
New Iterated Key Correlations in the Stream Cipher RC4

Ryoma Ito
January 24, 2018

Research presentation @ SCIS 2018


Transcript

  1. New Iterated Key Correlations in the Stream Cipher RC4
     Keywords: stream cipher, RC4, key correlation, key recovery attack
     Ryoma Ito (1), Atsuko Miyaji (1, 2); (1) Osaka University, (2) JST CREST
     SCIS 2018 @ Niigata, 2018. 1. 24
     Footer: Ryoma Ito (Osaka University), New Iterated Key Correlations in the Stream Cipher RC4 (SCIS 2018), 2018. 1. 24 (1 / 32)
  2. Introduction: research background, the stream cipher RC4
     RC4
     ▶ A stream cipher proposed by Rivest in 1987
     ▶ Two algorithms: KSA and PRGA
     ▶ Use of RC4 in SSL/TLS is prohibited [Pop15]
     ▶ About 23% of all web browsers/servers still support RC4
     ▶ Use of WEP and WPA-TKIP is deprecated
     ▶ Downgrade attacks against wireless LAN networks are a realistic threat [VP15]
  3. Introduction: motivation, key correlations of the keystream
     Key correlations of the keystream [SVV11]: correlations on a linear expression in the keystream Z and the secret key K
       (a_0·K[0] + ··· + a_{l−1}·K[l−1] + a_l·Z_1 + ··· + a_{2l−1}·Z_l) = b,  a_i ∈ {−1, 0, 1} (0 ≤ i ≤ 2l−1),  b ∈ Z/NZ
     List of key correlations (K̄[i] = K[0] + ··· + K[i]):
       Linear expression | Probability | Reference
       Z_1 = −K̄[1] | 1.36467/N | [VV07]
       Z_2 = K̄[2] + 3 | 0.64300/N | [SVV11]
       ... | ... | ...
       Z_46 = −2K̄[15] − K̄[14] + 57 | 1.00900/N | [SVV11]
       Z_47 = −3K̄[15] + 199 | 1.00620/N | [MP08]
     ※ 1.0/N: random
  4. Introduction: results, a proof of the iterated key correlation and its application to a key recovery attack
     Iterated key correlation: Z_r = K[0] − K[r mod l] − r
     The pair (K[0], K[r mod l]) repeats every l rounds
  5. ͸͡Ίʹ ൃද಺༰ 1 ४උ RC4 ΞϧΰϦζϜ 2 طଘݚڀ Sarkar ʹΑΔݤ૬ؔͷূ໌

    Isobe Βͷݤ௕ґଘόΠΞε 3 ൓෮ੑͷ͋Δ৽͍͠ݤ૬ؔ ؍ଌ࣮ݧ ূ໌ ݕূ࣮ݧ 4 ݤճ෮߈ܸ΁ͷద༻ 5 ·ͱΊ ҏ౻ ཽഅ (େࡕେֶ) ετϦʔϜ҉߸ RC4 ʹ͓͚Δ൓෮ੑͷ͋Δ৽͍͠ݤ૬ؔ (SCIS 2018) 2018. 1. 24 5 / 32
  6. Preliminaries (section divider; outline as on slide 5)
  7. Preliminaries: the RC4 algorithm, KSA (Key Scheduling Algorithm)
     Algorithm 1 KSA
       for i = 0 to N−1 do
         S^K_0[i] ← i
       end for
       j^K_0 ← 0
       for i = 0 to N−1 do
         j^K_{i+1} ← j^K_i + S^K_i[i] + K[i mod l]
         Swap(S^K_i[i], S^K_i[j^K_{i+1}])
       end for
     (Figure: state transition diagram of the KSA)
     Notation:
       K, l: secret key and key length (usually l = 16)
       r: number of rounds
       N: number of elements of the internal state (usually N = 256)
       S^K_r: internal state (permutation) of the KSA after r rounds
       i, j^K_r: indices into S^K_r
  8. Preliminaries: the RC4 algorithm, PRGA (Pseudo Random Generation Algorithm)
     Algorithm 2 PRGA
       r ← 0, i_0 ← 0, j_0 ← 0
       loop
         r ← r + 1
         i_r ← i_{r−1} + 1
         j_r ← j_{r−1} + S_{r−1}[i_r]
         Swap(S_{r−1}[i_r], S_{r−1}[j_r])
         Output: Z_r ← S_r[S_r[i_r] + S_r[j_r]]
       end loop
     (Figure: state transition diagram of the PRGA)
     Notation:
       S_r: internal state (permutation) of the PRGA after r rounds
       i_r, j_r: indices into S_r
       Z_r: keystream byte output in round r
  9. Previous work (section divider; outline as on slide 5)
  10. Previous work: Sarkar's proofs of key correlations [Sar14]
     Theorem 2 [Sar14, Theorem 4]. For any K, the key correlation on Z_1 holds with probability
       Pr(Z_1 = K[0] − K[1] − 1) ≈ 1.05/N.
