YAARX: Yet Another ARX Toolkit
0.1
|
The maximum ADD differential probability of XOR: . More...
Functions | |
void | max_adp_xor_i (const WORD_T i, const WORD_T k, const WORD_T n, double *p, WORD_T *dd, gsl_matrix *A[2][2][2], gsl_vector *B[WORD_SIZE+1], gsl_vector *C, const WORD_T da, const WORD_T db, WORD_T *dd_max, double *p_max, WORD_T A_size) |
void | max_adp_xor_bounds (gsl_matrix *A[2][2][2], gsl_vector *B[WORD_SIZE+1], const WORD_T da, const WORD_T db, WORD_T *dd_max, WORD_T A_size) |
double | max_adp_xor (gsl_matrix *A[2][2][2], const WORD_T da, const WORD_T db, WORD_T *dd_max) |
double | max_adp_xor_exper (gsl_matrix *A[2][2][2], const WORD_T da, const WORD_T db, WORD_T *dc_max) |
The maximum ADD differential probability of XOR: .
double max_adp_xor | ( | gsl_matrix * | A[2][2][2], |
const WORD_T | da, | ||
const WORD_T | db, | ||
WORD_T * | dd_max | ||
) |
Compute the maximum differential probability over all output differences: . Complexity c: .
A | transition probability matrices. |
da | first input difference. |
db | second input difference. |
dd_max | maximum probability output difference. |
void max_adp_xor_bounds | ( | gsl_matrix * | A[2][2][2], |
gsl_vector * | B[WORD_SIZE+1], | ||
const WORD_T | da, | ||
const WORD_T | db, | ||
WORD_T * | dd_max, | ||
WORD_T | A_size | ||
) |
Compute an array of bounds that can be used in the computation of the maximum differential probability.
A | transition probability matrices. |
B | array of size A_size rows by (n + 1) columns containing upper bounds on the maximum probabilities of all j bit differentials beginning from any state i: A_size . |
da | first input difference. |
db | second input difference. |
dd_max | maximum probability output difference. |
A_size | size of the square transition probability matrices (equivalently, the number of states of the S-function). |
Algorithm Outline:
i
from 0 to (A_size
- 1)A_size
with 1 at position idc
starting at bit popsition and terminating at bit position n
.Meaning of the bounds B:
is an upper bound on on the maximum probability of the differential because clearly for any choice of the MS bits of dc, the probability will never be bigger than . Furthermore, let be the multiplication of the corresponding transition probability matrices for the MS bits of dc and let and . Then for any choice of . In particular, when .
double max_adp_xor_exper | ( | gsl_matrix * | A[2][2][2], |
const WORD_T | da, | ||
const WORD_T | db, | ||
WORD_T * | dc_max | ||
) |
Compute the maximum differential probability by exhaustive search over all output differences. Complexity: .
A | transition probability matrices. |
da | first input difference. |
db | second input difference. |
dc_max | maximum probability output difference. |
void max_adp_xor_i | ( | const WORD_T | i, |
const WORD_T | k, | ||
const WORD_T | n, | ||
double * | p, | ||
WORD_T * | dd, | ||
gsl_matrix * | A[2][2][2], | ||
gsl_vector * | B[WORD_SIZE+1], | ||
gsl_vector * | C, | ||
const WORD_T | da, | ||
const WORD_T | db, | ||
WORD_T * | dd_max, | ||
double * | p_max, | ||
WORD_T | A_size | ||
) |
Compute an upper bound on the maximum probability of the differential starting from initial state i
of the S-function i.e. , given the upper bounds on the probabilities of the differentials for , where is a row vector of size A_size
and is a unit column vector of size A_size
with 1 at position and .
i | index of the state of the S-function: A_size . |
k | current bit position: . |
n | word size. |
p | the estimated probability at bit position k . |
dd | output difference. |
A | transition probability matrices. |
B | array of size A_size rows by (n + 1) columns containing upper bounds on the maximum probabilities of all j bit differentials beginning from any state i: A_size . |
C | unit row vector of size A_size rows, initialized with 1 at state index i . |
da | first input difference. |
db | second input difference. |
dd_max | maximum probability output difference. |
p_max | the maximum probability. |
A_size | size of the square transition probability matrices (equivalently, the number of states of the S-function). |
Algorithm Outline:
Recursively assign values to the bits of the output difference dc
starting at bit popsition and terminating at bit position n
. The recursion proceeds to bit postion only if the probability of the partially constructed differential multiplied by the bound of the probability until the end is bigger than the best probability found so far i.e. if: . When update the max.: .