Efficient Algorithms for Computing Differential
Properties of Addition
Helger Lipmaa and Shiho Moriai
Helsinki University of Technology, Department of Computer Science and Engineering
P.O.Box 5400, FI-02015 HUT, Espoo, Finland
[email protected]
NTT Laboratories
1-1 Hikari-no-oka, Yokosuka, 239-0847 Japan
[email protected]
Abstract. In this paper we systematically study the differential properties of ad
dition modulo . We derive -time algorithms for most of the properties,
including differential probability of addition. We also present log-time algorithms
for finding good differentials. Despite the apparent simplicity of modular addition, the best known algorithms require naive exhaustive computation. Our results represent a significant improvement over them. In the most extreme case,
to .
we present a complexity reduction from Keywords: modular addition, differential cryptanalysis, differential probability, impossible differentials, maximum differential probability.
1 Introduction
One of the most successful and influential attacks against block ciphers is Differential
Cryptanalysis (DC), introduced by Biham and Shamir in 1991 [BS91a]. For many of
the block ciphers proposed since then, provable security against DC (defined by Lai,
Massey and Murphy [LMM91] and first implemented by Nyberg and Knudsen [NK95])
has been one of the primary criteria used to confirm their potential quality.
Unfortunately, few approaches to proving security have been really successful. The
original approach of [NK95] has been used in designing MISTY and its variant KASUMI (the new 3GPP block cipher standard). Another influential approach has been
the “wide trail” strategy proposed by Daemen [Dae95], applied for example in the proposed AES, Rijndael. The main reason for the small number of successful strategies is
the complex structure of modern ciphers, which makes exact evaluation of their differential properties infeasible. This has, unfortunately, led to a situation where the security
against DC is often evaluated by heuristic methods.
We approach the above problem by using the bottom-up methodology. That is, we
evaluate many sophisticated differential properties of one of the most-used “non-trivial”
block cipher cornerstones, addition modulo for ! . We hope that this will help
to evaluate the differential properties of larger composite cipher parts like the PseudoHadamard Transform, with the entire cipher being the final goal. The algorithms proposed here will enable the advanced cryptanalysis of block ciphers. We hope that our
results will facilitate cryptanalysis of such stream ciphers and hash functions that use
addition and XOR at the same time.
Importance of Differential Properties of Addition. Originally, DC was considered
with respect to XOR, and was generalized to DC with respect to an arbitrary group
operation in [LMM91]. In 1992, Berson [Ber92] observed that for many primitive operations, it is significantly more
difficult to apply DC with respect to XOR than with
respect to addition modulo " . Most interestingly, he classified DC of addition modulo
itself, with sufficiently big, with respect to XOR to be hard to analyze, given the
(then) current state of theory.
Until now it has seemed that the problem of evaluating the differential properties of
addition with respect to XOR is hard. Hereafter, we omit the “with respect to XOR” and
take the addition to be always modulo . The fastest known algorithms for computing
the differential probability of addition #%$'&)(+*',.-013
/ 2547698%:<;>= ?A@B(DCFEHGI4JK(.(DCLJH*4ME
(DGJN-4O4P8Q2R is exponential in . The complexity of the algorithms for the maximum
differential probability #S$ &TU+V (+*',.-4W68YX[Z\A]'#S$ & (^*_,O-0/13254 , the double-maximum
differential probability #%$ &` TU+V (+*4a698YXbZc\ed = ]_#S$ & (^*_,O-0/13254 , and many other differential properties of addition are also exponential in .
With small (e.g., H8gf or even with H8hi ), exponential-in- computation is
feasible, as demonstrated in the cryptanalysis of FEAL by Aoki, Kobayashi and Moriai
in [AKM98]. However, this is not the case when Hkjl as used in the recent 128-bit
block ciphers such as MARS, RC6 and Twofish. In practice, if mnjl , both cipher
designers and cryptanalysts have mostly made use of only a few differential properties
of addition. (For example, letting Co be the least significant bit of C , they often use
the property that *po<Jq-ro<JQ2sot83u .) It means that block ciphers that employ both
XOR and addition modulo are hard to evaluate the security against DC due to the
lack of theory. This has led to the general concern that mixed use of XOR and modular
addition might add more confusion (in Shannon’s sense) to a cipher but “none has yet
demonstrated to have a clear understanding of how to produce any proof nor convincing
arguments of the advantage of such an approach” [Knu99]. One could say that they also
add more confusion to the cipher in the layman’s sense.
There has been significant ongoing work on evaluating the security of such “confusing” block ciphers against differential attacks. Some of these papers have also somewhat
focused on the specific problem of evaluating the differential properties of addition. The
full version of [BS91b] treated some differential probabilities of addition modulo and included a few formulas useful to compute #%$ & , but did not include any concrete
algorithms nor estimations of their complexities. The same is true for many later papers
that analyzed ciphers like RC5, SAFER, and IDEA. Miyano [Miy98] studied the simpler case with one addend fixed and derived a linear-time algorithm for computing the
corresponding differential probability.
Our Results. We develop a framework that allows the extremely efficient evaluation
of many interesting differential properties of modular addition. In particular, most of
the algorithms described herein run in time, sublinear in . Since this would be impossible in the Turing machine model, we chose to use a realistic unit-cost RAM (Random
Access Machine) model, which executes basic -bit operations like Boolean operations
and addition modulo > in unit time, as almost all contemporary microprocessors do.
The choice of this model is clearly motivated by the popularity of such microprocessors. Still, for several problems (although sometimes implicitly) we also describe
linear-time algorithms that might run faster in hardware. (Moreover, the linear-time
algorithms are usually easier to understand and hence serve an educational purpose.)
Nevertheless, the RAM model was chosen to be “minimal”, such that the described
algorithms would be directly usable on as many platforms as possible. On the other
hand, we immediately demonstrate the power of this model by describing some useful
log-time algorithms (namely, for the Hamming weight, all-one parity and common alternation parity). They become very useful later when we investigate other differential
properties. One of them (for the common alternation parity) might be interesting by
itself; we have not met this algorithm in the literature.
After describing the model and the necessary tools, we show that #S$_& can be computed in time v[(DwBx>y_p4 in the worst-case. The corresponding algorithm has two principal steps. The first step checks in constant-time whether the differential z<8{(+*',.-0/13254
is impossible (i.e., whether #S$ & (^z4|8Qu ). The second step, executed only if z is possible, computes the Hamming weight of an -bit string in time v[(DwBx>y_p4 . As a corollary,
we prove an open conjecture from [AKM98].
The structure of the described algorithm raises an immediate question of what is
the density of the possible differentials. We show that the event #S$_&}(^z4q8
~ u ocƒ … e† (This proves an open conjecture stated
curs with the negligible probability €‚„s
in [AKM98]). That is, the density of possible differentials is negligible, so #%$ & can be
computed in time v[(‡ˆ4 in the average-case. These results can be further used for impossible differential cryptanalysis, since the best previously known general algorithm
to find non-trivial impossible differentials was by exhaustive search. Moreover, the high
density of impossible differentials makes differential cryptanalysis more efficient; most
of the wrong pairs can be filtered out [BS91a,O’C95].
Furthermore, we compute the explicit probabilities :<‰l@ #%$ & (+z4|8‹ŠŒR for any Š7,|uŽ
Š . This helps us to compute the distribution of the random variable ‘’6“zH/1
#S$ & (^z4 , and to create formulas for the expected value and variance of the random
variable ‘ . Based on this knowledge, one can easily compute the probabilities that
:b@ ‘•”–ŠŒR for any Š .
