Figure 3.1 Binomial Distribution
3.5.2.1 The Central Term and the Tails
Stacking consecutive binomial terms, we have
Equation 3.5.2
The second term in the right-hand side is positive when k < (n + 1)p and then becomes negative after k > (n + 1)p. So, the ratio in (3.5.2) is greater than 1 when k < (n + 1)p and is less than 1 after k > (n + 1)p. Consequently, b(k; n, p) increases as k does before k reaches (n + 1)p and then decreases after k > (n + 1)p. Therefore, the binomial term b(k; n, p) reaches the maximum value at the point k = (n + 1)p. The binomial term
Equation 3.5.3
is called the central term. Since the central term reaches the maximum value, the point (n + 1)p is one with "the most probable number of successes." Notice that when (n + 1)p is an integer, the ratio in (3.5.2) is 1, and therefore in this case we have two central terms b((n + 1)p – 1; n, p) and b((n + 1)p; n, p).
Let r > (n + 1)p, i.e., r is a point somewhere to the right of the point of "the most probable number of successes." We know that the terms b(k; n, p) decrease for all k ≥ r. We can estimate the speed of the decrease by replacing k with r in the right-hand side of (3.5.2) and obtain
• Table of Contents
Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company
Publisher: Prentice Hall PTR Pub Date: July 25, 2003
ISBN: 0-13-066943-1 Pages: 648
Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.
In particular, we have
Notice that (3.5.4) holds for all k = r + 1, r + 2, …, n. Therefore we have
Equation 3.5.5
Now for r > np, let us see an upper bound of the probability of having r or more "successes," which is
Equation 3.5.6
By (3.5.5), we have
Replacing s back to , we have
Now we notice that there are only r – (n + 1)p binomial terms between the central term and b(r; n, p), each is greater than b(r; n, p), and their sum is still less than 1. Therefore it turns out that b(r; n, p) < (r – (n + 1)p)⁻¹. We therefore finally reach
Equation 3.5.7
The bound in (3.5.7) is called a right tail of the binomial distribution function. We can see that if r is slightly away from the central point (n + 1)p, then the denominator in the fraction of (3.5.7) is not zero and hence the whole "right tail" is bounded by a quantity which is at the magnitude of (np)⁻¹. Hence, a right tail is a small quantity and diminishes to 0 when n gets large.
We can analogously derive the bound for a left tail:
Equation 3.5.8
The derivation is left for the reader as an exercise (Exercise 3.7).
At first sight of (3.5.7) and (3.5.8) it seems that the two tails are bounded by quantities which are at the magnitude of . We should however notice that the estimates derived in (3.5.7) and (3.5.8) are only two upper bounds. The real speed that a tail diminishes to 0 is much faster than
does. The following numerical example reveals this fact (also see the soundness and completeness properties of Prot 18.4 in §18.5.1.1).
Example 3.9.
Let p = 0.5. For various cases of n, let us compute left tails of binomial distribution functions bounded to the point r = n(p – 0.01).
i. For n = 1,000, the corresponding left tail is:
ii. For n = 10,000, the corresponding left tail becomes:
iii. If n is increased to 100,000, then the corresponding tail is trivialized to:
Comparing these results, it is evident that a tail diminishes to 0 much faster than does. Since p = 0.5, the distribution density function is symmetric (see Fig 3.1). For a symmetric distribution, a right tail equals a left one if they have the equal number of terms. Thus, for case (iii), the sum of the two tails of 98,000 terms (i.e., 98% of the total terms) is practically 0, while the sum of the terms of the most probable number of successes (i.e., 2% of the total terms around the center, there are 2,001 such terms) is practically 1.
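The computation behind Example 3.9 can be reproduced directly. The following Python sketch is an added example, not code from the book: it sums binomial terms in log space so that n = 100,000 does not underflow, and it checks the central-term claim by brute force. The function names are hypothetical, and the left tail is taken as the terms k = 0, ..., r – 1, which is the reading consistent with the 2,001 central terms counted above.

```python
import math

def log_b(k, n, p):
    """Natural log of b(k; n, p); log space avoids underflow for large n."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))

def term_sum(n, p, lo, hi):
    """Sum of b(k; n, p) for k = lo .. hi inclusive."""
    return math.fsum(math.exp(log_b(k, n, p)) for k in range(lo, hi + 1))

def left_tail(n, p, r):
    """Prob[fewer than r successes]: the terms k = 0 .. r - 1 (assumed reading)."""
    return term_sum(n, p, 0, r - 1)

def most_probable(n, p, tol=1e-9):
    """Brute-force argmax of b(k; n, p); two indices when (n + 1)p is an integer."""
    logs = [log_b(k, n, p) for k in range(n + 1)]
    best = max(logs)
    return [k for k, v in enumerate(logs) if best - v < tol]

def example_3_9(p=0.5, delta=0.01, sizes=(1_000, 10_000, 100_000)):
    """For each n: r = n(p - delta), the left tail, and the central mass."""
    rows = []
    for n in sizes:
        r = round(n * (p - delta))
        tail = left_tail(n, p, r)
        # Symmetric window r .. n - r around the centre; valid because p = 0.5.
        centre = term_sum(n, p, r, n - r)
        rows.append((n, r, tail, centre))
    return rows

if __name__ == "__main__":
    # (n + 1)p integer gives two central terms; otherwise one.
    print(most_probable(9, 0.5), most_probable(10, 0.5))
    for n, r, tail, centre in example_3_9():
        print(f"n={n:>7} r={r:>6} left tail={tail:.5e} "
              f"centre={centre:.12f} 1/n={1 / n:.0e}")
```

The last column prints 1/n next to each tail so the two rates of decay can be compared side by side.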