ON ADDITIVE DIFFERENTIAL PROBABILITIES OF A COMPOSITION OF BITWISE XORS Текст научной статьи по специальности «Математика»

2023 Математические методы криптографии № 60

УДК 519.7 DOI 10.17223/20710410/60/5

ON ADDITIVE DIFFERENTIAL PROBABILITIES OF A COMPOSITION OF BITWISE XORS1

I. A. Sutormin*, N. A. Kolomeec**

* Novosibirsk State University, Novosibirsk, Russia **Sobolev Institute of Mathematics, Novosibirsk, Russia

E-mail: ivan.sutormin@gmail.com, kolomeec@math.nsc.ru

We study the additive differential probabilities adp® of compositions of к — 1 bitwise XORs. For vectors al,...,ak+l e Zn, it is defined as the probability of transformation input differences a1,...,ak to the output difference ak+1 by the function x1 ф ... ф x , where x1,...,xk e Zn and k ^ 2. It is used for differential crypt-analysis of symmetric-key primitives, such as Addition-Rotation-XOR constructions. Several results which are known for adp® are generalized for adp®. Some argument symmetries are proven for adp®. Recurrence formulas which allow us to reduce the dimension of the arguments are obtained. All impossible differentials as well as all differentials of adp® with the probability 1 are found. For even k, it is proven that max adp® (а1,..., ak ^ ak+1) = adp®(0,..., 0, ak+1 ^ ak+1). Matrices that can

a1,...,ak

be used for efficient calculating adp® are constructed. It is also shown that the cases of even and odd k differ significantly.

Keywords: ARX, XOR, additive differential probabilities, differential cryptanalysis.

РАЗНОСТНЫЕ ХАРАКТЕРИСТИКИ ПО МОДУЛЮ 2n КОМПОЗИЦИИ НЕСКОЛЬКИХ ПОБИТОВЫХ ИСКЛЮЧАЮЩИХ ИЛИ

И. А. Сутормин*, Н. А. Коломеец**

* Новосибирский государственный университет, г. Новосибирск, Россия **Институт математики им. С. Л. Соболева СО РАН, г. Новосибирск, Россия

Исследуются разностные характеристики adp® по модулю 2n композиции к — 1 побитовых XOR. Для векторов a1,...,ak+1 e Zn они определяются как вероятность преобразования функцией x1 ф ... ф xk входных разностей а1,..., ak в выходную разность ak+1, где x1,...,xk e Zn и k ^ 2. Данные характеристики используются при разностном криптоанализе симметричных алгоритмов, в том числе ARX-конструкций, использующих только три операции: сложение по модулю 2n, побитовый XOR и циклический сдвиг битов. Показано, что многие свойства, известные для adp®, обобщаются на adp®. Доказаны симметрии аргументов adp®. Получены рекуррентные формулы, позволяющие уменьшить на 1 размерность аргументов n. Найдены все несовместные разности и все разности, при которых adp® равна 1. Для чётного к доказано, что max adp® (а1,..., ak ^

k a1,...,ak GZJ k

^ ak+1) = adp®(0,..., 0, ak+1 ^ ak+1). Построены матрицы, которые можно

1The work was carried out within the framework of the state contract of the Sobolev Institute of Mathematics (project no. FWNF-2022-0018).

использовать для вычисления adp® за линейное по n время. Показано, что случаи чётного и нечётного k существенно различаются.

Ключевые слова: ARX, XOR, разностные характеристики, сложение по модулю, разностный криптоанализ.

1. Introduction

Symmetric cryptography is used in many areas in the modern world: for fast data encryption (block and stream ciphers), for checking data integrity, for creating an electronic signature (cryptographic hash functions), etc. ARX is one of the constructions being used to develop these algorithms. All cryptographic primitives of this architecture use only three operations: addition modulo 2n (Addition, Ш), circular shift (Rotation, and bitwise addition modulo 2 (XOR, ф). Examples of ARX-based ciphers include the block ciphers FEAL [1], Threefish [2], one of the eSTREAM winners, the stream cipher Salsa20 [3] and its modification ChaCha20 [4] (it is a part of TLS 1.3), as well as SHA-3 finalists hash functions BLAKE [5] and Skein [2]. One of the well known problems of ARX ciphers is the complexity of their differential cryptanalysis.

Differential cryptanalysis is a statistical method for the analysis of symmetric-key primitives. It was proposed by E. Biham and A. Shamir in [6]. This attack uses pairs of the input differences AP and output differences AC with a high probability of ccurrence. The ordered pair (AP, AC) is called a differential. A common way to find such differential with a high probability is to construct a differential trail, i.e., a sequence (AP = AX0, AXi,..., AXp, AC = AXp+1), where AXb ..., AXp are some intermediate values that would occur after some operations. A common technique to construct a differential trail is to use a "greedy" strategy to pick the intermediate differences AXi+1 which have the highest probability of occurring for fixed AXj. Under some assumptions, we can multiply all the probabilities of a differential trail and obtain an estimation for the probability of the differential (AP, AC).

As for ARX ciphers, the difference A is typically one of their basic operations (addition or XOR). There are also approaches that use other A or even several different A, see, for instance, [7-10]. If we express the differences using addition modulo 2n, the additive differential probabilities are what we need. For an arbitrary function f : (Zn)k ^ Zn the probability adpf (a1,... ,ak ^ ak+1), where a1,..., ak+1 G Zn, is defined as

-Пт \{x\ ..., xk G Zn : f (x1 Ш a1,... ,xk Ш ak) = f (x1, ...,xk) Ш ak+1 }| .

2

However, the probability obtained by "greedy" strategy may be significantly different from the real one. For instance, even simple composition x ф y ф z can produce a high error. Let us choose the input differences a, 0, 0 for the first, second and third arguments respectively. Then the "greedy" strategy gives us

P = adp®(a, 0 ^ AX1) ■ adp®(AXb 0 ^ AX2).

It is known [11] that max adp® (a, 0 ^ 7) = adp®(a, 0 ^ a). Thus, we should choose

1

AX1 = a and then AX2 = a and obtain the result P = (adp®(a, 0 ^ a))2. At the same time, the function is symmetric, i.e., we can swap the first and the last arguments without changing the value/probabilities:

P = adp®(0, 0 ^ AX1) ■ adp®(AX1, a ^ AX2).

But adp®(0,0 ^ 0) = 1 is obviously the maximum value and max adp® (5, a ^ y) =

£,7

= adp®(0, a ^ a) = adp®(a, 0 ^ a). In this case, the "greedy" strategy gives us a different result: P = adp®(a, 0 ^ a).

