Efficient Algorithms for Computing Differential
Properties of Addition
¡
Helger Lipmaa and Shiho Moriai ¢ Helsinki University of Technology, Department of Computer Science and Engineering P.O.Box 5400, FI-02015 HUT, Espoo, Finland
[email protected]£ NTT Laboratories 1-1 Hikari-no-oka, Yokosuka, 239-0847 Japan [email protected]
Abstract. In this paper we systematically study the differential properties of ad- ¤¦¥
dition modulo . We derive §©¨ -time algorithms for most of the properties, including differential probability of addition. We also present log-time algorithms for finding good differentials. Despite the apparent simplicity of modular addi- tion, the best known algorithms require naive exhaustive computation. Our re-
sults represent a significant improvement over them. In the most extreme case,
¤
¥
§©¨ we present a complexity reduction from ¨ to .
Keywords: modular addition, differential cryptanalysis, differential probability, impos- sible differentials, maximum differential probability.
1 Introduction
One of the most successful and influential attacks against block ciphers is Differential Cryptanalysis (DC), introduced by Biham and Shamir in 1991 [BS91a]. For many of the block ciphers proposed since then, provable security against DC (defined by Lai, Massey and Murphy [LMM91] and first implemented by Nyberg and Knudsen [NK95]) has been one of the primary criteria used to confirm their potential quality. Unfortunately, few approaches to proving security have been really successful. The original approach of [NK95] has been used in designing MISTY and its variant KA- SUMI (the new 3GPP block cipher standard). Another influential approach has been the “wide trail” strategy proposed by Daemen [Dae95], applied for example in the pro- posed AES, Rijndael. The main reason for the small number of successful strategies is the complex structure of modern ciphers, which makes exact evaluation of their differ- ential properties infeasible. This has, unfortunately, led to a situation where the security against DC is often evaluated by heuristic methods. We approach the above problem by using the bottom-up methodology. That is, we
evaluate many sophisticated differential properties of one of the most-used “non-trivial” ! block cipher cornerstones, addition modulo for . We hope that this will help to evaluate the differential properties of larger composite cipher parts like the Pseudo- Hadamard Transform, with the entire cipher being the final goal. The algorithms pro- posed here will enable the advanced cryptanalysis of block ciphers. We hope that our results will facilitate cryptanalysis of such stream ciphers and hash functions that use addition and XOR at the same time.
Importance of Differential Properties of Addition. Originally, DC was considered with respect to XOR, and was generalized to DC with respect to an arbitrary group operation in [LMM91]. In 1992, Berson [Ber92] observed that for many primitive op-
erations, it is significantly more difficult to apply DC with respect to XOR than with ¡
respect to addition modulo " . Most interestingly, he classified DC of addition modulo itself, with sufficiently big, with respect to XOR to be hard to analyze, given the (then) current state of theory. Until now it has seemed that the problem of evaluating the differential properties of addition with respect to XOR is hard. Hereafter, we omit the “with respect to XOR” and
take the addition to be always modulo . The fastest known algorithms for computing
132547698%:<;>= ?A@B(DCFEHGI4JK(.(DCLJH*4ME
the differential probability of addition #%$'&)(+*',.-0/
(DGJN-4O4P8Q2R is exponential in . The complexity of the algorithms for the maximum
#S$ (+*',.-4W6 8YX[Z\A]'#S$ (^*_,O-0/13254
TU+V &
differential probability & , the double-maximum
#%$ (+*4a698YXbZc\ed ]_#S$ (^*_,O-0/13254
&` = & differential probability TU+V , and many other differ-
ential properties of addition are also exponential in .
H8gf H8h i With small (e.g., or even with ), exponential-in- computation is feasible, as demonstrated in the cryptanalysis of FEAL by Aoki, Kobayashi and Moriai
in [AKM98]. However, this is not the case when Hkjl as used in the recent 128-bit
block ciphers such as MARS, RC6 and Twofish. In practice, if mnjl , both cipher
designers and cryptanalysts have mostly made use of only a few differential properties C of addition. (For example, letting Co be the least significant bit of , they often use
