key and IV concatenated) can safely be assumed uniformly random. On the
other hand, here we use many different IVs with the same key, repeated n
times. So the key cannot be treated as uniformly randomly distributed
across the samples. The lower success probabilities may be attributed to this
non-uniformity in the distribution of the effective keys.
5.6 More Biases in Many Keystream Bytes toward Secret Key
Some biases in initial keystream bytes of RC4 have been reported in [86].
Later, additional biases in 256th and 257th keystream bytes, including some
biases in the initial keystream bytes were reported in [103]. We present these
observations here.
5.6.1 Biases of $z_r$ toward $r - f_r$
In Chapter 3, we discussed different biases of the permutation bytes toward
the secret key. On the other hand, Theorem 5.2.1, which is a restatement
of Jenkins' correlations, establishes the bias of the keystream bytes toward
the permutation bytes. Interestingly, these two biases can be linked to show
leakage of secret key information in the keystream, in the form of the bias of
$z_r$ toward $r - f_r$.
Lemma 5.6.1 shows how the permutation bytes at rounds τ and r−1 of the
PRGA, for r ≥ τ + 1, are related. The result first appeared in [103]. However,
based on [157], we present a revised version of the result here.
Lemma 5.6.1. For $\tau + 1 \le r \le \tau + N$, we have
$$
P(S_{r-1}[r] = X) \approx P(S_\tau[r] = X)\left(\frac{N-1}{N}\right)^{r-\tau-1}
+ \sum_{t=\tau+1}^{r-1} \sum_{n=0}^{r-t-1} P(S_\tau[t] = X)\,\frac{(r-t)^n}{n!\,N^{n+1}}\left(1-\frac{1}{N}\right)^{r-\tau-2-n}.
$$
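As an added worked check (not code from the book), the following Python script implements the RC4 KSA and PRGA, estimates $P(S_{r-1}[r] = X)$ and $P(S_\tau[t] = X)$ over random 16-byte keys (constructed here), and evaluates the right-hand side of Lemma 5.6.1 as stated above from those estimates; the key length, $\tau$, $r$ and $X$ used in the demonstration are assumptions chosen for illustration.

```python
import random
from math import factorial

N = 256

def rc4_ksa(key):
    """RC4 key scheduling; returns the initial PRGA state S_0."""
    S, j = list(range(N)), 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S, rounds):
    """Run `rounds` PRGA updates on S. Returns (snapshots, keystream) where
    snapshots[t] is S_t, the permutation after t updates (snapshots[0] = S_0)."""
    snaps, out, i, j = [S[:]], [], 0, 0
    for _ in range(rounds):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
        snaps.append(S[:])
    return snaps, bytes(out)

def lemma_rhs(p_tau, tau, r):
    """Right-hand side of Lemma 5.6.1; p_tau[t] = P(S_tau[t] = X)."""
    q = 1 - 1 / N
    total = p_tau[r] * q ** (r - tau - 1)       # Case I: index r never touched by j
    for t in range(tau + 1, r):                  # Case II: X moves from index t to r
        for n in range(r - t):
            total += p_tau[t] * (r - t) ** n / (factorial(n) * N ** (n + 1)) * q ** (r - tau - 2 - n)
    return total

def compare(tau, r, X, trials, seed=1):
    """Monte Carlo estimate of P(S_{r-1}[r] = X) over random keys, next to the
    lemma's prediction computed from the estimated P(S_tau[t] = X)."""
    assert tau + 1 <= r < N, "r must be a valid index with tau + 1 <= r"
    rng = random.Random(seed)
    left, hits = 0, [0] * N
    for _ in range(trials):
        key = bytes(rng.randrange(N) for _ in range(16))   # constructed random key
        snaps, _ = rc4_prga(rc4_ksa(key), r - 1)
        left += snaps[r - 1][r] == X
        for t in range(tau + 1, r + 1):
            hits[t] += snaps[tau][t] == X
    return left / trials, lemma_rhs([h / trials for h in hits], tau, r)

if __name__ == "__main__":
    emp, pred = compare(tau=0, r=32, X=5, trials=20000)
    print(f"empirical P(S_31[32] = 5) = {emp:.5f}, lemma predicts {pred:.5f}, 1/N = {1/N:.5f}")
```

The two printed values should agree up to Monte Carlo noise; raising `trials` tightens the comparison.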
Proof: Let us start from the PRGA state $S_\tau$, that is, the state that has
been updated $\tau$ times in the PRGA. Suppose $S_{r-1}[r] = X$. There are two
cases by which the event $(S_{r-1}[r] = X)$ can happen.
Case I: In the first case, suppose that $(S_\tau[r] = X)$ after round $\tau$, and the
$r$-th index is not disturbed for the next $r - \tau - 1$ state updates. Notice
that index $i_G$ varies from $\tau + 1$ to $r - 1$ during this period, and hence