The ADD differential probability of the F-function of TEA for a fixed key and round constants $\mathrm{adp}^{F}(k_0, k_1, \delta |~ da \rightarrow dd)$ , where $F(k_0, k_1, \delta |~ x) = ((x \ll 4) + k_0) \oplus (x + \delta) \oplus ((x \gg 5) + k_1)$ Complexity: $O(n) < c \le O(2^n)$ . More...

#include "common.hh"
#include "tea.hh"

Functions
bool	adp_f_check_x (const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, const uint32_t x)

bool	adp_f_is_sat (const uint32_t mask_i, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, int32_t x)

uint32_t	adp_f_assign_bit_x (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, uint32_t x_cnt, double prob)

double	adp_f_fk (const uint32_t n, const uint32_t dx, const uint32_t dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

uint32_t	adp_f_assign_bit_x_dx (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, uint64_t x_cnt, double ret_prob, uint32_t *ret_dx)

double	max_dx_adp_f_fk (const uint32_t n, uint32_t *ret_dx, const uint32_t dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

uint32_t	adp_f_assign_bit_x_dy (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, uint64_t x_cnt, double ret_prob, uint32_t *ret_dy)

double	max_dy_adp_f_fk (const uint32_t n, const uint32_t dx, uint32_t *ret_dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	all_dy_adp_f_fk (const uint32_t n, const uint32_t dx, uint32_t ret_dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const, uint64_t x_cnt)

uint32_t	adp_f_assign_bit_x_dx_dy (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, differential_t x_cnt, double ret_prob, uint32_t ret_dx, uint32_t ret_dy)

double	max_dx_dy_adp_f_fk (const uint32_t n, uint32_t ret_dx, uint32_t ret_dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

uint64_t ***	x_cnt_alloc ()

void	x_cnt_free (uint64_t ***x_cnt)

void	x_cnt_print (uint32_t ***x_cnt)

uint32_t	adp_f_assign_bit_x_dx_key (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t dx, const uint32_t dy, uint64_t **x_cnt, double ret_prob, uint32_t ret_dx, uint32_t ret_k0, uint32_t *ret_k1)

double	max_key_dx_adp_f_fk (const uint32_t n, uint32_t ret_dx, const uint32_t dy, uint32_t ret_k0, uint32_t *ret_k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	adp_f_fk_v2 (const uint32_t da, const uint32_t dd, const uint32_t k0, const uint32_t k1, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

void	f_sfun (const uint32_t n, const uint32_t x_word, const uint32_t dx_word, const uint32_t delta_word, const uint32_t k0_word, const uint32_t k1_word)

double	adp_f_fk_exper (const uint32_t da, const uint32_t db, const uint32_t k0, const uint32_t k1, const uint32_t delta, uint32_t lsh_const, uint32_t rsh_const)

double	max_dx_adp_f_fk_exper (uint32_t *max_dx, const uint32_t dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, uint32_t lsh_const, uint32_t rsh_const)

double	max_dy_adp_f_fk_exper (const uint32_t dx, uint32_t *max_dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, uint32_t lsh_const, uint32_t rsh_const)

double	max_dx_dy_adp_f_fk_exper (uint32_t max_dx, uint32_t max_dy, const uint32_t k0, const uint32_t k1, const uint32_t delta, uint32_t lsh_const, uint32_t rsh_const)

Detailed Description

The ADD differential probability of the F-function of TEA for a fixed key and round constants $\mathrm{adp}^{F}(k_0, k_1, \delta |~ da \rightarrow dd)$ , where $F(k_0, k_1, \delta |~ x) = ((x \ll 4) + k_0) \oplus (x + \delta) \oplus ((x \gg 5) + k_1)$ Complexity: $O(n) < c \le O(2^n)$ .

Author: V.Velichkov, vesse.nosp@m.lin..nosp@m.velic.nosp@m.hkov.nosp@m.@uni..nosp@m.lu

Attention: The algorithms in this file have complexity that depends on the input and output differences to F. It is worst-case exponential in the word size, but is sub-exponential on average.

Function Documentation

uint32_t adp_f_assign_bit_x	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		uint32_t *	x_cnt,
		double *	prob
	)

Counts the number of values x for which the differential $(dx \rightarrow dy)$ for the F-function of TEA is satisfied. The function operates by recursively assigning the bits of x starting from bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x_cnt	number of values satisfying $(dx \rightarrow dy)$ .
prob	the fixed-key ADD probability of `F:` $\mathrm{adp}^{F}(k_0, k_1, \delta \|~ dx \rightarrow dy)$ .

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_fk

uint32_t adp_f_assign_bit_x_dx	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		uint64_t *	x_cnt,
		double *	ret_prob,
		uint32_t *	ret_dx
	)

For given output difference dy, compute all input differences dx and their probabilities, by counting all values x that satisfy the differential $(dx \rightarrow dy)$ for a fixed key and round constant. At the same time keeps track of the maximum probability input difference.

The function works by recursively assigning the bits of x and dx starting at bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat .

