Optimization of the algorithm to compute the guaranteed number of activations in \(\textsf{XS}\)-circuits and its application to the analysis of block ciphers

Abstract

The guaranteed number of activations (GNA) is an important characteristic to determine the effectiveness of differential cryptanalysis of a given \(\textsf{XS}\)-circuit. In this paper, we propose an approach to optimize the known algorithm for GNA computation based on the branch and bound method. We also analyze special matrices that define \(\textsf{XS}\)-circuit. The experiments show that the proposed algorithm significantly outperforms the existing approach. In this paper, we prove that canonical forms of \(\textsf{XS}\)-circuit and its dual coincide, providing the strict connection between the guaranteed number of linear and differential activations. The circuits with the extremal values of GNA are studied. We made several hypotheses based on computational experiments. One of the hypotheses is that there are no \(\textsf{XS}\)-circuits of dimension greater than 2, which achieve an optimal GNA on every round.

Appendix A Theorem 2 proof

Proof

Denote the dual circuit to the (a, B, c) as \(\big (\bar{a}, \bar{B}, \bar{c}\big )\). By definition of duality: \(\bar{a} = c^T, \bar{B} = B^T, \bar{c} = a^T\). We bring the \(\big (\bar{a}, \bar{B}, \bar{c}\big )\) to the first canonical form \(\big (\widetilde{a},\widetilde{B},\widetilde{c}\big )\) by using the theory from [1]:

1) Let us find the matrix \(\widetilde{B} = A^{-1} \bar{B} A = A^{-1} B^T A\), where \({A =\big ( \bar{a} \ \bar{B} \bar{a} \dots \bar{B}^{n-1} \bar{a} \big )}\).

Since \(\bar{a} = c^T\) and \(c = (0, \dots ,0,1)\), then in \(\bar{B}^{i} \bar{a}\) we are only interested in the last column.

$$\begin{aligned} \bar{B}^2&= \begin{pmatrix} 0 & 1 & 0 & \dots & 0 \\ 0 & 0 & 1 & \dots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \dots & 1 \\ b_1 & b_2 & b_3 & \dots & b_n \end{pmatrix} \begin{pmatrix} 0 & 1 & 0 & \dots & 0 \\ 0 & 0 & 1 & \dots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \dots & 1 \\ b_1 & b_2 & b_3 & \dots & b_n \end{pmatrix}\\&= \begin{pmatrix} 0 & 0 & 1 & \dots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \dots & 1 \\ b_1 & b_2 & b_3 & \dots & b_n \\ b_1b_n & b_1+b_2b_n & b_2 + b_3b_n & \dots & b_{n-1}b_n \end{pmatrix}. \end{aligned}$$

Note that the matrix \(\bar{B}\), when multiplied on the left, lifts the last \(n-1\) rows one up. Denote by \(\alpha _i\) the lower right element of the matrix \(\bar{B}^i\). Then, the matrix A has the following form:

$$\begin{aligned} A = \begin{pmatrix} 0 & 0 & 0 & \dots & 0 & 0 & 1 \\ 0 & 0 & 0 & \dots & 0 & 1 & \alpha _1\\ 0 & 0 & 0 & \dots & 1 & \alpha _1 & \alpha _2\\ \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\ 0 & 0 & 1 & \dots & \alpha _{n-5} & \alpha _{n-4} & \alpha _{n-3}\\ 0 & 1 & \alpha _1 & \dots & \alpha _{n-4} & \alpha _{n-3} & \alpha _{n-2}\\ 1 & \alpha _1 & \alpha _2 & \dots & \alpha _{n-3} & \alpha _{n-2} & \alpha _{n-1} \end{pmatrix}, \end{aligned}$$

where \(\alpha _i = b_{n+1-i} + \sum \nolimits _{j=1}^{i-1}\alpha _{j}b_{n+1-i+j}\). Then from \(AA^{-1}=E\) find the elements of the matrix \(A^{-1}\):

