基于仿射变换S盒的轻量级杂凑函数

针对轻量级杂凑函数的线性层结构单一易受统计饱和攻击的问题，提出一种以海绵结构为主体，内部置换函数为仿射变换S盒结构的轻量级杂凑函数。仿射变换后的S盒继承了原S盒良好的密码特性，同时在很大程度上弥补了线性层结构过于简单的不足。根据最优4 bit最优S盒仿射等价类的具有最大差分概率的差分对个数、具有最优线性逼近关系的掩码个数及最大分支数确定了仿射变换S盒原型；通过差分及线性密码分析、统计饱和攻击分析了内部置换结构的安全性；设计了仿射变换结构的控制逻辑及算法整体的串/并行硬件实现方案，并在Design Compiler上进行了综合验证。结果表明，基于仿射变换S盒的轻量级杂凑函数在只加入了一些简单控制逻辑的情况下，提高了统计饱和分析中追踪特定比特位扩散路径的难度，即仿射变换结构增加了线性扩散层的混淆性，优化了其抗统计饱和攻击的能力。

Lightweight hash function based on affine transformation S-box

Linear layer of lightweight hash functions is ordinarily too simple to resist statistical saturation attack.A novel lightweight hash function is proposed,which is based on the sponge structure and inspired by affine transformation S-box.The affine transformation S-box inherit the excellent cryptographic properties of original S-box,and offset lack of simple linear layer to a great extent as well.The original 4 bit S-box is selected by computing numbers of differential pairs with the largest differential probability,masks with the best linear approximation and maximum branch number of optimal S-box affine equivalent classes.Security of holis-tic and internal primitives is analyzed with differential and linear cryptanalysis,and especially statistical satu-ration attack.The control logic of affine transformation structure and the serial／parallel hardware architecture are designed and synthesized by Design Compiler.The results show that in case of adding a few control logic, the lightweight hash function with affine transformation S-box increases difficulty of tracing specific bit in diffusion trail,that is,structures of affine transformations increase confusion of linear diffusion layer and im-prove the ability against statistical saturation attack.