Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On additive differential probabilities of the composition of bitwise exclusive-or and a bit rotation

Nikolay Kolomeec, Ivan Sutormin, Denis Bykov, Matvey Panferov, Tatyana Bonich

TL;DR

The paper analyzes the additive differential probability of the XR operation $\mathrm{adp}^{\mathrm{XR}}$ = $\Pr_{x,y}[ (x \oplus y) \lll r$ differential preserves output by $\alpha_{k+1}$ modulo $2^n]$ within ARX-like primitives. It derives a formula expressing $\mathrm{adp}^{\mathrm{XR}}$ as a convolution of auxiliary $\mathrm{adp}^{\oplus}$ components, establishes argument symmetries, and determines maximums for one-bit rotations ($r=1$ and $r=n-1$) with fixtures on the input differences. The work also provides a complete characterization of impossible differentials for $ (x \oplus y) \lll r$ via regular-expression-like octal patterns and gives tight bounds on their numbers, showing that rotation reduces the count of impossible differentials compared to plain XOR. Collectively, these results deepen the differential-cryptanalysis understanding of XR-based ARX primitives and offer tools for constructing differential trails and impossible-differential attacks. The methods and patterns extend to the RX variant and suggest directions for future exploration of higher-rotation cases and broader fixed-input-difference settings.

Abstract

Properties of the additive differential probability $\mathrm{adp}^{\mathrm{XR}}$ of the composition of bitwise XOR and a bit rotation are investigated, where the differences are expressed using addition modulo $2^n$. This composition is widely used in ARX constructions consisting of additions modulo $2^n$, bit rotations and bitwise XORs. Differential cryptanalysis of such primitives may involve maximums of $\mathrm{adp}^{\mathrm{XR}}$, where some of its input or output differences are fixed. Although there is an efficient way to calculate this probability (Velichkov et al, 2011), many of its properties are still unknown. In this work, we find maximums of $\mathrm{adp}^{\mathrm{XR}}$, where the rotation is one bit left/right and one of its input differences is fixed. Some symmetries of $\mathrm{adp}^{\mathrm{XR}}$ are obtained as well. We provide all its impossible differentials in terms of regular expression patterns and estimate the number of them. This number turns out to be maximal for the one bit left rotation and noticeably less than the number of impossible differentials of bitwise XOR.

On additive differential probabilities of the composition of bitwise exclusive-or and a bit rotation

TL;DR

The paper analyzes the additive differential probability of the XR operation = differential preserves output by modulo within ARX-like primitives. It derives a formula expressing as a convolution of auxiliary components, establishes argument symmetries, and determines maximums for one-bit rotations ( and ) with fixtures on the input differences. The work also provides a complete characterization of impossible differentials for via regular-expression-like octal patterns and gives tight bounds on their numbers, showing that rotation reduces the count of impossible differentials compared to plain XOR. Collectively, these results deepen the differential-cryptanalysis understanding of XR-based ARX primitives and offer tools for constructing differential trails and impossible-differential attacks. The methods and patterns extend to the RX variant and suggest directions for future exploration of higher-rotation cases and broader fixed-input-difference settings.

Abstract

Properties of the additive differential probability of the composition of bitwise XOR and a bit rotation are investigated, where the differences are expressed using addition modulo . This composition is widely used in ARX constructions consisting of additions modulo , bit rotations and bitwise XORs. Differential cryptanalysis of such primitives may involve maximums of , where some of its input or output differences are fixed. Although there is an efficient way to calculate this probability (Velichkov et al, 2011), many of its properties are still unknown. In this work, we find maximums of , where the rotation is one bit left/right and one of its input differences is fixed. Some symmetries of are obtained as well. We provide all its impossible differentials in terms of regular expression patterns and estimate the number of them. This number turns out to be maximal for the one bit left rotation and noticeably less than the number of impossible differentials of bitwise XOR.
Paper Structure (13 sections, 27 theorems, 80 equations, 7 tables)

This paper contains 13 sections, 27 theorems, 80 equations, 7 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. A formula for
  4. Symmetries of
  5. Maximums of for one bit rotations
  6. Maximums of for
  7. Maximums of for
  8. Impossible differentials of the XR-operation
  9. Patterns for octal words
  10. The characterization of the impossible differentials
  11. Estimations for the number of all impossible differentials
  12. Conclusion
  13. Proof of Theorem \ref{['th:padpzeros']}

Key Result

Theorem 1

Let $L = (1, 1, 1, 1, 1, 1, 1, 1)$, $A_0, \ldots, A_7$ be $8\times8$ matrices, where and $(A_k)_{i,j} = (A_0)_{i \oplus k, j \oplus k}$, where $i, j, k \in \mathbb{Z}_{2}^{3}$. Then where $\alpha, \beta, \gamma \in \mathbb{Z}_{2}^{n}$ and $\omega = \omega(\alpha, \beta, \gamma)$.

Theorems & Definitions (52)

  • Theorem 1: Lipmaa et al. LipmaaEtAl2004, 2004
  • Corollary 1: Lipmaa et al. LipmaaEtAl2004, 2004
  • Example 1
  • Lemma 1
  • proof
  • Theorem 2
  • proof
  • Corollary 2
  • proof
  • Theorem 3
  • ...and 42 more