electronics

Article
Differential–Linear Approximations of CHAM
Dongyoung Roh

The Affiliated Institute of Electronics and Telecommunications Research Institute,

Daejeon 34044, Republic of Korea; dyroh@nsr.re.kr

Abstract: CHAM is a family of lightweight block ciphers designed for resource-constrained envi-
ronments like IoT devices and embedded systems, which require low power consumption and high
performance. Despite numerous cryptanalytic evaluations, the security of CHAM remains robust.
Differential–linear cryptanalysis, a method that combines two of the strongest attack methods on
block ciphers—differential cryptanalysis and linear cryptanalysis—has been successfully applied
to many block ciphers. This study introduces the first concrete differential–linear approximations
of CHAM, marking a significant advancement in the cryptanalysis of this cipher family. Utilizing a
Boolean satisfiability problem framework, we present a 46-round differential–linear approximation
of CHAM-64/128 with a correlation of 2−31.08 and a 58-round approximation for CHAM-128/128 and
CHAM-128/256 with correlations of 2−58.86 and 2−59.08 , respectively. These findings significantly
exceed the designers’ expectations for differential–linear approximations using CHAM. Furthermore,
the 46-round differential–linear approximation of CHAM-64/128 is the best distinguisher of CHAM-
64/128 to date in a single-key attack model. Notably, our findings do not threaten the security of
CHAM but provide deeper insights into its cryptanalytic resistance.

Keywords: block cipher; Boolean satisifiability problem; CHAM; cryptanalysis; cryptography;

differential–linear approximations; SAT solver

1. Introduction
CHAM is a family of lightweight block ciphers designed for resource-constrained
environments, such as Internet of Things (IoT) devices, embedded systems, and other
Citation: Roh, D. Differential-Linear applications where both low power consumption and high performance are crucial. It was
Approximations of CHAM. Electronics introduced by Koo et al. [1] and further revised by Roh et al. [2] to increase the numbers of
2024, 13, 3141. https://doi.org/ rounds (note that only the numbers of rounds were changed, without changing the other
10.3390/electronics13163141 structures). CHAM is based on a four-branch generalized Feistel structure and consists of
Academic Editors: Guosheng Xu and ARX operations (modular addition ⊞, bitwise rotation ≪, and bitwise XOR ⊕). There are
Swapnoneel Roy three ciphers, CHAM-64/128, CHAM-128/128, and CHAM-128/256, where the first number
denotes the block size in bits and the second number denotes the key size in bits. For
Received: 4 July 2024 example, CHAM-64/128 has a 64-bit block size and a 128-bit key size, while CHAM-128/256
Revised: 5 August 2024
features a 128-bit block and a 256-bit key. Notably, CHAM is one of the ciphers that can be
Accepted: 6 August 2024
implemented with the smallest hardware area.
Published: 8 August 2024
Several cryptanalytic results using CHAM have been published, including differential
cryptanalysis [3,4], linear cryptanalysis [5], integral cryptanalysis [6], meet-in-the-middle
type attacks [7,8], and impossible differential cryptanalysis [9]. Despite these analyses, the
Copyright: © 2024 by the author.
security of CHAM remains unthreatened due to its sufficient security margin.
Licensee MDPI, Basel, Switzerland. Two important statistical techniques in the cryptanalysis of block ciphers are differen-
This article is an open access article tial cryptanalysis, introduced by Biham and Shamir [10], and linear cryptanalysis, intro-
distributed under the terms and duced by Matsui [11]. These techniques have been used to mount the best-known attacks
conditions of the Creative Commons on numerous block ciphers [12–15]. Consequently, resistance to these two cryptanalytic
Attribution (CC BY) license (https:// techniques, particularly the non-existence of high-probability differential characteristics or
creativecommons.org/licenses/by/ high-bias linear approximations spanning many rounds of the cipher, has become a crucial
4.0/). criterion in block cipher design.

Electronics 2024, 13, 3141. https://doi.org/10.3390/electronics13163141 https://www.mdpi.com/journal/electronics

Electronics 2024, 13, 3141 2 of 21

The initial step in differential cryptanalysis is to search for high-probability differen-

tial characteristics, while in linear cryptanalysis, it is to search for high-correlation linear
approximations. Over the last decade, a major focus has been on developing efficient meth-
ods to automatically search for these distinguishers (differential characteristics and linear
approximations) [14,16–20]. Notable works in this area have significantly expanded the
search space that can be explored within a practical time, thereby increasing our confidence
in a cipher’s resistance against differential cryptanalysis and linear cryptanalysis.
For some block ciphers, it is relatively easy to find high-probability differential charac-
teristics and high-correlation linear approximations within a few rounds. However, as the
number of rounds increases, the effectiveness of both differential and linear cryptanalysis
decreases. While it might seem that preventing long differential characteristics and linear
approximations would suffice to make a block cipher immune to these attacks, short charac-
teristics and approximations can also be exploited to break the cipher. The first cryptanalytic
technique to demonstrate this was differential–linear cryptanalysis, introduced by Langford
and Hellman in 1994 [21]. This technique combines differential cryptanalysis and linear
cryptanalysis, leveraging their individual strengths over a few rounds to mount more effec-
tive attacks over many rounds. Differential–linear cryptanalysis has been used to evaluate
the security of many block ciphers, including IDEA [22], COCONUT98 [23], Serpent [24,25],
CTC2 [25], ICEPOLE [26,27], Chaskey [28,29], ChaCha [29], LEA [30], SPECK [30], and
others. However, no concrete differential–linear approximations for CHAM have been
reported until now. Currently, the only information we have is the expectation set by
the designers of CHAM that differential–linear approximations would not exist beyond a
certain number of rounds.
In differential–linear cryptanalysis, a crucial initial step is identifying differential–
linear approximations (denoted by ∆ in → γout ) with high correlations. The develop-
ment of automated searches for these approximations has remained virtually stagnant for
nearly 20 years. Researchers typically identify differential–linear approximations using
a three-stage process: (1) experimentally verifying short differential–linear approxima-
tions, denoted by ∆ m → γm ; (2) searching for short differential characteristics (denoted by
∆ in → ∆ m ) and linear approximations (denoted by γm → γout ); and (3) concatenating these
three short distinguishers (differential characteristics and linear approximations) into a long
differential–linear approximation ∆ in → ∆ m → γm → γout . Due to the lack of an efficient
method for searching for the short differential–linear approximations of ∆ m → γm , the
practical search space for a difference ∆ m is severely constrained to linear masks, γm , with
a Hamming weight of 1 or 2. This persistent limitation weakens confidence in a cipher’s
resistance to differential–linear cryptanalysis.
Recently, two methods have been proposed to automatically find the differential–linear
approximation of the ARX cipher. One is based on mixed-integer linear programming
(MILP) and mixed-integer quadratic constraint programming (MIQCP) techniques [31],
and the other is based on a Boolean satisfiability problem [30]. The primary objective of
this study is to provide the first concrete differential–linear approximations of CHAM, one
of the ARX ciphers, by utilizing the latter framework.

1.1. Our Contributions

This paper gives the first concrete differential–linear approximations of CHAM. To
the best of our knowledge, the security analysis of CHAM against differential–linear crypt-
analysis has only been provided by its designers. However, they did not present concrete
differential–linear approximations. They only provided upper bounds on the maximum
numbers of rounds for which they expected differential–linear approximations to exist.
This was achieved by using the known maximum probabilities of the differential char-
acteristics and the known maximum correlations of the linear characteristics for short
rounds. Furthermore, their analysis did not consider the differential–linear connectivity
table (DLCT) and focused solely on the direct combination of differential characteristics
and linear approximations.
Electronics 2024, 13, 3141 3 of 21

Specifically, we present a 46-round differential–linear approximation with a correlation

of 2−31.08 for CHAM-64/128. This differential–linear approximation demonstrates that a
differential–linear approximation can indeed cover significantly more rounds than antici-
pated by the designers of CHAM. Additionally, this approximation serves as a distinguisher
for the longest rounds within the single-key attack model. The previous best distinguisher
in the single-key model was the 40-round differential [7]. If we take the multi-key model
into account, the 47-round related-key differential characteristic is the best distinguisher [2].
Furthermore, we introduce a 58-round differential–linear approximation with correla-
tions of 2−58.86 and 2−59.08 for CHAM-128/128 and CHAM-128/256, respectively. Although
this does not serve as a distinguisher for the longest rounds, it nevertheless illustrates
that a differential–linear approximation can span more rounds than anticipated by the
designers of CHAM. Note that the best distinguisher in the single-key model is the 67-round
differential [2].
Table 1 provides a summary of our differential–linear approximation results compared
to existing distinguishers for CHAM.

Table 1. Summary of distinguishers of CHAM.

Cipher Type Round Refs.

Differential characteristic 38 [4]
Differential 40 [7]
Related-key differential characteristic 47 [2]
Linear approximation 34 [1,5]
CHAM-64/128
Integral distinguisher 21 [6]
Impossible differential 1 22 [9]
Differential–linear approximation 2 35 [2]
Differential–linear approximation 46 This paper
Differential characteristic 63 [3]
Differential 67 [2]
CHAM-128/128 Linear approximation 40 [1]
CHAM-128/256 Integral distinguisher 19 [6]
Differential–linear approximation 2 45 [1]
Differential–linear approximation 58 this paper
1 under 2127 weak keys. 2 Only the estimated number of rounds is given. No concrete differential–linear
approximation is given.

1.2. Paper Organization

The outline of the paper is as follows. In Section 2, we provide basic definitions and
notations, introduce differential–linear approximations, Boolean satisfiability problems,
and SAT solvers, and describe CHAM. We review the method proposed by Chen et al. for
searching for differential–linear approximations of ARX block ciphers in Section 3. Section 4
presents our results: the first differential–linear approximations of CHAM. Finally, Section 5
concludes this paper and proposes further studies.

2. Preliminaries
2.1. Basic Definitions and Notations
Given a vector x ∈ F2n , x [ j] denotes the j-th bit of x, where x [0] is the least significant
bit. Let us denote as [i ] the vector y ∈ F2n , such that y[i ] = 1 and y[ j] = 0 for j ̸= i and
0 ≤ j < n. Let [i1 , i2 , · · · , it ] denote [i1 ] ⊕ [i2 ] ⊕ · · · ⊕ [it ], where 0 ≤ i1 , i2 , · · · , it < n, and
t ≤ n. The inner product of two vectors x and y in F2n is defined as ⟨ x, y⟩ = ∑in=−01 x [i ]y[i ].
Electronics 2024, 13, 3141 4 of 21

The correlation of a Boolean function g : F2n → F2 over a set S ⊆ F2n is defined

as follows:
|{ x ∈ S| g( x ) = 0}| − |{ x ∈ S| g( x ) = 1}|
Cor[ g( x )] = . (1)
x ∈S |S|
For a vectorial Boolean function f : F2n → F2m , a set S ⊆ F2n , an n-bit input mask γin ,
and an m-bit output mask γout , the (linear) correlation of f with respect to the set and the
mask pair, denoted by Corx∈S [ f ( x ); γin , γout ], is defined to be the correlation of a Boolean
function x 7→ ⟨γin , x ⟩ ⊕ ⟨γout , f ( x )⟩ over the set S as follows:

|{ x ∈ S|⟨γin , x ⟩ ⊕ ⟨γout , f ( x )⟩ = 0}| − |{ x ∈ S|⟨γin , x ⟩ ⊕ ⟨γout , f ( x )⟩ = 1}|

Cor[ f ( x ); γin , γout ] = . (2)
x ∈S |S|
We call the pair (γin , γout ) the linear approximation of f over S. When S = F2n , we call it the
linear approximation of f .

Example 1. Let f : F42 → F42 be a vectorial Boolean function. The function f maps the input x to
an output f ( x ), as given in hexadecimal notation in Table 2. (The function f is the 4-bit to 4-bit
S-box of PRESENT [32].) Let γin = (1, 0, 0, 1) and γout = (0, 0, 0, 1). Then, the linear correlation
of f with respect to the set F42 and the mask pair (γin , γout ) is as follows:

12 − 4
Cor [ f ( x ); γin , γout ] = = 2−1 . (3)
x ∈F42 16

Table 2. The vectorial Boolean function f .

x 0 1 2 3 4 5 6 7 8 9 A B C D E F
f ( x) C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

2.2. Differential–Linear Approximation

The initial approach developed by Langford and Hellman [21] involved splitting the
targeted cipher E into two sub-ciphers, E1 and E2 , such that E = E2 ◦ E1 , and combining a
differential characteristic for E1 with a linear approximation for E2 to form an attack on the
entire cipher E. Thanks to the differential–linear connectivity table concept introduced by
Bar-On et al. [27], the differential–linear attack strategy has evolved to divide the cipher E
into three sub-ciphers, E1 , Em , and E2 , such that E = E2 ◦ Em ◦ E1 instead of two (Figure 1).

P0 X0 Y0 C0
q
γm γout
p r
Δin Δm
γm γout
q
P1 X1 Y1 C1

E1 Em E2

Figure 1. The structure of a differential–linear approximation.

1 E
Suppose that the differential characteristic for E1 , ∆ in −→ ∆ m , holds with a probability
2 E
p, the linear approximation for E2 , γm −→ γout , has a correlation of q, and the differential–
m E
linear approximation for Em , ∆ m −→ γm , has a correlation of r:
Electronics 2024, 13, 3141 5 of 21

Pr [ E1 ( x ) ⊕ E1 ( x ⊕ ∆ in ) = ∆ m ] = p,
x ∈F2n

Cor [ E2 ( x ); γm , γout ] = q, (4)

x ∈F2n

Cor[⟨γm , Em ( x )⟩ ⊕ ⟨γm , Em ( x ⊕ ∆ m )⟩] = r,

x ∈S

where S represents the set of samples used to calculate the correlation. Note that when
Em involves round keys, the correlation r is estimated using N samples and M random
keys. This is achieved by computing an empirical value with a random key and repeating
the process M times. The final value of r is determined as the median (or mean) of the
M obtained values [27,30,33]. Subsequently, the total correlation of the differential–linear
E
approximation ∆ in −→ γout is estimated as follows:

Cor [⟨γout , E( x )⟩ ⊕ ⟨γout , E( x ⊕ ∆ in )⟩] = prq2 . (5)

x ∈F2n

2.3. Boolean Satisfiability Problem and SAT Solver

The Boolean satisfiability problem involves determining whether a given Boolean
formula can be satisfied by any interpretation. In other words, it aims to ascertain if
the variables in the formula can be assigned values of TRUE or FALSE in a consistent
manner that results in the formula being evaluated as TRUE. If such an assignment is
possible, the formula is said to be satisfiable. Conversely, if no such assignment exists, the
formula is unsatisfiable, indicating that the formula is evaluated as FALSE for all potential
variable assignments.