For the practical success of differential attacks it is not always sufficient to pick a
random differential hoping it will be “good” with reasonable probability. It would be
nice to find good differentials efficiently in a deterministic way. Both cipher designers
and cryptanalysts are especially interested in finding the “optimal” differentials that result in the maximum differential probabilities and therefore in the best possible attacks.
For this purpose we describe a log-time algorithm for computing #S$_&TU+V (^*_,O-4 and a 2
that achieves this probability. Both the structure of the algorithm (which makes use of
the all-one parity) and its proof of correctness are nontrivial. We also describe a logtime algorithm that finds a pair (D-|,O2—4 that maximizes the double-maximum differential
probability #%$'&` TU+V (^*M4 . We show that for many nonzero * -s, #S$_&` TU+V (+*4 is very close
to one. A summary of some of our results is presented in Table 1.
˜}™ žš › œB
l¡
¢£e¡
s¡
Previous result Ÿ
HŸ
Ÿ
(worst-case), ¥¤a (average) ¦M Our result
˜}™š
˜}™š›cœB
Table 1. Summary of the efficiency of our main algorithms
Road map. We give some preliminaries in Sect. 2. Section 3 describes a unit-cost
RAM model, and introduces the reader to several efficient algorithms that are crucial
for the later sections. In Sect. 4 we describe a log-time algorithm for #S$_& . Section 5
gives formulas for the density of impossible differentials and other statistical properties
of #S$ & . Algorithms for maximum differential probability and related problems are
described in Sect. 6.
2 Preliminaries
Let §¨8ª©ˆuI,« be the binary alphabet. For any -bit string C­¬­§Ž , let C®¯¬­§
®
be the Š -th coordinate of C (i.e., C8±° e
®³² † o C ® ). We always assume that C ® 8nu if
®
Š)¬´
~ @ ur,O¶µ R . (That is, C¶8 °¸·
C ® .)
†
Let J , ¹ , º and » denote · -bit bitwise “XOR”, “OR”, “AND” and “negation”,
respectively. Let C“¼½Š (resp. C“¾½Š ) denote the right (resp. the left) shift by Š positions
®Ã
®
(i.e., C}¼mŠ768À¿DCÂÁ> and C)¾mŠ7698% C3X[xAį ). Addition is always performed modulo
, if not stated otherwise. For any C , G and Å we define ÆÇ(DC,OGÂ,.Åe4W68(+»CJGI4Wº“(Œ»CJÅe4
C®Ê8QG>®8qň® ) and ËcÌe͇(DC,OGÂ,.Åe4W68“CŽJ–G<J–Å . For any , let
(i.e., ÆÇ(DC,OGÂ,.Åe4‡®M8{KȎÉ
ÎSψÐaÑ
(^p4W68µH . For example, (.(+»Mul4s¾­ˆ4 o 8Qu .
Addition modulo ÒIÓ . The carry, Ô Ï ÍŒÍBÕA(^Cp,.GA4a698%Ö%¬Y§Ž , Cp,OGÀ¬×§Ž , of addition C'EbG is
defined recursively as follows. First, Öao>68%u . Second, Ö ® 68Ž(DC ® ºG ® 4.JŽ(^C ® ºMÖ ® 4.JŽ(^G ® ºMÖ ® 4 ,
&
8½KÈ[É
C®—ENGl®E Öa®'Q . (That is, the carry bit
for every ŠP¸u . Equivalently, Öa®
&
Öa®
is a function of the sum C®lEG>®>EYÖa® .) The following is a basic property of addition
&
modulo .
Property 1. If (DC,OGI4P¬§ŽL؏§Ž , then CŽENG[8¸CJÙGJ–Ô Ï Í+ÍBÕI(DCp,.GI4 .
Differential Probability of Addition. We define the differential of addition modulo
as a triplet of two input and one output differences, denoted as (+*',.-H/1ª254 , where
*',.-|,‡2Y¬Y§Ž . The differential probability of addition is defined as follows:
#S$ & (^z4'8¸#S$ & (^*_,O-0/13254W68%: ;>= ? @B(DCbEÙGI45JQ(O(^C[J–*4pEQ(DG<JÙ-4O4'8‹2RbÚ
That is, #S$ & (^z4W68Û7©Cp,.GL6r(^CŽEÙGI45J¸(O(DCbJÙ*M4pEQ(DGJN-4.4'8H2«cÁ> . We say that z is
impossible if #%$ & (+z4'8Qu . Otherwise we say that z is possible. It follows directly from
Property 1 that one can rewrite the definition of #S$ & as follows:
Lemma 1. #%$ & (^*_,O-0/1Ü2—4|8¸:<;= ?A@ Ô Ï Í+ÍBÕr(DC,OGI4>JÀÔ Ï ÍŒÍ³ÕI(DCPJL*_,OG|JL-4'8HˈÌe͇(^*_,O-',‡254¥R .
Probability Theory. Let ‘ be a discrete random variable. Except for a few explicitly mentioned cases, we always deal with uniformly distributed variables. We note
that in the binomial distribution, :b@ ‘Ý8ßÞsR¯8áàâA(Obµ–à4Oe†Â⠂ … 869ãM(+ÞÂä.Ê,^à4 , for
â
some fixed umåàæ and any Þ!¬èç£ç
. From the basic axioms
of probabil &
ity, ° ² o ãM(ŒÞÂäOÊ,+à4L8 . Moreover, the expectation éŽ@ ‘R<8 ° ² o Þ € :b@ ‘ê8ÜÞsR
â
â
of a binomially distributed random variable ‘ is equal to Aà , while the variance
ëìIí
@ ‘×R8QéŽ@ ‘ Rµ´é@ ‘×R is equal to Aà(‡}µ¶à4 .
3 RAM Model and Some Useful Algorithms
In the -bit unit-cost RAM model, some subset of fixed -bit operations can be executed in constant time. In the current paper, we specify this subset to be a small set of
-bit instructions, all of which are readily available in the vast majority of contemporary
microprocessors: Boolean operations, addition, and the constant shifts. We additionally
allow unit-cost equality tests and (conditional) jumps. On the other hand, our model
does not include table look-ups or (say) multiplications. Such a restriction guarantees
that algorithms efficient in this model are also efficient on a very broad class of platforms, including FPGA and other hardware. This is further emphasized by the fact that
our algorithms need only a few bytes of extra memory and thus a very small circuit size
in hardware implementations.
Many algorithms that we derive in the current paper make heavy use of the three
non-trivial functions described below. The power of our minimal computational model
is stressed by the fact that all three functions can be computed in time v[(^w³xly'p4 .
Hamming Weight. The first function is the Hamming weight function (also known as
®
the population count or, sometimes, as sideways addition) î}ï : For Cq8 ° e
®B² † o C®¥ ,
î ï (^C4À8 ° ®³e² † o C ® , i.e., î ï counts the “one” bits in an -bit string. In the unit-cost
RAM model, î ï (DCÂ4 can be computed in v[(DwBx>y'p4 steps. Many textbooks contain (a
variation of) the next algorithm that we list here only for the sake of completeness.
INPUT: C
OUTPUT: î ï (DC4
1.
2.
3.
4.
5.
6.
