## Issue

I saw a function called ‘SWAPMOVE’ below.

```
SWAPMOVE(A,B,M,n):
T = (B ^ (A >> n)) & M
B = B ^ T
A = A ^ (T << n)
```

And I don’t know what does this function actually do.

It seems to calculate the linear layer of some block ciphers, but I can’t understand the entire steps using this function.

So, what does this function actually do?

This is the research paper I saw: Alexandre Adomnicai, Zakaria Najm, and Thomas Peyrin. Fixslicing: A New GIFT Representation: Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(3):402–427, Jun. 2020.

Look up 15~16p of this paper.

## Solution

Let’s look at this in some more detail.

Pretend we didn’t have `M`

, which is a mask. In such a case, `B = B ^ T`

would be equivalent to `B = B ^ B ^ (A >> n)`

. That would itself be equivalent to `B = A >> n`

. Then the last line would be equivalent to `A = A ^ B ^ ((A >> n) << n)`

, where `B`

is our original B. `(A >> n) << n`

essentially clears the bottom `n`

bits and preserves the rest. So this last line would compute `B`

xor’d with the top `K-n`

(where `K`

is the total number of bits in the word) of `A`

.

So the only difference here is that we have a mask `M`

, which adjusts the bits in the word `T`

and therefore affects which bits are included in our resulting values. It should be possible to deduce what affects the results if you think about it a little more, although it’s a little more difficult to describe using words.

This function is considered linear because it includes only XORs, ANDs, and shifts, and those are linear in GF(2). Other, similar operations which are linear in GF(2) include CRCs. Without going into the cryptography too much here, which isn’t on topic, most cryptographic algorithms include linear operations (which often offer cheap diffusion) with non-linear operations (to prevent using linear cryptanalysis to easily solve them). If you want to know more about the cryptographic purposes of this function, you should ask that on Cryptography Stack Exchange, where you’ll get a better, on-topic response by someone much more capable in cryptography than I am.

Answered By – bk2204

Answer Checked By – Clifford M. (BugsFixing Volunteer)