RU2632119C1 - Orthomorphism constructor using paired differences - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: method is performed by means of an orthomorphism constructor consisting of a mode selection block, a control block, a transpose substitution block, and a random access memory.

EFFECT: construction from a certain random or known orthomorphism of a large number of new affine inequivalent orthomorphisms having high values of the main cryptographic parameters and not having polynomial relations of the low degree.

3 dwg

Description

1 AREA OF USE

The invention relates to the field of development, production, operation and modernization of cryptographic protection of information in information processing systems for various purposes. The invention is recommended to be used in the construction of information processing and protection tools, including to ensure confidentiality, authenticity and integrity of information during its transmission, processing and storage in automated systems.

The concept of orthomorphism was first introduced in [21, 22], studied in detail in [24, 25], and was developed after the report [23]. Orthomorphisms are widely used in many cryptographic constructions [16, 17]. Their study is closely related to the tasks of constructing authentication codes [7, 12], systems of orthogonal Latin squares [10, 11, 14] and quasigroups [3, 4]. The use of quasigroups and two orthogonal 8th-order Latin squares is the basis of the draft American standard hash function, participant in the SHA-3 contest, Edon-R [20]. And some attacks on block cipher systems substantially use the property of uneven distribution of the sum of input and output substitution values [13, 15, 18, 26].

2. BASIC DEFINITIONS AND DESIGNATIONS

In the present description, the following notation is used:

;V _n is a vector space of dimension n over the field GF (2),

;

S (V _n ) is a symmetric group;

F _{n, m} is the set of all mappings from V _n to V _m ;

^_ кольцо вычетов по модулю 2ⁿ;

^_ residue ring modulo 2 ⁿ ;

- биективное отображение, сопоставляющее элементу u=(u_n-1, …, u₀) векторного пространства V_n элемент u=u₀+u₁⋅2+u₂⋅2²+…+u_n-1⋅2^n-1 кольца

;

is the bijective map corresponding to the element u = (u _n-1 , ..., u ₀ ) of the vector space V _{n the} element u = u ₀ + u ₁ ⋅ ₂ + u ₂ ⋅ ^{2 2} + ... + u _n-1 ⋅ 2 ^{n- 1} rings

;

- отображение, обратное к отображению ϕ;

is the map inverse to the map ϕ;

- бинарная операция на V_n,, заданная правилом: для u, ν∈V_n справедливо равенство

;

is the binary operation on V _n, defined by the rule: for u, ν∈V _{n the} equality

;

- бинарная операция покомпонентного сложения по модулю 2 элементов векторного пространства V_n;

- binary operation of componentwise addition modulo 2 elements of the vector space V _n ;

- бинарная операция умножения двух элементов V_n, заданная правилом: для u=(u_n-1, …, u0), ν=(ν_n-1, …, ν₀)∈V_n справедливо равенство

;

is the binary operation of multiplying two elements V _n defined by the rule: for u = (u _n-1 , ..., u0), ν = (ν _n-1 , ..., ν ₀ ) ∈V _{n the} equality

;

In the present description, the following terms are used with corresponding definitions.

Definition 1. A permutation g∈S (G) is called an orthomorphism of the group G if the map p: G → G defined by the condition p (x) = x ^-1 g (x), ∀x∈G, is a permutation from S (G) .

The ordered set of values of the mapping p will be called the string of differences of the permutation g.

подстановки g∈S(V_n) относительно операций

называется величина

,Definition 2. The difference characteristic

permutations g∈S (V _n ) with respect to operations

called quantity

,

,

,

, а вероятность

вычисляется при случайном равновероятном выборе x∈V_n. Матрицу размеров (2ⁿ-1)×(2ⁿ-1), составленную из коэффициентов

, будем называть разностной матрицей отображения g относительно операций

.Where

, and the probability

computed with a random equiprobable choice of x∈V _n . The matrix of sizes (2 ⁿ -1) × (2 ⁿ -1), composed of the coefficients

, will be called the difference matrix of the mapping g with respect to the operations

.

.Increasing the durability of cryptographic protection means relative to the difference method of cryptographic analysis requires minimizing the value

.

