| | Input: the cLAT is precomputed and stored by Algorithm 2. have been recorded |
| (1) | Program entry: |
| (2) | Let = , and = null // can be derived manually for most ARX ciphers. |
| (3) | while do |
| (4) | ; //the expected r-round correlation weight increases monotonously. |
| (5) | Call Procedure Round-1; |
| (6) | end while |
| (7) | Exit the program. |
| (8) | Round-1:/exclude the search space with correlation weights larger than . |
| (9) | for to do // increases monotonously. |
| (10) | if then |
| (11) | Return to the upper procedure with FALSE state; |
| (12) | else |
| (13) | Call Algorithm 1Const (), and traverse each output tuple ; |
| (14) | if call Round- and the return value is TRUE, then |
| (15) | Stop Algorithm 1 and return TRUE; /record the optimal linear trail be found. |
| (16) | end if |
| (17) | end if |
| (18) | end for |
| (19) | Return to the upper procedure with FALSE state; |
| (20) | Round-: /exclude the correlation weights larger than . |
| (21) | for to // increases monotonously. |
| (22) | if then |
| (23) | Return to the upper procedure with FALSE state; |
| (24) | else |
| (25) | Call Algorithm 1Const (), and traverse each output tuple ; |
| (26) | , ; //: rotation parameters. |
| (27) | if call Round-r () and the return value is TRUE, then |
| (28) | Stop Algorithm 1, compute the masks of the first/second round and return TRUE; |
| (29) | end if |
| (30) | end if |
| (31) | end for |
| (32) | Return to the upper procedure with FALSE state; |
| (33) | Round-r (): //middle rounds, . |
| (34) | , and let and , ; //splitting v. |
| (35) | Call , traversing each u and ; //where . |
| (36) | if and then //the last round. |
| (37) | Let , break from and return TRUE; |
| (38) | end if //r-round optimal linear trail of expected correlation weight have been found. |
| (39) | , ; |
| (40) | if call Round-r () and the return value is TRUE, then |
| (41) | Break from and return TRUE; //record the masks of each round and return. |
| (42) | end if |
| (43) | Return to the upper procedure with FALSE state; |
| (44) | LR: //looking up cLAT and recombining another input mask and the output mask u. |
| (45) | Let , and , for ; |
| (46) | for to 0 do //from MSB to LSB direction. |
| (47) | for to do // and for . |
| (48) | if + then + |
| (49) | for to do |
| (50) | ; //querying and . |
| (51) | ; |
| (52) | ; //record the next connection status. |
| (53) | if then //recombining u and w. |
| (54) | Output each , , and ; |
| (55) | end if |
| (56) | end for |
| (57) | end if |
| (58) | end for |
| (59) | end for |
