[PPT] - Rotational Cryptanalysis in the Presence of Constants Tomer Ashur PowerPoint Presentation

SLIDE 1

Rotational Cryptanalysis in the Presence of Constants

Tomer Ashur Yunwen Liu

ESAT/COSIC, KU Leuven, and imec, Belgium

FSE, March 2017

1

SLIDE 2

ARX

3

SLIDE 4

ARX

Symmetric-key designs

3

SLIDE 5

ARX

Symmetric-key designs
Addition + Rotation + XOR

3

SLIDE 6

ARX

Symmetric-key designs
Addition + Rotation + XOR
Differential cryptanalysis and linear cryptanalysis

3

SLIDE 7

ARX

Symmetric-key designs
Addition + Rotation + XOR
Differential cryptanalysis and linear cryptanalysis
Rotational cryptanalysis

3

SLIDE 8

Differences

4

SLIDE 9

Differences

XOR difference

Ek Ek x ⊕ δ x y ⊕ ∆ y

4

SLIDE 10

Differences

XOR difference

Ek Ek x ⊕ δ x y ⊕ ∆ y

Modular difference

Ek Ek x ⊞ δ x y ⊞ ∆ y

4

SLIDE 11

Differences

XOR difference

Ek Ek x ⊕ δ x y ⊕ ∆ y

Modular difference

Ek Ek x ⊞ δ x y ⊞ ∆ y

Rotational difference

Ek Ek x ≪ r x y ≪ r y

4

SLIDE 12

Rotational Cryptanalysis

5

SLIDE 13

Rotational Cryptanalysis

Circular Rotation (x ≪ r) ≪ s = x ≪ (r + s)

5

SLIDE 14

Rotational Cryptanalysis

Circular Rotation (x ≪ r) ≪ s = x ≪ (r + s) XOR (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r

5

SLIDE 15

Rotational Cryptanalysis

Circular Rotation (x ≪ r) ≪ s = x ≪ (r + s) XOR (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p

5

SLIDE 16

Rotational Cryptanalysis

Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p

6

SLIDE 17

Rotational Cryptanalysis

Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p When r = 1, p achieves the maximum. p = 2−1.415

6

SLIDE 18

Rotational Cryptanalysis

Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p When r = 1, p achieves the maximum. p = 2−1.415 Denote x ≪ 1 by ← − x for simplicity.

6

SLIDE 19

Rotational Cryptanalysis

Rotational Cryptanalysis (v1), [KN10]

The probability that a rotational distinguisher holds for an ARX primitive is determined by the number of modular additions. Pr = (2−1.415)#⊞

[KN10]: D. Khovratovich, I. Nikolic: Rotational Cryptanalysis of ARX, FSE 2010 7

SLIDE 20

Rotational Cryptanalysis

Rotational Cryptanalysis (v2), [KNP+15]

The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions.

8

SLIDE 21

Rotational Cryptanalysis

Rotational Cryptanalysis (v2), [KNP+15]

The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions. (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r (x ≪ r) ⊞ (y ≪ r) ⊞ (z ≪ r) = (x ⊞ y ⊞ z) ≪ r

[KNP+15]: D. Khovratovich, I. Nikolic, J. Pieprzyk, P. Sokolowski, R. Steinfeld: Rotational Cryptanalysis of ARX Revisited. FSE 2015 8

SLIDE 22

ARX with constants

10

SLIDE 24

ARX with constants

Complete system ARX-C

10

SLIDE 25

ARX with constants

Complete system ARX-C
Constants come with keys and round constants

10

SLIDE 26

ARX with constants

Complete system ARX-C
Constants come with keys and round constants

XOR with a rotational variable (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r

10

SLIDE 27

ARX with constants

Complete system ARX-C
Constants come with keys and round constants

XOR with a rotational variable (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r XOR with a constant (x ≪ r) ⊕ k

10

SLIDE 28

ARX with constants

Complete system ARX-C
Constants come with keys and round constants

XOR with a rotational variable (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r XOR with a constant (x ≪ r) ⊕ k