Definition 3. The linear characteristic δ (g) of the permutation g∈S (V _n ) is the quantity δ (g),

,

,

. Величина преобладания вычисляется по формуле

при x∈V_n, выбираемом случайно равновероятно. Матрицу размеров (2ⁿ-1)×(2ⁿ-1), составленную из коэффициентов |δ_α,β(g)|, будем называть матрицей модулей спектральных коэффициентов отображения g.where δ _{α, β} (g) is the spectral substitution coefficient g (the predominance of a linear statistical analogue), which is given by a pair of functions

. The prevalence value is calculated by the formula

for x∈V _n , chosen randomly with equal probability. The size matrix (2 ⁿ -1) × (2 ⁿ -1) composed of the coefficients | δ _{α, β} (g) | will be called the modulus matrix of spectral coefficients of the mapping g.

Increasing the durability of cryptographic protection means with respect to the linear method of cryptographic analysis requires minimizing the value of δ (g).

подстановки g∈S(V_n) называется величина

,Definition 4. The generalized degree of nonlinearity

the permutation g∈S (V _n ) is called the quantity

,

,

,

, a deg обозначает степень нелинейности многочлена Жегалкина булевой функции.Where

, a deg denotes the degree of nonlinearity of the Zhegalkin polynomial of the Boolean function.

Definition 5. The dimension of the space of polynomial relations of degree at most i> 0 of the permutation g∈S (V _n ) is the number r ⁽ⁱ⁾ (g),

,

,

Where

.

.

Definition 6. The minimum degree of the polynomial substitution relation g∈S (V _n ) is the number r (g),

r (g) = min {i | r ⁽ⁱ⁾ (g)> 0}.

имеет место неравенство r(g)≤3.Remark 7. For permutations g∈S (V ₈ ) by virtue of the inequality

the inequality r (g) ≤3 holds.

и r(g).Increasing the durability of cryptographic protection means with respect to linearization methods requires minimizing the values of r ⁽ⁱ⁾ (g), i = r (g), ..., n and maximizing the values

and r (g).

3. BACKGROUND

Among the known approaches to the synthesis of orthomorphisms acting on a vector space V _{n of a} sufficiently large dimension n (n≥6), the following can be distinguished.

The first approach consists in a random search for the orthomorphism g∈S (V _n ) among representatives of a certain well-known class (for example, the class of piecewise linear permutations [2, 9]), which contains a significantly larger fraction of permutations with this property relative to the entire symmetric group. The approach is convenient because it is relatively simple to find a representative with high values of cryptographic parameters in some well-known substitution classes. The disadvantage of this approach is the presence of an algebraic structure of permutations.

The second approach consists in using well-known constructions (for example, the two-round Feistel scheme [19]), for which it was proved that the resulting permutations are orthomorphisms. The disadvantage of this approach is the low values of the main cryptographic parameters and the analytical structure of the resulting substitutions.

, где E_n×n - единичная матрица, проверки обратимости матриц A_n×n и B_n×n. Линейность построенных подстановок g резко ограничивает возможность их использования в криптографических приложениях.The third approach consists in randomly choosing a linear orthomorphism g∈S (V _n ). The approach is to generate a random binary matrix A _{n × n} , calculate the matrix

, where E _{n × n} is the identity matrix, checks the reversibility of the matrices A _{n × n} and B _{n × n.} The linearity of the constructed permutations g sharply limits the possibility of their use in cryptographic applications.

A common drawback of the presented approaches is the low degree of polynomial relations of the resulting permutations (low value of the parameter r _g ).

4. DEVICE FOR BUILDING ORTHOMORPHISMS USING PAIR DIFFERENCES

The aim of the invention is the construction of a certain random or known orthomorphism of a large number of new affine nonequivalent orthomorphisms that have high values of the main cryptographic parameters and do not have low polynomial relations.

To achieve the goal, a device using paired differences is proposed.

A device for constructing orthomorphisms using pair differences (Fig. 1 applications), contains:

- mode selection block - 0;

- control unit - 1;

- block multiplication substitution by transposition - 2;

- random access memory (RAM) - 3.

.The mode selection block 0 consists of a switch and allows the user to determine which group to use.

.

The control unit 1 selects, compares, changes the contents of the random access memory, decides to stop the device or continue to work.

The block multiplying the substitution by transposition 2 implements the standard product of transformations by sequentially performing them.

The random access memory 3 stores the current lookup.

A device for constructing orthomorphisms using pair differences works as follows.

The input of the device receives some initial orthomorphism g ₀ ∈S (G), with a calculated string of differences p, and an arbitrary transposition (x, y), x, y∈G, x <y.

