CN103701584B - Method for designing binary linear diffusion structure in symmetric ciphers - Google Patents

Abstract

The invention discloses a method for designing a binary linear diffusion structure in symmetric ciphers, and relates to a method used for designing ciphers. The scheme comprises the following steps: (1) calculating the upper bound and the lower bound of a Hamming weight value of a binary matrix, and meanwhile, generating a set consisting of candidate row vectors; (2) selecting elements from the row vector set to construct a binary invertible matrix which has theoretically optimal linear branches and high Hamming weight at the same time; (3) judging whether the differential branches of the matrix are theoretically optimal; (4) constructing a strong orthomorphic matrix by exchanging rows in pairs. The invention provides the method for designing the binary linear diffusion structure which has optimal differential branches and linear branches and strong full balance by utilizing strong orthomorphic replacement. Meanwhile, by the method, the highest value of the Hamming weight of the obtained binary linear matrix can also be ensured when the differential branches and the linear branches are optimal at the same time, so that data encryption security can be improved.

Description

The method for designing of binary linear diffusion structure in a kind of symmetric cryptography

Technical field

The present invention relates to the method for password design, particularly to the setting of binary linear diffusion structure in a kind of symmetric cryptography Meter method.

Background technology

C.e.shannon in 1949 proposes symmetric cryptography needs the two big design principles meeting: obscures principle and diffusion Principle.Replacement theory is one of basic theories of field of cryptography, and replacement theory both can be used for designing obscuring of symmetric cryptography Structure is it is also possible to be used for designing the diffusion structure of symmetric cryptography.Modern block cipher (block cipher is one kind of symmetric cryptography) In obscure structure, typical is exactly to be made up of the s box juxtaposition of n m × m to obscure structure, and such as aes, aria are by 16 8 × 8 s box juxtaposition forms, and camellia is to be formed by the s box juxtaposition of 88 × 8.The m bit of one s box output is only defeated with it The m bit entering is relevant, unrelated with the input of other s boxes.And the effect of linear diffusion structure is exactly to play the output of these s boxes Disorderly so that the m bit of output is also related to the input of other s boxes as far as possible.Binary linear diffusion structure is a kind of conventional Linear diffusion structure form, have and realize efficient advantage, but the method for designing of existing binary linear diffusion structure The Cryptographic Properties considering are mainly differential branch number and linear branch number, without considering other Cryptographic Properties, therefore Existing binary linear diffusion structure universal security single function is so that the cryptographic algorithm constructing is analyzed for novel cipher " immune " scarce capacity.The building method of existing binary linear diffusion matrix is it is impossible to ensure its matrix obtaining simultaneously While meeting differential branch number and linear branch number reaches optimum, hamming weight is also highest, and binary system diffusion square The hamming weight of battle array is higher, and snowslide effect is better, and snowslide effect is also important Cryptographic Properties.

Orthomorphic permutation is a kind of special Boolean Permutation, is also class Complete Mappings, has complete equipilibrium etc. excellent Cryptographic Properties, compare other common displacements and have higher diffusion property.The WLAN commercial cipher algorithm of China The round function of sms4 is it is simply that based on orthomorphic permutation Generator Design.In the stream cipher arithmetic loiss of China scientist design S box, is also a non-linear orthomorphic permutation.In addition, the military of China takes much count of application in cryptographic algorithm for the orthomorphic permutation, national defence University of Science and Technology, information engineering university of PLA and Xian Electronics Science and Technology University are all persistently studied to it.

Content of the invention

Present invention aim to address current binary linear diffusion structure only has excellent differential branch number and linear Branch's number, and lack other outstanding Cryptographic Properties；The building method of existing binary linear diffusion matrix is it is impossible to ensure it The matrix obtaining while meeting differential branch number and linear branch number reaches optimum, also ask for highest by hamming weight Topic and deficiency.By using strong orthomorphic permutation, provide one kind both to have optimum differential branch number and linear branch number, have strong again The binary linear diffusion structure method for designing of the Cryptographic Properties such as complete equipilibrium, obtained by the method also ensures that simultaneously The hamming weight of binary matrix reaches the peak under differential branch number and linear branch number all optimal conditions.