Example 2. Consider the Boolean formula ( P ∨ ¬ Q) ∧ ( Q ∨ ¬ R) ∧ ( R ∨ ¬ P). To determine if

this formula is satisfiable, we can construct the following truth table (see Table 3). The formula is
satisfiable because there are combinations of P, Q, and R (specifically, (0, 0, 0) and (1, 1, 1)) that
make the formula true.

Table 3. The truth table of ( P ∨ ¬ Q) ∧ ( Q ∨ ¬ R) ∧ ( R ∨ ¬ P).

P Q R P ∨ ¬Q Q ∨ ¬R R ∨ ¬P Formula
0 0 0 1 1 1 1
0 0 1 1 0 1 0
0 1 0 0 1 1 0
0 1 1 0 1 1 0
1 0 0 1 1 0 0
1 0 1 1 0 1 0
1 1 0 1 1 0 0
1 1 1 1 1 1 1

The Boolean satisfiability problem is known to fall into the category of NP-complete
problems, which means that currently, only algorithms with exponential worst-case com-
plexity can solve it. Despite this complexity, there is ongoing research and development
aimed at creating efficient and scalable algorithms to address it.
In this paper, we use two well-known SAT solvers, CryptoMiniSat by M. Soos et al. [34]
and CaDiCaL by Biere [35], to search for differential–linear approximations of CHAM. Crypto-
MiniSat is recognized for its efficiency, scalability, and suitability for cryptographic applications.
It supports multi-threaded operations and XOR clauses, making it highly versatile. On the
other hand, CaDiCaL is designed with simplicity, performance, and lightweight architecture in
mind, excelling in situations where these attributes are paramount. Both solvers bring unique
Electronics 2024, 13, 3141 6 of 21

strengths to the table, contributing to the continuous efforts to develop robust solutions for
the Boolean satisfiability problem.

2.4. The Block Cipher CHAM

CHAM, consisting of ARX operations (modular addition ⊞, bitwise rotation ≪, and
bitwise XOR ⊕), is a family of block ciphers with a four-branch generalized Feistel structure.
Each cipher in this family is denoted as CHAM-n/k, where n represents the block size in
bits and k represents the key size in bits. Table 4 lists the ciphers in this family and their
parameters. Here, w denotes the bit length of a branch (word) and Nr represents the
number of rounds.

Table 4. The block cipher CHAM parameters.

Cipher n k w Nr
CHAM-64/128 64 128 16 88
CHAM-128/128 128 128 32 112
CHAM-128/256 128 256 32 120

By applying Nr iterations of the key-dependent round function, CHAM-n/k encrypts

an n-bit plaintext of four w-bit words to an n-bit ciphertext of four w-bit words. For a round
key rk i ∈ GF(2)w , the i-th round function of CHAM is defined as follows:
(i )
f rk : GF(2)w × GF(2)w × GF(2)w × GF(2)w −→ GF(2)w × GF(2)w × GF(2)w × GF(2)w
i
(6)
(i )
f rk ( xi , yi , zi , wi ) = (yi , zi , wi , (( xi ⊕ i ) ⊞ ((yi ≪ αi ) ⊕ rk i )) ≪ β i ),
i

where αi = 1 and β i = 8 when i is even and αi = 8 and β i = 1 when i is odd. The round
function of CHAM is depicted in Figure 2.
The CHAM key schedules generate round keys rk i for a given key of k/w w-bit words
K = (k0 , k1 , · · · , k k/w−1 ). The round keys are generated by the following:
(


kj ⊕ kj ≪ 1 ⊕ kj ≪ 8 , if 0 ≤ j < k/w,
rk i =

(7)
k j⊕1 ⊕ k j⊕1 ≪ 1 ⊕ k j⊕1 ≪ 11 , otherwise,

where j = i mod 2k/w. The value rk i is the i-th round key for 0 ≤ i < Nr.

xi yi zi wi

i rki

xi+1 yi+1 zi+1 wi+1

i+1 rki+1

xi+2 yi+2 zi+2 wi+2

Figure 2. The round function of CHAM.

Electronics 2024, 13, 3141 7 of 21

3. Searching for Differential–Linear Approximations

In this section, we briefly review the method proposed by Chen et al. for finding
differential–linear approximations of block ciphers [30]. The core idea of Chen et al.’s
method involves generating new differential–linear approximations by XORing known
approximations, aiming to create approximations with high correlations. Their motivation
is based on an intuitive understanding of correlations, leading to the conclusion that com-
bining high-correlation approximations is likely to result in another effective approximation.
Although this hypothesis relies on an assumption of independence that may not always be
valid, it has been supported by experimental results.
We first introduce two concepts, strong unbalanced bit and weak unbalanced bit.

Definition 1 ([30]). Consider an n-bit block cipher, an n-bit difference ∆, and a threshold c. The
i-th ciphertext bit, where 0 ≤ i < n, is called a strong unbalanced bit if the absolute correlation of
the differential–linear approximation ∆ → γ exceeds c, where γ = [i ]. If this condition is not met,
the bit is called a weak unbalanced bit.

Suppose that two sub-ciphers, Em and E2 and a difference ∆ m are given. Based on the
heuristic conclusion, a meet-in-the-middle search algorithm to search for differential–linear
Em 2E
approximations ∆ m −→ γm −→ γout is proposed. The algorithm works as follows. We
first search for a set of strong unbalanced bits, BS , for a sub-cipher Em , a difference ∆ m ,
and a threshold. Next, we search for linear approximations (γm , γout ) of a sub-cipher E2
under the conditions that γm [i ] = 0 if i ∈/ BS for 0 ≤ i < n. Finally, for each returned
linear approximation (γm , γout ) of E2 , we compute the experimental correlation of the
differential–linear approximation. We add the approximation to a list if the correlation is
greater than or equal to the threshold. See Algorithm 1 for the detailed steps.

m E 2 E
Algorithm 1 [30] Searching for ∆ m −→ γm −→ γout using the meet-in-the-middle method
Require: a difference ∆ m , a threshold c, a sample size N
Ensure: a set P of linear mask tuples (γm , γout )
1: P ← ϕ and BS ← ϕ
2: Generate N random plaintexts Pi (1 ≤ i ≤ N).
3: Collect N pseudo-ciphertext pairs ( Em ( Pi ), Em ( Pi ⊕ ∆ m )) (1 ≤ i ≤ N).
4: for 0 ≤ i < n do
5: γm ← [ i ]
6: Compute the correlation Cor of ∆ m → γm over the N pseudo-ciphertext pairs.
7: if |Cor| ≥ c then
8: B S ← B S ∪ { i }.
9: end if
10: end for
11: for 0 ≤ i < n and i ∈
/ BS do
12: Add a condition γm [i ] = 0 to Model(). ▷ Model() is the automatic search model of
linear approximations γm → γout
13: end for
14: Collect linear mask tuples (γm , γout ) by running Model ().
15: for each returned tuple (γm , γout ) do
16: Compute the correlation Cor of ∆ m → γm over N pseudo-ciphertext pairs.
17: if |Cor| ≥ c then
18: P ← P ∪ {(γm , γout )}.
19: end if
20: end for
Electronics 2024, 13, 3141 8 of 21

4. Differential–Linear Approximations of CHAM

This section presents the first differential–linear approximations of CHAM. We will
denote r1 , rm , and r2 as the numbers of rounds covered by E1 , Em , and E2 , respectively. We
m E
first search for a differential–linear approximation ∆ m −→ γm and a linear approximation
2E
γm −→ γout using Algorithm 1. Following this, we prepend a differential characteristic
E1
∆ in −→ ∆ m . Given the computational infeasibility of testing all the differences ∆ m ∈ F2n ,
we confine our investigation to cases where ∆ m takes the form [i ] for 0 ≤ i < n (1-bit
differences) or [i, i + 1] for 0 ≤ i < n − 1 (2-bit differences).

4.1. Differential–Linear Approximation of CHAM-64/128

This subsection presents the first differential–linear approximation of CHAM-64/128.
A 46-round differential–linear approximation of CHAM-64/128 with a correlation of 2−31.08
is found using Algorithm 1 by setting rm = 26, r2 = 14, and c = 2−7 (see Table 5). This
approximation is composed of the following:
• A six-round differential characteristic with an output difference of (2000 0000 0000
0000) and a probability of 2−10 (note that this is optimal, as there is no six-round
differential characteristic with a higher probability for this output difference; see
Table 6);
• A 26-round differential–linear approximation with a correlation of 2−11.08 . This value
is the median of 200 experimental correlations, each derived from 224 plaintext–
ciphertext pairs. (The average and standard deviation of the 200 correlations are 2−10.59
and 2−10.72 , respectively. The 95% and 99% confidence intervals are 2−10.79 , 2−10.42 ,

and 2−10.85 , 2−10.37 , respectively.)

• A 14-round linear approximation with a correlation of 2−5 (Note that this is also
optimal, as there is no 14-round linear approximation with a higher correlation; see
Table 7).
This approximation represents the most effective distinguisher for CHAM-64/128
found to date in a single-key attack model, significantly exceeding the designers’ expecta-
tions for differential–linear approximations of CHAM-64/128.
As mentioned earlier, for each 1-bit and 2-bit difference, the set of strong unbalanced
bits for the 26-round Em is determined using the threshold 2−7 and 228 pseudo plaintext–
ciphertext pairs. These results are summarized in Table A1 provided in Appendix A.

Table 5. A 46-round differential–linear approximation of CHAM-64/128.

(r1 , r m , r2 ) ∆ in → ∆ m → γm → γout Correlation

(8120 2090 8020 4000) →
(2000 0000 0000 0000) →
(6, 26, 14) 2−31.08
(0001 8000 0400 0201) →
(0106 0400 0200 0002) →

Table 6. An optimal 6-round differential characteristic of CHAM-64/128 with an output difference of

(2000 0000 0000 0000).
Round Difference Prob. Round Difference Prob.
0 (8120 2090 8020 4000) 4 (0040 0020 2000 0000) 2−1
1 (2090 8020 4000 0040) 2−3 5 (0020 2000 0000 0000) 2−1
2 (8020 4000 0040 0020) 2−3 6 (2000 0000 0000 0000) 2−1
3 (4000 0040 0020 2000) 2−1
Electronics 2024, 13, 3141 9 of 21

Table 7. An optimal 14-round linear approximation of CHAM-64/128 with a correlation of 2−5 .

Round Linear Mask Cor. Round Linear Mask Cor.

0 (0001 8000 0400 0201) 8 (0000 0000 0400 0000) 1
1 (0000 0400 0201 0100) 1 9 (0000 0400 0000 0000) 1
2 (0400 0201 0100 0000) 1 10 (0400 0000 0000 0000) 1
3 (0001 0100 0000 0006) 2−1 11 (0200 0000 0000 0006) 2−1
4 (0000 0000 0006 0002) 1 12 (0003 0000 0006 0400) 2−1
5 (0000 0006 0002 0000) 1 13 (0001 0006 0400 0200) 2−1
6 (0006 0002 0000 0000) 1 14 (0106 0400 0200 0002) 1
7 (0000 0000 0000 0400) 2−1

4.2. Differential–Linear Approximation of CHAM-128/128 and CHAM-128/256

This subsection presents the first differential–linear approximation of CHAM-128/128
and CHAM-128/256. A 58-round differential–linear approximation with correlations of
2−58.86 for CHAM-128/128 and 2−59.08 for CHAM-128/256 is found using Algorithm 1 by
setting rm = 32, r2 = 16, and c = 2−8 (see Table 8). This approximation is composed of
the following:
• A 10-round differential characteristic with an output difference of (08000000 00000000
00000000 00000000) and a probability of 2−26 (Note that this is optimal, as there is no
10-round differential characteristic with a higher probability for this output difference.
See Table 9);
• A 32-round differential–linear approximation with correlations of 2−14.86 for CHAM-
128/128 and 2−15.08 for CHAM-128/256 (These values are the medians of 100 exper-
imental correlations, each derived from 228 plaintext–ciphertext pairs. (For CHAM-
128/128, the average and standard deviation of the 100 correlations are 2−13.75
and
2−13.86 , respectively. The 95% and 99% confidence intervals are 2 −14.04 , 2−13.51 , and

2−14.14 , 2−13.44 , respectively. For CHAM-128/256, the average and standard devi-

ation of the 100 correlations are 2−14.03
and 2−14.34 , respectively. The 95% and 99%
− 14.28 − 13.82 − 14.37 − 13.76


confidence intervals are 2 ,2 , and 2 ,2 , respectively).
• A 16-round linear approximation with a correlation of 2−9 (note that this is also optimal,
as there is no 16-round linear approximation with a higher correlation; see Table 10).
Although this approximation is not the best distinguisher for CHAM-128/128 and
CHAM-128/256, it stands as the first concrete differential–linear approximation. Remark-
ably, it surpasses the designers’ expectations for differential–linear approximations of
CHAM-128/128 and CHAM-128/256.

Table 8. A 58-round differential–linear approximation of CHAM-128/128 and CHAM-128/256.

(r1 , r m , r2 ) ∆ in → ∆ m → γm → γout Correlation

(00100104 04082082 80000820 40000000) →
(08000000 00000000 00000000 00000000) → 2−58.86
(10, 32, 16)
(00040000 c1020000 00800000 00008000) → 2−59.08
(01040000 00000600 00000200 00000002) →

Table 9. An optimal 10-round differential characteristic of CHAM-128/128 and CHAM-128/256 with

an output difference of (08000000 00000000 00000000 00000000).

Round Difference Prob. Round Difference Prob.

0 (00100104 04082082 80000820 40000000) 6 (00082000 00001000 00000010 00000008) 2−3
1 (04082082 80000820 40000000 00400008) 2−5 7 (00001000 00000010 00000008 08000000) 2−2
2 (80000820 40000000 00400008 08200004) 2−6 8 (00000010 00000008 08000000 00000000) 2−1
3 (40000000 00400008 08200004 00082000) 2−2 9 (00000008 08000000 00000000 00000000) 2−1
4 (00400008 08200004 00082000 00001000) 2−2 10 (08000000 00000000 00000000 00000000) 2−1
5 (08200004 00082000 00001000 00000010) 2−3
Electronics 2024, 13, 3141 10 of 21

Table 10. An optimal 16-round linear approximation of CHAM-128/128 and CHAM-128/256 with a
correlation of 2−9 .

Round Linear Mask Cor. Round Linear Mask Cor.

