Cryptography Reference
In-Depth Information
by linearity of expectation,
31
E(M)
=
E(m
b
)
b=0
31
=
r
b
.
b=0
Substituting the values of r
b
's from Theorem 10.3.4, we get
E(M) ≈ 16 +
13
3
2
−81
.
Along the same line of the above idea, a new word-based distinguisher
counting the number of zeros in created sets of (32) bits has recently been
reported in [173]. This work claims to require around 2
152.537
such sets to
mount the distinguisher.
10.3.3 A Distinguisher Spread over Three 512-Word Blocks
In this section, we are going to describe the distinguisher recently reported
in [106].
Once again, refer to the visualization of the array P as explained in
Table 10.1. The keystream generation occurs in blocks of 512 words. If
B
1
,B
2
,B
3
,B
4
,... denote successive blocks, the array P is updated in blocks
B
1
,B
3
,B
5
,... and the array Q is updated in blocks B
2
,B
4
,B
6
,..., and so
on. Without loss of generality, for some fixed t, consider a block B
2t+1
of 512
keystream word generation in which the array P is updated. The symbol P
without any subscript or superscript denotes the updated array in the current
block B
2t+1
. Let P
−1
and P
−2
denote the updated arrays in blocks B
2t−1
and
B
2t−3
respectively.
From Equation (10.1) (see Section 10.2), using the equality of XOR and
sum for the least significant bit, one can write, for 10 ≤ i mod 512 < 511,
23
⊕
0
=
0
⊕
10
⊕
8
. (10.4)
P[i]
P
−1
[i]
P[i ⊟ 3]
P
−1
[i ⊟ 511]
P[i ⊟ 10]
Similarly, we can write
0
=
0
⊕
10
⊕
23
⊕
8
. (10.5)
P
−1
[i]
P
−2
[i]
P
−1
[i⊟3]
P
−2
[i⊟511]
P
−1
[i⊟10]
XOR-ing both sides of Equation (10.4) and Equation (10.5) and rearrang-
ing terms, we have, for 10 ≤i mod 512 < 511,
0
⊕
0
10
⊕
10
P[i]
P
−2
[i]
=
P[i ⊟ 3]
P
−1
[i ⊟ 3]
8
⊕
8
⊕
P[i ⊟ 10]
P
−1
[i ⊟ 10]
(10.6)
23
⊕
23
⊕
P
−1
[i ⊟ 511]
P
−2
[i ⊟ 511]
.