The ADD differential probability of the F-function of XTEA for a fixed key and round constants $\mathrm{adp}^{F}(k, \delta |~ da \rightarrow dd)$ . Complexity: $O(n) < c \le O(2^n)$ . More...

#include "common.hh"
#include "adp-xor.hh"
#include "max-adp-xor.hh"
#include "adp-xor-fi.hh"
#include "max-adp-xor-fi.hh"
#include "adp-shift.hh"
#include "xtea.hh"

Functions
double	adp_xtea_f_exper (const uint32_t da, const uint32_t db, const uint32_t k, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	adp_xtea_f_approx (const uint32_t ninputs, const uint32_t da, const uint32_t db, const uint32_t k, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	max_dy_adp_xtea_f_exper (const uint32_t dx, uint32_t *dy_max, const uint32_t k, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	max_dx_adp_xtea_f_exper (uint32_t *dx_max, const uint32_t dy, const uint32_t k, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	adp_xtea_f_lxr_exper (const uint32_t da, const uint32_t db, uint32_t lsh_const, uint32_t rsh_const)

double	adp_xtea_f_lxr_approx (const uint32_t ninputs, const uint32_t da, const uint32_t db, uint32_t lsh_const, uint32_t rsh_const)

bool	adp_xtea_f_lxr_check_x (const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t dx, const uint32_t dy, const uint32_t x)

bool	adp_xtea_f_lxr_is_sat (const uint32_t mask_i, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t dx, const uint32_t dy, int32_t x)

uint32_t	adp_xtea_f_lxr_assign_bit_x (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t dx, const uint32_t dy, uint32_t x_cnt, double prob)

double	adp_xtea_f_lxr (const uint32_t n, const uint32_t dx, const uint32_t dy, const uint32_t lsh_const, const uint32_t rsh_const)

double	adp_xtea_f_approx (const uint32_t n, gsl_matrix *A[2][2][2], const uint32_t dx, const uint32_t dy, const uint32_t k, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

bool	adp_xtea_f_check_x (const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k, const uint32_t delta, const uint32_t dx, const uint32_t dy, const uint32_t x)

bool	adp_xtea_f_is_sat (const uint32_t mask_i, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t k, const uint32_t delta, const uint32_t dx, const uint32_t dy, const uint32_t x)

uint32_t	adp_xtea_f_assign_bit_x (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t key, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t dx, const uint32_t dy, uint32_t x_cnt, double prob)

uint32_t	adp_xtea_f_assign_bit_x_dx (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t key, const uint32_t delta, const uint32_t dx, const uint32_t dy, uint64_t x_cnt, double ret_prob, uint32_t *ret_dx)

uint32_t	adp_xtea_f_assign_bit_x_dy (const uint32_t n, const uint32_t i, const uint32_t mask_i, const uint32_t x, const uint32_t lsh_const, const uint32_t rsh_const, const uint32_t key, const uint32_t delta, const uint32_t dx, const uint32_t dy, uint64_t x_cnt, double ret_prob, uint32_t *ret_dy)

double	adp_xtea_f (const uint32_t n, const uint32_t dx, const uint32_t dy, const uint32_t key, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	max_dy_adp_xtea_f (const uint32_t n, const uint32_t dx, uint32_t *ret_dy, const uint32_t key, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	max_dx_adp_xtea_f (const uint32_t n, uint32_t *ret_dx, const uint32_t dy, const uint32_t key, const uint32_t delta, const uint32_t lsh_const, const uint32_t rsh_const)

double	first_nz_adp_xtea_f (gsl_matrix A[2][2][2], gsl_matrix AA[2][2][2], const uint32_t key, const uint32_t delta, const uint32_t da, uint32_t *ret_dd, uint32_t lsh_const, uint32_t rsh_const)

Detailed Description

The ADD differential probability of the F-function of XTEA for a fixed key and round constants $\mathrm{adp}^{F}(k, \delta |~ da \rightarrow dd)$ . Complexity: $O(n) < c \le O(2^n)$ .

