Efficient Algorithms for Computing Differential Properties of Addition

Efﬁcient Algorithms for Computing Differential

Properties of Addition

Helger Lipmaa and Shiho Moriai ¢ Helsinki University of Technology, Department of Computer Science and Engineering P.O.Box 5400, FI-02015 HUT, Espoo, Finland

[email protected]£ NTT Laboratories 1-1 Hikari-no-oka, Yokosuka, 239-0847 Japan [email protected]

Abstract. In this paper we systematically study the differential properties of ad- ¤¦¥

dition modulo . We derive §©¨ -time algorithms for most of the properties, including differential probability of addition. We also present log-time algorithms for ﬁnding good differentials. Despite the apparent simplicity of modular addition, the best known algorithms require naive exhaustive computation. Our re-

sults represent a signiﬁcant improvement over them. In the most extreme case,

§©¨ we present a complexity reduction from ¨ to .

Keywords: modular addition, differential cryptanalysis, differential probability, impossible differentials, maximum differential probability.

1 Introduction

One of the most successful and influential attacks against block ciphers is Differential Cryptanalysis (DC), introduced by Biham and Shamir in 1991 [BS91a]. For many of the block ciphers proposed since then, provable security against DC (defined by Lai, Massey and Murphy [LMM91] and first implemented by Nyberg and Knudsen [NK95]) has been one of the primary criteria used to confirm their potential quality. Unfortunately, few approaches to proving security have been really successful. The original approach of [NK95] has been used in designing MISTY and its variant KA- SUMI (the new 3GPP block cipher standard). Another influential approach has been the “wide trail” strategy proposed by Daemen [Dae95], applied for example in the proposed AES, Rijndael. The main reason for the small number of successful strategies is the complex structure of modern ciphers, which makes exact evaluation of their differential properties infeasible. This has, unfortunately, led to a situation where the security against DC is often evaluated by heuristic methods. We approach the above problem by using the bottom-up methodology. That is, we

evaluate many sophisticated differential properties of one of the most-used “non-trivial” ! block cipher cornerstones, addition modulo for . We hope that this will help to evaluate the differential properties of larger composite cipher parts like the Pseudo- Hadamard Transform, with the entire cipher being the ﬁnal goal. The algorithms proposed here will enable the advanced cryptanalysis of block ciphers. We hope that our results will facilitate cryptanalysis of such stream ciphers and hash functions that use addition and XOR at the same time.

Importance of Differential Properties of Addition. Originally, DC was considered with respect to XOR, and was generalized to DC with respect to an arbitrary group operation in [LMM91]. In 1992, Berson [Ber92] observed that for many primitive op-

erations, it is signiﬁcantly more difﬁcult to apply DC with respect to XOR than with ¡

respect to addition modulo " . Most interestingly, he classiﬁed DC of addition modulo itself, with sufﬁciently big, with respect to XOR to be hard to analyze, given the (then) current state of theory. Until now it has seemed that the problem of evaluating the differential properties of addition with respect to XOR is hard. Hereafter, we omit the “with respect to XOR” and

take the addition to be always modulo . The fastest known algorithms for computing

132547698%:<;>= ?A@B(DCFEHGI4JK(.(DCLJH*4ME

the differential probability of addition #%$'&)(+*',.-0/

(DGJN-4O4P8Q2R is exponential in . The complexity of the algorithms for the maximum

#S$ (+*',.-4W6 8YX[Z\A]'#S$ (^*_,O-0/13254

TU+V &

differential probability & , the double-maximum

#%$ (+*4a698YXbZc\ed ]_#S$ (^*_,O-0/13254

&` = & differential probability TU+V , and many other differ-

ential properties of addition are also exponential in .

H8gf H8h i With small (e.g., or even with ), exponential-in- computation is feasible, as demonstrated in the cryptanalysis of FEAL by Aoki, Kobayashi and Moriai

in [AKM98]. However, this is not the case when Hkjl as used in the recent 128-bit

block ciphers such as MARS, RC6 and Twoﬁsh. In practice, if mnjl , both cipher

designers and cryptanalysts have mostly made use of only a few differential properties C of addition. (For example, letting Co be the least signiﬁcant bit of , they often use

the property that *po

full version of [BS91b] treated some differential probabilities of addition modulo #%$ and included a few formulas useful to compute & , but did not include any concrete algorithms nor estimations of their complexities. The same is true for many later papers that analyzed ciphers like RC5, SAFER, and IDEA. Miyano [Miy98] studied the sim- pler case with one addend ﬁxed and derived a linear-time algorithm for computing the corresponding differential probability.

Our Results. We develop a framework that allows the extremely efﬁcient evaluation of many interesting differential properties of modular addition. In particular, most of

the algorithms described herein run in time, sublinear in . Since this would be impossible in the Turing machine model, we chose to use a realistic unit-cost RAM (Random Access Machine) model, which executes basic -bit operations like Boolean operations

and addition modulo > in unit time, as almost all contemporary microprocessors do. The choice of this model is clearly motivated by the popularity of such microprocessors. Still, for several problems (although sometimes implicitly) we also describe linear-time algorithms that might run faster in hardware. (Moreover, the linear-time algorithms are usually easier to understand and hence serve an educational purpose.) Nevertheless, the RAM model was chosen to be “minimal”, such that the described algorithms would be directly usable on as many platforms as possible. On the other hand, we immediately demonstrate the power of this model by describing some useful log-time algorithms (namely, for the Hamming weight, all-one parity and common alternation parity). They become very useful later when we investigate other differential properties. One of them (for the common alternation parity) might be interesting by itself; we have not met this algorithm in the literature.

After describing the model and the necessary tools, we show that #S$_& can be com-

puted in time v[(DwBx>y_p4 in the worst-case. The corresponding algorithm has two princi- 13254

pal steps. The ﬁrst step checks in constant-time whether the differential z<8{(+*',.-0/

#S$ (^z4|8Qu z

is impossible (i.e., whether & ). The second step, executed only if is possi- v[(DwBx>y_p4 ble, computes the Hamming weight of an -bit string in time . As a corollary, we prove an open conjecture from [AKM98].

The structure of the described algorithm raises an immediate question of what is 8u

the density of the possible differentials. We show that the event #S$_&}(^z4q~ oc-

e s

curs with the negligible probability ¡ (This proves an open conjecture stated #%$ in [AKM98]). That is, the density of possible differentials is negligible, so & can be

computed in time v[( 4 in the average-case. These results can be further used for impossible differential cryptanalysis, since the best previously known general algorithm to ﬁnd non-trivial impossible differentials was by exhaustive search. Moreover, the high density of impossible differentials makes differential cryptanalysis more efﬁcient; most

of the wrong pairs can be ﬁltered out [BS91a,O’C95].

