Near Optimal Algorithms for Solving Differential Equations of Addition with Batch Queries

Mixing modular addition (+) with exclusive-or (⊕) is extensively used in design of symmetric ciphers as the operations are very fast and their combination is non-linear over GF(2). The paper investigates the strength of modular addition against differential cryptanalysis (DC) where the differences of inputs and outputs are expressed as XOR. In particular, we solve two very frequently used equations (1) (x + y) ⊕ (x + (y ⊕ β)) = γ and (2) (x + y) ⊕ ((x ⊕ α) + (y ⊕ β)) = γ, known as the differential equations of addition (DEA), with a set of batch queries. Although solution to this problem with adaptive queries, which is easier and less practical, was previously known, a nontrivial solution with batch queries has remained open. The two major contributions of the paper are (i) the determination of lower bounds on the required number of batch queries to solve the equations and (ii) the design of two algorithms which solve them with queries close to optimal. Our algorithms require 2n−2 and 6 queries to solve (1) and (2) where the lower bounds are 34 · 2n−2 (theoretically proved) and 4 (based on extensive experiments) respectively. This exponential lower bound is an important theoretical benchmark which certifies (1) as strong against DC. On the other hand, the constant number of queries to solve (2) discovers a major weakness of modular addition against DC. Muller, at FSE’04, showed a key recovery attack on the Helix stream cipher (presented at FSE’03) with 2 adaptive chosen plaintexts (ACP). However, the data complexity of the attack with chosen plaintexts (CP) was not known previously. Using our results we recover the secret key of the Helix cipher with only 2 chosen plaintexts (CP) which has so far been the only CP attack on this cipher (the attack is under the same assumption as that of Muller’s attack). Considering the abundant use of this component, the results seem useful to evaluate the security of many block ciphers against DC.