Abstract
At FSE 2004, Lipmaa et al. studied the additive differential probability adp⊕(α,β → γ) of exclusive-or where differences α,β,γ ∈ F_2^n are expressed using addition modulo 2^n. This probability is used in the analysis of symmetric-key primitives that combine XOR and modular addition, such as the increasingly popular Addition-Rotation-XOR (ARX) constructions. The focus of this paper is on maximal differentials, which are helpful when constructing differential trails. We provide the missing proof for Theorem 3 of the FSE 2004 paper, which states that max_{α,β} adp⊕(α,β → γ) = adp⊕(0,γ → γ) for all γ. Furthermore, we prove that there always exist either two or eight distinct pairs α,β such that adp⊕(α,β → γ) = adp⊕(0,γ → γ), and we obtain recurrence formulas for calculating adp⊕. To gain insight into the range of possible differential probabilities, we also study other properties such as the minimum value of adp⊕(0,γ → γ), and we find all γ that satisfy this minimum value.
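An added brute-force check of the two claims above for small word sizes (not code from the paper): it enumerates adp⊕ from its standard definition, the probability over uniform x,y that ((x+α) ⊕ (y+β)) − (x ⊕ y) ≡ γ mod 2^n, and reports the maximum over α,β together with the pairs that attain it. The function names and the choice n = 4 are assumptions of this example.

```python
from collections import Counter
from itertools import product


def adp_xor_counts(n):
    """counts[(a, b)][g] = number of (x, y) in (Z_2^n)^2 such that
    ((x + a) ^ (y + b)) - (x ^ y) == g (mod 2^n).
    Dividing a count by 4^n gives adp_xor(a, b -> g)."""
    mask = (1 << n) - 1
    words = range(1 << n)
    counts = {}
    for a, b in product(words, repeat=2):
        c = Counter()
        for x, y in product(words, repeat=2):
            out = ((x + a) & mask) ^ ((y + b) & mask)
            c[(out - (x ^ y)) & mask] += 1
        counts[(a, b)] = c
    return counts


def maximal_differentials(n):
    """For every output difference g return
    (max count over all (a, b), count for (0, g), sorted list of maximising pairs)."""
    counts = adp_xor_counts(n)
    result = {}
    for g in range(1 << n):
        best = max(c[g] for c in counts.values())
        pairs = sorted(ab for ab, c in counts.items() if c[g] == best)
        result[g] = (best, counts[(0, g)][g], pairs)
    return result


if __name__ == "__main__":
    n = 4  # exhaustive search costs 16^n steps, so keep n small
    total = 4 ** n
    for g, (best, ref, pairs) in maximal_differentials(n).items():
        print(f"gamma={g:2d}  max={best}/{total}  "
              f"adp(0,gamma->gamma)={ref}/{total}  maximisers={len(pairs)}")
```

Counts are kept as integers so the comparison between the maximum and adp⊕(0,γ → γ) is exact.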
Highlights
Differential cryptanalysis [BS91] is a well-known statistical method for the analysis of symmetric-key primitives.
To apply differential cryptanalysis to an ARX primitive, one approach is to use XOR differences: these differences pass through rotation and XOR operations with probability one, and formulas for the differential probability xdp+ of the modular addition were provided at FSE 2001 by Lipmaa et al. [LM01].
Biryukov and Velichkov [BV14] provided a differential cryptanalysis using additive differences for TEA [WN94] and Raiden [PHCER08]; they argued that additive differences are more appropriate given that round keys and round constants are added, and that there is a higher number of add operations compared to XOR operations in one round.
Summary
Differential cryptanalysis [BS91] is a well-known statistical method for the analysis of symmetric-key primitives. The differential probability adp⊕ of exclusive-or (XOR) when differences are expressed using addition modulo 2^n was studied at FSE 2004 by Lipmaa et al. [LWD04]. Lipmaa et al. point out in their FSE 2004 paper [LWD04] that “many of the enumerative aspects of adp⊕ seem infeasible,” but provide a theorem related to the maximal differential probability when the output difference γ is fixed. We calculate the sum of all adp⊕(0, γ → γ), and conclude the paper in Sect. 9 along with some suggestions for future work.