Cryptography Reference
In-Depth Information
for each of the n samples and find out the most frequently occurring value
m
′
1
. If this value matches with the given m
1
, the recovery is considered to be
successful. To estimate the success probability, we repeat the above process
with 1000 randomly chosen m
1
values and find out in how many cases, say s,
m
1
is recovered successfully. That is, the success probability is
s
1000
.
The above experiment is repeated 100 times to get a set of 100 success
probabilities. The minimum, maximum, average and standard deviation of
these probabilities are presented in columns min, max, avg and sd respectively
of Table 5.3.
When the IV Follows the Secret Key
Suppose we can observe the first byte z
1
of the keystream output. Then
with probability 0.0053 we know the value of K[0] + K[1] + K[2] + 3. Thus
the uncertainty about these 8 bits (of z
1
) is reduced by 0.44. If the key
is not appended with IV, then the same secret key would give rise to the
same keystream (and hence the same z
1
) each time. Appending different IVs
makes the keystream change and helps in constructing a frequency distribution
of z
1
. Then the most frequent value of z
1
can be treated as the value of
K[0] + K[1] + K[2] + 3. We need the same secret key to be appended by
different IVs to generate z
1
for recovering the value of K[0] + K[1] + K[2] + 3
reliably.
Further, if one can ensure that the first two bytes of the secret key add
to zero, then following Theorem 5.5.4, one can perform the attack (e.g. re-
covering K[2]) much more e
ciently requiring a very few (practically ≤ 100)
samples.
Condition
#Samples n
min
max
avg
sd
Unconditional
1870
0.012000 0.032000
0.022540
0.004318
Unconditional
25000
0.113000 0.164000
0.144340
0.010867
Unconditional
50000
0.125000 0.182000
0.152910
0.011410
K[0] + K[1] = 0
25
0.759000 0.821000
0.789010
0.013393
K[0] + K[1] = 0
50
0.921000 0.968000
0.943020
0.007708
K[0] + K[1] = 0
100
0.952000 0.977000
0.965300
0.005442
TABLE 5.4: Results with 11-byte IV following 5-byte secret key
Table 5.4 shows the success probabilities of recovering the sum of the first
three bytes when a 11 byte-IV is followed by the 5-byte secret key. We use
the same experimental setup as before. The only difference is that in order
to generate a distribution of z
1
, we need to assume that a different IV is used
with each of the n samples.
Observe that the success probability is less compared to the case where
the IV bytes precede the secret key. In the previous case, a different IV and a
different key are used for each sample, so that the effective key (i.e., the secret