the property that *po full version of [BS91b] treated some differential probabilities of addition modulo #%$ and included a few formulas useful to compute & , but did not include any concrete algorithms nor estimations of their complexities. The same is true for many later papers that analyzed ciphers like RC5, SAFER, and IDEA. Miyano [Miy98] studied the sim- pler case with one addend fixed and derived a linear-time algorithm for computing the corresponding differential probability. Our Results. We develop a framework that allows the extremely efficient evaluation of many interesting differential properties of modular addition. In particular, most of the algorithms described herein run in time, sublinear in . Since this would be impos- sible in the Turing machine model, we chose to use a realistic unit-cost RAM (Random Access Machine) model, which executes basic -bit operations like Boolean operations and addition modulo > in unit time, as almost all contemporary microprocessors do. The choice of this model is clearly motivated by the popularity of such micropro- cessors. Still, for several problems (although sometimes implicitly) we also describe linear-time algorithms that might run faster in hardware. (Moreover, the linear-time algorithms are usually easier to understand and hence serve an educational purpose.) Nevertheless, the RAM model was chosen to be “minimal”, such that the described algorithms would be directly usable on as many platforms as possible. On the other hand, we immediately demonstrate the power of this model by describing some useful log-time algorithms (namely, for the Hamming weight, all-one parity and common al- ternation parity). They become very useful later when we investigate other differential properties. One of them (for the common alternation parity) might be interesting by itself; we have not met this algorithm in the literature. After describing the model and the necessary tools, we show that #S$_& can be com- puted in time v[(DwBx>y_p4 in the worst-case. The corresponding algorithm has two princi- 13254 pal steps. The first step checks in constant-time whether the differential z<8{(+*',.-0/ #S$ (^z4|8Qu z is impossible (i.e., whether & ). The second step, executed only if is possi- v[(DwBx>y_p4 ble, computes the Hamming weight of an -bit string in time . As a corollary, we prove an open conjecture from [AKM98]. The structure of the described algorithm raises an immediate question of what is 8u the density of the possible differentials. We show that the event #S$_&}(^z4q~ oc- e s curs with the negligible probability ¡ (This proves an open conjecture stated #%$ in [AKM98]). That is, the density of possible differentials is negligible, so & can be computed in time v[( 4 in the average-case. These results can be further used for im- possible differential cryptanalysis, since the best previously known general algorithm to find non-trivial impossible differentials was by exhaustive search. Moreover, the high density of impossible differentials makes differential cryptanalysis more efficient; most of the wrong pairs can be filtered out [BS91a,O’C95]. :<l@ #%$ (+z4|8R 7,|u Furthermore, we compute the explicit probabilities & for any 6zH/1 . This helps us to compute the distribution of the random variable #S$ (^z4 & , and to create formulas for the expected value and variance of the random variable . Based on this knowledge, one can easily compute the probabilities that R :b@ for any . For the practical success of differential attacks it is not always sufficient to pick a random differential hoping it will be “good” with reasonable probability. It would be nice to find good differentials efficiently in a deterministic way. Both cipher designers and cryptanalysts are especially interested in finding the “optimal” differentials that re- sult in the maximum differential probabilities and therefore in the best possible attacks. TU+V (^*_,O-4 2 For this purpose we describe a log-time algorithm for computing #S$_& and a that achieves this probability. Both the structure of the algorithm (which makes use of the all-one parity) and its proof of correctness are nontrivial. We also describe a log- time algorithm that finds a pair (D-|,O24 that maximizes the double-maximum differential #%$'&` (^*M4 * #S$_&` (+*4 TU+V probability TU+V . We show that for many nonzero -s, is very close to one. A summary of some of our results is presented in Table 1. } }cB } B £ ¤ ¥l¡ ¤¢£¥e¡ ¤ ¥s¡ H Previous result §©¨¥¤a §©¨ ¦ ¦M §©¨ Our result §©¨ (worst-case), (average) Table 1. Summary of the efficiency of our main algorithms Road map. We give some preliminaries in Sect. 2. Section 3 describes a unit-cost RAM model, and introduces the reader to several efficient algorithms that are crucial for the later sections. In Sect. 4 we describe a log-time algorithm for #S$_& . Section 5 gives formulas for the density of impossible differentials and other statistical properties & of #S$ . Algorithms for maximum differential probability and related problems are described in Sect. 6. 2 Preliminaries C¬§ C®¯¬§ Let §¨8ª©uI,¦ « be the binary alphabet. For any -bit string , let ® e ® ® C C 8±° C 8nu C ®³² be the -th coordinate of (i.e., o ). We always assume that if ® ® )~¬´@ ur,O¶µ R C¶8 C . (That is, °¸· .) · ¹ º » Let J , , and denote -bit bitwise “XOR”, “OR”, “AND” and “negation”, C¾½ respectively. Let C¼½ (resp. ) denote the right (resp. the left) shift by positions ® à ® C)¾m7698% C3X[xAį (i.e., C}¼m76 8À¿DCÂÁ> and ). Addition is always performed modulo C G ŠƦÇ(DC,OGÂ,.Åe4W6 8(+»CJGI4Wº(»CJÅe4 , if not stated otherwise. For any , and we define C®Ê8QG>®8qÅ® ËcÌeÍ(DC,OGÂ,.Åe4W6 8CJG (i.e., ƦÇ(DC,OGÂ,.Åe4®M8{ KÈÉ ) and . For any , let ÎSÏÐaÑ (^p4W6 8©µH (.