Automatic Search for Related-Key Differential Trails in SIMON-like Block Ciphers Based on MILP

Abstract

In this paper, we revisit the relationship between the probability of differential trails and the input difference of each round for SIMON-like block ciphers. The key observation is that not only the Hamming weight but also the positions of active bits of the input difference have effect on the probability. Based on this, our contributions are mainly twofold. Firstly, we rebuild the MILP model for SIMON-like block ciphers without quadratic constraints. Accordingly, we give the accurate objective function and reduce its degree to one by adding auxiliary variants to make the model easy to solve. Secondly, we search for optimal differential trails for SIMON and SIMECK based on this model. To the best of our knowledge, this is the first time that related-key differential trails have been obtained. Besides, we not only recover the single-key results in [11], but also obtain impossible differentials through this method.

1 Introduction

Devices of small size, such as smart cards and sensor networks, are increasingly involved in our life. Despite of the convenience, a major concern is that these highly constrained devices cannot afford the computational cost of traditional block ciphers such as DES and AES. To this end, the notion of lightweight block cipher was raised, and has seen a flourish of research works in recent years.

Specifically, SIMON and SPECK families of block ciphers [4] proposed by the NSA are amongst the most promising candidates. The distinguishing feature of SIMON (SPECK) is that AND operations (modular additions) serve as non-linear components instead of S-boxes, and this directly yields an implementation advantage on both hardware and software platforms. Later on, Yang et al. proposed a variant of SIMON, namely SIMECK [22] which adopts the rotational constants and key schedules of SPECK within the framework of SIMON. We refer to both SIMON and SIMECK as SIMON-like block ciphers, as introduced in [11].

Related Work. For SIMON, no designing rationale or security analysis was explicitly given in the original paper [4]. Lots of subsequent researches have been done for evaluating its security, and a majority of these works are also applicable to the SIMECK case due to their great similarities [22].

There have been many results for SIMON by differential cryptanalysis [2, 3, 6,7,8,9,10,11, 20] and linear cryptanalysis [1, 12, 14]. To our interest, Kölbl et al. [9] gave an exact closed form expression for the differential probability, and obtained single-key differential characteristics through SAT/SMT solvers; in 2017, Liu et al. [11] further investigated the relationship between Hamming weight of input difference and differential probability, and proposed an automatic searching algorithm by adapting Matsui’s algorithm [13], and obtained optimal single-key differential trails for SIMON-like block ciphers.

On the other hand, Todo introduced the notion of division property, and used it in finding integral distinguishers for SIMON [18]; later on, Todo and Morii proposed a fine-grained variant called bit-based division property [19], and thus gave integral distinguisher for SIMON32 with one more round.

Besides, the method of Mixed-Integer Linear Programming (MILP) is widely used in automatic searching recently [15, 17]. Specifically for SIMON, Sun et al. modified the original model [15, 17] into an MIP (Mixed-Integer Programming) one by adding quadratic constraints [16], to remove invalid characteristics out of the feasible region. Although they made it theoretically solvable by adding auxiliary variants, it still seems rather sophisticated to make practical use of this model. It is worth noting that based on division property, Xiang et al. [21] applied MILP to automatically searching integral distinguishers for six lightweight block ciphers including SIMON and SIMECK.

Throughout, no cryptanalysis work has been done for SIMON-like block ciphers in related-key setting, and this issue is also mentioned by the designers of SIMON [5] and SIMECK [22] independently. In fact, the behavior of certain block cipher under related-key differential cryptanalysis is an important criterion for its security, since the secret keys are often updated in security protocols or differences can be incorporated using fault attacks. Meanwhile, avoiding high-probability related-key differential characteristics is one of the goal of the key schedule.

Our Contributions. In this paper, we make a fine-grained analysis of the ROTATION-AND operations and construct proper MILP models for SIMON-like block ciphers. As a result, we give related-key differential trails for SIMON-like block ciphers for the first time.

Specifically, we revisit the relationship between the input difference and the probability of differential trails, and reveal that the active bits’ positions of the input difference will not only determine which bits of the output difference are likely to be active, but also affect the probability of differential characteristics. From this we can get all possible output differences of the ROTATION-AND operation and their accurate probabilities directly from input difference, rather than using a DDTA (Difference Distribution Table of AND) accompanied with some checking conditions as done in [6, 9, 11]. As a result, we can construct proper MILP models with linear objective function while without quadratic constraints, and search related-key differential trails for SIMON and SIMECK automatically, as well as impossible differentials.