C¶ðÜCFµ(O(^Cñ¼­ˆ45º¯òlóAôeôeôeôeôsôeôeôsõ4 ;
C¶ðö(^Cº¯ò>óI÷e÷e÷e÷s÷e÷e÷e÷sõˆ4E¸(.(DCñ¼m>4pº¶òlóI÷s÷e÷e÷e÷e÷s÷e÷sõ4 ;
C¶ðö(^CŽE¸(^Cñ¼Køe4O4º¶òlóIòlùIò>ùIòlùIòlùeõ ;
C¶ðÜCŽEQ(DCP¼kfl4 ;
C¶ðö(^CŽE¸(^Cñ¼­il4.45º¯ò>óIòeòeòeòsòeòe÷lùAõ ;
Return C ;
Additional time-space trade-offs are possible in calculating the Hamming weight. If
×8qÖWú , then one can precompute >û values of î ï (DŠ‡4 , u[HŠ'ü‹>û , and then find î ï (DC4
by doing ú•8KÁcÖ table look-ups. This method is faster than the method described in
the previous paragraph if úª{wBx>y , which is the case if H8gjs and úö¬‹©fr,iA« .
However, it also requires more memory. While we do not discuss this method hereafter,
our implementations use it, since it offers better performance on 32-bit processors.
ýþNÿˆÿˆÿÿWÿˆÿˆÿÿˆÿWÿÿWÿˆÿÿˆÿˆÿWÿWÿWÿ7ÿWÿcÿ
ý
ý
ý
ý
%þNÿWÿÿˆÿˆÿˆÿˆÿÿˆÿˆÿˆÿˆÿÿˆÿWÿWÿWÿÿˆÿ7ÿWÿcÿ
þNÿˆÿˆÿÿWÿˆÿˆÿÿˆÿWÿˆÿÿWÿˆÿˆÿÿˆÿˆÿWÿWÿWÿ7ÿWÿcÿ
þNÿˆÿˆÿÿWÿˆÿˆÿÿˆÿˆÿWÿÿˆÿWÿˆÿÿˆÿˆÿWÿWÿWÿ7ÿWÿcÿ
þNÿˆÿˆÿÿˆÿˆÿˆÿˆÿÿˆÿˆÿˆÿˆÿÿˆÿˆÿWÿÿˆÿˆÿˆÿ7ÿˆÿWÿˆÿWÿaÿ
þNÿˆÿˆÿÿˆÿˆÿˆÿˆÿÿˆÿˆÿˆÿˆÿÿˆÿWÿˆÿÿˆÿˆÿWÿÿWÿˆÿ7ÿWÿcÿ
ý with corresponding values ý , ý , ý and ý . Here,
Fig. 1. A pair þ
þ‹
ý 0 þ
for example, ý ¤ since ¤ þ‹ý
¤ is odd. On the other hand,
ý ¢ þ ¢ þ´
ý þ and
þÙ
ý þ ´
ý þ ¤ since ý þ þ´
þ ý!|þ , and " $# is even.
#
Since %'& þ
, we could have taken also ý( & þ ¤
Interestingly, many ancient and modern power architectures have a special machinelevel “cryptanalyst’s” instruction for î ï (mostly known as the population count instruction): SADD on the Mark I (sic), CXŠ X) on the CDC Cyber series, AŠ PS) on the
Cray X-MP, VPCNT on the NEC SX-4, CTPOP on the Alpha 21264, POPC on the Ultra SPARC, POPCNT on the Intel IA64, etc. In principle, we could incorporate in our
model a unit-time population count instruction, then several later presented algorithms
would run in constant time. However, since there is no population count instruction on
most of the other architectures (especially on the widespread Intel IA32 platform), we
have decided not include it in the set of primitive operations. Moreover, the complexity
of population count does not significantly influence the (average-case) complexity of
the derived algorithms.
All-one and Common Alternation Parity. The second and third functions, important
for several derived algorithms (more precisely, they are used in Algorithm 4 and Algorithm 5), are the all-one and common alternation parity of -bit strings, defined as
follows. (Note that while the Hamming weight has very many useful applications in
cryptography, the functions defined in this section have never been, as far as we know,
used before for any cryptographic or other purpose.)
The all-one parity of an -bit number C is another -bit number GÙ8 Ï Ì+e
* (DCÂ4 s.t.
G ® 8­ iff the longest sequence of consecutive one-bits C ® C ®
ÚÚÚOC ®
8­l|ÚÚÚW has
&
&,
odd length.
The common alternation parity of two -bit numbers C and G is a function [
- (^Cp,.GA4
with the next properties: (1) [
- (DC,OGI4 ® 8{ , if . ® is even and non-zero, (2) [
- (^Cp,OGI4 ® 8Qu ,
if . ® is odd, (3) unspecified (either u or ) if . ® 8¸u , where . ® is the length of the longest
common alternating bit chain C ® 8kG ® 8{
~ C ®
8{G ®
8k
~ C ® 8kG ® ÚÚÚÊ8k
~ C ®
8
&
&
&
&
&0/1
, where ŠE2. ® q×µ‹ . (In both cases, counting starts with one. E.g., if C ® 8kG ®
G ®
&0/1
8¸
~ G>®
- (^Cp,OGI4O®8¸u .) W.l.o.g., we will define
but C®
then . ®p8{ and [
&
&
-[(^Cp,.GA4a698 Ï Ì3*e(Œ»P(DCŽJNGI45ºt(+»P(^CŽJÙGI4s¼­4—ºt(^CŽJ¸(^Cñ¼­ˆ4O4.4tÚ
For both the all-one and common alternation parity we will also need their “duals” (denoted as Ï Ì+*54 and 6
- 4 ), obtained by bit-reversing their arguments. That is,
Algorithm 1 Log-time algorithm for Ï Ì3*s(DCÂ4
INPUT: ý87$9 , is a power of
ý
OUTPUT:
1.
2.
3.
4.
5.
ý;: ¤=< þ´ý> ý@? ¤W ;
ý : A ¤D< > ý;: A D¤ < ? ECF ;
For A;B
to ¤ do ý: AC<!B ;
+: ¤D<!B ý >HGÂý;: ¤D< ;
EJF >ý;: For A;B
to do +: CA <!B +: A
¤D
< IF£ 3: A ¤=< ?
A
Return +: !
<;
¤D<B ;
Ï
Ï
® and G!® K 68G
® . (See Fig. 1.) Note that for
Ì+*4l(DC,OGI4'8
Ì3*e(^CKŒ,OG!K 4 , where CK® 68¸C
e†
e†
every (DC,OGI4 and Š , -[(DC,OGI4 ® 8KSÉL-[(^Cp,OGI4 ®
8M[
- (^Cp,OGI4 ® † 8‹u .
&
Clearly, Algorithm 1 finds the all-one parity of C in time v[(^w³xly'p4 . (It is sufficient
to note that C@ ŠŒR 8
if and only if the number of ones in the sequence (DC
8
,
,
,
®
8±ul4 is at
>,OC
8•l,ÚÚÚa,.C
8•l,OC
least and G—@ ŠŒR 8• iff is
,.&
,.& 5 N†
,.& 5 Na†
,
,
an odd number not bigger than , .) Therefore also -[(^Cp,OGI4 can be computed in time
v[(DwBx>y'p4 .
4 Log-time Algorithm for Differential Probability of Addition
In this section we say that differential z×83(+*',.- /1 254 is “good” if ÆÇ(^*¾ál,O-¶¾
>,‡2‹¾
4}º (ˈÌe͇(^*_,O-',‡254“J (+* ¾
4O4N8ßu . Alternatively, z is not “good” iff for
some ŠQ¬ö@ uI,O‹µ!R , * ®
8¨- ®
8
2 ®
8 ~ * ® J½- ® Jm2 ® . (Remember that
†
†
†
*
8Q8¸2
8qu .) The next algorithm has a simple linear-time version, suitable
†
†
†
for “manual cryptanalysis”: (1) Check, whether z is “good”, using the second definition
of “goodness”; (2) If z is “good”, count the number of positions Š)8¸
~ µ , s.t. the triple
(^* ® ,.- ® ,‡2 ® 4 contains both zeros and ones.
