Lightweight multimedia encryption: Algorithms and performance analysis.  Page 123 
A.5 Proof of Lemma 5

Let $K_i$ denote the set of alias keys corresponding to each plaintext/ciphertext pair $(A_i, C_i)$, $i = 1, 2, \ldots$. According to Lemma 4, each $K_i$ contains about $A(N) \sim c^N$ keys out of all possible $R(N)$ keys. We use $X_i$ to denote the set of possible keys. First, it is clear that $X_1 = K_1$. After each pair $(A_i, C_i)$ is checked, the set of possible keys is the intersection of the current set and $K_i$; namely, $X_i = X_{i-1} \cap K_i$ or, equivalently, $X_i = K_1 \cap K_2 \cap \cdots \cap K_i$. We would like to find the index $i$ such that $|X_i| = 1$, i.e., $X_i$ contains only one element, which is the correct key.

Instead of treating $X_i$ directly, we consider its complementary set $\bar{X}_i = R - X_i$, where $R$ denotes the set of all possible $R(N)$ keys as specified in Lemma 2. According to the set operation rule, we have

$$\bar{X}_i = \overline{K_1 \cap K_2 \cap \cdots \cap K_i} = \bar{K}_1 \cup \bar{K}_2 \cup \cdots \cup \bar{K}_i, \tag{A.5}$$

where $\bar{K}_i = R - K_i$ is the complementary set of $K_i$. Note that $|X_i| = 1$ is equivalent to $|\bar{X}_i| = R(N) - 1$. Since $R(N) > 2^N \gg 1$, we can take $|\bar{X}_i| = R(N)$, which means $\bar{X}_i = R$.

Since a cryptanalyst cannot manipulate the input stream $A$ arbitrarily, we may assume that each alias key set $K_i$ is a random drawing of $A(N)$ keys out of a bin of $R(N)$ keys. Conversely, $\bar{K}_i$ is a random drawing of $R(N) - A(N)$ keys. This attack is therefore treated as a random test. Each step constitutes drawing a random set $\bar{K}_i$ from $R$ and joining the elements of $\bar{K}_i$ into the set $\bar{X}_i$. The random test is terminated when $\bar{X}_i = R$, that is, when $\bar{X}_i$ contains all elements in $R$. The problem amounts to finding the expected number of trials before this random test can terminate.

This problem turns out to be a variant of the classic coupon collector problem, where one randomly draws one coupon at a time from a total of $N$ coupons until all $N$ coupons have been collected. It is a well-known result that the expected number of draws to collect all $N$ coupons is $N \ln N$. The difference here is that the draw size is $R(N) - A(N)$ instead of 1.

Due to the randomness of available plaintexts (note that a cryptanalyst cannot manipulate the input stream $A$ due to the black box structure), all keys in each $K_i$ can be viewed as independently drawn from all $R(N)$ keys with an equal probability. Therefore, we can treat each step in our test as an aggregation of $R(N) - A(N)$ tests in the coupon collection problem. The expected number of tests is equal to $R(N) \ln R(N)$ divided by $R(N) - A(N)$, i.e.,

$$P(N) = \frac{R(N)}{R(N) - A(N)} \ln R(N).$$

It is already shown that $R(N) > 2^N$ and $A(N) \sim c^N$ for some constant $1 < c < 2$. For sufficiently large $N$, we have $R(N) \gg A(N)$ and $\frac{R(N)}{R(N) - A(N)} \to 1$. Finally, taking $2^N$ as a rough estimate of $R(N)$, we obtain

$$P(N) \approx N \ln 2,$$

which completes the proof.
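The random test used in the proof can be checked numerically. The Python sketch below is an added example, not part of the thesis: it assumes $R(N) = 2^N$ (the rough estimate used above), an illustrative $c = 1.5$, and hypothetical function names, and it compares the simulated mean number of plaintext/ciphertext pairs with the expression for $P(N)$.

```python
import math
import random

def key_space(n):
    """R(N), using the proof's rough estimate R(N) = 2^N (assumption)."""
    return 2 ** n

def alias_keys(n, c=1.5):
    """A(N) ~ c^N; c = 1.5 is an assumed value in the range 1 < c < 2."""
    return round(c ** n)

def predicted_pairs(n, c=1.5):
    """P(N) = R/(R - A) * ln R, the expression derived in the proof."""
    r, a = key_space(n), alias_keys(n, c)
    return r / (r - a) * math.log(r)

def simulate_pairs(n, c=1.5, trials=300, seed=1):
    """Monte Carlo run of the proof's random test.

    Each step stands for one plaintext/ciphertext pair: it adds R - A
    independent uniform draws from the R keys to the eliminated set, and
    the test ends once every key has been drawn at least once.
    Returns the mean number of steps over `trials` runs.
    """
    rng = random.Random(seed)
    r, a = key_space(n), alias_keys(n, c)
    batch = r - a
    total = 0
    for _ in range(trials):
        seen = set()
        steps = 0
        while len(seen) < r:
            seen.update(rng.choices(range(r), k=batch))
            steps += 1
        total += steps
    return total / trials

if __name__ == "__main__":
    # Columns: N, N ln 2, P(N) from the formula, simulated mean.
    for n in (6, 8, 10):
        print(n, round(n * math.log(2), 2), round(predicted_pairs(n), 2),
              round(simulate_pairs(n), 2))
```

The simulated mean sits slightly above $P(N)$ because $N \ln N$ is only the leading term of the coupon collector expectation and each step counts as a whole pair.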
Repository email  cisadmin@lib.usc.edu 