Our main results are listed in the following:

1. 1.

   We find 10, 9, 9 rounds optimal related-key differential trails for SIMON32/64, SIMON48/96 and SIMON64/128 with probability \(2^{-16}\), \(2^{-18}\) and \(2^{-18}\) respectively, costing about 15 days, 6 days and 7 days respectively.¹ Moreover, we find that there is an 8-round period trail with probability \(2^{-n}\) for SIMON2n/4n, and thus all trails can be extended to 19 rounds with probability \(2^{-2n}\).

2. 2.

   We find two 11 rounds optimal related-key differential trails for SIMON48/72 and SIMON64/96 with probability \(2^{-22}\) and \(2^{-22}\) respectively, costing about 7 days and 7 days respectively. The extension for SIMON48 reaches 16 rounds with probability \(2^{-50}\), and the extension for SIMON64 reaches 18 rounds with probability \(2^{-64}\).

3. 3.

   We find 15, 16, 16 rounds optimal related-key differential trails for SIMECK32/64, SIMECK48/96, and SIMECK64/128 with probability \(2^{-34}\), \(2^{-40}\), and \(2^{-40}\) respectively, costing about 9.6 h, 3.8 days and 4 days respectively. The extension of SIMECK48/96 reaches 19 rounds with probability \(2^{-48}\), and the extension for SIMECK64/128 reaches 23 rounds with probability \(2^{-66}\).

For searching single-key differential trails, without of generality, we assume that there must exist certain round with input difference of Hamming weight one when considering the diffusion of block ciphers. Then by our method, we can recover the results in [11]. In addition, we also get 11, 12 and 13 rounds impossible differentials for SIMON32, SIMON48 and SIMON64 respectively, and get 11, 15 and 17 rounds impossible differentials for SIMECK32, SIMECK48 and SIMECK64 respectively, all in the single-key setting.

Organization of the Paper. We introduce notations and recall the constructions of SIMON-like block ciphers in Sect. 2. In Sect. 3, we present the main theorem on relationship between the input difference and the differential probability, and construct proper MILP models for SIMON-like block ciphers. Our results are presented in Sect. 4. Section 5 is a conclusion of this paper.

2 Preliminaries

2.1 Notations

We say a bit is active if it is one. For the left half input difference in SIMON2n, each bit has a subscript denoting its position, with that of the most significant bit being 0; all subscripts are in the sense modulo n. We list main notations in Table 1.

Table 1. Notations.

2.2 A Brief Description of SIMON and SIMECK

The round function of SIMON-like block ciphers is shown in Fig. 1, with the value of (a, b, c) being (8, 1, 2) and (0, 5, 1) for SIMON and SIMECK respectively.

Fig. 1.

The round function of SIMON-like block ciphers.

Fig. 2.

The key expansion of SIMECK.

The key schedules of SIMON and SIMECK are totally different. The constant \(C=2^{n}-4=0xff\cdot \cdot \cdot fc\), and the generation of constant sequence \(\{z_{j}\}\) is referred to [4] (for SIMON) and [22] (for SIMECK). The key of the i-th round is denoted by \(k_i\), and the identical permutation is denoted by I. For SIMON2n/mn, round keys are generated by

$$ k_{i+m}=\left\{ \begin{array}{lr} C\oplus (z_{j})_{i}\oplus k_{i}\oplus (I\oplus S^{-1})S^{-3}k_{i+1}, if m=2, \\ \\ C\oplus (z_{j})_{i}\oplus k_{i}\oplus (I\oplus S^{-1})S^{-3}k_{i+2}, if m=3, \\ \\ C\oplus (z_{j})_{i}\oplus k_{i}\oplus (I\oplus S^{-1})(S^{-3}k_{i+3}\oplus k_{i+1}), if m=4 .\\ \end{array}\right. $$

For SIMECK2n/4n, the key schedules are shown in Fig. 2. The updating function is expressed as

$$ \left\{ \begin{array}{lr} k_{i+1}=t_{i},\\ \\ t_{i+3}=k_{i}\oplus f(t_{i})\oplus C\oplus (z_{j})_{i}.\\ \end{array}\right. $$

where \(f(x)=x\odot S^{5}(x)\oplus S^{1}(x)\) is part of the round function.

