Cryptography Reference
In-Depth Information
depicted in Fig. 4.12) outputs 1 when the oracle implements the distributions of C and
C
∗
. We have
E
LP
C
(
a
b
)
+
n
C
∗
)
Adv (
C
,
≤
3
3
n
.
,
3
3
1
.
2
m
−
Therefore, the attack is meaningless until the number of known plaintexts
n
reaches
the order of magnitude of
E
LP
C
(
a
b
)
.
≈
/
,
n
1
Proof.
We first notice that the advantage is zero when
a
=
0or
b
=
0, so the bound
=
=
holds. Let us now assume that
a
0. We now take a random permutation
C
with the corresponding
Z
and
p
C
as in the previous lemma. Let
0 and
b
δ
=
−
1)
2
).
E
((2
Z
E
(LC
C
(
a
(Note that
δ
=
,
b
)).) When
|
2
Z
−
1
|≤
α
,wehave
×
α
√
n
p
C
|
−
p
0
|≤
2
.
−
1)
2
is positive, the probability that
|
2
Z
−
1
|
is greater than
α
is less than
Since (2
Z
δ
α
2
. Hence
×
α
√
n
+
δ
α
|
p
−
p
0
|≤
2
2
for any
α
.
√
n
√
δ
1
3
Let us now fix
α
=
. We obtain
|
p
−
p
0
|≤
3
×
3
n
.
E
LP
C
(
a
b
)
. Since
a
We recall that
δ
=
,
=
0 and
b
=
0 we finally note that
E
LP
C
∗
(
a
b
)
=
1
2
m
,
and so we can have
−
1
n
p
∗
−
|
p
0
|≤
3
3
1
.
2
m
−
|
−
p
∗
|≤|
−
p
0
|+|
p
∗
−
p
0
|
Finally, we use the fact that
p
p
.
4.3.4
Ad hoc Construction
We define
a
=
0
,
b
E
DP
C
(
a
b
)
EDP
max
=
,
max
0
E
LP
C
(
a
b
)
.
ELP
max
=
max
a
,
,
b
=
Search WWH ::
Custom Search