:<l@ #%$ (+z4|8R 7,|u

Furthermore, we compute the explicit probabilities & for any

6zH/1

. This helps us to compute the distribution of the random variable

#S$ (^z4 & , and to create formulas for the expected value and variance of the random

variable . Based on this knowledge, one can easily compute the probabilities that

R :b@ for any . For the practical success of differential attacks it is not always sufficient to pick a random differential hoping it will be “good” with reasonable probability. It would be nice to find good differentials efficiently in a deterministic way. Both cipher designers and cryptanalysts are especially interested in finding the “optimal” differentials that re-

sult in the maximum differential probabilities and therefore in the best possible attacks.

TU+V

(^*_,O-4 2 For this purpose we describe a log-time algorithm for computing #S$_& and a that achieves this probability. Both the structure of the algorithm (which makes use of the all-one parity) and its proof of correctness are nontrivial. We also describe a log-

time algorithm that ﬁnds a pair (D-|,O24 that maximizes the double-maximum differential

#%$'&` (^*M4 * #S$_&` (+*4 TU+V probability TU+V . We show that for many nonzero -s, is very close to one. A summary of some of our results is presented in Table 1.

} }cB }

¤ ¥l¡ ¤¢£¥e¡ ¤ ¥s¡

Previous result

§©¨¥¤a §©¨ ¦ ¦M §©¨ Our result §©¨ (worst-case), (average)

Table 1. Summary of the efﬁciency of our main algorithms

Road map. We give some preliminaries in Sect. 2. Section 3 describes a unit-cost RAM model, and introduces the reader to several efﬁcient algorithms that are crucial

for the later sections. In Sect. 4 we describe a log-time algorithm for #S$_& . Section 5

gives formulas for the density of impossible differentials and other statistical properties & of #S$ . Algorithms for maximum differential probability and related problems are described in Sect. 6.

2 Preliminaries

C¬§ C®¯¬§

Let §¨8ª©uI,¦ « be the binary alphabet. For any -bit string , let

® ®

C C 8±° C 8nu C ®³²

be the -th coordinate of (i.e., o ). We always assume that if

)~¬´@ ur,O¶µ R C¶8 C

. (That is, °¸· .)

¹ º »

Let J , , and denote -bit bitwise “XOR”, “OR”, “AND” and “negation”,

C¾½

respectively. Let C¼½ (resp. ) denote the right (resp. the left) shift by positions

® Ã ®

C)¾m7698% C3X[xAÄ¯

(i.e., C}¼m76 8À¿DCÂÁ> and ). Addition is always performed modulo

C G Å Æ¦Ç(DC,OGÂ,.Åe4W6 8(+»CJGI4Wº(»CJÅe4

, if not stated otherwise. For any , and we deﬁne

C®Ê8QG>®8qÅ® ËcÌeÍ(DC,OGÂ,.Åe4W6 8CJG

(i.e., Æ¦Ç(DC,OGÂ,.Åe4®M8{ KÈÉ ) and . For any , let

ÎSÏÐaÑ

(^p4W6 8©µH (.(+»Mul4s¾ 4 8Qu

. For example, o .

Ô ÍÍBÕA(^Cp,.GA4a698%Ö%¬Y§ Cp,OGÀ¬×§ C'EbG

Addition modulo ÒIÓ . The carry, , , of addition is

® ® ® ® ® ® ®

6 8(DC ºG 4.J(^C ºMÖ 4.J(^G ºMÖ 4 Ö

deﬁned recursively as follows. First, Öao>6 8%u . Second, ,

Öa® 8½ KÈ[É C®ENGl®E Öa®'Q

for every P¸u . Equivalently, . (That is, the carry bit

C®lEG>®>EYÖa®

Öa® is a function of the sum .) The following is a basic property of addition

modulo .

CENG[8¸CJÙGJÔ Í+ÍBÕI(DCp,.GI4 Property 1. If (DC,OGI4P¬§LØ§ , then .

Differential Probability of Addition. We deﬁne the differential of addition modulo

(+*',.-H/1ª254 as a triplet of two input and one output differences, denoted as , where

*',.-|,2Y¬Y§ . The differential probability of addition is deﬁned as follows:

#S$ (^z4'8¸#S$ (^*_,O-0/13254W6 8%: @B(DCbEÙGI45JQ(O(^C[J*4pEQ(DG

& & ;>= ?

#S$ (^z4W6 8©Û7©Cp,.GL6r(^CEÙGI45J¸(O(DCbJÙ*M4pEQ(DG©JN-4.4'8H2«cÁ> z

That is, & . We say that is

#%$ (+z4'8Qu z

impossible if & . Otherwise we say that is possible. It follows directly from #S$

Property 1 that one can rewrite the deﬁnition of & as follows:

Ï Ï

#%$ (^*_,O-0/1Ü24|8¸:<;= ?A@ Ô Í+ÍBÕr(DC,OGI4>JÀÔ ÍÍ³ÕI(DCPJL*_,OG|JL-4'8HËÌeÍ(^*_,O-',254¥R Lemma 1. & . Probability Theory. Let be a discrete random variable. Except for a few explic-

itly mentioned cases, we always deal with uniformly distributed variables. We note

Ý8ßÞsR¯8áàâA(O bµà4OeÂâ 869ãM(+ÞÂä.Ê,^à4

that in the binomial distribution, :b@ , for

Þ!¬èç£ç

some ﬁxed umåàæ and any . From the basic axioms of probabil-

ãM(ÞÂäOÊ,+à4L8 é@ R<8 Þ :b@ ê8ÜÞsR

° °

² ² o

ity, . Moreover, the expectation o

â â Aà

of a binomially distributed random variable is equal to , while the variance

¡ ¡

ë©ìIí

×R8Qé@ Rµ´é@ ×R Aà( }µ¶à4 @ is equal to .

3 RAM Model and Some Useful Algorithms In the -bit unit-cost RAM model, some subset of ﬁxed -bit operations can be executed in constant time. In the current paper, we specify this subset to be a small set of

-bit instructions, all of which are readily available in the vast majority of contemporary microprocessors: Boolean operations, addition, and the constant shifts. We additionally allow unit-cost equality tests and (conditional) jumps. On the other hand, our model does not include table look-ups or (say) multiplications. Such a restriction guarantees that algorithms efﬁcient in this model are also efﬁcient on a very broad class of platforms, including FPGA and other hardware. This is further emphasized by the fact that our algorithms need only a few bytes of extra memory and thus a very small circuit size in hardware implementations. Many algorithms that we derive in the current paper make heavy use of the three non-trivial functions described below. The power of our minimal computational model

is stressed by the fact that all three functions can be computed in time v[(^w³xly'p4 .

Hamming Weight. The ﬁrst function is the Hamming weight function (also known as

î}ï Cq8 C®¥

° ®B²

the population count or, sometimes, as sideways addition) : For o ,

ï ® ï

î (^C4À8 C î

° ®³²

o , i.e., counts the “one” bits in an -bit string. In the unit-cost

(DCÂ4 v[(DwBx>y'p4 RAM model, î can be computed in steps. Many textbooks contain (a variation of) the next algorithm that we list here only for the sake of completeness.

