Rotational Cryptanalysis on ChaCha Stream Cipher

Abstract

In this paper we consider the ChaCha20 stream cipher in the related-key scenario and we study how to obtain rotational-XOR pairs with nonzero probability after the application of the first quarter round. The ChaCha20 input can be viewed as a $4\times 4$ matrix of 32-bit words, where the first row of the matrix is fixed to a constant value, the second two rows represent the key, and the fourth some initialization values. Under some reasonable independence assumptions and a suitable selection of the input, we show that the aforementioned probability is about $2^{-251.7857}$, a value greater than $2^{-256}$, which is the one expected from a random permutation. We also investigate the existence of constants, different from the ones used in the first row of the ChaCha20 input, for which the rotational-XOR probability increases, representing a potential weakness in variants of the ChaCha20 stream cipher. So far, to our knowledge, this is the first analysis of the ChaCha20 stream cipher from a rotational-XOR perspective.

1. Introduction

The ChaCha20 stream cypher, published in 2008 [1], was developed by Daniel J. Bernstein as a modification of Salsa20 [2], another stream cypher designed in 2005 by the same author and then later submitted to the eSTREAM project. The aim of ChaCha20 is to increase diffusion and performance on some architectures with respect to Salsa20. Google has selected ChaCha20 along with Bernstein’s Poly1305 message authentication code as a replacement for RC4 in TLS, and its specifications can be found in [3]. Both ciphers are ARX (Add-Rotate-XOR) ciphers, i.e., built on a pseudorandom function based only on the following three 32-bit word operations: modular addition, circular rotation, and bitwise exclusive or (XOR). This pseudorandom function is itself built upon a 512 bit permutation. According to [4], both permutations are not designed to simulate ideal permutations: they are designed to simulate ideal permutations with certain symmetries, i.e., ideal permutations of the orbits of the state space under these symmetries. The input of the ChaCha20 function is partially fixed to specific asymmetric constants, ensuring that different inputs lie in different orbits. As a consequence of the ChaCha20 design, some cryptanalytic techniques, such as rotational cryptanalysis, seem hard to apply.

Related works. Rotational cryptanalysis studies the propagation of rotational pairs $(x,x⋘r)$ throughout the encryption steps of an ARX scheme. It is a probabilistic chosen-plaintext attack that turns to be an effective cryptanalytical tool against ciphers and hash functions that are based on the three ARX operations.

A rotational pair of keys was considered for the first time in the pioneering work on related keys by Biham [5]. This approach was extended by Kelsey et al. in several related-key attacks on block ciphers [6]. A rotational pair of inputs was later adopted in the cryptanalysis of the compression function of Shabal [7] (the term “rotational input” was not used yet), but it was traced only through bitwise operations and not through additions. Bernstein [8] explicitly prevented using rotational pairs in Salsa20 (and ChaCha20) by fixing non-symmetric constants in the input of the permutation. However, he did not provide any complexity or probability estimates for this kind of attack. The designers of the block cipher SEA [9] described the technique of rotational cryptanalysis in 2006 and defended against it with non-linear key-schedule and pseudorandom constants. In his Ph.D. thesis, Daum [10] described the links between modular addition and bit rotations. In 2010, the term “rotational cryptanalysis” appeared for the first time in the papers of Khovratovich and Nikolić [11,12], were they cryptanalyzed the reduced-round Threefish cipher, which is part of the Skein hash function, a SHA-3 competition candidate [13]. Their attack covered 53 rounds of Skein-256 and 57 rounds of Skein-512. In the aforementioned paper [11], the authors proved that for ARX primitives, under the assumption that the cipher can be modeled as a Markov chain, the probability to have a rotational pair of inputs which will produce a rotational pair at the output depends on the number of additions only. This claim was corrected in [14], where the authors showed that chained modular additions used in ARX ciphers do not always form a Markov chain with regards to rotational analysis. They provided a precise value of the probability of such chains and they gave a new algorithm for computing the rotational probability of ARX ciphers. Then, they used the algorithm to correct (from 12 to 7 rounds) the rotational attacks on BLAKE2 [15] and to provide valid rotational attacks against the simplified version of Skein. In 2013, rotational cryptanalysis was also applied to distinguish four rounds of KECCAK permutation [16] in time $2^{221}$. A crucial requirement for rotational cryptanalysis to work effectively is that all constants used in the ARX primitive must preserve their values when rotated. This requirement can be relaxed to some extent and instead of assuming completely rotational constants, one can work with constants that are almost rotational, i.e., the XOR difference between the initial constants and the rotated ones gives words of small Hamming weight. A different approach was taken by Ashur and Liu in 2016 [17]. They presented a way to compute the rotational probability when constants are injected into the state and applied their approach to Speck. In particular, they exposed, in the related-key scenario, a trail suggesting that a weak key class of size $2^{39}$ exists, leading to a 7-round distinguisher for Speck64/32. The technique was later automated in [18], through the use of SAT solvers. In [19], a rotational cryptanalysis of the Salsa core function was presented, also finding rotational distinguishers for the Salsa and Chacha permutations: the rotational distinguisher for the ChaCha permutation performs properly only up to 8 rounds with a probability of approximately $2^{-489.6}$, while the rotational distinguisher for the Salsa permutation performs properly up to 32 rounds with a probability of approximately $2^{-506.752}$, clarifying the weakness of the Salsa core function with respect to rotational cryptanalysis. Finally, in [20] the authors applied rotational cryptanalysis to Chacha20 permutation without considering the injected constants in the state of the permutation, showing that it does not behave as a random permutation for up to 17 rounds, since the related probability is less than $2^{-505}$ for 17 rounds of ChaCha permutation, while, for a random permutation of the same input size, this probability is $2^{-511}$.

Our contribution. In this paper we study the applicability to the ChaCha20 stream cipher quarter round function of the techniques due to Ashur and Liu [17], used for the rotational cryptanalysis of Speck in the presence of constants. In order to do this, we first consider the quarter round function $\mathcal{Q}$ of Chacha20, described in Section 2, determining the conditions which guarantee that, starting from randomly and independently chosen $\mathsf{w}$-bit words, inputs $x_1,x_2,x_3$ and a $\mathsf{w}$-bit constant $c_0$ giving the $\mathsf{w}$–bit words $y_0,y_1,y_2,y_3$ as output, i.e.,

$$(y_0,y_1,y_2,y_3)=\mathcal{Q}(c_0,x_1,x_2,x_3),$$

we can find a characteristics of the type

$$((y_0⋘\mathsf{r})\oplus a,(y_1⋘\mathsf{r})\oplus b,(y_2⋘\mathsf{r})\oplus c,(y_3⋘\mathsf{r})\oplus d)=\mathcal{Q}(c_0,f_1,f_2,f_3),$$

for some input relations $f_i=f_i(\mathsf{r},c_0,x_1,x_2,x_3)$, $i=1,2,3$, where $\mathsf{r}$ is an integer less than the word size $\mathsf{w}$ and $a,b,c,d$ are $\mathsf{w}$-bit strings. Then, we search for a suitable selection of $a,b,c,d,$ and key/nonce/counter relations, the above mentioned input relations $f_i$, $i=1,2,3$, such that, fixing the rotational amount $\mathsf{r}=1$, we can precisely determine which input constants $c_0$ yield rotational-XOR pairs with high or low probability, in a related-key scenario. We determine a formula to compute this probability as a function of $c_0$ and we show that in the case of the constants commonly used in ChaCha20 it is greater than $2^{-256}$, revealing the non-randomness of the quarter round permutation. Moreover we investigate the value of this probability for different constants than the ones injected in the ChaCha20 initial state, determining for which of them it increases. While in [19,20] it was only considered the core of ChaCha/Salsa, not the full stream cipher construction, to our knowledge, this is the first attempt to apply rotational analysis to the Chacha20 stream cipher in order to distinguish the behavior of the Chacha20 quarter round from a random permutation and to relate this behaviour to the values of the constants used in Chacha20.

Outline of the paper. In Section 2, we introduce the notation and the essential preliminaries, describing the ChaCha20 stream cipher and the fundamentals of rotational and rotational-XOR cryptanalysis.

In Section 3 we present our analysis. In particular, in Section 3.1, we derive a set of necessary and sufficient conditions which need to be satisfied for a rotational-XOR pair to appear in the output of ChaCha20 quarter round, given that the first word of the input is fixed to a constant value. In Section 3.2, we discuss a suitable choice of the input relations $f_i$, $i=1,2,3,$ and of the parameters $a,b,c,d,$ allowing them to meet the above conditions.In Section 3.3, under the previous choice we compute the probability that these conditions are satisfied by a randomly and independently chosen set of inputs $x_i$, $i=1,2,3$, as a function of the constant $c_0$, i.e., the probability that rotational-XOR pairs (with rotational amount $\mathsf{r}=1$) $(y,(y⋘1)\oplus \delta )$ appear as outputs of the quarter round. In Section 4 we discuss and resume our results. In particular, in Section 4.1 we evaluate this probability for the special constants commonly used in the ChaCha20 stream cipher. We show that, in our scenario, rotational-XOR pairs can appear in ChaCha20 after one round with probability around $2^{-251.7857}$ against the value of $2^{-256}$ for a random permutation. In Section 4.2 we describe the form of some initial constants for which these pairs are very likely. Finally, in Section 5 we give our conclusions.

2. Notation and ChaCha20 Stream Cipher Description

In this section, we first define our notation, then we describe the specifications of the ChaCha20 stream cipher and we provide the basics of rotational and rotational-XOR cryptanalysis.

