留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

基于仿射变换S盒的轻量级杂凑函数

杜培 王维克 何展宏 李林 王翔

杜培, 王维克, 何展宏, 等 . 基于仿射变换S盒的轻量级杂凑函数[J]. 北京航空航天大学学报, 2018, 44(6): 1185-1193. doi: 10.13700/j.bh.1001-5965.2017.0311
引用本文: 杜培, 王维克, 何展宏, 等 . 基于仿射变换S盒的轻量级杂凑函数[J]. 北京航空航天大学学报, 2018, 44(6): 1185-1193. doi: 10.13700/j.bh.1001-5965.2017.0311
DU Pei, WANG Weike, HE Zhanhong, et al. Lightweight hash function based on affine transformation S-box[J]. Journal of Beijing University of Aeronautics and Astronautics, 2018, 44(6): 1185-1193. doi: 10.13700/j.bh.1001-5965.2017.0311(in Chinese)
Citation: DU Pei, WANG Weike, HE Zhanhong, et al. Lightweight hash function based on affine transformation S-box[J]. Journal of Beijing University of Aeronautics and Astronautics, 2018, 44(6): 1185-1193. doi: 10.13700/j.bh.1001-5965.2017.0311(in Chinese)

基于仿射变换S盒的轻量级杂凑函数

doi: 10.13700/j.bh.1001-5965.2017.0311
基金项目: 

国家自然科学基金 61232009

国家自然科学基金 60973106

详细信息
    作者简介:

    杜培  女, 博士研究生。主要研究方向:嵌入式系统安全、轻量级密码算法

    王维克  男, 博士研究生。主要研究方向:嵌入式系统安全、集成电路设计

    何展宏  男, 硕士研究生。主要研究方向:轻量级密码算法设计及硬件实现

    李林  男, 博士研究生。主要研究方向:嵌入式系统安全的多层次协同优化

    王翔  男, 博士, 教授, 博士生导师。主要研究方向:安全嵌入式处理器设计、基因电路设计、空间信息网络等

    通讯作者:

    王翔, E-mail:wxiang@buaa.edu.cn

  • 中图分类号: TN918.4

Lightweight hash function based on affine transformation S-box

Funds: 

National Natural Science Foundation of China 61232009

National Natural Science Foundation of China 60973106

More Information
  • 摘要:

    针对轻量级杂凑函数的线性层结构单一易受统计饱和攻击的问题,提出一种以海绵结构为主体,内部置换函数为仿射变换S盒结构的轻量级杂凑函数。仿射变换后的S盒继承了原S盒良好的密码特性,同时在很大程度上弥补了线性层结构过于简单的不足。根据最优4 bit最优S盒仿射等价类的具有最大差分概率的差分对个数、具有最优线性逼近关系的掩码个数及最大分支数确定了仿射变换S盒原型;通过差分及线性密码分析、统计饱和攻击分析了内部置换结构的安全性;设计了仿射变换结构的控制逻辑及算法整体的串/并行硬件实现方案,并在Design Compiler上进行了综合验证。结果表明,基于仿射变换S盒的轻量级杂凑函数在只加入了一些简单控制逻辑的情况下,提高了统计饱和分析中追踪特定比特位扩散路径的难度,即仿射变换结构增加了线性扩散层的混淆性,优化了其抗统计饱和攻击的能力。

     

  • 图 1  海绵结构框图

    Figure 1.  Block diagram of sponge structure

    图 2  内部置换结构加密流程

    Figure 2.  Encryption process of internal permutation structure

    图 3  ATSHash-96内部置换结构

    Figure 3.  Internal permutation structure of ATSHash-96

    图 4  置换层中的弱扩散路径

    Figure 4.  Poor diffusion trail in permutation layer

    图 5  经2、4、6、8轮的E/T-T欧氏距离统计

    Figure 5.  E/T-T Euclidean distance statistics after 2, 4, 6 and 8 rounds

    图 6  ATS结构与PRESENT结构攻击收益对比

    Figure 6.  Gain of attack comparison between ATS and PRESENT construction

    图 7  PRESENT结构与ATS结构的均匀/输出分布平方欧氏距离

    Figure 7.  Squared Euclidean distance between uniform and output distribution for PRESENT and ATS construction

    图 8  内部置换结构串行硬件实现方案

    Figure 8.  Serial hardware implementation scheme of internal permutation structure

    图 9  内部置换结构并行硬件实现方案

    Figure 9.  Parallel hardware implementation scheme of internal permutation structure

    表  1  海绵结构参数

    Table  1.   Parameters of sponge structure

    参数 含义
    M 输入消息
    S0 初始迭代状态
    mi i组分组消息块
    hi 输出第i组消息块
    r 分组长度
    F 内部置换函数
    r 每轮输出消息长度
    c 不与消息异或部分长度
    b(b=r+c) 内部迭代状态长度
    n 输出消息长度
    下载: 导出CSV

