Cryptography Reference
In-Depth Information
≈ 0.37 for N = 256. Instead of approximating P(S
0
[1] = 2) by
Note that φ
N
1
N
, one could use Theorem 3.2.3 to substitute the exact expression, i.e.,
N−2
2
1
N
N −1
N
N −1
N
P(S
0
[1] = 2) =
+
.
However, for N = 256, practically there is no change in the value of φ
N
due
to this exact substitution.
Next we present the result that shows the bias of the first keystream output
byte toward the first three bytes of the secret key.
Theorem 5.5.2. For any arbitrary secret key, the correlation between the key
bytes and the first byte of the keystream output is given by
P(z
1
= K[0] + K[1] + K[2] + 3) ≈
1
N
(1 + φ
N
).
Proof: For the sake of brevity, once again let
f(K) = K[0] + K[1] + K[2] + 3.
Then
S
1
[t
1
] = f(K)
P (z
1
= f(K))
= P
N−1
S
1
[t
1
] = f(K) | t
1
= x
=
P(t
1
= x)P
x=0
N−1
S
1
[x] = f(K)
=
P(t
1
= x)P
x=0
S
1
[2] = f(K)
= P(t
1
= 2)P
N−1
S
1
[x] = f(K)
+
P(t
1
= x) P
x=0
even x=2
N−1
S
1
[x] = f(K)
+
P(t
1
= x)P
x=0
odd x
2
N
−
1
N(N −1)
S
1
[2] = f(K)
=
P
N−1
S
1
[x] = f(K)
1
N
−
2
N(N −1)
+
P
x=0
even x=2
N−1
1
N
S
1
[x] = f(K)
+
P
(by Theorem 5.3.1)
x=0
odd x