1. The control unit 1 performs a sequence of actions:

1.1. calculates the values p ₀ = x ^-1 * g ₀ (x), p ₁ = y ^-1 * g ₀ (y) and writes these values to the random access memory 3;

1.2. transfers the orthomorphism g ₀ and the transposition (x, y) to the block of multiplication of the substitution by transposition 2, which implements the standard product of transformations by sequentially performing them:

g = (x, y) ⋅g ₀ ;

1.3. the resulting permutation g is written in RAM 3.

2. The control unit 1 performs a sequence of actions:

2.1. searches in RAM for 3 elements x ', y'∈G, x' ≠ x, y '≠ y with the property

p (x ') = (x') ^-1 * g (x ') = x ^-1 * g (x) = p (x),

p (y ') = (y') ^-1 * g (y ') = y ^-1 * g (y) = p (y);

2.2. transfers the substitution g and the transposition (x ', y') from RAM 3 to the block of multiplying the substitution by transposition 2;

2.3. calculates the values p [x '] = (y') ^-1 * g (x ') and p [y'] = (x ') ^-1 * g (y');

3. The control unit 1 writes g to RAM 3 and compares the obtained values p [x '], p [y'] with the values p ₀ , p ₁ ,

- if p [x '] = p ₀ or p [x'] = p ₁ , the device finishes its work, the substitution g is output;

- otherwise, put x = x ', y = y' and the device repeats the cycle of operations, starting from step 2.

The operation of the device is illustrated by the following example.

.Example. Block 0 switch set to

.

Input: orthomorphism g ₀ ∈S (V ₄ ):

transposition (2.9).

Output: orthomorphism g∈S (V ₄ ):

The implementation of the device may be hardware, software or hardware-software.

5. ACHIEVED TECHNICAL RESULTS

A device for constructing orthomorphisms using pair differences was used to construct new orthomorphisms that have high values of the main cryptographic parameters and do not have low polynomial relations. Some of the results are presented below.

,

,

, r(g')=3, r⁽³⁾(g')=441 и в отличие от исходного ортоморфизма не имеет квадратичных соотношений.FIG. 2 applications contains an orthomorphism g'∈S (V ₈ ) constructed by applying the described device to the orthomorphism g∈S (V ₈ ) to a representative of the class of piecewise linear permutations [2, 9]. From the table it follows that g 'has actual (as in the state standard of the Republic of Belarus “BelT” [1, 8]) values of the main cryptographic parameters

,

,

, r (g ') = 3, r ⁽³⁾ (g') = 441 and, unlike the original orthomorphism, does not have quadratic relations.

,

,

, r(g')=3, r⁽³⁾(g')=441.FIG. 3 applications contains an orthomorphism g'∈S (V ₈ ), constructed by applying the described device to some randomly selected linear orthomorphism g∈S (V ₈ ). From the table it follows that g 'has actual (as in the national standards of the Russian Federation GOST R 34.11-2015 [5] and GOST P 34.12-2012 [6]) values of the main cryptographic parameters

,

,

, r (g ') = 3, r ⁽³⁾ (g') = 441.

A device for constructing orthomorphisms has also been applied to more than a hundred randomly generated linear orthomorphisms g∈S (V ₈ ). Each application of the device made it possible to construct a large number of new affinely nonequivalent orthomorphisms g∈S (V ₈ ) with the following values of cryptographic parameters

,

,

, r(g')=3, r⁽³⁾(g')=441.

,

,

, r (g ') = 3, r ⁽³⁾ (g') = 441.

Achievable technical result of the proposed device is the construction of a certain random or known orthomorphism of a large number of new affine nonequivalent orthomorphisms that have high values of the main cryptographic parameters and do not have polynomial relations of a low degree.

LITERATURE

[1] Agievich S.V., Galinsky V.A., Mikulich N.D., Kharin Yu.S. BelT Block Encryption Algorithm.

[2] Bugrov A.D. Piecewise affine permutations of finite fields. Applied Discrete Mathematics, 2015, No. 4 (30), ss. 5-23.

[3] Deaf M.M. On methods for constructing systems of orthogonal quasigroups using groups. Mathematical Problems of Cryptography, 2011, vol. 2, No. 4, ss. 5-24.

[4] Deaf M.M. On the applications of quasigroups in cryptography. Applied Discrete Mathematics, 2008, No. 2 (2), ss. 28-32.

[5] GOST R 34.12-2015 Information technology. Cryptographic information security. Block ciphers. - Moscow: Standartinform, 2015.

[6] GOST R 34.11-2012 Information technology. Cryptographic information security. Hash function. - Moscow: Standartinform, 2012.