Previous analyses: experiment

10

SLIDE 29

Rotational cryptanalysis on ARX-C

11

SLIDE 30

Rotational cryptanalysis on ARX-C Ek Ek x ≪ r x y ≪ r y

11

SLIDE 31

Rotational cryptanalysis on ARX-C Ek Ek x ≪ r x y ≪ r y

Ek Ek x′ = x ≪ r x y y′⊕δ = y ≪ r

11

SLIDE 32

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ)

12

SLIDE 33

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ) ⊕ a)

12

SLIDE 34

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ) ⊕ a) ((a1, a2), γ)-Rotational-XOR difference (RX-difference) (x ⊕ a1, (x ≪ γ) ⊕ a2)

12

SLIDE 35

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ) ⊕ a) ((a1, a2), γ)-Rotational-XOR difference (RX-difference) (x ⊕ a1, (x ≪ γ) ⊕ a2) equivalent to (˜ x, (˜ x ≪ γ) ⊕ (a1 ≪ γ) ⊕ a2)

12

SLIDE 36

Rotational-XOR difference through ARX

13

SLIDE 37

Rotational-XOR difference through ARX

Rotation x

≪γ

− − − → x ≪ γ ← − x ⊕ a

≪γ

− − − → ← − − − − x ≪ γ ⊕ (a ≪ γ) ⇒ ((0, a), 1)

≪γ

− − − → ((0, a ≪ γ), 1)

13

SLIDE 38

Rotational-XOR difference through ARX

Rotation x

≪γ

− − − → x ≪ γ ← − x ⊕ a

≪γ

− − − → ← − − − − x ≪ γ ⊕ (a ≪ γ) ⇒ ((0, a), 1)

≪γ

− − − → ((0, a ≪ γ), 1) XOR x, y

⊕

− − → x ⊕ y ← − x ⊕ a, ← − y ⊕ b

⊕

− − → ← − − − x ⊕ y ⊕ (a ⊕ b) ⇒ ((0, a), 1), ((0, b), 1)

⊕

− − → ((0, a ⊕ b), 1)

13

SLIDE 39

Rotational-XOR difference through ARX

Modular addition

14

SLIDE 40

Rotational-XOR difference through ARX

Modular addition ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = (← − x ⊕ a2) ⊞ (← − y ⊕ b2) ⊕ ∆2

14

SLIDE 41

Rotational-XOR difference through ARX

Modular addition ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = (← − x ⊕ a2) ⊞ (← − y ⊕ b2) ⊕ ∆2 Sketch of proof:

14

SLIDE 42

Rotational-XOR difference through ARX

Modular addition ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = (← − x ⊕ a2) ⊞ (← − y ⊕ b2) ⊕ ∆2 Sketch of proof:

x = R(x) L0(x) R0(x) = L(x)

γ bits γ bits

14

SLIDE 43

Rotational-XOR difference through ARX

Modular addition ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = (← − x ⊕ a2) ⊞ (← − y ⊕ b2) ⊕ ∆2 Sketch of proof:

x = R(x) L0(x) R0(x) = L(x)

γ bits γ bits

The addition of two variables:

R(x) L(x) L(y) R(y)

R(x) R(y)

L(x) L(y) C1

n−γ

x

ne bit of carry

14

SLIDE 44

proof continued

LHS: ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − ((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1)||

((R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1))) ⊕ R(∆1)

15

SLIDE 45

proof continued

LHS: ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − ((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1)||

((R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1))) ⊕ R(∆1) = ((R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1))) ⊕ R(∆1)|| ((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1).

15

SLIDE 46

proof continued

LHS: ← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − ((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1)||

((R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1))) ⊕ R(∆1) = ((R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1))) ⊕ R(∆1)|| ((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1).

RHS: (← − x ⊕ a2) ⊞ (← − y ⊕ b2) ⊕ ∆2 = ((R(x) ⊕ L

′(a2)) ⊞ (R(y) ⊕ L ′(b2)) ⊞ C2

γ) ⊕ L

′(∆2)||

((L(x) ⊕ R

′(a2)) ⊞ (L(y) ⊕ R ′(b2))) ⊕ R ′(∆2).

15

SLIDE 47

Rotational-XOR difference through ARX

proof continued

((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1) =

((L(x) ⊕ R

′(a2)) ⊞ (L(y) ⊕ R ′(b2))) ⊕ R ′(∆2).