2.1. Notation

Let ${\mathsf{𝔽}}_2$ be the binary field with two elements, and ${\mathcal{M}}_{\mathsf{n}\times \mathsf{n}}({\mathsf{𝔽}}_2^{\mathsf{w}})$ be the set of all $\mathsf{n}\times \mathsf{n}$ matrices with elements in ${\mathsf{𝔽}}_2^{\mathsf{w}}$. Depending on the context, lowercase letters stand for $\mathsf{w}$-bit words or for the corresponding non-negative integers they represent, i.e.,

$$\begin{array}{cc}x& =\left(x[\mathsf{w}-1],x[\mathsf{w}-2],\dots ,x\left[1\right],x\left[0\right]\right)\in {\mathsf{𝔽}}_2^{\mathsf{w}},\hfill \\ x& =\sum _{i=0}^{\mathsf{w}-1}x\left[i\right]2^i\in \mathsf{\mathbb{N}}\hfill \end{array}$$

where $x\left[i\right]\in {\mathsf{𝔽}}_2$ for all $i=0,\dots ,\mathsf{w}-1$. In the case of ChaCha20, we have $\mathsf{n}=4$ and $\mathsf{w}=32$. With uppercase letters we indicate a $\mathsf{n}\times \mathsf{n}$ matrix of ${\mathsf{n}}^2$ words, i.e., $X\in {\mathcal{M}}_{\mathsf{n}\times \mathsf{n}}({\mathsf{𝔽}}_2^{\mathsf{w}})$.

We also use the following notation:

• ⊕ for the bitwise exclusive or (XOR), i.e., the addition in ${\mathsf{𝔽}}_2^{\mathsf{w}}$;
• ⊞ for the $\mathsf{w}$-bit addition $mod{2}^{\mathsf{w}}$;
• ⊟ for the $\mathsf{w}$-bit subtraction $mod{2}^{\mathsf{w}}$, i.e., the sum $mod{2}^{\mathsf{w}}$ with the opposite of an element in ${\mathsf{𝔽}}_2^{\mathsf{w}}$;
• ${⊞}_{i=1}^k{x}_i$ for the $\mathsf{w}$-bit addition $mod{2}^{\mathsf{w}}$ of k words $x_1,\dots ,x_k$;
• $x|y$ for the vector bitwise OR operation between x and y;
• $x\left|\right|y$ for the concatenation of x and y;
• $SHL\left(x\right)$ for a non–cyclic left shift by one bit of x;
• $(I\oplus SHL)\left(x\right)=x\oplus SHL\left(x\right)$;
• $⋘\mathsf{r}$ and $⋙\mathsf{r}$ respectively for constant-distance left and right circular rotation of $\mathsf{r}$ bits of a $\mathsf{w}$-bit word with $1\le \mathsf{r}\le \mathsf{w}-1$;
• $\left|\right|x\left|\right|$ for the Hamming weight of x;
• $\left|I\right|$ for the cardinality of a set I;
• ${\mathbb{1}}_Z$ for the characteristic function of a condition Z, which is equal to 1 when Z is satisfied and equal to 0 otherwise;
• $\underline{1}=(0,0,\dots ,0,1)\in {\mathsf{𝔽}}_2^{\mathsf{w}}$;
• $x\preccurlyeq y$ if and only if we have $x\left[i\right]\le y\left[i\right]$ for all $i=0,\dots ,\mathsf{w}-1$;
• $x=L_h\left(x\right)\left|\right|R_h\left(x\right)$, where, for $1\le h\le \mathsf{w}-1$,

  $$\begin{array}{cc}{L}_h\left(x\right)& =\left(x\right[\mathsf{w}-1],x[\mathsf{w}-2],\dots ,x[\mathsf{w}-h\left]\right)\hfill \\ R_h\left(x\right)& =\left(x\right[\mathsf{w}-h-1],x[\mathsf{w}-h-2],\dots ,x[1],x[0\left]\right)\hfill \end{array}$$

  and, considering $x\in \mathsf{\mathbb{N}}$,

  $$x=l_h\left(x\right)2^{\mathsf{w}-h}+r_h\left(x\right),\mathrm{where}{l}_h\left(x\right)={\sum }_{i=0}^{h-1}x[\mathsf{w}-h+i]2^i\mathrm{and}{r}_h\left(x\right)={\sum }_{i=0}^{\mathsf{w}-h-1}x\left[i\right]2^i$$

  with $0\le l_h\left(x\right)\le 2^h-1$ and $0\le r_h\left(x\right)\le 2^{\mathsf{w}-h}-1$;
• ${⌊·⌋}_h$ for the operator which gives for any $x\in \mathbb{N}$ the integer ${⌊x⌋}_h$ satisfying

  $$0\le {⌊x⌋}_h\le 2^{h-1}\mathrm{and}{⌊x⌋}_h\equiv xmod{2}^h.$$

2.2. ChaCha20 Specification

The ChaCha20 permutation has a state of 512 bits, which can be seen as a $4\times 4$ matrix whose elements are binary vectors of $\mathsf{w}=32$ bits, i.e.,

$$\begin{array}{c}X={\left\{x_{i,j}\right\}}_{\begin{array}{c}i=0,\dots ,3\\ j=0,\dots ,3\end{array}}=\left[\begin{array}{cccc}{x}_{0,0}& x_{0,1}& x_{0,2}& x_{0,3}\\ x_{1,0}& x_{1,1}& x_{1,2}& x_{1,3}\\ x_{2,0}& x_{2,1}& x_{2,2}& x_{2,3}\\ x_{3,0}& x_{3,1}& x_{3,2}& x_{3,3}\end{array}\right]\in {\mathcal{M}}_{\mathsf{n}\times \mathsf{n}}({𝔽}_2^{\mathsf{w}}).\end{array}$$

The initial state of ChaCha20 is initialized by setting the first row to a 128-bit constant value, the second and third row are used to store a 256-bit key, and the fourth row contains a 64-bit nonce and a 64-bit counter.

Definition 1

(ChaCha20 quarter round). Let $x_i,y_i,i=0,1,2,3$ be $\mathsf{w}$-bit words, and let $(y_0,y_1,y_2,y_3)=\mathcal{Q}(x_0,x_1,x_2,x_3)$, where $\mathcal{Q}$ is the ChaCha20 quarter round, defined as follows:

$$\begin{array}{lll}{b}_0=x_0⊞x_1& \left(1\right)& y_0=b_0⊞b_1\\ b_3=\left(b_0\oplus x_3\right)⋘r_1& & y_3=\left(y_0\oplus b_3\right)⋘r_3\\ b_2=b_3⊞x_2& \left(2\right)& y_2=y_3⊞b_2\\ b_1=\left(b_2\oplus x_1\right)⋘r_2& & y_1=\left(y_2\oplus b_1\right)⋘r_4.\end{array}$$

We show in Figure 1 a schematic drawing of the ChaCha20 quarter round. The permutation used in the ChaCha20 stream cipher performs 20 rounds or, equivalently, 10 double rounds. Two consecutive rounds (or a double round) of the ChaCha20 permutation consist in applying the quarter round four times in parallel to the columns of the state (first round), and then four times in parallel to the diagonals of the state (second round). More formally:

Figure 1. The ChaCha20 quarter round scheme.

Definition 2

(ChaCha20 column/diagonal round). Let $X={\left\{x_{i,j}\right\}}_{\begin{array}{c}i=0,\dots ,3\\ j=0,\dots ,3\end{array}}$, $Y={\left\{y_{i,j}\right\}}_{\begin{array}{c}i=0,\dots ,3\\ j=0,\dots ,3\end{array}}$ be two matrices in ${\mathcal{M}}_{\mathsf{n}\times \mathsf{n}}({𝔽}_2^{\mathsf{w}})$.

A column round $Y={\mathcal{R}}^{\mathsf{C}}\left(X\right)$ is defined as follows, with $i=0,1,2,3$:

$$\begin{array}{c}(y_{0,i},y_{1,i},y_{2,i},y_{3,i})=\mathcal{Q}(x_{0,i},x_{1,i},x_{2,i},x_{3,i}).\end{array}$$

A diagonal round $Y={\mathcal{R}}^{\mathsf{D}}\left(X\right)$ is defined as follows, for $i=0,1,2,3$ and where each subscript is computed modulo $\mathsf{n}=4$:

$$(y_{0,i},y_{1,i+1},y_{2,i+2},y_{3,i+3})=\mathcal{Q}(x_{0,i},x_{1,i+1},x_{2,i+2},x_{3,i+3}).$$

2.3. Rotational and Rotational-XOR (RX) Cryptanalysis

Rotational cryptanalysis is essentially a distinguishing attack that exploits rotational offsets with probability higher than the one for a random permutation. If we consider a $\mathsf{w}$–bit word x and a rotational offset $\mathsf{r}$, we call $(x,x⋘\mathsf{r})$ a rotational pair and we define the rotational property as the property that an operation with the input of a rotational pair gives, as output, another rotational pair. Let us denote with $\mathcal{S}$ an ARX scheme with q modular additions. Rotational cryptanalysis is based on the following facts:

• The rotational property is preserved through the XOR of rotational pairs and after a rotation by a constant value ${\mathsf{r}}^{\prime }$:

  $$(x\oplus y)⋘\mathsf{r}=(x⋘\mathsf{r})\oplus (y⋘\mathsf{r}),(x⋘\mathsf{r})⋙{\mathsf{r}}^{\prime }=(x⋙{\mathsf{r}}^{\prime })⋘\mathsf{r};$$
• The rotational property is preserved through a modular addition of two $\mathsf{w}$–bit words with a probability given by

  $$D_{\mathsf{r}}:=Pr\left[(x⊞y)⋘\mathsf{r}=(x⋘\mathsf{r})⊞(y⋘\mathsf{r})\right]=\frac{1}{4}(1+2^{\mathsf{r}-\mathsf{w}}+2^{-\mathsf{r}}+2^{-\mathsf{w}}),$$

  and computed in Corollary 4.12 of [10], this probability is a decreasing function of $\mathsf{r}$, thus it is maximized when $\mathsf{r}=1$;
• In the case of chained modular additions of more than two $\mathsf{w}$–bit strings, $D_{\mathsf{r}}$ must be evaluated using Lemma 2 in [14];
• $\mathcal{S}(x⋘\mathsf{r})=\mathcal{S}\left(x\right)⋘\mathsf{r}$ with probability ${\left(D_{\mathsf{r}}\right)}^q$
• Given a random function $\mathcal{P}:{𝔽}_2^{\mathsf{w}}\to {𝔽}_2^{\mathsf{w}}$, $\mathcal{P}(x⋘\mathsf{r})=\mathcal{P}\left(x\right)⋘\mathsf{r}$ with probability $2^{-\mathsf{w}}$

Thus, we can detect non-randomness in the ARX scheme $\mathcal{S}$ if ${\left(D_{\mathsf{r}}\right)}^q>2^{-\mathsf{w}}$. For example, when $\mathsf{r}=1$, an ARX scheme implemented with q not chained additions is vulnerable to rotational cryptanalysis if $q<\mathsf{w}/1.415$.

