Differential characteristics modulo $2^n$ of a composition of several bitwise exclusive ORs

Abstract

We study the additive differential probabilities $\mathrm{adp}^{\oplus}$ of compositions of $k - 1$ bitwise XORs. For vectors $a_1, \dots, a_{k+1} \in \mathbb{Z}_2^n$, it is defined as the probability of transforming the input differences $a_1, \dots, a_k$ into the output difference $a_{k+1}$ by the function $x_1 \oplus \dots \oplus x_k$, where $x_1, \dots, x_k \in \mathbb{Z}_2^n$ and $k > 2$. It is used in differential cryptanalysis of symmetric-key primitives, such as Addition-Rotation-XOR constructions. Several results that are known for $\mathrm{adp}^{\oplus}_2$ are generalized to $\mathrm{adp}^{\oplus}_k$. Some argument symmetries are proven for $\mathrm{adp}^{\oplus}_k$. Recurrence formulas that allow us to reduce the dimension of the arguments are obtained. All impossible differentials, as well as all differentials of $\mathrm{adp}^{\oplus}_k$ with probability 1, are found. For even $k$, it is proven that $\max_{a_1, \dots, a_k} \mathrm{adp}^{\oplus}(a_1, \dots, a_k \to a_{k+1}) = \mathrm{adp}^{\oplus}(0, \dots, 0, a_{k+1} \to a_{k+1})$. Matrices that can be used for efficiently calculating $\mathrm{adp}^{\oplus}_k$ are constructed. It is also shown that the cases of even and odd $k$ differ significantly.
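The even-k maximum stated in the abstract can be checked exhaustively for small word sizes. The following is an added example, not code from the paper; it assumes the standard definition of the additive differential probability of XOR (differences taken by addition modulo 2^n), and the function names are chosen here for illustration.

```python
from fractions import Fraction
from functools import reduce
from itertools import product
from operator import xor


def adp_xor(alphas, gamma, n):
    """Exact adp^xor_k(alphas -> gamma) over n-bit words, by exhaustive count.

    Assumed definition: the fraction of (x_1..x_k) for which
    XOR_i(x_i + a_i) - XOR_i(x_i) == gamma (mod 2^n).
    """
    mask = (1 << n) - 1
    k = len(alphas)
    hits = 0
    for xs in product(range(1 << n), repeat=k):
        before = reduce(xor, xs)
        after = reduce(xor, ((x + a) & mask for x, a in zip(xs, alphas)))
        if (after - before) & mask == gamma:
            hits += 1
    return Fraction(hits, 1 << (n * k))


def max_over_inputs(k, gamma, n):
    """Largest adp over all k-tuples of input differences, with one maximizer."""
    best, arg = Fraction(0), None
    for alphas in product(range(1 << n), repeat=k):
        p = adp_xor(alphas, gamma, n)
        if p > best:
            best, arg = p, alphas
    return best, arg


def even_k_claim_holds(k, n):
    """True if max adp(a_1..a_k -> g) == adp(0,..,0,g -> g) for every g."""
    for gamma in range(1 << n):
        best, _ = max_over_inputs(k, gamma, n)
        if best != adp_xor((0,) * (k - 1) + (gamma,), gamma, n):
            return False
    return True


if __name__ == "__main__":
    # Small constructed parameters; cost grows as 2^(2nk) per output difference.
    for k, n in [(2, 3), (4, 2)]:
        print(f"k={k}, n={n}: claim holds = {even_k_claim_holds(k, n)}")
    print("adp(0,1 -> 1), n=2:", adp_xor((0, 1), 1, 2))
```

The brute force is only practical for very small n and k; the matrices mentioned in the abstract are what make the computation efficient for real word sizes.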