/
254 be an arbitrary differential. Algorithm 2 returns
Theorem 1. Let z‹8(+*',.-h1’
#S$ & (^z4 in time v[(DwBx>y'p4 . More precisely, it works in time v[(O4IEPO , where O is the time
it takes to compute î}ï .
Algorithm 2 Log-time algorithm for #%$ &
INPUT: Q þ CR SUTVXW ˜P™ š
C
Q OUTPUT:
1. If YDZsCR\[ ¤ (S [K¤ W [ ›c¤Wœs tvu > ^] `_ CR SaW 3bN S [
FcdfehgiCjelknm om pqsr
e F qsq
2. Return
#
#
¤W£ þ
then return ;
;
Rest of this subsection consists of a step-by-step proof of this result, where we use
the Lemma 1, i.e., that #S$ & (^z4|8Q:<;= ?e@ Ô Ï Í+ÍBÕr(DC,OGI4 J<Ô Ï Í+ÍBÕr(DC5J*_,OGJ%-4ñ8 ËcÌe͇(^*_,O-|,O2—4 .
We first state and prove two auxiliary lemmas. After that we show how Theorem 1
follows from them, and present two corollaries.
Lemma 2. Let w“(^C4 be a mapping, such that w“(^us4|8‹u , w“(‡ˆ4Ê8xwS(+>4Ê8 and w“(+jl4Ê8
Ï
Ï
z . Let *_,O-Ù¬Y§Ž . Then :<;>= ?A@ Ô Í+ÍBÕr(DC,OGI4 ® & J Ô ÍŒÍ³ÕI(DCbJN*_,OGJN-4 ® & 8{y * ® EÙ- ® E
Ö ® 8{>
) R—8x“
w (^s) 4 .
| 8 Ô Ï Í+ÍBÕr(DCÀJ¸*',.GŽJH-4 , where C and
G are
Proof. We denote Öb8!Ô Ï ÍŒÍ³Õr(^Cp,.GA4 and
z Öb
z
8
understood from the context. Let also Ö)8QÖÂJÖ| . By the definition of carry, Öa®
&
(DC®º)G>®¥4JY(DC®º“Öa®¥4JY(DG>®aºSÖa®¥4J(.(DC_JL*4O®º (^GMJF-4‡®¥4JY(O(DC_JL*M4‡®ºSÖ®| 4J(.(DGÊJb-4O®ºSÖ®| 4 .
z
z
is symmetric
in the three
This formula for Öa®
z
z pairs (DC® ,.*®+4 , (^G>®O,.-®Œ4 and (+Öa®O, Öa®Œ4 .
&
} (^*®‡,.-z®., Öa®Œ4W68%: ; = ? = û @ Öa® z 8½R is symmetric,z and therefore
Hence, the function M
1 1 1
&
} is a function of *®lE-®>E z Öa® , M
} (^e
) 4|8¸: ; = ? = û z @ Öa®
8{y *®>E×-®>E
Öa®8~>
) R . One
1 1 1
&
can now prove that :<; = ? @ Ö ®
8my * ® EÙ- ® E
Ö ® 8~>
)z Rp8“
w (ve
) 4 for any ub{z À
) ¸j ,
1 1
&
and for any value
of
Ö ® ¬K©ˆuI,« . For example, :<; = ? @ Ö ®
8 ny * ® E‹- ® E
Ö ® 8
z
z
1 1
&
aRS8n:<; = ? @ Ö ®
8Üy³(^* ® ,.- ® , Ö ® 4b8Ü(+uI,.ur,ˆ4¥R“8±:<; = ? @B(DC ® ºtÖ ® 4|J½(DG ® ºtÖ ® 4'J
1 1
&
1 1
. The claim follows since
(DC ® º »MÖ ® 4)J!(^C ® ºH»MÖ ® 408
aRL8ª:<; = ? @ C ® 8 G ® RÀ8
z
z
1 1
®
®
.
:<;= ?A@ Ö
R—8¸:<; = ? @ Ö
R
€
&
1 1
&
Lemma 3. 1) Every possible differential is “good”.
2) Let z8m(^*_,O-0/13254 be “good”. If Š'¬´@ ur,ObµÙR , then : ;= ? @ Ô Ï Í+ÍBÕr(DC,OGI4‡®AJtÔ Ï ÍŒÍ³Õr(^CJ
*',.GJ -4‡®}8!ny *®
E -®
E 2A®
8
) R|8‚“
w (ve
) 4 . In particular, : ;= ? @ Ô Ï Í+ÍBÕr(DC,OGI4 o J
†
†
†
Ï
Ô Í+ÍBÕr(DCŽJ–*_,OGJN-4 o 8¸uRÂ8K .
Proof. 1) Let z be possible but not “good”. By Lemma 1, there exists an Š and a pair
Ï
Ï
(DCp,.GI4 , s.t. Ô ÍŒÍBÕr(DCp,.GI4 ®
JYÔ ÍŒÍ³Õr(^CJ0*',.G}JY-4 ®
8HËcÌe͇(^*_,O-|,O2—4 ®
8¸
~ * ® 8‹- ® 8‹2 ® .
&
&
&
Ï
Note that then ˈÌe͇(^*_,O-',‡254 ® 82 ® . But by Lemma 2, :<; = ? @ Ô Ï Í+ÍBÕr(DC,OGI4 ®
JNÔ Í+ÍBÕI(DCJ
1 1
&
*',.GJ–-4 ®
8‹
~ 2 ® y * ® 8¸- ® 8‹2 ® RÂ8¸u , which is a contradiction.
&
2) Let z be “good”. We prove the theorem by induction on Š , by simultaneously
proving the induction invariant :<;>= ?A@ Ô Ï ÍŒÍ³Õr(^Cp,.GA4J–Ô Ï ÍŒÍBÕA(^C[J–*',.G<J–-4_8ËcÌe͇(^*_,O-|,O2—4
®
(DX[xAį 4£RF”åu . BASE ( ŠL8•u ). Straightforward from Property 1 and the definition
of a “good” differential. S TEP ( Š|Ekt”hu ). We
assume that the invariant is true
z
z for
8 ËcÌeÍ£(+*',.-|,‡254‡® , where Ö¶8
Š . In particular, there exists a pair (^Cp,OGI4 , s.t. Öa®
†
†z
Ï
Ï
Ô Í+ÍBÕr(DC,OGI4J–Ô Í+ÍBÕr(DCbJ *',.G<J–-4 . Then, by Lemma 2, “
w (ve
) 4ñ8 : ;= ? @ Ö®M8½ny *z ® † E
z
z
-®
E
Öa®
8~>
) RÂ8‹: ;>= ? @ Öa®8Ky *® † E-® † E“ËcÌeÍ£(+*',.-|,‡254‡® † 8{>) RÂ8Q: ;= ? @ Öa®8
†
†
y * ® † E - ® † E–2 ® † 8x>) R , where the last equation follows from the easily verifiable
equality “
w („ƒ E…ƒ E†ƒ " 4%8‡“
w („ƒ E…ƒ E–ˈÌe͇(„ƒ ,=ƒ ,=ƒ " z 4.4 , for every ƒ ,=ƒ ,Dƒ " ¬ § .
