CN110690958B - Lightweight cipher hashing method based on sponge structure - Google Patents


Info

Publication number
CN110690958B
Authority
CN
China
Prior art keywords
message
memory state
rule
state
function
Prior art date
Legal status
Active
Application number
CN201910994150.1A
Other languages
Chinese (zh)
Other versions
CN110690958A (en
Inventor
段明
吴茜琼
李文捷
隋东君
王超
王伟
郭路路
周国淼
付超辉
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms

Abstract

The invention provides a lightweight cryptographic hash algorithm based on a sponge structure. The algorithm comprises the following steps. Step 1: receive an input message, pad it, divide the padded message into segments of length r, and denote the ith segment P_i, where r is the rate. Step 2: input the ith message segment P_i into the front of the memory state S, where S denotes a memory state with a four-dimensional structure whose dimensions are the fourth-dimensional state w, the third-dimensional state x, the second-dimensional state y and the first-dimensional state z. Step 3: apply the permutation F fifteen times to the memory state S, take the resulting F(S) as the new memory state S, and input the (i+1)th message segment P_{i+1} into the front of the memory state S; the permutation F consists of 6 functions. Step 4: repeat step 3 until all message segments have been processed, obtaining a new memory state S. Step 5: squeeze the first r bits of the memory state S according to a preset digest squeezing rule and use them as the message digest.

Description

Lightweight cipher hashing method based on sponge structure
Technical Field
The invention relates to the technical field of information security, in particular to a lightweight cipher hashing method based on a sponge structure.
Background
The cryptographic hash algorithm is one of the most important security components of cyberspace and one of the three basic cryptographic primitives. Its design and analysis receive wide attention, especially the design of lightweight cryptographic hash algorithms, because a balance must be found among mutually constraining factors such as implementation efficiency, hardware overhead and the comprehensive security analysis of the algorithm; this is why lightweight hash design is so closely studied.
The sponge structure is a cryptographic hash design structure proposed in 2007 by Bertoni et al. (Bertoni G. Sponge functions. In: Ecrypt Hash Workshop 2007, http:// www.csrc.nist.gov/pki/Hash Workshop/Public _ commands/2007 _ May. Html). It has been popular among symmetric-cryptography designers in recent years because its design differs from the classical MD structure and because its indifferentiability from a random oracle can be proved. The first and so far most successful sponge-based cryptographic hash algorithm is Keccak, which was selected as the new international cryptographic hash standard (SHA-3) in October 2012. Since the Keccak algorithm was published, cryptanalytic results on it have been numerous. Although the existing attacks pose no substantial threat to its security, the core permutation Keccak-f still exhibits a number of small non-random properties: the θ transformation has a large invariant subspace, which enables linear-structure analysis; the degree of the inverse of the χ transformation grows too slowly, which enables full-round zero-sum distinguishers; the round constants in the ι transformation are too simple; and the S-box has certain shortcomings in its properties and is relatively large.
Disclosure of Invention
The invention provides a lightweight cryptographic hash method based on a sponge structure, aiming to solve the following problems of the existing Keccak algorithm: the single-row inactive space of the θ transformation is too large, the degree of the inverse of the χ transformation grows too slowly, the round constants in the ι transformation are too simple, and the S-box has certain shortcomings in its properties and is relatively large.
The invention provides a lightweight cryptographic hash algorithm based on a sponge structure, which comprises the following steps:
step 1: receive an input message, pad it, divide the padded message into segments of length r, and denote the ith segment P_i, where r is the rate;
step 2: input the ith message segment P_i into the front of the memory state S, where S denotes a memory state with a four-dimensional structure whose dimensions are the fourth-dimensional state w, the third-dimensional state x, the second-dimensional state y and the first-dimensional state z;
step 3: apply the permutation F fifteen times to the memory state S, take the resulting F(S) as the new memory state S, and input the (i+1)th message segment P_{i+1} into the front of the memory state S; the permutation F consists of 6 functions;
step 4: repeat step 3 until all message segments have been processed, obtaining a new memory state S;
step 5: squeeze the first r bits of the memory state S according to a preset digest squeezing rule and use them as the message digest.
Further, in step 1 an end marker 64 bits long is appended to the tail of the input message; the end marker indicates the total length of the input message, which is at most 2^64 - 1. Accordingly, padding the input message in step 1 specifically comprises:
when the total length of the message is not a multiple of r, padding the message according to a preset padding rule so that the padded total length is a multiple of r;
the preset padding rule being:
rule 1: the total length of the padding is l, with l ≡ r - p (mod r), where p is the total length of the message before padding;
rule 2: the first bit of the padding is 1, the last bit is 1, and the remaining bits are 0.
Further, the digest squeezing rule is:
rule 1: output the first r bits of the memory state S as the first part of the message digest;
rule 2: check whether the length of the digest output so far meets the preset length requirement; if not, permute the memory state S to obtain F(S), output the first r bits of F(S), and append them to the digest output so far;
rule 3: repeat rule 2 until the length of the digest output reaches the preset length requirement.
Further, the permutation F is composed of 6 different functions, specifically:
F = δ ∘ ξ ∘ ζ ∘ σ ∘ μ ∘ φ,
where the φ function performs a linear permutation of each bit of the memory state S; the μ function cyclically shifts the memory state S along the z axis; the σ function permutes each longitudinal section of the memory state S; the ζ function permutes the x rows of the memory state S according to the mapping of the MIBS 4-bit S-box in each application of F; the ξ function performs a permutation on the w-dimensional state of the memory state S; and the δ function XORs the round constant R_c[i] bit by bit into S[w][0][0][z] after the ith application of F.
Further, the φ function performs the linear permutation of each bit of the memory state S as follows. Depending on the value of y, the bit S[w][x][y][z] is processed differently:
when y = 0 or 1,
S[w][x][y][z] ← S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z] + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1];
when y = 2 or 3,
S[w][x][y][z] ← S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z] + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1] + 1;
the side of "←" pointed to by the arrow is the value of bit S[w][x][y][z] after permutation, and the other side is the permutation computation.
Further, the μ function cyclically shifts the memory state S along the z axis, specifically:
S[w][x][y][z] ← S[w][x][y][z-t],
where t is the cyclic shift amount, 0 ≤ t ≤ 15, determined by
(matrix given as an image in the patent; not reproduced in the text)
with x + 4y = a + 2b + 4c + 8d, where a, b, c, d are intermediate quantities of the computation.
Further, the σ function permutes each longitudinal section of the memory state S, specifically so that S[x][y] = S[x'][y'], where:
(matrix given as an image in the patent; not reproduced in the text)
in GF(2)^{4×4}, with x + 4y = e + 2f + 4g + 8h and x' + 4y' = e' + 2f' + 4g' + 8h', where e, f, g, h, e', f', g', h' are intermediate quantities of the computation; GF(2)^{4×4} is the ring of 4×4 matrices over the binary field.
Further, during the ith application of F, bits (i·1000 + 1) to (i·1000 + 64) of e and π are selected and reduced bit by bit modulo 2 to obtain the round constant R_c[i].
The invention has the beneficial effects that:
the lightweight cryptographic hash method based on the sponge structure provided by the invention has the advantages that the security of the KECCAK algorithm is continued, and meanwhile, on the basis that the size of the permutation is 1024 bits, the internal state S of the four-dimensional structure and the permutation F consisting of 6 functions (namely F = delta. Xi. Zeta. Sigma. Mu. Phi.) are adopted, so that the security and the pseudo-randomness of the algorithm are further improved.
The permutation F designed by the present invention is a safer and more efficient internal fixed permutation for the relatively weak nature of some of the permutations or permutations in KECCAK-F, wherein: (1) For the fact that the proportion of 0 contained in a binary system of a wheel constant in a KECCAK-f algorithm is very large and often appears continuously, the influence of the wheel constant on stirring data is small, two common override numbers of pi and e are selected by a delta function designed by the method, and are combined with certain bits to obtain a wheel constant which is '0' and '1' relatively balanced and can better stir and store data in operation, and therefore the delta function can provide better wheel constant complexity; (2) The xi function is a displacement function on the w dimension, and the four-dimensional data operation is effectively combined with the regular tetrahedron structure, so that the diffusion effect can be further improved; (3) The problem analysis that one S box is selected for carrying out in x-dimensional correlation operation in the KECCAK-f algorithm shows that the inverse of the S box is always three times, the higher-order condition does not occur, the separability property is not particularly excellent, the zeta function designed by the method selects the S box with the input and output of the MIBS (micro-electro-magnetic resonance) with better separability property and 4bits, and the zeta function provides better help in resisting the separability property integral attack safety; (4) The sigma function is based on a carefully selected 15-order cycle group, and ensures that the maximum periodicity is provided after just one cycle after 15 rounds of replacement; (5) The mu function is cyclic shift on the z axis, because the length of the z axis is 16, and the value range of the cyclic shift is exactly 16, the maximum diversity is achieved; (6) The phi function effectively reduces the size of the immobile subspace, 
makes up the problem of poor attack property of the second primary image to a certain extent, and has better safety compared with KECCAK-f replacement.
In addition, by testing the permutation effect and the pseudo-randomness of the algorithm, wherein for the permutation effect, the sequences with little bit phase difference are mainly processed by the algorithm and the output abstract results are observed to be compared, the obtained output difference is very large under the condition of little bit phase difference, and the algorithm can be considered to form an avalanche effect; the pseudo-randomness test mainly comprises the steps of taking an abstract sequence with the length of 20000, carrying out single-bit test, playing card test and run test, and judging that the algorithm has good pseudo-randomness through research on obtained data.
In conclusion, the algorithm provided by the invention can be more safely applied to message summarization and the processing of digital signature on messages, has good application prospects in the aspects of verifying the integrity of installation files, verifying repeated submitted messages and the like, and also provides possibility for better application in various environments such as RFID, WSN, internet of things and the like.
Drawings
Fig. 1 is a schematic flow chart of a lightweight cryptographic hash algorithm based on a sponge structure according to an embodiment of the present invention;
Fig. 2 is a second schematic flow chart of a lightweight cryptographic hash algorithm based on a sponge structure according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the linear permutation performed on each bit by the φ function according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the σ function permuting each longitudinal section of the memory state S according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the permutation performed on the w-dimensional state of the memory state S by the ξ function, taking the (0,0,0,1) vector as an example, according to an embodiment of the present invention;
Fig. 6 is a schematic view of a conventional sponge structure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a lightweight cryptographic hash algorithm based on a sponge structure, whose main improvements over the KECCAK algorithm are the following:
1. the memory state S is upgraded to a four-dimensional data structure;
2. a permutation function F with a smaller invariant subspace is designed;
3. the size of the memory state S is reduced to 4 × 4 × 4 × 16 = 1024 bits.
In cryptography, a sponge structure (also called a sponge function) is an algorithm that uses a finite state to turn an input bit stream of any length into an output bit stream of any length. The prior sponge structure is shown in FIG. 6 (where P_i denotes the ith input message segment and Z_i the ith output digest segment); it is an iterative process over one fixed permutation f. The iteration is divided into two parts: the absorbing phase for the message and the squeezing phase for the message digest.
When the sponge structure is implemented in hardware, the whole message is not absorbed at once; instead part of the message is absorbed into part of the register in a certain order, and the influence of that part is then diffused over the whole register by a fixed permutation function. Likewise the message digest is not output all at once: part of the digest is squeezed out each time over several squeezes, and the parts are finally assembled into the complete digest. In this way the sponge structure obtains an output bit stream of any required length from an input bit stream of any length.
The operation of the sponge structure is mainly determined by three parts: the memory state S, the permutation function f and the padding function P. Memory state S: its total length is b bits, divided into two blocks of c and r bits. Here c is the capacity, whose value is twice the hash size n, c = 2n; r is the rate, the length of message processed per cycle, with r = b - 2n. In a hash algorithm the length of c is generally set to twice the security level, since the c section of the memory is what resists collision and preimage attacks.
As shown in fig. 1 and fig. 2, an embodiment of the present invention provides a lightweight cryptographic hash algorithm based on a sponge structure, including the following steps:
S101: receive an input message, pad it, divide the padded message into segments of length r, and denote the ith segment P_i, where r is the rate;
S102: input the ith message segment P_i into the front of the memory state S, where S denotes a memory state with a four-dimensional structure whose dimensions are the fourth-dimensional state w, the third-dimensional state x, the second-dimensional state y and the first-dimensional state z;
S103: apply the permutation F fifteen times to the memory state S, take the resulting F(S) as the new memory state S, and input the (i+1)th message segment P_{i+1} into the front of the memory state S; the permutation F consists of 6 functions.
Specifically, the permutation F is:
F = δ ∘ ξ ∘ ζ ∘ σ ∘ μ ∘ φ,
where the φ function performs a linear permutation of each bit of the memory state S; the μ function cyclically shifts the memory state S along the z axis; the σ function permutes each longitudinal section of the memory state S; the ζ function permutes the x rows of the memory state S according to the mapping of the MIBS 4-bit S-box in each application of F; the ξ function performs a permutation on the w-dimensional state of the memory state S; and the δ function XORs the round constant R_c[i] bit by bit into S[w][0][0][z] after the ith application of F.
Note: S[w] is a three-dimensional structure (a cube); S[x][y] is a two-dimensional structure (a longitudinal section); S[w][y][z] is a one-dimensional structure (an x row); S[w][x][y][z] is a single bit.
S104: repeat step S103 until all message segments have been processed, obtaining a new memory state S;
S105: squeeze the first r bits of the memory state S according to a preset digest squeezing rule and use them as the message digest.
On the basis of the above embodiment, in step S101 an end marker 64 bits long is appended to the tail of the input message; the end marker indicates the total length of the input message, which is at most 2^64 - 1. Accordingly, padding the input message in step S101 specifically comprises:
when the total length of the message is not a multiple of r, padding the message according to a preset padding rule so that the padded total length is a multiple of r;
the preset padding rule being:
rule 1: the total length of the padding is l, with l ≡ r - p (mod r), where p is the total length of the message before padding;
rule 2: the first bit of the padding is 1, the last bit is 1, and the remaining bits are 0.
On the basis of the above embodiments, the digest squeezing rule in step S105 is:
rule 1: output the first r bits of the memory state S as the first part of the message digest;
rule 2: check whether the length of the digest output so far meets the preset length requirement; if not, permute the memory state S to obtain F(S), output the first r bits of F(S), and append them to the digest output so far;
rule 3: repeat rule 2 until the length of the digest output reaches the preset length requirement.
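The padding, absorbing and squeezing steps S101 to S105 above, as an added Python example that is not part of the patent. It assumes the sponge parameters stated on the page (b = 1024, n = 256, c = 2n, r = b - c = 512), absorbs a block by XORing it into the first r bits as in the standard sponge, and applies the same fifteen rounds between squeezes; the patent's six-function F is not reproduced here, so a clearly labelled toy round function stands in for it.

```python
"""Sponge mode as described in steps S101 to S105: append a 64-bit length tag, pad with 1 0* 1 to a multiple
of r, absorb r-bit blocks into a b-bit state with 15 rounds between blocks, then squeeze r bits at a time.
Added example; the round function below is a labelled stand-in, not the patent's F."""
from typing import Callable, List

Bits = List[int]

B = 1024            # state size in bits (4 x 4 x 4 x 16 on the page)
N = 256             # digest size n; capacity c = 2n, rate r = b - 2n (page's sponge parameters)
C = 2 * N
R = B - C           # 512
ROUNDS = 15         # F is applied fifteen times per absorbed block


def length_tag(message: Bits) -> Bits:
    """64-bit end marker carrying the message length in bits (page: total length <= 2**64 - 1).
    Big-endian bit order is an assumption; the page does not state it."""
    p = len(message)
    if p > 2**64 - 1:
        raise ValueError("message too long for the 64-bit end marker")
    return [(p >> (63 - k)) & 1 for k in range(64)]


def pad(message: Bits, r: int = R) -> Bits:
    """Rule 1: padding length l = r - p (mod r), p being the length before padding (tag included).
    Rule 2: first bit 1, last bit 1, zeros in between. The page pads only when p is not a
    multiple of r; l == 1 degenerates to a single 1 bit."""
    tagged = message + length_tag(message)
    l = (-len(tagged)) % r
    if l == 0:
        return tagged
    if l == 1:
        return tagged + [1]
    return tagged + [1] + [0] * (l - 2) + [1]


def toy_round(state: Bits) -> Bits:
    """STAND-IN round function for the demo: a 37-bit rotation followed by a chi-like mix.
    It is NOT the patent's six-function F and has no security properties."""
    t = state[37:] + state[:37]
    return [t[i] ^ ((t[(i + 1) % B] ^ 1) & t[(i + 2) % B]) for i in range(B)]


def permutation(state: Bits, round_fn: Callable[[Bits], Bits] = toy_round) -> Bits:
    """The fixed permutation between blocks: fifteen rounds of F (step S103)."""
    for _ in range(ROUNDS):
        state = round_fn(state)
    return state


def sponge_hash(message: Bits, out_bits: int = N,
                round_fn: Callable[[Bits], Bits] = toy_round) -> Bits:
    """Absorb every r-bit block of the padded message, then squeeze out_bits of digest."""
    state = [0] * B
    padded = pad(message)
    for i in range(0, len(padded), R):                       # S102-S104: absorb block by block
        block = padded[i:i + R]
        state = [s ^ m for s, m in zip(state[:R], block)] + state[R:]
        state = permutation(state, round_fn)
    digest = state[:R]                                       # S105 rule 1: first r bits
    while len(digest) < out_bits:                            # rules 2 and 3: permute, append r more
        state = permutation(state, round_fn)
        digest += state[:R]
    return digest[:out_bits]


def bytes_to_bits(data: bytes) -> Bits:
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_hex(bits: Bits) -> str:
    return hex(int("".join(map(str, bits)), 2))[2:].zfill((len(bits) + 3) // 4)


if __name__ == "__main__":
    msg = bytes_to_bits(b"constructed sample message")      # constructed input, not from the page
    print(len(pad(msg)), bits_to_hex(sponge_hash(msg)))
```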
On the basis of the above embodiments, the φ function performs the linear permutation of each bit of the memory state S as follows. Depending on the value of y, the bit S[w][x][y][z] is processed differently:
when y = 0 or 1,
S[w][x][y][z] ← S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z] + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1];
when y = 2 or 3,
S[w][x][y][z] ← S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z] + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1] + 1;
here the side of "←" pointed to by the arrow is the value of bit S[w][x][y][z] after permutation, and the other side is the permutation computation. Fig. 3 is a schematic diagram of the linear permutation of each bit by the φ function.
In a sense, the φ function of the embodiments of the present invention is similar to the θ transformation of the KECCAK algorithm. For θ in KECCAK, each output bit depends on 11 bits of the input, which results in a larger invariant subspace; the φ function designed in the embodiments reduces the number of related bits, so that the invariant subspace is reduced to about half that of the KECCAK algorithm.
The μ function cyclically shifts the memory state S along the z axis, specifically:
S[w][x][y][z] ← S[w][x][y][z-t],
where t is the cyclic shift amount, 0 ≤ t ≤ 15, and
(matrix given as an image in the patent; not reproduced in the text)
with x + 4y = a + 2b + 4c + 8d. The matrix here is chosen as a full-rank 4×4 matrix over the binary field F_2 that generates a cyclic group of order 15; a, b, c, d are intermediate quantities of the computation. The cyclic shift amounts for the different z-axis columns are shown in Table 1.
TABLE 1 Cyclic shift amount t for each (x, y) column
y\x    0      1      2      3
0      t=0    t=15   t=1    t=4
1      t=2    t=8    t=5    t=10
2      t=3    t=14   t=9    t=7
3      t=6    t=13   t=11   t=12
The σ function permutes each longitudinal section of the memory state S; its purpose is to make S[x][y] = S[x'][y'], specifically:
(matrix given as an image in the patent; not reproduced in the text)
in GF(2)^{4×4}, with x + 4y = e + 2f + 4g + 8h and x' + 4y' = e' + 2f' + 4g' + 8h', where e, f, g, h, e', f', g', h' are intermediate quantities of the computation; GF(2)^{4×4} is the ring of 4×4 matrices over the binary field.
Fig. 4 illustrates the permutation of each longitudinal section of the memory state S by the σ function.
The ζ function permutes the x rows of the memory state S according to the mapping of the MIBS 4-bit S-box in each application of F, that is, in each application of F the x rows of the memory state S are permuted according to Table 2. The MIBS 4-bit S-box has a good divisibility property, and the embodiments of the present invention select the 4-bit S-box of MIBS for the non-linear part.
Table 2 Mapping from x before permutation to x' after permutation
x    0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
x'   4  15   3   8  13  10  12   0  11   5   7  14   2   6   1   9
The ξ function performs a permutation on the w-dimensional state of the memory state S. For example, the rule may be: take the four bits S[0][0][0][0], S[1][0][0][0], S[2][0][0][0], S[3][0][0][0] and concatenate them into a 4-dimensional vector, then exchange the w dimensions according to Table 3 for the different vectors. Fig. 5 shows the w-dimensional permutation performed on the memory state S by the ξ function, taking the (0,0,0,1) vector as an example.
TABLE 3 Permutation of the w dimension for each control vector
vector       new order of w
(0,0,0,0)    (0,1,2,3)
(0,0,0,1)    (1,0,2,3)
(0,0,1,0)    (1,2,0,3)
(0,0,1,1)    (1,2,3,0)
(0,1,0,0)    (1,3,2,0)
(0,1,0,1)    (1,3,0,2)
(0,1,1,0)    (3,1,0,2)
(0,1,1,1)    (3,0,1,2)
(1,0,0,0)    (3,0,2,1)
(1,0,0,1)    (3,2,0,1)
(1,0,1,0)    (3,2,1,0)
(1,0,1,1)    (2,3,1,0)
(1,1,0,0)    (2,1,3,0)
(1,1,0,1)    (2,1,0,3)
(1,1,1,0)    (2,0,1,3)
(1,1,1,1)    (2,0,3,1)
The δ function XORs the round constant R_c[i] bit by bit into S[w][0][0][z] after the ith application of F. Specifically: during the ith application of F, bits (i·1000 + 1) to (i·1000 + 64) of e and π are selected and reduced bit by bit modulo 2 to obtain the round constant R_c[i].
Specifically, in the embodiments of the invention 0 ≤ z ≤ 15 and 0 ≤ w ≤ 3. The bit-wise XOR may be performed in the order z first, then w, i.e. first S[0][0][0][z] is processed, then S[1][0][0][z]; the bit-wise XOR may also be performed in the order w first, then z. The round constants extracted by the method provided by the embodiments inherit properties of the constants e and π and have better pseudo-randomness.
The specific constants selected are as follows:
Binary representation:
R_c[1]  = 1100100101111010001101110010010111100101110001111100101110110101
R_c[2]  = 0111101100111101001000101111100101101101111110110111111010000011
R_c[3]  = 0110010001101111011101000101011101010100001110101111110011010100
R_c[4]  = 0101010100110100101010011100000101001111110011100010011100110101
R_c[5]  = 1000001011100001101111101110101011010110100101101001110011001011
R_c[6]  = 1000011111000000111011000010111111100110011001111101010011010111
R_c[7]  = 1101000001101000001100111110100110110100001111010101010010000111
R_c[8]  = 1110000100111011101111100001010011110101000010111000110001110011
R_c[9]  = 1101010111101000101111101110101101110000000010010101100011001100
R_c[10] = 1100001011110001111000101010111000100000111110001111010111110100
R_c[11] = 0100001001000101100010110000110100000011111101111110000001100111
R_c[12] = 1001111101100111111101001101010010010010000001110111100011011111
R_c[13] = 1110111001100010011001111111100001010110101111000111110110011101
R_c[14] = 0010110011000010001100001111001011010011111010110011001001100011
R_c[15] = 0111001101000011111110011001000100111010100101010001001010111101
Hexadecimal representation:
R_c[1]  = c97a3725e5c7cbb5
R_c[2]  = 7b3d22f96dfb7e83
R_c[3]  = 646f7457543afcd4
R_c[4]  = 5534a9c14fce2735
R_c[5]  = 82e1beead6969ccb
R_c[6]  = 87c0ec2fe667d4d7
R_c[7]  = d06833e9b43d5487
R_c[8]  = e13bbe14f50b8c73
R_c[9]  = d5e8beeb700958cc
R_c[10] = c2f1e2ae20f8f5f4
R_c[11] = 42458b0d03f7e067
R_c[12] = 9f67f4d4920778df
R_c[13] = ee6267f856bc7d9d
R_c[14] = 2cc230f2d3eb3263
R_c[15] = 7343f9913a9512bd
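The four-dimensional state and the round functions defined in this section, as an added Python example that is not the patent's code. It implements φ, μ (Table 1), ζ (Table 2), ξ (Table 3) and δ (the round constants listed above); the σ matrix is not in the text, so σ is left as an identity hook. Assumptions, also marked in the comments: indices wrap cyclically, x = 0 is the low bit of each S-box nibble, the control vector is read as S[0..3][0][0][0] with S'[w] = S[p[w]], and the most significant bit of each constant is applied first. Table 2 as printed maps x = 1 to 5, which duplicates x = 9; the bijective MIBS S-box has 15 there, and that value is used.

```python
"""The patent's four-dimensional state S[w][x][y][z] (4 x 4 x 4 x 16 = 1024 bits) and the round functions the
text specifies. Added example, not the patent's code; sigma's matrix is absent from the text, so it is a hook."""
from typing import List

W, X, Y, Z = 4, 4, 4, 16
B = W * X * Y * Z  # 1024 bits

def idx(w: int, x: int, y: int, z: int) -> int:
    """Flat index of bit S[w][x][y][z]; coordinates wrap cyclically (assumption: w+1, x-1, z-1 are mod 4/16)."""
    return (((w % W) * X + (x % X)) * Y + (y % Y)) * Z + (z % Z)

# Table 1: cyclic shift t along z for each (x, y) column.
SHIFT = {(0, 0): 0, (1, 0): 15, (2, 0): 1, (3, 0): 4,
         (0, 1): 2, (1, 1): 8, (2, 1): 5, (3, 1): 10,
         (0, 2): 3, (1, 2): 14, (2, 2): 9, (3, 2): 7,
         (0, 3): 6, (1, 3): 13, (2, 3): 11, (3, 3): 12}

# Table 2: MIBS 4-bit S-box. The page prints x = 1 -> 5 (duplicating x = 9); the bijective MIBS S-box has 15.
SBOX = [4, 15, 3, 8, 13, 10, 12, 0, 11, 5, 7, 14, 2, 6, 1, 9]

# Table 3: control vector (S[0][0][0][0], ..., S[3][0][0][0]) -> new order of the w slices.
XI_PERM = {
    (0, 0, 0, 0): (0, 1, 2, 3), (0, 0, 0, 1): (1, 0, 2, 3), (0, 0, 1, 0): (1, 2, 0, 3), (0, 0, 1, 1): (1, 2, 3, 0),
    (0, 1, 0, 0): (1, 3, 2, 0), (0, 1, 0, 1): (1, 3, 0, 2), (0, 1, 1, 0): (3, 1, 0, 2), (0, 1, 1, 1): (3, 0, 1, 2),
    (1, 0, 0, 0): (3, 0, 2, 1), (1, 0, 0, 1): (3, 2, 0, 1), (1, 0, 1, 0): (3, 2, 1, 0), (1, 0, 1, 1): (2, 3, 1, 0),
    (1, 1, 0, 0): (2, 1, 3, 0), (1, 1, 0, 1): (2, 1, 0, 3), (1, 1, 1, 0): (2, 0, 1, 3), (1, 1, 1, 1): (2, 0, 3, 1)}

# Round constants R_c[1..15], hexadecimal values from the page.
RC = [0xc97a3725e5c7cbb5, 0x7b3d22f96dfb7e83, 0x646f7457543afcd4, 0x5534a9c14fce2735,
      0x82e1beead6969ccb, 0x87c0ec2fe667d4d7, 0xd06833e9b43d5487, 0xe13bbe14f50b8c73,
      0xd5e8beeb700958cc, 0xc2f1e2ae20f8f5f4, 0x42458b0d03f7e067, 0x9f67f4d4920778df,
      0xee6267f856bc7d9d, 0x2cc230f2d3eb3263, 0x7343f9913a9512bd]

def phi(S: List[int]) -> List[int]:
    """S[w][x][y][z] <- S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z]
                        + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1], plus 1 when y is 2 or 3."""
    T = S[:]
    for w in range(W):
        for x in range(X):
            for y in range(Y):
                for z in range(Z):
                    v = (S[idx(w, x, y, z)] ^ S[idx(w, x - 1, 0, z)] ^ S[idx(w, x - 1, 1, z)]
                         ^ S[idx(w + 1, x + 1, 2, z - 1)] ^ S[idx(w + 1, x + 1, 3, z - 1)])
                    T[idx(w, x, y, z)] = v ^ (1 if y >= 2 else 0)
    return T

def mu(S: List[int]) -> List[int]:
    """S[w][x][y][z] <- S[w][x][y][z - t] with t taken from Table 1."""
    T = S[:]
    for w in range(W):
        for x in range(X):
            for y in range(Y):
                t = SHIFT[(x, y)]
                for z in range(Z):
                    T[idx(w, x, y, z)] = S[idx(w, x, y, z - t)]
    return T

def sigma(S: List[int]) -> List[int]:
    """Permutes the (x, y) longitudinal sections by a full-rank 4x4 matrix over GF(2) of order 15.
    The matrix is not reproduced in the text, so this hook is the identity and is NOT the patent's sigma."""
    return S[:]

def zeta(S: List[int]) -> List[int]:
    """Applies the S-box to every x row S[w][0..3][y][z]; x = 0 is the least significant bit (assumption)."""
    T = S[:]
    for w in range(W):
        for y in range(Y):
            for z in range(Z):
                out = SBOX[sum(S[idx(w, x, y, z)] << x for x in range(X))]
                for x in range(X):
                    T[idx(w, x, y, z)] = (out >> x) & 1
    return T

def xi(S: List[int]) -> List[int]:
    """Reorders the w slices by the Table 3 permutation chosen by the control vector; S'[w] = S[p[w]] (assumption)."""
    p = XI_PERM[tuple(S[idx(w, 0, 0, 0)] for w in range(W))]
    T = S[:]
    size = X * Y * Z  # one w slice is contiguous in the flat layout
    for w in range(W):
        T[w * size:(w + 1) * size] = S[p[w] * size:(p[w] + 1) * size]
    return T

def delta(S: List[int], i: int) -> List[int]:
    """XORs R_c[i] (i = 1..15) into S[w][0][0][z], z running first, then w; most significant bit first (assumption)."""
    T = S[:]
    for k in range(64):
        w, z = divmod(k, Z)
        T[idx(w, 0, 0, z)] ^= (RC[i - 1] >> (63 - k)) & 1
    return T

def round_f(S: List[int], i: int) -> List[int]:
    """One round F = delta . xi . zeta . sigma . mu . phi: phi is applied first, delta last."""
    return delta(xi(zeta(sigma(mu(phi(S))))), i)

def permutation(S: List[int]) -> List[int]:
    """The fixed permutation of the sponge: fifteen rounds of F with round constants R_c[1..15]."""
    for i in range(1, 16):
        S = round_f(S, i)
    return S
```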
When the performance of a cryptographic hash algorithm is evaluated, the main technical indicators are its security and its hardware overhead.
Hardware overhead: on an i5 machine running Windows 7 the private memory occupied is 487 Kb (memory usage differs between system environments) and the average CPU load is 0.02. Since the sub-functions consist mainly of several for loops, efficiency can be improved in practice by adding parallel computation; in the test, the number of program threads was raised to 4 with parallel computation.
Security of the cryptographic hash algorithm: because the sponge structure is adopted, the resistance level against collision and preimage attacks is 2^(c/2); it can be shown in theory that the sponge structure is indifferentiable from a random oracle when the fixed permutation is random.
For the θ function in KECCAK-f, each output bit can be considered to depend on 11 bits. Although the constructed matrix has a fairly complex inverse, because more bits are involved the size of the invariant subspace of the function can be calculated to be 2^9. This invariant subspace is large, so second-preimage resistance is poor. In constructing the φ function the invention instead selects the two bits above-right and the two bits below-front-left of the current bit to participate in the computation, and takes the result or its complement at different positions. By calculation, the invariant subspace of the φ function constructed in this way has size only 2^6, so the algorithm provided by the invention is safer than the KECCAK-f permutation.
The operation related to the x dimension in the KECCAK-f algorithm is carried out by an S-box whose expression is quadratic. It is found by computation that, no matter how many rounds are iterated, the inverse of this S-box is always of degree three and never of degree four or five, so its divisibility property is not particularly good. The present invention takes this point into account in designing the algorithm: the S-box with 4-bit input and output listed in Table 4 is selected, and it is checked whether all 3-dimensional linear subspaces of the underlying space (shown only as an image in the source) are divisible by the S-box.
TABLE 4: S-box (the table is present only as an image in the source)
Let α1 = (0,0,0,1), α2 = (0,0,1,0), α3 = (0,1,0,0), α4 = (1,0,0,0) be a basis of the space in question (shown only as an image in the source; the αi are 4-bit vectors). The experimental results are shown in Table 5.
TABLE 5: Divisibility of subspaces after S-box action (the table is present only as an image in the source)
The results show that for the MIBS S-box with 4-bit input and output, all 3-dimensional linear subspaces remain divisible after the S-box action (the spaces and values concerned appear only as images in the source). This 4-bit S-box is relatively good, so the MIBS S-box with 4-bit input and output is adopted.
The round constants in KECCAK-f contain very many 0s in binary, often in long runs. Considering that such round constants do not take the values 0 and 1 in a random-like way and therefore have relatively little effect on stirring the data, the present invention considers the two common transcendental numbers e and π when choosing the round constants. It is known that at least one of π+e and πe is transcendental, so when selecting the round constants the invention combines certain bits of e and π to compute the round constants used in the algorithm. In the computation, the corresponding bits of e and of π are each reduced modulo 2 and then XORed together to obtain the round constant. Compared with the round constants in KECCAK-f, the round constants given by the present invention have approximately equal frequencies of 1s and 0s, and it is believed that the new round constants "stir" the data in the storage state better during operation.
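As an added check (example code, not part of the patent), the following Python reads the fifteen hexadecimal round constants listed above, confirms that the two binary constants printed earlier agree with the hexadecimal list, and compares the bit balance of the constants with that of the 24 round constants of Keccak-f[1600] as given in the Keccak specification. The Hamming weight and the longest run of zeros are the two properties the passage above claims to improve.

```python
# Added example (not from the patent): bit-balance check of the page's round constants.
RC_HEX = [
    "c97a3725e5c7cbb5", "7b3d22f96dfb7e83", "646f7457543afcd4", "5534a9c14fce2735",
    "82e1beead6969ccb", "87c0ec2fe667d4d7", "d06833e9b43d5487", "e13bbe14f50b8c73",
    "d5e8beeb700958cc", "c2f1e2ae20f8f5f4", "42458b0d03f7e067", "9f67f4d4920778df",
    "ee6267f856bc7d9d", "2cc230f2d3eb3263", "7343f9913a9512bd",
]
RC = [int(h, 16) for h in RC_HEX]          # Rc[1] .. Rc[15] as printed on the page

# Binary forms of Rc[14] and Rc[15] as printed on the page, used as a cross-check.
RC_BIN = {
    14: "0010110011000010001100001111001011010011111010110011001001100011",
    15: "0111001101000011111110011001000100111010100101010001001010111101",
}

# The 24 round constants of Keccak-f[1600] from the Keccak specification (for comparison).
KECCAK_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

WIDTH = 64


def hamming_weight(value):
    """Number of 1 bits in a constant."""
    return bin(value).count("1")


def longest_zero_run(value, width=WIDTH):
    """Longest run of consecutive 0 bits in the width-bit representation."""
    bits = format(value, f"0{width}b")
    return max(len(run) for run in bits.split("1"))


def balance_stats(constants, width=WIDTH):
    """Summarise how balanced a list of round constants is."""
    weights = [hamming_weight(c) for c in constants]
    return {
        "count": len(constants),
        "min_weight": min(weights),
        "max_weight": max(weights),
        "mean_weight": sum(weights) / len(weights),
        "ideal_weight": width / 2,
        "longest_zero_run": max(longest_zero_run(c, width) for c in constants),
    }


def binary_listing_consistent():
    """True if the binary constants printed on the page match the hexadecimal list."""
    return all(int(b, 2) == RC[i - 1] for i, b in RC_BIN.items())


if __name__ == "__main__":
    print("page constants :", balance_stats(RC))
    print("Keccak-f[1600] :", balance_stats(KECCAK_RC))
    print("binary/hex listing consistent:", binary_listing_consistent())
```

The page's constants have weights between 29 and 40 out of 64 (mean 34.4), whereas the Keccak constants never exceed weight 6 and contain runs of up to 63 zeros; that is the difference the passage refers to.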
In addition, the permutation effect and the pseudo-randomness of the cryptographic hash algorithm provided by the invention were tested with some data and parameters.
Permutation effect test: for sequences of different lengths that differ only slightly, several groups of different r and c were selected (digest lengths of 64bit, 128bit, 196bit and 256bit respectively), the digests output after processing by the algorithm were examined, and the message digests within each group were compared.
Pseudo-randomness test: for a sequence of length 20000 the following tests were performed: the single-bit (monobit) test, the poker test and the runs test.
Single-bit test: this test checks whether the 0s and 1s of the output sequence are balanced, that is, whether for a sequence of length n the weight stays close to [n/2]. The test is passed if the number of 1s lies in [9654, 10346].
Poker test: the sequence is divided into segments of 4 bits, each of which is converted to a hexadecimal digit; with n_i denoting the number of occurrences of digit i, the statistic X (its formula appears only as an image in the source) is computed. The test is passed if X ∈ (1.03, 57.4), which indicates that each hexadecimal digit occurs approximately equally often.
Runs test: the numbers of 1-runs of each length are counted, and the test is passed if each count satisfies the following conditions:
A. Number of runs of length 1: [2267, 2733]
B. Number of runs of length 2: [1079, 1421]
C. Number of runs of length 3: [502, 748]
D. Number of runs of length 4: [223, 402]
E. Number of runs of length 5 or more: [90, 223]
If the sequence passes this set of tests, it has good randomness properties. For the message-digest test, a group of data was chosen at random, processed by the algorithm to obtain a message digest of 20000 bits, and that digest was tested.
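The three tests just described, as an added Python example (not the patent's own code). The page gives the poker statistic only as an image; the intervals quoted ([9654, 10346], (1.03, 57.4) and the run-count limits) are the FIPS 140-1 limits for a 20000-bit sample, so the FIPS 140-1 form of the statistic, X = (16/k)·Σ n_i² − k with k = 5000 four-bit groups, is assumed here. One caveat a reviewer would raise: the page lists a single bucket for 1-runs of length 5 or more, whereas FIPS 140-1 uses separate buckets for length 5 and for length 6 or more, each limited to [90, 223]; the counts in Table 7 below (155 runs of length 5 and 170 longer 1-runs) pass only under the two-bucket reading, which is the one implemented. Both 1-runs and 0-runs are tested, as Table 7 reports both. The sample sequence is constructed from a seeded PRNG and is not a digest produced by the patented algorithm.

```python
import random

# Added example (not from the patent): FIPS 140-1 style tests with the limits quoted on the page.
MONOBIT_LIMITS = (9654, 10346)
POKER_LIMITS = (1.03, 57.4)
# Run-count limits per run length; key 6 means "length 6 or more" (FIPS 140-1 two-bucket form, assumed).
RUN_LIMITS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748), 4: (223, 402), 5: (90, 223), 6: (90, 223)}
SAMPLE_LEN = 20000


def monobit_test(bits):
    """Return (number of 1s, passed)."""
    ones = sum(bits)
    return ones, MONOBIT_LIMITS[0] <= ones <= MONOBIT_LIMITS[1]


def poker_statistic(counts):
    """X = (16/k) * sum(n_i^2) - k over the 16 nibble counts n_i, k = number of nibbles (assumed form)."""
    k = sum(counts)
    return (16.0 / k) * sum(n * n for n in counts) - k


def poker_test(bits):
    """Split into 4-bit groups, count each hexadecimal value, return (X, passed)."""
    counts = [0] * 16
    for g in range(len(bits) // 4):
        value = (bits[4 * g] << 3) | (bits[4 * g + 1] << 2) | (bits[4 * g + 2] << 1) | bits[4 * g + 3]
        counts[value] += 1
    x = poker_statistic(counts)
    return x, POKER_LIMITS[0] < x < POKER_LIMITS[1]


def count_runs(bits, value):
    """Count maximal runs of `value`; lengths of 6 or more are pooled under key 6."""
    buckets = {length: 0 for length in RUN_LIMITS}
    run = 0
    for b in list(bits) + [1 - value]:        # sentinel closes a trailing run
        if b == value:
            run += 1
        elif run:
            buckets[min(run, 6)] += 1
            run = 0
    return buckets


def check_run_counts(buckets):
    """Apply the run-count limits to a {length: count} table; return (per-length results, passed)."""
    results = {length: (buckets[length], lo <= buckets[length] <= hi)
               for length, (lo, hi) in RUN_LIMITS.items()}
    return results, all(ok for _, ok in results.values())


def runs_test(bits):
    """Runs test on both 1-runs and 0-runs."""
    results = {}
    passed = True
    for value in (1, 0):
        results[value], ok = check_run_counts(count_runs(bits, value))
        passed = passed and ok
    return results, passed


def run_all(bits):
    """Run the three tests; returns (statistic, passed) per test plus an overall verdict."""
    ones, ok1 = monobit_test(bits)
    x, ok2 = poker_test(bits)
    runs, ok3 = runs_test(bits)
    return {"monobit": (ones, ok1), "poker": (x, ok2), "runs": (runs, ok3),
            "passed": ok1 and ok2 and ok3}


# Constructed sample: 20000 bits from a seeded PRNG (not output of the patented algorithm).
_rng = random.Random(2019)
SAMPLE = [_rng.getrandbits(1) for _ in range(SAMPLE_LEN)]

if __name__ == "__main__":
    print(run_all(SAMPLE))
```

`check_run_counts` takes a ready-made count table, so the numbers printed in Table 7 can be fed to it directly without the underlying sequence; likewise `poker_statistic` accepts the sixteen counts recovered from the percentages in Table 6.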
Permutation effect test results: four groups in total. In every group, input 2 differs from input 1 only in the first hexadecimal digit.
Group one: r = 768, c = 2n = 256
Input 1:
4DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D682A16E66C6B25AFBDE5CA35D690FF845AA412C52F0C3D5F0F115CA3B23EDA02
Input 2:
7DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D682A16E66C6B25AFBDE5CA35D690FF845AA412C52F0C3D5F0F115CA3B23EDA02
Output 1: 93CCDDD8658719FF9F26B46709CE54FF
Output 2: 965DC35E66D3954F9E2A9D25B9CD3AE7
Group two: r = 640, c = 2n = 384
Input 1:
4DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D682A16E66C6B25AFBDE5CA35D690FF84
Input 2:
7DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D682A16E66C6B25AFBDE5CA35D690FF84
Output 1: 4190475A651971C86CCAFCB8C33BB27EC8A803446D544D01
Output 2: DB1E3DFAF25C0139C7D664E7A68C1BD6385C827B2727EE85
Group three: r = 512, c = 2n = 512
Input 1:
4DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D
Input 2:
7DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D
Output 1: 5DF4243FA1CD8632FF42A209E93A97AD1F1E4CF4D0846A0EF121E494603FA9BC
Output 2: F82DF2209BEC3D757EBF8ED2FDFCFEB396016569518F0019FCB9CCDB607008EA
Group four: r = 896, c = 2n = 128
Input 1:
4DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D682A16E66C6B25AFBDE5CA35D690FF845AA412C52F0C3D5F0F115CA3B23EDA0251FDD9A0E5A3130DFAE3A40F1397EDA9
Input 2:
7DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6E5D682A16E66C6B25AFBDE5CA35D690FF845AA412C52F0C3D5F0F115CA3B23EDA0251FDD9A0E5A3130DFAE3A40F1397EDA9
Output 1: B0C5341C40A4C0FC
Output 2: 41E93F5A5AF05DC4
Pseudo-randomness test results: for the pseudo-randomness test, a group of data was chosen arbitrarily and processed by the algorithm to obtain a message digest 20000 bits long, and this digest was tested (r = 640; the processed file is in the attachment).
Single-bit test: the number of 1s was 9969, so the test is passed.
Poker test: as shown in Table 6, the occurrence probabilities of the sixteen digits are approximately equal, so the test is passed.
TABLE 6: Occurrence probability of each hexadecimal digit
0: 6.82%    8: 6.84%
1: 6.36%    9: 5.90%
2: 5.58%    A: 6.38%
3: 6.08%    B: 6.38%
4: 6.14%    C: 6.22%
5: 6.16%    D: 6.54%
6: 5.80%    E: 5.96%
7: 6.54%    F: 6.28%
Runs test: as can be seen from Table 7, the runs test is passed.
TABLE 7: Number of runs of each length
Length    1-runs    0-runs
1         2477      2458
2         1243      1216
3         589       601
4         300       327
5         155       181
6         91        71
7         36        46
8         14        24
9         21        6
10        8         5
Analysis of the test results shows that the algorithm has good pseudo-randomness.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (3)

1. A lightweight cryptographic hash method based on a sponge structure, characterized by comprising the following steps:
Step 1: receiving an input message, padding the input message, dividing the padded message into a plurality of segments of length r, and denoting the ith message segment P_i, where r is the rate;
Step 2: inputting the ith message segment P_i into the front of the memory state S, where S denotes a memory state with a four-dimensional structure consisting of a fourth-dimensional state w, a third-dimensional state x, a second-dimensional state y and a first-dimensional state z;
Step 3: applying the permutation F to the memory state S fifteen times, taking the obtained F(S) as the new memory state S, and inputting the (i+1)th message segment P_{i+1} into the front of the memory state S; the permutation F consists of 6 different functions, specifically:
(the composition of F is given only as an image in the source)
where:
the first function (its symbol appears only as an image in the source) performs a linear permutation on each bit of the memory state S; the μ function cyclically shifts the memory state S along the z axis; the σ function permutes each longitudinal section of the memory state S; the ζ function permutes the x rows of the memory state S according to the mapping rule of the MIBS 4-bit S-box in each application of F; the ξ function performs a permutation on the w-dimensional state of the memory state S; the δ function XORs the round constant Rc[i] bit by bit into S[w][0][0][z] after the ith permutation F;
The above-mentioned first function (symbol shown only as an image in the source) performs a linear permutation on each bit of the memory state S, specifically:
according to the value of y, the bit S[w][x][y][z] is processed differently:
when y = 0 or 1,
S[w][x][y][z] ← S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z] + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1];
when y = 2 or 3,
S[w][x][y][z] ← S[w][x][y][z] + S[w][x-1][0][z] + S[w][x-1][1][z] + S[w+1][x+1][2][z-1] + S[w+1][x+1][3][z-1] + 1;
where the side the arrow "←" points to denotes the value of the bit S[w][x][y][z] after the permutation and the other side denotes the permutation computation;
The μ function cyclically shifts the memory state S along the z axis, specifically:
S[w][x][y][z] ← S[w][x][y][z-t],
where t denotes the cyclic shift amount, 0 ≤ t ≤ 15, and t is given by a formula that appears only as an image in the source, in which x + 4y = a + 2b + 4c + 8d; a, b, c and d denote intermediate quantities of the computation;
The σ function permutes each longitudinal section of the memory state S, specifically: it sets S[x][y] = S[x'][y'], where the relation between (x, y) and (x', y') is given by a formula shown only as an image in the source, in GF(2)^(4×4), with x + 4y = e + 2f + 4g + 8h and x' + 4y' = e' + 2f' + 4g' + 8h'; e, f, g, h, e', f', g' and h' denote intermediate quantities of the computation; GF(2)^(4×4) is the full ring of 4×4 matrices over the binary field;
In the ith application of F, bits (i·1000+1) to (i·1000+64) of e and of π are selected and reduced modulo 2 to obtain the round constant Rc[i];
Step 4: repeating step 3 until all message segments have been processed, obtaining a new memory state S;
Step 5: squeezing the first r bits of the memory state S according to a preset digest squeezing rule and using them as the message digest.
2. The lightweight cryptographic hash method according to claim 1, wherein in step 1 an end flag 64 bits long is appended to the end of said input message, said end flag indicating the total length of said input message, said total length being ≤ 2^64 − 1; correspondingly, the padding of the input message in step 1 specifically comprises:
when the total length of the message is not a multiple of r, padding the message according to a preset message padding rule so that the padded total length of the message is a multiple of r; where
the preset message padding rule is:
Rule 1: the total length of the padding is l, with l ≡ r − p (mod r), where p is the total length of the message before padding;
Rule 2: the first bit of the padding is 1, the last bit is 1, and the remaining bits are 0.
3. The lightweight cryptographic hash method according to claim 1, wherein said preset digest squeezing rule is:
Rule 1: outputting the first r bits of the memory state S as the first part of the message digest;
Rule 2: checking whether the length of the message digest output so far meets the preset length requirement; if not, permuting the memory state S to obtain F(S), outputting the first r bits of F(S) and appending them to the message digest output so far;
Rule 3: repeating Rule 2 until the length of the message digest output reaches the preset length requirement.
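The whole procedure of claims 1 to 3 (padding, absorbing r-bit segments with fifteen applications of F each, and squeezing) as an added Python example. This is not the patent's code, and the test outputs listed above cannot be reproduced with it, because the σ, ζ (MIBS S-box) and ξ steps of F are given only as images or by reference and are therefore not implemented. The permutation used is a constructed placeholder containing only the three steps the claims spell out (the linear step, the μ shift with t assumed to be x + 4y, and the δ round-constant XOR); being linear, it is not a cryptographic permutation and serves only to exercise the sponge framework. Further assumptions, marked in the code: state dimensions w = 1, x = 4, y = 4, z = 64 (1024 bits, which equals r + c in all four test groups above), wrap-around indexing, a big-endian 64-bit length field that is counted in p, XOR of each segment into the first r bits of the state, round-constant bits taken MSB-first, and a digest length n = c/2. The l = 1 corner of padding rule 2, which the claim does not cover, is handled with a single 1 bit.

```python
# Added example (not from the patent): sponge skeleton following claims 1-3.
W, X, Y, Z = 1, 4, 4, 64                 # ASSUMED dims: 1024-bit state = r + c in every test group
STATE_BITS = W * X * Y * Z
LEN_FIELD = 64                           # claim 2: 64-bit end flag carrying the message length

RC = [0xc97a3725e5c7cbb5, 0x7b3d22f96dfb7e83, 0x646f7457543afcd4, 0x5534a9c14fce2735,
      0x82e1beead6969ccb, 0x87c0ec2fe667d4d7, 0xd06833e9b43d5487, 0xe13bbe14f50b8c73,
      0xd5e8beeb700958cc, 0xc2f1e2ae20f8f5f4, 0x42458b0d03f7e067, 0x9f67f4d4920778df,
      0xee6267f856bc7d9d, 0x2cc230f2d3eb3263, 0x7343f9913a9512bd]   # Rc[1..15] from the page


def idx(w, x, y, z):
    """Flat index of bit S[w][x][y][z] in the state list."""
    return ((w * X + x) * Y + y) * Z + z


def linear_step(s):
    """Linear step of claim 1, computed from the old state; indices wrap around (assumed)."""
    out = s[:]
    for w in range(W):
        for x in range(X):
            for y in range(Y):
                for z in range(Z):
                    v = (s[idx(w, x, y, z)]
                         ^ s[idx(w, (x - 1) % X, 0, z)]
                         ^ s[idx(w, (x - 1) % X, 1, z)]
                         ^ s[idx((w + 1) % W, (x + 1) % X, 2, (z - 1) % Z)]
                         ^ s[idx((w + 1) % W, (x + 1) % X, 3, (z - 1) % Z)])
                    out[idx(w, x, y, z)] = v ^ 1 if y >= 2 else v   # the "+1" term for y = 2, 3
    return out


def mu_step(s):
    """Cyclic shift along z by t; the page's formula for t is an image, so t = x + 4y is ASSUMED."""
    out = s[:]
    for w in range(W):
        for x in range(X):
            for y in range(Y):
                t = x + 4 * y
                for z in range(Z):
                    out[idx(w, x, y, z)] = s[idx(w, x, y, (z - t) % Z)]
    return out


def delta_step(s, i):
    """XOR Rc[i] into S[w][0][0][z]; bit z is taken MSB-first (assumed)."""
    out = s[:]
    for w in range(W):
        for z in range(Z):
            out[idx(w, 0, 0, z)] ^= (RC[i - 1] >> (Z - 1 - z)) & 1
    return out


def placeholder_F(s):
    """Fifteen applications of the three specified steps. NOT the patented F: sigma, zeta, xi omitted."""
    for i in range(1, 16):
        s = delta_step(mu_step(linear_step(s)), i)
    return s


def pad(msg_bits, r):
    """Claim 2: 64-bit length field, then l = r - (p mod r) bits shaped 1 0...0 1 if p is not a multiple of r."""
    length = len(msg_bits)
    if length > 2 ** LEN_FIELD - 1:
        raise ValueError("message too long for the 64-bit length field")
    field = [(length >> (LEN_FIELD - 1 - k)) & 1 for k in range(LEN_FIELD)]   # big-endian (assumed)
    padded = list(msg_bits) + field
    p = len(padded)                                       # p counts the length field too (assumed)
    if p % r:
        l = r - (p % r)
        padded += [1] + [0] * (l - 2) + [1] if l >= 2 else [1]   # l == 1: one bit is both first and last
    return padded


def sponge_hash(msg_bits, r, c, digest_len=None):
    """Claims 1 and 3: absorb r-bit segments, then squeeze until digest_len bits (default n = c/2)."""
    if r + c != STATE_BITS:
        raise ValueError("r + c must equal the state size")
    n = c // 2 if digest_len is None else digest_len
    state = [0] * STATE_BITS
    padded = pad(msg_bits, r)
    for start in range(0, len(padded), r):                # steps 2 to 4
        for k in range(r):
            state[k] ^= padded[start + k]                 # segment XORed into the front of S (assumed)
        state = placeholder_F(state)
    digest = state[:r]                                    # claim 3, rule 1
    while len(digest) < n:                                # rules 2 and 3
        state = placeholder_F(state)
        digest += state[:r]
    return digest[:n]


def hex_to_bits(h):
    return [int(b) for ch in h for b in f"{int(ch, 16):04b}"]


def bits_to_hex(bits):
    return "".join(f"{int(''.join(map(str, bits[i:i + 4])), 2):x}" for i in range(0, len(bits), 4))


# Group-one input 1 from the page (768 bits, exactly r), used only as sample input.
INPUT1 = ("4DEA9E83AD9D8ED61483EAF958663FA3695F55C5CC12C29F7852D45AF012B"
          "07D6837368408B240F236D3E37EE76F7AEE408A0E21338205B777597877FB5D6"
          "E5D682A16E66C6B25AFBDE5CA35D690FF845AA412C52F0C3D5F0F115CA3B23EDA02")

if __name__ == "__main__":
    print(bits_to_hex(sponge_hash(hex_to_bits(INPUT1), 768, 256)))
```

Two points worth checking in any implementation of these claims: with the length field counted in p, an r-bit input such as the group-one test vector becomes r + 64 bits and is padded out to two segments, and a message whose padded length is already a multiple of r receives no padding bits at all under rule 1 as written, so the length field is then the only thing separating it from a message that ends in the same bits.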
CN201910994150.1A 2019-10-18 2019-10-18 Lightweight cipher hashing method based on sponge structure Active CN110690958B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910994150.1A CN110690958B (en) 2019-10-18 2019-10-18 Lightweight cipher hashing method based on sponge structure

Publications (2)

Publication Number Publication Date
CN110690958A CN110690958A (en) 2020-01-14
CN110690958B true CN110690958B (en) 2022-11-22

Family

ID=69113238

Country Status (1)

Country Link
CN (1) CN110690958B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109005025B (en) * 2018-07-11 2021-07-02 Guilin University of Electronic Technology Convolution compression method for hash function
CN113890741B (en) * 2021-09-29 2023-11-10 Beijing Topsec Network Security Technology Co., Ltd. Message filling method, chip, device, electronic equipment and storage medium
CN116015610B (en) * 2022-12-19 2023-08-22 Haofu Cryptographic Testing Technology (Chengdu) Co., Ltd. Detection method for lightweight ciphers

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107124264A (en) * 2017-03-06 2017-09-01 Beihang University A lightweight hash method based on an affine-transformation byte substitution box
CN108449171A (en) * 2018-02-09 2018-08-24 Institute of Software, Chinese Academy of Sciences A lightweight hash cryptographic digest generation method
WO2019190411A1 (en) * 2018-03-29 2019-10-03 Agency For Science, Technology And Research Method and system for generating a keccak message authentication code (kmac) based on white-box implementation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Distinguishing attack on round-reduced SHA3-512 based on impossible differentials; Ding Yaoling et al.; Journal of Cryptologic Research; 2017-12-15 (No. 06); full text *
Lightweight hash function based on affine-transformation S-box; Du Pei et al.; Journal of Beijing University of Aeronautics and Astronautics; 2018-01-15 (No. 06); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant