摘要
S盒是对称密码算法中的重要组成部分,作为主要的非线性部件,其密码性质的好坏直接影响到整体算法的安全性.差分均匀度和线性度(非线性度)是衡量S盒密码性质的两个基本指标,它们分别刻画了S盒抵抗差分密码分析和线性密码分析的能力,并且在仿射变换下保持不变.由于硬件成本限制,轻量密码算法通常采用4比特S盒,其差分均匀度和线性度的下界为4,达到下界的S盒称为最优S盒,Leander等将它们分成了16个仿射等价类.在此基础上,我们对现有典型轻量算法中的S盒按仿射等价关系进行了分类.为了对抗多差分分析、多线性分析及各种变形攻击方法的威胁,还希望S盒具有最大差分概率的差分对个数、具有最优线性逼近关系的掩码个数越少越好,有时甚至需要对单比特输入输出的差分特征和线性特征做更细致的分析,因此我们进一步对上述各轻量S盒达最大差分概率的差分对个数、具有最优线性逼近关系的掩码个数、单比特输入输出差分特征和单比特线性逼近关系的个数,以及单比特情况下的差分均匀度和线性度进行了详细的分析和统计,上述结论可为相关轻量密码算法的分析提供重要的理论依据.
S-boxes are important nonlinear components widely used in the design of symmetric ciphers. The security of the ciphers is directly affected by the cryptographic properties of the S-boxes. Differential uniformity and linearity(nonlinearity) are two fundamental measures for the cryptographic properties of S-boxes, which characterize their capability to resist against differential cryptanalysis and linear cryptanalysis. They are both affine invariant. In the design of lightweight ciphers, 4-bit S-boxes are preferred due to restrictions of hardware costs. For such S-boxes, the minimum value for their differential uniformity and linearity is 4, and those with the minimum value 4 are called optimal S-boxes. Leander et al. classified such S-boxes into 16 affine equivalent classes. Based on this, we classified the S-boxes of some typical lightweight ciphers according to the affine equivalent relations. In order to resist against multiple differential cryptanalysis, multiple linear cryptanalysis and other variants, the S-boxes are also expected to have as small number of differential pairs with largest differential probability and that of masks with best linear approximation as possible, and the differential and linear properties with one bit input and one bit output should also be further analyzed. For the above lightweight S-boxes, we further calculate the number of input and output differentials which occurs with largest probability and the number of input and output masks with the largest bias. Finally, we also calculate the number of appearances that a one-bit input difference causes a one-bit output difference, the number of appearances that a one-bit input mask causes a one-bit output mask with nonzero bias, and the differential uniformity and linearity under such one-bit conditions. All these results can be used in further analysis of related lightweight algorithms.
出处
《密码学报》
CSCD
2015年第6期497-504,共8页
Journal of Cryptologic Research
基金
国家自然科学基金(61521003
61472251
61100200
61309017)
国家863项目(2015AA01A708)
关键词
S盒
轻量密码算法
仿射等价
差分均匀度
线性度
S-boxes
Lightweight algorithms
Affine Equivalence
Differential uniformity
Linearity