This proves the theorem claim for Š . The invariant for Š , Ö ® 8{ËcÌe͇(^*_,O-|,O2—4 ® , follows
from that and the “goodness” of z .
€
Proof (Theorem 1). First, z is “good” iff it is possible. (The “if” part follows from the
first claim of Lemma 3. The “only if” part follows from the second claim of Lemma 3
and the definition of a “good” differential.) Let z be possible. Then, by Lemma 1,
Ï
Ï
#S$ & (^z4‹8‰ˆ ®³e² † o : ;>= ? @ Ô Í+ÍBÕI(DCp,.GI4‡®}JmÔ ÍŒÍBÕr(DCNJm*_,OGJ½-4O®Ù8 ˈÌe͇(^*_,O-',‡254‡®^R . By
Ï
Ï
Lemma 2, : ;>= ? @ Ô ÍŒÍBÕr(DCp,.GI4‡®'J Ô ÍŒÍ³Õr(^CJk*',.GÀJ -4‡®¶8ÜËcÌe͇(^*_,O-|,O2—4O®DR is either or
, depending on whether *®
8!-®
8½2A®
or not. (This probability cannot be u ,
†
†
†
since z is possible and hence “good”.) Therefore, #%$ & (+z4F8èe†‹ŠH1vŒ5
Ž ‘’”“•^– = d = ]5— 1 8
d
= d = ]5—”™ TUš”›
—J—
, as required. Finally, the only non-constant time computa• A†
€
tion is that of Hamming weight.
†3˜ •^‘’„“
•^–
Note that technically, for Algorithm 2 to be log-time it would have to return (say) µ<
if the differential is impossible, or w³xly #%$|&)(+z4 , if it is not. (The other valid possibility
would be to include data-dependent shifts in the set of unit-cost operations.)
The next two corollaries follow straightforwardly from Algorithm 2
Corollary 1. %
# $'& is symmetric in its arguments. That is, for an arbitrary triple
(^*_,O-|,O2—4 , #%$ & +( *',.-01Ü
/ 254ñ8{#S$ & (D-|, *t/13254}8K#%$ & (^*_,‡2/1Ü-4 . Therefore, in par/ 254Ê8‹XbZc\ed}#S$ & (^*_,O-0/13254|8¸X[Z\s]ñ#S$ & (^*_,O-0/13254 .
ticular, XbZ\ #%$ & (+*',.-01Ü
–
Corollary 2. 1) [Conjecture 1, [AKM98].] Let *YEH-¸8­*œKrE-aK and Y
* JH-8­*KrJ
-aK . Then for every 2 , #%$ & (+*',.-0/1325408ª#%$ & (^*KŒ,O-aKÂ/13254 . 2) For every * , - , 2 ,
#S$ & (^*_,O-0/13254|8¸#%$ & (+*ÀºÀ-|, *À¹À-Y/132—4 .
Proof. We say that (+*',.-4 and (+*œKŒ,O-œKB4 are equivalent, if ©ˆ*®.,O-®£«¶8è©*K® ,.-a® K « for Š ü
YµQ , and *
J‹8 *œK
JH. If (+*',.-4 and (^*KŒ,O-aK 4 are equivalent then
e†
e†
e†
A†
#S$ & (^*_,O-0/13254|8¸#%$ & (+*œŒK ,.-a
K 13
/ 254 by the structure of Algorithm 2.
1) The corresponding carries Ö)8¸Ô Ï ÍŒÍBÕr(^*_,O-4 and Ö
K 8QÔ Ï Í+ÍBÕI(^*+K ,.-aK 4 are equal, since
Ö}8m(^*FJ0-4—JH(+*LE0-4'8k(+* K J0- K 4ÂJH(^* K E0- K 4|8QÖ K . Therefore, *FEt-Y8Q* K E0- K and
*¶JN-8Q*s
K JN-aK iff (+*',.-4 and (^*+K ,.-aK 4 are equivalnet.
2) The second claim is straightforward, since (^*_,O-4 and (^*'º'-|, *'¹|-4 are equivalent
€
for any * and - .
d ž ? —”™ TUš”›
—J— different pairs (DC0|>,OG3|4 .
Note that a pair (DC,OGI4 is equivalent to & ˜ •J• ;p
• e†
In [DGV93, Sect. 2.3] it was briefly mentioned that the number of such pairs is not more
d ž ? —
than 5˜ • ;p
; this result was used to cryptanalyse IDEA. The second claim carries
K 8{(+*Àº¶*BK 4pEQ(^*¶¹¶*œK 4 .
unexpected connotations with the well known fact that *¶E–*œÂ
5 Statistical Properties of Differential Probability
Note that Algorithm 2 has two principal steps. The first step is a constant-time check of
whether the differential z<8k(+*',.-0/132—4 is impossible (i.e., whether #%$ & (+z4|8¸u ). The
second step, executed only if z is possible, computes in log-time the Hamming weight
of an -bit string. The structure of this algorithm raises an immediate question of what
~ uR of the possible differentials, since its average-case
is the density : ‰ @ #%$ & (+z48ª
complexity (where the average is taken over uniformly and random chosen differentials
z ) is v[(+:<‰>@ #S$ & (^z4'8QucREY:<‰l@ #%$ & (+z4%8‹
~ uR € wBx>y|p4 . This is one (but certainly not the
only or the most important) motivation for the current section.
Let ‘
6<zQ/1
#%$ & (^z4 be a uniformly random variable. We next calculate the
exact probabilities :b@ ‘ 8܊ŒR for any Š . From the results we can directly derive the
distribution of ‘ . Knowing the distribution, one can, by using standard probabilistic
tools, calculate the values of many other interesting probabilistic properties like the
probabilities :b@ ‘•” Š+R for any Š .
~ uR8
Theorem 2. 1) [Conjecture 2, [AKM98].] :b@ ‘ª8¸
€‚ ƒ„ … e†
.
† … 8
2) Let uKáÞgüÜ . Then :b@ ‘’8ªe†ÂâRF8ª & â†" € js⠀|‚ e
â
㠂 ÞÂä.ÀµH>,Ÿ … .
€|‚ ƒ„ … e†
€
ƒ
Proof. Let zÀ8è(^*_,O-Q/1ß2—4 be an arbitrary differential and let L8gÆÇ(^*_,O-',‡254 , K|8
ÆÇ(^*L¾å>,.-[¾å>,O2¾3ˆ4 and CÙ8kËcÌeÍ£(+*',.-|,‡254ÊJK(^*L¾åˆ4 ) be convenient shorthands.
Since * , - and 2 are mutually independent, and C (and also K and C ) are pairwise
independent.
1) From Theorem 1, :b@ ‘ 8{
~ uRM8k:<‰l@ A
K º¶Ct8mucR8 ˆ A
®B² † o (‡“µN:<‰l@ K® 8 >,.C ® 8
A
†
€
‚
€
aRD4¯8 ˆ ®B² o (Oµq:<‰>@ ®K 8 aR :<‰@ C ® 8ªR4×8
}µH …Ž€ ˆ e
®³² † ‚ }µ ¡ € … 8
€r‚ƒ„ … e† .
2) Let úß8 ÎSψÐÑ (Dtµqˆ4 . First, clearly, for any uNæÞü! , :<‰>@ î ï („c 4Ž8±ÞsR“8
: = d = ]¢£ @ î ï (”c
4|8qÞsRÂ8 ‚ ¡ … ⠀ ‚ ¡" … e†Â⠀ ‚ … 8Q㠂 ÞÂäOÊ, ¡ … and therefore :<‰l@ î ï (+»¤Ê
º
Œ
–
â
e
†
Â
†
â
â
€r‚ ¡" … €r‚ e† … 8q † € jl⠀r‚ e† … .