     Proposition 1 [Sar14, Theorem 8]. For any K, the key correlation on Z_3 holds with probability
       Pr(Z_3 = K[0] − K[3] − 3) ≈ 1.05/N.
     Proposition 2 [Sar14, Theorem 9]. For any K, the key correlation on Z_4 holds with probability
       Pr(Z_4 = K[0] − K[4] − 4) ≈ 1.04/N.
  11. Previous work: key-length-dependent biases by Isobe et al. [IOWM13]
     Theorem 3 [IOWM13, Theorem 9]. When r = x·l (x = 1, 2, ..., 7), the key-length-dependent linear expression Z_r = −r holds with probability
       Pr(Z_r = −r) ≈ 1/N² + (1 − 1/N²)·γ_r + (1 − δ_r)·(1/N),
     where γ_r = (1/N²)·(1 − (r+1)/N)·Σ_{y=r+1}^{N−1} (1 − 1/N)·(1 − 2/N)^{y−r}·(1 − 3/N)^{N−y+2r−4} and δ_r = Pr(S_{r−1}[r] = 0).
     ※ Z_{x·l} = K[0] − K[x·l] − x·l = K[0] − K[0] − x·l = −x·l, which is the iterated key correlation Z_r = K[0] − K[r mod l] − r at r = x·l.
  12. New iterated key correlations (section divider; outline as on slide 5)
  13. New iterated key correlations: observation experiment, discovery of the iterated key correlation
     Using 2^32 randomly chosen secret keys, we searched for key correlations of the keystream over linear expressions in the keystream Z and the secret key K:
       (a_0·K[0] + ··· + a_{l−1}·K[l−1] + a_l·Z_1 + ··· + a_{2l−1}·Z_l) = b,  a_i ∈ {−1, 0, 1} (0 ≤ i ≤ 2l−1),  b ∈ Z/NZ
     Observation: an iterated key correlation. For any secret key K and any round r, the key correlation Z_r = K[0] − K[r] − r between the r-th keystream byte Z_r and the 2-byte secret-key pair (K[0], K[r]) is biased.
     Theoretical proof of the observation:
     ▶ Theorem 2 and Theorem 3: already proven (cases r = 1 and r = x·l, x = 1, 2, ..., 7)
     ▶ Proposition 1 and Proposition 2: can be proven more rigorously (cases r = 3, 4)
  14. New iterated key correlations: Theorem 4, the probability that Z_r = K[0] − K[r] − r holds
     Theorem 4. For any secret key K and any round r (excluding r = 1, 2 and r = x·l, x = 1, 2, ..., 7), the key correlation between the r-th keystream byte Z_r and the 2-byte secret-key pair (K[0], K[r]) satisfies
       Pr(Z_r = K[0] − K[r] − r) ≈ α_r + (1/N)·(1 − α_r),
     where
       α_r ≈ (β_r + (1/(N(N−1)))·(1 − β_r)) · γ_r · (δ_r + (1/N)·(1 − δ_r)),
       β_r ≈ (N−r−1)/N · (N−2)/(N−r+2) · 1/(N−r+1) · ∏_{x=3}^{r} (N−x−1) / ∏_{x=0}^{r−3} (N−x),
       γ_r ≈ (1 − 1/N)^{N−r−1} · (1/N) · Σ_{x=r+1}^{N−1} (1 − 1/N)^x · (1 − 1/N)^{x−r−1} · (1 − 2/N)^{N−x−1},
       δ_r ≈ ∏_{x=2}^{r} (N−x) / ∏_{x=0}^{r−2} (N−x).
  15. New iterated key correlations: Theorem 4, the probability that Z_r = K[0] − K[r] − r holds (proof outline)
     Proof: computation of α_r, β_r, γ_r, δ_r
       α_r ≈ (β_r + (1/(N(N−1)))·(1 − β_r)) · γ_r · (δ_r + (1/N)·(1 − δ_r))
       β_r ≈ (N−r−1)/N · (N−2)/(N−r+2) · 1/(N−r+1) · ∏_{x=3}^{r} (N−x−1) / ∏_{x=0}^{r−3} (N−x)
       γ_r ≈ (1 − 1/N)^{N−r−1} · (1/N) · Σ_{x=r+1}^{N−1} (1 − 1/N)^x · (1 − 1/N)^{x−r−1} · (1 − 2/N)^{N−x−1}
       δ_r ≈ ∏_{x=2}^{r} (N−x) / ∏_{x=0}^{r−2} (N−x)
     Phase 1: the first r+1 rounds of the KSA
     ▶ joint probability of S^K_{r+1}[r−1] = K[0] − K[r] − r and S^K_{r+1}[r] = 0: β_r + (1/(N(N−1)))·(1 − β_r)
     Phase 2: rounds r+2 through the final round of the KSA
     ▶ joint probability of S_0[r−1] = x, S_0[r] = 0, S_0[x] = K[0] − K[r] − r: γ_r
     Phase 3: the first r rounds of the PRGA
     ▶ probability of Z_r = K[0] − K[r] − r: δ_r + (1/N)·(1 − δ_r)
  16. New iterated key correlations: Theorem 4 (Phase 1, I)
     Phase 1. Compute the probability that, after the first r+1 rounds of the KSA, S^K_{r+1}[r−1] = K[0] − K[r] − r and S^K_{r+1}[r] = 0 hold simultaneously.
     Conditions (main path):
       j^K_1 = K[0] = f_0 ∉ {1, ..., r−1, r, f_{r−1}},
       j^K_2 = K[0] + K[1] + S^K_1[1] = f_1 ∉ {2, ..., r−1, r, f_0, f_{r−1}},
       j^K_3 = K[0] + Σ_{x=1}^{2} (K[x] + S^K_x[x]) = f_2 ∉ {3, ..., r−1, r, f_0, f_{r−1}},
       ...
       j^K_{r−1} = K[0] + Σ_{x=1}^{r−2} (K[x] + S^K_x[x]) = f_{r−2} ∉ {r−1, r, f_0, f_{r−1}},
       j^K_r = K[0] + Σ_{x=1}^{r−1} (K[x] + S^K_x[x]) = f_{r−1} ∉ {r, f_0},
       j^K_{r+1} = K[0] + Σ_{x=1}^{r} (K[x] + S^K_x[x]) = f_r = f_0.
  17. New iterated key correlations: Theorem 4 (Phase 1, II)
     (Figure: state transition diagram for Phase 1, case r = 3)
  18. New iterated key correlations: Theorem 4 (Phase 1, III)
     1. If all conditions are satisfied:
       β_r ≈ (N−r−1)/N · (N−2)/(N−r+2) · 1/(N−r+1) · ∏_{x=3}^{r} (N−x−1) / ∏_{x=0}^{r−3} (N−x).
     2. If at least one condition is not satisfied:
     ▶ the probability that S^K_{r+1}[r−1] = K[0] − K[r] − r and S^K_{r+1}[r] = 0 hold simultaneously is assumed to be random (the internal state is a permutation): (1/(N(N−1)))·(1 − β_r).
     Probability in Phase 1: β_r + (1/(N(N−1)))·(1 − β_r).