$$\begin{aligned} A^{-1} = \begin{pmatrix} \alpha _{n-1}^{-1} & \alpha _{n-2}^{-1} & \dots & \alpha _{2}^{-1} & \alpha _{1}^{-1} & 1\\ \alpha _{n-2}^{-1} & \alpha _{n-3}^{-1} & \dots & \alpha _{1}^{-1} & 1 & 0\\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots \\ \alpha _{1}^{-1} & 1 & \dots & 0 & 0 & 0\\ 1 & 0 & \dots & 0 & 0 & 0 \end{pmatrix}, \end{aligned}$$

where \(\alpha _{i}^{-1} = \alpha _{i} + \sum \nolimits _{j=1}^{i-1}\alpha _{j}^{-1}\alpha _{i-j}\).

$$\begin{aligned} C = B^TA = \begin{pmatrix} 0 & 0 & \dots & 0 & 1 & \alpha _1\\ 0 & 0 & \dots & 1 & \alpha _1 & \alpha _2\\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots \\ 1 & \alpha _1 & \dots & \alpha _{n-3} & \alpha _{n-2} & \alpha _{n-1}\\ c_1 & c_2 & \dots & c_{n-2} & c_{n-1} & c_{n} \end{pmatrix}, \end{aligned}$$

where \(c_i = b_{n+1-i} + \sum \nolimits _{j=1}^{i-1}\alpha _{j}b_{n+1-i+j} = \alpha _i\).

$$\begin{aligned} \widetilde{B}&= A^{-1}B^TA \\&= \begin{pmatrix} \alpha _{n-1}^{-1} & \alpha _{n-2}^{-1} & \dots & \alpha _{1}^{-1} & 1\\ \alpha _{n-2}^{-1} & \alpha _{n-3}^{-1} & \dots & 1 & 0\\ \vdots & \vdots & \ddots & \vdots & \vdots \\ \alpha _{1}^{-1} & 1 & \dots & 0 & 0\\ 1 & 0 & \dots & 0 & 0 \end{pmatrix} \begin{pmatrix} 0 & 0 & \dots & 1 & \alpha _1\\ 0 & 0 & \dots & \alpha _1 & \alpha _2\\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 1 & \alpha _1 & \dots & \alpha _{n-2} & \alpha _{n-1}\\ c_1 & c_2 & \dots & c_{n-1} & c_{n} \end{pmatrix}\\&= \begin{pmatrix} 0 & 0 & \dots & 0 & w_1 \\ 1 & 0 & \dots & 0 & w_2 \\ 0 & 1 & \dots & 0 & w_3 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \dots & 1 & w_n \end{pmatrix}, \end{aligned}$$

where \(w_{n+1-i} = \alpha _i + \sum \nolimits _{j=1}^{i-1}\alpha _{j}^{-1}\alpha _{i-j} = \alpha _{i}^{-1}\), \(i=1,2,\ldots ,n\). Consider these numbers in detail:

$$\begin{aligned} \alpha _i^{-1}&=\alpha _i + \sum \limits _{j=1}^{i-1}\alpha _{j}^{-1}\alpha _{i-j}\\&= b_{n+1-i} + \sum \limits _{j=1}^{i-1}\left( \alpha _{j}^{-1}\alpha _{i-j} + \alpha _{j}b_{n+1-i+j}\right) \\&= b_{n+1-i} + \left( \alpha _{1}^{-1}\alpha _{i-1} + \alpha _{1}b_{n+2-i}\right) \\&\quad + \left( \alpha _{2}^{-1}\alpha _{i-2} + \alpha _2b_{n+3-i}\right) + \ldots \\ &\quad + \left( \alpha _{i-2}^{-1}\alpha _{2} + \alpha _{i-2}b_{n-1}\right) + \left( \alpha _{i-1}^{-1}\alpha _{1} + \alpha _{i-1}b_{n}\right) \\&= b_{n+1-i} + \sum \limits _{j=1}^{i-1}\alpha _{j}\left( b_{n+1-i+j} + \alpha _{i-j}^{-1}\right) . \end{aligned}$$

We obtain that

$$\begin{aligned} \alpha _{1}^{-1} = b_n&\Rightarrow \alpha _{2}^{-1} = b_{n-1} \Rightarrow \alpha _{3}^{-1} = b_{n-2} \\ &\Rightarrow \ldots \Rightarrow \alpha _{n}^{-1} = b_1 \end{aligned}$$

and finally \(\widetilde{B} = B\).