For achieving the above object, the present invention adopts following solution: the present invention is based on vector space gf (2^m)ⁿOn strong Orthomorphic permutation designs binary linear diffusion structure, realizes by following step that (wherein 1≤n≤18, m ＞ 1, h are equal to this and two enter The hamming gravimetric value of matrix processed):

(1) upper bound of hamming gravimetric value of n rank (n row n row) binary linear diffusion matrix and one are calculated Lower bound, and this upper bound is assigned to h, generate the set that candidate n ties up row vector composition simultaneously；

(2) it is expert at during vector is gathered and chooses the element such n rank binary system invertible matrix of construction: hamming gravimetric value is H, simultaneously linear branch number reach the theoretially optimum value under the conditions of this kind.If finding such matrix, execute (3).If not depositing In such matrix, then h, from subtracting 1, if now h is less than lower bound, program determination, otherwise continues executing with (2)；

(3) calculate the differential branch number of this binary matrix, if differential branch number also reaches theoretially optimum value, execute (4), otherwise (2) are returned；

(4) this matrix by rows is exchanged two-by-two and (n can be formed altogether!Individual matrix), often obtain a new matrix and just sentence Breaking, whether it is gf (2^m) on strong orthomorphic matrices (each linearly strong orthomorphic permutation can be write as strong orthomorphic matrices). If strong orthomorphic matrices then output result, program determination, if this n!Individual matrix is not strong orthomorphic matrices, then return (2).

Above-mentioned one kind is based on vector space gf (2^m)ⁿOn strong orthomorphic permutation design the side of binary linear diffusion structure Method it is characterised in that:

The method calculating the hamming gravimetric value lower bound of binary matrix in described step (1) is as follows:

Hypothesis d is the minimum distance of binary linear code [2n, n, d], and the implication of the d occurring afterwards is all with herein.

It is now assumed that this binary matrix is n rank (n row n row), then according to binary linear code [2n, n, d] and two The corresponding relation of variable matrix, can obtain general lower bound is (d-1) n.

The method calculating the hamming gravimetric value upper bound of binary matrix in described step (1) is as follows:

One general upper bound isWhereinRepresent and be not more than (*) Maximum integer,Represent the smallest positive integral not less than (*), occur afterwardsWithImplication is all with herein.

In described step (1) candidate row vector composition set it is characterised in that:

Generate altogether the set of (n-d+1) individual row vector, in each row vector set, the hamming weight phase of all row Deng the row vector hamming weight value of (n-d+1) individual row vector set is followed successively by d-1, d ..., n.

Described step (2) be expert at vector set in choose element method as follows:

Assume λ_iIt is natural number for i(wherein i that value is equal to hamming weight in binary matrix, and d-1≤i≤n) The quantity of row, then can obtain following Indeterminate Equation Group:

$\left\{\begin{array}{c}{\mathrm{\λ}}_i\&greaterequal;0,d-1\≤i\≤n,\\ \underset{i=d-1}{\overset{n}{\mathrm{\σ}}}{\mathrm{\λ}}_i=n\\ \underset{i=d-1}{\overset{n}{\mathrm{\σ}}}i{\mathrm{\λ}}_i=h\end{array}\right.$

Solve equation group and obtain all of disaggregation { (λ_d-1,λ_d,…,λ_n), then randomly choose one of which solution (λ_d-1′,λ_d′,…,λ_n'), choose λ from the row vector set that hamming weight is i_i' individual different rows construct binary matrix.

Described Indeterminate Equation Group it is characterised in that:

Assume i, j, k, b are natural number.