    表  2  同类型轻量级杂凑函数安全边界

    Table  2.   Security boundaries of similar lightweight hash functions

    轻量级杂凑函数 安全性/bit
    第一原象安全性 第二原象安全性 抗碰撞性
    ATSHash-88/80/16 72 40 40
    ATSHash-88/88/8 80 44 44
    ATSHash-144/128/32 112 64 64
    ATSHash-144/144/16 128 72 72
    SPONGENT-88/80/8 80 40 40
    SPONGENT-128/128/8 120 64 64
    PHOTON-80/80/16 64 40 40
    PHOTON-128/128/16 112 64 64
    下载: 导出CSV

    表  3  最优4 bit S盒的16个仿射等价类[17]

    Table  3.   Sixteen affine equivalence classes of optimal 4 bit S-box[17]

    S盒 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F
    G0 0, 1, 2, D, 4, 7, F, 6, 8, B, C, 9, 3, E, A, 5
    G1 0, 1, 2, D, 4, 7, F, 6, 8, B, E, 3, 5, 9, A, C
    G2 0, 1, 2, D, 4, 7, F, 6, 8, B, E, 3, A, C, 5, 9
    G3 0, 1, 2, D, 4, 7, F, 6, 8, C, 5, 3, A, E, B, 9
    G4 0, 1, 2, D, 4, 7, F, 6, 8, C, 9, B, A, E, 5, 3
    G5 0, 1, 2, D, 4, 7, F, 6, 8, C, B, 9, A, E, 3, 5
    G6 0, 1, 2, D, 4, 7, F, 6, 8, C, B, 9, A, E, 5, 3
    G7 0, 1, 2, D, 4, 7, F, 6, 8, C, E, B, A, 9, 3, 5
    G8 0, 1, 2, D, 4, 7, F, 6, 8, E, 9, 5, A, B, 3, C
    G9 0, 1, 2, D, 4, 7, F, 6, 8, E, B, 3, 5, 9, A, C
    G10 0, 1, 2, D, 4, 7, F, 6, 8, E, B, 5, A, 9, 3, C
    G11 0, 1, 2, D, 4, 7, F, 6, 8, E, B, A, 5, 9, C, 3
    G12 0, 1, 2, D, 4, 7, F, 6, 8, E, B, A, 9, 3, C, 5
    G13 0, 1, 2, D, 4, 7, F, 6, 8, E, C, 9, 5, B, A, 3
    G14 0, 1, 2, D, 4, 7, F, 6, 8, E, C, B, 3, 9, 5, A
    G15 0, 1, 2, D, 4, 7, F, 6, 8, E, C, B, 9, 3, A, 5
    下载: 导出CSV

    表  4  最优4 bit S盒的密码特性

    Table  4.   Cryptographic properties of optimal 4 bit S-box

    S盒 ND(S) NL(S) B
    G0 24 36 3
    G1 24 36 3
    G2 24 36 3
    G3 15 30 2
    G4 15 30 2
    G5 15 30 2
    G6 15 30 2
    G7 15 30 2
    G8 24 36 2
    G9 18 32 3
    G10 18 32 3
    G11 15 30 2
    G12 15 30 2
    G13 15 30 2
    G14 18 32 3
    G15 18 32 3
    下载: 导出CSV

    表  5  仿射变换S盒

    Table  5.   Affine transformation S-boxes

    SS 输出 仿射变换S盒
    00 y3y0y2y1 S(0):0, 4, 1, E, 2, 7, F, 3, 8, B, D, 5, 6, C, 9, A
    01 y1y0y3y2 S(1):0, 1, 8, 7, 4, D, F, 9, 2, B, E, C, 5, 6, A, 3
    10 y1y2y3y0 S(2):0, 1, 8, 7, 4, D, F, C, 2, E, B, 9, 5, 3, A, 6
    11 y2y0y3y1 S(3):0, 4, 1, E, 8, D, F, 9, 2, B, 7, 5, C, 6, 3, A
    下载: 导出CSV

    表  6  差分活动S盒数量下界

    Table  6.   Lowest numbers of differentially active S-box

    轮数 差分活动S盒数量
    ATSHash-96 ATSHash-160
    5 10 10
    10 21 24
    15 31 41
    20 42 56
    下载: 导出CSV