0 (00040000 c1020000 00800000 00008000) 9 (00000000 00000000 00000000 00000600) 2−1
1 (c1000000 00800000 00008000 06000000) 2−1 10 (00000000 00000000 00000600 00000000) 1
2 (00018000 00008000 06000000 02000001) 2−2 11 (00000000 00000600 00000000 00000000) 1
3 (00000000 06000000 02000001 01000000) 2−1 12 (00000600 00000000 00000000 00000000) 1
4 (06000000 02000001 01000000 00000000) 1 13 (00000200 00000000 00000000 00040000) 2−1
5 (00000001 01000000 00000000 00000004) 2−1 14 (00000002 00000000 00040000 00000600) 2−1
6 (00000000 00000000 00000004 00000002) 1 15 (00000001 00040000 00000600 00000200) 2−1
7 (00000000 00000004 00000002 00000000) 1 16 (01040000 00000600 00000200 00000002) 1
8 (00000004 00000002 00000000 00000000) 1

As mentioned earlier, for each 1-bit and 2-bit difference, the set of strong unbalanced bits
for the 32-round Em is determined using the threshold 2−8 and 228 pseudo plaintext–ciphertext
pairs. These results are summarized in Tables A2 and A3 provided in Appendix A.

5. Conclusions
In this work, we presented the first concrete differential–linear approximations of
CHAM. We found a 46-round differential–linear approximation of CHAM-64/128 with a
correlation of 2−31.08 and a 58-round approximation for CHAM-128/128 and CHAM-128/256
with correlations of 2−58.86 and 2−59.08 , respectively. These are not only the first known
concrete differential–linear approximations of CHAM, but they also have much longer
rounds than the designers anticipated. Despite these findings, CHAM remains secure due
to its sufficient security margin.
Further research is needed to better understand the differential–linear approximations
and differential–linear cryptanalysis of ARX-based block ciphers, including CHAM. We
anticipate that the following studies are necessary:
• mounting differential–linear attacks on CHAM using known differential–linear approx-
imations,
• calculating more exact correlations of the differential–linear approximations, and
• developing more efficient and effective methods for finding differential–linear
approximations.

Funding: This work was supported by an Institute of Information & communications Technology
Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2021-0-00046,
Development of next-generation cryptosystem to improve security and usability of national informa-
tion system).
Data Availability Statement: The data are contained within this article.
Conflicts of Interest: The authors declare no conflicts of interest.

Appendix A. Experimental Results

Table A1. Strong unbalanced bits for 26-round CHAM-64/128 with a threshold of 2−7 .

Input Difference # Strong Unbalanced Bits

(0000 0000 0000 0001) 10 20, 27, 34, 35, 36, 37, 44, 53, 58, 60
(0000 0000 0000 0002) 8 21, 35, 36, 37, 38, 45, 54, 59
(0000 0000 0000 0004) 11 22, 29, 36, 37, 38, 39, 46, 55, 59, 60, 62
(0000 0000 0000 0008) 8 23, 38, 39, 40, 47, 56, 61, 63
(0000 0000 0000 0010) 8 24, 32, 39, 40, 41, 55, 57, 62
Electronics 2024, 13, 3141 11 of 21

Table A1. Cont.

Input Difference # Strong Unbalanced Bits

(0000 0000 0000 0020) 8 25, 33, 40, 41, 42, 49, 58, 63
(0000 0000 0000 0040) 7 26, 33, 34, 41, 42, 43, 59
(0000 0000 0000 0080) 6 27, 35, 42, 43, 44, 60
(0000 0000 0000 0100) 10 4, 27, 28, 35, 36, 43, 44, 45, 52, 59
(0000 0000 0000 0200) 8 29, 36, 37, 44, 45, 46, 51, 62
(0000 0000 0000 0400) 10 14, 21, 30, 38, 44, 45, 46, 47, 52, 63
(0000 0000 0000 0800) 12 0, 15, 22, 31, 32, 39, 45, 46, 47, 48, 53, 55
(0000 0000 0000 1000) 13 0, 15, 16, 23, 32, 33, 40, 46, 47, 49, 54, 56, 63
(0000 0000 0000 2000) 11 0, 17, 24, 32, 33, 34, 41, 47, 50, 55, 57
(0000 0000 0000 4000) 11 1, 18, 25, 27, 32, 33, 34, 35, 42, 51, 56
(0000 0000 0000 8000) 10 19, 26, 33, 34, 35, 36, 43, 52, 57, 59
(0000 0000 0001 0000) 6 35, 36, 52, 53, 59, 60
(0000 0000 0002 0000) 9 14, 36, 37, 44, 52, 53, 54, 60, 61
(0000 0000 0004 0000) 8 15, 38, 45, 53, 54, 55, 61, 62
(0000 0000 0008 0000) 7 39, 46, 54, 55, 56, 62, 63
(0000 0000 0010 0000) 8 1, 40, 47, 48, 55, 56, 57, 63
(0000 0000 0020 0000) 7 2, 32, 41, 49, 56, 57, 58
(0000 0000 0040 0000) 7 3, 33, 42, 50, 57, 58, 59
(0000 0000 0080 0000) 7 4, 34, 43, 51, 58, 59, 60
(0000 0000 0100 0000) 6 35, 44, 52, 59, 60, 61
(0000 0000 0200 0000) 7 36, 45, 53, 59, 60, 61, 62
(0000 0000 0400 0000) 6 46, 53, 54, 61, 62, 63
(0000 0000 0800 0000) 6 47, 48, 54, 55, 62, 63
(0000 0000 1000 0000) 5 32, 48, 49, 56, 63
(0000 0000 2000 0000) 5 33, 49, 50, 56, 57
(0000 0000 4000 0000) 7 33, 34, 49, 50, 51, 57, 58
(0000 0000 8000 0000) 7 12, 34, 35, 50, 51, 52, 59
(0000 0001 0000 0000) 2 52, 59
(0000 0002 0000 0000) 1 53
(0000 0004 0000 0000) 3 31, 54, 61
(0000 0008 0000 0000) 1 55
(0000 0010 0000 0000) 2 1, 56
(0000 0020 0000 0000) 2 18, 57
(0000 0040 0000 0000) 2 3, 58
(0000 0080 0000 0000) 3 35, 44, 59
(0000 0100 0000 0000) 1 60
(0000 0200 0000 0000) 2 52, 61
(0000 0400 0000 0000) 4 23, 46, 53, 62
(0000 0800 0000 0000) 4 32, 47, 54, 63
(0000 1000 0000 0000) 6 25, 32, 47, 48, 55, 63
(0000 2000 0000 0000) 4 26, 32, 49, 56
(0000 4000 0000 0000) 6 27, 33, 35, 50, 57, 59
(0000 8000 0000 0000) 1 51
(0001 0000 0000 0000) 10 12, 20, 27, 28, 29, 34, 36, 45, 51, 58
(0002 0000 0000 0000) 13 4, 13, 21, 27, 28, 29, 30, 35, 37, 46, 51, 52, 59
(0004 0000 0000 0000) 11 14, 22, 29, 30, 31, 36, 47, 52, 53, 59, 60
(0008 0000 0000 0000) 8 15, 16, 23, 31, 32, 53, 54, 61
(0010 0000 0000 0000) 9 0, 16, 17, 24, 31, 33, 54, 55, 62
(0020 0000 0000 0000) 10 1, 17, 18, 25, 32, 34, 41, 55, 56, 63
(0040 0000 0000 0000) 9 2, 17, 18, 19, 26, 35, 48, 56, 57
(0080 0000 0000 0000) 10 3, 18, 19, 20, 27, 36, 43, 49, 57, 58
(0100 0000 0000 0000) 9 4, 20, 21, 27, 28, 35, 44, 50, 59
(0200 0000 0000 0000) 7 5, 21, 22, 29, 51, 59, 60
(0400 0000 0000 0000) 10 6, 22, 23, 29, 30, 44, 46, 52, 60, 61
(0800 0000 0000 0000) 11 7, 14, 22, 23, 24, 31, 45, 53, 60, 61, 62
(1000 0000 0000 0000) 12 8, 15, 16, 23, 24, 25, 32, 41, 46, 54, 62, 63
(2000 0000 0000 0000) 13 0, 9, 17, 24, 25, 26, 33, 42, 47, 48, 54, 55, 63
(4000 0000 0000 0000) 11 1, 10, 18, 25, 26, 27, 32, 34, 43, 49, 56
Electronics 2024, 13, 3141 12 of 21

Table A1. Cont.

Input Difference # Strong Unbalanced Bits

(8000 0000 0000 0000) 14 2, 11, 19, 26, 27, 28, 33, 35, 44, 49, 50, 56, 57, 59
(0000 0000 0000 0003) 3 35, 36, 37
(0000 0000 0000 0006) 5 36, 37, 38, 45, 59
(0000 0000 0000 000c) 4 38, 39, 46, 55
(0000 0000 0000 0018) 4 39, 40, 47, 63
(0000 0000 0000 0030) 5 24, 32, 40, 41, 57
(0000 0000 0000 0060) 4 25, 33, 41, 42
(0000 0000 0000 00c0) 4 34, 42, 43, 59
(0000 0000 0000 0180) 4 27, 35, 43, 44
(0000 0000 0000 0300) 4 28, 36, 44, 45
(0000 0000 0000 0600) 5 29, 37, 44, 45, 46
(0000 0000 0000 0c00) 6 30, 38, 45, 46, 47, 63
(0000 0000 0000 1800) 5 31, 32, 46, 47, 55
(0000 0000 0000 3000) 6 32, 33, 40, 47, 49, 54
(0000 0000 0000 6000) 8 17, 32, 33, 34, 41, 47, 55, 57
(0000 0000 0000 c000) 4 33, 34, 35, 51
(0000 0000 0001 8000) 3 35, 36, 52
(0000 0000 0003 0000) 4 36, 52, 53, 60
(0000 0000 0006 0000) 3 53, 54, 61
(0000 0000 000c 0000) 4 38, 54, 55, 62
(0000 0000 0018 0000) 3 55, 56, 63
(0000 0000 0030 0000) 5 1, 48, 55, 56, 57
(0000 0000 0060 0000) 3 49, 57, 58
(0000 0000 00c0 0000) 6 33, 42, 50, 57, 58, 59
(0000 0000 0180 0000) 2 59, 60
(0000 0000 0300 0000) 4 52, 59, 60, 61
(0000 0000 0600 0000) 4 45, 53, 61, 62
(0000 0000 0c00 0000) 4 46, 54, 62, 63
(0000 0000 1800 0000) 4 47, 48, 55, 63
(0000 0000 3000 0000) 5 32, 48, 49, 56, 63
(0000 0000 6000 0000) 4 33, 49, 50, 57
(0000 0000 c000 0000) 5 34, 49, 50, 51, 58
(0000 0001 8000 0000) 0 -
(0000 0003 0000 0000) 0 -
(0000 0006 0000 0000) 0 -
(0000 000c 0000 0000) 0 -
(0000 0018 0000 0000) 1 55
(0000 0030 0000 0000) 1 56
(0000 0060 0000 0000) 1 57
(0000 00c0 0000 0000) 0 -
(0000 0180 0000 0000) 1 59
(0000 0300 0000 0000) 1 60
(0000 0600 0000 0000) 1 61
(0000 0c00 0000 0000) 1 62
(0000 1800 0000 0000) 1 63
(0000 3000 0000 0000) 1 48
(0000 6000 0000 0000) 2 49, 56
(0000 c000 0000 0000) 1 27
(0001 8000 0000 0000) 13 3, 4, 5, 12, 21, 28, 34, 43, 51, 57, 58, 59, 60
(0003 0000 0000 0000) 8 20, 27, 28, 29, 36, 45, 51, 58
(0006 0000 0000 0000) 7 21, 29, 30, 35, 46, 52, 59
(000c 0000 0000 0000) 8 14, 22, 30, 31, 36, 47, 53, 60
(0018 0000 0000 0000) 6 15, 16, 23, 31, 54, 61
(0030 0000 0000 0000) 7 0, 16, 17, 24, 33, 55, 62
(0060 0000 0000 0000) 9 1, 17, 18, 25, 34, 41, 55, 56, 63
(00c0 0000 0000 0000) 8 2, 18, 19, 26, 35, 48, 56, 57
(0180 0000 0000 0000) 8 3, 19, 20, 27, 36, 49, 57, 58
(0300 0000 0000 0000) 6 4, 20, 21, 28, 44, 59
Electronics 2024, 13, 3141 13 of 21

Table A1. Cont.

Input Difference # Strong Unbalanced Bits

(0600 0000 0000 0000) 6 21, 22, 29, 51, 59, 60
(0c00 0000 0000 0000) 9 6, 22, 23, 30, 44, 46, 52, 60, 61
(1800 0000 0000 0000) 7 23, 24, 31, 45, 53, 61, 62
(3000 0000 0000 0000) 10 16, 23, 24, 25, 32, 41, 46, 54, 62, 63
(6000 0000 0000 0000) 8 17, 25, 26, 33, 42, 47, 48, 55
(c000 0000 0000 0000) 11 1, 10, 18, 25, 26, 27, 32, 34, 43, 49, 56

Table A2. Strong unbalanced bits for 32-round CHAM-128/128 with a threshold of 2−8 .