Rotational-XOR cryptanalysis is also a distinguishing attack, firstly introduced in [17] where it was applied to SPECK. This attack studies the propagation of a rotational-XOR pair (RX–pair), i.e., a couple $(x,(x⋘r)\oplus \alpha )$ having RX–difference $\alpha$. Clearly RX cryptanalysis is a generalization of rotational cryptanalysis, since they coincide when $\alpha =0$. Moreover for RX–pairs $(x,(x⋘r)\oplus \alpha )$ and $(y,(y⋘r)\oplus \beta )$ we have

• $\left(\right(x\oplus y)⋘r)\oplus (\alpha \oplus \beta )=\left(\right(x⋘r)\oplus \alpha )\oplus \left(\right(y⋘r)\oplus \beta )$;
• $((x⋘\mathsf{r})\oplus \alpha )⋙{\mathsf{r}}^{\prime }=((x⋙{\mathsf{r}}^{\prime })⋘r)\oplus (\alpha ⋙{\mathsf{r}}^{\prime })$ for a fixed rotational amount ${\mathsf{r}}^{\prime }$.

The propagation of RX–differences through modular addition when $\mathsf{r}=1$ can be computed using the following theorem proved in [17], whose statement has been adapted to our notation

Theorem 1

(Ashur-Liu [17]). Let $x,y\in {\mathbb{F}}_2^{\mathsf{w}}$ be independent random variables. Let the following $a_1,b_1,a_2,b_2,{\Delta }_1,{\Delta }_2$ be constants in ${\mathbb{F}}_2^{\mathsf{w}}$. Then the probability

$$Pr\left[(((x\oplus a_1)⊞(y\oplus b_1))\oplus {\Delta }_1)⋘\mathsf{r}=(((x⋘\mathsf{r})\oplus a_2)⊞((y⋘\mathsf{r})\oplus b_2))\oplus {\Delta }_2\right]$$

(3)

when $\mathsf{r}=1$ and $\mathsf{w}$ is sufficiently large is equal to

$${𝟙}_{\{(a\oplus \underline{1})\preccurlyeq b\}}{2}^{-\left|\right|b\left|\right|}·p_1+{𝟙}_{\{a\preccurlyeq b\}}·2^{-\left|\right|b\left|\right|}·p_2,$$

where

$$a=(I\oplus SHL)({\delta }_1\oplus {\delta }_2\oplus {\delta }_3),b=SHL\left(({\delta }_1\oplus {\delta }_3)\right|({\delta }_2\oplus {\delta }_3)),$$

(4)

$${\delta }_1=R_1\left(a_1\right)\oplus L_{\mathsf{w}-1}\left(a_2\right),{\delta }_2=R_1\left(b_1\right)\oplus L_{\mathsf{w}-1}\left(b_2\right),{\delta }_3=R_1\left({\Delta }_1\right)\oplus L_{\mathsf{w}-1}\left({\Delta }_2\right),$$

(5)

and $p_1=2^{-3}$, $p_2=3·2^{-3}\simeq 2^{-1.415}$.

3. Searching for Rotational/RX Pairs in ChaCha20

The aim of this section is to consider the ChaCha20 stream cipher, in which the first row in its initial state has constant entries, giving general conditions on the propagation of rotational/RX–pairs that we simply call rotational propagation. Moreover, by a suitable choice of inputs and parameters, we find a special case in which the rotational propagation can have a non-negligible probability depending on a certain family of these constants.

3.1. Conditions for the Rotational Propagation

Recalling that the first row of the ChaCha20 $4\times 4$ matrix has constant entries, the following proposition holds

Proposition 1.

Let us consider the ChaCha20 quarter round $\mathcal{Q}$, $c_0$ a constant $\mathsf{w}$–bit string and the rotational amount $\mathsf{r}$ with $1\le \mathsf{r}\le \mathsf{w}-1$. If we have

$$\mathcal{Q}(c_0,x_1,x_2,x_3)=(y_0,y_1,y_2,y_3)$$

and we consider the $\mathsf{w}$–bit strings $a,b,c,d$ and the entries $f_i=f_i(\mathsf{r},c_0,x_1,x_2,x_3)$, $i=1,2,3,$ then

$$\begin{array}{cc}((y_0⋘\mathsf{r})\oplus a,(y_1⋘\mathsf{r})\oplus b,(y_2⋘\mathsf{r})\oplus c,(y_3⋘\mathsf{r})\oplus d)& =\mathcal{Q}(c_0,f_1,f_2,f_3)\hfill \\ & \iff \hfill \\ (\left(c_0⊞x_1\right)⋘\mathsf{r})\oplus (x_3⋘\mathsf{r})\oplus (a⋙r_1)\oplus (d⋙(r_1+r_3))& =(c_0⊞f_1)\oplus f_3\hfill \\ (\left(b_3⊞x_2\right)⋘\mathsf{r})\oplus (x_1⋘\mathsf{r})\oplus (c⋙r_2)\oplus (b⋙(r_2+r_4))& =\left((\left(b_3⋘\mathsf{r}\right)\oplus a\oplus (d⋙r_3))⊞f_2\right)\oplus f_1\hfill \\ (c_0⊞f_1)⊞\left((b_1⋘\mathsf{r})\oplus c\oplus (b⋙r_4)\right)& =(\left(c_0⊞x_1⊞b_1\right)⋘\mathsf{r})\oplus a\hfill \\ (\left(y_3⋘\mathsf{r}\right)\oplus d)⊞((b_3⋘\mathsf{r})\oplus a\oplus (d⋙r_3))⊞f_2& =(\left(y_3⊞b_3⊞x_2\right)⋘\mathsf{r})\oplus c.\hfill \end{array}$$

We call input relations the functions $f_i=f_i(\mathsf{r},c_0,x_1,x_2,x_3)$, $i=1,2,3$.

Proof. 

If we use the input $(c_0,f_1,f_2,f_3)$ instead of the input $(c_0,x_1,x_2,x_3)$, we find

$$\begin{array}{lll}\widetilde{b_0}=c_0⊞f_1& \left(6\right)& \widetilde{y_0}=\widetilde{b_0}⊞\widetilde{b_1}\end{array}$$

$$\begin{array}{ccc}\widetilde{b_3}=\left(\widetilde{b_0}\oplus f_3\right)⋘r_1& \left(7\right)& \widetilde{y_3}=\left(\widetilde{y_0}\oplus \widetilde{b_3}\right)⋘r_3\end{array}$$

$$\begin{array}{ccc}\widetilde{b_2}=\widetilde{b_3}⊞f_2& \left(8\right)& \widetilde{y_2}=\widetilde{y_3}⊞\widetilde{b_2}\end{array}$$

$$\begin{array}{ccc}\widetilde{b_1}=\left(\widetilde{b_2}\oplus f_1\right)⋘r_2& \left(9\right)& \widetilde{y_1}=\left(\widetilde{y_2}\oplus \widetilde{b_1}\right)⋘r_4.\end{array}$$

We have to satisfy the following conditions

$$\begin{array}{cc}\widetilde{y_0}=(y_0⋘\mathsf{r})\oplus a& ⟺\widetilde{b_0}⊞\widetilde{b_1}=(\left(b_0⊞b_1\right)⋘\mathsf{r})\oplus a\hfill \end{array}$$

(10)

$$\begin{array}{cc}\widetilde{y_3}=(y_3⋘\mathsf{r})\oplus d& ⟺\left(\widetilde{y_0}\oplus \widetilde{b_3}\right)⋘r_3=(\left(\left(y_0\oplus b_3\right)⋘r_3\right)⋘\mathsf{r})\oplus d\hfill \end{array}$$

(11)

$$\begin{array}{cc}\widetilde{y_2}=(y_2⋘\mathsf{r})\oplus c& ⟺\widetilde{y_3}⊞\widetilde{b_2}=(\left(y_3⊞b_2\right)⋘\mathsf{r})\oplus c\hfill \end{array}$$

(12)

$$\begin{array}{cc}\widetilde{y_1}=(y_1⋘\mathsf{r})\oplus b& ⟺\left(\widetilde{y_2}\oplus \widetilde{b_1}\right)⋘r_4=(\left(\left(y_2\oplus b_1\right)⋘r_4\right)⋘\mathsf{r})\oplus b\hfill \end{array}$$

(13)

where (11) and (13) easily give

$$\widetilde{b_3}=(b_3⋘\mathsf{r})\oplus a\oplus (d⋙r_3)$$

(14)

from conditions $\widetilde{y_0}=(y_0⋘\mathsf{r})\oplus a$ and

$$\widetilde{b_1}=(b_1⋘\mathsf{r})\oplus c\oplus (b⋙r_4),$$

(15)

since we have the condition $\widetilde{y_2}=(y_2⋘\mathsf{r})\oplus c$. Now from (14) and (7) we find

$$\widetilde{b_0}\oplus f_3=(b_0⋘\mathsf{r})\oplus (x_3⋘\mathsf{r})\oplus (a⋙r_1)\oplus (d⋙(r_1+r_3))$$

(16)

and from (15) and (9) we have

$$\widetilde{b_2}\oplus f_1=\left(b_2⋘\mathsf{r}\right)\oplus \left(x_1⋘\mathsf{r}\right)\oplus (c⋙r_2)\oplus (b⋙(r_2+r_4))$$

(17)