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x_cnt	array of counters - each one keeps track of the number of values satisfying $(dx \rightarrow dy)$ for every `dx`.
ret_prob	the maximum probability over all input differences $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k_0, k_1, \delta \|~ dx \rightarrow dy)$ .
ret_dx	the input difference that has maximum probability.

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_assign_bit_x, max_dx_adp_f_fk

uint32_t adp_f_assign_bit_x_dx_dy	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		differential_t *	x_cnt,
		double *	ret_prob,
		uint32_t *	ret_dx,
		uint32_t *	ret_dy
	)

For the TEA F-functuion with fixed key and round constant, compute all differentials $(dx \rightarrow dy)$ and their probabilities.

The function works by recursively assigning the bits of x, dx and dy starting at bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x_cnt	array of $2^{2n}$ differentials $(dx \rightarrow dy)$ and their probabilities.
ret_prob	the maximum probability over all input and output differences $\mathrm{max}_{dy,dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta \|~ dx \rightarrow dy)$ .
ret_dx	the input difference of the maximum probability differential.
ret_dy	the output difference of the maximum probability differential.

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_assign_bit_x_dx, adp_f_assign_bit_x_dy.

uint32_t adp_f_assign_bit_x_dx_key	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		uint64_t ***	x_cnt,
		double *	ret_prob,
		uint32_t *	ret_dx,
		uint32_t *	ret_k0,
		uint32_t *	ret_k1
	)

For the TEA F-function with fixed round constant, and for a fixed output difference dy, compute all differentials $(dx \rightarrow dy)$ and their probabilities for all values of the round keys k0, k1.

The function works by recursively assigning the bits of x, dx, k0 and k1 starting at bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x_cnt	array of $2^{3n}$ differentials $(dx \rightarrow dy)$ and their probabilities.
ret_prob	the maximum probability over all input differences and round keys $\mathrm{max}_{dx,k_0,k_1} ~\mathrm{adp}^{F}(k_0, k_1, \delta \|~ dx \rightarrow dy)$ .
ret_dx	the input difference of the maximum probability differential.
ret_k0	the first round key for the maximum probability differential.
ret_k1	the second round key for the maximum probability differential.

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_assign_bit_x_dx_key, adp_f_assign_bit_x_dx_dy.

uint32_t adp_f_assign_bit_x_dy	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		uint64_t *	x_cnt,
		double *	ret_prob,
		uint32_t *	ret_dy
	)

For given input difference dx, compute all output differences dy and their probabilities, by counting all values x that satisfy the differential $(dx \rightarrow dy)$ for a fixed key and round constant. At the same time keeps track of the maximum probability output difference.

The function works by recursively assigning the bits of x and dy starting at bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x_cnt	array of counters - each one keeps track of the number of values satisfying $(dx \rightarrow dy)$ for every `dy`.
ret_prob	the maximum probability over all output differences $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta \|~ dx \rightarrow dy)$ .
ret_dy	the output difference that has maximum probability.

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_assign_bit_x_dx

bool adp_f_check_x	(	const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	x
	)

Check if a given value x satisfies the ADD differential $(dx \rightarrow dy)$ for the TEA F-function.

Parameters

lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x	input value.

Returns: TRUE if $k_0, k_1, \delta:~ dy = F(x + dx) - F(x)$ .

double adp_f_fk	(	const uint32_t	n,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

Compute the fixed-key, fixed-constant ADD differential probability of the F-function of block cipher TEA: $\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ . Complexity: $O(n) < c \le O(2^n)$ .

Parameters

n	word size.
dx	input difference.
dy	output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x

double adp_f_fk_exper	(	const uint32_t	da,
		const uint32_t	db,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

Compute the fixed-key, fixed-constant ADD differential probability of the F-function of block cipher TEA: $\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values. Complexity: $O(2^n)$ .

Parameters

da	input difference.
db	output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_fk, adp_f_fk_v2.

double adp_f_fk_v2	(	const uint32_t	da,
		const uint32_t	dd,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

Compute the fixed-key, fixed-constant ADD differential probability of the F-function of block cipher TEA: $\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

The function works by dividing the input to F into independent parts and iterating over the values in each part. The resulting complexity is equivalent to exhaustive search over all inputs: $O(2^n)$ .

Parameters

da	input difference.
dd	output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_fk

bool adp_f_is_sat	(	const uint32_t	mask_i,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		int32_t	x
	)

Check if the differential $(dx \rightarrow dy)$ for F is satisfied on the i LS bits of x i.e. check if $k_0, k_1, \delta:~ dy[i-1:0] = F(x[i-1:0] + dx[i-1:0]) - F(x[i-1:0]) ~\mathrm{mod} ~2^{i}$ .

Attention: x must be of size at least bits where R is the RSH constant of F.

Parameters

mask_i	`i` bit mask.
lsh_const	LSH constant.
rsh_const	RSH constant.
k0	first round key.
k1	second round key.
delta	round constant.
dx	input difference.
dy	output difference.
x	input value of size at least (`i` + `rsh_const`).

