Differential Equations Of Addition

In cryptography, differential equations of addition (DEA) are one of the most basic equations related to differential cryptanalysis that mix additions over two different groups (e.g. addition modulo 2³² and addition over GF(2)) and where input and output differences are expressed as XORs.

Examples

Differential equations of addition (DEA) are of the following form:

$(x+y)\oplus((x\oplus a)+(y\oplus b))=c$

where $x$ and $y$ are $n$-bit unknown variables and $a$, $b$ and $c$ are known variables. The symbols $+$ and $\oplus$ denote ''addition modulo'' $2^n$ and ''bitwise exclusive-or'' respectively. The above equation is denoted by $(a, b, c)$.

Let a set

$S=\$

for integer $i$ denote a system of $k(n)$ DEA where $k(n)$ is a polynomial in $n$. It has been proved that the satisfiability of an arbitrary set of DEA is in the complexity class P when a brute force search requires an exponential time.

In 2013, some properties of a special form of DEA were reported by Chengqing Li et al., where $a=0$ and $y$ is assumed known. Essentially, the special DEA can be represented as $(x \dotplus \alpha) \oplus (x\dotplus \beta)=c$. Based on the found properties, an algorithm for deriving $x$ was proposed and analyzed.

Applications

Solution to an arbitrary set of DEA (either in batch and or in adaptive query model) was due to Souradyuti Paul and Bart Preneel. The solution techniques have been used to attack the stream cipher Helix.

Further reading

* Souradyuti Paul and Bart Preneel, Solving Systems of Differential Equations of Addition, ACISP 2005.
Full version
(PDF)
* Souradyuti Paul and Bart Preneel, Near Optimal Algorithms for Solving Differential Equations of Addition With Batch Queries, Indocrypt 2005.
Full version
(PDF)
* Helger Lipmaa, Johan Wallén, Philippe Dumas: On the Additive Differential Probability of Exclusive-Or. FSE 2004: 317-331.

References

{{Cryptography navbox , block

Cryptographic attacks
Theory of cryptography
Ciphers