3 Constructing MILP Models for SIMON-like Block Ciphers

In this section, we make a fine-grained analysis of the relationship between input and output difference of the ROTATION-AND operations. We prove that not only the Hamming weight but also the active bits’ positions of the input difference can affect the probability of differential characteristics. The former has been proved by Liu et al. [11], and we highlight the latter’s importance in constructing proper MILP models for SIMON-like block ciphers. Specifically, we give the following theorem:

Theorem 1

Let \(f(x)=S^{a}(x) \odot S^{b}(x)\) be a Boolean function from \(\mathbb {F}^{n}_{2} \) to itself, and \(gcd(n,a-b)=1\). Let \(\varDelta x\), \(\varDelta d \in \mathbb {F}^{n}_{2}\) be the input and output difference of f respectively, with \(wt(\varDelta x)=m\), \(m < n\), and \(R=\{\varDelta x_{i_{0}}, \varDelta x_{i_{1}}, \ldots , \varDelta x_{i_{m-1}}\}\) be the set of all active bits in \(\varDelta x\). If there exist

1. 1.

   \(p_{1}\) pairs of \(\{i_{j}\), \(i_{k}\}\) such that \(|i_{j}-i_{k} |\equiv |a-b |\) mod n; and

2. 2.

   \(p_{2}\) pairs of \(\{i_{j}\), \(i_{k}\}\) such that \(|i_{j}-i_{k} |\equiv 2 |a-b |\) mod n and there exists some h such that \(|h-i_{j} |\equiv |a-b |\) mod n, \(|h-i_{k} |\equiv |a-b |\) mod n, \(\varDelta x_{h} \notin R\);

then there will be \(2^{2m-p_{1}-p_{2}}\) possible values for \(\varDelta d\), and each has the same probability \(2^{-2m+p_{1}+p_{2}}\).

To prove this theorem, we use the following lemma, which can be regarded as a generalization of Observation 2 in [8]. All proofs can be found in the Appendix.

Lemma 1

Let \(f(x)=S^{a}(x) \odot S^{b}(x)\) be a Boolean function from \(\mathbb {F}^{n}_{2} \) to itself. Let \(\varDelta x\), \(\varDelta d \in \mathbb {F}^{n}_{2}\) be the input and output difference of f respectively, and \(x \in \mathbb {F}^{n}_{2}\) be an input of f. Then,

1. 1.

   In \(\varDelta x\), only two bits, namely \(\varDelta x_{i+a}\) and \(\varDelta x_{i+b}\) can affect the value of \(\varDelta d_{i}\), which is an arbitrary bit in \(\varDelta d\);

2. 2.

   An arbitrary bit \(\varDelta x_{i}\) in \(\varDelta x\), can affect only two bits \(\varDelta d_{i-a}\) and \(\varDelta d_{i-b}\) in \(\varDelta d\);

3. 3.

   An arbitrary bit \(x_{i}\) in x can affect at most two bits \(\varDelta d_{i-a}\) and \(\varDelta d_{i-b}\) in \(\varDelta d\). Specifically, \(\varDelta d_{i-a}\) is affected by \(x_{i}\), iff. \(\varDelta x_{i-a+b}=1\); \(\varDelta d_{i-b}\) is affected by \(x_{i}\), iff. \(\varDelta x_{i-b+a}=1\).

Based on Theorem 1, we can construct proper MILP models for SIMON-like block ciphers in the following.

Constraints Imposed by XOR Operations. There are lots of XOR operations in either round functions or key schedules of SIMON-like block ciphers. This turns out be a bottleneck in constructing efficient models if we follow the XOR constraints given in [15, 17], since there will be too many auxiliary variants. However, we note that all possible points can be figured out easily and linear constraints without auxiliary variants can then be obtained using the SageMath code in [17]. We demonstrate this by the following example.

Let \(x\oplus y\oplus z=w\), where x, y, z, \(w \in \mathbb {F}_2\). All possible points for (x, y, z, w) are (0, 0, 0, 0), (0, 0, 1, 1), (0, 1, 0, 1), (0, 1, 1, 0), (1, 0, 0, 1), (1, 0, 1, 0), (1, 1, 0, 0) and (1, 1, 1, 1). We can easily get the linear constraints as follows:

$$ \left\{ \begin{array}{lr} x+y-z+w\ge 0\\ x+y+z-w\ge 0\\ -x+y+z+w\ge 0\\ x-y+z+w\ge 0\\ -x-y+z-w\ge -2\\ x-y-z-w\ge -2\\ -x+y-z-w\ge -2\\ -x-y-z+w\ge -2\\ \end{array}\right. $$

Constraints Imposed by ROTATION-AND Operations. Based on Theorem 1, we divide the n bits input difference and n bits output difference of ROTATION-AND operations into n groups. Specifically, group i (\(0 \le i \le n-1\)) consists of three input difference bits at positions \((i, i+t, i+2t)\) and two output difference bits at positions \((i-b, i+t-b)\), where \(t=|a-b |\).