INPUT: C

ï (DC4 OUTPUT: î

1. C¶ðÜCFµ (O(^Cñ¼ 45º¯òlóAôeôeôeôeôsôeôeôsõ4 ;

2. C¶ðö(^Cº¯ò>óI÷e÷e÷e÷s÷e÷e÷e÷sõ4E¸(.(DCñ¼m>4pº¶òlóI÷s÷e÷e÷e÷e÷s÷e÷sõ4 ;

3. C¶ðö(^CE¸(^Cñ¼Køe4O4º¶òlóIòlùIò>ùIòlùIòlùeõ ;

4. C¶ðÜCEQ(DCP¼kfl4 ;

5. C¶ðö(^CE¸(^Cñ¼ il4.45º¯ò>óIòeòeòeòsòeòe÷lùAõ ;

6. Return C ;

Additional time-space trade-offs are possible in calculating the Hamming weight. If

ï ï

>û î (D4 u[H'ü>û î (DC4 ×8qÖWú , then one can precompute values of , , and then ﬁnd

by doing ú8KÁcÖ table look-ups. This method is faster than the method described in

H8gjs úö¬©fr, iA« the previous paragraph if úª{wBx>y , which is the case if and . However, it also requires more memory. While we do not discuss this method hereafter, our implementations use it, since it offers better performance on 32-bit processors.

ýþNÿÿÿÿ¡ Wÿÿÿÿÿ¡ ¢ Wÿÿ¡ ¢ Wÿÿÿÿÿ¡ Wÿ£ Wÿ¡ Wÿ¡ 7ÿ¡ Wÿcÿ¥¤

¦%þNÿ¡ Wÿÿÿÿÿÿÿÿÿÿÿÿÿ¡ Wÿ¡ § Wÿ¡ ¢ Wÿÿÿ¡ ¢ ¢ 7ÿ¡ Wÿcÿ¥¤

¨ ©£

ý þNÿÿÿÿ¡ Wÿÿÿÿÿ¡ Wÿÿÿ¡ Wÿÿÿÿÿÿ¡ Wÿ£ Wÿ¡ Wÿ¡ 7ÿ¡ Wÿcÿ¥¤

¨ ©£

ý þNÿÿÿÿ¡ Wÿÿÿÿÿÿ¡ Wÿÿÿ¡ Wÿÿÿÿÿ¡ Wÿ£ Wÿ¡ Wÿ¡ 7ÿ¡ Wÿcÿ¥¤

ý¤¦ þNÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¡ Wÿÿÿÿÿ¡ 7ÿÿ¡ Wÿÿ£ Wÿ¡ aÿ¥¤

ý¤¦ þNÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¡ Wÿÿÿÿÿ¡ Wÿÿ¡ Wÿÿ¡ 7ÿ¡ Wÿcÿ¥

¨ © ¨ ©

ý¤¦ ý ý ý¤¦ ý¤¦

¨ ¨ ¨ ¨

Fig. 1. A pair with corresponding values , , and ¨ . Here,

£ £ £

¤0¤§

¨ ©£

ý þ þý þý þ

¤ ¤ ¤

for example, ¨ since and is odd. On the other hand,

£ £

þ´ý þ¦ þÙý þ¦ þ´ý! |þ¦¢ ý¤¦ þ ý þ¦ þ´ý þ¦

¢ ¢

¤ "

¨ since , and is even.

þ ý¤(¦ þ

¨ & ¤ Since %'& , we could have taken also

Interestingly, many ancient and modern power architectures have a special machine- ï

level “cryptanalyst’s” instruction for î (mostly known as the population count instruc-

) ) tion): SADD on the Mark I (sic), CX X on the CDC Cyber series, A PS on the Cray X-MP, VPCNT on the NEC SX-4, CTPOP on the Alpha 21264, POPC on the Ul- tra SPARC, POPCNT on the Intel IA64, etc. In principle, we could incorporate in our model a unit-time population count instruction, then several later presented algorithms would run in constant time. However, since there is no population count instruction on most of the other architectures (especially on the widespread Intel IA32 platform), we have decided not include it in the set of primitive operations. Moreover, the complexity of population count does not signiﬁcantly inﬂuence the (average-case) complexity of the derived algorithms.

All-one and Common Alternation Parity. The second and third functions, important for several derived algorithms (more precisely, they are used in Algorithm 4 and Al-

gorithm 5), are the all-one and common alternation parity of -bit strings, deﬁned as follows. (Note that while the Hamming weight has very many useful applications in cryptography, the functions deﬁned in this section have never been, as far as we know,

used before for any cryptographic or other purpose.)

C GÙ8 Ì+*e(DCÂ4

The all-one parity of an -bit number is another -bit number s.t.

® ® ® ®

8 l |ÚÚ¦ÚW ÚÚ¦ÚOC 8 C C

G iff the longest sequence of consecutive one-bits has

odd length. &

C G -[(^Cp,.GA4

The common alternation parity of two -bit numbers and is a function

® ® ®

[(DC,OGI4 8{ . -[(^Cp,OGI4 8Qu

with the next properties: (1) - , if is even and non-zero, (2) ,

® ® ®

u . 8¸u .

if . is odd, (3) unspeciﬁed (either or ) if , where is the length of the longest

¡ ¡

® ® ® ® ® ® ®

8kG 8{C~ 8{G 8kC~ 8kG ÚÚ¦ÚÊ~8kC 8

common alternating bit chain C

& & & & &0/1

® ® ® ®

E2. q×µ C 8kG

G , where . (In both cases, counting starts with one. E.g., if

&0/1

8¸G>®~ .®p8{ -[(^Cp,OGI4O®8¸u

but C® then and .) W.l.o.g., we will deﬁne

& &

-[(^Cp,.GA4a698 Ì3*e(»P(DCJNGI45ºt(+»P(^CJÙGI4s¼ 4ºt(^CJ¸(^Cñ¼ 4O4.4tÚ

For both the all-one and common alternation parity we will also need their “du-

+*54 -64 als” (denoted as Ì and ), obtained by bit-reversing their arguments. That is,

3*s(DCÂ4

Algorithm 1 Log-time algorithm for Ì

ý87$9

INPUT: , is a power of

¨ ©

OUTPUT: ¨

ý;: þ´ý > ý@?

=< ¨ ¤W

1. ¤ ;

¤ ¤ECF

ý: ý;: > ý;: ?

¤ AC

2. For A;B to do ;

¦+: ý >HGÂý;:

3. ¤ ;

EJF

¤ ¤

¦+: ¦+: ¦3: ? >ý;:

4. For A;B to do ;

¦+:

5. Return ¦ ;

Ï Ï

® ®

CK 6 8¸C G!K 6 8 G Ì+*§4l(DC,OGI4'8 Ì3*e(^CK,OG!K 4 ®

, where ® and . (See Fig. 1.) Note that for

e e

® ® ®

-[(DC,OGI4 8K SÉL-[(^Cp,OGI4 8M-[(^Cp,OGI4 8u

every (DC,OGI4 and , .

