together, one can verify that

$$P(z_1 = f_0 \vee z_1 = 1 - f_1 \vee z_1 = f_2) = 1 - (1 - 0.0043)(1 - 0.0053)(1 - 0.0053) = 0.0148.$$

The independence assumption in calculating the probability is supported by
experimental results. The above result implies that out of randomly chosen
10000 secret keys, in 148 cases on an average, $z_1$ reveals $f_0$ or $1 - f_1$ or $f_2$,
i.e., $K[0]$ or $1 - (K[0] + K[1] + 1)$ or $(K[0] + K[1] + K[2] + 3)$. If, however,
one considers only random association, the probability that $z_1$ will be among
three randomly chosen values $v_1, v_2, v_3$ from $\{0, \ldots, 255\}$, is given by

$$P(z_1 = v_1 \vee z_1 = v_2 \vee z_1 = v_3) = 1 - \left(1 - \frac{1}{256}\right)^3 = 0.0117.$$

Thus, one can guess $z_1$ with an additional advantage of

$$\frac{0.0148 - 0.0117}{0.0117} \times 100\% = 27\%$$

over the random guess.

Looking at $z_2$, from Theorem 5.6.3 and Table 5.5, we have

$$P(z_2 = 2 - f_2) = 0.0053,$$

which provides an advantage of

$$\frac{0.0053 - 0.0039}{0.0039} \times 100\% = 36\%.$$

Similarly, referring to Theorem 5.6.3 and Theorem 5.6.6 (and also Table 5.5
and Table 5.6), significant biases can be observed in the events $(z_r = f_{r-1})$
given $z_r = r - f_r$, for $r = 3$ to $32$, over random association.

Next, consider the following scenario with the events $A_1, \ldots, A_{32}$, where

$$A_1 : (z_1 = f_0 \vee z_1 = 1 - f_1 \vee z_1 = f_2),$$

$$A_2 : (z_2 = 2 - f_2),$$

and

$$A_r : (z_r = f_{r-1} \vee z_r = r - f_r) \quad \text{for } 3 \le r \le 32.$$

Observing the first 32 keystream output bytes $z_1, \ldots, z_{32}$, one may attempt
to guess the secret key, assuming that 3 or more of the events $A_1, \ldots, A_{32}$
occur. Experimenting with 10 million randomly chosen secret keys of length
16 bytes, it is found that 3 or more of the events occur in a proportion of 0.0028
of the cases, compared with a proportion of 0.0020 under random association.
This demonstrates a substantial advantage (40%) over the random guess.
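
The experiment described above can be rerun on a smaller scale with the following added example, which is not code from the original text. It assumes the closed form $f_y = y(y+1)/2 + K[0] + \cdots + K[y] \pmod{256}$ with the key repeated cyclically, which agrees with the three instances $K[0]$, $K[0] + K[1] + 1$ and $K[0] + K[1] + K[2] + 3$ given above; all function names are illustrative.

```python
import random

def keystream(key, n):
    """First n RC4 output bytes z_1..z_n (returned as a 0-indexed list)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = []
    for _ in range(n):                         # output generation (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return out

def f(key, y):
    """Assumed closed form: f_y = y(y+1)/2 + K[0] + ... + K[y] mod 256."""
    return (y * (y + 1) // 2 + sum(key[x % len(key)] for x in range(y + 1))) % 256

def events(key):
    """Booleans for the events A_1..A_32 as defined in the text."""
    z = [None] + keystream(key, 32)            # z[r] is the r-th output byte
    ev = [z[1] in (f(key, 0), (1 - f(key, 1)) % 256, f(key, 2)),   # A_1
          z[2] == (2 - f(key, 2)) % 256]                            # A_2
    ev += [z[r] in (f(key, r - 1), (r - f(key, r)) % 256)          # A_3..A_32
           for r in range(3, 33)]
    return ev

def random_association(k):
    """Probability that a uniform byte is among k independent uniform guesses."""
    return 1 - (1 - 1 / 256) ** k

def estimate(trials, seed=1, keylen=16):
    """Empirical (P(A_1), P(3 or more of A_1..A_32)) over random 16-byte keys."""
    rng = random.Random(seed)                  # constructed sample keys, fixed seed
    a1 = three = 0
    for _ in range(trials):
        ev = events([rng.randrange(256) for _ in range(keylen)])
        a1 += ev[0]
        three += sum(ev) >= 3
    return a1 / trials, three / trials

if __name__ == "__main__":
    p1, p3 = estimate(200_000)
    print(f"P(A_1) ~ {p1:.4f} vs random {random_association(3):.4f}; P(>=3 events) ~ {p3:.4f}")
```

A few hundred thousand keys are enough to separate the estimate of $P(A_1)$ from the random-association value; the rarer "3 or more events" case needs a run closer in size to the 10 million keys used in the text.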