Thus, if we apply this for the function x1 © x2 ©... © xk, we obtain two different results: P = (adp®(a, 0 ^ a))k and P = adp®(a, 0 ^ a). We can make the difference between them as big as we want by choosing a and k. Similar examples for other compositions can be found in [12].

One of the possible ways to reduce the error is to use the differential probabilities for the whole composition x1 © ... © xk:

1

adp®(aV..,ak ^ ak+1) = ^

{x1

k

,xk G Z^ : 0(a* ffl x*)

¿=1

a

k+1

ffl 0 x*}

¿=1

where a1,... , ak+1 G Z^. Though it is difficult to meet this operation for large k in real ciphers, at least x © x © x is used, for instance, in EDON-R [13].

In this paper, we study the properties of adp®. As a rule, n = 32 is used in ARX constructions that makes an exhaustive search inefficient. We generalize results obtained in [11, 14] for adp® = adp®. Symmetries, impossible differentials, maximums, where one of the arguments is fixed, are considered. All these things are interesting for constructing differential trails. In [14] a way to compute adp® in linear time multiplying special matrices was proposed. It was also generalized in [15]. We describe special matrices that can be used for calculating adp®.

The outline. Section 2 gives us necessary definitions. In Section 3, symmetries of adp® are proven (Theorem 1). Section 4 contains recurrence formulas that can be used to reduce the dimension of the arguments (Theorem 2). All impossible differentials (Theorem 3) and all differentials with the probability 1 (Theorem 4) are found in Section 5 (see also Remark 3). Section 6 provides maximums of the adp®, where one of its argument is fixed and k is even (Theorem 5). In Section 7, matrices that allow us to calculate adp® are constructed (Theorem 6 and eq. (6)). We note that the cases of even and odd k significantly differ. Some operations are not symmetries for odd k. The structure of the matrices is a little bit more complex for odd k. The maximums for odd k do not generalize the maximums for k = 2.

2. Definitions

Let Zn be a vector space of dimension n over a field consisting of two elements. Let x = (x1,..., xn) and y = (y1,..., yn) be elements of Z^ Then x1 and x0 are the vectors (x1,... ,xn, 1) and (x1,... ,xn, 0) from Zn+1 respectively. The bitwise XOR is denoted by x © y. Also, x = (x1 © 1,..., xn © 1) G Zn. We say that y ^ x if y^ ^ x^ for all i, 1 ^ i ^ n. We denote the Hamming weight of the vector x by wt(x). We associate the vector x with the integer x12n-1+x22n-2 + .. .+xn. Thus, xffly = (x+y) mod 2n, where x and y are considered as the corresponding integers. Also, —x is the vector from Zn whose corresponding integer is — x mod 2n.

Additive differential probability of the function f (x1

k 1 k , x ) — x w... w x

x1

G Zn, for a differential a1

ak

k+1 G Zn is defined as

xk

1

adp®(a1,...,ak ^ ak+1) — ^

kk {x1,...,xk G Zn : 0(a* ffl x*) — ak+1 ffl0 x*}

¿=1 ¿=1

Also, we denote adp® by adp®. Hereinafter we assume that k ^ 2.

3. Argument symmetries of adp®

Argument symmetries were proven for adp® in [11]. In this Section, we generalize that result for adp®, k ^ 3. It is straightforward that we can rearrange a1,..., ak calculating adp®(a^..., ak ^ afc+1), see the definition of adp®. Let us show that we can rearrange all

a

, a

fc+i

Proposition 1. For any a1,..., ak+1 G Zn and j G {1,..., k} the following holds:

adp® (a1,..., aj ,...,ak ^ ak+1) = adp® (a1,..., ak+1, ...,ak ^ aj ).

In other words, adp® is symmetric.

Proof. Since we can rearrange the arguments a1,..., ak, we can only show that

adp®(a1,..., ak ^ ak+1 ) = adp®(ak+1, a2,..., ak ^ a1).

Substituting in (1) © x* = y1, x* = y* for all i = 2,..., k, we get that

*=1

1

2«k

y1,...,yk G zn : ( ( © yA ffl a1) © © (a* ffl y*) = y1 ffl ak+1 ^=1 / / ¿=2

which is equivalent to

1

2«.fc

y1,...,yk G Zn : (y1 ffl ak+1 ) ©© (a* ffl y*) = ©yM ffl a1

¿=1

*=1

We have the definition of adp®(ak+1, a2,..., ak ^ a1). ■

Proposition 2. For any a1,..., ak+1 G Zn the following holds:

adp®(a1,... ,ak ^ ak+1) = adp®(a1 ffl 2n-1, a2 ffl 2n-1,a3,..., ak ^ ak+1).

Proof. It is not difficult to see that a ffl 2n-1 = a © 2n-1 since the vector 2n-1 G Zn has 1 only in the most significant position. We can transform the condition from the definition of adp®:

(a1 ffl x1) © (a2 ffl x2) = (a1 ffl x1) © 2n-1 © (a2 ffl x2) © 2n-1 =

= (a1 ffl x1 ffl 2n-1) © (a2 ffl x2 ffl 2n-1) = = ((a1 ffl 2n-1) ffl x1) © ((a2 ffl 2n-1 ) ffl x2).

There is no need to change the terms containing a3,..., ak+1. ■ Proposition 3. For any a1,..., ak+1 G Zn the following holds:

adp® (a1,..., ak ^ ak+1) = adp®(-a1,..., -ak ^ -ak+1).

Proof. By definition,

1

adp® (a1,..., ak ^ ak+1) = ^

x1 ,...,xk G Zn : ©(a* ffl x*) = © x* ffl a

*=1

*=1

vfc+1

1

2nfc

x1,...,xk G Zn : © x* = ©(a* ffl x*) ffl -ak+1

*=1 *=1

Substituting y* = x* ffl a* for all i = 1,..., k and using x* = y* ffl -a1, we can rewrite the definition:

{y\...,yk e zn : © (-a* ffl y*) = ^ ® —ak+1} .

We have got exactly adp®(-a1,..., —ak ^ —ak+1). ■

Proposition 4. For any a1,..., ak+1 e Zn the following holds:

adp®(a1,...,ak ^ ak+1) = adp®(—a1, —a2,a3,..., ak ^ ak+1).

Proof. First of all, we show that —x = x ffl 1 for any x e Zn:

—x = (2n — 1 — x) ffl 1 = x ffl 1.

Therefore, x = —x ffl —1 and for any y e Zn

xWV = —(x ffl y) ffl —1 = —x ffl —1 ffl —y = x ffl —y.

