On the best linear approximation of addition modulo 2ⁿ

Abstract

In this paper, the best linear approximations of addition modulo 2ⁿ are studied. Let x = (x _n−1, x _n−2,…,x ₀) and y = (y _n−1, y _n−2,…,y ₀) be any two n-bit integers, and let z = x + y (mod 2ⁿ). Firstly, all the correlations of a single bit z _i approximated by x _j ’s and y _j ’s (0 ≤ i, j ≤ n − 1) are characterized, and similar results are obtained for the linear approximation of the xoring of the neighboring bits of z _i ’s. Then the maximum correlations and the best linear approximations are presented when these z _j ’s (0 ≤ j ≤ n − 1) are xored in any given means.

Appendices

Appendix A: The proof of Lemma 3.2

Let z _i , σ _i be defined the same as in the proof of Lemma 3.1, then from the (3.1) we have

$$ \sigma_{i+1}=\left\{ \begin{array}{c} 0,\text{\ if }x_{i}=y_{i}=0\text{,} \\ 1,\text{\ if }x_{i}=y_{i}=1\text{,} \\ \sigma_{i},\text{\ if }x_{i}\oplus y_{i}=1\text{.} \end{array} \right. $$

(1.1)

If c(2ⁱ⁺¹;v, w) ≠ 0, then from Lemma 3.1 we have 2ⁱ⁺¹ ≤ v, w ≤ 2ⁱ⁺². Without loss of generality, we can assume that v = v ^′⊕v _i 2ⁱ ⊕ 2ⁱ⁺¹, w ^′⊕w _i 2ⁱ ⊕ 2ⁱ⁺¹, where 0 ≤ v ^′, w ^′ < 2ⁱ, and v _i , w _i ∈ {0, 1}. Thus from the definition of c(2ⁱ⁺¹;v, w), we have

$$\begin{array}{@{}rcl@{}} c(2^{i+1};v,w) &=&2\cdot \Pr (z_{i+1}=x_{i+1}\oplus y_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y)-1 \\ &=&2\cdot \Pr (\sigma_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0)-1. \end{array} $$

(1.2)

On the other hand, using the total probability formula and the (A.1), we have

$$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0|x_{i}=y_{i}=0)\Pr (x_{i}=y_{i}=0) \\ &&+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=v_{i}\oplus w_{i}\oplus 1|x_{i}=y_{i}=1)\Pr (x_{i}=y_{i}=1) \\ &&+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=v_{i}\oplus \sigma_{i}|x_{i}=1,y_{i}=0)\Pr (x_{i}=1,y_{i}=0) \\ &&+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=w_{i}\oplus \sigma_{i}|x_{i}=0,y_{i}=1)\Pr (x_{i}=0,y_{i}=1) \\ &=&\frac{1}{4}(\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0)+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=v_{i}\oplus w_{i}\oplus 1) \\ &&+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=v_{i}\oplus \sigma_{i})+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=\sigma_{i}\oplus w_{i})). \end{array} $$

(1.3)

Next we will show the (3.2) holds according to the following three cases.

1. (i)

   If v _i ⊕w _i = 1, then Pr(v ^′⋅x⊕w ^′⋅y = v _i ⊕σ _i )+ Pr(v ^′⋅x⊕w ^′⋅y = σ _i ⊕w _i )=1, thus from the (A.3) we have

   $$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{2}\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0)+\frac{1}{4} . \end{array} $$

   Since

   $$\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0)=\left\{ \begin{array}{l} 1,\text{\ if }v^{\prime }=w^{\prime }=0, \\ \frac{1}{2},\text{ otherwise,} \end{array} \right. $$

   then combining with the (A.2) we know that

   $$c(2^{i+1};v^{\prime }\oplus v_{i}2^{i}\oplus 2^{i+1},w^{\prime }\oplus w_{i}2^{i}\oplus 2^{i+1})=\left\{ \begin{array}{l} \frac{1}{2},\text{\ if }v^{\prime }=w^{\prime }=0, \\ 0,\text{ otherwise.} \end{array} \right. $$

   Thus the (3.2) holds when \(v_{^{i}}\oplus w_{^{i}}=1\).

2. (ii)

   If v _i = w _i = 0, then v = 2ⁱ⁺¹⊕v ^′, w = 2ⁱ⁺¹⊕w ^′. Thus from the (A.3), we have

   $$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\Pr (\sigma_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\cdot \frac{1+c(2^{i};v^{\prime }\oplus 2^{i},w^{\prime }\oplus 2^{i})}{2} \\ &=&\frac{1}{2}+\frac{1}{4}c(2^{i};v^{\prime }\oplus 2^{i},w^{\prime }\oplus 2^{i}). \end{array} $$

   It follows that \(c(2^{i+1};2^{i+1}\oplus v_{i}2^{i}\oplus v^{\prime },2^{i+1}\oplus w_{i}2^{i}\oplus w^{\prime })=\frac {1}{2}c(2^{i};2^{i}\oplus v^{\prime },2^{i}\oplus w^{\prime }),\) and the (3.2) holds when v _i = w _i = 0.

