Cryptography Reference
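According to Proposition 8.4.10,

$$
\begin{aligned}
S_{(\rho+1)N+y} &= \langle b_y, b_0, b_1, \ldots, b_{y-1}, b_{y+1}, \ldots, b_{N-2}, b_{N-1} \rangle \\
&= \langle a_{N-(\rho+1)+y}, a_{N-(\rho+1)}, a_{N-(\rho+1)+1}, \ldots, a_{N-(\rho+1)+y-1}, a_{N-(\rho+1)+y+1}, \ldots, a_{N-(\rho+1)-1} \rangle .
\end{aligned}
$$

Hence, the result holds for the case $\rho + 1$ also.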
Now we prove item (2). In round $\rho N + y$, the value of the deterministic index $i_G$ is $y \pmod{N}$ and that of the index $j_G$ remains fixed at 0. Hence the output is generated from the index

$$t_{\rho N+y} = S_{\rho N+y}[y] + S_{\rho N+y}[0].$$

Writing the permutation bytes in terms of the $a_y$'s, we get the result.
Theorem 8.4.12. Consider the two rounds $\rho N + y$ and $(\rho + 1)N + (y + 1)$, $\rho \ge 0$, $1 \le y \le N - 2$. The two keystream output bytes $z_{\rho N+y}$ and $z_{(\rho+1)N+(y+1)}$ come from the same location $t = a_{N-\rho+y-1} + a_{N-\rho+y}$ in the respective permutations $S_{\rho N+y}$ and $S_{(\rho+1)N+(y+1)}$ with the following characteristics.

1. $t = 0 \iff z_{\rho N+y} = z_{(\rho+1)N+(y+1)} = S_0[N - \rho + y]$.
2. $t = y + 1 \iff z_{\rho N+y} = suc_2(z_{(\rho+1)N+(y+1)})$ with respect to $S_0$.
3. $t \in \{0, 1, \ldots, y-1, y, y+2, y+3, \ldots, N-1\} \iff z_{\rho N+y} = suc_1(z_{(\rho+1)N+(y+1)})$ with respect to $S_0$.
Proof: Consider $\rho \ge 0$, $1 \le y \le N - 2$. From Lemma 8.4.11, we get

$$t_{\rho N+y} = t_{(\rho+1)N+(y+1)} = a_{N-\rho+y-1} + a_{N-\rho+y} = t \text{ (say)}.$$
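Again from Lemma 8.4.11, we have

$$S_{\rho N+y} = \langle a_{N-\rho+y}, a_{N-\rho}, a_{N-\rho+1}, \ldots, a_{N-\rho+y-1}, a_{N-\rho+y+1}, a_{N-\rho+y+2}, \ldots, a_{N-\rho-2}, a_{N-\rho-1} \rangle,$$

and

$$S_{(\rho+1)N+(y+1)} = \langle a_{N-\rho+y}, a_{N-\rho-1}, a_{N-\rho}, \ldots, a_{N-\rho+y-2}, a_{N-\rho+y-1}, a_{N-\rho+y+1}, \ldots, a_{N-\rho-3}, a_{N-\rho-2} \rangle .$$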
Thus, $t = 0$ if and only if

$$z_{\rho N+y} = z_{(\rho+1)N+(y+1)} = z \text{ (say)}.$$
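The simulation below is an added example, not code from the book: it runs the RC4 PRGA with $j_G$ stuck at 0 and compares rounds $\rho N + y$ and $(\rho+1)N + (y+1)$, as in Lemma 8.4.11 and Theorem 8.4.12. It assumes the round is "increment $i$, swap $S[i]$ with $S[0]$, output $S[S[i]+S[0]]$", that $a_k = S_0[k]$ with indices mod $N$, and that $suc_k$ means the $k$-th cyclic successor in $S_0$ (definitions outside this excerpt); the function names are hypothetical.

```python
import random

def stuck_prga(s0, rounds):
    """RC4 PRGA with j stuck at 0 (assumed fault model).
    Returns a list where trace[r] = (state, t, z) for round r >= 1."""
    n = len(s0)
    s = list(s0)
    trace = [None]                       # placeholder so indices match round numbers
    i = 0
    for _ in range(rounds):
        i = (i + 1) % n                  # deterministic index i_G
        s[i], s[0] = s[0], s[i]          # swap with j_G = 0
        t = (s[i] + s[0]) % n            # output location
        trace.append((tuple(s), t, s[t]))
    return trace

def check_pairs(s0, max_rho=3):
    """Compare rounds rho*N+y and (rho+1)*N+(y+1) for 1 <= y <= N-2.
    Returns tuples (rho, y, t_first, t_second, z_first, dist), where dist is
    how many cyclic steps forward in S_0 lead from the second byte to the first."""
    n = len(s0)
    pos = {v: k for k, v in enumerate(s0)}   # position of each byte in S_0
    trace = stuck_prga(s0, (max_rho + 2) * n)
    results = []
    for rho in range(max_rho + 1):
        for y in range(1, n - 1):
            _, t1, z1 = trace[rho * n + y]
            _, t2, z2 = trace[(rho + 1) * n + y + 1]
            dist = (pos[z1] - pos[z2]) % n
            results.append((rho, y, t1, t2, z1, dist))
    return results

if __name__ == "__main__":
    rng = random.Random(2024)            # constructed sample permutation, N = 16
    s0 = list(range(16))
    rng.shuffle(s0)
    for rho, y, t1, t2, z1, dist in check_pairs(s0, max_rho=1):
        print(f"rho={rho} y={y:2d} t={t1:2d} same_t={t1 == t2} dist={dist}")
```

Here `dist` is 0 when the two bytes are equal, 2 when the first is the second successor of the second, and 1 when it is the immediate successor.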