(+»Mul4s¾ 4 8Qu . For example, o . Ï Ô ÍÍBÕA(^Cp,.GA4a698%Ö%¬Y§ Cp,OGÀ¬×§ C'EbG Addition modulo ÒIÓ . The carry, , , of addition is ® ® ® ® ® ® ® 6 8(DC ºG 4.J(^C ºMÖ 4.J(^G ºMÖ 4 Ö defined recursively as follows. First, Öao>6 8%u . Second, , & Öa® 8½ KÈ[É C®ENGl®E Öa®'Q for every P¸u . Equivalently, . (That is, the carry bit & C®lEG>®>EYÖa® Öa® is a function of the sum .) The following is a basic property of addition & modulo . Ï CENG[8¸CJÙGJÔ Í+ÍBÕI(DCp,.GI4 Property 1. If (DC,OGI4P¬§Lا , then . Differential Probability of Addition. We define the differential of addition modulo (+*',.-H/1ª254 as a triplet of two input and one output differences, denoted as , where *',.-|,2Y¬Y§ . The differential probability of addition is defined as follows: #S$ (^z4'8¸#S$ (^*_,O-0/13254W6 8%: @B(DCbEÙGI45JQ(O(^C[J*4pEQ(DG & & ;>= ? ¡ #S$ (^z4W6 8©Û7©Cp,.GL6r(^CEÙGI45J¸(O(DCbJÙ*M4pEQ(DG©JN-4.4'8H2«cÁ> z That is, & . We say that is #%$ (+z4'8Qu z impossible if & . Otherwise we say that is possible. It follows directly from #S$ Property 1 that one can rewrite the definition of & as follows: Ï Ï #%$ (^*_,O-0/1Ü24|8¸:<;= ?A@ Ô Í+ÍBÕr(DC,OGI4>JÀÔ ÍͳÕI(DCPJL*_,OG|JL-4'8HËÌeÍ(^*_,O-',254¥R Lemma 1. & . Probability Theory. Let be a discrete random variable. Except for a few explic- itly mentioned cases, we always deal with uniformly distributed variables. We note Ý8ßÞsR¯8áàâA(O bµà4OeÂâ 869ãM(+ÞÂä.Ê,^à4 that in the binomial distribution, :b@ , for â Þ!¬èç£ç some fixed umåàæ and any . From the basic axioms of probabil- & ãM(ÞÂäOÊ,+à4L8 é@ R<8 Þ :b@ ê8ÜÞsR ° ° ² ² o ity, . Moreover, the expectation o â â Aà of a binomially distributed random variable is equal to , while the variance ¡ ¡ ë©ìIí ×R8Qé@ Rµ´é@ ×R Aà( }µ¶à4 @ is equal to . 3 RAM Model and Some Useful Algorithms In the -bit unit-cost RAM model, some subset of fixed -bit operations can be exe- cuted in constant time. In the current paper, we specify this subset to be a small set of -bit instructions, all of which are readily available in the vast majority of contemporary microprocessors: Boolean operations, addition, and the constant shifts. We additionally allow unit-cost equality tests and (conditional) jumps. On the other hand, our model does not include table look-ups or (say) multiplications. Such a restriction guarantees that algorithms efficient in this model are also efficient on a very broad class of plat- forms, including FPGA and other hardware. This is further emphasized by the fact that our algorithms need only a few bytes of extra memory and thus a very small circuit size in hardware implementations. Many algorithms that we derive in the current paper make heavy use of the three non-trivial functions described below. The power of our minimal computational model is stressed by the fact that all three functions can be computed in time v[(^w³xly'p4 . Hamming Weight. The first function is the Hamming weight function (also known as ® e î}ï Cq8 C®¥ ° ®B² the population count or, sometimes, as sideways addition) : For o , e ï ® ï î (^C4À8 C î ° ®³² o , i.e., counts the “one” bits in an -bit string. In the unit-cost ï (DCÂ4 v[(DwBx>y'p4 RAM model, î can be computed in steps. Many textbooks contain (a variation of) the next algorithm that we list here only for the sake of completeness. INPUT: C ï (DC4 OUTPUT: î 1. C¶ðÜCFµ (O(^Cñ¼ 45º¯òlóAôeôeôeôeôsôeôeôsõ4 ; 2. C¶ðö(^Cº¯ò>óI÷e÷e÷e÷s÷e÷e÷e÷sõ4E¸(.(DCñ¼m>4pº¶òlóI÷s÷e÷e÷e÷e÷s÷e÷sõ4 ; 3. C¶ðö(^CE¸(^Cñ¼Køe4O4º¶òlóIòlùIò>ùIòlùIòlùeõ ; 4. C¶ðÜCEQ(DCP¼kfl4 ; 5. C¶ðö(^CE¸(^Cñ¼ il4.45º¯ò>óIòeòeòeòsòeòe÷lùAõ ; 6. Return C ; Additional time-space trade-offs are possible in calculating the Hamming weight. If ï ï >û î (D4 u[H'ü>û î (DC4 ×8qÖWú , then one can precompute values of , , and then find by doing ú8KÁcÖ table look-ups. This method is faster than the method described in ¡ H8gjs úö¬©fr, iA« the previous paragraph if úª{wBx>y , which is the case if and . However, it also requires more memory. While we do not discuss this method hereafter, our implementations use it, since it offers better performance on 32-bit processors. ýþNÿÿÿÿ¡ Wÿÿÿÿÿ¡ ¢ Wÿÿ¡ ¢ Wÿÿÿÿÿ¡ Wÿ£ Wÿ¡ Wÿ¡ 7ÿ¡ Wÿcÿ¥¤ ¦%þNÿ¡ Wÿÿÿÿÿÿÿÿÿÿÿÿÿ¡ Wÿ¡ § Wÿ¡ ¢ Wÿÿÿ¡ ¢ ¢ 7ÿ¡ Wÿcÿ¥¤ ¨ ©£ ý þNÿÿÿÿ¡ Wÿÿÿÿÿ¡ Wÿÿÿ¡ Wÿÿÿÿÿÿ¡ Wÿ£ Wÿ¡ Wÿ¡ 7ÿ¡ Wÿcÿ¥¤ ¨ ¨ ©£ ý þNÿÿÿÿ¡ Wÿÿÿÿÿÿ¡ Wÿÿÿ¡ Wÿÿÿÿÿ¡ Wÿ£ Wÿ¡ Wÿ¡ 7ÿ¡ Wÿcÿ¥¤ ¨ ý¤¦ þNÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¡ Wÿÿÿÿÿ¡ 7ÿÿ¡ Wÿÿ£ Wÿ¡ aÿ¥¤ ¨ ý¤¦ þNÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¡ Wÿÿÿÿÿ¡ Wÿÿ¡ Wÿÿ¡ 7ÿ¡ Wÿcÿ¥ ¨ ¨ © ¨ © ý¤¦ ý ý ý¤¦ ý¤¦ ¨ ¨ ¨ ¨ Fig. 1. A pair with corresponding values , , and ¨ . Here, £ £ £ ¤0¤§ ¨ ©£ ý þ þý þý þ ¤ ¤ ¤ for example, ¨ since and is odd. On the other hand, £ £ $# þ´ý þ¦ þÙý þ¦ þ´ý! |þ¦¢ ý¤¦ þ ý þ¦ þ´ý þ¦ ¢ ¢ ¢ ¢ ¤ " ¨ since , and is even. # þ ý¤(¦ þ ¨ & ¤ Since %'& , we could have taken also Interestingly, many ancient and modern power architectures have a special machine- ï level “cryptanalyst’s” instruction for î (mostly known as the population count instruc- ) ) tion): SADD on the Mark I (sic), CX X on the CDC Cyber series, A PS on the Cray X-MP, VPCNT on the NEC SX-4, CTPOP on the Alpha 21264, POPC on the Ul- tra SPARC, POPCNT on the Intel IA64, etc. In principle, we could incorporate in our model a unit-time population count instruction, then several later presented algorithms would run in constant time. However, since