It is easy to see that for any bits x*, y* e Z2 the equality x © y = x* © y* holds. Therefore, for any x, y e Zn it holds that x © y = x © y. Now, we transform the condition from the definition of adp®:

(a1 ffl x1) © (a2 ffl x2) = (a1 ffl x1) © (a2 ffl x2) = (—a1 ffl x1) © (—a2 ffl x2). Using y* = x* for i =1, 2, we obtain the following:

(—a1 ffl y1) © (—a2 ffl y2).

We have got the condition from the definition of adp® (—a1, —a2, a3,..., ak ^ ak+1). ■

Finally, Propositions 1-4 give us the following theorem.

Theorem 1. Let k ^ 2, a1,..., ak+1 e Zn and £1,... ,£k+1 e Zn Then

adp® (a1,..., ak ^ ak+1) = adp®(£\..., £k ^ £k+1)

if £1,... , £k+1 are any of the following:

1) £* = an(t) for all i, 1 ^ i ^ k + 1, where n is a permutation on the set {1,..., k + 1};

2) for arbitrary S C {1,..., k + 1}, where |S| is even,

£ * = a* ffl 2n-1 for all i e S and £ * = a* for all i e {1,..., k + 1} \ S;

3) for arbitrary S C {1,..., k + 1}, where |S| is even,

£ * = —a* for all i e S and £* = a* for all i e {1,..., k + 1} \ S;

4) if k is even, for arbitrary S C {1, . . . , k + 1}

£* = —a* for all i e S and £ * = a* for all i e {1,..., k + 1} \ S.

1

2nfc

Proof. The first point directly follows from Proposition 1. To prove the second point, we just need to apply |S|/2 times Proposition 2 together with the first point. The same applies to the third point: it is sufficient to use Proposition 4 instead of Proposition 2. Let us prove the last point. Since k is even, the third point guaranties that

adp® (a1,...,ak ^ afc+1) = adp® (-a1, ..., -ak ^ afc+1).

By Proposition 3,

adp® (-a1,..., -ak ^ afc+1) = adp® (a1, ...,ak ^ -ak+1)

fc+u

which implies that

adp®(ai,..., ak ^ ak+1) = adp® (a1,..., ak ^ -ak+1).

Applying this equality |S| times together with the first point gives us the last point. ■

4. Recurrence formulas for the adp®

The recurrence formulas for the adp® obtained in [11] can be generalized for adp®. Note that all our further results will use them.

Theorem 2. For all a1,..., afc+1 G Z£, k ^ 2, and a vector of the least significant bits A G Zk+1 the following holds: 1) if wt(A) is odd, then

adp®(a1Ai,..., afcAfc ^ afc+1Afc+i) = 0; (2)

2) if k is odd and A = (1,..., 1) = 2k+1 - 1, then

adp®(a1A1,..., akAfc ^ afc+1Afc+1) =

2k E adp® (a1 ffl B1,..., a ffl Bfc ^ ak+1 ffl Bfc+1);

Bez:

fc+i

wt(B) is even

3) otherwise

2wt(A)

adp®(a1A1,..., akAfc ^ afc+1Afc+1) =

E adp® (a1 ffl B1,..., ak ffl Bfc ^ ak+1 ffl Bfc+1).

Bezk+1,

B-<A

Note that a% ffl B* is the addition modulo 2n, i.e., a% determines n, 1 ^ i ^ k + 1. Proof.

1) Let us prove that adp®(a1A1,... ,akAk ^ ak+1Ak+1) = 0 if wt(A) is odd. First of all, we define odd(x) = xn+1 for x G Zn+1, i.e., odd(x) = 1 if and only if x is odd as integer. It is clear that odd(x ffl y) = odd(x © y) = odd(x) © odd(y). By definition,

adp®(a1A1,..., akAfc ^ afc+1Afc+1) =

1

2(n+1)fc

x

x

G Zn+1 : 0 (x* ffl a* A*) = 0 x ffl afc+1Afc+1

¿=1

¿=1

1

Since wt(A) is odd,

odd( ( 0 (x* ffl a*A*) ) © ( 0 x* ffl afc+1Afc+1 ) ) = 0 odd(x*) © 0 odd(x*) © 0 A = 1. \î=1 J \Î=1 J *=1 *=1 *=1

It implies that for any x1,..., xk G Zn+1

0 (x* ffl a*A*) = 0 x* ffl afc+1Afc+1.

*=1 *=1

In other words, adp®(a1A1,..., akAk ^ afc+1Afc+1) = 0 since the condition from its definition cannot be satisfied.

2) Let us prove the equality (3). We rewrite the definition of adp® as

adp®(a11,..., ak 1 ^ ak+11) =

1 1 k

) ^ r- AJ2 , ^ . . . , ak G Z2

2(n+1)fc

k / k x1,... ,xk G Zn, a1,..., ak G Z2 : 0(a*1 ffl x*a*) = 0x*a* ) ffl ak+11

*=1 \î=1

We fix a tuple a1,..., ak. Using Proposition 1, we rearrange the adp® arguments so that a1 = a2 = ... = aj = 0 and aj+1 = ... = ak = 1 for some j ^ k. Then we rewrite the condition from the definition:

0 (a*1 ffl x*0) © 0 (a*1 ffl x*1) = [0 x*0 © 0 x*1 ) ffl ak+11 = *=1 *=j+1 \i=1 *=j+1 y

0(a* ffl x*)1 ) © ( 0 (a* ffl x* ffl 1)0 ) = ( 0 x*0 © 0 x*1 ) ffl ak+11.

*=1 y \*=j+1 y y=1 *=j+1 y

In the case of even j, we can rewrite the condition from the definition as

0(a* ffl x*) ] 0 © ( 0 (a* ffl x* ffl 1) ) 0 = ( 0 x* © 0 xM 1 ffl ak+11,

*=1 y y=j+1 y y=1 *=j+1 y

0(a* ffl x*) J 0 © ( 0 (a* ffl x* ffl 1H 0 ^ 0 x* © 0 xM ffl ak+1 ffl 1 J 0.

*=1 y ^=0+1 y \\i=1 i=0+1 / /

Now look at the corresponding condition from the definition of adp® (a1,..., a0, a0^1 ffl 1, ... ,ak ffl 1 ^ ak+1 ffl 1):

00 (a* ffl x*) © 0 (a* ffl x* ffl 1) = (0 x* © 0 x* ) ffl ak+1 ffl 1. *=1 1=0+1 \i=1 1=0+1

It is easy to see that if a tuple x1, . . . , xk satisfies one of these conditions, then it must also satisfy the other.

