6.3.2 A Conditional Bias in Equality of Any Two Consecutive Bytes
The following technical result is a consequence of the leakage of $j_G$ in the keystream as quantified in Theorem 5.4.8.

Theorem 6.3.4. $P(z_{r+1} = z_r \mid 2z_r = i_r) = \frac{1}{N}\left(1 + \frac{2}{N^2}\right)$, $r \geq 1$.

Proof: Item 3 of Corollary 5.4.2 gives, for $r \geq 0$,
$$P(j_r = z_{r+1} \mid 2z_{r+1} = i_{r+1}) = \frac{2}{N} - \frac{1}{N(N-1)}.$$
From Theorem 5.4.8, we get
$$P(z_{r+2} = j_r) = \frac{1}{N}\left(1 + \frac{2}{N}\right).$$
Now,
$$\begin{aligned}
& P(z_{r+2} = z_{r+1} \mid 2z_{r+1} = i_{r+1}) \\
&= P(j_r = z_{r+1} \mid 2z_{r+1} = i_{r+1}) \cdot P(z_{r+2} = z_{r+1} \mid j_r = z_{r+1},\, 2z_{r+1} = i_{r+1}) \\
&\quad + P(j_r \neq z_{r+1} \mid 2z_{r+1} = i_{r+1}) \cdot P(z_{r+2} = z_{r+1} \mid j_r \neq z_{r+1},\, 2z_{r+1} = i_{r+1}) \\
&= P(j_r = z_{r+1} \mid 2z_{r+1} = i_{r+1}) \cdot P(z_{r+2} = j_r \mid j_r = z_{r+1},\, 2z_{r+1} = i_{r+1}) \\
&\quad + P(j_r \neq z_{r+1} \mid 2z_{r+1} = i_{r+1}) \cdot P(z_{r+2} = z_{r+1} \mid j_r \neq z_{r+1},\, 2z_{r+1} = i_{r+1}) \\
&= P(j_r = z_{r+1} \mid 2z_{r+1} = i_{r+1}) \cdot P(z_{r+2} = j_r) \\
&\quad + P(j_r \neq z_{r+1} \mid 2z_{r+1} = i_{r+1}) \cdot P(z_{r+2} = z_{r+1} \mid j_r \neq z_{r+1},\, 2z_{r+1} = i_{r+1}) \\
&= \left(\frac{2}{N} - \frac{1}{N(N-1)}\right)\left(\frac{1}{N} + \frac{2}{N^2}\right) + \left(1 - \frac{2}{N} + \frac{1}{N(N-1)}\right) \cdot \frac{1}{N-1} \cdot \left(1 - \frac{1}{N} - \frac{2}{N^2}\right) \\
&\approx \frac{1}{N} + \frac{2}{N^3} = \frac{1}{N}\left(1 + \frac{2}{N^2}\right),
\end{aligned}$$
neglecting the higher order terms. Note that the event $(z_{r+2} = j_r)$ is considered to be independent of the event $(j_r = z_{r+1} \;\&\; 2z_{r+1} = i_{r+1})$. Further, the term $\frac{1}{N-1}$ comes due to the uniformity assumption for the events $(j_r = z_{r+1} + \gamma \mid 2z_{r+1} = i_{r+1})$