there is no population count instruction on most of the other architectures (especially on the widespread Intel IA32 platform), we have decided not include it in the set of primitive operations. Moreover, the complexity of population count does not significantly influence the (average-case) complexity of the derived algorithms. All-one and Common Alternation Parity. The second and third functions, important for several derived algorithms (more precisely, they are used in Algorithm 4 and Al- gorithm 5), are the all-one and common alternation parity of -bit strings, defined as follows. (Note that while the Hamming weight has very many useful applications in cryptography, the functions defined in this section have never been, as far as we know, used before for any cryptographic or other purpose.) Ï C GÙ8 Ì+*e(DCÂ4 The all-one parity of an -bit number is another -bit number s.t. ® ® ® ® 8 l |ÚÚ¦ÚW ÚÚ¦ÚOC 8 C C G iff the longest sequence of consecutive one-bits has &, odd length. & C G -[(^Cp,.GA4 The common alternation parity of two -bit numbers and is a function ® ® ® [(DC,OGI4 8{ . -[(^Cp,OGI4 8Qu with the next properties: (1) - , if is even and non-zero, (2) , ® ® ® u . 8¸u . if . is odd, (3) unspecified (either or ) if , where is the length of the longest ¡ ¡ ® ® ® ® ® ® ® 8kG 8{C~ 8{G 8kC~ 8kG ÚÚ¦ÚÊ~8kC 8 common alternating bit chain C & & & & &0/1 ® ® ® ® E2. q×µ C 8kG G , where . (In both cases, counting starts with one. E.g., if &0/1 8¸G>®~ .®p8{ -[(^Cp,OGI4O®8¸u but C® then and .) W.l.o.g., we will define & & Ï -[(^Cp,.GA4a698 Ì3*e(»P(DCJNGI45ºt(+»P(^CJÙGI4s¼ 4ºt(^CJ¸(^Cñ¼ 4O4.4tÚ For both the all-one and common alternation parity we will also need their “du- Ï +*54 -64 als” (denoted as Ì and ), obtained by bit-reversing their arguments. That is, Ï 3*s(DCÂ4 Algorithm 1 Log-time algorithm for Ì ¤ ¥ ý87$9 INPUT: , is a power of ¨ © ý OUTPUT: ¨ ý;: þ´ý > ý@? =< ¨ ¤W 1. ¤ ; ¢ ¤ ¤ECF £ ý: ý;: > ý;: ? ¤ AC 2. For A;B to do ; ¦+: ý >HGÂý;: D 3. ¤ ; ¢ EJF ¤ ¤ £ ¦+: ¦+: ¦3: ? >ý;: AC 4. For A;B to do ; £ ¦+: !< 5. Return ¦ ; Ï Ï ® ® CK 6 8¸C G!K 6 8 G Ì+*§4l(DC,OGI4'8 Ì3*e(^CK,OG!K 4 ® , where ® and . (See Fig. 1.) Note that for e e ® ® ® -[(DC,OGI4 8K SÉL-[(^Cp,OGI4 8M-[(^Cp,OGI4 8u every (DC,OGI4 and , . & v[(^w³xly'p4 Clearly, Algorithm 1 finds the all-one parity of C in time . (It is sufficient R 8 (DC 8 to note that C@ if and only if the number of ones in the sequence , , , ® ¡ 8 l,Ú¦ÚÚa,.C 8 l,OC 8±ul4 G@ R 8 >,OC is at least and iff is 5N 5Na ,.& ,.& ,.& , , -[(^Cp,OGI4 an odd number not bigger than , .) Therefore also can be computed in time v[(DwBx>y'p4 . 4 Log-time Algorithm for Differential Probability of Addition /1 254 ƦÇ(^*¾á l,O-¶¾ In this section we say that differential z×83(+*',.- is “good” if 4}º ( ËÌeÍ(^*_,O-',254J (+* ¾ 4O4N8ßu z >,2¾ . Alternatively, is not “good” iff for ® ® ® ® ® ® uI,Oµ! R * 8¨- 8 2 8 ~ * J½- Jm2 some Q¬ö@ , . (Remember that 8Q- 8¸2 8qu * .) The next algorithm has a simple linear-time version, suitable for “manual cryptanalysis”: (1) Check, whether z is “good”, using the second definition )~8¸µ of “goodness”; (2) If z is “good”, count the number of positions , s.t. the triple ® ® ® ,.- ,2 4 (^* contains both zeros and ones. 1254 Theorem 1. Let z8(+*',.-h/ be an arbitrary differential. Algorithm 2 returns #S$ (^z4 v[(DwBx>y'p4 v[(O 4IEPO O & in time . More precisely, it works in time , where is the time it takes to compute î}ï . #%$ Algorithm 2 Log-time algorithm for & þ ¤SUTVXW ¨CR INPUT: Q P CQ OUTPUT: ¨ # # ©`_ ¤(S ¤W > ¤Sa¤W S þ cstvu s¨CR\[ ¤ [K¤ [ ¤W ¨^] ¨CR 3bN¨ [ ¤W£ 1. If YDZ then return ; ¢ ¤ F£c§dfehg¢iCjelknm o£m p qsr e F qsq 2. Return ¥ ; Rest of this subsection consists of a step-by-step proof of this result, where we use Ï Ï & (^z4|8Q:<;= ?e@ Ô Í+ÍBÕr(DC,OGI4 J<Ô Í+ÍBÕr(DC5J©*_,OGJ%-4ñ8 ËcÌeÍ(^*_,O-|,O24 the Lemma 1, i.e., that #S$ . We first state and prove two auxiliary lemmas. After that we show how Theorem 1 follows from them, and present two corollaries. ¡ (^C4 w(^us4|8u w( 4Ê8xwS(+>4Ê8 w(+jl4Ê8 Lemma 2. Let w be a mapping, such that , and Ï Ï ® ® ® ® *_,O-Ù¬Y§ :<;>= ?A@ Ô Í+ÍBÕr(DC,OGI4 J Ô ÍͳÕI(DCbJN*_,OGJN-4 8{ ¡y * EÙ- E . Let . Then z & & ® 8{)>R8xw(^)s4 Ö . Ï Ï ÍͳÕr(^Cp,.GA4 Ö|b8 Ô Í+ÍBÕr(DCÀJ¸*',.GJH-4 C G Proof. We denote Öb8!Ô and , where and are z z | Öa® 8 understood from the context. Let also Ö)8QÖÂJÖ . By the definition of carry, & (DC®¦º)G>®¥4JY(DC®¦ºÖa®¥4JY(DG>®aºSÖa®¥4J(.(DC_JL*4O®º (^GMJF-4®¥4JY(O(DC_JL*M4®¦ºSÖ| 4J(.(DGÊJb-4O®ºSÖ| 4 ® ® . z z (DC® ,.*®+4 (^G>®O,.-®4 (+Öa®O, Öa®4 This formula for Öa® is symmetric in the three pairs , and . z z & }M(^*®,.-®., Öa®4W6 8%: @ Öa® 8½ R = ? = Hence, the function ; is symmetric, and therefore z z z û 1 1 1 & } *®lE-®>E Öa® }M(^)e4|8¸: @ Öa® 8{ ¡y *®>E×-®>E Öa®8~)>R = ? = is a function of , ; . One z z û 1 1 1 & ® ® ® ® = ? @ Ö 8m ¡y * EÙ- E Ö 8~)>Rp8w(v)e4 ub{)À¸j can now prove that :<; for any , z z 1 1 & ® ® ® ® ® ¬K©uI,¦ « :<; = ? @ Ö 8 ny * E- E Ö 8 and for any value of Ö . For example, z z 1 1 & ® ® ® ® ® ® ® ® aRS8n:<; = ? @ Ö 8Ü ¡y³(^* ,.- , Ö 4b8Ü(+uI,.ur, 4¥R8±:<; = ? @B(DC ºtÖ 4|J½(DG ºtÖ 4'J 1 1 & 1 1 ¡ ® ® ® ® ® ® º »MÖ 4)J!