Niggling differential probability question.
From: Matt (cipher_q2000@yahoo.co.uk)
Date: 02/13/03
- Next message: Tomas Rosa: "Re: RSA and Number Theory"
- Previous message: Eric Doenges: "Re: Fletcher Checksum Question"
- Next in thread: Scott Fluhrer: "Re: Niggling differential probability question."
- Reply: Scott Fluhrer: "Re: Niggling differential probability question."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: cipher_q2000@yahoo.co.uk (Matt) Date: 13 Feb 2003 03:30:47 -0800
Apologies for this somewhat trivial question...
In an early DC paper[1], Biham and Shamir give a formula for the
probability of a certain (xor) difference after modulo addition: let
the two inputs be X and Y, yielding Z = X + Y mod 256. Given two
differences in the inputs, X' and Y', and the output difference Z',
the probability that X' and Y' may cause Z' = X' xor Y' is "about":
1 / (2 ** N(X' or Y')), where N(B) is the number of bits set to "1"
in the lower seven bits of B, "or" is bitwise or, and ** is
exponentiation.
This seems straightforward, but I don't understand why the word
"about" was used -- it seems that it should be "exactly", but I know
it's easy to overlook stuff in probability calculations. The paper
elaborates:
"This happens because each bit which is different in the pairs (X and
X*, Y and Y*) gives rise to a different carry with probability close
to 1/2",
Again, I don't know why it's "close to"; can someone put me out of my
misery?
Matt
[1] E. Biham and A. Shamir, "Differential Cryptanalysis of Feal and
N-Hash",
http://www.cs.technion.ac.il/~biham/Reports/Weizmann/cs91-17.ps.gz
- Next message: Tomas Rosa: "Re: RSA and Number Theory"
- Previous message: Eric Doenges: "Re: Fletcher Checksum Question"
- Next in thread: Scott Fluhrer: "Re: Niggling differential probability question."
- Reply: Scott Fluhrer: "Re: Niggling differential probability question."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