Input Difference # Strong Unbalanced Bits

(00000000 00000000 00000000 00000001) 17 4, 5, 44, 55, 77, 83, 84, 87, 88, 95, 96, 109, 110, 117, 122, 123, 124
(00000000 00000000 00000000 00000002) 17 5, 6, 45, 56, 64, 78, 84, 85, 88, 89, 97, 111, 117, 118, 123, 124, 125
(00000000 00000000 00000000 00000004) 19 6, 7, 39, 46, 57, 65, 79, 85, 86, 89, 90, 98, 105, 112, 118, 119, 124, 125, 126
(00000000 00000000 00000000 00000008) 18 1, 8, 40, 47, 58, 66, 80, 86, 87, 90, 91, 99, 113, 119, 120, 125, 126, 127
(00000000 00000000 00000000 00000010) 20 2, 8, 9, 41, 48, 59, 67, 74, 81, 87, 88, 91, 92, 96, 100, 114, 120, 121, 126, 127
(00000000 00000000 00000000 00000020) 20 3, 9, 10, 49, 60, 68, 75, 82, 88, 89, 92, 93, 96, 97, 101, 108, 115, 121, 122, 127
(00000000 00000000 00000000 00000040) 19 4, 10, 11, 61, 69, 76, 83, 89, 90, 93, 94, 96, 97, 98, 102, 109, 116, 122, 123
(00000000 00000000 00000000 00000080) 19 5, 11, 12, 51, 62, 70, 77, 84, 90, 91, 94, 95, 97, 98, 99, 103, 117, 123, 124
(00000000 00000000 00000000 00000100) 19 6, 12, 13, 52, 63, 64, 71, 78, 85, 91, 92, 95, 98, 99, 100, 104, 118, 124, 125
(00000000 00000000 00000000 00000200) 18 13, 14, 32, 53, 64, 65, 72, 79, 86, 92, 93, 99, 100, 101, 105, 119, 125, 126
(00000000 00000000 00000000 00000400) 21 1, 8, 14, 15, 33, 54, 65, 66, 73, 80, 87, 93, 94, 99, 100, 101, 102, 106, 120, 126, 127
(00000000 00000000 00000000 00000800) 23 2, 9, 15, 16, 34, 41, 55, 66, 67, 74, 81, 88, 94, 95, 96, 100, 101, 102, 103, 107, 114, 121, 127
(00000000 00000000 00000000 00001000) 23 3, 10, 16, 17, 35, 56, 64, 67, 68, 75, 82, 89, 95, 96, 97, 101, 102, 103, 104, 108, 115, 121, 122
(00000000 00000000 00000000 00002000) 21 4, 11, 17, 18, 36, 57, 64, 65, 68, 69, 76, 83, 90, 97, 98, 103, 104, 105, 109, 122, 123
(00000000 00000000 00000000 00004000) 21 5, 12, 18, 19, 37, 58, 65, 66, 69, 70, 77, 84, 91, 98, 99, 104, 105, 106, 117, 123, 124
(00000000 00000000 00000000 00008000) 19 13, 19, 20, 38, 59, 66, 67, 70, 71, 78, 92, 99, 100, 105, 106, 107, 111, 124, 125
(00000000 00000000 00000000 00010000) 17 14, 20, 21, 39, 60, 67, 68, 72, 79, 93, 100, 101, 106, 107, 108, 125, 126
(00000000 00000000 00000000 00020000) 18 15, 21, 22, 40, 61, 68, 69, 72, 73, 80, 94, 101, 102, 107, 108, 109, 126, 127
(00000000 00000000 00000000 00040000) 19 16, 22, 23, 41, 62, 69, 70, 73, 74, 81, 95, 96, 102, 103, 108, 109, 110, 114, 127
(00000000 00000000 00000000 00080000) 21 17, 23, 24, 42, 63, 64, 70, 71, 74, 75, 82, 96, 97, 103, 104, 108, 109, 110, 111, 115, 122
(00000000 00000000 00000000 00100000) 20 18, 24, 25, 32, 43, 65, 71, 72, 75, 76, 83, 97, 98, 104, 105, 109, 110, 111, 112, 116
(00000000 00000000 00000000 00200000) 18 19, 26, 33, 44, 66, 72, 73, 76, 77, 84, 98, 99, 105, 106, 111, 112, 113, 117
(00000000 00000000 00000000 00400000) 20 26, 27, 34, 45, 67, 73, 74, 77, 78, 85, 92, 99, 100, 106, 107, 112, 113, 114, 118, 125
(00000000 00000000 00000000 00800000) 13 28, 35, 68, 74, 75, 78, 79, 86, 101, 108, 113, 114, 115
(00000000 00000000 00000000 01000000) 19 28, 29, 36, 47, 69, 75, 76, 79, 80, 87, 94, 101, 102, 108, 109, 114, 115, 116, 127
(00000000 00000000 00000000 02000000) 18 16, 29, 30, 37, 70, 76, 77, 80, 81, 88, 102, 103, 109, 110, 115, 116, 117, 121
(00000000 00000000 00000000 04000000) 23 17, 30, 31, 38, 49, 64, 71, 76, 77, 78, 80, 81, 82, 89, 97, 103, 104, 111, 115, 116, 117, 118, 122
(00000000 00000000 00000000 08000000) 22 0, 18, 31, 39, 50, 65, 72, 77, 78, 79, 82, 83, 90, 98, 104, 105, 111, 112, 117, 118, 119, 123
(00000000 00000000 00000000 10000000) 21 0, 1, 19, 40, 51, 66, 73, 78, 79, 80, 83, 84, 91, 99, 105, 106, 113, 118, 119, 120, 124
(00000000 00000000 00000000 20000000) 23 1, 2, 20, 27, 41, 52, 67, 74, 79, 80, 81, 84, 85, 92, 100, 106, 107, 113, 114, 119, 120, 121, 125
(00000000 00000000 00000000 40000000) 26 2, 3, 21, 28, 35, 42, 53, 60, 68, 75, 80, 81, 82, 85, 86, 93, 101, 107, 108, 114, 115, 119, 120, 121, 122, 126
(00000000 00000000 00000000 80000000) 21 3, 4, 36, 43, 54, 61, 69, 76, 82, 83, 86, 87, 94, 108, 109, 115, 116, 121, 122, 123, 127
(00000000 00000000 00000001 00000000) 10 36, 37, 62, 69, 76, 87, 109, 115, 116, 120
(00000000 00000000 00000002 00000000) 9 30, 37, 38, 63, 77, 88, 117, 121, 122
(00000000 00000000 00000004 00000000) 11 31, 32, 38, 39, 57, 78, 89, 111, 117, 118, 122
(00000000 00000000 00000008 00000000) 10 0, 33, 39, 40, 58, 79, 90, 118, 119, 123
(00000000 00000000 00000010 00000000) 12 1, 34, 40, 41, 59, 80, 91, 99, 113, 119, 120, 124
(00000000 00000000 00000020 00000000) 12 2, 35, 41, 42, 60, 81, 92, 100, 114, 120, 121, 125
(00000000 00000000 00000040 00000000) 12 3, 36, 43, 61, 82, 93, 115, 121, 122, 125, 126, 127
(00000000 00000000 00000080 00000000) 11 4, 37, 43, 44, 62, 83, 94, 122, 123, 126, 127
(00000000 00000000 00000100 00000000) 10 5, 38, 44, 45, 63, 84, 95, 96, 123, 124
(00000000 00000000 00000200 00000000) 11 6, 32, 39, 45, 46, 64, 85, 97, 98, 124, 125
(00000000 00000000 00000400 00000000) 10 33, 40, 47, 65, 86, 98, 99, 119, 125, 126
(00000000 00000000 00000800 00000000) 12 34, 41, 47, 48, 66, 80, 98, 99, 100, 120, 126, 127
(00000000 00000000 00001000 00000000) 10 9, 35, 49, 67, 88, 96, 99, 100, 121, 127
(00000000 00000000 00002000 00000000) 11 10, 36, 43, 50, 68, 89, 96, 97, 100, 101, 122
(00000000 00000000 00004000 00000000) 12 11, 37, 44, 51, 69, 90, 97, 98, 102, 103, 109, 123
(00000000 00000000 00008000 00000000) 10 12, 38, 45, 52, 70, 91, 98, 99, 103, 124
(00000000 00000000 00010000 00000000) 9 13, 39, 53, 92, 99, 100, 104, 105, 125
(00000000 00000000 00020000 00000000) 9 14, 40, 53, 54, 72, 100, 101, 105, 126
(00000000 00000000 00040000 00000000) 10 15, 41, 55, 73, 94, 101, 102, 105, 106, 127
(00000000 00000000 00080000 00000000) 9 16, 55, 56, 74, 95, 96, 102, 103, 107
(00000000 00000000 00100000 00000000) 10 17, 43, 57, 64, 75, 97, 103, 104, 108, 115
(00000000 00000000 00200000 00000000) 12 18, 44, 51, 57, 58, 65, 76, 98, 104, 105, 108, 109
(00000000 00000000 00400000 00000000) 10 19, 45, 59, 66, 77, 99, 105, 106, 109, 110
(00000000 00000000 00800000 00000000) 10 20, 53, 59, 60, 67, 78, 100, 106, 107, 111
Electronics 2024, 13, 3141 14 of 21

Table A2. Cont.

Input Difference # Strong Unbalanced Bits

(00000000 00000000 01000000 00000000) 6 21, 61, 79, 101, 108, 112
(00000000 00000000 02000000 00000000) 9 22, 61, 62, 69, 80, 102, 108, 109, 113
(00000000 00000000 04000000 00000000) 9 62, 63, 70, 81, 103, 109, 110, 114, 115
(00000000 00000000 08000000 00000000) 7 24, 32, 63, 82, 104, 111, 115
(00000000 00000000 10000000 00000000) 9 33, 72, 83, 105, 111, 112, 115, 116, 117
(00000000 00000000 20000000 00000000) 8 33, 34, 59, 73, 84, 106, 113, 117
(00000000 00000000 40000000 00000000) 9 27, 35, 53, 60, 74, 85, 114, 118, 119
(00000000 00000000 80000000 00000000) 12 28, 35, 36, 54, 61, 75, 86, 108, 114, 115, 119, 126
(00000000 00000001 00000000 00000000) 5 61, 68, 69, 108, 119
(00000000 00000002 00000000 00000000) 5 62, 69, 70, 109, 120
(00000000 00000004 00000000 00000000) 7 63, 64, 70, 71, 103, 110, 121
(00000000 00000008 00000000 00000000) 6 32, 65, 72, 104, 111, 122
(00000000 00000010 00000000 00000000) 7 33, 66, 72, 73, 105, 112, 123
(00000000 00000020 00000000 00000000) 6 34, 67, 73, 74, 113, 124
(00000000 00000040 00000000 00000000) 6 35, 68, 74, 75, 114, 125
(00000000 00000080 00000000 00000000) 6 36, 69, 75, 76, 115, 126
(00000000 00000100 00000000 00000000) 7 37, 70, 76, 77, 109, 116, 127
(00000000 00000200 00000000 00000000) 6 38, 64, 77, 78, 96, 117
(00000000 00000400 00000000 00000000) 7 39, 65, 72, 78, 79, 97, 118
(00000000 00000800 00000000 00000000) 8 40, 66, 73, 79, 80, 98, 105, 119
(00000000 00001000 00000000 00000000) 7 41, 67, 74, 80, 81, 99, 120
(00000000 00002000 00000000 00000000) 5 75, 81, 82, 100, 121
(00000000 00004000 00000000 00000000) 8 43, 69, 76, 82, 83, 101, 115, 122
(00000000 00008000 00000000 00000000) 6 44, 77, 83, 84, 102, 123
(00000000 00010000 00000000 00000000) 6 45, 78, 84, 85, 103, 124
(00000000 00020000 00000000 00000000) 5 79, 85, 86, 104, 125
(00000000 00040000 00000000 00000000) 6 47, 80, 86, 87, 105, 126
(00000000 00080000 00000000 00000000) 5 81, 87, 88, 106, 127
(00000000 00100000 00000000 00000000) 5 82, 88, 89, 96, 107
(00000000 00200000 00000000 00000000) 4 89, 90, 97, 108
(00000000 00400000 00000000 00000000) 4 90, 91, 98, 109
(00000000 00800000 00000000 00000000) 2 92, 99
(00000000 01000000 00000000 00000000) 5 53, 92, 93, 100, 111
(00000000 02000000 00000000 00000000) 2 94, 101
(00000000 04000000 00000000 00000000) 6 55, 81, 94, 95, 102, 113
(00000000 08000000 00000000 00000000) 6 56, 64, 82, 95, 103, 114
(00000000 10000000 00000000 00000000) 6 57, 64, 65, 83, 104, 115
(00000000 20000000 00000000 00000000) 7 58, 65, 66, 84, 98, 105, 116
(00000000 40000000 00000000 00000000) 9 59, 66, 67, 85, 92, 99, 106, 117, 124
(00000000 80000000 00000000 00000000) 7 60, 67, 68, 100, 107, 118, 125
(00000001 00000000 00000000 00000000) 21 20, 31, 32, 59, 60, 66, 67, 68, 72, 86, 93, 99, 100, 101, 107, 108, 117, 118, 119, 125, 126
(00000002 00000000 00000000 00000000) 22 0, 21, 33, 60, 61, 67, 68, 69, 73, 87, 94, 100, 101, 102, 108, 109, 118, 119, 120, 125, 126, 127
(00000004 00000000 00000000 00000000) 21 1, 22, 34, 61, 62, 68, 69, 70, 74, 88, 95, 96, 102, 103, 108, 109, 110, 119, 120, 121, 127
(00000008 00000000 00000000 00000000) 20 2, 35, 63, 64, 69, 70, 71, 75, 89, 96, 97, 103, 104, 109, 110, 111, 115, 120, 121, 122
(00000010 00000000 00000000 00000000) 19 3, 32, 36, 63, 65, 70, 71, 72, 76, 90, 97, 98, 104, 105, 111, 112, 121, 122, 123
(00000020 00000000 00000000 00000000) 20 4, 33, 37, 65, 66, 71, 72, 73, 77, 91, 98, 99, 105, 106, 111, 112, 113, 122, 123, 124
(00000040 00000000 00000000 00000000) 21 5, 33, 34, 38, 59, 67, 72, 73, 74, 78, 92, 99, 100, 105, 106, 107, 113, 114, 123, 124, 125
(00000080 00000000 00000000 00000000) 22 6, 27, 34, 35, 39, 60, 68, 73, 74, 75, 79, 86, 93, 100, 101, 107, 108, 114, 115, 124, 125, 126
(00000100 00000000 00000000 00000000) 20 28, 35, 36, 40, 61, 69, 74, 75, 76, 80, 94, 101, 102, 108, 109, 115, 116, 125, 126, 127
(00000200 00000000 00000000 00000000) 20 36, 37, 41, 62, 69, 70, 75, 76, 77, 95, 96, 102, 103, 109, 110, 115, 116, 117, 126, 127
(00000400 00000000 00000000 00000000) 24 9, 30, 37, 38, 41, 42, 63, 64, 70, 71, 76, 77, 78, 82, 96, 97, 103, 104, 109, 110, 111, 117, 118, 127
(00000800 00000000 00000000 00000000) 21 10, 32, 38, 39, 43, 65, 72, 77, 78, 79, 83, 96, 97, 98, 104, 105, 111, 112, 117, 118, 119
(00001000 00000000 00000000 00000000) 25 0, 11, 33, 39, 40, 44, 65, 66, 73, 77, 78, 79, 80, 84, 97, 98, 99, 104, 105, 106, 112, 113, 119, 120, 124
(00002000 00000000 00000000 00000000) 27 1, 12, 34, 40, 41, 45, 66, 67, 73, 74, 78, 79, 80, 81, 85, 92, 98, 99, 100, 105, 106, 107, 113, 114, 119, 120, 121
(00004000 00000000 00000000 00000000) 23 2, 13, 35, 41, 42, 46, 67, 68, 74, 75, 80, 81, 82, 86, 99, 100, 101, 107, 108, 114, 115, 121, 122
(00008000 00000000 00000000 00000000) 22 3, 14, 36, 43, 47, 69, 75, 76, 81, 82, 83, 100, 101, 102, 108, 109, 115, 116, 121, 122, 123, 127
(00010000 00000000 00000000 00000000) 22 4, 15, 37, 43, 44, 48, 70, 76, 77, 82, 83, 84, 101, 102, 103, 109, 110, 116, 117, 122, 123, 124
(00020000 00000000 00000000 00000000) 21 5, 16, 38, 44, 45, 49, 71, 77, 78, 83, 84, 85, 102, 103, 104, 111, 117, 118, 123, 124, 125
(00040000 00000000 00000000 00000000) 22 6, 17, 39, 45, 46, 50, 72, 78, 79, 84, 85, 86, 103, 104, 105, 111, 112, 118, 119, 124, 125, 126
(00080000 00000000 00000000 00000000) 20 18, 40, 47, 51, 73, 79, 80, 85, 86, 87, 104, 105, 106, 112, 113, 119, 120, 125, 126, 127
(00100000 00000000 00000000 00000000) 22 19, 41, 48, 52, 74, 80, 81, 86, 87, 88, 92, 96, 100, 105, 106, 107, 113, 114, 120, 121, 126, 127
(00200000 00000000 00000000 00000000) 18 9, 20, 49, 53, 75, 82, 87, 88, 89, 96, 97, 106, 107, 108, 114, 115, 121, 122
(00400000 00000000 00000000 00000000) 21 10, 21, 50, 53, 54, 76, 82, 83, 88, 89, 90, 94, 97, 98, 107, 108, 109, 115, 116, 122, 123
(00800000 00000000 00000000 00000000) 20 11, 22, 44, 51, 55, 77, 84, 89, 90, 91, 97, 98, 99, 108, 109, 110, 116, 117, 123, 124
(01000000 00000000 00000000 00000000) 19 12, 23, 45, 52, 56, 78, 85, 90, 91, 92, 99, 100, 109, 110, 111, 117, 118, 124, 125
(02000000 00000000 00000000 00000000) 17 13, 24, 53, 57, 79, 86, 91, 92, 93, 100, 101, 111, 112, 118, 119, 125, 126
(04000000 00000000 00000000 00000000) 18 14, 54, 58, 80, 87, 92, 93, 94, 100, 101, 102, 111, 112, 113, 119, 120, 126, 127
(08000000 00000000 00000000 00000000) 20 15, 26, 55, 59, 67, 80, 81, 88, 93, 94, 95, 96, 101, 102, 103, 113, 114, 120, 121, 127
(10000000 00000000 00000000 00000000) 22 16, 27, 55, 56, 59, 60, 64, 82, 89, 94, 95, 96, 97, 102, 103, 104, 108, 113, 114, 115, 121, 122
(20000000 00000000 00000000 00000000) 21 17, 28, 57, 61, 64, 65, 69, 83, 90, 95, 97, 98, 103, 104, 105, 109, 114, 115, 116, 122, 123
(40000000 00000000 00000000 00000000) 20 18, 29, 58, 62, 64, 65, 66, 70, 84, 91, 98, 99, 104, 105, 106, 115, 116, 117, 123, 124
(80000000 00000000 00000000 00000000) 23 19, 30, 58, 59, 63, 65, 66, 67, 85, 92, 98, 99, 100, 105, 106, 107, 111, 116, 117, 118, 123, 124, 125
(00000000 00000000 00000000 00000003) 9 5, 44, 83, 84, 88, 117, 122, 123, 124
(00000000 00000000 00000000 00000006) 10 6, 78, 84, 85, 89, 111, 118, 123, 124, 125
(00000000 00000000 00000000 0000000c) 9 7, 79, 85, 86, 90, 119, 124, 125, 126
(00000000 00000000 00000000 00000018) 11 8, 80, 86, 87, 91, 99, 113, 120, 125, 126, 127
(00000000 00000000 00000000 00000030) 10 9, 59, 88, 92, 96, 100, 114, 121, 126, 127
(00000000 00000000 00000000 00000060) 9 10, 88, 89, 93, 96, 97, 115, 122, 127
(00000000 00000000 00000000 000000c0) 9 11, 61, 69, 90, 94, 97, 98, 116, 123
(00000000 00000000 00000000 00000180) 9 12, 62, 91, 95, 97, 98, 99, 117, 124
(00000000 00000000 00000000 00000300) 10 12, 13, 63, 64, 92, 98, 99, 100, 118, 125
Electronics 2024, 13, 3141 15 of 21

