threshold filtering method " only needs about 0.1 second time.And this lifting effect is obvious further along with the increase of S box scale, and for example when the S box that calculates 8 * 8, " threshold filtering method " had nearly 450 times raising; Along with the increase of calculating S box scale, the improved efficiency effect of " threshold filtering method " is more remarkable.Especially, when the scale of S box reaches 16 * 16, use the performance of " threshold filtering method " to improve nearly 2 than the performance of using original method ¹⁷Doubly.

In addition, the contrast that improves multiple by the performance of table 1 " optimization method " and " threshold filtering method " as can be seen, two strategies that adopt in " threshold filtering method " relatively: look-up method improves and calculates Hamming weight computational efficiency and threshold filtering method minimizing cycle-index, is the threshold filtering method to raising the efficiency what play a decisive role.

In order to illustrate that the threshold filtering method that the present invention adopts has versatility, use " threshold filtering method " that the transparent steps of the S box of dissimilar and different scales is detected, in order to make result of experiment have versatility and representativeness, the S box of employing is the S box of selecting at random.The time consuming contrast of experiment institute is as shown in table 2.

Table 2 uses " threshold filtering method " to calculate the time consuming contrast situation of transparent steps of dissimilar S boxes (unit: second)

As can be seen from Table 2, to dissimilar S boxes, " threshold filtering method " can both carry out fast processing, is compared to the efficient of raising, and dissimilar S box institute time-consuming difference is very little.For example, find the solution transparent steps, optimize multiple and be about 450 times, and the S box time phase difference of different types only is 1.25 times at S box to 8 * 8.And this species diversity is linear the increasing along with the increase of S box scale not.Therefore, the threshold filtering method in this invention has versatility.

Claims (8)

1. a S kit transparent steps detection method fast the steps include:

1) initial value and that transparent steps MaxTransOrder is set is used for the threshold value variable ThredValue of more transparent rank nonce and currency;

2) to first output vector β, execution in step 3) to the operation of step 5);

3) calculate and the value of judging current threshold value variable ThredValue whether less than set point IniValue, if, then skip to step 6) less than setting the IniValue value;

4) the transparent steps nonce t_transorder of the current output vector of calculating;

5) upgrade the value of transparent steps MaxTransOrder according to nonce t_transorder;

6) transparent steps of the next output vector β of calculating, repeating step 3) to step 5);

7) travel through each output vector β, return the value of the MaxTransOrder that obtains at last.

2. the method for claim 1 is characterized in that the method for calculating described threshold value variable ThredValue is:

ThredValue=(δ (β)-MaxTransOrder) * (2 ²ⁿ-2 ⁿ), wherein δ (β)=| m-2H (β) |, H (β) is the Hamming weight of output vector β; Wherein, m is the output length of S box, and n is the input length of S box, and m, n are natural number.

3. method as claimed in claim 2 is characterized in that the method for calculating described nonce t_transorder is:

1) also initializing variable Sigma1, Sigma2 are set; Described Sigma2 is corresponding to some output vector β and some non-zero input vector α, is that 1 length is the vector v computing function D of m to all Hamming weights _αThe accumulated value of the Walsh spectral transformation of S; Described Sigma1 is during corresponding to some output vector β, to the Sigma2 absolute value accumulation result of all non-zero input vector α;

2) nonce t_transorder=δ (the β)-Sigma1/ (2 of calculating transparent steps ²ⁿ-2 ⁿ).

4. method as claimed in claim 3 is characterized in that the method for calculating described Sigma2 is: be provided with and initialization one variable Sigma3, described Sigma3 is according to current output vector β and non-zero input vector α, to all input domain F ₂ ⁿOn input vector γ accumulation calculating

Hamming weight According to formula S igma2=n * 2 ⁿ-2 * Sigma3 calculates the value of described Sigma2.

5. method as claimed in claim 3, it is characterized in that calculating in the process of described Sigma1, add up judge current Sigma1 behind the Sigma2 absolute value of each non-zero input vector α value whether greater than the currency of described threshold value variable ThredValue, if greater than the currency of described threshold value variable ThredValue then directly calculate the transparent steps of next output vector β.

6. as claim 2 or 4 described methods, the method that it is characterized in that calculating the Hamming weight of described vector is:

1) Hamming weight initial value HanmingValue=0 is set;

2) needs are calculated each byte from high to low of the vector of Hamming weight, repeating step a～c;

A) read current byte in CurrentByte,

B) computation of table lookup HanmingValue=HanmingValue+HanmingTable[CurrentByte],

C) the current byte pointer with current vector moves on to next byte,

4) return HanmingValue.

7. the method for claim 1, the method that it is characterized in that described renewal transparent steps MaxTransOrder is: judge that described nonce t_transorder is whether greater than the value of current transparent steps MaxTransOrder, if value greater than current transparent steps MaxTransOrder, then keep the value of current transparent steps MaxTransOrder, otherwise upgrade the value of current transparent steps MaxTransOrder value for nonce t_transorder.

8. the method for claim 1, the value that it is characterized in that described set point IniValue are zero.

Images