((R(x) ⊕ L

′(a2)) ⊞ (R(y) ⊕ L ′(b2)) ⊞ C2

γ) ⊕ L

′(∆2) =

(R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1)) ⊕ R(∆1),

16

SLIDE 48

Rotational-XOR difference through ARX

proof continued

((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1) =

((L(x) ⊕ R

′(a2)) ⊞ (L(y) ⊕ R ′(b2))) ⊕ R ′(∆2).

((R(x) ⊕ L

′(a2)) ⊞ (R(y) ⊕ L ′(b2)) ⊞ C2

γ) ⊕ L

′(∆2) =

(R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1)) ⊕ R(∆1), Consider the carry 0 + 0 = 00 0 + 1 = 01 1 + 0 = 01 1 + 1 = 10

16

SLIDE 49

Rotational-XOR difference through ARX

proof continued

((L(x) ⊕ L(a1)) ⊞ (L(y) ⊕ L(b1)) ⊞ C1

n−γ) ⊕ L(∆1) =

((L(x) ⊕ R

′(a2)) ⊞ (L(y) ⊕ R ′(b2))) ⊕ R ′(∆2).

((R(x) ⊕ L

′(a2)) ⊞ (R(y) ⊕ L ′(b2)) ⊞ C2

γ) ⊕ L

′(∆2) =

(R(x) ⊕ R(a1)) ⊞ (R(y) ⊕ R(b1)) ⊕ R(∆1), Consider the carry 0 + 0 = 00 0 + 1 = 01 1 + 0 = 01 1 + 1 = 10

Distribution of C1

n−γ and C2 γ, when γ = 1

Pr[C2

γ = 0, C1 n−γ = 0] = 2−1.415

Pr[C2

γ = 0, C1 n−γ = 1] = 2−1.415

Pr[C2

γ = 1, C1 n−γ = 0] = 2−3

Pr[C2

γ = 1, C1 n−γ = 1] = 2−3.

16

SLIDE 50

Rotational-XOR difference through ARX

proof continued x ⊞ y = (x ⊕ ζ1) ⊞ (y ⊕ ζ2) ⊕ ζ3 differential probability

17

SLIDE 51

Rotational-XOR difference through ARX

proof continued x ⊞ y = (x ⊕ ζ1) ⊞ (y ⊕ ζ2) ⊕ ζ3 differential probability x ⊞ y ⊞ 1 = (x ⊕ ζ1) ⊞ (y ⊕ ζ2) ⊕ ζ3 See Lemma 1

17

SLIDE 52

Rotational-XOR difference through ARX

proof continued x ⊞ y = (x ⊕ ζ1) ⊞ (y ⊕ ζ2) ⊕ ζ3 differential probability x ⊞ y ⊞ 1 = (x ⊕ ζ1) ⊞ (y ⊕ ζ2) ⊕ ζ3 See Lemma 1 RX-difference through modular addition:

Pr[← − − − − − − − − − − − − − − − − − − (x ⊕ a1) ⊞ (y ⊕ b1) ⊕ ∆1 = (← − x ⊕ a2) ⊞ (← − y ⊕ b2) ⊕ ∆2] = 1(I⊕SHL)(δ1⊕δ2⊕δ3)⊕1SHL((δ1⊕δ3)|(δ2⊕δ3)) · 2−|SHL((δ1⊕δ3)|(δ2⊕δ3))| · 2−3 + 1(I⊕SHL)(δ1⊕δ2⊕δ3)SHL((δ1⊕δ3)|(δ2⊕δ3)) · 2−|SHL((δ1⊕δ3)|(δ2⊕δ3))| · 2−1.415, where δ1 = R(a1) ⊕ L

′(a2), δ2 = R(b1) ⊕ L ′(b2), δ3 = R(∆1) ⊕ L ′(∆2)

