Linear Approximating to Integer Addition

Linear Approximating to Integer Addition

Li An-Ping

Beijing 100085, P.R. China [email protected]

Abstract

The integer addition is often applied in ciphers as a cryptographic means. In this paper we will present some results about the linear approximating for the integer addition.

1. Preliminary

For the undecided effect of carry operations in the integer addition, it is often used as a cryptographic means in some ciphers, for instance, in the candidate ciphers of eSTREAM (The ECRYPT Stream Cipher Project) some of them employed the combination of the integer addition, XOR and rotations as main cryptographic transformation. Therefore, it is significant to know the effect of the integer addition in cryptography. J. Wallen [3] provided an algorithm for computing the correlation of linear approximation of addition modulo

2

n. In this paper, we will show some explicit results about the linear approximating to the integer addition.

2. Some basic results

In this paper, the symbol

⊕

as usually stands for XOR operation. Suppose

z

is a binary segment of length

n

, denoted by

z i

[ ]

the i-th bit, and let ₁

( )

[ ]

i

s z

=

∑

z i

,

s z

₀

( )

= −

n

s z

₁

( )

,

and

d z

( )

=

s z

₀

( )

−

s z

₁

( )

, that is,

s z

₀

( )

and

s z

₁

( )

are the numbers of the bit “0” and bit “1” in

z

respectively, and

d z

( )

is the bias of them. Let

x

and

y

be two integers of length

n

bits,

denoted by

L x y

( , )

=

(

x

+

y

)

⊕ ⊕

(

x

y

)

,

L x y

( , )

= + +

(1

x

y

)

⊕ ⊕

(

x

y

)

, and define

2 2

,

2 2

,

2

,

(2

2

( , )[ ]) / 2 ,

(2

2

( , )[ ]) / 2 ,

( ( , )) /

2 .

n n

i

x y

n n

i

x y

n x y

D

L x y i

D

L x y i

D

d L x y

n

=

−

=

−

=

⋅

∑

∑

∑

(2.1)

We have the following result

Proposition 1

1/ 2 ,

i

0

,

i

D

=

≤ <

i

n

(2.2)

1/ 2 ,

i

0

,

i

D

= −

≤ <

i

n

(2.3)

2

1

1

2

n

D

n

⎛

⎞

= ⋅ −

_⎜

_⎟

⎝

⎠

. (2.4)

Proof. It is easy to check directly

D

₀

=

1

, so we assume that

i

>

0

. For an integer

z

,

denoted by

z

_i the integer formed by the segment of

z

from bit 0 to bit

i

. Let

w

=

L x y

( , )

,

only if

x

_i−1

+

y

_i−1

<

2

i, so

( ) 2 2

1 2

(

) 2

(2

2

) / 2

i

n i n n i

i k

N

k

− −

≤ <

=

∑

⋅

=

−

. (2.5)

Hence,

2 2

(2

n

2

) / 2

n

1/ 2

i

i i

D

=

− ⋅

N

=

.

The proof of (1.3) is similar to the above, so omitted. It is easy to know that

0

(

i

) /

i n

D

D

n

≤ <

=

∑

, (2.6)

so,

0

2

1

(

2 ) /

1

2

i

n i n

D

n

n

−

≤ <

⎛

⎞

=

= ⋅ −

_⎜

_⎟

⎝

⎠

∑

.

From Proposition 1, we have seen that

x

+

y

is still some like

x

⊕

y

on the bits in statistics, especially for the first bits, though there are undecided carry operations in the addition. In other words, the probability

(

x

+

y i

)[ ]

= ⊕

(

x

y i

)[ ]

has notable advantage when

i

is small, e.g.

0,1, 2,

,

i

=

etc

. In the following, we will show a more general result on the linear approximating to the integer addition.

Suppose that

z

is a integer variable over the domain

Ω

, denoted by

( )

[ ]

i

z

z i

δ

=

⊕

and define

(|

| 2

( )) / |

|

z

z

z

δ

∈Ω

Δ = Ω −

∑

Ω

. (2.7)

Moreover, for a constant integer

c

, denoted by

C

=

{

i c i

| [ ] 1

=

}

. Suppose the

C

=

{

i

_k

}

₁s,

1 2 s

i

> >

i

>

i

, as usual,

|

C

|

represents the cardinality of set

C

, i.e.

|

C

|

=

s

, and define

1

1

( 1)

k _k

i s

C

−

i

≤ ≤

=

∑

−

.