Table A2. Cont.

Input Difference # Strong Unbalanced Bits

(00000000 00000000 00000000 00000600) 11 13, 14, 65, 92, 93, 99, 100, 101, 119, 125, 126
(00000000 00000000 00000000 00000c00) 12 14, 15, 33, 65, 66, 94, 100, 101, 102, 120, 126, 127
(00000000 00000000 00000000 00001800) 12 15, 16, 66, 67, 74, 94, 95, 96, 101, 102, 103, 121
(00000000 00000000 00000000 00003000) 11 16, 17, 64, 68, 95, 97, 102, 103, 104, 108, 122
(00000000 00000000 00000000 00006000) 10 18, 64, 65, 69, 98, 103, 104, 105, 109, 123
(00000000 00000000 00000000 0000c000) 10 19, 65, 66, 69, 70, 99, 104, 105, 106, 124
(00000000 00000000 00000000 00018000) 9 20, 66, 67, 71, 100, 105, 106, 107, 125
(00000000 00000000 00000000 00030000) 8 21, 68, 72, 101, 106, 107, 108, 126
(00000000 00000000 00000000 00060000) 8 22, 69, 73, 80, 102, 108, 109, 127
(00000000 00000000 00000000 000c0000) 9 23, 69, 70, 74, 96, 103, 108, 109, 110
(00000000 00000000 00000000 00180000) 10 24, 71, 74, 75, 97, 104, 109, 110, 111, 115
(00000000 00000000 00000000 00300000) 7 25, 72, 76, 98, 105, 111, 112
(00000000 00000000 00000000 00600000) 10 26, 44, 73, 77, 99, 106, 111, 112, 113, 117
(00000000 00000000 00000000 00c00000) 9 27, 73, 74, 77, 78, 100, 107, 113, 114
(00000000 00000000 00000000 01800000) 8 28, 74, 75, 79, 101, 108, 114, 115
(00000000 00000000 00000000 03000000) 9 29, 75, 76, 80, 102, 109, 114, 115, 116
(00000000 00000000 00000000 06000000) 11 30, 70, 76, 77, 80, 81, 103, 110, 115, 116, 117
(00000000 00000000 00000000 0c000000) 11 31, 38, 77, 78, 81, 82, 104, 111, 116, 117, 118
(00000000 00000000 00000000 18000000) 10 0, 78, 79, 82, 83, 105, 112, 117, 118, 119
(00000000 00000000 00000000 30000000) 13 1, 40, 73, 79, 80, 83, 84, 106, 113, 118, 119, 120, 124
(00000000 00000000 00000000 60000000) 18 1, 2, 41, 52, 74, 79, 80, 81, 84, 85, 92, 100, 107, 114, 119, 120, 121, 125
(00000000 00000000 00000000 c0000000) 13 2, 3, 53, 75, 81, 82, 85, 86, 108, 115, 120, 121, 122
(00000000 00000000 00000001 80000000) 6 36, 76, 87, 109, 115, 116
(00000000 00000000 00000003 00000000) 3 37, 116, 120
(00000000 00000000 00000006 00000000) 3 38, 117, 121
(00000000 00000000 0000000c 00000000) 4 39, 78, 118, 122
(00000000 00000000 00000018 00000000) 4 40, 79, 119, 123
(00000000 00000000 00000030 00000000) 4 41, 80, 120, 124
(00000000 00000000 00000060 00000000) 3 42, 121, 125
(00000000 00000000 000000c0 00000000) 3 43, 122, 126
(00000000 00000000 00000180 00000000) 3 44, 123, 127
(00000000 00000000 00000300 00000000) 2 45, 124
(00000000 00000000 00000600 00000000) 3 46, 97, 125
(00000000 00000000 00000c00 00000000) 3 47, 98, 126
(00000000 00000000 00001800 00000000) 3 48, 99, 127
(00000000 00000000 00003000 00000000) 3 49, 96, 100
(00000000 00000000 00006000 00000000) 3 50, 97, 101
(00000000 00000000 0000c000 00000000) 3 51, 98, 102
(00000000 00000000 00018000 00000000) 3 52, 99, 103
(00000000 00000000 00030000 00000000) 3 53, 100, 104
(00000000 00000000 00060000 00000000) 3 54, 101, 105
(00000000 00000000 000c0000 00000000) 3 55, 102, 106
(00000000 00000000 00180000 00000000) 4 56, 74, 103, 107
(00000000 00000000 00300000 00000000) 4 57, 75, 104, 108
(00000000 00000000 00600000 00000000) 4 58, 76, 105, 109
(00000000 00000000 00c00000 00000000) 8 19, 59, 66, 77, 99, 105, 106, 110
(00000000 00000000 01800000 00000000) 2 60, 107
(00000000 00000000 03000000 00000000) 2 61, 108
(00000000 00000000 06000000 00000000) 3 62, 109, 113
(00000000 00000000 0c000000 00000000) 3 63, 110, 114
(00000000 00000000 18000000 00000000) 4 32, 82, 111, 115
(00000000 00000000 30000000 00000000) 3 33, 112, 116
(00000000 00000000 60000000 00000000) 4 34, 84, 113, 117
(00000000 00000000 c0000000 00000000) 6 35, 60, 74, 85, 114, 118
(00000000 00000001 80000000 00000000) 0 -
(00000000 00000003 00000000 00000000) 1 69
(00000000 00000006 00000000 00000000) 2 70, 109
(00000000 0000000c 00000000 00000000) 1 71
(00000000 00000018 00000000 00000000) 2 72, 122
(00000000 00000030 00000000 00000000) 1 73
(00000000 00000060 00000000 00000000) 1 74
(00000000 000000c0 00000000 00000000) 2 75, 125
(00000000 00000180 00000000 00000000) 1 76
(00000000 00000300 00000000 00000000) 3 76, 77, 127
(00000000 00000600 00000000 00000000) 2 77, 78
(00000000 00000c00 00000000 00000000) 3 78, 79, 97
(00000000 00001800 00000000 00000000) 3 79, 80, 98
(00000000 00003000 00000000 00000000) 3 80, 81, 99
(00000000 00006000 00000000 00000000) 3 81, 82, 100
(00000000 0000c000 00000000 00000000) 2 82, 83
(00000000 00018000 00000000 00000000) 1 84
(00000000 00030000 00000000 00000000) 1 85
(00000000 00060000 00000000 00000000) 1 86
(00000000 000c0000 00000000 00000000) 2 87, 105
(00000000 00180000 00000000 00000000) 1 88
(00000000 00300000 00000000 00000000) 1 89
(00000000 00600000 00000000 00000000) 1 90
(00000000 00c00000 00000000 00000000) 1 91
(00000000 01800000 00000000 00000000) 1 92
(00000000 03000000 00000000 00000000) 1 93
(00000000 06000000 00000000 00000000) 1 94
Electronics 2024, 13, 3141 16 of 21

Table A2. Cont.

Input Difference # Strong Unbalanced Bits

(00000000 0c000000 00000000 00000000) 1 95
(00000000 18000000 00000000 00000000) 2 64, 114
(00000000 30000000 00000000 00000000) 3 65, 104, 115
(00000000 60000000 00000000 00000000) 4 65, 66, 105, 116
(00000000 c0000000 00000000 00000000) 4 59, 66, 67, 117
(00000001 80000000 00000000 00000000) 27 13, 19, 20, 24, 53, 58, 59, 60, 66, 67, 68, 78, 79, 86, 92, 93, 99, 100, 105, 106, 107, 109, 110, 111, 117, 118, 125
(00000003 00000000 00000000 00000000) 16 32, 60, 66, 67, 68, 86, 93, 100, 101, 107, 108, 117, 118, 119, 125, 126
(00000006 00000000 00000000 00000000) 15 33, 61, 67, 68, 69, 87, 94, 101, 102, 108, 109, 119, 120, 126, 127
(0000000c 00000000 00000000 00000000) 15 34, 62, 69, 70, 88, 95, 96, 102, 103, 109, 110, 119, 120, 121, 127
(00000018 00000000 00000000 00000000) 16 35, 63, 64, 69, 70, 71, 89, 96, 97, 103, 104, 110, 111, 120, 121, 122
(00000030 00000000 00000000 00000000) 16 32, 36, 65, 70, 71, 72, 90, 97, 98, 104, 105, 111, 112, 121, 122, 123
(00000060 00000000 00000000 00000000) 16 4, 33, 37, 66, 72, 73, 91, 98, 99, 105, 106, 112, 113, 122, 123, 124
(000000c0 00000000 00000000 00000000) 15 34, 38, 67, 73, 74, 92, 99, 100, 106, 107, 113, 114, 123, 124, 125
(00000180 00000000 00000000 00000000) 15 35, 39, 68, 73, 74, 75, 93, 100, 101, 108, 114, 115, 124, 125, 126
(00000300 00000000 00000000 00000000) 16 36, 40, 69, 74, 75, 76, 94, 101, 102, 108, 109, 115, 116, 125, 126, 127
(00000600 00000000 00000000 00000000) 16 37, 41, 70, 75, 76, 77, 95, 96, 102, 103, 109, 110, 116, 117, 126, 127
(00000c00 00000000 00000000 00000000) 15 38, 42, 64, 71, 76, 77, 78, 96, 97, 103, 104, 111, 117, 118, 127
(00001800 00000000 00000000 00000000) 17 10, 39, 43, 65, 72, 77, 78, 79, 96, 97, 98, 104, 105, 111, 112, 118, 119
(00003000 00000000 00000000 00000000) 17 11, 40, 44, 66, 73, 78, 79, 80, 97, 98, 99, 105, 106, 112, 113, 119, 120
(00006000 00000000 00000000 00000000) 17 12, 41, 45, 67, 74, 79, 80, 81, 98, 99, 100, 106, 107, 113, 114, 120, 121
(0000c000 00000000 00000000 00000000) 16 13, 42, 46, 68, 75, 80, 81, 82, 99, 100, 101, 108, 114, 115, 121, 122
(00018000 00000000 00000000 00000000) 16 43, 47, 69, 76, 81, 82, 83, 100, 101, 102, 108, 109, 115, 116, 122, 123
(00030000 00000000 00000000 00000000) 14 44, 70, 77, 82, 83, 84, 102, 103, 109, 110, 116, 117, 123, 124
(00060000 00000000 00000000 00000000) 13 45, 49, 78, 83, 84, 85, 103, 104, 111, 117, 118, 124, 125
(000c0000 00000000 00000000 00000000) 15 46, 50, 72, 79, 84, 85, 86, 103, 104, 105, 112, 118, 119, 125, 126
(00180000 00000000 00000000 00000000) 16 18, 47, 51, 73, 80, 85, 86, 87, 104, 105, 106, 113, 119, 120, 126, 127
(00300000 00000000 00000000 00000000) 16 19, 48, 52, 74, 81, 86, 87, 88, 96, 105, 106, 107, 114, 120, 121, 127
(00600000 00000000 00000000 00000000) 15 20, 49, 53, 75, 82, 87, 88, 89, 96, 97, 107, 108, 115, 121, 122
(00c00000 00000000 00000000 00000000) 16 21, 50, 54, 76, 83, 88, 89, 90, 97, 98, 108, 109, 115, 116, 122, 123
(01800000 00000000 00000000 00000000) 17 22, 51, 55, 77, 84, 89, 90, 91, 98, 99, 108, 109, 110, 116, 117, 123, 124
(03000000 00000000 00000000 00000000) 14 52, 78, 85, 91, 92, 99, 100, 109, 110, 111, 117, 118, 124, 125
(06000000 00000000 00000000 00000000) 14 53, 57, 79, 86, 92, 93, 100, 101, 111, 112, 118, 119, 125, 126
(0c000000 00000000 00000000 00000000) 15 54, 58, 80, 87, 92, 93, 94, 101, 102, 112, 113, 119, 120, 126, 127
(18000000 00000000 00000000 00000000) 16 15, 55, 59, 81, 88, 93, 94, 95, 96, 102, 103, 113, 114, 120, 121, 127
(30000000 00000000 00000000 00000000) 16 16, 56, 60, 64, 82, 89, 94, 95, 96, 97, 103, 104, 114, 115, 121, 122
(60000000 00000000 00000000 00000000) 15 57, 61, 64, 65, 83, 90, 95, 97, 98, 104, 105, 115, 116, 122, 123
(c0000000 00000000 00000000 00000000) 20 18, 29, 58, 62, 64, 65, 66, 70, 84, 91, 98, 99, 104, 105, 106, 115, 116, 117, 123, 124

Table A3. Strong unbalanced bits for 32-round CHAM-128/256 with a threshold of 2−8 .