ú¯4|8qÞsRÂ8q㠂 ¶µ }µÙÞÂä.ÀµH>, ¡ … 8 ‚ ¡ …
â
º“ú¯4|8¸%µÀ—µbÞ and let ¦ denote
Let ¥ denote the event î}ïˆ(„
the event ‡K º“C¶â8Qu .
¦ ® be the event ®K ºPC®8Qu . According to Algorithm 2, :b@ ‘å8¸e†—âR—8¸: ‰ @ ¥ ,=
¦ RÂ8
Let %
†
e
†
€
€
®
®
,
where
we
:<‰>@ }
¥ R € :<‰>@ ¦§y }
¥ RÂ8Q:<‰>@ }
¥ R € ˆ e
<
:
>
‰
@
¦
y
¥
)
Â
R
8
<
:
l
‰
@
¥
)
R
<
:
>
‰
@
¦
y
¥
}
R
ˆ
®³² o
®B²
used the fact that oK 8k .
Now, if ŠŽ”hu then :<‰l@ ¦ ® y ®K 8•aR“8n:<‰>@ C ® 8nucR“8 , while :<‰@ ¦ ® 8nuy K® 8
† â , and hence
. Therefore, ˆ Be
® ² † o : ‰ @ ¦S®'y ¥}R<8 ‚ s… e† Â
† â 8
€ :<‰>@ ¥}R € ˆ e
:b@ ‘å8¸ †Ââ R—8 M
¥ R—8 M€ 㠂 ¶µ }µÙÞÂäO¶µH>, ¡ … € ‚ … e† Â
®B² † o :<‰@ ¦ ® y )
€ † €l
j ⠀ ‚ e† … € & â†Â[8q & â†Â". € js⠀ ‚ e† … 8 € ‚ ƒ„ … e† € 㠂 ޗäO¶µ l, Ÿ … . €
ucR8
. Moreover, K® 8¨ ˆ®
â
†
â
ƒ
Corollary 3. Algorithm 2 has average-case complexity v[(O4 .
As another corollary, ‘ 8‹‘[oÂEÀ‘ , where ‘ ,O‘ 6>z</1•#%$ & (+z4 are two random
variables. ‘[o has domain ©À(D‘[oc4|8K©ˆz ¬§Ž".À6>#%$ & (+z4'8‹uI« , while ‘
has the complementary domain À
© (D‘ 4S8g©zÀ¬–§Ž".06r#%$ & (+z4Ž8k
~ uI« . Moreover, ‘[o has constant
distribution (since :b@ ‘[o%8‹uRÂ8{ ), while the random variable µ¯wBx>y ‘ has binomial
distribution with àY8ªŸ . Knowledge of the distribution helps to find further properties
ƒ
of #%$'& (e.g., the probabilities that #%$'&}(+z4”½A†Ââ ) by using standard methods from
probability theory.
One can double-check the correctness of Theorem 2 by verifying that € ( ƒ„ 4‡e† €
e
~ ucRÊ8 €—‚ ƒ„ … e† . Moreover,
°
² † o 㠂 ޗäO¶µ l, Ÿ … 8 ° e² † o :b@ ‘ 8½A†ÂâR|8m:b@ ‘ 8m
ƒ
â
â
€
© (^‘ o 4y :b@ ‘ o 8èA†ÂâR5E«y À
© (D‘ 4y € :b@ ‘
8èA†ÂâRS8 €
clearly :b@ ‘ 8±A†ÂâRS8Ly À
‚ ƒ„ … A†
€ 㠂 ÞÂä.ÀµH>, Ÿ … , which agrees with Theorem 2.
ƒ
e†
We next compute the variance
of ‘ . Clearly, é@ ‘×RÊ8 ° â ² o e†—âˆ:b@ ‘ª8 e†ÂâR'8
e† , and therefore é@ ‘×R 8Ke† . Next, by using Theorem 2 and the basic properties
of the binomial distribution, éŽ@ ‘ RÂ8¸u € :b@ ‘
8¸uRcE ° A² † o A† ⠀ :b@ ‘
8QA† âRÂ8
â
‚ ¬ … e†
L€ ‚ ƒ„ … e†
€ ° e² † o e† ⠀ 㠂 ÞÂä.ÀµH>, Ÿ … 8 À€ @
€ ° e
®B² † o 㠂 ÞÂäO¶µ l, ¬" … ® 8
ƒ
â
¡
Ÿ
<
ë
A
ì
í
… e†
S€ ‚@¬ … e† . Therefore,
.
@ ‘×RÂ8 “€ ‚¤¬ … e† µYe† b8 %€3­ ‚@¬ … e† µ ‚
Ÿ
Ÿ
Ÿ
Ÿ
Note that the density of possible differentials :b@ ‘ª8¸
~ ucR is exponentially small in .
This can be contrasted with a result of O’Connor [O’C95] that a randomly selected -bit
Algorithm 3 Algorithm that finds all 2 -s, s.t. #%$ & (^*_,O-0/1Ü2—4|8¸#S$ &TU+Vˆ(^*_,O-4
INPUT: CR (S OUTPUT: All CR S -optimal output differences W
1. W B¯R b S ;
2. °±B
CR S ;
3. For A;è
B ¤ to ¤ do
If R ECF þ²S ECF þ³W ECF then W E B¯R E b S E b´R ECF #
¤ or R E þ²S E or ° E þ ¤ then W E B¶µ ¤
·
else if A þ W
else E B¸R E ;
4. Return W .
=¹ \º
uIÚ ø impossible differentials, independently of
permutation has a fraction of µ± l†
the choice of . Moreover, a randomly selected -bit composite
º
permutation [O’C93],
controlled by an -bit string, has a negligible fraction >".rÁ` Œ † of impossible differentials.
6 Algorithms for Finding Good Differentials of Addition
The last section described methods for computing the probability that a randomly
picked differential z has high differential probability. While this alone might give rise
to successful differential attacks, it would be nice to have an efficient deterministic algorithm for finding differentials with high differential probability. This section gives
some relevant algorithms for this.
6.1
Linear-time Algorithm for »¶:±½0
¼ ¾¿
In this subsection, we will describe an algorithm that, given an input difference (^*_,O-4 ,
finds all output differences 2 , for which #S$ & (^*_,O-0/13254 is equal to the maximum
differential probability of addition, #%$'&TU+V (+*',.-4W680XbZc\e]_#%$'&}(^*_,O-0/1Ü2—4 . (By Corollary 1, we would get exactly the same result when maximizing the differential probability under * or - .) We say that such 2 is ( *',.-4 -optimal. Note that when an (+*',.-4 optimal 2 is known, the maximum differential probability can be found by applying Algorithm 2 to z 8 (+*',.-ª/1
254 . Moreover, similar algorithms can be used
to find “near-optimal” 2 -s, where wBx>y #%$'&}(^*_,O-0/1Ü2—4 is only slightly smaller than
w³xly #%$ &TU+Vc(^*_,O-4 .
Theorem 3. Algorithm 3 returns all (^*_,O-4 -optimal output differences 2 .