Author: V.Velichkov, vesse.nosp@m.lin..nosp@m.velic.nosp@m.hkov.nosp@m.@uni..nosp@m.lu

Attention: The algorithms in this file have complexity that depends on the input and output differences to F. It is worst-case exponential in the word size, but is sub-exponential on average.

See Also: xdp-xtea-f-fk.cc

Function Documentation

double adp_xtea_f	(	const uint32_t	n,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

Compute the fixed-key, fixed-constant ADD differential probability of the F-function of block cipher XTEA: $\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ . Complexity: $O(n) < c \le O(2^n)$ .

Parameters

n	word size.
dx	input difference.
dy	output difference.
key	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x

double adp_xtea_f_approx	(	const uint32_t	ninputs,
		const uint32_t	da,
		const uint32_t	db,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

An approximation of the ADP of the XTEA F-function (xtea_f) obtained over a number of input chosen plaintext pairs chosen uniformly at random.

Parameters

ninputs	number of chosen plaintext pairs.
da	input difference.
db	output difference.
k	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

Note: For the exact computation refer to adp_xtea_f

double adp_xtea_f_approx	(	const uint32_t	n,
		gsl_matrix *	A[2][2][2],
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

An approximation of the ADD differential probability (ADP) of the XTEA F-function (xtea_f) with fixed round key and round cnstant, obtained as the multiplication the ADP of its $f_{\mathrm{LXR}}$ component (adp_xtea_f_lxr) and the ADP of XOR with one fixed input (adp_xor_fixed_input):

$\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy) = \mathrm{adp}^{f_\mathrm{LXR}}(dx \rightarrow dt) \cdot \mathrm{adp}^{\oplus}_{\mathrm{FI}}(k + \delta, dx + dt \rightarrow dy)$ .

Algorithm sketch:

Compute s.t. $p_1 = \mathrm{max}_{dz}~\mathrm{adp}^{\oplus}_{\mathrm{FI}}(k + \delta, dy \rightarrow dz)$ .
Note
Note that $\mathrm{adp}^{\oplus}_{\mathrm{FI}}(k + \delta, dy \rightarrow dz) = \mathrm{adp}^{\oplus}_{\mathrm{FI}}(k + \delta, dz \rightarrow dy)$ .
Compute the output from $f_{\mathrm{LXR}}$ : .
Compute $p_2 = \mathrm{adp}^{f_\mathrm{LXR}}(dx \rightarrow dt)$ .
Compute $\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy) = p_1 \cdot p_2$ .

Parameters

n	word size.
A	transition probability matrices for $\mathrm{adp}^{\oplus}$ with FI (adp_xor_fixed_input_sf).
dx	input difference.
dy	output difference.
k	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{f_\mathrm{LXR}} \cdot \mathrm{adp}^{\oplus}_{\mathrm{FI}}$ .

Note: For the exact computation refer to adp_xtea_f.

uint32_t adp_xtea_f_assign_bit_x	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	dx,
		const uint32_t	dy,
		uint32_t *	x_cnt,
		double *	prob
	)

Counts the number of values x for which the differential $(dx \rightarrow dy)$ for the F-function of XTEA is satisfied. The function operates by recursively assigning the bits of x starting from bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_xtea_f_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
key	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.
dx	input difference.
dy	output difference.
x_cnt	number of values satisfying $(dx \rightarrow dy)$ .
prob	the fixed-key ADD probability of `F:` $\mathrm{adp}^{F}(k, \delta \|~ dx \rightarrow dy)$ .

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_fk

uint32_t adp_xtea_f_assign_bit_x_dx	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		uint64_t *	x_cnt,
		double *	ret_prob,
		uint32_t *	ret_dx
	)

For given output difference dy, compute all input differences dx and their probabilities, by counting all values x that satisfy the differential $(dx \rightarrow dy)$ for a fixed key and round constant. At the same time keeps track of the maximum probability input difference.