& v[(^w³xly'p4

Clearly, Algorithm 1 ﬁnds the all-one parity of C in time . (It is sufﬁcient

R 8 (DC 8

to note that C@ if and only if the number of ones in the sequence

, , ,

8 l,Ú¦ÚÚa,.C 8 l,OC 8±ul4 G@ R 8

>,OC is at least and iff is

5N 5Na

,.& ,.& ,.& , ,

-[(^Cp,OGI4 an odd number not bigger than , .) Therefore also can be computed in time

v[(DwBx>y'p4 .

4 Log-time Algorithm for Differential Probability of Addition

/1 254 Æ¦Ç(^*¾á l,O-¶¾

In this section we say that differential z×83(+*',.- is “good” if

4}º ( ËÌeÍ(^*_,O-',254J (+* ¾ 4O4N8ßu z

>,2¾ . Alternatively, is not “good” iff for

® ® ® ® ® ®

uI,Oµ! R * 8¨- 8 2 8 ~ * J½- Jm2

some Q¬ö@ , . (Remember that

8Q- 8¸2 8qu

* .) The next algorithm has a simple linear-time version, suitable

for “manual cryptanalysis”: (1) Check, whether z is “good”, using the second deﬁnition

)~8¸µ

of “goodness”; (2) If z is “good”, count the number of positions , s.t. the triple

® ® ®

,.- ,2 4

(^* contains both zeros and ones. 1254

Theorem 1. Let z8(+*',.-h/ be an arbitrary differential. Algorithm 2 returns

#S$ (^z4 v[(DwBx>y'p4 v[(O 4IEPO O & in time . More precisely, it works in time , where is the time

it takes to compute î}ï . #%$

Algorithm 2 Log-time algorithm for &

þ ¤SUTVXW

¨CR

INPUT: Q

OUTPUT: ¨

# #

©`_

¤(S ¤W > ¤Sa¤W S þ

cstvu

s¨CR\[ ¤ [K¤ [ ¤W ¨^] ¨CR 3bN¨ [ ¤W£

1. If YDZ then return ;

F£c§dfehg¢iCjelknm o£m p qsr e F qsq 2. Return ¥ ;

Rest of this subsection consists of a step-by-step proof of this result, where we use

Ï Ï

(^z4|8Q:<;= ?e@ Ô Í+ÍBÕr(DC,OGI4 J<Ô Í+ÍBÕr(DC5J©*_,OGJ%-4ñ8 ËcÌeÍ(^*_,O-|,O24 the Lemma 1, i.e., that #S$ . We ﬁrst state and prove two auxiliary lemmas. After that we show how Theorem 1

follows from them, and present two corollaries.

(^C4 w(^us4|8u w( 4Ê8xwS(+>4Ê8 w(+jl4Ê8

Lemma 2. Let w be a mapping, such that , and

Ï Ï

® ® ® ®

*_,O-Ù¬Y§ :<;>= ?A@ Ô Í+ÍBÕr(DC,OGI4 J Ô ÍÍ³ÕI(DCbJN*_,OGJN-4 8{ ¡y * EÙ- E

. Let . Then

& &

8{)>R8xw(^)s4

Ö .

Ï Ï

ÍÍ³Õr(^Cp,.GA4 Ö|b8 Ô Í+ÍBÕr(DCÀJ¸*',.GJH-4 C G

Proof. We denote Öb8!Ô and , where and are

z z

| Öa® 8

understood from the context. Let also Ö)8QÖÂJÖ . By the deﬁnition of carry,

(DC®¦º)G>®¥4JY(DC®¦ºÖa®¥4JY(DG>®aºSÖa®¥4J(.(DC_JL*4O®º (^GMJF-4®¥4JY(O(DC_JL*M4®¦ºSÖ| 4J(.(DGÊJb-4O®ºSÖ| 4 ®

® .

z z

(DC® ,.*®+4 (^G>®O,.-®4 (+Öa®O, Öa®4

This formula for Öa® is symmetric in the three pairs , and .

z z

}M(^*®,.-®., Öa®4W6 8%: @ Öa® 8½ R

= ? =

Hence, the function ; is symmetric, and therefore

z z z

1 1 1

} *®lE-®>E Öa® }M(^)e4|8¸: @ Öa® 8{ ¡y *®>E×-®>E Öa®8~)>R

= ? =

is a function of , ; . One

z z

1 1 1

® ® ® ®

= ? @ Ö 8m ¡y * EÙ- E Ö 8~)>Rp8w(v)e4 ub{)À¸j

can now prove that :<; for any ,

z z

1 1 &

® ® ® ® ®

¬K©uI,¦ « :<; = ? @ Ö 8 ny * E- E Ö 8

and for any value of Ö . For example,

z z

1 1 &

® ® ® ® ® ® ® ®

aRS8n:<; = ? @ Ö 8Ü ¡y³(^* ,.- , Ö 4b8Ü(+uI,.ur, 4¥R8±:<; = ? @B(DC ºtÖ 4|J½(DG ºtÖ 4'J

1 1 & 1 1

® ® ® ® ® ®

º »MÖ 4)J!(^C ºH»MÖ 408 aRL8ª:<; = ? @ C 8 G RÀ8

(DC . The claim follows since

z z

1 1

® ®

?A@ Ö R8¸:<; = ? @ Ö R

:<;= .

& 1 1 &

Lemma 3. 1) Every possible differential is “good”.

Ï Ï

z©8m(^*_,O-0/13254 '¬´@ ur,ObµÙ R : @ Ô Í+ÍBÕr(DC,OGI4®AJtÔ ÍÍ³Õr(^C©J ?

2) Let be “good”. If , then ;=

*',.GJ -4®}8! ny *® E -® : @ Ô Í+ÍBÕr(DC,OGI4 J E 2A® 8)R|8w(v)e4

? o

. In particular, ;=

Ô Í+ÍBÕr(DCJ*_,OG©JN-4 8¸uRÂ8K

o .

Proof. 1) Let z be possible but not “good”. By Lemma 1, there exists an and a pair

Ï Ï

® ® ® ® ® ®

8¸*~ 8- 82 8HËcÌeÍ(^*_,O-|,O24 JYÔ ÍÍ³Õr(^C©J0*',.G}JY-4 Ô ÍÍBÕr(DCp,.GI4

(DCp,.GI4 , s.t. .

& & &

Ï Ï

® ® ®

JNÔ Í+ÍBÕI(DCJ 8 2 :<; = ? @ Ô Í+ÍBÕr(DC,OGI4

Note that then ËÌeÍ(^*_,O-',254 . But by Lemma 2,

& 1 1

® ® ® ® ®

82~ y * 8¸- 82 RÂ8¸u

*',.G©J-4 , which is a contradiction.