If n ≠ 4 and n ≠ 12, then when

When, (wherein), then

And if(wherein 0≤j≤k), then

When When, if(wherein), then

If n=4 or n=12, now d is even number, then when

$(n-\frac{d-2}{2}+(k+1))+(n-\frac{d-2}{2}-(k+1))\&times;(n-1)<h\&le;(n-\frac{d-2}{2}+k)+(n-\frac{d-2}{2}-k)\&times;(n-1)$ When, (wherein $0\&le;k\&le;n-\frac{d-2}{2}-(d-1)-1$ ), then

${\mathrm{\&lambda;}}_i=0,(n-\frac{d-2}{2}+(k+1))\&le;i\&le;(2n-2d+3),$

And if(wherein 0≤j≤k), then

${\mathrm{\&lambda;}}_b=0,(n-\frac{d-2}{2}-j)<b\&le;(n-\frac{d-2}{2}+k),b\&notequal;(n-\frac{d-2}{2}+j);$

When $(d-1)+(d-1)\&times;(n-1)\&le;h\&le;(n-\frac{d-2}{2}+n-\frac{d-2}{2}-(d-1))+(d-1)\&times;(n-1)=(2n-2d+3)+(d-1)\&times;(n-1)$ When, if ${\mathrm{\&lambda;}}_{(n-\frac{d-2}{2}+i)}\&notequal;0,$ (wherein $0\&le;i\&le;n-\frac{d-2}{2}-(d-1)$ ), then

${\mathrm{\&lambda;}}_j=0,(n-\frac{d-2}{2}-i)<j\&le;(2n-2d+3),j\&notequal;(n-\frac{d-2}{2}+i).$

Described Indeterminate Equation Group it is characterised in that:

If n ≠ 4 and n ≠ 12, then whenWhen, λ_i0 or 1 can only be taken；And if only if d During for even number,The number more than 1 can be taken, when d is for odd number,The nonzero integer that can take only has 1.

If n=4 or n=12, d is obtained by the knowledge of binary linear code and is even number, then whenWhen, λ_i0 or 1 can only be taken；The number more than 1 can be taken.

Why described method, can generate the high binary matrix of hamming weight, and its reason is as follows:

The first test high situation of hamming weight, if can not find, just by h(matrix hamming weight and) certainly subtract 1, then Again solve Indeterminate Equation Group, again choose row structural matrix, the hamming weight this ensures that thering gained matrix is always higher Situation.

The method constructing strong orthomorphic matrices in described step (4), its feature is as follows:

Generate the 1 all n arriving n!Plant arrangement, then to rearrange the row sequence of matrix using arrangement.The generation of arrangement can To precalculate, then store precomputation result, directly invoke when use.When rearranging row sequence using an arrangement, After obtaining a new matrix, then calculate this poly, then detect finite field gf (2^m) (assume gf (2^m) Represent finite field gf (2^m), the implication of wherein m ＞ 1, the m occurring afterwards is all with herein) on all nonzero elements whether be this Root of polynomial, if being not root, this matrix is strong orthomorphic matrices, and this result is exported.

In described step (2) binary matrix hamming weight lower bound it is characterised in that:

When h(matrix hamming weight and) after certainly subtract 1, if the value of h is less than lower bound, program determination, and point out this scale Under (m and n for setting) no meet the strong orthomorphic matrices of requirement.

Compared with prior art, the invention has the beneficial effects as follows:

(1) the hamming weight of the binary matrix obtained by ensure that reaches differential branch number and linear branch number Peak all under optimal conditions, thus reaching the snowslide effect of optimum, and prior art is it cannot be guaranteed that this point；

(2) assume to design the binary system diffusion matrix of a n rank, then if testing binary system from high to low in order The situation of the possible hamming weight sum of matrix, due to this scope than larger (scope be (0, n²)) it is therefore desirable to reduce model Enclose；And for a specific hamming weight and, different situations to be tested also a lot (needing to solve Indeterminate Equation Group), So the different situations number that also will reduce for a specific hamming weight and need test.The present invention gives two One general upper bound of the possible hamming weight sum of system matrix and a general lower bound, thus reduce and need to test Hamming weight sum scope；The present invention is simultaneous for being in different interval binary matrix hamming weight sums not Determining equation group, all give constraints, which reduces different situations number to be tested, thus subtracting to a great extent Lack amount of calculation.

