The expectation and variance of the number of solutions of a class of differential system of modular addition

Abstract

The modular addition is an important nonlinear operation in symmetric ciphers, and has been widely used in the design of cryptographic primitives, such as MD5, SNOW 3G, SPECK, ZUC and so on. Differential fault attack is a general cryptanalytic method for cipher implementations with the assumption that an adversary is able to inject faults into the registers on the fly. A differential equation system of modular addition (DESMA, in short) is usually deduced during differential fault cryptanalysis of these ciphers. In this paper we present the relationship between the number of solutions of the DESMA and the number of injected faults, and give their expectation and variance. Our result shows that about $\log_2(n)+5$ faults are required to determine the candidate solutions of the DESMA.