Proposition 2 Suppose that

c

is a constant integer, denoted by

L

_c

=

L x y

( , ) &

c

and

( , ) &

c

L

=

L x y

c

, we have

| |

1/ 2 ,

( 1) / 2 ,

c

c

C L

C C L

Δ =

Δ = −

(2.8)

known the formula (2.8) is true when

s

=

1

. Now assume it is true in the case

s

. We consider the first

i

_s+1bits, denoted by

N

₀ and

N

₁ the numbers of the pairs

( , )

x y

of

i

_s+1-bits integers

such that

_x

+ <

_y

₂

is+1 _and

_x

+ ≥

_y

₂

is+1_{, we have known that which are equal the numbers of}

the pairs

( , )

x y

with that

L x y i

( , )[

s+₁

]

=

0

and1 respectively and

1 1 1 1 1 1

0

(2

1)2

,

1

(2

1)2

.

s s s s

i i i i

N

=

+

+

+−

N

=

+

−

+−

(2.9)

Denote

j

_k

= −

i

_k

i

_s+1

, 1

≤ ≤

k

s

, and

C

′ =

{

j

_k

}

₁s, then we apply the induction on the set

C

′

,

that is, on the segments of integers beginning the

i

_s+1-th bit, we have

1/ 2

,

( 1) / 2

,

c c C L C s L ′ ′ ′ ′

Δ =

Δ = −

So, 1 1 1 1 1 2 1 0 1 2 1 0 1 2 1 0 1 1

(1 ( 1) ) / 2

( ( 1) (

2

{

(1

/ 2)

(1 ( 1)

/ 2)}

2

{

(1

/ 2)

(1 ( 1)

/ 2)}

2

(

( 1)

)

((1 ( 1)

) / 2 2

(1 ( 1) ) / 2)

2

2

s

c c c

s c c s c s c s s c k k i s

L L L

i s L L i s L i s s L i L j

N

N

N

N

N

N

+ ′ ′ + ′ ′ + ′ + ′ + ′ − ⋅ − − ⋅ − − ⋅ − − − − + − − − +

Δ =

⋅

⋅ + Δ

+

⋅ + −

Δ

−

⋅

⋅ − Δ

+

⋅ − −

Δ

=

⋅

+ −

⋅ Δ

=

+ −

+

⋅ + −

⋅ Δ

=

⋅ Δ

=

1 1 1 1 1 1 1 1 1 1 1 1 1

1 ( 1) ) / 2)

( 1) (1 ( 1) ) / 2 (1 ( 1) ) / 2

( 1) (1 ( 1) ) / 2 (1 ( 1) ) / 2

( 1)

2

2

2

.

s s k s

k s s

k s s

k s

k s s

k s s

k s

k k k s

i

i i i

i i i

i + ≤ ≤ − + + ≤ ≤ − + + ≤ ≤ − ≤ ≤ + + − − − + − − − + − − − + − − − + − − −

∑

∑

=

∑

=

∑

=

The proof for the second formula of (2.8) is similar to the above, so omitted.

In the some real cases, it is possible to come into the partial cases, that is, in

L x y

( , )

=

(

x

+

y

)

⊕ ⊕

(

x

y

)

the variable

y

=

a

is a constant. Let

c

be a constant, denoted

by

L

_c

=

L x a

( , ) &

c

, we define

1 0 1

0 2

( , )

(

),

( , )

2

( , ).

n

n c

x

a c

L

a c

a c

φ

δ

φ

φ

≤ <

=

∑

=

−

(2.10)

if the parameters are clear from the context, In the following we will mainly calculate the

( , )

a c

Φ

.

Suppose that

A

=

{ | [ ] 1}

i a i

=

and

C

=

{ | [ ] 1}

i c i

=

, that is,

A

and

C

are the sets of the positions of bits “1” of the constants

a

and

c

respectively. Without loss the generality, we assume that

1 1 2 2 s s

,

A

∪ =

C

A C A C

A C

(2.11) which is the arrangement of

A

and

C

in the order from small to large, where

1 1

,

i i

i s i s

A

A C

C

≤ ≤ ≤ ≤

=

_∪

=

_∪

. In this paper we restrict the case

A

∩ = ∅

C

. Denoted by

a

_kthe

segment of the integer

a

formed by

A

₁to

A

_k. Let

α

_ibe the smallest element of

A

_ibut

1

0,

α

=

α

s+1

=

n

, and

n

i

=

α

i+1

−

α

i

,

1

≤ ≤

i

s

,

(

)

2

2

i

i

t i

t A

A

α

χ

−

∈

=

∑

. Suppose

{ } ,

₀k

i i

C

=

x

0 1 k

,

x

< <

x

<

x

we define

0

(

)