(3) the binary linear diffusion matrix enabling to construct has strong complete equipilibrium, and prior art structure The binary system diffusion matrix made no this property.

Brief description

Fig. 1 is the rough flow chart of method for designing；

Fig. 2 is method for designing detail flowchart.

Specific embodiment

For making the object, technical solutions and advantages of the present invention become more apparent, below in conjunction with drawings and Examples, to this Invention is further elaborated.It should be appreciated that specific embodiment described herein is only in order to explain the present invention, not For limiting the present invention.

Generally, the linear diffusion structure of block cipher can be with a gf (2^m)ⁿOn linear orthomorphism representing, and One linear orthomorphism can be represented with an invertible matrix again, and the differential branch of linear diffusion structure therefore can be defined as below Number and linear branch number: θ are gf (2^m)ⁿOn a linear orthomorphism, x=(x₀,x₁,…,x_n-1)∈gf(2^m)ⁿIt is column vector, θ X ()=mx, m are gf (2^m) on n rank invertible matrix, then claim ${\mathrm{\&beta;}}_d\left(\mathrm{\&theta;}\right)=\underset{x\&notequal;0}{\min }\{w_h\left(x\right)+w_h\left(\mathrm{mx}\right)\}$ Differential branch number for θ； ${\mathrm{\&beta;}}_l\left(\mathrm{\&theta;}\right)=\underset{x\&notequal;0}{\min }\{w_h\left(x\right)+w_h\left(m^{t}x\right)\}$ Linear branch number for θ.Wherein (.)^tRepresent matrix transposition, x₀,x₁,…,x_n-1In The number being not zero is the hamming weight of x, is designated as w_h(x).

One linear transformation corresponds to a liner code, if θ is gf (2^m)ⁿOn linear orthomorphism, and θ (x)=mx, then Corresponding liner code is [2n, n, d], g=[i_n| m], and the differential branch number of θ is equal to the minimum distance d of liner code.And two The bound of system liner code minimum distance has been given by document [1], therefore gives n, we can be obtained by n rank two and enter The theoretially optimum value of matrix differential branch number processed, the theoretially optimum value then theoretially optimum value with differential branch number of linear branch number Equal.The minimum distance d of common binary linear code [2n, n, d] is as follows:

The minimum distance d of table 1 binary linear code [2n, n, d]

n	d	n	d
				1	2	10	6
2	2	11	7
				3	3	12	8

4	4	13	7
				5	4	14	8
6	4	15	8
				7	4	16	8
8	5	17	8
				9	6	18	8

Lemma 1 [2] assumes that m is gf (2^m) on n rank binary matrix, definition mappingFor gf (2^m)ⁿTo gf (2^m)ⁿReflect Penetrate and For gf (2)ⁿTo gf (2)ⁿMapping andThen have

Can quickly be judged whether binary matrix differential branch number reaches the theorem of optimum by lemma 1.

Theorem 1 sets a₀,a₁..., a_n-1It is n dimension binary column vector, matrix a=(a₀,a₁,…,a_n-1) it is a reversible square Battle array, and the maximum differential branch number of known n rank binary matrix is β_d(n), then the differential branch number of matrix a is β_d(n)Abundant Necessary condition is that following inequality group is set up, w_h(.) expression hamming weight:

(0≤i₁,i₂…,i_k＜ n and being not mutually equal, 1≤k≤β_d(n)- 2).

Following theorem can be obtained for linear branch number in the same manner.