2) Now let us find the vector \(\widetilde{a} = PA^{-1}\bar{a} = PA^{-1}c^T\).

We have

$$\begin{aligned} A^{-1}c^T = \begin{pmatrix} \alpha _{n-1}^{-1} & \alpha _{n-2}^{-1} & \dots & \alpha _{1}^{-1} & 1\\ \alpha _{n-2}^{-1} & \alpha _{n-3}^{-1} & \dots & 1 & 0\\ \vdots & \vdots & \ddots & \vdots & \vdots \\ \alpha _{1}^{-1} & 1 & \dots & 0 & 0\\ 1 & 0 & \dots & 0 & 0 \end{pmatrix} \begin{pmatrix} 0\\ 0\\ \vdots \\ 0\\ 1 \end{pmatrix} = \begin{pmatrix} 1\\ 0\\ \vdots \\ 0\\ 0 \end{pmatrix}, \end{aligned}$$

so we are only interested in the first column of the matrix P.

$$\begin{aligned} P = P(\widetilde{c}A) = \begin{pmatrix} \widetilde{c}AM_1 \\ \widetilde{c}AM_2 \\ \vdots \\ \widetilde{c}AM_n \end{pmatrix}, \end{aligned}$$

where \(M_n = E, M_i = BM_{i+1} + b_{i+1}E = B^{n-i} + b_{n}B^{n-i-1} + \ldots + b_{i-1}E\).

$$\begin{aligned} \widetilde{c}A&= a^{T} \begin{pmatrix} 0 & 0 & \dots & 0 & 1 \\ 0 & 0 & \dots & 1 & \alpha _1 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 1 & \dots & \alpha _{n-3} & \alpha _{n-2}\\ 1 & \alpha _1 & \dots & \alpha _{n-2} & \alpha _{n-1} \end{pmatrix} \\ &= \left( v_1, v_2, \ldots , v_{n-1}, v_{n}\right) , \end{aligned}$$

where \(v_i = a_{n+1-i} + \sum \nolimits _{j=1}^{i-1}\alpha _{j}a_{n+1-i+j}\), \(i=1,2,\ldots ,n\). Consider in detail these matrices

$$\begin{aligned} B^{k} = \begin{pmatrix} 0 & * & \dots & * \\ \vdots & \vdots & \ddots & \vdots \\ 0 & * & \dots & * \\ 1 & * & \dots & * \\ 0 & * & \dots & * \\ \vdots & \vdots & \ddots & \vdots \\ 0 & * & \dots & * \end{pmatrix} \Rightarrow M_{n-t} = \begin{pmatrix} b_{n+1-t} & * & \dots & * \\ \vdots & \vdots & \ddots & \vdots \\ b_n & * & \dots & * \\ 1 & * & \dots & * \\ 0 & * & \dots & * \\ \vdots & \vdots & \ddots & \vdots \\ 0 & * & \dots & * \end{pmatrix}. \end{aligned}$$

Then

$$\begin{aligned} P = \begin{pmatrix} v M_{1} \\ v M_{2} \\ \vdots \\ v M_{n-1} \\ v M_{n} \end{pmatrix} = \begin{pmatrix} p_1 & * & \ldots & * \\ p_2 & * & \ldots & * \\ \vdots & \vdots & \ddots & \vdots \\ p_{n-1} & * & \ldots & * \\ p_n & * & \ldots & * \end{pmatrix}, \end{aligned}$$

where \(p_{n+1-i} = v_i + \sum \nolimits _{j=1}^{i-1}v_{j}b_{n+1-i+j} = a_{n+1-i} + \sum \nolimits _{j=1}^{i-1}\left( \alpha _{j}a_{n+1-i+j} + v_{j}b_{n+1-i+j}\right) \).

