基于L-M-NFSR结构的16比特S盒设计方法

16-bit S-box Design Method Based on L-M-NFSR Structure

S盒是分组密码算法的重要部件,为密码算法提供非线性变换,S盒的安全强度在一定程度上决定着密码算法的安全强度。为构造具有优良密码学性质的16比特S盒,设计一种以Lai-Massey结构和非线性反馈移位寄存器(NFSR)组件相结合的L-M-NFSR新结构。该结构以与高级加密标准(AES)算法S盒仿射等价的8比特S盒作为新结构的轮函数,减少设计的复杂性并提高结构的可变性;左右分支各增加一个迭代少量拍数即可符合严格雪崩特性的NFSR组件用于提高结构的扩散性;通过3轮迭代和遍历生成16比特S盒。进一步地,基于该结构,以AES算法S盒仿射等价新生成的8比特S盒替换轮函数中的8比特S盒,可方便地生成大量新的16比特密码S盒。为提高对所构造16比特S盒性质的评估效率,采用图形处理器(GPU)进行并行计算,测试结果表明,所生成的16比特S盒具有较优的密码学性质,均满足双射性,代数次数为15,非线性度最优为31992,差分均匀度最低为18,信噪比最低为146.712,具有较好地抵御数学攻击和差分功耗分析的安全性。

S-box is an important component for non-linear transformation in symmetric cryptographic algorithm,and the security of S-box determines the security of the cryptographic algorithm.In order to construct 16-bit S-box with strong security,a new L-M-NFSR structure is designed based on the Lai-Massey structure and nonlinear feedback shift register(NFSR)component.In the new structure,8-bit S-boxes with advanced encryption standard(AES)algorithm S-box affine equivalence are selected as the round function to reduce the complexity of designing and increase the variability of the structure.Two designed NFSR components that can conform to strict avalanche properties with a small number of iterations are placed into two branches of the structure to improve the diffusion effect of the structure.Then,16-bit S-boxes are constructed by 3-round iteration and traversal search.Furthermore,based on this structure,a large number of new 16-bit S-boxes can be generated by replacing 8-bit S-boxes in the round function with 8-bit S-boxes which are affine equivalent to the AES algorithm S-box.To improve the efficiency of the evaluation of the properties of the constructed 16-bit S-boxes,parallel computation is performed using graphics processing unit(GPU).The test results show that the newly constructed 16-bit S-boxes have good cryptographic properties,which satisfy bijectivity with optimal algebraic number 15,the highest nonlinearity 31992,the lowest differential uniformity 18,and minimum signal-to-noise ratio 146.712,with excellent security against mathematical attacks and differential power analysis.