Thus, the four conditions we need to satisfy are (16), (17), (10) and (12). If in (16) we substitute (6) and we take in account (1) in Definition 1, we find the first condition of our thesis

$$(\left(c_0⊞x_1\right)⋘\mathsf{r})\oplus (x_3⋘\mathsf{r})\oplus (a⋙r_1)\oplus (d⋙(r_1+r_3))=(c_0⊞f_1)\oplus f_3.$$

If we substitute (8), (14) and (2) in (17) we find the second condition of our thesis

$$\begin{array}{c}(\left(b_3⊞x_2\right)⋘\mathsf{r})\oplus (x_1⋘\mathsf{r})\oplus (c⋙r_2)\oplus (b⋙(r_2+r_4))=\\ =(\left(\left(b_3⋘\mathsf{r}\right)\oplus a\oplus (d⋙r_3))⊞f_2\right)\oplus f_1.\end{array}$$

Moreover, if we substitute (6), (15) and (1) in (10), we obtain the third condition of our thesis

$$(c_0⊞f_1)⊞\left((b_1⋘\mathsf{r})\oplus c\oplus (b⋙r_4)\right)=(\left(c_0⊞x_1⊞b_1\right)⋘\mathsf{r})\oplus a.$$

Finally if we substitute (11), (8), (14) and (2) in (12) we have the last condition of our thesis

$$(\left(y_3⋘\mathsf{r}\right)\oplus d)⊞((b_3⋘\mathsf{r})\oplus a\oplus (d⋙r_3))⊞f_2=(\left(y_3⊞b_3⊞x_2\right)⋘\mathsf{r})\oplus c.$$

 □

3.2. On the Choices of the Input Relations and of a, b, c, d

One can consider many different choices for the values of $f_i$ and $a,b,c,d$ in order to satisfy the conditions of Proposition 1. Our intention is to set these values in order to obtain simplified conditions which can be satisfied with a non-negligible probability depending on the values given to $c_0$. Considering Equations (14) and (15), a first simplification we apply is to choose a, b, c and d such that

$$a\oplus (d⋙r_3)=0,c\oplus (b⋙r_4)=0.$$

(18)

With this setting the conditions of Proposition 1 become

$$\begin{array}{rr}(c_0⊞f_1)\oplus f_3& =(\left(c_0⊞x_1\right)⋘\mathsf{r})\oplus (x_3⋘\mathsf{r})\end{array}$$

(19)

$$\begin{array}{rr}\left(\left(b_3⋘\mathsf{r}\right)⊞f_2\right)\oplus f_1& =(\left(b_3⊞x_2\right)⋘\mathsf{r})\oplus (x_1⋘\mathsf{r})\end{array}$$

(20)

$$\begin{array}{rr}(c_0⊞f_1)⊞(b_1⋘\mathsf{r})& =(\left(c_0⊞x_1⊞b_1\right)⋘\mathsf{r})\oplus a\end{array}$$

(21)

$$\begin{array}{rr}((y_3⋘\mathsf{r})\oplus d)⊞(b_3⋘\mathsf{r})⊞f_2& =(\left(y_3⊞b_3⊞x_2\right)⋘\mathsf{r})\oplus c,\end{array}$$

(22)

and we have (21) and (22) satisfied when

$$\begin{array}{cc}a& =[(c_0⊞f_1)⊞(b_1⋘\mathsf{r})]\oplus [\left(c_0⊞x_1⊞b_1\right)⋘\mathsf{r}]\hfill \\ c& =[((y_3⋘\mathsf{r})\oplus d)⊞(b_3⋘\mathsf{r})⊞f_2]\oplus [\left(y_3⊞b_3⊞x_2\right)⋘\mathsf{r}].\hfill \end{array}$$

(23)

Regarding the input relations, we consider expressions of the kind $f_i=f_i(x_i,c_0,\mathsf{r})$, which seem reasonable choices once we look to the remaining conditions (19) and (20). Indeed we may select $f_3$ and $f_2$ as

$$f_3=x_3⋘\mathsf{r},f_2=x_2⋘\mathsf{r},$$

(24)

in order to simplify (19) and to give an expression for (20) very similar to the condition of rotational propagation through modular addition, obtaining

$$\begin{array}{cc}(c_0⊞f_1)& =\left(c_0⊞x_1\right)⋘\mathsf{r}\hfill \end{array}$$

(25)

$$\begin{array}{cc}\left(\left(b_3⋘\mathsf{r}\right)⊞(x_2⋘\mathsf{r})\right)\oplus f_1& =(\left(b_3⊞x_2\right)⋘\mathsf{r})\oplus (x_1⋘\mathsf{r}).\hfill \end{array}$$

(26)

Now we have to think about $f_1$ and, consequently, about how to manage conditions (25) and (26). Clearly a possibility is to choose $f_1=x_1⋘\mathsf{r}$ in order to reduce (26) exactly to the condition for the rotational propagation through modular addition

$$\left(b_3⋘\mathsf{r}\right)⊞(x_2⋘\mathsf{r})=\left(b_3⊞x_2\right)⋘\mathsf{r}.$$

(27)

In this case (25) becomes

$$\left(c_0⊞x_1\right)⋘\mathsf{r}=c_0⊞(x_1⋘\mathsf{r}),$$

(28)

which holds for some $x_1$ only under particular conditions on $c_0$. These conditions turn out to be too restrictive for our purposes. At the end of this subsection, we will prove them in Proposition 2, explaining why they give rise to a small number of possible choices for $c_0$ in order to obtain nonzero probability for (25). This part can be skipped over by the reader without problems. Therefore we may choose $f_1$ as something different from $x_1⋘\mathsf{r}$ and consequently we may consider (26) as a condition of the form

$$\left(b_3⋘\mathsf{r}\right)⊞(x_2⋘\mathsf{r})=(\left(b_3⊞x_2\right)\oplus \sigma (x_1,c_0,\mathsf{r}))⋘\mathsf{r}$$

(29)

where $\sigma$ in general is not a constant, since it depends on $x_1$. But we may combine the law of total probability with the Ashur-Liu Theorem 1 in [17] in order to find a probability estimate for (29) in the case $\mathsf{r}=1$. So a good choice is to consider the case $\mathsf{r}=1$ and use (25) in order to define $f_1$ as we will do in the next subsection.

Proposition 2.

If we consider

$$\begin{array}{cc}\hfill c_0& =l_{\mathsf{r}}\left(c_0\right)2^{\mathsf{w}-\mathsf{r}}+r_{\mathsf{r}}\left(c_0\right),\hfill \\ \hfill c_0⋙\mathsf{r}& =l_{\mathsf{r}}(c_0⋙\mathsf{r})2^{\mathsf{w}-\mathsf{r}}+r_{\mathsf{r}}(c_0⋙\mathsf{r}),\hfill \\ \hfill x_1& =l_{\mathsf{r}}\left(x_1\right)2^{\mathsf{w}-\mathsf{r}}+r_{\mathsf{r}}\left(x_1\right),\hfill \end{array}$$

(30)

and

$${\gamma }_L={𝟙}_{\{l_{\mathsf{r}}(c_0⋙\mathsf{r})+l_{\mathsf{r}}\left(x_1\right)\ge 2^{\mathsf{r}}\}},{\gamma }_R={𝟙}_{\{r_{\mathsf{r}}\left(c_0\right)+r_{\mathsf{r}}\left(x_1\right)\ge 2^{\mathsf{w}-\mathsf{r}}\}}$$

then condition (28) holds if and only if we have

$$r_{\mathsf{r}}\left(c_0\right)={⌊r_{\mathsf{r}}(c_0⋙\mathsf{r})+{\gamma }_L⌋}_{\mathsf{w}-\mathsf{r}},l_{\mathsf{r}}(c_0⋙\mathsf{r})={⌊l_{\mathsf{r}}\left(c_0\right)+{\gamma }_R⌋}_{\mathsf{r}}$$

(31)

or, in other words, if and only if

$$c_0\boxminus (c_0⋙\mathsf{r})={⌊(-{\gamma }_R)2^{\mathsf{w}-\mathsf{r}}+{\gamma }_L⌋}_{\mathsf{w}}.$$

Proof. 

The proof is quite straightforward, since from (30) we have

$$c_0=(c_0⋙\mathsf{r})⋘\mathsf{r}=r_{\mathsf{r}}(c_0⋙\mathsf{r})2^{\mathsf{r}}+l_{\mathsf{r}}(c_0⋙\mathsf{r}),x_1⋘\mathsf{r}=r_{\mathsf{r}}\left(x_1\right)2^{\mathsf{r}}+l_{\mathsf{r}}\left(x_1\right)$$

thus

$$c_0⊞(x_1⋘\mathsf{r})={⌊r_{\mathsf{r}}(c_0⋙\mathsf{r})+r_{\mathsf{r}}\left(x_1\right)+{\gamma }_L⌋}_{\mathsf{w}-\mathsf{r}}{2}^{\mathsf{r}}+{⌊l_{\mathsf{r}}(c_0⋙\mathsf{r})+l_{\mathsf{r}}\left(x_1\right)⌋}_{\mathsf{r}}$$

(32)

and, since

$$c_0⊞x_1={⌊l_{\mathsf{r}}\left(c_0\right)+l_{\mathsf{r}}\left(x_1\right)+{\gamma }_R⌋}_{\mathsf{r}}{2}^{\mathsf{w}-\mathsf{r}}+{⌊r_{\mathsf{r}}\left(x_1\right)+r_{\mathsf{r}}\left(c_0\right)⌋}_{\mathsf{w}-\mathsf{r}},$$

we obtain

$$(c_0⊞x_1)⋘\mathsf{r}={⌊r_{\mathsf{r}}\left(x_1\right)+r_{\mathsf{r}}\left(c_0\right)⌋}_{\mathsf{w}-\mathsf{r}}{2}^r+{⌊l_{\mathsf{r}}\left(c_0\right)+l_{\mathsf{r}}\left(x_1\right)+{\gamma }_R⌋}_{\mathsf{r}}.$$

(33)

Therefore comparing (32) and (33) we find (31). □

Following this choice, with arguments similar to the ones used by Daum in [10], we may evaluate some probability different from zero for condition (28) only when one of the following conditions is satisfied