( 1) 2

j xj

i

j k

C

−

≤ ≤

∂

=

∑

−

,

₍

₎

₂

i1

₍

₎

i i

C

α

C

τ

=

+

⋅∂

_{. (2.12)}

Lemma 1 If

s

=

1,

then

1

( , )

a c

a

( )

C

φ

= ⋅

τ

. (2.13)

Proof. It is clear that the number

φ

₁

( , )

a c

is the number of

L x a

( , )

with odd carries in the

positions of constant

c

. Suppose that

C

=

{ } ,

x

_{i 0}k

x

₀

< <

x

₁

<

x

_k

,

denoted by

N

_r the

number of

L x a

( , )

with

r

carries in the positions of constant

c

. It is not difficult to know that

the

r

carries must appear in the first

r

positions of

C

, i.e.

x

₀

< <

x

₁

<

x

r−₁

,

hence it is easy to have

1

1

( )

(2

1) 2

(2

2

).

r r r

r r

x x n x

r

n x n x

N

a

a

− −

− −

− −

= ⋅

− ⋅

= ⋅

−

(2 .14)

Therefore,

2 2 1

1 1 2

0 2

( , )

(2

n xi

2

n xi

)

( )

i

i i k

a c

N

a

a

C

φ

− − +

τ

+

≤ ≤

=

∑

= ⋅

∑

−

= ⋅

. (2.15)

1 2

(

,

)

v

∗ =

v

xu

+

yw xw

+

yu

. (2.16) and for 2-vector

( , )

x y

, we define

T x y

( , )

=

( , )

y x

. Let

2 2

( , )

(

),

n n

c a x

p a c

δ

L

− ≤ <

=

∑

( , )

( , ),

q a c

= −

a

p a c

and

Γ

( , )

a c

=

( ( , ), ( , )).

q a c p a c

Denoted by

I

=

2

n

−

1

, and for the

integers

k

, 0

≤ <

k

s

, let

₂

k1

₁

k

I

=

α+

−

_,

_{& ,}

k k

a

=

I

a

₂

k1

_,

k k

a

=

α+

−

a

_and

_&

k k

c

=

I

c

.

Moreover, denoted by

1

|

i

|

i s

C

λ

≤ ≤

=

∑

.

Lemma 2

1 1

( , )

(

(

_{s k}

)

(

_{s k}

,

_{s k}

))

k s

a c

T

λ

χ

A

_{− +}

a

₋

c

₋

≤ ≤

Γ

=

∑

⋅Φ

, (2.17)

where it is assumed that

Φ

(

a c

₀

,

₀

)

=

(1, 0)

.

Proof. Let

z

be the integer of length

n

such that

z

≡ +

x

a

mod(2 )

n , and

a

=

2

n

−

a

,

hence it has

x

= +

z

a

mod(2 )

n , so

( , )

(

)

(

)

(

)

( , )

(

)

L a x

= ⊕

z

a

+ ⊕ = ⊕

z

a

z

a

+ ⊕ ⊕ ⊕

z

a

a

a

=

L z a

⊕ ⊕

a

a

,

Denoted by

I

′ = ⊕

a

a

, suppose that

α

=

min{ |

t t

∈

A

}

, then it is easy to know

1

2

n

2

I

′ =

−

α + . Thus it has,

( , ) &

( ( , )

) &

( ( , ) & )

L a x

c

=

L z a

⊕

I

′

c

=

L z a

c

⊕

c

.

Hence,

0

( , )

( ( , ) & )

( )

z a

p a c

δ

L z a

c

δ

c

≤ <

=

∑

⊕

. (2.18)

Denoted by

0

[ ]

( ( , ) & ), [ ]

[ ]

z a

p s

δ

L z a

c q s

a

p s

≤ <

=

∑

= −

and

Γ

[ ]

s

=

( [ ], [ ])

q s p s

, from

(2.18) we know that in order to prove (2.17) it suffice to prove

1 1

( , )

(

_{s k}

)

(

_{s k}

,

_{s k}

)

k s

a c

χ

A

_{− +}

a

₋

c

₋

≤ <

Γ

=

∑

⋅Φ

. (2.19)

It is easy to know that the bits of

L z a

( , )

excel over

A

_s will be “0” for the bits of

a

and

a

+

z

after

A

_sall are “1” , so it follows that

1

( , ) &

( , ) &

s

L z a

c

=

L z a

c

₋

integer

z

belongs to

S

_i iff

z

>>

α

s

=

χ

(

A

s

)

−

i

. It is clear that for

1, 2,

, (

), |

| 2

s

s i

i

=

χ

A

S

=

α , and

|

S

₀

|

=

a

_s−1. Hence we have

0 1

1 1 1 1

1 1

0

( ( , ) & )

( ( , ) &

)

(

,

),

0,

( ( , ) & )

( ( ,

) &

)

[

1]

i i

s

s s s

z S z S

s s

z S z a

L z a

c

L z a

c

a

c

for i

L z a

c

L z a

c

p s

δ

δ

φ

δ

δ

−

− − −

∈ ∈

− −

∈ ≤ <

=

=

>

=

=

−

∑

∑

∑

∑

.