We are to prove that \(\sum \nolimits _{j=1}^{i-1}\left( \alpha _{j}a_{n+1-i+j} + v_{j}b_{n+1-i+j}\right) =0\). It can be

$$\begin{aligned}&\sum \limits _{j=1}^{i-1}(\alpha _{j}a_{n+1-i+j} + v_{j}b_{n+1-i+j})\\&=\sum \limits _{j=1}^{i-1}\Biggl [a_{n+1-i+j}\Biggl (b_{n+1-j}+\sum \limits _{k=1}^{j-1}\alpha _{k}b_{n+1-j+k}\Biggr )\\&\quad +b_{n+1-i+j}\Biggl (a_{n+1-j}+\sum \limits _{k=1}^{j-1}\alpha _{k}a_{n+1-j+k}\Biggr )\Biggr ]\\&=\sum \limits _{j=1}^{i-1}\Biggl (a_{n+1-i+j}b_{n+1-j}+b_{n+1-i+j}a_{n+1-j}\Biggr )\\&\quad +\sum \limits _{j=2}^{i-1}\sum \limits _{k=1}^{j-1}\alpha _{k}\Biggl (a_{n+1-i+j}b_{n+1-j+k}+b_{n+1-i+j}a_{n+1-j+k}\Biggr ) \end{aligned}$$

Consider the last two amounts separately. For the first one, it holds

$$\begin{aligned}&\sum \limits _{j=1}^{i-1}(a_{n+1-i+j}b_{n+1-j}+b_{n+1-i+j}a_{n+1-j})\\&=(a_{n+2-i}b_{n}+b_{n+2-i}a_{n})+(a_{n+3-i}b_{n-1}+b_{n+3-i}a_{n-2})\\&\quad +\ldots +(a_{n-1}b_{n+3-i}+b_{n-1}a_{n+3-i})+(a_{n}b_{n+2-i}+b_{n}a_{n+2-i})\\&=0, \end{aligned}$$

whereas for the second one we have the following multipliers with each \(\alpha _i\), \({i=1,2,\ldots ,i-2}\):

$$\begin{aligned}&\alpha _1:\quad (a_{n+3-i}b_{n}+b_{n+3-i}a_{n})+(a_{n+4-i}b_{n-1}+b_{n+4-i}a_{n-1}) \\ &\quad +\ldots +(a_{n-1}b_{n+4-i}+b_{n-1}a_{n+4-i})+(a_{n}b_{n+3-i}+b_{n}a_{n+3-i})=0;\\&\alpha _2:\quad (a_{n+4-i}b_{n}+b_{n+4-i}a_{n})+(a_{n+5-i}b_{n-1}+b_{n+5-i}a_{n-1}) \\ &\quad +\ldots +(a_{n-1}b_{n+5-i}+b_{n-1}a_{n+5-i})+(a_{n}b_{n+4-i}+b_{n}a_{n+4-i})=0;\\ &\vdots \\&\alpha _{i-3}:\quad (a_{n-1}b_{n}+b_{n-1}a_{n})+(a_{n}b_{n-1}+b_{n}a_{n-1})=0;\\&\alpha _{i-2}:\quad (a_{n}b_{n}+b_{n}a_{n})=0, \end{aligned}$$

therefore, all the multipliers of \(\alpha _i\) are zero.

Thus, we obtain that \(p_i = a_i\) for \(i=1,2,\ldots ,n\). Then it holds

$$\begin{aligned} \widetilde{a} = PA^{-1}c^T = \begin{pmatrix} p_{1} & * & \ldots & * \\ p_{2} & * & \ldots & * \\ \vdots & \vdots & \ddots & \vdots \\ p_{n-1} & * & \ldots & * \\ p_{n} & * & \ldots & * \end{pmatrix} \begin{pmatrix} 1\\ 0\\ \vdots \\ 0\\ 0 \end{pmatrix} = \begin{pmatrix} a_{1}\\ a_{2}\\ \vdots \\ a_{n-1}\\ a_{n} \end{pmatrix} = a. \end{aligned}$$

\(\square \)