(^C ºH»MÖ 408 aRL8ª:<; = ? @ C 8 G RÀ8 (DC . The claim follows since z z 1 1 ® ® ?A@ Ö R8¸:<; = ? @ Ö R :<;= . & 1 1 & Lemma 3. 1) Every possible differential is “good”. Ï Ï z©8m(^*_,O-0/13254 '¬´@ ur,ObµÙ R : @ Ô Í+ÍBÕr(DC,OGI4®AJtÔ ÍͳÕr(^C©J ? 2) Let be “good”. If , then ;= Ï *',.GJ -4®}8! ny *® E -® : @ Ô Í+ÍBÕr(DC,OGI4 J E 2A® 8)R|8w(v)e4 ? o . In particular, ;= Ï Ô Í+ÍBÕr(DCJ*_,OG©JN-4 8¸uRÂ8K o . Proof. 1) Let z be possible but not “good”. By Lemma 1, there exists an and a pair Ï Ï ® ® ® ® ® ® 8¸*~ 8- 82 8HËcÌeÍ(^*_,O-|,O24 JYÔ ÍͳÕr(^C©J0*',.G}JY-4 Ô ÍÍBÕr(DCp,.GI4 (DCp,.GI4 , s.t. . & & & Ï Ï ® ® ® JNÔ Í+ÍBÕI(DCJ 8 2 :<; = ? @ Ô Í+ÍBÕr(DC,OGI4 Note that then ËÌeÍ(^*_,O-',254 . But by Lemma 2, & 1 1 ® ® ® ® ® 82~ y * 8¸- 82 RÂ8¸u *',.G©J-4 , which is a contradiction. & 2) Let z be “good”. We prove the theorem by induction on , by simultaneously Ï Ï ?A@ Ô ÍͳÕr(^Cp,.GA4JÔ ÍÍBÕA(^C[J*',.G proving the induction invariant :<;>= ® 4£RFåu L8u (DX[xAį . BASE ( ). Straightforward from Property 1 and the definition of a “good” differential. STEP ( |Ek thu ). We assume that the invariant is true for z z Öa® Ö¶8 (^Cp,OGI4 8 ËcÌeÍ£(+*',.-|,254® . In particular, there exists a pair , s.t. , where z Ï Ï Ô Í+ÍBÕr(DC,OGI4JÔ Í+ÍBÕr(DCbJ *',.G . Then, by Lemma 2, ;= z z z -® E Öa® 8~)>RÂ8: @ Öa®8K ¡y *® E©-® EËcÌeÍ£(+*',.-|,254® 8{)>RÂ8Q: @ Öa®8 ;>= ? ;= ? ® ® ® ¡y * E - E2 8x)>R , where the last equation follows from the easily verifiable ¡ ¡ ¡ ¡ ( E E 4%8w( E EËÌeÍ( ,= ,= 4.4 ,= ,D ¬ § equality w , for every . z " " " ® ® Ö 8{ËcÌeÍ(^*_,O-|,O24 This proves the theorem claim for . The invariant for , , follows from that and the “goodness” of z . Proof (Theorem 1). First, z is “good” iff it is possible. (The “if” part follows from the first claim of Lemma 3. The “only if” part follows from the second claim of Lemma 3 and the definition of a “good” differential.) Let z be possible. Then, by Lemma 1, ¡ Ï Ï e #S$ (^z48 : @ Ô Í+ÍBÕI(DCp,.GI4®}JmÔ ÍÍBÕr(DCNJm*_,OGJ½-4O®Ù8 ËÌeÍ(^*_,O-',254®^R & ;>= ? ®³² o . By Ï Ï : @ Ô ÍÍBÕr(DCp,.GI4®'J Ô ÍͳÕr(^CJk*',.GÀJ -4®¶8ÜËcÌeÍ(^*_,O-|,O24O®DR ? Lemma 2, ;>= is either or ¡ 8!-® 8½2A® u , depending on whether *® or not. (This probability cannot be , d ]5 = = & z #%$ (+z4F8èeH5 8 1 since is possible and hence “good”.) Therefore, 1v£¡ ^ d TU d ]5 J = = 3 A ^¡ ^ , as required. Finally, the only non-constant time computa- tion is that of Hamming weight. Note that technically, for Algorithm 2 to be log-time it would have to return (say) µ< ¡ #%$|&)(+z4 if the differential is impossible, or w³xly , if it is not. (The other valid possibility would be to include data-dependent shifts in the set of unit-cost operations.) The next two corollaries follow straightforwardly from Algorithm 2 Corollary 1. #%$'& is symmetric in its arguments. That is, for an arbitrary triple & & & #%$ (+*',.-0/1Ü254ñ8{#S$ (D-|, *t/13254}8K#%$ (^*_,2/1Ü-4 (^*_,O-|,O24 , . Therefore, in par- XbZ\ #%$ (+*',.-0/1Ü254Ê8XbZc\ed}#S$ (^*_,O-0/13254|8¸X[Z\s]ñ#S$ (^*_,O-0/13254 & & ticular, & . KrE -aK *YJH- 8*KrJ Corollary 2. 1) [Conjecture 1, [AKM98].] Let *YEH-¸8* and -aK 2 #%$ (+*',.-0/1325408ª#%$ (^*K,O-aKÂ/13254 * - 2 & . Then for every , & . 2) For every , , , & & (^*_,O-0/13254|8¸#%$ (+*ÀºÀ-|, *À¹À-Y/1324 #S$ . (+*',.-4 (+*K,O-KB4 ©*®.,O-®£«¶8è©*K ,.-aK « ü ® Proof. We say that and are equivalent, if ® for * J- 8 *K JH- (+*',.-4 (^*K,O-aK 4 YµQ , and . If and are equivalent then e e e A #S$ (^*_,O-0/13254|8¸#%$ (+*K,.-aK/13254 & & by the structure of Algorithm 2. Ï Ï ÍÍBÕr(^*_,O-4 Ö K8QÔ Í+ÍBÕI(^*K+,.-aK 4 1) The corresponding carries Ö)8¸Ô and are equal, since K K K K K K K J0- 4ÂJH(^* E0- 4|8QÖ *FEt-Y8Q* E0- Ö}8m(^*FJ0-4JH(+*LE0-4'8k(+* . Therefore, and KsJN-aK (+*',.-4 (^*K+,.-aK 4 *¶JN-8Q* iff and are equivalnet. (^*'º'-|, *'¹|-4 2) The second claim is straightforward, since (^*_,O-4 and are equivalent - for any * and . d TU J ;§p? (DC,OGI4 (DC0|>,OG3|4 e & Note that a pair is equivalent to J different pairs . In [DGV93, Sect. 2.3] it was briefly mentioned that the number of such pairs is not more d ;§p? 5 than ; this result was used to cryptanalyse IDEA. The second claim carries KÂ8{(+*Àº¶*KB4pEQ(^*¶¹¶*K 4 unexpected connotations with the well known fact that *¶E* . 5 Statistical Properties of Differential Probability Note that Algorithm 2 has two principal steps. The first step is a constant-time check of z<8k(+*',.-0/1324 #%$ (+z4|8¸u whether the differential is impossible (i.e., whether & ). The second step, executed only if z is possible, computes in log-time the Hamming weight of an -bit string. The structure of this algorithm raises an immediate question of what : @ #%$ (+z4 ~8ªuR & is the density of the possible differentials, since its average-case complexity (where the average is taken over uniformly and random chosen differentials z v[(+:<>@ #S$ (^z4'8QucREY:<l@ #%$ (+z4%~8uR wBx>y|p4 & ) is & . This is one (but certainly not the only or the most important) motivation for the current section. 6 Let & be a uniformly random variable. We next calculate the 8ÜR exact probabilities :b@ for any . From the results we can directly derive the distribution of . Knowing the distribution, one can, by using standard probabilistic tools, calculate the values of many other interesting probabilistic properties like the +R probabilities :b@ for any . e ¡ ª~8¸uR8 Theorem 2. 