1

Let $x, y, z$ denote three $n$-bit words such that $$z = (x \oplus y) \oplus ((x \land y) \ll 1).$$

The NORX paper contains the generalized description of the algebraic normal forms for each bit of $x$ given $y$ and $z$: $$\begin{array}{l} x_0 = (z_0 \oplus y_0),\\ x_1 = (z_1 \oplus y_1) \oplus (x_0 \land y_0),\\ \vdots\\ x_i = (z_i \oplus y_i) \oplus (x_{i-1} \land y_{i-1}),\\ \vdots\\ x_{n-1} = (z_{n-1} \oplus y_{n-1}) \oplus (x_{n-2} \land y_{n-2}), \end{array}$$

where $w_i$ denotes an $i$-th bit of the word $w \in \{x, y, z\}$.

What is the corresponding generalized description of the algebraic normal forms for each bit of $z$ given $x$ and $y$?

lyrically wicked
  • 1,337
  • 7
  • 10

1 Answers1

2

From $$x_i = z_i \oplus y_i \oplus (x_{i-1} \land y_{i-1})$$ we get $$z_i = x_i \oplus y_i \oplus (x_{i-1} \land y_{i-1}).$$

Fractalice
  • 3,087
  • 12
  • 10
  • Then I am wondering why the paper claims that this function "is not obviously invertible at a first glance". Is it true that it is a triangular T-function (as well as addition and subtraction)? – lyrically wicked Jun 11 '21 at 02:32
  • It is triangular, but there is no word-based expression for inversion like for addition/subtraction. Probably that's the reason. – Fractalice Jun 11 '21 at 08:48
  • It seems that the inverse of H function in NORX is triangular, but the H function itself is not triangular because the algebraic normal form for $z_i$ does not depend on every single less significant bit. Is it true? – lyrically wicked Jun 11 '21 at 09:30
  • 1
    That is correct; not having an inverse with a similar number of word operations as the forward direction is why we called it "not obvious". Both the forward and backward directions are T-functions; a T-function does not need to involve every previous bit to be triangular, it just needs to involve exclusively previous bits. – Samuel Neves Jun 11 '21 at 22:14
  • @SamuelNeves: "a T-function does not need to involve every previous bit to be triangular" — it depends on what is meant by the word "involve". According to this Wikipedia article, "if every single less significant bit is included in the update of every bit in the state, such a T-function is called triangular." Note the phrasing: "every single less significant bit". [1/2] – lyrically wicked Jun 12 '21 at 04:46
  • @SamuelNeves: The backward direction of H function matches the definition of "triangular", but the forward direction does not because the ANF for an $i$-th bit of the word $x$ (i.e. backward direction) contains $x_{i-1}$, but the ANF for an $i$-th bit of the word $z$ (i.e. forward direction) does not contain $z_{i-1}$. Is my understanding of "triangularity" correct? [2/2] – lyrically wicked Jun 12 '21 at 04:49
  • It seems a bit silly to me to be talking about triangular T-functions, since the T already stands for triangular. I don't quite know where the wikipedia article got that definition from, since I don't recall seeing it in literature. – Samuel Neves Jun 12 '21 at 13:36
  • @SamuelNeves: Section 4 in the paper "A New Class of Invertible Mappings" [A. Klimov, A. Shamir] gives a description of what the name "T-function" refers to, and explains the difference between the implicit triangulation and the explicit triangulation... So maybe a "triangular T-function" implies a "T-function which has an explicit triangular shape"? – lyrically wicked Jun 12 '21 at 14:59
  • OK, as far as I can tell Wikipedia has a much more restricted definition of a T-function, which forces it to be invertible (this is not necessarily the case). What it calls a T-function is what one would ordinarily call an invertible or bijective T-function, and what it calls a triangular T-function is what one would call a single-cycle T-function. So, the NORX op is a bijective T-function, but definitely not a single-cycle T-function (when fixing one of the arguments). – Samuel Neves Jun 12 '21 at 15:20