CN103634101A - Encryption processing method and encryption processing equipment - Google Patents


Info

Publication number
CN103634101A
Authority
CN
China
Prior art keywords
box
key
inverse element
input message
information
Legal status
Pending
Application number
CN201310641560.0A
Other languages
Chinese (zh)
Inventor
穆国强
赵惟
赵亮
郭达
沈渃
张文瀛
李海英
Current Assignee
CHINA ELECTRONIC APPLIANCE Corp
Original Assignee
CHINA ELECTRONIC APPLIANCE Corp

Abstract

An embodiment of the invention provides an encryption processing method and encryption processing equipment. The method includes: XORing 64-bit first information with a 64-bit round key to obtain second information; inputting the second information into the 16 parallel 4×4 S-boxes of a nonlinear layer to obtain third information; and applying the linear transformation of a fourth-order iterated LFSR (linear feedback shift register) in the linear diffusion layer. After a specified number of rounds, for example 12, the result is XORed with the updated round key to obtain the encrypted message. Because each S-box takes 4 bits in and gives 4 bits out, the S-boxes are lightweight, and the fourth-order iterated LFSR is a lightweight linear transformation of low complexity, so the method can run on the sensor nodes of a WSN (wireless sensor network).

Description

Cipher processing method and equipment
[Technical field]
The present invention relates to communication technology, and in particular to a cipher processing method and equipment.
[Background technology]
A wireless sensor network (Wireless Sensor Network, WSN) is a network made up of a large number of small sensors, generally called sensor nodes.
Because sensor nodes are resource-constrained in power supply, computing capability, communication capacity and memory space, deploying a security mechanism on them requires a lightweight cryptographic algorithm that runs well on a sensor node.
[Summary of the invention]
Aspects of the present invention provide a cipher processing method and equipment that can run on the sensor nodes of a WSN.
In one aspect, the present invention provides a cipher processing method, comprising:
XORing 64-bit first information with a 64-bit round subkey to obtain second information;
inputting the second information into 16 parallel 4×4 first S-boxes to obtain third information;
inputting the third information into 16 parallel 4×4 second S-boxes to obtain fourth information, where the 16 second S-boxes are obtained by cyclically shifting the 16 first S-boxes left by 24 bits;
dividing the fourth information into groups of 16 bits to obtain 4 groups;
inputting each group into one LFSR and iterating it 4 times to obtain fifth information, where the state-transition matrix of the LFSR is $A = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{pmatrix}$, with $L = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{pmatrix}$;
wherein the round subkey is generated by 4 iterative operations, each comprising:
dividing the 64-bit initial key into groups of 32 bits to obtain 2 first group keys;
cyclically shifting each first group key left by 4 bits to obtain 2 second group keys, where the first second-group key is the high 32 bits and the second second-group key is the low 32 bits;
inputting the high 4 bits of the first second-group key into one first S-box to obtain the new high 4 bits of the first second-group key;
XORing the high 4 bits of the second second-group key with the round number of the cipher processing method to obtain the new high 4 bits of the second second-group key, where the number of rounds of the cipher processing method is less than or equal to 12;
combining the new high 4 bits of the second second-group key with the low 28 bits of the first second-group key to generate a new first second-group key;
combining the new high 4 bits of the first second-group key with the low 28 bits of the second second-group key to generate a new second second-group key.
In another aspect, the present invention provides an encryption processing apparatus, comprising:
a first operating unit, configured to XOR 64-bit first information with a 64-bit round subkey to obtain second information;
a second operating unit, configured to input the second information into 16 parallel 4×4 first S-boxes to obtain third information;
a third operating unit, configured to input the third information into 16 parallel 4×4 second S-boxes to obtain fourth information, where the 16 second S-boxes are obtained by cyclically shifting the 16 first S-boxes left by 24 bits;
a fourth operating unit, configured to divide the fourth information into groups of 16 bits to obtain 4 groups;
a fifth operating unit, configured to input each group into one LFSR and iterate it 4 times to obtain fifth information, where the state-transition matrix of the LFSR is $A = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{pmatrix}$, with $L = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{pmatrix}$;
wherein the round subkey is generated by 4 iterative operations, each comprising:
dividing the 64-bit initial key into groups of 32 bits to obtain 2 first group keys;
cyclically shifting each first group key left by 4 bits to obtain 2 second group keys, where the first second-group key is the high 32 bits and the second second-group key is the low 32 bits;
inputting the high 4 bits of the first second-group key into one first S-box to obtain the new high 4 bits of the first second-group key;
XORing the high 4 bits of the second second-group key with the round number of the cipher processing method to obtain the new high 4 bits of the second second-group key, where the number of rounds of the cipher processing method is less than or equal to 12;
combining the new high 4 bits of the second second-group key with the low 28 bits of the first second-group key to generate a new first second-group key;
combining the new high 4 bits of the first second-group key with the low 28 bits of the second second-group key to generate a new second second-group key.
As can be seen from the above technical solution, the embodiment XORs 64-bit first information with a 64-bit round subkey to obtain second information, feeds it to the 16 parallel 4×4 first S-boxes of the nonlinear layer to obtain third information, and then applies the linear transformation of the 4-times iterated LFSR of the linear diffusion layer; after the specified number of rounds, for example 12, the result is XORed with the updated round subkey to obtain the ciphertext. Because the S-box has 4-bit input and output it is a lightweight S-box, and the linear transformation of the 4-times iterated LFSR has low complexity and is also a lightweight transformation, so this cipher processing method can run on the sensor nodes of a WSN.
In addition, with the technical solution provided by the invention, cryptographic performance testing of the S-boxes yields 9 S-boxes of excellent cryptographic performance and without trapdoors, which can effectively improve the security of the WSN.
[Description of the drawings]
To explain the technical solution of the embodiments more clearly, the drawings needed for the embodiments or the prior art are briefly introduced below. Obviously the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the cipher processing method provided by one embodiment of the invention;
Fig. 2 is a design diagram of the linear diffusion layer in the embodiment corresponding to Fig. 1;
Fig. 3 is a schematic diagram of the generation of the round subkey in the embodiment corresponding to Fig. 1;
Fig. 4 is a schematic diagram of one possible differential pattern when R1 = 1 in the embodiment corresponding to Fig. 1;
Fig. 5 is a structural diagram of the encryption processing apparatus provided by another embodiment of the invention;
Fig. 6 is a structural diagram of the encryption processing apparatus provided by another embodiment of the invention.
[Embodiments]
To make the purpose, technical solution and advantages of the embodiments clearer, the technical solution of the embodiments is described clearly and completely below with reference to the drawings. Obviously the described embodiments are some, not all, of the embodiments of the invention; all other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
In addition, the term "and/or" herein only describes an association between related objects and indicates that three relations may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. The character "/" herein generally indicates an "or" relation between the objects before and after it.
With the deep development of pervasive computing, people can obtain any digital service they need anytime, anywhere, quickly and transparently. Because the many kinds of information in the environment are interconnected and shared, information security problems become ever more complex and urgent; for example, in a military sensor network deployed in a battlefield environment, the nodes must be protected so that the enemy cannot obtain first-hand information while the nodes sense and acquire real-time battlefield information. As the feeler through which the Internet of Things perceives the physical world, the WSN has always been a research focus in many countries and is widely used in fields such as military build-up, biomedicine and intelligent environments. It has the advantages of large-scale deployment, unattended operation, centre-less self-organisation and rapidly changing network topology, but its sensor nodes have little energy and low computing capability, which makes the design of a cryptographic algorithm to run on them a major difficulty: traditional Internet cryptographic algorithms such as DES and AES cannot be implemented on sensor nodes of limited computing capability because of their large scale and computation. Therefore a lightweight cryptographic algorithm must be designed that has a high security level and also runs well on sensor nodes, providing technical support for security authentication, encryption and secure routing. Traditional Internet cryptographic algorithms, for example the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), process a large amount of information and are large in scale, so they are not suitable for sensor nodes that are severely limited in energy and computing capability; a new class of lightweight cryptographic algorithm is urgently needed to solve this problem, run well in this special environment, encrypt information at its source and ensure that it is sent securely to its destination.
In a substitution-permutation network (SPN) structure, the input plaintext block is first XORed with an expanded round subkey, then passed through a nonlinear S-box substitution, and the output is then passed through a linear transformation; the result is one round of SPN encryption, and the final ciphertext is obtained after iterating a fixed number of rounds. Because the SPN structure passes the data through S-boxes and permutation operations, its diffusion is greatly improved: it not only has good cryptographic properties but reaches the best diffusion with few rounds and has high throughput. It follows that the design of a lightweight cryptographic algorithm must consider both the security level and the efficiency of the hardware implementation, and integrate the two.
Nowadays, IoT sensing-layer devices such as radio-frequency identification (RFID) tags and WSN technology are found in every field, and the degree of concern is even more prominent in city management and control, in industries such as financial trading and health care, and even in military warfare. Therefore a cryptographic algorithm with a good security level that can be applied in the environment of RFID tags and sensor nodes to ensure information security is particularly important. Block ciphers, as one structure within symmetric encryption algorithms, are an important branch of modern cryptographic research, and their development and study has important theoretical value and wide practical value. The design of a block cipher and its security analysis are two separate but mutually dependent processes: in the design process security must be the criterion, including cryptographic properties such as nonlinearity, differential uniformity and avalanche effect, in order to resist attacks such as linear analysis, differential analysis and their variants, while also achieving the hardware cost that its design philosophy envisages.
As the only nonlinear component in a block cipher structure, the S-box plays an important role in the robustness of the algorithm. Although there are now many S-boxes of high security, for example the S-box in the Advanced Encryption Standard (AES), which resists nearly all cryptanalytic attacks such as differential, linear, algebraic and integral attacks, its 8×8 S-box needs 1000 GEs (gate equivalents). Sensor nodes, however, are limited in energy and computing capability: although a large S-box has strong security, it makes the hardware implementation of the whole algorithm huge and complex and consumes a large amount of the limited resources on sensor nodes, so it is not suitable for large-scale energy-constrained equipment such as sensor nodes. Likewise, the 6×6 S-box (300 GEs) used in AES-CF and the 6×4 S-box (120 GEs) adopted by the Data Encryption Standard (DES) do not meet the lightweight requirement of sensor nodes.
Therefore, designing a small-scale S-box becomes the matter of utmost importance for encryption running on sensor nodes.
Fig. 1 is a schematic flow chart of the cipher processing method provided by one embodiment of the invention, as shown in Figure 1.
101: XOR 64-bit first information with a 64-bit round subkey to obtain second information.
102: Input the second information into 16 parallel 4×4 first S-boxes to obtain third information.
103: Input the third information into 16 parallel 4×4 second S-boxes to obtain fourth information, where the 16 second S-boxes are obtained by cyclically shifting the 16 first S-boxes left by 24 bits.
104: Divide the fourth information into groups of 16 bits to obtain 4 groups.
105: Input each group into one LFSR and iterate it 4 times to obtain fifth information, where the state-transition matrix of the LFSR is $A = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{pmatrix}$, with $L = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{pmatrix}$.
The round subkey is generated by 4 iterative operations, each of which can comprise the following steps:
dividing the 64-bit initial key into groups of 32 bits to obtain 2 first group keys;
cyclically shifting each first group key left by 4 bits to obtain 2 second group keys, where the first second-group key is the high 32 bits and the second second-group key is the low 32 bits;
inputting the high 4 bits of the first second-group key into one first S-box to obtain the new high 4 bits of the first second-group key;
XORing the high 4 bits of the second second-group key with the round number of the cipher processing method to obtain the new high 4 bits of the second second-group key, where the number of rounds of the cipher processing method is less than or equal to 12;
combining the new high 4 bits of the second second-group key with the low 28 bits of the first second-group key to generate a new first second-group key;
combining the new high 4 bits of the first second-group key with the low 28 bits of the second second-group key to generate a new second second-group key.
In this way, 64-bit first information is XORed with a 64-bit round subkey to obtain second information, which is fed to the 16 parallel 4×4 first S-boxes of the nonlinear layer to obtain third information, followed by the linear transformation of the 4-times iterated LFSR of the linear diffusion layer; after the specified number of rounds, for example 12, the result is XORed with the updated round subkey to obtain the ciphertext. Because the S-box has 4-bit input and output it is a lightweight S-box, and the linear transformation of the 4-times iterated LFSR has low complexity and is also a lightweight transformation, so this cipher processing method can run on the sensor nodes of a WSN.
Optionally, in one possible implementation of this embodiment, the construction of the first S-box can be included before 102. Since this part only describes the first S-box, it is simply called the S-box below for brevity. Specifically, the inverse element of the input message can be obtained over the finite field GF(2^4) using an irreducible polynomial, and the output of the S-box can then be obtained from that inverse by an affine transformation. A Galois field (GF) is also called a finite field; GF(2^4) contains 16 elements.
Thus, by obtaining the inverse of the input message over GF(2^4) with an irreducible polynomial and applying an affine transformation to it, the output of the S-box is obtained; because the input and output of this S-box are 4 bits, it is a lightweight S-box and can run on the sensor nodes of a WSN.
In this embodiment, constructing the S-box can be divided into two invertible steps:
Step 1: put the state words in one-to-one correspondence with the elements of GF(2^4) and obtain the inverse of each state word over GF(2^4).
Step 2: from the inverse of each state word, construct the 4×4 S-box through an affine transformation, which can be expressed as
$b(x) = v(x) + (X^{-1} \cdot \mu(x)) \bmod m(x)$ (1)
where
$X^{-1}$ is the inverse element of the input message, i.e. the inverse of each state word;
$m(x)$ is any quartic polynomial over GF(2^4);
$\mu(x)$ is any polynomial coprime with $m(x)$;
$v(x)$ is the affine constant, used to guarantee that no fixed point and no anti-fixed point exist.
From abstract algebra it is known that over GF(2^4) there are only three irreducible polynomials, namely $x^4+x+1$, $x^4+x^3+1$ and $x^4+x^3+x^2+x+1$. The inverse elements $X^{-1}$ of the state words [0123456789ABCDEF] under each of them are, respectively,
[019EDB76F2C5A438];
[01C86F4E3DBA2975];
[01FA8659473EDCB2].
Here the bracketed values are the values of $X^{-1}$ obtained for the state words, written in hexadecimal.
μ (x) can represent by a matrix U, and the S box because S box is 4 * 4, therefore makes U=[U 3u 2u 1u 0]:
U 0=[U 3U 2U 1U 0]·[0001] T=(μ(x)·1)modm(x)
U 1=[U 3U 2U 1U 0]·[0010] T=(μ(x)·x)modm(x)
U 2=[U 3U 2U 1U 0]·[0100] T=(μ(x)·x 2)modm(x) (2)
U 3=[U 3U 2U 1U 0]·[1000] T=(μ(x)·x 3)modm(x)
About v (x), as long as can guarantee in conversion process, there is not fixed point and anti-fixed point, b (x)=x and b ( x ) = x ‾ .
The output that finally can draw S box is as follows:
b 3 b 2 b 1 b 0 = v 3 v 2 v 1 v 0 + [ U 3 U 2 U 1 U 0 ] · x 3 - 1 x 2 - 1 x 1 - 1 x 0 - 1 - - - ( 3 )
By exhaustively testing $m(x)$, $\mu(x)$ and $v(x)$ under the three irreducible polynomials over GF(2^4), more than 4000 S-boxes can be obtained; after removing those with fixed points or anti-fixed points, about 600 remain, but not all of these 600-odd S-boxes reach the best cryptographic performance. The analysis below finds the $\{m(x), \mu(x), v(x)\}$ triples with the best performance and hence constructs the S-boxes of best cryptographic performance.
Because the affine constant $v(x)$ introduced to eliminate fixed points and anti-fixed points does not affect the cryptographic properties of the S-box, formula (3) shows that the parameter determining the performance of the S-box is the matrix $U$, i.e. $m(x)$ and $\mu(x)$; and since $\mu(x)$ is coprime with $m(x)$, the choice of $m(x)$ is the most important. $m(x)$ may be taken as $x^4+1$, $x^4+x$, $x^4+x^2$, $x^4+x^3$, $x^4+x^2+1$, $x^4+x^2+x$, $x^4+x^3+x^2$, $x^4+x^3+1$, $x^4+x^3+x$, $x^4+x^3+x^2+1$, $x^4+x^3+x^2+x$, $x^4+x^2+x+1$, $x^4+x^3+x+1$ or $x^4+x^3+x^2+x+1$.
If every row and every column of $U$ has the same number of non-zero entries, $U$ is called a homogeneous matrix. Only an S-box obtained from a homogeneous $U$ can have the best cryptographic performance.
The above polynomials $m(x)$ can be divided into irreducible polynomials, polynomials containing only one factor, and polynomials containing several factors. When $m(x)$ is irreducible, any $\mu(x)$ is coprime with it, and from formula (3) there is no $\mu(x)$ that makes $U$ homogeneous. When $m(x)$ contains only one factor, it is easy to see that this factor is $x+1$, so $m(x) = x^4+1$; in that case, whenever $\mu(x)$ is coprime with $m(x)$, the resulting $U$ is homogeneous. When $m(x)$ contains several factors, no $\mu(x)$ generates a homogeneous $U$.
Proof: when $m(x) = x^4+1$, by formula (1) the polynomial of $U_i$ can be written $\mu(x) x^i$ and that of $U_{i-1}$ as $\mu(x) x^{i-1}$. Since $\mu(x) x^i = (x \cdot \mu(x) x^{i-1}) \bmod (x^n+1)$, let the highest degree of $\mu(x)$ be $j$; clearly $j < n$, so the highest degree of $\mu(x) x^i$ is $i+j$.
When $i+j < n$, $\mu(x) x^i = \mu(x) \ll (n-(i+j))$ and likewise $\mu(x) x^{i-1} = \mu(x) \ll (n-(i+j-1))$, hence $U_i = U_{i-1} \ll 1$;
when $i+j > n$, $\mu(x) x^i = \mu(x) \ll (i+j-n)$ and likewise $\mu(x) x^{i-1} = \mu(x) \ll ((i+j-1)-n)$, hence $U_i = U_{i-1} \ll 1$.
So when $m(x) = x^4+1$ the following rule can be found: in the matrix obtained by multiplying the homogeneous matrix generated by a given $\mu(x)$ with the inverse of each state word, every row is the mod-2 sum of any three different state words. This rule does not hold when $m(x)$ is any other polynomial (the proof is omitted here), and it provides an approach for our search for the S-box with the best cryptographic performance. By exhaustively analysing this $m(x)$ together with all $\mu(x)$ coprime with it, S-boxes with the best avalanche effect and algebraic degree are constructed.
Cryptographic performance testing of the S-boxes shows that only the irreducible polynomial $x^4+x^3+x^2+x+1$ yields the S-box with the best cryptographic performance. Therefore this embodiment is described below under the condition of the irreducible polynomial $x^4+x^3+x^2+x+1$ over GF(2^4). That is, the input message is the hexadecimal state word [0123456789ABCDEF], and the inverse $X^{-1}$ of the input message obtained over GF(2^4) with the irreducible polynomial $x^4+x^3+x^2+x+1$ is [01FA8659473EDCB2].
Optionally, in one possible implementation of this embodiment, in 102 the output of the S-box can be obtained from the inverse of the input message using the formula $b(x) = v(x) + (X^{-1} \cdot \mu(x)) \bmod m(x)$, where
$X^{-1}$ is the inverse element of the input message;
$m(x)$ is any quartic polynomial over GF(2^4);
$\mu(x)$ is any polynomial coprime with $m(x)$;
$v(x)$ is the affine constant, used to guarantee that no fixed point and no anti-fixed point exist.
For example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^2+x+1$ and $v(x) = x^2+x+1$ into the formula $b(x) = v(x) + (X^{-1} \cdot \mu(x)) \bmod m(x)$ gives the S-box output [7082C4DBA3EF6159], as shown in Table 1.
Table 1: the 4×4 S1 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S1(x): 7 0 8 2 C 4 D B A 3 E F 6 1 5 9
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^2+x+1$ and $v(x) = x^3$ into the formula gives the S-box output [8F7D3B245C109EA6], as shown in Table 2.
Table 2: the 4×4 S2 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S2(x): 8 F 7 D 3 B 2 4 5 C 1 0 9 E A 6
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x^2+x$ and $v(x) = x^3$ into the formula gives the S-box output [8672FED130B9A4C5], as shown in Table 3.
Table 3: the 4×4 S3 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S3(x): 8 6 7 2 F E D 1 3 0 B 9 A 4 C 5
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x^2+x$ and $v(x) = x^2$ into the formula gives the S-box output [4ABE321DFC756809], as shown in Table 4.
Table 4: the 4×4 S4 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S4(x): 4 A B E 3 2 1 D F C 7 5 6 8 0 9
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x^2+x$ and $v(x) = x^3+x+1$ into the formula gives the S-box output [B541CDE2038A97F6], as shown in Table 5.
Table 5: the 4×4 S5 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S5(x): B 5 4 1 C D E 2 0 3 8 A 9 7 F 6
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x^2+x$ and $v(x) = x^2+x+1$ into the formula gives the S-box output [798D012ECF465B3A], as shown in Table 6.
Table 6: the 4×4 S6 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S6(x): 7 9 8 D 0 1 2 E C F 4 6 5 B 3 A
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x+1$ and $v(x) = x$ into the formula gives the S-box output [29D8FB74C0E6A135], as shown in Table 7.
Table 7: the 4×4 S7 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S7(x): 2 9 D 8 F B 7 4 C 0 E 6 A 1 3 5
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x^2+1$ and $v(x) = 1$ into the formula gives the S-box output [1CE4FDB26073589A], as shown in Table 8.
Table 8: the 4×4 S8 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S8(x): 1 C E 4 F D B 2 6 0 7 3 5 8 9 A
Or, as another example, substituting the inverse of the input message, $m(x) = x^4+1$, $\mu(x) = x^3+x^2+1$ and $v(x) = x^3+x^2+x$ into the formula gives the S-box output [E31B024D9F8CA765], as shown in Table 9.
Table 9: the 4×4 S9 box
x:     0 1 2 3 4 5 6 7 8 9 A B C D E F
S9(x): E 3 1 B 0 2 4 D 9 F 8 C A 7 6 5
Thus, with the technical solution provided by the invention, cryptographic performance testing of the S-boxes yields 9 S-boxes with excellent cryptographic performance and no trapdoor, which can effectively improve the security of the WSN. Specifically, the cryptographic performance testing may adopt, but is not limited to, the following analyses, briefly described here taking the S1 box of Table 1 as an example.
1. Nonlinearity analysis
Nonlinearity determines the ability of a cryptographic algorithm to resist linear cryptanalysis. Let $S(x): GF(2)^n \to GF(2)^n$; the nonlinearity of the S-box is
$N_S = 2^{n-1}\left(1 - \max_{u \in GF(2)^n} \max_{v \in GF(2)^n} \left| S^{(S)}(u, v) \right|\right)$ (4)
where
$S^{(S)}(u, v)$ is the generalized Walsh cyclic spectrum of $S(x)$ (its defining formula appears only as an image in the original and is not reproduced here);
$u$ and $v$ are two elements of GF(2^4), $u \cdot F(x) = \sum_{i=0}^{n-1} u_i F(x)_i$ and $v \cdot x = \sum_{i=0}^{n-1} v_i x_i$.
Solving for the nonlinearity of the S1 box gives $N_S = 4$.
Because the upper bound on nonlinearity is $2^{n-1} - 2^{n/2-1} = 6$, the nonlinearity of the S1 box does not reach the optimal value, but it still has good nonlinearity.
2. Differential uniformity analysis
A small differential uniformity δ is a necessary condition for an S-box to resist differential cryptanalysis. Because differential uniformity can be read from the difference distribution table, the difference distribution table of the S1 box (Table 10) and that of the S-box in the PRESENT algorithm (Table 11) were each calculated. In Tables 10 and 11, Δ(x) denotes the input difference, Δ(b) denotes the output difference and Δ denotes the differential characteristic value; both tables give, for each input difference from 0 to F, how many times each output difference from 0 to F occurs, which is the differential characteristic value.
Table 10: difference distribution table of the S1 box (given as an image in the original; not reproduced here)
Table 11: difference distribution table of the S-box in the PRESENT algorithm (given as an image in the original; not reproduced here)
From Table 10 it can be seen that in the difference distribution table of the S1 box the largest output-difference count in each row (except the row Δ(x) = 0) is 4, so the differential uniformity is 4; every row has 7 non-zero output differences Δ(b), and the first column contains no non-zero element, so the distribution is even. Comparing with the difference distribution table of the S-box in the classic lightweight algorithm PRESENT (Table 11): although the PRESENT S-box also has differential uniformity 4, most of its rows are unevenly distributed, and there are rows containing more than one output-difference count of 4, so each row contains too many zeros; the fourth row (Δ(x) = 1) and the last row (Δ(x) = F) have only 4 non-zero output differences, the fewest. In addition, when wt(Δi) = wt(Δo) = 1 the output-difference count is 0, so it is vulnerable to differential attack: although this structural condition improves the avalanche effect, it cannot effectively resist differential attack, because when the input and output Hamming distances both equal 1 the corresponding entry of the difference distribution table is 0, making the distribution uneven and creating the possibility of differential attack. In short, the S1 box is better than the PRESENT S-box in the index of differential uniformity and can better resist differential attack.
3. Avalanche effect analysis

The quality of the avalanche effect of an S-box can be measured by the avalanche probability: the probability that an output bit changes when 1 bit of the input is changed. When the avalanche probability is 1/2 the strict avalanche criterion (SAC) is satisfied, and the avalanche effect is then ideal. Table 12 lists the avalanche probabilities of the S1 box; the rows 0001 to 1000 denote complementing the lowest to the highest input bit, and s0 to s3 denote the probability that the corresponding output bit of the S-box changes.

Table 12: avalanche probability table of the S1 box

Complemented bit   s0    s1    s2    s3
0001               1/2   1/2   1/2   1/2
0010               1/2   1/2   1/2   1/2
0100               1/2   1/2   1/2   1/2
1000               1/2   1/2   1/2   1/2

Table 12 shows that every avalanche probability of the S1 box is 1/2, which satisfies the strict avalanche criterion; a change in the input therefore diffuses rapidly into the output of the whole S-box, i.e. the S1 box has a very strong avalanche effect.
4. Algebraic degree and term count analysis

In the prior art a 4 × 4 S-box can be written as 4 Boolean functions over the finite field GF(2): $Sbox(x_0, \dots, x_3) = (f_0(x_0, \dots, x_3), \dots, f_3(x_0, \dots, x_3))$. Further, the S-box can be represented by 4 Boolean functions $f_i(x_0, \dots, x_3)$ ($0 \le i \le 3$) containing only the logical operators AND and XOR, that is:

$f_i(x_0, \dots, x_3) = a_0^{(i)} + a_1^{(i)} x_0 + \dots + a_4^{(i)} x_3 + a_5^{(i)} x_0 x_1 + \dots + a_{15}^{(i)} x_0 x_1 x_2 x_3$ (5)

where the $a_j^{(i)}$ are the coefficients to be determined (their definition is given in an image not reproduced here). The Boolean functions of the S1 box and their algebraic degrees can be determined accordingly.

The Boolean functions are:

$f_0(x_0,x_1,x_2,x_3) = x_0 + x_1 + x_2 + x_0x_2 + x_0x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0x_1x_2$
$f_1(x_0,x_1,x_2,x_3) = 1 + x_0 + x_2 + x_3 + x_0x_1 + x_0x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0x_2x_3$
$f_2(x_0,x_1,x_2,x_3) = 1 + x_2 + x_3 + x_0x_1 + x_0x_3 + x_1x_2 + x_1x_3 + x_0x_1x_3 + x_1x_2x_3$
$f_3(x_0,x_1,x_2,x_3) = 1 + x_0 + x_1 + x_2 + x_3 + x_0x_1 + x_0x_2 + x_1x_2 + x_1x_3 + x_2x_3 + x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2x_3$

The algebraic degrees of the Boolean functions are:

$D(f_0) = 3,\ D(f_1) = 3,\ D(f_2) = 3,\ D(f_3) = 3$.

From the above analysis, the algebraic degree of all 4 Boolean functions of the S1 box reaches the optimum $n - 1$ with $n = 4$, and the numbers of terms are 9, 10, 9 and 14 respectively. The more terms, the more complex the equations, which effectively resists algebraic attacks and related attacks.
Table 13 gives an overall comparison of the cryptographic performance parameters of the S1 box and of the S-box in the classic lightweight algorithm PRESENT.

Table 13: comparison of the cryptographic performance parameters of the S1 box and the S-box in the PRESENT algorithm (image not reproduced here)

Table 13 shows that the S1 box reaches the optimum value on the two indexes avalanche effect and algebraic degree, while its nonlinearity and differential uniformity stay comparable to those of the PRESENT S-box, which provides strong technical support for the non-linear layer design of the lightweight cipher.
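The four tests above (nonlinearity via the Walsh spectrum, the difference distribution table, the avalanche probabilities, and the algebraic normal form with its degree and term count) can be run mechanically on any 4 × 4 S-box. The following Python script is an added example, not code from the patent. Because the S1 table (Table 1) is not reproduced in this part of the text, it is run on the PRESENT S-box from Table 11, whose values are public; any other 16-entry table can be substituted. The script computes the unnormalised Walsh sum, so the spectrum $S^{(S)}(u,v)$ of formula (4) is that sum divided by $2^n$.

```python
"""Cryptographic property checks for a 4x4 S-box (added example, not the patent's code).

Runs the tests described on the page (nonlinearity, differential uniformity,
avalanche probability / SAC, algebraic degree and term count) on the PRESENT
S-box, a public constant used because Table 1 (S1) is not reproduced here.
"""
N = 4                      # S-box width in bits
SIZE = 1 << N              # 16 inputs

# PRESENT S-box (Bogdanov et al., CHES 2007)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(x):
    """Parity of the set bits of x: the GF(2) inner product after masking."""
    return bin(x).count("1") & 1


def walsh(sbox, u, v):
    """Unnormalised Walsh sum over x of (-1)^(v.S(x) + u.x); the page's S^(S)(u,v) is this / 2^n."""
    return sum((-1) ** (parity(v & sbox[x]) ^ parity(u & x)) for x in range(SIZE))


def nonlinearity(sbox):
    """N_S = 2^(n-1) - max|W|/2 over all input masks u and non-zero output masks v (formula (4))."""
    w_max = max(abs(walsh(sbox, u, v)) for u in range(SIZE) for v in range(1, SIZE))
    return (SIZE >> 1) - w_max // 2


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy} (Tables 10/11)."""
    table = [[0] * SIZE for _ in range(SIZE)]
    for x in range(SIZE):
        for dx in range(SIZE):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(sbox):
    """Largest entry of the difference distribution table outside the row dx = 0."""
    table = ddt(sbox)
    return max(table[dx][dy] for dx in range(1, SIZE) for dy in range(SIZE))


def avalanche_probabilities(sbox):
    """For each single-bit input complement, the probability that each output bit flips (Table 12)."""
    result = {}
    for i in range(N):
        flips = [0] * N
        for x in range(SIZE):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(N):
                flips[j] += (d >> j) & 1
        result[1 << i] = [f / SIZE for f in flips]   # keyed 0001, 0010, 0100, 1000
    return result


def satisfies_sac(sbox):
    """Strict avalanche criterion: every avalanche probability equals 1/2."""
    return all(p == 0.5 for probs in avalanche_probabilities(sbox).values() for p in probs)


def anf(truth_table):
    """Moebius transform: coefficient a[m] of the monomial whose variable set is the bit mask m."""
    a = list(truth_table)
    for i in range(N):
        for x in range(SIZE):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return a


def coordinate_anf(sbox, j):
    """Algebraic normal form of output bit j, i.e. f_j(x_0, ..., x_3) of formula (5)."""
    return anf([(sbox[x] >> j) & 1 for x in range(SIZE)])


def algebraic_degree(sbox, j):
    coeffs = coordinate_anf(sbox, j)
    return max((bin(m).count("1") for m in range(SIZE) if coeffs[m]), default=0)


def term_count(sbox, j):
    return sum(coordinate_anf(sbox, j))


def report(sbox):
    """Summary in the shape of the page's Table 13."""
    return {
        "nonlinearity": nonlinearity(sbox),
        "differential_uniformity": differential_uniformity(sbox),
        "sac": satisfies_sac(sbox),
        "degrees": [algebraic_degree(sbox, j) for j in range(N)],
        "terms": [term_count(sbox, j) for j in range(N)],
    }


if __name__ == "__main__":
    assert sorted(PRESENT_SBOX) == list(range(SIZE))   # the table must be a permutation
    print(report(PRESENT_SBOX))
```

For the PRESENT S-box the report gives nonlinearity 4 and differential uniformity 4 (the same two values the text reports for the S1 box), fails the strict avalanche criterion (complementing input bit 0 always flips output bit 0), and has a quadratic coordinate function, so it does not reach the optimum on the avalanche and algebraic-degree indexes, matching the comparison in Table 13.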
A linear feedback shift register (LFSR) essentially represents a linear transformation matrix D; to make the diffusion effect optimal, this matrix can be constructed as a maximum distance separable (MDS) code. The linear diffusion layer D of most block ciphers can be expressed as $D: v \to v$, where D is realized by some linear transformation matrix L and v is a vector space over GF(2). The effect of a diffusion layer is measured by its branch number; for the diffusion layer function above, the branch number equals the minimum, over non-zero inputs v, of the sum of the Hamming weights of the input v and of the output D(v):

$\mathcal{B}(D) = \min_{v \neq 0} \left( wt(v) + wt(D(v)) \right)$

The branch number gives a lower bound on the number of active S-boxes in two consecutive round transformations. For a diffusion layer whose input consists of n S-boxes, the maximum branch number is n + 1. If a diffusion layer D reaches this upper bound it is called an optimal diffusion layer, or maximum distance separable (MDS) diffusion layer.

In general, for a linear code [m, s, d] with generator matrix $G = [I_{s \times s} \mid D_{s \times (m-s)}]$, the code is MDS if and only if every square submatrix of D is nonsingular, where D is a matrix over the finite field $GF(2^n)$.

For the matrix D the following form may be used (the displayed form is not reproduced here). Considering the matrix of the linear diffusion layer, D should be square, so m = 2s and D is an s × s square matrix. It follows that when every k × k submatrix (1 ≤ k ≤ s) of the diffusion layer D is nonsingular, the diffusion layer is optimal and its branch number reaches the maximum d = s + 1.
For the construction of the diffusion layer D, following the relevant literature, we adopt an iterative diffusion scheme based on several LFSRs in parallel: first construct an s × s state-transition matrix A, then choose an iteration count p such that $D = A^p$. Here A must be sufficiently simple and p as small as possible, so that the complex diffusion matrix D is obtained through a few iterations of the simple matrix A, meeting the lightweight standard. The literature gives the following form of a lightweight matrix A such that $D = A^p$ reaches optimal diffusion (the general form is shown in an image not reproduced here):

where "0" is the 2n × 2n zero matrix over the finite field GF(2), and

$T = \begin{pmatrix} 0 & 1 \\ 0 & 0 \end{pmatrix}, \qquad U_i = \begin{pmatrix} 0 & 0 \\ L_{2i-1} & L_{2i} \end{pmatrix}$

The diffusion layer design is therefore divided into two steps. First, the outputs of the 16 S-boxes are rotated left by 24 bits (6 S-boxes) to obtain 16 second S-boxes. Second, since a wider input makes the diffusion matrix D more complex, and in order not to hurt throughput too much, the 16 second S-boxes are divided into 4 groups and fed into 4 parallel LFSRs. The input of each LFSR is then the width of 4 S-boxes (16 bits), and the state-transition matrix above is a 4 × 4 block matrix (s = 4). The matrix A can be further written as

$A = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & L_3 & L_4 \\ 0 & 0 & 0 & 1 \\ L_1 & L_2 & 0 & 0 \end{pmatrix}$

When $L_1, L_2, L_3, L_4$ take the values $L, 1, 1, L$ and p = 4 the result is best, as shown in Fig. 2. The state-transition matrix is then

$A = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{pmatrix}$

and from $D = A^p$ (with coefficients reduced modulo 2):

$A^4 = \begin{pmatrix} L & L^2+1 & L & L^2 \\ L^3 & L^2+L & L^2+1 & L^3 \\ L^2 & L & L & L^2+1 \\ L^3+L & 1 & L & L^2+L \end{pmatrix}$

According to Theorem 2, the determinants of the k × k submatrices of D can be computed; they are products of the factors

$L,\ L+1,\ L^2+L+1,\ L^3+L+1,\ L^3+L^2+1,\ L^4+L^3+1,\ L^4+L^3+L^2+L+1$

When all of these are nonsingular, one L matrix satisfying the condition is

$L = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{pmatrix}$

so the diffusion layer constructed from this L is an optimal diffusion layer. (Check: the characteristic polynomial of this L is $x^4 + x + 1$, which is irreducible over GF(2) and differs from every factor listed above, so none of those factors evaluated at L is singular.)
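The claim that $D = A^4$ built from this L is MDS can be verified directly rather than through the minors: assemble A as a 16 × 16 matrix over GF(2) from the block form, raise it to the fourth power, and take the minimum over all $2^{16}$ non-zero inputs of the number of non-zero nibbles in the input plus in the output. The Python below is an added example, not code from the patent; the layout of the 4 × 4 blocks follows the displayed A with nibble 0 as the most significant nibble, which is a convention of the example (the branch number does not depend on it).

```python
"""Branch number of the LFSR diffusion layer D = A^4 (added example, not the patent's code).

Matrices over GF(2) are lists of rows; each row is an int whose bit (15 - j)
is column j, and a 16-bit state vector uses the same layout, so nibble k
occupies bits 15-4k .. 12-4k (nibble 0 is the most significant one).
"""
WIDTH = 16                                   # 4 nibbles of 4 bits

# The page's L (rows top to bottom, columns left to right)
L_ROWS = [0b0110, 0b0010, 0b0001, 0b1000]
I_ROWS = [0b1000, 0b0100, 0b0010, 0b0001]
Z_ROWS = [0b0000] * 4

# The page's state-transition matrix A in block form (s = 4)
A_BLOCKS = [
    [Z_ROWS, I_ROWS, Z_ROWS, Z_ROWS],
    [Z_ROWS, Z_ROWS, I_ROWS, L_ROWS],
    [Z_ROWS, Z_ROWS, Z_ROWS, I_ROWS],
    [L_ROWS, I_ROWS, Z_ROWS, Z_ROWS],
]


def from_blocks(blocks):
    """Assemble a 16x16 GF(2) matrix from a 4x4 grid of 4x4 blocks."""
    rows = []
    for block_row in blocks:
        for r in range(4):
            row = 0
            for block in block_row:
                row = (row << 4) | block[r]
            rows.append(row)
    return rows


def parity(x):
    return bin(x).count("1") & 1


def mat_vec(m, v):
    """Matrix-vector product over GF(2); row 0 produces the most significant output bit."""
    out = 0
    for row in m:
        out = (out << 1) | parity(row & v)
    return out


def mat_mul(a, b):
    """Matrix product over GF(2): row i of a*b is the XOR of the rows of b selected by row i of a."""
    result = []
    for row in a:
        acc = 0
        for k in range(WIDTH):
            if row & (1 << (WIDTH - 1 - k)):
                acc ^= b[k]
        result.append(acc)
    return result


def identity():
    return from_blocks([[I_ROWS if i == j else Z_ROWS for j in range(4)] for i in range(4)])


def mat_pow(m, p):
    result = identity()
    for _ in range(p):
        result = mat_mul(result, m)
    return result


def nibble_weight(v):
    """Number of non-zero 4-bit words, i.e. the number of active S-boxes."""
    return sum(1 for k in range(4) if (v >> (4 * k)) & 0xF)


def branch_number(m):
    """min over non-zero v of wt(v) + wt(m v), counted in nibbles (the page's branch number)."""
    return min(nibble_weight(v) + nibble_weight(mat_vec(m, v)) for v in range(1, 1 << WIDTH))


A = from_blocks(A_BLOCKS)
D = mat_pow(A, 4)

if __name__ == "__main__":
    for p in range(1, 5):
        print(f"branch number of A^{p}: {branch_number(mat_pow(A, p))}")
```

A single clock of A has branch number 2 (an input confined to the first nibble reaches only the last one through L), which is why the layer clocks the register p = 4 times; the exhaustive search returns 5, the maximum n + 1 for n = 4, confirming that this L gives an MDS diffusion layer.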
Under the encryption environment of a sensor network the attacker's computing capability is correspondingly weaker, so the purpose of the key schedule is to minimise the hardware space occupied while guaranteeing a suitable security level. A 64-bit initial key is used to generate the subkeys, and the key schedule reduces the occurrence of weak and semi-weak keys as much as possible. The round-subkey schedule of the present embodiment is as follows:

1. Input the 64-bit initial key.

2. Divide the 64-bit initial key into two groups, each consisting of eight 4-bit words (the notation for the words is shown in images not reproduced here). First rotate each group left by 4 bits. Then feed the leading 4 bits of the first group into an S-box and XOR the leading 4 bits of the second group with the round number. Finally write the 4-bit S-box output of the first group into the leading 4 bits of the second group and, at the same time, write the 4-bit XOR result of the second group into the leading 4 bits of the first group.

3. Iterate step 2 four times; the final output is one round subkey.

The generation of one round subkey is shown in Fig. 3. An on-the-fly key schedule, which generates each round subkey during the encryption itself, replaces the scheme of computing all round subkeys in advance, which makes the algorithm more efficient. The round-subkey generation uses cyclic shifts, a non-linear operation (the S-box) and an XOR with a constant to eliminate weak and semi-weak keys and, at the same time, to resist key-schedule attacks such as related-key attacks. Since the linear diffusion layer needs 4 LFSR iterations to reach an optimal diffusion layer, the round-subkey generation also uses 4 iterations; this makes full use of the clock-cycle resources, and each round subkey passes through 4 cyclic shifts, 4 non-linear operations and 4 XOR operations, compared with only 1 shift, 1 non-linear operation and 1 XOR in the prior art, so security is also greatly improved.
Because the input block and key space of a lightweight cipher are relatively small, and the hardware constraints also limit the complexity of the non-linear and linear layer designs, the security level and the hardware cost of the algorithm must be traded off against each other, so that the design has both a small hardware footprint and good security. The security of the cipher processing method provided by the invention is analysed as follows.

1. Differential cryptanalysis

For the differential analysis of this algorithm the following theorem holds:

Theorem 1. Any differential characteristic over four consecutive rounds has at least 15 active S-boxes.

Proof. Without loss of generality, consider the worst case. Let $R_i$ denote the number of active S-boxes in round i of the four rounds; four cases are analysed.

$R_1 = 1$: the first round has 1 active S-box. Since the diffusion layer is optimal, the linear branch number over two consecutive rounds reaches its maximum, so $R_2 = 4$. In the third round, after the rotation by 24 bits, only one situation is possible: the 4 active S-boxes are distributed evenly over 2 of the iterative LFSRs, so the third round has 3 + 3 = 6 active S-boxes. In the fourth round, after the rotation by 24 bits, the 6 active S-boxes are distributed over 3 iterative LFSRs, which gives three different situations:

(1) the 1st LFSR has 1 active S-box, the 2nd LFSR has 1 and the 3rd LFSR has 4: the fourth round then has 4 + 4 + 1 = 9 active S-boxes;

(2) the 1st LFSR has 1 active S-box, the 2nd LFSR has 2 and the 3rd LFSR has 3: the fourth round then has 4 + 3 + 2 = 9 active S-boxes;

(3) the 1st, 2nd and 3rd LFSR each have 2 active S-boxes: the fourth round then has 3 + 3 + 3 = 9 active S-boxes.

In summary, when $R_1 = 1$ the number of active S-boxes is 1 + 4 + 6 + 9 = 20 > 15.

$R_2 = 1$: the second round has 1 active S-box. By the optimal diffusion theory the branch number is maximal, so $R_1 + R_2 = 5$ and likewise $R_2 + R_3 = 5$; by the conclusion above the last round has 6 active S-boxes. Hence when $R_2 = 1$ the number of active S-boxes is 5 + 5 - 1 + 6 = 15.

$R_3 = 1$: by the optimal diffusion theory the branch number is maximal, so $R_2 + R_3 = 5$ and $R_3 + R_4 = 5$. Since the second round has 4 active S-boxes, the first round has 6 active S-boxes by the conclusion above. Hence when $R_3 = 1$ the number of active S-boxes is 5 + 5 - 1 + 6 = 15.

$R_4 = 1$: the analysis is exactly the reverse of the case $R_1 = 1$, so the total number of active S-boxes is 20 > 15.

Fig. 4 shows one possible differential pattern for $R_1 = 1$, where black S-boxes are active S-boxes and shaded S-boxes are the positions of the active S-boxes after the rotation; the figure shows that after 4 rounds the number of active S-boxes reaches 20, which is greater than 15.

By Theorem 1 combined with the concrete diffusion layer design, after 12 rounds the number of active S-boxes reaches 45. Moreover, the maximum differential probability of the S-box is $2^{-2}$, so the probability of a single 12-round differential characteristic is at most $2^{-90}$. From this result, the cipher processing method provided by the invention effectively resists differential cryptanalysis.
2. Linear cryptanalysis

As in the differential analysis, the minimum number of active S-boxes over a fixed number of rounds is analysed, giving: any linear approximation over 4 consecutive rounds has at least 15 active S-boxes. The maximum bias of a 12-round linear approximation is therefore

$\varepsilon_{12R} \le \left(2^{-2}\right)^{12 \times 15/4} \approx 2^{-90}$

3. Key schedule analysis

The theoretical design goals of a key schedule are statistical independence and sensitivity of the subkeys. The former makes the subkeys as close to statistically independent as possible; sensitivity refers to how effectively a change in the key propagates: changing a few bits of the seed key should change the corresponding subkeys to a large extent. The two attack types a key schedule is most exposed to are related-key attacks and slide attacks. For the key schedule to resist these attacks effectively, it is designed with shift operations, a non-linear operation and an XOR with a constant, which destroys the self-similarity of the iterated cipher; taking the hardware constraints into account, several iterations are used to generate each subkey.

Because there is currently no established criterion for the key design of lightweight ciphers, the key schedule of the cipher processing method provided by the invention is analysed from the fact that the generation of one round subkey comprises four iterations, each of which passes through a non-linear transformation (S-box):

When the key length is 64 bits, only 4 rounds are needed for every bit in the key register to pass through a non-linear transformation.

When the key length is 64 bits, after 4 rounds every output bit of the key register depends on at least 4 input bits.

From the above analysis the key schedule can be considered highly resistant to the key-schedule attacks mentioned.

4. Algebraic attacks

Broadly speaking, an algebraic attack represents a cryptosystem as a system of algebraic equations and reduces the problem of attacking the system to solving that system; its core technique is solving systems of multivariate polynomial equations. Although solving the MQ problem is NP-complete in computational complexity theory, certain classes of MQ instances can still be solved. At present the XL and XSL algorithms and the F4 and F5 families are the mainstream algebraic-attack algorithms; they have a higher success rate against stream ciphers than against block ciphers, but for a lightweight block cipher it is still necessary to analyse algebraic attacks.

In the S-box of the cipher processing method provided by the invention, each output bit can be represented by a polynomial of algebraic degree 3 in 4 input variables, so for a 64-bit input, computing each bit of the key requires very high complexity. For the full 12-round cipher processing method provided by the invention, the total number of S-boxes in the encryption operation and the key schedule is n = 12 × 16 + 12 × 4 = 240; since over the finite field GF(2) any 4-bit S-box can be represented by at least 21 quadratic equations, the number of quadratic equations in the cipher processing method provided by the invention is 21n = 5040 and the number of variables is 8n = 1920.

From the above security analysis it can be concluded that this algorithm resists well cryptographic attacks such as differential attacks, linear attacks, key-schedule attacks and algebraic attacks.
The hardware efficiency of the cipher processing method provided by the invention is analysed as follows.

The cipher processing method provided by the invention was implemented in the VHDL hardware description language and synthesised in a 0.18 μm CMOS process to determine its hardware efficiency and the hardware resources occupied. 1 GE (gate equivalent) corresponds to a 2-input NAND gate; 1 XOR gate needs about 2.66 GE, storing 1 bit of data needs 6 GE, and a 4 × 4 S-box occupies 28 GE. The hardware space of the whole cipher processing method is then: storing the 64-bit plaintext block needs 64 × 6 = 384 GE; storing the 64-bit key needs 64 × 6 = 384 GE; the non-linear layer (S layer) occupies 16 × 28 = 448 GE; the linear diffusion layer needs 2.66 × 4 × (2 × 4 + 2 × 1) = 106.4 GE; the counter control logic 40 GE; the key shifts 0 GE; the key S-box (one S-box) 28 GE; the key XOR 2.66 × 4 = 10.64 GE; the XOR of the 64-bit block with the 64-bit key 2.66 × 64 = 170.24 GE; and other logic about 4 GE. In total, the cipher processing method provided by the invention occupies 1575.28 GE.

From this calculation of the hardware space of the cipher processing method provided by the invention it can be seen that its hardware cost is very low; an overall comparison with other similar lightweight ciphers is given in Table 14.

Table 14: implementation comparison of lightweight ciphers (image not reproduced here)

In summary, the cipher processing method provided by the invention not only has good security but also an ultra-low hardware footprint, and its throughput is higher than that of most algorithms, so it is a lightweight cipher with excellent performance that can be applied to devices such as wireless sensor nodes to carry out cryptographic tasks.
In the technical scheme provided by the present embodiment, the main improvements comprise the following three aspects.

First aspect: the design and selection of a lightweight encryption S-box based on finite-field inversion

As the only non-linear component of a lightweight cipher, the S-box should have good cryptographic properties; its design criteria mainly comprise orthogonality, completeness, nonlinearity, differential uniformity, algebraic degree, avalanche effect and term-count distribution.

The design of a lightweight S-box needs to consider not only the cryptographic properties above; the choice of the S-box size is equally important. Compared with S-boxes of size 8 × 8, 8 × 6 and 6 × 6, a 4 × 4 S-box significantly reduces the hardware cost and is fully suitable for the encryption running on a sensor node. In addition, considering the existence of "trapdoors", the present invention constructs a class of sub-optimal 4 × 4 S-boxes based on the inverse mapping over the finite field $GF(2^4)$: first the inverse elements corresponding to the irreducible polynomials over $GF(2^4)$ are solved, then a series of S-boxes is derived through an affine transformation, and finally the S-box with the best performance is selected according to the design requirements.

Second aspect: the design of an optimal diffusion layer scheme based on several LFSRs in parallel

In the SPN structure of a block cipher the substitution layer is realised by non-linear transformations in S-boxes, which are the only non-linear components of the structure, so S-box design has always been the focus of research. However, in lightweight cipher design the hardware constraints and speed requirements reduce the size of the S-box; the existing lightweight ciphers (PRESENT, KLEIN, LED, etc.) all adopt 4 × 4 S-boxes, whose non-linear effect is consequently limited. The diffusion layer must therefore spread this non-linearity to a greater degree so that the avalanche effect is as good as possible. The diffusion layer in PRESENT is a permutation of 64 bit positions; that permutation only changes the order of the bits, gives a low avalanche effect, and is hard to implement efficiently in software.

The iterative diffusion layer scheme based on several LFSRs in parallel is computed by several LFSRs iterating in parallel, so that the linear branch number reaches the maximum (n + 1) while essentially keeping PRESENT's original throughput. Analysis of its hardware space shows that, compared with the similar algorithms KLEIN and LED, the hardware cost of the linear diffusion layer is reduced to a great extent.

Third aspect: the design of a multi-round iterative key schedule

The theoretical design goals of a key schedule are statistical independence and sensitivity of the subkeys. Statistical independence means making the subkeys as close to statistically independent as possible. Sensitivity refers to how effectively a change in the key propagates: changing a few bits of the seed key should change the corresponding subkeys to a large extent.

Before designing the key schedule, the two attack types to which the key is most exposed must be considered: related-key attacks and slide attacks. Although there is currently no established criterion for the key design of lightweight ciphers, a good key schedule can still be designed by resisting these two attack methods.

Against the two key attacks mentioned above, shift and non-linear operations are added to the key schedule: a non-linear S-box is used, the round number is used as the XOR value, and the process is iterated over several rounds. This not only reduces the hardware cost of the key schedule but also greatly increases the mutual independence of the subkeys, achieving the goal of being fast and efficient.

In the present embodiment, the 64-bit first information is XORed with the 64-bit round subkey to obtain the second information; this is input into the 16 parallel 4 × 4 S-boxes of the non-linear layer to obtain the third information; the linear transformation of the 4-iteration LFSRs of the linear diffusion layer is then applied; after a specified number of rounds, for example 12, the result is XORed with the updated round subkey to obtain the ciphertext. Since the input and output of the S-box are 4 bits, it is a lightweight S-box, and the linear transformation of the 4-iteration LFSR has low complexity and is also a lightweight transformation, so the cipher processing method can run on the sensor nodes of a WSN.

In addition, with the technical scheme provided by the invention, cryptographic performance testing of the S-boxes yields 9 S-boxes with excellent cryptographic properties and no trapdoor, which effectively improves the security of the WSN.

It should be noted that, for simplicity of description, each of the method embodiments above is expressed as a series of combinations of actions; those skilled in the art will understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Furthermore, those skilled in the art will also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

In the embodiments above, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the relevant description of the other embodiments.
Fig. 5 is a structural diagram of the encryption processing apparatus provided by another embodiment of the present invention. As shown in Fig. 5, the encryption processing apparatus of this embodiment may comprise a first operating unit 51, a second operating unit 52, a third operating unit 53, a fourth operating unit 54 and a fifth operating unit 55. The first operating unit 51 XORs the 64-bit first information with the 64-bit round subkey to obtain the second information; the second operating unit 52 inputs the second information into the 16 parallel 4 × 4 first S-boxes to obtain the third information; the third operating unit 53 inputs the third information into the 16 parallel 4 × 4 second S-boxes to obtain the fourth information, where the 16 second S-boxes are obtained by rotating the 16 first S-boxes left by 24 bits; the fourth operating unit 54 divides the fourth information into groups of 16 bits to obtain 4 groups; and the fifth operating unit 55 inputs each group into one LFSR and iterates it 4 times to obtain the fifth information. The state-transition matrix of the LFSR is

$A = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{pmatrix}, \qquad L = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{pmatrix}$

The round subkey is generated by 4 iterative operations, each comprising:

dividing the 64-bit initial key into groups of 32 bits to obtain 2 first grouped keys;

rotating each first grouped key left by 4 bits to obtain 2 second grouped keys, where the first second grouped key is the high 32 bits and the second second grouped key is the low 32 bits;

inputting the high 4 bits of the first second grouped key into 1 first S-box to obtain the new high 4 bits of the first second grouped key;

XORing the high 4 bits of the second second grouped key with the iteration round number of the cipher processing method to obtain the new high 4 bits of the second second grouped key, where the iteration round number of the cipher processing method is at most 12;

combining the new high 4 bits of the second second grouped key with the low 28 bits of the first second grouped key to generate the new first second grouped key;

combining the new high 4 bits of the first second grouped key with the low 28 bits of the second second grouped key to generate the new second second grouped key.

In this way, the first operating unit XORs the 64-bit first information with the 64-bit round subkey to obtain the second information; the second operating unit inputs it into the 16 parallel 4 × 4 S-boxes of the non-linear layer to obtain the third information; the third, fourth and fifth operating units then apply the linear transformation of the 4-iteration LFSRs of the linear diffusion layer; after a specified number of rounds, for example 12, the result is XORed with the updated round subkey to obtain the ciphertext. Since the input and output of the S-box are 4 bits, it is a lightweight S-box, and the linear transformation of the 4-iteration LFSR has low complexity and is also a lightweight transformation, so the cipher processing method can run on the sensor nodes of a WSN.
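The round structure of the apparatus above (key XOR, S layer, rotation by 24 bits, 4 parallel LFSRs iterated 4 times, 12 rounds plus a final key XOR) and the round-subkey iteration described both here and in the key schedule earlier can be put together into one working model. The Python below is an added example, not the patent's implementation. Several details that the text leaves open are assumptions of the example: the PRESENT S-box stands in for the S1 box, nibble 0 of each 16-bit LFSR group is its most significant nibble and maps to the state word $s_0$, the constant XORed into the key register is the round index r = 1, ..., 12 with r = 13 for the final whitening key, and the key register carries its state from one round subkey to the next (on-the-fly schedule). The decryption direction is included so that the model can be checked to be invertible.

```python
"""Toy model of the 64-bit SPN described on the page (added example, not the patent's code;
see the lead-in for the assumptions made where the text leaves details open)."""

MASK32, MASK64, ROUNDS = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 12

# PRESENT S-box stands in for the page's S1 box (assumption of the example)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(16)]

# The page's L matrix, rows top to bottom; a nibble's bits are read as x3 x2 x1 x0
L_ROWS = [0b0110, 0b0010, 0b0001, 0b1000]


def apply_l(x):
    """Multiply the nibble x, as a column vector, by the binary matrix L."""
    out = 0
    for row in L_ROWS:
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out


L_INV = [0] * 16
for _x in range(16):
    L_INV[apply_l(_x)] = _x           # L is invertible, so every slot is filled


def rotl(x, n, width):
    return ((x << n) | (x >> (width - n))) & ((1 << width) - 1)


def lfsr_step(s):
    """One clock of the state-transition matrix A on the state (s0, s1, s2, s3)."""
    s0, s1, s2, s3 = s
    return (s1, s2 ^ apply_l(s3), s3, apply_l(s0) ^ s1)


def lfsr_step_inv(t):
    t0, t1, t2, t3 = t
    return (L_INV[t3 ^ t0], t0, t1 ^ apply_l(t2), t2)


def to_nibbles(x):
    return [(x >> (4 * (15 - i))) & 0xF for i in range(16)]   # nibble 0 is most significant


def from_nibbles(nibs):
    v = 0
    for d in nibs:
        v = (v << 4) | d
    return v


def diffusion(state, inverse=False):
    """4 parallel LFSRs, one per 16-bit group, each clocked 4 times (D = A^4)."""
    nibs = to_nibbles(state)
    step = lfsr_step_inv if inverse else lfsr_step
    for g in range(4):
        grp = tuple(nibs[4 * g:4 * g + 4])
        for _ in range(4):
            grp = step(grp)
        nibs[4 * g:4 * g + 4] = grp
    return from_nibbles(nibs)


def s_layer(state, table):
    return from_nibbles([table[d] for d in to_nibbles(state)])


def key_schedule(key, rounds=ROUNDS):
    """rounds + 1 subkeys, each from 4 iterations of rotate / S-box / XOR round number / swap.
    The register carries over between subkeys and r = rounds + 1 is used for the final
    whitening key (both are assumptions of the example)."""
    hi, lo = key >> 32, key & MASK32
    subkeys = []
    for r in range(1, rounds + 2):
        for _ in range(4):
            hi, lo = rotl(hi, 4, 32), rotl(lo, 4, 32)
            s_out = SBOX[hi >> 28]                    # leading nibble of the first group through S
            x_out = (lo >> 28) ^ r                    # leading nibble of the second group XOR r
            hi = (x_out << 28) | (hi & 0x0FFFFFFF)    # swap the two processed nibbles
            lo = (s_out << 28) | (lo & 0x0FFFFFFF)
        subkeys.append((hi << 32) | lo)
    return subkeys


def encrypt(block, key):
    sk = key_schedule(key)
    state = block & MASK64
    for r in range(ROUNDS):
        state = diffusion(rotl(s_layer(state ^ sk[r], SBOX), 24, 64))
    return state ^ sk[ROUNDS]


def decrypt(block, key):
    sk = key_schedule(key)
    state = (block & MASK64) ^ sk[ROUNDS]
    for r in reversed(range(ROUNDS)):
        state = s_layer(rotl(diffusion(state, inverse=True), 40, 64), SBOX_INV) ^ sk[r]
    return state


if __name__ == "__main__":
    k, p = 0x0123456789ABCDEF, 0xFEDCBA9876543210
    c = encrypt(p, k)
    print(f"ciphertext {c:016x}, round trip ok: {decrypt(c, k) == p}")
```

With the all-zero key and r = 1, the four iterations of the schedule push the S-box output S(0) = C into the second group and the constant 1 into the first group one nibble at a time, giving the first subkey 0x10000111C0000CCC; this shows why the XOR with the round number matters, since without it an all-zero key would stay all-zero in the first group.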
Alternatively, in one of the present embodiment possible implementation, as shown in Figure 6, the encryption processing apparatus that the present embodiment provides can further include inverse element and obtains unit 61 and output acquisition unit 62.Wherein, inverse element obtains unit 61, at finite field gf (2 4) upper, utilize irreducible function, obtain the inverse element of input message; Output obtains unit 62, for according to the inverse element of described input message, utilizes affine transformation method, obtains the output information of S box.
Like this, by inverse element, obtain unit at finite field gf (2 4) on, utilize irreducible function, obtain the inverse element of input message, make output obtain unit and can utilize affine transformation method according to the inverse element of described input message, obtain the output information of S box, because input and the output of this S box is 4, be a kind of lightweight S box, therefore, this S box can operate on the sensor node of WSN.
In the present embodiment, structure S box mainly can be carried out by two unit respectively:
The first, inverse element obtains unit 61 by status word and GF(2 4) in element corresponding and at GF(2 one by one 4) on obtain the inverse element of each status word.
The second, output obtains unit 62 according to the inverse element of each status word, then by an affine transformation, thereby constructing 4 * 4 S box, this affine transformation can be expressed as:
b(x)=v(x)+(X -1)·μ(x)modm(x) (1)
Wherein,
X -1for the inverse element of described input message is the inverse element of each status word;
M (x) is finite field gf (2 4) on any quartic polynomial;
μ (x) is any multinomial coprime with m (x);
V (x) is affine constant, for guaranteeing not exist fixed point and anti-fixed point.
From abstract algebra it is known that over the finite field GF(2^4) there are only three irreducible polynomials, namely x^4+x+1, x^4+x^3+1 and x^4+x^3+x^2+x+1. For each of them, the inverse element obtaining unit 61 obtains the inverse elements X^{-1} of the corresponding state words [0123456789ABCDEF] as, respectively:
[019EDB76F2C5A438];
[01C86F4E3DBA2975];
[01FA8659473EDCB2].
Here each bracket lists, in hexadecimal and in state-word order, the value of X^{-1} obtained for each state word.
μ(x) can be represented by a matrix U; because the S box is 4 × 4, let U = [U_3 U_2 U_1 U_0], with
$$
\begin{aligned}
U_0 &= [U_3\,U_2\,U_1\,U_0]\cdot[0\,0\,0\,1]^T = (\mu(x)\cdot 1)\bmod m(x) \\
U_1 &= [U_3\,U_2\,U_1\,U_0]\cdot[0\,0\,1\,0]^T = (\mu(x)\cdot x)\bmod m(x) \\
U_2 &= [U_3\,U_2\,U_1\,U_0]\cdot[0\,1\,0\,0]^T = (\mu(x)\cdot x^2)\bmod m(x) \\
U_3 &= [U_3\,U_2\,U_1\,U_0]\cdot[1\,0\,0\,0]^T = (\mu(x)\cdot x^3)\bmod m(x)
\end{aligned}
\qquad (2)
$$
As for v(x), it only has to guarantee that no fixed point and no anti-fixed point occurs in the transformation, i.e. that there is no x with $b(x) = x$ and no x with $b(x) = \bar{x}$.
Finally, the output obtaining unit 62 obtains the output of the S box as:
$$
\begin{bmatrix} b_3 \\ b_2 \\ b_1 \\ b_0 \end{bmatrix}
= \begin{bmatrix} v_3 \\ v_2 \\ v_1 \\ v_0 \end{bmatrix}
+ [U_3\,U_2\,U_1\,U_0]\cdot
\begin{bmatrix} x_3^{-1} \\ x_2^{-1} \\ x_1^{-1} \\ x_0^{-1} \end{bmatrix}
\qquad (3)
$$
By exhaustively testing m(x), μ(x) and v(x) under the three irreducible polynomials over GF(2^4), more than 4000 S boxes can be obtained; after removing those that contain a fixed point or an anti-fixed point, about 600 remain. Not all of these roughly 600 S boxes reach the best cryptographic performance, however. The following analysis shows which {m(x), μ(x), v(x)} triples perform best, and hence which S boxes with the best cryptographic performance are constructed.
Since the affine constant v(x), introduced to eliminate fixed points and anti-fixed points, does not affect the cryptographic properties of the S box, it follows from formula (3) that the parameter deciding the performance of the S box is the U matrix, i.e. m(x) and μ(x); and because μ(x) and m(x) are coprime, the choice of m(x) is the most important. m(x) can be taken as x^4+1, x^4+x, x^4+x^2, x^4+x^3, x^4+x^2+1, x^4+x^2+x, x^4+x^3+x^2, x^4+x^3+1, x^4+x^3+x, x^4+x^3+x^2+1, x^4+x^3+x^2+x, x^4+x^2+x+1, x^4+x^3+x+1 or x^4+x^3+x^2+x+1.
If every row and every column of the matrix U has the same number of nonzero entries, U is called a homogeneous matrix. Only an S box obtained from a homogeneous matrix U can have the best cryptographic performance.
The polynomials m(x) listed above fall into three classes: irreducible polynomials, polynomials containing only one factor, and polynomials containing several factors. When m(x) is irreducible, any μ(x) is coprime with it, and from formula (3) it is known that no μ(x) makes U a homogeneous matrix. When m(x) contains only one factor, that factor is easily seen to be x+1, and the corresponding m(x) is x^4+1; in this case, whenever μ(x) is coprime with m(x), the resulting U matrix is homogeneous. When m(x) contains several factors, no μ(x) yields a homogeneous U matrix.
The proof for m(x) = x^4+1 can be found in the related content of the embodiment corresponding to Fig. 1 and is not repeated here.
Cryptographic performance tests of the S box show that only the irreducible polynomial x^4+x^3+x^2+x+1 can construct the S box with the best cryptographic performance. Therefore, the following description of this embodiment is given under the condition that the irreducible polynomial over GF(2^4) is x^4+x^3+x^2+x+1. That is, the input message is the hexadecimal state word [0123456789ABCDEF], and correspondingly, using the irreducible polynomial x^4+x^3+x^2+x+1 over GF(2^4), the inverse elements X^{-1} of the input message are obtained as [01FA8659473EDCB2].
Optionally, in one possible implementation of this embodiment, the output obtaining unit 62 is specifically configured to obtain the output information of the S box from the inverse element of the input message using the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), where:
X^{-1} is the inverse element of the input message;
m(x) is any quartic polynomial over the finite field GF(2^4);
μ(x) is any polynomial coprime with m(x);
v(x) is an affine constant, used to guarantee that no fixed point or anti-fixed point exists.
For example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^2+x+1 and v(x) = x^2+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [7082C4DBA3EF6159], as shown in Table 1.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^2+x+1 and v(x) = x^3 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [8F7D3B245C109EA6], as shown in Table 2.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^3 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [8672FED130B9A4C5], as shown in Table 3.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^2 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [4ABE321DFC756809], as shown in Table 4.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^3+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [B541CDE2038A97F6], as shown in Table 5.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^2+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [798D012ECF465B3A], as shown in Table 6.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x+1 and v(x) = x into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [29D8FB74C0E6A135], as shown in Table 7.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+1 and v(x) = 1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [1CE4FDB26073589A], as shown in Table 8.
As a further example, the output obtaining unit 62 is specifically configured to substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+1 and v(x) = x^3+x^2+x into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), obtaining the S box output information [E31B024D9F8CA765], as shown in Table 9.
In this way, with the technical solution provided by the invention, the cryptographic performance tests of the S boxes yield 9 S boxes of excellent cryptographic performance and without trapdoors, which can effectively improve the security of the WSN. In particular, the cryptographic performance tests can include, but are not limited to, nonlinearity analysis, differential uniformity analysis, avalanche effect analysis, algebraic degree and term count, and the performance analyses described below; the S1 box of Table 1 is taken as an example for a brief description. The detailed description can be found in the related content of the embodiment corresponding to Fig. 1 and is not repeated here.
The detailed description of the linear feedback shift register (LFSR) can be found in the related content of the embodiment corresponding to Fig. 1 and is not repeated here.
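The construction of formula (1) and the cryptographic tests named above, as an added example in Python (this is not code from the patent): it computes the inverse table over GF(2^4) for each of the three irreducible polynomials, builds the Table 1 S box from m(x) = x^4+1, μ(x) = x^2+x+1, v(x) = x^2+x+1 (and Tables 2 and 3 from their parameters), checks for fixed and anti-fixed points, and measures differential uniformity and nonlinearity. Polynomials over GF(2) are encoded as integers whose bits are the coefficients; the function names are this example's own.

```python
"""Construction of the patent's 4 x 4 S box (added example, not code from the
patent). Inverse in GF(2^4) modulo the irreducible polynomial
x^4 + x^3 + x^2 + x + 1, then the affine map of formula (1):
    b(x) = v(x) + (X^-1 * mu(x)) mod m(x),  with m(x) = x^4 + 1.
Polynomials over GF(2) are integers whose bits are the coefficients
(bit i = coefficient of x^i), so 0b11111 is x^4 + x^3 + x^2 + x + 1."""

IRREDUCIBLE = 0b11111  # x^4 + x^3 + x^2 + x + 1, the polynomial the patent selects
M_AFFINE = 0b10001     # m(x) = x^4 + 1, the only m(x) giving a homogeneous U


def poly_mul_mod(a: int, b: int, mod: int, deg: int = 4) -> int:
    """Carry-less product of a and b, reduced modulo `mod` (a polynomial of
    degree `deg`). Works for reducible moduli too, as formula (1) needs for m(x)."""
    r = 0
    for i in range(deg):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * deg - 2, deg - 1, -1):  # reduce from the top bit down
        if (r >> i) & 1:
            r ^= mod << (i - deg)
    return r


def gf_inverse(a: int, irred: int = IRREDUCIBLE) -> int:
    """Multiplicative inverse in GF(2^4); 0 maps to 0 as in the patent's tables."""
    if a == 0:
        return 0
    for b in range(1, 16):
        if poly_mul_mod(a, b, irred) == 1:
            return b
    raise ValueError("modulus is not irreducible")


def inverse_table(irred: int = IRREDUCIBLE) -> list:
    """Inverse of every state word 0..F under the given irreducible polynomial."""
    return [gf_inverse(x, irred) for x in range(16)]


def build_sbox(mu: int, v: int, m: int = M_AFFINE, irred: int = IRREDUCIBLE) -> list:
    """S[x] = v + (inv(x) * mu mod m): formula (1) evaluated for every state word."""
    return [v ^ poly_mul_mod(gf_inverse(x, irred), mu, m) for x in range(16)]


def to_hex(table: list) -> str:
    """Render a 16-entry table the way the patent prints it, e.g. 7082C4DBA3EF6159."""
    return "".join(f"{t:X}" for t in table)


def has_fixed_or_antifixed_point(sbox: list) -> bool:
    """True if some x satisfies S(x) = x or S(x) = ~x, the points v(x) must avoid."""
    return any(s == x or s == x ^ 0xF for x, s in enumerate(sbox))


def differential_uniformity(sbox: list) -> int:
    """Largest entry of the difference distribution table for a nonzero input difference."""
    worst = 0
    for a in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


def nonlinearity(sbox: list) -> int:
    """Minimum Hamming distance of all nonzero component functions to the affine functions."""
    def parity(value: int) -> int:  # XOR of the bits of value
        return bin(value).count("1") & 1
    largest_walsh = 0
    for out_mask in range(1, 16):
        for in_mask in range(16):
            w = sum((-1) ** (parity(in_mask & x) ^ parity(out_mask & sbox[x]))
                    for x in range(16))
            largest_walsh = max(largest_walsh, abs(w))
    return 8 - largest_walsh // 2


if __name__ == "__main__":
    print("inverse table:", to_hex(inverse_table()))  # 01FA8659473EDCB2
    s1 = build_sbox(mu=0b0111, v=0b0111)               # Table 1 parameters
    print("S1:", to_hex(s1),                           # 7082C4DBA3EF6159
          "fixed/anti-fixed:", has_fixed_or_antifixed_point(s1),
          "DU:", differential_uniformity(s1), "NL:", nonlinearity(s1))
```

Because the S box is an affine image of inversion in GF(2^4), it inherits the inverse map's differential uniformity 4 and nonlinearity 4, which is the best a 4-bit bijection can achieve; pointing `build_sbox` at any of the nine {m(x), μ(x), v(x)} triples in the text reproduces the corresponding table.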
The design of the diffusion layer can be divided into two steps. First, the third operating unit 53 cyclically shifts the 16 first S boxes left by 24 bits (6 S boxes) to obtain 16 second S boxes. Second, considering that a larger input width makes the diffusion-layer matrix D more complex, and in order not to affect throughput too much, the fourth operating unit 54 can divide the 16 second S boxes into 4 groups, which the fifth operating unit 55 then inputs respectively into 4 LFSRs set up in parallel. Each group of LFSR input is thus 4 S boxes long (16 bits), and the state-transition matrix above is a 4th-order square matrix (s = 4). The square matrix A can further be expressed as:
$$
A = \begin{bmatrix}
0 & 1 & 0 & 0 \\
0 & 0 & L_3 & L_4 \\
0 & 0 & 0 & 1 \\
L_1 & L_2 & 0 & 0
\end{bmatrix}
$$
When L_1, L_2, L_3, L_4 take the values L, 1, 1, L respectively and p = 4, the result is best, as shown in Figure 2. The state-transition matrix is then
$$
A = \begin{bmatrix}
0 & 1 & 0 & 0 \\
0 & 0 & 1 & L \\
0 & 0 & 0 & 1 \\
L & 1 & 0 & 0
\end{bmatrix}
$$
and from D = A^p one obtains:
$$
A^4 = \begin{bmatrix}
L & L^2+1 & L & L^2 \\
L^3 & L^2+L & L^2+1 & L^3+2L \\
L^2 & L & L & L^2+1 \\
L^3+L & 2L^2+1 & L & L^2+L
\end{bmatrix}
$$
(over GF(2) the terms 2L and 2L^2 vanish).
According to Theorem 2, the determinants of all k-order square submatrices of D can be calculated; they are L, L+1, L^2+L+1, L^3+L+1, L^3+L^2+1, L^4+L^3+1 and L^4+L^3+L^2+L+1. When these are all nonsingular, the L matrix can be obtained as
$$
L = \begin{bmatrix}
0 & 1 & 1 & 0 \\
0 & 0 & 1 & 0 \\
0 & 0 & 0 & 1 \\
1 & 0 & 0 & 0
\end{bmatrix}
$$
and the diffusion layer constructed from this L is therefore an optimal diffusion layer.
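A check of the diffusion-layer algebra above, as an added Python example (not the patent's code): it assembles the 16 × 16 binary matrix A from its block form with L as given, computes D = A^4 directly, compares it with the block formula for A^4 (with 2L and 2L^2 reduced to zero over GF(2)), confirms that D is nonsingular, and measures the branch number of D over 4-bit words by exhausting all 2^16 inputs. The function names are this example's own.

```python
"""Diffusion-layer check for the 4-stage LFSR described in the patent
(added example, not the patent's own code). A is the 4x4 block state-transition
matrix with blocks 0, 1 (the 4x4 identity) and L (the 4x4 binary matrix given
in the text); D = A^4 is the diffusion matrix applied to one 16-bit group.
All arithmetic is over GF(2)."""

# L exactly as given in the patent (rows top to bottom)
L = [[0, 1, 1, 0],
     [0, 0, 1, 0],
     [0, 0, 0, 1],
     [1, 0, 0, 0]]
I4 = [[int(i == j) for j in range(4)] for i in range(4)]
Z4 = [[0] * 4 for _ in range(4)]


def mat_mul(x, y):
    """Matrix product over GF(2)."""
    return [[sum(x[i][t] & y[t][j] for t in range(len(y))) & 1
             for j in range(len(y[0]))] for i in range(len(x))]


def mat_add(x, y):
    """Matrix sum over GF(2) (entrywise XOR)."""
    return [[a ^ b for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]


def mat_pow(x, e):
    """x^e over GF(2); x^0 is the identity."""
    r = [[int(i == j) for j in range(len(x))] for i in range(len(x))]
    for _ in range(e):
        r = mat_mul(r, x)
    return r


def block_matrix(blocks):
    """Assemble a 4x4 grid of 4x4 blocks into one 16x16 matrix."""
    return [[blocks[i // 4][j // 4][i % 4][j % 4] for j in range(16)] for i in range(16)]


# State-transition matrix A = [[0,1,0,0],[0,0,1,L],[0,0,0,1],[L,1,0,0]] from the text
A = block_matrix([[Z4, I4, Z4, Z4],
                  [Z4, Z4, I4, L],
                  [Z4, Z4, Z4, I4],
                  [L, I4, Z4, Z4]])


def poly_in_L(*exponents):
    """Sum over GF(2) of the listed powers of L, e.g. poly_in_L(2, 0) = L^2 + I."""
    r = Z4
    for e in exponents:
        r = mat_add(r, mat_pow(L, e))
    return r


def diffusion_matrix():
    """D = A^4, computed directly from A."""
    return mat_pow(A, 4)


def diffusion_matrix_from_formula():
    """A^4 as the patent writes it, with 2L and 2L^2 reduced to 0 over GF(2)."""
    p = poly_in_L
    return block_matrix([
        [p(1),    p(2, 0), p(1),    p(2)],
        [p(3),    p(2, 1), p(2, 0), p(3)],
        [p(2),    p(1),    p(1),    p(2, 0)],
        [p(3, 1), p(0),    p(1),    p(2, 1)],
    ])


def rank_gf2(m):
    """Rank over GF(2) by elimination on rows packed into integers."""
    rows = [int("".join(map(str, r)), 2) for r in m]
    rank = 0
    for bit in range(len(m[0]) - 1, -1, -1):
        pivot = next((r for r in rows if (r >> bit) & 1), 0)
        if not pivot:
            continue
        rank += 1
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows if r != pivot]
    return rank


def branch_number(m):
    """Min over nonzero 16-bit x of (nonzero nibbles of x) + (nonzero nibbles of m*x);
    vector index i is bit 15-i, so each 4x4 block of m acts on one nibble."""
    cols = [sum(m[i][j] << (15 - i) for i in range(16)) for j in range(16)]

    def nibble_weight(v):
        return sum(1 for k in range(4) if (v >> (4 * k)) & 0xF)

    best = 9
    for x in range(1, 1 << 16):
        y = 0
        for j in range(16):
            if (x >> (15 - j)) & 1:
                y ^= cols[j]
        best = min(best, nibble_weight(x) + nibble_weight(y))
    return best


if __name__ == "__main__":
    D = diffusion_matrix()
    print("A^4 matches block formula:", D == diffusion_matrix_from_formula())
    print("rank(D) =", rank_gf2(D), " branch number =", branch_number(D))
```

A branch number of 5 is the maximum possible for four 4-bit words, which is what the minor-determinant argument in the text (every k-order minor nonsingular) establishes; the brute-force loop makes that conclusion checkable without Theorem 2.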
Considering that an attacker's computing capability is also correspondingly limited in the encryption environment of a sensor network, the purpose of the key schedule is to minimize the hardware footprint while guaranteeing a suitable security level. Here an initial key with a key length of 64 bits is used to generate the sub-keys, and the key schedule algorithm reduces as far as possible the generation of weak keys and semi-weak keys. The round sub-key schedule described in this embodiment can specifically be as follows:
1. Input the 64-bit initial key;
2. Divide the 64-bit initial key into two groups, each consisting of eight 4-bit words. First cyclically shift each group left by 4 bits; then input the first 4 bits of the first group into a first S box, and XOR the first 4 bits of the second group with the total iteration round number; finally, output the 4 bits of the first group that passed through the first S box to the first 4 bits of the second group, and at the same time output the 4 bits of the second group that passed through the XOR operation to the first 4 bits of the first group;
3. Perform the operation of step 2 iteratively 4 times; the final output is one round sub-key.
The concrete generation process of one round sub-key is shown in Figure 3. The key schedule algorithm adopted (an on-the-fly key schedule) generates the round sub-keys during the transmission process, instead of computing all round sub-keys in advance, which makes the algorithm more efficient. In the round sub-key generation process, cyclic shifts, a nonlinear (S box) operation and an XOR operation with a constant are used to eliminate weak keys and semi-weak keys and, at the same time, to resist key-schedule attacks such as related-key attacks. Considering that the linear diffusion layer needs 4 LFSR iterations to reach an optimal diffusion layer, 4 iterations are also used in the generation of a round sub-key; this not only makes full use of the clock-cycle resources, but also means that the generation of a round sub-key passes through 4 cyclic shifts, 4 nonlinear operations and 4 XOR operations, compared with only 1 shift, 1 nonlinear operation and 1 XOR operation in the prior art, so security is also greatly improved.
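The round sub-key schedule of steps 1 to 3, as an added Python example (not the patent's code). The text leaves several details open, so the following are assumptions of this example: the first 32-bit group is the high half of the 64-bit key, the "first S box" is the Table 1 S box, the "total iteration round number" XORed in is the cipher's 1-based round counter (at most 12, so it fits in 4 bits), and each round's sub-key is derived on the fly from the previous one. The function names are this example's own.

```python
"""Round sub-key generation following the patent's description and claims
(added example, not the patent's own code). Assumptions not fixed by the text:
the first 32-bit group is the high half of the 64-bit key, the "first S box"
is the Table 1 S box, the round number XORed in is the cipher's 1-based round
counter (<= 12), and sub-keys are derived on the fly, each from the previous one."""

MASK32 = 0xFFFFFFFF
MASK28 = 0x0FFFFFFF

# Table 1 S box from the patent, output information [7082C4DBA3EF6159]
SBOX1 = [int(c, 16) for c in "7082C4DBA3EF6159"]
SBOX1_INV = [SBOX1.index(i) for i in range(16)]


def rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def rotr32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & MASK32


def schedule_step(k1: int, k2: int, round_no: int) -> tuple:
    """One of the 4 iterations of step 2: rotate both 32-bit halves left by 4,
    pass the top nibble of the first half through the S box, XOR the top nibble
    of the second half with the round number, then swap the two processed nibbles."""
    k1, k2 = rotl32(k1, 4), rotl32(k2, 4)
    t1 = SBOX1[k1 >> 28]                 # nonlinear part
    t2 = (k2 >> 28) ^ (round_no & 0xF)   # round-constant part
    new_k1 = (t2 << 28) | (k1 & MASK28)  # new top nibble of k1 comes from k2
    new_k2 = (t1 << 28) | (k2 & MASK28)  # new top nibble of k2 comes from k1
    return new_k1, new_k2


def schedule_step_inverse(new_k1: int, new_k2: int, round_no: int) -> tuple:
    """Undo schedule_step; included only to show that one iteration is a bijection."""
    k1_top = SBOX1_INV[new_k2 >> 28]
    k2_top = (new_k1 >> 28) ^ (round_no & 0xF)
    k1 = (k1_top << 28) | (new_k1 & MASK28)
    k2 = (k2_top << 28) | (new_k2 & MASK28)
    return rotr32(k1, 4), rotr32(k2, 4)


def round_subkey(key64: int, round_no: int) -> int:
    """Step 3: apply step 2 four times; the result is one 64-bit round sub-key."""
    k1, k2 = (key64 >> 32) & MASK32, key64 & MASK32
    for _ in range(4):
        k1, k2 = schedule_step(k1, k2, round_no)
    return (k1 << 32) | k2


def all_round_subkeys(key64: int, rounds: int = 12) -> list:
    """On-the-fly schedule: round r's sub-key is derived from round r-1's (assumption)."""
    subkeys, state = [], key64
    for r in range(1, rounds + 1):
        state = round_subkey(state, r)
        subkeys.append(state)
    return subkeys


if __name__ == "__main__":
    # constructed sample key, not a value from the patent
    for r, k in enumerate(all_round_subkeys(0x0123456789ABCDEF), start=1):
        print(f"round {r:2d}: {k:016X}")
    print(f"all-zero key, round 1: {round_subkey(0, 1):016X}")  # 1000011170000777
```

Even the all-zero key leaves the schedule with a nonzero state after one round, because the S box maps 0 to 7 and the round counter is XORed in; `schedule_step_inverse` shows that, for a fixed round number, one iteration is a bijection on the key state, so the schedule cannot collapse distinct keys onto the same sub-key.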
Because the input block and the key space of a lightweight cryptographic algorithm are relatively small, and because the design complexity of the nonlinear layer and the linear layer is also limited by hardware space, the trade-off between the security level of the algorithm and the hardware cost must be analyzed and considered, so as to achieve both a small hardware implementation and good security. The security analysis of the encryption processing method provided by the invention can be found in the related content of the embodiment corresponding to Fig. 1 and is not repeated here.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found by referring to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are only illustrative; the division into units is only a division by logical function, and in actual implementation there may be other ways of dividing, for example several units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be realized through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute part of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash disk, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An encryption processing method, characterized by comprising:
performing an XOR operation on first information of 64 bits and a round sub-key of 64 bits, to obtain second information;
inputting the second information into 16 first S boxes of 4 × 4 set up in parallel, to obtain third information;
inputting the third information into 16 second S boxes of 4 × 4 set up in parallel, to obtain fourth information, wherein the 16 second S boxes are obtained by cyclically shifting the 16 first S boxes left by 24 bits;
dividing the fourth information into groups of 16 bits, to obtain 4 pieces of grouping information;
inputting each piece of grouping information into one LFSR and iterating 4 times, to obtain fifth information, wherein the state-transition matrix of the LFSR is
$$
A = \begin{bmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{bmatrix}, \qquad
L = \begin{bmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{bmatrix};
$$
wherein the round sub-key is generated by 4 iterative operations, each iterative operation comprising:
dividing the 64-bit initial key into groups of 32 bits, to obtain 2 first packet keys;
cyclically shifting each first packet key left by 4 bits, to obtain 2 second packet keys, wherein the first of the second packet keys is the high 32 bits and the second of the second packet keys is the low 32 bits;
inputting the high 4 bits of the first second packet key into one first S box, to obtain new high 4 bits of the first second packet key;
performing an XOR operation on the high 4 bits of the second second packet key and the iteration round number of the encryption processing method, to obtain new high 4 bits of the second second packet key, wherein the iteration round number of the encryption processing method is less than or equal to 12;
combining the new high 4 bits of the second second packet key with the low 28 bits of the first second packet key, to generate a new first second packet key;
combining the new high 4 bits of the first second packet key with the low 28 bits of the second second packet key, to generate a new second second packet key.
2. The method according to claim 1, characterized in that, before inputting the second information into the 16 first S boxes of 4 × 4 set up in parallel to obtain the third information, the method further comprises:
obtaining, over the finite field GF(2^4) and using an irreducible polynomial, the inverse element of the input message;
obtaining the output information of the first S box from the inverse element of the input message by an affine transformation.
3. The method according to claim 2, characterized in that the input message is the hexadecimal state word [0123456789ABCDEF], and obtaining the inverse element of the input message over GF(2^4) using an irreducible polynomial comprises:
obtaining, over GF(2^4) and using the irreducible polynomial x^4+x^3+x^2+x+1, the inverse element X^{-1} of the input message as [01FA8659473EDCB2].
4. The method according to claim 3, characterized in that obtaining the output information of the first S box from the inverse element of the input message by an affine transformation comprises:
obtaining the output information of the first S box from the inverse element of the input message using the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), where:
X^{-1} is the inverse element of the input message;
m(x) is any quartic polynomial over the finite field GF(2^4);
μ(x) is any polynomial coprime with m(x);
v(x) is an affine constant, used to guarantee that no fixed point or anti-fixed point exists.
5. The method according to claim 4, characterized in that obtaining the output information of the first S box from the inverse element of the input message using the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x) comprises:
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^2+x+1 and v(x) = x^2+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [7082C4DBA3EF6159] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^2+x+1 and v(x) = x^3 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [8F7D3B245C109EA6] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^3 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [8672FED130B9A4C5] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^2 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [4ABE321DFC756809] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^3+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [B541CDE2038A97F6] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^2+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [798D012ECF465B3A] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x+1 and v(x) = x into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [29D8FB74C0E6A135] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+1 and v(x) = 1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [1CE4FDB26073589A] of the first S box; or
substituting the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+1 and v(x) = x^3+x^2+x into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [E31B024D9F8CA765] of the first S box.
6. An encryption processing apparatus, characterized by comprising:
a first operating unit, configured to perform an XOR operation on first information of 64 bits and a round sub-key of 64 bits, to obtain second information;
a second operating unit, configured to input the second information into 16 first S boxes of 4 × 4 set up in parallel, to obtain third information;
a third operating unit, configured to input the third information into 16 second S boxes of 4 × 4 set up in parallel, to obtain fourth information, wherein the 16 second S boxes are obtained by cyclically shifting the 16 first S boxes left by 24 bits;
a fourth operating unit, configured to divide the fourth information into groups of 16 bits, to obtain 4 pieces of grouping information;
a fifth operating unit, configured to input each piece of grouping information into one LFSR and iterate 4 times, to obtain fifth information, wherein the state-transition matrix of the LFSR is
$$
A = \begin{bmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & L \\ 0 & 0 & 0 & 1 \\ L & 1 & 0 & 0 \end{bmatrix}, \qquad
L = \begin{bmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \end{bmatrix};
$$
wherein the round sub-key is generated by 4 iterative operations, each iterative operation comprising:
dividing the 64-bit initial key into groups of 32 bits, to obtain 2 first packet keys;
cyclically shifting each first packet key left by 4 bits, to obtain 2 second packet keys, wherein the first of the second packet keys is the high 32 bits and the second of the second packet keys is the low 32 bits;
inputting the high 4 bits of the first second packet key into one first S box, to obtain new high 4 bits of the first second packet key;
performing an XOR operation on the high 4 bits of the second second packet key and the iteration round number of the encryption processing method, to obtain new high 4 bits of the second second packet key, wherein the iteration round number of the encryption processing method is less than or equal to 12;
combining the new high 4 bits of the second second packet key with the low 28 bits of the first second packet key, to generate a new first second packet key;
combining the new high 4 bits of the first second packet key with the low 28 bits of the second second packet key, to generate a new second second packet key.
7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
an inverse element obtaining unit, configured to obtain, over the finite field GF(2^4) and using an irreducible polynomial, the inverse element of the input message;
an output obtaining unit, configured to obtain the output information of the first S box from the inverse element of the input message by an affine transformation.
8. The apparatus according to claim 7, characterized in that the input message is the hexadecimal state word [0123456789ABCDEF], and the inverse element obtaining unit is specifically configured to
obtain, over GF(2^4) and using the irreducible polynomial x^4+x^3+x^2+x+1, the inverse element X^{-1} of the input message as [01FA8659473EDCB2].
9. The apparatus according to claim 8, characterized in that the output obtaining unit is specifically configured to
obtain the output information of the first S box from the inverse element of the input message using the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), where:
X^{-1} is the inverse element of the input message;
m(x) is any quartic polynomial over the finite field GF(2^4);
μ(x) is any polynomial coprime with m(x);
v(x) is an affine constant, used to guarantee that no fixed point or anti-fixed point exists.
10. The apparatus according to claim 9, characterized in that the output obtaining unit is specifically configured to
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^2+x+1 and v(x) = x^2+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [7082C4DBA3EF6159] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^2+x+1 and v(x) = x^3 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [8F7D3B245C109EA6] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^3 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [8672FED130B9A4C5] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^2 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [4ABE321DFC756809] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^3+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [B541CDE2038A97F6] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+x and v(x) = x^2+x+1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [798D012ECF465B3A] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x+1 and v(x) = x into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [29D8FB74C0E6A135] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+1 and v(x) = 1 into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [1CE4FDB26073589A] of the first S box; or
substitute the inverse element of the input message, m(x) = x^4+1, μ(x) = x^3+x^2+1 and v(x) = x^3+x^2+x into the formula b(x) = v(x) + (X^{-1}·μ(x)) mod m(x), to obtain the output information [E31B024D9F8CA765] of the first S box.
CN201310641560.0A 2013-12-03 2013-12-03 Encryption processing method and encryption processing equipment Pending CN103634101A (en)

Publications (1)

Publication Number Publication Date
CN103634101A true CN103634101A (en) 2014-03-12

Family

ID=50214761

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310641560.0A Pending CN103634101A (en) 2013-12-03 2013-12-03 Encryption processing method and encryption processing equipment

Country Status (1)

Country Link
CN (1) CN103634101A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486066A (en) * 2014-11-25 2015-04-01 中国电子科技集团公司第三十研究所 Construction method of Boolean function and cryptographic component using Boolean function
CN104954118A (en) * 2015-05-16 2015-09-30 北京科技大学 Mimicry encryption method and system based on vector network codes and DES (data encryption standard)
CN106341230A (en) * 2015-07-08 2017-01-18 吴清山 Unconditional security cryptosystem
CN106357385A (en) * 2016-08-31 2017-01-25 北海市蕴芯电子科技有限公司 Encryption method and encryption device
CN106452726A (en) * 2016-06-22 2017-02-22 深圳华视微电子有限公司 S box and construction method thereof
CN106656500A (en) * 2015-10-29 2017-05-10 三星Sds株式会社 Encryption device and method
CN107395347A (en) * 2017-08-04 2017-11-24 桂林电子科技大学 Symmetric cryptosystem algebraic degree New Evaluation Method
CN107615701A (en) * 2015-06-27 2018-01-19 英特尔公司 Lightweight cipher engine
CN108270549A (en) * 2017-12-28 2018-07-10 深圳市泛海三江科技发展有限公司 The key encryption of remote control gate inhibition a kind of and decryption method
CN112487410A (en) * 2020-12-02 2021-03-12 中国电子科技集团公司第三十研究所 Method for constructing cipher structure model based on cyclic shift and XOR operation
CN112506469A (en) * 2021-02-05 2021-03-16 支付宝(杭州)信息技术有限公司 Method and device for processing private data
TWI731770B (en) * 2019-08-16 2021-06-21 熵碼科技股份有限公司 Computer system
CN113922943A (en) * 2021-09-29 2022-01-11 哲库科技(北京)有限公司 SBOX circuit, operation method and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1835586A (en) * 2005-12-29 2006-09-20 北京浦奥得数码技术有限公司 Stream cipher generator, random digit generation method, encrypting system and encryption method
CN101841415A (en) * 2009-12-29 2010-09-22 中国科学院软件研究所 Word-oriented key stream generating method and encrypting method
US20120087488A1 (en) * 2010-03-30 2012-04-12 Engels Daniel W Cryptographic processor with dynamic update of encryption state

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1835586A (en) * 2005-12-29 2006-09-20 北京浦奥得数码技术有限公司 Stream cipher generator, random digit generation method, encrypting system and encryption method
CN101841415A (en) * 2009-12-29 2010-09-22 中国科学院软件研究所 Word-oriented key stream generating method and encrypting method
US20120087488A1 (en) * 2010-03-30 2012-04-12 Engels Daniel W Cryptographic processor with dynamic update of encryption state

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486066A (en) * 2014-11-25 2015-04-01 中国电子科技集团公司第三十研究所 Construction method of Boolean function and cryptographic component using Boolean function
CN104954118A (en) * 2015-05-16 2015-09-30 北京科技大学 Mimicry encryption method and system based on vector network codes and DES (data encryption standard)
CN104954118B (en) * 2015-05-16 2017-09-15 北京科技大学 A kind of mimicry encryption method and system encoded based on vector network with DES
CN107615701A (en) * 2015-06-27 2018-01-19 英特尔公司 Lightweight cipher engine
US11615716B2 (en) 2015-06-27 2023-03-28 Intel Corporation Lightweight cryptographic engine
US10878724B2 (en) 2015-06-27 2020-12-29 Intel Corporation Lightweight cryptographic engine
CN106341230A (en) * 2015-07-08 2017-01-18 吴清山 Unconditional security cryptosystem
CN106656500A (en) * 2015-10-29 2017-05-10 三星Sds株式会社 Encryption device and method
CN106452726B (en) * 2016-06-22 2020-04-07 深圳华视微电子有限公司 S-shaped box and construction method thereof
CN106452726A (en) * 2016-06-22 2017-02-22 深圳华视微电子有限公司 S box and construction method thereof
CN106357385A (en) * 2016-08-31 2017-01-25 北海市蕴芯电子科技有限公司 Encryption method and encryption device
CN107395347A (en) * 2017-08-04 2017-11-24 桂林电子科技大学 New evaluation method for the algebraic degree of symmetric cryptosystems
CN107395347B (en) * 2017-08-04 2021-06-15 桂林电子科技大学 Algebraic degree evaluation method for symmetric cryptosystems
CN108270549A (en) * 2017-12-28 2018-07-10 深圳市泛海三江科技发展有限公司 Key encryption and decryption method for remote-control access control
TWI731770B (en) * 2019-08-16 2021-06-21 熵碼科技股份有限公司 Computer system
CN112487410A (en) * 2020-12-02 2021-03-12 中国电子科技集团公司第三十研究所 Method for constructing cipher structure model based on cyclic shift and XOR operation
CN112506469A (en) * 2021-02-05 2021-03-16 支付宝(杭州)信息技术有限公司 Method and device for processing private data
CN112506469B (en) * 2021-02-05 2021-04-27 支付宝(杭州)信息技术有限公司 Method and device for processing private data
CN113922943A (en) * 2021-09-29 2022-01-11 哲库科技(北京)有限公司 SBOX circuit, operation method and electronic equipment
CN113922943B (en) * 2021-09-29 2023-09-19 哲库科技(北京)有限公司 SBOX circuit, operation method and electronic equipment

Similar Documents

Publication Publication Date Title
CN103634101A (en) Encryption processing method and encryption processing equipment
Farah et al. A novel method for designing S-box based on chaotic map and teaching–learning-based optimization
Zhou et al. Quantum image encryption scheme with iterative generalized Arnold transforms and quantum image cycle shift operations
Almazrooie et al. Quantum reversible circuit of AES-128
Özkaynak et al. Designing chaotic S-boxes based on time-delay chaotic system
CN106850221B (en) Information encryption and decryption method and device
Zheng et al. An image encryption algorithm using a dynamic S-box and chaotic maps
Khan et al. A novel technique for the construction of strong S-boxes based on chaotic Lorenz systems
Chen et al. Projective synchronization with different scale factors in a driven–response complex network and its application in image encryption
CN105959107B (en) A new high-security lightweight SFN block cipher implementation method
Artuğer et al. An effective method to improve nonlinearity value of substitution boxes based on random selection
CN110572255B (en) Encryption method and device based on lightweight block cipher algorithm Shadow and computer readable medium
CN101814985B (en) Block cipher system using multi-chaotic mapping multi-dynamic S-box
CN109417468A (en) Method and apparatus for implementing a secure and efficient block cipher
CN102263636A (en) Stream cipher key control method for fusing neural network with chaotic mappings
Bouslehi et al. Innovative image encryption scheme based on a new rapid hyperchaotic system and random iterative permutation
CN107292184A (en) Image encryption method, device and key stream generating method and key stream generator
CN111431697A (en) Novel method for realizing lightweight block cipher COR L
Faraoun A genetic strategy to design cellular automata based block ciphers
Shantha et al. SAT_Jo: An enhanced lightweight block cipher for the internet of things
Dawood et al. The new block cipher design (Tigris Cipher)
CN106656500A (en) Encryption device and method
CN111478766B (en) Method, device and storage medium for realizing block cipher MEG
Yang et al. Cryptanalysis of a chaos block cipher for wireless sensor network
CN108449169A (en) A chaotic block encryption method for wireless sensor and actor networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140312