In the case of odd j, we can rewrite the condition from the definition as

0 (a* ffl x'n 1 © ( 0 (a* ffl x* ffl 0 x* © 0 xM 0 ffl ak+11,

*=1 y y=0+1 y y=1 1=0+1 /

0 (a* ffl x'n 1 © ( 0 (a* ffl x* ffl 0 x* © 0 x* | ffl ak+^ 1.

v*=1 y V i=j+1 / V V *=1 *=0+1

Now look at the corresponding condition from the definition of adp® (a1,..., aj, aj+1 ffl 1, ...,ak ffl 1 ^ afc+1):

0 (a* ffl x*) © 0 (a® ffl x* ffl 1) = ( 0 x* © 0 xM ffl afc+1.

i=1 i=j+1 U=1 i=j+1 /

It is easy to see that if a tuple x1,..., xk satisfies one of these conditions, then it must also satisfy the other.

The total number of tuples satisfying the conditions from the definitions for vectors of dimension n +1 is 2(n+1)kadp®(a11,..., ak 1 ^ ak+11), and for vectors of dimension n it is equal to 2nkadp® (a1,..., ak ^ ak+1). For every fixed tuple a1,..., ak, there is a unique adp® such that x*a* and x*, 1 ^ i ^ k, satisfy the corresponding conditions. Choosing all possible combinations of a1,..., ak, we obtain that

2(n+1)kadp®(a1A1,... ,akAfc ^ afc+1Afc+1) = = E 2nkadp®(a1 ffl B1,..., ak ffl Bfc ^ ak+1 ffl Bfc+1).

Bez k+1,

wt(B) is even

We recall that after the rearranging a1,..., ak we have the following: B1,..., Bj must be zero, Bj+1,..., Bk must be one, and Bk+1 = 1 if and only if j is even. That is why we consider only B of even weight. The equality (3) is proven.

3) Now, we prove the equality (4). Since we exclude the previous cases, wt(A) is even and there exists i, 1 ^ i ^ k + 1, such that A* = 0. Using Proposition 1, we rearrange the arguments of adp® so that Aj+1 = Aj+2 = ... = Ak+1 = 0, where j ^ k, and A1 = ... = = Aj = 1. We rewrite the definition of adp® (a1!,..., aj 1,aj+10,..., ak0 ^ ak+10):

|x1,...,xfc G Zn, a1,...,ak G Z2

1 J x1

2«(fc+1)

j k / j k

x*

0(a*1 ffl x*a*) © 0 (a*0 ffl x*a*) = ( 0 x*a* © 0 x*a*) ffl ak+10) *=1 *=j+1 m=1 *=j+1 ' '

We also fix the first j elements from the tuple a1,...,ak. Using Proposition 1, we rearrange the arguments of adp® so that a1 = ... = aq = 1 and aq+1 = ... = aj = 0 for some q ^ j. Then we can rewrite the condition from the definition as

0 (a*1 ffl x*1) © 0 (a*1 ffl x*0) © 0 (a*0 ffl x*a*) =

*=1 *=q+1 *=j+1

00 x*1 © 0 x*0 © 00 x*a* ) ffl ak+10, v*=1 *=q+1 *=j+1 J

0(a* ffl x* ffl 1)0 © 0 (a* ffl x*)1 © 00 (a* ffl x*)a* =

*=1 *=q+1 *=j+1

q j k \ f q k

0 x* © 0 x* © 0 x* 0 1 © 0 a* | ffl ak+10.

i*=1 *=q+1 *=j+1 / \*=1 *=j+1

Next, we rewrite it in the following way:

0 (a* ffl x* ffl 1) © 0 (a* ffl x*) © 0 (a* ffl x*) J I 0 1 © 0 a*

ki=1 *=q+1 *=j+1 y \i=q+1 *=j+1

0 x* ffl ak+1) ( 0 1 © 0 a* *=1 / y=1 *=j+1

Let us extract the condition for the least significant bit:

j k q k j

0 1 © 0 a* = 01 © 0 a*, which is equivalent to 0 1 = 0.

*=q+1 *=j+1 *=1 *=j+1 *=1

It is always satisfied since j = wt(A) is even. Now we consider the transformed condition without the least significant bit:

0 (a* ffl x* ffl 1) © 0 (a* ffl x*) © 0 (a* ffl x*) = 0 x* ffl ak+1.

*=1 *=q+1 *=j+1 *=1

It obviously matches the condition from the definition of

adp®(a1 ffl 1,..., aq ffl 1, aq+1,..., ak ^ ak+1).

If the tuple x1, . . . , xk satisfies the condition from the definition, then the tuple consisting of vectors x*1 for all i, i ^ q, vectors x*0 for all i, q < i ^ j and vectors x^ for all i, j < i ^ k, also satisfies the condition from the definition of adp®(a1 A1,...,akAk ^ ^ ak+1Ak+1) for all a*, j < i ^ k. There are 2k-j such solutions. We can also see that a* ffl 1 can occur only when A* =1. The total number of solutions of the conditions from the definitions for vectors of dimension n +1 is 2(n+1)k adp®(a1A1,..., akAk ^ ak+1Ak+1), and for vectors of dimension n it is equal to 2nk adp® (a1,..., ak ^ ak+1). Choosing all possible combinations of a*, we obtain

kA

= ^ 2nk2k-jadp®(a1 ffl B1,..., ak ffl Bk ^ ak+1 ffl Bk+1).

BeZk+1, B^A

Since j = wt(A), the equality (4) is proven. ■

Remark 1. We can extend the recurrence formulas for "empty" a1,..., ak+1, i.e., for a* A* e Z2. It is sufficient to assume that adp® (0,..., 0 ^ 0) = 1. Indeed, we obtain by the recurrence formulas exactly that adp®(A1,..., Ak ^ Ak+1) = 1 ^^ wt(A1,..., Ak+1) is even and adp®(A1,..., Ak ^ Ak+1) = 0 ^^ wt(A1,..., Ak+1) is odd. Remark 2. Using symmetries from Section 3 and the equality

a ffl 1 = (2n — 1) ffl —a ffl 1 = 2n ffl —a ffl — 1 ffl 1 = 2n ffl —a = —a,

we can replace a ffl 1 with a for a pair of arguments in the recurrence formulas (and for any argument if k is even). For instance,

adp® (a1, a1, a1 ^ a1) =

13 1

= -adp® (a, a, a ^ a) + -adp® (a, a, a ^ a) + -adp® (a, a, a ^ a). 8 4 8

2(n+1)k adp® (a1A1,..., akAk ^ ak+1Ak+1)

5. Zeros and ones of the adp®

For the purposes of cryptanalysis, it is important to distinguish the set of arguments on which adp® is equal to zero.