Taking SIMON32 as an example, we list all 16 groups in Table 2, and all possible points with respect to each group in Table 3. Then we can get the following linear constraints by running the SageMath code [17] on input of all possible points, where there is no auxiliary variants and the feasible region of which contains no invalid characteristics.

$$\left\{ \begin{array}{lr} \varDelta x_{i+t}^{r}-\varDelta x_{i+2t}^{r}-\varDelta d_{i-b}^{r}+\varDelta d_{i+t-b}^{r}\ge -1\\ \\ \varDelta x_{i}^{r}+\varDelta x_{i+t}^{r}-\varDelta d_{i-b}^{r}\ge 0\\ \\ -\varDelta x_{i}^{r}+\varDelta x_{i+t}^{r}+\varDelta d_{i-b}^{r}-\varDelta d_{i+t-b}^{r}\ge -1\\ \\ \varDelta x_{i+t}^{r}+\varDelta x_{i+2t}^{r}-\varDelta d_{i+t-b}^{r}\ge 0\\ \end{array}\right. $$

Table 2. The 16 groups for SIMON32.

Objective Functions. Let the probability of the differential characteristic be \(2^{-w}\). Then we have the following objective function from Theorem 1:

$$\begin{aligned} w=\sum _{r=0}^{R}(2\sum _{i=0}^{n-1}\varDelta x^r_i-\sum _{i=0}^{n-1}\varDelta x^r_i \varDelta x^r_{i+t}-\sum _{i=0}^{n-1}\varDelta x^r_i \varDelta x^r_{i+2t}+\sum _{i=0}^{n-1}\varDelta x^r_i \varDelta x^r_{i+t} \varDelta x^r_{i+2t}). \end{aligned}$$

(1)

However, this objective function of degree three makes it hard to solve the model. To solve this issue, we form n groups with group i consisting of three bits input difference (\(\varDelta x_i^r\), \(\varDelta x_{i+t}^r\), \(\varDelta x_{i+2t}^r\)) as well as an auxiliary variants \(p_i^r\), in order to reduce the degree of the objective function to one.

$$\begin{aligned} w=2\sum _{r=0}^{R} \sum _{i=0}^{n-1} \varDelta x^r_i - \sum _{r=0}^{R} \sum _{i=0}^{n-1} p_i^r. \end{aligned}$$

(2)

Then we can obtain the following linear constraints, taking the relationships between \((\varDelta x_i^r\), \(\varDelta x_{i+t}^r\), \(\varDelta x_{i+2t}^r)\) and \(p_i^r\) as shown in Table 4.

$$\left\{ \begin{array}{lr} \varDelta x_{i+2t}^{r}-p_{i}^{r}\ge 0\\ \\ -\varDelta x_{i}^{r}-\varDelta x_{i+2t}^{r}+p_{i}^{r}\ge -1\\ \\ -\varDelta x_{i+t}^{r}-\varDelta x_{i+2t}^{r}+p_{i}^{r}\ge -1\\ \\ \varDelta x_{i}^{r}+\varDelta x_{i+t}^{r}-p_{i}^{r}\ge 0\\ \end{array}\right. $$

Since the non-linear key schedules of SIMECK essentially reuse its round function, the objective function of SIMECK turns out to

$$\begin{aligned} w=2\sum _{r=0}^{R} \sum _{i=0}^{n-1} \varDelta x^r_i - \sum _{r=0}^{R} \sum _{i=0}^{n-1} p_i^r + 2\sum _{r=1}^{R-3}\sum _{i=0}^{n-1} \varDelta k^{r}_{i} - \sum _{r=1}^{R-3}\sum _{i=0}^{n-1} p_{ki}^{r}. \end{aligned}$$

(3)

4 (Related-Key) Differential Trails for SIMON and SIMECK

In this section, we show the (related-key) differential trails for SIMON and SIMECK, which are automatically searched by solving the MILP models in Sect. 3 using Gurobi. Our results are twofold: first and foremost, we give (long) related-key differential trails for SIMON-like block ciphers for the first time; second, using the same method, we give impossible differentials for SIMON-like block ciphers and recover the trails given by Liu et al. [11], both in the single-key setting.