Theorem 2 sets a₀,a₁,…,a_n-1It is n dimension binary row vector, matrix a=(a₀,a₁,…,a_n-1)^tIt is a reversible square Battle array, and the maximum linear branch number of known n rank binary matrix is β_l(n), then the linear branch number of matrix a is β_l(n)Abundant Necessary condition is that following inequality group is set up:

(0≤i₁,i₂…,i_k＜ n and being not mutually equal, 1≤k≤β_l(n)-2).

By theorem 1 and theorem 2, we can quickly judge the correlated branch number of a n rank binary system invertible matrix Whether reach optimum.

Known by document [3], the hamming weight of binary matrix column vector and higher, then snowslide effect is better, therefore I In addition to considering differential branch number and linear branch number in addition it is also necessary to make the hamming weight of binary matrix as far as possible Height.In Fig. 1 and Fig. 2, the described hamming weight involved by " determining the bound of binary matrix hamming weight " is For this justice.

As used in this specification is gf (2^m)ⁿOn strong orthomorphic permutation, be defined as follows:

Defining 1 and setting σ is gf (2^m)ⁿOn one displacement, ifIt is still gf (2^m)ⁿOn one displacement, wherein k is gf(2^m) on arbitrary element, i be gf (2^m)ⁿOn identical permutation, then σ be gf (2^m)ⁿOn strong orthomorphic permutation.

It is gf (2 that theorem 3 sets σ^m)ⁿOn one displacement, then σ correspond to a gf (2^m) on n × n rank invertible matrix m.If x ∈gf(2^m)ⁿColumn vector, then σ (x)=mx.So σ is that the proper polynomial of strong orthomorphic permutation and if only if invertible matrix m exists gf(2^m) on there is no root.When σ is strong orthomorphic permutation, our m now are called strong orthomorphic matrices.

Strong orthomorphic matrices in Fig. 1 and Fig. 2 are it is simply that linear strong matrix corresponding to orthomorphic permutation.

It is followed by the definition of strong complete equipilibrium:

If defining 2 one gf (2^m)ⁿOn displacement, can be by groupAny one rank upper is 2^mn-1's It is gf (2 that the half of the element of maximal subgroup is mapped to shape such as kh(wherein k^m) on any nonzero element) maximal subgroup, and Second half is mapped in the supplementary set of maximal subgroup kh, then claim this displacement to be gf (2^m)ⁿOn the displacement of strong complete equipilibrium.

Then there are following cor-responding identified theorems:

4 one gf (2 of theorem^m)ⁿOn displacement be strong orthomorphic permutation, and if only if, and it is strong complete equipilibrium.

Note: the definition of strong orthomorphic permutation is derived from document [4], but the definition in document [4] is orthomorphic permutation.Due to strong just The form of shape displacement and common orthomorphic permutation have significantly different, so it has been re-started in this specification with definition.Theorem 4 The visible document of proof [4].

It is easy to compare, redefine gf (2 in document [4] here^m)ⁿThe related notion of upper orthomorphic permutation:

Defining 3 and setting σ is gf (2^m)ⁿOn one displacement, ifIt is still gf (2^m)ⁿOn one displacement, wherein i is gf(2^m)ⁿOn identical permutation, then σ be gf (2^m)ⁿOn orthomorphic permutation.

If defining 4 one gf (2^m)ⁿOn displacement, can be by groupAny one rank upper is 2^mn-1's The half of the element of maximal subgroup is mapped to this maximal subgroup, and second half is mapped in the supplementary set of this maximal subgroup, then claiming should Displacement is gf (2^m)ⁿOn complete equipilibrium displacement.

5 one gf (2 of theorem^m)ⁿOn displacement be orthomorphic permutation, and if only if, and it is complete equipilibrium.

Can see, the balance of strong orthomorphic permutation is more higher than common orthomorphic permutation, property is more excellent.

The principle of this method to be described with reference to specific sample, the method generates a differential branch number and linear point Number is all theoretical optimum, the strong orthomorphic matrices of hamming weight highest simultaneously, and this matrix can make as linear diffusion structure With.