Input Difference # Strong Unbalanced Bits

(00000000 00000000 00000000 00000001) 17 4, 5, 44, 55, 77, 83, 84, 87, 88, 95, 96, 109, 110, 117, 122, 123, 124
(00000000 00000000 00000000 00000002) 17 5, 6, 45, 56, 64, 78, 84, 85, 88, 89, 97, 111, 117, 118, 123, 124, 125
(00000000 00000000 00000000 00000004) 19 6, 7, 39, 46, 57, 65, 79, 85, 86, 89, 90, 98, 105, 112, 118, 119, 124, 125, 126
(00000000 00000000 00000000 00000008) 18 1, 8, 40, 47, 58, 66, 80, 86, 87, 90, 91, 99, 113, 119, 120, 125, 126, 127
(00000000 00000000 00000000 00000010) 20 2, 8, 9, 41, 48, 59, 67, 74, 81, 87, 88, 91, 92, 96, 100, 114, 120, 121, 126, 127
(00000000 00000000 00000000 00000020) 19 3, 9, 10, 49, 60, 68, 82, 88, 89, 92, 93, 96, 97, 101, 108, 115, 121, 122, 127
(00000000 00000000 00000000 00000040) 19 4, 10, 11, 61, 69, 76, 83, 89, 90, 93, 94, 96, 97, 98, 102, 109, 116, 122, 123
(00000000 00000000 00000000 00000080) 19 5, 11, 12, 51, 62, 70, 77, 84, 90, 91, 94, 95, 97, 98, 99, 103, 117, 123, 124
(00000000 00000000 00000000 00000100) 19 6, 12, 13, 52, 63, 64, 71, 78, 85, 91, 92, 95, 98, 99, 100, 104, 118, 124, 125
(00000000 00000000 00000000 00000200) 19 0, 13, 14, 32, 53, 64, 65, 72, 79, 86, 92, 93, 99, 100, 101, 105, 119, 125, 126
(00000000 00000000 00000000 00000400) 20 1, 8, 14, 15, 33, 54, 65, 66, 73, 80, 87, 93, 94, 100, 101, 102, 106, 120, 126, 127
(00000000 00000000 00000000 00000800) 22 2, 9, 15, 16, 34, 55, 66, 67, 74, 81, 88, 94, 95, 96, 100, 101, 102, 103, 107, 114, 121, 127
(00000000 00000000 00000000 00001000) 23 3, 10, 16, 17, 35, 56, 64, 67, 68, 75, 82, 89, 95, 96, 97, 101, 102, 103, 104, 108, 115, 121, 122
(00000000 00000000 00000000 00002000) 21 4, 11, 17, 18, 36, 57, 64, 65, 68, 69, 76, 83, 90, 97, 98, 103, 104, 105, 109, 122, 123
(00000000 00000000 00000000 00004000) 21 5, 12, 18, 19, 37, 58, 65, 66, 69, 70, 77, 84, 91, 98, 99, 104, 105, 106, 117, 123, 124
(00000000 00000000 00000000 00008000) 19 13, 19, 20, 38, 59, 66, 67, 70, 71, 78, 92, 99, 100, 105, 106, 107, 111, 124, 125
(00000000 00000000 00000000 00010000) 16 14, 20, 21, 39, 60, 67, 68, 72, 79, 100, 101, 106, 107, 108, 125, 126
(00000000 00000000 00000000 00020000) 19 15, 21, 22, 40, 61, 68, 69, 72, 73, 80, 94, 101, 102, 107, 108, 109, 113, 126, 127
(00000000 00000000 00000000 00040000) 19 16, 22, 23, 41, 62, 69, 70, 73, 74, 81, 95, 96, 102, 103, 108, 109, 110, 114, 127
(00000000 00000000 00000000 00080000) 21 17, 23, 24, 42, 63, 64, 70, 71, 74, 75, 82, 96, 97, 103, 104, 108, 109, 110, 111, 115, 122
(00000000 00000000 00000000 00100000) 20 18, 24, 25, 32, 43, 65, 71, 72, 75, 76, 83, 97, 98, 104, 105, 109, 110, 111, 112, 116
(00000000 00000000 00000000 00200000) 19 19, 26, 33, 44, 66, 72, 73, 76, 77, 84, 98, 99, 105, 106, 111, 112, 113, 117, 124
(00000000 00000000 00000000 00400000) 20 26, 27, 34, 45, 67, 73, 74, 77, 78, 85, 92, 99, 100, 106, 107, 112, 113, 114, 118, 125
(00000000 00000000 00000000 00800000) 13 28, 35, 68, 74, 75, 78, 79, 86, 101, 108, 113, 114, 115
(00000000 00000000 00000000 01000000) 19 28, 29, 36, 47, 69, 75, 76, 79, 80, 87, 94, 101, 102, 108, 109, 114, 115, 116, 127
(00000000 00000000 00000000 02000000) 17 29, 30, 37, 70, 76, 77, 80, 81, 88, 102, 103, 109, 110, 115, 116, 117, 121
(00000000 00000000 00000000 04000000) 23 17, 30, 31, 38, 49, 64, 71, 76, 77, 78, 80, 81, 82, 89, 97, 103, 104, 111, 115, 116, 117, 118, 122
(00000000 00000000 00000000 08000000) 22 0, 18, 31, 39, 50, 65, 72, 77, 78, 79, 82, 83, 90, 98, 104, 105, 111, 112, 117, 118, 119, 123
(00000000 00000000 00000000 10000000) 21 0, 1, 19, 40, 51, 66, 73, 78, 79, 80, 83, 84, 91, 99, 105, 106, 113, 118, 119, 120, 124
(00000000 00000000 00000000 20000000) 23 1, 2, 20, 41, 52, 59, 67, 74, 79, 80, 81, 84, 85, 92, 100, 106, 107, 113, 114, 119, 120, 121, 125
(00000000 00000000 00000000 40000000) 25 2, 3, 21, 28, 35, 42, 53, 60, 68, 75, 80, 81, 82, 85, 86, 93, 101, 108, 114, 115, 119, 120, 121, 122, 126
Electronics 2024, 13, 3141 17 of 21

Table A3. Cont.

Input Difference # Strong Unbalanced Bits

(00000000 00000000 00000000 80000000) 21 3, 4, 36, 43, 54, 61, 69, 76, 82, 83, 86, 87, 94, 108, 109, 115, 116, 121, 122, 123, 127
(00000000 00000000 00000001 00000000) 10 36, 37, 62, 69, 76, 87, 109, 115, 116, 120
(00000000 00000000 00000002 00000000) 9 30, 37, 38, 63, 77, 88, 117, 121, 122
(00000000 00000000 00000004 00000000) 11 31, 32, 38, 39, 57, 78, 89, 111, 117, 118, 122
(00000000 00000000 00000008 00000000) 10 0, 33, 39, 40, 58, 79, 90, 118, 119, 123
(00000000 00000000 00000010 00000000) 11 1, 34, 40, 41, 59, 80, 91, 113, 119, 120, 124
(00000000 00000000 00000020 00000000) 12 2, 35, 41, 42, 60, 81, 92, 100, 114, 120, 121, 125
(00000000 00000000 00000040 00000000) 12 3, 36, 43, 61, 82, 93, 115, 121, 122, 125, 126, 127
(00000000 00000000 00000080 00000000) 10 4, 37, 43, 44, 62, 83, 94, 122, 123, 127
(00000000 00000000 00000100 00000000) 10 5, 38, 44, 45, 63, 84, 95, 96, 123, 124
(00000000 00000000 00000200 00000000) 11 6, 32, 39, 45, 46, 64, 85, 97, 98, 124, 125
(00000000 00000000 00000400 00000000) 10 33, 40, 47, 65, 86, 98, 99, 119, 125, 126
(00000000 00000000 00000800 00000000) 13 34, 41, 47, 48, 66, 80, 87, 98, 99, 100, 120, 126, 127
(00000000 00000000 00001000 00000000) 10 9, 35, 49, 67, 88, 96, 99, 100, 121, 127
(00000000 00000000 00002000 00000000) 11 10, 36, 43, 50, 68, 89, 96, 97, 100, 101, 122
(00000000 00000000 00004000 00000000) 12 11, 37, 44, 51, 69, 90, 97, 98, 102, 103, 109, 123
(00000000 00000000 00008000 00000000) 10 12, 38, 45, 52, 70, 91, 98, 99, 103, 124
(00000000 00000000 00010000 00000000) 9 13, 39, 53, 92, 99, 100, 104, 105, 125
(00000000 00000000 00020000 00000000) 9 14, 40, 53, 54, 72, 100, 101, 105, 126
(00000000 00000000 00040000 00000000) 10 15, 41, 55, 73, 94, 101, 102, 105, 106, 127
(00000000 00000000 00080000 00000000) 9 16, 55, 56, 74, 95, 96, 102, 103, 107
(00000000 00000000 00100000 00000000) 10 17, 43, 57, 64, 75, 97, 103, 104, 108, 115
(00000000 00000000 00200000 00000000) 11 18, 44, 57, 58, 65, 76, 98, 104, 105, 108, 109
(00000000 00000000 00400000 00000000) 10 19, 45, 59, 66, 77, 99, 105, 106, 109, 110
(00000000 00000000 00800000 00000000) 10 20, 53, 59, 60, 67, 78, 100, 106, 107, 111
(00000000 00000000 01000000 00000000) 6 21, 61, 79, 101, 108, 112
(00000000 00000000 02000000 00000000) 9 22, 61, 62, 69, 80, 102, 108, 109, 113
(00000000 00000000 04000000 00000000) 9 62, 63, 70, 81, 103, 109, 110, 114, 115
(00000000 00000000 08000000 00000000) 7 24, 32, 63, 82, 104, 111, 115
(00000000 00000000 10000000 00000000) 10 33, 58, 72, 83, 105, 111, 112, 115, 116, 117
(00000000 00000000 20000000 00000000) 8 33, 34, 59, 73, 84, 106, 113, 117
(00000000 00000000 40000000 00000000) 8 35, 53, 60, 74, 85, 114, 118, 119
(00000000 00000000 80000000 00000000) 12 28, 35, 36, 54, 61, 75, 86, 108, 114, 115, 119, 126
(00000000 00000001 00000000 00000000) 5 61, 68, 69, 108, 119
(00000000 00000002 00000000 00000000) 5 62, 69, 70, 109, 120
(00000000 00000004 00000000 00000000) 7 63, 64, 70, 71, 103, 110, 121
(00000000 00000008 00000000 00000000) 6 32, 65, 72, 104, 111, 122
(00000000 00000010 00000000 00000000) 7 33, 66, 72, 73, 105, 112, 123
(00000000 00000020 00000000 00000000) 6 34, 67, 73, 74, 113, 124
(00000000 00000040 00000000 00000000) 6 35, 68, 74, 75, 114, 125
(00000000 00000080 00000000 00000000) 6 36, 69, 75, 76, 115, 126
(00000000 00000100 00000000 00000000) 7 37, 70, 76, 77, 109, 116, 127
(00000000 00000200 00000000 00000000) 6 38, 64, 77, 78, 96, 117
(00000000 00000400 00000000 00000000) 7 39, 65, 72, 78, 79, 97, 118
(00000000 00000800 00000000 00000000) 7 40, 66, 73, 79, 80, 98, 119
(00000000 00001000 00000000 00000000) 7 41, 67, 74, 80, 81, 99, 120
(00000000 00002000 00000000 00000000) 5 75, 81, 82, 100, 121
(00000000 00004000 00000000 00000000) 8 43, 69, 76, 82, 83, 101, 115, 122
(00000000 00008000 00000000 00000000) 6 44, 77, 83, 84, 102, 123
(00000000 00010000 00000000 00000000) 6 45, 78, 84, 85, 103, 124
(00000000 00020000 00000000 00000000) 5 79, 85, 86, 104, 125
(00000000 00040000 00000000 00000000) 6 47, 80, 86, 87, 105, 126
(00000000 00080000 00000000 00000000) 5 81, 87, 88, 106, 127
(00000000 00100000 00000000 00000000) 5 82, 88, 89, 96, 107
(00000000 00200000 00000000 00000000) 4 89, 90, 97, 108
(00000000 00400000 00000000 00000000) 4 90, 91, 98, 109
(00000000 00800000 00000000 00000000) 2 92, 99
(00000000 01000000 00000000 00000000) 5 53, 92, 93, 100, 111
(00000000 02000000 00000000 00000000) 2 94, 101
(00000000 04000000 00000000 00000000) 6 55, 81, 94, 95, 102, 113
(00000000 08000000 00000000 00000000) 6 56, 64, 82, 95, 103, 114
(00000000 10000000 00000000 00000000) 6 57, 64, 65, 83, 104, 115
(00000000 20000000 00000000 00000000) 7 58, 65, 66, 84, 98, 105, 116
(00000000 40000000 00000000 00000000) 9 59, 66, 67, 85, 92, 99, 106, 117, 124
(00000000 80000000 00000000 00000000) 7 60, 67, 68, 100, 107, 118, 125
(00000001 00000000 00000000 00000000) 21 20, 31, 32, 59, 60, 66, 67, 68, 72, 86, 93, 99, 100, 101, 107, 108, 117, 118, 119, 125, 126
Electronics 2024, 13, 3141 18 of 21

Table A3. Cont.

