CN114710272B - Automatic generation method and system of (n, m) -S box - Google Patents

Automatic generation method and system of (n, m)-S box

Info

Publication number
CN114710272B
Authority
CN
China
Prior art keywords
box
judging
turning
bit
algebraic
Prior art date
Legal status
Active
Application number
CN202210294442.6A
Other languages
Chinese (zh)
Other versions
CN114710272A (en)
Inventor
袁征
刘晨祎
Current Assignee
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Original Assignee
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Priority date
Filing date
Publication date
Application filed by BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Priority to CN202210294442.6A
Publication of CN114710272A
Application granted
Publication of CN114710272B
Status: Active
Anticipated expiration


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Complex Calculations (AREA)

Abstract

The invention relates to a method and a system for automatically generating an (n, m)-S box. The method comprises the following steps: selecting one irreducible polynomial from the existing set of irreducible polynomials of degree n, and constructing an (n, m)-S box with a higher upper bound by using an EA-equivalence method and a parallel repeated shifting method; judging whether the (n, m)-S box meets the cryptographic security index; outputting the (n, m)-S box if the preset cryptographic security index is met, otherwise regenerating a new (n, m)-S box until the preset cryptographic security index is met. The method provided by the invention can construct an (n, m)-S box with arbitrary input length, arbitrary output length, a higher upper bound, an optimal compromise and provable security; the upper bound of each class of S box can be given, and the parallel method solves the technical problem of quickly computing the inverse of a high-degree polynomial and reduces the complexity of the inversion algorithm.

Description

Automatic generation method and system of (n, m)-S box
Technical Field
The invention belongs to the field of information security and cryptography, and particularly relates to an automatic generation method and system of an (n, m)-S box.
Background
Information is an important strategic resource worldwide, and information security is a major concern of governments and militaries around the world. Cryptography and cryptographic technology are the theoretical core and technical foundation of information security, and the confidentiality, integrity and authentication provided by cryptographic algorithms such as block ciphers, stream ciphers, hash functions, message authentication codes (MACs) and signcryption are the primary subject matter of cryptography and cryptographic technology. The S-box is an important tool for designing the nonlinear components of these cryptographic algorithms.
In order to resist existing attack methods, the S box used in a cryptographic algorithm must meet certain security requirements. The security indices of an S box include nonlinearity, differential uniformity, balance, algebraic degree and the like. It should be noted that these security indices influence and restrict one another, so when an S-box is designed or selected as the nonlinear component of a cryptographic algorithm they must be considered together. It should also be noted that even when each component function f_1(x), f_2(x), ..., f_m(x) of the S-box output F(x) = (f_1(x), f_2(x), ..., f_m(x)) has good security indices, the security indices of the combined output function F(x) = (f_1(x), f_2(x), ..., f_m(x)) are not necessarily good. Therefore, designing an S-box with an "optimal compromise of multiple cryptographic security indices" is the difficult and key point in designing block ciphers, stream ciphers, pseudo-random number generators, hash functions, MACs, signcryption and the like.
Although cryptographers at home and abroad have achieved many important results in recent years on the security indices of S-box cryptographic functions and their construction, some basic problems remain open, for example: are there only 6 classes of power functions that are almost perfect nonlinear (APN) functions? Constructions of S-box Bent functions have been presented, but secondary constructions that build high-dimensional S-box Bent functions from low-dimensional ones are far fewer. In addition, the existence problem of Boolean functions with perfect algebraic immunity against fast algebraic attacks was solved in 2012, but the construction of the corresponding S-boxes is still lacking. Finally, the construction of S-boxes with an optimal compromise of various cryptographic security indices is still very limited; in particular, constructing (n, m)-S boxes (n = 16, 32 and n ≥ m) with such an optimal compromise is very difficult and is the hardest point of S-box design.
Disclosure of Invention
In order to solve the above technical problems, the invention provides an automatic generation method and system of an (n, m)-S box.
The technical scheme of the invention is as follows: an automatic generation method of an (n, m)-S box, comprising:
let (n, m) -S box be S: f 2 n→F2 m selecting one of the existing n-degree reduced polynomial sets and expressing it as binary system For non-zero values/>By using an EA-equivalent method and a parallel repeated shift method, a (n, m) -S box with a higher upper bound can be constructed: /(I)Wherein/>
judging whether the (n, m)-S box meets the cryptographic security index; outputting the (n, m)-S box if the preset cryptographic security index is met, otherwise regenerating a new (n, m)-S box and judging whether it meets the cryptographic security index; wherein the cryptographic security index is composed of any combination of the following indices: differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of input/output 1-bit differentials and number of input/output 1-bit linear masks.
Compared with the prior art, the invention has the following advantages:
1. The invention discloses an automatic generation method of an (n, m)-S box which can construct an (n, m)-S box with arbitrary input length, arbitrary output length, a higher upper bound, an optimal compromise and provable security, and can give an upper bound for each class of S box. The generated S box can be used as the highly nonlinear component commonly required in the design of block cipher algorithms, stream cipher algorithms, pseudo-random number generators, hash functions, message authentication codes (MACs) and authenticated encryption algorithms; it can also be used in the study and design of vectorial function constructions and almost perfect nonlinear (APN) permutations.
2. The invention solves the technical problem of quickly computing the inverse of a high-degree polynomial by using the parallel method, so that the complexity of the inversion algorithm is reduced from O(n) to O(log(n)).
Drawings
FIG. 1 is a functional diagram of an (n, m)-S box according to an embodiment of the present invention;
FIG. 2 is a block diagram of an automatic generation system of an (n, m)-S box according to an embodiment of the present invention.
Detailed Description
The invention provides an automatic generation method of an (n, m)-S box, which can construct an (n, m)-S box with arbitrary input length, arbitrary output length, a higher upper bound, an optimal compromise and provable security; the upper bound of each class of S box can be given, and the parallel method solves the technical problem of quickly computing the inverse of a high-degree polynomial and reduces the complexity of the inversion algorithm.
The present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments, in order to make its objects, technical solutions and advantages more apparent.
For a better understanding of the following examples, the terms used in them are explained first:
The (n, m) -S box is one Is expressed as: s (x) =f (x), and expands to:
S(x_1, x_2, ..., x_n) = (f_1(x_1, x_2, ..., x_n), f_2(x_1, x_2, ..., x_n), ..., f_m(x_1, x_2, ..., x_n)), where the n-variable Boolean functions f_1, f_2, ..., f_m with values in GF(2) are called the coordinate functions or component functions of the S-box.
For a polynomial of degree n q (x) =d nxn+dn-1xn-1+...+d1x+d0, where d n,dn-1,...,d1,d0 e GF (2), the binary representation of the polynomial is q=d n|dn-1|...|d1|d0, it is evident thatFor example: the binary representation of the 4 th order polynomial q (x) =x 4+x3 +x+1 is q=11011=0x1b.
Definition 1: for an n-ary Boolean function f i (x), the Walsh spectrum is transformed into:
Definition 2 (nonlinearity): the nonlinearity of any n-variable Boolean function f_i(x) is defined as N_{f_i} = 2^{n-1}(1 - max_w |W_{f_i}(w)|). Non-linearity degree The Boolean function f(x) is called a Bent function (perfectly nonlinear function) when this is the case.
Definition 3 ((n, m) -S-box balance): the (n, m) -S box is noted as a functionCalculate at/>The S function is called as a balance function if the number of the primary images corresponding to each image point is the same.
Definition of 4 ((n, m) -S-box linear probability): the (n, m) -S box is marked asFor any oneThe number of solutions to the equation α·x=β·s (x) is represented by the symbol M (α, β), namely: The linear probability of the S-box is defined as: /(I)
Definition 5 ((n, m) -S-box differential uniformity): the (n, m) -S box is marked asFor any oneThe number of equation solutions is denoted by the symbol N (Δ, Ω), namely: the differential uniformity of the S-box is defined as: max Δ≠0maxΩ N (Δ, Ω).
Definition 6 ((n, m) -S-box algebraic times): the (n, m) -S box is marked asThe algebraic number is the minimum of the number of non-zero linear combinations of all the coordinate functions f 1,f2,...,fm: /(I)
Definition 7 ((n, m) -S-box algebraic immune order): the (n, m) -S box is marked asThe algebraic immune order is: AI (S) =min { deg (P (x, f (x))) |p (x, f (x))=0, wherein/>F (x) =s (x) and deg (P (x, y)) is the algebraic degree of the n+m-ary polynomial P (x, f (x))=p (x 1,x2,...,xn;f1,f2,...,fm).
The transparency order (TRANSPARENCY ORDER, abbreviated TO) is the index of an (n, m)-S box against differential power analysis (DPA).
Definition 8 ((n, m) -S-box transparency level index): the (n, m) -S box is marked asThe transparent TO index is:
where wt(u) and wt(v) are the Hamming weights (i.e. the number of non-zero elements) of u and v respectively, and W denotes the Walsh spectrum.
The smaller the transparency order TO of the S-box, the stronger its resistance to DPA attacks: the attacker needs more traces to recover the correct key from them, so the efficiency of the DPA attack is lower.
Definition 9 (n, m) -S box strict avalanche criterion): the (n, m) -S box is marked asFor any arbitraryF j(x)+fj(x+ei) is a balance function, then the (n, m) -S box is said to meet the strict avalanche criterion, with the i-th component of e i being 1 and the remainder being 0.
Definition 10: for an n-ary Boolean function f i (x), the Walsh spectrum is transformed into: f i (x) is the first-order correlation immune function if and only if for anyWt (W) =1 and W (fi(x)) (W) =0.
Definition 11: for an n-variable Boolean function f_i(x), a non-zero Boolean function t(x) satisfying f_i · t = 0 is called an annihilator of f_i(x), and the minimum of the algebraic degrees over all annihilators of f_i(x) and of f_i(x) + 1 is the algebraic immunity of the function f_i(x).
Definition 12: the polynomial used here is an 'irreducible polynomial': if a polynomial g(x) with rational coefficients and degree greater than zero cannot be decomposed into the product of two rational-coefficient polynomials of lower degree, g(x) is called an irreducible polynomial over the rationals.
Definition 13: when the feedback function of an n-stage feedback shift register over GF(q) is linear and homogeneous, f(a_i, a_{i+1}, ..., a_{i+n-1}) = c_1 a_{i+n-1} + ... + c_{n-1} a_{i+1} + c_n a_i, it is called an n-stage linear feedback shift register (Linear Feedback Shift Register, LFSR), denoted n-LFSR.
Example 1
As shown in FIG. 1, the method for automatically generating an (n, m)-S box provided by the embodiment of the invention comprises the following steps:
let (n, m) -S box be S: f 2 n→F2 m selecting one of the existing n-degree reduced polynomial sets and expressing it as binary system For non-zero values/>By using an EA-equivalent method and a parallel repeated shift method, a (n, m) -S box with a higher upper bound can be constructed: /(I)Wherein/>
judging whether the (n, m)-S box meets the cryptographic security index; outputting the (n, m)-S box if the preset cryptographic security index is met, otherwise regenerating a new (n, m)-S box and judging whether the new (n, m)-S box meets the cryptographic security index; wherein the cryptographic security index is composed of any combination of the following indices: differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of input/output 1-bit differentials and number of input/output 1-bit linear masks.
In one embodiment, step S1 described above: let (n, m) -S box be S: f 2 n→F2 m selecting one of the existing n-degree reduced polynomial sets and expressing it as binary systemFor non-zero values/>By using an EA-equivalent method and a parallel repeated shift method, a (n, m) -S box with a higher upper bound can be constructed: /(I)Wherein the method comprises the steps of
judging whether the (n, m)-S box meets the cryptographic security index; outputting the (n, m)-S box if the preset cryptographic security index is met, otherwise regenerating a new (n, m)-S box and judging whether the new (n, m)-S box meets the cryptographic security index; wherein the cryptographic security index is composed of any combination of differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of input/output 1-bit differentials and number of input/output 1-bit linear masks, and specifically comprises:
Step S101: let the integer i = 1, 2, ...; set the number of iteration rounds R = i; set registers A, B and C of not less than n bits to store (a_i, b_i, c_i);
Step S102: giving an initial value to (a 1,b1,c1),...,(ai,bi,ci), and converting the initial value into a polynomial expression, wherein,
Step S103: assign the polynomial x to register A; over the binary extension field GF(2^n), based on Fermat's theorem, use the parallel repeated shifting method to obtain the inverse A^-1 of the high-degree polynomial A;
carry out R rounds of the iterative computation a_i A^-1 + b_i A + c_i mod q(x), storing the obtained value in register A;
at this point, if m = n, output the content of register A as S(x) and go to step S104;
if m ≠ n, perform the following steps a and b:
a. for any τ, generate an m-sequence λ ← n-LFSR(τ) with an n-stage LFSR and intercept λ_{n-bit}, where wt(λ_{n-bit}) ≥ m and wt(λ_{n-bit}) is the Hamming weight of λ_{n-bit};
b. according to the values in register A and λ_{n-bit}, cut m binary values out of register A from right to left at the positions where the corresponding bit of λ_{n-bit} is 1; output the content of register A as S(x) and go to step S104;
the embodiment of the invention realizes step S103 with the following pseudocode:
    for (x = 0; x < 2^n; x++) {
        A ← x;
        for (i = 1; i ≤ R; i++) {
            // over GF(2^n), based on Fermat's theorem, obtain the inverse A^-1 of the
            // high-degree polynomial A with the parallel repeated shifting method
            B ← a_i·A^-1 + b_i·A + c_i mod q(x);
            A ← B;
        }
        if (m = n) { S(x) ← A; go to step S104; }
        else {
            // for any τ, generate an m-sequence λ ← n-LFSR(τ) with an n-stage LFSR and intercept
            // λ_{n-bit}, where wt(λ_{n-bit}) ≥ m and wt(λ_{n-bit}) is its Hamming weight; the
            // n-bit sequence λ_{n-bit} is used below to extract an m-bit binary value from register A
            for (j = 0; j < m; ) {
                if (λ_{n-bit} & 0x1) {               // is the bit of λ_{n-bit} at this position of register A equal to 1?
                    S(x) ← (S(x) << 1) | (A & 0x1);  // if so, take the bit of A at that position and shift S(x) left by one
                    j++;
                }
                λ_{n-bit} >>= 1;                     // shift λ_{n-bit} right by one bit for the next comparison
                A >>= 1;                             // shift register A right by one bit for the next comparison
            }
            // the m-bit binary value cut from register A in sequence is assigned to S(x), e.g.: with n = 8, m = 4,
            // A = 01010010 and λ_{n-bit} = 11010110, 4 bits are taken in turn from register A, giving S(x) = 1011
            go to step S104;
        }
    }
Step S104: judge the differential uniformity of S(x); if the differential uniformity is larger than the threshold, go to step S102 and regenerate the (n, m)-S box; otherwise, go to step S105;
in the embodiment of the invention, the threshold of the differential uniformity is set to 4 when n ≤ 8, otherwise to 6;
Step S105: judge the nonlinearity of S(x); if the nonlinearity is not in the APN threshold range, go to step S102; otherwise, go to step S106;
Step S106: judge the balance of S(x); if it is not balanced, go to step S102; otherwise, go to step S107;
Step S107: judge the algebraic degree of S(x); if the algebraic degree is smaller than the threshold, go to step S102; otherwise, go to step S108;
in the embodiment of the invention, the threshold of the algebraic degree is set to n - 1;
Step S108: judge the number of fixed points of S(x); if the number of fixed points is larger than the threshold, go to step S102; otherwise, go to step S109;
in the embodiment of the invention, the threshold of the number of fixed points is set to 0 when n is smaller than 16, otherwise to 1;
Step S109: judge the strict avalanche criterion of S(x); if it is not met, go to step S102; otherwise, go to step S110;
Step S110: judge the algebraic immunity of S(x); if the algebraic immunity is smaller than the threshold, go to step S102; otherwise, go to step S111;
Step S111: judge the first-order correlation immunity of S(x); if it is larger than the threshold, go to step S102; otherwise, go to step S112;
Step S112: judge the number of algebraic normal form terms of S(x); if it is smaller than the threshold, go to step S102; otherwise, go to step S113;
Step S113: judge the transparency order of S(x); if it is larger than the threshold, go to step S102; otherwise, go to step S114;
in the embodiment of the invention, the threshold of the transparency order is set to 6;
Step S114: judge the number of input/output 1-bit differentials of S(x); if the number is 0, go to step S102; otherwise, go to step S115;
Step S115: judge the number of input/output 1-bit linear masks of S(x); if the number is n, go to step S102; otherwise, output the (n, m)-S box S(x).
In the embodiment of the present invention, steps S104 to S115 are ordered according to the importance of the cryptographic security indices, which is merely an example. The embodiment is not limited to this order or to the selected range of indices; the S boxes can be screened with any arrangement and combination of cryptographic security indices according to actual needs.
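The generation recipe of step S103 and the screening of steps S104 to S108, as an added Python example that is not the patent's own C implementation. It assumes the inverse A^-1 is computed as A^(2^n - 2) by square-and-multiply (which also gives inverse(0) = 0, a convention the page does not state), takes λ_{n-bit} as a given mask instead of generating it with an LFSR, and uses constructed coefficients (a_i, b_i, c_i); the run uses n = m = 4 with q = 0x13, i.e. x^4 + x + 1, and the bit-selection check reuses the page's own A = 01010010, λ = 11010110 example.

```python
# Added example (not the patent's own C implementation): builds an (n, m)-S box with the
# recipe of step S103 and screens it with the thresholds of steps S104-S108. Assumed, not
# fixed by the page: A^-1 = A^(2^n - 2) by square-and-multiply (so inverse(0) = 0),
# lambda_{n-bit} given as a mask instead of LFSR output, constructed (a_i, b_i, c_i).

def gf_mul(a, b, q, n):
    """Multiply in GF(2^n); q is the irreducible polynomial in the page's binary form,
    x^n bit included (0x13 = x^4 + x + 1, 0x11b = x^8 + x^4 + x^3 + x + 1)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= q
    return r

def gf_inv(a, q, n):
    """Fermat: A^-1 = A^(2^n - 2) by repeated squaring (O(n) multiplications)."""
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, q, n)
        base = gf_mul(base, base, q, n)
        e >>= 1
    return result

def select_bits(a_reg, lam, m):
    """Step b of S103: scan A and lambda from the right and shift the A bit into S(x)
    wherever the lambda bit is 1 (page example: A=01010010, lambda=11010110, m=4 -> 1011)."""
    if bin(lam).count("1") < m:
        raise ValueError("wt(lambda_{n-bit}) must be at least m")
    s, taken = 0, 0
    while taken < m:
        if lam & 1:
            s = (s << 1) | (a_reg & 1)
            taken += 1
        lam >>= 1
        a_reg >>= 1
    return s

def build_sbox(n, m, q, coeffs, lam=None):
    """Step S103: A <- x, then R = len(coeffs) rounds of A <- a_i*A^-1 + b_i*A + c_i mod q(x);
    keep A when m == n, otherwise cut m bits of A guided by lambda."""
    box = []
    for x in range(1 << n):
        a_reg = x
        for a, b, c in coeffs:
            a_reg = gf_mul(a, gf_inv(a_reg, q, n), q, n) ^ gf_mul(b, a_reg, q, n) ^ c
        box.append(a_reg if m == n else select_bits(a_reg, lam, m))
    return box

def differential_uniformity(box, n):
    """Definition 5: max over d != 0 and w of #{x : S(x) ^ S(x ^ d) = w}."""
    worst = 0
    for d in range(1, 1 << n):
        counts = {}
        for x in range(1 << n):
            w = box[x] ^ box[x ^ d]
            counts[w] = counts.get(w, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst

def parity(v): return bin(v).count("1") & 1

def nonlinearity(box, n, m):
    """Definition 2 on every non-zero v.S(x): NL = 2^(n-1) - max_w |W(w)| / 2 (unnormalised W), min over v."""
    best = 1 << n
    for v in range(1, 1 << m):
        f = [parity(v & y) for y in box]
        wmax = max(abs(sum(1 - 2 * (f[x] ^ parity(w & x)) for x in range(1 << n)))
                   for w in range(1 << n))
        best = min(best, (1 << (n - 1)) - wmax // 2)
    return best

def algebraic_degree(box, n, m):
    """Definition 6: minimum degree over non-zero v.S(x), from the ANF (Moebius transform)."""
    best = n
    for v in range(1, 1 << m):
        anf = [parity(v & y) for y in box]
        for i in range(n):
            for x in range(1 << n):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        best = min(best, max((bin(x).count("1") for x in range(1 << n) if anf[x]), default=0))
    return best

def screen(box, n, m):
    """Steps S104-S108 with the description's thresholds: DU <= 4 for n <= 8 (else 6),
    balanced (Definition 3), degree >= n - 1, fixed points <= 0 for n < 16 (else 1)."""
    counts = [0] * (1 << m)
    for y in box:
        counts[y] += 1
    report = {
        "differential_uniformity": differential_uniformity(box, n) <= (4 if n <= 8 else 6),
        "balanced": len(set(counts)) == 1,
        "algebraic_degree": algebraic_degree(box, n, m) >= n - 1,
        "fixed_points": sum(x == y for x, y in enumerate(box)) <= (0 if n < 16 else 1),
    }
    report["accept"] = all(report.values())   # reject means regenerate (go to step S102)
    return report
```

With one round (a, b, c) = (1, 0, 0) the box is plain inversion and is rejected only for its fixed points 0 and 1; the EA-equivalent choice c = 0x5 keeps the other indices and passes all four checks.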
The method provided by the invention can randomly and automatically generate 10 classes of (n, m)-S boxes (n = 4, 8, 16, 32 and n ≥ m), namely the 10 classes of S boxes with 4-bit, 8-bit, 16-bit and 32-bit inputs that are commonly used at present, and is characterized by randomly and automatically generating S boxes with a higher upper bound: all (4, 4)-S boxes, almost all (8, 8)-S boxes, almost all (8, 4)-S boxes, and upper-bound (16, 16)-, (16, 8)-, (16, 4)-, (32, 32)-, (32, 16)-, (32, 8)- and (32, 4)-S boxes; and it can give an upper bound for each class of S box.
The embodiment of the invention uses a C language program to automatically generate S boxes with an 'optimal compromise of cryptographic properties': it considers differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of input/output 1-bit differentials and number of input/output 1-bit linear masks, and selects the S box with the best compromise of these cryptographic security indices. All S boxes with 4-bit and 8-bit inputs can reach the optimum on all indices; all S boxes with 16-bit and 32-bit inputs can reach the optimum on 4 to 5 of these indices.
The speed of generating (n, m)-S boxes is determined mainly by the storage and detection speed: the embodiment of the invention can generate all (4, 4)-S boxes and a large number of (8, 8)-S boxes or (8, 4)-S boxes in a few minutes; one (16, 16)-, (16, 8)- or (16, 4)-S box can be generated within minutes; generating one (32, 32)-, (32, 16)-, (32, 8)- or (32, 4)-S box takes a long time.
All S boxes generated by the embodiment of the invention are output as truth tables (minterm representation), which is convenient for application and performance analysis.
The invention discloses an automatic generation method of an (n, m)-S box which can construct an (n, m)-S box with arbitrary input length, arbitrary output length, a higher upper bound, an optimal compromise and provable security, and can give an upper bound for each class of S box. The generated S box can be used as the highly nonlinear component commonly required in the design of block cipher algorithms, stream cipher algorithms, pseudo-random number generators, hash functions, MACs and authenticated encryption algorithms; it can also be used in the study and design of vectorial function constructions and APN permutations. The invention solves the technical problem of quickly computing the inverse of a high-degree polynomial by using the parallel method, so that the complexity of the inversion algorithm is reduced from O(n) to O(log(n)).
Example 2
As shown in FIG. 2, an embodiment of the present invention provides an automatic generation system of an (n, m)-S box, including the following modules:
The S-box module 11 is constructed for constructing (n, m) -S-boxes S: f 2 n→F2 m selecting one of the existing n-degree reduced polynomial sets and expressing it as binary system For non-zero values/>By using an EA-equivalent method and a parallel repeated shift method, a (n, m) -S box with a higher upper bound can be constructed: /(I)Wherein the method comprises the steps of
The S-box performance judging module 12 is used for judging whether the (n, m)-S box meets the cryptographic security index; outputting the (n, m)-S box if the preset cryptographic security index is met, otherwise regenerating a new (n, m)-S box and judging whether the new (n, m)-S box meets the cryptographic security index; wherein the cryptographic security index is composed of any combination of the following indices: differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of input/output 1-bit differentials and number of input/output 1-bit linear masks.
The above examples are provided for the purpose of describing the present invention only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalents and modifications that do not depart from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (2)

1. An automatic generation method of an (n, m)-S box, comprising:
let (n, m) -S box be S: f 2 n→F2 m selecting one of the existing n-degree reduced polynomial sets and expressing it as binary system For non-zero values/>By using an EA-equivalent method and a parallel repeated shift method, a (n, m) -S box with a higher upper bound can be constructed: /(I)Wherein/>n≥m;
when the S box is used for designing a nonlinear component of a cryptographic algorithm, it is necessary to judge whether the (n, m)-S box meets the cryptographic security index; outputting the (n, m)-S box if the preset cryptographic security index is met, otherwise regenerating a new (n, m)-S box and judging whether it meets the cryptographic security index; wherein the cryptographic security index, composed of any combination of differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of input/output 1-bit differentials and number of input/output 1-bit linear masks, specifically comprises:
step S101: let the integer i = 1, 2, ...; set the number of iteration rounds R = i; set registers A, B and C of not less than n bits;
Step S102: giving an initial value to (a 1,b1,c1),...,(ai,bi,ci), and converting the initial value into a polynomial expression, wherein,
Step S103: assigning a polynomial x to register a; on the binary spread field GF (2 n), based on the Fermat's theorem, a parallel repeated shifting method is adopted to obtain the inverse A -1 of the higher order polynomial A;
Carrying out iterative calculation of a iA-1+biA+ci mod q (x) through R rounds, and storing the obtained value into a register A;
at this time, if m=n, the content of the register a is output as S (x), that is, the S box outputs a string of binary values with a length of m, and goes to step S104;
if m+.n, then the following steps a and b are performed:
a. For any τ, generating an m-sequence λ≡n-LFSR (τ) with an n-LFSR, intercepting λ n-bit, where wt (λ n-bit)≥m,wt(λn-bit) is the hamming weight of λ n-bit;
b. Using λ_{n-bit} as a selection mask, scan register A from right to left and take the m bits of A at the positions where the corresponding bit of λ_{n-bit} is 1; output these m bits as S(x), i.e. the S box outputs a binary string of length m, and go to step S104;
Step S104: judging the differential uniformity of S(x); if the differential uniformity is larger than the threshold, turn to step S102 and regenerate the (n, m)-S box; otherwise go to step S105;
Step S105: judging the nonlinearity of S(x); if the nonlinearity is not within the APN threshold range, turn to step S102; otherwise go to step S106;
Step S106: judging the balance of S(x); if S(x) is not balanced, turn to step S102; otherwise go to step S107;
Step S107: judging the algebraic degree of S(x); if the algebraic degree is smaller than the threshold, turn to step S102; otherwise go to step S108;
Step S108: judging the number of fixed points of S(x); if the number of fixed points is larger than the threshold, turn to step S102; otherwise go to step S109;
Step S109: judging the strict avalanche criterion of S(x); if the strict avalanche criterion is not met, turn to step S102; otherwise go to step S110;
Step S110: judging the algebraic immunity order of S(x); if the algebraic immunity order is smaller than the threshold, turn to step S102; otherwise go to step S111;
Step S111: judging the first-order correlation immunity of S(x); if the first-order correlation immunity does not meet the threshold, turn to step S102; otherwise go to step S112;
Step S112: judging the number of terms of the algebraic normal form of S(x); if the number of terms is smaller than the threshold, turn to step S102; otherwise go to step S113;
Step S113: judging the transparency order of S(x); if the transparency order is larger than the threshold, turn to step S102; otherwise go to step S114;
Step S114: judging the number of 1-bit input/output differences of S(x); if the number is 0, turn to step S102; otherwise go to step S115;
Step S115: judging the number of 1-bit input/output linear masks of S(x); if the number equals n, turn to step S102; otherwise output the (n, m)-S box S(x).
2. An automatic generation system for (n, m)-S boxes, characterized by comprising the following modules:
an S-box construction module for constructing an (n, m)-S box S: F_2^n → F_2^m: one of the existing sets of degree-n reduction polynomials is selected and expressed in binary; for non-zero values, an (n, m)-S box with a higher upper bound is constructed by the EA-equivalence method and the parallel repeated shift method, wherein n ≥ m;
an S-box performance judging module for judging, when the S box is designed and selected as the nonlinear component of a cryptographic algorithm, whether the (n, m)-S box meets the cryptographic security index; the (n, m)-S box is output if the preset cryptographic security index is met, otherwise a new (n, m)-S box is regenerated and judged again against the cryptographic security index; wherein the cryptographic security index is formed by any combination of the following indices: differential uniformity, nonlinearity, balance, algebraic degree, number of fixed points, strict avalanche criterion, algebraic immunity order, first-order correlation immunity, transparency order, number of algebraic normal form terms, number of 1-bit input/output differences and number of 1-bit input/output linear masks; the judgement specifically comprises:
Step S101: let the integer i = 1, 2, ..., and set the iteration round R = i; set registers A, B and C to no fewer than n bits;
Step S102: give an initial value to (a_1, b_1, c_1), ..., (a_i, b_i, c_i) and convert the initial value into a polynomial expression, wherein,
Step S103: assign the polynomial x to register A; on the binary extension field GF(2^n), based on Fermat's little theorem, obtain the inverse A^{-1} of the higher-order polynomial A by the parallel repeated shift method;
carry out R rounds of the iterative calculation a_i A^{-1} + b_i A + c_i mod q(x) and store the result in register A;
at this point, if m = n, output the content of register A as S(x), i.e. the S box outputs a binary string of length m, and go to step S104;
if m ≠ n, perform the following steps a and b:
a. For any τ, generate the m-sequence λ ≡ n-LFSR(τ) with an n-LFSR and intercept λ_{n-bit}, where wt(λ_{n-bit}) ≥ m and wt(λ_{n-bit}) is the Hamming weight of λ_{n-bit};
b. Using λ_{n-bit} as a selection mask, scan register A from right to left and take the m bits of A at the positions where the corresponding bit of λ_{n-bit} is 1; output these m bits as S(x), i.e. the S box outputs a binary string of length m, and go to step S104;
Step S104: judging the differential uniformity of S(x); if the differential uniformity is larger than the threshold, turn to step S102 and regenerate the (n, m)-S box; otherwise go to step S105;
Step S105: judging the nonlinearity of S(x); if the nonlinearity is not within the APN threshold range, turn to step S102; otherwise go to step S106;
Step S106: judging the balance of S(x); if S(x) is not balanced, turn to step S102; otherwise go to step S107;
Step S107: judging the algebraic degree of S(x); if the algebraic degree is smaller than the threshold, turn to step S102; otherwise go to step S108;
Step S108: judging the number of fixed points of S(x); if the number of fixed points is larger than the threshold, turn to step S102; otherwise go to step S109;
Step S109: judging the strict avalanche criterion of S(x); if the strict avalanche criterion is not met, turn to step S102; otherwise go to step S110;
Step S110: judging the algebraic immunity order of S(x); if the algebraic immunity order is smaller than the threshold, turn to step S102; otherwise go to step S111;
Step S111: judging the first-order correlation immunity of S(x); if the first-order correlation immunity does not meet the threshold, turn to step S102; otherwise go to step S112;
Step S112: judging the number of terms of the algebraic normal form of S(x); if the number of terms is smaller than the threshold, turn to step S102; otherwise go to step S113;
Step S113: judging the transparency order of S(x); if the transparency order is larger than the threshold, turn to step S102; otherwise go to step S114;
Step S114: judging the number of 1-bit input/output differences of S(x); if the number is 0, turn to step S102; otherwise go to step S115;
Step S115: judging the number of 1-bit input/output linear masks of S(x); if the number equals n, turn to step S102; otherwise output the (n, m)-S box S(x).
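The construction of step S103 and the accept-or-regenerate filter of steps S104 to S115 (the same procedure in claims 1 and 2) are illustrated below in Python. This is an added example, not the patent's code: the reduction polynomial q(x) = x^4 + x + 1, the round constants (a_i, b_i, c_i), the thresholds and the mask standing in for λ_{n-bit} are constructed choices, A^{-1} is taken by Fermat's little theorem as A^(2^n - 2) using ordinary square-and-multiply in place of the parallel repeated shift method (which the claims name but do not specify), and only the first few judging steps plus the two 1-bit counts of S114/S115 are implemented; the remaining criteria follow the same pattern.

```python
# Added example, not the patent's code: the generate-then-filter loop of claims 1
# and 2 for a small (n, m)-S box. q(x), the round constants (a_i, b_i, c_i) and the
# mask are constructed choices; A^-1 = A^(2^n - 2) by Fermat's little theorem, with
# square-and-multiply standing in for the patent's parallel repeated shift.

def gf_mul(a, b, q, n):
    """a*b in GF(2^n) reduced by q(x); q must have its degree-n bit set."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= q
    return r

def gf_inv(a, q, n):
    """Fermat: a^-1 = a^(2^n - 2); 0 maps to 0 (the usual S-box convention)."""
    r, e = 1, (1 << n) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, q, n)
        a = gf_mul(a, a, q, n)
        e >>= 1
    return r

def select_bits(value, mask, m):
    """Step b: scan right to left, keep value's bit where mask has a 1, stop after m bits."""
    assert bin(mask).count("1") >= m, "wt(lambda_n-bit) must be >= m"
    out = taken = pos = 0
    while taken < m:
        if (mask >> pos) & 1:
            out |= ((value >> pos) & 1) << taken
            taken += 1
        pos += 1
    return out

def build_sbox(rounds, q, n, m, mask=0):
    """Step S103: A <- a_i*A^-1 + b_i*A + c_i mod q(x) per round, then keep m
    bits of A selected by mask when m < n. Returns the lookup table."""
    table = []
    for x in range(1 << n):
        A = x
        for a, b, c in rounds:
            A = gf_mul(a, gf_inv(A, q, n), q, n) ^ gf_mul(b, A, q, n) ^ c
        table.append(A if m == n else select_bits(A, mask, m))
    return table

def parity(v):
    return bin(v).count("1") & 1

def differential_uniformity(S, n, m):
    """Step S104 metric: max over din != 0 of max_dout #{x : S(x)^S(x^din) = dout}."""
    best = 0
    for din in range(1, 1 << n):
        counts = [0] * (1 << m)
        for x in range(1 << n):
            counts[S[x] ^ S[x ^ din]] += 1
        best = max(best, max(counts))
    return best

def walsh(S, n, a, b):
    return sum(1 - 2 * parity((a & x) ^ (b & S[x])) for x in range(1 << n))

def nonlinearity(S, n, m):
    """Step S105 metric: NL = 2^(n-1) - max|W(a,b)|/2 over all a and b != 0."""
    w = max(abs(walsh(S, n, a, b)) for a in range(1 << n) for b in range(1, 1 << m))
    return (1 << (n - 1)) - w // 2

def is_balanced(S, n, m):
    """Step S106: each m-bit output occurs exactly 2^(n-m) times."""
    return all(S.count(y) == (1 << (n - m)) for y in range(1 << m))

def fixed_points(S):
    return sum(1 for x, y in enumerate(S) if x == y)

def one_bit_differences(S, n, m):
    """Step S114 metric: weight-1 (din, dout) pairs with a non-zero DDT entry."""
    return sum(1 for i in range(n) for j in range(m)
               if any((S[x] ^ S[x ^ (1 << i)]) == (1 << j) for x in range(1 << n)))

def one_bit_linear_masks(S, n, m):
    """Step S115 metric: weight-1 (a, b) pairs with a non-zero Walsh coefficient."""
    return sum(1 for i in range(n) for j in range(m)
               if walsh(S, n, 1 << i, 1 << j) != 0)

def judge(S, n, m, max_du, min_nl, max_fixed):
    """Steps S104-S108 in claim order (later steps follow the same
    accept-or-regenerate pattern). Returns (accepted, first failing criterion)."""
    if differential_uniformity(S, n, m) > max_du:
        return False, "differential uniformity"
    if nonlinearity(S, n, m) < min_nl:
        return False, "nonlinearity"
    if not is_balanced(S, n, m):
        return False, "balance"
    if fixed_points(S) > max_fixed:
        return False, "fixed points"
    return True, "accepted"
```

With q = 0b10011 and n = m = 4, `build_sbox([(1, 0, 0)], 0b10011, 4, 4)` is one round of pure inversion and `judge(S, 4, 4, max_du=4, min_nl=4, max_fixed=2)` accepts it (differential uniformity 4, nonlinearity 4, balanced, fixed points 0 and 1 only), whereas `[(0, 1, 0)]` yields the identity map and is sent back at the first check; a driver that loops over fresh (a_i, b_i, c_i) until `judge` accepts is the S102 regeneration loop of the claims. Passing m < n with a mask such as 0b1011 exercises steps a and b; projecting a permutation onto a subset of its bits stays balanced, which is why that check still passes.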
CN202210294442.6A 2022-03-24 2022-03-24 Automatic generation method and system of (n, m) -S box Active CN114710272B (en)

Publications (2)

Publication Number Publication Date
CN114710272A CN114710272A (en) 2022-07-05
CN114710272B true CN114710272B (en) 2024-06-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant