On additive differential probabilities of the composition of bitwise exclusive-or and a bit rotation
Properties of the additive differential probability adp^XR of the composition of bitwise XOR and a bit rotation are investigated, where the differences are expressed using addition modulo 2^n. This composition is widely used in ARX constructions, which consist of additions modulo 2^n, bit rotations and bitwise XORs. Differential cryptanalysis of such primitives may involve maximums of adp^XR in which some of its input or output differences are fixed. Although there is an efficient way to calculate this probability, many of its properties are still unknown. In this work we find the maximums of adp^XR for the case where the rotation is by one bit to the left or to the right and one of the input differences is fixed. Some symmetries of adp^XR are obtained as well. We also describe all of its impossible differentials in terms of regular expression patterns and estimate their number. It turns out to be maximal for the one-bit left rotation and noticeably smaller than the number of impossible differentials of bitwise XOR alone.
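The following is an added worked example, not code from the paper, that evaluates adp^XR by exhaustive enumeration for small word sizes so the quantities in the abstract can be inspected directly. It assumes the usual definition of adp^XR: for inputs x, y with additive input differences α, β (so x' = x + α, y' = y + β mod 2^n), the composition computes z = (x ⊕ y) <<< r, and adp^XR(α, β → γ) is the probability over uniform (x, y) that z' − z ≡ γ (mod 2^n). Rotation by r = 0 reduces the map to plain XOR, which gives a baseline for the impossible-differential comparison. The function names (`adp_xr_table`, `adp_xr`, `impossible_count`, `max_adp_fixed_input`) and the word size n = 4 are choices made for this illustration.

```python
# Added example: brute-force adp^XR for small n. Not the paper's code; the
# definition of adp^XR used here (additive differences in, additive difference
# out, composition z = (x ^ y) <<< r) is the standard one and is an assumption.
from collections import Counter
from itertools import product


def rotl(x: int, r: int, n: int) -> int:
    """Rotate the n-bit word x left by r positions (r = 0 or r = n is the identity)."""
    mask = (1 << n) - 1
    r %= n
    return ((x << r) | (x >> (n - r))) & mask


def adp_xr_table(n: int, r: int) -> Counter:
    """Count, for every (alpha, beta, gamma), the pairs (x, y) that realise it.

    adp^XR(alpha, beta -> gamma) = count / 2^(2n).  Triples that never occur are
    simply absent from the Counter; those are the impossible differentials.
    Complexity is 2^(4n) iterations, so keep n small (n = 4 is 65536 steps).
    """
    mask = (1 << n) - 1
    table = Counter()
    for x, y, a, b in product(range(1 << n), repeat=4):
        z = rotl(x ^ y, r, n)
        z2 = rotl(((x + a) & mask) ^ ((y + b) & mask), r, n)
        table[(a, b, (z2 - z) & mask)] += 1
    return table


def adp_xr(n: int, r: int, a: int, b: int, g: int, table: Counter = None) -> float:
    """adp^XR(a, b -> g) for an n-bit word and rotation by r (left)."""
    if table is None:
        table = adp_xr_table(n, r)
    return table[(a, b, g)] / (1 << (2 * n))


def impossible_count(table: Counter, n: int) -> int:
    """Number of (alpha, beta, gamma) triples with adp^XR = 0."""
    return (1 << (3 * n)) - len(table)


def max_adp_fixed_input(table: Counter, n: int, a: int) -> float:
    """max over (beta, gamma) of adp^XR(a, beta -> gamma): the input-fixed
    maximum the abstract studies for one-bit rotations."""
    best = max(c for (x, _, _), c in table.items() if x == a)
    return best / (1 << (2 * n))


if __name__ == "__main__":
    n = 4
    for r in (0, 1, n - 1):  # r = 0 is plain XOR, r = 1 / n-1 are one-bit left/right
        t = adp_xr_table(n, r)
        print(f"n={n} r={r}: impossible differentials = {impossible_count(t, n)} "
              f"of {1 << (3 * n)}")
    t1 = adp_xr_table(n, 1)
    for a in range(1 << n):
        print(f"alpha={a:0{n}b}: max adp^XR over (beta, gamma) = {max_adp_fixed_input(t1, n, a):.4f}")
```

The r = 0 table is the XOR baseline: every realisable triple there satisfies α_0 ⊕ β_0 ⊕ γ_0 = 0 (the low bit of an additive difference of XOR outputs is forced by the low bits of the inputs), which is why at least half of all XOR triples are impossible. With a nonzero rotation the forced low bit moves into a position that the carry chain can influence, so that simple parity constraint no longer applies; the table lets you measure the resulting count for any small n rather than take it on faith.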