    表  7  同类型轻量级杂凑函数族的硬件实现

    Table  7.   Hardware implementation of similar lightweight hash functions

    轻量级杂凑函数 位宽/
    bit
    轮数 面积/GE UMC180 nm 吞吐率/(kb·s-1)@100 kHz
    ATSHash-88/80/16 4 1 152 832 1.02(0.18 μm)
    96 48 1 334 19.26(0.18 μm)
    ATSHash-144/128/32 4 3 200 1 260 0.48(0.18 μm)
    160 80 2 129 16.62(0.18 μm)
    SPONGENT-88/80/8 4 990 759 0.81(0.13 μm)
    88 45 1 232 17.78(0.13 μm)
    SPONGENT-160/160/16 4 3 960 1 367 0.40(0.13 μm)
    176 90 2 241 17.78(0.13 μm)
    PHOTON-80/80/16 4 708 856 2.82(0.18 μm)
    20 132 1 151 15.15(0.18 μm)
    PHOTON-128/128/16 4 996 1 394 1.61(0.18 μm)
    24 156 2 172 10.26(0.18 μm)
    下载: 导出CSV
  • [1] MURAMATSU J, MIYAKE S.Hash property and fixed-rate universal coding theorems[J].IEEE Information Theory Society, 2010, 56(6):2688-2698. doi: 10.1109/TIT.2010.2046214
    [2] SAM L, SAM A, PATRICK V T, et al.Wearable flexible lightweight modular RFID tag with intergrated energy harvester[J].IEEE Transactions on Microwave Theory and Techniques, 2016, 64(7):2304-2314. doi: 10.1109/TMTT.2016.2573274
    [3] IGNACIO A B, CLAUDIA F U, RENE C, et al.Design and implementation of a non-pipelined MD5 hardware architecture using a new functional description[J].IEICE Transactions on Information and Systems, 2008, E91-D(10):2519-2523. doi: 10.1093/ietisy/e91-d.10.2519
    [4] HILARIE O.Recent parables in cryptography[J].IEEE Internet Computing, 2014, 18(1):82-86. doi: 10.1109/MIC.2014.13
    [5] WILLIAM E B.A new hash competition[J].IEEE Security & Privacy, 2008, 6(3):60-62. http://ieeexplore.ieee.org/document/4530402/
    [6] AUMASSON J P, HENZEN L, MEIER W, et al.Quark:A lightweight hash[J].Journal of Cryptology, 2013, 26(2):313-339. doi: 10.1007/s00145-012-9125-6
    [7] DING L, JIN C H, GUAN J.New state recovery attacks on the Grain v1 stream cipher[J].China Communication, 2016, 13(11):180-188. doi: 10.1109/CC.2016.7781728
    [8] CANNIōRE D, DUNKELMAN O, KNEŽEVIC'M. KATAN and KTANTAN: A family of small and efficient hardware-oriented block ciphers[C]//Proceedings of 11th International Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2009: 272-288.
    [9] GUO J, PEYRIN T, POSCHMANN A, et al. The PHOTON family of lightweight hash functions[C]//Advances in Cryptology-CRYPTO. Berlin: Springer, 2011: 222-239.
    [10] ISSAM H, KAMAL E S, EZZ E M, et al.High-speed AES encryptor with efficient merging techniques[J].IEEE Embedded Systems Letters, 2010, 2(3):67-71. doi: 10.1109/LES.2010.2052401
    [11] BOGDANOV A, KNEZENIV M, LEANDER G.SPONGENT:The design space of lightweight cryptographic hashing[J].IEEE Transactions on Computers, 2013, 62(10):2041-2053. doi: 10.1109/TC.2012.196
    [12] BOGDANOV A, KNEZENIV M, LEANDER G. PRESENT: An ultra lightweight block cipher[C]//Proceedings of 9th International Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2007: 450-466.
    [13] COLLARD B, STANDAERT F X. A statistical saturation attack against the block cipher PRESENT[C]//The Cryptographers Track at RSA Conference 2009. Berilin: Springer, 2009: 195-211.
    [14] CHARANJIT S J, ANINDYA C P.Provably good codes for Hash function design[J].IEEE Transactions on Information Theory, 2009, 55(1):33-45. http://ieeexplore.ieee.org/document/4729745/
    [15] BERTONI G, DAEMEN J, PEETERS M. Sponge based pseudo-random number generators[C]//Proceedings of 12th International Conference Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2010: 33-47.
    [16] LIM C, KORKISHKO T. MCrypton: A lightweight block cipher for security of low-cost RFID tags and sensors[C]//Information Security Applications: 6th International Workshop, WISA 2005. Berlin: Springer, 3786: 243-258.
    [17] LEANDER G, POSCHMANN A. On the classification of 4 bit S-BOX[C]//Arithmetic of Finite Fields: First International Workshop, WAIFI 2007. Berlin: Springer, 2007: 159-176.
  • 加载中
图(9) / 表(7)
计量
  • 文章访问数:  650
  • HTML全文浏览量:  51
  • PDF下载量:  361
  • 被引次数: 0
出版历程
  • 收稿日期:  2017-05-15
  • 录用日期:  2017-12-29
  • 网络出版日期:  2018-06-20

目录

    /

    返回文章
    返回
    常见问答