Theorem 3. For any k ^ 2 and any a1,..., ak+1 G Zn, the equality adp® (a1,..., ak ^ ak+1) = 0 holds if and only if there exists i, 1 ^ i ^ n, such that (a1,... ,ak+1) = = (0,..., 0), (a],..., ajk+1) = (0,..., 0) for all j, i < j ^ n, and one of the following conditions is true:

1) the vector (a1,..., ak+1) has odd weight;

2) (a1,..., ak+1) = (1,..., 1), k is odd, i > 1, and (a1-1,..., af+j1) is of odd weight.

Proof. Let us use induction by n. For n =1, adp®(a1,..., ak ^ ak+1), where a1,..., ak+1 G Z2, is equal to 0 if and only if (a1,... ,ak+1) is of odd weight. It is the

base of the induction. Suppose that the statement holds for n. Let us prove that it is true for n +1. We represent elements from Zn+1 as a1A1,..., ak+1Ak+1, where a1,..., ak+1 G Zn and A = (A1,..., Ak+1) G Z^1. First of all, we can assume that A = (0,..., 0). Indeed, adp®(a10,..., ak0 ^ ak+10) = adp®(a1,..., ak ^ ak+1) by Theorem 2. Moreover, the statement of the theorem takes it into account. Next, we need to consider three cases.

1) wt(A) is odd. According to Theorem 2, adp®(a1A1,..., akAk ^ ak+1Ak+1) = 0. It proves that the first condition is sufficient.

2) A = (1,..., 1) and k is odd. In this case

adp®(a11,..., ak 1 ^ ak+11) =

= 2k E adp® (a1 ffl B1,..., ak ffl Bfc ^ ak+1 ffl Bfc+1).

2 Bezk+1,

wt(B) is even

The least significant bits of a1 fflB1,..., ak+1 fflBk+1 are a^©B1,..., aJn+1 ©Bk+1. Moreover, wt(B) is even. Thus, if wt(an,..., a^+1) is odd, then wt(an © B1,..., a^+1 © Bk+1) is odd as well. It means that any of adp® (a1 ffl B1,..., ak ffl Bk ^ ak+1 ffl Bk+1) is equal to zero by induction.

Let wt(an,..., aJn+1) be even. Choosing (0,..., 0) or (1,1, 0,..., 0) as B and taking into account that k ^ 2, we obtain that at least one of (a^,..., aJn+1) and (a^ © 1, a^ © 1, a^,..., an+1) does not belong to {(0,..., 0), (1,..., 1)}. Moreover, both of them are of even weight. It means that at least one of adp®(a1,..., ak ^ ak+1) and adp®(a1 ffl 1, a2 ffl 1, a3,..., ak ^ ak+1) is not zero by induction. Therefore, adp® (a11,..., ak 1 ^ ak+11) is not zero as well.

Thus, in this case adp® (a11,..., ak 1 ^ ak+11) is zero if and only if wt(an,... ,a^+1) is odd. It proves the correctness of the second condition.

3) wt(A) is even and A G {(0,..., 0), (1,..., 1)}. In this case

1

adp®(a1A1,..., akAk ^ ak+1Ak+1) = E adp® (a1 ffl B1,..., ak ffl Bfc ^ ak+1 ffl Bfc+1).

Owt(A)

2 ( ) Bez^1, B^A

Without loss of generality we assume that A1 = A2 = 1, otherwise we can rearrange arguments by Theorem 1. Similarly to the previous point, at least one of (a^, a^, a^, ..., an+1), (an© 1, an, a^,... ,a^+1), (an, an © 1,a^,... ,a^+1) and (an© 1,a^ © 1,a^,... ,a^+1) is of even weight and does not belong to {(0,..., 0), (1,..., 1)}. Thus, the corresponding

adp® is not zero by induction. Therefore, adp®(a1Ai,..., akAk ^ afc+1Ak+i) is not zero as well.

It proves that the first condition is necessary, except for the cases A = (0,..., 0) and A = (1,..., 1) for odd k. ■

Note that the zeros of the function in the case of even k look similar to the zeros for adp®. The second point appears only for odd k and generates an additional set of zeros.

The arguments on which adp® is equal to 1 are also interesting.

Theorem 4. For any k ^ 2 and any a1,..., afc+1 G Z^, the equality adp® (a1,..., ak ^ afc+1) = 1 holds if and only if the vector (a1,..., a^1) has even weight, and one of the following conditions is true:

1) (a*,... ,af+1) = (0,... 0) for all i, 2 ^ i ^ n;

2) (a1,...,ak+1) = (l,..., 1), k is odd, n ^ 2, and (a1,..., atfc+1) = (0,... 0) for all i, 3 ^ i ^ n.

Proof. Let us use induction by n. For n =1, adp®(a1,..., ak ^ afc+1), where a1,..., afc+1 G Z2, is equal to 1 if and only if (a1,..., afc+1) is of even weight. It is the base of the induction. Suppose that the statement holds for n. Let us prove that it is true for n + 1. We represent elements from Zn+1 as a1A1,..., afc+1 Ak+1, where a1,..., afc+1 G Z^ and A = (A1,..., Ak+1) G Z2+1. Similarly to the proof of Theorem 3, we assume that A = (0,..., 0) (otherwise the statement is true by induction) and consider three cases.

1) wt(A) is odd, which means that adp®(a1A1,... , akAk ^ afc+1Afc+1) = 0=1.

2) A = (1,..., 1) and k is odd. In this case

adp®(a11,..., ak 1 ^ afc+11) = ^ E adp® (a1 ffl B1,..., ak ffl Bfc ^ afc+1 ffl Bfc+1),

2k

Bez,

fc+i 2

wt(B) is even

which implies that adp®(a11,..., ak 1 ^ ak+11) = 1 if and only if adp® (a1 ffl B1,..., ak ffl ffl Bfc ^ ak+1 ffl Bfc+1) = 1 for all B G Z2+1 of even weight.

The least significant bits of a1 ffl B1,..., ak+1 ffl Bk+1 are a^ © B1,..., a^1 © Bk+1. Choosing (0,..., 0) or (1,1, 0,..., 0) as B and taking into account that k ^ 2, we obtain that at least one of (a^,..., a^+1) and (a^ © 1,a^ © 1, a^,..., aJn+1) does not belong to {(0,..., 0), (1,..., 1)}. In other words, at least one of adp®(a1,..., ak ^ ak+1) and adp®(a1 ffl 1, a2 ffl 1, a3,..., ak ^ ak+1) is not equal to 1 if n > 1 by induction. If n = 1, then all adp® (a1 ffl B1,..., ak ffl Bfc ^ ak+1 ffl Bfc+1) = adp®(a1 © B1,..., aj © Bfc ^ ^ aj+1 © Bk+1) = 1 if and only if wt(a1,..., aj+1) is even.

