Cryptography Reference
In-Depth Information
Each wrong entry in Next is a potential contributor to one conflict set, i.e.,
NumConflicts≤ X.
Assuming that the index j
G
is pseudo-randomly updated and each output
index is uniformly randomly distributed, we have P(x
ρ,y
= 1) =
N−1
N
. Thus,
E(x
ρ,y
) =
N−1
N
and
R−3
N
N−1
E(X)
=
E(x
ρ,y
) +
E(x
R−2,y
)
ρ=0
y=1
y=1
(R−1)(N −1)−
N −1
N
=
.
Thus, the attacker can run the PartResolvePerm algorithm once on the
sequence of available keystream bytes and count the number of conflict sets.
Numconflicts would be O(R) if j
G
is stuck during the interval when those
keystream bytes were generated; otherwise, Numconflicts will be O(RN).
RESEARCH PROBLEMS
Problem 8.1 Can Algorithm 8.2.1 be improved to detect Finney cycles more
e
ciently?
Problem 8.2 Can a fault attack be mounted if instead of the whole byte of
j, a single of j is stuck?
Problem 8.3 Can a fault attack be mounted if the attacker can choose spe-
cific bits of j to inject faults?
