CN114710272A - Automatic generation method and system of (n, m) -S box - Google Patents


Info

Publication number
CN114710272A
Authority
CN
China
Prior art keywords
box
algebraic
bit
index
order
Prior art date
Legal status
Granted
Application number
CN202210294442.6A
Other languages
Chinese (zh)
Other versions
CN114710272B (en)
Inventor
袁征
刘晨祎
Current Assignee
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Original Assignee
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Application filed by BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Priority to CN202210294442.6A
Publication of CN114710272A
Application granted
Publication of CN114710272B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/06 (under H04L 9/00) The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Complex Calculations (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to an automatic generation method and system for (n, m)-S-boxes. The method comprises the following steps: selecting one irreducible polynomial from the set of irreducible polynomials of degree n, and constructing an (n, m)-S-box that can achieve a higher upper bound by means of an EA-equivalence method and a parallel repeated shift method; judging whether the (n, m)-S-box meets the cryptographic security indices; and, if the preset cryptographic security indices are met, outputting the (n, m)-S-box, otherwise regenerating a new (n, m)-S-box until the preset cryptographic security indices are met. The method can construct an (n, m)-S-box with any input length, any output length, a higher upper bound, optimal compromise and provable security; the upper bound of each type of S-box can be given, the technical problem of rapidly computing high-degree polynomial inverses is solved with a parallel method, and the complexity of the inversion algorithm is reduced.

Description

Automatic generation method and system of (n, m) -S box
Technical Field
The invention belongs to the field of information security and cryptography, and particularly relates to an automatic generation method and system for an (n, m)-S-box.
Background
Information has become an important strategic resource worldwide; information security is a key concern of governments and militaries of all countries and an important subject of scientific research. Cryptography and cryptographic technology are the theoretical core and technical basis of information security, and the confidentiality, integrity and authentication provided by cryptographic algorithms such as block ciphers, sequence (stream) ciphers, hash functions, message authentication codes (MACs) and signcryption are their primary content. S-boxes are important tools for designing the nonlinear components of these cryptographic algorithms.
To resist existing attack methods, an S-box used in a cryptographic algorithm must meet certain security requirements. The security indices of an S-box include nonlinearity, differential uniformity, balancedness, algebraic degree and so on. It is worth noting that these security indices influence and constrain one another, so when designing and selecting S-boxes as the nonlinear components of a cryptographic algorithm they must be considered together. Note also that even when each component $f_1(x), f_2(x), \dots, f_m(x)$ of the S-box output $f(x) = (f_1(x), f_2(x), \dots, f_m(x))$ is good, the security indices of the combined output function $f(x) = (f_1(x), f_2(x), \dots, f_m(x))$ are not necessarily good. Therefore, designing an S-box with an optimal compromise among multiple cryptographic security indices is a difficult and key point in the design of cryptographic algorithms such as block ciphers, sequence ciphers, pseudo-random number generators, hash functions, message authentication codes (MACs) and signcryption.
Although cryptographers at home and abroad have achieved many important results in recent years on the security indices of the cryptographic functions used to construct S-boxes and on their construction, some basic problems remain unclear. For example: are there only six classes of almost perfect nonlinear (APN) power functions? Although constructions of Bent functions for S-boxes have been given, far fewer constructions build high-dimensional Bent functions from low-dimensional ones. In addition, the open problem of Boolean functions with optimal algebraic immunity that also resist fast algebraic attacks was solved in 2012, but corresponding constructions for S-boxes are still lacking. Finally, constructions of S-boxes with the best compromise among multiple cryptographic security indices are scarce, and in particular the construction of (n, m)-S-boxes with n = 16, 32 and n ≥ m that achieve this compromise is difficult and is the hardest point in S-box design.
Disclosure of Invention
To solve this technical problem, the invention provides an automatic generation method and system for an (n, m)-S-box.
The technical solution of the invention is as follows: a method for the automatic generation of an (n, m)-S-box, comprising:
let the (n, m)-S-box be $S: F_2^n \to F_2^m$; select one irreducible polynomial from the set of irreducible polynomials of degree n and represent it in binary as
Figure BDA0003562732550000021
For non-zero value
Figure BDA0003562732550000022
construct, by means of the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound:
Figure BDA0003562732550000023
wherein
Figure BDA0003562732550000024
judge whether the (n, m)-S-box meets the cryptographic security indices; if the preset cryptographic security indices are met, output the (n, m)-S-box, otherwise regenerate a new (n, m)-S-box and judge whether the new (n, m)-S-box meets the cryptographic security indices; wherein the cryptographic security indices include: differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks.
Compared with the prior art, the invention has the following advantages:
1. The invention discloses an automatic generation method for an (n, m)-S-box that can construct an (n, m)-S-box with any input length, any output length, a higher upper bound, optimal compromise and provable security, and can give an upper bound for each type of S-box. The generated S-box serves as the highly nonlinear component commonly used in the design of block ciphers, sequence ciphers, pseudo-random number generators, hash functions, message authentication codes (MACs) and authenticated encryption algorithms; it can also be used in the study and design of vectorial function constructions and almost perfect nonlinear (APN) permutations.
2. The invention uses a parallel method to solve the technical problem of rapidly computing high-degree polynomial inverses, so that the complexity of the inversion algorithm is reduced from O(n) to O(log(n)).
Drawings
FIG. 1 is a functional diagram of an (n, m)-S-box according to an embodiment of the present invention;
FIG. 2 is a block diagram of an automatic generation system for an (n, m)-S-box according to an embodiment of the present invention.
Detailed Description
The invention provides an automatic generation method for an (n, m)-S-box that can construct an (n, m)-S-box with any input length, any output length, a higher upper bound, optimal compromise and provable security; the upper bound of each type of S-box can be given, the technical problem of rapidly computing high-degree polynomial inverses is solved with a parallel method, and the complexity of the inversion algorithm is reduced.
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
For a better understanding of the following examples, the terms used therein are construed as follows:
the (n, m)-S-box is a function
Figure BDA0003562732550000031
represented as $S(x) = f(x)$ and expanded as:
$S(x_1, x_2, \dots, x_n) = (f_1(x_1, x_2, \dots, x_n), f_2(x_1, x_2, \dots, x_n), \dots, f_m(x_1, x_2, \dots, x_n))$, where the n-ary Boolean functions $f_1, f_2, \dots, f_m$ over $GF(2)$ are called the coordinate functions or component functions of the S-box.
For an n-th degree polynomial $q(x) = d_n x^n + d_{n-1} x^{n-1} + \dots + d_1 x + d_0$, where $d_n, d_{n-1}, \dots, d_1, d_0 \in GF(2)$, the binary representation of the polynomial is $q = d_n | d_{n-1} | \dots | d_1 | d_0$. Obviously
Figure BDA0003562732550000032
For example: polynomial of degree 4 q (x) x4+x3The binary representation of + x +1 is q 11011 0x1 b.
Definition 1: for an n-ary Boolean function fi(x) The Walsh spectrum is transformed into:
Figure BDA0003562732550000033
Definition 2 (nonlinearity): the nonlinearity of any n-ary Boolean function $f_i(x)$ is defined as $N_{f_i(x)} = 2^{n-1}\left(1 - \max_w |W_{(f_i(x))}(w)|\right)$. When the nonlinearity is
Figure BDA0003562732550000034
the Boolean function $f(x)$ is called a Bent function (perfectly nonlinear function).
Definition 3 ((n, m)-S-box balancedness): denote the (n, m)-S-box as the function
Figure BDA0003562732550000035
computed on
Figure BDA0003562732550000036
if the number of preimages of each image point is the same, the function S is called a balanced function.
Definition 4 ((n, m)-S-box linear probability): denote the (n, m)-S-box as
Figure BDA0003562732550000037
for any
Figure BDA0003562732550000038
the number of solutions of the equation $\alpha \cdot x = \beta \cdot S(x)$ is denoted by the symbol $M(\alpha, \beta)$, that is:
Figure BDA0003562732550000039
the linear probability of the S-box is defined as:
Figure BDA00035627325500000310
Definition 5 ((n, m)-S-box differential uniformity): denote the (n, m)-S-box as
Figure BDA00035627325500000311
for any
Figure BDA00035627325500000312
the number of solutions of the equation is denoted by the symbol $N(\Delta, \Omega)$, i.e.:
Figure BDA00035627325500000313
the differential uniformity of the S-box is defined as $\max_{\Delta \neq 0} \max_{\Omega} N(\Delta, \Omega)$.
Definition 6 ((n, m)-S-box algebraic degree): denote the (n, m)-S-box as
Figure BDA00035627325500000314
its algebraic degree is the minimum of the algebraic degrees of all non-zero linear combinations of the coordinate functions $f_1, f_2, \dots, f_m$:
Figure BDA00035627325500000315
Definition 7 ((n, m)-S-box algebraic immunity): denote the (n, m)-S-box as
Figure BDA0003562732550000041
its algebraic immunity is $AI(S) = \min\{\deg(P(x, f(x))) \mid P(x, f(x)) = 0\}$, where
Figure BDA0003562732550000042
$f(x) = S(x)$ and $\deg(P(x, y))$ is the algebraic degree of the (n+m)-variable polynomial $P(x, f(x)) = P(x_1, x_2, \dots, x_n; f_1, f_2, \dots, f_m)$.
Transparency order (TO) is the index of the resistance of an (n, m)-S-box to differential power analysis (DPA).
Definition 8 ((n, m)-S-box transparency order): denote the (n, m)-S-box as
Figure BDA0003562732550000043
its transparency order TO is:
Figure BDA0003562732550000044
where wt(u) and wt(v) are the Hamming weights (number of non-zero elements) of u and v respectively, and W denotes the Walsh spectrum.
The smaller the transparency order TO of an S-box, the stronger its resistance to DPA, i.e. the more power traces an attacker needs in order to recover the correct key, and the lower the efficiency of a DPA attack.
Definition 9 ((n, m)-S-box strict avalanche criterion): denote the (n, m)-S-box as
Figure BDA0003562732550000045
for any
Figure BDA0003562732550000046
if $f_j(x) + f_j(x + e_i)$ is a balanced function, the (n, m)-S-box is said to satisfy the strict avalanche criterion, where $e_i$ is the vector whose i-th component is 1 and whose other components are 0.
Definition 10: for an n-ary Boolean function $f_i(x)$ with Walsh transform as in Definition 1, $f_i(x)$ is a first-order correlation immune function if and only if, for any
Figure BDA0003562732550000047
with $wt(w) = 1$, $W_{(f_i(x))}(w) = 0$.
Definition 11: for an n-ary Boolean function $f_i(x)$, a non-zero Boolean function $t(x)$ satisfying $f_i \cdot t = 0$ is called an annihilator of $f_i(x)$; the minimum algebraic degree over all annihilators of $f_i(x)$ and $f_i(x) + 1$ is called the algebraic immunity of the function $f_i(x)$.
Definition 12: a polynomial that cannot be factored is called an irreducible polynomial: if a polynomial $g(x)$ with rational coefficients and degree greater than zero cannot be decomposed into the product of two rational-coefficient polynomials of lower degree (each greater than zero), $g(x)$ is called irreducible over the rationals.
Definition 13: when the feedback function of an n-stage feedback shift register over $GF(q)$ is linear and homogeneous, i.e. $f(a_i, a_{i+1}, \dots, a_{i+n-1}) = c_1 a_{i+n-1} + \dots + c_{n-1} a_{i+1} + c_n a_i$, the register is called an n-stage linear feedback shift register (LFSR) and is denoted n-LFSR.
Example one
As shown in FIG. 1, the automatic generation method for an (n, m)-S-box provided by an embodiment of the present invention includes the following steps:
let the (n, m)-S-box be $S: F_2^n \to F_2^m$; select one irreducible polynomial from the set of irreducible polynomials of degree n and represent it in binary as
Figure BDA0003562732550000051
For non-zero value
Figure BDA0003562732550000052
construct, by means of the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound:
Figure BDA0003562732550000053
wherein
Figure BDA0003562732550000054
judge whether the (n, m)-S-box meets the cryptographic security indices; if the preset cryptographic security indices are met, output the (n, m)-S-box, otherwise regenerate a new (n, m)-S-box and judge whether the new (n, m)-S-box meets the cryptographic security indices; wherein the cryptographic security indices include: differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks.
In one embodiment, step S1: let the (n, m)-S-box be $S: F_2^n \to F_2^m$; select one irreducible polynomial from the set of irreducible polynomials of degree n and represent it in binary as
Figure BDA0003562732550000055
For non-zero value
Figure BDA0003562732550000056
construct, by means of the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound:
Figure BDA0003562732550000057
wherein
Figure BDA0003562732550000058
judge whether the (n, m)-S-box meets the cryptographic security indices; if the preset cryptographic security indices are met, output the (n, m)-S-box, otherwise regenerate a new (n, m)-S-box and judge whether the new (n, m)-S-box meets the cryptographic security indices; wherein the cryptographic security index is formed by combining any of the following indices: differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks; the judgement specifically comprises the following steps:
Step S101: set the number of iteration rounds R = i for an integer i = 1, 2, …; set registers A, B and C of no fewer than n bits to store $(a_i, b_i, c_i)$;
Step S102: assign initial values to $(a_1, b_1, c_1), \dots, (a_i, b_i, c_i)$ and convert them into polynomial representation, where
Figure BDA0003562732550000059
Step S103: assign the polynomial x to register A; in the binary extension field $GF(2^n)$, based on Fermat's theorem, obtain the inverse $A^{-1}$ of the high-degree polynomial A by the parallel repeated shift method;
iteratively compute $a_i A^{-1} + b_i A + c_i \bmod q(x)$ for R rounds and save the obtained value to register A;
at this point, if m = n, output the content of register A as S(x) and go to step S104;
if m ≠ n, perform the following steps a and b:
a. for any τ, use the n-LFSR to generate the m-sequence λ ← n-LFSR(τ) and intercept an n-bit segment $\lambda_{n\text{-}bit}$ such that $wt(\lambda_{n\text{-}bit}) \ge m$, where $wt(\lambda_{n\text{-}bit})$ is the Hamming weight of $\lambda_{n\text{-}bit}$;
b. according to the values in register A and $\lambda_{n\text{-}bit}$, intercept from right to left the m binary values of register A at those positions where the corresponding bit of $\lambda_{n\text{-}bit}$ is 1; output the content of register A as S(x) and go to step S104;
The embodiment of the invention implements step S103 with the following pseudocode (the round loop and the bit-selection loop are written so that they match steps a and b above and the worked example at the end):
for (x = 0; x < 2^n; x++) {
    i ← 1; A ← x;
    while (i ≤ R) {
        // in the binary extension field GF(2^n), based on Fermat's theorem, obtain the inverse A^{-1}
        // of the high-degree polynomial A by the parallel repeated shift method
        B ← a_i A^{-1} + b_i A + c_i mod q(x);
        i++;
        A ← B;
    }
    if (m == n) { S(x) ← A; go to step S104; }
    else {
        // for any τ, generate the m-sequence λ ← n-LFSR(τ) and intercept λ_{n-bit} with wt(λ_{n-bit}) ≥ m,
        // where wt(λ_{n-bit}) is the Hamming weight of λ_{n-bit}; the n-bit sequence λ_{n-bit} is used
        // below to intercept an m-bit binary value from register A
        S(x) ← 0;
        for (int j = 0; j < m; ) {
            if (0x1 ∧ λ_{n-bit}) {      // is the bit of λ_{n-bit} at the current position of register A equal to 1?
                Figure BDA0003562732550000061
                // if so, S(x) is shifted left by one bit and the bit of register A at this position is taken into it
                j++;
            }
            λ_{n-bit} >>= 1;   // shift λ_{n-bit} right by one bit to compare the next bit
            A >>= 1;           // shift register A right by one bit to compare the next bit
        }
        // the m binary bits of register A are intercepted in turn and given to S(x); for example, let n = 8 and m = 4:
        // if A = 01010010 and λ_{n-bit} = 11010110, the 4 selected bits of register A are taken in turn, giving S(x) = 1011
        go to step S104;
    }
}
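The construction of steps S101 to S103, as an added worked example that is not the patent's own program: it uses the binary polynomial representation described above, computes $A^{-1}$ by Fermat's theorem with plain square-and-multiply (only the value the patent's parallel repeated shift method produces is reproduced, not that method), applies $a_i A^{-1} + b_i A + c_i \bmod q(x)$ for R rounds, and for m < n implements steps a and b with an n-LFSR mask. The field polynomial q = x^4 + x + 1 (binary 10011 = 0x13), the round constants, the seed τ = 1 and the cross-check against the AES polynomial 0x11B are assumptions chosen for illustration.

```python
# Added example, not the patent's program: GF(2^n) arithmetic in the binary
# representation q = d_n|...|d_0, inversion by Fermat's theorem, the iterated
# a_i*A^{-1} + b_i*A + c_i mod q(x) construction of step S103 and the
# LFSR-mask truncation of steps a/b for m < n.

def gf_mul(x, y, q, n):
    """Multiply two elements of GF(2^n) modulo the degree-n binary polynomial q."""
    r = 0
    for _ in range(n):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> n:          # degree reached n: reduce by q
            x ^= q
    return r

def gf_inv(x, q, n):
    """A^{-1} = A^(2^n - 2) by Fermat's theorem, square-and-multiply.
    The patent's parallel repeated shift method computes the same value."""
    if x == 0:
        return 0            # 0 has no inverse; mapped to 0 as the AES S-box does
    exp, r, base = (1 << n) - 2, 1, x
    while exp:
        if exp & 1:
            r = gf_mul(r, base, q, n)
        base = gf_mul(base, base, q, n)
        exp >>= 1
    return r

def lfsr_bits(tau, q, n, count):
    """n-LFSR (Definition 13): feedback taps are the low n bits of q, initial
    state is the non-zero n-bit value tau; returns the first `count` output bits."""
    taps, state, out = q & ((1 << n) - 1), tau & ((1 << n) - 1), []
    for _ in range(count):
        out.append(state & 1)
        new = bin(state & taps).count("1") & 1
        state = (state >> 1) | (new << (n - 1))
    return out

def lfsr_mask(tau, q, n, m):
    """Step a: the first n-bit window of the m-sequence with Hamming weight >= m
    (bit j of the returned mask is the j-th bit of the window)."""
    bits = lfsr_bits(tau, q, n, 2 * (1 << n))
    for i in range(len(bits) - n + 1):
        window = bits[i:i + n]
        if sum(window) >= m:
            return sum(b << j for j, b in enumerate(window))
    raise ValueError("no n-bit window of weight >= m")

def truncate(a, mask, n, m):
    """Step b: scan register A from right to left, keep the bit wherever the mask
    has a 1, shifting S(x) left before each bit is taken; m bits in total
    (page example: A = 01010010, mask = 11010110, m = 4 gives 1011)."""
    s, taken = 0, 0
    for j in range(n):
        if taken == m:
            break
        if (mask >> j) & 1:
            s = (s << 1) | ((a >> j) & 1)
            taken += 1
    return s

def build_sbox(n, m, q, rounds, tau=1):
    """Truth table of the (n, m)-S-box: R rounds of a_i*A^{-1} + b_i*A + c_i mod q(x)
    for every input x, then LFSR-mask truncation to m bits when m < n."""
    mask = None if m == n else lfsr_mask(tau, q, n, m)
    table = []
    for x in range(1 << n):
        a_reg = x
        for ai, bi, ci in rounds:
            a_reg = gf_mul(ai, gf_inv(a_reg, q, n), q, n) ^ gf_mul(bi, a_reg, q, n) ^ ci
        table.append(a_reg if mask is None else truncate(a_reg, mask, n, m))
    return table

if __name__ == "__main__":
    # assumed parameters: q = x^4 + x + 1 (0x13), one round with (a, b, c) = (1, 0, 0),
    # i.e. the bare inverse map over GF(2^4); then the same map truncated to m = 2
    print([hex(v) for v in build_sbox(4, 4, 0x13, [(1, 0, 0)])])
    print([hex(v) for v in build_sbox(4, 2, 0x13, [(1, 0, 0)])])
```

With (a, b, c) = (1, 0, 0) and one round the table is the multiplicative inverse over GF(2^4); further rounds with non-zero b_i and c_i add the affine layer that the embodiment iterates, and the same functions scale to n = 8 with an irreducible polynomial of degree 8.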
Step S104: judge the differential uniformity of S(x); if it is greater than the threshold, go to step S102 and regenerate an (n, m)-S-box; otherwise go to step S105;
in the embodiment of the invention, the differential uniformity threshold is set to 4 when n ≤ 8 and to 6 otherwise;
Step S105: if the nonlinearity of S(x) is within the APN threshold range, go to step S102; otherwise go to step S106;
Step S106: judge the balancedness of S(x); if it is not balanced, go to step S102; otherwise go to step S107;
Step S107: judge the algebraic degree of S(x); if it is less than the threshold, go to step S102; otherwise go to step S108;
in the embodiment of the invention, the algebraic degree threshold is set to n - 1;
Step S108: judge the number of fixed points of S(x); if it is greater than the threshold, go to step S102; otherwise go to step S109;
in the embodiment of the invention, the fixed-point threshold is set to 0 when n < 16 and to 1 otherwise;
Step S109: judge the strict avalanche criterion of S(x); if it is not satisfied, go to step S102; otherwise go to step S110;
Step S110: judge the algebraic immunity of S(x); if it is less than the threshold, go to step S102; otherwise go to step S111;
Step S111: judge the first-order correlation immunity of S(x); if it is greater than the threshold, go to step S102; otherwise go to step S112;
Step S112: judge the number of algebraic normal form terms of S(x); if it is less than the threshold, go to step S102; otherwise go to step S113;
Step S113: judge the transparency order of S(x); if it is greater than the threshold, go to step S102; otherwise go to step S114;
in the embodiment of the invention, the transparency order threshold is set to 6;
Step S114: judge the number of 1-bit input/output differences of S(x); if it is 0, go to step S102; otherwise go to step S115;
Step S115: judge the number of 1-bit input/output linear masks of S(x); if it is n, go to step S102; otherwise output the (n, m)-S-box S(x).
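The indices of Definitions 2, 3, 5, 6 and 9 and the screening flow of steps S104 to S110, as an added example that is not the patent's program: each index is computed directly from a truth table, and the thresholds are the ones the embodiment states (differential uniformity 4 for n ≤ 8, algebraic degree n - 1, fixed points 0 for n < 16). The input is a constructed sample, the inverse map over GF(2^4) with q = x^4 + x + 1; it passes the differential uniformity, balancedness and degree checks but is sent back to step S102 by the fixed-point check (0 and 1 are fixed) and by the strict avalanche criterion, which is one reason step S103 iterates the affine form $a_i A^{-1} + b_i A + c_i$ rather than outputting the bare inverse. Nonlinearity is computed from the unnormalised Walsh spectrum; the APN range check of step S105 and the remaining indices are not reproduced here.

```python
# Added example, not the patent's program: security indices from a truth table
# and the screening of steps S104-S110 with the embodiment's thresholds.
# Constructed input: the inverse map over GF(2^4) with q = x^4 + x + 1.
INV_GF16 = [0x0, 0x1, 0x9, 0xE, 0xD, 0xB, 0x7, 0x6,
            0xF, 0x2, 0xC, 0x5, 0xA, 0x4, 0x3, 0x8]

def parity(v):
    return bin(v).count("1") & 1

def differential_uniformity(S, n):
    """Definition 5: max over input difference D != 0 and output difference O of
    N(D, O) = #{x : S(x) ^ S(x ^ D) = O}."""
    worst = 0
    for d in range(1, 1 << n):
        counts = {}
        for x in range(1 << n):
            o = S[x] ^ S[x ^ d]
            counts[o] = counts.get(o, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst

def walsh(S, n, a, b):
    """Definition 1 for the component function b.S: W(a) = sum_x (-1)^(b.S(x) + a.x)."""
    return sum(1 - 2 * (parity(b & S[x]) ^ parity(a & x)) for x in range(1 << n))

def nonlinearity(S, n, m):
    """Definition 2 with the unnormalised spectrum: 2^(n-1) - max|W|/2,
    minimised over all non-zero output masks b."""
    worst = max(abs(walsh(S, n, a, b)) for b in range(1, 1 << m) for a in range(1 << n))
    return (1 << (n - 1)) - worst // 2

def is_balanced(S, n, m):
    """Definition 3: each of the 2^m image points has the same number of preimages."""
    counts = {}
    for v in S:
        counts[v] = counts.get(v, 0) + 1
    return len(counts) == (1 << m) and len(set(counts.values())) == 1

def algebraic_degree(S, n, m):
    """Definition 6: minimum degree over all non-zero linear combinations b.S of
    the coordinate functions, read from the ANF via the Moebius transform."""
    best = None
    for b in range(1, 1 << m):
        anf = [parity(b & v) for v in S]
        for i in range(n):
            for x in range(1 << n):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        deg = max((bin(x).count("1") for x in range(1 << n) if anf[x]), default=0)
        best = deg if best is None else min(best, deg)
    return best

def fixed_points(S):
    return sum(1 for x, v in enumerate(S) if v == x)

def satisfies_sac(S, n, m):
    """Definition 9: f_j(x) + f_j(x + e_i) is balanced for every input bit i
    and every coordinate j."""
    for i in range(n):
        for j in range(m):
            ones = sum(((S[x] ^ S[x ^ (1 << i)]) >> j) & 1 for x in range(1 << n))
            if ones != (1 << (n - 1)):
                return False
    return True

def screen(S, n, m):
    """Steps S104-S110 in the order of the embodiment; returns the computed indices
    and the names of the checks that would send the flow back to step S102."""
    du_max = 4 if n <= 8 else 6
    fp_max = 0 if n < 16 else 1
    metrics = {
        "differential_uniformity": differential_uniformity(S, n),
        "nonlinearity": nonlinearity(S, n, m),
        "balanced": is_balanced(S, n, m),
        "algebraic_degree": algebraic_degree(S, n, m),
        "fixed_points": fixed_points(S),
        "sac": satisfies_sac(S, n, m),
    }
    failed = []
    if metrics["differential_uniformity"] > du_max:
        failed.append("differential_uniformity")
    if not metrics["balanced"]:
        failed.append("balanced")
    if metrics["algebraic_degree"] < n - 1:
        failed.append("algebraic_degree")
    if metrics["fixed_points"] > fp_max:
        failed.append("fixed_points")
    if not metrics["sac"]:
        failed.append("sac")
    return metrics, failed

if __name__ == "__main__":
    print(screen(INV_GF16, 4, 4))
```

Running the same screen on the identity table `list(range(16))` gives differential uniformity 16, nonlinearity 0 and degree 1, which is the kind of candidate the loop back to step S102 is meant to discard immediately.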
In the embodiment of the present invention, the above steps S104 to S115 are ordered according to the importance of the cryptographic security indices and are only an example. The embodiment is not limited to this order or to the selected range of cryptographic security indices; S-boxes can be screened after the indices have been arranged and combined according to actual needs.
The method provided by the invention can randomly and automatically generate 10 types of (n, m)-S-boxes (n = 4, 8, 16, 32 and n ≥ m), namely 10 types of S-boxes with a higher upper bound and the currently common input lengths of 4, 8, 16 and 32 bits, specifically: all (4,4)-S-boxes, almost all (8,8)-S-boxes, almost all (8,4)-S-boxes, and higher-upper-bound (16,16)-, (16,8)-, (16,4)-, (32,32)-, (32,16)-, (32,8)- and (32,4)-S-boxes; it can also give an upper bound for each type of S-box.
The embodiment of the invention uses a C-language program to automatically generate S-boxes with an "optimal compromise of cryptographic properties"; it considers differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks, and selects the S-box with the optimal compromise among these cryptographic security indices. All S-boxes with 4-bit and 8-bit inputs can reach the optimum on all indices; all S-boxes with 16-bit and 32-bit inputs can reach the optimum on 4 to 5 indices.
The speed of generating (n, m)-S-boxes is mainly determined by the storage and testing speed; the embodiment can generate all (4,4)-S-boxes and a large number of (8,8)- or (8,4)-S-boxes within a few minutes; one (16,16)-, (16,8)- or (16,4)-S-box can be generated within minutes; generating one (32,32)-, (32,16)-, (32,8)- or (32,4)-S-box takes a long time.
All S-boxes generated by the embodiment of the invention are output as truth tables (minterm representation), which facilitates application and performance analysis.
The invention discloses an automatic generation method for an (n, m)-S-box that can construct an (n, m)-S-box with any input length, any output length, a higher upper bound, optimal compromise and provable security, and can give an upper bound for each type of S-box. The generated S-box serves as the highly nonlinear component commonly used in the design of block ciphers, sequence ciphers, pseudo-random number generators, hash functions, message authentication codes (MACs) and authenticated encryption algorithms; it can also be used in the construction of vectorial functions and in the study and design of almost perfect nonlinear (APN) permutations. The invention uses a parallel method to solve the technical problem of rapidly computing high-degree polynomial inverses, so that the complexity of the inversion algorithm is reduced from O(n) to O(log(n)).
Example two
As shown in FIG. 2, an embodiment of the present invention provides an automatic generation system for an (n, m)-S-box, including the following modules:
an S-box module 11, configured to set the (n, m)-S-box $S: F_2^n \to F_2^m$, select one irreducible polynomial from the set of irreducible polynomials of degree n and represent it in binary as
Figure BDA0003562732550000091
For non-zero value
Figure BDA0003562732550000092
and construct, by means of the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound:
Figure BDA0003562732550000093
wherein
Figure BDA0003562732550000094
an S-box performance judging module 12, configured to judge whether the (n, m)-S-box meets the cryptographic security indices; if the preset cryptographic security indices are met, output the (n, m)-S-box, otherwise regenerate a new (n, m)-S-box and judge whether the new (n, m)-S-box meets the cryptographic security indices; wherein the cryptographic security indices include: differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks.
The above examples are provided only for the purpose of describing the present invention, and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalent substitutions and modifications can be made without departing from the spirit and principles of the invention, and are intended to be within the scope of the invention.

Claims (3)

1. A method for automatically generating an (n, m)-S-box, comprising:
let the (n, m)-S-box be $S: F_2^n \to F_2^m$; select one irreducible polynomial from the set of irreducible polynomials of degree n and represent it in binary as
Figure FDA0003562732540000011
For non-zero value
Figure FDA0003562732540000012
construct, by means of the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound:
Figure FDA0003562732540000013
wherein
Figure FDA0003562732540000014
judge whether the (n, m)-S-box meets the cryptographic security indices; if the preset cryptographic security indices are met, output the (n, m)-S-box, otherwise regenerate a new (n, m)-S-box and judge whether the new (n, m)-S-box meets the cryptographic security indices; wherein the cryptographic security indices include: differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks.
2. The method for automatically generating an (n, m)-S-box according to claim 1, characterized in that step S1: let the (n, m)-S-box be $S: F_2^n \to F_2^m$; select one irreducible polynomial from the set of irreducible polynomials of degree n and represent it in binary as
Figure FDA0003562732540000015
For non-zero value
Figure FDA0003562732540000016
construct, by means of the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound:
Figure FDA0003562732540000017
wherein
Figure FDA0003562732540000018
judge whether the (n, m)-S-box meets the cryptographic security indices; if the preset cryptographic security indices are met, output the (n, m)-S-box, otherwise regenerate a new (n, m)-S-box and judge whether the new (n, m)-S-box meets the cryptographic security indices; wherein the cryptographic security index is formed by combining any of the following indices: differential uniformity, nonlinearity, balancedness, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks; the judgement specifically comprises the following steps:
Step S101: set the number of iteration rounds R = i for an integer i = 1, 2, …; set registers A, B and C of no fewer than n bits;
Step S102: assign initial values to $(a_1, b_1, c_1), \dots, (a_i, b_i, c_i)$ and convert them into polynomial representation, where
Figure FDA0003562732540000019
step S103: assign the polynomial x to register A; in the binary extension field GF(2^n), based on Fermat's theorem, obtain the inverse A^-1 of the high-order polynomial A by the parallel repeated shift method;
iteratively compute a_i A^-1 + b_i A + c_i mod q(x) through R rounds, saving the obtained value to register A;
at this point, if m = n, output the content of register A as S(x) and go to step S104;
if m ≠ n, perform the following steps a and b:
a. for any τ, use an n-LFSR to generate the m-sequence λ ← n-LFSR(τ), and intercept λ_(n-bit), where wt(λ_(n-bit)) ≥ m and wt(λ_(n-bit)) is the Hamming weight of λ_(n-bit);
b. according to the binary values in register A and λ_(n-bit), intercept m bits of register A from right to left such that the value of λ_(n-bit) at the corresponding position of register A is 1; output the content of register A as S(x), and go to step S104;
step S104: determine the differential uniformity of S(x); if the differential uniformity is greater than the threshold, go to step S102 and regenerate the (n, m)-S-box; otherwise, go to step S105;
step S105: if the nonlinearity of S(x) is not within the APN threshold range, go to step S102; otherwise, go to step S106;
step S106: determine the balance of S(x); if it is not balanced, go to step S102; otherwise, go to step S107;
step S107: determine the algebraic degree of S(x); if the algebraic degree is less than the threshold, go to step S102; otherwise, go to step S108;
step S108: determine the number of fixed points of S(x); if the number is greater than the threshold, go to step S102; otherwise, go to step S109;
step S109: determine the strict avalanche criterion of S(x); if S(x) does not satisfy the strict avalanche criterion, go to step S102; otherwise, go to step S110;
step S110: determine the algebraic immunity order of S(x); if the algebraic immunity order is less than the threshold, go to step S102; otherwise, go to step S111;
step S111: determine the first-order correlation immunity of S(x); if the first-order correlation immunity does not meet the threshold, go to step S102; otherwise, go to step S112;
step S112: determine the number of algebraic normal form terms of S(x); if the number of algebraic normal form terms is less than the threshold, go to step S102; otherwise, go to step S113;
step S113: determine the transparency order of S(x); if the transparency order is greater than the threshold, go to step S102; otherwise, go to step S114, or else output the (n, m)-S-box S(x);
step S114: determine the number of 1-bit input/output differences of S(x); if the number is 0, go to step S102; otherwise, go to step S115;
step S115: determine the number of 1-bit input/output linear masks of S(x); if the number is n, go to step S102; otherwise, output the (n, m)-S-box S(x).
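The following is an added example, not code from the patent or its applicant: a small Python model of steps S103 to S105 for n = m = 4. It assumes a constructed field polynomial q(x) = x^4 + x + 1, uses square-and-multiply in place of the claimed parallel repeated-shift inversion, and treats the round constants (a_i, b_i, c_i) as caller-supplied inputs; the differential-uniformity and nonlinearity checks are the step S104 and S105 indices computed in full.

```python
from itertools import product

N = 4            # n = m = 4 for this constructed example
Q = 0b10011      # q(x) = x^4 + x + 1, an irreducible polynomial chosen for the example

def gf_mul(x, y, n=N, q=Q):
    # Multiply two bit-packed polynomials modulo q(x), reducing after every shift.
    r = 0
    for _ in range(n):
        r ^= x if y & 1 else 0
        y, x = y >> 1, x << 1
        if (x >> n) & 1:
            x ^= q
    return r

def gf_inv(x, n=N):
    # Fermat: x^-1 = x^(2^n - 2) in GF(2^n), with 0 -> 0. Square-and-multiply
    # stands in for the parallel repeated-shift method of claim step S103.
    r, e, base = 1, (1 << n) - 2, x
    while e:
        r = gf_mul(r, base, n) if e & 1 else r
        base, e = gf_mul(base, base, n), e >> 1
    return r

def build_sbox(rounds, n=N):
    # rounds = [(a_i, b_i, c_i)]; each round sets A <- a_i*A^-1 + b_i*A + c_i mod q(x).
    sbox = []
    for x in range(1 << n):
        a_reg = x                         # register A starts as the input polynomial x
        for a, b, c in rounds:
            a_reg = gf_mul(a, gf_inv(a_reg, n), n) ^ gf_mul(b, a_reg, n) ^ c
        sbox.append(a_reg)
    return sbox

def differential_uniformity(sbox):
    # Largest difference-distribution-table entry over nonzero input differences (step S104).
    size, best = len(sbox), 0
    for d in range(1, size):
        row = [sbox[x] ^ sbox[x ^ d] for x in range(size)]
        best = max(best, max(row.count(v) for v in set(row)))
    return best

def nonlinearity(sbox, n=N, m=N):
    # 2^(n-1) - max|W(a, b)| / 2 over all input masks a and nonzero output masks b (step S105).
    size, worst = 1 << n, 0
    for a, b in product(range(size), range(1, 1 << m)):
        w = sum((-1) ** (bin(a & x).count("1") + bin(b & sbox[x]).count("1")) for x in range(size))
        worst = max(worst, abs(w))
    return (size - worst) // 2
```

A single round with (a, b, c) = (1, 0, 0) is the plain field inverse, which for n = 4 is differentially 4-uniform with nonlinearity 4; a second identical round inverts it back to the identity, which is a quick sanity check of the round structure.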
3. An automatic generation system for (n, m)-S-boxes, characterized by comprising the following modules:
an S-box construction module for constructing an (n, m)-S-box S: F_2^n → F_2^m, selecting one existing polynomial from the existing set of n-degree polynomials and writing it in binary as
Figure FDA0003562732540000031
For a non-zero value
Figure FDA0003562732540000032
Using the EA-equivalence method and the parallel repeated shift method, an (n, m)-S-box that can achieve a higher upper bound is constructed:
Figure FDA0003562732540000033
wherein
Figure FDA0003562732540000034
an S-box performance judging module for determining whether the (n, m)-S-box satisfies the cryptographic security index; if the preset cryptographic security index is satisfied, the (n, m)-S-box is output; otherwise, a new (n, m)-S-box is regenerated and it is determined whether the new (n, m)-S-box satisfies the cryptographic security index; wherein the cryptographic security index comprises: differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity order, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences, and number of 1-bit input/output linear masks.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210294442.6A CN114710272B (en) 2022-03-24 2022-03-24 Automatic generation method and system of (n, m) -S box

Publications (2)

Publication Number Publication Date
CN114710272A true CN114710272A (en) 2022-07-05
CN114710272B CN114710272B (en) 2024-06-07

Family

ID=82170187

Country Status (1)

Country Link
CN (1) CN114710272B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109905231A (en) * 2019-02-26 2019-06-18 清华大学 A kind of S box building method of novel password dedicated 4 × 4
CN113783684A (en) * 2021-09-15 2021-12-10 桂林电子科技大学 16-bit S box construction method based on NFSR and Feistel structures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant