In an ARX construction like Salsa20, why is the XOR operation required? That is, why is AR not sufficient? Note that XOR is a linear operation.
1 Answer
Xor is the "addition" operator for algebra with boolean operators, while AND is the "multiplication" operator for boolean operators. "Regular" addition and multiplication are the addition/multiplication operators for integers. So speaking of "linearity" in the sense of algebraic compatibility, XOR and integer addition are non-linear. I feel like this question/answer(s) sums it up pretty well.
As for why xor is required/why AR is not sufficient, technically, AR is equivalent to ARX, but less efficient. See the paper Rotational Cryptanalysis of ARX. There are some details to it:
We also show that the AR systems, that do not use XOR, are theoretically equivalent to ARX systems. However, we prove that they are less secure with the same number of operations, because of the linear mod 2**n approximation. It is also easy to prove that omitting addition or rotation is devastating, and such systems (XR and AX) can always be broken.
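The structural weaknesses of XR and AX named in the quoted abstract can be measured directly on the Salsa20 quarter-round. This is an added example, not part of the original answer or the cited paper: it checks that an XR variant (addition swapped for XOR) is exactly XOR-linear, that an AX variant (all rotations set to 0) never lets high input bits reach low output bits, and that the full ARX round has neither property. The helper names, trial counts, seeds and the choice of k=8 are assumptions made for illustration.

```python
import random

MASK = 0xFFFFFFFF
SALSA_ROTS = (7, 9, 13, 18)          # Salsa20 quarter-round rotation amounts

def rotl(x, r):
    """Rotate a 32-bit word left by r bits (r = 0 leaves it unchanged)."""
    return ((x << r) | (x >> (32 - r))) & MASK

def add(a, b): return (a + b) & MASK   # the "A" in ARX
def xor(a, b): return a ^ b            # used as `mix` to build the XR variant

def quarter_round(y, mix=add, rots=SALSA_ROTS):
    """Salsa20 quarter-round. `mix` stands in for the modular addition and
    `rots` for the rotation amounts, so XR and AX variants can be built."""
    y0, y1, y2, y3 = y
    y1 ^= rotl(mix(y0, y3), rots[0])
    y2 ^= rotl(mix(y1, y0), rots[1])
    y3 ^= rotl(mix(y2, y1), rots[2])
    y0 ^= rotl(mix(y3, y2), rots[3])
    return (y0, y1, y2, y3)

def _state(rng):
    return tuple(rng.getrandbits(32) for _ in range(4))

def xor_linear_fraction(mix, rots, trials=2000, seed=1):
    """Fraction of random pairs (a, b) with f(a ^ b) == f(a) ^ f(b)."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        a, b = _state(rng), _state(rng)
        ab = tuple(p ^ q for p, q in zip(a, b))
        fa, fb = quarter_round(a, mix, rots), quarter_round(b, mix, rots)
        hits += quarter_round(ab, mix, rots) == tuple(p ^ q for p, q in zip(fa, fb))
    return hits / trials

def low_bits_closed_fraction(mix, rots, k=8, trials=2000, seed=2):
    """Fraction of random inputs whose low k output bits are unchanged when
    every input bit above the low k is cleared (no high-to-low diffusion)."""
    rng, hits, low = random.Random(seed), 0, (1 << k) - 1
    for _ in range(trials):
        a = _state(rng)
        full = tuple(w & low for w in quarter_round(a, mix, rots))
        cut = tuple(w & low for w in quarter_round(tuple(w & low for w in a), mix, rots))
        hits += full == cut
    return hits / trials

if __name__ == "__main__":
    no_rot = (0, 0, 0, 0)
    print("XR  xor-linear      :", xor_linear_fraction(xor, SALSA_ROTS))
    print("ARX xor-linear      :", xor_linear_fraction(add, SALSA_ROTS))
    print("AX  low bits closed :", low_bits_closed_fraction(add, no_rot))
    print("ARX low bits closed :", low_bits_closed_fraction(add, SALSA_ROTS))
```
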