• $c_0\boxminus (c_0⋙\mathsf{r})=2^{\mathsf{w}}-2^{\mathsf{w}-\mathsf{r}}+1$, i.e., ${\gamma }_L={\gamma }_R=1,$ which is equivalent to the equation

  $$(l_{\mathsf{r}}(c_0⋙\mathsf{r})-1)(2^{\mathsf{w}-\mathsf{r}}-1)=r_{\mathsf{r}}(c_0⋙\mathsf{r})(2^{\mathsf{r}}-1)$$

  and it gives $2^{gcd(\mathsf{w},\mathsf{r})}-1$ possible values for $c_0$;
• $c_0\boxminus (c_0⋙\mathsf{r})=1$, i.e., ${\gamma }_L=1$, ${\gamma }_R=0$, which is equivalent to the equation

  $$r_{\mathsf{r}}(c_0⋙\mathsf{r})(2^{\mathsf{r}}-1)-l_{\mathsf{r}}(c_0⋙\mathsf{r})(2^{\mathsf{w}-\mathsf{r}}-1)=1$$

  and it gives one value for $c_0$ only when $gcd(\mathsf{w},\mathsf{r})=1$ and otherwise it is impossible;
• $c_0\boxminus (c_0⋙\mathsf{r})=0$, i.e., ${\gamma }_L={\gamma }_R=0$, which is equivalent to the equation

  $$l_{\mathsf{r}}(c_0⋙\mathsf{r})(2^{\mathsf{w}-\mathsf{r}}-1)=r_{\mathsf{r}}(c_0⋙\mathsf{r})(2^{\mathsf{r}}-1)$$

  and it gives $2^{gcd(\mathsf{w},\mathsf{r})}$ possible values for $c_0$;
• $c_0\boxminus (c_0⋙\mathsf{r})=2^{\mathsf{w}}-2^{\mathsf{w}-\mathsf{r}}$, i.e., ${\gamma }_L=0$, ${\gamma }_R=1$, which is equivalent to the equation

  $$(l_{\mathsf{r}}(c_0⋙\mathsf{r})-1)(2^{\mathsf{w}-\mathsf{r}}-1)-r_{\mathsf{r}}\left(c_0\right)(2^{\mathsf{r}}-1)=1$$

  and it gives one value for $c_0$ only when $gcd(\mathsf{w},\mathsf{r})=1$ and otherwise it is impossible.

The strong dependence from $gcd(\mathsf{w},\mathsf{r})$ of the possible values of $c_0$ for which (25) holds for some $x_1$ seems too limiting for our purposes. For example, when $gcd(\mathsf{w},\mathsf{r})=1$ we have only two suitable values for $c_0$ from the third case and only a single value from the remaining ones.

3.3. Probability of Rotational Propagation for 1 Bit Rotations

From what we have previously pointed out, we will consider from now on $\mathsf{r}=1$ with the choices (24), (35) and (29), where

$$\sigma (x_1,c_0,1)=(f_1⋙1)\oplus x_1.$$

(34)

and we use condition (25) in order to define $f_1$

$$c_0⊞f_1=(c_0⊞x_1)⋘1\Rightarrow f_1(x_1,c_0,1)=((c_0⊞x_1)⋘1)\boxminus c_0$$

(35)

This definition of $f_1$ seems reasonable since we can simultaneously have (25) automatically satisfied and a better range of possible values for $\sigma (x_1,c_0,1)$ that may give a non-negligible probability for condition (26).

We will follow this path: first we will prove the following Corollary 1 of Theorem 1, then we will use it together with the law of total probability in order to find a formula for the probability of (29) depending on $c_0$ and in particular on the cardinalities of some sets related to $c_0$. Finally, we will evaluate these cardinalities in Lemma 1 and we will give in Theorem 2 the value of this probability making explicit its dependence on $c_0$.

Corollary 1.

Let $x,y\in {\mathbb{F}}_2^{\mathsf{w}}$ be independent random variables, $\mathsf{r}=1$ and

$$\sigma =L_1\left(\sigma \right)\left|\right|R_1\left(\sigma \right)=\sigma [\mathsf{w}-1]\left|\right|\left(\sigma [w-2],\sigma [\mathsf{w}-3],\dots ,\sigma \left[1\right],\sigma \left[0\right]\right)$$

a constant word in ${\mathbb{F}}_2^{\mathsf{w}}$. If j, $0\le j\le \mathsf{w}-1$, is the index of the first bit equal to 0 in $R_1\left(\sigma \right)$ starting from the right to the left, with the convention that $j=\mathsf{w}-1$ only when $R_1\left(\sigma \right)$ has all the entries equal to 1, then

$$Pr\left[\left(\right(x⊞y)\oplus \sigma )⋘1=(x⋘1)⊞(y⋘1)\right]=P\left(\sigma \right),$$

(36)

where

$$P\left(\sigma \right)=\left\{\begin{array}{cc}{p}_2\hfill & \mathit{if}j=0\mathit{and}\sigma \left[i\right]=0\mathit{for}\mathit{all}i=0,\dots \mathsf{w}-2\hfill \\ 2^{-j}{p}_1\hfill & \mathit{if}j=\mathsf{w}-1\mathit{or},\mathit{if}j\ge 1,\sigma \left[i\right]=0\mathit{for}\mathit{all}i=j+1,\dots ,\mathsf{w}-2\hfill \\ 0\hfill & \mathit{otherwise}.\hfill \end{array}\right.$$

(37)

Proof. 

We observe that (36) is a special case of (3) when $a_1=a_2=b_1=b_2={\Delta }_2=0$, $\sigma ={\Delta }_1$. Thus from (5) we find ${\delta }_1={\delta }_2=0$ and ${\delta }_3=R_1\left(\sigma \right)$. Therefore

$${\delta }_1\oplus {\delta }_2\oplus {\delta }_3=R_1\left(\sigma \right)({\delta }_1\oplus {\delta }_3)|({\delta }_2\oplus {\delta }_3)=\left({\delta }_3\right|{\delta }_3)={\delta }_3=R_1\left(\sigma \right)$$

$$b=SHL\left(R_1\left(\sigma \right)\right)=\left(\sigma [\mathsf{w}-3],\sigma [\mathsf{w}-4],\dots ,\sigma \left[1\right],\sigma \left[0\right],0\right)$$

(38)

and

$$\begin{array}{cc}a& =(I\oplus SHL)({\delta }_1\oplus {\delta }_2\oplus {\delta }_3)=(I\oplus SHL)\left(R_1\left(\sigma \right)\right)=R_1\left(\sigma \right)\oplus SHL\left(R_1\left(\sigma \right)\right)=\hfill \\ & =\left(\sigma \right[\mathsf{w}-2]\oplus \sigma [\mathsf{w}-3],\dots ,\sigma [h+1]\oplus \sigma [h],\dots ,\sigma [1]\oplus \sigma [0],\sigma [0\left]\right)\hfill \end{array}$$

(39)

$$a\oplus \underline{1}=(\sigma [\mathsf{w}-2]\oplus \sigma [\mathsf{w}-3],\dots ,\sigma [h+1]\oplus \sigma \left[h\right],\dots ,\sigma \left[1\right]\oplus \sigma \left[0\right],\sigma \left[0\right]\oplus 1).$$

(40)

We obtain ${𝟙}_{\{(a\oplus \underline{1})\preccurlyeq b\}}=1$ if and only if we have

$$\sigma \left[0\right]\oplus 1\le 0\Rightarrow \sigma \left[0\right]=1$$

and, for all $0\le h\le \mathsf{w}-3$,

$$\sigma [h+1]\oplus \sigma \left[h\right]\le \sigma \left[h\right].$$

(41)

Clearly, condition (41) holds when all the bits $\sigma \left[h\right]$ are equal to 1 for any $\sigma [h+1]\in {𝔽}_2$, while, if $\sigma \left[j\right]$, $j\ge 1$, is the first bit equal to 0 in $R_1\left(\sigma \right)$ starting from the right to the left, condition (41) holds for $h\ge j$ if and only if $\sigma [h+1]=0$. Thus in order to have ${𝟙}_{\{(a\oplus \underline{1})\preccurlyeq b\}}=1$, we need $R_1\left(\sigma \right)$ such that $\left|\right|R_1\left(\sigma \right)\left|\right|=j\le \mathsf{w}-2$, where all the first j bits from $\sigma \left[0\right]$ to $\sigma [j-1]$ are equal to 1 and the remaining ones from $\sigma \left[j\right]$ to $\sigma [\mathsf{w}-2]$ are equal to 0, or $\left|\right|R_1\left(\sigma \right)\left|\right|=\mathsf{w}-1$, i.e., all the bits of $R_1\left(\sigma \right)$ are equal to 1. In these cases we find from Theorem 1 that $P\left(\sigma \right)=2^{-j}{p}_1.$ On the other hand ${𝟙}_{\{a\preccurlyeq b\}}$ is equal to 1 if and only if we have

$$\sigma \left[0\right]\le 0\Rightarrow \sigma \left[0\right]=0$$

and for all $0\le h\le \mathsf{w}-3$ condition (41) holds. Since $\sigma \left[h\right]=0$ in (41) implies $\sigma [h+1]=0$ and we have $\sigma \left[0\right]=0$, an easy inductive argument shows that all the bits of $R_1\left(\sigma \right)$ must be equal to 0 in order to have ${𝟙}_{\{a\preccurlyeq b\}}=1$. Thus $\left|\right|R_1\left(\sigma \right)\left|\right|=0$ and we find from Theorem 1$P\left(\sigma \right)=p_2.$ We finally observe that the two characteristic functions ${𝟙}_{\{(a\oplus \underline{1})\preccurlyeq b\}}$ and ${𝟙}_{\{a\preccurlyeq b\}}$ can not be contemporarily equal to 1, and they are contemporarily equal to 0, with $P\left(\sigma \right)=0$, for any other value of $R_1\left(\sigma \right)$ different from the ones we have pointed out. □

