Differential Distributions for Twofish S-Boxes

This paper gives some results concerning the the probability distribtuins for simultaneous di erentials across the same Two sh S-Box. 1 A Single Di erential for an S-Box Consider a Two sh S-Box [1] S-Box. For a given Two sh S-box (16-bit) subkey k, this de nes a function Sk : Z 8 2 ! Z 2 . The di erential count for Sk for input di erence a and output di erence b (a! b) is de ned by Nk(a; b) = #fx 2 Z 8 2 jSk(x) Sk(x a) b = 0g [a; b 2 Z 8 2 ]: The probability of the di erential a ! b is given by 2 8Nk(a; b). Clearly, Nk(a; 0) = Nk(0; b) = 0 for a; b 6= 0 with Nk(0; 0) = 2 . We consider Nk(a; b) when a; b 6= 0. Consider the quotient space Ua = Z 8 2 =f0; ag, and de ne Wx 2 Ua to be the coset fx; x ag. We can now de ne F : Ua ! Z 8 2 by F (Wx) = Sk(x) Sk(x a) b: It is reasonable to regard F as a random function mapping uniformly into an 8-bit space, so the indicator function IWx for the event F (Wx) = 0 takes the value 1 with probability 2 8 and 0 with probability 1 2 . Furthermore, to a very good approximation, IWx are independent random variables. Thus, summing over all 2 elements of Ua, we obtain X Wx2Ua IWx Bin(2 ; 2 ) Poi(1=2):