Table 3. All possible points for each group.

Table 4. The value of auxiliary variant \(p_{i}^{r}\).

4.1 Related-Key Differential Trails

We present optimal related-key differential trails for SIMON32/64 in Table 6, SIMON48/72 and SIMON48/96 in Table 7, SIMECK32/64 and SIMECK48/96 in Table 8. The optimal trails for SIMON64 and SIMECK64 are identical to those for SIMON48 and SIMECK48 respectively.

Except for SIMECK32/64, constrained by the limited computational resources, it is still difficult to obtain longer optimal related-key differential trails for other parameters, whose probabilities may hopefully reach the security margin. To solve this issue, putting some optimal trail in the middle, we search both forwards and backwards until it reaches the security margin. In addition, we observe that there exists an 8-round period for SIMON32/64 in the related-key setting, which yields a 19-round related-key differential trail with probability \(2^{-32}\). These results are summarized in Table 5.

4.2 Single-Key Differential Trails

For obtaining single-key trails, it indeed costs more time by directly solving the MILP models in Sect. 3 than using the method in [11]. However, a key observation is that in optimal single-key differential trails, there is always some round’s input difference with Hamming weight one. This can explained from the following two perspectives: on the one hand, the upper-bound of probability of each round is negatively related to the Hamming weight of its input difference, as proved in [11]; on the other hand, considering the diffusion property, an active input difference bit of some round can make many forward and backward bits active; thus, it is intuitive to require the hamming weight of some round’s input difference to be the least (namely one), for obtaining long trails.

Keeping these in mind, we can recover the results in [11] (R-round optimal single-key differential trails) using much less time, by solving the MILP models with the precondition that there exists some \(r \in \{0,\cdots ,R-1\}\) such that the Hamming weight of the r-th round’s input difference is one.

Table 5. The probabilities of optimal and best related-key differential trails for variants of SIMON and SIMECK. To distinguish from optimal trails, best trails are labeled with *. For simplicity, all probabilities p are given as \((-\log _{2} p)\) in the table.

Table 6. 10 rounds optimal related-key differential trails for SIMON32/64, where the numbers represent the positions of active bits of input difference of each round while ‘-’ represents that there is no active bits.

Table 7. Optimal related-key differential trails for SIMON48.

Table 8. Optimal related-key differential trails for SIMECK32 and SIMECK48.

4.3 Impossible Differentials

Considering the miss-in-the-middle approach and the diffusion property, we search impossible differentials for SIMON-like block ciphers in single-key setting, under that there is only one active bit in either the input difference or the output difference. Then if the MILP models are infeasible under this condition, we get impossible differentials.

Taking the rotational invariance property of SIMON-like block ciphers [20], for each variant of SIMON2n and SIMECK2n, an impossible differential additionally yields \((n-1)\) impossible differentials by rotation. Our main results are listed in Table 9.

Table 9. Impossible differentials for SIMON and SIMECK in single-key.

5 Summary

In this paper, we mainly studied the security of SIMON-like block ciphers in the related-key setting, by a fine-grained analysis of the ROTATION-AND operations. We hope our work helpful in designing key schedules for SIMON-like block ciphers. For future works, it is desirable to obtain longer optimal differential trails in related-key setting, maybe by combining our work with other automatic searching algorithm, e.g., SAT/SMT solver.

Appendices

A Proof of Lemma 1

Proof

Let x and \((x \oplus \varDelta x)\) be two inputs of the function f. We have

$$\begin{aligned} \begin{aligned} \varDelta d&= f(x)\oplus f(x\oplus \varDelta x) \\&= (S^{a}(x)\odot S^{b}(x))\oplus (S^{a}(x\oplus \varDelta x)\odot S^{b}(x\oplus \varDelta x))\\&= S^{a}(x)\odot S^{b}(\varDelta x)\oplus S^{a}(\varDelta x)\odot S^{b}(x)\oplus S^{a}(\varDelta x)\odot S^{b}(\varDelta x) \end{aligned}\end{aligned}$$

(4)

Then for any bit \(\varDelta d_{i}\) in \(\varDelta d\) (\(i=0,\cdots ,n-1\)), we have

$$\begin{aligned} \varDelta d_{i} = x_{i+a}\odot \varDelta x_{i+b}\oplus \varDelta x_{i+a}\odot x_{i+b} \oplus \varDelta x_{i+a}\odot \varDelta x _{i+b} \end{aligned}$$

(5)

Obviously, only two bits in \(\varDelta x\), namely \(\varDelta x_{i+a}\) and \(\varDelta x_{i+b}\) can affect the value of \(\varDelta d_{i}\).

