Table 1. Interval and probability values of coverage test using 12 and 14 IV bits

         12 IV Bits                        14 IV Bits
Category Limits    Probability    Category Limits    Probability
0-2571             0.199139       0-10322            0.201591
2572-2583          0.204674       10323-10345        0.195966
2584-2593          0.197856       10346-10366        0.207519
2594-2605          0.203225       10367-10389        0.195253
2606-4096          0.195106       10390-16384        0.199671

unknown state bits. For mappings close to a permutation, the cipher is more vulnerable to TMTO attacks.

4.2 $\rho$-Test

The $\rho$-test is another probabilistic distinguisher against stream ciphers, in which the encryption function is applied iteratively and a sequence of $l$-bit keystreams $Z^{(1)}, Z^{(2)}, \ldots$ is generated until one of the entries is repeated (see Fig. 4). The index of the last entry, the $\rho$-length, is used to evaluate the randomness of the cipher.

[Figure: rows $IV^{(0)} = (\ast\ast\ast \mid Z^{(0)})$, $IV^{(1)} = (\ast\ast\ast \mid Z^{(1)})$, ..., $IV^{(R)} = (\ast\ast\ast \mid Z^{(R)})$, each with an arrow to a keystream block]

Fig. 4. The rows generated in the $\rho$-test

First, we select $l$ random positions from the IV and fix the remaining (inactive) bits to a random value, then initialize the cipher with this IV and the secret key $K$ and generate an $l$-bit keystream, $Z^{(1)}$. Then $Z^{(1)}$ is assigned to the variable part of the IV, and $l$-bit keystreams are generated iteratively until one of the $Z^{(i)}$ is repeated; the index of the last entry is stored as $Index_1$. This is repeated for different assignments of the inactive IV bits, and the $Index_i$ values are then compared to their theoretical distribution using $\chi^2$ goodness-of-fit tests. The pseudocode of the $\rho$-test is given in Algorithm 4.2.

Algorithm 4.2: ρ-Test(R, l)

    Randomly select l positions p_1, p_2, ..., p_l from v bits of IV;
    for i ← 0 to R
        Randomly select IV = (iv_1, iv_2, ..., iv_v);
        Index_i = 0;
        repeat
            Z_{Index_i} = First l keystream bits using K and IV;
            (iv_{p_1}, iv_{p_2}, ..., iv_{p_l}) = (z_1, z_2, ..., z_l);
            Index_i++;
        until a Z value is repeated
    Evaluate (Index_1, ..., Index_R) using χ² test;
    return (p-value)
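
The ρ-test of Algorithm 4.2 in Python, as an added example that is not from the source text. Assumptions: the stand-in cipher (truncated SHA-256 of key and IV), all function names, the five equiprobable categories, and the ideal random-function model used for the theoretical distribution; the starting active IV bits are counted as Z(0), as in Fig. 4.

```python
import bisect, hashlib, math, random

def rho_length(keystream, iv, positions):
    """Number of distinct l-bit values Z(0), Z(1), ... seen before one repeats."""
    seen = set()
    z = tuple(iv[p] for p in positions)      # Z(0): starting active IV bits
    while z not in seen:
        seen.add(z)
        z = keystream(iv)                    # next l keystream bits
        for p, bit in zip(positions, z):     # feed them back into the IV
            iv[p] = bit
    return len(seen)

def rho_pmf(n):
    """P(rho-length = k), k = 1..n, for an ideal random function on n points."""
    pmf, surv = [], 1.0
    for k in range(1, n + 1):
        pmf.append(surv * k / n)             # step k lands on one of k old points
        surv *= 1 - k / n
    return pmf

def categories(pmf, k=5):
    """Upper limits and probabilities of k roughly equiprobable categories."""
    limits, probs, acc, cum = [], [], 0.0, 0.0
    for t, p in enumerate(pmf, start=1):
        acc, cum = acc + p, cum + p
        if len(limits) < k - 1 and cum >= (len(limits) + 1) / k:
            limits.append(t); probs.append(acc); acc = 0.0
    return limits + [len(pmf)], probs + [acc]

def rho_test(keystream, v, l, runs, rng):
    """Chi-square p-value (5 categories, 4 d.o.f.) of `runs` rho-lengths."""
    positions = rng.sample(range(v), l)
    limits, probs = categories(rho_pmf(2 ** l))
    counts = [0] * len(limits)
    for _ in range(runs):
        iv = [rng.getrandbits(1) for _ in range(v)]   # fresh inactive bits
        counts[bisect.bisect_left(limits, rho_length(keystream, iv, positions))] += 1
    chi2 = sum((c - runs * p) ** 2 / (runs * p) for c, p in zip(counts, probs))
    return math.exp(-chi2 / 2) * (1 + chi2 / 2)       # chi-square tail, 4 d.o.f.

def toy_cipher(key, l):
    """Stand-in cipher (assumption): first l bits of SHA-256(key || IV)."""
    def ks(iv):
        d = hashlib.sha256(key + bytes(iv)).digest()
        return tuple((d[i // 8] >> (i % 8)) & 1 for i in range(l))
    return ks

if __name__ == "__main__":
    rng = random.Random(1)
    print("toy cipher p-value:", rho_test(toy_cipher(b"constructed key", 10), 16, 10, 200, rng))
    print("IV ignored p-value:", rho_test(lambda iv: (0,) * 10, 16, 10, 200, rng))
```

A keystream generator that ignores its IV collapses every ρ-length to 1 or 2, so all observations fall in the lowest category and the p-value is effectively zero.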