CN110572255A - Lightweight block cipher algorithm Shadow implementation method, device and computer readable medium - Google Patents


Info

Publication number: CN110572255A
Authority: CN (China)
Prior art keywords: box, key, round, bits, data
Legal status: Granted (active)
Application number: CN201910916368.5A
Other languages: Chinese (zh)
Other versions: CN110572255B (en)
Inventors: 李浪, 郭影, 刘波涛, 焦铬, 邹祎, 李秋萍
Current assignee: Hengyang Normal University
Original assignee: Hengyang Normal University
Application filed by Hengyang Normal University; priority to CN201910916368.5A
Publication of CN110572255A; application granted; publication of CN110572255B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms

Abstract

The invention discloses a lightweight block cipher algorithm Shadow implementation method, device and computer readable medium based on an SPN structure. The method comprises the following steps: obtaining 64 bits of plaintext to be encrypted and determining the iteration round number R according to the number of bits of the secret key; in rounds 1 to R, sequentially performing a round key addition operation, a nonlinear S-box replacement operation, a row shift operation and a linear column mixing operation on the data of each round, and updating the key; taking the data obtained after the linear column mixing operation as the data to be encrypted in the next round, and the updated key as the key of the next round; and performing a round key addition operation on the data after the R-th round and the key, and outputting the ciphertext. On the basis that some cryptographic indexes of an S box are not affected by affine transformation, the invention uses a composite affine mathematical method in the finite field GF(2^4) to construct pseudo-random key-dependent S boxes, and at the same time constructs the column mixing matrix using the Schmidt matrix orthogonalization principle, so that attacks can be effectively resisted.

Description

Lightweight block cipher algorithm Shadow implementation method, device and computer readable medium
Technical Field
The invention relates to the field of computer encryption, in particular to a lightweight block cipher algorithm Shadow implementation method and device based on an SPN structure and a computer readable medium.
Background
In recent years, data security in fields such as financial services, smart cards, retail and autonomous driving has become more prominent, and data confidentiality, privacy protection and personal data security have attracted extensive attention. Because traditional block ciphers are not suited to low-cost, low-power, resource-limited application environments such as RFID tags and sensor nodes, research on lightweight block ciphers designed specifically for resource-limited environments is a hot topic of current international cryptographic research.
Compared with traditional block ciphers, lightweight block ciphers have the following characteristics: (1) resource-constrained application environments typically process relatively small amounts of data and have low throughput requirements, so the block length is typically 64 bits, with 32/48/80/96 bits also considered for some special application requirements. (2) Most existing lightweight block cipher algorithms use fixed components and cannot fully resist known or unknown attack methods. (3) Most existing lightweight block ciphers are designed with traditional block ciphers as reference, and many algorithms are lightweight reconstructions of the original block ciphers, adopting for example strategies such as reducing the number of nonlinear S boxes, using fixed keys, using special cipher structures with self-inverse/reflection properties, and constructing nonlinear transformations from simple logic operations.
Some lightweight block ciphers proposed in recent years have shown security problems soon after being proposed because they adopt an over-simple round function or a special cipher structure.
Disclosure of Invention
The invention provides a lightweight block cipher algorithm Shadow implementation method, a device and a computer readable medium based on an SPN structure, and aims to solve the problem that known or unknown attacks cannot be sufficiently resisted due to the adoption of a fixed component under the condition of limited equipment.
The invention provides a lightweight block cipher algorithm Shadow implementation method, which comprises the following steps:
a1: obtaining 64 bits of plaintext to be encrypted, and determining an iteration round number R according to the number of bits of the secret key;
A2: in the 1 st to R th round of operation, sequentially performing round key addition operation, nonlinear S box replacement operation, row displacement operation and linear column mixed operation on data to be encrypted in each round of operation, and updating keys; taking data obtained after linear column mixed operation as data to be encrypted of the next round of operation, and taking an updated key as a key of the next round of operation;
Wherein the round key addition operation comprises: selecting the first 64 bits of the key and a plaintext to be encrypted according to the sequence from high bits to low bits to perform round key addition operation;
The nonlinear S-box replacement operation comprises: performing a composite affine operation on the key and the S0 box; counting the first repetition value σ of the data obtained from the composite affine operation in the finite field GF(2^4); when the first repetition value σ < 8, the data calculated in step A2 selects the S1 box for the nonlinear S-box replacement operation; when σ > 12, the S3 box is selected; when 8 ≤ σ ≤ 12, the S2 box is selected; the S0 box is the PRESENT algorithm S box, and the S1, S2 and S3 boxes are all generated by performing a composite affine operation on the S0 box and a random matrix and then randomly selecting a composite affine equivalent S box of the S0 box according to the range of the second repetition value σ';
A3: and performing round key addition operation on the data to be encrypted and the key obtained after the R-th round of operation is finished, and outputting a ciphertext.
The encryption method is based on the SPN structure, and in order to adapt to different application environments a user can select a suitable key length for the available resources. On the basis that some cryptographic indexes of an S box are not affected by affine transformation, the Shadow encryption process selects one of the S1, S2 and S3 boxes for the nonlinear S-box replacement according to the repetition value σ of the composite affine value of the round key and the S0 box. On the one hand, the confusion effect of a round function is usually realized by an S box or by arithmetic operations; this method builds a pseudo-random usage method on top of key-dependent S boxes by means of the composite affine mathematical method, so that the confusion effect of the round function is greatly improved, attacks can be effectively resisted, and the problem that known or unknown attacks cannot be sufficiently resisted because of fixed components is avoided. On the other hand, the method avoids weak S boxes in the process of constructing the key-dependent S boxes and saves a large amount of screening time.
Further, the round key addition operation includes the following steps:
Selecting the first 64 bits of the key according to the sequence from high bit to low bit, and acquiring data to be encrypted in the round of operation;
And carrying out XOR operation on the data to be encrypted and the first 64 bits of the selected key.
Further, the complex affine operation of the key and the S0 box includes the following steps:
In the finite field GF(2^4), the element values of the 4-bit S box are labelled in order, from left to right and from high order to low order, as S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7, S_8, S_9, S_10, S_11, S_12, S_13, S_14, S_15 and expressed as a 4th-order matrix α:
The key is divided, from high bit to low bit and from left to right, into one data unit every 4 bits; the first 16 data units of the key are selected in order from left to right and from high bit to low bit and expressed as a 4th-order matrix β as follows:
A composite affine operation is carried out on the matrix α and the matrix β; the composite affine matrix is denoted γ, and the composite affine process is shown in the following formula:
Further, the S0, S1, S2 and S3 boxes generation process includes the following steps:
Selecting a PRESENT algorithm S box as an S0 box;
Performing a composite affine operation on the S0 box and a randomly selected set of matrices containing 16 data units, and counting, in the finite field GF(2^4), the positions where repeated values appear in the composite affine matrix γ', the second repetition value σ' and the group of repeated and missing values;
Arranging each data unit in the group of repeated and missing values, filling each arrangement in turn into the positions of the repeated values in the composite affine matrix γ', and screening out a composite affine equivalent S box of the S0 box, where the composite affine equivalent S box is identical to the S0 box in the three aspects of nonlinearity, differential uniformity and linear approximation;
Judging whether the composite affine equivalent S box of the S0 box has a fixed point, and if so, XORing the composite affine equivalent S box with a constant to eliminate the fixed point;
Randomly selecting a composite affine equivalent S box with second repetition value σ' < 8 and fixed points eliminated as the S1 box;
Randomly selecting a composite affine equivalent S box with second repetition value σ' > 12 and fixed points eliminated as the S3 box;
And randomly selecting a composite affine equivalent S box with second repetition value 8 ≤ σ' ≤ 12 and fixed points eliminated as the S2 box.
More specifically, the S0, S1, S2 and S3 boxes generating process includes the following steps:
C1: selecting a PRESENT algorithm S box as an S0 box;
C2: in the finite field GF (2)4) Upper random selectionA set of matrices β 'including 16 data units, and performing a complex affine operation with the S0 box to obtain a matrix γ', where the case of the matrix γ 'can be classified into three types according to the size of the second repetition value σ': sigma'<8、σ’>12 and 8 is less than or equal to sigma' is less than or equal to 12;
C3: the position of occurrence of repeated number values in the statistical complex affine matrix gamma' in the finite field GF (2)4) Judging which category the matrix gamma ' belongs to according to the second repetition value sigma ', arranging each data unit in the repeated and missing value groups, sequentially filling the positions of the repeated values in the matrix gamma ' according to the arrangement sequence, judging whether the filled matrix gamma ' is consistent with an S0 box in the aspects of nonlinearity, differential uniformity and linear approximation, if so, the matrix gamma ' is an affine equivalent S box of the S0 box, otherwise, the next array is filled in the matrix gamma ', and judging whether the matrix gamma ' is the affine equivalent S box of the S0 box again;
C4: in the finite field GF (2)4) Randomly selecting a group of matrixes beta ' containing 16 data units again, carrying out compound affine operation with an S0 box to obtain a matrix gamma ', counting a second repetition value sigma ' and repeated and missing value groups appearing in the matrix gamma ', judging which category the matrix gamma ' belongs to according to the second repetition value sigma ', discarding the random matrix beta ' selected this time if the matrix gamma ' is overlapped with the category obtained in the step C3, simultaneously, selecting the random matrix beta ' again, judging again until a matrix gamma ' which is different from the category obtained in the step C3 is obtained, and finally, carrying out a process of searching for an affine equivalent S box on the category matrix gamma ', wherein the process is the same as that in the previous step and is not repeated;
C5: in the finite field GF (2)4) Randomly selecting a group of matrix beta 'containing 16 data units, carrying out compound affine operation with an S0 box to obtain a matrix gamma', counting a second repetition value sigma 'and repeated and missing value groups appearing in the matrix gamma', judging whether the matrix gamma 'is the same as the types in the steps C3 and C4 according to the second repetition value sigma', discarding the random matrix beta 'selected at this time if the matrix gamma' is the same as the types in the steps C3 and C4, reselecting the random matrix beta ', and judging again until the random matrix beta' is obtainedfinally, a matrix gamma 'with the category different from that in the step C3 and the step C4 is obtained, and finally, the process of searching an affine equivalent S box is carried out on the matrix gamma';
c6: judging whether the three types of affine S boxes obtained in the step have motionless points or not, and if so, XOR a constant to eliminate the motionless points;
C7: an affine equivalence S box in which the second repetition value σ' <8 and the motionless point is eliminated is taken as an S1 box; taking a complex affine equivalent S box with the second repetition value sigma' being greater than 12 and the fixed point eliminated as an S3 box; the affine equivalent S box obtained when the second repetition value 8 ≦ σ' ≦ 12 and the stationary point is eliminated is set as the S2 box.
selecting a PRESENT algorithm S box as an S0 box, and based on that partial cryptology indexes of the S box are not influenced by affine transformation, performing the operation in a finite field GF (2)4) And randomly selecting a matrix containing 16 data units and an S0 box to perform compound affine operation, and screening according to a second repetition value range to obtain three groups of S boxes with partial cryptography properties identical to those of the S0 box, namely an S1 box, an S2 box and an S3 box. According to the condition of the first repeated value sigma in the composite affine value of the round key and the S0 boxes, one of the S1 box, the S2 box and the S3 box is selected to carry out nonlinear S-box replacement, and a pseudo-random using method is constructed.
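As an added example (not the patent's own code), the following Python checks the S-box properties this construction relies on: the public PRESENT S box serves as S0, an affine-equivalent S box is built from sample invertible binary matrices and constants chosen here (the patent's random matrices β and the composite affine formula γ are not reproduced on the page), its differential uniformity and nonlinearity are compared with those of S0, and fixed points are removed by XOR with a constant as in step C6.

```python
# Added example, not the patent's own code. The PRESENT S box is public; the
# affine maps OUTER/INNER and the constants are sample values constructed here.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """Parity of the bits of v; parity(a & x) is the GF(2) dot product of a and x."""
    return bin(v).count("1") & 1


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences (4 for PRESENT)."""
    worst = 0
    for delta_in in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ delta_in]] += 1
        worst = max(worst, max(counts))
    return worst


def linearity(sbox):
    """Largest |Walsh coefficient| over nonzero output masks (8 for PRESENT)."""
    worst = 0
    for out_mask in range(1, 16):
        for in_mask in range(16):
            corr = sum((-1) ** (parity(in_mask & x) ^ parity(out_mask & sbox[x]))
                       for x in range(16))
            worst = max(worst, abs(corr))
    return worst


def nonlinearity(sbox):
    """NL = 2^(n-1) - L/2 with n = 4; PRESENT reaches 4, the optimum for 4-bit S boxes."""
    return 8 - linearity(sbox) // 2


def apply_affine(rows, const, x):
    """y = M*x ^ const over GF(2)^4; rows[i] is the bitmask of row i of M and yields bit i of y."""
    y = 0
    for i, row in enumerate(rows):
        y |= parity(row & x) << i
    return y ^ const


def is_bijective(rows):
    """An affine map permutes GF(2)^4 exactly when its matrix part is invertible."""
    return len({apply_affine(rows, 0, x) for x in range(16)}) == 16


def affine_equivalent(sbox, outer, outer_c, inner, inner_c):
    """S'(x) = A(S(B(x) ^ b)) ^ a: an affine-equivalent S box built from sbox.
    Nonlinearity, differential uniformity and linear approximation are unchanged by this."""
    assert is_bijective(outer) and is_bijective(inner)
    return [apply_affine(outer, outer_c, sbox[apply_affine(inner, inner_c, x)])
            for x in range(16)]


def fixed_points(sbox):
    return [x for x in range(16) if sbox[x] == x]


def remove_fixed_points(sbox):
    """Step C6: XOR the outputs with a constant so that no fixed point remains.
    Returns (constant, new_sbox), or None if no constant in 1..15 works."""
    for c in range(1, 16):
        candidate = [v ^ c for v in sbox]
        if not fixed_points(candidate):
            return c, candidate
    return None


# Sample invertible binary 4x4 matrices (constructed here), one row bitmask per row.
OUTER = [0b1001, 0b0110, 0b1100, 0b0010]
INNER = [0b0111, 0b1010, 0b0001, 0b1000]


def demo():
    """Build one affine-equivalent S box, measure it, and eliminate its fixed points."""
    s1 = affine_equivalent(PRESENT_SBOX, OUTER, 0x3, INNER, 0xA)
    metrics = (differential_uniformity(s1), nonlinearity(s1))
    return s1, metrics, remove_fixed_points(s1)


if __name__ == "__main__":
    print(demo())
```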
Further, the row shift operation includes the following steps:
The 64-bit data state_i to be encrypted after the nonlinear S-box replacement operation is divided, from high bit to low bit, into one data unit every 4 bits, giving 16 data units, where 1 ≤ i ≤ R; the data units are then circularly left-shifted in four groups by a, b, c and d bits respectively, where a, b, c and d are preset values.
Further, the linear column mixing operation includes the steps of:
In the finite field GF(2^4), construct a column hybrid transformation matrix δ based on the Schmidt matrix orthogonalization principle;
The 64-bit data state_j to be encrypted after the row shift operation is divided, from high bit to low bit, into one data unit every 4 bits, giving 16 data units, where 1 ≤ j ≤ R; the 16 data units are combined into a 4 × 4 matrix, and the column hybrid transformation matrix δ is multiplied by this 4 × 4 matrix in the finite field GF(2^4) according to the following formula:
Further, the construction process of the column hybrid transformation matrix δ includes the following steps:
Let λ_1, λ_2, λ_3, λ_4 denote the column vectors of δ;
Randomly select one of the 81 arrangements formed from the three numbers 1, 2 and 4 as λ_1, and let μ_1 = λ_1; if |μ_1| equals 0, or the Hamming weight of μ_1 fails its condition, or [μ_1, μ_1] has no inverse element in the finite field GF(2^4), then randomly select an arrangement again as λ_1; otherwise, enter the next construction step. Here |μ_1| denotes the modulus of μ_1, and [μ_1, μ_1] denotes the inner product of μ_1 with itself; similar expressions below have the same meaning and are not explained again;
Randomly select one of the 81 arrangements formed from the three numbers 1, 2 and 4 as λ_2 and let μ_2 be given by the orthogonalization formula; if |μ_2| equals 0, or the Hamming weight of μ_2 fails its condition, or [μ_2, μ_2] has no inverse element in the finite field GF(2^4), then randomly select an arrangement again as λ_2; otherwise, enter the next construction step;
Randomly select one of the 81 arrangements formed from the three numbers 1, 2 and 4 as λ_3 and let μ_3 be given by the orthogonalization formula; if |μ_3| equals 0, or the Hamming weight of μ_3 fails its condition, or [μ_3, μ_3] has no inverse element in the finite field GF(2^4), then randomly select an arrangement again as λ_3; otherwise, enter the next construction step;
Randomly select one of the 81 arrangements formed from the three numbers 1, 2 and 4 as λ_4 and let μ_4 be given by the orthogonalization formula; if |μ_4| equals 0, or the Hamming weight of μ_4 fails its condition, or [μ_4, μ_4] has no inverse element in the finite field GF(2^4), then randomly select an arrangement again as λ_4; otherwise, output the column hybrid transformation matrix δ.
The invention constructs the column hybrid transformation matrix in the finite field GF(2^4) using the mathematical method of Schmidt matrix orthogonalization. The branch number is an important criterion for designing a linear permutation: the greater the branch number of the linear permutation, the stronger its resistance to differential and linear cryptanalysis. Since linear permutations and matrices correspond one-to-one over a number field, the branch number of a linear permutation is also called the matrix branch number; the 4th-order column mixing matrix constructed as above reaches the maximum branch number of 5 and can effectively resist differential and linear cryptanalysis.
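As an added example (not the patent's own code), the following Python computes the branch number of a 4 × 4 column mixing matrix over GF(2^4) by exhaustive search, which is the check behind the claim that the constructed matrix reaches the maximum branch number 5. It assumes the reduction polynomial x^4 + x + 1 (the page names none) and, since the patent's matrix δ is not reproduced on the page, uses the public LED cipher MDS matrix, built as the fourth power of its companion matrix, as a stand-in with branch number 5, with the identity matrix for contrast.

```python
# Added example, not the patent's own code. Assumptions: GF(2^4) is built with
# x^4 + x + 1, and LED's MixColumnsSerial matrix stands in for the patent's delta.

POLY = 0x13  # x^4 + x + 1 (assumed; the page does not name the polynomial)


def gf16_mul(a, b):
    """Multiply two GF(2^4) elements (nibbles) modulo POLY."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r & 0xF


MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]  # lookup table


def mat_vec(m, v):
    """Multiply a 4x4 matrix over GF(2^4) by a column vector of 4 nibbles."""
    return [MUL[m[i][0]][v[0]] ^ MUL[m[i][1]][v[1]] ^ MUL[m[i][2]][v[2]] ^ MUL[m[i][3]][v[3]]
            for i in range(4)]


def mat_mul(a, b):
    """Product of two 4x4 matrices over GF(2^4)."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            acc = 0
            for k in range(4):
                acc ^= MUL[a[i][k]][b[k][j]]
            out[i][j] = acc
    return out


def nibble_weight(v):
    """Number of nonzero nibbles (the weight used for the branch number)."""
    return sum(1 for x in v if x)


def branch_number(m):
    """Differential branch number: min over nonzero x of wt(x) + wt(M x).
    The largest possible value for a 4x4 matrix is 5 (the MDS bound)."""
    best = 8
    for code in range(1, 1 << 16):          # every nonzero vector of 4 nibbles
        x = [(code >> (4 * i)) & 0xF for i in range(4)]
        total = nibble_weight(x) + nibble_weight(mat_vec(m, x))
        if total < best:
            best = total
            if best == 2:                   # cannot get any lower
                break
    return best


# LED's MixColumnsSerial matrix M = A^4, with A the companion matrix of (4, 1, 2, 2).
LED_COMPANION = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [4, 1, 2, 2]]


def led_matrix():
    a2 = mat_mul(LED_COMPANION, LED_COMPANION)
    return mat_mul(a2, a2)


IDENTITY = [[1 if i == j else 0 for j in range(4)] for i in range(4)]

if __name__ == "__main__":
    print("LED matrix branch number:", branch_number(led_matrix()))  # 5
    print("identity branch number:", branch_number(IDENTITY))        # 2
```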
Further, the key length is 80 bits or 128 bits, and when the key length is 80 bits, the iteration round number R is 25; when the key length is 128 bits, the iteration round number R is 32.
Further, updating the key comprises the following steps:
When the key length is 80 bits, in rounds 1 to R of key updating, each round includes: dividing the key stored in the register, from high bit to low bit and from left to right, into one data unit every 4 bits; the first 10 data units k_0, k_1, …, k_9 from high to low are rotated left by e bits, the last 10 data units k_10, k_11, …, k_19 are circularly left-shifted by f bits, and the highest-order data unit k_0 passes through the S0 box replacement operation, giving the updated key, which is taken as the key to be updated in the next round of key updating; the round key of round i is the highest 64 bits in the register, where e and f are preset values and 1 ≤ i ≤ R + 1;
When the key length is 128 bits, in rounds 1 to R of key updating, each round includes: dividing the key stored in the register, from high bit to low bit and from left to right, into one data unit every 4 bits; the first 16 data units k_0, k_1, …, k_15 from high to low are rotated left by g bits, the last 16 data units k_16, k_17, …, k_31 are circularly left-shifted by h bits, and the two highest-order data units k_0, k_1 and the two lowest-order data units k_30, k_31 pass through the S0 box replacement operation, giving the updated key, which is taken as the key to be updated in the next round of key updating; the key of round i is the highest 64 bits in the register, where g and h are preset values and 1 ≤ i ≤ R + 1.
Further, when decrypting the ciphertext, the decryption process includes the following steps:
B1: acquiring 64-bit ciphertext to be decrypted, and determining an iteration round number R' according to the number of key bits;
B2: selecting the first 64 bits from high bits to low bits of the key obtained after the last round of operation in the encryption process and the data to be decrypted to perform round key addition operation, and using the obtained data as the data to be decrypted in the 1 st round of operation;
B3: in the 1 st to R' th round of operations of decryption, in each round of operations, linear column mixed inverse operation, row shift inverse operation, nonlinear S-box replacement inverse operation and round key addition operation are sequentially carried out on data to be decrypted, and the key in the decryption process is updated according to the inverse sequence of the updated key in the encryption process; taking the data obtained after the round key addition operation as the data to be decrypted of the next round operation, and taking the updated key as the key of the next round operation; and outputting the plaintext after the R' th round of operation is completed.
the linear column mixed inverse operation, the line displacement inverse operation, the nonlinear S-box replacement inverse operation and the round key addition operation in the decryption process are respectively corresponding to the linear column mixed operation, the line displacement operation, the nonlinear S-box replacement operation and the round key addition operation in the encryption process as reciprocal operations.
In a second aspect of the present invention, a computer-readable storage medium is provided, which includes a stored program, which is adapted to be loaded by a processor and execute the above-mentioned lightweight block cipher algorithm Shadow implementation method.
In a third aspect of the present invention, a lightweight block cipher algorithm Shadow implementation apparatus is provided, including:
An initialization unit: the encryption device is used for obtaining 64 bits of plaintext to be encrypted and determining iteration round number R according to the number of key bits;
An iteration processing unit: the method is used for sequentially performing round key addition operation, nonlinear S box replacement operation, row displacement operation and linear column mixed operation on data to be encrypted in each round of 1 st to R < th > operations, and updating keys; taking data obtained after linear column mixed operation as data to be encrypted of the next round of operation, and taking an updated key as a key of the next round of operation;
Wherein the round key addition operation comprises: selecting the first 64 bits of the key and a plaintext to be encrypted according to the sequence from high bits to low bits to perform round key addition operation;
The nonlinear S-box replacement operation comprises: performing a composite affine operation on the key and the S0 box; counting the first repetition value σ of the data obtained from the composite affine operation in the finite field GF(2^4); when the first repetition value σ < 8, the data calculated in step A2 selects the S1 box for the nonlinear S-box replacement operation; when σ > 12, the S3 box is selected; when 8 ≤ σ ≤ 12, the S2 box is selected;
A ciphertext generation unit: and the cipher key adding device is used for performing round cipher key adding operation on the data to be encrypted and the cipher key obtained after the R-th round of operation is finished, and outputting a cipher text.
Advantageous effects
The invention provides a lightweight block cipher algorithm Shadow implementation method, a device and a computer readable medium based on an SPN structure.
In the nonlinear layer, the PRESENT algorithm S box is selected as the S0 box and, on the basis that some cryptographic indexes of an S box are not affected by affine transformation, a matrix containing 16 data units is randomly selected in the finite field GF(2^4) and subjected to a composite affine operation with the S0 box; screening according to the range of the second repetition value yields three groups of S boxes whose partial cryptographic properties are identical to those of the S0 box. In the Shadow encryption process, one of the S1, S2 and S3 boxes is selected for the nonlinear S-box replacement according to the first repetition value σ of the composite affine value of the round key and the S0 box, which constitutes a pseudo-random usage method. On the one hand, the confusion effect of a round function is usually realized by an S box or by arithmetic operations; this method builds a pseudo-random usage method on top of key-dependent S boxes by means of the composite affine mathematical method, so that the confusion effect of the round function is greatly improved, attacks can be effectively resisted, and the problem that known or unknown attacks cannot be sufficiently resisted because of fixed components is avoided. On the other hand, the method avoids weak S boxes in the process of constructing the key-dependent S boxes and saves a large amount of screening time.
In the linear layer, the invention combines a row shift operation with a column mixing operation, so that after 3 rounds each byte of the intermediate state depends on as many of the 16 plaintext bytes as possible, that is, each bit of the intermediate state is influenced by many bits of the plaintext. In addition, the invention constructs the column hybrid transformation matrix in the finite field GF(2^4) using the mathematical method of Schmidt matrix orthogonalization. The branch number is an important criterion for designing a linear permutation: the greater the branch number of the linear permutation, the stronger its resistance to differential and linear cryptanalysis. Since linear permutations and matrices correspond one-to-one over a number field, the branch number of a linear permutation is also called the matrix branch number; the 4th-order column mixing matrix constructed as above reaches the maximum branch number of 5 and can effectively resist differential and linear cryptanalysis.
Drawings
Fig. 1 is a schematic diagram of an encryption/decryption process of a lightweight block cipher algorithm Shadow implementation method based on an SPN structure according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that variations and modifications can be made by persons skilled in the art without departing from the spirit of the invention. All falling within the scope of the present invention.
The embodiment of the invention provides a lightweight block cipher algorithm Shadow implementation method, as shown in figure 1, comprising the following steps:
A1: obtaining 64 bits of plaintext to be encrypted, and determining an iteration round number R according to the number of bits of the secret key;
In specific implementation, 64-bit plaintext is loaded to a register, and when the length of a secret key is 80-bit, the value R is 25; when the key length is 128-bit, R takes 32.
A2: in the 1 st to R th round of operation, sequentially performing round key addition operation, nonlinear S box replacement operation, row displacement operation and linear column mixed operation on data to be encrypted in each round of operation, and updating keys; taking data obtained after linear column mixed operation as data to be encrypted of the next round of operation, and taking an updated key as a key of the next round of operation;
Wherein the round key addition operation comprises: selecting the first 64 bits of the key and the plaintext to be encrypted in order from high bits to low bits to perform the round key addition operation;
More specifically, the round key addition operation includes the following steps:
In the ith round of operation, the first 64 bits of the secret key are selected according to the sequence from high bits to low bits, and data to be encrypted in the ith round of operation are obtained, wherein i is more than or equal to 1 and is less than or equal to R;
Carrying out XOR operation on the data to be encrypted and the first 64 bits of the selected key;
In a specific implementation, each bit of the plaintext (or of the data to be encrypted in that round) is XORed with the round key of round i (1 ≤ i ≤ R), where the round key taking part in the round key addition of round i is the highest 64 bits in the register. In this embodiment the key length is 80 bits, and the operational relationship between the 64-bit plaintext or data state to be encrypted in the Shadow cipher and the 80-bit round key of round i is as follows:
Wherein the nonlinear S-box substitution operation comprises: performing the composite affine operation on the key and the S0 box; counting the first repetition value σ, in the finite field GF(2^4), of the data obtained from the composite affine operation; when σ < 8, the data computed in step A2 are substituted through the S1 box; when σ > 12, through the S3 box; and when 8 ≤ σ ≤ 12, through the S2 box. The S0 box is the PRESENT algorithm S-box, and the S1, S2 and S3 boxes are all generated by performing the composite affine operation on the S0 box and a random matrix and then randomly selecting composite affine equivalent S-boxes of the S0 box according to the range of the second repetition value σ'.
In a specific implementation, the composite affine operation on the secret key and the S0 box comprises the following steps:
In the finite field GF(2^4), the element values of a 4-bit S-box are denoted in order, from left to right and from the high bit to the low bit, as S0, S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11, S12, S13, S14, S15, and expressed as a 4th-order matrix α:
The key is divided, from the high bit to the low bit and from left to right, into data units of 4 bits each; an 80-bit key is thus divided into 20 data units, denoted k0, k1, k2, k3, …, k17, k18, k19, and a 128-bit key into 32 data units, denoted k0, k1, k2, k3, …, k29, k30, k31.
The first 16 data units of the key are selected in order from left to right and from the high bits to the low bits, and represented by a 4th-order matrix β as follows:
The composite affine of matrix α and matrix β is computed; the composite affine matrix is denoted γ, and the composite affine process is given by the following formula:
Wherein, the generation process of the S0 box, the S1 box, the S2 box and the S3 box comprises the following steps:
Selecting the PRESENT algorithm S-box as the S0 box; one purpose of the S0 box is to undergo the composite affine operation with the secret key, which serves as the basis for selecting which of the S1, S2 and S3 boxes performs the substitution on the data to be encrypted;
Performing the composite affine operation on the S0 box and a randomly selected matrix containing 16 data units, and counting, in the composite affine matrix γ', the positions of the repeated values, the second repetition value σ' in the finite field GF(2^4), and the group of repeated and missing values;
Permuting the data units in the group of repeated and missing values, filling each permutation in turn into the positions of the repeated values in the composite affine matrix γ', and screening out the composite affine equivalent S-boxes of the S0 box, where a composite affine equivalent S-box of the S0 box is identical to the S0 box in nonlinearity, differential uniformity and linear approximation;
Judging whether a composite affine equivalent S-box of the S0 box has a fixed point, and if so, XORing the composite affine equivalent S-box with a constant to eliminate the fixed point;
Randomly selecting, as the S1 box, a composite affine equivalent S-box whose second repetition value satisfies σ' < 8 and whose fixed point has been eliminated;
Randomly selecting, as the S3 box, a composite affine equivalent S-box whose second repetition value satisfies σ' > 12 and whose fixed point has been eliminated;
And randomly selecting, as the S2 box, a composite affine equivalent S-box whose second repetition value satisfies 8 ≤ σ' ≤ 12 and whose fixed point has been eliminated.
The sets of fixed-point-free composite affine equivalent S-boxes corresponding to the three value ranges of the second repetition value σ' are pairwise different.
More specifically, the generating process of the S0, S1, S2 and S3 boxes includes the following steps:
C1: selecting the PRESENT algorithm S-box as the S0 box;
C2: in the finite field GF(2^4), a matrix β' containing 16 data units is randomly selected, and the composite affine operation is performed on β' and the S0 box to obtain the matrix γ'; the matrices γ' are divided into three classes according to the size of the second repetition value σ': σ' < 8, σ' > 12, and 8 ≤ σ' ≤ 12;
C3: counting, in the composite affine matrix γ', the positions where repeated values occur, the second repetition value σ' in GF(2^4) and the group of repeated and missing values; judging to which class γ' belongs according to σ'; permuting the data units in the group of repeated and missing values and filling each permutation in turn into the positions of the repeated values in γ'; judging whether the filled matrix γ' agrees with the S0 box in nonlinearity, differential uniformity and linear approximation; if so, γ' is an affine equivalent S-box of the S0 box, otherwise the next permutation is filled into γ' and the judgement is repeated;
C4: in the finite field GF(2^4), another matrix β' containing 16 data units is randomly selected, the composite affine operation with the S0 box is performed to obtain γ', the second repetition value σ' and the group of repeated and missing values appearing in γ' are counted, and the class of γ' among the three is judged according to σ'; if the class coincides with the one obtained in step C3, the selected random matrix is discarded, a new random matrix β' is selected and judged again, until a matrix γ' of a class different from that in step C3 is obtained; finally the search for an affine equivalent S-box is carried out on this γ' in the same way as in the previous step, which is not repeated here;
C5: in the finite field GF(2^4), a further matrix β' containing 16 data units is randomly selected, the composite affine operation with the S0 box is performed to obtain γ', the second repetition value σ' and the group of repeated and missing values appearing in γ' are counted, and it is judged according to σ' whether γ' belongs to the same class as in steps C3 or C4; if so, the selected random matrix β' is discarded, a new random matrix β' is selected and judged again, until a matrix γ' of a class different from those in steps C3 and C4 is obtained; finally the search for an affine equivalent S-box is carried out on this γ';
C6: judging whether the three classes of affine equivalent S-boxes obtained above have fixed points, and if so, XORing with a constant to eliminate them;
C7: randomly selecting an affine equivalent S-box with σ' < 8 and fixed points eliminated as the S1 box; randomly selecting an affine equivalent S-box with σ' > 12 and fixed points eliminated as the S3 box; and randomly selecting an affine equivalent S-box with 8 ≤ σ' ≤ 12 and fixed points eliminated as the S2 box.
In this example, the elements of the S0 box are shown in Table 1.
Table 1: S0 box elements
x     | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S0(x) | C 5 6 B 9 0 A D 3 E F 8 4 7 1 2
The matrix β' containing 16 data units is randomly set to {6, 3, 0, 1, E, 9, 5, 2, B, D, 8, C, 7, F, 4, A}; this matrix β' does not take part in the Shadow encryption and decryption process. The matrix γ' is then as shown in the following equation:
It can be seen that the matrix γ' has repeated values at positions 0, 4, 5, 9, 10 and 13, that the group of repeated and missing values in GF(2^4) is {0, 4, 5, 6, 9, C}, and that the second repetition value σ' of the composite affine of the S0 box and the random matrix β' satisfies σ' < 8;
The 720 permutations of the value group {0, 4, 5, 6, 9, C} are filled in turn into positions 0, 4, 5, 9, 10 and 13 of the matrix γ' in order to screen out the composite affine equivalent S-boxes of the S0 box;
It is then judged whether the composite affine equivalent S-boxes obtained in this step have fixed points, and if so, a constant is XORed in to eliminate them. In this embodiment, all the composite affine equivalent S-boxes screened out by the above method have a fixed point, cannot be used directly in the nonlinear layer, and have the fixed point eliminated by XORing the equivalent S-box with a constant. The element values of the S1 box, randomly selected from the fixed-point-free composite affine equivalent S-boxes, are therefore {1, 2, 8, F, 9, 3, B, 6, A, 5, 0, E, 7, C, D, 4};
Similarly, when the second repetition value of the composite affine of the S0 box and the random matrix β' satisfies 8 ≤ σ' ≤ 12, the S2 box element values are {1, 7, F, 8, 5, 6, D, 4, C, E, B, A, 9, 0, 2, 3}; when σ' > 12, the S3 box element values are {1, 8, 5, 7, 0, 6, F, A, 3, D, 9, E, 4, 2, C, B}. The elements of the S1, S2 and S3 boxes are shown in Tables 2 to 4 respectively:
Table 2: S1 box elements
x     | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S1(x) | 1 2 8 F 9 3 B 6 A 5 0 E 7 C D 4
Table 3: S2 box elements
x     | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S2(x) | 1 7 F 8 5 6 D 4 C E B A 9 0 2 3
Table 4: S3 box elements
x     | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S3(x) | 1 8 5 7 0 6 F A 3 D 9 E 4 2 C B
The PRESENT algorithm S-box is selected as the S0 box and, relying on the fact that some cryptographic indices of an S-box are not affected by affine transformation, a matrix β' containing 16 data units is randomly selected in GF(2^4) and the composite affine operation is performed with the S0 box; three groups of S-boxes whose relevant cryptographic properties are identical to those of the S0 box are screened out according to the range of the second repetition value, namely the S1, S2 and S3 boxes. One of the S1, S2 and S3 boxes is then selected for the nonlinear S-box substitution according to the first repetition value σ of the composite affine of the round key and the S0 box, which constructs a pseudo-random usage method.
In this embodiment, the row shift operation includes the following steps:
The 64-bit data state to be encrypted after the nonlinear S-box substitution (1 ≤ i ≤ R) is divided, from the high bit to the low bit, into 16 data units of 4 bits each; is rotated cyclically left by 7 bits; is rotated cyclically left by 9 bits; is rotated cyclically left by 11 bits; is rotated cyclically left by 13 bits. In other embodiments, different rotation amounts may be set as desired.
Wherein the linear column mixing operation comprises the steps of:
In the finite field GF(2^4), a column mixing transformation matrix δ is constructed based on the Schmidt (Gram-Schmidt) orthogonalization principle;
The 64-bit data state to be encrypted after the row shift (1 ≤ j ≤ R) is divided, from the high bit to the low bit, into 16 data units of 4 bits each; the 16 data units are arranged as a 4 × 4 matrix, and the column mixing transformation matrix δ is multiplied with this 4 × 4 matrix in the finite field GF(2^4) according to the following formula:
In this embodiment, the construction process of the column hybrid transformation matrix δ includes the following steps:
Let λ1, λ2, λ3, λ4 denote the column vectors of δ;
Each column vector of the matrix δ has 65536 possible arrangements; to make the Shadow algorithm perform better in hardware implementation, in this embodiment one of the 81 arrangements composed of the three low-XOR-cost values 1, 2 and 4 is randomly selected as λ1. Let μ1 = λ1. If |μ1| equals 0, or the Hamming weight of μ1 fails its condition, or [μ1, μ1] has no inverse in the finite field GF(2^4), an arrangement is randomly selected again as λ1; otherwise the next construction step is entered. In this example μ1 = λ1 = [4, 4, 2, 4]^T is randomly selected, and [μ1, μ1] = 7, so the condition is satisfied. Here |μ1| denotes the modulus of μ1, the Hamming weight of μ1 is also used, and [μ1, μ1] denotes the inner product of μ1 with itself; the similar expressions below have the same meanings and are not explained again;
One of the 81 arrangements composed of 1, 2 and 4 is randomly selected as λ2, and μ2 is formed from λ2 and μ1 by the orthogonalization step. If |μ2| equals 0, or the Hamming weight of μ2 fails its condition, or [μ2, μ2] has no inverse in GF(2^4), an arrangement is randomly selected again as λ2; otherwise the next construction step is entered. In this example λ2 = [4, 2, 1, 4]^T is randomly selected, and [μ2, μ2] = 13, so the condition is satisfied;
One of the 81 arrangements composed of 1, 2 and 4 is randomly selected as λ3, and μ3 is formed from λ3, μ1 and μ2 by the orthogonalization step. If |μ3| equals 0, or the Hamming weight of μ3 fails its condition, or [μ3, μ3] has no inverse in GF(2^4), an arrangement is randomly selected again as λ3; otherwise the next construction step is entered. In this example λ3 = [1, 1, 4, 2]^T is randomly selected, and [μ3, μ3] = 3, so the condition is satisfied;
One of the 81 arrangements composed of 1, 2 and 4 is randomly selected as λ4, and μ4 is formed from λ4, μ1, μ2 and μ3 by the orthogonalization step. If |μ4| equals 0, or the Hamming weight of μ4 fails its condition, or [μ4, μ4] has no inverse in GF(2^4), an arrangement is randomly selected again as λ4; otherwise the column mixing transformation matrix δ is output. In this example λ4 = [4, 4, 1, 4]^T is randomly selected, and [μ4, μ4] = 1, so the condition is satisfied.
The above construction steps yield δ as follows:
The invention adopts the mathematical method of Schmidt (Gram-Schmidt) orthogonalization to construct the column mixing transformation matrix in the finite field GF(2^4). The branch number is an important criterion in the design of linear permutations: the larger the branch number of a linear permutation, the stronger its resistance to differential and linear cryptanalysis. In general, linear permutations correspond one-to-one with matrices over the number domain, so the branch number of a linear permutation is also called the matrix branch number; the 4th-order column mixing matrix constructed as above reaches the maximum branch number of 5 and can effectively resist differential and linear cryptanalysis.
In this embodiment, updating the key comprises the following steps:
When the key length is 80 bits, each key update in rounds 1 to R comprises: dividing the key stored in the register, from the high bit to the low bit and from left to right, into data units of 4 bits each; the first 10 data units k0, k1, …, k9 are rotated cyclically left by 25 bits, the following 10 data units k10, k11, …, k19 are rotated cyclically left by 33 bits, and the highest data unit k0 is passed through the S0 box substitution to obtain the updated key, which is taken as the key to be updated in the next round; the round key of round i (1 ≤ i ≤ R+1) is the highest 64 bits in the register;
When the key length is 128 bits, each key update in rounds 1 to R comprises: dividing the key stored in the register, from the high bit to the low bit and from left to right, into data units of 4 bits each; the first 16 data units k0, k1, …, k15 are rotated cyclically left by 49 bits, the last 16 data units k16, k17, …, k31 are rotated cyclically left by 61 bits, and the two highest data units k0, k1 and the two lowest data units k30, k31 are passed through the S0 box substitution to obtain the updated key, which is taken as the key to be updated in the next round; the round key of round i (1 ≤ i ≤ R+1) is the highest 64 bits in the register. In other embodiments, the number of bits of the cyclic left shifts may be set to different values as desired.
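The 80-bit and 128-bit key updates above are fully specified by the text, so they can be reproduced and the round keys consumed by steps A2 and A3 enumerated. The following Python code is an added example, not the patent's own implementation; it assumes that each half of the register is rotated as an independent 40-bit (or 64-bit) word, that k0 is the most significant data unit, and that no round constant is involved, since none is described.

```python
"""Shadow-80 / Shadow-128 key schedule of the embodiment (added example,
not the patent's code). Assumptions: halves rotate independently, k0 is
the most significant nibble, no round constant."""

# PRESENT S-box, used as the S0 box (Table 1 on the page).
S0 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

ROUNDS = {80: 25, 128: 32}  # iteration round number R per key length


def _rotl(value, amount, width):
    """Cyclic left shift of a width-bit word."""
    mask = (1 << width) - 1
    return ((value << amount) | (value >> (width - amount))) & mask


def _sbox_nibble(key, key_bits, index):
    """Replace data unit k_index (nibbles counted from the high end) with S0[k_index]."""
    shift = key_bits - 4 * (index + 1)
    nibble = (key >> shift) & 0xF
    return (key & ~(0xF << shift)) | (S0[nibble] << shift)


def update_key_80(key):
    """One Shadow-80 key update: k0..k9 rotated left by 25, k10..k19 by 33, then S0(k0)."""
    mask40 = (1 << 40) - 1
    hi = _rotl(key >> 40, 25, 40)
    lo = _rotl(key & mask40, 33, 40)
    return _sbox_nibble((hi << 40) | lo, 80, 0)


def update_key_128(key):
    """One Shadow-128 key update: k0..k15 rotated left by 49, k16..k31 by 61,
    then k0, k1, k30 and k31 through S0."""
    mask64 = (1 << 64) - 1
    hi = _rotl(key >> 64, 49, 64)
    lo = _rotl(key & mask64, 61, 64)
    key = (hi << 64) | lo
    for index in (0, 1, 30, 31):
        key = _sbox_nibble(key, 128, index)
    return key


def round_keys(key, key_bits):
    """Return the R+1 round keys: the highest 64 bits of the register before
    each of the R rounds, plus the one used by the final addition in step A3."""
    if key_bits not in ROUNDS or key < 0 or key >> key_bits:
        raise ValueError("key must be a non-negative 80- or 128-bit integer")
    update = update_key_80 if key_bits == 80 else update_key_128
    keys = []
    for _ in range(ROUNDS[key_bits] + 1):
        keys.append(key >> (key_bits - 64))
        key = update(key)
    return keys


if __name__ == "__main__":
    # Key taken from the last row of Table 8 on the page; prints the first three round keys.
    for rk in round_keys(0x0123456789ABCDEF4567, 80)[:3]:
        print(f"{rk:016X}")
```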
A3: performing the round key addition on the data to be encrypted and the key obtained after the R-th round is finished, and outputting the ciphertext. The principle of the round key addition in this step is the same as in step A2 and is not described again.
In this embodiment, when decrypting the ciphertext, as shown in Figure 1, the decryption process comprises the following steps:
B1: acquiring 64-bit ciphertext to be decrypted, and determining an iteration round number R' according to the number of key bits; when the length of the key is 80-bit, the value of R' is 25; when the key length is 128-bit, R' takes the value of 32;
B2: performing round key addition operation on the first 64 bits selected from the high bit to the low bit of the key obtained after the last round of operation in the encryption process and the data to be decrypted, updating the key in the decryption process according to the reverse order of the updated key in the encryption process, and taking the obtained data as the data to be decrypted in the 1 st round of operation;
B3: in rounds 1 to R' of decryption, sequentially performing on the data to be decrypted the linear column mixing inverse, the row shift inverse, the nonlinear S-box substitution inverse and the round key addition, and updating the key of the decryption process in the reverse order of the key updates of the encryption process; taking the data obtained after the round key addition as the data to be decrypted in the next round and the updated key as the key of the next round; and outputting the plaintext after round R' is completed.
The linear column mixing inverse, row shift inverse, nonlinear S-box substitution inverse and round key addition of the decryption process are the inverse operations of, respectively, the linear column mixing, row shift, nonlinear S-box substitution and round key addition of the encryption process.
In this embodiment, the nonlinear S-box substitution inverse operation: the keys of the encryption process are used in reverse order in the decryption process, and the decryption boxes S1^-1, S2^-1 and S3^-1 are shown in Tables 5, 6 and 7 respectively. The composite affine operation is performed on the S0 box and the key; when the first repetition value σ of the composite affine of the S0 box and the key satisfies σ < 8, the data to be decrypted pass through the S1^-1 box; when σ > 12, through the S3^-1 box; and when 8 ≤ σ ≤ 12, through the S2^-1 box. The 64-bit data state to be decrypted (1 ≤ i ≤ R') is divided, from the high bit to the low bit, into 16 data units of 4 bits each, and all 16 data units undergo the inverse S-box substitution according to the following formula:
(0≤j≤15)(1≤i≤R′)
Table 5: S1^-1 box elements
x        | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S1^-1(x) | A 0 1 5 F 9 7 C 2 4 8 6 D E B 3
Table 6: S2^-1 box elements
x        | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S2^-1(x) | D 0 E F 7 4 5 1 3 C B A 8 6 9 2
Table 7: S3^-1 box elements
x        | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S3^-1(x) | 4 0 D 8 C 2 5 3 1 A 7 F E 9 B 6
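The screening criteria stated for the S1, S2 and S3 boxes (the same nonlinearity, differential uniformity and linear approximation as the S0 box, and no fixed point after the constant XOR) and the inverse boxes of Tables 5 to 7 can be checked directly from the printed tables. The following Python code is an added example, not code from the patent; it takes only the tables on the page as input and implements the standard difference-distribution and Walsh-spectrum computations for 4-bit S-boxes, without the composite affine generation step, whose formula is not reproduced on the page.

```python
"""Recompute the S-box screening properties named in the patent for the boxes
in Tables 1-4 and verify the inverse boxes in Tables 5-7 (added example)."""
from itertools import product

# S-box element tables exactly as printed on the page (index = input nibble).
S0 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
S1 = [0x1, 0x2, 0x8, 0xF, 0x9, 0x3, 0xB, 0x6, 0xA, 0x5, 0x0, 0xE, 0x7, 0xC, 0xD, 0x4]
S2 = [0x1, 0x7, 0xF, 0x8, 0x5, 0x6, 0xD, 0x4, 0xC, 0xE, 0xB, 0xA, 0x9, 0x0, 0x2, 0x3]
S3 = [0x1, 0x8, 0x5, 0x7, 0x0, 0x6, 0xF, 0xA, 0x3, 0xD, 0x9, 0xE, 0x4, 0x2, 0xC, 0xB]
# Inverse boxes as printed in Tables 5-7.
S1_INV = [0xA, 0x0, 0x1, 0x5, 0xF, 0x9, 0x7, 0xC, 0x2, 0x4, 0x8, 0x6, 0xD, 0xE, 0xB, 0x3]
S2_INV = [0xD, 0x0, 0xE, 0xF, 0x7, 0x4, 0x5, 0x1, 0x3, 0xC, 0xB, 0xA, 0x8, 0x6, 0x9, 0x2]
S3_INV = [0x4, 0x0, 0xD, 0x8, 0xC, 0x2, 0x5, 0x3, 0x1, 0xA, 0x7, 0xF, 0xE, 0x9, 0xB, 0x6]


def is_bijective(sbox):
    """A 4-bit S-box can be inverted for decryption only if it is a permutation."""
    return sorted(sbox) == list(range(16))


def invert(sbox):
    inv = [0] * 16
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def fixed_points(sbox):
    """Inputs x with S(x) = x; the patent XORs a constant into the box to remove them."""
    return [x for x in range(16) if sbox[x] == x]


def differential_uniformity(sbox):
    """Largest difference-distribution-table entry over nonzero input differences."""
    worst = 0
    for din in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        worst = max(worst, max(counts))
    return worst


def _parity(v):
    return bin(v).count("1") & 1


def linearity(sbox):
    """Largest |Walsh coefficient| over all input masks a and nonzero output masks b;
    this is the 'linear approximation' figure the patent's screening compares."""
    best = 0
    for a, b in product(range(16), range(1, 16)):
        walsh = sum((-1) ** (_parity(a & x) ^ _parity(b & sbox[x])) for x in range(16))
        best = max(best, abs(walsh))
    return best


def nonlinearity(sbox):
    """Minimum Hamming distance from any nonzero component function to the affine functions."""
    return (16 - linearity(sbox)) // 2


def passes_screening(candidate, reference=S0):
    """The patent's acceptance rule for an equivalent box: bijective, no fixed point,
    and the same differential uniformity and linearity as the S0 box."""
    return (
        is_bijective(candidate)
        and not fixed_points(candidate)
        and differential_uniformity(candidate) == differential_uniformity(reference)
        and linearity(candidate) == linearity(reference)
    )


def inverse_tables_consistent():
    """Tables 5-7 must be the true inverses of Tables 2-4."""
    return (invert(S1), invert(S2), invert(S3)) == (S1_INV, S2_INV, S3_INV)


if __name__ == "__main__":
    for name, box in (("S0", S0), ("S1", S1), ("S2", S2), ("S3", S3)):
        print(name, "DU =", differential_uniformity(box), "NL =", nonlinearity(box),
              "fixed points =", fixed_points(box), "passes =", passes_screening(box))
    print("inverse tables consistent:", inverse_tables_consistent())
```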
In this embodiment, the row shift inverse operation: the 64-bit intermediate data state to be decrypted (1 ≤ i ≤ R') is divided, from the high bit to the low bit, into 16 data units of 4 bits each; is rotated cyclically right by 7 bits; is rotated cyclically right by 9 bits; is rotated cyclically right by 11 bits; is rotated cyclically right by 13 bits;
In this embodiment, the column mixing inverse operation: the inverse of the column mixing transformation matrix δ is as follows:
The column mixing inverse operation likewise divides the 64-bit data state to be decrypted (1 ≤ i ≤ R') from the high bit to the low bit into 16 data units of 4 bits each, arranges the 16 data units as a 4 × 4 matrix, and multiplies the inverse column mixing matrix with this 4 × 4 matrix in the finite field GF(2^4), as expressed by the following formula:
In a second aspect of the present invention, a lightweight block cipher algorithm Shadow implementation apparatus is provided, comprising:
An initialization unit, used for obtaining the 64 bits of plaintext to be encrypted and determining the iteration round number R according to the number of key bits;
An iteration processing unit, used for sequentially performing the round key addition, the nonlinear S-box substitution, the row shift and the linear column mixing on the data to be encrypted in each of rounds 1 to R, and updating the key; the data obtained after the linear column mixing are taken as the data to be encrypted in the next round, and the updated key is taken as the key of the next round;
Wherein the round key addition operation comprises: selecting the first 64 bits of the key and a plaintext to be encrypted according to the sequence from high bits to low bits to perform round key addition operation;
The nonlinear S-box substitution operation comprises: performing the composite affine operation on the key and the S0 box; counting the first repetition value σ, in the finite field GF(2^4), of the data obtained from the composite affine operation; when σ < 8, the data computed in step A2 are substituted through the S1 box; when σ > 12, through the S3 box; and when 8 ≤ σ ≤ 12, through the S2 box;
A ciphertext generation unit, used for performing the round key addition on the data to be encrypted and the key obtained after the R-th round is finished, and outputting the ciphertext.
The specific function implementation processes of the initialization unit, the iteration processing unit and the ciphertext generating unit refer to the lightweight block cipher algorithm Shadow implementation method provided by the embodiment.
In a third aspect of the present invention, a computer-readable storage medium is provided, which includes a stored program adapted to be loaded by a processor and to execute the above lightweight block cipher algorithm Shadow implementation method.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The invention provides a lightweight block cipher algorithm Shadow implementation method, a device and a computer readable medium based on an SPN structure.
In the nonlinear layer, the PRESENT algorithm S-box is selected as the S0 box and, on the basis that some cryptographic indices of an S-box are not affected by affine transformation, a matrix β' containing 16 data units is randomly selected in the finite field GF(2^4) and the composite affine operation is performed with the S0 box; three groups of S-boxes whose relevant cryptographic properties are identical to those of the S0 box are screened out according to the range of the second repetition value, namely the S1, S2 and S3 boxes. In the Shadow encryption process, one of the S1, S2 and S3 boxes is selected for the nonlinear S-box substitution according to the first repetition value σ of the composite affine of the round key and the S0 box, which constructs a pseudo-random usage method. On the one hand, the confusion effect of a round function is usually realized by an S-box or by arithmetic operations; this method constructs a pseudo-random usage method by the composite affine mathematical method on top of a key-dependent S-box, which greatly improves the confusion effect of the round function, effectively resists attacks, and avoids the problem that a fixed component cannot sufficiently resist known or unknown attacks. On the other hand, the method avoids weak S-boxes when constructing the key-dependent S-boxes and saves a large amount of screening time.
In the linear layer, the invention combines a row shift operation with a column mixing operation, so that after 3 rounds each byte of the intermediate state depends as far as possible on all 16 plaintext bytes. In addition, the invention adopts the mathematical method of Schmidt (Gram-Schmidt) orthogonalization to construct the column mixing transformation matrix in the finite field GF(2^4). The branch number is an important criterion in the design of linear permutations: the larger the branch number of a linear permutation, the stronger its resistance to differential and linear cryptanalysis. In general, linear permutations correspond one-to-one with matrices over the number domain, so the branch number of a linear permutation is also called the matrix branch number; the 4th-order column mixing matrix constructed in this way reaches the maximum branch number of 5 and can effectively resist differential and linear cryptanalysis.
The method provided by the embodiment of the invention was tested; the Shadow test vectors are shown in Tables 8 and 9:
Table 8: Shadow-80 test data
Plaintext           | Key                      | Ciphertext
0000_0000_0000_0000 | 0000_0000_0000_0000_0000 | 2A23_38E6_6F67_E8EA
FFFF_FFFF_FFFF_FFFF | FFFF_FFFF_FFFF_FFFF_FFFF | DB82_B303_8851_44ED
0000_0000_0000_0000 | FFFF_FFFF_FFFF_FFFF_FFFF | 1D49_6C72_2B3F_790A
0123_4567_89AB_CDEF | 0123_4567_89AB_CDEF_4567 | 07CC_034A_BBC2_7CE2
Table 9: Shadow-128 test data
The Shadow cryptographic algorithm was simulated on ModelSim SE 6.1f Evaluation and synthesized on Synopsys Design Compiler Version B-2008.09, with the SMIC 0.18 μm CMOS process library; in the synthesis experiment the unit of area resource is the GE.
The hardware resource report of the Shadow lightweight block cipher describes the resources occupied by each component of the encryption module as follows: the 64-bit plaintext is stored in a register and needs 344 GE; in the round key addition module, the round key XOR unit requires 170.85 GE; the nonlinear S-box substitution module requires 440 GE; the linear column mixing module converts the multiplication into XOR and shift operations, which reduces the implementation resources, so only 50 GE are needed. The resources occupied by each component of the key update module are as follows: in the Shadow-80 algorithm, the register storing the 80-bit key needs 420 GE and the S-box substitution needs 24 GE; in the Shadow-128 algorithm, the register storing the 128-bit key needs 688 GE and the S-box substitution needs 48 GE. In the algorithm implementation, the control logic unit and the counter need 40 GE. The Shadow-80 hardware implementation resource list is shown in Table 10, and the Shadow-128 list in Table 11.
TABLE 10 Shadow-80 cipher hardware implementation resource list
Algorithm module               GE        Resource occupation ratio
Plaintext register             344       23.11%
S-box substitution transform   464       31.16%
Column mixing transform        50        3.36%
Round key addition transform   170.85    11.48%
Key register                   420       28.20%
Control logic                  40        2.69%
Sum                            1488.85   100%
TABLE 11 Shadow-128 cipher hardware implementation resource List
The implementation area of the Shadow cipher is compared with that of several existing SPN-structured lightweight block ciphers in Table 12.
TABLE 12 lightweight block cipher algorithm implementation area comparison
In the lightweight block cipher algorithm Shadow implementation method based on the SPN structure, the confusion effect of the round function is usually obtained from an S-box or from arithmetic operations; here the pseudo-random key-dependent S-box is constructed with a composite affine mathematical method, which greatly improves the confusion effect of the round function. Moreover, the method avoids weak S-boxes while constructing the key-dependent S-boxes and saves a large amount of screening time. In the linear layer, the invention uses Schmidt matrix orthogonalization over the finite field GF(2^4) to construct a column mixing matrix with branch number 5, which effectively resists differential and linear cryptanalysis. Finally, the hardware resources of the Shadow algorithm are compared with those of several classic SPN-structured ciphers, showing that the implementation area of Shadow is moderate.
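To make the S-box screening that claim 3 describes concrete, the Python below is an added example and not the patent's code. The composite affine formula itself is not reproduced on the page, so the input γ' is a constructed 16-entry table (the PRESENT S-box S0 with two of its values duplicated). The functions count the repeated positions to obtain σ', form the repeated-and-missing value group, write each arrangement of that group into the repeated positions to obtain bijective equivalent S-boxes, XOR out fixed points with a constant, and assign the result to the S1, S2 or S3 pool by the thresholds 8 and 12. Reading σ' as the number of repeated positions is an assumption.

```python
"""Added example (not the patent's code): the S-box screening steps of claim 3,
driven by a constructed stand-in for the composite affine output gamma'."""
from itertools import permutations

# S0: the PRESENT S-box, which the patent names as its base S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed input: the page does not reproduce the composite affine formula, so this
# 16-entry table (PRESENT with positions 3 and 7 overwritten by duplicate values)
# stands in for the composite affine matrix gamma' whose repeats the patent counts.
GAMMA_PRIME = [0xC, 0x5, 0x6, 0xC, 0x9, 0x0, 0xA, 0x5,
               0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def repeated_positions(table):
    """Positions holding a value that occurs more than once in the table."""
    return [i for i, v in enumerate(table) if table.count(v) > 1]


def repetition_value(table):
    """sigma (or sigma'): the number of repeated positions (assumed reading of the claim)."""
    return len(repeated_positions(table))


def repeat_and_missing_group(table):
    """Distinct repeated values plus the GF(2^4) values absent from the table. Its size
    always equals the number of repeated positions, so a permutation of it fills them."""
    repeated = {v for v in table if table.count(v) > 1}
    missing = {v for v in range(16)} - set(table)
    return sorted(repeated | missing)


def equivalent_sboxes(table):
    """Yield every bijective table obtained by writing one arrangement of the
    repeat-and-missing group into the repeated positions (the claim's
    'composite affine equivalent S-boxes' of S0)."""
    positions = repeated_positions(table)
    for arrangement in permutations(repeat_and_missing_group(table)):
        sbox = list(table)
        for pos, val in zip(positions, arrangement):
            sbox[pos] = val
        yield sbox


def is_bijective(sbox):
    return sorted(sbox) == list(range(16))


def remove_fixed_points(sbox):
    """XOR the whole table with the smallest constant c such that no x has S[x] ^ c == x.
    XOR with a constant keeps the table bijective; c == 0 means there was nothing to fix."""
    for c in range(16):
        cand = [v ^ c for v in sbox]
        if all(cand[x] != x for x in range(16)):
            return cand, c
    raise ValueError("no XOR constant removes every fixed point")


def select_pool(sigma):
    """Claim 3 thresholds: sigma < 8 -> S1, sigma > 12 -> S3, otherwise S2."""
    if sigma < 8:
        return "S1"
    if sigma > 12:
        return "S3"
    return "S2"


def screen(table):
    """Run the claim 3 pipeline on one gamma' table: (pool name, fixed-point-free S-boxes)."""
    pool = select_pool(repetition_value(table))
    sboxes = [remove_fixed_points(s)[0] for s in equivalent_sboxes(table)]
    return pool, sboxes


if __name__ == "__main__":
    pool, sboxes = screen(GAMMA_PRIME)
    print("sigma' =", repetition_value(GAMMA_PRIME), "-> pool", pool)  # 4 -> S1
    print("candidate S-boxes:", len(sboxes))                           # 24
    print("first candidate:", [f"{v:X}" for v in sboxes[0]])
```

The constructed γ' has four repeated positions, so the group has four members and 4! = 24 arrangements; a real composite affine output with σ' near 12 would have on the order of 12! arrangements, which is why the claim samples the pools at random rather than enumerating them. Note also that `remove_fixed_points` can fail: a table in which S[x] XOR x already takes all 16 values has no constant that removes every fixed point, so the check has to be reported rather than assumed.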
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. A lightweight block cipher algorithm Shadow implementation method, characterized by comprising the following steps:
A1: obtaining the 64-bit plaintext to be encrypted, and determining the number of iteration rounds R according to the number of bits of the secret key;
A2: in the 1st to R-th rounds of operation, sequentially performing the round key addition operation, the nonlinear S-box substitution operation, the row shift operation and the linear column mixing operation on the data to be encrypted in each round, and updating the key; taking the data obtained after the linear column mixing operation as the data to be encrypted in the next round of operation, and the updated key as the key of the next round of operation;
wherein the round key addition operation comprises: selecting the first 64 bits of the key, in order from high bits to low bits, and performing the round key addition operation with the plaintext to be encrypted;
the nonlinear S-box substitution operation comprises: performing a composite affine operation on the key and the S0 box; counting, over the finite field GF(2^4), the first repetition value σ of the data obtained by the composite affine operation; when σ < 8, the data calculated in step A2 is passed through the S1 box for the nonlinear S-box substitution operation; when σ > 12, the data calculated in step A2 is passed through the S3 box; when 8 ≤ σ ≤ 12, the data calculated in step A2 is passed through the S2 box; the S0 box is the PRESENT algorithm S-box, and the S1, S2 and S3 boxes are all generated by performing the composite affine operation on the S0 box and a random matrix and then randomly selecting composite affine equivalent S-boxes of the S0 box according to the range of the second repetition value σ';
A3: performing the round key addition operation on the data to be encrypted and the key obtained after the R-th round of operation is finished, and outputting the ciphertext.
2. The lightweight block cipher algorithm Shadow implementation method according to claim 1, wherein the round key addition operation comprises the following steps:
selecting the first 64 bits of the key in order from high bit to low bit, and obtaining the data to be encrypted in the current round of operation;
performing an XOR operation between the data to be encrypted and the selected first 64 bits of the key.
3. The lightweight block cipher algorithm Shadow implementation method according to claim 1, characterized in that
the composite affine operation of the key and the S0 box comprises the following steps:
over the finite field GF(2^4), the element values of the 4-bit S0 box are denoted S0, S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11, S12, S13, S14, S15 in order from left to right and from high to low, and expressed as a 4th-order matrix α:
dividing the key into data units of 4 bits from high bit to low bit and from left to right, selecting the first 16 data units of the key in that order, and expressing them as a 4th-order matrix β as follows:
performing the composite affine of the matrix α and the matrix β, the composite affine matrix being denoted γ, where the composite affine process is shown by the following formula:
the generation process of the S0 box, S1 box, S2 box and S3 box comprises the following steps:
selecting the PRESENT algorithm S-box as the S0 box;
performing the composite affine operation on the S0 box and a randomly selected group of matrices containing 16 data units, and counting, over the finite field GF(2^4), the positions of the repeated values in the generated composite affine matrix γ', the second repetition value σ', and the repeated-and-missing value group;
arranging the data units of the repeated-and-missing value group, filling each arrangement in turn into the positions of the repeated values in the composite affine matrix γ', and thereby screening out the composite affine equivalent S-boxes of the S0 box;
judging whether a composite affine equivalent S-box of the S0 box has a fixed point and, if so, XORing the composite affine equivalent S-box with a constant to eliminate the fixed point;
randomly selecting, as the S1 box, a composite affine equivalent S-box whose second repetition value σ' is less than 8 and whose fixed points have been eliminated;
randomly selecting, as the S3 box, a composite affine equivalent S-box whose second repetition value σ' is greater than 12 and whose fixed points have been eliminated;
randomly selecting, as the S2 box, a composite affine equivalent S-box whose second repetition value σ' is between 8 and 12 inclusive and whose fixed points have been eliminated.
4. The lightweight block cipher algorithm Shadow implementation method according to claim 1, characterized in that the row shift operation comprises the following steps:
dividing the 64-bit data state to be encrypted after the nonlinear S-box substitution operation in round i, where 1 ≤ i ≤ R, into data units of 4 bits from high bit to low bit, obtaining 16 data units; cyclically left-shifting the designated data units by a bits, b bits, c bits and d bits respectively, where a, b, c and d are preset values.
5. The lightweight block cipher algorithm Shadow implementation method according to claim 1, characterized in that the linear column mixing operation comprises the following steps:
constructing, over the finite field GF(2^4), a column mixing transformation matrix δ based on the Schmidt matrix orthogonalization principle;
dividing the 64-bit data state to be encrypted after the row shift operation in round j, where 1 ≤ j ≤ R, into data units of 4 bits from high bit to low bit, obtaining 16 data units; combining the 16 data units into a 4 × 4 matrix, and multiplying the column mixing transformation matrix δ by the 4 × 4 matrix over the finite field GF(2^4) according to the following formula:
6. The lightweight block cipher algorithm Shadow implementation method according to claim 5, wherein the construction process of the column mixing transformation matrix δ comprises the following steps:
denoting λ1, λ2, λ3, λ4 as the column vectors of δ;
randomly selecting, as λ1, one of the 81 arrangements whose entries are taken from the three values 1, 2 and 4; letting μ1 = λ1; if |μ1| = 0, or ω(μ1) < 4, or [μ1, μ1] has no inverse element in the finite field GF(2^4), randomly selecting another arrangement as λ1; otherwise entering the next construction step;
randomly selecting, as λ2, one of the 81 arrangements whose entries are taken from the three values 1, 2 and 4; letting μ2 be the vector obtained by orthogonalizing λ2 against μ1; if |μ2| = 0, or ω(μ2) < 4, or [μ2, μ2] has no inverse element in the finite field GF(2^4), randomly selecting another arrangement as λ2; otherwise entering the next construction step;
randomly selecting, as λ3, one of the 81 arrangements whose entries are taken from the three values 1, 2 and 4; letting μ3 be the vector obtained by orthogonalizing λ3 against μ1 and μ2; if |μ3| = 0, or ω(μ3) < 4, or [μ3, μ3] has no inverse element in the finite field GF(2^4), randomly selecting another arrangement as λ3; otherwise entering the next construction step;
randomly selecting, as λ4, one of the 81 arrangements whose entries are taken from the three values 1, 2 and 4; letting μ4 be the vector obtained by orthogonalizing λ4 against μ1, μ2 and μ3; if |μ4| = 0, or ω(μ4) < 4, or [μ4, μ4] has no inverse element in the finite field GF(2^4), randomly selecting another arrangement as λ4; otherwise outputting the column mixing transformation matrix δ.
7. The lightweight block cipher algorithm Shadow implementation method according to claim 1, wherein the key length is 80 bits or 128 bits; when the key length is 80 bits, the number of iteration rounds R is 25, and when the key length is 128 bits, the number of iteration rounds R is 32; updating the key comprises the following steps:
when the key length is 80 bits, in the 1st to R-th rounds of key updating, each round of key updating includes: dividing the key stored in the register into data units of 4 bits from high bit to low bit and from left to right; cyclically left-shifting the first 10 data units k0, k1, …, k9 of the key in the register (from high bit to low bit) by e bits and the last 10 data units k10, k11, …, k19 by f bits; passing the highest data unit k0 through the S0 box substitution operation to obtain the updated key, which is taken as the key to be updated in the next round of key updating, where e and f are preset values;
when the key length is 128 bits, in the 1st to R-th rounds of key updating, each round of key updating includes: dividing the key stored in the register into data units of 4 bits from high bit to low bit and from left to right; cyclically left-shifting the first 16 data units k0, k1, …, k15 of the key in the register (from high bit to low bit) by g bits and the last 16 data units k16, k17, …, k31 by h bits; passing the two highest data units k0, k1 and the two lowest data units k30, k31 through the S0 box substitution operation to obtain the updated key, which is taken as the key to be updated in the next round of key updating, where g and h are preset values.
8. The lightweight block cipher algorithm Shadow implementation method according to any one of claims 1 to 7, wherein, when a ciphertext is decrypted, the decryption process comprises the following steps:
B1: acquiring the 64-bit ciphertext to be decrypted, and determining the number of iteration rounds R' according to the number of key bits;
B2: selecting the first 64 bits, from high bits to low bits, of the key obtained after the last round of operation of the encryption process, performing the round key addition operation with the data to be decrypted, and using the result as the data to be decrypted in the 1st round of operation;
B3: in the 1st to R'-th rounds of the decryption operation, sequentially performing, in each round, the inverse linear column mixing operation, the inverse row shift operation, the inverse nonlinear S-box substitution operation and the round key addition operation on the data to be decrypted, and updating the key of the decryption process in the reverse order of the key updates of the encryption process; taking the data obtained after the round key addition operation as the data to be decrypted in the next round, and the updated key as the key of the next round; and outputting the plaintext after the R'-th round of operation is completed.
9. A lightweight block cipher algorithm Shadow implementation device, characterized by comprising:
an initialization unit, used for obtaining the 64-bit plaintext to be encrypted and determining the number of iteration rounds R according to the number of key bits;
an iteration processing unit, used for sequentially performing, in each of the 1st to R-th rounds of operation, the round key addition operation, the nonlinear S-box substitution operation, the row shift operation and the linear column mixing operation on the data to be encrypted, and updating the key; taking the data obtained after the linear column mixing operation as the data to be encrypted in the next round of operation, and the updated key as the key of the next round of operation;
wherein the round key addition operation comprises: selecting the first 64 bits of the key, in order from high bits to low bits, and performing the round key addition operation with the plaintext to be encrypted;
the nonlinear S-box substitution operation comprises: performing a composite affine operation on the key and the S0 box; counting, over the finite field GF(2^4), the first repetition value σ of the data obtained by the composite affine operation; when σ < 8, the data calculated in step A2 is passed through the S1 box for the nonlinear S-box substitution operation; when σ > 12, the data calculated in step A2 is passed through the S3 box; when 8 ≤ σ ≤ 12, the data calculated in step A2 is passed through the S2 box;
a ciphertext generation unit, used for performing the round key addition operation on the data to be encrypted and the key obtained after the R-th round of operation is finished, and outputting the ciphertext.
10. A computer-readable medium, characterized in that it comprises a stored program adapted to be loaded by a processor and to perform the method of any of claims 1 to 8.
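As an added example (not the patent's code) of the key update in claim 7 and of the reversed key schedule that the decryption of claim 8 requires, the Python below rotates the two halves of an 80-bit or 128-bit key, passes the listed data units through S0 (the PRESENT S-box), and implements the inverse update. The rotation amounts e, f, g and h are preset values whose numbers are not on the page, so placeholders are used; applying S0 after the rotation, and the round counts 25 and 32, are the assumed ordering and the values stated in claim 7.

```python
"""Added example (not the patent's code): the Shadow key update of claim 7 and its
inverse, which the decryption of claim 8 runs to walk the key schedule backwards."""

# S0 is the PRESENT S-box (claim 3); its inverse is needed to undo the update.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PRESENT_INV = [PRESENT_SBOX.index(v) for v in range(16)]

# Round counts from claim 7. The rotation amounts e, f (80-bit) and g, h (128-bit) are
# "preset values" whose numbers are not on the page: the ones below are placeholders.
ROUNDS = {80: 25, 128: 32}
ROTATIONS = {80: (3, 5), 128: (7, 11)}          # placeholder (e, f) and (g, h)
SBOX_NIBBLES = {80: (0,), 128: (0, 1, 30, 31)}  # data units k_i passed through S0


def rotl(x, n, width):
    n %= width
    return ((x << n) | (x >> (width - n))) & ((1 << width) - 1)


def rotr(x, n, width):
    return rotl(x, width - (n % width), width)


def get_nibble(x, i, width):
    """Data unit k_i, counted from the high end as in the claim."""
    return (x >> (width - 4 * (i + 1))) & 0xF


def set_nibble(x, i, width, val):
    shift = width - 4 * (i + 1)
    return (x & ~(0xF << shift)) | (val << shift)


def _split(key, bits):
    half = bits // 2
    return key >> half, key & ((1 << half) - 1), half


def key_update(key, bits):
    """One round of claim 7: rotate each half left, then (assumed ordering) substitute
    the chosen data units through S0."""
    hi, lo, half = _split(key, bits)
    ra, rb = ROTATIONS[bits]
    k = (rotl(hi, ra, half) << half) | rotl(lo, rb, half)
    for i in SBOX_NIBBLES[bits]:
        k = set_nibble(k, i, bits, PRESENT_SBOX[get_nibble(k, i, bits)])
    return k


def key_update_inverse(key, bits):
    """Undo key_update: inverse S-box first, then rotate each half right."""
    k = key
    for i in SBOX_NIBBLES[bits]:
        k = set_nibble(k, i, bits, PRESENT_INV[get_nibble(k, i, bits)])
    hi, lo, half = _split(k, bits)
    ra, rb = ROTATIONS[bits]
    return (rotr(hi, ra, half) << half) | rotr(lo, rb, half)


def encryption_key_schedule(key, bits):
    """Keys K_0 .. K_R: K_r feeds round r+1, K_R the final round key addition (step A3)."""
    keys = [key]
    for _ in range(ROUNDS[bits]):
        keys.append(key_update(keys[-1], bits))
    return keys


def decryption_key_schedule(last_key, bits):
    """Claim 8: start from the key left by the last encryption round and update in reverse."""
    keys = [last_key]
    for _ in range(ROUNDS[bits]):
        keys.append(key_update_inverse(keys[-1], bits))
    return keys


if __name__ == "__main__":
    k80 = 0x0123_4567_89AB_CDEF_4567  # key from the Table 8 test vector
    enc = encryption_key_schedule(k80, 80)
    dec = decryption_key_schedule(enc[-1], 80)
    print("decryption schedule mirrors encryption:", dec == enc[::-1])  # True
```

The practical point for an implementer is the one claim 8 makes implicitly: a decryptor that only holds the original key must first run all R forward updates to reach the last round key before it can step backwards, whereas a device that stores the final key can start decrypting immediately, so the choice of which key to keep in the register affects both latency and what an attacker who reads the register obtains.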
CN201910916368.5A 2019-09-26 2019-09-26 Encryption method and device based on lightweight block cipher algorithm Shadow and computer readable medium Active CN110572255B (en)

Publications (2)

Publication Number Publication Date
CN110572255A true CN110572255A (en) 2019-12-13
CN110572255B CN110572255B (en) 2020-07-28

Family

ID=68782631

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111262685A (en) * 2020-01-17 2020-06-09 衡阳师范学院 Novel method and device for realizing Shield block cipher generated by secret key and readable storage medium
CN112511293A (en) * 2020-09-21 2021-03-16 中国电子科技集团公司第三十研究所 S-box parameterization design method based on bit sum operation and storage medium
CN112636899A (en) * 2020-09-21 2021-04-09 中国电子科技集团公司第三十研究所 Lightweight S box design method
CN112636899B (en) * 2020-09-21 2022-03-18 中国电子科技集团公司第三十研究所 Lightweight S box design method
CN112511293B (en) * 2020-09-21 2022-03-18 中国电子科技集团公司第三十研究所 S-box parameterization design method based on bit sum operation and storage medium
CN113343175A (en) * 2021-05-31 2021-09-03 中国电子科技集团公司第三十研究所 Rapid method for automatically searching SPN type lightweight block cipher active S box
CN113343276A (en) * 2021-07-01 2021-09-03 衡阳师范学院 Generalized two-dimensional cat mapping-based lightweight block cipher algorithm GCM implementation method
CN113343276B (en) * 2021-07-01 2022-06-14 衡阳师范学院 Encryption method of light-weight block cipher algorithm GCM based on generalized two-dimensional cat mapping
CN113645615A (en) * 2021-08-12 2021-11-12 衡阳师范学院 Lightweight block cipher encryption and decryption method
CN113645615B (en) * 2021-08-12 2023-12-22 衡阳师范学院 Lightweight block cipher encryption and decryption method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant