UNAF: A Special Set of Additive Differences with Application to the Differential Analysis of ARX

  • Vesselin Velichkov
  • Nicky Mouha
  • Christophe De Cannière
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7549)


Due to their fast performance in software, an increasing number of cryptographic primitives are constructed using the operations addition modulo 2^n, bit rotation and XOR (ARX). However, the resistance of ARX-based ciphers against differential cryptanalysis is not well understood. In this paper, we propose a new tool for evaluating more accurately the probabilities of additive differentials over multiple rounds of a cryptographic primitive. First, we introduce a special set of additive differences, called UNAF (unsigned non-adjacent form) differences. Then, we show how to apply them to find good differential trails using an algorithm for the automatic search for differentials. Finally, we describe a key-recovery attack on stream cipher Salsa20 reduced to five rounds, based on UNAF differences.


Keywords: UNAF, ARX, Salsa20, additive differential probability, differential cryptanalysis



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Vesselin Velichkov (1, 2)
  • Nicky Mouha (1, 2)
  • Christophe De Cannière (1, 2)
  • Bart Preneel (1, 2)
  1. Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Heverlee, Belgium
  2. Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium
