Information Technology Reference
In-Depth Information
Table 2.
Interval and probability values of
ρ
-test using 15 and 20 IV bits
15 IV Bits 20 IV Bits
Category Limits Probability Category Limits Probability
2- 122
0.201906
2-685
0.200258
123 - 184
0.200448
686-1036
0.200124
185 - 246
0.199904
1037-1386
0.199400
247 - 325
0.198270
1387-1838
0.200518
326 - 32768
0.199472
1839 -1048576
0.199700
Using the recursive formula (4), the probability distribution of
R
i
for 15 and 20
bits is calculated and categorized into 5 groups with approximately equal proba-
bility. The limit of the groups and corresponding probabilities are given in Table 2.
Rows of the Hellman tables are generated by applying encryption and reduc-
tion functions iteratively. This test generates rows similar to Hellman's table
and calculates their
ρ
-length. Obtaining a low
p
-value from the
ρ
test means
that length of iterations is statistically different than the expected values. Hav-
ing short cycles results low coverage, which motives us to use smaller number of
iterations
t
.
4.3 DP-Coverage Test
The last distinguisher is very similar to the coverage test described in Sect. 4.1.
The only difference is instead of considering the coverage of first
l
keystream
bits, we find the coverage of
l
bit keystream after the first
k
bit DP, as given in
Fig. 5.
(0
,
0
,...,
0
,
∗
,
∗
,...,
∗
)
kbits
lbits
Fig. 5.
Distinguished Points
First, we select
l
random positions (active bits) from IV and fix the rest (inac-
tive) bits to a random value. Then, we synchronize the cipher for all possible 2
l
IVs and generate
l
bit distinguished keystreams. Then, we calculate the number
of different
l
bit keystreams and denote it as
C
1
. We repeat the experiment for
a number of times with different assignments of the inactive IV bits and obtain
a coverage variable for each trial, then evaluate the randomness of the cipher
based on the distribution of
C
i
's. The pseudocode of the DP coverage test is
given in Algorithm 4.3. To evaluate the output coverage values, the theoretical
distribution given in the coverage test is used.
Distinguished points in TMTO attacks are used to reduce the number of
memory checks, since only distinguished keystream portions with a special
property are checked. These distinguished portions are assumed to be uniformly
distributed throughout the keystream, otherwise it is possible to distinguish the