Take m=8, n=8, be according to the differential branch number learning binary matrix in table 1 and linear branch number maximum 5, that is, d=5, according to Fig. 1 and Fig. 2, implement step as follows:

Step 1: using general Lower Bound Formula (d-1) n, calculating a lower bound is (5-1) × 8=32, on general Boundary's formulaCalculating a upper bound is H is set to 49.

Then the set that our generation (n-d+1)=(8-5+1)=4 are made up of n=8 dimension binary row vector, first The hamming weight of set row vector is all d-1=4, and the hamming weight of second set is all d=5, the 3rd set Hamming weight be all d+1=6, the hamming weight of the 4th set be all d+2=7, and hamming weight is for n=8 Row vector only one of which (i.e. binary vector 11111111), without being individually created.

Step 2: assume that binary matrix to be generated includes the row that hamming weight is i and has λ_iIndividual (d-1≤i≤n, I.e. 4≤i≤8), then obtain following Indeterminate Equation Group:

$\left\{\begin{array}{c}{\mathrm{\&lambda;}}_i\&greaterequal;\mathrm{0,4}\&le;i\&le;8\\ \underset{i=4}{\overset{8}{\mathrm{\&sigma;}}}{\mathrm{\&lambda;}}_i=8\\ \underset{i=4}{\overset{8}{\mathrm{\&sigma;}}}i{\mathrm{\&lambda;}}_i=h\end{array}\right.$

According to the versatility conclusion of Summary, bring parameter n=8, d=5 into, obtain:

When 43 ＜ h≤49, λ₈=0；

When 32≤h≤43,

If λ₈≠ 0, then λ₆=λ₇=0,

If λ₇≠ 0, then λ₈=0；

λ₇And λ₈The nonzero integer that can take can only be 1.

The initial value of h is 49 now, then λ₈=0, λ₇0 or 1 can only be taken.Which reduces different situations to be tested Number.Solve equation now, obtain all of disaggregation { (λ₄,λ₅,λ₆,λ₇,λ₈=0) }

For each group of solution, from the row vector set that hamming weight is i, choose λ_iIndividual row, obtains 8 ranks two and enters Producing linear diffusion matrix (unrelated with row sequence), then judges using theorem 2 whether the linear branch number of this matrix reaches optimum, Reach optimum and then detect whether this matrix is that invertible matrix (can pass through to calculate this determinant of a matrix, it is can that determinant is not 0 Inverse matrix), it is that invertible matrix then continues executing with next step, if linear branch number is not reaching to optimum or is not invertible matrix Then select other row.If it is invalid that this group solution is certified as, continue to take other solutions that solution is concentrated to be detected.If disaggregation is demonstrate,proved Bright then h is subtracted 1 for invalid, if now h is less than 32, program determination, otherwise continue executing with step 2.

Calculate by this step, work as h=49, when 48,47,46,45, all there is not linear branch number optimum and may be used simultaneously

Inverse binary matrix.Work as h=44, meet the row vector requiring with the presence of two groups of solutions and combine:

{(λ₄=0, λ₅=4, λ₆=4, λ₇=0, λ₈=0) } and { (λ₄=1, λ₅=3, λ₆=3, λ₇=1, λ₈=0) }.

Step 3: whether the differential branch number using theorem 1 judgment matrix reaches optimum, if then continue executing with next step Suddenly, if otherwise returning execution step 2.

After tested, { (λ₄=1, λ₅=3, λ₆=3, λ₇=1, λ₈=0) the row vector combination } solving is all no in this step It is fixed,

{(λ₄=0, λ₅=4, λ₆=4, λ₇=0, λ₈=0) the row vector combination } solving is detected by differential branch number, enters Next step.

Step 4: this matrix by rows is exchanged two-by-two, often obtains new matrix computations and go out its proper polynomial, Then according to theorem 3, detect gf (2 successively⁸) whether upper all nonzero elements are the roots of this feature value (is that root then represents this matrix It is not strong orthomorphic matrices), if not being root, this matrix is gf (2⁸) on strong orthomorphic matrices, output result, program determination.If It is that root then continues to attempt to the exchange combination of other row, if all 8！Individual matrix is not strong orthomorphic matrices, then return execution step 2.

