Cryptography Reference
In-Depth Information
and since Pr[
ΔX
3
[5] =
a
i
]=2
−
4
for all
i
=0
,
1
, ...,
15, the probability
u
such
that
ΔX
4
[6] = 0, among prepared pairs is calculated by
15
15
1
16
ΔX
3
[5] =
a
i
]
>
2
−
4
.
09312
.
u
=
u
i
=
Pr[
ΔX
4
[6] = 0
|
i
=0
i
=0
Let
b
i
denote each element in
and
v
i
denote the probabilities that
ΔX
10
[2] =
b
i
for
i
=0
,
1
, ...,
17, then the probability
p
2
that both related-key differential trails
for
E
0 are satisfied with the same output difference is calculated by
B
17
p
2
=
u
2
v
i
>
2
−
8
.
18624
2
−
3
.
83007
>
2
−
12
.
017
.
·
×
i
=0
E
1
For each element
c
i
Probability of Related-Key Differential Trail for
C
, let the probabilities
w
i
be defined by
in
w
i
=Pr[
ΔX
14
[2] = 0
|
ΔX
13
[1] =
c
i
]
,
for
i
=0
,
1
,
2
,
3, then
ΔX
14
[0
,
1
, ...,
8] = 0 with probabilities
w
i
.Both
w
3
and
w
4
are 2
−
3
for all
SK
[52], whereas
w
1
and
w
2
are among 2
−
1
,2
−
2
,and2
−
3
according to
SK
[52]. So the lower-bound of
w
i
(
i
=(0
,
1
,
2
,
3) is 2
−
3
.
Since we assume that
+
K
[1] =
+
K
[5] =
+
K
[9] =
,
we can calculate a nonzero probability
q
such that three local collisions occur
sequentially as described in Section 3.1. As we know that both the first and the
third local collisions during round 15
∇
,
∇
,and
∇
0x10
0x68
0x10
26 are of type A and
their probabilities are bounded below by 2
−
6
.
41504
and the second local collision
during round 19
∼
18 and round 23
∼
22 is of type B and its probability is 2
−
6
, the probability
q
such that related-key differential trail from round 15 to 26 is calculated by
∼
2
−
6
.
41504
−
6
−
6
.
41504
=2
−
18
.
83008
<q.
Hence, the probability
q
2
that both related-key differential trails for
E
1are
satisfied is calculated by
3
2
−
4
2
−
37
.
66016
=2
−
41
.
66016
>
2
−
41
.
661
.
q
2
=
w
i
q
2
·
≥
×
i
=0
Therefore, we have a 24-round related-key rectangle distinguisher with the prob-
ability
p
2
2
−
64
q
2
2
−
12
.
017
−
64
−
41
.
661
=2
−
117
.
678
>
2
−
117
.
68
.
·
·
≥
The probabilities occurring by additions between differences are computed by ex-
haustive counting with PC. By experiments on PC, we make sure that suggested
probabilities of related-key differential trail for
E
0and
E
1 are lower bounds of
the actual ratio of right pairs for
E
0and
E
1 respectively, under the assumption
that plaintexts and related keys are randomly chosen.
Search WWH ::
Custom Search