Thanks to the law of total probability, since for a fixed v we may assume $\sigma (v,c_0,1)$ as a constant while $b_3$ and $x_2$ are independent variables, we find

$$\begin{array}{cc}& Pr\left[(\left(b_3⊞x_2\right)\oplus \sigma (x_1,c_0,1))⋘1=\left(b_3⋘1\right)⊞(x_2⋘1)\right]=\hfill \\ & =\sum _{v\in {\mathbb{F}}_2^{\mathsf{w}}}Pr\left[x_1=v\right]·Pr\left[(\left(b_3⊞x_2\right)\oplus \sigma (x_1,c_0,1))⋘1=\left(b_3⋘1\right)⊞(x_2⋘1)|x_1=v\right]=\hfill \\ & =\frac{1}{2^{\mathsf{w}}}\sum _{v\in {\mathbb{F}}_2^{\mathsf{w}}}Pr\left[(\left(b_3⊞x_2\right)\oplus \sigma (v,c_0,1))⋘1=\left(b_3⋘1\right)⊞(x_2⋘1)\right]=\hfill \\ & =\frac{1}{2^{\mathsf{w}}}\sum _{v\in {\mathbb{F}}_2^{\mathsf{w}}}P\left(\sigma (v,c_0,1)\right)=P\left(c_0\right),\hfill \end{array}$$

where we used the fact that $x_1$ is uniformly distributed, so $Pr\left[x_1=v\right]=\frac{1}{2^{\mathsf{w}}}$. In order to explicitly evaluate $P\left(c_0\right)$ applying the results of Corollary 1, we now define sets of $\mathsf{w}$–bit words having a special form and, in the next Lemma 1, we will find their cardinalities, depending on $c_0$.

Definition 3.

Let us consider the vectors $u(\delta ,h)\in {\mathbb{F}}_2^{\mathsf{w}}$ such that

$$u(\delta ,h)=\underset{\mathsf{w}-1-h-\mathit{zeros}}{(\delta ,\underbrace{0,0,0,\dots ,0}}\underset{h-\mathit{ones}}{,\underbrace{1,1,1,\dots ,1})}\mathit{where}h=0,1,\cdots \mathsf{w}-1,\delta \in {𝔽}_2$$

(42)

We define the sets $I_h$ as

$$I_h=\{v\in {\mathbb{F}}_2^{\mathsf{w}}:\sigma (v,c_0,1)=u(\delta ,h),\delta {\in }_2\}.$$

(43)

Therefore, from Corollary 1 we have the following explicit expression for $P\left(c_0\right)$

$$\begin{array}{cc}P\left(c_0\right)& =\frac{1}{2^{\mathsf{w}}}\sum _{v\in {\mathbb{F}}_2^{\mathsf{w}}}P\left(\sigma (v,c_0,1)\right)=\frac{1}{2^{\mathsf{w}}}\left(|I_0|p_2+p_1\sum _{h=1}^{\mathsf{w}-1}\left|I_h\right|·2^{-h}\right)=\hfill \\ & =\frac{1}{2^{\mathsf{w}+3}}\left(3|I_0|+\sum _{h=1}^{\mathsf{w}-1}\left|I_h\right|·2^{-h}\right),\hfill \end{array}$$

(44)

where, for $h=0,\dots ,\mathsf{w}-1$, we evaluate the cardinalities $|I_h|$ in the following lemma.

Lemma 1.

Let us consider σ and $f_1$ respectively defined as in (34) and (35). Then we have

$$|I_0|=\left\{\begin{array}{cc}{2}^{\mathsf{w}-1}\hfill & \mathit{if}{\mathrm{c}}_0=\underset{\mathsf{w}-1-\mathit{zeros}}{(\underbrace{0,0,0,\dots ,0}},1) \mathit{or} {\mathrm{c}}_0=(\underset{\mathsf{w}-\mathit{ones}}{\underbrace{1,1,1,1,\dots ,1})}\hfill \\ 2^{\mathsf{w}}\hfill & \mathit{if}{c}_0=(\underset{\mathsf{w}-\mathit{zeros}}{\underbrace{0,0,0,0,\dots ,0})}\hfill \\ 0\hfill & \mathit{otherwise}\hfill \end{array}\right.$$

(45)

and

$$|I_h|=\left\{\begin{array}{cc}2\hfill & \mathit{if}h=\mathsf{w}-1,\mathsf{w}-2\mathit{and}{c}_0\left[0\right]=1\hfill \\ 2^{\mathsf{w}-1-h}\hfill & \mathit{if}1\le h\le \mathsf{w}-3,c_0\left[0\right]=1\hfill \\ & \mathit{and}{c}_0\left[i\right]=j{\in }_2\mathit{for}\mathit{all}i=h+1,\dots ,\mathsf{w}-1\hfill \\ 4\hfill & \mathit{if}h=\mathsf{w}-1,\mathsf{w}-2\mathit{and}{c}_0\left[0\right]=0,c_0\left[1\right]=1\hfill \\ 2^{\mathsf{w}-h}\hfill & \mathit{if}1\le h\le \mathsf{w}-3,c_0\left[0\right]=0,c_0\left[1\right]=1\hfill \\ & \mathit{and}{c}_0\left[i\right]=j\in {𝔽}_2\mathit{for}\mathit{all}i=h+1,\dots ,\mathsf{w}-1\hfill \\ 0\hfill & \mathit{otherwise}.\hfill \end{array}\right.$$

Proof. 

First of all, we recall that $v\in I_h$ if and only if

$$\sigma (v,c_0,1)=(f_1(v,c_0,1)⋙1)\oplus v=u(\delta ,h)$$

or, equivalently, if and only if

$$f_1(v,c_0,1)=(u(\delta ,h)\oplus v)⋘1$$

and if we use (35) we finally have the condition

$$v\in I_h⟺(c_0⊞v)⋘1=((u(\delta ,h)\oplus v)⋘1)⊞c_0.$$

(46)

If we consider

$$\begin{array}{cc}{c}_0& =l_1\left(c_0\right)2^{\mathsf{w}-1}+r_1\left(c_0\right)=c_0[\mathsf{w}-1]2^{\mathsf{w}-1}+\sum _{i=0}^{\mathsf{w}-2}{c}_0\left[i\right]2^i,\hfill \\ v& =l_1\left(v\right)2^{\mathsf{w}-1}+r_1\left(v\right)=v[\mathsf{w}-1]2^{\mathsf{w}-1}+\sum _{i=0}^{\mathsf{w}-2}v\left[i\right]2^i,\hfill \end{array}$$

(47)

we find

$$(c_0⊞v)⋘1={⌊r_1\left(c_0\right)+r_1\left(v\right)⌋}_{\mathsf{w}-1}·2+{⌊c_0[\mathsf{w}-1]+v[\mathsf{w}-1]+{\gamma }_R⌋}_1,$$

(48)

where ${\gamma }_R={𝟙}_{\{r_1\left(c_0\right)+r_1\left(v\right)\ge 2^{\mathsf{w}-1}\}}$. On the other hand, we have

$$(u(\delta ,h)\oplus v)⋘1=\left(v[\mathsf{w}-2]\oplus u[\mathsf{w}-2],v[\mathsf{w}-3]\oplus u[\mathsf{w}-3],\dots ,v\left[0\right]\oplus u\left[0\right],v[\mathsf{w}-1]\oplus \delta \right)$$

and, since

$$c_0=2\left(c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+\frac{1}{2}\sum _{i=1}^{\mathsf{w}-2}{c}_0\left[i\right]2^i\right)+c_0\left[0\right]=2\left(c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+\frac{r_1\left(c_0\right)-c_0\left[0\right]}{2}\right)+c_0\left[0\right],$$

$$u(\delta ,h)\oplus v=l_1\left((u(\delta ,h)\oplus v)\right)2^{\mathsf{w}-1}+r_1((u(\delta ,h)\oplus v),$$

where $l_1((u(\delta ,h)\oplus v)=v[w-1]\oplus \delta$, and by Definition 3

$$\begin{array}{cc}\overline{v}=r_1((u(\delta ,h)\oplus v)& =\sum _{i=0}^{\mathsf{w}-2}(v\left[i\right]\oplus u\left[i\right])2^i=\hfill \\ & =\sum _{i=h}^{\mathsf{w}-2}(v\left[i\right]\oplus u\left[i\right])2^i+\sum _{i=0}^{h-1}(v\left[i\right]\oplus u\left[i\right])2^i=\hfill \\ & =\sum _{i=h}^{\mathsf{w}-2}v\left[i\right]2^i+\sum _{i=0}^{h-1}(v\left[i\right]\oplus 1)2^i,\hfill \end{array}$$

(49)

we obtain

$$\begin{array}{cc}& ((u(\delta ,h)\oplus v)⋘1)⊞c_0=\hfill \\ & ={⌊c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+{\displaystyle \frac{r_1\left(c_0\right)-c_0\left[0\right]}{2}}+\overline{v}+{\gamma }_L⌋}_{\mathsf{w}-1}·2+{⌊c_0\left[0\right]+\left(v[\mathsf{w}-1]\oplus \delta \right)⌋}_1,\hfill \end{array}$$

(50)

where ${\gamma }_L={𝟙}_{\{c_0\left[0\right]+\left(v[\mathsf{w}-1]\oplus \delta \right)\ge 2\}}$.

Therefore, comparing (48) and (50), we find that condition (46) is equivalent to the system of congruences

$$\left\{\begin{array}{c}{r}_1\left(c_0\right)+r_1\left(v\right)\equiv c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+{\displaystyle \frac{r_1\left(c_0\right)-c_0\left[0\right]}{2}}+\overline{v}+{\gamma }_{L}mod{2}^{\mathsf{w}-1}\hfill \\ c_0[\mathsf{w}-1]+v[\mathsf{w}-1]+{\gamma }_R\equiv c_0\left[0\right]+\left(v[\mathsf{w}-1]\oplus \delta \right)mod2,\hfill \end{array}\right.$$

(51)

where, using (47) and (49), and observing that

$$\sum _{i=0}^{h-1}(v\left[i\right]+(v\left[i\right]\oplus 1))2^i=\sum _{i=0}^{h-1}{2}^i=2^h-1,{\displaystyle \frac{r_1\left(c_0\right)+c_0\left[0\right]}{2}}=\sum _{i=0}^{\mathsf{w}-3}{c}_0[i+1]2^i+c_0\left[0\right],$$

we can rewrite the first congruence of (51) as

$$\sum _{i=0}^{\mathsf{w}-3}{c}_0[i+1]2^i+c_0\left[0\right]+2^h-1\equiv c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+2\sum _{i=0}^{h-1}(v\left[i\right]\oplus 1)2^i+{\gamma }_{L}mod{2}^{\mathsf{w}-1}.$$

(52)

Now, in solving (52) we have to consider the following cases.