1) [Conjecture 2, [AKM98].] :b@ . ¡ e | | ¡ e uKáÞgüÜ :b@ 8ªeÂâ¦RF8ª â" jsâ 8 2) Let . Then & â ÞÂä.ÀµH >,£ ã . 1ß24 L8gƦÇ(^*_,O-',254 ¢K|8 Proof. Let zÀ8è(^*_,O-Q/ be an arbitrary differential and let , CÙ8kËcÌeÍ£(+*',.-|,254ÊJK(^*L¾å 4 ƦÇ(^*L¾å >,.-[¾å >,O2¾3 4 and ) be convenient shorthands. K - 2 C C Since * , and are mutually independent, and (and also and ) are pairwise independent. A ® :b@ 8{uRM8k:<l@~ ¢KAº¶Ct8mucR8 ( µN:<l@ ¢K 8 >,.C 8 ® ®B² 1) From Theorem 1, o e A ¡ ¡ ¡ ® }µ aRD4¯8 (O µq:<>@ §K 8 aR :<@ C 8ª R 4×8 }µH 8 ® ®³² ®B² o e r ¡ . ÎSÏÐÑ ï (Dtµq 4 uNæÞ ü! :<>@ î ( c48±ÞsR8 2) Let úß8 . First, clearly, for any , â eÂâ ¡ ¡ ¡ " d ]¡¢££ ï ï = = @ î ( c4|8qÞsRÂ8 8Qã ÞÂäOÊ, :<l@ î (+»¤ ʺ : and therefore ¡ ¡ â e Ââ â ¡ ¡ ¡ r r r e e " ú¯4|8qÞsRÂ8qã ¶µ }µÙÞÂä.ÀµH >, 8q jlâ 8 . â â î}ï( ºú¯4|8¸%µÀ µbÞ ¦ ¢KºC¶8Qu Let ¥ denote the event and let denote the event . ¦%® §K ºPC®8Qu :b@ å8¸eâ¦R8¸: @ ¥,=¦RÂ8 Let be the event ® . According to Algorithm 2, e e ¡ ® ® :<>@ ¦ y ¥)RÂ8 :<>@ ¦ y ¥}R :<>@ ¦§y ¥}RÂ8Q:<>@ ¥}R :<l@ ¥)R :<>@ ¥}R ®³² ®B² o , where we §K 8k used the fact that o . ¡ ® ® ® hu :<l@ ¦ y ¢K 8 aR8n:<>@ C 8nucR8 :<@ ¦ 8nuy ¢K 8 ® Now, if then ® , while e Ââ e ¡s ¢K 8¨ ® ucR©8 : @ ¦S®'y ¥}R<8 ® ®B² . Moreover, . Therefore, o , and hence e Ââ e ¡ ¡M ¡M ¡ Ââ ® :b@ å8¸ R8 :<>@ ¥}R ã ¶µ }µÙÞÂäO¶µH >, 8 :<@ ¦ y ¥)R8 ®B² o ¡ ¡ ¡ e ¡ ¡ e e jlâ ã ÞäO¶µ l, âÂ[8q âÂ". jsâ 8 & & . â â Corollary 3. Algorithm 2 has average-case complexity v[(O 4 . ¡ 8[oÂEÀ ,O 6>z As another corollary, , where & are two random [o ©À(D[oc4|8K©z ¬§".À6>#%$ (+z4'8uI« variables. has domain & , while has the com- ©À(D 4S8g©zÀ¬§".06r#%$ (+z4~8kuI« [o plementary domain & . Moreover, has constant ¡ [o%8uRÂ8{ µ¯wBx>y distribution (since :b@ ), while the random variable has binomial ª distribution with àY8 . Knowledge of the distribution helps to find further properties #%$'&}(+z4½AÂâ of #%$'& (e.g., the probabilities that ) by using standard methods from probability theory. ¡ ( One can double-check the correctness of Theorem 2 by verifying that 4e e e e ¡ 8 :b@ 8½AÂâ¦R|8m:b@ 8mucRÊ8~ ã ÞäO¶µ l, ° ° ² ² o o . Moreover, â â ¡ :b@ 8±AÂâRS8Ly ©À(^ 4 y :b@ 8èAÂâ¦R5E«y ©À(D 4 y :b@ 8èAÂâ¦RS8 o clearly o A ã ÞÂä.ÀµH >, , which agrees with Theorem 2. e eâ:b@ ª8 eÂâ¦R'8 é@ ×RÊ8 ° ² We next compute the variance of . Clearly, o ¡ ¡ â e ×R 8Ke , and therefore é@ . Next, by using Theorem 2 and the basic properties ¡ ¡ ¡ ¡ ¡ A é@ RÂ8¸u :b@ 8¸uRcE A â :b@ 8QA â¦RÂ8 ° ² of the binomial distribution, o ¡ â e e e e @¬ ¡L ¡À " 8 8 e â ã ÞÂä.ÀµH >, ã ÞÂäO¶µ l, ° ° ² ®B² o o ® ¬ â ¡ ¡ ë<ìAí e e e e @¬ ¤¬ @¬ ¡S ¡ ¡%3 @ ×RÂ8 b8 µ . Therefore, µYe . ª~8¸ucR Note that the density of possible differentials :b@ is exponentially small in . This can be contrasted with a result of O’Connor [O’C95] that a randomly selected -bit 2 #%$ (^*_,O-0/1Ü24|8¸#S$ TU+V(^*_,O-4 & Algorithm 3 Algorithm that finds all -s, s.t. & ¤(S CR INPUT: ¨ ¤S W CR OUTPUT: All ¨ -optimal output differences W S b 1. B¯R ; ¤S ¨CR 2. °±B ; è¤ ¤ 3. For A;B to do þ²S þ³W W S ¢ ¢ ¢ ¢ ECF ECF ECF E E E ECF B¯R b b´R If R then # þ²S þ þ W ¤ E E E E ¤ R ° ¤ B¶µ ¤ · else if A or or then W E E else B¸R ; 4. Return W . =¹ ¡\º ± l uIÚ ø permutation has a fraction of µ impossible differentials, independently of the choice of . Moreover, a randomly selected -bit composite permutation [O’C93], º ¡ >".rÁ` controlled by an -bit string, has a negligible fraction of impossible dif- ferentials. 6 Algorithms for Finding Good Differentials of Addition The last section described methods for computing the probability that a randomly picked differential z has high differential probability. While this alone might give rise to successful differential attacks, it would be nice to have an efficient deterministic al- gorithm for finding differentials with high differential probability. This section gives some relevant algorithms for this. ½0¾¿ ¶:±¼ 6.1 Linear-time Algorithm for » In this subsection, we will describe an algorithm that, given an input difference (^*_,O-4 , 2 #S$ (^*_,O-0/13254 finds all output differences , for which & is equal to the maximum TU+V (+*',.-4W6 80XbZc\e]_#%$'&}(^*_,O-0/1Ü24 differential probability of addition, #%$'& . (By Corol- lary 1, we would get exactly the same result when maximizing the differential probabil- - 2 *',.-4 (+*',.-4 ity under * or .) We say that such is ( -optimal. Note that when an - optimal 2 is known, the maximum differential probability can be found by apply- 8 (+*',.-ª/1 254 ing Algorithm 2 to z . Moreover, similar algorithms can be used ¡ wBx>y #%$'&}(^*_,O-0/1Ü24 to find “near-optimal” 2 -s, where is only slightly smaller than ¡ w³xly #%$ TU+Vc(^*_,O-4 & . 