The equation above can be written as

1 1

[ ]

s

χ

(

A

_s

) (

a

_s−

,

c

_s−

)

[

s

1]

Γ

=

Φ

+ Γ −

(2.20) So, the equation (2.19) will be followed by the induction.

For each integer

k

,

1

≤ ≤

k

s

, denoted by

d

_k

=

χ

(

A

_k

)

⋅

τ

(

C

_k

)

,

(2

nk

,

)

k

d d

k k

ζ

=

−

,

Moreover, let

p a

(

_k

)

and

q a

(

_k

)

be defined as in the Lemma 2 and denoted by

1 1

(

) ( (

)

(

)),

k k k k

e

=

τ

C

⋅

q a

₋

−

p a

₋

σ

_k

= −

(

e e

_k

,

_k

)

, and assuming that

σ

₀

=

(1, 0),

σ

₁

=

(0, 0)

,

and

ζ

s+₁

=

(1, 0)

, then we have

Proposition 3 If

A

∩ = ∅

C

,

0 1

( , )

(

_{k i}

)

k s k i s

a c

σ

ζ

≤ ≤ < ≤ +

Φ

=

∑

∏

, (2.21)

Proof. We will apply the induction on

s

. From Lemma 1, we can know that the Proposition 3 is true for

s

=

1.

Consider the integers of length

α

_s, by the induction we have

0 1

0 1

( [

1], [

1])

(

_{k i}

).

k s k i s

s

s

φ

φ

σ

ζ

≤ ≤ − < ≤

−

−

=

∑

∏

In the case

s

, it is clear that there are

a

_s−1 integers that will carry in the position

α

_s, which are

1 1

2

s

, 2

s

1,

, 2

s

1

s s

a

a

α α α

− −

−

−

+

−

. Suppose that in these

a

_s−1 integers there are

[

1]

p s

−

ones in

φ

₁

[

s

−

1]

and

q s

[

−

1]

ones in

φ

₀

[

s

−

1]

respectively. Consider the last

segments of integers from the

α

_s-bit to the end, let

a

_kand

c

_kbe defined as the above and

k k

a

= −

a

a

,

c

_k

= −

c c

_k , and denoted by

N

₀ and

N

₁ the numbers of the segments

1 1

( ,

_s

) &

_s

1

(

)

(

)

,

0

2

s

n

s s s s

N

=

χ

A

⋅

τ

C

=

d

N

=

−

d

.

Let ₁

( (

) 1)

(

),

₀

2

ns ₁

s s

N

′

=

χ

A

+ ⋅

τ

C

N

′

=

−

N

′

, it has,

1 0 1 1 0 1 0

0 1 1 0

0 1

[ ]

( [

1]

[

1])

( [

1]

[

1])

[

1]

[

1]

[

1]

[

1]

( [

1]

[

1]) (

)

Im(

(

)).

s

k i

k s k i s

s

s

q s

N

s

p s

N

N q s

N p s

s

N

s

N

q s

p s

C

φ

φ

φ

φ

φ

τ

σ

ζ

≤ ≤ < ≤ +

′

′

=

− −

−

⋅

+

− −

−

⋅

+

− +

−

=

− ⋅

+

− ⋅

+

− −

−

=

∑

∏

Where

Im( , )

x y

=

y

.

As a example, the case

s

=

2

,

2 1 | 1|

1

( , )

1

2

2

2

2

1 2

( 1)

1

(

2

)

n n C

a c

d

d

d d

a

C

φ

= ⋅

+

⋅

−

⋅ + −

⋅

τ

.

The case

A

∩ ≠ ∅

C

may be treated in a similar way but will require a little more consideration to set

A

_i

∩

C

_i

=

B

_iand as the first step to calculate in the case of a block

ABC

, the detail discussion is omitted.

3. Conclusion

We hope that these results presented here will be useful in the designs and cryptanalysis of ciphers in the future, the results of Proposition 1 were once appeared in the paper [1] and [2].

Reference

[1] Li An-Ping, Linear approximating for the cipher Salsa20, available at

http://www.ecrypt.eu.org/stream/papersdir/056.pdf

[2] Li An-Ping, Linear approximating for the cipher Salsa20 (II), available at

http://www.ecrypt.eu.org/stream/papersdir/067.pdf