• $c_0\left[0\right]=1,h\ge 1$: in this case when $h=\mathsf{w}-1$ congruence (52) becomes

  $$\begin{array}{cc}& \sum _{i=1}^{\mathsf{w}-3}{c}_0[i+1]2^i+c_0\left[1\right]\equiv \hfill \\ \equiv & c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+\sum _{i=1}^{\mathsf{w}-3}(v[i-1]\oplus 1)2^i+(v[\mathsf{w}-3]\oplus 1)2^{\mathsf{w}-2}+{\gamma }_{L}mod{2}^{\mathsf{w}-1}.\hfill \end{array}$$
  Comparing the two members it clearly holds if and only if

  $$v[i-1]=c_0[i+1]\oplus 1,i=1,\dots ,\mathsf{w}-2,\mathrm{and}{c}_0\left[1\right]={\gamma }_L$$

  (53)

  and, by definition of ${\gamma }_L$, the second congruence in (51) holds if

  $$\left\{\begin{array}{cc}v[\mathsf{w}-1]\equiv c_0[\mathsf{w}-1]+{\gamma }_{R}mod2\hfill & \mathrm{and},\mathrm{if}{\gamma }_{\mathrm{L}}=1\delta =v[\mathsf{w}-1]\oplus 1\hfill \\ v[\mathsf{w}-1]\equiv c_0[\mathsf{w}-1]+{\gamma }_R+1mod2\hfill & \mathrm{and},\mathrm{if}{\gamma }_{\mathrm{L}}=0\delta =v[\mathsf{w}-1]\hfill \end{array}\right.$$

  (54)

  where ${\gamma }_R$ is fixed by (53) and by the free choice of $v[\mathsf{w}-2]$. Therefore we always have only 2 solutions when $h=\mathsf{w}-1$. When $h=\mathsf{w}-2$ congruence (52) becomes

  $$\begin{array}{cc}& \sum _{i=1}^{\mathsf{w}-3}{c}_0[i+1]2^i+c_0\left[1\right]+2^{\mathsf{w}-2}\equiv \hfill \\ \equiv & c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+\sum _{i=1}^{\mathsf{w}-3}(v[i-1]\oplus 1)2^i+\left(v[\mathsf{w}-3]\oplus 1\right)2^{\mathsf{w}-2}+{\gamma }_{L}mod{2}^{\mathsf{w}-1}\hfill \end{array}$$

  giving $v[\mathsf{w}-3]=[(1+c_0[\mathsf{w}-1])mod2]\oplus 1$ and conditions similar to (53)

  $$v[i-1]=c_0[i+1]\oplus 1,i=1,\dots ,\mathsf{w}-3,\mathrm{and}{c}_0\left[1\right]={\gamma }_L$$

  and the same conditions (54) for congruence (51). Thus also when $h=\mathsf{w}-2$ we find that we do not have conditions on $v[\mathsf{w}-2]$ and we always have only 2 solutions. Finally if $1\le h\le \mathsf{w}-3$ both members of the congruence (52) are less than $2^{\mathsf{w}-1}$ and they have the same parity if and only if $c_0\left[1\right]={\gamma }_L$. Moreover, we have

  $$2^{\mathsf{w}-2}-2^{h+1}=\sum _{i=h+1}^{\mathsf{w}-3}{2}^i\ge \sum _{i=h+1}^{w-3}{c}_0[i+1]2^i,$$

  where the equality holds if and only if $c_0[i+1]=1$ for all $i=h+1,\dots ,\mathsf{w}-3$, and

  $$\sum _{i=1}^{h-1}{c}_0[i+1]2^i\le 2^h-2,\sum _{i=1}^{h-1}(v[i-1]\oplus 1)2^i\le 2^h-2,$$

  where the equalities hold if $c_0[i+1]=(v[h-1]\oplus 1)=1$ for all $i=1,\dots ,h-1$. Thus we find

  $$\begin{array}{cc}& \sum _{i=h+1}^{\mathsf{w}-3}{c}_0[i+1]2^i+(c_0[h+1]+1)2^h+\sum _{i=1}^{h-1}{c}_0[i+1]2^i=\hfill \\ & =c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+(v[h-1]\oplus 1)2^h+\sum _{i=1}^{h-1}(v[i-1]\oplus 1)2^i,\hfill \end{array}$$

  which gives $v[i-1]=c_0[i+1]\oplus 1$ for all $i=1,\dots ,h-1$ and, if $c_0[\mathsf{w}-1]=j{\in }_2$, we need $c_0[i+1]=j$ for all $i=h+1,\dots ,\mathsf{w}-3$ and $v[h-1]=j$. Therefore we have solutions only when the constant $c_0$ is such that $c_0\left[i\right]=j\in {𝔽}_2$ for all $i=h+1,\dots ,\mathsf{w}-1$ and, since also in these cases the same conditions (54) for congruence (51) hold, we have $v\left[i\right]$ free for all $i=h,h+1,\dots ,\mathsf{w}-2$ and $2^{\mathsf{w}-1-h}$ possible solutions.
• $c_0\left[0\right]=0,h\ge 1$: in this case we necessarily have ${\gamma }_L=0$ and $v[\mathsf{w}-1]\oplus \delta \in {𝔽}_2$ since ${\gamma }_L=1$ only when $c_0\left[0\right]=v[\mathsf{w}-1]\oplus \delta =1$, thus (52) becomes

  $$\sum _{i=1}^{\mathsf{w}-3}{c}_0[i+1]2^i+c_0\left[1\right]+2^h-1\equiv c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+2\sum _{i=0}^{h-1}(v\left[i\right]\oplus 1)2^{i}mod{2}^{\mathsf{w}-1}$$

  (55)

  and we have solutions only when $c_0\left[1\right]=1$, in order to preserve the same parity for both members. Under this supplementary condition, congruence (55) is equivalent to

  $$\sum _{i=1}^{\mathsf{w}-3}{c}_0[i+1]2^i+2^h\equiv c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+2\sum _{i=0}^{h-1}(v\left[i\right]\oplus 1)2^{i}mod{2}^{\mathsf{w}-1},$$

  (56)

  moreover in this case the second congruence in (51) gives

  $$v[\mathsf{w}-1]\equiv c_0[\mathsf{w}-1]+{\gamma }_{R}mod2\mathrm{and}\delta =v[\mathsf{w}-1]$$

  or

  $$v[\mathsf{w}-1]\equiv c_0[\mathsf{w}-1]+{\gamma }_R+1mod2\mathrm{and}\delta =v[\mathsf{w}-1]\oplus 1,$$

  i.e., for every solution of (56) we have also two possibilities for $v[\mathsf{w}-1]$. Thus, since (56) can be solved as in the previous case distinguishing between $h=\mathsf{w}-1$, $h=\mathsf{w}-2$, and $1\le h\le \mathsf{w}-3$, the number of solutions is doubled. So, if $c_0\left[1\right]=1$ and $h=\mathsf{w}-1,\mathsf{w}-2$, we find 4 solutions, while, if $1\le h\le \mathsf{w}-3$ and $c_0\left[i\right]=j{\in }_2$ for all $i=h+1,\dots ,\mathsf{w}-1$, we have $2^{\mathsf{w}-h}$ solutions.
• $h=0$: in this last case we have $\overline{v}=r_1\left(v\right)$ in the first congruence in (51) so this congruence becomes the equality

  $$\sum _{i=0}^{\mathsf{w}-3}{c}_0[i+1]2^i+c_0\left[0\right]=c_0[\mathsf{w}-1]2^{\mathsf{w}-2}+{\gamma }_L.$$
  Since

  $$\sum _{i=0}^{\mathsf{w}-3}{c}_0[i+1]2^i\le 2^{\mathsf{w}-2}-1,$$

  (57)

  if $c_0\left[0\right]=0$ we have solutions only when $c_0\left[i\right]=0$ for all $i=1,\dots ,\mathsf{w}-1$ and ${\gamma }_L=0$, with the two possibilities for $v[\mathsf{w}-1]$ given by

  $$v[\mathsf{w}-1]\equiv {\gamma }_{R}mod2\mathrm{and}\delta =v[\mathsf{w}-1]$$

  or

  $$v[\mathsf{w}-1]\equiv {\gamma }_R+1mod2\mathrm{and}\delta =v[\mathsf{w}-1]\oplus 1,$$

  so all $v\in {\mathbb{F}}_2^{\mathsf{w}}$ are solutions. On the other hand, if $c_0\left[0\right]=1$ and $c_0[\mathsf{w}-1]=1$, from (57) we also need $c_0\left[i\right]=1$ for all $i=1,\dots ,\mathsf{w}-2$ and ${\gamma }_L=0$, therefore $\delta =v[\mathsf{w}-1]$ and $v[\mathsf{w}-1]\equiv {\gamma }_{R}mod2$. Thus only $v[\mathsf{w}-1]$ is fixed and we have $2^{\mathsf{w}-1}$ solutions. Finally, when $c_0\left[0\right]=1$ and $c_0[\mathsf{w}-1]=0$ we also need $c_0\left[i\right]=0$ for all $i=1,\dots ,\mathsf{w}-2$ and ${\gamma }_L=1$. Therefore $\delta =v[\mathsf{w}-1]\oplus 1$ and $v[\mathsf{w}-1]\equiv {\gamma }_{R}mod2$, thus also in this case we have only $v[\mathsf{w}-1]$ fixed and, consequently, there are $2^{\mathsf{w}-1}$ solutions.

