Cryptography Reference
In-Depth Information
Theorem 4.5.1 implies that the permutation $S_N$ and its inverse $S_N^{-1}$ reveal information about the secret index $j$ in each byte. This result can be used to reveal the secret key in the following manner.
Let
\[
G_0 = \{S_N[0],\; S_N^{-1}[0]\}
\]
and for $1 \le y \le N-1$, let
\[
G_y = \{\, u - v - y \;\mid\; u \in \{S_N[y]\} \cup \{S_N^{-1}[y]\},\; v \in \{S_N[y-1]\} \cup \{S_N^{-1}[y-1]\} \,\}.
\]
Once more we remind the reader that in $(u - v - y)$ the operations are modulo $N$. For $0 \le y \le N-1$, $G_y$ represents the set of possible values that the key byte $K[y]$ can take.
It is highly likely that $S_N[y] \ne S_N^{-1}[y]$ and $S_N[y-1] \ne S_N^{-1}[y-1]$. Hence we consider $|G_0| = 2$ and $|G_y| = 4$, $1 \le y \le N-1$. We write
\[
G_0 = \{g_{01},\, g_{02}\},
\]
where $g_{01} = S_N^{-1}[0]$ and $g_{02} = S_N[0]$; and for $1 \le y \le N-1$,
\[
G_y = \{g_{y1},\, g_{y2},\, g_{y3},\, g_{y4}\},
\]
where
\begin{align*}
g_{y1} &= S_N^{-1}[y] - S_N^{-1}[y-1] - y, \\
g_{y2} &= S_N[y] - S_N[y-1] - y, \\
g_{y3} &= S_N^{-1}[y] - S_N[y-1] - y, \\
g_{y4} &= S_N[y] - S_N^{-1}[y-1] - y.
\end{align*}
Further, let
\[
p_{0x} = P(K[0] = g_{0x}), \quad 1 \le x \le 2,
\]
and for $1 \le y \le N-1$, let
\[
p_{yx} = P(K[y] = g_{yx}), \quad 1 \le x \le 4.
\]
We have the following result.
Theorem 4.5.2.
(1) $p_{01} = \dfrac{1}{N}\left(\dfrac{N-1}{N}\right)^{N} + \dfrac{1}{N}$ and $p_{02} = \left(\dfrac{N-1}{N}\right)^{N} + \dfrac{1}{N}$.
(2) For $1 \le y \le N-1$,
\begin{align*}
p_{y1} &= \frac{y(y+1)}{N^2}\left(\frac{N-1}{N}\right)^{2N-1} + \frac{1}{N}, \\
p_{y2} &= \frac{(N-y)(N-y+1)}{N^2}\left(\frac{N-1}{N}\right)^{2N-1+y} + \frac{1}{N}, \\
p_{y3} &= \frac{(y+1)(N-y+1)}{N^2}\left(\frac{N-1}{N}\right)^{2N-1+y} + \frac{1}{N}, \\
p_{y4} &= \frac{y(N-y)}{N^2}\left(\frac{N-1}{N}\right)^{2N-1+y} + \frac{1}{N}.
\end{align*}
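As an added illustration (not code from the book), the following Python builds the candidate sets $G_y$ from $S_N$ and $S_N^{-1}$ exactly as defined above, evaluates the formulas of Theorem 4.5.2, and estimates each $p_{yx}$ empirically over random keys so the two can be compared. The function names and the 16-byte key length are assumptions; $K[y]$ for $y \ge$ key length is the key repeated, as in the KSA.

```python
# Added example, not code from the book: RC4 KSA, the candidate sets G_y of
# this section, the formulas of Theorem 4.5.2, and a Monte Carlo estimate.
import random

N = 256

def ksa(key, n=N):
    """Standard RC4 key scheduling; returns the final permutation S_N."""
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % len(key)]) % n
        S[i], S[j] = S[j], S[i]
    return S

def candidates(S, y, n=N):
    """G_y as the ordered tuple (g_y1, g_y2, g_y3, g_y4), or (g_01, g_02)
    for y = 0; all arithmetic is modulo N as in the text."""
    S_inv = [0] * n                      # S_N^{-1}: value -> position
    for pos, val in enumerate(S):
        S_inv[val] = pos
    if y == 0:
        return (S_inv[0], S[0])
    return ((S_inv[y] - S_inv[y - 1] - y) % n,
            (S[y] - S[y - 1] - y) % n,
            (S_inv[y] - S[y - 1] - y) % n,
            (S[y] - S_inv[y - 1] - y) % n)

def theorem_4_5_2(y, n=N):
    """p_yx predicted by Theorem 4.5.2, in the same order as candidates()."""
    q = (n - 1) / n
    if y == 0:
        return (q ** n / n + 1 / n, q ** n + 1 / n)
    c = q ** (2 * n - 1 + y) / n ** 2
    return (y * (y + 1) * q ** (2 * n - 1) / n ** 2 + 1 / n,
            (n - y) * (n - y + 1) * c + 1 / n,
            (y + 1) * (n - y + 1) * c + 1 / n,
            y * (n - y) * c + 1 / n)

def empirical(y, trials=4000, keylen=16, seed=1, n=N):
    """Fraction of random keys (constructed here) for which K[y] == g_yx."""
    rng = random.Random(seed)
    hits = [0] * (2 if y == 0 else 4)
    for _ in range(trials):
        key = [rng.randrange(n) for _ in range(keylen)]
        for x, g in enumerate(candidates(ksa(key, n), y, n)):
            hits[x] += g == key[y % keylen]   # K[y] = key[y mod keylen]
    return [h / trials for h in hits]
```

Running `empirical(0)` and `empirical(1)` beside `theorem_4_5_2(0)` and `theorem_4_5_2(1)` shows $g_{02}$ and $g_{y2}$ (the two values read directly from $S_N$) as the strong candidates, with the others close to the $1/N$ baseline.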