Thus, in this case adp® (a11,..., ak 1 ^ ak+11) = 1 if and only if n =1 and wt(a^ ... ,aj+1) is even. It proves the correctness of the second condition. 3) wt(A) is even and A G {(0,..., 0), (1,..., 1)}. In this case

adp®(a1A1,..., afcAfc ^ afc+1Afc+1) = 1 E adp® (a1 ffl B1 ,...,ak ffl Bfc ^ ak+1 ffl Bfc+1).

2wt(A)

?ezk+1,

B-2A

This means that adp®(a1A1,..., akAk ^ ak+1Ak+1) = 1 if and only if adp®( ffl B1,..., ak ffl Bk ^ Q!fc+1 ffl Bk+1) = 1 for all B G ZJ+1 such that B X A.

a1

Without loss of generality we assume that A1 = 1, otherwise we can rearrange arguments by Theorem 1. Next, one of (an, an,..., an+1) and (an © 1, an,..., an+1) is of odd weight. Thus, one of adp®(a1,..., ak ^ ak+1) and adp®(a1 ffl 1,a2,...,ak ^ ak+1) is zero by Theorem 2 and adp®(a1A1,..., akAfc ^ afc+1Afc+1) = 1.

Together with the first point, it proves the correctness of the first condition. ■

Remark 3. The conditions from Theorems 3 and 4 for a1,...,ak+1 G Zn can be simplified. Let us define the following pattern symbols for elements of Z^1:

— * means any x G Z2+1,

— e and d mean any x G Z^1 of even and odd weight respectively,

— 0 and 1 mean (0,..., 0) and (1,..., 1) from Z^1 respectively.

Then adp®(a1,..., ak ^ ak+1) = 0 if and only if the vector

a,

(a1,

, a,

fc+i

))

matches

Similarly, adp®(a1

(*,..., *, d, 0,... , 0) for any k or (*,..., *, d, 1, 0,..., 0) for odd k.

, ak ^ ak+1) = 1 if and only if the vector (5) matches

(e, 0,..., 0) for any k or (e, 1, 0,..., 0) for odd k.

6. Maximums of the adp®

Also, for the purposes of cryptanalysis, the maximum values of adp® are of interest, where some argument (or arguments) is fixed. In the case of even k, it is not difficult to show that the maximum of the characteristic, where one its argument is fixed, is similar to the maximum for k = 2.

Theorem 5. Let k ^ 2 be even and y G Z2. Then

max adp®(x1,

x1,...,xk eZi?

,xk ^ Y) = adp® (0,..., 0, y ^ y).

Proof. Let us use induction by n. If n =1, adp®(0, see Theorem 4. It is the base of the induction.

Next, we assume that adp® (,51,...,^k

^V..,r,Y G

Z^.

Let a1 ,

ak, y

G

Z2,

Y ) A

G

, 0, y ^ Y) = 1 for any y G Z2,

adp®(0,..., 0,y ^ Y ) for any Z^1. We need to prove that

adp®(a1A1,..., ak Ak ^ YAk+1) ^ adp®(0,..., 0,YAk+1 ^ 7Afc+1). We divide the proof into the following cases.

Case 1 . A = (0,..., 0). According to Theorem 2, adp®(a1A1,... ,akAk ^ YAk+1) =

adp®(0,..., 0, y ^ Y).

, ak A

k ^

= adp®(a1,... ,ak ^ y ) and adp®(0,..., 0,YAk+1 ^ YAk+1) Thus, the induction hypothesis provides that adp®(a1A1,. ^ adp® (0,..., 0,YAfc+1 ^ YAfc+1).

Case 2 . wt(A) is odd. According to Theorem 2, adp®(a1A1 It proves the induction step.

Case 3 . wt(A) is even and Ak+1 = 0. Without loss of generality, we can assume that A1 = ... = Aw = 1 and Aw+1 = ... = Ak = 0, where w = wt(A). Indeed,

YAfc+1) akAfc ^ YAfc+1) = 0.

Proposition 1 allows us to rearrange the arguments of adp®. Then, Theorem 2 and the induction hypothesis give us that

adp®(a1A1,...,afc Ak ^ 70) = 2-w E adp® (a1 ffl B^...,aw ffl Bw ,aw+1,...,ak ^ 7)^

Bezf

^ 2-w ■ 2w ■ adp® (0,..., 0,7 ^ 7) = adp® (0,..., 0,70 ^ 7O).

Case 4. wt(A) is even and Ak+1 = 1. Similarly to the previous case, we assume without loss of generality that A1 = ... = Aw = 1 and Aw+1 = ... = A k = 0, where w = wt(A) — 1. According to Theorem 2,

adp®(a%,..., afcAfc ^ 7Afc+1) =

= 2-w-1E E adp®(a1 ffl B1,...,aw ffl Bw ,aw+1,...,a k ^ 7 ffl c) =

cez2 Bezf

= 2-w-1 E adp®(a1 ffl B1,...,aw ffl Bw ,aw+1,...,ak ^ 7) + +2-w-1 E adp® (a1 ffl B1,...,aw ffl Bw, aw+1,..., ak ^ 7 ffl 1).

Also, if the vector of the least significant coordinates has odd weight, i.e., wt(B) + c + + wt(an,... ,a£,7n) is odd, then adp®(a1 ffl B1,... ,aw ffl Bw ,aw+1,...,ak ^ 7 ffl c) = 0. It means that at least half of adp®(a1 ffl B1,..., aw ffl Bw, aw+1,..., ak ^ 7) are zero and at least half of adp®(a1 ffl B1,..., aw ffl Bw, aw+1,..., ak ^ 7 ffl 1) are zero. At the same time,

adp® (0,..., 0,71 ^ 71) = 1adp®(0,..., 0,7 ^ 7) + ^adp® (0,..., 0,7 ffl 1 ^ 7 ffl 1),

since adp® (0,..., 0,7 ^ 7 ffl 1) = adp®(0,..., 0,7 ffl 1 ^ 7) = 0. Finally, by the induction hypothesis and due to the least significant vectors of odd weight, we obtain that

2-w-1 E adp® (a1 ffl B1,..., aw ffl Bw ,aw+1,...,ak ^ 7) ^ Bezf

^ 2-w-1 ■ 2w-1 ■ adp®(0,..., 0,7 ^ 7) = ^dp® (0,..., 0,7 ^ 7).