2) Let z be “good”. We prove the theorem by induction on , by simultaneously

Ï Ï

?A@ Ô ÍÍ³Õr(^Cp,.GA4JÔ ÍÍBÕA(^C[J*',.G

proving the induction invariant :<;>=

4£RFåu L8u (DX[xAÄ¯ . BASE ( ). Straightforward from Property 1 and the deﬁnition

of a “good” differential. STEP ( |Ek thu ). We assume that the invariant is true for

z z

Öa® Ö¶8 (^Cp,OGI4 8 ËcÌeÍ£(+*',.-|,254®

. In particular, there exists a pair , s.t. , where

Ï Ï

Ô Í+ÍBÕr(DC,OGI4JÔ Í+ÍBÕr(DCbJ *',.G

. Then, by Lemma 2, ;=

z z z

-® E Öa® 8~)>RÂ8: @ Öa®8K ¡y *® E©-® EËcÌeÍ£(+*',.-|,254® 8{)>RÂ8Q: @ Öa®8

;>= ? ;= ?

® ® ®

¡y * E - E2 8x)>R

, where the last equation follows from the easily veriﬁable

¡ ¡ ¡ ¡

( E E 4%8w( E EËÌeÍ( ,= ,= 4.4 ,= ,D ¬ §

equality w , for every .

" " "

® ®

Ö 8{ËcÌeÍ(^*_,O-|,O24

This proves the theorem claim for . The invariant for , , follows

from that and the “goodness” of z .

Proof (Theorem 1). First, z is “good” iff it is possible. (The “if” part follows from the ﬁrst claim of Lemma 3. The “only if” part follows from the second claim of Lemma 3

and the deﬁnition of a “good” differential.) Let z be possible. Then, by Lemma 1,

Ï Ï

#S$ (^z48 : @ Ô Í+ÍBÕI(DCp,.GI4®}JmÔ ÍÍBÕr(DCNJm*_,OGJ½-4O®Ù8 ËÌeÍ(^*_,O-',254®^R

& ;>= ? ®³²

o . By

Ï Ï

: @ Ô ÍÍBÕr(DCp,.GI4®'J Ô ÍÍ³Õr(^CJk*',.GÀJ -4®¶8ÜËcÌeÍ(^*_,O-|,O24O®DR ?

Lemma 2, ;>= is either or

8!-® 8½2A® u

, depending on whether *® or not. (This probability cannot be ,

d ]5

= =

z #%$ (+z4F8èeH5 8 1

since is possible and hence “good”.) Therefore, 1v£¡ ^

d TU

d ]5 J

= =

3 A

^¡ ^ , as required. Finally, the only non-constant time computation is that of Hamming weight.

Note that technically, for Algorithm 2 to be log-time it would have to return (say) µ<

¡ #%$|&)(+z4 if the differential is impossible, or w³xly , if it is not. (The other valid possibility would be to include data-dependent shifts in the set of unit-cost operations.) The next two corollaries follow straightforwardly from Algorithm 2

Corollary 1. #%$'& is symmetric in its arguments. That is, for an arbitrary triple

& & &

#%$ (+*',.-0/1Ü254ñ8{#S$ (D-|, *t/13254}8K#%$ (^*_,2/1Ü-4

(^*_,O-|,O24 , . Therefore, in par-

XbZ\ #%$ (+*',.-0/1Ü254Ê8XbZc\ed}#S$ (^*_,O-0/13254|8¸X[Z\s]ñ#S$ (^*_,O-0/13254

& &

ticular, & .

KrE -aK *YJH- 8*KrJ

Corollary 2. 1) [Conjecture 1, [AKM98].] Let *YEH-¸8* and

-aK 2 #%$ (+*',.-0/1325408ª#%$ (^*K,O-aKÂ/13254 * - 2 &

. Then for every , & . 2) For every , , ,

& &

(^*_,O-0/13254|8¸#%$ (+*ÀºÀ-|, *À¹À-Y/1324

#S$ .

(+*',.-4 (+*K,O-KB4 ©*®.,O-®£«¶8è©*K ,.-aK « ü ®

Proof. We say that and are equivalent, if ® for

* J- 8 *K JH- (+*',.-4 (^*K,O-aK 4

YµQ , and . If and are equivalent then

e e e

#S$ (^*_,O-0/13254|8¸#%$ (+*K,.-aK/13254 &

& by the structure of Algorithm 2.

Ï Ï

ÍÍBÕr(^*_,O-4 Ö K8QÔ Í+ÍBÕI(^*K+,.-aK 4

1) The corresponding carries Ö)8¸Ô and are equal, since

K K K K K K K

J0- 4ÂJH(^* E0- 4|8QÖ *FEt-Y8Q* E0-

Ö}8m(^*FJ0-4JH(+*LE0-4'8k(+* . Therefore, and

KsJN-aK (+*',.-4 (^*K+,.-aK 4

*¶JN-8Q* iff and are equivalnet.

(^*'º'-|, *'¹|-4

2) The second claim is straightforward, since (^*_,O-4 and are equivalent

for any * and .

;§p?

(DC,OGI4 (DC0|>,OG3|4 e

& Note that a pair is equivalent to J different pairs .

In [DGV93, Sect. 2.3] it was brieﬂy mentioned that the number of such pairs is not more

;§p?

than ; this result was used to cryptanalyse IDEA. The second claim carries

KÂ8{(+*Àº¶*KB4pEQ(^*¶¹¶*K 4 unexpected connotations with the well known fact that *¶E* .

5 Statistical Properties of Differential Probability

Note that Algorithm 2 has two principal steps. The ﬁrst step is a constant-time check of

z<8k(+*',.-0/1324 #%$ (+z4|8¸u whether the differential is impossible (i.e., whether & ). The

second step, executed only if z is possible, computes in log-time the Hamming weight

of an -bit string. The structure of this algorithm raises an immediate question of what

: @ #%$ (+z4 ~8ªuR & is the density of the possible differentials, since its average-case

complexity (where the average is taken over uniformly and random chosen differentials

z v[(+:<>@ #S$ (^z4'8QucREY:<l@ #%$ (+z4%~8uR wBx>y|p4 & ) is & . This is one (but certainly not the

only or the most important) motivation for the current section.

Let & be a uniformly random variable. We next calculate the

8ÜR exact probabilities :b@ for any . From the results we can directly derive the

distribution of . Knowing the distribution, one can, by using standard probabilistic

tools, calculate the values of many other interesting probabilistic properties like the

+R probabilities :b@ for any .

ª~8¸uR8

Theorem 2. 1) [Conjecture 2, [AKM98].] :b@ .

| |

uKáÞgüÜ :b@ 8ªeÂâ¦RF8ª â" jsâ 8

2) Let . Then &

ÞÂä.ÀµH >,£

ã .

1ß24 L8gÆ¦Ç(^*_,O-',254 ¢K|8

Proof. Let zÀ8è(^*_,O-Q/ be an arbitrary differential and let , CÙ8kËcÌeÍ£(+*',.-|,254ÊJK(^*L¾å 4

Æ¦Ç(^*L¾å >,.-[¾å >,O2¾3 4 and ) be convenient shorthands.

- 2 C C Since * , and are mutually independent, and (and also and ) are pairwise

independent.