3. (iii)

   If v _i = w _i = 1, then we have v = 2ⁱ⁺¹ ⊕ 2ⁱ⊕v ^′, w = 2ⁱ⁺¹ ⊕ 2ⁱ⊕w ^′. Thus from the (1.3), we have

   $$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\Pr (\sigma_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=1) \\ &=&\frac{1}{4}+\frac{1}{2}\cdot \frac{1-c(2^{i};v^{\prime }\oplus 2^{i},w^{\prime }\oplus 2^{i})}{2} \\ &=&\frac{1}{2}-\frac{1}{4}c(2^{i};v^{\prime }\oplus 2^{i},w^{\prime }\oplus 2^{i}). \end{array} $$

   It follows that \(c(2^{i+1};v^{\prime }\oplus v_{i}2^{i}\oplus 2^{i+1},w^{\prime }\oplus w_{i}2^{i}\oplus 2^{i+1})=-\frac {1}{2} c(2^{i};v^{\prime }\oplus 2^{i},w^{\prime }\oplus 2^{i}),\) and the (3.2) holds when v _i = w _i = 1.

Appendix B: The proof of Lemma 3.3

Let z _i , σ _i be defined the same as in the proof of Lemma 3.1. If c(2ⁱ ⊕ 2ⁱ⁺¹;v, w) ≠ 0, then from Lemma 3.1 we have 2ⁱ⁺¹ ≤ v, w ≤ 2ⁱ⁺². Without loss of generality, we can assume that v = v ^′⊕v _i 2ⁱ ⊕ 2ⁱ⁺¹ , w = w ^′⊕w _i 2ⁱ ⊕ 2ⁱ⁺¹, where 0 ≤ v ^′, w ^′ < 2ⁱ, and v _i , w _i ∈ {0,1}. Thus from the definition of c(2ⁱ ⊕ 2ⁱ⁺¹;v, w) and x _i+1⊕y _i+1⊕z _i+1 = σ _i+1 we have

$$\begin{array}{@{}rcl@{}} &&c(2^{i}\oplus 2^{i+1};v,w) \\ &=&2\cdot \Pr (z_{i}\oplus z_{i+1}=x_{i+1}\oplus y_{i+1}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y)-1 \\ &=&2\cdot \Pr (\sigma_{i+1}\oplus z_{i}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0)-1. \end{array} $$

(2.1)

On the other hand, from the (A.1) that

$$\sigma_{i+1}=\left\{ \begin{array}{c} 0,\text{\ if }x_{i}=y_{i}=0\text{,} \\ 1,\text{\ if }x_{i}=y_{i}=1\text{,} \\ \sigma_{i},\text{\ if }x_{i}\oplus y_{i}=1\text{,} \end{array} \right. $$

using the total probability formula we can further derive that

$$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus z_{i}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}(\Pr (\sigma_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0)+\Pr (\sigma_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=v_{i}\oplus w_{i}\oplus 1) \\ &&+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=v_{i}\oplus 1)+\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=w_{i}\oplus 1)). \end{array} $$

(2.2)

Next we will show the (3.3) holds according to the following three cases.

1. (i)

   If v _i = w _i = 1, then we have v = 2ⁱ⁺¹ ⊕ 2ⁱ⊕v ^′, w = 2ⁱ⁺¹ ⊕ 2ⁱ⊕w ^′. Thus from the (B.2), we have

   $$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus z_{i}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\Pr (v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0). \end{array} $$

   Since Pr(v ^′⋅x⊕w ^′⋅y = 0)=1 if v ^′ = w ^′ = 0 and 1/2 otherwise, then we know that c(2ⁱ⁺¹ ⊕ 2ⁱ;v, w) = 1/2 if v ^′ = w ^′ = 0 and 0 otherwise. Thus the (3.3) holds when v _i = w _i = 1.

2. (ii)

   If v _i = w _i = 0, similar as case (i), we can show that c(2ⁱ⁺¹ ⊕ 2ⁱ;v, w) = 1/2 if and only if v ^′ = w ^′ = 0. Thus the (3.3) holds when v _i = w _i = 0.

3. (iii)

   If v _i ⊕w _i = 1, since σ _i = x _i ⊕y _i ⊕z _i , then from the (B.2) we have

   $$\begin{array}{@{}rcl@{}} &&\Pr (\sigma_{i+1}\oplus z_{i}\oplus v_{i}x_{i}\oplus w_{i}y_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\Pr (\sigma_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\Pr (x_{i}\oplus y_{i}\oplus z_{i}\oplus v^{\prime }\cdot x\oplus w^{\prime }\cdot y=0) \\ &=&\frac{1}{4}+\frac{1}{2}\cdot \frac{1+c(2^{i};2^{i}\oplus v^{\prime },2^{i}\oplus w^{\prime })}{2}. \end{array} $$

   Thus combining with the (B.1) we know that \(c(2^{i+1}\oplus 2^{i};2^{i+1}\oplus v_{^{i}}2^{i}\oplus v^{\prime },2^{i+1}\oplus w_{^{i}}2^{i}\oplus w^{\prime })=\frac {1}{2} c(2^{i};2^{i}\oplus v^{\prime },2^{i}\oplus w^{\prime }).\) Hence the (3.3) holds when v _i ⊕w _i = 1.