Similarly,

2-w-1 E adp®(a1 ffl Bi,...,aw ffl , aw+1,..., ak ^ Y ^ 1) ^

^ 2-w-1 ■ 2w-1 ■ adp®(0,..., 0,7 ffl 1 ^ 7 ffl 1) = 1adp®(0,..., 0,7 ffl 1 ^ 7 ffl 1).

Thus, adp®(a1A1,...,ak Ak ^ 71) ^ adp®(0,..., 0,71 ^ 71). ■ For odd k the maximum looks different.

Corollary 1. For any odd k ^ 3 and 7 = 2n-1 + 2n-2 e Z^ the following holds:

adp®(7,7, 0,..., 0 ^ 0) < 1 = adp®(7,... ,7 ^ 7).

It directly follows from Theorem 4. However, for some cases we can generalize results of Theorem 5.

Bezf

Corollary 2. Let k ^ 3 be odd. Then for any 7 e Zn the following holds: max adp® (0, x1,... , xk-1 ^ 7) = adp®(0,..., 0,7 ^ 7).

Indeed, the proof of Theorem 5 is correct for this case since the first argument is zero. Thus, we will never use the case (1,..., 1) in the recurrence formulas which is the only difference between even and odd k. At the same time, we believe that for an arbitrary odd k the following holds.

Hypothesis 1. Let k ^ 3 be odd and 7 e Z£. Then

max adp® (x1,..., xk ^ 7) = adp® (7,..., 7 ^ 7). x1,...,xk ezn

Note that a problem connected with the values adp®(0,7 ^ 7) can be found in [16]. NSUCRYPTO-2014 [17] also included a problem related to ARX constructions.

7. A matrix approach for calculating adp®

The section is devoted to a generalization of the approach proposed in [14] for calculating adp®, i.e., adp®. There is also the S-function technique [15], which provides a matrix calculation algorithm that help to compute values of any S-function (including adp®). However, it does not allow us to obtain analytic expressions for the matrix elements, as well as relationship between matrices.

In this section, we will consider a vector space Q2k+1 over rationals. We assume that the coordinates of the vectors from Q2k+1 start with zero and for coordinate x12k + x22k-1 + +... + xk+1 we use both integer and binary vectors (x1,..., xk+1) representations, x e Zk+1. Let A e Zk+1 and k ^ 2. We define matrices M^ of size 2fc+1 x 2fc+1 in the following way:

{2-fc, if x = A, k is odd and wt(y) is even,

2-wt(x®A), if wt(x © A) is even and y © A X x © A, (6)

0, otherwise,

where x,y e Zk+1. Similarly to the elements of Q2k+1, we use both integer (starting with 0) and binary vector notations for the matrix indexes.

The next theorem follows from the Theorem 2 and gives us a way to calculate adp®.

Theorem 6. Let k ^ 2 and a1,..., afc+1 e Zn Then

adp® (a\ ..., ak ^ afc+1) = (^ ..., 1)M(t1,...,«i+1) ■ ... ■ M*,.^ )(1, 0 ..., 0)T

Proof. We use the recurrence formulas obtained in Theorem 2. First of all, we define [^]m = ,..., for any ^ e Zn and 1 ^ m ^ n. Also, [^]m ffl a means [^]m + a mod 2m, where a e Z2. Let x e Zk+1. We apply Theorem 2 to adp®([a1 ]m+1 fflx1,..., [ak]m+1 fflxk ^ ^ [afc+1]m+1 ffl xk+1). Let A = (am+1,... ,am+11). Then the vector of the least significant bits of the arguments is x © A. After applying the recurrence formulas, we obtain a sum of

adp® ([[a1 ]m+1 ffl x1]m ffl y1,..., [[ak]m+1 ffl xfc]m ffl yfc ^ [[afc+1]m+1 ffl xfc+1]m ffl yfc+1) for some y e Zk+1, y X x © A. Let us show that

[[ai]m+1 ffl xi]m ffl y = [a^]m ffl (yi © xi ■ Ai), (7)

where i = 1,...,k + 1 and y X x © A. Indeed, if (Aj,Xj) = (a^+^x^ = (1,1), i.e., xj ■ Aj = 0, then the addition of xj to [aj]m+1 may change only its least significant bit. Thus, [[aj ]m+1 H xj]m = [aj]m. If (Aj,xj) = (1,1), then yj = 0 since xj © Aj = 0 and y X x © A. Thus, [[aj]m+1 H xj]m H yj = [[aj]m+1 H 1]m = [aj]m H 1 = [aj]m H (yj © xj ■ Aj). Next, we denote by x ■ A the vector (x1 ■ A1,..., xk+1 ■ Ak+1). Let us show that

{y © (x ■ A) : y G Zk+1 and y X x © A} = {z G Zkk+1 : z © A X x © A}. (8)

Indeed, {y © (x ■ A) : y G and y X x © A} = {z G Zkk+1 : z © (x ■ A) X x © A}. At the same time, z © (x ■ A) X x © A ^^ z © A X x © A since for any i = 1,..., k + 1 we have the following: xj = Aj (i.e., xj © Aj = 1) implies that both zj © (xj ■ Aj) ^ 1 and zj © Aj ^ 1 always hold for any zj G Z2; also, xj = Aj implies that zj © (xj ■ Aj) — zj © Aj. Moreover, the following holds for x = A:

{y © (x ■ A) : y G Zk+1, wt(y) is even} = {z G Z^1 : wt(z) is even}. (9)

It is straightforward since in this case x © A = (1,..., 1) and x ■ A = (0,..., 0).

Theorem 2 allows us to express r = adp®([a1]m+1 H x1,..., [ak]m+1 H xk ^ [ak+1]m+1 H H xk+1) in the following way:

1) If wt(x © A) is odd, then r = 0.

2) If x © A = (1,..., 1) and k is odd, then according to (7) and (9) the following holds:

r = 2-k E adp®([a1]m H z1,..., [ak]m H zfc ^ [afc+1]m H zfc+1).

z: wt(z) is even

3) Otherwise, due to (7) and (8) we have that

r = 2-wt(x®A) £ adp®([a1]m H z1,..., [ak]m H zfc ^ [afc+1]m H zfc+1).

z: zffiA^xffiA

At the same time, we know how the matrix MA transforms the standard basis eX (it has 1 in the coordinate x and 0 in all other coordinates) for all x G Zkk+1: (MA)y,x is the y-th coordinate of MAeej, where y G Zkk+1, which is equal to

2-k, if x = A, k is odd and wt(y) is even,

2-wt(x®A), if wt(x © A) is even and y © A X x © A, 0 otherwise.

