Analysis of Xorrotation With Application to an HC-128 Variant

Many cryptographic primitives rely on word rotations (R) and xor (X) to provide proper mixing. We give RX-system mixing a very general treatment and deduce some theoretical results on related probability distributions. Pure RX-systems are easy to break, so we show how to apply our theory to a more complex system that uses RX operations in combination with S-boxes. We construct an impractical (keystream complexity 2^{90.9}), but new and non-trivial distinguisher for a variant of HC-128 for which modular addition is replaced with xor