[7] Zubov A.Yu. Mathematics of authentication codes. M .: Helios ARV, 2007, 480 p.

[8] STB 34.101.31-2011 Information technology. Protection of information. Cryptographic algorithms for encryption and integrity control. - Minsk: Gosstandart, 2011.

. Прикладная дискретная математика, 2015, №4(30), сс. 32-42.[9] Grishin A.E. On the nonlinearity exponent of piecewise linear permutations of the additive field group

. Applied Discrete Mathematics, 2015, No. 4 (30), ss. 32-42.

[10] Trishin A.E. A method of constructing orthogonal latin squares based on permutation binomials of finite fields. Abstracts Scientific journal "Review of Applied and Industrial Mathematics". M .: TVP, 2008, T. 15, No. 4.

[11] Tuzhilin M.E. Latin squares and their use in cryptography. Applied Discrete Mathematics. Appendix, 2012, No. 3 (17), ss. 47-52.

[12] Cheremushkin A.V. Cryptographic protocols. Key features and vulnerabilities. M .: Publishing. Center "Academy", 2009, 272 p.

[13] Daemen J. Limitations of the Even-Mansour construction. ASIACRYPT, LNCS, vol. 739, pp. 495-498. Springer, 1991.

[14] Denes J., Keedwell A.D. Latin squares and their applications. London: English Univ. Press, 1975.

[15] Dinur I., Dunkelman O., Keller N., Shamir A. Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full AES. http://eprint.iacr.org/2013/391, 2013.

[16] Evans A. Orthomorphisms graphs and groups, Springer-Verlag, Berlin, 1992.

[17] Evans A. Applications of complete mappings and orthomorphisms of finite groups.

[18] Even E. Mansour Y. A construction of a cipher from a single pseudorandom permutation. ASIACRYPT 1991. LNCS, vol. 739, pp. 210-224. Springer, Heidelberg (2013).

[19] Gilboa S., Gueron S. Balanced permutations Even-Mansour ciphers. arXiv preprint arXiv: 1409.0421, 2014.

[20] Gligoroski D., Odegard R. S., Mihova M., et al. Cryptographic Hash Function Edon-R // Proc. IWSCN. Trondheim, 2009, pp. 1-9.

[21] Johnson D.M., Dulmage A.L. and Mendelsohn N.S. Orthomorphisms of groups and orthogonal latin squares, I. Canad. J. Math. 13, 1961, pp. 356-372.

[22] Mann H.B. On orthogonal latin squares, Bull. Amer. Math. Soc. 50, 1944, pp. 249-257.

[23] Menyachikhin A. Spectral-linear and spectral-differential methods for generating cryptographicaly strong S-boxes. In: Pre-proceedings of CTCrypt'16-Yaroslavl, Russia, 2016. p. 232-252.

[24] Niederreiter H., Robinson K. Bol loops of order pq, Math. Proc. Cambridge Philos. Soc, 1981, pp. 241-256.

[25] Niederreiter H., Robinson K. Complete mappings of finite fields. J. Austral. Math. Soc. Ser., 1982, pp. 197-212.

[26] Nikolic I., Wang L., Wu S. Cryptoanalysis of Round-Reduce LED. In Fast Software Encryption, 2013. LNCS, vol. 8424, pp. 112-130. Springer, Heidelberg (2014).

Claims (1)

A device for constructing orthomorphisms, consisting of a mode selection unit, a control unit, a transposition substitution multiplication unit, a random access memory, the mode selection unit having an output that is connected to the control unit and is designed to transmit information about the group operation selected to the control unit by the user as the device operation mode, the control unit has 4 inputs, the first of which is the input for the initial orthomorphism entering the device input, the second meaning to obtain information about the operating mode of the device, the third is intended to obtain the results of multiplying the substitution by transposition, the fourth is intended to obtain the current contents of the random access memory, and two outputs, the first of which is connected to the block of multiplying the substitution by transposition and is intended for transmission to this block substitutions and transpositions, and the second is connected to random access memory and is designed to update its contents, the unit of multiplication of substitution by tra the position has an input for receiving substitution and transposition from the control unit, and one output, which is connected to the control unit and is intended for transmitting the multiplication results to the control unit, the random access memory has an input for receiving a substitution defined in the random access memory by the control unit, and two outputs, the first of which is connected to the control unit and is designed to transfer content to the control unit, and the second is intended to transfer the output of the orthomorphy device a zm resulting from the operation of the device.

Images