 □

Thanks to Lemma 1 and to (44), we have nonzero probabilities only if $c_0$ satisfies one of the following conditions

• $c_0\left[0\right]=1$,
• $c_0\left[0\right]=0$ and $c_0\left[1\right]=1$,
• $c_0\left[i\right]=0$, $i=0,\dots ,\mathsf{w}-1$, i.e., $c_0$ is the zero vector in ${\mathbb{F}}_2^{\mathsf{w}}$,

or, in other words, there are $3·2^{\mathsf{w}-2}+1$ possible choices of $c_0$ which are about $\frac{3}{4}$ of all the possible constants.

In the following theorem we give the exact values of $P\left(c_0\right)$ excluding the only three trivial values of $c_0$ for which $|I_0|\ne 0$.

Theorem 2.

Let us consider $c_0$ such that $c_0\left[i\right]=j\in {\mathbb{F}}_2$ for all $i=t+1,\dots ,\mathsf{w}-2$ with $1\le t\le \mathsf{w}-3$ and $c_0$ different from $\underset{\mathsf{w}-1-\mathit{zeros}}{(\underbrace{0,0,0,\dots ,0}},1)$, $(\underset{\mathsf{w}-\mathit{ones}}{\underbrace{1,1,1,1,\dots ,1})}$, $(\underset{\mathsf{w}-\mathit{zeros}}{\underbrace{0,0,0,0,\dots ,0})}$. Then we have

$$P\left(c_0\right)=\left\{\begin{array}{c}{\displaystyle \frac{9+8·{\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}·\left(2^{2(\mathsf{w}-2-t)}-1\right)}{3·2^{2\mathsf{w}+1}}}\mathrm{if}{c}_0\left[0\right]=1\hfill \\ {\displaystyle \frac{9+8·{\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}·\left(2^{2(\mathsf{w}-2-t)}-1\right)}{3·2^{2\mathsf{w}}}}\mathrm{if}{c}_0\left[0\right]=0,c_0\left[1\right]=1,\hfill \end{array}\right.$$

(58)

where

$${\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}=\left\{\begin{array}{c}1\mathit{if}{c}_0[\mathsf{w}-1]=c_0[\mathsf{w}-2]\hfill \\ 0\mathit{if}{c}_0[\mathsf{w}-1]\ne c_0[\mathsf{w}-2].\hfill \end{array}\right.$$

Proof. 

With our choices of $c_0$ and from the results of Lemma 1, we have $|I_h|=0$ for $h=0,1,\dots ,t-1$, $|I_h|\ne 0$ for $h=t,\dots ,\mathsf{w}-3$ if $c_0[\mathsf{w}-1]=c_0[\mathsf{w}-2]$, and $|I_h|\ne 0$ if $h=\mathsf{w}-1,\mathsf{w}-2$. Thus, from (44) we obtain

$$P\left(c_0\right)=\frac{1}{2^{\mathsf{w}+3}}\left(|I_{\mathsf{w}-1}|2^{-(\mathsf{w}-1)}+|I_{\mathsf{w}-2}|2^{-(\mathsf{w}-2)}+{\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}\sum _{h=t}^{\mathsf{w}-3}\left|I_h\right|·2^{-h}\right).$$

If $c_0\left[0\right]=1$ from the results of Lemma 1 we find

$$P\left(c_0\right)=\frac{1}{2^{\mathsf{w}+3}}\left(2^{-(\mathsf{w}-2)}+2^{-(\mathsf{w}-3)}+{\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}{2}^{\mathsf{w}-1}\sum _{h=t}^{\mathsf{w}-3}{2}^{-2h}\right)$$

and, since

$$2^{\mathsf{w}-1}\sum _{h=t}^{\mathsf{w}-3}{2}^{-2h}=\frac{4·\left(2^{2(\mathsf{w}-2-t)}-1\right)}{3·2^{\mathsf{w}-3}},$$

an easy calculation gives

$$P\left(c_0\right)={\displaystyle \frac{9+8·{\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}·\left(2^{2(\mathsf{w}-2-t)}-1\right)}{3·2^{2\mathsf{w}+1}}}.$$

The case $c_0\left[0\right]=0$ and $c_0\left[1\right]=1$ is straightforward, since all the non-zero cardinalities of the sets $|I_h|$ are doubled. □

4. Discussion

We first resume our results: with the choices (18), (23), (24) and (35)

• conditions (21) and (22) hold automatically from (23);
• condition (25) holds automatically from (35);
• condition (26), for $\mathsf{w}$ sufficiently large, holds with probability $P\left(c_0\right)$ given by (44) and explicitly by (58), under the assumption of independence and uniform distribution for $x_1$, $x_2$ and $b_3$.

Therefore when $\mathsf{r}=1$ and $\mathsf{w}$ is sufficiently large, if $c_0$ satisfies the hypotheses of Theorem 2 and following our choices for $f_1$, $f_2$, $f_3$, a, b, c and d, with the aforementioned assumptions of independence and uniform distribution for $x_1$, $x_2$ and $b_3$, the equality

$$((y_0⋘1)\oplus a,(y_1⋘1)\oplus b,(y_2⋘1)\oplus c,(y_3⋘1)\oplus d)=\mathcal{Q}(c_0,f_1,f_2,f_3)$$

holds with probability $P\left(c_0\right)$ given by (58).

4.1. Propagation Probability of Rotational-XOR Pairs through ChaCha20 Quarter Round

If we consider the four constants used in the ChaCha20 definition, they all satisfy $c_0\left[0\right]=1$, thus we have

• $\left[\mathrm{expa}\right]=01100101011110000111000001100001$ and ${\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}=0$, so $P\left(c_0\right)=\frac{3}{2^{2\mathsf{w}+1}}$, which gives $P\left(c_0\right)=3·2^{-65}$ when $\mathsf{w}=32$;
• $\left[\mathrm{nd}3\right]=01101110011001000010000000110011$ and ${\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}=0$ with $P\left(c_0\right)$ as before;
• $[2-\mathrm{by}]=00110010001011010110001001111001$ and ${\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}=1$, $t=\mathsf{w}-3$, so $P\left(c_0\right)=\frac{11}{2^{2\mathsf{w}+1}}$, which gives $P\left(c_0\right)=11·2^{-65}$ when $\mathsf{w}=32$;
• $\left[\mathrm{te}\mathrm{k}\right]=01110100011001010010000001101011$ and ${\delta }_{c_0[\mathsf{w}-1],c_0[\mathsf{w}-2]}=0$ with $P\left(c_0\right)$ as for the first two constants.

A simple calculation shows that the probability of rotational propagation related to the 4 columns of the initial state of ChaCha20 is $297·2^{-260}\simeq 2^{-251.7857}$ which is greater than $2^{-32·8}=2^{-256}$.

4.2. ChaCha20 Alternative Constants Giving Non-Negligible Probability

In our scenario, this probability increases for some selections of alternative constants and may represent a weakness for variants of ChaCha20 against rotational attacks. From Theorem 2 we observe that $P\left(c_0\right)$ has always a higher value when $c_0[\mathsf{w}-1]=c_0[\mathsf{w}-2]$. In this case we find

$$P\left(c_0\right)=\left\{\begin{array}{c}{\displaystyle \frac{2^{2\mathsf{w}-2t-1}+1}{3·2^{2\mathsf{w}+1}}}\mathrm{if}{c}_0\left[0\right]=1\hfill \\ \\ {\displaystyle \frac{2^{2\mathsf{w}-2t-1}+1}{3·2^{2\mathsf{w}}}}\mathrm{if}{c}_0\left[0\right]=0,c_0\left[1\right]=1,\hfill \end{array}\right.$$

(59)

both of them are greater than $2^{-2\mathsf{w}}$ for all the possible values of $t\in \left\{1,2,\dots ,\mathsf{w}-3\right\}$ and increase their value when t decreases. Thus, constants $c_0$ satisfying the hypotheses of Theorem 2 and giving a rotational propagation probability for the quarter round greater than $2^{-64}$ when $\mathsf{w}=32$ have one of the two following forms

$$c_0=\left\{\begin{array}{c}(\underset{\ge 2\mathrm{equal}\mathrm{bits}}{\underbrace{j,j,\dots ,j,}}{c}_0\left[t\right],c_0[t-1],\dots ,c_0\left[2\right],c_0\left[1\right],1)\hfill \\ \\ (\underset{\ge 2\mathrm{equal}\mathrm{bits}}{\underbrace{j,j,\dots ,j,}}{c}_0\left[t\right],c_0[t-1],\dots ,c_0\left[2\right],1,0).\hfill \end{array}\right.$$

Finally, we consider the following special values of $c_0$:

• $c_0=\underset{\mathsf{w}-1-\mathrm{zeros}}{(\underbrace{0,0,0,\dots ,0}},1)$ and $c_0=(\underset{\mathsf{w}-\mathrm{ones}}{\underbrace{1,1,1,1,\dots ,1})}$ using the results from (44) and Lemma 1 we have $P\left(c_0\right)=\frac{3}{16}$ for $\mathsf{w}$ sufficiently large;
• $c_0=(\underset{\mathsf{w}-\mathrm{zeros}}{\underbrace{0,0,0,0,\dots ,0})}$ again, from (44) and Lemma 1, we obtain $P\left(c_0\right)=\frac{3}{8}$ for $\mathsf{w}$ sufficiently large.

5. Conclusions

We considered the ChaCha20 stream cipher and we studied the propagation of rotational-XOR pairs in the quarter round function. Under suitable choices of the inputs and assumptions of independence and uniform distribution, setting the rotational amount $\mathsf{r}$ to 1, we established a formula for the probability of the propagation of rotational-XOR pairs depending on the selected constants. For the standard constants in ChaCha20 we find a probability around $2^{-251.7857}$ against the probability of $2^{-256}$ of a random permutation. Moreover, we were able to find a family of constants which in our scenario potentially facilitate rotational propagation with non-negligible probability.