Input Difference # Strong Unbalanced Bits

(00000002 00000000 00000000 00000000) 21 0, 21, 33, 61, 67, 68, 69, 73, 87, 94, 100, 101, 102, 108, 109, 118, 119, 120, 125, 126, 127
(00000004 00000000 00000000 00000000) 21 1, 22, 34, 61, 62, 68, 69, 70, 74, 88, 95, 96, 102, 103, 108, 109, 110, 119, 120, 121, 127
(00000008 00000000 00000000 00000000) 20 2, 35, 63, 64, 69, 70, 71, 75, 89, 96, 97, 103, 104, 109, 110, 111, 115, 120, 121, 122
(00000010 00000000 00000000 00000000) 19 3, 32, 36, 63, 65, 70, 71, 72, 76, 90, 97, 98, 104, 105, 111, 112, 121, 122, 123
(00000020 00000000 00000000 00000000) 19 4, 33, 37, 65, 66, 71, 72, 73, 77, 91, 98, 99, 105, 106, 112, 113, 122, 123, 124
(00000040 00000000 00000000 00000000) 20 5, 33, 34, 38, 59, 67, 72, 73, 74, 78, 92, 99, 100, 106, 107, 113, 114, 123, 124, 125
(00000080 00000000 00000000 00000000) 22 6, 27, 34, 35, 39, 60, 68, 73, 74, 75, 79, 86, 93, 100, 101, 107, 108, 114, 115, 124, 125, 126
(00000100 00000000 00000000 00000000) 20 28, 35, 36, 40, 61, 69, 74, 75, 76, 80, 94, 101, 102, 108, 109, 115, 116, 125, 126, 127
(00000200 00000000 00000000 00000000) 20 36, 37, 41, 62, 69, 70, 75, 76, 77, 95, 96, 102, 103, 109, 110, 115, 116, 117, 126, 127
(00000400 00000000 00000000 00000000) 24 9, 30, 37, 38, 41, 42, 63, 64, 70, 71, 76, 77, 78, 82, 96, 97, 103, 104, 109, 110, 111, 117, 118, 127
(00000800 00000000 00000000 00000000) 21 10, 32, 38, 39, 43, 65, 72, 77, 78, 79, 83, 96, 97, 98, 104, 105, 111, 112, 117, 118, 119
(00001000 00000000 00000000 00000000) 24 0, 11, 33, 39, 40, 44, 65, 66, 73, 77, 78, 79, 80, 84, 97, 98, 99, 105, 106, 112, 113, 119, 120, 124
1, 12, 34, 40, 41, 45, 66, 67, 73, 74, 78, 79, 80, 81, 85, 92, 98, 99, 100, 105, 106, 107, 113, 114, 119,
(00002000 00000000 00000000 00000000) 27
120, 121
(00004000 00000000 00000000 00000000) 23 2, 13, 35, 41, 42, 46, 67, 68, 74, 75, 80, 81, 82, 86, 99, 100, 101, 107, 108, 114, 115, 121, 122
(00008000 00000000 00000000 00000000) 22 3, 14, 36, 43, 47, 69, 75, 76, 81, 82, 83, 100, 101, 102, 108, 109, 115, 116, 121, 122, 123, 127
(00010000 00000000 00000000 00000000) 22 4, 15, 37, 43, 44, 48, 70, 76, 77, 82, 83, 84, 101, 102, 103, 109, 110, 116, 117, 122, 123, 124
(00020000 00000000 00000000 00000000) 21 5, 16, 38, 44, 45, 49, 71, 77, 78, 83, 84, 85, 102, 103, 104, 111, 117, 118, 123, 124, 125
(00040000 00000000 00000000 00000000) 22 6, 17, 39, 45, 46, 50, 72, 78, 79, 84, 85, 86, 103, 104, 105, 111, 112, 118, 119, 124, 125, 126
(00080000 00000000 00000000 00000000) 20 18, 40, 47, 51, 73, 79, 80, 85, 86, 87, 104, 105, 106, 112, 113, 119, 120, 125, 126, 127
(00100000 00000000 00000000 00000000) 22 19, 41, 48, 52, 74, 80, 81, 86, 87, 88, 92, 96, 100, 105, 106, 107, 113, 114, 120, 121, 126, 127
(00200000 00000000 00000000 00000000) 17 20, 49, 53, 75, 82, 87, 88, 89, 96, 97, 106, 107, 108, 114, 115, 121, 122
(00400000 00000000 00000000 00000000) 21 10, 21, 50, 53, 54, 76, 82, 83, 88, 89, 90, 94, 97, 98, 107, 108, 109, 115, 116, 122, 123
(00800000 00000000 00000000 00000000) 21 11, 22, 44, 51, 55, 77, 84, 89, 90, 91, 97, 98, 99, 103, 108, 109, 110, 116, 117, 123, 124
(01000000 00000000 00000000 00000000) 18 12, 23, 52, 56, 78, 85, 90, 91, 92, 99, 100, 109, 110, 111, 117, 118, 124, 125
(02000000 00000000 00000000 00000000) 18 13, 24, 53, 57, 79, 86, 91, 92, 93, 99, 100, 101, 111, 112, 118, 119, 125, 126
(04000000 00000000 00000000 00000000) 18 14, 54, 58, 80, 87, 92, 93, 94, 100, 101, 102, 111, 112, 113, 119, 120, 126, 127
(08000000 00000000 00000000 00000000) 20 15, 26, 55, 59, 67, 80, 81, 88, 93, 94, 95, 96, 101, 102, 103, 113, 114, 120, 121, 127
(10000000 00000000 00000000 00000000) 22 16, 27, 55, 56, 59, 60, 64, 82, 89, 94, 95, 96, 97, 102, 103, 104, 108, 113, 114, 115, 121, 122
(20000000 00000000 00000000 00000000) 21 17, 28, 57, 61, 64, 65, 69, 83, 90, 95, 97, 98, 103, 104, 105, 109, 114, 115, 116, 122, 123
(40000000 00000000 00000000 00000000) 20 18, 29, 58, 62, 64, 65, 66, 70, 84, 91, 98, 99, 104, 105, 106, 115, 116, 117, 123, 124
(80000000 00000000 00000000 00000000) 23 19, 30, 58, 59, 63, 65, 66, 67, 85, 92, 98, 99, 100, 105, 106, 107, 111, 116, 117, 118, 123, 124, 125
(00000000 00000000 00000000 00000003) 9 5, 44, 83, 84, 88, 117, 122, 123, 124
(00000000 00000000 00000000 00000006) 10 6, 78, 84, 85, 89, 111, 118, 123, 124, 125
(00000000 00000000 00000000 0000000c) 9 7, 79, 85, 86, 90, 119, 124, 125, 126
(00000000 00000000 00000000 00000018) 11 8, 80, 86, 87, 91, 99, 113, 120, 125, 126, 127
(00000000 00000000 00000000 00000030) 10 9, 59, 88, 92, 96, 100, 114, 121, 126, 127
(00000000 00000000 00000000 00000060) 9 10, 88, 89, 93, 96, 97, 115, 122, 127
(00000000 00000000 00000000 000000c0) 9 11, 61, 69, 90, 94, 97, 98, 116, 123
(00000000 00000000 00000000 00000180) 9 12, 62, 91, 95, 97, 98, 99, 117, 124
(00000000 00000000 00000000 00000300) 10 12, 13, 63, 64, 92, 98, 99, 100, 118, 125
(00000000 00000000 00000000 00000600) 11 13, 14, 65, 92, 93, 99, 100, 101, 119, 125, 126
(00000000 00000000 00000000 00000c00) 12 14, 15, 33, 65, 66, 94, 100, 101, 102, 120, 126, 127
(00000000 00000000 00000000 00001800) 12 15, 16, 66, 67, 74, 94, 95, 96, 101, 102, 103, 121
(00000000 00000000 00000000 00003000) 11 16, 17, 64, 68, 95, 97, 102, 103, 104, 108, 122
(00000000 00000000 00000000 00006000) 10 18, 64, 65, 69, 98, 103, 104, 105, 109, 123
(00000000 00000000 00000000 0000c000) 10 19, 65, 66, 69, 70, 99, 104, 105, 106, 124
(00000000 00000000 00000000 00018000) 9 20, 66, 67, 71, 100, 105, 106, 107, 125
(00000000 00000000 00000000 00030000) 8 21, 68, 72, 101, 106, 107, 108, 126
(00000000 00000000 00000000 00060000) 9 21, 22, 69, 73, 80, 102, 108, 109, 127
(00000000 00000000 00000000 000c0000) 9 23, 69, 70, 74, 96, 103, 108, 109, 110
(00000000 00000000 00000000 00180000) 10 24, 71, 74, 75, 97, 104, 109, 110, 111, 115
(00000000 00000000 00000000 00300000) 7 25, 72, 76, 98, 105, 111, 112
(00000000 00000000 00000000 00600000) 9 26, 73, 77, 99, 106, 111, 112, 113, 117
(00000000 00000000 00000000 00c00000) 9 27, 73, 74, 77, 78, 100, 107, 113, 114
(00000000 00000000 00000000 01800000) 8 28, 74, 75, 79, 101, 108, 114, 115
(00000000 00000000 00000000 03000000) 9 29, 75, 76, 80, 102, 109, 114, 115, 116
(00000000 00000000 00000000 06000000) 11 30, 70, 76, 77, 80, 81, 103, 110, 115, 116, 117
(00000000 00000000 00000000 0c000000) 11 31, 38, 77, 78, 81, 82, 104, 111, 116, 117, 118
(00000000 00000000 00000000 18000000) 10 0, 78, 79, 82, 83, 105, 112, 117, 118, 119
(00000000 00000000 00000000 30000000) 13 1, 40, 73, 79, 80, 83, 84, 106, 113, 118, 119, 120, 124
(00000000 00000000 00000000 60000000) 18 1, 2, 41, 52, 74, 79, 80, 81, 84, 85, 92, 100, 107, 114, 119, 120, 121, 125
(00000000 00000000 00000000 c0000000) 13 2, 3, 53, 75, 81, 82, 85, 86, 108, 115, 120, 121, 122
(00000000 00000000 00000001 80000000) 6 36, 76, 87, 109, 115, 116
(00000000 00000000 00000003 00000000) 4 37, 87, 116, 120
(00000000 00000000 00000006 00000000) 3 38, 117, 121
Electronics 2024, 13, 3141 19 of 21

Table A3. Cont.

Input Difference # Strong Unbalanced Bits

(00000000 00000000 0000000c 00000000) 4 39, 78, 118, 122
(00000000 00000000 00000018 00000000) 4 40, 79, 119, 123
(00000000 00000000 00000030 00000000) 4 41, 80, 120, 124
(00000000 00000000 00000060 00000000) 3 42, 121, 125
(00000000 00000000 000000c0 00000000) 3 43, 122, 126
(00000000 00000000 00000180 00000000) 3 44, 123, 127
(00000000 00000000 00000300 00000000) 2 45, 124
(00000000 00000000 00000600 00000000) 3 46, 97, 125
(00000000 00000000 00000c00 00000000) 3 47, 98, 126
(00000000 00000000 00001800 00000000) 3 48, 99, 127
(00000000 00000000 00003000 00000000) 3 49, 96, 100
(00000000 00000000 00006000 00000000) 3 50, 97, 101
(00000000 00000000 0000c000 00000000) 3 51, 98, 102
(00000000 00000000 00018000 00000000) 3 52, 99, 103
(00000000 00000000 00030000 00000000) 3 53, 100, 104
(00000000 00000000 00060000 00000000) 3 54, 101, 105
(00000000 00000000 000c0000 00000000) 3 55, 102, 106
(00000000 00000000 00180000 00000000) 4 56, 74, 103, 107
(00000000 00000000 00300000 00000000) 4 57, 75, 104, 108
(00000000 00000000 00600000 00000000) 4 58, 76, 105, 109
(00000000 00000000 00c00000 00000000) 8 19, 59, 66, 77, 99, 105, 106, 110
(00000000 00000000 01800000 00000000) 2 60, 107
(00000000 00000000 03000000 00000000) 2 61, 108
(00000000 00000000 06000000 00000000) 3 62, 109, 113
(00000000 00000000 0c000000 00000000) 3 63, 110, 114
(00000000 00000000 18000000 00000000) 4 32, 82, 111, 115
(00000000 00000000 30000000 00000000) 3 33, 112, 116
(00000000 00000000 60000000 00000000) 4 34, 84, 113, 117
(00000000 00000000 c0000000 00000000) 6 35, 60, 74, 85, 114, 118
(00000000 00000001 80000000 00000000) 0 -
(00000000 00000003 00000000 00000000) 1 69
(00000000 00000006 00000000 00000000) 2 70, 109
(00000000 0000000c 00000000 00000000) 1 71
(00000000 00000018 00000000 00000000) 2 72, 122
(00000000 00000030 00000000 00000000) 1 73
(00000000 00000060 00000000 00000000) 1 74
(00000000 000000c0 00000000 00000000) 2 75, 125
(00000000 00000180 00000000 00000000) 2 76, 126
(00000000 00000300 00000000 00000000) 3 76, 77, 127
(00000000 00000600 00000000 00000000) 2 77, 78
(00000000 00000c00 00000000 00000000) 3 78, 79, 97
(00000000 00001800 00000000 00000000) 3 79, 80, 98
(00000000 00003000 00000000 00000000) 3 80, 81, 99
(00000000 00006000 00000000 00000000) 3 81, 82, 100
(00000000 0000c000 00000000 00000000) 1 83
(00000000 00018000 00000000 00000000) 1 84
(00000000 00030000 00000000 00000000) 1 85
(00000000 00060000 00000000 00000000) 1 86
(00000000 000c0000 00000000 00000000) 2 87, 105
(00000000 00180000 00000000 00000000) 1 88
(00000000 00300000 00000000 00000000) 1 89
(00000000 00600000 00000000 00000000) 1 90
(00000000 00c00000 00000000 00000000) 1 91
(00000000 01800000 00000000 00000000) 1 92
(00000000 03000000 00000000 00000000) 1 93
(00000000 06000000 00000000 00000000) 1 94
(00000000 0c000000 00000000 00000000) 1 95
(00000000 18000000 00000000 00000000) 2 64, 114
(00000000 30000000 00000000 00000000) 3 65, 104, 115
(00000000 60000000 00000000 00000000) 4 65, 66, 105, 116
(00000000 c0000000 00000000 00000000) 4 59, 66, 67, 117
13, 19, 20, 24, 53, 58, 59, 60, 66, 67, 68, 78, 79, 86, 92, 93, 99, 100, 105, 106, 107, 109, 110, 111, 117,
(00000001 80000000 00000000 00000000) 27
118, 125
(00000003 00000000 00000000 00000000) 16 32, 60, 66, 67, 68, 86, 93, 100, 101, 107, 108, 117, 118, 119, 125, 126
(00000006 00000000 00000000 00000000) 15 33, 61, 67, 68, 69, 94, 101, 102, 108, 109, 118, 119, 120, 126, 127
(0000000c 00000000 00000000 00000000) 15 34, 62, 69, 70, 88, 95, 96, 102, 103, 109, 110, 119, 120, 121, 127
Electronics 2024, 13, 3141 20 of 21

Table A3. Cont.