17

SLIDE 53

SPECK Family

19

SLIDE 55

SPECK Family

NSA cipher
block size 32/48/64/96/128 (2n)
key size mn with m = 2, 3, 4

19

SLIDE 56

SPECK Family

NSA cipher
block size 32/48/64/96/128 (2n)
key size mn with m = 2, 3, 4

xi yi

≫ α ≪ β

xi+1 yi+1 ki

19

SLIDE 57

SPECK Family

NSA cipher
block size 32/48/64/96/128 (2n)
key size mn with m = 2, 3, 4

li+m−2 · · · li ki Ri ci

xi yi

≫ α ≪ β

xi+1 yi+1 ki

19

SLIDE 58

Application to SPECK32/64

20

SLIDE 59

Application to SPECK32/64

li+2 li+1 li ki Ri ci

xi yi

≫ α ≪ β

xi+1 yi+1 ki

20

SLIDE 60

Application to SPECK32/64

li+2 li+1 li ki Ri ci

xi yi

≫ α ≪ β

xi+1 yi+1 ki

Track RX-difference propagation in the key schedule

20

SLIDE 61

Application to SPECK32/64

li+2 li+1 li ki Ri ci

xi yi

≫ α ≪ β

xi+1 yi+1 ki

Track RX-difference propagation in the key schedule
Based on the good RX-trails found in the key schedule, track

the propagation of RX-differences in the encryption

20

SLIDE 62

Application to SPECK32/64

An RX-characteristic in the keyschedule

Round a1 b1 ∆1 a2 b2 ∆2 Predicted Empirical Accumulated Prob. Prob. Prob. 1 2−1.415 2−1.415 2−1.415 2 2−1.415 2−1.415 2−2.83 3 1 1 2 2−2.415 2−2.415 2−5.245 4 2 6 8 2−2.415 2−2.415 2−7.66 5 D C4 B 78 2−6.415 2−6.415 2−14.075 6 F4 1000 50 1088 2−7.415 2−7.415 2−21.49 Total 2−21.49 21

SLIDE 63

Application to SPECK32/64

An RX-characteristic in the keyschedule

Round a1 b1 ∆1 a2 b2 ∆2 Predicted Empirical Accumulated Prob. Prob. Prob. 1 2−1.415 2−1.415 2−1.415 2 2−1.415 2−1.415 2−2.83 3 1 1 2 2−2.415 2−2.415 2−5.245 4 2 6 8 2−2.415 2−2.415 2−7.66 5 D C4 B 78 2−6.415 2−6.415 2−14.075 6 F4 1000 50 1088 2−7.415 2−7.415 2−21.49 Total 2−21.49 Experimental probability: 2−25.046, leading to a weak-key class of size 239 All RX-differences are in hexadecimal notation. 21

SLIDE 64

Application to SPECK32/64

A corresponding RX-characteristic in the round function

Round Input diff. Key diff. Output diff. Predicted Empirical (left,right) (left,right)

accumu. Prob.
accumu. Prob.

0, 0 0, 0 2−1.415 2−1.415 1 0, 0 0, 0 2−2.83 2−2.85 2 0, 0 3 3, 3 2−4.245 2−4.27 3 3, 3 4 607, 60B 2−8.66 2−8.68 4 607, 60B 11 40E, 1C22 2−15.075 2−15.01 5 40E, 1C22 1B8 3992, 491A 2−21.49 2−21.44 6 3992, 491A 1668 333F, 1756 2−31.905 2−31.6 All RX-differences are in hexadecimal notation. 22

SLIDE 65

Application to SPECK32/64

A corresponding RX-characteristic in the round function

Round Input diff. Key diff. Output diff. Predicted Empirical (left,right) (left,right)

accumu. Prob.
accumu. Prob.

0, 0 0, 0 2−1.415 2−1.415 1 0, 0 0, 0 2−2.83 2−2.85 2 0, 0 3 3, 3 2−4.245 2−4.27 3 3, 3 4 607, 60B 2−8.66 2−8.68 4 607, 60B 11 40E, 1C22 2−15.075 2−15.01 5 40E, 1C22 1B8 3992, 491A 2−21.49 2−21.44 6 3992, 491A 1668 333F, 1756 2−31.905 2−31.6 All RX-differences are in hexadecimal notation.

Open-key model vs. Single-key model

22

SLIDE 66

Conclusion

24

SLIDE 68

Conclusion

We propose a new notion of difference: Rotational-XOR

difference

24

SLIDE 69

Conclusion

We propose a new notion of difference: Rotational-XOR

difference

Rotational cryptanalysis in the presence of constants can be

mathematically characterised

24

SLIDE 70

Conclusion

We propose a new notion of difference: Rotational-XOR

difference

Rotational cryptanalysis in the presence of constants can be

mathematically characterised

RX-distinguisher on SPECK32/64 is found

24

SLIDE 71

Conclusion

We propose a new notion of difference: Rotational-XOR

difference

Rotational cryptanalysis in the presence of constants can be

mathematically characterised

RX-distinguisher on SPECK32/64 is found
Further applications on ARX ciphers

24

SLIDE 72

Thank you!

