Exact Formula for RX-Differential Probability Through Modular Addition for All Rotations

[en] This work presents an exact and compact formula for the probability of rotation-xor differentials (RX-differentials) through modular addition, for arbitrary rotation amounts, which has been a long-standing open problem. The formula comes with a rigorous proof and is also verified by extensive experiments. Our formula uncovers error in a recent work from 2022 proposing a formula for rotation amounts bigger than 1. Surprisingly, it also affects correctness of the more studied and used formula for the rotation amount equal to 1 (from TOSC 2016). Specifically, it uncovers rare cases where the assumptions of this formula do not hold. Correct formula for arbitrary rotations now opens up a larger search space where one can often find better trails. For applications, we propose automated mixed integer linear programming (MILP) modeling techniques for searching optimal RX-trails based on our exact formula. They are consequently applied to several ARX designs, including Salsa, Alzette and a small-key variant of Speck, and yield many new RX-differential distinguishers, some of them based on provably optimal trails. In order to showcase the relevance of the RX-differential analysis, we also design Malzette, a 12-round Alzette-based permutation with maliciously chosen constants, which has a practical RX-differential distinguisher, while standard differential/linear security arguments suggest sufficient security.

Disciplines :

Computer science

Author, co-author :

BIRYUKOV, Alexei ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS) ; University of Luxembourg > SnT

LAMBIN, Baptiste ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > Cryptolux > Team Alexei BIRYUKOV

UDOVENKO, Aleksei ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Cryptolux

External co-authors :

Language :

English

Title :

Exact Formula for RX-Differential Probability Through Modular Addition for All Rotations

Publication date :

07 March 2025

Event name :

FSE2025 - 31st Fast Software Encryption Conference

Event organizer :

International Association for Cryptologic Research (IACR)

Event place :

Rome, Italy

Event date :

March 17-21, 2025

Event number :

Audience :

International

Journal title :

IACR Transactions on Symmetric Cryptology

eISSN :

2519-173X

Publisher :

Universitatsbibliothek der Ruhr-Universitat Bochum

Volume :

2025

Issue :

Pages :

542-591

Peer reviewed :

Peer Reviewed verified by ORBi

Focus Area :

Security, Reliability and Trust

Additional URL :

https://tosc.iacr.org/index.php/ToSC/article/download/12087/11927
https://github.com/cryptolu/RX-Differentials-Probability

FnR Project :

FNR13641232 - Analysis And Protection Of Lightweight Cryptographic Algorithms, 2019 (01/01/2021-31/12/2023) - Alex Biryukov

Name of the research project :

R-AGR-3748 - C19/IS/13641232/APLICA - BIRYUKOV Alexei

Funders :

FNR - Luxembourg National Research Fund
DFG - German Research Foundation

Funding number :

C19/IS/13641232

Available on ORBilu :

since 25 March 2025

Statistics

Number of views

89 (4 by Unilu)

