
A Study on Statistical Cryptanalysis of Stream Ciphers

Thesis presentation in lieu of a public hearing (preliminary examination) @ Osaka University

Ryoma Ito

November 29, 2018


Transcript

  1. (title slide; body text not recoverable from the transcript)

    Footnote: *WPA-TKIP: Wi-Fi Protected Access - (rest of footnote not recoverable)

  2. (slide text not recoverable)

    Footnote: *WEP: Wired Equivalent Privacy, WPA: Wi-Fi Protected Access
  3. (slide text not recoverable)

  4. (diagram: bit strings 0110100… combined with ⊕; stream-cipher encryption)

  5. (diagram: RC4, KSA followed by PRGA over the state indices 0, 1, 2, …, N−1, producing the keystream Z1, Z2, …, Zr)
  6–8. (diagram, repeated on three slides: KSA → PRGA → keystream Z1, Z2, …; plaintext P1, P2, … ⊕ keystream → ciphertext C1, C2, …)
  9. (slide text not recoverable)

  10–14. (diagram repeated on five slides: KSA → PRGA → keystream Z1, Z2, …; P1, P2, … ⊕ keystream → C1, C2, …; surrounding text not recoverable)

  15. (slide text not recoverable)

  16. (definition of a keystream generator as a map … × {0, 1}^+ → {0, 1}^ℓ; the first exponent and the remaining text are not recoverable)

  17. (security definition as a distinguishing advantage of the form Pr[… = 1] − Pr[… = 1] ≤ …; formula not recoverable)

  18. (diagram: bit strings 0110100… combined with ⊕)

  19. RC4 parameters

    N = 256 (state size), ℓ = 16 (key length in bytes)
  20. Algorithm 1: KSA

    Input: K (ℓ-byte key); Output: S_0 ← S_N^K
    1: for i = 0 to N − 1 do
    2:   S_0^K[i] ← i
    3: end for
    4: j_0^K ← 0
    5: for i = 0 to N − 1 do
    6:   j_{i+1}^K ← j_i^K + S_i^K[i] + K[i mod ℓ]
    7:   Swap(S_i^K[i], S_i^K[j_{i+1}^K])
    8:   S_{i+1}^K ← S_i^K
    9: end for
    (diagram: state S_0^K, …, S_N^K over indices 0, 1, 2, …, N−1)
  21. Algorithm 2: PRGA

    Input: S_0; Output: Z_r
    1: r ← 0, i_0 ← 0, j_0 ← 0
    2: loop
    3:   r ← r + 1, i_r ← i_{r−1} + 1
    4:   j_r ← j_{r−1} + S_{r−1}[i_r]
    5:   Swap(S_{r−1}[i_r], S_{r−1}[j_r])
    6:   S_r ← S_{r−1}
    7:   t_r ← S_r[i_r] + S_r[j_r]
    8:   Z_r ← S_r[t_r]
    9: end loop
    (diagram: S_0 → S_1, indices i_1, j_1 over 0, …, N−1, S_1[i_1] ⊞ S_1[j_1] selecting the output Z_1)
  22. (key setting with a 24-bit IV; heading not recoverable)

    KSA → PRGA → Z1, Z2, …, Zr
    RC4 key: K[0] ∥ K[1] ∥ K[2] ∥ K[3] ∥ ⋯ ∥ K[15]
    IV24 → {K[0], K[1], K[2]} (the IV occupies the first three key bytes)

  23. (key setting with a 16-bit IV in WPA-TKIP; heading not recoverable)

    {K[0], K[1], K[2]} ← IV16:
      K[0] = (IV16 >>> 8) & 0xFF
      K[1] = [(IV16 >>> 8) | 0x20] & 0x7F
      K[2] = IV16 & 0xFF
    (the case K[1] = 255 is mentioned; surrounding text not recoverable)
  24. (slide text not recoverable; fragments mention Z2 = 0 and K[0] + K[1])

  25. (slide text not recoverable; mentions Z2 = 0)

  26–27. (slide text not recoverable)

  28. (diagram: KSA → PRGA → keystream Z1, Z2, …; P1, P2, … ⊕ keystream → C1, C2, …; surrounding text not recoverable)
  29. (Glimpse correlation; heading not recoverable)

    Z_r = S_r[t_r] is selected through the pair {S_r[i_r], S_r[j_r]}
    Pr[Z_r = i_r − S_r[j_r]] = Pr[Z_r = j_r − S_r[i_r]] ≈ 2/N
    (diagram: S_r over 0, 1, 2, …, N−1, indices i_r, j_r, keystream Z_1, Z_2, …, Z_r)

  30. (long-term Glimpse; heading not recoverable)

    Pr[S_r[r+1] = N − 1 | Z_r = Z_{r+1}] ≈ 2/N
    (diagram: S_r at position r+1, keystream Z_1, …, Z_r, Z_{r+1})

  31. (heading not recoverable)

    Pr[S_r[r+1] = N − 1 | Z_r = Z_{r+1} ∧ Z_{r+1} = r + 2] ≈ (1/N)(3 − 6/N + 2/N²)
    (diagram: S_r at positions r+1 and r+2, keystream Z_1, …, Z_r, Z_{r+1})
  32. (slide text not recoverable; diagram of S_r at positions r+1, r+2 with keystream Z_1, …, Z_r, Z_{r+1})

  33. (slide text not recoverable; diagram of S_r at positions r+1 and r+x with keystream Z_1, …, Z_r, Z_{r+1})

  34. (slide text not recoverable; diagram of S_2 and j_2 with keystream Z_1, Z_2, …, Z_r)

  35–37. (slide text not recoverable)

  38. (slide text not recoverable; diagrams of S_1 and S_2 with keystream Z_1, Z_2, Z_3, …)
  39–40. (probability statements on S_r[r+1] and Z_r = Z_{r+1}, for r ≥ 2 and for r ≥ 1 with x ∈ [0, N − 1] split into the cases x = 1, x = 255 and otherwise; the expressions are not recoverable from the transcript)

  41. (heading not recoverable)

    For r ≥ 1 and x ∈ [2, N − 1]:
      Pr[S_r[r+1] = N − x | Z_r = Z_{r+1} ∧ Z_{r+1} = r + 1 + x] ≈ (2/N)(1 − 1/N + 1/N²)
    For r ≥ 1 and x ∈ [0, N − 1]:
      Pr[S_r[r+1] = N − x | Z_r = Z_{r+1} ∧ Z_{r+1} = r + 1 + x] ≈
        (1/N)(1 − 1/N − 1/N²)  when x = 0,
        (1/N)(3 − 6/N + 2/N²)  when x = 1,
        (2/N)(1 − 1/N + 1/N²)  otherwise.
  42. (slide text not recoverable; probability statements involving S_2[2], j_2 and a sum over Pr(S_1[1] = x))

  43. Theoretical vs. experimental values (header row not recoverable)

    Case          Experiment    Theory        Relative error (%)
    (unlabeled)   0.000030522   0.000030398   0.406
    when x = 1    0.003922408   0.003906131   0.415
    when x = 255  0.000030683   0.000030398   0.929
    otherwise     0.000015259   0.000015140   0.780
    (unlabeled)   0.007812333   0.007782102   0.387
    (unlabeled)   0.007801373   0.007751621   0.638
    Relative error = |difference| / reference × 100 (%)

  44. (slide text not recoverable)
  45. (diagram: KSA → PRGA → keystream Z1, Z2, …; P1, P2, … ⊕ keystream → C1, C2, …; text not recoverable)

  46. WPA-TKIP key setting with IV16 (repeat of slide 23)

    {K[0], K[1], K[2]} ← IV16:
      K[0] = (IV16 >>> 8) & 0xFF
      K[1] = [(IV16 >>> 8) | 0x20] & 0x7F
      K[2] = IV16 & 0xFF

  47. (statement about Pr[K[0] + K[1] = 0] under the IV16 key setting, referring to the ranges [0, 31] and [128, 159]; text not recoverable)
  48. Key correlations of the keystream (heading not recoverable)

    Z_r = aK[0] + bK[1] + cK[2] + d, r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3}
    Event                            Probability (two columns; headers not recoverable)
    Z1 = −K[0] − K[1]                0.005264   0.005338
    Z2 = −K[0] − K[1] + K[2] + 3     0.004424   0.003903
    Z3 = K[0] + K[1] + K[2] + 3      0.004401   0.004405
    ⋮                                ⋮          ⋮
    Z256 = −K[0]                     0.004427   0.004429
    Z257 = −K[0] − K[1]              0.004096   0.004094
  49. Key correlations of internal state (heading not recoverable)

    X_r = aZ_r + bK[0] + cK[1] + dK[2] + e,
    X_r ∈ {S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}},
    r ∈ [0, 256], a, b, c, d ∈ {−1, 0, 1}, e ∈ {−3, −2, −1, 0, 1, 2, 3}
    (random baseline: 1/N = 0.00390625)
  50. Correlations of S_0[i_1] (two probability columns; headers not recoverable; random baseline 1/N = 0.00390625)

    S_0[i_1] = K[0]                        0.001445489   0
    S_0[i_1] = K[0] − K[1] − 3             0.005325263   0.007788309
    S_0[i_1] = K[0] − K[1] − 1             0.003909411   0.007772441
    S_0[i_1] = −K[0] − K[1] − 3            0.005344544   0.008375244
    S_0[i_1] = K[0] + K[1] + K[2] + 3      0.001479853   0.001479853
    (diagram: S_0, index i_1, KSA → PRGA → Z_1, Z_2, …, Z_r; j_1 also mentioned)

  51. Correlations of S_1[i_2] (two probability columns; headers not recoverable; random baseline 1/N = 0.00390625)

    S_1[i_2] = K[0] + K[1] + K[2] + 3        0.362016405   0.362723221
    S_1[i_2] = −K[0] − K[1] + K[2] − 1       0.005320377   0.008148630
    S_1[i_2] = K[1] + K[2] + 3               0.008150313   0.008150313
    S_1[i_2] = K[0] − K[1] + K[2] + {−3, ±1} 0.005320377   0.008148630
    S_1[i_2] = K[0] − K[1] + K[2] + 3        0.005302926   0.002849060
    (diagram: S_1, index i_2, KSA → PRGA → Z_1, Z_2, …, Z_r; j_2 also mentioned)

  52. Correlations of S_255[i_256] (two probability columns; headers not recoverable; random baseline 1/N = 0.00390625)

    S_255[i_256] = K[0]    0.138325988   0.138325988
    S_255[i_256] = K[1]    0.003893102   0.037105932
    (diagram: S_255, index i_256, KSA → PRGA → Z_1, Z_2, …, Z_r; j_256 also mentioned)

  53. (correlation of S_r[i_{r+1}] with K[0] + K[1]; text not recoverable; diagram of S_r, index i_{r+1}, j_{r+1}, KSA → PRGA → Z_1, Z_2, …, Z_r)

  54. Correlations of j_2 (two probability columns; headers not recoverable; random baseline 1/N = 0.00390625)

    j_2 = K[2]                          0.004426926   0.005471358
    j_2 = −K[0] − K[1] + K[2] + {±2}    0.003906250   0.004427953
    j_2 = −K[0] − K[1] + K[2]           0.003906250   0.005471358
    j_2 = −K[0] + K[1] + K[2]           0.003906250   0.005471358
    j_2 = −K[1] + K[2] + {−2, 3}        0.003906250   0.005471358
    j_2 = K[0] − K[1] + K[2]            0.003906250   0.005471358
    (diagram: S_1, indices i_2, j_2, KSA → PRGA → Z_1, Z_2, …, Z_r)
  55. Relative errors (%), first setting (heading and column header not recoverable)

    S_0[i_1] = K[0]                      0.284
    S_0[i_1] = K[0] − K[1] − 3           0.137
    S_0[i_1] = K[0] − K[1] − 1           0.334
    S_0[i_1] = −K[0] − K[1] − 3          0.211
    S_0[i_1] = K[0] + K[1] + K[2] + 3    0.730
    S_1[i_2] = K[0] + K[1] + K[2] + 3    0.459
    S_1[i_2] = −K[0] − K[1] + K[2] − 1   0.277
    S_1[i_2] = K[1] + K[2] + 3           0.101
    S_1[i_2] = K[0] − K[1] + K[2] − 3    0.476
    S_1[i_2] = K[0] − K[1] + K[2] − 1    0.590
    S_1[i_2] = K[0] − K[1] + K[2] + 1    0.203
    S_1[i_2] = K[0] − K[1] + K[2] + 3    0.144
    S_255[i_256] = K[0]                  0.208
    S_255[i_256] = K[1]                  0.409
    S_r[i_{r+1}] = K[0] + K[1] + 1       (value not given)
    j_2 = K[2]                           0.078
    j_2 = −K[0] − K[1] + K[2] − 2        0.371
    j_2 = −K[0] − K[1] + K[2]            0.335
    j_2 = −K[0] − K[1] + K[2] + 2        0.120
    j_2 = −K[0] + K[1] + K[2]            0.361
    j_2 = −K[1] + K[2] − 2               0.097
    j_2 = −K[1] + K[2] + 3               0.213
    j_2 = K[0] − K[1] + K[2]             0.297

  56. Relative errors (%), second setting (heading and column header not recoverable)

    S_0[i_1] = K[0]                      0
    S_0[i_1] = K[0] − K[1] − 3           0.450
    S_0[i_1] = K[0] − K[1] − 1           1.010
    S_0[i_1] = −K[0] − K[1] − 3          0.393
    S_0[i_1] = K[0] + K[1] + K[2] + 3    0.754
    S_1[i_2] = K[0] + K[1] + K[2] + 3    0.268
    S_1[i_2] = −K[0] − K[1] + K[2] − 1   0.318
    S_1[i_2] = K[1] + K[2] + 3           0.282
    S_1[i_2] = K[0] − K[1] + K[2] − 3    0.095
    S_1[i_2] = K[0] − K[1] + K[2] − 1    0.017
    S_1[i_2] = K[0] − K[1] + K[2] + 1    0.022
    S_1[i_2] = K[0] − K[1] + K[2] + 3    0.478
    S_255[i_256] = K[0]                  0.208
    S_255[i_256] = K[1]                  0.216
    S_r[i_{r+1}] = K[0] + K[1] + 1       (value not given)
    j_2 = K[2]                           1.605
    j_2 = −K[0] − K[1] + K[2] − 2        3.178
    j_2 = −K[0] − K[1] + K[2]            1.636
    j_2 = −K[0] − K[1] + K[2] + 2        2.550
    j_2 = −K[0] + K[1] + K[2]            0.353
    j_2 = −K[1] + K[2] − 2               0.054
    j_2 = −K[1] + K[2] + 3               0.053
    j_2 = K[0] − K[1] + K[2]             2.419

  57. (slide text not recoverable; the row S_r[i_{r+1}] = K[0] + K[1] + 1 carries the value 0)
  58. (lists the correlations studied: S_0[i_1], S_1[i_2], S_255[i_256], S_r[i_{r+1}], j_2 and K[0] + K[1]; other text not recoverable)

  59. (slide text not recoverable)

  60. (diagram: KSA → PRGA → keystream Z1, Z2, …; P1, P2, … ⊕ keystream → C1, C2, …; text not recoverable)
  61. Linear relations between key bytes and keystream (heading not recoverable)

    With ℓ = 16:
      a_0 K[0] + ⋯ + a_{ℓ−1} K[ℓ−1] + a_ℓ Z_1 + ⋯ + a_{2ℓ−1} Z_ℓ = b,
      a_i ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ ℤ/Nℤ
    Examples:
      Z_1 = K[0] − K[1] − 1
      Z_3 = K[0] − K[3] − 3
      Z_4 = K[0] − K[4] − 4
      Z_{xℓ} = K[0] − K[xℓ mod ℓ] − xℓ = −xℓ
    Z_r relates to the key-byte pair (K[0], K[r mod ℓ])

  62. (slide text not recoverable; states the relation Z_r = K[0] + K[r mod ℓ] − r between Z_r and (K[0], K[r mod ℓ]))

  63. (heading not recoverable)

    Z_r = K[0] − K[r mod ℓ] − r for r = 1, 2, x·ℓ (x = 1, 2, …, 7)
    Pr[Z_r = K[0] − K[r mod ℓ] − r] ≈ α_r + (1/N)(1 − α_r)
    (the expression for α_r is not recoverable from the transcript)

  64. (heading not recoverable)

    Z_1 with (K[0], K[1]): Pr[Z_1 = K[0] − K[1] − 1] ≈ … (expression not recoverable)
    Z_2 with (K[0], K[2]): Pr[Z_2 = K[0] − K[2] − 2] ≈ … (expression not recoverable)
  65. (slide text not recoverable)

  66. (heading not recoverable)

    Pr[Z_2 = 0] ≈ 2/N
    (diagram: state over 0, 1, 2, …, N−1, KSA → PRGA → Z_1, Z_2, …, Z_r)

  67. (heading not recoverable)

    Given k = Ω(N) ciphertexts C^(1), …, C^(k):
    P_2 = C_2 ⊕ Z_2 = C_2 ⊕ 0 = C_2 holds with probability ≈ 2/N, so P_2 can be recovered from the k ciphertexts
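The RC4 procedures of Algorithms 1 and 2 (slides 20 and 21), the WPA-TKIP rule for K[0], K[1], K[2] on slide 23 and the Z_2 = 0 bias that slides 66 and 67 build on, as an added Python illustration that is not code from the thesis or its author; the helper names, the fixed-seed random keys and the 16-byte key length are assumptions made here:

```python
# Added illustration (not code from the thesis): RC4 KSA/PRGA as in Algorithms 1-2,
# the WPA-TKIP setting of K[0..2] from IV16 (slide 23), and an empirical check of
# the second-byte bias Pr[Z_2 = 0] ~ 2/N that slides 66-67 use.
import random

N = 256  # RC4 state size (N on the slides)


def ksa(key):
    """Algorithm 1 (KSA): return S_0 = S_N^K for a key of ℓ bytes."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S0, rounds):
    """Algorithm 2 (PRGA): return [Z_1, ..., Z_rounds] generated from S_0.
    S0 is copied so the caller's state is left unchanged."""
    S = list(S0)
    i = j = 0
    Z = []
    for _ in range(rounds):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % N
        Z.append(S[t])
    return Z


def rc4_keystream(key, nbytes):
    """Convenience wrapper: KSA followed by nbytes rounds of PRGA."""
    return prga(ksa(key), nbytes)


def tkip_key_prefix(iv16):
    """WPA-TKIP derivation of the first three RC4 key bytes from the 16-bit IV,
    as written on slide 23 (>>> is a logical shift; iv16 is non-negative here)."""
    k0 = (iv16 >> 8) & 0xFF
    k1 = ((iv16 >> 8) | 0x20) & 0x7F
    k2 = iv16 & 0xFF
    return k0, k1, k2


def second_byte_zero_rate(trials, seed=1):
    """Empirical Pr[Z_2 = 0] over `trials` random 16-byte keys (constructed input).
    A uniformly random byte equals 0 with probability 1/N; RC4's second output
    byte does so with probability about 2/N (the Mantin-Shamir second-byte bias)."""
    rng = random.Random(seed)  # fixed seed: the measurement is reproducible
    hits = 0
    for _ in range(trials):
        key = bytes(rng.randrange(N) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Published RC4 test vector: key "Key" yields the keystream EB 9F 77 81 B7 34 ...
    print(bytes(rc4_keystream(b"Key", 6)).hex())
    print(tkip_key_prefix(0x8F34))  # IV example from slide 73: (0x8F, 0x2F, 0x34)
    rate = second_byte_zero_rate(20000)
    print(f"Pr[Z_2 = 0] ~ {rate:.5f}  (1/N = {1 / N:.5f}, 2/N = {2 / N:.5f})")
```

The keystream wrapper is checked against the published "Key" test vector so the KSA/PRGA transcription can be trusted before any statistics are read off it; the bias function then shows why slides 66 and 67 treat Z_2 as special: over 20000 keys the zero rate lands near 2/N rather than 1/N, which is the whole lever behind recovering P_2 from Ω(N) ciphertexts.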
  68. Keystream biases used for plaintext recovery (heading not recoverable)

    r         Event                Probability
    1         Z_1 = 0 | Z_2 = 0    2^−8 (1 + 2^−1.009)
    2         Z_2 = 0              2^−8 (1 + 2^0)
    3         Z_3 = 131            2^−8 (1 + 2^−8.089)
    4         Z_4 = 0              2^−8 (1 + 2^−7.581)
    ⋮         ⋮                    ⋮
    112       Z_112 = 144          2^−8 (1 + 2^−7.300)
    113–255   Z_r = 0              2^−8 (1 + 2^−10.052) to 2^−8 (1 + 2^−8.763)
    256       Z_256 = 0            2^−8 (1 − 2^−9.474)
    257       Z_257 = 0            2^−8 (1 + 2^−9.474)

  69. (same table as slide 68) P_1 to P_257 are recovered from k = Ω(N) ciphertexts via P_r = C_r ⊕ Z_r (remaining text not recoverable)

  70. Key correlations vs. keystream biases for plaintext recovery (heading and column headers not recoverable; the 2^x entries are as given)

    Z_r = aK[0] + bK[1] + cK[2] + d, r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3}
    Targets: {P_1, P_3, P_256, P_257}
    Byte    Key correlation                        Keystream bias
    P_1     Z_1 = −K[0] − K[1]          2^10.895   Z_1 = 0 | Z_2 = 0   2^18.072
    P_3     Z_3 = K[0] + K[1] + K[2] + 3  2^13.939   Z_3 = 131           2^24.128
    P_256   Z_256 = −K[0]               2^13.803   Z_256 = 0           2^26.814
    P_257   Z_257 = −K[0] − K[1]        2^16.758   Z_257 = 0           2^27.062
  71. (slide text not recoverable)

  72. (defines p_{r,d} := Pr[Z_r = d] for d = 0x00, …, 0xFF and a score built from the vector (p_{r,0x00}, …, p_{r,0xFF}); the remaining formulas are not recoverable)

  73. IV = (IV_0, IV_1) for IV16

    Examples: (IV_0, IV_1) = (0x00, 0x00), (0x00, 0x20), (0x8F, 0x34), (0xFF, 0xFF)

  74. (IV-dependent version: p_{IV,r,d} := Pr[Z_r = d | IV] for IV = (0x00, 0x00), …, (0xFF, 0xFF) and d = 0x00, …, 0xFF, combined over all IV values; the remaining formulas are not recoverable)

  75. (same definitions as slide 74; remaining text not recoverable)
  76. Key correlations vs. keystream biases for {P_17, P_18, P_33, P_34, P_49, P_50, P_66, P_82} (column headers not recoverable; the 2^x entries are as given)

    Byte    Key correlation                      Keystream bias
    P_17    Z_17 = K[0] − K[1] − 17   2^17.727   Z_17 = 17   2^23.178
    P_18    Z_18 = K[0] − K[2] − 18   2^17.800   Z_18 = 18   2^23.120
    P_33    Z_33 = K[0] − K[1] − 33   2^18.955   Z_33 = 0    2^23.770
    P_34    Z_34 = K[0] − K[2] − 34   2^19.035   Z_34 = 0    2^23.791
    P_49    Z_49 = K[0] − K[1] − 49   2^20.297   Z_49 = 0    2^24.114
    P_50    Z_50 = K[0] − K[2] − 50   2^20.386   Z_50 = 0    2^24.135
    P_66    Z_66 = K[0] − K[2] − 66   2^21.869   Z_66 = 0    2^24.479
    P_82    Z_82 = K[0] − K[2] − 82   2^23.506   Z_82 = 0    2^24.820
    Z_r = K[0] − K[r mod ℓ] − r, using the pairs (K[0], K[1]) and (K[0], K[2])
  77. (defines p_{r,d} := Pr[Z_r = d] for d = 0x00, …, 0xFF and a score over the vector (p_{r,0x00}, …, p_{r,0xFF}), as on slide 72; the remaining formulas are not recoverable)

  78. Key-correlation probabilities p_{r,d} for d = 0x00, …, 0xFF (heading not recoverable)

    p_{Z1,d}   := Pr[Z_1 = −K[0] − K[1] + d]
    p_{Z3,d}   := Pr[Z_3 = K[0] + K[1] + K[2] + d]
    p_{Z17,d}  := Pr[Z_17 = K[0] − K[1] + d]
    p_{Z18,d}  := Pr[Z_18 = K[0] − K[2] + d]
    p_{Z33,d}  := Pr[Z_33 = K[0] − K[1] + d]
    p_{Z34,d}  := Pr[Z_34 = K[0] − K[2] + d]
    p_{Z49,d}  := Pr[Z_49 = K[0] − K[1] + d]
    p_{Z50,d}  := Pr[Z_50 = K[0] − K[2] + d]
    p_{Z66,d}  := Pr[Z_66 = K[0] − K[2] + d]
    p_{Z82,d}  := Pr[Z_82 = K[0] − K[2] + d]
    p_{Z256,d} := Pr[Z_256 = −K[0] + d]
    p_{Z257,d} := Pr[Z_257 = −K[0] − K[1] + d]

  79. (slide text not recoverable; lists the plaintext bytes P_1, P_3, P_17, P_18, P_33, P_34, P_49, P_50, P_66, P_82, P_256, P_257)

  80. (slide text not recoverable)
  81. (slide text not recoverable; mentions the key-byte pair (K[0], K[r mod ℓ]) and ℓ)

  82. (slide text not recoverable; mentions d ∈ {−3, −2, −1, 0, 1, 2, 3} and Z_2 = 0)

  83. (slide text not recoverable)

  84. (diagram: KSA → PRGA → keystream Z1, Z2, …; P1, P2, … ⊕ keystream → C1, C2, …; text not recoverable)

  85. WPA-TKIP key setting: {K[0], K[1], K[2]} from IV16 (as on slide 23)

    K[0] = (IV16 >>> 8) & 0xFF
    K[1] = [(IV16 >>> 8) | 0x20] & 0x7F
    K[2] = IV16 & 0xFF

  86. Generalized key setting: {K[x], K[y], K[z]} from IV16

    K[x] = (IV16 >>> 8) & 0xFF
    K[y] = [(IV16 >>> 8) | 0x20] & 0x7F
    K[z] = IV16 & 0xFF
  87. Correlations under the generalized key setting (heading not recoverable)

    Z_r = bK[x] + cK[y] + dK[z] + e
    X_r = aZ_r + bK[x] + cK[y] + dK[z] + e,
    X_r ∈ {S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}},
    r ∈ [0, 256], a, b, c, d ∈ {−1, 0, 1}, e ∈ {−3, −2, −1, 0, 1, 2, 3}
    Table over (x, y, z) (entries as given; what they count is not recoverable):
    x y z      Z_{r+1}   S_r[i_{r+1}]   S_r[j_{r+1}]   j_{r+1}   t_{r+1}
    0 1 2      22        368            13             28        462
    (one row not recoverable)
    9 10 11    3         103            2              5         161
  88. (diagram: KSA → PRGA → keystream Z1, Z2, …; P1, P2, … ⊕ keystream → C1, C2, …; text not recoverable)

  89–92. (slide text not recoverable)
  93. (publications list; heading not recoverable)

    [IM14] Ryoma Ito and Atsuko Miyaji. New Integrated Long-Term Glimpse of RC4. In Kyung-Hyune Rhee and Jeong Hyun Yi, editors, Information Security Applications - WISA 2014, volume 8909 of Lecture Notes in Computer Science, pages 137–149. Springer Berlin Heidelberg, 2015.
    [IM15a] Ryoma Ito and Atsuko Miyaji. New Linear Correlations related to State Information of RC4 PRGA using IV in WPA. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of Lecture Notes in Computer Science, pages 557–576. Springer Berlin Heidelberg, 2015.
    [IM15b] Ryoma Ito and Atsuko Miyaji. How TKIP Induces Biases of Internal States of RC4. In Ernest Foo and Douglas Stebila, editors, Information Security and Privacy - ACISP 2015, volume 9144 of Lecture Notes in Computer Science, pages 329–342. Springer International Publishing, 2015.
    [IM16a] Ryoma Ito and Atsuko Miyaji. Refined Glimpse Correlations of RC4. IEICE Trans., E99-A(1):3–13, Jan 2016.
    [IM16b] Ryoma Ito and Atsuko Miyaji. Refined RC4 Key Correlations of Internal States in WPA. IEICE Trans., E99-A(6):1132–1144, Jun 2016.
    [IM17] Ryoma Ito and Atsuko Miyaji. Refined Construction of RC4 Key Setting in WPA. IEICE Trans., E100-A(1):138–148, Jan 2017.
    [IM18] Ryoma Ito and Atsuko Miyaji. New Iterated RC4 Key Correlations. In Willy Susilo and Guomin Yang, editors, Information Security and Privacy - ACISP 2018, volume 10946 of Lecture Notes in Computer Science, pages 154–171. Springer International Publishing, 2018.