:b@ 8{uRM8k:<l@~ ¢KAº¶Ct8mucR8 ( µN:<l@ ¢K 8 >,.C 8

® ®B²

1) From Theorem 1, o

e A

¡ ¡

}µ aRD4¯8 (O µq:<>@ §K 8 aR :<@ C 8ª R 4×8 }µH 8

®³² ®B²

¡ .

ÎSÏÐÑ

(Dtµq 4 uNæÞ ü! :<>@ î ( c48±ÞsR8

2) Let úß8 . First, clearly, for any ,

â eÂâ

¡ ¡ ¡

d ]¡¢££ ï ï

= = @ î ( c4|8qÞsRÂ8 8Qã ÞÂäOÊ, :<l@ î (+»¤ Êº

: and therefore

¡ ¡ â

e Ââ â

¡ ¡ ¡

r r r

e e

ú¯4|8qÞsRÂ8qã ¶µ }µÙÞÂä.ÀµH >, 8q jlâ

8 .

â â

î}ï( ºú¯4|8¸%µÀ µbÞ ¦ ¢KºC¶8Qu

Let ¥ denote the event and let denote the event .

¦%® §K ºPC®8Qu :b@ å8¸eâ¦R8¸: @ ¥,=¦RÂ8

Let be the event ® . According to Algorithm 2,

e e

® ®

:<>@ ¦ y ¥)RÂ8 :<>@ ¦ y ¥}R :<>@ ¦§y ¥}RÂ8Q:<>@ ¥}R :<l@ ¥)R :<>@ ¥}R

®³² ®B²

o , where we

§K 8k

used the fact that o .

® ® ®

hu :<l@ ¦ y ¢K 8 aR8n:<>@ C 8nucR8 :<@ ¦ 8nuy ¢K 8 ®

Now, if then ® , while

e Ââ

¡s

¢K 8¨ ® ucR©8 : @ ¦S®'y ¥}R<8

® ®B²

. Moreover, . Therefore, o , and hence

e Ââ

¡M ¡M ¡

Ââ ®

:b@ å8¸ R8 :<>@ ¥}R ã ¶µ }µÙÞÂäO¶µH >, 8 :<@ ¦ y ¥)R8

®B²

¡ ¡ ¡

¡ ¡

e e

jlâ ã ÞäO¶µ l, âÂ[8q âÂ". jsâ 8

& .

â â

Corollary 3. Algorithm 2 has average-case complexity v[(O 4 .

8[oÂEÀ ,O 6>z

As another corollary, , where & are two random

[o ©À(D[oc4|8K©z ¬§".À6>#%$ (+z4'8uI«

variables. has domain & , while has the com-

©À(D 4S8g©zÀ¬§".06r#%$ (+z4~8kuI« [o

plementary domain & . Moreover, has constant

[o%8uRÂ8{ µ¯wBx>y

distribution (since :b@ ), while the random variable has binomial ª

distribution with àY8 . Knowledge of the distribution helps to ﬁnd further properties

#%$'&}(+z4½AÂâ of #%$'& (e.g., the probabilities that ) by using standard methods from

probability theory.

¡ (

One can double-check the correctness of Theorem 2 by verifying that 4e

e e

8 :b@ 8½AÂâ¦R|8m:b@ 8mucRÊ8~ ã ÞäO¶µ l,

° °

² ² o

o . Moreover,

â â

:b@ 8±AÂâRS8Ly ©À(^ 4 y :b@ 8èAÂâ¦R5E«y ©À(D 4 y :b@ 8èAÂâ¦RS8 o

clearly o

ã ÞÂä.ÀµH >,

, which agrees with Theorem 2.

eâ:b@ ª8 eÂâ¦R'8 é@ ×RÊ8

° ²

We next compute the variance of . Clearly, o

¡ ¡

e ×R 8Ke

, and therefore é@ . Next, by using Theorem 2 and the basic properties

¡ ¡ ¡ ¡ ¡

é@ RÂ8¸u :b@ 8¸uRcE A â :b@ 8QA â¦RÂ8

° ²

of the binomial distribution, o

e e

@¬

¡L ¡À

8 8 e â ã ÞÂä.ÀµH >, ã ÞÂäO¶µ l,

° °

² ®B²

o o

ë<ìAí

e e e e

@¬ ¤¬ @¬

¡S ¡ ¡%3

@ ×RÂ8 b8 µ

. Therefore, µYe .

ª~8¸ucR Note that the density of possible differentials :b@ is exponentially small in .

This can be contrasted with a result of O’Connor [O’C95] that a randomly selected -bit

2 #%$ (^*_,O-0/1Ü24|8¸#S$ TU+V(^*_,O-4 &

Algorithm 3 Algorithm that ﬁnds all -s, s.t. &

¤(S

INPUT: ¨

¤S W

OUTPUT: All ¨ -optimal output differences

W S

1. B¯R ;

¤S

¨CR

2. °±B ;

è¤ ¤

3. For A;B to do

þ²S þ³W W S

¢ ¢ ¢ ¢

ECF ECF ECF E E E ECF

B¯R b b´R

If R then

þ²S þ þ W ¤

E E E E

¤ R ° ¤ B¶µ ¤ ·

else if A or or then

E E else B¸R ;

4. Return W .

=¹ ¡\º

± l uIÚ ø

permutation has a fraction of µ impossible differentials, independently of

the choice of . Moreover, a randomly selected -bit composite permutation [O’C93],

º ¡

>".rÁ` controlled by an -bit string, has a negligible fraction of impossible differentials.

6 Algorithms for Finding Good Differentials of Addition

The last section described methods for computing the probability that a randomly

picked differential z has high differential probability. While this alone might give rise to successful differential attacks, it would be nice to have an efﬁcient deterministic algorithm for ﬁnding differentials with high differential probability. This section gives

some relevant algorithms for this.

½0¾¿

¶:±¼ 6.1 Linear-time Algorithm for »

In this subsection, we will describe an algorithm that, given an input difference (^*_,O-4 ,

2 #S$ (^*_,O-0/13254

ﬁnds all output differences , for which & is equal to the maximum

TU+V

(+*',.-4W6 80XbZc\e]_#%$'&}(^*_,O-0/1Ü24 differential probability of addition, #%$'& . (By Corol-

lary 1, we would get exactly the same result when maximizing the differential probabil-

- 2 *',.-4 (+*',.-4 ity under * or .) We say that such is ( -optimal. Note that when an -

optimal 2 is known, the maximum differential probability can be found by apply-

8 (+*',.-ª/1 254

ing Algorithm 2 to z . Moreover, similar algorithms can be used

wBx>y #%$'&}(^*_,O-0/1Ü24

to ﬁnd “near-optimal” 2 -s, where is only slightly smaller than

w³xly #%$ TU+Vc(^*_,O-4

& . 2

Theorem 3. Algorithm 3 returns all (^*_,O-4 -optimal output differences .