Number of downloads

29 (2 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

[AAE+ 14] Ange Albertini, Jean-Philippe Aumasson, Maria Eichlseder, Florian Mendel, and Martin Schläffer. Malicious hashing: Eve’s variant of SHA-1. In Selected Areas in Cryptography, volume 8781 of Lecture Notes in Computer Science, pages 1–19. Springer, 2014. 544
[AL16] Tomer Ashur and Yunwen Liu. Rotational cryptanalysis in the presence of constants. IACR Trans. Symmetric Cryptol., 2016(1):57–70, 2016. 542, 543, 545, 558, 559, 560, 561
[ARS+ 20] Seyyed Arash Azimi, Adrián Ranea, Mahmoud Salmasizadeh, Javad Mohajeri, Mohammad Reza Aref, and Vincent Rijmen. A bit-vector differential model for the modular addition by a constant. In ASIACRYPT (1), volume 12491 of Lecture Notes in Computer Science, pages 385–414. Springer, 2020. 555, 556
[ARS+ 22] Seyyed Arash Azimi, Adrián Ranea, Mahmoud Salmasizadeh, Javad Mohajeri, Mohammad Reza Aref, and Vincent Rijmen. A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis. Des. Codes Cryptogr., 90(8):1797–1855, 2022. 555, 556
[AY15] Riham AlTawy and Amr M. Youssef. Watch your constants: malicious Streebog. IET Inf. Secur., 9(6):328–333, 2015. 544
[BBdS+ 20a] Christof Beierle, Alex Biryukov, Luan Cardoso dos Santos, Johann Großschädl, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, and Qingju Wang. Alzette: A 64-bit ARX-box (feat. CRAX and TRAX). In CRYPTO (3), volume 12172 of Lecture Notes in Computer Science, pages 419–448. Springer, 2020. 543, 544, 566
[BBdS+ 20b] Christof Beierle, Alex Biryukov, Luan Cardoso dos Santos, Johann Großschädl, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, and Qingju Wang. Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symmetric Cryptol., 2020(S1):208–261, 2020. 566
[Ber08a] Daniel J Bernstein. ChaCha, a variant of Salsa20. In Workshop record of SASC, volume 8 (1), pages 3–5. Citeseer, 2008. 567
[Ber08b] Daniel J. Bernstein. The Salsa20 family of stream ciphers. In The eSTREAM Finalists, volume 4986 of Lecture Notes in Computer Science, pages 84–97. Springer, 2008. 567
[BSS+ 15] Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. The SIMON and SPECK lightweight block ciphers. In DAC, pages 175:1–175:6. ACM, 2015. 568, 569, 587
[CZX+ 23] Siwei Chen, Mingming Zhu, Zejun Xiang, Runqing Xu, Xiangyong Zeng, and Shasha Zhang. Rotational-XOR differential rectangle cryptanalysis on Simon-like ciphers. In CT-RSA, volume 13871 of Lecture Notes in Computer Science, pages 305–330. Springer, 2023. 542
[FWG+ 16] Kai Fu, Meiqin Wang, Yinghua Guo, Siwei Sun, and Lei Hu. MILP-based automatic search algorithms for differential and linear trails for Speck. In FSE, volume 9783 of Lecture Notes in Computer Science, pages 268–288. Springer, 2016. 562, 563
[HLK+ 13] Deukjo Hong, Jung-Keun Lee, Dong-Chan Kim, Daesung Kwon, Kwon Ho Ryu, and Donggeon Lee. LEA: A 128-bit block cipher for fast encryption on common processors. In WISA, volume 8267 of Lecture Notes in Computer Science, pages 3–27. Springer, 2013. 587
[HXW22] Mingjiang Huang, Zhen Xu, and Liming Wang. On the probability and automatic search of rotational-XOR cryptanalysis on ARX ciphers. Comput. J., 65(12):3062–3080, 2022. 543, 558, 566, 567, 570
[KN10] Dmitry Khovratovich and Ivica Nikolic. Rotational cryptanalysis of ARX. In FSE, volume 6147 of Lecture Notes in Computer Science, pages 333–346. Springer, 2010. 542
[KNR10] Dmitry Khovratovich, Ivica Nikolic, and Christian Rechberger. Rotational rebound attacks on reduced Skein. In ASIACRYPT, volume 6477 of Lecture Notes in Computer Science, pages 1–19. Springer, 2010. 543
[LM01] Helger Lipmaa and Shiho Moriai. Efficient algorithms for computing differential properties of addition. In FSE, volume 2355 of Lecture Notes in Computer Science, pages 336–350. Springer, 2001. 545, 564
[LWRA17] Yunwen Liu, Glenn De Witte, Adrián Ranea, and Tomer Ashur. Rotational-XOR cryptanalysis of reduced-round SPECK. IACR Trans. Symmetric Cryptol., 2017(3):24–36, 2017. 542, 543, 558, 569, 570
[Mac01] Alexis Warner Machado. Differential probability of modular addition with a constant operand. Cryptology ePrint Archive, Paper 2001/052, 2001. 555
[Mor15] Pawel Morawiecki. Malicious Keccak. Cryptology ePrint Archive, Paper 2015/1085, 2015. 544
[MVCP10] Nicky Mouha, Vesselin Velichkov, Christophe De Cannière, and Bart Preneel. The differential analysis of S-functions. In Selected Areas in Cryptography, volume 6544 of Lecture Notes in Computer Science, pages 36–56. Springer, 2010. 556
[NW97] Roger M Needham and David J Wheeler. TEA extensions. Report (Cambridge University, Cambridge, UK, 1997), 1997. 587
[Ran22] Adrián Ranea. Cascada 1.0, April 2022. 543, 558, 567
[RLA17] Adrián Ranea, Yunwen Liu, and Tomer Ashur. An easy to use tool for rotational-XOR cryptanalysis of ARX block ciphers. Proceedings of the Romanian Academy, Series A, 18(special issue):307–316, 2017. 558
[RR22] Adrián Ranea and Vincent Rijmen. Characteristic automated search of cryptographic algorithms for distinguishing attacks (CASCADA). IET Inf. Secur., 16(6):470–481, 2022. 567, 569, 570
[Sch13] Ernst Schulte-Geers. On CCZ-equivalence of addition mod 2n . Des. Codes Cryptogr., 66(1-3):111–127, 2013. 545
[SRB21] Sadegh Sadeghi, Vincent Rijmen, and Nasour Bagheri. Proposing an MILP-based method for the experimental verification of difference-based trails: application to SPECK, SIMECK. Des. Codes Cryptogr., 89(9):2113–2155, 2021. 566
[ST17] Yu Sasaki and Yosuke Todo. New impossible differential search tool from design and cryptanalysis aspects-revealing structural properties of several ciphers. In EUROCRYPT (3), volume 10212 of Lecture Notes in Computer Science, pages 185–215, 2017. 587
[Udo21] Aleksei Udovenko. MILP modeling of boolean functions by minimum number of inequalities. Cryptology ePrint Archive, Paper 2021/1099, 2021. 562
[XLSL19] Wenqian Xin, Yunwen Liu, Bing Sun, and Chao Li. Improved cryptanalysis on SipHash. In CANS, volume 11829 of Lecture Notes in Computer Science, pages 61–79. Springer, 2019. 558