The function works by recursively assigning the bits of x and dx starting at bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat .

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
key	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.
dx	input difference.
dy	output difference.
x_cnt	array of counters - each one keeps track of the number of values satisfying $(dx \rightarrow dy)$ for every `dx`.
ret_prob	the maximum probability over all input differences $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta \|~ dx \rightarrow dy)$ .
ret_dx	the input difference that has maximum probability.

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_assign_bit_x

uint32_t adp_xtea_f_assign_bit_x_dy	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		uint64_t *	x_cnt,
		double *	ret_prob,
		uint32_t *	ret_dy
	)

For given input difference dx, compute all output differences dy and their probabilities, by counting all values x that satisfy the differential $(dx \rightarrow dy)$ for a fixed key and round constant. At the same time keeps track of the maximum probability output difference.

The function works by recursively assigning the bits of x and dy starting at bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_f_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
key	round key.
delta	round constant.
dx	input difference.
dy	output difference.
x_cnt	array of counters - each one keeps track of the number of values satisfying $(dx \rightarrow dy)$ for every `dy`.
ret_prob	the maximum probability over all output differences $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k, \delta \|~ dx \rightarrow dy)$ .
ret_dy	the output difference that has maximum probability.

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_f_assign_bit_x_dx

bool adp_xtea_f_check_x	(	const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	x
	)

Check if a given value x satisfies the ADD differential $(dx \rightarrow dy)$ for the XTEA F-function.

Parameters

lsh_const	LSH constant.
rsh_const	RSH constant.
k	round key.
delta	round constant.
dx	input difference.
dy	output difference.
x	input value.

Returns: TRUE if $k, \delta:~ dy = F(x + dx) - F(x)$ .

double adp_xtea_f_exper	(	const uint32_t	da,
		const uint32_t	db,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

Compute the fixed-key, fixed-constant ADD differential probability of the F-function of block cipher XTEA: $\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values. Complexity: $O(2^n)$ .

Parameters

da	input difference.
db	output difference.
k	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

bool adp_xtea_f_is_sat	(	const uint32_t	mask_i,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	x
	)

Check if the differential $(dx \rightarrow dy)$ for F (xtea_f) is satisfied on the i LS bits of x i.e. check if

$k, \delta:~ dy[i-1:0] = F(x[i-1:0] + dx[i-1:0]) - F(x[i-1:0]) ~\mathrm{mod} ~2^{i}$ .

Attention: x must be of size at least bits where R is the RSH constant of F.

Parameters

mask_i	`i` bit mask.
lsh_const	LSH constant.
rsh_const	RSH constant.
k	round key.
delta	round constant.
dx	input difference.
dy	output difference.
x	input value of size at least (`i` + `rsh_const`).

Returns: TRUE if $k, \delta:~ dy[i-1:0] = F(x[i-1:0] + dx[i-1:0]) - F(x[i-1:0]) ~\mathrm{mod} ~2^{i}$ .

double adp_xtea_f_lxr	(	const uint32_t	n,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

Compute the ADD differential probability of the $f_{\mathrm{LXR}}$ (xtea_f_lxr) function: $\mathrm{adp}^{f_\mathrm{LXR}}(dx \rightarrow dy)$ . Complexity c: $O(n) < c \le O(2^n)$ .

Parameters

n	word size.
dx	input difference.
dy	output difference.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{f_\mathrm{LXR}}(dx \rightarrow dy)$ .

See Also: adp_xtea_f_lxr_assign_bit_x

double adp_xtea_f_lxr_approx	(	const uint32_t	ninputs,
		const uint32_t	da,
		const uint32_t	db,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

An approximation of the ADP of $f_{\mathrm{LXR}}$ (xtea_f_lxr) obtained over a number of input chosen plaintext pairs chosen uniformly at random.

