
RZ 3018 (# 93064) 04/20/98 Computer Science/Mathematics

17 pages

Research Report
Asymptotic Bounds on Differential Probabilities
Philip Hawkes, Department of Mathematics, University of Queensland, Australia; Luke O'Connor, IBM Research Division, Zurich Research Laboratory, 8803 Ruschlikon, Switzerland

LIMITED DISTRIBUTION NOTICE This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).


Asymptotic Bounds on Differential Probabilities


Philip Hawkes
Department of Mathematics, University of Queensland, Australia

Luke O'Connor
IBM Research Division, Zurich Research Laboratory, 8803 Ruschlikon, Switzerland

Abstract

Let $\Pr_\otimes(\alpha \to \beta)$ be the probability of a differential approximation to the $n$-bit permutation $\pi$, where differences are taken with respect to the group $(\mathbb{Z}_2^n, \otimes)$. The probability is determined from the difference table $T_\otimes$, for which $T_\otimes(\alpha,\beta) = 2^n \Pr_\otimes(\alpha \to \beta)$. We show that the distribution of $T_\otimes(\alpha,\beta)$ asymptotically follows a Poisson distribution. Let $M_\otimes = \max_{\alpha,\beta \ne I} T_\otimes(\alpha,\beta)$, where $I$ is the identity of $(\mathbb{Z}_2^n, \otimes)$, and define $B_n = \ln N^2 / \ln\ln N^2$ where $N = 2^n - 1$. Our main results are to show that, with high probability for a random permutation $\pi$, $\Pr(2B_n \le M_\oplus < 2n) \approx 1$, and $\Pr(M_\otimes < 2B_n) \approx 1$ for $\otimes \in \{+, \odot\}$, where $\oplus$, $+$ and $\odot$ denote bitwise exclusive-OR, modular addition and modular multiplication. Thus XOR differences admit higher probability approximations for random permutations than differences with respect to $+$ and $\odot$. Further, with high probability, the best differential probability for a random 64-bit permutation with respect to XOR differences lies in the interval $[2^{-58.7}, 2^{-57}]$.

1 Introduction

Differential approximations are the basis of differential cryptanalysis (DC) [2, 7], a well-known chosen-plaintext attack. The success of DC depends primarily on the probability of the differential approximation(s) used in the attack. The basis of this paper is a study of the distribution of probabilities for differential approximations to $n$-bit permutations, with particular emphasis on bounding the maximum probability of an approximation.

Differential approximations are defined with respect to an Abelian group operation $(\mathbb{Z}_2^n, \otimes)$, with the difference of two group elements $X, X'$ defined as $\Delta(X, X') = X \otimes (X')^{-1}$, also denoted $\Delta X$. A differential approximation predicts a propagation of differences $\Delta X = \alpha \to \Delta Y = \beta$ from the input $X$ to the output $Y$ of an operation (for example, a permutation). For an $n$-bit permutation $\pi$, we denote the probability of the differential approximation $\Delta X = \alpha \to \Delta\pi(X) = \beta$ by $\Pr_\otimes(\alpha \to \beta)$. The operation used to define differences is typically determined by the group operation(s) used to combine the key into the cipher. Consequently, we consider differences defined with respect to three groups commonly used in block cipher design: $(\mathbb{Z}_2^n, \oplus)$, bitwise exclusive-OR (XOR); $(\mathbb{Z}_2^n, +)$, modular addition; and $(\mathbb{Z}_2^n, \odot)$, multiplication modulo $2^n + 1$, where $2^n + 1$ is prime and the all-zero block $0 \ldots 0$ represents $2^n$.

Our investigation is motivated by the results of experiments on uniformly selected $n$-bit permutations, $4 \le n \le 8$, shown in Table 1. Observe that approximations with respect to XOR differences yield higher probabilities than approximations with respect to the other differences. While this phenomenon is quite likely to be known by many researchers^1, this is the first paper which analyses it mathematically. In summary, we determine an asymptotic approximation to the distribution of $\Pr_\otimes(\alpha \to \beta)$, obtain bounds on the maximum probabilities for approximations with respect to the three group operations, and from these bounds conclude that with high probability XOR differences yield higher probability approximations to an $n$-bit permutation than differences with respect to $+$ and $\odot$. The similarity between the results for $+$ and $\odot$ is accounted for by the fact that their respective groups are isomorphic.

        $+$          $\odot$        $\oplus$
  n     av. max.     av. max.       av. max.
  4     0.2771       0.2764         0.4186
  5     0.1617       n/a            0.2487
  6     0.0919       n/a            0.1426
  7     0.0515       n/a            0.0806
  8     0.0284       0.0283         0.0443

Table 1: The average maximum probability for differential approximations to uniformly selected $n$-bit permutations, $4 \le n \le 8$, where differences are defined with respect to $+$, $\odot$ and $\oplus$ respectively. Note that differences with respect to $\odot$ are only defined for $n$ when $2^n + 1$ is prime.

The probability of the best differential approximation can vary greatly according to the group operation used to define the differences. For example, the S-box $S(x) = 45^x \bmod 257$ used in SAFER K-64 [9] admits approximations of probability $1/2$ with respect to one of the three operations, while the approximations with respect to the other two are significantly lower. To reduce the probability of approximations to these S-boxes, distinct group operations are used to combine subkeys into the cipher before and after the S-boxes. In particular, SAFER K-64 uses the $\oplus$ and $+$ operations, or vice versa. To analyze the resulting structure, approximations were proposed which use distinct group operations when defining input and output differences. These mixed approximations are known as quasi-differentials [10].

The probability of a differential approximation to a fixed mapping is determined from the difference table. Let $(\mathbb{Z}_2^n, \otimes)$ be an Abelian group of order $2^n$ with identity element $I$, and let $N = 2^n - 1$. The difference table for the $n$-bit permutation $\pi$ with respect to $\otimes$ is the $N \times N$ table where, for $\alpha, \beta \in \mathbb{Z}_2^n \setminus \{I\}$,

$$T_\otimes(\alpha, \beta) = \bigl|\{(X, X') : \Delta(X, X') = \alpha,\ \Delta(\pi(X), \pi(X')) = \beta\}\bigr| \qquad (1)$$

^1 For example, this observation was stated by M. Dichtl during a seminar presented at the Isaac Newton Institute, 1996.

and differences are defined with respect to $\otimes$. We note that $\Pr_\otimes(\alpha \to \beta) = 2^{-n}\, T_\otimes(\alpha, \beta)$. The relevant quantity for DC is the maximum difference table entry $M_\otimes = \max_{\alpha,\beta \ne I} T_\otimes(\alpha, \beta)$. For example, the column for $n = 8$ of Table 1 indicates that the difference tables for 8-bit mappings with respect to $\otimes \in \{+, \odot\}$ yielded an average maximum table entry between 7 and 8, while the average maximum XOR entry was between 10 and 12. The value 10 appears to be a critical value separating the maximum table entries with respect to $+$ and $\odot$ from the maximum table entries with respect to $\oplus$.

Our investigation proceeds as follows. First we reduce the problem of enumerating $T_\otimes(\alpha, \beta)$ to a counting problem on graphs. This reveals that the distribution of values for $T_\otimes(\alpha, \beta)$ over the $n$-bit permutations depends only on $n$ and the orders of $\alpha$ and $\beta$ with respect to $\otimes$. This counting problem is combined with the inclusion-exclusion principle to obtain the distribution of probabilities for a differential approximation. Furthermore, we show that if $\pi$ is a uniformly selected $n$-bit permutation, then

$$\Pr(T_\otimes(\alpha, \beta) = 2t) \approx e^{-1/2}\,(1/2)^t / t! \quad \text{if } \operatorname{ord}\alpha = \operatorname{ord}\beta = 2,$$
$$\Pr(T_\otimes(\alpha, \beta) = t) \approx e^{-1} / t! \quad \text{otherwise},$$

uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$, as $n \to \infty$. These distributions asymptotically follow the Poisson distribution $\Pr[X = t] = e^{-\lambda}\lambda^t/t!$, with $\lambda = 1/2$ if $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$ and with $\lambda = 1$ otherwise. Consequently, we call these asymptotic approximations the Poisson approximation (PA) to the distribution of entries for $T_\otimes(\alpha, \beta)$. As the results of the PA depend on the orders of the input and output differences and not on the group itself, the PA also applies to quasi-differentials.

Note that all elements of $(\mathbb{Z}_2^n \setminus \{0\}, \oplus)$ have order 2, while almost all elements of $(\mathbb{Z}_2^n \setminus \{I\}, \otimes)$, $\otimes \in \{+, \odot\}$, have order greater than 2. From these asymptotic distributions for $T_\otimes(\alpha, \beta)$ and the distribution of element orders in the corresponding groups, we determine asymptotic approximations to the distribution of values in difference tables with respect to $\oplus$, $+$ and $\odot$. We also determine the variance in the number of entries of size $2t$ in difference tables with respect to $\oplus$. From these asymptotic results we derive the following two bounds for uniformly selected $\pi$.^2 If $B_n$ is defined as $B_n = \ln N^2 / \ln\ln N^2$ where $N = 2^n - 1$, then

$$\Pr(2B_n \le M_\oplus < 2n) \approx 1, \qquad \Pr(M_\otimes < 2B_n) \approx 1 \quad \text{for } \otimes \in \{+, \odot\}.$$

Equivalently, the fraction of $n$-bit permutations that do not satisfy these bounds tends to 0 as $n$ increases. Some relevant values of $B_n$ are given in Table 2. For example, if $n = 8$, then with high probability the maximum XOR entry is between $2\lceil B_8 \rceil = 10$ and $2 \cdot 8 = 16$, while the maximum entry with respect to modular addition and modular multiplication is less than $2\lceil B_8 \rceil = 10$. This agrees with our experimental results for $n = 8$. We conclude that for all but a decreasing fraction of permutations, $\oplus$ differences yield higher probability differential approximations when compared to $+$ and $\odot$ differences. Similar bounds on the maximum table entry can be obtained for differential approximations with respect to other group operations, and likewise for quasi-differentials. The dominant factor in bounding the maximum entry is the fraction of entries for which the orders of $\alpha$ and $\beta$ are two with respect to the appropriate group operation(s).

The success of DC depends on the average of the probabilities for the differential approximation $\Delta P \to \Delta C_{R-1}$ over all the keys, which is known as the average-key probability. If a differential approximation has an average-key probability $p$, then the data complexity for DC using this approximation is inversely proportional to $p - 1/N$. Our bounds show that with high probability, the best differential probability for a random 64-bit permutation with respect to XOR differences lies in the interval $[2^{-58.7}, 2^{-57}]$. It follows that average-key probabilities should lie well below $2^{-57}$. However, block ciphers often have an iterative structure which allows for differential approximations with higher probabilities than expected for a random permutation. For example, the 13-round differential approximation used by Biham and Shamir for DC of the Data Encryption Standard (DES) [12, 3] has an average-key probability of more than $2^{-47.2}$. The corresponding data complexity is less than $2^{-9.8} \approx 1.1 \times 10^{-3}$ times the data complexity predicted above. We suggest that block cipher proposals ensure that all average-key probabilities are below $2^{-57}$. More rounds can be added to iterated ciphers to decrease average-key probabilities. However, the reduction in the speed of the cipher will also have to be considered.

^2 The upper bound on $M_\oplus$ was determined by [11].

  n                 8     16     32     64    128    256    512   1024
  $B_n$           4.6    7.2   11.7   19.8   34.3   60.4  108.1  195.6
  $2\lceil B_n\rceil$   10     16     24     40     70    122    218    392

Table 2: The values of $B_n = \ln N^2 / \ln\ln N^2$, $N = 2^n - 1$, for several $n$.
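The following Python program is an added example, not part of the paper: it builds the difference table $T_\otimes(\alpha,\beta)$ of (1) for an $n$-bit permutation under each of the three group operations, extracts the maximum entry $M_\otimes$, and estimates the Table 1 quantity by Monte Carlo. It also recomputes $T_+(1,2)$ for the 3-bit permutation of Example 1 in Section 2. The function names, the `"xor"`/`"add"`/`"mul"` labels and the sample permutations are our own; the encoding of $\odot$ (the all-zero block standing for $2^n$, identity 1) follows the paper.

```python
import random

# Added example (not from the paper): difference tables T(alpha, beta) of an n-bit
# permutation with respect to the three group operations of Section 1, the
# maximum entry M that determines the best differential probability, and the
# Monte Carlo experiment behind Table 1.  All names here are our own.


def is_prime(p):
    return p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1))


def group_ops(n):
    """Return {name: (difference function, identity)} for the groups on n-bit blocks.

    Each difference function computes Delta(x, x') = x (x')^{-1} in the group,
    encoded as an n-bit value.  Multiplication modulo 2^n + 1 ("mul") follows the
    paper's convention that the all-zero block represents 2^n, so its identity is
    the block 1; it is only defined when 2^n + 1 is prime (n = 1, 2, 4, 8, 16).
    """
    size = 1 << n
    ops = {
        "xor": (lambda x, y: x ^ y, 0),
        "add": (lambda x, y: (x - y) % size, 0),
    }
    p = size + 1
    if is_prime(p):
        def mul_diff(x, y):
            gx, gy = (x or size), (y or size)      # 0 stands for 2^n
            r = gx * pow(gy, -1, p) % p
            return 0 if r == size else r
        ops["mul"] = (mul_diff, 1)
    return ops


def difference_table(perm, diff):
    """T(alpha, beta) = |{(X, X') : Delta(X, X') = alpha, Delta(pi(X), pi(X')) = beta}|
    for every pair (alpha, beta), as in equation (1).  Row alpha always sums to
    2^n because X' is determined by X and alpha."""
    size = len(perm)
    T = [[0] * size for _ in range(size)]
    for x in range(size):
        for x2 in range(size):
            T[diff(x, x2)][diff(perm[x], perm[x2])] += 1
    return T


def max_entry(T, identity):
    """M = max over non-trivial alpha, beta (both != identity) of T(alpha, beta)."""
    size = len(T)
    return max(T[a][b] for a in range(size) for b in range(size)
               if a != identity and b != identity)


def max_probability(perm, n, op):
    """Best differential probability max Pr(alpha -> beta) = M / 2^n for one operation."""
    diff, identity = group_ops(n)[op]
    return max_entry(difference_table(perm, diff), identity) / (1 << n)


def average_max_probability(n, op, trials, seed=1):
    """Monte Carlo estimate of the Table 1 quantity: the mean of max_probability
    over `trials` uniformly random n-bit permutations."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        perm = list(range(1 << n))
        rng.shuffle(perm)
        total += max_probability(perm, n, op)
    return total / trials


# The 3-bit permutation of Example 1 in Section 2: pi(0) = 3, pi(1) = 0, ...
EXAMPLE_PERM = [3, 0, 7, 1, 2, 5, 4, 6]


def example_1_entry():
    """T_+(1, 2) for EXAMPLE_PERM; the paper shows it equals 2."""
    diff, _ = group_ops(3)["add"]
    return difference_table(EXAMPLE_PERM, diff)[1][2]


if __name__ == "__main__":
    print("T_+(1,2) for Example 1:", example_1_entry())
    for n in range(4, 9):
        row = {op: average_max_probability(n, op, trials=8) for op in group_ops(n)}
        print(n, {op: round(v, 4) for op, v in row.items()})
```

Row $\alpha$ of every table sums to $2^n$ and XOR tables contain only even entries, which the brute-force construction makes easy to check. A handful of trials at $n = 8$ already places the average maximum for `xor` above `add` and `mul`, in line with the $0.0443$ versus $0.0284$ and $0.0283$ of Table 1; `mul` is simply absent from the returned dictionary whenever $2^n + 1$ is not prime.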

2 An Equivalent Graph Theory Problem

We let $\Pi(n)$ denote the set of $n$-bit permutations, and write $\pi \in_R \Pi(n)$ to denote a uniformly selected $n$-bit permutation. The problem of determining the distribution of entries for $T_\otimes$ can be considered as an enumeration problem: count the number of edge-preserving mappings between two appropriately defined directed graphs, given below. Recall that the set of $n$-bit blocks is denoted $\mathbb{Z}_2^n$ and can be represented by the set $\{0, 1, \ldots, 2^n - 1\}$.

Definition 1 For a group $(\mathbb{Z}_2^n, \otimes)$ of order $2^n$ and a non-trivial (non-identity) difference $\alpha \in \mathbb{Z}_2^n$ there is an associated directed graph $D_\alpha = (V, E_\alpha)$, $|V| = 2^n$, where each vertex $v \in V$ has a unique label $l(v) \in \mathbb{Z}_2^n$ and $E_\alpha = \{(u, v) \mid l(u) \otimes (l(v))^{-1} = \alpha\}$. The directed edges or arcs of $D_\alpha$ represent the ordered pairs $(X, X')$ for which $\Delta(X, X') = \alpha$. We will call $D_\alpha$ the difference graph of $\alpha$ with respect to $\otimes$. □

As a result of the group property, every vertex of $D_\alpha$ has indegree and outdegree one. Consequently, the arcs of $D_\alpha$ form cycles.^3

Corollary 1 The directed graph $D_\alpha$ consists of $2^n / \operatorname{ord}\alpha$ labeled disjoint cycles of length $\operatorname{ord}\alpha$. □

Let $D_\alpha = (V, E_\alpha)$ and $D_\beta = (V, E_\beta)$ be the difference directed graphs representing any two differences $\alpha, \beta \in \mathbb{Z}_2^n$. For a permutation $\pi \in \Pi(n)$ we define
$$d_\pi(D_\alpha, D_\beta) = \bigl|\{(u, v) \in E_\alpha \mid (u', v') \in E_\beta,\ l(u') = \pi(l(u)),\ l(v') = \pi(l(v))\}\bigr|.$$
If $d_\pi(D_\alpha, D_\beta) = t$, then $\pi$ is said to map $t$ arcs of $D_\alpha$ onto $D_\beta$. Now, $d_\pi(D_\alpha, D_\beta)$ is the number of arcs of $D_\alpha$ mapped to arcs of $D_\beta$ by $\pi$, or alternatively, $d_\pi(D_\alpha, D_\beta)$ is the number of pairs $(X, X')$ such that $\Delta(X, X') = \alpha$ and $\Delta(\pi(X), \pi(X')) = \beta$. Thus, the entries of a difference table for $\pi$ with respect to $\otimes$ can be considered as the number of arcs preserved by a mapping between two difference graphs.

Lemma 1 For all non-trivial differences $\alpha, \beta \in \mathbb{Z}_2^n$ and $\pi \in \Pi(n)$, $T_\otimes(\alpha, \beta) = d_\pi(D_\alpha, D_\beta)$. □

Example 1 Consider $(\mathbb{Z}_2^3, +)$, the group of addition modulo 8. The directed graphs $D_1, D_2$ representing the differences $\Delta(X, X') = 1$ and $\Delta(X, X') = 2$ are shown in Figure 1. Notice that the arcs of $D_1$ and $D_2$ form cycles of length 8 and 4 respectively, as $\operatorname{ord} 1 = 8$ and $\operatorname{ord} 2 = 4$ with respect to $+$. Let $\pi \in \Pi(3)$ be the permutation $(3\ 0\ 7\ 1\ 2\ 5\ 4\ 6)$. Then the only arcs of $D_1$ mapped by $\pi$ to arcs of $D_2$ are the arcs labeled by $(3, 2)$ and $(7, 6)$ of $D_1$, which are mapped to the arcs labeled by $(1, 7)$ and $(6, 4)$ respectively of $D_2$. Consequently $T_+(1, 2) = d_\pi(D_1, D_2) = 2$. □

^3 A cycle is usually assumed to have length at least three, but in this paper it is useful to extend the definition to include cycles of length two. A cycle of length two on the vertices $\{v_0, v_1\}$ consists of the arcs $\{(v_0, v_1), (v_1, v_0)\}$, and is also considered as an undirected edge.

[Figure 1: drawings of $D_1$ (a single 8-cycle on the vertices $0, \ldots, 7$) and $D_2$ (two 4-cycles, on $\{0, 2, 4, 6\}$ and $\{1, 3, 5, 7\}$); the image itself is not reproduced here.]

Figure 1: The directed graphs $D_1$ and $D_2$ representing the two differences $\Delta(X, X') = 1$ and $\Delta(X, X') = 2$ using the 3-bit $+$ operation to define the differences.

From Corollary 1, the structure of $D_\alpha$ and $D_\beta$ depends only on the orders of $\alpha$ and $\beta$, and the order of the group, that is, $2^n$. If $\operatorname{ord}\alpha = \operatorname{ord}\beta = a$, then both $D_\alpha$ and $D_\beta$ are comprised of disjoint cycles of length $a$, and thus $D_\alpha$ is isomorphic to $D_\beta$. Consequently, the distribution of values for $d_\pi(D_\alpha, D_\beta)$ over $\pi \in \Pi(n)$ depends only on the orders of $\alpha$, $\beta$ and $2^n$. That is, if $\operatorname{ord}\alpha = \operatorname{ord}\alpha'$ and $\operatorname{ord}\beta = \operatorname{ord}\beta'$, then $\Pr(d_{\pi_1}(D_\alpha, D_\beta) = t) = \Pr(d_{\pi_2}(D_{\alpha'}, D_{\beta'}) = t)$ for each $t$, $0 \le t \le 2^n$, when $\pi_1, \pi_2 \in_R \Pi(n)$ are independent. We may then make the following definition.

Definition 2 Let $(\mathbb{Z}_2^n, \otimes)$ be an Abelian group of order $2^n$. For $a = 2^r$, $b = 2^s$, $1 \le r \le n$, $1 \le s \le n$, and $0 \le t \le 2^n$, define
$$p_t(2^n, a, b) \stackrel{\mathrm{def}}{=} \Pr\bigl(d_\pi(D_\alpha, D_\beta) = t \mid \pi \in_R \Pi(n)\bigr),$$
where $\alpha, \beta \in \mathbb{Z}_2^n$ are any elements such that $\operatorname{ord}\alpha = a$ and $\operatorname{ord}\beta = b$. Note: $p_t(2^n, a, b) = p_t(2^n, b, a)$. □

Now, the expected distribution of values in $T_\otimes$ depends only on the distribution of (element) orders in $(\mathbb{Z}_2^n, \otimes)$. In the group $(\mathbb{Z}_2^n, \oplus)$, all the nonzero elements have order 2, and the resulting directed graphs $D_\alpha$ consist of $2^{n-1}$ cycles of length 2. However, in the group $(\mathbb{Z}_2^n, +)$ there are $2^{a-1}$ elements of order $2^a$, $1 \le a \le n$, and the identity (0) has order one. For $2^n + 1$ prime, the groups $(\mathbb{Z}_2^n, \odot)$ and $(\mathbb{Z}_2^n, +)$ are isomorphic, and thus have the same distribution of orders.

Corollary 2 Let $\otimes \in \{+, \odot\}$. Then there are $2^{2a-2}$ entries in $T_\otimes$ for which $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2^a$, $1 \le a \le n$, and $2^{a+b-1}$ entries for which $\{\operatorname{ord}\alpha, \operatorname{ord}\beta\} = \{2^a, 2^b\}$, $1 \le a < b \le n$. □

To obtain the expected distribution of entries in a difference table for $\otimes \in \{+, \odot\}$, we need only determine $p_t(2^n, a, b)$ for $a = 2^r$, $b = 2^s$, $1 \le r \le n$, $1 \le s \le n$, and $0 \le t \le 2^n$, and apply Corollary 2. We now cast this enumeration problem in terms of the inclusion-exclusion principle (IEP) (see for example Hall [6]). Let $\alpha$ and $\beta$ be elements of $(\mathbb{Z}_2^n, \otimes)$, and let $D_\alpha = (V, E_\alpha)$ and $D_\beta = (V, E_\beta)$ be their respective (difference) graphs. For each edge $uv \in E_\alpha$ define $A_{uv}$ as $A_{uv} = \{\pi \in \Pi(n) \mid (\pi(u), \pi(v)) \in E_\beta\}$, which is the set of permutations that preserve the edge $uv$ of $D_\alpha$ in $D_\beta$. Then, by the inclusion-exclusion principle, the number of permutations that preserve exactly $t$ edges from $D_\alpha$ in $D_\beta$ is

$$P_t = \sum_{i=0}^{j-t} (-1)^i \binom{t+i}{i} S_{t+i}, \qquad S_k = \sum_{Y \subseteq E_\alpha,\ |Y| = k} \Bigl|\bigcap_{uv \in Y} A_{uv}\Bigr|, \qquad (2)$$

where $j = |E_\alpha|$ is the number of edges of $D_\alpha$, and it follows that $p_t(2^n, a, b) = P_t / (2^n)!$. In the case of XOR differences ($\otimes = \oplus$) it is known [11] that

$$P_{2t} \approx e^{-1/2} \binom{2^{n-1}}{t}^2 2^t\, t!\,(2^n - 2t)! \qquad (3)$$

In this case determining an exact expression for $P_t$ is assisted by the fact that $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$, and the sets $A_{uv}$ are `independent' in the sense that $uv$ is the only edge incident on $u$ and $v$. For a general group operation $\otimes \ne \oplus$, most group elements will have $\operatorname{ord}\alpha > 2$, and hence induce a difference graph in which there exist sets $A_{u_1 v_1}, A_{u_2 v_2}$ whose edges share a vertex ($v_1 = u_2$). Dependence between the $A_{uv}$ sets considerably complicates the expressions for $P_t$, as we show next for $p_t(2^n, 2, 4)$ and $p_t(2^n, 4, 4)$.
Lemma 2 For $n \ge 2$,
$$p_t(2^n, 2, 4) = p_t(2^n, 4, 2) = \frac{1}{(2^n)!} \sum_{i=0}^{2^{n-1} - t} (-1)^i \binom{t+i}{i} S^{(n)}_{t+i}(2, 4) \quad \text{for } 0 \le t \le 2^{n-1},$$
and
$$p_t(2^n, 4, 4) = \frac{1}{(2^n)!} \sum_{i=0}^{2^n - t} (-1)^i \binom{t+i}{i} S^{(n)}_{t+i}(4, 4) \quad \text{for } 0 \le t \le 2^n,$$
where
$$S^{(n)}_k(2, 4) = \Biggl(\sum_{j = \lceil k/2 \rceil}^{\min(k,\, 2^{n-2})} \binom{2^{n-2}}{j} \binom{j}{k-j} 2^{3j}\Biggr) \binom{2^{n-1}}{k}\, k!\, (2^n - 2k)!, \qquad 0 \le k \le 2^{n-1}, \qquad (4)$$
and $S^{(n)}_k(4, 4)$ is a sum over the vectors $\eta = (f, g, h, i)$ with $e(\eta) = k$, where $f$, $g$ and $h$ count the disjoint paths of length 1, 2 and 3 and $i$ the 4-cycles of $D_\alpha$ making up the preserved arc set, $p(\eta) = 2f + 3g + 4h + 4i$ is the number of vertices they cover, $z = f + 2g + 2h - i$, $\kappa = 2^{n-2} - (g + h + i)$ and $0 \le f + g + h + i \le 2^{n-2}$; each summand contains an inner sum of the same form as in (4), taken over $\lceil f/2 \rceil \le j \le \min(f, \kappa)$, the factor $(2^n - p(\eta))!$ for the unconstrained vertices, and factorials of $f, g, h, i$ and $\kappa$ together with the power $4^z$ from the choice of images. For $2^{n-1} + 1 \le t \le 2^n$, $p_t(2^n, 2, 4) = 0$.

Proof. Apply the definition of $S_k$ in (2) directly. □

For general $a, b > 4$ the expression for $S_k = S^{(n)}_k(a, b)$ becomes increasingly difficult to determine exactly, and we therefore consider an asymptotic approximation. We denote $\pi(Y) = \{(u', v') \mid l(u') = \pi(l(u)),\ l(v') = \pi(l(v)),\ (u, v) \in Y\}$, so that we can represent $\bigcap_{uv \in Y} A_{uv} = \{\pi \mid \pi(Y) \subseteq E_\beta\}$. Observe that $S_k$ is defined in terms of preserved edges, but it may be further decomposed into terms of preserved vertices. A set of $k$ edges is incident on at least $k$ vertices (a cycle) and at most $2k$ vertices (disjoint edges). Let $p(Y)$ be the number of vertices which are incident to the edges of $Y$, where $k \le p(Y) \le 2k$. For $k \le j \le 2k$, define
$$\zeta(k, j) = \sum_{Y \subseteq E_\alpha,\ |Y| = k,\ p(Y) = j} \bigl|\{\pi \mid \pi(Y) \subseteq E_\beta\}\bigr|$$
such that $S_k$ can be expressed as $S_k = \sum_{j=k}^{2k} \zeta(k, j)$. As it turns out, $S_k \approx \zeta(k, 2k)$, meaning that $S_k$ is dominated by the term mapping disjoint edges of $D_\alpha$ to disjoint edges of $D_\beta$. In Appendix A we formally prove (Corollaries 7 and 9) that for $k = o(2^{n/2})$,
$$\zeta(k, 2k) = \frac{(2^n)!}{k!}\,(1 + o(1)), \qquad S_k = \frac{(2^n)!}{k!}\,(1 + o(1)). \qquad (5)$$
Recalling that $N = 2^n - 1$, the approximation is valid for any $k$ which is asymptotically bounded by $2^{n/2} \approx \sqrt{N}$. For example, $k \le 2^{n/2}/\ln(\ln n)$ would suffice.
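As an added check on the inclusion-exclusion machinery above (this program is ours, not the paper's), the following Python code takes $n = 3$, where all $8! = 40320$ permutations can be enumerated, and compares the exact distribution of $T_+(4, 2)$ (orders 2 and 4, so Lemma 2's $S^{(n)}_k(2,4)$ applies) and of $T_\oplus(1, 1)$ (orders 2 and 2, with $S_k$ counted edge by edge as in the discussion of (3)) against brute force. Function names and the choice of $\alpha, \beta$ are ours; the formulas are the paper's.

```python
import math
from itertools import permutations

# Added example (not from the paper): the exact distribution of one difference-table
# entry over all 3-bit permutations, computed once by brute force over the 8!
# permutations and once with the inclusion-exclusion formulas (2) and (4).  The
# function names are ours; the formulas are the paper's.

N_BITS = 3
SIZE = 1 << N_BITS            # 2^n = 8 blocks, 8! = 40320 permutations


def t_add(perm, alpha=4, beta=2):
    """T_+(alpha, beta) for (Z_2^3, +): the number of X with
    pi(X) - pi(X - alpha) = beta (mod 8).  alpha = 4 has order 2, beta = 2 order 4."""
    return sum((perm[x] - perm[(x - alpha) % SIZE]) % SIZE == beta for x in range(SIZE))


def t_xor(perm, alpha=1, beta=1):
    """T_xor(alpha, beta): the number of X with pi(X) xor pi(X xor alpha) = beta.
    Both differences have order 2, so the count is always even."""
    return sum(perm[x] ^ perm[x ^ alpha] == beta for x in range(SIZE))


def brute_force_distribution(entry):
    """{t: number of permutations pi with entry(pi) = t} over all of Pi(3)."""
    counts = {}
    for perm in permutations(range(SIZE)):
        t = entry(perm)
        counts[t] = counts.get(t, 0) + 1
    return counts


def sieve(S):
    """Inclusion-exclusion (2): P_t = sum_i (-1)^i C(t+i, i) S_{t+i}, the number
    of permutations preserving exactly t of the edges.  S[k] is S_k for k = 0..m."""
    m = len(S) - 1
    return [sum((-1) ** i * math.comb(t + i, i) * S[t + i] for i in range(m - t + 1))
            for t in range(m + 1)]


def S_2_4(n, k):
    """S_k^{(n)}(2, 4) of Lemma 2, equation (4): ord alpha = 2 (D_alpha is 2^{n-1}
    disjoint 2-cycles) and ord beta = 4 (D_beta is 2^{n-2} directed 4-cycles).
    The inner sum places the k arc images into j of the 4-cycles, vertex-disjointly."""
    cycles = 1 << (n - 2)
    inner = sum(math.comb(cycles, j) * math.comb(j, k - j) * 8 ** j
                for j in range(-(-k // 2), min(k, cycles) + 1))
    return inner * math.comb(1 << (n - 1), k) * math.factorial(k) * math.factorial((1 << n) - 2 * k)


def S_xor(n, k):
    """S_k for ord alpha = ord beta = 2, counting preserved undirected edges: pick
    the k edges of D_alpha and k image edges of D_beta, match and orient them,
    then place the remaining 2^n - 2k vertices freely."""
    edges = 1 << (n - 1)
    return (math.comb(edges, k) ** 2 * math.factorial(k) * 2 ** k
            * math.factorial((1 << n) - 2 * k))


def exact_add_distribution(n=N_BITS):
    """{t: P_t} for T_+(alpha, beta) with ord alpha = 2, ord beta = 4 (Lemma 2).
    Each preserved arc is one unit of T, so t is the table entry itself."""
    P = sieve([S_2_4(n, k) for k in range((1 << (n - 1)) + 1)])
    return {t: p for t, p in enumerate(P) if p}


def exact_xor_distribution(n=N_BITS):
    """{2t: P_t} for T_xor(alpha, beta): a preserved edge contributes both of its
    arcs, so the table entry is twice the number of preserved edges."""
    P = sieve([S_xor(n, k) for k in range((1 << (n - 1)) + 1)])
    return {2 * t: p for t, p in enumerate(P) if p}


def poisson_prediction(n, t, lam):
    """The Poisson approximation of Section 3 scaled to a count of permutations."""
    return math.factorial(1 << n) * math.exp(-lam) * lam ** t / math.factorial(t)


if __name__ == "__main__":
    print("T_+(4,2):  exact", exact_add_distribution(), "brute force", brute_force_distribution(t_add))
    print("T_xor(1,1): exact", exact_xor_distribution(), "brute force", brute_force_distribution(t_xor))
    for t, p in exact_add_distribution().items():
        print(t, p, round(poisson_prediction(N_BITS, t, 1.0)))
```

Both exact distributions agree with the brute-force counts, which also exercises the factor structure of (4): for $T_+(4, 2)$ the value 3 never occurs, because three preserved arcs leave the last pair of vertices on an arc of $D_\beta$ and so force a fourth, and $T_\oplus$ is always even. The final loop prints the Poisson prediction $8!\,e^{-1}/t!$ beside the exact counts; at $n = 3$ the approximation is crude, as expected for $t$ nowhere near $o(2^{n/2})$.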

3 The Poisson Approximation

In this section we determine an asymptotic approximation to $p_t(2^n, a, b)$. In all our asymptotic approximations we shall assume that $n \to \infty$. Suppose that for each $n \ge 0$, $g_t(n)$ and $h_t(n)$ are defined for $t \in S(n)$, for example, $S(n) = \{0, 1, \ldots, 2^n\}$. We say that $g_t(n) \approx h_t(n)$ uniformly for $t \in R(n) \subseteq S(n)$ if
$$\max_{t \in R(n)} \left| \frac{g_t(n)}{h_t(n)} - 1 \right| = o(1),$$
that is, for all $t \in R(n)$, $g_t(n)$ is always approaching $h_t(n)$ as $n \to \infty$. The approximation in (3) can be refined to provide the following asymptotic approximation to $p_{2t}(2^n, 2, 2)$:

Corollary 3 For $n \ge 1$, $p_{2t}(2^n, 2, 2) \approx e^{-1/2}\,(1/2)^t/t!$ uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$. □

Corollary 3 indicates that if $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$, then the distribution of smaller values in $T_\otimes(\alpha, \beta)$ can be approximated using the Poisson distribution with $\lambda = 1/2$. Our main result is to determine an asymptotic approximation to the distribution as $n$ increases when $\operatorname{ord}\alpha > 2$ or $\operatorname{ord}\beta > 2$. This approximation is derived using the following asymptotic result. Suppose that there is a sequence of sets $\mathcal{T}^{(n)}$, and for each $n$ there are $j(n)$ subsets $B_i \subseteq \mathcal{T}^{(n)}$, $1 \le i \le j(n)$, with $P_k$ and $S_k$ defined as above.

Theorem 1 (Bender [1]) If for some $\lambda > 0$, $S_k \approx |\mathcal{T}^{(n)}|\, \lambda^k / k!$ uniformly for $0 \le k \le l(n) \le j(n)$, where $l(n)$ is some function which goes to infinity with $n$, then $P_t \approx |\mathcal{T}^{(n)}|\, e^{-\lambda} \lambda^t / t!$ uniformly for $0 \le t \le m(n)$, if $l(n) - m(n)$ tends to infinity with $n$. □

Theorem 1 can be applied to determine asymptotic approximations to $p_t(2^n, a, b)$ from asymptotic approximations to $S_k$. For example, in Lemma 3, asymptotic approximations to $p_t(2^n, 2, 4) = p_t(2^n, 4, 2)$ are determined from asymptotic approximations to the values of $S_k$ given in Lemma 2.

Lemma 3 As $n \to \infty$, $p_t(2^n, 2, 4) = p_t(2^n, 4, 2) \approx e^{-1}/t!$ uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$.

Proof. Consider the expression for $S_k$ when $a = 2$ and $b = 4$ given in Lemma 2. First, we obtain upper and lower bounds on the summation $\sum_{j=\lceil k/2\rceil}^{k} \binom{2^{n-2}}{j} \binom{j}{k-j} 2^{3j}$, to show that
$$\sum_{j=\lceil k/2\rceil}^{k} \binom{2^{n-2}}{j} \binom{j}{k-j} 2^{3j} = 2^k \binom{2^n}{k} \bigl(1 + O(k^2/2^n)\bigr)$$
for $k = o(2^{n/2})$. After substituting this back into (4), we then go on to show that for $k = o(2^{n/2})$,
$$S_k = \frac{(2^n)!}{k!} \prod_{i=0}^{k-1} \left(1 + \frac{i+1}{2^n - 2i - 1}\right) \bigl(1 + O(k^2/2^n)\bigr).$$
If $k = o(2^{n/2})$, then
$$1 \le \prod_{i=0}^{k-1} \left(1 + \frac{i+1}{2^n - 2i - 1}\right) \le \left(1 + \frac{k}{2^n - 2k}\right)^k = 1 + O\!\left(\frac{k^2}{2^n - 2k}\right) = 1 + O(k^2/2^n),$$
and thus $\prod_{i=0}^{k-1} \bigl(1 + \frac{i+1}{2^n - 2i - 1}\bigr) = 1 + O(k^2/2^n)$. Therefore, for $k = o(2^{n/2})$,
$$S_k = \frac{(2^n)!}{k!} \bigl(1 + O(k^2/2^n)\bigr).$$
If $0 \le k \le 2^{n/2}/\ln(\ln n) = o(2^{n/2})$, then the error term $O(k^2/2^n)$ is upper bounded by $O(1/(\ln(\ln n))^2) = o(1)$. Thus $S_k \approx (2^n)!/k! = |\Pi(n)|\, 1^k/k!$ uniformly for $0 \le k \le 2^{n/2}/\ln(\ln n)$, which we define to be $l(n)$. Hence, we can apply Theorem 1 with $\lambda = 1$. Let $m(n) = l(n)/2$, noting that $l(n) - m(n) = l(n)/2$, which goes to infinity with $n$. Therefore $P_t \approx (2^n)!\, e^{-1}/t!$ and $p_t(2^n, 2, 4) \approx e^{-1}/t!$ for $0 \le t \le m(n) = 2^{n/2}/(2\ln(\ln n))$. □

This asymptotic approximation extends to the remaining cases for which $a > 2$ or $b > 2$.

Theorem 2 Let $\{a_n\}$ and $\{b_n\}$ be any two sequences such that $a_n = 2^{r_n}$, $b_n = 2^{s_n}$, $1 \le r_n \le n$ and $2 \le s_n \le n$. Then $p_t(2^n, a_n, b_n) \approx e^{-1}/t!$ uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$.

Proof. Corollary 9 in Appendix A shows that $S_k \approx (2^n)!/k! = |\Pi(n)|/k!$ for $k = o(2^{n/2})$. The remainder of the proof follows the last paragraph of the proof of Lemma 3. □

Corollary 4 Let $(\mathbb{Z}_2^n, \otimes)$ be an Abelian group of order $2^n$ and $\alpha, \beta \in \mathbb{Z}_2^n$ be non-trivial differences. If $\pi \in_R \Pi(n)$, then
$$\Pr(T_\otimes(\alpha, \beta) = 2t) \approx e^{-1/2}\,(1/2)^t/t! \quad \text{if } \operatorname{ord}\alpha = \operatorname{ord}\beta = 2, \qquad \Pr(T_\otimes(\alpha, \beta) = t) \approx e^{-1}/t! \quad \text{otherwise},$$
uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$. □

We call the asymptotic approximations in Corollary 4 the Poisson approximation (PA) to the distribution of entries for $T_\otimes(\alpha, \beta)$. The probabilities $\Pr(T_\otimes(\alpha, \beta) = t)$, $0 \le t \le 11$, predicted by the PA are listed in Table 3. Let $E[X]$, $\operatorname{Var}[X] = E[X^2] - (E[X])^2$ and $\sigma[X] = \sqrt{\operatorname{Var}[X]}$ denote the expectation, variance and standard deviation of the random variable $X$. It is known that if the distribution of values for $X$ is Poisson, then $\operatorname{Var}[X] = E[X] = \lambda$. For example, if $\operatorname{ord}\alpha > 2$ or $\operatorname{ord}\beta > 2$ then $\operatorname{Var}[T_\otimes(\alpha, \beta)] \approx E[T_\otimes(\alpha, \beta)] \approx 1$. A little algebraic manipulation reveals that the distribution of values for $P(\alpha, \beta) = \Pr_\otimes(\alpha \to \beta)$ has $E[P(\alpha, \beta)] \approx 1/2^n$ and $\sigma[P(\alpha, \beta)] \approx \epsilon/2^n$, where $\epsilon = \sqrt{2}$ if $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$ and $\epsilon = 1$ otherwise. This indicates that the probabilities for differential approximations $\Delta X = \alpha \to \Delta\pi(X) = \beta$ where $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$ are distributed $\sqrt{2}$ times as far from $1/2^n$ as the probabilities for other differential approximations. Consequently, differential approximations for which $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$ are more likely to have higher probabilities.

      $\Pr(T_\otimes(\alpha,\beta) = t)$                         $\Pr(T_\otimes(\alpha,\beta) = t)$
  t   ord α = ord β = 2   ord α > 2 or ord β > 2    t   ord α = ord β = 2   ord α > 2 or ord β > 2
  0   0.606531            0.367879                  6   0.0126361           0.000510944
  1   n/a                 0.367879                  7   n/a                 $7.29920 \times 10^{-5}$
  2   0.303265            0.18394                   8   0.00157951          $9.12399 \times 10^{-6}$
  3   n/a                 0.0613132                 9   n/a                 $1.01378 \times 10^{-6}$
  4   0.0758163           0.0153283                10   0.000157951         $1.01378 \times 10^{-7}$
  5   n/a                 0.00306566               11   n/a                 $9.21616 \times 10^{-9}$

Table 3: The probabilities $\Pr(T_\otimes(\alpha, \beta) = t)$, $0 \le t \le 11$, predicted by the Poisson approximation. Note that $T_\otimes(\alpha, \beta)$ must be even if $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$.

4 Bounding the Maximum Difference Table Entry

In this section we use the PA to obtain probabilistic bounds on the maximum difference table entry with respect to the three group operations. The expected distribution of entries in the difference tables can be predicted using the PA. The expected distribution of entries in the difference tables with respect to $\oplus$ is approximated using a Poisson distribution with $\lambda = 1/2$, as all non-trivial elements have order two. The expected distribution of entries in the difference tables with respect to $+$ and $\odot$ is approximated using a Poisson distribution with $\lambda = 1$, as there is only one pair $(\alpha, \beta)$ with $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$. We determine the expectation and variance of $\nu_t(T_\otimes)$, defined to be the fraction of entries in $T_\otimes$ that are equal to $t$, $0 \le t \le 2^n$.

Corollary 5 For $\pi \in_R \Pi(n)$,
$$E[\nu_{2t}(T_\oplus)] \approx e^{-1/2}\,(1/2)^t/t! \qquad \text{and} \qquad E[\nu_t(T_\otimes)] \approx e^{-1}/t!,\ \ \otimes \in \{+, \odot\},$$
uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$. □

This information is sufficient for obtaining upper bounds on the maximum entry in difference tables with respect to the three group operations. However, to obtain our lower bound on the maximum entry in difference tables with respect to $\oplus$, the variance of $\nu_{2t}(T_\oplus)$ is required. We have not attempted to determine the variance of $\nu_t(T_\otimes)$ for $\otimes \in \{+, \odot\}$ as the counting problem is very complex, and this variance is not required for the results of this paper.

Lemma 4 For $\pi \in_R \Pi(n)$,
$$\operatorname{Var}[\nu_{2t}(T_\oplus)] \approx \frac{1}{(2^n - 1)^2}\, \frac{e^{-1/2}}{2^t\, t!} \left(1 - \frac{e^{-1/2}}{2^t\, t!}\right)$$
uniformly for $0 \le t \le o(N)$. Proof. See Appendix B. □

For nontrivial $\alpha, \beta$ define $\chi^{(t)}_{\alpha\beta}$, $0 \le t \le 2^{n-1}$, where $\chi^{(t)}_{\alpha\beta} = 1$ if $T_\oplus(\alpha, \beta) = 2t$ and $\chi^{(t)}_{\alpha\beta} = 0$ otherwise. It follows that $\psi^{(t)} = \sum_{\alpha, \beta \ne I} \chi^{(t)}_{\alpha\beta} = (2^n - 1)^2\, \nu_{2t}(T_\oplus)$ is the number of entries of size $2t$ in the difference table $T_\oplus$. Note that $E[\psi^{(t)}] = (2^n - 1)^2\, E[\nu_{2t}(T_\oplus)] \approx (2^n - 1)^2\, e^{-1/2}\,(1/2)^t/t!$ uniformly for $0 \le t \le 2^{n/2}/(2\ln(\ln n))$. Similarly,
$$\operatorname{Var}[\psi^{(t)}] = (2^n - 1)^4\, \operatorname{Var}[\nu_{2t}(T_\oplus)] \approx (2^n - 1)^2\, \frac{e^{-1/2}}{2^t\, t!} \left(1 - \frac{e^{-1/2}}{2^t\, t!}\right) \approx E[\psi^{(t)}] \left(1 - \frac{e^{-1/2}}{2^t\, t!}\right),$$
drawing on the result of Lemma 4. Recall that we defined $B_n = \ln N^2 / \ln\ln N^2$, where $N = 2^n - 1$. Observe that the Poisson approximation (Corollary 4) holds for $0 \le t \le 2B_n$, as $2B_n \le 2^{n/2}/(2\ln(\ln n))$ when $n \ge 8$.

Lemma 5 If $\pi \in_R \Pi(n)$, then $\Pr(2B_n \le M_\oplus < 2n) \approx 1$.

Proof. O'Connor [11] proved that $\Pr(M_\oplus \ge 2n) = o(1)$. Denote $\psi = \psi^{(B_n)}$, and observe that $\operatorname{Var}[\psi] \approx E[\psi]$ as $B_n$ increases with $n$. Chebyshev's inequality (see for example [4]) is applied to show that
$$\Pr(M_\oplus < 2B_n) \le \Pr(\psi = 0) \le \Pr\bigl(|\psi - E[\psi]| \ge E[\psi]\bigr) \le \frac{\operatorname{Var}[\psi]}{(E[\psi])^2} \approx \frac{1}{E[\psi]}.$$
The expected number of entries of size $2B_n$ in the difference tables with respect to $\oplus$ is equal to
$$E[\psi] = (2^n - 1)^2\, E[\nu_{2B_n}(T_\oplus)] \approx N^2\, \frac{e^{-1/2}}{2^{B_n}\, B_n!}.$$
By applying Stirling's formula for $n!$ (see, for example, [5, page 213]),
$$B_n! \approx \sqrt{2\pi B_n} \left(\frac{B_n}{e}\right)^{B_n} = \sqrt{2\pi B_n}\, \frac{(\ln N^2)^{\ln N^2 / \ln\ln N^2}}{(e \ln\ln N^2)^{B_n}} = \sqrt{2\pi B_n}\, \frac{N^2}{(e \ln\ln N^2)^{B_n}},$$
where $(\ln N^2)^{\ln N^2 / \ln\ln N^2} = (e^{\ln\ln N^2})^{\ln N^2 / \ln\ln N^2} = e^{\ln N^2} = N^2$. Consequently,
$$\Pr(M_\oplus < 2B_n) \lesssim \frac{1}{E[\psi]} \approx \frac{2^{B_n}\, B_n!}{N^2\, e^{-1/2}} \approx \frac{e^{1/2}\, \sqrt{2\pi B_n}\; 2^{B_n}}{(e \ln\ln N^2)^{B_n}} = \frac{e^{1/2}\, \sqrt{2\pi B_n}}{((e/2) \ln\ln N^2)^{B_n}} = o(1),$$
as $\sqrt{2\pi B_n} = o\bigl(((e/2) \ln\ln N^2)^{B_n}\bigr)$. Therefore, the probability that the maximum entry is either less than $2B_n$ or greater than or equal to $2n$ is $o(1)$, and $\Pr(2B_n \le M_\oplus < 2n) \approx 1$. □

Lemma 6 If $\pi \in_R \Pi(n)$, then $\Pr(M_\otimes < 2B_n) \approx 1$ for all $\otimes \in \{+, \odot\}$.

Proof. Assume $\otimes \in \{+, \odot\}$. Let $\psi^{(t)} = (2^n - 1)^2\, \nu_t(T_\otimes)$ denote the number of entries $t$ in the difference table with respect to $\otimes$, and in particular denote $\psi = \psi^{(2B_n)}$. Recall that $E[\psi] = (2^n - 1)^2\, E[\nu_{2B_n}(T_\otimes)] \approx N^2 e^{-1} / (2B_n)!$. By applying Stirling's formula for $n!$,
$$(2B_n)! \approx \sqrt{2\pi (2B_n)} \left(\frac{2B_n}{e}\right)^{2B_n} = 2\sqrt{\pi B_n}\, \frac{(\ln N^2)^{2\ln N^2 / \ln\ln N^2}}{((e/2) \ln\ln N^2)^{2B_n}} = 2\sqrt{\pi B_n}\, \frac{N^4}{((e/2) \ln\ln N^2)^{2B_n}},$$
where $(\ln N^2)^{2\ln N^2 / \ln\ln N^2} = (e^{\ln\ln N^2})^{2\ln N^2 / \ln\ln N^2} = e^{2\ln N^2} = N^4$. Thus
$$E[\psi] \approx N^2 e^{-1}\, \frac{((e/2) \ln\ln N^2)^{2B_n}}{2\sqrt{\pi B_n}\, N^4} = \frac{e^{-1}}{2\sqrt{\pi B_n}} \left( \frac{((e/2) \ln\ln N^2)^{2/\ln\ln N^2}}{(N^2)^{1/\ln N^2}} \right)^{\ln N^2} = \frac{e^{-1}}{2\sqrt{\pi B_n}}\, y(N)^{\ln N^2},$$
where $y(N) = ((e/2) \ln\ln N^2)^{2/\ln\ln N^2} / (N^2)^{1/\ln N^2} = ((e/2) \ln\ln N^2)^{2/\ln\ln N^2} / e$, and we can show that $y(N) < 1$ (indeed $y(N) \to e^{-1}$ as $N \to \infty$). Therefore
$$E[\psi] \approx \frac{e^{-1}}{2\sqrt{\pi B_n}}\, y(N)^{\ln N^2} = o(1)$$
as $B_n$ increases with $n$. Now, for $2B_n \le t \le 2^{n/2}/(2\ln(\ln n))$, $E[\psi^{(t)}] \le E[\psi] / (2B_n)^{t - 2B_n}$. (The value of $E[\psi^{(t)}]$ is insignificant for $t > 2^{n/2}/(2\ln(\ln n))$.) Therefore, the expected number of entries greater than or equal to $2B_n$ in a difference table with respect to $\otimes$ is
$$\sum_{t \ge 2B_n} E[\psi^{(t)}] \le \sum_{t \ge 2B_n} \frac{E[\psi]}{(2B_n)^{t - 2B_n}} = E[\psi] \sum_{i \ge 0} \frac{1}{(2B_n)^i} = E[\psi]\, \frac{1}{1 - 1/(2B_n)} = o(1).$$
Note that the probability that $M_\otimes \ge 2B_n$ is at most the expected number of entries of size $t \ge 2B_n$. Therefore, $\Pr(M_\otimes \ge 2B_n) = o(1)$ as $n \to \infty$. □

The bounds on $M_\otimes$ correspond to bounds on the maximum probability of an approximation. For example, the probability of the best approximation with respect to XOR differences is in the range $[2^{-58.7}, 2^{-57}]$ for a random 64-bit permutation and in the range $[2^{-121.9}, 2^{-120}]$ for a random 128-bit permutation. The values $2^{-58.7}$ and $2^{-121.9}$ are also upper bounds on the probability of approximations with respect to $+$ or $\odot$ for random 64-bit and 128-bit permutations respectively. Further bounds on the maximum entry can be obtained for difference tables with respect to other group operations, and these bounds will rely primarily on the fraction of entries in the difference table for which both elements have order 2.

A similar approach can be applied to bound the maximum probability of a quasi-differential. For example, consider the quasi-differentials which use $\oplus$ to define input differences and $+$ to define output differences. Difference tables for quasi-differentials are defined in much the same way as (1). We note that $\operatorname{ord}\alpha = 2$ for all non-trivial input differences $\alpha$, while for the output differences, $\operatorname{ord}\beta = 2$ only if $\beta = 2^{n-1}$. Consequently there are $(2^n - 1) = N$ entries for which $\operatorname{ord}\alpha = \operatorname{ord}\beta = 2$. Now, $N$ is approximately $(2^{n/2} - 1)^2$, so the maximum entry $M$ for the approximations $\alpha \to 2^{n-1}$ can be bounded in much the same way as the maximum XOR entry for a random $n/2$-bit permutation. Consequently, for a random $n$-bit permutation, we can bound $M$ by $\Pr(2B_{n/2} \le M < 2 \cdot n/2 = n) \approx 1$. The maximum entry over the remaining approximations is upper bounded by $2B_n$, and thus the maximum entry in the table is lower bounded by $2B_{n/2}$ and upper bounded by $\max(n, 2B_n)$. For example, the maximum table entry for a random 64-bit permutation is between 24 and 64, corresponding to probabilities in the range $[2^{-59.4}, 2^{-58}]$.

Finally, Lemma 5 and Lemma 6 combine to confirm our initial observation that in general XOR differences yield higher probability approximations than differences with respect to modular addition and modular multiplication.

Corollary 6 If $\pi \in_R \Pi(n)$, then $\Pr(M_\oplus > M_\otimes) \approx 1$, for $\otimes \in \{+, \odot\}$. □
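The numbers in Table 2 and Table 3 and the expectations used in the proofs of Lemmas 5 and 6 can be regenerated with the following Python program, which is an added example rather than part of the paper; it implements the paper's definitions of $B_n$, the Poisson approximation of Corollary 4, $E[\psi^{(t)}]$ and the probability interval of Lemma 5 under our own function names.

```python
import math

# Added example (not from the paper): the quantities behind Table 2, Table 3 and
# Lemmas 5 and 6, computed from the paper's formulas so that the bounds on the
# maximum difference-table entry can be checked for any block size n.  Function
# names are ours.


def B(n):
    """B_n = ln N^2 / ln ln N^2 with N = 2^n - 1 (Section 1)."""
    log_n2 = 2 * math.log((1 << n) - 1)
    return log_n2 / math.log(log_n2)


def two_ceil_B(n):
    """2 * ceil(B_n): the Table 2 threshold separating M_xor (above it) from
    M_+ and M_mul (below it) for a random n-bit permutation."""
    return 2 * math.ceil(B(n))


def poisson(lam, t):
    return math.exp(-lam) * lam ** t / math.factorial(t)


def pa_probability(t, both_order_two):
    """Pr(T(alpha, beta) = t) under the Poisson approximation (Corollary 4):
    lambda = 1/2 on even values only when ord alpha = ord beta = 2, else lambda = 1."""
    if both_order_two:
        return poisson(0.5, t // 2) if t % 2 == 0 else 0.0
    return poisson(1.0, t)


def expected_entries(n, t, both_order_two):
    """E[psi^(t)]: expected number of entries equal to t in the N x N difference
    table (Section 4).  For xor every one of the N^2 entries has both orders 2."""
    N2 = ((1 << n) - 1) ** 2
    return N2 * pa_probability(t, both_order_two)


def expected_entries_at_least(n, t0, both_order_two, extra=80):
    """Sum over t >= t0 of E[psi^(t)], the quantity bounding Pr(M >= t0) in the
    proof of Lemma 6; the Poisson tail decays factorially, so `extra` terms suffice."""
    return sum(expected_entries(n, t, both_order_two) for t in range(t0, t0 + extra))


def xor_probability_bounds(n):
    """log2 of the interval [2 B_n / 2^n, 2n / 2^n] of Lemma 5 for the best
    xor differential probability of a random n-bit permutation."""
    return (math.log2(2 * B(n)) - n, math.log2(2 * n) - n)


if __name__ == "__main__":
    print("   n     B_n  2ceil(B_n)")
    for n in (8, 16, 32, 64, 128, 256, 512, 1024):
        print(f"{n:4d} {B(n):7.1f} {two_ceil_B(n):8d}")
    print("expected xor entries equal to 10 at n=8:", round(expected_entries(8, 10, True), 2))
    print("expected + or mul entries >= 10 at n=8:", round(expected_entries_at_least(8, 10, False), 4))
    lo, hi = xor_probability_bounds(64)
    print(f"best xor probability, random 64-bit permutation: [2^{lo:.1f}, 2^{hi:.0f}]")
```

At $n = 8$ the program reports about 10 expected XOR entries equal to $2\lceil B_8\rceil = 10$ but only about $0.007$ expected entries of size 10 or more for $+$ and $\odot$, which is the quantitative form of the separation visible in Table 1. Recomputing $B_{64}$ from its definition gives $19.8$, so $2\lceil B_{64}\rceil = 40$ and the lower end of the 64-bit XOR interval is $2^{-58.7}$.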

5 Conclusion

We have shown that with high probability, XOR differences yield better differential approximations than differences with respect to modular addition and modular multiplication. Furthermore, we have also been able to find asymptotic approximations to the distribution of entries in difference tables, and find bounds on the maximum difference table entry with respect to these three group operations. Further bounds on the maximum entry can be obtained for difference tables with respect to other group operations, and these bounds will rely primarily on the fraction of entries in the difference table for which both elements have order 2. The Poisson approximation (Corollary 4) can also be applied to quasi-differentials and the maximum probability can be similarly bounded.

The distribution of entries in difference tables has previously been predicted using a "balls-in-bins" model [8], summarized as follows. In modeling difference tables with respect to XOR, we let the "balls" represent the unordered pairs of difference $\alpha$ and let the "bins" represent the possible non-trivial output differences. If the $2^{n-1}$ input pairs of input difference $\alpha$ (the "balls") can be allocated randomly and independently to any of the $2^n - 1$ "bins", then the resulting distribution approaches a Poisson distribution with parameter $\lambda = 2^{n-1}/(2^n - 1) \approx 1/2$. In modeling difference tables with respect to $+$ or $\odot$, we let the "balls" represent the ordered pairs of difference $\alpha$ and let the "bins" represent the possible non-trivial output differences. If the $2^n$ input pairs of input difference $\alpha$ (the "balls") can be allocated randomly and independently to any of the $2^n - 1$ "bins", then the resulting distribution approaches a Poisson distribution with parameter $\lambda = 2^n/(2^n - 1) \approx 1$. Our results add validity to the "balls-in-bins" approach for predicting the distribution of difference table entries less than $2^{n/2}/(2\ln(\ln n))$.

6 Appendix A

Recall the counting problem posed in §2, along with the definitions required for applying Theorem 1. To simplify further proofs, we derive an alternative expression for $(k, j)$. For a set $Y$ of arcs, define the directed graph $D(Y) = (V_Y, Y)$, where $V_Y = \{u, v \mid (u, v) \in Y\}$. Recall that $D$ and $D$ are composed of disjoint cycles. As $D(Y)$ is a subgraph of $D$ it follows that $D(Y)$ consists of disjoint cycles of length $a$ and disjoint paths of length less than $a$, where a path of length $L$ is a set of $L$ connected arcs $(u_{i_0}, u_{i_1}), (u_{i_1}, u_{i_2}), \ldots, (u_{i_{L-1}}, u_{i_L})$, where the vertices $u_{i_0}, \ldots, u_{i_L}$ are distinct. In each path there is a unique element with indegree zero and outdegree one (for example, vertex $u_{i_0}$), which we call the head vertex of the path. For each $Y \subseteq E$ define the length vector $L_a(Y)$ as the $a$-tuple whose $i$-th component, for $1 \le i \le a-1$, is the number of disjoint paths in $D(Y)$ of length $i$, and whose $a$-th component is the number of disjoint cycles in $D(Y)$.

For a length vector we define $h$ as the sum of its components, $e$ as the sum over $i$ of $i$ times the $i$-th component, and $p = h + e$ minus the $a$-th component. Note that if $L_a(Y)$ is the length vector then $h$ is the total number of disjoint paths and cycles in $Y$, $e$ is the number of arcs in $Y$ and $p = p(Y) = |V_Y|$.

Lemma 7 If Y

YY jf j

E and D(Y ) and D(Y ) are isomorphic then La (Y ) = La(Y ). If E and La (Y ) = La (Y ), then D(Y ) and D(Y ) are isomorphic and jf j (Y ) E gj = (Y ) E gj. 2 E,

Assume that the two permutations have orders $a$ and $b$ respectively. Let $Y \subseteq E$ be a representative subset of $E$ with a given length vector $L_a(Y)$, and suppose that some permutation of the $2^n$ vertices maps $Y$ into $E$. As it is a permutation, the subgraph $D(Y)$ and the subgraph on the image of $Y$ are, by definition, isomorphic. Therefore the image of $Y$ has the same length vector as $Y$ by Lemma 7. Let $F$ denote the set of possible length vectors which exist for both subsets of $E$ and subsets of $E$. Note that the $a$-th component is $0$ for all vectors in $F$ when the two orders differ. From Lemma 7, it follows that the number of permutations mapping $Y$ into $E$ is the same for all $Y \subseteq E$ with the same length vector. Therefore,

(k j ) can be expressed as (k j ) = = =

Y E jYj=k p(Y )=j


X

jf j (Y ) jfY
E

gj
E

2F e( )=k p( )=j
X

j La(Y ) = gj jf j (Y )
E

gj
(6)

where the first factor is the number of subsets $Y \subseteq E$ with the given length vector. Now, if the image of $Y$ lies in $E$, then it can be any subset of $E$ with that length vector, and the number of such subsets is the corresponding count for $E$. Let $Y \subseteq E$ be any such subset. Then

2F e( )=k p( )=j

jf j (Y )

gj:

jf j (Y )

gj

= =

jf j (Y ) = Y La(Y ) = gj n o jfY E jLa(Y ) = gj j (Y ) = Y


X

Y E

=
o

j (Y ) = Y

and substitution into (6) reveals (k j ) =


X n

We now determine the last factor in the above equation, that is, the number of permutations of the $2^n$ vertices mapping $Y$ onto $Y$. If $Y$ contains $c$ cycles, there are $a^c\, c!$ ways to map the cycles of $Y$ to the cycles of $Y$, and, for $1 \le i \le a-1$, the number of paths of length $i$ factorial ways to map the paths of length $i$ of $Y$ to the paths of length $i$ of $Y$. Finally, there are $(2^n - j)!$ ways to map the remaining vertices of $D$ onto the remaining vertices of $D$. Thus the number of such permutations is the product of these factors with $(2^n - j)!$, and
X

2F e( )=k p( )=j

j (Y ) = Y

Our task now is to determine these two counts for each length vector in $F$. For small $a$ and $b$ this is not very difficult. For example, the exact expressions for $S_k$ in Lemma 2 are derived using this method. However, in general, determining an exact expression for the counts is a difficult task and an asymptotic approximation is sufficient. This asymptotic approximation is developed from an asymptotic approximation to $(k, 2k)$ and bounds on the remaining terms. Let $D_1 = (V, E_1)$ and $D_2 = (V, E_2)$ be digraphs on $|V| = N$ vertices such that $D_1$ consists of $N/a$ disjoint cycles of length $a$ and $D_2$ consists of $N/b$ disjoint cycles of length $b$. Assume that $a = 2^r$, $b = 2^s$, $r \ge 1$, $s \ge 1$ and consequently $N$ is even. Let $F_{1,2}$ denote the set of possible length vectors which exist for both subsets of $E_1$ and subsets of $E_2$. For $i \in \{1, 2\}$ the count for $E_i$ is the number of subsets $Y \subseteq E_i$ with the given length vector. Define $S_k$ and $(k, j)$ as in §3. Let the restricted set $F_{1,2}$ denote the set of $a$-tuples in $F_{1,2}$ whose $a$-th component is $0$, and denote by the restricted $(k, j)$ the sum
P X

e( )=k p( )=j

2F

! (2n ; j )!:

with $S_k = \sum_{j=k}^{2k} (k, j)$. Note that if $a \ne b$ then the restricted set $F_{1,2}$, the restricted $(k, j)$ and the restricted $S_k$ coincide with $F_{1,2}$, $(k, j)$ and $S_k$ respectively. The three main steps of our approximation are to develop asymptotic approximations to $(k, 2k)$, then the restricted $S_k$ and finally $S_k$ for $k = o(\sqrt N)$. To obtain our asymptotic approximation to $(k, 2k)$, we first determine the number of ways to select $k$ single disjoint arcs from a cycle of length $a$. Let $D = (V, E)$ be a cycle of length $a \ge 2$. Let

2F1 2 e( )=k p( )=j

! (N ; j )!


$f_{a,k}$ denote the number of subsets $Y \subseteq E$ which consist of $k$ single disjoint arcs, $k \ge 0$. Note that $f_{a,k} = 0$ when $k > \lfloor a/2 \rfloor$. The following expression for $f_{a,k}$ is derived using recurrence relations, although the proof is not included here. Lemma 9 is also given without proof.

Lemma 8 For $a \ge 2$ and $0 \le k \le \lfloor a/2 \rfloor$, $f_{a,k} = \dfrac{a}{a-k}\dbinom{a-k}{k}$.
i

2
;N

Lemma 9 Suppose that = (k 0 : : :) where 0 k N=2. Then fN k


2

. for i 2 f1 2g.

The following asymptotic approximations are used frequently (without reference) in obtaining our asymptotic approximations.

Lemma 10 If $k = o(\sqrt N)$ and $t = o(\sqrt N)$ as $N \to \infty$, then
$$\binom{N}{k} = \frac{N^k}{k!}\left(1 + O(k^2/N)\right), \qquad (N-k)^t = N^t\left(1 + O(kt/N)\right),$$
$$N! = N^k (N-k)!\left(1 + O(k^2/N)\right), \qquad \frac{N}{N-k} = 1 + O(k/N).$$

Corollary 7 Suppose that $a$ and $b$ are even. For $N \ge 2$ and $k = o(\sqrt N)$, $(k, 2k) = \dfrac{N!}{k!}\left(1 + O(k^2/N)\right)$.

Proof. Recall that $(k, 2k)$ equals the product of the two counts for $E_1$ and $E_2$ times $k!\,(N - 2k)!$, for the length vector $(k, 0, \ldots, 0)$. From Lemma 9, a lower bound on $(k, 2k)$ is determined by

$$(k, 2k) \ge f_{N,k}^2\, k!\,(N-2k)! = \left(\frac{N}{N-k}\right)^2 \binom{N-k}{k}^2 k!\,(N-2k)! = \frac{N!}{k!}\left(1 + O(k^2/N)\right)$$
for $k = o(\sqrt N)$. From Lemma 9, the following upper bound on $(k, 2k)$ is obtained:
$$(k, 2k) \le \binom{N}{k}^2 k!\,(N-2k)! = \frac{N!}{k!}\left(1 + O(k^2/N)\right)$$
for $k = o(\sqrt N)$. Consequently, $(k, 2k) = \dfrac{N!}{k!}\left(1 + O(k^2/N)\right)$ for $k = o(\sqrt N)$. $\square$

The next step is to show that the restricted $S_k$ equals $\dfrac{N!}{k!}\left(1 + O(k^2/N)\right)$ for $k = o(\sqrt N)$. For any $a$-tuple with $h$ as the sum of its components, define the multinomial factor $h!$ divided by the product of the factorials of its components.

Lemma 11 For each length vector in the restricted set $F_{1,2}$, the number of subsets of $E_1$ with that length vector and the number of subsets of $E_2$ with that length vector are each at most $\binom{N}{h}$ times the multinomial factor of the vector, where $h$ is the sum of its components.

Proof. Recall that the $a$-th component is $0$ for every length vector in the restricted set $F_{1,2}$. Denote by $G_1$ the set of subsets $Y \subseteq E_1$ with the given length vector, so that the count for $E_1$ is $|G_1|$. For each length vector we construct a set $H_1$ of subsets of $E_1$ such that $G_1 \subseteq H_1$. Any subset $Y \in G_1$ can be partitioned into the $h$ disconnected paths denoted $Y_1, \ldots, Y_h$. Note that there are $h$ vertices corresponding to the heads of the paths $Y_1, \ldots, Y_h$. Let $A = \{u_{i_1}, \ldots, u_{i_h}\} \subseteq V$ be any subset of $h$ vertices. There are $\binom{N}{h}$ such subsets $A$. If $Y \in G_1$ then the subset of head vertices of the paths in $Y$ must be one of these subsets. For each set $A$ construct subsets of $E_1$ as follows. Partition $A$ into subsets $A_1, \ldots, A_{a-1}$ such that $A_l$ contains as many vertices as the $l$-th component of the length vector, $1 \le l \le a-1$. The number of such partitions is the multinomial factor of the vector. For each $l$, $1 \le l \le a-1$, construct paths of length $l$ so that each vertex of $A_l$ is the head vertex of a chain of length $l$. Let $Y$ be the union of all such paths, and $H_1$ be the union of all subsets $Y$ constructed using this method. There are $\binom{N}{h}$ times the multinomial factor choices of subsets $A$ and partitions $A_1, \ldots, A_{a-1}$ to create such sets $Y$. Therefore $|H_1|$ is at most $\binom{N}{h}$ times the multinomial factor. Note that each $Y \in G_1$ will be constructed using some subset $A$ and partition $A_1, \ldots, A_{a-1}$. Consequently, the count for $E_1$ is $|G_1| \le |H_1| \le \binom{N}{h}$ times the multinomial factor. Similarly $G_2 \subseteq H_2$ and the same bound holds for the count for $E_2$. $\square$

12

Figure 2: Constructing the set of arcs $E^{(i)}$ from $E$. In this figure, ord $= 4$ and $i = 2$.

Lemma 12 For $k > 0$ and $1 \le h \le k$, with $j = k + h$, the sum of the multinomial factors over all $a$-tuples with $e = k$ and $p = j$ equals the sum of the multinomial factors over all $a$-tuples with $e = k$ and component sum $h$, and both equal $\dbinom{k-1}{h-1}$, where the summations are over all possible $a$-tuples with non-negative integer coefficients.
Corollary 8 Suppose that $N > 0$, $a = 2^r$ and $b = 2^s$ such that $a \mid N$ and $b \mid N$. For $k = o(\sqrt N)$, the restricted $S_k$ equals $\dfrac{N!}{k!}\left(1 + O(k^2/N)\right)$.

Proof. Consider $(k, j)$ where $k < j \le 2k$ and thus $1 \le h = j - k \le k$. Note that if $k = o(\sqrt N)$ then $j = o(\sqrt N)$ and $h = o(\sqrt N)$. Similarly, if something is $O(k^2/N)$, then it is also $O(j^2/N)$ and $O(h^2/N)$. Recall that the restricted $(k, j)$ is the sum, over the length vectors in the restricted set $F_{1,2}$ with $e = k$ and $p = j$, of the two counts times the product of the factorials of the components times $(N - j)!$, and thus

(k j )

"

= N j ;2h h! (N ; j )!

Nj

N h

!#2

! (N ; j )! =
X

!!

! (1 + O(k2 =N )) = N h!
! !

N 2h h! (h!)2 !

! (N ; j )! (1 + O(k2=N ))
X

!!

(1 + O(k2=N )):

Note that $F_{1,2}$ is a subset of all possible $a$-tuples with non-negative integer coefficients. Thus, Lemma 12 provides the following upper bound:

Set $m = j - 2h$. Now, we can show that


!

e( )=k p( )=j

2F1 2

e( )=k p( )=j

h = k;1 : h;1

N! 1 k ; 1 1 + O k2=N (k j ) j ; 2 h h! N h;1 ! 1 1 + O k2 =N k ! k ; 1 N ! = k! (k ; m)! k ; 1 ; m N m

for $k = o(\sqrt N)$. Thus the restricted $S_k$ is upper bounded by

N ! k2m 1 + O k2=N k! N m
! 1 + O k2 =N =N k!

Sk =

2k X

for $k = o(\sqrt N)$. Finally, $(k, 2k) = \dfrac{N!}{k!}\left(1 + O(k^2/N)\right)$ for $k = o(\sqrt N)$, following from Corollary 7. Therefore the restricted $S_k$ equals $\dfrac{N!}{k!}\left(1 + O(k^2/N)\right)$ for $k = o(\sqrt N)$. $\square$

j =k+1

(k j )

N ! k2m 1 + O k2 =N m m=1 k! N
; ;

k X

p
s

Corollary 9 Suppose that n ; ; n


2 ! k!

1+O

k2 =2n

for k = o(2n=2).

0, a = 2^r , b = 2^s , 1

n and 2

n. Then Sk =

Proof. If $a \ne b$, then $S_k$ coincides with the restricted $S_k$ and equals $\dfrac{2^n!}{k!}\left(1 + O(k^2/2^n)\right)$ for $k = o(2^{n/2})$ as shown in Corollary 8. Suppose $a = b > 2$, and that the $a$-th component of the length vector is $i > 0$. Let $E^{(i)}$ be the arc set $E$ excluding $i$ cycles as shown in Figure 2. Define a modified $a$-tuple by keeping components $1, \ldots, a-1$ of the length vector and setting the $a$-th component to $0$. Then,

jfY

j La(Y ) = gj = jfY jfY


E

j La(Y ) = (0 : : : 0 i)gj Y
n

E (i) j La(Y ) =

The first term is the number of ways to choose $i$ cycles from $2^n/a = 2^{n-r}$ cycles, and thus

j La(Y ) = (0 : : : 0 i)gj
o

=
; n;r

2n;r : i

We define the count for $E^{(i)}$ as the number of subsets $Y \subseteq E^{(i)}$ whose length vector is the modified $a$-tuple, so that the count for $E$ equals $\binom{2^{n-r}}{i}$ times the count for $E^{(i)}$. Note that, provided $k \le 2^{n-r}$, the $a$-th component lies between $0$ and $\lfloor k/a \rfloor$. Define $F$ as the set of length vectors $L_a(Y)$ over all $Y \subseteq E$, and let the restricted $F$ denote the set of $a$-tuples in $F$ whose $a$-th component is $0$. Therefore
n

Sk =
=

2n;r
a

(i)

!2

2F1 2 e( )=k bX k=ac n;r !2

! (2n ; j )!
2

Note that if $k = o(2^{n/2})$, then $k - ia = o\bigl(\sqrt{2^n - ia}\bigr)$, and $O\bigl((k - ia)^2/(2^n - ia)\bigr) = O(k^2/2^n)$. Therefore, if $k = o(2^{n/2})$, we can show that
Sk =
bX k=ac
i=0

We can apply Corollary 8 to determine the summation over the restricted $F$ with $N = 2^n - ia$. Thus, for $k - ia = o\bigl(\sqrt{2^n - ia}\bigr)$, the restricted sum with $e = k - ia$ and factor $(2^n - j - ia)!$ equals
$$\frac{(2^n - ia)!}{(k - ia)!}\left(1 + O\bigl((k - ia)^2/(2^n - ia)\bigr)\right).$$

i=0

ai i!

2F e( )=k;ia

! (2n ; j ; ia)!:

2n;r
0

!2

n ; ia)! 2 n ai i! (2 (k ; ia)! 1 + O k =2
1

n! = 2 k!

Bbk=ac BX B B @ i=0

C k! 1 (2n);i(a;2) C C 1 + O k2 =2n C i ( k ; ia )! i ! a A | {z }

v(2n a k i)

and v (2n a k i)

;k

ka;1 i a (2n)a;2 .

Thus, an upper bound for $S_k$ is
$$S_k \le \frac{2^n!}{k!}\left(1 + O(k^2/2^n)\right)\sum_{i=0}^{\lfloor k/a \rfloor}\binom{k}{i}\left(\frac{k^{a-1}}{a\,(2^n)^{a-2}}\right)^i \le \frac{2^n!}{k!}\left(1 + \frac{k^{a-1}}{a\,(2^n)^{a-2}}\right)^k\left(1 + O(k^2/2^n)\right)$$
$$= \frac{2^n!}{k!}\left(1 + O\!\left(\frac{k^a}{a\,(2^n)^{a-2}}\right)\right)\left(1 + O(k^2/2^n)\right) = \frac{2^n!}{k!}\left(1 + O(k^2/2^n)\right)$$
for $k = o(2^{n/2})$, provided that $a > 2$. Note that $S_k$ is at least the restricted $S_k$, which equals $\dfrac{2^n!}{k!}\left(1 + O(k^2/2^n)\right)$, and therefore $S_k = \dfrac{2^n!}{k!}\left(1 + O(k^2/2^n)\right)$ for $k = o(2^{n/2})$.


Figure 3: The undirected graphs $G$ and $G_2 = (V, E_2)$, where $E_2$ is the union of the edge sets of the two graphs $G$ shown in the figure.

7 Appendix B

Lemma 13 For elements of $R$, uniformly for $0 \le t \le \dfrac{2^{n/2}}{2\ln(\ln n)}$,
$$\mathrm{Var}\bigl[{}_{2t}(T)\bigr] \approx \frac{1}{(2^n - 1)^2}\,\frac{(1/2)^t e^{-1/2}}{t!}\left(1 - \frac{(1/2)^t e^{-1/2}}{t!}\right).$$

Sketch of Proof. Observe that $\mathrm{Var}[(t)] = (2^n - 1)^4\,\mathrm{Var}\bigl[{}_{2t}(T)\bigr]$, and $\mathrm{Var}[(t)]$ is determined from $\mathrm{Var}[(t)] = E\bigl[((t))^2\bigr] - \bigl(E[(t)]\bigr)^2$. We determine $E\bigl[((t))^2\bigr]$ from

E(

(t) )2

= E

(t) 2

E
+
6=

(t) 2
X

+
(t)

6=

(t)
X

(t) i

(7)
h

(t) i +

6= 6=

(t)

(t) i (t).

where the summation is over the nontrivial differences appearing in the subscripts of
X

Now,
$$\sum E\bigl[(t)^2\bigr] = \sum \Pr\bigl(T(\,) = 2t\bigr) \approx (2^n - 1)^2\,\frac{e^{-1/2}}{2^t\,t!} \qquad (8)$$

for $0 \le t \le \dfrac{2^{n/2}}{2\ln(\ln n)}$. However, the remaining terms must be determined using different graph enumeration problems. Consider $E[(t)\,(t)]$ where the three differences involved are non-trivial and the two output differences are distinct. Note that $(t)\,(t) = 1$ only if $d(D, D) = 2t$ and $d(D, D) = 2t$, and

$$= \Pr\bigl((t)\,(t) = 1\bigr) = \Pr\bigl(d(D, D) = 2t \text{ and } d(D, D) = 2t\bigr) = \frac{1}{2^n!}\,\bigl|\{\text{permutations in } {}^{(n)} \mid d(D, D) = 2t,\ d(D, D) = 2t\}\bigr|.$$
We consider all the edges to be undirected, that is $(u, v) = (v, u)$. Let $G$ be the undirected graph with the same edge set as $D$. Similarly define $G$ and $G$. Define $G_2 = (V, E_2)$ where $E_2$ is the union of the two edge sets $E$. Observe that $G_2$ consists of $2^{n-2}$ unordered cycles of length four, as shown in Figure 3. Note that $d(D, D) = d(D, D) = 2t$ if the permutation maps $2t$ (undirected) edges of $G$ onto $G_2$ such that exactly $t$ edges are mapped onto $G$ and exactly $t$ edges are mapped onto $G$. We apply the IEP twice to determine

(t)

(t) i

and our approximation will require two applications of Theorem 1. Suppose that $Y_1 \subseteq E$ with $|Y_1| = k$ (considering the edges to be undirected, so this is the equivalent of $2k$ directed edges). For

(n)

jd

(D D ) = 2t d (D D ) = 2t

each $e \in E \setminus Y_1$ define $B_e(Y_1)$ as the set of permutations in ${}^{(n)}$ that map $Y_1$ into $E$ and map $\{e\}$ into $E$. By the IEP, the number of permutations that preserve exactly $t$ edges from $G$ in $G$ and that map $Y_1$ into $E$ is

$$Q_t(Y_1) = \sum_{i \ge 0} (-1)^i \binom{t+i}{i}\, S_{t+i}(Y_1), \qquad S_t(Y_1) = \sum_{\substack{Y_2 \subseteq E \setminus Y_1 \\ |Y_2| = t}} \Bigl|\bigcap_{e \in Y_2} B_e(Y_1)\Bigr|.$$

By applying the IEP a second time, the number of permutations that preserve exactly $k$ edges from $G$ in $G$ and preserve exactly $t$ edges of $G$ in $G$ is
$$P_t(k) = \sum_{i \ge 0} (-1)^i \binom{k+i}{i}\, R_t(k+i), \qquad R_t(k) = \sum_{\substack{Y_1 \subseteq E \\ |Y_1| = k}} Q_t(Y_1).$$

Using a similar approach to that used in Appendix A, and repeated application of Theorem 1 with parameter $1/2$, we show that
$$S_t(Y_1) \approx \frac{2^n!}{(2^n)^k\,2^t\,t!}, \qquad Q_t(Y_1) \approx \frac{2^n!}{(2^n)^k}\,\frac{e^{-1/2}}{2^t\,t!},$$
$$R_t(k) \approx 2^n!\,\frac{e^{-1/2}}{2^t\,t!}\,\frac{1}{2^k\,k!}, \qquad P_k(t) \approx 2^n!\,\frac{e^{-1/2}}{2^t\,t!}\,\frac{e^{-1/2}}{2^k\,k!},$$
where the approximation to $P_k(t)$ is uniform for $0 \le t \le \dfrac{2^{n/2}}{2\ln(\ln n)}$ and $0 \le k \le \dfrac{2^{n/2}}{2\ln(\ln n)}$. Therefore
$$E[(t)\,(t)] = \frac{P_t(t)}{2^n!} \approx \left(\frac{e^{-1/2}}{2^t\,t!}\right)^2 \qquad (9)$$

uniformly for $0 \le t \le \dfrac{2^{n/2}}{2\ln(\ln n)}$. We determine $E[(t)\,(t)]$ where both input differences differ and both output differences differ in a similar way. We consider all the edges to be undirected, as above. Define $G_1 = (V, E_1)$ and $G_2 = (V, E_2)$ where $E_1$ and $E_2$ are each the union of two of the edge sets $E$. Observe that $G_1$ and $G_2$ consist of $2^{n-2}$ unordered cycles of length four, as for $G_2$ in Figure 3. Now, $d(D, D) = d(D, D) = 2t$ if the permutation maps $2t$ (undirected) edges of $G_1$ onto $G_2$ such that exactly $t$ edges are mapped from $G$ onto $G$ and exactly $t$ edges are mapped from $G$ onto $G$. Once again we apply the IEP and Theorem 1 twice to show that for all such differences,
$$E[(t)\,(t)] \approx \left(\frac{e^{-1/2}}{2^t\,t!}\right)^2 \qquad (10)$$

uniformly for $0 \le t \le \dfrac{2^{n/2}}{2\ln(\ln n)}$. The proof is very involved, so it is not shown here. The values (9) and (10) are substituted back into (7), to obtain $E\bigl[((t))^2\bigr]$. From Corollary 5 we obtain the asymptotic approximation
$$\bigl(E[(t)]\bigr)^2 = \bigl((2^n - 1)^2\,E[{}_{2t}(T)]\bigr)^2 \approx (2^n - 1)^4\left(\frac{e^{-1/2}}{2^t\,t!}\right)^2$$
for $0 \le t \le \dfrac{2^{n/2}}{2\ln(\ln n)}$. The lemma is proven by substituting the value into the expression for $\mathrm{Var}[(t)]$, resulting in
$$\mathrm{Var}[(t)] \approx (2^n - 1)^2\,\frac{e^{-1/2}}{2^t\,t!}\left(1 - \frac{e^{-1/2}}{2^t\,t!}\right),$$
from which $\mathrm{Var}\bigl[{}_{2t}(T)\bigr] = (2^n - 1)^{-4}\,\mathrm{Var}[(t)]$ is determined.


References

[1] E. A. Bender. Asymptotic methods in enumeration. SIAM Review, 16(4):485–515, 1974.
[2] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Advances in Cryptology, CRYPTO'90, Lecture Notes in Computer Science, vol. 537, A. J. Menezes and S. A. Vanstone ed., Springer-Verlag, pages 2–21, 1991.
[3] E. Biham and A. Shamir. Differential cryptanalysis of the full 16-round DES. Technical Report 708, Technion, Israel Institute of Technology, Haifa, Israel, 1991. Also presented at Advances in Cryptology, CRYPTO'92, Lecture Notes in Computer Science, vol. 740, E. F. Brickell ed., Springer-Verlag, pages 487–496, 1993.
[4] W. Feller. An Introduction to Probability Theory and its Applications. New York: Wiley, 3rd edition, Volume 1, 1968.
[5] R. P. Grimaldi. Discrete and Combinatorial Mathematics: An Applied Introduction. Second Edition. Addison Wesley Publishing Company, 1989.
[6] M. Hall. Combinatorial Theory. New York: Wiley-Interscience, 1986.
[7] X. Lai, J. Massey, and S. Murphy. Markov ciphers and differential cryptanalysis. Advances in Cryptology, EUROCRYPT'91, Lecture Notes in Computer Science, vol. 547, D. W. Davies ed., Springer-Verlag, pages 17–38, 1991.
[8] J. Lee, H. M. Heys, and S. E. Tavares. Resistance of a CAST-like encryption algorithm to linear and differential cryptanalysis. Designs, Codes and Cryptography, 12(3):267–282, 1997.
[9] J. Massey. SAFER K-64: A byte-oriented block-ciphering algorithm. Fast Software Encryption, Lecture Notes in Computer Science, vol. 809, R. Anderson ed., Springer-Verlag, pages 1–17, 1994.
[10] J. Massey. SAFER K-64: One year later. Fast Software Encryption, Lecture Notes in Computer Science, vol. 1008, B. Preneel ed., Springer, pages 212–241, 1995.
[11] L. J. O'Connor. On the distribution of characteristics in bijective mappings. Advances in Cryptology, EUROCRYPT'93, Lecture Notes in Computer Science, vol. 765, T. Helleseth ed., Springer-Verlag, pages 360–370, 1994.
[12] National Bureau of Standards. Data Encryption Standard. FIPS PUB 46, Washington, D. C. (January 1977).

