On additive differential probabilities of a composition of bitwise XORs I. A. Sutormin, N. A. Kolomeec
Material type:
ArticleContent type: Текст Media type: электронный Other title: Разностные характеристики по модулю 2n композиции нескольких побитовых исключающих или [Parallel title]Subject(s): разностные характеристики | сложение по модулю | разностный криптоанализGenre/Form: статьи в журналах Online resources: Click here to access online
In:
Прикладная дискретная математика № 60. С. 59-75Abstract: We study the additive differential probabilities adp® of compositions of k — 1 bitwise XORs. For vectors a1,...,ak+1 G Zn, it is defined as the probability of transformation input differences a1,...,ak to the output difference ak+1 by the function x1 ф ... ф xk, where x1,... ,xk G Zn and k > 2. It is used for differential cryptanalysis of symmetric-key primitives, such as Addition-Rotation-XOR constructions. Several results which are known for adp2® are generalized for adpk®. Some argument symmetries are proven for adpk®. Recurrence formulas which allow us to reduce the dimension of the arguments are obtained. All impossible differentials as well as all differentials of adpk® with the probability 1 are found. For even k, it is proven that max adp® (a1,..., ak ak+1) = adp®(0,..., 0, ak+1 ak+1). Matrices that can a1,...,ak be used for efficient calculating adpk® are constructed. It is also shown that the cases of even and odd k differ significantly.
Библиогр.: 17 назв.
We study the additive differential probabilities adp® of compositions of k — 1 bitwise XORs. For vectors a1,...,ak+1 G Zn, it is defined as the probability of transformation input differences a1,...,ak to the output difference ak+1 by the function x1 ф ... ф xk, where x1,... ,xk G Zn and k > 2. It is used for differential cryptanalysis of symmetric-key primitives, such as Addition-Rotation-XOR constructions. Several results which are known for adp2® are generalized for adpk®. Some argument symmetries are proven for adpk®. Recurrence formulas which allow us to reduce the dimension of the arguments are obtained. All impossible differentials as well as all differentials of adpk® with the probability 1 are found. For even k, it is proven that max adp® (a1,..., ak ak+1) = adp®(0,..., 0, ak+1 ak+1). Matrices that can a1,...,ak be used for efficient calculating adpk® are constructed. It is also shown that the cases of even and odd k differ significantly.
There are no comments on this title.