
CN111339577B - A construction method of S-box with excellent DPA resistance - Google Patents


Info

Publication number: CN111339577B
Authority: CN (China)
Prior art keywords: box, value, input, loss function, elements
Legal status: Active
Application number: CN202010088063.2A
Other languages: Chinese (zh)
Other versions: CN111339577A (en)
Inventors: 徐友乐, 王启春
Current Assignee: Nanjing Normal University
Original Assignee: Nanjing Normal University
Application filed by Nanjing Normal University

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F21/755 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/727 Modulo N arithmetic, with N being either (2**n)-1, 2**n or (2**n)+1, e.g. mod 3, mod 4 or mod 5
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks

Abstract

The invention discloses a method for constructing an S-box with excellent DPA resistance, in the technical field of information security. The method can produce an S-box with excellent DPA resistance and can also be used to improve the DPA resistance of an existing S-box, while retaining other important cryptographic properties such as nonlinearity, algebraic degree, differential uniformity and absolute indicator. By comparison, the DPA resistance of an S-box obtained by the method is clearly better than that of existing practical S-boxes while its other important cryptographic properties are the same, so the S-box is more secure and more practical.

Description

A construction method of S-box with excellent DPA resistance

Technical field

The invention relates to the technical field of information security, and in particular to a method for constructing an S-box with excellent DPA resistance.

Background

The S-box is the only nonlinear component of a block cipher, and its cryptographic properties directly affect the security of the cryptosystem that uses it. The S-box therefore plays a very important role in symmetric cryptography. Defence against the various attack methods starts with constructing S-boxes that have good cryptographic properties, such as nonlinearity, differential uniformity, algebraic degree and absolute indicator. A sufficiently secure S-box should have high nonlinearity, an algebraic degree that is not low, low differential uniformity, a low absolute indicator, and so on.

The side-channel attack proposed by Kocher in 1996 poses a serious threat to the security of physical encryption devices. Among side-channel attacks, differential power analysis (DPA) is one of the most effective. Compared with traditional attacks such as linear, algebraic and differential attacks, it is highly efficient: only a small amount of physical information is needed to extract the key and thereby break an encryption system. In particular, the S-box used by the widely deployed AES resists DPA very poorly. In recent years many researchers have therefore explored how to construct an S-box with excellent DPA resistance, so as to improve the DPA resistance of cryptographic devices at small cost. The transparency order is a cryptographic property that has been shown in practice to measure the DPA resistance of an S-box effectively. S-boxes obtained in recent research aimed at DPA resistance are considerably more DPA-resistant than the AES S-box. However, the nonlinearity, differential uniformity, absolute indicator and other important cryptographic properties of the S-boxes obtained by these techniques do not meet security and practicality requirements.

Summary of the invention

The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and provide a method for constructing an S-box with excellent DPA resistance whose nonlinearity, differential uniformity, algebraic degree, absolute indicator and other important cryptographic properties also meet security and practicality requirements.

To solve the above technical problem, the present invention adopts the following technical solution:

A method for constructing an S-box with excellent DPA resistance according to the present invention comprises the following steps:

Step 1. Given a balanced S-box F with n input bits, use F as the initial input of the iterative construction process and put F into the set SF. The iterative construction process consists of steps 2 to 7.

Step 2. Generate a candidate pool from the truth table of the input S-box F; the pool contains all bit positions that can be flipped.

Step 3. Take b elements, that is, b bit positions, out of the candidate pool, then flip the bits of the S-box at these b positions to generate a new S-box.

The b elements taken out must meet the following requirements: 1) b = 2k, k = 1, 2, …, 2^(n-1); 2) they belong to the same component function of the S-box; 3) the vector formed by the bits at these b positions has Hamming weight 2^(b-1).

Step 4. Repeat step 3 until the candidate pool is empty, generating all new S-boxes associated with F.

Step 5. For each newly generated S-box, compute the value of its loss function and put the S-box together with that value into the list L.

Step 6. Check whether the list L is empty. If L is empty, increase the value of b, with b still meeting requirements 1), 2) and 3) of step 3, and perform steps 3 to 5. If L is not empty, select from L an S-box with the smallest loss function value.

Step 7. Check whether the S-box selected in step 6 is already in the set SF:

If it is, delete the S-box and its loss function value from the list L and perform step 6.

If it is not, check whether the S-box meets the preset security requirements. If it does, output the S-box and terminate the iterative construction process. If it does not, put the S-box into the set SF and use it as the input S-box of the next iteration, that is, as the input S-box of step 2, and perform steps 2 to 7.

As a further optimization of the construction method, the loss function in step 5 is:

Figure BDA0002382743370000021

where n is the number of input bits of the S-box,

Figure BDA0002382743370000022

is the n-dimensional vector space over the binary field,

Figure BDA0002382743370000023

is the set of non-zero vectors of the n-dimensional vector space over the binary field, W_F(c,b) is the Walsh spectrum value of the S-box with respect to the vectors c and b, b and β are n-dimensional vectors over the binary field, c and α are non-zero n-dimensional vectors over the binary field, R is a constant, σ(α,β) is the differential spectrum value of the S-box with respect to the vectors α and β, N_4(σ(α,β)) is a function that tests whether σ(α,β) is greater than 4, and τ_F is the transparency order of the S-box.

As a further optimization of the construction method, the security requirements preset in step 7 are: the nonlinearity of the S-box is 112, the algebraic degree is greater than 3, the differential uniformity is 4, the absolute indicator is 32, and the transparency order is less than 6.9160.

As a further optimization of the construction method, R is set to 2~5.

Compared with the prior art, the present invention, by adopting the above technical solution, has the following technical effects:

(1) The invention can generate S-boxes with excellent DPA resistance, very high nonlinearity, low differential uniformity, a low absolute indicator and high algebraic degree. Compared with existing research schemes, the constructed S-box is more secure and more practical.

(2) The invention can improve the DPA resistance of an existing S-box while retaining other important cryptographic properties such as nonlinearity, differential uniformity, algebraic degree and absolute indicator. The S-box of the invention is also sufficiently resistant to other attacks, so it offers higher security in meeting practical requirements.

Description of the drawings

Figure 1 shows the method of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in detail below with reference to the accompanying drawing and a specific embodiment.

Figure 1 shows the method of the present invention. The specific embodiment is as follows:

Step 1. Given a balanced S-box F with n input bits, use it as the initial input of the iterative construction process and put it into the set SF. The iterative construction process consists of steps 2 to 7:

Step 2. Based on the truth table of the input S-box F, add all bit positions of the S-box to a candidate pool PF. The pool contains all bit positions that may be flipped, n*2^n elements in total.

Step 3. Take b elements, that is, bit positions, out of the candidate pool. The b elements taken out must meet the following requirements: 1) b = 2k (k = 1, 2, …, 2^(n-1)); 2) they belong to the same component function of the S-box; 3) the vector formed by the bits at these b positions has Hamming weight 2^(b-1). Then flip the bits of the S-box at these b positions to generate a new S-box F'.

Step 4. Repeat step 3 until all elements of the candidate pool have been taken out, generating all S-boxes F' associated with F.

Step 5. For each newly generated S-box F', compute its loss function value CF and put F' and the corresponding CF into the list L. The loss function used is:

Figure BDA0002382743370000031

where n is the number of input bits of the S-box F,

Figure BDA0002382743370000032

is the n-dimensional vector space over the binary field,

Figure BDA0002382743370000033

is the set of non-zero vectors of the n-dimensional vector space over the binary field, and R is a constant set to 2~5.

W_F(c,b) is the Walsh spectrum value of the S-box with respect to the vectors c and b, defined as:

Figure BDA0002382743370000034

where x = (x_1, x_2, …, x_n) and b = (b_1, b_2, …, b_n) are n-dimensional vectors over the binary field and "·" is the inner product, that is, x·b = x_1b_1 ⊕ x_2b_2 ⊕ … ⊕ x_nb_n. ⊕ is addition over the binary field, that is, addition modulo 2.

N_4(σ(α,β)) is an indicator function that tests whether the differential spectrum value σ(α,β) of the S-box with respect to the n-dimensional vectors α, β over the binary field is greater than 4: it returns 1 if so and 0 otherwise. σ(α,β) is defined as

Figure BDA0002382743370000041

where # denotes the number of elements of a set.

τ_F is the transparency order of the S-box F, defined as:

Figure BDA0002382743370000042

Here

Figure BDA0002382743370000043

is the cross-correlation coefficient of the S-box F, defined as

Figure BDA0002382743370000044

where max denotes taking the maximum, β = (β_0, β_1, …, β_n) is an n-dimensional vector over the binary field, F = (f_1, f_2, …, f_n), f_i(x) and f_j(x) are component functions of the S-box F, and β_i, β_j are the bits of β at positions i and j, where 0 ≤ i, j ≤ n.

For a given S-box F, compute the value of the loss function designed above. The smaller the value, the higher the nonlinearity, the lower the differential uniformity, the smaller the absolute indicator, the lower the transparency order and the higher the DPA resistance of the S-box. This improves the S-box's resistance to DPA, linear, algebraic, differential and other attacks, and in turn the security and practicality of the devices that use it.

Step 6. Check whether the list L is empty. If L is empty, increase the value of b, with b still meeting requirements 1), 2) and 3) of step 3, and restart from step 3 of the iterative construction process. If L is not empty, select from L an S-box that has the smallest loss function value.

Step 7. Check whether the S-box selected in step 6 is already in the set SF. If it is, delete the S-box and its loss function value from the list L and repeat step 6. If it is not, check whether the S-box meets the security requirements designed in advance. Specifically:

Compute the nonlinearity, transparency order, differential uniformity, algebraic degree and absolute indicator of the S-box and check whether the nonlinearity equals 112, the transparency order is less than 6.9160, the algebraic degree is greater than 3, the differential uniformity equals 4 and the absolute indicator equals 32. The calculations are as follows:

Nonlinearity

Figure BDA0002382743370000045

Differential uniformity

Figure BDA0002382743370000046

Absolute indicator

Figure BDA0002382743370000047

where r(a,b) is its autocorrelation function, defined as:

Figure BDA0002382743370000051

If the requirements are met, output the S-box and terminate the iterative construction process. If they are not met, put the S-box into the set SF, use it as the input S-box of the next iteration, and repeat the iterative construction process, that is, steps 2 to 7.

Table 1 compares the cryptographic properties of the S-box of the present invention with those of the widely used AES S-box.

Table 1

                          Nonlinearity  Algebraic degree  Differential uniformity  Absolute indicator  Transparency order
Method of the invention   112           7                 4                        32                  6.8930
AES S-box                 112           7                 4                        32                  6.9160

The S-box constructed by the method of the present invention is: [65,158,207,138,121,103,233,69,72,60,88,51,244,215,34,37,164,28,30,78,129,172,77,153,56,122,95,235,17,251,18,200,82,71,14,66,180,15,86,39,232,64,203,214,166,97,204,202,156,234,189,11,197,175,218,245,24,136,196,253,9,128,100,239,41,165,35,93,114,7,127,33,8,90,160,135,171,22,19,188,116,254,32,89,249,229,38,107,10,83,73,176,230,67,101,26,206,45,117,194,62,94,212,5,146,226,205,87,109,108,250,237,140,185,68,184,80,98,223,126,167,4,25,192,178,221,119,70,61,20,243,210,145,177,174,75,57,157,3,154,112,191,247,144,143,132,104,173,208,151,195,149,213,23,139,181,48,137,1,222,74,186,228,255,16,65,44,120,252,179,242,76,21,147,134,53,91,133,124,169,36,155,216,219,115,113,161,190,79,50,187,141,123,231,99,150,58,52,225,238,31,209,47,42,46,106,96,2,148,201,131,241,102,152,43,13,182,248,54,183,227,125,159,118,246,198,105,220,162,85,92,193,40,6,49,27,240,111,199,63,236,211,170,130,12,55,224,142,217,84,110,29,168,59,16,163]
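The step 7 acceptance check can be scripted. The following is an added example, not code from the patent: it computes nonlinearity, algebraic degree, differential uniformity and absolute indicator and reproduces the AES row of Table 1. It assumes the standard textbook definitions (the patent's formula images are missing from this page), takes the algebraic degree as the minimum over non-zero component functions, leaves out the transparency order, and all function names are hypothetical.

```python
# Added example: step-7 style property check for a bijective n-bit S-box.
# Assumptions: textbook definitions; degree = minimum over non-zero component
# functions; transparency order not computed. All names are hypothetical.

def fwht(values):
    """Walsh-Hadamard transform of a list whose length is a power of two."""
    v = list(values)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def component(sbox, c):
    """Truth table of the component function x -> c . F(x) over GF(2)."""
    return [bin(c & y).count("1") & 1 for y in sbox]

def nonlinearity(sbox):
    """2^(n-1) - max|W_F(c, b)| / 2 over all c != 0 and all b."""
    worst = 0
    for c in range(1, len(sbox)):
        spectrum = fwht([1 - 2 * bit for bit in component(sbox, c)])
        worst = max(worst, max(abs(w) for w in spectrum))
    return len(sbox) // 2 - worst // 2

def difference_rows(sbox):
    """For each a != 0, yield the counts #{x : F(x) ^ F(x ^ a) = beta}."""
    size = len(sbox)
    for a in range(1, size):
        row = [0] * size
        for x in range(size):
            row[sbox[x] ^ sbox[x ^ a]] += 1
        yield row

def differential_uniformity(sbox):
    return max(max(row) for row in difference_rows(sbox))

def absolute_indicator(sbox):
    """max |r(a, b)| for a, b != 0; r(a, .) is the transform of row a."""
    return max(max(abs(r) for r in fwht(row)[1:])
               for row in difference_rows(sbox))

def algebraic_degree(sbox):
    size = len(sbox)
    lowest = size
    for c in range(1, size):
        anf = component(sbox, c)
        h = 1
        while h < size:  # binary Moebius transform: truth table -> ANF
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    anf[j + h] ^= anf[j]
            h *= 2
        degree = max((bin(m).count("1") for m in range(size) if anf[m]), default=0)
        lowest = min(lowest, degree)
    return lowest

def profile(sbox):
    """Reject tables that are not permutations, then compute the properties."""
    if sorted(sbox) != list(range(len(sbox))):
        raise ValueError("not a permutation: repeated or missing outputs")
    return {
        "nonlinearity": nonlinearity(sbox),
        "algebraic_degree": algebraic_degree(sbox),
        "differential_uniformity": differential_uniformity(sbox),
        "absolute_indicator": absolute_indicator(sbox),
    }

def meets_requirements(p):
    """Thresholds quoted in the patent text (transparency order excluded)."""
    return (p["nonlinearity"] == 112 and p["algebraic_degree"] > 3
            and p["differential_uniformity"] == 4
            and p["absolute_indicator"] == 32)

def aes_sbox():
    """AES S-box: inverse in GF(2^8) mod 0x11B followed by the affine map."""
    def gmul(a, b):
        r = 0
        while b:
            r ^= a if b & 1 else 0
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    def rotl(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF
    table = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        table.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3)
                     ^ rotl(inv, 4) ^ 0x63)
    return table

if __name__ == "__main__":
    print(profile(aes_sbox()))
```

As printed on this page, the patent's table lists 65 and 16 twice, so `profile` rejects a direct transcription as a non-permutation and the first row of Table 1 cannot be reproduced from this text.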

The embodiment given above only illustrates how the present invention improves the DPA resistance of an S-box and does not limit the invention to the parameter values and parameter forms above. For those skilled in the art, the invention may take various modified forms without departing from its idea, so its scope of protection is not limited to the above embodiment. Any modification, equivalent replacement or improvement made within the idea of the present invention shall fall within the scope of the claims of the present invention.

Claims (3)

1. A method of constructing an S-box with excellent DPA resistance, comprising the following steps:
step 1, given a balanced S-box F with n input bits, using the S-box F as the initial input of an iterative construction process and putting the S-box F into a set SF; the iterative construction process is step 2 to step 7;
step 2, generating a candidate pool from the truth table of the input S-box F, the candidate pool containing all bit positions that can be flipped;
step 3, taking b elements, which are b bit positions, out of the candidate pool; then flipping the bits of the S-box at these b bit positions to generate a new S-box;
the b elements taken out must meet the following requirements: 1) b = 2k, k = 1, 2, …, 2^(n-1); 2) they belong to the same component function of the S-box; 3) the vector formed by the bits at these b positions has Hamming weight 2^(b-1);
step 4, repeating step 3 until the candidate pool is empty, generating all new S-boxes associated with F;
step 5, computing the value of the loss function of each newly generated S-box, and putting the S-box and the corresponding loss function value into a list L;
step 6, checking whether the list L is empty; if L is empty, increasing the value of b, with b still meeting requirements 1), 2) and 3) of step 3, and performing step 3 to step 5; if L is not empty, selecting from the list L an S-box with the smallest loss function value;
step 7, checking whether the S-box selected in step 6 is already in the set SF:
if it is, deleting the S-box and its loss function value from the list L, and performing step 6;
if it is not, checking whether the S-box meets the preset security requirements: if it does, outputting the S-box and terminating the iterative construction process; if it does not, putting the S-box into the set SF and using it as the input S-box of the next iteration, that is, as the input S-box of step 2, and performing step 2 to step 7;
the loss function in step 5 is:
Figure FDA0003470425490000011
where n is the number of input bits of the S-box,
Figure FDA0003470425490000012
is the n-dimensional vector space over the binary field,
Figure FDA0003470425490000013
is the set of non-zero vectors of the n-dimensional vector space over the binary field, W_F(c,b) is the Walsh spectrum value of the S-box with respect to the vectors c and b, b and β are n-dimensional vectors over the binary field, c and α are non-zero n-dimensional vectors over the binary field, R is a constant, σ(α,β) is the differential spectrum value of the S-box with respect to the vectors α and β, N_4(σ(α,β)) is a function that tests whether σ(α,β) is greater than 4, and τ_F is the transparency order of the S-box.
2. The method of claim 1, wherein the security requirements preset in step 7 are: the nonlinearity of the S-box is 112, the algebraic degree is greater than 3, the differential uniformity is 4, the absolute indicator is 32, and the transparency order is less than 6.9160.
3. The method of claim 1, wherein R is set to 2~5.
CN202010088063.2A 2020-02-12 2020-02-12 A construction method of S-box with excellent DPA resistance Active CN111339577B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010088063.2A CN111339577B (en) 2020-02-12 2020-02-12 A construction method of S-box with excellent DPA resistance

Publications (2)

Publication Number Publication Date
CN111339577A (en) 2020-06-26
CN111339577B (en) 2022-06-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant