    A Bit-Vector Differential Model for the Modular Addition by a Constant

    ARX algorithms are a class of symmetric-key algorithms constructed from Addition, Rotation, and XOR, which achieve the best software performance on low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty in formulating this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers that include this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains $O(\log_2 n)$ basic bit-vector constraints and describes the binary logarithm of the differential probability. We also present an SMT-based automated method to look for differential characteristics of ARX, including constant additions, and we provide an open-source tool, ArxPy, to find ARX differential characteristics in a fully automated way. To provide some examples, we have searched for related-key differential characteristics of TEA, XTEA, HIGHT, and LEA, obtaining better results than previous works. Our differential model and our automated tool allow cipher designers to select the best constant inputs for modular additions and cryptanalysts to evaluate the resistance of ARX ciphers against differential attacks.

    Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck

    We propose the first adaptation of Matsui's algorithm for finding the best differential and linear trails to the class of ARX ciphers. It is based on a branch-and-bound search strategy, does not use any heuristics and returns optimal results. The practical application of the new algorithm is demonstrated on reduced-round variants of block ciphers from the Speck family. More specifically, we report the probabilities of the best differential trails for up to 10, 9, 8, 7, and 7 rounds of Speck32, Speck48, Speck64, Speck96 and Speck128 respectively, together with the exact number of differential trails that have the best probability. The new results are used to compute bounds, under the Markov assumption, on the security of Speck against single-trail differential cryptanalysis. Finally, we propose two new ARX primitives with provable bounds against single-trail differential and linear cryptanalysis -- a long-standing open problem in the area of ARX design.
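    Both abstracts above rest on the same building block: the differential probability (DP) of modular addition, which the SMT search of the first paper and the Matsui-style branch-and-bound of the second both consume per non-linear operation. The following is an added example, not code from ArxPy or from either paper. It implements the closed-form two-input model of Lipmaa and Moriai (FSE 2001, "Efficient Algorithms for Computing Differential Properties of Addition"), checks it against brute force on a small word size, and then shows by enumeration why addition by a constant needs its own model: for a fixed constant the DP depends on the constant's value, and the two-input formula with a zero difference on the second operand only recovers the average over all constants. Function names and the word size are this example's own choices.

```python
# Added example (not part of the papers or of ArxPy): differential probability of
# modular addition, as consumed by SMT-based or Matsui-style trail searches.
# Differences are XOR differences; all arithmetic is modulo 2**n.


def _mask(n):
    return (1 << n) - 1


def _eq(x, y, z):
    """Bit i of the result is 1 iff x, y and z all agree in bit i."""
    return (~x ^ y) & (~x ^ z)


def _wt(x):
    return bin(x).count("1")


def lm_add_dp(alpha, beta, gamma, n):
    """Lipmaa-Moriai closed form for the DP of two-input modular addition:
    Pr[ ((x ^ alpha) + (y ^ beta)) ^ (x + y) == gamma ] over uniform n-bit x, y.

    Validity: eq(alpha<<1, beta<<1, gamma<<1) & (alpha ^ beta ^ gamma ^ (beta<<1)) == 0.
    Weight:   number of bit positions below the MSB where alpha, beta, gamma disagree.
    """
    m = _mask(n)
    a1, b1, g1 = (alpha << 1) & m, (beta << 1) & m, (gamma << 1) & m
    if _eq(a1, b1, g1) & (alpha ^ beta ^ gamma ^ b1) & m:
        return 0.0  # impossible differential: carries cannot produce gamma
    return 2.0 ** -_wt(~_eq(alpha, beta, gamma) & _mask(n - 1))


def exhaustive_add_dp(alpha, beta, gamma, n):
    """Brute-force reference for lm_add_dp (only sensible for small n)."""
    m = _mask(n)
    hits = 0
    for x in range(1 << n):
        for y in range(1 << n):
            if (((x ^ alpha) + (y ^ beta)) ^ (x + y)) & m == gamma:
                hits += 1
    return hits / (1 << (2 * n))


def const_add_dp(c, alpha, gamma, n):
    """DP that input difference alpha maps to gamma through x -> x + c mod 2**n,
    for one fixed constant c. There is no two-input shortcut for this value."""
    m = _mask(n)
    hits = sum(1 for x in range(1 << n)
               if (((x ^ alpha) + c) ^ (x + c)) & m == gamma)
    return hits / (1 << n)


def avg_const_add_dp(alpha, gamma, n):
    """Average of const_add_dp over every constant; this equals the two-input
    DP with beta = 0, which is what a search ignoring the constant would use."""
    return sum(const_add_dp(c, alpha, gamma, n) for c in range(1 << n)) / (1 << n)


if __name__ == "__main__":
    n = 2
    for c in range(1 << n):
        print(f"n={n} c={c}: DP(1 -> 1 through x + c) = {const_add_dp(c, 1, 1, n)}")
    print("two-input Lipmaa-Moriai model with beta=0:", lm_add_dp(1, 0, 1, n))
    # The per-constant values are 1, 0, 1, 0; the two-input model reports 0.5.
```

    Running the block shows the gap the first abstract describes: for a 2-bit word the differential 1 -> 1 through x + c holds with probability 1 for c in {0, 2} and probability 0 for c in {1, 3}, while the two-input model with a zero difference on the constant operand reports 1/2. A trail search that plugs the two-input model into a constant addition therefore mis-estimates the characteristic's probability for every concrete constant, which is exactly why a dedicated bit-vector model (and constant selection by designers) matters.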

    Some results on the joint distribution of the renewal Epochs prior to a given time instant

    Let $(S_n)_{n \ge 0}$ be a renewal process with interarrival times $X_1, X_2, \dots$. Several results on the behavior of the renewal process up to a given time $t > 0$ or up to a given $S_n = s$ are proved. For example, $X_1$ is stochastically dominated by $X_{N(t)+1}$, and $X_0 = 0, X_1, \dots, X_{N(t)+1}$ is a stochastically increasing sequence, where $N(t) = \sup\{n \ge 0 \mid S_n \le t\}$. Conditions are given under which the distribution of the process $(S_{[nt]})_{0 \le t \le 1}$, given that $S_n = s$, converges weakly in $D[0,1]$ to the point mass at the function $x_s(t) = st$. The result holds, for example, if $X_1$ has a strongly unimodal distribution or if $E(X_1^2 \mid S_2) \le S_2^2 / (2(1+c))$ a.s. for some $c > 0$. In this context some new characterizations of the gamma, Poisson, binomial and negative binomial distributions are derived.

    Keywords: renewal process; fixed time; fixed number of renewals; inspection paradox; asymptotic behaviour; characterization of distributions