A method and device for measuring and evaluating a cryptographic period based on SH structure
By using a cryptographic cycle evaluation method based on the SH structure, the compatibility and security deficiencies of symmetric cryptographic security analysis under the quantum computing model are solved. This enables accurate security analysis of cryptographic algorithms, provides a reference for the design of post-quantum cryptographic algorithms, and improves the security of data transmission and storage.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NO 15 INST OF CHINA ELECTRONICS TECH GRP
- Filing Date
- 2025-09-16
- Publication Date
- 2026-06-23
AI Technical Summary
Existing symmetric cryptography security analysis and evaluation techniques suffer from poor compatibility and insufficient security under quantum computing models, especially lacking effective means to verify quantum distinguisher testing methods based on periodic functions.
This paper presents a cryptographic cycle evaluation method based on the SH structure. By constructing a structural model of the cryptographic algorithm, performing round function iteration operations, and judging whether the number of rounds of the cycle function is greater than half of the total number of rounds of the cryptographic algorithm under evaluation, the security of the algorithm under the quantum model is determined.
This study achieves accurate security analysis of SH-based cryptographic algorithms under a quantum computing model, provides more precise security indicators, offers a reference for the design and selection of post-quantum cryptographic algorithms, and improves the security of data transmission and storage.
Figure CN121239397B_ABST
Description
Technical Field
[0001] This invention relates to the field of computer encryption technology, and specifically to a method and apparatus for cryptographic period evaluation based on the SH (Source-Heavy) structure.
Background Technology
[0002] Cryptographic evaluation technology verifies and analyzes encryption algorithms, key management mechanisms, and cryptographic security protocols to ensure the confidentiality, integrity, and non-repudiation of sensitive data during transmission and storage. It is a core means of ensuring the security and reliability of cryptographic systems.
[0003] Existing symmetric cryptography security analysis and evaluation techniques are all based on classical computational models, including differential path search, linear path search, and integral path search. However, with the rapid development of quantum computing, traditional cryptographic algorithms and evaluation techniques suffer from poor compatibility and insufficient security under quantum computing models. Cryptography research institutes worldwide, led by NIST in the United States, have begun actively promoting the deployment of post-quantum cryptography, and the design, analysis, and evaluation of quantum-resistant cryptographic algorithms have become a global focus for cryptographers. Among these topics, quantum distinguisher testing methods based on periodic functions are a key issue in symmetric cryptography security analysis and evaluation. The SH structure is a classical generalized Feistel structure. The compression functions of RC2, SPEED, the Chinese national cryptographic algorithm SM4, MD5, and SHA-1 are all based on the SH structure. This invention provides a periodic function evaluation method for cryptographic algorithms with this structure, which helps to analyze the security of the related cryptographic algorithms more accurately and provides more precise security indicators for the design and selection of post-quantum cryptographic algorithms.
Summary of the Invention
[0004] In view of this, the present invention provides a cryptographic periodicity evaluation method and apparatus based on SH structure, which can solve the above-mentioned technical problems.
[0005] To solve the above-mentioned technical problems, the present invention is implemented as follows.
[0006] A cryptographic cycle evaluation method based on SH structure includes:
[0007] Step S1: Obtain the cryptographic algorithm to be tested, $E_{K,q}(\cdot)$, which is based on the SH structure, where K represents the master key and q represents the original number of iteration rounds of the cryptographic algorithm; convert the input of the cryptographic algorithm into a plaintext pattern and construct the structural model of the cryptographic algorithm, which includes a list of input and output bit patterns of the linear transformation L in the cryptographic algorithm;
[0008] Step S2: Input the plaintext pattern into the structural model of the cryptographic algorithm, perform round function iteration operation, and obtain the number of rounds, independent variables, parameters and output variables of the periodic function of the cryptographic algorithm;
[0009] Step S3: Construct a periodic function based on the independent variable, parameters, and output variable; determine the period t based on the output variable; verify the correctness of the constructed periodic function based on the period t; if correct, proceed to step S4.
[0010] Step S4: Determine whether the number of rounds of the periodic function is greater than half of the total number of rounds of the cryptographic algorithm to be tested. If it is satisfied, the evaluation result of the cryptographic algorithm to be tested is secure under the quantum model; if it is not satisfied, the evaluation result of the cryptographic algorithm to be tested is insecure under the quantum model.
[0011] Preferably, in step S1, converting the input of the cryptographic algorithm into plaintext includes:
[0012] The input to the cryptographic algorithm is divided into 4n plaintext blocks, and these 4n plaintext blocks are then divided into four data blocks X′0, X′1, X′2, X′3, each containing n components. Write $X'_i = [m_{i0}, m_{i1}, \ldots, m_{i(n-1)}]$, where each component $m_{ij}$ of $X'_i$ is one byte, i = 0, 1, 2, 3; j = 0, ..., n-1. Each component $m_{ij}$ in X′0, X′1, X′2, X′3 is then converted, according to its bit pattern, into a bit component $x_{ij}$, namely
[0013]
[0014] that is, data block $X'_i$ is converted into a bit pattern comprising n bit components, $[x_{i0}, x_{i1}, \ldots, x_{i(n-1)}]$,
[0015] The transformed X′0, X′1, X′2, X′3 are denoted as X0, X1, X2, X3 respectively. The combination of X0, X1, X2, X3 forms the plaintext pattern.
[0016] Preferably, the structural model expression of the cryptographic algorithm is as follows:
[0017]
[0018] where $T_{num}$ denotes the function T constructed in round num; $X_{num-1}$, $X_{num}$, $X_{num+1}$, $X_{num+2}$ are the input patterns of the num-th round; $X_{num+3}$ is the output pattern of the num-th round; and the operator in the expression is the XOR operation.
[0019] Preferably, the structural model of the cryptographic algorithm performs r rounds of round function operations on X0, X1, X2, X3, and the round function iteration operation is performed with X0, X1, X2, X3 as the input of the first round;
[0020] The round function operations of the num-th round, where 1 ≤ num ≤ r, include:
[0021] Step S11: Obtain the input of the num-th round, and denote the input of the num-th round as Temp0, Temp1, Temp2, Temp3; where, when num equals 1, the input is the transformed X0, X1, X2, X3; when num is not equal to 1, the input is the output of the (num-1)-th round;
[0022] Step S12: Construct the T function; the T function consists of an S-box transformation and a linear L-layer transformation. The S-box transformation performs a lookup-table replacement on bytes. Three symbols are set in the S-box transformation: △, *, and ?. The lookup rules are: S(0) = 0, S(1) = △, S(*) = *; and k is any non-zero symbol among 0, 1, △, *, ?; the linear L-layer transformation is a linear transformation performed on the n components of $Temp_i$, based on the output pattern list calculated from the coefficient matrix of transformation L;
[0023] Input Temp1, Temp2, and Temp3 into the T function. Look up each component of the XOR sum of Temp1, Temp2, and Temp3 in the S-box; when all n components have been looked up, the output vector $[y_{10}, y_{11}, \ldots, y_{1(n-1)}]$ is obtained, where each component is the result of looking up $x_{1j}$ in the S-box;
[0024] Step S13: Apply the linear L-layer transformation to the output vector $[y_{10}, y_{11}, \ldots, y_{1(n-1)}]$ and use the result as the output of the T function. The output of the T function is $[z_{10}, z_{11}, \ldots, z_{1(n-1)}] = L([y_{10}, y_{11}, \ldots, y_{1(n-1)}])$;
[0025] Step S14: XOR the output of the T function, $[z_{10}, z_{11}, \ldots, z_{1(n-1)}]$, with Temp0 to obtain Temp4.
[0026] Temp1, Temp2, Temp3, and Temp4 are used as the output of the num-th round.
[0027] Preferably, step S2 involves inputting the plaintext pattern into the structural model of the cryptographic algorithm, performing round function iteration operations, and obtaining the number of rounds, independent variables, parameters, and output variables of the periodic function of the cryptographic algorithm, including:
[0028] Step S21: Input the plaintext patterns X0, X1, X2, and X3 into the structural model of the cryptographic algorithm, and perform l-3 rounds of iteration to obtain the result $X_{l-3}$, $X_{l-2}$, $X_{l-1}$, $X_l$, where l > 3;
[0029] The iteration process of round wheel, where 1 ≤ wheel ≤ l-3, includes:
[0030] Step S211: Denote the input of round wheel as $X_{wheel-1}$, $X_{wheel}$, $X_{wheel+1}$, $X_{wheel+2}$;
[0031] Step S212: Calculate the intermediate variables $S_{wheel+3}$, $Y_{wheel+3}$, $Z_{wheel+3}$ and $X_{wheel+3}$:
[0032]
[0033] $Y_{wheel+3} = [S(s_{(wheel+3)0}), S(s_{(wheel+3)1}), \ldots, S(s_{(wheel+3)(n-1)})]$
[0034] $= [y_{(wheel+3)0}, y_{(wheel+3)1}, \ldots, y_{(wheel+3)(n-1)}]$
[0035] $Z_{wheel+3} = L([y_{(wheel+3)0}, y_{(wheel+3)1}, \ldots, y_{(wheel+3)(n-1)}])$
[0036] $= [z_{(wheel+3)0}, z_{(wheel+3)1}, \ldots, z_{(wheel+3)(n-1)}]$
[0037]
[0038] Step S213: Obtain the n components $x_{(wheel+3)j}$ of $X_{wheel+3}$; let test equal wheel + 3;
[0039] Step S22: Determine whether $x_{(test)j}$ is *;
[0040] Step S23: If so, let test equal test + 1, perform the (test - 2)-th round of the iteration process, determine $x_{(test)(j+1)}$ from the obtained $X_{test}$, let j equal j + 1, and return to Step S22; if not, go to Step S24;
[0041] Step S24: Apply the $L^{-1}$ transformation to $X_{test}$ to obtain
[0042] $X'_{test} = L^{-1}([x_{(test)0}, x_{(test)1}, \ldots, x_{(test)(n-1)}]) = [x'_{(test)0}, x'_{(test)1}, \ldots, x'_{(test)(n-1)}]$
[0043] If there exists an $x'_{(test)j}$ that is *, then the number of rounds of the periodic function of this cryptographic algorithm is l;
[0044] Otherwise, the number of rounds of the periodic function of this cryptographic algorithm is l - 1;
[0045] Step S25: Randomly select a master key K and generate each round subkey $RK_{k-1}$, where 0 < k < q; the position of the independent variable x of the cryptographic algorithm $E_{K,q}(\cdot)$ is the non-zero bit position corresponding to the pattern of $L^{-1}(X0)$; the position of the parameter α of the cryptographic algorithm $E_{K,q}(\cdot)$ is the non-zero bit position corresponding to the patterns of X1, X2, X3; the output variable is the data value $Data(x'_{lj})$ or $Data(x_{lj})$, defined as $OUT_r$.
[0046] Preferably, in step S3, constructing a periodic function based on the independent variable, parameters, and output variable; determining the period t based on the output variable; and verifying the correctness of the constructed periodic function based on the period t include:
[0047] Step S31: The periodic function constructed based on the independent variable, parameters, and output variable is as follows:
[0048]
[0049] Period
[0050] where α0 and α1 are the variable parameters; h(x,α0) is the $OUT_r$ value obtained by encrypting the plaintext input (x,α0); h(x,α1) is the $OUT_r$ value obtained by encrypting the plaintext input (x,α1); and RK0[1] is the first byte of the first-round subkey generated from the master key K;
[0051] Step S32: Randomly select a master key K and input to $E_{K,q}(\cdot)$ two different sets of plaintext blocks, each set of plaintext blocks corresponding to a plaintext pattern;
[0052] Each plaintext block is encrypted for r rounds, and the outputs are denoted $OUT_r$ and $OUT'_r$;
[0053] If the calculated $OUT_r$ and $OUT'_r$ are equal, the constructed periodic function is correct; otherwise, the constructed periodic function is incorrect.
[0054] Preferably, in step S4, the total number of rounds of the encryption algorithm $E_{K,q}(\cdot)$ is equal to q.
[0055] This invention provides a cryptographic periodicity evaluation device based on the SH structure, comprising:
[0056] Initialization module: Configured to obtain the cryptographic algorithm to be evaluated, $E_{K,q}(\cdot)$, which is based on the SH structure, where K represents the master key and q represents the original number of iteration rounds of the cryptographic algorithm; to convert the input of the cryptographic algorithm into a plaintext pattern and construct the structural model of the cryptographic algorithm, which includes a list of input and output bit patterns of the linear transformation L in the cryptographic algorithm;
[0057] Intermediate quantity acquisition module: configured to input plaintext mode into the structure model of cryptographic algorithm, perform round function iteration operation, and obtain the number of rounds, independent variables, parameters and output variables of the periodic function of cryptographic algorithm;
[0058] Verification module: Configured to construct a periodic function based on independent variables, parameters, and output variables; determine the period t based on the output variable; verify the correctness of the constructed periodic function based on the period t; and trigger the judgment module if it is correct.
[0059] Judgment module: Configured to determine whether the number of rounds of the periodic function is greater than half of the total number of rounds of the cryptographic algorithm to be evaluated. If it is satisfied, the evaluation result of the cryptographic algorithm to be evaluated is secure under the quantum model; if it is not satisfied, the evaluation result of the cryptographic algorithm to be evaluated is insecure under the quantum model.
[0060] The present invention provides a computer-readable storage medium storing a plurality of instructions; the plurality of instructions are used by a processor to load and execute the method as described above.
[0061] The present invention provides an electronic device, characterized in that the electronic device comprises:
[0062] A processor is used to execute multiple instructions;
[0063] Memory, used to store multiple instructions;
[0064] The plurality of instructions are to be stored in the memory and loaded and executed by the processor as described above.
[0065] Beneficial effects:
[0066] (1) The periodic function of the present invention is designed based on the characteristics of the linear layer L in the SH structure and the round function. The design method is simple, easy to implement on software and hardware platforms, and has the advantage of high efficiency.
[0067] (2) This invention is applicable to the fields of cryptographic evaluation and cryptographic security analysis. It is used to evaluate the quantum distinguisher and quantum security of SH-structure symmetric cryptography in quantum cryptosystems after evaluation, and provides security for data storage and transmission.
[0068] (3) The feature design of the cryptographic round function module based on the SH structure in this invention can provide new ideas for the design of symmetric cryptography such as block ciphers, hash functions, and authentication encryption based on the generalized Feistel structure in the post-quantum era.
Attached Figure Description
[0069] Figure 1 is a schematic diagram of the cryptographic periodicity evaluation method based on the SH structure of the present invention;
[0070] Figures 2(a) and 2(b) are schematic diagrams of the encryption process mode of the typical SH structure cipher in this invention;
[0071] Figure 3 is a schematic diagram of the cryptographic periodic evaluation process based on the SH structure in this invention.
Detailed Implementation
[0072] The present invention will now be described in detail with reference to the accompanying drawings and embodiments.
[0073] As shown in Figure 1, this invention proposes a cryptographic periodicity evaluation method based on the SH structure, the method comprising:
[0074] Step S1: Obtain the cryptographic algorithm to be tested, $E_{K,q}(\cdot)$, which is based on the SH structure, where K represents the master key and q represents the original number of iteration rounds of the cryptographic algorithm; convert the input of the cryptographic algorithm into a plaintext pattern and construct the structural model of the cryptographic algorithm, which includes a list of input and output bit patterns of the linear transformation L in the cryptographic algorithm;
[0075] Step S2: Input the plaintext pattern into the structural model of the cryptographic algorithm, perform round function iteration operation, and obtain the number of rounds, independent variables, parameters and output variables of the periodic function of the cryptographic algorithm;
[0076] Step S3: Construct a periodic function based on the independent variable, parameters, and output variable; determine the period t based on the output variable; verify the correctness of the constructed periodic function based on the period t; if correct, proceed to step S4.
[0077] Step S4: Determine whether the number of rounds of the periodic function is greater than half of the total number of rounds of the cryptographic algorithm to be tested. If it is satisfied, the evaluation result of the cryptographic algorithm to be tested is secure under the quantum model; if it is not satisfied, the evaluation result of the cryptographic algorithm to be tested is insecure under the quantum model.
[0078] In step S1, converting the input of the cryptographic algorithm into plaintext includes:
[0079] The input to the cryptographic algorithm is divided into 4n plaintext blocks, and these 4n plaintext blocks are then divided into four data blocks X′0, X′1, X′2, X′3, each containing n components. Write $X'_i = [m_{i0}, m_{i1}, \ldots, m_{i(n-1)}]$, where each component $m_{ij}$ of $X'_i$ is one byte, i = 0, 1, 2, 3; j = 0, ..., n-1. Each component $m_{ij}$ in X′0, X′1, X′2, X′3 is then converted, according to its bit pattern, into a bit component $x_{ij}$, namely
[0080]
[0081] that is, data block $X'_i$ is converted into a bit pattern comprising n bit components, $[x_{i0}, x_{i1}, \ldots, x_{i(n-1)}]$,
[0082] The transformed X′0, X′1, X′2, X′3 are denoted as X0, X1, X2, X3 respectively. The combination of X0, X1, X2, X3 forms the plaintext pattern.
[0083] As shown in Figure 2(a), the structural model expression of the cryptographic algorithm is:
[0084]
[0085] where $T_{num}$ denotes the function T constructed in round num; $X_{num-1}$, $X_{num}$, $X_{num+1}$, $X_{num+2}$ are the input patterns of the num-th round; $X_{num+3}$ is the output pattern of the num-th round; and the operator in the expression is the XOR operation.
[0086] Furthermore, the structural model of the cryptographic algorithm performs r rounds of round function operations on X0, X1, X2, X3, and the round function iteration operation is performed with X0, X1, X2, X3 as the input of the first round;
[0087] The round function operations of the num-th round, where 1 ≤ num ≤ r, include:
[0088] Step S11: Obtain the input of the num-th round, and denote the input of the num-th round as Temp0, Temp1, Temp2, Temp3; where, when num equals 1, the input is the transformed X0, X1, X2, X3; when num is not equal to 1, the input is the output of the (num-1)-th round;
[0089] Step S12: Construct the T function; the T function consists of an S-box transformation and a linear L-layer transformation. The S-box transformation performs a lookup-table replacement on bytes. Three symbols are set in the S-box transformation: △, *, and ?. The lookup rules are: S(0) = 0, S(1) = △, S(*) = *; and k is any non-zero symbol among 0, 1, △, *, ?; the linear L-layer transformation is a linear transformation performed on the n components of $Temp_i$, based on the output pattern list calculated from the coefficient matrix of transformation L;
[0090] Input Temp1, Temp2, and Temp3 into the T function. Look up each component of the XOR sum of Temp1, Temp2, and Temp3 in the S-box; when all n components have been looked up, the output vector $[y_{10}, y_{11}, \ldots, y_{1(n-1)}]$ is obtained, where each component is the result of looking up $x_{1j}$ in the S-box;
[0091] Step S13: Apply the linear L-layer transformation to the output vector $[y_{10}, y_{11}, \ldots, y_{1(n-1)}]$ and use the result as the output of the T function. The output of the T function is $[z_{10}, z_{11}, \ldots, z_{1(n-1)}] = L([y_{10}, y_{11}, \ldots, y_{1(n-1)}])$;
[0092] Step S14: XOR the output of the T function, $[z_{10}, z_{11}, \ldots, z_{1(n-1)}]$, with Temp0 to obtain Temp4.
[0093] Temp1, Temp2, Temp3, and Temp4 are used as the output of the num-th round.
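The round described in steps S11 to S14 can be made concrete on byte values. The following Python sketch is an added illustration, not code from the patent: the S-box and the binary coefficient matrix of L are constructed toy values (the patent's own matrix is not reproduced on this page), n = 4 is assumed, and the steps are followed literally, so no round subkey is mixed in. It also goes slightly beyond the text by undoing a round, which needs neither an inverse S-box nor an inverse L because three of the four blocks pass through each round unchanged.

```python
# Added illustration of the SH round in steps S11-S14 (not the patent's code).
# SBOX and L_MATRIX are constructed toy values chosen only to be invertible.
from functools import reduce

N = 4  # components (bytes) per data block; assumed, matching the n = 4 case

# Constructed bijective byte S-box (affine map with an odd multiplier).
SBOX = [(5 * b + 1) & 0xFF for b in range(256)]

# Constructed non-singular binary coefficient matrix for L (upper triangular).
L_MATRIX = [
    [1, 1, 0, 0],
    [0, 1, 1, 0],
    [0, 0, 1, 1],
    [0, 0, 0, 1],
]


def xor_blocks(*blocks):
    """Component-wise XOR of equal-length byte vectors."""
    return [reduce(lambda a, b: a ^ b, col) for col in zip(*blocks)]


def linear_l(y):
    """Apply L: output byte i is the XOR of the input bytes selected by row i."""
    return [
        reduce(lambda a, b: a ^ b, (y[j] for j in range(N) if row[j]), 0)
        for row in L_MATRIX
    ]


def t_function(t1, t2, t3):
    """Steps S12-S13: S-box each component of Temp1^Temp2^Temp3, then apply L."""
    s = xor_blocks(t1, t2, t3)
    y = [SBOX[b] for b in s]
    return linear_l(y)


def sh_round(state):
    """Steps S11-S14: (Temp0, Temp1, Temp2, Temp3) -> (Temp1, Temp2, Temp3, Temp4)."""
    t0, t1, t2, t3 = state
    t4 = xor_blocks(t0, t_function(t1, t2, t3))
    return (t1, t2, t3, t4)


def sh_round_inverse(state):
    """Undo one round: Temp0 = Temp4 ^ T(Temp1, Temp2, Temp3)."""
    t1, t2, t3, t4 = state
    t0 = xor_blocks(t4, t_function(t1, t2, t3))
    return (t0, t1, t2, t3)


def split_input(data):
    """Step S1 layout: 4n input bytes -> four data blocks of n components."""
    if len(data) != 4 * N:
        raise ValueError("input must be exactly 4n bytes")
    return tuple(list(data[i * N:(i + 1) * N]) for i in range(4))


def iterate(state, rounds, step=sh_round):
    """Apply `step` to the four-block state `rounds` times."""
    for _ in range(rounds):
        state = step(state)
    return state


def step_s4_verdict(periodic_rounds, q):
    """Step S4 as worded above: secure only if rounds > half of the q total rounds."""
    return "secure" if 2 * periodic_rounds > q else "insecure"


if __name__ == "__main__":
    x = split_input(bytes(range(16)))  # constructed sample input
    after = iterate(x, 5)
    print(after)
    print(iterate(after, 5, sh_round_inverse) == x)
    print(step_s4_verdict(5, 32))
```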
[0094] In this invention, the T function is shown in Figure 2(b). It is necessary to construct an output mode list based on the coefficient matrix of the transformation L. Taking the MDS coefficient matrix as an example, all output mode components corresponding to non-zero inputs are 1. If the coefficient matrix is a non-singular n-order square matrix in a binary field, taking n=4 as an example, then the input is a 4-dimensional byte vector, and the corresponding output mode will have 0 components. For example, assuming the coefficient matrix of L is...
[0095]
[0096] The input-corresponding output mode list is as follows:
[0097]

| Input mode | Output mode |
| --- | --- |
| 0000 | 0000 |
| 0001 | 0100 |
| 0010 | 1000 |
| 0011 | 1100 |
| 0100 | 0011 |
| 0101 | 0111 |
| 0110 | 1011 |
| 0111 | 1111 |
| 1000 | 0010 |
| 1001 | 0110 |
| 1010 | 1010 |
| 1011 | 1110 |
| 1100 | 0011 |
| 1101 | 0111 |
| 1110 | 1011 |
| 1111 | 1111 |
[0098] As shown in Figure 3, step S2 involves inputting the plaintext pattern into the structural model of the cryptographic algorithm and performing round function iteration to obtain the number of rounds, independent variables, parameters, and output variables of the periodic function of the cryptographic algorithm, including:
[0099] Step S21: Input the plaintext patterns X0, X1, X2, X3 into the structural model of the cryptographic algorithm, and perform l-3 rounds of iteration to obtain the result $X_{l-3}$, $X_{l-2}$, $X_{l-1}$, $X_l$, where l > 3;
[0100] The iteration process of round wheel, where 1 ≤ wheel ≤ l-3, includes:
[0101] Step S211: Denote the input of round wheel as $X_{wheel-1}$, $X_{wheel}$, $X_{wheel+1}$, $X_{wheel+2}$;
[0102] Step S212: Calculate the intermediate variables $S_{wheel+3}$, $Y_{wheel+3}$, $Z_{wheel+3}$ and $X_{wheel+3}$:
[0103]
[0104] $Y_{wheel+3} = [S(s_{(wheel+3)0}), S(s_{(wheel+3)1}), \ldots, S(s_{(wheel+3)(n-1)})]$
[0105] $= [y_{(wheel+3)0}, y_{(wheel+3)1}, \ldots, y_{(wheel+3)(n-1)}]$
[0106] $Z_{wheel+3} = L([y_{(wheel+3)0}, y_{(wheel+3)1}, \ldots, y_{(wheel+3)(n-1)}])$
[0107] $= [z_{(wheel+3)0}, z_{(wheel+3)1}, \ldots, z_{(wheel+3)(n-1)}]$
[0108]
[0109] Step S213: Obtain the n components $x_{(wheel+3)j}$ of $X_{wheel+3}$; let test equal wheel + 3;
[0110] Step S22: Determine whether $x_{(test)j}$ is *;
[0111] Step S23: If so, let test equal test + 1, perform the (test - 2)-th round of the iteration process, determine $x_{(test)(j+1)}$ from the obtained $X_{test}$, let j equal j + 1, and return to Step S22; if not, go to Step S24;
[0112] Step S24: Apply the $L^{-1}$ transformation to $X_{test}$ to obtain
[0113] $X'_{test} = L^{-1}([x_{(test)0}, x_{(test)1}, \ldots, x_{(test)(n-1)}]) = [x'_{(test)0}, x'_{(test)1}, \ldots, x'_{(test)(n-1)}]$
[0114] If there exists an $x'_{(test)j}$ that is *, then the number of rounds of the periodic function of this cryptographic algorithm is l;
[0115] Otherwise, the number of rounds of the periodic function of this cryptographic algorithm is l - 1;
[0116] Step S25: Randomly select a master key K and generate each round subkey $RK_{k-1}$, where 0 < k < q; the position of the independent variable x of the cryptographic algorithm $E_{K,q}(\cdot)$ is the non-zero bit position corresponding to the pattern of $L^{-1}(X0)$; the position of the parameter α of the cryptographic algorithm $E_{K,q}(\cdot)$ is the non-zero bit position corresponding to the patterns of X1, X2, X3; the output variable is the data value $Data(x'_{lj})$ or $Data(x_{lj})$ corresponding to the position of *, defined as $OUT_r$.
[0117] Furthermore, in the said Step S3, construct a periodic function based on the independent variable, parameter, and output variable; determine the period t based on the output variable, and verify the correctness of the constructed periodic function according to the period t, including:
[0118] Step S31: The periodic function constructed based on the independent variable, parameter, and output variable is:
[0119]
[0120] Period
[0121] where α0 and α1 are the variable parameters; g(x,α0) is the $OUT_r$ value obtained by encrypting the plaintext input (x,α0); g(x,α1) is the $OUT_r$ value obtained by encrypting the plaintext input (x,α1); and RK0[1] is the first byte of the first-round subkey generated from the master key K;
[0122] Step S32: Randomly select a master key K and input to $E_{K,q}(\cdot)$ two different sets of plaintext blocks, each set of plaintext blocks corresponding to a plaintext pattern;
[0123] Each plaintext block is encrypted for r rounds, and the outputs are denoted $OUT_r$ and $OUT'_r$;
[0124] If the calculated $OUT_r$ and $OUT'_r$ are equal, the constructed periodic function is correct; otherwise, the constructed periodic function is incorrect.
[0125] In this invention, each group of plaintext blocks is encrypted in r rounds, for example:
[0126] X0=L[x,0,…,0]; X1=[α0,0,…,0]; X2=[α0,0,…,0]; X3=[v0,0,…,0];
[0127] X′1=[α1,0,…,0]; X′2=[α1,0,…,0]; X′3=[α1,0,…,0].
[0128] Furthermore, in step S4, the total number of rounds of the encryption algorithm $E_{K,q}(\cdot)$ equals q. Determine whether the number of rounds r is greater than q. If the condition is met, the cipher under test is considered relatively secure under the quantum model; if the condition is not met, the cipher under test is considered insecure under the quantum model.
[0129] The present invention also provides a cryptographic periodicity evaluation device based on the SH structure, the device comprising:
[0130] Initialization module: Configured to obtain the cryptographic algorithm to be evaluated, $E_{K,q}(\cdot)$, which is based on the SH structure, where K represents the master key and q represents the original number of iteration rounds of the cryptographic algorithm; to convert the input of the cryptographic algorithm into a plaintext pattern and construct the structural model of the cryptographic algorithm, which includes a list of input and output bit patterns of the linear transformation L in the cryptographic algorithm;
[0131] Intermediate quantity acquisition module: configured to input plaintext mode into the structure model of cryptographic algorithm, perform round function iteration operation, and obtain the number of rounds, independent variables, parameters and output variables of the periodic function of cryptographic algorithm;
[0132] Verification module: Configured to construct a periodic function based on independent variables, parameters, and output variables; determine the period t based on the output variable; verify the correctness of the constructed periodic function based on the period t; and trigger the judgment module if it is correct.
[0133] Judgment module: Configured to determine whether the number of rounds of the periodic function is greater than half of the total number of rounds of the cryptographic algorithm to be evaluated. If it is satisfied, the evaluation result of the cryptographic algorithm to be evaluated is secure under the quantum model; if it is not satisfied, the evaluation result of the cryptographic algorithm to be evaluated is insecure under the quantum model.
[0134] The specific embodiments described above only illustrate the design principles of the present invention. The shapes and names of the components in this description may differ and are not limited. Therefore, those skilled in the art can modify or make equivalent substitutions to the technical solutions described in the foregoing embodiments; and these modifications and substitutions do not depart from the inventive spirit and technical solutions of the present invention, and should all fall within the protection scope of the present invention.
Claims
1. A cryptographic periodicity evaluation method based on SH structure, characterized in that, include: Step S1: Obtain the cryptographic algorithm to be tested The cryptographic algorithm is based on the SH structure; where K represents the master key and q represents the original iteration round number of the cryptographic algorithm; the input of the cryptographic algorithm is converted into plaintext mode and the structural model of the cryptographic algorithm is constructed, wherein the structural model of the cryptographic algorithm includes a list of input and output bit modes of the linear transformation L in the cryptographic algorithm; Step S2: Input the plaintext pattern into the structural model of the cryptographic algorithm, perform round function iteration operation, and obtain the number of rounds, independent variables, parameters and output variables of the periodic function of the cryptographic algorithm; Step S3: Construct a periodic function based on the independent variable, parameters, and output variable; The period t is determined based on the output variable. The correctness of the constructed periodic function is verified based on the period t. If it is correct, proceed to step S4. Step S4: Determine whether the number of rounds of the periodic function is greater than half of the total number of rounds of the cryptographic algorithm to be tested. If it is satisfied, the evaluation result of the cryptographic algorithm to be tested is secure under the quantum model; if it is not satisfied, the evaluation result of the cryptographic algorithm to be tested is insecure under the quantum model. The structural model expression of the cryptographic algorithm is as follows: in, Represents the number constructed in round num. function, , , , The first num Wheel input mode, For the first num Wheel output mode, This is an XOR operation; the T function consists of an S-box transformation and a linear L-box transformation. 
The S-box transformation performs a lookup and replacement of bytes, and it uses three symbols: The table lookup rules are formatted as follows: , , , ; ,and For 0, 1, Any non-zero symbol in the matrix; the linear L-level transform is based on the output mode list calculated from the coefficient matrix of transform L. In Linear transformation of each component; In step S3, a periodic function is constructed based on the independent variable, parameters, and output variable; the period t is determined based on the output variable; and the correctness of the constructed periodic function is verified based on the period t, including: Step S31: Constructing a periodic function based on the independent variable, parameters, and output variable. for: cycle in, These are the variable parameters in the parameters. for( Plaintext input encrypted , for( Plaintext input encrypted , This is the first byte of the first round subkey generated from the master key K; cryptographic algorithms Independent variable; Step S32: Randomly select a master key K and input it. There are two different sets of plaintext blocks, and each set of plaintext blocks corresponds to a plaintext pattern; Each plaintext block is encrypted for r rounds, and the outputs are denoted as follows: and ; If the calculation yields and If they are equal, the constructed periodic function is correct; otherwise, the constructed periodic function is incorrect.
2. The method as described in claim 1, characterized in that, in step S1, converting the input of the cryptographic algorithm into plaintext includes: The input to this cryptographic algorithm is divided into block of plaintext, then The plaintext is divided into 4 data blocks, each containing n components. , denote = , where Each component For 1 byte, =0,1,2,3; j =0,…, Then Each component in Convert from bit pattern to bit components , that is, data block Transformed into including n Bit pattern of each bit component , Transformed They are respectively denoted as , The combination is the plaintext pattern.
3. The method as described in claim 2, characterized in that, The structural model of the cryptographic algorithm is... conduct r rounds of the round function operation, the round function iteration operation is based on... This was done as input for the first round; the round function operation of the num-th round, where , includes:
Step S11: Obtain the input for the num-th round, and denote the input for the num-th round as... When num equals 1, the input is the converted value. When num is not equal to 1, the input is the output of the (num-1)th round;
Step S12: Construct the T function; Will Input the T function, for Each component of the XOR sum is queried in the S-box. After all n components have been queried, the output vector is obtained. ; where, , Query the results of the S-box;
Step S13: Process the output vector The linear L-level transformation is used as the output of the T function, and the output of the T function is: ;
Step S14: Output the result of the T function and XOR, get , ; Will As the output of the num-th round.
4. The method as described in claim 3, characterized in that step S2, which involves inputting the plaintext pattern into the structural model of the cryptographic algorithm and performing round function iteration to obtain the number of rounds, independent variables, parameters, and output variables of the periodic function of the cryptographic algorithm, includes:
Step S21: Convert plaintext mode The structural model of the input cryptographic algorithm was carried out in a total of The result of the round of iterations is , ; where, , No. The round-iteration process includes:
Step S211: Record the first The input to the round is ;
Step S212: Calculate intermediate variables , , and :
Step S213: Obtain of n Each component ; make test equal wheel+3 ;
Step S22: Determine Is it ;
Step S23: If so, let test equal test+ 1. Proceed to the first Round iterative process, based on the obtained determine , let equal +1, proceed to step S22; otherwise, proceed to step S24;
Step S24: For conduct Transformation, to obtain If it exists for Then the number of rounds of the periodic function of this cryptographic algorithm is ; Otherwise, the number of rounds of the periodic function of this cryptographic algorithm is ;
Step S25: Randomly select a master key K, and generate the sub-keys for each round using a key arrangement algorithm. , where cryptographic algorithms Independent variable Location is Non-zero bit positions corresponding to the pattern; cryptographic algorithm parameter Location is The corresponding non-zero bit position of the pattern; the output variable is the data value corresponding to the position of *. or Defined as .
5. The method as described in claim 4, characterized in that, in step S4, the encryption algorithm The full number of rounds equals .
6. A cryptographic periodicity evaluation device based on an SH structure, used to execute the method described in any one of claims 1-5, characterized in that it includes:
Initialization module: configured to obtain the cryptographic algorithm to be evaluated. The cryptographic algorithm is based on the SH structure; where K represents the master key and q represents the original number of iteration rounds of the cryptographic algorithm; the input of the cryptographic algorithm is converted into a plaintext pattern and the structural model of the cryptographic algorithm is constructed, wherein the structural model of the cryptographic algorithm includes a list of input and output bit patterns of the linear transformation L in the cryptographic algorithm;
Intermediate quantity acquisition module: configured to input the plaintext pattern into the structural model of the cryptographic algorithm, perform the round function iteration operation, and obtain the number of rounds, independent variables, parameters and output variables of the periodic function of the cryptographic algorithm;
Validation module: configured to construct a periodic function based on the independent variables, parameters, and output variables; the period t is determined based on the output variable, and the correctness of the constructed periodic function is verified based on the period t. If it is correct, the judgment module is triggered;
Judgment module: configured to determine whether the number of rounds of the periodic function is greater than half of the total number of rounds of the cryptographic algorithm to be evaluated. If this condition is satisfied, the evaluation result of the cryptographic algorithm to be evaluated is secure under the quantum model; if it is not satisfied, the evaluation result of the cryptographic algorithm to be evaluated is insecure under the quantum model.
7. A computer-readable storage medium, characterized in that the storage medium stores a plurality of instructions; the plurality of instructions are loaded by a processor to execute the method described in any one of claims 1-5.
8. An electronic device, characterized in that the electronic device includes: a processor, used to execute a plurality of instructions; and a memory, used to store the plurality of instructions; wherein the plurality of instructions are stored in the memory and loaded by the processor to execute the method described in any one of claims 1-5.
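Steps S31 and S32 of claim 1 (construct a periodic function whose period depends on the first round subkey, then check it by encrypting two plaintext sets under a randomly chosen master key and comparing outputs) can be exercised on a toy cipher. The following is an added example, not code from the patent: the 8-bit S-box, linear layer, key schedule, constants A0, A1 and C, the 4-branch round form and the 2-round function f are all constructed assumptions.

```python
import random
import secrets

# Constructed toy primitives (assumptions, not from the patent or any real cipher)
SBOX = list(range(256))
random.Random(2025).shuffle(SBOX)          # fixed 8-bit permutation

def rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def T(b):
    """T = L(S(b)): S-box lookup, then an invertible rotate-XOR linear layer."""
    s = SBOX[b]
    return s ^ rotl8(s, 2) ^ rotl8(s, 5)

def round_keys(master_key, rounds):
    """Toy key schedule: one subkey byte per round from a 32-bit master key."""
    return [SBOX[((master_key >> (8 * (i % 4))) & 0xFF) ^ i] for i in range(rounds)]

def encrypt_rounds(block, rks):
    """Assumed SH round: (x0,x1,x2,x3) -> (x1,x2,x3, x0 ^ T(x1^x2^x3^rk))."""
    x0, x1, x2, x3 = block
    for rk in rks:
        x0, x1, x2, x3 = x1, x2, x3, x0 ^ T(x1 ^ x2 ^ x3 ^ rk)
    return (x0, x1, x2, x3)

A0, A1, C = 0x00, 0x01, 0x5A               # constructed constants, A0 != A1

def f(b, x, rks):
    """2-round candidate: last output branch with the chosen constant removed.
    Algebraically f(b, x) = T(x ^ T(alpha_b ^ rk0) ^ rk1)."""
    alpha = A1 if b else A0
    return encrypt_rounds((x, alpha, C, C), rks[:2])[3] ^ alpha

def period(rks):
    """Period t of f in x between the two plaintext sets; depends only on rk0."""
    return T(A0 ^ rks[0]) ^ T(A1 ^ rks[0])

def verify_period(trials=64, offset=0):
    """S32-style check: random master key, two plaintext sets, compare outputs.
    A non-zero offset perturbs t and acts as a negative control."""
    for _ in range(trials):
        rks = round_keys(secrets.randbits(32), 2)
        x = secrets.randbits(8)
        if f(0, x, rks) != f(1, x ^ period(rks) ^ offset, rks):
            return False
    return True
```

Because T is injective in this toy, any wrong period fails on the first trial, which makes the negative control deterministic.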