2 Theorem 3. Algorithm 3 returns all (^*_,O-4 -optimal output differences . ® ƦÇ(^*_,O-',254 8ªu Proof (Sketch). First, we say that position is bad if . According (^*_,O-4 q u to Theorem 1, 2 is -optimal if it is chosen so that (1) for every , if ® ® ® ® ® 8 ËcÌeÍ£(+* ,O- ,O2 4)8k* ƦÇ(^*_,O-|,O24 then , and (2) the number of bad positions ;K (^*_,O-0/1320KB4 is the least among all such output differences 2 , for which is possible. For 2 Algorithm 4 A log-time algorithm that finds an (^*_,O-4 -optimal ¤(S CR INPUT: ¨ ¤S W CR OUTPUT: An ¨ -optimal > ¤ 1. ÀÁB¯R ; G S >ÄG ¨CRHb À 2. ÂÃB ; > > ¨JÂ+[ ¤a ¨CRHb´¨CR\[ ¤a£ 3. ÅÆB¸Â ; ¨ © ¨CÅs 4. °±B ; ? >HG å¨CÅÁIL¨CÅ ¤a£ À 5. ÅÆB ; å¨CÅÁI±Â¦§[K¤ 6. ÇÈB ; W > S >HG > >HG >ÄG 3¨£¨CRÄb8°I Ål3IL¨£¨CRÄb bN¨CRÁ[K¤W£ Å Ç7+IÀ¨CR Å Ç7 7. B ; W W >HG S > 3¨ ¤WIF¨£¨CR8b ¤a 8. B ; 9. Return W . *poPJ -ro achieving (1) we must first fix 2soð , and after that recursively guarantee that *® 8-® 8H2A® 2e® obtains the predicted value whenever . uÀ This, and minimizing the number of bad -s can be done recursively for every ® ® P8{u * 8{-~ Q×µ , starting from . If then is bad independently of the value of ® ® ¬ ©ur, « 2 2 2 . Moreover, either choice of places no restriction on choosing . This & 2A®pðö means that we can assign either 2e®ðáu or . ® ® ® 8½- . 8>ÞÙmu The situation is more complicated if * . Intuitively, if is even, ® ® ® ® ð * 2 ð »M* Þ then the choice 2 (as compared to the choice ) will result in bad Þ (D¦E¯ >,O¦EbjI,Ú¦ÚÚa,.¦Eb>Þ|µF 4 positions (D7,.¦EbA,¦ÚÚÚ,O¦EblÞʵl4 instead of bad positions . ®8Q>ÞME¯ <Hu Thus these two choices are equal. On the other hand, if . , then the choice Þ ÞñEt 2e®ðá*® 2e®ðá*® would result in bad positions compared to when , and hence is to be preferred over the second one. We leave the full details of the proof to the reader. 2 A linear-time algorithm that finds one (^*_,O-4 -optimal can be derived from Algorithm 3 ® ® ® ðá* ƦÇ(^*_,O-|,O24 8¸u straightforwardly, by assigning 2 whenever . *´8¸òlóIô¡Éeô£Ê -Y8qò>óÌËÍnÊIô As an example, let us look at the case 8{ ¦i , and . Then [(^*_,O-4F8åò>óÌˢɣÊnÊ (^*_,O-4 - , and by Algorithm 3 the set of -optimal values is equal to ¡ O¡ Î Î ¬ §¯E© E© §¯E© §¯E 8K©uI,.jr,'Ïe« §æ8k©ur, « , where , and , as always. There- #%$ TU+V(òlóAônÉeô£Êr,7ò>óÌËÍnÊIô4)8{#%$ (òlóAônÉeô£Êr,7ò>óÌËÍnÊIô©/1 ò>ó+Ðeò;ËnË4)8 & fore, for example, & e . ½0¾f¿ ¼ À: 6.2 Log-time Algorithm for » For a log-time algorithm we need a somewhat different approach, since in Algorithm 3 ® ® ® 2 2 the value of 2 depends on that of . However, luckily for us, only depends on ® ® ƦÇ(^*_,O-|,O24 8k 2 if , and as seen from the proof of Theorem 3, in many cases we ÆÇ(+*',.-|,254® 8¸u can choose the output difference 2A® so that ! ® 8Ü Moreover, the positions where ƦÇ(^*_,O-|,O24 must hold are easily detected. ® ® ® ® * 8!- 8 u ½u * 8- Namely (see Algorithm 3), if (1) %8!u and , or (2) and ® ® 8åu ÆÇ(+*',.-|,254 8á but à . Accordingly, we can replace the condition with the #S$ ` (+*4 TU+V Algorithm 5 A log-time algorithm for & INPUT: R P cB CR5 OUTPUT: ¨ cstvu ¢ ¤`F£c§dfehÑ+Òelknm kqsr e F q^q 1. Return ¥ . ® ® ® J¸- 4_ºLà condition »P(^* , and take additional care if is small. By noting how the ® values à are computed, one can prove that 2 Theorem 4. Algorithm 4 finds an (^*_,O-4 -optimal . Proof (Sketch, many details omitted). First, the value of à computed in the step 4 is >(^*_,O-4 “approximately” equal to -64 , with some additional care taken about the lowest 4 4 . . . bits. Let be the bit-reverse of (i.e., ® is equal to the length of longest common 8Q*® 8 -® 8kÚ¦ÚÚ~ 2A® alternating chain *®8¸-®ñ~ .). Step 7 computes (again, “approx- *®pJ´à® *®8!-® 2A®ð *®pJ -®5J¸*® *®~8g-® imately”) as (1) 2A®}ð , if , (2) if but ® ® ® ® ® ® 8 2 ð * * 8q-~ ÆÇ(+*',.-|,254 8Ku ƦÇ(^*_,O-|,O24 and (3) if and . Since the two last cases are sound, according to Algorithm 3, we are now left to prove that the first choice makes 2 optimal. But this choice means that in every maximum-length common alternating bit chain Ò Ò ® ® ® ® ® ® 8½- 8g*~ 8½- 8±ÚÚÚ_~~ 8* 8g- * , Algorithm 4 chooses all bits / & / & 1 1 Ò Ò 4 ® ® 2 )¶¬ @ Mµ. EQ >,.+R * 8k- , ® , to be equal to . By approximately the same , / & / & à 1 1 ® C. Á> arguments as in the proof of Theorem 3, this choice gives rise to ¿ bad bit positions @ µ. 4 E >,.R 2 in the fragment ® ; every other choice of bits would result in at least as , 8Q-® 8 ~ *®M8q-®+4 many bad positions. Moreover, since »P(^*® , it has to be the case & & 8-®~ *® 8-® 8Q*®p8¸-® 2e® that either *® or . In the first case, both choices of & & & & 2e® ð*® eEN make AEÙ bad. In the second case we must later take , which makes & & good, and enables us to start the next fragment from the position IE . (Intuitively, this Ï Ï 3*§4 Ì+* last fact is also the reason why Ì is here preferred over .) 1*¯JÙ-4 8 Note that Biham and Shamir used the fact #S$_&}(^*_,O-0/ d TUJ d£ J e3 e Js£Ó in their differential cryptanalysis of FEAL in [BS91b]. Often this value is significantly smaller than the maximum differential probability ¡ #S$ (^*_,O-4 *á8 -8 tµ #S$ (^*_,O-4 8 TU+V & TU+V & . For example, if , then , while #S$ (^*_,O-0/1*¯JÙ-4¶83#S$ (^*_,O-0/1áus4L8Üe & & . However, since FEAL only uses (^*_,O-4 2 f -bit addition, it is possible to find -optimal output differences by exhaustive search. This has been done, for example, in [AKM98]. 6.3 Log-time Algorithm for Double-Maximum Differential Probability We next show that the double-maximum differential probability #%$'&` (^*M4W6 8YX[Z\ #%$'&}(+*',.