WO2011153666A1 - Method for constructing s-box and s-box - Google Patents


Info

Publication number
WO2011153666A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2010/001048
Other languages
French (fr)
Chinese (zh)
Inventor
吴文玲
冯秀涛
周春芳
Original Assignee
中国科学院软件研究所
Application filed by 中国科学院软件研究所
Publication of WO2011153666A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms

Definitions

  • For mode 2), the module includes a memory storing the contents of P1, P2, P3; register resources for the intermediate results (at least 8 one-bit registers; if the n bits of state are divisible by q, for natural numbers n and q, the hardware description may define them as any n/q q-bit registers, but however they are divided, the n/2 bits making up one half must be updated at the same time); three XOR units; and register-update control logic.
  • The lookup is divided into at least three clock cycles.
  • Mode 2) requires at least 3 clock cycles. Because the intermediate results are held in registers between steps, the circuit costs about 80 gates and its critical path is shorter than that of mode 1), but the execution time is longer, which makes it unsuitable for high-speed implementation.
  • FIG. 1: schematic of the S-box of the present invention.
  • FIG. 2: schematic of the circuit structure of implementation mode 1).
  • FIG. 3: schematic of the circuit structure of implementation mode 2).
  • The present invention is described in further detail below with reference to the drawings, taking an 8-in 8-out permutation S-box as an example.
  • The specific structure of the S-box based on the structural design of the present invention is shown in the figure.
  • Three 4-in 4-out transformations P1, P2, P3 are first selected, where P2 is a permutation; all three can be built by composing basic computer operations. Then the integer m is selected.
  • The S-box output can then be computed and tabulated as Table 1:
  • The efficient S-box hardware module can be implemented in two ways:
  • The interface is an 8-bit input and an 8-bit output.
  • Mode 1): the module includes three XOR units A, B, C, three lookup units P1, P2, P3 and a wire-order permutation unit <<<m, as shown in FIG. 2.
  • The lookup time of this circuit is less than one clock cycle. If the output is registered every clock cycle, the throughput at an 80 MHz clock is 640 Mbps (8 × 80 MHz), and the implementation area is about 100 gates, realised in combinational logic.
  • FIG. 4(a): the contents of P1 are stored at base address P1_base; the entry at the corresponding address is read using the offset address, XORed, and written to the 4-bit register L;
  • FIG. 4(c): the output of register R is used as the offset address to select the corresponding P3 entry (base address P3_base); the data read out is XORed with the 4-bit register L and concatenated with R;
  • the result is rotated left by m bits by the wire-order permutation, and y is output.
  • Mode 2) takes at least 3 clock cycles. Because registered intermediate results are used between steps, the logic part of the circuit is about 80 gates (excluding the RAM unit) and the critical path is shorter than in mode 1), but the execution time is longer: at an 80 MHz clock, for example, the throughput is at most 213 Mbps (8 bits × 80 MHz / 3). This mode is realised with sequential logic.

Abstract

The present invention discloses a method for constructing an S-box, and an S-box, belonging to the field of communication technology. The method comprises: selecting an integer m and three n-bit-input, n-bit-output transformation units P1, P2, P3, where P2 is a permutation unit and n is an integer greater than or equal to 2; denoting the high n bits of the 2n-bit input x by x1 and the low n bits by x2; transforming x2 by P1 and XORing the result with x1, the output being denoted t1; transforming t1 by P2 and XORing the result with x2, the output being denoted t2; transforming t2 by P3 and XORing the result with t1, the output being denoted t3; concatenating t3 as the high n bits and t2 as the low n bits into a 2n-bit value denoted t; and rotating t left by m bits and outputting the result. The S-box comprises three XOR units A, B, C, three transformation units P1, P2, P3 and a wire-order permutation unit. The construction method is easy to implement, and the resulting S-box has good cryptographic properties and high operating efficiency.

Description

An S-box construction method and S-box
Technical field
The invention relates to a method for information transmission and processing, and in particular to an S-box construction method and an S-box, belonging to the field of communication technology.
Background art
Cryptography has a long history and was originally used to protect military and diplomatic communications. With the spread of communication networks and computer networks, however, the applications of modern cryptography are no longer limited to politics, the military and diplomacy, and its commercial and social value are widely recognised. Confidentiality is at the heart of cryptography, and encryption is the practical tool for keeping information confidential.
Cryptographic algorithms are divided into public-key algorithms and private-key algorithms. Private-key algorithms are further divided into block ciphers and stream ciphers. A block cipher generally encrypts the message block by block, processing one relatively large block per invocation. A stream cipher generally uses a short key and a specific keystream generation algorithm to produce a keystream as long as the message to be encrypted, and XORs the keystream bitwise with the plaintext. The decrypting party generates the same keystream and XORs it with the ciphertext to recover the plaintext.
Designing secure and efficient cryptographic algorithms has long been a research focus in many countries. In many existing block ciphers and stream ciphers the S-box is an indispensable nonlinear component. In the AES block cipher of the US encryption standard and the SNOW 3G stream cipher of the European communication standard, for example, the S-box is the main source of the algorithm's nonlinearity. A well-designed S-box is therefore the foundation of a cryptographic algorithm. At the same time, an efficient hardware implementation of the S-box is critical to implementing the algorithm; for encryption and decryption devices with limited hardware resources in particular, the S-box should require as few gates as possible.
S-box design is generally based on an operation with a certain structure; the AES S-box, for example, is based on inversion in a finite field. Because finite-field operations consume a large amount of resources, such an S-box is usually implemented by table lookup, and an 8-in 8-out S-box generally requires a circuit of about 500 gates.
To this end, we propose a structure-based method for constructing S-boxes: using simple permutation and non-permutation transformations that are easy to implement in hardware, the structure yields S-boxes with good cryptographic properties. On the basis of this structure we have also built an efficient S-box hardware module whose hardware scale is 1/5 that of a table-lookup implementation.
Summary of the invention
The object of the technical solution of the present invention is to provide an S-box construction method and an S-box. The method constructs S-boxes on the basis of a structure: three 4-in 4-out transformations are used to build an 8-in 8-out permutation S-box. Such an S-box is easy to implement in software and hardware and offers good algebraic, differential, nonlinearity and other cryptographic properties; it plays an important role in the design of both block ciphers and stream ciphers and is an indispensable component. Another object of the present invention is to provide an S-box hardware module that is smaller than a typical S-box module.
The technical solution of the present invention is as follows.
An S-box construction method, the steps of which are:
1) Select an integer m and three n-in n-out transformation units P1, P2, P3, where P2 is a permutation unit and n is an integer greater than or equal to 2;
2) Divide the 2n-bit input x into two parts, denoted x1 and x2, where x1 is the high n bits of the input and x2 is the low n bits;
3) Transform x2 by P1 and XOR the result with x1; denote the output t1;
4) Transform t1 by P2 and XOR the result with x2; denote the output t2;
5) Transform t2 by P3 and XOR the result with t1; denote the output t3;
6) Concatenate t3 as the high n bits and t2 as the low n bits into a 2n-bit value, denoted t;
7) Rotate t left by m bits and output the result.
Further, the integer m takes a value from 1 to 2n-1; P3 is an n-in n-out mapping; n is an integer greater than or equal to 2.
Further, a wire-order permutation unit performs the left rotation of t by m bits for output.
Further, the transformations in steps 3) to 5) are implemented by a combinational logic circuit whose critical path is P1 → XOR → P2 → XOR → P3 → XOR. Alternatively, the transformations in steps 3) to 5) are implemented by a sequential circuit.
Further, the method of implementing the transformations with a sequential circuit is:
1) Store the contents of P1, P2 and P3 in a memory;
2) Using the base address of P1 and x2 as the offset address, read the stored P1 entry, XOR it with x1, and write the result to an n-bit register L;
3) Using the base address of P2 and the output of register L as the offset address, read the stored P2 entry, XOR it with x2, and write the result to an n-bit register R;
4) Using the base address of P3 and the output of register R as the offset address, read the stored P3 entry and XOR it with register L.
An S-box, characterised in that it comprises three XOR units A, B, C, three transformation units P1, P2, P3, and a wire-order permutation unit; wherein the two inputs of XOR unit A are connected respectively to one n-bit data input and to the output of transformation unit P1, and the output of XOR unit A is connected to the input of transformation unit P2 and to an input of XOR unit C; the other n-bit data input is connected to the input of transformation unit P1 and to an input of XOR unit B; the other input of XOR unit B is connected to the output of transformation unit P2; the output of XOR unit B is connected to an input of the wire-order permutation unit and to the input of transformation unit P3; the output of XOR unit C is connected to an input of the wire-order permutation unit; the output of transformation unit P3 is connected to the other input of XOR unit C; where P2 is a permutation unit and n is a natural number.
Further, the S-box has an 8-bit input interface and an 8-bit output interface; n is 4; P1 and P3 are 4-in 4-out transformations.
An S-box, characterised in that it comprises three XOR units A, B, C, three transformation units P1, P2, P3, a wire-order permutation unit, two registers L and R, and a memory; wherein transformation units P1, P2, P3 are each connected to the memory through a base address line; the two inputs of XOR unit A are connected respectively to one n-bit data input and to the output of transformation unit P1, and its output is connected to the input of register L; the other n-bit data input is connected to the input of transformation unit P1 and to an input of XOR unit B; the other input of XOR unit B is connected to the output of transformation unit P2, and its output is connected to the input of register R; the output of register R is connected to the input of transformation unit P3 and to an input of the wire-order permutation unit; the output of register L is connected to an input of XOR unit C and to the input of transformation unit P2; the other input of XOR unit C is connected to the output of transformation unit P3, and its output is connected to an input of the wire-order permutation unit; where P2 is a permutation unit and n is a natural number.
Further, the S-box has an 8-bit input interface and an 8-bit output interface; n is 4; P1 and P3 are 4-in 4-out transformations. Specifically, for an 8-in 8-out S-box the construction method is:
a. Select three 4-in 4-out transformations P1, P2, P3, where P2 is a permutation;
b. Select an integer m.
For any given 8-bit input x ∈ F_2^8, the S-box output y = S(x) is computed as follows:
1) Take the high 4 bits of x as x1 and the low 4 bits as x2; x1, x2 are the input to the next step;
2) Transform x2 by P1 and XOR the result with x1; denote the result t1; output t1, x2 as the input to the next step;
3) Transform t1 by P2 and XOR the result with x2; denote the result t2; output t1, t2 as the input to the next step;
4) Transform t2 by P3 and XOR the result with t1; denote the result t3; output t3, t2 as the input to the next step;
5) Concatenate t3 as the high 4 bits and t2 as the low 4 bits into an 8-bit value t; rotate t left by m bits and output the result.
The S-box structure is divided into three layers: the 8-bit input is split into two halves, and the two halves are updated in turn across the three layers. In the final step the two halves are combined and output.
In step a, the selected transformations should be built from basic operations that are easy to implement in software and in hardware.
In step a, P2 is a permutation; P3 may be a permutation or a non-permutation.
In step b, m is an integer between 1 and 7.
In steps 2 to 4, the output of the previous step is taken as input and one of the two input values is updated.
In steps 2 to 4, the update rule is: apply a 4-in 4-out transformation to the value that is not being updated and XOR the result into the value that is being updated; the result replaces the original value.
In step 5, the two output values of the previous step are combined and output.
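The 8-in 8-out construction of steps 1) to 5), as an added Python example that is not part of the patent: P1, P2, P3 and m = 3 are constructed sample tables standing in for the patent's Table 1 inputs (P2 a permutation as required, P3 deliberately a non-permutation, which the text allows). The example also models the mode 2) register schedule, derives an inverse (an addition here, not stated in the patent: each layer XORs a function of one half into the other, so the structure is invertible for any choice of the three tables), and measures the differential and nonlinearity properties the text names.

```python
"""Added example of the patent's three-layer S-box structure; not the
patent's own code.  P1, P2, P3 and M are constructed placeholders for the
patent's Table 1 inputs.  The inverse and the two property checks are
additions derived from the structure in steps 1) to 5)."""
from typing import List, Sequence

# Constructed 4-in 4-out transforms (NOT the patent's tables).
P1 = [0x7, 0xC, 0xE, 0x9, 0x2, 0x1, 0x5, 0xF, 0xB, 0x6, 0xD, 0x0, 0x4, 0x8, 0xA, 0x3]
P2 = [0xA, 0x0, 0x9, 0xE, 0x6, 0x3, 0xF, 0x5, 0x1, 0xD, 0xC, 0x7, 0xB, 0x4, 0x2, 0x8]
P3 = [0x3, 0x3, 0x8, 0xD, 0x6, 0xA, 0x1, 0xC, 0x6, 0x0, 0xF, 0x9, 0xE, 0x4, 0xB, 0x7]
M = 3  # rotation amount for the wire-order permutation; the text allows 1..7


def is_permutation(table: Sequence[int]) -> bool:
    """A 4-in 4-out table is a permutation iff every nibble appears once."""
    return sorted(table) == list(range(len(table)))


def rotl8(v: int, m: int) -> int:
    """Rotate an 8-bit value left by m (1..7); a pure rewiring in hardware."""
    return ((v << m) | (v >> (8 - m))) & 0xFF


def sbox(x: int, p1=P1, p2=P2, p3=P3, m=M) -> int:
    """y = S(x) for 8-bit x, following steps 1) to 5) of the 8-in 8-out method."""
    x1, x2 = x >> 4, x & 0xF   # step 1: high nibble x1, low nibble x2
    t1 = x1 ^ p1[x2]           # step 2: layer 1 updates the high half
    t2 = x2 ^ p2[t1]           # step 3: layer 2 updates the low half
    t3 = t1 ^ p3[t2]           # step 4: layer 3 updates the high half again
    t = (t3 << 4) | t2         # step 5: t3 high, t2 low ...
    return rotl8(t, m)         #         ... then rotate left by m


def sbox_sequential(x: int, p1=P1, p2=P2, p3=P3, m=M) -> int:
    """Same function written as the mode 2) register schedule: one table
    read per clock cycle, registers L and R each written once."""
    x1, x2 = x >> 4, x & 0xF
    L = x1 ^ p1[x2]                 # cycle 1: P1_base + x2, XOR x1 -> L
    R = x2 ^ p2[L]                  # cycle 2: P2_base + L,  XOR x2 -> R
    out = ((L ^ p3[R]) << 4) | R    # cycle 3: P3_base + R,  XOR L, concat R
    return rotl8(out, m)


def sbox_inverse(y: int, p1=P1, p2=P2, p3=P3, m=M) -> int:
    """Undo the layers in reverse order (derived here, not from the patent).
    Each layer XORs a function of the untouched half into the other half,
    so the inverse exists whether or not P1 and P3 are permutations."""
    t = rotl8(y, 8 - m)             # rotate right by m
    t3, t2 = t >> 4, t & 0xF
    t1 = t3 ^ p3[t2]
    x2 = t2 ^ p2[t1]
    x1 = t1 ^ p1[x2]
    return (x1 << 4) | x2


def build_table(p1=P1, p2=P2, p3=P3, m=M) -> List[int]:
    """The full 256-entry S-box, i.e. the patent's Table 1 for these inputs."""
    return [sbox(x, p1, p2, p3, m) for x in range(256)]


def differential_uniformity(table: Sequence[int]) -> int:
    """Largest difference-distribution-table entry over nonzero input
    differences (lower is better for resistance to differential attacks)."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[table[x] ^ table[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


def nonlinearity(table: Sequence[int]) -> int:
    """Minimum distance of any component function b.S(x) from the affine
    functions, via a fast Walsh-Hadamard transform (at most 120 for 8 bits)."""
    best = 256
    for b in range(1, 256):
        # (-1)^(b . S(x)) for every input x
        w = [1 - 2 * (bin(b & table[x]).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:                       # in-place butterfly stages
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    u, v = w[j], w[j + h]
                    w[j], w[j + h] = u + v, u - v
            h *= 2
        best = min(best, 128 - max(abs(c) for c in w) // 2)
    return best


if __name__ == "__main__":
    table = build_table()
    print("bijective:", is_permutation(table))
    print("S(0x4B) = 0x%02X" % sbox(0x4B))
    print("differential uniformity:", differential_uniformity(table))
    print("nonlinearity:", nonlinearity(table))
```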
There are many ways to design an S-box. The AES S-box, for example, is constructed from the inversion f(x) = x^{-1} over the finite field F_2^8. If an S-box constructed this way is implemented in hardware using finite-field arithmetic, efficiency is very low, so it is usually implemented by table lookup, which generally requires about 500 gates.
The 8-in 8-out S-box constructed by the method of the present invention, by contrast, is composed of several layers of small-scale transformations that are cheap to implement, and needs only about 100 gates. An S-box constructed by the method of the present invention not only offers good cryptographic properties but also achieves higher hardware implementation efficiency than other methods.
Another object of the present invention is an efficient S-box hardware module with an 8-bit input and an 8-bit output interface. It comprises three layers of operations and a wire-order permutation unit, each layer comprising one 4-bit to 4-bit transformation and one bitwise XOR of two 4-bit values. Its hardware implementation takes one of two forms:
Mode 1), a pure combinational logic implementation: the module comprises three XOR units, three lookup-table units (that is, 4-bit to 4-bit transformation units) P1, P2, P3, and a wire-order permutation unit <<<m.
The XOR unit performs a 4-bit two-input XOR; its circuit is simple to implement and is a basic component of hardware design, not something the present invention emphasises.
The look-up unit performs a 4-bit table look-up, which amounts to retrieving the entry at a 4-bit index. For example, two NOT gates implement one look-up on 2-bit information: input binary "00" gives output "11", input "01" gives "10", input "10" gives "01" and input "11" gives "00". In binary:

    input    00  01  10  11
    output   11  10  01  00

and in decimal:

    input     0   1   2   3
    output    3   2   1   0

A 4-bit look-up follows the same pattern. In practice, current hardware design generally uses a hardware description language such as Verilog or VHDL, and it is enough to define the outputs; for the 2-bit example above, in Verilog:

    module lut2(input [1:0] in, output reg [1:0] out);
      always @(*) begin
        case (in)
          2'b00: out = 2'b11;
          2'b01: out = 2'b10;
          2'b10: out = 2'b01;
          2'b11: out = 2'b00;
        endcase
      end
    endmodule

The synthesis tool then derives the actual logic structure, which gives the circuit structures of P1, P2, P3.
In a hardware implementation, an important measure of whether the circuit meets its timing constraints is the longest combinational path delay, also called the critical path. For this implementation the critical path is: P1 → XOR → P2 → XOR → P3 → XOR. The delay of a single logic gate is normally far below the nanosecond level, so for implementation 1), pure combinational logic, all gates are guaranteed to have settled in far less than one clock cycle, and the whole look-up completes within that cycle.

Implementation 2), sequential logic: a finite state machine is designed to complete the look-up over several clock cycles. The module contains a memory holding the contents of P1, P2, P3; register resources for intermediate results (at least 8 one-bit registers; for n bits with n divisible by q, n and q natural numbers, the hardware description may define any n/q registers of q bits each, but however they are divided, n/2 bits of register must be updated together in operation); three XOR units; and register-update control logic. The look-up takes at least three clock cycles.

Let the input be x, with high 4 bits x1 and low 4 bits x2, and let the 8 bits of register resource be defined as one 4-bit register L and one 4-bit register R. The look-up then proceeds as follows:

1) Let the base address of the stored P1 be P1_base. Read the entry at offset x2, XOR it with x1 and write the result to the 4-bit register L;

2) Using the output of register L as the offset, select the corresponding entry of P2 (base address P2_base), XOR the data read out with x2 and write the result to the 4-bit register R;

3) Using the output of register R as the offset, select the corresponding entry of P3 (base address P3_base), XOR the data read out with the 4-bit register L, concatenate the result with the output of R to form T, reorder the bits of T by a left rotation of m positions and output y.

From the input/output dependencies between these operations, implementation 2) needs at least 3 clock cycles. Because intermediate results are held in registers between the steps, the circuit costs about 80 gates and the critical path is shorter than in implementation 1), but the execution time is considerably longer, so it is not suited to high-speed applications.
Compared with the prior art, the present invention has the following positive effects:

The structure uses simple permutation and non-permutation transforms that are easy to realise in hardware to build an S-box with good cryptographic properties. An efficient S-box hardware module is also built on this structure, whose hardware footprint is about 1/5 of that of the usual look-up-table implementation.
Brief description of the drawings

Figure 1. Structure of the S-box of the present invention.
Figure 2. Circuit structure of implementation 1).
Figure 3. Circuit structure of implementation 2).
Figures 4(a) to 4(c). Circuit structure of each step of implementation 2), where:
Figure 4(a). Data path of step 1 of implementation 2);
Figure 4(b). Data path of step 2 of implementation 2);
Figure 4(c). Data path of step 3 of implementation 2).

Detailed description
The present invention is now described in further detail with reference to the drawings, taking an 8-bit-in, 8-bit-out permutation S-box as the example. The specific structure of the S-box based on the structural design of the present invention is shown in Figure 1. The S-box structure has three layers; the 8 input bits are split into two parts, and the two parts are updated in turn through the three layers. Finally the two parts are combined and output. To construct an S-box with this structure, first select three 4-bit-in, 4-bit-out transforms P1, P2, P3, of which P2 is a permutation. All three transforms can be built by composing basic computer operations. Second, select an integer value m.

With these parameters chosen, for input x the output y = S(x) is computed as follows:

$x = x_1 \| x_2$
$t_1 = x_1 \oplus P_1(x_2)$
$t_2 = x_2 \oplus P_2(t_1)$
$t_3 = t_1 \oplus P_3(t_2)$
$t = t_3 \| t_2$
$y = t \lll m$

where $\|$ denotes concatenation of bit strings, $x_1$ is the high 4 bits of x and $x_2$ the low 4 bits. A specific embodiment is given below, and its hardware implementation efficiency and cryptographic properties are analysed.
1. Parameter selection

Let m = 5.

In the tables below each transform is listed by input value, i.e. the entry at index $8x_3 + 4x_2 + 2x_1 + x_0$ is the output read as the bits $y_3 y_2 y_1 y_0$.

Non-permutation P1: for input $x = (x_3, x_2, x_1, x_0)$ the output $y = (y_3, y_2, y_1, y_0)$ has the algebraic expressions:
$y_3 = x_3x_1 + x_1x_0 + x_3 + x_1 + 1$;
$y_2 = x_2x_1 + x_2x_0 + x_2 + x_0$;
$y_1 = x_3x_0 + x_2x_0 + x_2 + x_0$;
$y_0 = x_3x_1 + x_3x_2 + x_3 + x_1 + 1$.
That is, P1 = {9, 15, 0, 14, 15, 15, 2, 10, 0, 4, 0, 12, 7, 5, 3, 9}.

Permutation P2: for input $x = (x_3, x_2, x_1, x_0)$ the output $y = (y_3, y_2, y_1, y_0)$ has the algebraic expressions:
$y_3 = x_3x_1x_0 + x_2x_1x_0 + x_3x_2 + x_3x_1 + x_3x_0 + x_2 + x_1 + 1$;
$y_2 = x_3x_2x_1 + x_3x_2x_0 + x_3x_0 + x_2x_1 + x_1x_0 + x_2 + x_1 + x_0$;
$y_1 = x_3x_2x_1 + x_3x_2 + x_3x_1 + x_3x_0 + x_2x_0 + x_1x_0 + x_3 + x_2 + x_1$;
$y_0 = x_2x_1x_0 + x_3x_2 + x_3x_1 + x_3x_0 + x_2x_1 + x_3 + x_2 + x_0$.
That is, P2 = {8, 13, 6, 5, 7, 0, 12, 4, 11, 1, 14, 10, 15, 3, 9, 2}.

Non-permutation P3: for input $x = (x_3, x_2, x_1, x_0)$ the output $y = (y_3, y_2, y_1, y_0)$ has the algebraic expressions:
$y_3 = x_2x_0 + x_1x_0 + x_1$;
$y_2 = x_3x_1 + x_3x_0 + x_0$;
$y_1 = x_3x_1 + x_2x_1 + x_2 + 1$;
$y_0 = x_2x_0 + x_3x_2 + x_3$.
That is, P3 = {2, 6, 10, 6, 0, 13, 10, 15, 3, 3, 13, 5, 0, 9, 12, 13}.
2. S-box table

With the transforms above and m selected, for every $x \in F_2^8$, taking the high 4 bits of x as the row index and the low 4 bits as the column index, the S-box output can be computed and Table 1 constructed:

Table 1. S-box output table [16 rows by 16 columns, row = high nibble of x, column = low nibble of x; the entries did not survive extraction and are regenerated from P1, P2, P3 and m = 5 by the computation above].

The entries of the table are given in hexadecimal.
3. Cryptographic indicators of the S-box

The cryptographic indicators of the above S-box are: differential uniformity 8, nonlinearity 96, algebraic immunity 2. For input $x = (x_7, x_6, x_5, x_4, x_3, x_2, x_1, x_0)$ and output $y = (y_7, y_6, y_5, y_4, y_3, y_2, y_1, y_0)$, each output component is given as an expression in all input components:

[Algebraic normal forms of $y_7, \dots, y_0$ over $x_7, \dots, x_0$: the expressions did not survive extraction and are not reproduced here.]

Table 2 gives, for each component function of the S-box, the number of terms of each degree that occur, together with the corresponding expected value.

Table 2. Number of terms of each degree in each component function of the S-box and the expected values [the table did not survive extraction].
4. Analysis of the hardware implementation efficiency of the S-box

The efficient S-box hardware module described can be realised in two ways:

1) pure combinational logic;
2) sequential logic.

For implementation 1), the interface is an 8-bit input and an 8-bit output, and the module contains three XOR units A, B, C, three look-up units P1, P2, P3 and one line-order permutation unit "<<<m", as shown in Figure 2.

In a hardware implementation, an important measure of whether the circuit meets its timing constraints is the longest combinational path delay, also called the critical path. For this implementation the critical path is: P1 → XOR → P2 → XOR → P3 → XOR. The delay of a single logic gate is normally far below the nanosecond level, so for implementation 1), pure combinational logic, all gates are guaranteed to have settled in far less than one clock cycle, and the whole look-up completes within that cycle.

The look-up time of this circuit is less than one clock cycle. If the output is registered in every clock cycle, a throughput of 640 Mbps (8 bits × 80 MHz) is achieved at an 80 MHz clock, with an area of about 100 gates; the whole look-up is realised in combinational logic.

For implementation 2), the sequential-logic version in which the contents of P1, P2, P3 are stored in memory, a finite state machine is designed to complete the look-up over several clock cycles. Let the input be x with high 4 bits x1 and low 4 bits x2. The look-up process is shown in Figure 3: at least three register writes are needed, each taking one clock cycle to update the corresponding register; the working circuits are shown in Figures 4(a) to 4(c).

As one embodiment, with the contents of P1, P2, P3 stored in RAM, the processing steps are:

1) Figure 4(a): let the base address of the stored P1 be P1_base; read the entry at offset x2, XOR it with x1 and write the result to the 4-bit register L;

2) Figure 4(b): let the base address of the stored P2 be P2_base; read the entry at the offset given by the contents of L, XOR it with x2 and write the result to the 4-bit register R;

3) Figure 4(c): using the output of register R as the offset, select the corresponding entry of P3 (base address P3_base), XOR the data read out with the 4-bit register L, concatenate the result with R to form T, reorder the bits of T by a left rotation of m positions and output y.

Implementation 2) needs at least 3 clock cycles. Because intermediate results are held in registers between the steps, the logic part of this circuit costs about 80 gates (excluding the RAM), and the critical path is shorter than in implementation 1), but the execution time is considerably longer: at an 80 MHz clock, for example, the maximum throughput is 213 Mbps (8 bits × 80 MHz / 3), realised with sequential logic.
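The following Python program is an added example and is not part of the patent or the applicant's code. It implements the computation procedure of the detailed description with the tables P1, P2, P3 and m = 5 of the parameter selection, mirrors the three register writes of implementation 2), regenerates Table 1, and recomputes the indicators quoted in the section on cryptographic indicators (differential uniformity, nonlinearity, algebraic normal forms and the per-degree term counts of Table 2). Two things in it are this example's own assumptions: the tables are read by input value (entry at index 8·x3 + 4·x2 + 2·x1 + x0, output bits y3 y2 y1 y0), which is the convention that reproduces the algebraic expressions printed for P1 and P3; and the "expected value" column of Table 2 is taken to be C(8, d)/2, the expected number of degree-d terms of a uniformly random Boolean function.

```python
"""Added example, not part of the patent: build the 8-bit S-box of the embodiment
(tables P1, P2, P3, m = 5), check it, and recompute its cryptographic indicators.
Assumed table convention (checked against the printed expressions for P1 and P3):
entry at index 8*x3 + 4*x2 + 2*x1 + x0 is the output read as bits y3 y2 y1 y0."""
from math import comb

P1 = [9, 15, 0, 14, 15, 15, 2, 10, 0, 4, 0, 12, 7, 5, 3, 9]     # non-permutation
P2 = [8, 13, 6, 5, 7, 0, 12, 4, 11, 1, 14, 10, 15, 3, 9, 2]    # permutation
P3 = [2, 6, 10, 6, 0, 13, 10, 15, 3, 3, 13, 5, 0, 9, 12, 13]   # non-permutation
M = 5

def rotl8(t, m):
    return ((t << m) | (t >> (8 - m))) & 0xFF

def sbox(x):
    """Implementation 1 (combinational): three layers, then rotate left by M."""
    x1, x2 = x >> 4, x & 0xF          # x = x1 || x2, x1 is the high nibble
    t1 = x1 ^ P1[x2]
    t2 = x2 ^ P2[t1]
    t3 = t1 ^ P3[t2]
    return rotl8((t3 << 4) | t2, M)   # t = t3 || t2, y = t <<< M

def sbox_sequential(x):
    """Implementation 2: the three-cycle register schedule (L, then R, then T)."""
    x1, x2 = x >> 4, x & 0xF
    L = x1 ^ P1[x2]                   # cycle 1: memory[P1_base + x2] ^ x1 -> L
    R = x2 ^ P2[L]                    # cycle 2: memory[P2_base + L]  ^ x2 -> R
    T = ((P3[R] ^ L) << 4) | R        # cycle 3: memory[P3_base + R]  ^ L, joined with R
    return rotl8(T, M)

def sbox_inverse(y):
    """Peel the layers back; works even though P1 and P3 are not bijective."""
    t = rotl8(y, 8 - M)
    t3, t2 = t >> 4, t & 0xF
    t1 = t3 ^ P3[t2]
    x2 = t2 ^ P2[t1]
    x1 = t1 ^ P1[x2]
    return (x1 << 4) | x2

def is_permutation(table):
    return sorted(table) == list(range(len(table)))

def differential_uniformity(table):
    """max over a != 0 and b of #{x : T(x) ^ T(x ^ a) == b}."""
    n, worst = len(table), 0
    for a in range(1, n):
        count = [0] * n
        for x in range(n):
            count[table[x] ^ table[x ^ a]] += 1
        worst = max(worst, max(count))
    return worst

def _parity(v):
    return bin(v).count("1") & 1

def walsh(f):
    """Walsh-Hadamard spectrum of a Boolean function given as a 0/1 truth table."""
    w = [1 - 2 * v for v in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(table, nbits):
    """min over nonzero output masks b of the nonlinearity of <b, T(x)>."""
    n, worst = 1 << nbits, 0
    for b in range(1, n):
        f = [_parity(b & table[x]) for x in range(n)]
        worst = max(worst, max(abs(w) for w in walsh(f)))
    return (n - worst) // 2

def anf_monomials(table, bit, nbits):
    """Moebius transform of one output bit: the set of monomials present,
    each as a variable mask (0b1010 is x3*x1, mask 0 is the constant 1)."""
    c = [(table[x] >> bit) & 1 for x in range(1 << nbits)]
    h = 1
    while h < len(c):
        for i in range(0, len(c), 2 * h):
            for j in range(i, i + h):
                c[j + h] ^= c[j]
        h *= 2
    return {mask for mask, v in enumerate(c) if v}

def anf_str(table, bit, nbits):
    """Render the ANF the way the parameter-selection section prints it."""
    mons = sorted(anf_monomials(table, bit, nbits), key=lambda m: (-bin(m).count("1"), -m))
    return " + ".join("1" if m == 0 else
                      "".join(f"x{i}" for i in range(nbits - 1, -1, -1) if m >> i & 1)
                      for m in mons)

def degree_profile(table, bit, nbits):
    """(degree, terms of that degree, C(nbits, d)/2) per degree for one output bit;
    the last column is this example's assumption about the expectation in Table 2."""
    mons = anf_monomials(table, bit, nbits)
    return [(d, sum(1 for m in mons if bin(m).count("1") == d), comb(nbits, d) / 2)
            for d in range(nbits + 1)]

S = [sbox(x) for x in range(256)]     # Table 1, regenerated

if __name__ == "__main__":
    print("P2 permutation:", is_permutation(P2), " S permutation:", is_permutation(S))
    print("differential uniformity:", differential_uniformity(S))
    print("nonlinearity:", nonlinearity(S, 8))
    print("P1 y3 =", anf_str(P1, 3, 4))
    for bit in range(8):
        print(f"y{bit} terms by degree:", degree_profile(S, bit, 8))
```

Running the module prints the permutation checks, the two indicators to compare with the values quoted above, the algebraic normal form of y3 of P1 in the same form as the parameter-selection section, and the per-degree term counts that Table 2 reports. sbox_sequential follows the three register writes of implementation 2) and must agree with sbox at every input, and sbox_inverse shows that the structure is invertible although only P2 is a permutation.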

Claims

1. An S-box construction method, comprising the steps of:
1) selecting an integer m and three n-bit-in, n-bit-out transform units P1, P2, P3, where P2 is a permutation unit and n is a natural number;
2) splitting the 2n-bit input information x into two parts, denoted x1 and x2, where x1 is the high n bits of the input information and x2 the low n bits;
3) passing x2 through the transform P1 and XORing the result with x1, the output being denoted t1;
4) passing t1 through the transform P2 and XORing the result with x2, the output being denoted t2;
5) passing t2 through the transform P3 and XORing the result with t1, the output being denoted t3;
6) concatenating t3 as the high n bits and t2 as the low n bits into one 2n-bit value, denoted t;
7) rotating t left by m bits and outputting the result.

2. The method of claim 1, wherein the integer m takes a value from 1 to 2n-1; P1 and P3 are n-bit-in, n-bit-out mappings; and n is an integer with n ≥ 2.

3. The method of claim 1 or 2, wherein a line-order permutation unit is used to rotate t left by m bits for output.

4. The method of claim 1 or 2, wherein the transforms of steps 3) to 5) are realised with a combinational logic circuit whose critical path is: P1 → XOR → P2 → XOR → P3 → XOR.

5. The method of claim 1 or 2, wherein the transforms of steps 3) to 5) are realised with a sequential circuit.

6. The method of claim 5, wherein the transforms are realised with the sequential circuit as follows:
1) the contents of P1, P2, P3 are stored in a memory;
2) from the base address of P1, the P1 entry stored in the memory at offset x2 is read, XORed with x1, and the result is written to an n-bit register L;
3) from the base address of P2, the P2 entry stored in the memory at the offset given by the output of register L is read, XORed with x2, and the result is written to an n-bit register R;
4) from the base address of P3, the P3 entry stored in the memory at the offset given by the output of register R is read and XORed with register L.

7. An S-box, comprising three XOR units A, B, C, three transform units P1, P2, P3 and one line-order permutation unit; wherein the two inputs of XOR unit A are connected to one n-bit information data port and to the output of transform unit P1 respectively, and the output of XOR unit A is connected to the input of transform unit P2 and to an input of XOR unit C; the other n-bit information data port is connected to the input of transform unit P1 and to an input of XOR unit B; the other input of XOR unit B is connected to the output of transform unit P2; the output of XOR unit B is connected to an input of the line-order permutation unit and to the input of transform unit P3; the output of XOR unit C is connected to an input of the line-order permutation unit; the output of transform unit P3 is connected to an input of XOR unit C; where P2 is a permutation unit and n is a natural number.

8. The S-box of claim 7, wherein the S-box has an 8-bit input interface and an 8-bit output interface, n is 4, and P1 and P3 are 4-bit-in, 4-bit-out transforms.

9. An S-box, comprising three XOR units A, B, C, three transform units P1, P2, P3, one line-order permutation unit, two registers L, R and one memory; wherein transform units P1, P2, P3 are each connected to the memory by a base-address line; the two inputs of XOR unit A are connected to one n-bit information data port and to the output of transform unit P1 respectively, and its output is connected to the input of register L; the other n-bit information data port is connected to the input of transform unit P1 and to an input of XOR unit B; the other input of XOR unit B is connected to the output of transform unit P2, and its output is connected to the input of register R; the output of register R is connected to the input of transform unit P3 and to an input of the line-order permutation unit; the output of register L is connected to an input of XOR unit C and to the input of transform unit P2; the other input of XOR unit C is connected to the output of transform unit P3, and its output is connected to an input of the line-order permutation unit; where P2 is a permutation unit and n is an integer with n ≥ 2.

10. The S-box of claim 9, wherein the S-box has an 8-bit input interface and an 8-bit output interface, n is 4, and P1 and P3 are 4-bit-in, 4-bit-out transforms.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010204508.5 2010-06-11
CN 201010204508 CN101848081A (en) 2010-06-11 2010-06-11 S box and construction method thereof

Publications (1)

Publication Number Publication Date
WO2011153666A1 true WO2011153666A1 (en) 2011-12-15

Family

ID=42772549

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/001048 WO2011153666A1 (en) 2010-06-11 2010-07-13 Method for constructing s-box and s-box

Country Status (2)

Country Link
CN (1) CN101848081A (en)
WO (1) WO2011153666A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102185690B (en) * 2011-01-27 2013-11-27 中国科学院软件研究所 Optimal S box construction method and circuit
CN103368725B (en) * 2012-04-06 2016-08-31 中国科学院软件研究所 A kind of G0 class S box building method and circuit thereof
CN103378968B (en) * 2012-04-16 2016-08-03 中国科学院软件研究所 A kind of G1 class S box building method and circuit thereof
CN104683096B (en) * 2013-11-29 2017-12-22 中国航天科工集团第三研究院第八三五七研究所 Dynamic S-box transform method and system
CN109905231B (en) * 2019-02-26 2020-10-30 清华大学 Novel 4 x 4S box construction method special for password
CN111339577B (en) * 2020-02-12 2022-06-07 南京师范大学 Construction method of S box with excellent DPA resistance
CN112511293B (en) * 2020-09-21 2022-03-18 中国电子科技集团公司第三十研究所 S-box parameterization design method based on bit sum operation and storage medium
CN112636899B (en) * 2020-09-21 2022-03-18 中国电子科技集团公司第三十研究所 Lightweight S box design method
CN113162755B (en) * 2021-02-03 2022-12-20 北京信息科学技术研究院 Construction method and circuit of light-weight 8-bit S box
CN114710285B (en) * 2022-05-19 2022-08-23 北京大学 High-performance SM4 bit slice optimization method for heterogeneous parallel architecture

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6243470B1 (en) * 1998-02-04 2001-06-05 International Business Machines Corporation Method and apparatus for advanced symmetric key block cipher with variable length key and block
CN101512618A (en) * 2006-09-01 2009-08-19 索尼株式会社 Data conversion device, data conversion method, and computer program
WO2009104827A1 (en) * 2008-02-20 2009-08-27 Industry-Academic Cooperation Foundation, Yonsei University Method and apparatus for generating key stream for stream cipher, s-box for block cipher and method for substituting input vector using the s-box
CN101719823A (en) * 2009-10-30 2010-06-02 中国科学院软件研究所 Method for realizing linear transformation of S-box

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2789535B1 (en) * 1999-02-04 2001-09-28 Bull Cp8 METHOD FOR SECURING AN ELECTRONIC ASSEMBLY OF SECRET KEY CRYPTOGRAPHY AGAINST ATTACKS BY PHYSICAL ANALYSIS

Also Published As

Publication number Publication date
CN101848081A (en) 2010-09-29

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 10852659; country of ref document EP; kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: pct application non-entry in european phase (ref document number 10852659; country of ref document EP; kind code A1)