TY - JOUR
AU - Mouha, Nicky
AU - Kolomeec, Nikolay
AU - Akhtiamov, Danil
AU - Sutormin, Ivan
AU - Panferov, Matvey
AU - Titova, Kseniya
AU - Bonich, Tatiana
AU - Ishchukova, Evgeniya
AU - Tokareva, Natalia
AU - Zhantulikov, Bulat
PY - 2021/06/11
Y2 - 2022/08/13
TI - Maximums of the Additive Differential Probability of Exclusive-Or
JF - IACR Transactions on Symmetric Cryptology
JA - ToSC
VL - 2021
IS - 2
SE - Articles
DO - 10.46586/tosc.v2021.i2.292-313
UR - https://tosc.iacr.org/index.php/ToSC/article/view/8912
SP - 292-313
AB - <p>At FSE 2004, Lipmaa et al. studied the additive differential probability adp<sup>⊕</sup>(α,β → γ) of exclusive-or where differences α,β,γ ∈ F<sup>n</sup><sub>2</sub> are expressed using addition modulo 2<sup>n</sup>. This probability is used in the analysis of symmetric-key primitives that combine XOR and modular addition, such as the increasingly popular Addition-Rotation-XOR (ARX) constructions. The focus of this paper is on maximal differentials, which are helpful when constructing differential trails. We provide the missing proof for Theorem 3 of the FSE 2004 paper, which states that max<sub>α</sub>,<sub>β</sub>adp<sup>⊕</sup>(α,β → γ) = adp<sup>⊕</sup>(0,γ → γ) for all γ. Furthermore, we prove that there always exist either two or eight distinct pairs α,β such that adp<sup>⊕</sup>( α,β → γ) = adp<sup>⊕</sup>(0,γ → γ), and we obtain recurrence formulas for calculating adp<sup>⊕</sup>. To gain insight into the range of possible differential probabilities, we also study other properties such as the minimum value of adp<sup>⊕</sup>(0,γ → γ), and we find all γ that satisfy this minimum value.</p>
ER -