Returns: TRUE if $k_0, k_1, \delta:~ dy[i-1:0] = F(x[i-1:0] + dx[i-1:0]) - F(x[i-1:0]) ~\mathrm{mod} ~2^{i}$ .

double all_dy_adp_f_fk	(	const uint32_t	n,
		const uint32_t	dx,
		uint32_t *	ret_dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		uint64_t *	x_cnt
	)

For given input difference dx, compute all output differences dy for the TEA F-function with fixed keys and round constants. Returns the maximum output probability.

Parameters

n	word size.
dx	input difference.
ret_dy	maximum probability output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.
x_cnt	array of counters - each one keeps track of the number of inputs `x` satisfying $(dx \rightarrow dy)$ for every `dy`.

Returns: $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: max_dy_adp_f_fk

void f_sfun	(	const uint32_t	n,
		const uint32_t	x_word,
		const uint32_t	dx_word,
		const uint32_t	delta_word,
		const uint32_t	k0_word,
		const uint32_t	k1_word
	)

Compute the S-function for the TEA F function.

Parameters

n	word size.
x_word	input to F.
dx_word	input difference.
delta_word	round constant.
k0_word	first round key.
k1_word	second round key.

double max_dx_adp_f_fk	(	const uint32_t	n,
		uint32_t *	ret_dx,
		const uint32_t	dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For given output difference dy, compute the maximum probability input differences dx over all input differences: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ . Complexity: $O(2n) < c \le O(2^{2n})$ . Memory: $4 \cdot 2^n$ Bytes.

Parameters

n	word size.
ret_dx	maximum probability input difference.
dy	output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x_dx

double max_dx_adp_f_fk_exper	(	uint32_t *	max_dx,
		const uint32_t	dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

For given output difference dy, compute the maximum probability input differences dx over all input differences: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values and input differences. Complexity: $O(2^{2n})$ .

Parameters

max_dx	maximum probability input difference.
dy	output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: max_dx_adp_f_fk

double max_dx_dy_adp_f_fk	(	const uint32_t	n,
		uint32_t *	ret_dx,
		uint32_t *	ret_dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For the TEA F-functuion with fixed key and round constant, compute the maximum probability differential $(dx \rightarrow dy)$ over all input and output differences. Complexity: $O(3n) < c \le O(2^{3n})$ . Memory: $12 \cdot 2^{2n}$ Bytes.

Parameters

n	word size.
ret_dx	the input difference of the maximum probability differential.
ret_dy	the output difference of the maximum probability differential.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx,dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x_dx_dy

double max_dx_dy_adp_f_fk_exper	(	uint32_t *	max_dx,
		uint32_t *	max_dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

For the TEA F-functuion with fixed key and round constant, compute the maximum probability differential $(dx \rightarrow dy)$ over all input and output differences. Complexity: $O(2^{3n})$ .

Parameters

max_dx	the input difference of the maximum probability differential.
max_dy	the output difference of the maximum probability differential.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx,dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: max_dx_dy_adp_f_fk

double max_dy_adp_f_fk	(	const uint32_t	n,
		const uint32_t	dx,
		uint32_t *	ret_dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For given input difference dx, compute the maximum probability output difference dy over all output differences: $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ . Complexity: $O(2n) < c \le O(2^{2n})$ . Memory requirement: $4 \cdot 2^n$ Bytes.

Parameters

n	word size.
dx	input difference.
ret_dy	maximum probability output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x_dy, max_dy_adp_f_fk

double max_dy_adp_f_fk_exper	(	const uint32_t	dx,
		uint32_t *	max_dy,
		const uint32_t	k0,
		const uint32_t	k1,
		const uint32_t	delta,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

For given input difference dx, compute the maximum probability output difference dy over all output differences: $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values and input differences. Complexity: $O(2^{2n})$ .

Parameters

dx	input difference.
max_dy	maximum probability output difference.
k0	first round key.
k1	second round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: max_dy_adp_f_fk

double max_key_dx_adp_f_fk	(	const uint32_t	n,
		uint32_t *	ret_dx,
		const uint32_t	dy,
		uint32_t *	ret_k0,
		uint32_t *	ret_k1,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For the TEA F-functuion with fixed key and round constant, compute the maximum probability differential $(dx \rightarrow dy)$ over all input differences and round keys. Complexity: $O(4n) < c \le O(2^{4n})$ . Memory: $12 \cdot 2^{3n}$ Bytes.

Parameters

n	word size.
dy	output difference.
ret_dx	the input difference of the maximum probability differential.
ret_k0	the first round key for the maximum probability differential.
ret_k1	the second round key for the maximum probability differential.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx,k_0,k_1} ~\mathrm{adp}^{F}(k_0, k_1, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x_dx_key

uint64_t*** x_cnt_alloc ( )

Allocate memory for a 2D array of differentials.

Returns: 2D array of differentials.

See Also: x_cnt_free

void x_cnt_free ( uint64_t *** x_cnt )

Free the memory allocated from a previous call to x_cnt_alloc

Parameters

x_cnt 2D array of differentials.

See Also: x_cnt_alloc

void x_cnt_print ( uint32_t *** x_cnt )

Print the elements of a 2D array of differentials.

Parameters

x_cnt 2D array of differentials.

Functions

Detailed Description

Function Documentation