By executing above step, as h=44, by { (λ₄=0, λ₅=4, λ₆=4, λ₇=0, λ₈=0) row } solving to The strong orthomorphic matrices of one 8 rank binary system of amount combination producing are following (can be generated much strong orthomorphic matrices, only select a conduct to show Example):

$\left[\begin{array}{cccccccc}1& 1& 0& 1& 1& 1& 0& 0\\ 1& 1& 1& 0& 1& 0& 1& 0\\ 0& 0& 1& 1& 1& 0& 1& 1\\ 1& 0& 0& 1& 0& 1& 1& 1\\ 0& 1& 1& 1& 1& 1& 1& 0\\ 1& 0& 1& 1& 1& 1& 0& 1\\ 1& 1& 0& 0& 1& 1& 1& 1\\ 1& 1& 1& 1& 0& 0& 1& 1\end{array}\right]$

The differential branch number of this matrix and linear branch number are all theoretially optimum value 5,44 also for possible maximum hamming Weight, also has strong complete equipilibrium simultaneously.

Above-mentioned specific embodiment is described the present invention with preferred embodiments, but this is only to facilitate understanding and lifting Visualization example, be not considered as the restriction of the scope of the invention.Equally, all within the spirit and principles in the present invention, Any modification, equivalent substitution and improvement made etc., should be included within the scope of the present invention.

Bibliography

[1]brouwer a e,verhoeff t.an updated table of minimum-distance bounds for binary linear codes[j].information theory,ieee transactions on,1993,39 (2):662-677.

[2] Cui Ting, Chen Heshan, Jin Chenhui. some annotation [j] of block cipher binary diffusion structure. Journal of Software, 2012,23(9):2430-2437.

[3]kanda m,takashima y,matsumoto t,aoki k,ohta k.a strategy for constructing fast round functions with practical security against Differential and linear cryptanalysis [a] .in:tavares s, meijer h.proceedings of the selected areas in cryptography[c].berlin/heidelberg:springer,1999,1556: 264-279.

[4] virgin speech, the clear .gf of Zhang Huanguo, Han Hai (2ⁿ)^mOn linear orthomorphic permutation [j]. Wuhan University Journal (Edition), 2010,56(2):235-239.

Claims (9)

1. in a kind of symmetric cryptography the method for designing of binary linear diffusion structure it is characterised in that methods described includes:

(1) upper bound of the hamming gravimetric value of n rank binary linear diffusion matrix and a lower bound are calculated, and should The upper bound is assigned to h, generates the set that candidate n ties up row vector composition simultaneously；

(2) it is expert at during vector is gathered and chooses element construction n rank binary system invertible matrix: hamming gravimetric value is h, linearly simultaneously Branch's number reaches the theoretially optimum value under the conditions of this kind, if finding such matrix, execution step (3), if do not exist so Matrix, then h from subtracting 1, if now h is less than lower bound, program determination, otherwise continue executing with step (2)；

(3) calculate the differential branch number of this binary matrix, if differential branch number also reaches theoretially optimum value, execution step (4), otherwise return to step (2)；

(4) this matrix by rows is exchanged two-by-two, often obtain a new matrix and be judged as whether it is gf (2^m) on strong conformality Matrix, if strong orthomorphic matrices then output result, program determination, if this n！Individual matrix is not strong orthomorphic matrices, then return step Suddenly (2)；

Wherein, m ＞ 1, the scale of n representing matrix, and 1≤n≤18, d is the minimum distance of binary linear code [2n, n, d], Assume that this binary matrix is n rank, then according to the corresponding relation of binary linear code [2n, n, d] and binary matrix, permissible Obtaining general lower bound is (d-1) n, and binary matrix is the matrix that matrix element is 0 or 1, binary matrix here Hamming gravimetric value is equal to the number that element in this matrix is 1.

