Information Technology Reference
In-Depth Information
l
bits
000
...
0)
v−l
bits
Z
(1)
=(
z
(1
1
,z
(1
2
,...,z
(1)
IV
(1)
=(
∗∗∗
...
∗|
→
)
l
Z
(2)
=(
z
(2
1
,z
(2
2
,...,z
(2)
IV
(2)
=(
∗∗∗
...
∗|
000
...
1)
→
)
l
.
Z
(2
l
)
=(
z
(2
l
)
1
,z
(2
l
)
2
,...,z
(2
l
)
l
IV
(2
l
)
=(
∗∗∗
...
∗|
111
...
1)
→
)
Fig. 3.
The table generated in the coverage test
we calculate the number of distinct
Z
(
i
)
's and denote it as
C
1
which is expected
to be around 0
.
63
2
l
. We repeat the experiment for a number of times with
different assignments of the inactive IV bits and obtain a coverage variable for
each trial, then evaluate the randomness of the cipher based on the distribution
of
C
i
's. The pseudocode of the coverage test is given in Algorithm 4.1.
Using the recursive formula (2), the probability distributions of
C
i
for 12 and
14 bits are calculated and categorized into 5 groups with approximately equal
probability. The limit of the groups and corresponding probabilities are given in
Table 1.
×
Algorithm 4.1:
Coverage Test
(
R, l
)
Randomly select
l
positions
p
1
,p
2
,...,p
l
from
v
bits of IV;
for
i ←
0
to
R
⎨
⎩
Randomly select
IV
=(
iv
1
,iv
2
,...,iv
v
);
for
j ←
0
to
2
l
−
1
⎨
⎩
J
=(
j
1
,j
2
,...,j
l
) binary representation of
j
;
(
iv
p
1
,iv
p
2
,...,iv
p
l
)=
J
;
Z
(
j
)
=First
l
keystream bits using K and
IV
;
Coverage
i
= Number of distinct
Z
(0)
,...,Z
(2
l
−
1)
;
Evaluate (
Coverage
1
,...,Coverage
R
)using
χ
2
test;
return
(
p − value
)
If the coverage test returns low
p
-value (
<
0
.
01), it means that the coverage
of the corresponding mapping is statistically different than the expected values.
Obtaining a low coverage value means that the first keystream bits that are
generated using different IVs are similar, it is obviously a threat for frequently
resynchronized ciphers. This is also an indication of low diffusion properties.
Obtaining a high coverage value means that the mapping is close to a permu-
tation. This may be interpreted as follows; whenever a subpart of the secret
bits is recovered and the rest of the bits form a permutation, to identify un-
known state bits, the required number of keystream bits is equal to the number of