Parameters

ninputs	number of input chosen plaintext pairs.
da	input difference.
db	output difference.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{f_\mathrm{LXR}}(da \rightarrow db)$

Note: For the exact computation refer to adp_xtea_f_lxr_exper

uint32_t adp_xtea_f_lxr_assign_bit_x	(	const uint32_t	n,
		const uint32_t	i,
		const uint32_t	mask_i,
		const uint32_t	x,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	dx,
		const uint32_t	dy,
		uint32_t *	x_cnt,
		double *	prob
	)

Counts the number of values x for which the differential $(dx \rightarrow dy)$ for the $f_{\mathrm{LXR}}$ (xtea_f_lxr) function is satisfied. The algorithm works by recursively assigning the bits of x starting from bit position i and terminating at the MS bit n. The recursion proceeds to bit $(i+1)$ only if the differential is satisfied on the i LS bits. This is checked by applying adp_xtea_f_lxr_is_sat.

Parameters

n	word size (terminating bit popsition).
i	current bit position.
mask_i	mask on the `i` LS bits of `x`.
x	input value of size at least (`i` + `rsh_const`).
lsh_const	LSH constant.
rsh_const	RSH constant.
dx	input difference.
dy	output difference.
x_cnt	number of values satisfying $(dx \rightarrow dy)$ .
prob	the probability $\mathrm{adp}^{f_\mathrm{LXR}}(dx \rightarrow dy)$ .

Returns: 1 if satisfies $(dx[i-1:0] \rightarrow dy[i-1:0])$ ; 0 otherwise.

See Also: adp_xtea_f_lxr

bool adp_xtea_f_lxr_check_x	(	const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	dx,
		const uint32_t	dy,
		const uint32_t	x
	)

Check if a given value x satisfies the ADD differential $(dx \rightarrow dy)$ for the function $f_{\mathrm{LXR}}$ (xtea_f_lxr).

Parameters

lsh_const	LSH constant.
rsh_const	RSH constant.
dx	input difference.
dy	output difference.
x	input value.

Returns: TRUE if $dy = f_{\mathrm{LXR}}(x + dx) - f_{\mathrm{LXR}}(x)$ .

double adp_xtea_f_lxr_exper	(	const uint32_t	da,
		const uint32_t	db,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

Compute the ADD differential probability of the $f_{\mathrm{LXR}}$ (xtea_f_lxr) component of the F-function of block cipher XTEA, through exhaustive search over all input values. Complexity: $O(2^n)$ .

Parameters

da	input difference.
db	output difference.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{f_\mathrm{LXR}}(da \rightarrow db)$

bool adp_xtea_f_lxr_is_sat	(	const uint32_t	mask_i,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const,
		const uint32_t	dx,
		const uint32_t	dy,
		int32_t	x
	)

Check if the differential $(dx \rightarrow dy)$ for the function $f_{\mathrm{LXR}}$ (xtea_f_lxr) is satisfied on the i LS bits of x i.e. check if

$dy[i-1:0] = f_{\mathrm{LXR}}(x[i-1:0] + dx[i-1:0]) - f_{\mathrm{LXR}}(x[i-1:0]) ~\mathrm{mod} ~2^{i}$ .

Attention: x must be of size at least bits where R is the RSH constant of $f_{\mathrm{LXR}}$ .

Parameters

mask_i	`i` bit mask.
lsh_const	LSH constant.
rsh_const	RSH constant.
dx	input difference.
dy	output difference.
x	input value of size at least (`i` + `rsh_const`).

Returns: TRUE if $dy[i-1:0] = f_{\mathrm{LXR}}(x[i-1:0] + dx[i-1:0]) - f_{\mathrm{LXR}}(x[i-1:0]) ~\mathrm{mod} ~2^{i}$ .

double first_nz_adp_xtea_f	(	gsl_matrix *	A[2][2][2],
		gsl_matrix *	AA[2][2][2],
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	da,
		uint32_t *	ret_dd,
		uint32_t	lsh_const,
		uint32_t	rsh_const
	)

For the XTEA F-function (xtea_f), for fixed input difference da, compute an arbitrary dd such that the differential $(da \rightarrow dd)$ has non-zero probability.