Proof (Sketch). First, we say that position Š is bad if ÆÇ(^*_,O-',‡254 ® 8ªu . According
to Theorem 1, 2 is (^*_,O-4 -optimal if it is chosen so that (1) for every Šq u , if
ÆÇ(^*_,O-|,O2—4 ®
8­ then ËcÌeÍ£(+* ® ,O- ® ,O2 ® 4)8k* ® , and (2) the number of bad positions Š
†
†
is the least among all such output differences 2;K , for which (^*_,O-0/1320KB4 is possible. For
Algorithm 4 A log-time algorithm that finds an ^( *_,O-4 -optimal 2
INPUT: CR (S OUTPUT: An CR S -optimal W
1. ÀÁB¯R > ¤ ;
2. ÂÃB G CRHb S >ÄG À ;
3. ÅÆB¸Â > JÂ+[ ¤a > CRH´
b CR\[ ¤a£ ;
4. °±B Cs
Å ;
B CÅÁL
I CÅ ? ¤a£ >HG À ;
5. ÅÆå
6. ÇÈå
B CÅÁI±Â K
[ ¤;
7. W 3
B £CRÄb8I
° > lÅ 3L
I £CRÄb S N
b CRÁK
[ ¤W£ >HG Å > 7Ç +IÀCR >HG Å >ÄG Ç7 ;
B W>HG ¤WF
I £CR8b S > ¤a ;
8. W 3
9. Return W .
achieving (1) we must first fix 2soð *poPJ -ro , and after that recursively guarantee that
2e® obtains the predicted value whenever *®
8‹-®
8H2A® .
†
†
†
This, and minimizing the number of bad Š -s can be done recursively for every uÀ
Š“Q×µ‹ , starting from ŠP8{u . If * ® 8{
~ - ® then Š is bad independently of the value of
2 ® ¬ ©ur,« . Moreover, either choice of 2 places no restriction on choosing 2 ® . This
&
means that we can assign either 2e®ðáu or 2A®pðö .
The situation is more complicated if * ® 8½- ® . Intuitively, if . ® 8­>Þٔmu is even,
then the choice 2 ® ð * ® (as compared to the choice 2 ® ð »M* ® ) will result in Þ bad
positions (DŠ7,.ŠEbA,ÚÚÚ,OŠEblÞʵl4 instead of Þ bad positions (DŠE¯>,OŠEbjI,ÚÚÚa,.ŠEb>Þ|µF4 .
Thus these two choices are equal. On the other hand, if . ®8Q>ÞME¯<”Hu , then the choice
2e®ðá*® would result in Þ bad positions compared to ÞñEt when 2e®ðá*® , and hence is
to be preferred over the second one. We leave the full details of the proof to the reader.
€
A linear-time algorithm that finds one (^*_,O-4 -optimal 2 can be derived from Algorithm 3
straightforwardly, by assigning 2 ® ðá* ® whenever ÆÇ(^*_,O-|,O2—4 ®
8¸u .
†
É ôÊ and -Y8qò>óÌËÍnÊIô . Then
As an example, let us look at the case 8{i , *´8¸òlóIôe
- (^*_,O-4FO8å
[
¡ by Algorithm
Î ò>óÌËÉÊnÊ , and
Î 3 the set of (^*_,O-4 -optimal values is equal to
¬ §¯E
E
§¯E §¯E , where 8K©ˆuI,.jr,'e
Ï « , and §æ8k©ur,« , as always. Therefore,
for
example,
%
#
$
T
+
U
ˆ
V
Œ
(
l
ò
A
ó
n
ô
É
e
ô
Ê
r
7
,
>
ò
Ì
ó
Ë
n
Í
Ê
I
ô
)
4
{
8
%
#
$ & (ŒòlóAône
É ôr
Ê ,7ò>óÌËÍnI
Ê ô1/ ò>ó+e
Ð ò;ËnË 4)8
&
„
e† .
6.2
¼ ¾f¿
Log-time Algorithm for »À: ½0
For a log-time algorithm we need a somewhat different approach, since in Algorithm 3
the value of 2 ® depends on that of 2 ® . However, luckily for us, 2 ® only depends on
†
if ÆÇ(^*_,O-|,O2—4 ®
2 ®
8k , and as seen from the proof of Theorem 3, in many cases we
†
†
8¸u !
can choose the output difference 2A®
so that ÆÇ(+*',.-|,‡254‡®
†
†
Moreover, the positions where ÆÇ(^*_,O-|,O2—4 ®
8Ü must hold are easily detected.
†
Namely (see Algorithm 3), if (1) Š%8!u and * ® 8!- ® 8 u , or (2) Š”½u and * ® 8­- ®
but à ® 8åu . Accordingly, we can replace the condition ÆÇ(+*',.-|,‡254 ®
8á with the
†
Algorithm 5 A log-time algorithm for #S$ &` TU+V (+*4
INPUT: R
˜P™ žš ›cœB
OUTPUT:
C5
R ›cœstvu
`FcdfehÑ+Òelknm kqsr
e F q^q
1. Return
.
condition »P(^* ® J¸- ® 4_ºLà ® , and take additional care if Š is small. By noting how the
values à ® are computed, one can prove that
Theorem 4. Algorithm 4 finds an (^*_,O-4 -optimal 2 .
Proof (Sketch, many details omitted). First, the value of à computed in the step 4 is
“approximately” equal to -64>(^*_,O-4 , with some additional care taken about the lowest
bits. Let . 4 be the bit-reverse of . (i.e., . 4® is equal to the length of longest common
~ *®
8-®
8k
~ ÚÚÚ .). Step 7 computes 2A® (again, “approxalternating chain *®8¸-®ñ8Q
†
†
~ -® but
imately”) as (1) 2A®}ð *®pJ´à® , if *®“8!-® , (2) 2A®“ð *®pJ-®5J¸*®
if *®Ž8g
†
ÆÇ(^*_,O-|,O2—4 ®
8­ and (3) 2 ® ð * ® if * ® 8q
~ - ® and ÆÇ(+*',.-|,‡254 ®
8Ku . Since the two
†
†
last cases are sound, according to Algorithm 3, we are now left to prove that the first
choice makes 2 optimal.
But this choice means that in every maximum-length common alternating bit chain
, Algorithm 4 chooses all bits
* ® 8½- ® 8g
~ * ®
8½- ®
8±
~ ÚÚÚ_8­
~ * ® Ò
8g- ® Ò
†
†
† / &
† / 1 &
. By approximately the same
2 ,¶
) ¬ @ ŠMµ. ®4 EQ>,.Š+R , to be equal to * ® † 1 Ò
8k- ® Ò
† / 1 &
,
/ &
Ã
arguments as in the proof of Theorem 3, this1 choice gives
rise to ¿C. ® Á> bad bit positions
in the fragment @ Šµ.®4 E >,.ŠŒR ; every other choice of bits 2 would result in at least as
,
8Q-®
8 ~ *®M8q-®+4 , it has to be the case
many bad positions. Moreover, since »P(^*®
&
&
8‹
~ -®
8‹-®
8Q*®p8¸-® . In the first case, both choices of 2e®
that either *®
or *®
&
&
&
&
ð•*® , which makes ŠeEN
make ŠAEÙ bad. In the second case we must later take 2e®
&
&
good, and enables us to start the next fragment from the position ŠIE . (Intuitively, this
€
last fact is also the reason why Ï Ì3*4 is here preferred over Ï Ì+* .)
Note that Biham and Shamir used the fact #S$_&}(^*_,O-0/1•*¯JÙ-4
8
d
d—„™ TUšJ›
—J— in their differential cryptanalysis of FEAL in [BS91b].