25

Rotational Cryptanalysis in the Presence of Constants

Tomer Ashur Yunwen Liu

FSE, March 2017

Table of Contents

ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment Verification Conclusion

ARX

ARX

ARX

ARX

ARX

Differences

Differences

XOR difference

Ek Ek x ⊕ δ x y ⊕ ∆ y

Differences

XOR difference

Ek Ek x ⊕ δ x y ⊕ ∆ y

Modular difference

Ek Ek x ⊞ δ x y ⊞ ∆ y

Differences

XOR difference

Ek Ek x ⊕ δ x y ⊕ ∆ y

Modular difference

Ek Ek x ⊞ δ x y ⊞ ∆ y

Rotational difference

Ek Ek x ≪ r x y ≪ r y

Rotational Cryptanalysis

Rotational Cryptanalysis

Circular Rotation (x ≪ r) ≪ s = x ≪ (r + s)

Rotational Cryptanalysis

Circular Rotation (x ≪ r) ≪ s = x ≪ (r + s) XOR (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r

Rotational Cryptanalysis

Circular Rotation (x ≪ r) ≪ s = x ≪ (r + s) XOR (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p

Rotational Cryptanalysis

Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p

Rotational Cryptanalysis

Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p When r = 1, p achieves the maximum. p = 2−1.415

Rotational Cryptanalysis

Modular Addition (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r with probability p When r = 1, p achieves the maximum. p = 2−1.415 Denote x ≪ 1 by ← − x for simplicity.

Rotational Cryptanalysis

Rotational Cryptanalysis (v1), [KN10]

The probability that a rotational distinguisher holds for an ARX primitive is determined by the number of modular additions. Pr = (2−1.415)#⊞

Rotational Cryptanalysis

Rotational Cryptanalysis (v2), [KNP+15]

The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions.

Rotational Cryptanalysis

Rotational Cryptanalysis (v2), [KNP+15]

The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions. (x ≪ r) ⊞ (y ≪ r) = (x ⊞ y) ≪ r (x ≪ r) ⊞ (y ≪ r) ⊞ (z ≪ r) = (x ⊞ y ⊞ z) ≪ r

Table of Contents

ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment Verification Conclusion

ARX with constants

ARX with constants

ARX with constants

ARX with constants

XOR with a rotational variable (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r

ARX with constants

XOR with a rotational variable (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r XOR with a constant (x ≪ r) ⊕ k

ARX with constants

XOR with a rotational variable (x ≪ r) ⊕ (y ≪ r) = (x ⊕ y) ≪ r XOR with a constant (x ≪ r) ⊕ k

Rotational cryptanalysis on ARX-C

Rotational cryptanalysis on ARX-C Ek Ek x ≪ r x y ≪ r y

Rotational cryptanalysis on ARX-C Ek Ek x ≪ r x y ≪ r y

Ek Ek x′ = x ≪ r x y y′⊕δ = y ≪ r

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ)

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ) ⊕ a)

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ) ⊕ a) ((a1, a2), γ)-Rotational-XOR difference (RX-difference) (x ⊕ a1, (x ≪ γ) ⊕ a2)

Rotational-XOR difference

Combine rotational difference with XOR difference (x, (x ≪ γ) ⊕ a) ((a1, a2), γ)-Rotational-XOR difference (RX-difference) (x ⊕ a1, (x ≪ γ) ⊕ a2) equivalent to (˜ x, (˜ x ≪ γ) ⊕ (a1 ≪ γ) ⊕ a2)

Rotational-XOR difference through ARX

Rotational-XOR difference through ARX

Rotation x

− − − → x ≪ γ ← − x ⊕ a

− − − → ← − − − − x ≪ γ ⊕ (a ≪ γ) ⇒ ((0, a), 1)

− − − → ((0, a ≪ γ), 1)

Rotational-XOR difference through ARX

Rotation x

− − − → x ≪ γ ← − x ⊕ a