Input Difference # Strong Unbalanced Bits

(00000018 00000000 00000000 00000000) 16 35, 63, 64, 69, 70, 71, 89, 96, 97, 103, 104, 110, 111, 120, 121, 122
(00000030 00000000 00000000 00000000) 16 32, 36, 65, 70, 71, 72, 90, 97, 98, 104, 105, 111, 112, 121, 122, 123
(00000060 00000000 00000000 00000000) 16 4, 33, 37, 66, 72, 73, 91, 98, 99, 105, 106, 112, 113, 122, 123, 124
(000000c0 00000000 00000000 00000000) 15 34, 38, 67, 73, 74, 92, 99, 100, 106, 107, 113, 114, 123, 124, 125
(00000180 00000000 00000000 00000000) 15 35, 39, 68, 73, 74, 75, 93, 100, 101, 108, 114, 115, 124, 125, 126
(00000300 00000000 00000000 00000000) 16 36, 40, 69, 74, 75, 76, 94, 101, 102, 108, 109, 115, 116, 125, 126, 127
(00000600 00000000 00000000 00000000) 16 37, 41, 70, 75, 76, 77, 95, 96, 102, 103, 109, 110, 116, 117, 126, 127
(00000c00 00000000 00000000 00000000) 15 38, 42, 64, 71, 76, 77, 78, 96, 97, 103, 104, 111, 117, 118, 127
(00001800 00000000 00000000 00000000) 17 10, 39, 43, 65, 72, 77, 78, 79, 96, 97, 98, 104, 105, 111, 112, 118, 119
(00003000 00000000 00000000 00000000) 17 11, 40, 44, 66, 73, 78, 79, 80, 97, 98, 99, 105, 106, 112, 113, 119, 120
(00006000 00000000 00000000 00000000) 17 12, 41, 45, 67, 74, 79, 80, 81, 98, 99, 100, 106, 107, 113, 114, 120, 121
(0000c000 00000000 00000000 00000000) 16 13, 42, 46, 68, 75, 80, 81, 82, 99, 100, 101, 108, 114, 115, 121, 122
(00018000 00000000 00000000 00000000) 16 43, 47, 69, 76, 81, 82, 83, 100, 101, 102, 108, 109, 115, 116, 122, 123
(00030000 00000000 00000000 00000000) 14 44, 70, 77, 82, 83, 84, 102, 103, 109, 110, 116, 117, 123, 124
(00060000 00000000 00000000 00000000) 13 45, 49, 78, 83, 84, 85, 103, 104, 111, 117, 118, 124, 125
(000c0000 00000000 00000000 00000000) 15 46, 50, 72, 79, 84, 85, 86, 103, 104, 105, 112, 118, 119, 125, 126
(00180000 00000000 00000000 00000000) 16 18, 47, 51, 73, 80, 85, 86, 87, 104, 105, 106, 113, 119, 120, 126, 127
(00300000 00000000 00000000 00000000) 16 19, 48, 52, 74, 81, 86, 87, 88, 96, 105, 106, 107, 114, 120, 121, 127
(00600000 00000000 00000000 00000000) 14 20, 49, 53, 75, 82, 88, 89, 96, 97, 107, 108, 115, 121, 122
(00c00000 00000000 00000000 00000000) 16 21, 50, 54, 76, 83, 88, 89, 90, 97, 98, 108, 109, 115, 116, 122, 123
(01800000 00000000 00000000 00000000) 17 22, 51, 55, 77, 84, 89, 90, 91, 98, 99, 108, 109, 110, 116, 117, 123, 124
(03000000 00000000 00000000 00000000) 14 52, 78, 85, 91, 92, 99, 100, 109, 110, 111, 117, 118, 124, 125
(06000000 00000000 00000000 00000000) 14 53, 57, 79, 86, 92, 93, 100, 101, 111, 112, 118, 119, 125, 126
(0c000000 00000000 00000000 00000000) 15 54, 58, 80, 87, 92, 93, 94, 101, 102, 112, 113, 119, 120, 126, 127
(18000000 00000000 00000000 00000000) 16 15, 55, 59, 81, 88, 93, 94, 95, 96, 102, 103, 113, 114, 120, 121, 127
(30000000 00000000 00000000 00000000) 15 56, 60, 64, 82, 89, 94, 95, 96, 97, 103, 104, 114, 115, 121, 122
(60000000 00000000 00000000 00000000) 15 57, 61, 64, 65, 83, 90, 95, 97, 98, 104, 105, 115, 116, 122, 123
(c0000000 00000000 00000000 00000000) 20 18, 29, 58, 62, 64, 65, 66, 70, 84, 91, 98, 99, 104, 105, 106, 115, 116, 117, 123, 124

References
1. Koo, B.; Roh, D.; Kim, H.; Jung, Y.; Lee, D.G.; Kwon, D. CHAM: A family of lightweight block ciphers for resource-constrained
devices. In Proceedings of the Information Security and Cryptology–ICISC 2017: 20th International Conference, Seoul, Republic
of Korea, 29 November–1 December 2017; Revised Selected Papers 20; Springer: Cham, Switzerland, 2018; pp. 3–25.
2. Roh, D.; Koo, B.; Jung, Y.; Jeong, I.W.; Lee, D.G.; Kwon, D.; Kim, W.H. Revised version of block cipher CHAM. In Proceedings of
the Information Security and Cryptology–ICISC 2019: 22nd International Conference, Seoul, Republic of Korea, 4–6 December
2019; Revised Selected Papers 22; Springer: Cham, Switzerland, 2020; pp. 1–19.
3. Huang, M.; Wang, L. Automatic Tool for Searching for Differential Characteristics in ARX Ciphers and Applications. In Progress
in Cryptology—INDOCRYPT 2019; Hao, F., Ruj, S., Sen Gupta, S., Eds.; Springer: Cham, Switzerland, 2019; pp. 115–138.
4. Roh, D. Validity of Differential Characteristics of ARX Block Ciphers. IEEE Access 2023, 11, 100672–100682. [CrossRef]
5. Huang, M.; Wang, L. Automatic search for the linear (hull) characteristics of ARX ciphers: Applied to SPECK, SPARX, CHASKEY,
and CHAM-64. Secur. Commun. Netw. 2020, 2020, 4898612. [CrossRef]
6. Li, J.; Qiu, X.; Li, L.; Zhu, C.; Wu, X. New Integral distinguishers for I-Present™, TANGRAM and CHAM. In Proceedings of the
2022 7th IEEE International Conference on Data Science in Cyberspace (DSC), Guilin, China, 11–13 July 2022; pp. 548–555.
7. Biryukov, A.; Teh, J.S.; Udovenko, A. Advancing the Meet-in-the-Filter Technique: Applications to CHAM and KATAN. In
International Conference on Selected Areas in Cryptography; Springer: Cham, Switzerland, 2023.
8. Zhang, K.; Lai, X.; Wang, L.; Guan, J.; Hu, B.; Wang, S.; Shi, T. Meet-in-the-middle attack with splice-and-cut technique and a
general automatic framework. Des. Codes Cryptogr. 2023, 91, 2845–2878. [CrossRef]
9. Ling, Q.; Cui, T.; Hu, H.; Gong, S.; He, Z.; Huang, J.; Xiao, J. Finding Impossible Differentials in ARX Ciphers under Weak Keys.
IACR Trans. Symmetric Cryptol. 2024, 2024, 326–356. [CrossRef]
10. Biham, E.; Shamir, A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 1991, 4, 3–72. [CrossRef]
11. Matsui, M. Linear Cryptanalysis Method for DES Cipher. In Advances in Cryptology—EUROCRYPT ’93; Helleseth, T., Ed.;
Springer: Berlin/Heidelberg, Germany, 1994; pp. 386–397.
12. Biham, E.; Shamir, A. Differential Cryptanalysis of Feal and N-Hash. In Advances in Cryptology—EUROCRYPT ’91. EUROCRYPT
1991; Davies, D.W., Ed.; Springer: Berlin/Heidelberg, Germany, 1991; pp. 1–16.
13. Etrog, J.; Robshaw, M.J.B. The Cryptanalysis of Reduced-Round SMS4. In Selected Areas in Cryptography, SAC 2008; Avanzi, R.M.,
Keliher, L., Sica, F., Eds.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 51–65.
14. Song, L.; Huang, Z.; Yang, Q. Automatic Differential Analysis of ARX Block Ciphers with Application to SPECK and LEA. In
Information Security and Privacy; Liu, J.K., Steinfeld, R., Eds.; Springer: Cham, Switzerland, 2016; pp. 379–394.
15. Flórez-Gutiérrez, A.; Naya-Plasencia, M. Improving Key-Recovery in Linear Attacks: Application to 28-Round PRESENT. In
Advances in Cryptology—EUROCRYPT 2020; Canteaut, A., Ishai, Y., Eds.; Springer: Cham, Switzerland, 2020; pp. 221–249.
Electronics 2024, 13, 3141 21 of 21

16. Mouha, N.; Wang, Q.; Gu, D.; Preneel, B. Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming. In
Information Security and Cryptology; Wu, C.K., Yung, M., Lin, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 57–76.
17. Mouha, N.; Preneel, B. Towards finding optimal differential characteristics for ARX: Application to Salsa20. Cryptol. Eprint Arch.
2013, 2013/328 .
18. Sun, S.; Hu, L.; Wang, P.; Qiao, K.; Ma, X.; Song, L. Automatic Security Evaluation and (Related-key) Differential Characteristic
Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers. In Advances in Cryptology—
ASIACRYPT 2014; Sarkar, P., Iwata, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; pp. 158–178.
19. Liu, Y.; Wang, Q.; Rijmen, V. Automatic Search of Linear Trails in ARX with Applications to SPECK and Chaskey. In Applied
Cryptography and Network Security; Manulis, M., Sadeghi, A.R., Schneider, S., Eds.; Springer: Cham, Switzerland, 2016; pp. 485–499.
20. Sun, L.; Wang, W.; Wang, M. Accelerating the search of differential and linear characteristics with the SAT method. IACR Trans.
Symmetric Cryptol. 2021, 2021, 269–315. [CrossRef]
21. Langford, S.K.; Hellman, M.E. Differential-Linear Cryptanalysis. In Advances in Cryptology—CRYPTO ’94; Desmedt, Y.G., Ed.;
Springer: Berlin/Heidelberg, Germany, 1994; pp. 17–25.
22. Hawkes, P. Differential-linear weak key classes of IDEA. In Advances in Cryptology—EUROCRYPT’98; Nyberg, K., Ed.; Springer:
Berlin/Heidelberg, Germany, 1998; pp. 112–126.
23. Biham, E.; Dunkelman, O.; Keller, N. Enhancing Differential-Linear Cryptanalysis. In Advances in Cryptology—ASIACRYPT 2002;
Zheng, Y., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 254–266.
24. Dunkelman, O.; Indesteege, S.; Keller, N. A Differential-Linear Attack on 12-Round Serpent. In Progress in Cryptology—
INDOCRYPT 2008; Chowdhury, D.R., Rijmen, V., Das, A., Eds.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 308–321.
25. Lu, J. A methodology for differential-linear cryptanalysis and its applications. Des. Codes Cryptogr. 2015, 77, 11–48. [CrossRef]
26. Huang, T.; Tjuawinata, I.; Wu, H. Differential-Linear Cryptanalysis of ICEPOLE. In Fast Software Encryption; Leander, G., Ed.;
Springer: Berlin/Heidelberg, Germany, 2015; pp. 243–263.
27. Bar-On, A.; Dunkelman, O.; Keller, N.; Weizman, A. DLCT: A New Tool for Differential-Linear Cryptanalysis. In Advances in
Cryptology—EUROCRYPT 2019; Ishai, Y., Rijmen, V., Eds.; Springer: Cham, Switzerland, 2019; pp. 313–342.
28. Leurent, G. Improved Differential-Linear Cryptanalysis of 7-Round Chaskey with Partitioning. In Advances in Cryptology—
EUROCRYPT 2016; Fischlin, M., Coron, J.S., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; pp. 344–371.
29. Beierle, C.; Leander, G.; Todo, Y. Improved Differential-Linear Attacks with Applications to ARX Ciphers. In Advances in
Cryptology—CRYPTO 2020; Micciancio, D., Ristenpart, T., Eds.; Springer: Cham, Switzerland, 2020; pp. 329–358.
30. Chen, Y.; Bao, Z.; Yu, H. Differential-Linear Approximation Semi-unconstrained Searching and Partition Tree: Application to LEA
and Speck. In Advances in Cryptology—ASIACRYPT 2023; Guo, J., Steinfeld, R., Eds.; Springer: Singapore, 2023; pp. 223–255.
31. Bellini, E.; Gerault, D.; Grados, J.; Makarim, R.H.; Peyrin, T. Fully Automated Differential-Linear Attacks Against ARX Ciphers.
In Topics in Cryptology—CT-RSA 2023; Rosulek, M., Ed.; Springer: Cham, Switzerland, 2023; pp. 252–276.
32. Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.B.; Seurin, Y.; Vikkelsoe, C. PRESENT: An
Ultra-Lightweight Block Cipher. In Cryptographic Hardware and Embedded Systems—CHES 2007; Springer: Berlin/Heidelberg,
Germany, 2007; pp. 450–466.
33. Blondeau, C.; Leander, G.; Nyberg, K. Differential-linear cryptanalysis revisited. J. Cryptol. 2017, 30, 859–888. [CrossRef]
34. Soos, M.; Nohl, K.; Castelluccia, C. Extending SAT solvers to cryptographic problems. In Theory and Applications of Satisfiability
Testing; Springer: Berlin/Heidelberg, Germany, 2009; pp. 244–257.
35. Biere, A. CaDiCaL at the SAT Race 2019. SAT RACE 2019, 2019, 8.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.