It is not difficult to see that the mapping MA completely corresponds to the points 1, 2, and 3. It other words, we can consider it as a "state" transformation: it maps all multipliers of adp®([a1]m+1 Hx1,..., [ak]m+1 Hxk ^ [ak+1]m+1 Hxk+1) (for all x G Z^1) to all multipliers of adp®([a1]m Hy1,..., [ak]m H yk ^ [ak+1]m Hyk+1) (for all y G Z^1). Since we start with adp®(a1,...,ak ^ ak+1), it corresponds to the "state" e0r. Thus, the final multipliers are

s = Mk 1 ... Mk , ej,

(a 1,...,a ) («n,...,an+ ) 0 '

see Remark 1 for the case n =1. Finally, adp®(a1,..., ak ^ ak+1) = (1,..., 1) ■ s. ■

Corollary 3. If k is even, then (MA)y,x = (M0)y®A,X®A, A,x,y G Zkk+1. It means that all MA can be obtained from each other using some permutations of rows and columns.

This does not hold for odd k. However, almost the same thing is true: we swap x and x © A columns, after that we swap y and y © A rows of Mq except for the rows A and (1,...,1).

The proof follows directly from the definition of M^. Thus, the difference in recurrence formulas gives us some difference in the calculation of the adp® for odd and even k. Some matrices for k = 3 are presented bellow:

8

'8 0 0 2 0 0 0 0 2 0 0 0 0 2 0 0 0 2 0 0 0 0 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

2 2 00

MJ, 200 000 200 00000 02200 02000 00200 00000 00000 00000 00000 00000 00000 00000 00000 00000

0,0,0) 2202 2000 0200 0000 0002 0000 0000 0000 2202 2000 0200 0000 0002 0000 0000 0000

8

0 0 1 000 000 0 0 1 000 0 0 1 0 0 1 000 000 0 0 1 0 0 1 000 0 0 1 000 000 0 0 1

For instance, if a1 = (0,0,1),

a

adpf (a1, a2, a3 ^ a4)

0020 0820 2 2 00

00 00 00

20 20 000 000 20 000020 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

00 00 00 00 00 00 00 00 00 00

M(0,0 0020 0220 0000 0200 0000 0200 0000 0200 0020 0020 0000 0000 0000 0000 0000 0000

„3

,0,1) 000 020 000 020 000 000 000 000 000 020 000 020 000 000 000 000

0 10' 200 000 0 1 0 000 2 1 0 0 1 0 000 000 2 1 0 0 1 0 000 0 1 0 200 000 0 10,

10 00 00 10 00 10 10 00 00 10 10 00 10 00 00 10

0000 0000 0000 0200 0000 0002 0000 0202 0000 0000 0000 0200 0000 0002 0000 0202

M(1,1 0000 0000 0000 0000 0000 0000 2000 2000 0000 0002 0000 0002 0000 0002 2000 2002

1,1) 000 000 000 000 000 000 000 000 000 000 200 200 002 002 202 202

000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 008

(0,0,1), a3 = (0,0,1), and a4 = (0,1,1), we obtain that

0,0,0,0)M(0,0,0,1)M(31,1,1,1)(1-, 0,... , Q)

T

16

8. Conclusion

We have generalized some properties of adp® to adp®. The results obtained show us that there is the difference between odd and even k, it looks like the case of odd k is more complicated. A generalization of other properties such as maximum for odd k is a topic for future research.

The authors would like to thank Nicky Mouha for interesting discussions and valuable advice.

REFERENCES

1. Shimizu A. and Miyaguchi S. Fast Data Encipherment Algorithm (FEAL). LNCS, 1988, vol. 304, pp. 267-278.

2. Ferguson N., Lucks S., Schneier B., et al. http://www.skein-hash.info — The Skein Hash Function Family, 2009.

3. Bernstein D. J. https://cr.yp.to/snuffle/spec.pdf — Salsa20 specification, 2005.

4. Bernstein D. J. https://cr.yp.to/chacha/chacha-20080128.pdf — ChaCha, a variant of Salsa20, 2008.

5. Aumasson J.-P., Meier W., PhanR.C.-W., and Henzen L. The Hash Function BLAKE. Berlin; Heidelberg, Springer, 2014.

6. Biham E. and Shamir A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptology, 1991, vol.4, no. 1, pp. 3-72.

7. Malyshev F. M. Veroyatnostnye kharakteristiki raznostnykh sootnosheniy dlya neodnorodnoy lineynoy sredy [Probabilistic characteristics of differential and linear relations for nonhomogeneous linear medium]. Matematicheskie Voprosy Kriptografii, 2019, vol.10, no.1, pp. 41-72. (in Russian)

8. Malyshev F. M. Raznostnye kharakteristiki osnovnykh operatsiy ARX-shifrov [Differential characteristics of base operations in ARX-ciphers]. Matematicheskie Voprosy Kriptografii, 2020, vol.11, no.4, pp. 97-105. (in Russian)

9. Leurent G. Analysis of differential attacks in ARX constructions. LNCS, 2012, vol. 7658, pp. 226-243.

8

10. Leurent G. Construction of differential characteristics in ARX designs application to Skein. LNCS, 2013, vol.8042, pp. 241-258.

11. Mouha N., Kolomeec N., Tokareva N., et al. Maximums of the additive differential probability of exclusive-or with one fixed argument. IACR Trans. Symmetric Cryptology, 2021, vol. 2021, no. 2, pp. 292-313.

12. Velichkov V., Mouha N., De Canniére C., and Preneel B. The additive differential probability of ARX. LNCS, 2011, vol.6733, pp. 342-358.

13. Gligoroski D., 0degard R. S., MihovaM., et al. Cryptographic hash function Edon-R'. Proc. 1st Intern. Workshop on Security and Communication Networks, Trondheim, Norway, 2009, pp. 1-9.

14. Lipmaa H., Wallen J., and Dumas P. On the additive differential probability of Exclusive-Or. LNCS, 2004, vol.3017, pp. 317-331.

15. Mouha N., Velichkov V., De Canniére C., and Preneel B. The differential analysis of S-func-tions. LNCS, 2011, vol.6544, pp. 36-56.

16. Gorodilova A., Tokareva N., Agievich S., et al. An overview of the eight international olympiad in cryptography "Non-Stop University Crypto". Siberian Electronic Math. Reports, 2022, vol.19, no. 1, pp. A9-A37.

17. Agievich S. V., Gorodilova A. A., Tokareva N. N., et al. Problems, solutions and experience of the first international student's Olympiad in cryptography. Prikladnaya Diskretnaya Matematika, 2015, no.3, pp. 41-62.