A Proof of Theorem 1
Proof
The state update function of MORUS-640 under \(\mathrm {AD_1}\) is expressed as follows:
$$\begin{aligned} (x_0, x_1, x_2, x_3, x_4) = \mathrm {StateUpdate}((s_0, s_1, s_2, s_3, s_4), \mathrm {AD_1})\,, \end{aligned}$$
(34)
where
$$\begin{aligned} x_0&= \mathrm {Rotl\_xxx\_yy}(s_0 \oplus (s_1\wedge s_2) \oplus s_3, 5)\lll 96\,, \end{aligned}$$
(35)
$$\begin{aligned} x_1&= \mathrm {Rotl\_xxx\_yy}(s_1 \oplus (s_2\wedge (s_3\lll 32)) \oplus s_4 \oplus \mathrm {AD_1}, 31)\lll 64\,, \end{aligned}$$
(36)
$$\begin{aligned} x_2&= \mathrm {Rotl\_xxx\_yy}(s_2 \oplus ((s_3 \lll 32)\wedge (s_4\lll 64)) \oplus \nonumber \\&\qquad \qquad \qquad (x_0 \ggg 96) \oplus \mathrm {AD_1}, 7)\lll 32\,, \end{aligned}$$
(37)
$$\begin{aligned} x_3&= \mathrm {Rotl\_xxx\_yy}((s_3 \lll 32) \oplus ((s_4 \lll 64)\wedge x_0) \oplus \nonumber \\&\qquad \qquad \qquad (x_1 \ggg 64) \oplus \mathrm {AD_1}, 22)\,, \end{aligned}$$
(38)
$$\begin{aligned} x_4&= \mathrm {Rotl\_xxx\_yy}((s_4 \lll 64) \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg 32) \oplus \mathrm {AD_1}, 13)\,. \end{aligned}$$
(39)
We recall that each element \(x_j\) and \(y_j\) of the states \(X = (x_0, x_1, x_2, x_3, x_4)\) and \(Y = (y_0, y_1, y_2, y_3, y_4)\) is 128 bits in size, organized as an array of four 32-bit words. Denote these words as \(x_j=(x_{j0}, x_{j1}, x_{j2}, x_{j3})\) and \(y_j=(y_{j0}, y_{j1}, y_{j2}, y_{j3})\), where \(|x_{ji}| = |y_{ji}| = 32\) bits for \(0 \le j \le 4\), \(0 \le i \le 3\).
Proof of Statement 1: \(x_0 = y_0\). Since Eq. (35) does not depend on the associated data block, it will be the same for both \(\mathrm {AD}_1\) and \(\mathrm {AD}_2\). It follows that \(x_0=y_0\).
Proof of Statement 2: Difference Between Words \(x_1\) and \(y_1\). In Eq. (36) denote
$$\begin{aligned} a_1&= s_1 \oplus (s_2 \wedge (s_3 \lll 32)) \oplus s_4\,, \end{aligned}$$
(40)
$$\begin{aligned} b_1&= (b_{10}, b_{11}, b_{12}, b_{13})\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1 \oplus \mathrm {AD}_1, 31) \nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1, 31)\,. \end{aligned}$$
(41)
After rotation by 64 (see Eq. (36)) we have
$$\begin{aligned} x_1=(x_{10}, x_{11}, x_{12}, x_{13})= (b_{12}, b_{13}, b_{10}, b_{11})\,. \end{aligned}$$
(42)
For the second associated data block \(\mathrm {AD}_2 = (0^{(127)}||1)\) denote
$$\begin{aligned} c_1&= (c_{10}, c_{11}, c_{12}, c_{13})\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1 \oplus \mathrm {AD}_2, 31)\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1 \oplus (0^{(127)}||1), 31)\,. \end{aligned}$$
(43)
Analogously to \(\mathrm {AD}_1\), after rotation by 64 (see Eq. (36)) we get
$$\begin{aligned} y_1=(y_{10}, y_{11}, y_{12}, y_{13})= (x_{10}, x_{11}\oplus (1||0^{(31)}), x_{12}, x_{13})\,. \end{aligned}$$
(44)
For the words of \(b_1\) and \(c_1\), the following equalities hold:
$$\begin{aligned} c_{10}&= b_{10} = x_{12}\,, \end{aligned}$$
(45)
$$\begin{aligned} c_{11}&= b_{11} = x_{13}\,, \end{aligned}$$
(46)
$$\begin{aligned} c_{12}&= b_{12} = x_{10}\,, \end{aligned}$$
(47)
$$\begin{aligned} c_{13}&= b_{13} \oplus (1||0^{(31)}) = x_{11} \oplus (1||0^{(31)})\,. \end{aligned}$$
(48)
Therefore \(x_1\) and \(y_1\) differ only in the 33rd bit (counting from MSB to LSB).
Proof of Statement 3: Difference Between Words \(x_2\) and \(y_2\). In Eq. (37) denote
$$\begin{aligned} a_2&= s_2 \oplus ((s_3 \lll 32)\wedge (s_4\lll 64)) \oplus (x_0 \ggg 96)\,, \end{aligned}$$
(49)
$$\begin{aligned} b_2&= (b_{20}, b_{21}, b_{22}, b_{23})\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2 \oplus \mathrm {AD}_1, 7)\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2, 7)\,. \end{aligned}$$
(50)
After rotation by 32 (see Eq. (37)) we have
$$\begin{aligned} x_2 = (x_{20}, x_{21}, x_{22}, x_{23})= (b_{21}, b_{22}, b_{23}, b_{20})\,. \end{aligned}$$
(51)
For the second associated data block \(\mathrm {AD}_2 = (0^{(127)}||1)\) denote
$$\begin{aligned} c_2&= (c_{20}, c_{21}, c_{22}, c_{23}) \nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2 \oplus \mathrm {AD}_2, 7) \nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2 \oplus (0^{(127)}||1), 7)\,. \end{aligned}$$
(52)
For the words of \(b_2\) and \(c_2\), the following equalities hold:
$$\begin{aligned} c_{20}&= b_{20} = x_{23}\,, \end{aligned}$$
(53)
$$\begin{aligned} c_{21}&= b_{21} = x_{20}\,, \end{aligned}$$
(54)
$$\begin{aligned} c_{22}&= b_{22} = x_{21}\,, \end{aligned}$$
(55)
$$\begin{aligned} c_{23}&= b_{23} \oplus (0^{(24)}||1||0^{(7)}) = x_{22} \oplus (0^{(24)}||1||0^{(7)})\,, \end{aligned}$$
(56)
and so
$$\begin{aligned} y_2 = (y_{20}, y_{21}, y_{22}, y_{23}) = (x_{20}, x_{21}, x_{22} \oplus (0^{(24)}||1||0^{(7)}), x_{23})\,. \end{aligned}$$
(57)
Therefore \(x_2\) and \(y_2\) differ only in the 89th bit (counting from MSB to LSB).
Proof of Statement 4: Difference Between Words \(x_3\) and \(y_3\). In Eq. (38) denote
$$\begin{aligned} a_3 = (s_3 \lll 32) \oplus ((s_4 \lll 64) \wedge x_0)\,. \end{aligned}$$
(58)
For \(x_3\) we have
$$\begin{aligned} x_3&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_1 \ggg 64) \oplus \mathrm {AD}_1, 22) \end{aligned}$$
(59)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_{12}, x_{13}, x_{10}, x_{11}), 22) \end{aligned}$$
(60)
$$\begin{aligned}&= ((a_{30} \oplus x_{12})\lll 22,~ (a_{31} \oplus x_{13})\lll 22,~(a_{32} \oplus x_{10})\lll 22,\nonumber \\&\qquad \qquad (a_{33} \oplus x_{11})\lll 22) \end{aligned}$$
(61)
$$\begin{aligned}&= (x_{30}, x_{31}, x_{32}, x_{33})\,. \end{aligned}$$
(62)
For \(y_3\) we have
$$\begin{aligned} y_3&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (y_1 \ggg 64) \oplus \mathrm {AD}_2, 22) \end{aligned}$$
(63)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_{12}, x_{13}, x_{10}, x_{11} \oplus (1||0^{(31)})) \oplus (0^{(127)}||1), 22) \end{aligned}$$
(64)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_{12}, x_{13}, x_{10}, x_{11} \oplus (1||0^{(31)}) \oplus (0^{(31)}||1)), 22) \end{aligned}$$
(65)
$$\begin{aligned}&= ((a_{30} \oplus x_{12})\lll 22, (a_{31} \oplus x_{13})\lll 22, (a_{32} \oplus x_{10})\lll 22,\nonumber \\&\qquad (a_{33} \oplus x_{11}\oplus (1||0^{(31)}) \oplus (0^{(31)}||1))\lll 22) \end{aligned}$$
(66)
$$\begin{aligned}&= (x_{30}, x_{31}, x_{32}, x_{33} \oplus (0^{(9)}||11||0^{(21)}))\,. \end{aligned}$$
(67)
Therefore \(x_3\) and \(y_3\) differ only in the 106th and 107th bits (counting from MSB to LSB).
Proof of Statement 5: Difference Between Words \(x_4\) and \(y_4\). In Eq. (39) denote
$$\begin{aligned} a_4 = s_4 \lll w_1\,. \end{aligned}$$
(68)
Then \(x_4\) can be expressed as:
$$\begin{aligned} x_4&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg 32) \oplus \mathrm {AD}_1, 13) \end{aligned}$$
(69)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (x_0 \wedge x_1) \oplus (x_{23}, x_{20}, x_{21}, x_{22}), 13) \end{aligned}$$
(70)
$$\begin{aligned}&= ((a_{40} \oplus (x_{00} \wedge x_{10}) \oplus x_{23})\lll 13,~ (a_{41} \oplus (x_{01} \wedge x_{11}) \oplus x_{20})\lll 13,\nonumber \\&\qquad (a_{42} \oplus (x_{02} \wedge x_{12}) \oplus x_{21})\lll 13,~ (a_{43} \oplus (x_{03} \wedge x_{13}) \oplus x_{22})\lll 13) \end{aligned}$$
(71)
$$\begin{aligned}&=(x_{40}, x_{41}, x_{42}, x_{43})\,, \end{aligned}$$
(72)
and \(y_4\) is expressed as:
$$\begin{aligned} y_4&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (y_0 \wedge y_1) \oplus (y_2 \ggg 32) \oplus \mathrm {AD}_2, 13) \end{aligned}$$
(73)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (x_0 \wedge y_1) \oplus \nonumber \\&\qquad (x_{23}, x_{20}, x_{21}, x_{22} \oplus (0^{(24)}||1||0^{(7)})) \oplus (0^{(127)}||1), 13) \end{aligned}$$
(74)
$$\begin{aligned}&= ((a_{40} \oplus (x_{00} \wedge x_{10}) \oplus x_{23})\lll 13,\nonumber \\&\qquad (a_{41} \oplus (x_{01} \wedge (x_{11}\oplus (1||0^{(31)}))) \oplus x_{20})\lll 13,\nonumber \\&\qquad (a_{42} \oplus (x_{02} \wedge x_{12}) \oplus x_{21})\lll 13,\nonumber \\&\qquad (a_{43} \oplus (x_{03} \wedge x_{13}) \oplus x_{22} \oplus (0^{(24)}||1||0^{(6)}||1) )\lll 13) \end{aligned}$$
(75)
$$\begin{aligned}&= ((a_{40} \oplus (x_{00} \wedge x_{10}) \oplus x_{23})\lll 13,\nonumber \\&\qquad (a_{41} \oplus (x_{01} \wedge (x_{11}\oplus (1||0^{(31)}))) \oplus x_{20})\lll 13,\nonumber \\& \qquad (a_{42} \oplus (x_{02} \wedge x_{12}) \oplus x_{21})\lll 13,\nonumber \\&\qquad (a_{43} \oplus (x_{03} \wedge x_{13}) \oplus x_{22})\lll 13 \oplus (0^{(11)}||1||0^{(6)}||1||0^{(13)})) \end{aligned}$$
(76)
$$\begin{aligned}&= (x_{40}, x'_{41}, x_{42}, x_{43} \oplus (0^{(11)}||1||0^{(6)}||1||0^{(13)}))\,, \end{aligned}$$
(77)
where \(x'_{41}\) differs from \(x_{41}\) at most in the first (i.e. most significant) bit with probability 1/2. Therefore \(x_4\) and \(y_4\) differ only in the 108th and 115th bits, and the 33rd bit is different with probability 1/2. \(\square \)
B Derivation of the System of Equations (33) in Sect. 6
Let \(X=(x_0, x_1, x_2, x_3, x_4)=\mathrm {StateUpdate}(S^0,AD_1)\), and \(Y=(y_0, y_1, y_2, y_3, y_4)=\mathrm {StateUpdate}(S^0,AD_2)\). Let \(x_1 \oplus y_1 = x_2 \oplus y_2 = x_3 \oplus y_3 = x_4 \oplus y_4=\varDelta M\). Clearly \(x_0 = y_0\).
For \(x_1 \oplus y_1\) we derive:
$$\begin{aligned}&x_1 \oplus y_1 = \mathrm {Rotl\_xxx\_yy}(s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus s_4 \oplus \mathrm {AD}_1, b_1) \lll w_3 \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {Rotl\_xxx\_yy}(s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus s_4 \oplus \mathrm {AD}_2, b_1) \lll w_3 \end{aligned}$$
(78)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_1 \oplus y_1) \ggg w_3, b_1) = s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus \nonumber \\&\qquad \qquad \qquad s_4\oplus \mathrm {AD}_1\oplus s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus s_4 \oplus \mathrm {AD}_2 \end{aligned}$$
(79)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_1 \oplus y_1) \ggg w_3, b_1) = \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(80)
For \(x_2 \oplus y_2\) we derive:
$$\begin{aligned}&x_2 \oplus y_2 = \mathrm {Rotl\_xxx\_yy}(s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (x_0 \ggg w_2) \oplus \mathrm {AD}_1, b_2) \lll w_4 \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {Rotl\_xxx\_yy}(s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (y_0 \ggg w_2) \oplus \mathrm {AD}_2, b_2) \lll w_4 \end{aligned}$$
(81)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_2 \oplus y_2) \ggg w_4, b_2) = s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (x_0 \ggg w_2) \oplus \mathrm {AD}_1 \oplus s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (y_0 \ggg w_2) \oplus \mathrm {AD}_2 \end{aligned}$$
(82)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_2 \oplus y_2) \ggg w_4, b_2) = \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(83)
For \(x_3 \oplus y_3\) we derive:
$$\begin{aligned}&x_3 \oplus y_3 = \mathrm {Rotl\_xxx\_yy}((s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge x_0) \oplus (x_1 \ggg w_3) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1, b_3) \oplus \mathrm {Rotl\_xxx\_yy}((s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge y_0) \oplus \nonumber \\&\qquad \qquad \qquad (y_1 \ggg w_3) \oplus \mathrm {AD}_2, b_3) \end{aligned}$$
(84)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_3 \oplus y_3, b_3) = \nonumber \\&\qquad \qquad \qquad (s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge x_0) \oplus (x_1 \ggg w_3) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1 \oplus (s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge y_0) \oplus (y_1 \ggg w_3) \oplus \mathrm {AD}_2 \end{aligned}$$
(85)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_3 \oplus y_3, b_3) = (x_1 \ggg w_3) \oplus (y_1 \ggg w_3) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(86)
For \(x_4 \oplus y_4\) we derive:
$$\begin{aligned}&x_4 \oplus y_4 = \mathrm {Rotl\_xxx\_yy}((s_4 \lll w_1) \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg w_4) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1, b_4) \oplus \mathrm {Rotl\_xxx\_yy}((s_4 \lll w_1) \oplus (y_0 \wedge y_1) \oplus \nonumber \\&\qquad \qquad \qquad (y_2 \ggg w_4) \oplus \mathrm {AD}_2, b_4) \end{aligned}$$
(87)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_4 \oplus y_4, b_4) = (s_4 \lll w_1) \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg w_4) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1 \oplus (s_4 \lll w_1) \oplus (y_0 \wedge y_1) \oplus (y_2 \ggg w_4) \oplus \mathrm {AD}_2 \end{aligned}$$
(88)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_4 \oplus y_4, b_4) = (x_0 \wedge x_1) \oplus (y_0 \wedge y_1) \oplus (x_2 \ggg w_4) \oplus \nonumber \\&\qquad \qquad \qquad (y_2 \ggg w_4) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(89)
From Eqs. (80), (83), (86) and (89) we obtain the following system that is equivalent to the system (33) from Sect. 6:
$$\begin{aligned} {\left\{ \begin{array}{ll} &{}\mathrm {Rotr\_xxx\_yy}((x_1 \oplus y_1) \ggg w_3, b_1) = \mathrm {AD}_1 \oplus \mathrm {AD}_2\\ &{}\mathrm {Rotr\_xxx\_yy}((x_2 \oplus y_2) \ggg w_4, b_2) = \mathrm {AD}_1 \oplus \mathrm {AD}_2\\ &{}\mathrm {Rotr\_xxx\_yy}(x_3 \oplus y_3, b_3) = (x_1 \ggg w_3) \oplus (y_1 \ggg w_3) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2\\ &{}\mathrm {Rotr\_xxx\_yy}(x_4 \oplus y_4, b_4) = (x_0 \wedge x_1) \oplus (y_0 \wedge y_1) \oplus (x_2 \ggg w_4) \oplus \\ &{}\qquad \qquad \qquad \qquad \qquad \qquad (y_2 \ggg w_4) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{array}\right. } \end{aligned}$$
(90)
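The following Python code is an added example, not code from the paper: it implements the state update of Eqs. (35) to (39), lists the differing bit positions of Statements 1 to 4 of Theorem 1, and checks the system (90) for arbitrary states and associated-data pairs. It assumes \(\mathrm {AD}_1 = 0^{(128)}\) (as Eq. (41) implies), takes \(w_0,\ldots ,w_4\) and the per-word rotation amounts from the constants appearing in Eqs. (35) to (39), and represents each 128-bit element as an integer with word 0 most significant; all function names are chosen for this example.

```python
MASK128 = (1 << 128) - 1
W0, W1, W2, W3, W4 = 32, 64, 96, 64, 32  # 128-bit rotations w_0..w_4, read off Eqs. (35)-(39)
B0, B1, B2, B3, B4 = 5, 31, 7, 22, 13    # per-word rotation amounts of Rotl_xxx_yy

def rotl128(v, n):
    return ((v << n) | (v >> (128 - n))) & MASK128

def rotr128(v, n):
    return rotl128(v, 128 - n)

def rotl_words(v, b):
    """Rotl_xxx_yy: rotate each of the four 32-bit words left by b bits."""
    words = [(v >> (32 * i)) & 0xFFFFFFFF for i in range(4)]
    return sum((((w << b) | (w >> (32 - b))) & 0xFFFFFFFF) << (32 * i)
               for i, w in enumerate(words))

def rotr_words(v, b):
    return rotl_words(v, 32 - b)

def state_update(s, ad):
    """Eqs. (35)-(39); s is a tuple of five 128-bit integers (s_0, ..., s_4)."""
    s0, s1, s2, s3, s4 = s
    s3r, s4r = rotl128(s3, W0), rotl128(s4, W1)
    x0 = rotl128(rotl_words(s0 ^ (s1 & s2) ^ s3, B0), W2)
    x1 = rotl128(rotl_words(s1 ^ (s2 & s3r) ^ s4 ^ ad, B1), W3)
    x2 = rotl128(rotl_words(s2 ^ (s3r & s4r) ^ rotr128(x0, W2) ^ ad, B2), W4)
    x3 = rotl_words(s3r ^ (s4r & x0) ^ rotr128(x1, W3) ^ ad, B3)
    x4 = rotl_words(s4r ^ (x0 & x1) ^ rotr128(x2, W4) ^ ad, B4)
    return x0, x1, x2, x3, x4

def diff_bits(a, b):
    """Bit positions where a and b differ, numbered 1..128 from MSB to LSB."""
    return [128 - i for i in range(127, -1, -1) if ((a ^ b) >> i) & 1]

def theorem1_diffs(s):
    """Statements 1-4 with AD_1 = 0^(128) (assumed from Eq. (41)), AD_2 = 0^(127)||1."""
    x, y = state_update(s, 0), state_update(s, 1)
    return [diff_bits(x[j], y[j]) for j in range(4)]

def system_90_holds(s, ad1, ad2):
    """Check the four equations of system (90) for one state and one AD pair."""
    x, y = state_update(s, ad1), state_update(s, ad2)
    d = ad1 ^ ad2
    # Rotation is linear over XOR, so (x_1 >>> w_3) xor (y_1 >>> w_3) equals r1.
    r1, r2 = rotr128(x[1] ^ y[1], W3), rotr128(x[2] ^ y[2], W4)
    return (rotr_words(r1, B1) == d and rotr_words(r2, B2) == d
            and rotr_words(x[3] ^ y[3], B3) == r1 ^ d
            and rotr_words(x[4] ^ y[4], B4) == (x[0] & x[1]) ^ (y[0] & y[1]) ^ r2 ^ d)
```

For any state `s`, `theorem1_diffs(s)` returns `[[], [33], [89], [106, 107]]`, independent of the state words, which is what makes the differences of Statements 1 to 4 hold with probability 1.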