Lightweight multimedia encryption: Algorithms and performance analysis.  Page 100 

Proof: Let $G$ denote the range of $g(\cdot, \cdot)$. For $z \in G$, a preimage attack aims at finding a pair of inputs $x$ and $k$ such that $g(x, k) = z$.

First, let us study the relationship between the lengths of $x$ and $k$ in $g(x, k)$, which are of $m$ and $n$ bits, respectively. Generally, we have $m < n$. Otherwise, if $m \ge n$, for all $x > 2^{n-1}$, $(x + 1)^2 - x^2 = 2x + 1 > 2^n$. That is, the gap between successive $x^2$ is larger than the maximal value of $h(k)$, which enables one to determine the value of $x$ for a large value of $z$. Practically, it is not difficult to construct a hash function with a longer output length from a basic hash function $h(\cdot)$ with a shorter output length, such as concatenating $h(k), h(k + 1), h(k + 2), \cdots$. Thus, when $m \ge n$, we just extend the output length of $h(\cdot)$ until $m < n$ is satisfied.

The maximal element of space $\{0, 1\}^m$ is $2^m - 1$. Thus, the maximal value of $z = x^2 + h(k)$ is $(2^m - 1)^2 + 2^n - 1 = 2^{2m} - 2^{m+1} + 2^n$, and any value of $z$ less than this bound can be obtained for the reasons discussed above. Hence, $G = 2^{2m} - 2^{m+1} + 2^n$.

For a given $z \in G$, we may consider the following two attack strategies.

1. Attack on $h(k)$. A random $m$-bit number $x$ is first chosen. The cryptanalyst then attempts to find $k$ such that $h(k) = z - x^2$. Given the randomness of $z$ and $x$, this is equivalent to finding a preimage of $h(\cdot)$ for a random value. The computational complexity is known to be $2^n$ for a good $n$-bit hash function.

2. Attack on $x^2$. In this case, a random key $k \in K$ is chosen and the cryptanalyst computes $z - h(k)$ and checks to see whether it is a square of some $x \in \{0, 1\}^m$. The computational complexity is equal to the total number of trials before a hit is met.
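The sketch below is an added example, not code from the thesis. It checks two steps of the proof on toy parameters: that $x$ is uniquely determined by $z$ once $x > 2^{n-1}$ (the reason for requiring $m < n$), and how strategy 2 counts trials. The stand-in hash (SHA-256 truncated to $n$ bits), the function names and the parameter values are all assumptions chosen for illustration.

```python
import hashlib
from math import isqrt

def h(k: int, n: int) -> int:
    """Stand-in n-bit hash (assumption): top n bits of SHA-256(k)."""
    digest = hashlib.sha256(k.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n)

def g(x: int, k: int, n: int) -> int:
    """The function analysed in the proof: g(x, k) = x^2 + h(k)."""
    return x * x + h(k, n)

def recover_x(z: int, n: int):
    """Case m >= n: if isqrt(z) > 2^(n-1), the gap 2x+1 between successive
    squares exceeds every possible h(k), so x = isqrt(z) is the only x
    consistent with z. Returns None when x is too small for the argument."""
    x = isqrt(z)
    return x if x > 2 ** (n - 1) else None

def attack_on_square(z: int, m: int, n: int, keys):
    """Strategy 2: for each candidate k, test whether z - h(k) is the square
    of an m-bit x. Returns (x, k, trials) for the first hit, else None."""
    for trials, k in enumerate(keys, start=1):
        r = z - h(k, n)
        if r < 0:
            continue
        x = isqrt(r)
        if x * x == r and x < 2 ** m:
            return x, k, trials
    return None

if __name__ == "__main__":
    # Constructed toy case with m >= n (m = 16, n = 8): x leaks from z alone.
    z = g(40000, 1234, 8)
    print("recovered x:", recover_x(z, 8))
    # Constructed toy case with m < n (m = 4, n = 12): count trials to a hit.
    z = g(9, 777, 12)
    x, k, trials = attack_on_square(z, 4, 12, range(100000))
    print(f"preimage (x={x}, k={k}) after {trials} trials")
```

The pair found by `attack_on_square` need not be the original $(x, k)$; any pair with $g(x, k) = z$ is a preimage, which is what the trial count in the proof measures.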
Repository email  cisadmin@lib.usc.edu 