Fix an arbitrary i, assume that \(\varDelta d_{k}\) is affected by \(\varDelta x_{i}\). First, we have

$$\begin{aligned} \varDelta d_{k} = x_{k+a}\odot \varDelta x_{k+b}\oplus \varDelta x_{k+a}\odot x_{k+b} \oplus \varDelta x_{k+a}\odot \varDelta x _{k+b}, \end{aligned}$$

(6)

from Eq. (5). If \(\varDelta d_{k}\) is affected by \(\varDelta x_{i}\), then we have

$$\begin{aligned} i \equiv k+a \mod n \end{aligned}$$

(7)

or

$$\begin{aligned} i \equiv k+b \mod n \end{aligned}$$

(8)

Put it in another form, we have

$$\begin{aligned} k \equiv i-a \mod n \end{aligned}$$

(9)

or

$$\begin{aligned} k \equiv i-b \mod n \end{aligned}$$

(10)

So proved that an arbitrary bit \(\varDelta x_{i}\) can affect only two bits \(\varDelta d_{i-a}\) and \(\varDelta d_{i-b}\).

From Eq. (5), we have that

1. (1)

   if \(\varDelta x_{i+a}=0, \varDelta x_{i+b}=0\), then \(\varDelta d_{i}=0\);

2. (2)

   if \(\varDelta x_{i+a}=1, \varDelta x_{i+b}=1\), then \(\varDelta d_{i}\) = \((x_{i+a}\oplus x_{i+b})\odot 1 \oplus 1\);

3. (3)

   if \(\varDelta x_{i+a} = 1\), \(\varDelta x_{i+b} = 0\), then \(\varDelta d_{i} = \varDelta x_{i+a} \odot x_{i+b} = x_{i+b}\);

4. (4)

   if \(\varDelta x_{i+a} = 0\), \(\varDelta x_{i+b} = 1\), then \(\varDelta d_{i} = x_{i+a} \odot \varDelta x_{i+b} = x_{i+a}\).

Let \(x_i\) denote an arbitrary bit in x. \(\varDelta d_k\) is affected by \(x_i\), iff. \(k \equiv i-a \mod n\) and \(\varDelta x_{k+b}=\varDelta x_{i-a+b} = 1\), or \(k \equiv i-b \mod n\) and \(\varDelta x_{k+a}=\varDelta x_{i-b+a} = 1\).     \(\square \)

B Proof of Theorem 1

Proof

Let \(R_{d}\) be the collection of bits in \(\varDelta d\) which are affected by bits in R. From Lemma 1,

$$R_{d}=\{\varDelta d_{i_{0}-a}, \varDelta d_{i_{0}-b}, \varDelta d_{i_{1}-a}, \varDelta d_{i_{1}-b}, \ldots , \varDelta d_{i_{m-1}-a}, \varDelta d_{i_{m-1}-b} \}$$

There may be duplicate elements in the collection \(R_d\).

1. 1.

   Since \(a \ne b\), then \(i_\ell -a \not \equiv i_\ell -b \mod n\), for \(\ell = 0,\cdots ,m-1\);

2. 2.

   For \(0 \le j \ne k \le m-1\), \(i_j -a \not \equiv i_k - a \mod n\), since \(i_j \ne i_k\);

3. 3.

   For \(0 \le j \ne k \le m-1\), if \(i_j -a \equiv i_k - b \mod n\), then \(i_j - i_k \equiv a - b \mod n\);

4. 4.

   For \(0 \le j \ne k \le m-1\), if \(i_j -b \equiv i_k - a \mod n\), then \(i_j - i_k \equiv b - a \mod n\);

If there exist \(p_1\) pairs of \(\{i_j,i_k\}\) such that \(|i_j-i_k |\equiv |a-b |\mod n\), we have

$$\begin{aligned} i_j-i_k \equiv a-b \mod n \end{aligned}$$

(11)

or

$$\begin{aligned} i_j-i_k \equiv b-a \mod n \end{aligned}$$

(12)

we claim that Eqs. (11) and (12) cannot hold true simultaneously, otherwise it contradicts with \(gcd(n,a-b)=1\). Let \(R_d'\) denote the set obtained by removing duplicate elements from the collection \(R_d\). Then if there exist \(p_1\) pairs of \(\{i_j,i_k\}\) such that \(|i_j-i_k |\equiv |a-b |\mod n\), \(|R_d |- |R_d' |= p_1\).