2. in a kind of symmetric cryptography according to claim 1 binary linear diffusion structure method for designing, its feature exists In:

One general upper bound isWhereinRepresent the maximum being not more than (*) Integer,Represent the smallest positive integral not less than (*), occur afterwardsWithImplication is all with herein.

3. in a kind of symmetric cryptography according to claim 1 binary linear diffusion structure method for designing, its feature exists In:

Generate altogether (n-d+1) individual n dimension row vector set, in each row vector set, the hamming weight phase of all row Deng the row vector hamming weight value of (n-d+1) individual row vector set is followed successively by d-1, d ..., n.

4. in a kind of symmetric cryptography according to claim 1 binary linear diffusion structure method for designing, its feature exists In:

Assume that h is equal to the hamming gravimetric value of this binary matrix, λ_iIt is i's that value is equal to hamming weight in binary matrix The quantity of row, then can obtain following Indeterminate Equation Group:

$\left\{\begin{array}{c}{\mathrm{\&lambda;}}_i\&greaterequal;0,d-1\&le;i\&le;n,\\ \underset{i=d-1}{\overset{n}{\&sigma;}}{\mathrm{\&lambda;}}_i=n\\ \underset{i=d-1}{\overset{n}{\&sigma;}}{\mathrm{i\&lambda;}}_i=h\end{array}\right.$

Solve equation group and obtain all of disaggregation { (λ_d-1,λ_d,…,λ_n), then randomly choose one of which solution (λ_d-1′, λ_d′,…,λ_n'), choose λ from the row vector set that hamming weight is i_i' individual different rows construct binary matrix.

5. in a kind of symmetric cryptography according to claim 4 binary linear diffusion structure method for designing, its feature exists In:

Assume i, j, k, b are natural number,Represent the maximum integer being not more than (*),Represent not less than (*) Small integer；

If n ≠ 4 and n ≠ 12, then when

When, whereinThen

λ_i=0,

And ifWherein 0≤j≤k, then

λ_b=0,

WhenWhen,

IfWhereinThen

λ_j=0,

If n=4 or n=12, now d is even number, then when

When, whereinThen

λ_i=0,

And ifWherein 0≤j≤k, then

λ_b=0,

When

When, ifWhereinThen

λ_j=0,

6. in a kind of symmetric cryptography according to claim 5 binary linear diffusion structure method for designing, its feature exists In:

If n ≠ 4 and n ≠ 12, then whenWhen, λ_i0 or 1 can only be taken；And if only if, and d is even number When,The number more than 1 can be taken, when d is for odd number,The nonzero integer that can take only has 1；

If n=4 or n=12, d is obtained by the knowledge of binary linear code and is even number, then whenWhen, λ_i0 or 1 can only be taken；The number more than 1 can be taken.

7. in a kind of symmetric cryptography according to claim 4 binary linear diffusion structure method for designing, its feature exists In:

The first high situation of test hamming weight, if can not find, just by h from subtracting 1, then again indefinite in solution claim 4 Equation, chooses row structural matrix again.

8. in a kind of symmetric cryptography according to claim 1 binary linear diffusion structure method for designing, its feature exists In:

Generate the 1 all n arriving n！Plant arrangement, then to rearrange the row sequence of matrix using arrangement, the generation of arrangement can be pre- First calculate, then store precomputation result, directly invoke when use, when rearranging row sequence using an arrangement, obtain After one new matrix, then calculate this poly, then detect finite field gf (2^m) on all non-zero entry Whether element is this root of polynomial, if being not root, this matrix is strong orthomorphic matrices, and this result is exported.

9. in a kind of symmetric cryptography according to claim 8 binary linear diffusion structure method for designing, its feature exists In:

After h subtracts 1 certainly, if the value of h is less than lower bound, program determination, and point out no to meet the strong conformality square of requirement under this scale Battle array.