Maximums of the Additive Differential Probability of Exclusive-Or

At FSE 2004, Lipmaa et al. studied the additive differential probability adp(circle plus)(alpha, beta -> gamma) of exclusive-or where differences alpha, beta, gamma is an element of F-2(n) are expressed using addition modulo 2(n). This probability is used in the analysis of symmetrickey primitives that combine XOR and modular addition, such as the increasingly popular Addition-Rotation-XOR (ARX) constructions. The focus of this paper is on maximal differentials, which are helpful when constructing differential trails. We provide the missing proof for Theorem 3 of the FSE 2004 paper, which states that max(alpha,beta) adp(circle plus)(alpha, beta -> gamma) = adp(circle plus)(0, gamma -> gamma) for all gamma. Furthermore, we prove that there always exist either two or eight distinct pairs alpha,beta such that adp(circle plus)(alpha, beta -> gamma) = adp(circle plus)(0, gamma -> gamma), and we obtain recurrence formulas for calculating adp(circle plus). To gain insight into the range of possible differential probabilities, we also study other properties such as the minimum value of adp(circle plus)(0, gamma -> gamma), and we find all gamma that satisfy this minimum value.