Æ¦Ç(^*_,O-',254 8ªu

Proof (Sketch). First, we say that position is bad if . According

(^*_,O-4 q u

to Theorem 1, 2 is -optimal if it is chosen so that (1) for every , if

® ® ® ® ®

8 ËcÌeÍ£(+* ,O- ,O2 4)8k*

Æ¦Ç(^*_,O-|,O24 then , and (2) the number of bad positions

;K (^*_,O-0/1320KB4 is the least among all such output differences 2 , for which is possible. For 2

Algorithm 4 A log-time algorithm that ﬁnds an (^*_,O-4 -optimal

¤(S

INPUT: ¨

¤S W

OUTPUT: An ¨ -optimal

> ¤

1. ÀÁB¯R ;

G S >ÄG

¨CRHb À

2. ÂÃB ;

> >

¨JÂ+[ ¤a ¨CRHb´¨CR\[ ¤a£

3. ÅÆB¸Â ;

¨ ©

¨CÅs

4. °±B ;

? >HG

å¨CÅÁIL¨CÅ ¤a£ À

5. ÅÆB ;

å¨CÅÁI±Â¦§[K¤

6. ÇÈB ;

W > S >HG > >HG >ÄG

3¨£¨CRÄb8°I Ål3IL¨£¨CRÄb bN¨CRÁ[K¤W£ Å Ç7+IÀ¨CR Å Ç7

7. B ;

W W >HG S >

3¨ ¤WIF¨£¨CR8b ¤a 8. B ;

9. Return W . *poPJ -ro

achieving (1) we must ﬁrst ﬁx 2soð , and after that recursively guarantee that

*® 8-® 8H2A®

2e® obtains the predicted value whenever .

uÀ

This, and minimizing the number of bad -s can be done recursively for every

® ®

P8{u * 8{-~

Q×µ , starting from . If then is bad independently of the value of

® ®

¬ ©ur, « 2 2

2 . Moreover, either choice of places no restriction on choosing . This

& 2A®pðö

means that we can assign either 2e®ðáu or .

® ® ®

8½- . 8>ÞÙmu

The situation is more complicated if * . Intuitively, if is even,

® ® ® ®

ð * 2 ð »M* Þ

then the choice 2 (as compared to the choice ) will result in bad

Þ (D¦E¯ >,O¦EbjI,Ú¦ÚÚa,.¦Eb>Þ|µF 4

positions (D7,.¦EbA,¦ÚÚÚ,O¦EblÞÊµl4 instead of bad positions . ®8Q>ÞME¯ <Hu

Thus these two choices are equal. On the other hand, if . , then the choice

Þ ÞñEt 2e®ðá*® 2e®ðá*® would result in bad positions compared to when , and hence is

to be preferred over the second one. We leave the full details of the proof to the reader.

A linear-time algorithm that ﬁnds one (^*_,O-4 -optimal can be derived from Algorithm 3

® ® ®

ðá* Æ¦Ç(^*_,O-|,O24 8¸u

straightforwardly, by assigning 2 whenever .

*´8¸òlóIô¡Éeô£Ê -Y8qò>óÌËÍnÊIô

As an example, let us look at the case 8{ ¦i , and . Then

[(^*_,O-4F8åò>óÌË¢É£ÊnÊ (^*_,O-4

- , and by Algorithm 3 the set of -optimal values is equal to

O¡ Î Î

, where , and , as always. There-

fore, for example, &

e .

½0¾f¿

¼ À: 6.2 Log-time Algorithm for »

For a log-time algorithm we need a somewhat different approach, since in Algorithm 3

® ® ®

2 2

the value of 2 depends on that of . However, luckily for us, only depends on

® ®

Æ¦Ç(^*_,O-|,O24 8k

2 if , and as seen from the proof of Theorem 3, in many cases we

ÆÇ(+*',.-|,254® 8¸u

can choose the output difference 2A® so that !

® 8Ü

Moreover, the positions where Æ¦Ç(^*_,O-|,O24 must hold are easily detected.

® ® ® ®

* 8!- 8 u ½u * 8-

Namely (see Algorithm 3), if (1) %8!u and , or (2) and

® ®

8åu ÆÇ(+*',.-|,254 8á

but à . Accordingly, we can replace the condition with the

#S$ ` (+*4 TU+V Algorithm 5 A log-time algorithm for &

INPUT: R

CR5

OUTPUT: ¨

cstvu

¤`F£c§dfehÑ+Òelknm kqsr e F q^q

1. Return ¥ .

® ® ®

J¸- 4_ºLà

condition »P(^* , and take additional care if is small. By noting how the ®

values à are computed, one can prove that 2 Theorem 4. Algorithm 4 ﬁnds an (^*_,O-4 -optimal .

Proof (Sketch, many details omitted). First, the value of à computed in the step 4 is >(^*_,O-4

“approximately” equal to -64 , with some additional care taken about the lowest

4 4

. . .

bits. Let be the bit-reverse of (i.e., ® is equal to the length of longest common

8Q*® 8 -® 8kÚ¦ÚÚ~ 2A®

alternating chain *®8¸-®ñ~ .). Step 7 computes (again, “approx-

*®pJ´à® *®8!-® 2A®ð *®pJ -®5J¸*® *®~8g-®

imately”) as (1) 2A®}ð , if , (2) if but

® ® ® ® ® ®

8 2 ð * * 8q-~ ÆÇ(+*',.-|,254 8Ku

Æ¦Ç(^*_,O-|,O24 and (3) if and . Since the two last cases are sound, according to Algorithm 3, we are now left to prove that the ﬁrst

choice makes 2 optimal.

But this choice means that in every maximum-length common alternating bit chain

Ò Ò

® ® ® ® ® ®

8½- 8g*~ 8½- 8±ÚÚÚ_~~ 8* 8g-

* , Algorithm 4 chooses all bits

/ & / &

1 1

Ò Ò

4 ® ®

2 )¶¬ @ Mµ. EQ >,.+R * 8k-

, ® , to be equal to . By approximately the same

, / & / &

1 1

C. Á>

arguments as in the proof of Theorem 3, this choice gives rise to ¿ bad bit positions

@ µ. 4 E >,.R 2

in the fragment ® ; every other choice of bits would result in at least as

8Q-® 8 ~ *®M8q-®+4

many bad positions. Moreover, since »P(^*® , it has to be the case

& &

8-®~ *® 8-® 8Q*®p8¸-® 2e®

that either *® or . In the ﬁrst case, both choices of

& & & &

2e® ð*® eEN

make AEÙ bad. In the second case we must later take , which makes

& &

good, and enables us to start the next fragment from the position IE . (Intuitively, this

Ï Ï

3*§4 Ì+*

last fact is also the reason why Ì is here preferred over .)

1*¯JÙ-4 8

Note that Biham and Shamir used the fact #S$_&}(^*_,O-0/

TUJ

d£ J

e3 e Js£Ó in their differential cryptanalysis of FEAL in [BS91b].