Now we turn to discuss the relationships amongst bits in \(\varDelta d\). First, for \(\varDelta d_k \notin R_d'\), we have \(\varDelta x_{k+a}=0\) and \(\varDelta x_{k+b} = 0\) from Lemma 1; specifically, \(\varDelta d_{k}=0\) holds with probability 1, regardless of the values of \(x_{k+a}\) and \(x_{k+b}\). Thus, we need only to discuss the relationships amongst bits in \(R_d'\). For \(\varDelta d_k \in R_d'\), it has been proved by Lemma 1 that at least one of \(\varDelta x_{k+a}\) and \(\varDelta x_{k+b}\) is active. Specifically,

1. 1.

   \(\varDelta x_{k+a}=1\), \(\varDelta x_{k+b}=0\). In this case, \(\varDelta d_{k}=x_{k+b}\). If there exists some other bit \(\varDelta d_{k}' \in R_d'\) such that \(\varDelta d_{k}'\) is dependent of \(\varDelta d_{k}\), then \(k' \equiv k+b-a \mod n\), since \(\varDelta d_{k+b-a}\) is the only bit which may be affected by \(x_{k+b}\) except for \(\varDelta d_k\) from Lemma 1.

   $$\begin{aligned} \begin{aligned} \varDelta d_{k+b-a}=&\varDelta x_{k+b}\odot x_{k+2b-a}\oplus x_{k+b}\odot \varDelta x_{k+2b-a}\\&\oplus \varDelta x_{k+b}\odot \varDelta x_{k+2b-a} \end{aligned}\end{aligned}$$

   (13)

   If \(\varDelta x_{k+2b-a}\in R\), then \(\varDelta d_{k+b-a}=x_{k+b}=\varDelta d_{k}\); otherwise, \(\varDelta d_{k+b-a}=0\) holds with probability 1 (independent of \(\varDelta d_{k}\)).

2. 2.

   \(\varDelta x_{k+a}=0\), \(\varDelta x_{k+b}=1\). In this case, \(\varDelta d_{k}=x_{k+a}\). If there exists some other bit \(\varDelta d_{k}' \in R_d'\) such that \(\varDelta d_{k}'\) is dependent of \(\varDelta d_{k}\), then \(k' \equiv k+a-b \mod n\), since \(\varDelta d_{k+a-b}\) is the only bit which may be affected by \(x_{k+a}\) except for \(\varDelta d_k\) from Lemma 1.

   $$\begin{aligned} \begin{aligned} \varDelta d_{k+a-b}=&\varDelta x_{k+a}\odot x_{k+2a-b}\oplus x_{k+a}\odot \varDelta x_{k+2a-b}\\&\oplus \varDelta x_{k+a}\odot \varDelta x_{k+2a-b} \end{aligned}\end{aligned}$$

   (14)

   If \(\varDelta x_{k+2a-b}\in R\), then \(\varDelta d_{k+a-b}=x_{k+a}=\varDelta d_{k}\); otherwise, \(\varDelta d_{k+a-b}=0\) holds with probability 1 (independent of \(\varDelta d_{k}\)).

3. 3.

   \(\varDelta x_{k+a}=1\), \(\varDelta x_{k+b}=1\). In this case, \(\varDelta d_{k}=(x_{k+a}\oplus x_{k+b})\odot 1\oplus 1\). From Lemma 1, the only other bit which may be affected by \(x_{k+a}\) is \(\varDelta d_{k+a-b}\). Specifically, the following equation holds if \(\varDelta x_{k+2a-b} \in R\).

   $$\begin{aligned} \varDelta d_{k+a-b}=(x_{k+2a-b}\oplus x_{k+a})\odot 1\oplus 1 \end{aligned}$$

   (15)

   From Lemma 1, the only other bit which may be affected by \(x_{k+b}\) is \(\varDelta d_{k+b-a}\). Specifically, the following equation holds if \(\varDelta x_{k+2b-a} \in R\).

