Let $X^{(1)}, X^{(2)}, \ldots, X^{(n)}$ be independent and uniformly distributed over the non-negative integers $\{0, 1, \ldots, 2^i - 1\}$; $S^{(n)} = X^{(1)} + X^{(2)} + \cdots + X^{(n)}$ and $L^{(n)} = X^{(1)} \oplus X^{(2)} \oplus \cdots \oplus X^{(n)}$. Denote the $i$-th bits of $S^{(n)}$ and $L^{(n)}$ by $S^{(n)}_i$ and $L^{(n)}_i$ respectively. We show that as $i \to \infty$, $\Pr[S^{(n)}_i = L^{(n)}_i] \to \gamma^{(n)} = \frac{1}{2} + \frac{2^{n+1}(2^{n+1}-1)}{2(n+1)} \times \frac{b_{n+1}}{n!}$, where $b_n$ is the $n$-th Bernoulli number. As a consequence, $\gamma^{(2r)} = 1/2$ for every $r$; and we show that $\gamma^{(2r+1)} \to 1/2$ as $r \to \infty$. For small values of $r$, $\gamma^{(2r+1)}$ is significantly different from $1/2$; for example $\gamma^{(3)} = 1/3$ and $\gamma^{(5)} = 17/30$. The behaviour of $\gamma^{(n)}$ for even and odd values of $n$ was earlier shown by Staffelbach and Meier without actually obtaining the formula mentioned above. For every fixed $n \ge 2$, we give a simple method for computing $\Pr[S^{(n)}_i = L^{(n)}_i]$ for each $i \ge 0$. The expression involving Bernoulli numbers is arrived at via the Eulerian number triangle which in turn arises in relation to the stationary distribution of a Markov chain formed by the carry values.
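The carry Markov chain and the closed form above can be checked against each other with exact rational arithmetic. The following is an added example, not code from the paper: the function names are hypothetical, bits are assumed to be indexed from 0 (least significant), and it uses the fact that $S^{(n)}_i = L^{(n)}_i$ exactly when the carry into bit $i$ is even.

```python
from fractions import Fraction
from math import comb, factorial

def bernoulli(m):
    """Return [b_0, ..., b_m] (convention b_1 = -1/2) via the standard recurrence."""
    b = [Fraction(1)]
    for k in range(1, m + 1):
        b.append(-sum(comb(k + 1, j) * b[j] for j in range(k)) / (k + 1))
    return b

def gamma(n):
    """Limiting agreement probability gamma^(n) from the abstract's closed form."""
    coeff = Fraction(2 ** (n + 1) * (2 ** (n + 1) - 1), 2 * (n + 1))
    return Fraction(1, 2) + coeff * bernoulli(n + 1)[n + 1] / factorial(n)

def carry_even_prob(n, i):
    """Exact Pr[S_i = L_i] for n summands, computed from the carry chain.

    Assumption (not from the page): bit 0 is the least significant bit, so the
    carry into bit 0 is 0. The carry into the next bit is floor((c + w) / 2),
    where w ~ Binomial(n, 1/2) counts the summands with a 1 in the current bit.
    The sum bit and the XOR bit agree exactly when the incoming carry is even.
    """
    weight = [Fraction(comb(n, w), 2 ** n) for w in range(n + 1)]
    dist = [Fraction(1)] + [Fraction(0)] * (n - 1)   # carries take values 0..n-1
    for _ in range(i):
        nxt = [Fraction(0)] * n
        for c, p in enumerate(dist):
            for w, q in enumerate(weight):
                nxt[(c + w) // 2] += p * q
        dist = nxt
    return sum(dist[0::2])                            # mass on even carry values

if __name__ == "__main__":
    for n in range(2, 8):
        exact = [float(carry_even_prob(n, i)) for i in (1, 2, 4, 16)]
        print(n, gamma(n), [round(x, 6) for x in exact])
```

For odd $n$ the low-order bits are noticeably further from the limit than the high-order ones, which is why the per-bit computation matters when a linear approximation targets a specific bit position.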
[1] N. J. A. Sloane, et al. The On-Line Encyclopedia of Integer Sequences, 2003, Electron. J. Comb.
[2] Willi Meier, et al. Cryptographic Significance of the Carry for Ciphers Based on Integer Addition, 1990, CRYPTO.
[3] Bart Preneel, et al. New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py, 2007, ISC.
[4] Stephen Wolfram, et al. The Mathematica Book, 1996.
[5] Roger M. Needham, et al. TEA, a Tiny Encryption Algorithm, 1994, FSE.
[6] Kaisa Nyberg, et al. Improved Linear Distinguishers for SNOW 2.0, 2006, FSE.