Often this value is signiﬁcantly smaller than the maximum differential probability

#S$ (^*_,O-4 *á8 -8 tµ #S$ (^*_,O-4 8

TU+V & TU+V

& . For example, if , then , while

#S$ (^*_,O-0/1*¯JÙ-4¶83#S$ (^*_,O-0/1áus4L8Üe &

& . However, since FEAL only uses

(^*_,O-4 2 f -bit addition, it is possible to ﬁnd -optimal output differences by exhaustive search. This has been done, for example, in [AKM98].

6.3 Log-time Algorithm for Double-Maximum Differential Probability

We next show that the double-maximum differential probability

#%$'&` (^*M4W6 8YX[Z\ #%$'&}(+*',.-0/13254|8 XbZc\ #S$_& TU+V(^*_,O-4

TU+V

d ] d

#%$'& TU+Vc(^*_,O-4

of addition can be computed in time v[(^w³xly'p4 . (As seen from Algorithm 3,

#S$_&` (+*4 #%$'&}(^*_,O-0/1Ü24 is a symmetric function and hence TU+V is equal to maxi- mized under any two of its three arguments.) In particular, the next theorem shows á

ß^à 0

Ý Þ Ü ÚÌÛ -1

-2

ØÙ -3

-4

ÕÖ ×

Ô 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240

}

#Xâ âß¤ã§ã

¨CR5 R

Fig. 2. Tabulation of values , , for . For example,

P }

ã å ¤5FA

cB cB

þ þ

Jä" ¨

¨ and

d;æ²

#S$_&` (+*4 XbZc\ o5#%$'& TU+Vc(^*_,O-4

that TU+V is equal to the (more relevant for the DC) value 8±u

whenever *n~ . Note that the naive algorithm for the same problem works in time

4 8k i

( , which makes it practically infeasible even for .

*Ù¬Y§ #%$'&` (+*4 v[(DwBx>y_p4 Theorem 5. For every , Algorithm 5 computes TU+V in time .

Proof (Sketch). By the same arguments as in the proof of previous theorem, given inputs

ÎSÏÐÑ

2M6 8*×JQ(- (^*_,.*M4pº (D¯µ 4O4 (^*_,.*M4

(^*_,.*M4 , the value is -optimal. We now prove

#%$ - 8ª*~ 20K (^*M4t8ª#%$ (+*', *4

&` & TU+V

by contradiction that TU+V . Let and be such that

TU+V

#S$ (^*_,O-0/1320KB4N #S$ ´üáµm (^*_,.*M4 &

& . By Algorithms 2 and 4, there is an

0KB4O®L8 -64l(^*_,.*M4®L8ª

such that ÆÇ(+*',.-|,2 and . But then, on the other hand, since

1 2;K 4 -64l(^*_,.*M4®À8ö

the differential (^*_,O-æ/ is possible and , it is also the case that

Æ¦Ç(^*_,O-|,O2;K 4® -64>(+*', *4O®8 YÉè-64>(+*', *4O® 8åu

8èu . Since , we have also that

-64>(^*_,.*M4 8¸u #S$ (^*_,O-0/1320KB4ñ #%$ TU+V(+*', *4 &

. Therefore & .

#%$

& `

Straightforwardly, Theorem 5 helps to ﬁnd many interesting properties of TU+V . For

¹.¡

#%$ ` (^*M4b83 *tºH(+A µ 4[8nu X8é^ê #%$ ` (^*M4b8±e

TU+V & TU+V

example, & iff , and .

#S$'&` (+*4 8 *Yº(e µQ 48 µëñEK

Another consequence is that TU+V iff (1) for

ìYüg *Yº(e µQ 48æ£ë u´íìü½tµQ

some u´ , or (2) for some . For better

#S$ ` (+*4 8¸f TU+V understanding, all values of & , , are depicted in Fig. 2.

Once again, our results may be compared with the results in [O’C93,O’C95] that

show that for an -bit permutation (resp. composite permutation, controlled by an -

Á>e

bit string) the expected probability of the maximum nonzero differential is

º (resp. ).

Further Work and Acknowledgments

While we leave practical applications of our results as an open question, we note that our results have already been used in [MY00] for truncated differential cryptanalysis of Twoﬁsh. The current work bases somewhat on [Mor00], that had a (correct) linear-time al-

gorithm for #%$'& , but with an incorrect proof. We would like to thank Eli Biham for notifying us about the results presented in the full version of [BS91b]. References

[AKM98] Kazumaro Aoki, Kunio Kobayashi, and Shiho Moriai. The Best Differential Charac-

teristic Search of FEAL. IEICE Trans. Fundamentals, E81-A(1):98–104,£ January 1998. ¤ [Ber92] Thomas A. Berson. Differential Cryptanalysis Mod ¢ with Applications to MD5. In Ernest F. Brickell, editor, Advances in Cryptology—CRYPTO ’92, volume 740 of Lecture Notes in Computer Science, pages 71–80. Springer-Verlag, 1993, 16–20 August 1992. [BS91a] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, 4(1):3–72, 1991. [BS91b] Eli Biham and Adi Shamir. Differential Cryptanalysis of Feal and N-Hash. In Don- ald W. Davies, editor, Advances on Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 1–16, Brighton, UK, April 1991. Springer- Verlag. Full version available from http://www.cs.technion.ac.il/˜biham/, as of April 2001. [Dae95] Joan Daemen. Cipher and Hash Function Design. Strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, 1995. [DGV93] Joan Daemen, Rene´ Govaerts, and Joos Vandewalle. Cryptanalysis of 2.5 Rounds of IDEA. Technical Report 1, ESAT-COSIC, 1993. [Knu99] Lars Knudsen. Some Thoughts on the AES Process. Public Comment to the AES First Round, 15 April 1999. Available from http://www.ii.uib.no/˜larsr/serpent/, as of April 2001. [LMM91] Xuejia Lai, James L. Massey, and Sean Murphy. Markov Ciphers and Differential Cryptanalysis. In Donald W. Davies, editor, Advances on Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 17–38, Brighton, UK, April 1991. Springer-Verlag. [Miy98] Hiroshi Miyano. Addend Dependency of Differential/Linear Probability of Addition. IEICE Trans. Fundamentals, E81-A(1):106–109, January 1998. [Mor00] Shiho Moriai. Cryptanalysis of Twoﬁsh (I). In The Symposium on Cryptography and Information Security, Okinawa, Japan, 26–28 January 2000. In Japanese. [MY00] Shiho Moriai and Yiqun Lisa Yin. Cryptanalysis of Twoﬁsh (II). Technical report, IEICE, ISEC2000-38, July 2000. [NK95] Kaisa Nyberg and Lars Knudsen. Provable Security Against a Differential Attack. Jour- nal of Cryptology, 8(1):27–37, 1995. [O’C93] Luke J. O’Connor. On the Distribution of Characteristics in Composite Permutations. In Douglas R. Stinson, editor, Advances on Cryptology — CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 403–412, Santa Barbara, USA, August 1993. Springer-Verlag. [O’C95] Luke O’Connor. On the Distribution of Characteristics in Bijective Mappings. Journal of Cryptology, 8(2):67–86, 1995.