   $$\begin{aligned} \varDelta d_{k+b-a}=(x_{k+b}\oplus x_{k+2b-a})\odot 1\oplus 1 \end{aligned}$$

   (16)

   It is obvious that \(\varDelta d_k\) can be dependent of other bit(s) in \(R_d'\), only in the case that \(\varDelta x_{k+2a-b},\varDelta x_{k+2b-a} \in R\). However, since \(\varDelta d_{k+b-a}\) and \(\varDelta d_{k+a-b}\) introduce the new bits (variants) of \(x_{k+2a-b}\) and \(x_{k+2b-a}\) respectively, we should involve more elements in \(R_d'\) to reduce the effects of \(x_{k+2a-b}\) and \(x_{k+2b-a}\). Again from Lemma 1, the only other bit affected by \(x_{k+2a-b}\) (\(x_{k+2b-a}\)) is \(\varDelta d_{k+2a-2b} = (x_{k+3a-2b}\oplus x_{k+2a-b})\odot 1\oplus 1\) (\(\varDelta d_{k+2b-2a} =(x_{k+2b-a}\oplus x_{k+3b-2a})\odot 1\oplus 1\)) on condition that \(\varDelta x_{k+3a-2b} \in R\) (\(\varDelta x_{k+3b-2a} \in R\)).

   Thus, in order to eliminate the effects of \(x_{k+2a-b}\) and \(x_{k+2b-a}\), the only choice (from Lemma 1) is involving the new bits of \(\varDelta d_{k+2a-2b}\) and \(\varDelta d_{k+2b-2a}\), which can indeed eliminate \(x_{k+2a-b}\) and \(x_{k+2b-a}\) however introduce two new variants of \(x_{k+3a-2b}\) and \(x_{k+3b-2a}\). Under the condition \(gcd(n,a-b)=1\), this eliminating-while-introducing process will succeed iff. \(|R |= n\), and the probability of each possible value of \(\varDelta d\) is \(2^{-(n-1)}\) which coincides with the result in [11]. On the other hand, \(\varDelta d_{k}=(x_{k+a}\oplus x_{k+b})\odot 1\oplus 1\) is independent of other bits in \(R_d'\) when \(|R |< n\).

    \(\square \)

For a better understanding, we give an example with (n, a, b)=(8, 0, 3) as shown in Fig. 3. Assume that \(\varDelta x_{0}=1\), \(\varDelta x_{3}=1\). Only in the case where all input difference bits are active, can \(\varDelta d_0\) be dependent of other bits in \(\varDelta d\), namely \(\varDelta d_0 = \varDelta d_1 \oplus \cdots \oplus \varDelta d_7\).

1. 1.

   \(\varDelta d_0 = (x_0 \oplus x_3) \odot 1 \oplus 1\)

2. 2.

   \(\varDelta d_5 = (x_0 \oplus x_5) \odot 1 \oplus 1\), when \(\varDelta x_5=1\); \(\varDelta d_3 = (x_6 \oplus x_3) \odot 1 \oplus 1\), when \(\varDelta x_6=1\)

3. 3.

   \(\varDelta d_2 = (x_2 \oplus x_5) \odot 1 \oplus 1\), when \(\varDelta x_2=1\); \(\varDelta d_6 = (x_6 \oplus x_1) \odot 1 \oplus 1\), when \(\varDelta x_1=1\)

4. 4.

   \(\varDelta d_7 = (x_2 \oplus x_7) \odot 1 \oplus 1\), when \(\varDelta x_7=1\); \(\varDelta d_1 = (x_1 \oplus x_4) \odot 1 \oplus 1\), when \(\varDelta x_4=1\)

5. 5.

   \(\varDelta d_4 = (x_4 \oplus x_7) \odot 1 \oplus 1\)

Fig. 3.

The affected relationship between input and output difference bits of ROTATION-AND.

Essentially, given \(gcd(n,a-b)=1\), there is only one cycle (\( \left( \begin{array}{cccccccc} 3 &{} 6 &{} 1 &{} 4 &{} 7 &{} 2 &{} 5 &{} 0 \\ 6 &{} 1 &{} 4 &{} 7 &{} 2 &{} 5 &{} 0 &{} 3\\ \end{array} \right) \) in this example). More generally, when \(gcd(n, a-b) = t\), there will be t cycles, and this in some way explains the rationalities of such requirement \(gcd(n,a-b)=1\).