New Distinguishers Based on Random Mappings against Stream Ciphers - Sequences and Their Applications-SETA 2008

Information Technology Reference

In-Depth Information

l bits

000 ... 0)

v−l bits

Z (1) =( z (1 1 ,z (1 2 ,...,z (1)

IV (1) =(

∗∗∗

...

∗|

→

)

Z (2) =( z (2 1 ,z (2 2 ,...,z (2)

IV (2) =(

∗∗∗

...

∗|

000 ... 1)

→

)

Z (2 l ) =( z (2 l )

,z (2 l )

,...,z (2 l )

IV (2 l ) =(

∗∗∗

...

∗|

111 ... 1)

→

)

Fig. 3. The table generated in the coverage test

we calculate the number of distinct Z ( i ) 's and denote it as C 1 which is expected

to be around 0 . 63

2 l . We repeat the experiment for a number of times with

different assignments of the inactive IV bits and obtain a coverage variable for

each trial, then evaluate the randomness of the cipher based on the distribution

of C i 's. The pseudocode of the coverage test is given in Algorithm 4.1.

Using the recursive formula (2), the probability distributions of C i for 12 and

14 bits are calculated and categorized into 5 groups with approximately equal

probability. The limit of the groups and corresponding probabilities are given in

Table 1.

Algorithm 4.1: Coverage Test ( R, l )

Randomly select l positions p 1 ,p 2 ,...,p l from v bits of IV;

for i ← 0 to R

⎨

⎩

Randomly select IV

=( iv 1 ,iv 2 ,...,iv v );

for j ← 0 to 2 l

− 1

⎨

⎩

j 1 ,j 2 ,...,j l ) binary representation of

;

( iv p 1 ,iv p 2 ,...,iv p l )= J ;

Z ( j ) =First l keystream bits using K and IV ;

Coverage i = Number of distinct Z (0) ,...,Z (2 l − 1) ;

Evaluate ( Coverage 1 ,...,Coverage R )using χ 2 test;

return ( p − value )

If the coverage test returns low p -value ( < 0 . 01), it means that the coverage

of the corresponding mapping is statistically different than the expected values.

Obtaining a low coverage value means that the first keystream bits that are

generated using different IVs are similar, it is obviously a threat for frequently

resynchronized ciphers. This is also an indication of low diffusion properties.

Obtaining a high coverage value means that the mapping is close to a permu-

tation. This may be interpreted as follows; whenever a subpart of the secret

bits is recovered and the rest of the bits form a permutation, to identify un-

known state bits, the required number of keystream bits is equal to the number of

Sequences and Their Applications-SETA 2008

Search WWH ::

Custom Search

Home