  19. New iterated key correlations: Theorem 4 (Phase 2, I)
     Phase 2. Compute the probability that, over rounds r+2 through the final round of the KSA, S_0[r−1] = x, S_0[r] = 0, and S_0[x] = K[0] − K[r] − r hold simultaneously.
     Conditions:
       1. j^K_t ≠ r (r+2 ≤ t ≤ N)
       2. S^K_x[x] = x (x ∈ [r+1, N−1])
       3. j^K_t ≠ r−1 (r+2 ≤ t ≤ x)
       4. j^K_{x+1} = r−1
       5. j^K_t ∉ {r−1, x} (x+2 ≤ t ≤ N)
  20. New iterated key correlations: Theorem 4 (Phase 2, II)
     (Figure: state transition diagram for Phase 2, case r = 3)
     Probability in Phase 2:
       γ_r ≈ (1 − 1/N)^{N−r−1} · (1/N) · Σ_{x=r+1}^{N−1} (1 − 1/N)^x · (1 − 1/N)^{x−r−1} · (1 − 2/N)^{N−x−1}.
  21. New iterated key correlations: Theorem 4 (Phase 3, I)
     Phase 3. Compute the probability that Z_r = K[0] − K[r] − r holds.
     Conditions (main path):
       j_1 = S_0[1] ∉ {2, ..., r, x},
       j_2 = Σ_{x=0}^{1} S_x[x+1] ∉ {3, ..., r, x},
       ...
       j_{r−2} = Σ_{x=0}^{r−3} S_x[x+1] ∉ {r−1, r, x},
       j_{r−1} = Σ_{x=0}^{r−2} S_x[x+1] ∉ {r, x}.
  22. New iterated key correlations: Theorem 4 (Phase 3, II)
     (Figure: state transition diagram for Phase 3, case r = 3)
  23. New iterated key correlations: Theorem 4 (Phase 3, III)
     1. If all conditions are satisfied:
       δ_r ≈ ∏_{x=2}^{r} (N−x) / ∏_{x=0}^{r−2} (N−x).
     2. If at least one condition is not satisfied:
     ▶ the probability that the PRGA outputs Z_r = K[0] − K[r] − r is assumed to be random: (1/N)·(1 − δ_r).
     Probability in Phase 3: δ_r + (1/N)·(1 − δ_r).
  24. New iterated key correlations: Theorem 4 (conclusion of the proof)
     1. If all phases are satisfied:
       α_r = (β_r + (1/(N(N−1)))·(1 − β_r)) · γ_r · (δ_r + (1/N)·(1 − δ_r)).
     2. If at least one phase is not satisfied:
     ▶ the probability that the PRGA outputs Z_r = K[0] − K[r] − r is assumed to be random: (1/N)·(1 − α_r).
     Probability that Z_r = K[0] − K[r] − r holds:
       Pr(Z_r = K[0] − K[r] − r) ≈ α_r + (1/N)·(1 − α_r).
     (End of proof)
  25. New iterated key correlations: Theorem 5, the probability that Z_2 = K[0] − K[2] − 2 holds
     Theorem 5. For any secret key K, the key correlation between the 2nd keystream byte Z_2 and the 2-byte secret-key pair (K[0], K[2]) satisfies
       Pr(Z_2 = K[0] − K[2] − 2) ≈ 1/N.
     List of iterated key correlations:
       Theorem | Round(s) | Reference
       2 | 1 | [Sar14, Theorem 4]
       3 | x·l (x = 1, 2, ..., 7) | [IOWM13, Theorem 9]
       4 | r ∉ {1, 2, x·l} (x = 1, 2, ..., 7) | this work
       5 | 2 | this work
  26. New iterated key correlations: verification experiment for Theorems 2 to 5
     The validity of the theorems was verified using 2^40 randomly chosen secret keys.
