Cryptography Reference
The
k
term is upper-bounded by
r
with
r
=
2
. Furthermore, we have
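$$\binom{n}{r}\frac{1}{2^n} \le \prod_{i=1}^{r}\left(1-\frac{1}{2i}\right)$$
with equality when $n$ is even. Then
$$\log\left(\binom{n}{r}\frac{1}{2^n}\right) \le \sum_{i=1}^{r}\log\left(1-\frac{1}{2i}\right) \le -\frac{1}{2}\sum_{i=1}^{r}\frac{1}{i} \le -\frac{1}{2}\int_{1}^{r+1}\frac{dt}{t} \le -\frac{1}{2}\log(r+1) \le -\frac{1}{2}\log\left(\frac{n}{2}+1\right)$$
and therefore
$$\binom{n}{k}\frac{1}{2^n} \le \sqrt{\frac{2}{n+2}}.$$
Now we have
$$k\binom{n}{k}\frac{1}{2^n} = n\binom{n-1}{k-1}\frac{1}{2^n} \le \frac{n}{2}\sqrt{\frac{2}{n+1}} \le \sqrt{\frac{n}{2}}.$$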
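The two bounds on the binomial terms used in this proof, $\binom{n}{k}/2^n \le \sqrt{2/(n+2)}$ and $k\binom{n}{k}/2^n \le \sqrt{n/2}$, together with the product identity for even $n$, can be checked exactly with integer arithmetic. The Python below is an added example, not taken from the book; the function names and the tested range of $n$ are choices made here.

```python
from fractions import Fraction
from math import comb


def half_product(r):
    """prod_{i=1..r} (1 - 1/(2i)) as an exact fraction."""
    p = Fraction(1)
    for i in range(1, r + 1):
        p *= Fraction(2 * i - 1, 2 * i)
    return p


def central_term(n):
    """Largest term of row n: binom(n, n//2) / 2^n."""
    return Fraction(comb(n, n // 2), 2 ** n)


def bounds_hold(n):
    """Check both bounds for every k in 0..n, squared to stay in integers.

    binom(n,k)/2^n   <= sqrt(2/(n+2))  <=>  (n+2) * binom^2   <= 2 * 4^n
    k*binom(n,k)/2^n <= sqrt(n/2)      <=>  2 * k^2 * binom^2 <= n * 4^n
    """
    four_n = 4 ** n
    for k in range(n + 1):
        b2 = comb(n, k) ** 2
        if (n + 2) * b2 > 2 * four_n:
            return False
        if 2 * k * k * b2 > n * four_n:
            return False
    return True


def first_failure(n_max):
    """Smallest n in 1..n_max where a check fails, or None if all pass."""
    for n in range(1, n_max + 1):
        # Product identity: equality is claimed for even n (r = n/2).
        if n % 2 == 0 and central_term(n) != half_product(n // 2):
            return n
        if not bounds_hold(n):
            return n
    return None


if __name__ == "__main__":
    print("first failing n up to 300:", first_failure(300))
    print("n=6:", central_term(6), "=", half_product(3))
```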
We deduce
θ
√
n
2
(
n
θ
+
1)
2
3
2
p
c
−
|
−
p
0
|≤
2
×
.
n
−
1
θ
√
n
4wehave
(
n
θ
+
1)
2
n
−
1
1
2
3
2
<
p
c
Whe
n
<
an
d
n
≥
−
0, and so we obtain
|
−
p
0
|≤
θ
√
n
. When
$\theta\sqrt{n} \ge \frac{1}{2}$, this also holds since the right-hand side of the inequality is greater than 1 and the left-hand side is a difference between two probabilities. This proves the upper bound.
2
Now here is the advantage of linear distinguishers.
Theorem 4.9 (Vaudenay 2003 [183]). Given two random permutations $C$ and $C^*$ over the same message space $\{0,1\}^m$, where $C^*$ is uniformly distributed, we let $\mathrm{Adv}(C, C^*)$ be the difference in the probability that the linear distinguisher of complexity $n$ (as