-0/13254|8 XbZc\ #S$_& TU+V(^*_,O-4 TU+V d ] d = #%$'& TU+Vc(^*_,O-4 of addition can be computed in time v[(^w³xly'p4 . (As seen from Algorithm 3, #S$_&` (+*4 #%$'&}(^*_,O-0/1Ü24 is a symmetric function and hence TU+V is equal to maxi- mized under any two of its three arguments.) In particular, the next theorem shows á ß^à 0 Ý Þ Ü ÚÌÛ -1 -2 ØÙ -3 -4 ÕÖ × Ô 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 R } #Xâ âߤã§ã cB £ þ ¨CR5 R Fig. 2. Tabulation of values , , for . For example, ¢ P } ã å ¤5FA cB cB £ þ þ Jä" ¨ ¨ and d;æ² #S$_&` (+*4 XbZc\ o5#%$'& TU+Vc(^*_,O-4 that TU+V is equal to the (more relevant for the DC) value 8±u whenever *n~ . Note that the naive algorithm for the same problem works in time ¡ ç 4 8k i ( , which makes it practically infeasible even for . *Ù¬Y§ #%$'&` (+*4 v[(DwBx>y_p4 Theorem 5. For every , Algorithm 5 computes TU+V in time . Proof (Sketch). By the same arguments as in the proof of previous theorem, given inputs ÎSÏÐÑ 4 2M6 8*×JQ(- (^*_,.*M4pº (D¯µ 4O4 (^*_,.*M4 (^*_,.*M4 , the value is -optimal. We now prove #%$ - 8ª*~ 20K (^*M4t8ª#%$ (+*', *4 &` & TU+V by contradiction that TU+V . Let and be such that TU+V #S$ (^*_,O-0/1320KB4N #S$ ´üáµm (^*_,.*M4 & & . By Algorithms 2 and 4, there is an 0KB4O®L8 -64l(^*_,.*M4®L8ª such that ÆÇ(+*',.-|,2 and . But then, on the other hand, since 1 2;K 4 -64l(^*_,.*M4®À8ö the differential (^*_,O-æ/ is possible and , it is also the case that ƦÇ(^*_,O-|,O2;K 4® -64>(+*', *4O®8 YÉè-64>(+*', *4O® 8åu 8èu . Since , we have also that ® -64>(^*_,.*M4 8¸u #S$ (^*_,O-0/1320KB4ñ #%$ TU+V(+*', *4 & . Therefore & . #%$ & ` Straightforwardly, Theorem 5 helps to find many interesting properties of TU+V . For ¹.¡ #%$ ` (^*M4b83 *tºH(+A µ 4[8nu X8é^ê #%$ ` (^*M4b8±e TU+V & TU+V example, & iff , and . ¡ #S$'&` (+*4 8 *Yº(e µQ 48 µëñEK Another consequence is that TU+V iff (1) for ìYüg *Yº(e µQ 48æ£ë u´íìü½tµQ some u´ , or (2) for some . For better #S$ ` (+*4 8¸f TU+V understanding, all values of & , , are depicted in Fig. 2. Once again, our results may be compared with the results in [O’C93,O’C95] that show that for an -bit permutation (resp. composite permutation, controlled by an - Á>e bit string) the expected probability of the maximum nonzero differential is º (resp. ). Further Work and Acknowledgments While we leave practical applications of our results as an open question, we note that our results have already been used in [MY00] for truncated differential cryptanalysis of Twofish. The current work bases somewhat on [Mor00], that had a (correct) linear-time al- gorithm for #%$'& , but with an incorrect proof. We would like to thank Eli Biham for notifying us about the results presented in the full version of [BS91b]. References [AKM98] Kazumaro Aoki, Kunio Kobayashi, and Shiho Moriai. The Best Differential Charac- teristic Search of FEAL. IEICE Trans. Fundamentals, E81-A(1):98–104,£ January 1998. ¤ [Ber92] Thomas A. Berson. Differential Cryptanalysis Mod ¢ with Applications to MD5. In Ernest F. Brickell, editor, Advances in Cryptology—CRYPTO ’92, volume 740 of Lecture Notes in Computer Science, pages 71–80. Springer-Verlag, 1993, 16–20 August 1992. [BS91a] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, 4(1):3–72, 1991. [BS91b] Eli Biham and Adi Shamir. Differential Cryptanalysis of Feal and N-Hash. In Don- ald W. Davies, editor, Advances on Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 1–16, Brighton, UK, April 1991. Springer- Verlag. Full version available from http://www.cs.technion.ac.il/˜biham/, as of April 2001. [Dae95] Joan Daemen. Cipher and Hash Function Design. Strategies based on linear and dif- ferential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, 1995. [DGV93] Joan Daemen, Rene´ Govaerts, and Joos Vandewalle. Cryptanalysis of 2.5 Rounds of IDEA. Technical Report 1, ESAT-COSIC, 1993. [Knu99] Lars Knudsen. Some Thoughts on the AES Process. Public Comment to the AES First Round, 15 April 1999. Available from http://www.ii.uib.no/˜larsr/serpent/, as of April 2001. [LMM91] Xuejia Lai, James L. Massey, and Sean Murphy. Markov Ciphers and Differential Cryptanalysis. In Donald W. Davies, editor, Advances on Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 17–38, Brighton, UK, April 1991. Springer-Verlag. [Miy98] Hiroshi Miyano. Addend Dependency of Differential/Linear Probability of Addition. IEICE Trans. Fundamentals, E81-A(1):106–109, January 1998. [Mor00] Shiho Moriai. Cryptanalysis of Twofish (I). In The Symposium on Cryptography and Information Security, Okinawa, Japan, 26–28 January 2000. In Japanese. [MY00] Shiho Moriai and Yiqun Lisa Yin. Cryptanalysis of Twofish (II). Technical report, IEICE, ISEC2000-38, July 2000. [NK95] Kaisa Nyberg and Lars Knudsen. Provable Security Against a Differential Attack. Jour- nal of Cryptology, 8(1):27–37, 1995. [O’C93] Luke J. O’Connor. On the Distribution of Characteristics in Composite Permutations. In Douglas R. Stinson, editor, Advances on Cryptology — CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 403–412, Santa Barbara, USA, August 1993. Springer-Verlag. [O’C95] Luke O’Connor. On the Distribution of Characteristics in Bijective Mappings. Journal of Cryptology, 8(2):67–86, 1995.