     Relative error: ε = |experimental value − theoretical value| / experimental value × 100 (%)
     (Table of results: figure)
  27. Application to a key recovery attack (section divider; outline as on slide 5)
  28. Application to a key recovery attack: considering an attack that uses the iterated key correlation
     Setting: known-plaintext attack
     ▶ in each round r, compute Z_r = P_r ⊕ C_r and obtain Z_1, ..., Z_143
     List of iterated key correlations:
       Repetition | Linear expression | Probability | Remark
       1 | Z_1 = K[0] − K[1] − 1 | 0.00409920 | 256 possible (K[0], K[1]) pairs
       1 | Z_2 = K[0] − K[2] − 2 | 0.00390625 | 256 possible (K[0], K[2]) pairs
       1 | Z_3 = K[0] − K[3] − 3 | 0.00409543 | 256 possible (K[0], K[3]) pairs
       ... | ... | ... | ...
       9 | Z_141 = K[0] − K[13] − 141 | 0.00390750 | 256 possible (K[0], K[13]) pairs
       9 | Z_142 = K[0] − K[14] − 142 | 0.00390743 | 256 possible (K[0], K[14]) pairs
       9 | Z_143 = K[0] − K[15] − 143 | 0.00390737 | 256 possible (K[0], K[15]) pairs
     Guess the value of K[0]
     ▶ the candidate values of K[1], ..., K[15] are then determined uniquely (one per repetition)
  29. Application to a key recovery attack: attack algorithm
     Step 1: obtain Z_1, ..., Z_143 by a known-plaintext attack
     Step 2: for each round, store the 256 possible (K[0], K[r]) pairs
     Step 3: assemble a tuple (K[0], ..., K[15]) from the (K[0], K[r]) pairs
     Step 4: feed the tuple (K[0], ..., K[15]) into RC4 and output the keystream Z′_1, ..., Z′_143
     Step 5: compare Z_1, ..., Z_143 obtained in Step 1 with Z′_1, ..., Z′_143
       Step 5-1: if they match, the attack succeeds
       Step 5-2: if they do not match, return to Step 3.
     Future work:
       1. Evaluation of the computational cost, memory, and success probability of the attack
       2. A more efficient attack that combines existing attack techniques and biases
  30. Conclusion (section divider; outline as on slide 5)
  31. Conclusion
     Key correlations of the keystream [MP08, SVV11, VV07]
     ▶ correlations on a linear expression in the keystream Z and the secret key K:
       (a_0·K[0] + ··· + a_{l−1}·K[l−1] + a_l·Z_1 + ··· + a_{2l−1}·Z_l) = b,  a_i ∈ {−1, 0, 1} (0 ≤ i ≤ 2l−1),  b ∈ Z/NZ
     Iterated key correlation: Z_r = K[0] − K[r mod l] − r
     ▶ the pair (K[0], K[r mod l]) repeats every l rounds
     An attack that uses the iterated key correlation
     ▶ guessing the value of K[0] determines the candidate values of K[1], ..., K[15] uniquely
  32. References
     [IOWM13] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full Plaintext Recovery Attack on Broadcast RC4. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2013.
     [MP08] Subhamoy Maitra and Goutam Paul. New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. In Kaisa Nyberg, editor, Fast Software Encryption - FSE 2008, volume 5086 of Lecture Notes in Computer Science, pages 253–269. Springer Berlin Heidelberg, 2008.
     [Pop15] Andrey Popov. Prohibiting RC4 Cipher Suites. Internet Engineering Task Force (IETF), Request for Comments 7465, February 2015.
     [Sar14] Santanu Sarkar. Proving Empirically Key-Correlations in RC4. Information Processing Letters, 114(5):234–238, 2014.
     [SVV11] Pouyan Sepehrdad, Serge Vaudenay, and Martin Vuagnoux. Discovery and Exploitation of New Biases in RC4. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography - SAC 2010, volume 6544 of Lecture Notes in Computer Science, pages 74–91. Springer Berlin Heidelberg, 2011.
     [VP15] Mathy Vanhoef and Frank Piessens. All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS. In USENIX Security Symposium 2015, pages 97–112, 2015.
     [VV07] Serge Vaudenay and Martin Vuagnoux. Passive-only Key Recovery Attack on RC4. In Carlisle Adams, Ali Miri, and Michael Wiener, editors, Selected Areas in Cryptography - SAC 2007, volume 4876 of Lecture Notes in Computer Science, pages 344–359. Springer Berlin Heidelberg, 2007.