• e†
Often this value is significantly smaller than the maximum differential probability
, while
#S$ &TU+V (^*_,O-4 . For example, if *á8
-•8
tµ­ , then #S$ &TU+V (^*_,O-48
#S$ & (^*_,O-0/1•*¯JÙ-4¶83#S$ & (^*_,O-0/1áus4L8Üe† . However, since FEAL only uses
f -bit addition, it is possible to find (^*_,O-4 -optimal output differences 2 by exhaustive
search. This has been done, for example, in [AKM98].
e†3˜ •J•s–Ó
6.3
Log-time Algorithm for Double-Maximum Differential Probability
We next show that the double-maximum differential probability
#%$'&` TU+V (^*M4W68YX[Z\ #%$'&}(+*',.-013
/ 254|8XbZc\ #S$_&TU+V(^*_,O-4
d =]
d
of addition can be computed in time v[(^w³xly'p4 . (As seen from Algorithm 3, #%$'&TU+Vc(^*_,O-4
is a symmetric function and hence #S$_&` TU+V (+*4 is equal to #%$'&}(^*_,O-0/1Ü2—4 maximized under any two of its three arguments.) In particular, the next theorem shows
á
ß^à
ÝÞ
ÚÌÛ Ü
ØÙ
Ô ÕÖ ×
0
-1
-2
-3
-4
0
16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
R
˜ ™ žš ›cœB
#Xâ
}
Fig. 2. Tabulation
values of ˜}
˜P™ žš ›cœB
™ žš ›cœB ã å þ 5A
F CR5 ,
þ
Jä"ˆ
and
R
âßãã
, for þ
. For example,
that #S$_&` TU+V (+*4 is equal to the (more relevant for the DC) value XbZc\ d;² æ o5#%$'&TU+Vc(^*_,O-4
whenever
*n8±
~ u . Note that the naive algorithm for the same problem works in time
¡
ç
(Œ 4 , which makes it practically infeasible even for 8ki .
Theorem 5. For every *Ù¬Y§Ž , Algorithm 5 computes #%$'`& TU+V (+*4 in time v[(DwBx>y_p4 .
Proof (Sketch). By the same arguments as in the proof of previous theorem, given inputs
ÎSψÐÑ
(^*_,.*M4 , the value 2M68“*×JQ(„- 4 (^*_,.*M4pº
(D¯µ4O4 is (^*_,.*M4 -optimal. We now prove
~ * and 20K be such that
by contradiction that #%$ &` TU+V (^*M4t8ª#%$ &TU+V (+*', *4 . Let - 8ª
#S$ & (^*_,O-0/1320BK 4N” #S$ &TU+V (^*_,.*M4 . By Algorithms 2 and 4, there is an Š´üᖵm
4 (^*_,.*M4‡®L8ª . But then, on the other hand, since
such that ÆÇ(+*',.-|,‡20BK 4O®L8
and -6l
4 (^*_,.*M4‡®À8ö , it is also the case that
the differential (^*_,O-æ/1 2;K 4 is possible and -6l
ÆÇ(^*_,O-|,O2;K 4‡®
8èu . Since -6>
4
(+*', *4O®Ž8 YÉè-6>
4 (+*', *4O® † 8åu , we have also that
†
-6>4 (^*_,.*M4 ®
8¸u . Therefore #S$ & (^*_,O-0/1320BK 4ñ#%$ &TU+V(+*', *4 .
€
†
Straightforwardly, Theorem 5 helps to find many interesting properties of #%$ &` TU+V . For
¹.
example, #%$ &` TU+V (^*M4b83 iff *tºH(+A† µ 4[8nu , and X8é^ê #%$ &` TU+V (^*M4b8±e† .
–
Another consequence is that #S$'&` TU+V (+*4 8 iff (1) *Yº–(Œe† µQ48 µ“ëñEK for
some u´‡Y
ì üg , or (2) *Yº–(Œe† µQˆ48æë for some u´í
ì ü½tµQ . For better
understanding, all values of #S$ &` TU+V (+*4 , 8¸f , are depicted in Fig. 2.
Once again, our results may be compared with the results in [O’C93,O’C95] that
show that for an -bit permutation (resp. composite permutation, controlled by an bit string)
the expected probability of the maximum nonzero differential is  Á>e†
º
(resp. † ).
Further Work and Acknowledgments
While we leave practical applications of our results as an open question, we note that
our results have already been used in [MY00] for truncated differential cryptanalysis
of Twofish.
The current work bases somewhat on [Mor00], that had a (correct) linear-time algorithm for #%$'& , but with an incorrect proof. We would like to thank Eli Biham for
notifying us about the results presented in the full version of [BS91b].
References
[AKM98] Kazumaro Aoki, Kunio Kobayashi, and Shiho Moriai. The Best Differential Charac
teristic Search of FEAL. IEICE Trans. Fundamentals, E81-A(1):98–104,
January 1998.
¢
[Ber92] Thomas A. Berson. Differential Cryptanalysis Mod
with Applications to MD5. In
Ernest F. Brickell, editor, Advances in Cryptology—CRYPTO ’92, volume 740 of Lecture
Notes in Computer Science, pages 71–80. Springer-Verlag, 1993, 16–20 August 1992.
[BS91a] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems.
Journal of Cryptology, 4(1):3–72, 1991.
[BS91b] Eli Biham and Adi Shamir. Differential Cryptanalysis of Feal and N-Hash. In Donald W. Davies, editor, Advances on Cryptology — EUROCRYPT ’91, volume 547 of
Lecture Notes in Computer Science, pages 1–16, Brighton, UK, April 1991. SpringerVerlag. Full version available from
http://www.cs.technion.ac.il/˜biham/, as of April 2001.
[Dae95] Joan Daemen. Cipher and Hash Function Design. Strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, 1995.
[DGV93] Joan Daemen, René Govaerts, and Joos Vandewalle. Cryptanalysis of 2.5 Rounds of
IDEA. Technical Report 1, ESAT-COSIC, 1993.
[Knu99] Lars Knudsen. Some Thoughts on the AES Process. Public Comment to the AES First
Round, 15 April 1999. Available from
http://www.ii.uib.no/˜larsr/serpent/, as of April 2001.
[LMM91] Xuejia Lai, James L. Massey, and Sean Murphy. Markov Ciphers and Differential
Cryptanalysis. In Donald W. Davies, editor, Advances on Cryptology — EUROCRYPT
’91, volume 547 of Lecture Notes in Computer Science, pages 17–38, Brighton, UK,
April 1991. Springer-Verlag.
[Miy98] Hiroshi Miyano. Addend Dependency of Differential/Linear Probability of Addition.
IEICE Trans. Fundamentals, E81-A(1):106–109, January 1998.
[Mor00] Shiho Moriai. Cryptanalysis of Twofish (I). In The Symposium on Cryptography and
Information Security, Okinawa, Japan, 26–28 January 2000. In Japanese.
[MY00] Shiho Moriai and Yiqun Lisa Yin. Cryptanalysis of Twofish (II). Technical report,
IEICE, ISEC2000-38, July 2000.
[NK95] Kaisa Nyberg and Lars Knudsen. Provable Security Against a Differential Attack. Journal of Cryptology, 8(1):27–37, 1995.
[O’C93] Luke J. O’Connor. On the Distribution of Characteristics in Composite Permutations.
In Douglas R. Stinson, editor, Advances on Cryptology — CRYPTO ’93, volume 773 of
Lecture Notes in Computer Science, pages 403–412, Santa Barbara, USA, August 1993.
Springer-Verlag.
[O’C95] Luke O’Connor. On the Distribution of Characteristics in Bijective Mappings. Journal
of Cryptology, 8(2):67–86, 1995.