The procedure approximates the ADP of the TEA F-function as a multiplication of the ADP of its three non-linear components (w.r.t. ADD differences): the two XOR operations and the RSH operation (see xtea_f):

$\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy) = \mathrm{adp}^{\oplus} \cdot \mathrm{adp}^{\gg} \cdot \mathrm{adp}^{\oplus}_{\mathrm{FI}}$

Algorithm sketch:

Compute $dy: \mathrm{max}_{dc[i]}~\mathrm{adp}^{\oplus}(db, dc[i] \rightarrow dy)$ , where $dc[i] \in \{(da \gg 5), (da \gg 5) + 1, (da \gg 5) - 2^{n-5}, (da \gg 5) - 2^{n-5} + 1\}$ , is one of the four possible ADD differences after RSH (adp_rsh).
Compute .
Compute $dd:\mathrm{max}_{dd}~\mathrm{adp}^{\oplus}((k + \delta), dt \rightarrow dd)$ .
For the computed da and dd experimenttaly re-adjust the probability using adp_xtea_f_approx.
Note
At this step the exact probability can also be computed with adp_xtea_f which is more accurate but less efficient.
Return the adjusted probability p and dd.

Attention: it is still possible that p = 0.0 for some da.

Parameters

A	transition probability matrices for $\mathrm{adp}^{\oplus}$ (adp_xor_sf).
AA	transition probability matrices for $\mathrm{adp}^{\oplus}$ with FI (adp_xor_fixed_input_sf).
key	round key.
delta	round constant.
da	input difference.
ret_dd	output difference.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{adp}^{F}(k, \delta |~ da \rightarrow dd)$

double max_dx_adp_xtea_f	(	const uint32_t	n,
		uint32_t *	ret_dx,
		const uint32_t	dy,
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For given output difference dy, compute the maximum probability input differences dx over all input differences: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values and input differences. Complexity: $O(2^{2n})$ .

Parameters

n	word size.
ret_dx	maximum probability input difference.
dy	output difference.
key	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

See Also: max_dx_adp_f_fk

double max_dx_adp_xtea_f_exper	(	uint32_t *	dx_max,
		const uint32_t	dy,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For given output difference dy, compute the maximum probability input differences dx over all input differences: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values and input differences. Complexity: $O(2^{2n})$ .

Parameters

dx_max	maximum probability input difference.
dy	output difference.
k	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

See Also: max_dx_adp_f_fk

double max_dy_adp_xtea_f	(	const uint32_t	n,
		const uint32_t	dx,
		uint32_t *	ret_dy,
		const uint32_t	key,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For given input difference dx, compute the maximum probability output difference dy over all output differences: $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ . Complexity: $O(2n) < c \le O(2^{2n})$ . Memory requirement: $4 \cdot 2^n$ Bytes.

Parameters

n	word size.
dx	input difference.
ret_dy	maximum probability output difference.
key	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

See Also: adp_f_assign_bit_x_dy, max_dx_adp_f_fk

double max_dy_adp_xtea_f_exper	(	const uint32_t	dx,
		uint32_t *	dy_max,
		const uint32_t	k,
		const uint32_t	delta,
		const uint32_t	lsh_const,
		const uint32_t	rsh_const
	)

For given input difference dx, compute the maximum probability output difference dy over all output differences: $\mathrm{max}_{dy} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ through exhaustive search over all input values and input differences. Complexity: $O(2^{2n})$ .

Parameters

dx	input difference.
dy_max	maximum probability output difference.
k	round key.
delta	round constant.
lsh_const	LSH constant.
rsh_const	RSH constant.

Returns: $\mathrm{max}_{dx} ~\mathrm{adp}^{F}(k, \delta |~ dx \rightarrow dy)$ .

See Also: max_dy_adp_f_fk

Functions

Detailed Description

Function Documentation