Slide 1

Slide 1 text

A Study on Statistical Cryptanalysis of Stream Ciphers Ryoma Ito Miyaji Laboratory, Graduate School of Engineering, Osaka University February 4, 2019 Ph.D. Defense

Slide 2

Slide 2 text

Organization of This Dissertation

1. Introduction
2. Preliminaries
3. Previous Works
4. Refined Glimpse Correlations
5. Key Correlations of the Internal State Variables
6. Iterated RC4 Key Correlations of the Keystream Bytes
7. Conclusion and Future Works

Slide 3

Slide 3 text

Organization of This Dissertation

1. Introduction
   1.1 Motivation
   1.2 Contributions
   1.3 Organization of This Dissertation

Slide 4

Slide 4 text

Chapter 1: Introduction
1.1 Motivation: Importance of Cryptography

Cryptography
• One of the measures to ensure information security
  ➢ need to continuously evaluate the security of cryptographic schemes

[Figure: a client and an access point communicating while malicious third parties eavesdrop and tamper; Wi-Fi security protocols WEP* → WPA* → WPA2 → WPA3]

*WEP: Wired Equivalent Privacy, WPA: Wi-Fi Protected Access

Slide 5

Slide 5 text

1.1 Motivation: Cryptography

Cryptography
• Symmetric Key Cryptography (Enc key = Dec key)
  • Block Cipher: encrypts/decrypts a fixed-length block at a time
    ➢ DES, AES, Camellia, MISTY, SIMON/SPECK
  • Stream Cipher: encrypts/decrypts one bit at a time using keystream*
    ➢ RC4, ChaCha20, KCipher-2, MUGI, HC-128
• Asymmetric Key Cryptography (Enc key ≠ Dec key): based on the practical difficulty of mathematical problems
  ➢ RSA, ElGamal, ECC

*keystream: pseudorandom number sequence

Slide 6

Slide 6 text

1.1 Motivation: Stream Ciphers

[Figure: sender and receiver each run the stream cipher on the pre-shared key and obtain the same keystream (0110100…); the sender XORs (⊕) the plaintext with the keystream to produce the ciphertext, and the receiver XORs the ciphertext with the keystream to recover the plaintext]

Slide 7

Slide 7 text

1.1 Motivation: RC4 Stream Cipher

RC4 stream cipher
• designed by Prof. Ronald L. Rivest in 1987
• widely used in various security protocols: SSL/TLS, WEP, WPA-TKIP
• consists of two algorithms: KSA and PRGA

RC4 cipher suites are prohibited in SSL/TLS [Pop15]
• 15.8% of all web browsers/servers continue to support RC4

Neither WEP nor WPA-TKIP is recommended
• downgrade attacks in Wi-Fi remain real threats [VP16, VSP17]

[Figure: RC4 overview: secret key K → KSA (Init.) → internal state S (entries 0, 1, 2, …, N-1) → PRGA (Output) → keystream Z_1, Z_2, …, Z_r]

Slide 8

Slide 8 text

1.1 Motivation: Statistical Cryptanalysis of RC4 Stream Cipher

Statistical weakness (bias or correlation) in RC4 stream cipher

[Figure: probability plotted against the value of biased or correlated events, with a positive bias and a negative bias marked relative to the Random level]

[Figure: RC4 overview: secret key K → KSA (Init.) → internal state S → PRGA (Output) → keystream Z_1, Z_2, …; plaintext P_1, P_2, … ⊕ keystream gives ciphertext C_1, C_2, …; highlighted attack target: Plaintext Recovery]

Slide 9

Slide 9 text

1.1 Motivation: Statistical Cryptanalysis of RC4 Stream Cipher

Statistical weakness (bias or correlation) in RC4 stream cipher

[Figure: probability plotted against the value of biased or correlated events, with a positive bias and a negative bias marked relative to the Random level]

[Figure: RC4 overview: secret key K → KSA (Init.) → internal state S → PRGA (Output) → keystream Z_1, Z_2, …; plaintext P_1, P_2, … ⊕ keystream gives ciphertext C_1, C_2, …; highlighted attack target: Key Recovery]

Slide 10

Slide 10 text

1.1 Motivation: Statistical Cryptanalysis of RC4 Stream Cipher

Statistical weakness (bias or correlation) in RC4 stream cipher

[Figure: probability plotted against the value of biased or correlated events, with a positive bias and a negative bias marked relative to the Random level]

[Figure: RC4 overview: secret key K → KSA (Init.) → internal state S → PRGA (Output) → keystream Z_1, Z_2, …; plaintext P_1, P_2, … ⊕ keystream gives ciphertext C_1, C_2, …; highlighted attack target: State Recovery]

Slide 11

Slide 11 text

1.2 Contributions

Chapter 4: Refined Glimpse Correlations [IM16a]
• correlations between keystream and internal state
Chapter 5: Key Correlations of Internal State [IM16b, IM17]
• correlations between secret key and internal state
• toward secure RC4 key setting in WPA-TKIP
Chapter 6: Iterated RC4 Key Correlations [IM18]
• correlations between secret key and keystream
• application to plaintext recovery on WPA-TKIP

[Figure: RC4 overview: secret key K → KSA (Init.) → internal state S → PRGA (Output) → keystream Z_1, Z_2, …; plaintext P_1, P_2, … ⊕ keystream gives ciphertext C_1, C_2, …]

Slide 12

Slide 12 text

1.2 Contributions

Chapter 4: Refined Glimpse Correlations [IM16a]
• correlations between keystream and internal state: 6 theorems
Chapter 5: Key Correlations of Internal State [IM16b, IM17]
• correlations between secret key and internal state
• toward secure RC4 key setting in WPA-TKIP
Chapter 6: Iterated RC4 Key Correlations [IM18]
• correlations between secret key and keystream
• application to plaintext recovery on WPA-TKIP

[Figure: RC4 overview as on the previous slide, with "Correlations" marked between the internal state S and the keystream]

Slide 13

Slide 13 text

1.2 Contributions

Chapter 4: Refined Glimpse Correlations [IM16a]
• correlations between keystream and internal state
Chapter 5: Key Correlations of Internal State [IM16b, IM17]
• correlations between secret key and internal state: 22 theorems
• toward secure RC4 key setting in WPA-TKIP: proposal of secure setting
Chapter 6: Iterated RC4 Key Correlations [IM18]
• correlations between secret key and keystream
• application to plaintext recovery on WPA-TKIP

[Figure: RC4 overview as on the previous slide, with "Correlations" marked between the secret key K and the internal state S, and "Secure Setting" marked at the secret key]

Slide 14

Slide 14 text

1.2 Contributions

Chapter 4: Refined Glimpse Correlations [IM16a]
• correlations between keystream and internal state
Chapter 5: Key Correlations of Internal State [IM16b, IM17]
• correlations between secret key and internal state
• toward secure RC4 key setting in WPA-TKIP
Chapter 6: Iterated RC4 Key Correlations [IM18]
• correlations between secret key and keystream: 3 theorems
• application to plaintext recovery on WPA-TKIP: optimization of attacks

[Figure: RC4 overview as on the previous slide, with "Correlations" marked between the secret key K and the keystream, and "Plaintext Recovery" marked at the plaintext]

Slide 15

Slide 15 text

Chapter 2: Preliminaries
Organization of This Dissertation

2. Preliminaries
   2.1 Stream Cipher
   2.2 Description of RC4
   2.3 Secret Key Setting in WEP
   2.4 Secret Key Setting in WPA-TKIP
   2.5 Statistical Cryptanalysis of RC4 Stream Cipher

Slide 16

Slide 16 text

2.1 Stream Cipher

Definition 2.1 ([Iso13, Definition 6])
A stream cipher is a function such that a mapping $E: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^\ell$, where $k$ is a key size, $n$ is an IV* size, and $\ell$ is a keystream size.

*IV: initialization vector

[Figure: sender and receiver each run the stream cipher and obtain the same keystream (0110100…); plaintext ⊕ keystream gives the ciphertext, and ciphertext ⊕ keystream gives the plaintext]

Slide 17

Slide 17 text

2.1 Stream Cipher: Security Level

Definition 2.2 ([KL07, Definition 3.15])
Let $\ell(\cdot)$ be a polynomial and let $G$ be a deterministic polynomial-time algorithm such that upon any input $s \in \{0,1\}^n$, algorithm $G$ outputs a string of length $\ell(n)$. We say that $G$ is a pseudorandom generator if the following two conditions hold:
1. Expansion: For every $n$, it holds that $\ell(n) > n$.
2. Pseudorandomness: For all probabilistic polynomial-time distinguishers $D$, there exists a negligible function $\mathrm{negl}$ such that
$$\left| \Pr[D(r) = 1] - \Pr[D(G(s)) = 1] \right| \le \mathrm{negl}(n),$$
where $r$ is chosen uniformly at random from $\{0,1\}^{\ell(n)}$, the seed $s$ is chosen uniformly at random from $\{0,1\}^n$, and the probabilities are taken over the random coins used by $D$ and the choice of $s$ and $r$.

Slide 18

Slide 18 text

2.2 Description of RC4: Notation

$K$              secret key: $\{K[0], \ldots, K[\ell-1]\}$
$\ell$           key size (typically, $\ell = 16$ bytes)
$r$              the number of rounds
$S$              internal state: $\{S[0], \ldots, S[N-1]\}$
$N$              the number of arrays in $S$ (typically, $N = 256$)
$S_r^K$          $S$ of KSA in the $r$-th round: $\{S_r^K[0], \ldots, S_r^K[N-1]\}$
$S_r$            $S$ of PRGA in the $r$-th round: $\{S_r[0], \ldots, S_r[N-1]\}$
$i, j_r^K$       indices of $S_r^K$
$i_r, j_r$       indices of $S_r$
$Z_r$            the $r$-th keystream byte
$t_r$            index of $Z_r$
$P_r$            the $r$-th plaintext byte
$C_r$            the $r$-th ciphertext byte

Slide 19

Slide 19 text

2.2 Description of RC4

Algorithm 1: KSA (Key Scheduling Algorithm)
Input: secret key K of ℓ bytes
Output: initial state S_0 ← S_N^K
  for i = 0 to N − 1 do
      S_0^K[i] ← i
  end for
  j_0^K ← 0
  for i = 0 to N − 1 do
      j_{i+1}^K ← j_i^K + S_i^K[i] + K[i mod ℓ]
      Swap(S_i^K[i], S_i^K[j_{i+1}^K])
      S_{i+1}^K ← S_i^K
  end for

Algorithm 2: PRGA
Input: initial state S_0
Output: keystream Z_r for each round
  r ← 0, i_0 ← 0, j_0 ← 0
  loop
      r ← r + 1, i_r ← i_{r−1} + 1
      j_r ← j_{r−1} + S_{r−1}[i_r]
      Swap(S_{r−1}[i_r], S_{r−1}[j_r])
      S_r ← S_{r−1}
      t_r ← S_r[i_r] + S_r[j_r]
      Z_r ← S_r[t_r]
  end loop

[Figure: first PRGA round from S_0 to S_1 over the entries 0, …, N-1, with indices i_1 and j_1 and output Z_1 read at index S_1[i_1] + S_1[j_1]]

Slide 20

Slide 20 text

2.3 Secret Key Setting in WEP

RC4 key: K[0] ∥ K[1] ∥ K[2] ∥ K[3] ∥ ⋯ ∥ K[15]

The first three bytes of the RC4 key {K[0], K[1], K[2]} are generated from IV24
• IV24: 24-bit Initialization Vector

[Figure: RC4 overview: secret key K → KSA (Init.) → internal state S → PRGA (Output) → keystream Z_1, Z_2, …, Z_r; the key is drawn as IV24 (K[0], K[1], K[2]), labelled IV (public parameter), followed by the WEP key (pre-shared key)]

Slide 21

Slide 21 text

2.4 Secret Key Setting in WPA-TKIP

WPA-TKIP
• standardized as a substitute for WEP in 2003 (IEEE 802.11i task group)
• 16-byte RC4 key setting known as TKIP
• avoids the known WEP attack using (IV-related) K[1] = 255 [FMS01]

The first three bytes of the RC4 key {K[0], K[1], K[2]} are generated from IV16
• IV16: the least significant 16 bits of the Initialization Vector

  K[0] = (IV16 ≫ 8) & 0xFF
  K[1] = ((IV16 ≫ 8) | 0x20) & 0x7F
  K[2] = IV16 & 0xFF

[Figure: the two bytes of IV16 (byte 0 and byte 1) mapped to K[0], K[1], K[2], with "Correlation" marked between K[0] and K[1]]

Slide 22

Slide 22 text

2.5 Statistical Cryptanalysis of RC4 Stream Cipher: 95% Confidence Interval for Population Mean

Definition 2.8 ([Dev11, Definition in Chapter 7])
If, after observing $X_1 = x_1, X_2 = x_2, \ldots, X_n = x_n$, we compute the observed sample mean $\bar{x}_n$*, then the resulting fixed interval is called a 95% confidence interval of the population mean $\mu$. This confidence interval can be expressed as
$$\bar{x}_n - 1.96 \cdot \frac{\sigma}{\sqrt{n}} < \mu < \bar{x}_n + 1.96 \cdot \frac{\sigma}{\sqrt{n}}$$
with 95% confidence. A concise expression for the interval is $\bar{x}_n \pm 1.96 \cdot \sigma/\sqrt{n}$, where $-$ gives the lower limit ($\mu_{lower}$), and $+$ gives the upper limit ($\mu_{upper}$).

We consider whether the certain event occurs or not.
⇒ The random variable has the Bernoulli distribution:
$$\bar{x}_n - 1.96 \cdot \sqrt{\frac{\bar{x}_n (1 - \bar{x}_n)}{n}} < \mu < \bar{x}_n + 1.96 \cdot \sqrt{\frac{\bar{x}_n (1 - \bar{x}_n)}{n}}.$$

*The observed sample mean is treated as the experimental value in our cryptanalysis.

Slide 23

Slide 23 text

2.5 Statistical Cryptanalysis of RC4 Stream Cipher: Experimental Evaluation (Percentage of Relative Error)

Definition 2.9
The percentage of the relative error is determined by using the following formula:
$$\epsilon = \frac{|\text{experimental value} - \text{theoretical value}|}{\text{experimental value}} \times 100 \ (\%)$$

We estimate $\mu_{upper}$ and $\mu_{lower}$ from the experimental value.
$$\epsilon_{lower} = \frac{|\mu_{lower} - \text{theoretical value}|}{\mu_{lower}} \times 100 \ (\%)$$
$$\epsilon_{upper} = \frac{|\mu_{upper} - \text{theoretical value}|}{\mu_{upper}} \times 100 \ (\%)$$
⇓
$$\epsilon_{max} = \max(\epsilon_{lower}, \epsilon_{upper})$$

Slide 24

Slide 24 text

Chapter 3: Previous Works
Organization of This Dissertation

3. Previous Works
   3.1 Distinguishing Attacks: Biases and Correlations
   3.2 Plaintext Recovery Attacks
   3.3 Key Recovery Attacks
   3.4 State Recovery Attacks

Slide 25

Slide 25 text

3.1 Distinguishing Attacks: Biases and Correlations

A distinguishing attack distinguishes a keystream from a true random number sequence
➢ aims to confirm the pseudorandomness of an output from stream ciphers

Biases and Correlations
• Short-term Biases in the Keystream Bytes [MS01, IOWM13, GMM+14] (Chapter 6)
• Long-term Biases in the Keystream Bytes [FM00, Man05]
• Glimpse Correlations [Jen96, MG13] (Chapter 4)
• Key Correlations of the Internal State Variables [Roo95, PM07, MP08b] (Chapter 5)
• Key Correlations of the Keystream Bytes [SVV10, Sar14, GMM+14] (Chapter 6)

Slide 26

Slide 26 text

3.2 Plaintext Recovery Attacks

A plaintext recovery attack
➢ aims to recover the same plaintext from only ciphertexts in the Broadcast Setting

Broadcast Setting
• Same plaintext is encrypted with different randomly chosen keys
• First studied in the context of RC4 by Mantin and Shamir [MS01]

Attacks on generic RC4, TLS, and WPA-TKIP
• Recovery of the second byte of plaintexts [MS01]
• Recovery of the first 256 bytes of plaintexts [MPG11]
• Recovery of the full bytes of plaintexts [IOWM13, OIWM13]
• Attack on TLS [ABP+13]
• Attack on WPA-TKIP [GMM+14, PPS14, VP15] (Chapter 6)

Slide 27

Slide 27 text

3.3 Key Recovery Attacks / 3.4 State Recovery Attacks

A key recovery attack / a state recovery attack recovers a secret key / an internal state from a keystream*
➢ aims to confirm the difficulty in recovering a secret key / an internal state

Key Recovery Attacks
• Attack on generic RC4 using biases or correlations [PM07, SVV10]
• Attack on WEP (without) using weak IVs [FMS01, Kle08]

State Recovery Attacks
• Guess and determine approaches to recover the unknown internal state $\{S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}\}$ for $r \ge 0$ [KMP+98, MP08b, DMPS11] (Chapter 5)

*We consider the scenario of the known plaintext attack (refer to Section 2.1 for details).

Slide 28

Slide 28 text

Chapter 4: Refined Glimpse Correlations
Organization of This Dissertation

4. Refined Glimpse Correlations
   Related Works: Glimpse Theorem and Long-term Glimpse
   4.1 Experimental Observations
   4.2 New Results
   4.3 Experimental Evaluations
   4.4 Chapter Conclusion

Slide 29

Slide 29 text

Related Works: Glimpse Theorem [Jen96] (Theorem 3.16)

After the $r$-th round of the PRGA for $r \ge 1$, we have
$$\Pr(S_r[j_r] = i_r - Z_r) = \Pr(S_r[i_r] = j_r - Z_r) \approx \frac{2}{N}.$$

[Figure: RC4 overview with internal state S_r (indices i_r and j_r) and keystream Z_1, Z_2, …, Z_r; plot of probability against the value of Z_r with the levels 2/N and 1/N marked]

Slide 30

Slide 30 text

Related Works: Long-term Glimpse [MG13] (Theorem 3.17)

After the $r$-th round of the PRGA for $r \ge 1$, we have
$$\Pr(S_r[r+1] = N - 1 \mid Z_{r+1} = Z_r) \approx \frac{2}{N}.$$

[Figure: RC4 overview with internal state S_r, entry r+1 holding N-1, and keystream Z_1, …, Z_r, Z_{r+1} with Z_r = Z_{r+1}; plot against the value of Z_r with the levels 2/N and 1/N marked]

Slide 31

Slide 31 text

Related Works: Long-term Glimpse [MG13] (Theorem 3.18)

After the $r$-th round of the PRGA for $r \ge 1$, we have
$$\Pr(S_r[r+1] = N - 1 \mid Z_{r+1} = Z_r \wedge Z_{r+1} = r + 2) \approx \frac{3}{N}.$$

[Figure: RC4 overview with internal state S_r, entry r+1 holding N-1, and keystream Z_1, …, Z_r, Z_{r+1} with Z_r = Z_{r+1} = r+2; plot against the value of Z_r with the levels 3/N and 1/N marked]

Slide 32

Slide 32 text

4.1 Experimental Observations: Research Problem (Dual Cases of [Jen96, MG13])

The related works provide only cases with positive biases.
➢ There may exist a dual case of a positive bias, which is a negative bias.

For example: a dual case of Theorem 3.17

[Figure: RC4 overview with internal state S_r, entry r+1 marked "?" in place of N-1, and keystream Z_1, …, Z_r, Z_{r+1}; plot against the value of Z_r with the levels 2/N and 1/N and a "?" marked]

Slide 33

Slide 33 text

4.1 Experimental Observations: Research Problem (A New Positive Bias)

The related works provide only cases with positive biases.
➢ There may exist a certain case with a new positive bias.

For example: a new positive bias of the Long-term Glimpse

[Figure: RC4 overview with internal state S_r, entry r+1 holding N-x, and keystream Z_1, …, Z_r, Z_{r+1} with Z_r = Z_{r+1} = r+1+x; plot against the value of Z_r with the levels 3/N and 1/N marked]

Slide 34

Slide 34 text

4.1 Experimental Observations: Research Problem (Precise Biases on Specific Rounds)

The related works deal with correlations in each round all together.
➢ There may be room for improvement on correlations in a specific round.

For example: a precise bias on r = 2 of the Glimpse Theorem

[Figure: RC4 overview with internal state S_2 (indices i_2 and j_2) and keystream Z_1, Z_2, …, Z_r; plot against the value of Z_r with the levels 2/N and 1/N marked]

Slide 35

Slide 35 text

4.2 New Results: Theorem 4.1 (A New Dual Case of Theorem 3.17)

Theorem 4.1
After the $r$-th round of the PRGA for $r \ge 3$, we have
$$\frac{1}{N} \sum_{r = 0 \bmod N}^{N-1} \Pr(S_r[r+1] = 0 \mid Z_r = Z_{r+1}) \approx \frac{2}{N^2} - \frac{1}{N^3}.$$

Remark 4.1
The previous result of Theorem 4.1 is as follows:
$$\Pr(S_r[r+1] = 0 \mid Z_r = Z_{r+1}) \approx \frac{2}{N^2} \left(1 - \frac{1}{N}\right).$$
After the revision, we improve $\epsilon_{max}$ from 0.406% to 0.212%. This is the result of strict analysis of the occurrence probability of the target event in each round.

[Figure: RC4 overview with internal state S_r, entry r+1 holding 0, and keystream Z_1, …, Z_r, Z_{r+1}]

Slide 36

Slide 36 text

4.2 New Results: Theorem 4.1 (A New Dual Case of Theorem 3.17)

Theorem 4.1*
After the r-th round of the PRGA for r ≥ 3, we have

Pr('( ! + 1 = 0 - .( = .(/0 ) ≈ 3 45 6 45 − 3 48 3 45 − 6 48 6 45 + 0 48 0 45 + 0 48 3 45 − 3 48 3 45 − 9 48 when ! = 0 mod =, when ! = 1 mod =, when ! = = − 3 mod =, when ! = = − 2 mod =, when ! = = − 1 mod =, when ! is even and ! ≠ 0, = − 2 mod =, when ! is odd and ! ≠ 1, = − 3 , = − 1 mod =.

*Theorem 4.1 can be shown as the strict analysis of the occurrence probability of the target event in each round.

Slide 37

Slide 37 text

4.2 New Results: Theorem 4.2 (A New Dual Case of Theorem 3.18)

Theorem 4.2*
After the $r$-th round of the PRGA for $r \ge 1$ and $\forall x \in [0, N-1]$, we have
$$\Pr(S_r[r+1] = 0 \mid (Z_r = Z_{r+1}) \wedge (Z_{r+1} = r + 2)) \approx \begin{cases} \frac{1}{N} + \frac{1}{N^3} & \text{when } x = 1, \\ \frac{2}{N^2} & \text{when } x = N - 1, \\ \frac{1}{N^2} & \text{otherwise.} \end{cases}$$

*We have revised in the same way as the proof of Theorem 4.1 (see Remark 4.2 in my doctoral dissertation for detail).

[Figure: RC4 overview with internal state S_r, entry r+1 holding 0, and keystream Z_1, …, Z_r, Z_{r+1} with Z_r = Z_{r+1} = r+2]

Slide 38

Slide 38 text

4.2 New Results: Theorem 4.3 (A New Positive Bias)

Theorem 4.3
After the $r$-th round of the PRGA for $r \ge 1$ and $x \in [2, N-1]$, we have
$$\Pr(S_r[r+1] = N - x \mid (Z_r = Z_{r+1}) \wedge (Z_{r+1} = r + 1 + x)) \approx \frac{2}{N} \left(1 - \frac{1}{N} + \frac{2}{N^2}\right).$$

Remark 4.3
The previous result of Theorem 4.3 is as follows:
$$\Pr(S_r[r+1] = N - x \mid Z_r = Z_{r+1} \wedge Z_{r+1} = r + 1 + x) \approx \frac{2}{N} \left(1 - \frac{1}{N} + \frac{1}{N^2}\right).$$
After the revision, we improve $\epsilon_{max}$ from 0.387% to 0.386%, but the revision shows that there was almost no effect on the relative error.

[Figure: RC4 overview with internal state S_r, entry r+1 holding N-x, and keystream Z_1, …, Z_r, Z_{r+1} with Z_r = Z_{r+1} = r+1+x]

Slide 39

Slide 39 text

4.2 New Results: Theorems 4.4-4.6 (Precise Biases on Specific Rounds)

Theorem 4.4
$$\Pr(S_1[2] = 0 \mid Z_2 = Z_1) \approx \Pr(S_0[1] = 1) + \frac{1}{N} \sum_{x=3}^{N-1} \Pr(S_0[1] = x).$$

Theorems 4.5 and 4.6
$$\Pr(S_2[3] = 0 \mid Z_3 = Z_2) = \Pr(S_2[j_2] = i_2 - Z_2 \wedge Z_2 = 1, 2, 129) = 0.$$

*$\Pr(S_0[1] = 1)$ follows Lemma 3.1 ([Man01, Theorem 6.2.1]).

[Figure: RC4 overview with internal state S_1, entry 2 holding 0, and keystream Z_1, Z_2, Z_3, …]
[Figure: RC4 overview with internal state S_2, entry 3 holding 0, indices i_2 and j_2, and keystream Z_1, Z_2, Z_3, …]

Slide 40

Slide 40 text

4.3 Experimental Evaluations: Check the Accuracy of Theorems 4.1-4.6

Results                        Experimental Value   Theoretical Value   ε_max (%)
Theorem 4.1*                   0.000030522          0.000030458         0.406 → 0.212
Theorem 4.2*  when x = 1       0.003922408          0.003906310         0.415 → 0.410
              when x = N - 1   0.000030683          0.000030518         0.929 → 0.541
              otherwise        0.000015259          0.000015259         0.780 → 0.004
Theorem 4.3*                   0.007812333          0.007782221         0.387 → 0.386
Theorem 4.4**                  0.007801373          0.007751621         0.640
Theorem 4.5**                  0                    0
Theorem 4.6**                  0                    0

*Our experiments use 2^24 randomly generated RC4 keys of 16 bytes and 2^24 keystream bytes for each key. This means 2^48 samples.
**Our experiments used 2^40 samples of randomly generated RC4 keys of 16 bytes.

Slide 41

Slide 41 text

4.4 Chapter Conclusion

Related Works
1. Glimpse Theorem [Jen96]
   ➢ correlations between a keystream byte and an internal state variable
2. Long-term Glimpse [MG13]
   ➢ correlations between two consecutive keystream bytes and an internal state variable

Our research problems and their solutions: 6 theorems and their proofs
1. The related works provide only cases with positive biases.
   ➢ We found dual cases of a positive bias, which is a negative bias.
   ➢ We found a certain case with a new positive bias.
2. The related works deal with correlations in each round all together.
   ➢ We found certain cases with precise biases on specific rounds.

Slide 42

Slide 42 text

Chapter 5: Key Correlations of the Internal State Variables
Organization of This Dissertation

5. Key Correlations of the Internal State Variables
   Related Work
   5.1 Experimental Observations
   5.2 New Results
   5.3 Experimental Evaluations
   5.4 Toward Secure RC4 Key Setting in WPA-TKIP
   5.5 Chapter Conclusion

Slide 43

Slide 43 text

Related Works: A Distribution of K[0]+K[1] in WPA-TKIP [GMM+14]

The first three bytes of the RC4 key {K[0], K[1], K[2]} are generated from IV16

  K[0] = (IV16 ≫ 8) & 0xFF
  K[1] = ((IV16 ≫ 8) | 0x20) & 0x7F
  K[2] = IV16 & 0xFF

K[1] depends on K[0] (marked "Correlation" on the slide); K[0]+K[1] takes only even values.

K[0] range   K[1] value   K[1] range   K[0]+K[1] value   K[0]+K[1] range
0-31         K[0]+32      32-63        2K[0]+32          32-95
32-63        K[0]         32-63        2K[0]             64-127
64-95        K[0]+32      96-127       2K[0]+32          160-223
96-127       K[0]         96-127       2K[0]             192-255
128-159      K[0]-96      32-63        2K[0]-96          160-223
160-191      K[0]-128     32-63        2K[0]-128         192-255
192-223      K[0]-96      96-127       2K[0]-96          32-95
224-255      K[0]-128     96-127       2K[0]-128         64-127

Slide 44

Slide 44 text

Related Work: A Distribution of K[0]+K[1] in WPA-TKIP [GMM+14]

$$\Pr(K[0] + K[1] = v) = 0 \iff v \text{ is odd};\ v \in [0, 31];\ v \in [128, 159]$$

➢ This distribution induces key correlations of the keystream in WPA-TKIP.

Slide 45

Slide 45 text

Related Work: Key Correlations of the Keystream in WPA-TKIP [GMM+14]

Linear Equation in [GMM+14]
  Z_r = aK[0] + bK[1] + cK[2] + d
  r ∈ [1, 257], a, b, c ∈ {-1, 0, 1}, d ∈ {-3, -2, -1, 0, 1, 2, 3}

Table: Experimental observations in generic RC4 and WPA-TKIP

Key Correlations               RC4        WPA-TKIP
Z_1 = -K[0]-K[1]               0.005264   0.005338
Z_2 = -K[0]-K[1]+K[2]+3        0.004424   0.003903
Z_3 = K[0]+K[1]+K[2]+3         0.004401   0.004405
⋮                              ⋮          ⋮
Z_256 = -K[0]                  0.004427   0.004429
Z_257 = -K[0]-K[1]             0.004096   0.004094

Research Problem
The related work focused only on key correlations of the keystream.
➢ There may exist key correlations of the internal state in WPA-TKIP.

Slide 46

Slide 46 text

5.1 Experimental Observations: Key Correlations of the Internal State

Key Correlations of the Internal State
• We focus on unknown internal state variables X_r in each round.
  ➢ targets to guess and determine in the state recovery attack [KMP+98]

Linear Equation for Research Problem
  X_r = aZ_r + bK[0] + cK[1] + dK[2] + e
  X_r ∈ {S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}}
  r ∈ [0, 256], a, b, c, d ∈ {-1, 0, 1}, e ∈ {-3, -2, -1, 0, 1, 2, 3}

• We find hundreds of significant key correlations.
  ➢ We summarize a list of correlations with more than 0.0048 (positive bias) or less than 0.0020 (negative bias) in generic RC4 and WPA-TKIP*.

We present 22 theorems and their proofs.

*The probability of random association is 0.00390625

Slide 47

Slide 47 text

5.2 New Results: Theorems 5.1-5.9 (Key Correlations of S_0[i_1])

Results            Key Correlations              RC4           WPA-TKIP
Theorems 5.1-5.2   S_0[i_1] = K[0]               0.001445489   0
Theorems 5.3-5.4   S_0[i_1] = K[0]-K[1]-3        0.005325263   0.007788309
Theorems 5.5-5.6   S_0[i_1] = K[0]-K[1]-1        0.003909411   0.007772441
Theorems 5.7-5.8   S_0[i_1] = -K[0]-K[1]-3       0.005344544   0.008375244
Theorem 5.9        S_0[i_1] = K[0]+K[1]+K[2]+3   0.001479853   0.001479853

✓ Theorem 5.2 shows Pr(S_0[i_1] = K[0]) = 0 in WPA-TKIP.
✓ Theorems 5.4, 5.6, and 5.8 show approximately twice the probability of random association*.

*The probability of random association is 0.00390625

[Figure: RC4 overview with internal state S_0, indices i_1 = 1 and j_1, and keystream Z_1, Z_2, …, Z_r]
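Added example (not from the slides or the dissertation): the C program below implements Algorithms 1 and 2 and the TKIP key setting, then checks three statements made on the slides: the K[0]+K[1] distribution of [GMM+14], Theorem 5.2 against the generic RC4 value of Theorem 5.1, and the Glimpse Theorem evaluated with the 95% confidence interval of Definition 2.8 and the ε_max of Definition 2.9. The PRNG, its seed, the sample sizes and all function names are assumptions of this example; the experiments reported on the slides use far more samples.

```c
/* Added example, not the author's code. The PRNG, its seed, the sample sizes
 * and all function names are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#define N 256
#define KEYLEN 16
typedef struct { uint8_t S[N]; uint8_t i, j; } rc4_t;
typedef struct { double mean, lower, upper, eps_max; } estimate_t;

static uint64_t rng = 0x0123456789ABCDEFULL;   /* fixed seed: reproducible */
static uint64_t next_u64(void) {               /* splitmix64 generator */
    uint64_t z = (rng += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}
static void random_key(uint8_t K[KEYLEN]) {
    for (int k = 0; k < KEYLEN; k++) K[k] = (uint8_t)(next_u64() >> 56);
}

/* WPA-TKIP key setting: K[0], K[1], K[2] are derived from the 16-bit IV. */
static void tkip_set_iv(uint8_t K[KEYLEN], uint16_t iv16) {
    K[0] = (iv16 >> 8) & 0xFF;
    K[1] = ((iv16 >> 8) | 0x20) & 0x7F;
    K[2] = iv16 & 0xFF;
}
static void rc4_ksa(rc4_t *c, const uint8_t *K, int len) {   /* Algorithm 1 */
    uint8_t j = 0;
    for (int i = 0; i < N; i++) c->S[i] = (uint8_t)i;
    for (int i = 0; i < N; i++) {
        j = (uint8_t)(j + c->S[i] + K[i % len]);
        uint8_t t = c->S[i]; c->S[i] = c->S[j]; c->S[j] = t;
    }
    c->i = 0; c->j = 0;
}
static uint8_t rc4_prga(rc4_t *c) {   /* Algorithm 2, one round; returns Z_r */
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    uint8_t t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* Number of byte values v that K[0]+K[1] never takes over all 2^16 IVs. */
int impossible_sums(void) {
    int seen[N] = {0}, missing = 0;
    uint8_t K[KEYLEN] = {0};
    for (uint32_t iv = 0; iv < 65536; iv++) {
        tkip_set_iv(K, (uint16_t)iv);
        seen[(uint8_t)(K[0] + K[1])] = 1;
    }
    for (int v = 0; v < N; v++) missing += !seen[v];
    return missing;
}

/* Keys (out of nkeys) with S_0[i_1] = K[0], i_1 = 1; TKIP key n uses IV16 = n. */
long count_s0_eq_k0(int tkip, long nkeys) {
    rc4_t c; uint8_t K[KEYLEN]; long hits = 0;
    for (long n = 0; n < nkeys; n++) {
        random_key(K);
        if (tkip) tkip_set_iv(K, (uint16_t)n);
        rc4_ksa(&c, K, KEYLEN);
        hits += (c.S[1] == K[0]);
    }
    return hits;
}

/* Definition 2.8 (Bernoulli case) and Definition 2.9; assumes hits > 0. */
estimate_t evaluate(double hits, double n, double theory) {
    estimate_t e;
    e.mean = hits / n;
    double v = e.mean * (1.0 - e.mean) / n, sd = 1.0;
    for (int k = 0; k < 64; k++) sd = 0.5 * (sd + v / sd);  /* Newton: sd = sqrt(v) */
    e.lower = e.mean - 1.96 * sd; e.upper = e.mean + 1.96 * sd;
    double el = (e.lower - theory) / e.lower * 100.0;
    double eu = (e.upper - theory) / e.upper * 100.0;
    el = el < 0 ? -el : el; eu = eu < 0 ? -eu : eu;
    e.eps_max = el > eu ? el : eu;
    return e;
}
/* Glimpse Theorem: frequency of S_r[j_r] = i_r - Z_r, compared with 2/N. */
estimate_t glimpse(long nkeys, int rounds) {
    rc4_t c; uint8_t K[KEYLEN]; double hits = 0;
    for (long n = 0; n < nkeys; n++) {
        random_key(K); rc4_ksa(&c, K, KEYLEN);
        for (int r = 1; r <= rounds; r++) {
            uint8_t z = rc4_prga(&c);
            hits += (c.S[c.j] == (uint8_t)(c.i - z));
        }
    }
    return evaluate(hits, (double)nkeys * rounds, 2.0 / N);
}

int main(void) {
    long tkip = count_s0_eq_k0(1, 65536), generic = count_s0_eq_k0(0, 65536);
    estimate_t g = glimpse(1L << 14, 1 << 10);
    printf("unreachable sums %d, S_0[1]=K[0]: TKIP %ld, RC4 %ld\n", impossible_sums(), tkip, generic);
    printf("Glimpse %.7f in [%.7f, %.7f], eps_max %.3f%%\n", g.mean, g.lower, g.upper, g.eps_max);
    return 0;
}
```

The TKIP count is exactly zero because K[0]+K[1] is always even, so the second KSA swap can never move the value K[0] into position 1, and no later swap can bring it back there.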

Slide 48

Slide 48 text

5.2 New Results: Theorems 5.10-5.14 (Key Correlations of S_1[i_2])

Results        Key Correlations                       RC4           WPA-TKIP
Theorem 5.10   S_1[i_2] = K[0]+K[1]+K[2]+3            0.362016405   0.362723221
Theorem 5.11   S_1[i_2] = -K[0]-K[1]+K[2]-1           0.005320377   0.008148630
Theorem 5.12   S_1[i_2] = K[1]+K[2]+3                 0.008150313   0.008150313
Theorem 5.13   S_1[i_2] = K[0]-K[1]+K[2]+{-3,±1}      0.005320377   0.008148630
Theorem 5.14   S_1[i_2] = K[0]-K[1]+K[2]+3            0.005302926   0.002849060

✓ Theorem 5.10 shows a relatively high probability (approximately 0.362).
✓ Theorems 5.11-5.13 show approximately twice the probability of random association*.

*The probability of random association is 0.00390625

[Figure: RC4 overview with internal state S_1, indices i_2 = 2 and j_2, and keystream Z_1, Z_2, …, Z_r]

Slide 49

Slide 49 text

5.2 New Results: Theorems 5.15 and 5.16 (Key Correlations of S_255[i_256])

Results        Key Correlations        RC4           WPA-TKIP
Theorem 5.15   S_255[i_256] = K[0]     0.138325988   0.138325988
Theorem 5.16   S_255[i_256] = K[1]     0.003893102   0.037105932

✓ Theorem 5.15 shows a relatively high probability (approximately 0.138).
✓ Theorem 5.16 shows a relatively high probability (approximately 0.037) only in WPA-TKIP.
➢ These key correlations continue to hold with high probability even after 255 rounds.

*The probability of random association is 0.00390625

[Figure: RC4 overview with internal state S_255, indices i_256 = 0 and j_256, and keystream Z_1, Z_2, …, Z_r]

Slide 50

Slide 50 text

5.2 New Results: Theorem 5.17 (Key Correlations of S_r[i_{r+1}] = K[0]+K[1]+1)

✓ Theorem 5.17 reflects the distribution of K[0]+K[1] in WPA-TKIP.

[Figure: RC4 overview with internal state S_r, indices i_{r+1} and j_{r+1}, and keystream Z_1, Z_2, …, Z_r]

Slide 51

Slide 51 text

5.2 New Results: Theorems 5.18-5.22 (Key Correlations of j_2)

Results        Key Correlations                RC4           WPA-TKIP
Theorem 5.18   j_2 = K[2]                      0.004426926   0.005471358
Theorem 5.19   j_2 = -K[0]-K[1]+K[2]+{±2}      0.003906250   0.004427953
Theorem 5.19   j_2 = -K[0]-K[1]+K[2]           0.003906250   0.005471358
Theorem 5.20   j_2 = -K[0]+K[1]+K[2]           0.003906250   0.005471358
Theorem 5.21   j_2 = -K[1]+K[2]+{-2,3}         0.003906250   0.005471358
Theorem 5.22   j_2 = K[0]-K[1]+K[2]            0.003906250   0.005471358

✓ Theorem 5.18 shows a positive bias in both generic RC4 and WPA-TKIP.
✓ Theorems 5.19-5.22 show positive biases only in WPA-TKIP but no biases in generic RC4.

[Figure: RC4 overview with internal state S_1, indices i_2 and j_2, and keystream Z_1, Z_2, …, Z_r]

Slide 52

Slide 52 text

5.3 Experimental Evaluations: Check the Accuracy of Theorems 5.1-5.22 in Generic RC4

Results                 ε_max (%)
Theorem 5.1             0.284
Theorem 5.3             0.137
Theorem 5.5             0.334
Theorem 5.7             0.211
Theorem 5.9             0.730
Theorem 5.10            0.459
Theorem 5.11            0.277
Theorem 5.12            0.101
Theorem 5.13  x = -3    0.476
              x = -1    0.590
              x = 1     0.203
Theorem 5.14            0.144
Theorem 5.15            0.208
Theorem 5.16            0.409
Theorem 5.17            See page 54
Theorem 5.18            0.078
Theorem 5.19  x = -2    0.371
              x = 0     0.335
              x = 2     0.120
Theorem 5.20            0.361
Theorem 5.21  x = -2    0.097
              x = 3     0.213
Theorem 5.22            0.297

*Our experiments used 2^40 samples of randomly generated RC4 keys of 16 bytes.

Slide 53

Slide 53 text

5.3 Experimental Evaluations: Check the Accuracy of Theorems 5.1-5.22 in WPA-TKIP

Results                 ε_max (%)
Theorem 5.2
Theorem 5.4             0.452
Theorem 5.6             1.013
Theorem 5.8             0.395
Theorem 5.9             0.758
Theorem 5.10            0.269
Theorem 5.11            0.320
Theorem 5.12            0.284
Theorem 5.13  x = -3    0.097
              x = -1    0.020
              x = 1     0.024
Theorem 5.14            0.482
Theorem 5.15            0.208
Theorem 5.16            0.216
Theorem 5.17            See page 54
Theorem 5.18            1.608
Theorem 5.19  x = -2    3.180
              x = 0     1.638
              x = 2     2.553
Theorem 5.20            0.356
Theorem 5.21  x = -2    0.056
              x = 3     0.055
Theorem 5.22            1.608

*Our experiments used 2^40 samples of randomly generated RC4 keys of 16 bytes.

Slide 54

Slide 54 text

5.3 Experimental Evaluations: Check the Accuracy of Theorem 5.17

[Figure: Comparison between experimental and theoretical values in Theorem 5.17]

Slide 55

Slide 55 text

5.4 Toward Secure RC4 Key Setting in WPA-TKIP: How TKIP Induces Biases of Generic RC4

The first three bytes of the RC4 key {K[0], K[1], K[2]} are generated from IV16
• IV16: the least significant 16 bits of the Initialization Vector

  K[0] = (IV16 ≫ 8) & 0xFF
  K[1] = ((IV16 ≫ 8) | 0x20) & 0x7F
  K[2] = IV16 & 0xFF

Research Problem
Our analysis can clarify how TKIP induces biases of generic RC4.
➢ Ideally, WPA-TKIP should be constructed in such a way that it can retain the security level of generic RC4.

[Figure: the two bytes of IV16 (byte 0 and byte 1) mapped to K[0], K[1], K[2]]

Slide 56

Slide 56 text

Discussion: Toward Secure RC4 Key Setting in WPA-TKIP
5.4 Toward Secure RC4 Key Setting in WPA-TKIP
Three bytes of the RC4 key, {K[x], K[y], K[z]}, are generated from IV16.
• IV16: the least significant 16 bits of the Initialization Vector
K[x] = (IV16 ≫ 8) & 0xFF
K[y] = ((IV16 ≫ 8) | 0x20) & 0x7F
K[z] = IV16 & 0xFF
Our Solution for Research Problem
We carefully set arbitrary three bytes of the RC4 key {K[x], K[y], K[z]}.
→ We investigate how to construct a secure RC4 key setting that does not induce significant key correlations in WPA-TKIP.

Slide 57

Slide 57 text

Experimental Evaluations
5.4 Toward Secure RC4 Key Setting in WPA-TKIP

The Number of Key Correlations**
x   y   z    Z_{r+1}  S_r[i_{r+1}]  S_r[j_{r+1}]  j_{r+1}  t_{r+1}  total  reduction rate (%)
0   1   2    22       368           13            28       462      893    reference value (TKIP)
0   8   0    22       424           5             15       952      1418   -58.791 (Min)
9   10  11   3        103           2             5        161      271    69.653 (Max)

Z_{r+1} = bK[x] + cK[y] + dK[z] + e
X_r = aZ_{r+1} + bK[x] + cK[y] + dK[z] + e
X_r ∈ {S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}}
r ∈ [0, 256], a, b, c, d ∈ {-1, 0, 1}, e ∈ {-3, -2, -1, 0, 1, 2, 3}

*Our experiments use 2^32 randomly generated RC4 keys of 16 bytes and 2^8 keystream bytes for each key. This means 2^40 samples.
**We summarize the list of key correlations including Z_r or X_r with more than 0.00395 or 0.0048 as positive biases and less than 0.00385 or 0.0020 as negative biases, respectively.

Slide 58

Slide 58 text

Chapter Conclusion
5.5 Chapter Conclusion
Related Works
1. A distribution of K[0]+K[1] in WPA-TKIP [GMM+14]
2. Key correlations of the keystream [GMM+14]
Our research problems and their solutions
1. The related work focused only on key correlations of the keystream.
→ We found hundreds of significant key correlations of the internal state.
→ We presented 22 theorems and their proofs.
→ Key correlations of S_0[i_1], S_1[i_2], S_255[i_256], S_r[i_{r+1}], and j_2
2. Our analysis can clarify how TKIP induces biases of generic RC4.
→ The number of key correlations induced by our proposed setting can be reduced by approximately 70% in comparison with that in the original setting.

Slide 59

Slide 59 text

Organization of This Dissertation
6. Iterated RC4 Key Correlations of the Keystream Bytes
Related Works: Key Correlations of the Keystream Bytes
6.1 Experimental Observations
6.2 New Results
6.3 Experimental Evaluations
Related Works: Plaintext Recovery Attacks
6.4 Applications to Plaintext Recovery on WPA-TKIP
6.5 Chapter Conclusion

Slide 60

Slide 60 text

Key Correlations of the Keystream
Related Works
Linear Equation for Key Correlations of the Keystream [SVV10]
Correlations between the RC4 key K and the keystream Z (key size: ℓ = 16)
a_0 K[0] + ⋯ + a_{ℓ-1} K[ℓ-1] + a_ℓ Z_1 + ⋯ + a_{2ℓ-1} Z_ℓ = b
a_i ∈ {-1, 0, 1} (0 ≤ i ≤ 2ℓ-1), b ∈ ℤ/Nℤ

Table: Related works on key correlations of the keystream.
Key Correlations                               Reference
Z_1 = K[0] - K[1] - 1                          [Sar14]
Z_3 = K[0] - K[3] - 3                          [Sar14]
Z_4 = K[0] - K[4] - 4                          [Sar14]
Z_{xℓ} = K[0] - K[xℓ mod ℓ] - xℓ = -xℓ         [IOWM13]

Research Problem
Their investigations are limited to the first 5 rounds [SVV10].
→ There may exist correlations between (K[0], K[r mod ℓ]) pairs and Z_r.

Slide 61

Slide 61 text

Iterated RC4 Key Correlations
6.1 Experimental Observations
Observation 6.1: (K[0], K[r mod ℓ]) pairs are iterated every ℓ rounds
Figure: Experimental observations in WPA-TKIP.
For arbitrary secret key K, the following key correlations of the keystream bytes Z_r in both generic RC4 and WPA-TKIP induce biases: Z_r = K[0] + K[r mod ℓ] - r.

Slide 62

Slide 62 text

Ryoma Ito (Miyaji Lab., Osaka University) February 4, 2019 Iterated RC4 Key Correlations –Theorem 6.1- 6.2 New Results 62 Theorem 6.1 For arbitrary secret key and round except when r = 1, 2, xℓ (x = 1, 2, …, 7), key correlations of the keystream Zr in both generic RC4 and WPA-TKIP are given by Pr #$ = & 0 − & ) mod ℓ − ) ≈ /$ + 1 2 1 − /$ , where /$, 4$, 5$, 6$, and 78,9 are given by /$ ≈ (4$ + ; < <=; 1 − 4$ ) ? 5$ ? (6$ + ; < 1 − 6$ ), 4$ ≈ ; < ? <=$=; < ? ∏ABC D (<=E=;) ∏ABF DGC(<=E) , 5$ ≈ (1 − ; < )<=$=;? ; < ? ∑EI$J; <=; (1 − ; < )E? (1 − ; < )E=$=;? (1 − K < )<=E=;, 6$ ≈ (1 − ∑9IK $ 7;,9 − ∑EI$J; <=; LM,A <=$=K ) ? <=$J; <=; , 78,9 = Pr(NO P = Q). Chapter 6: Iterated RC4 Key Correlations of the Keystream Bytes

Slide 63

Slide 63 text

Ryoma Ito (Miyaji Lab., Osaka University) February 4, 2019 Iterated RC4 Key Correlations -Theorems 6.2 and 6.3- 6.2 New Results 63 Theorem 6.2 Theorem 6.3 For arbitrary secret key, a key correlation of the keystream in WPA-TKIP is given by Pr #$ = & 0 − & 1 − 1 ≈ 1 + 1 − ,$ , where ,$ ≈ $ ./ 0 (1 − 2 . ) 0 (1 − $ . ).420 ∑672 .4$(1 − $ . )60 1 − $ . 642 0 1 − 2 . .464$ . For arbitrary secret key, a key correlation of the keystream in both generic RC4 and WPA-TKIP is given by Pr #2 = & 0 − & 2 − 2 ≈ 1 + . Chapter 6: Iterated RC4 Key Correlations of the Keystream Bytes

Slide 64

Slide 64 text

Check the Accuracy of Theorems 6.1-6.3
6.3 Experimental Evaluations
Figure: !"#$ in both generic RC4 and WPA-TKIP.
*Our experiments used 2^40 samples from randomly generated RC4 keys of 16 bytes.

Slide 65

Slide 65 text

Plaintext Recovery Attack -the MS Attack- [MS01]
Related Works
Theorem 3.1 [MS01, Theorem 1]
Assume that the initial state S is randomly chosen from the set of all possible permutations of {0, …, N-1}. Then, the probability that the second byte of the keystream Z_2 is 0 is approximately 2/N.
[Figure: RC4 structure (secret key K, KSA, internal state S, PRGA, keystream Z_1, Z_2, …, Z_r) and the distribution of the value of Z_2 over 0, 1, 2, …, N-1]

Slide 66

Slide 66 text

Plaintext Recovery Attack -the MS Attack- [MS01]
Related Works
Theorem 3.22 [MS01, Theorem 3]
Let P be a plaintext, and let C(1), …, C(k) be the RC4 encryptions of P under k randomly chosen keys. Then, if k = Ω(N), the second byte of P can be reliably extracted from C(1), …, C(k).
Broadcast Setting
• Same plaintext P is encrypted with different randomly chosen keys
[Figure: distribution of the value of C_2 over 0, 1, 2, …, N-1]
Plaintext (P_2) Recovery in the Broadcast Setting
1. Obtain k = Ω(N) ciphertexts C.
2. Exploit the most frequent value in distribution of C_2.
3. Recover P_2 = C_2 ⊕ Z_2 = C_2 ⊕ 0 = C_2 w.p. 2/N (see Theorem 3.1).

Slide 67

Slide 67 text

Plaintext Recovery Attack -the IOWM Attack- [IOWM13]
Related Works

Figure: A set of the strongest biases in the first 257 rounds.
Round      Biased Events         Theoretical Value
1          Z_1 = 0 | Z_2 = 0     2^-8 (1 + 2^-1.009)
2          Z_2 = 0               2^-8 (1 + 2^0)
3          Z_3 = 131             2^-8 (1 + 2^-8.089)
4          Z_4 = 0               2^-8 (1 + 2^-7.581)
⋮          ⋮                     ⋮
112        Z_112 = 144           2^-8 (1 + 2^-7.300)
113-255    Z_r = 0               2^-8 (1 + 2^-10.052), 2^-8 (1 + 2^-8.763)
256        Z_256 = 0             2^-8 (1 - 2^-9.474)
257        Z_257 = 0             2^-8 (1 + 2^-9.474)

Slide 68

Slide 68 text

Plaintext Recovery Attack -the IOWM Attack- [IOWM13]
Related Works
Plaintext (P_1-P_257) Recovery in the Broadcast Setting
1. Obtain k ciphertexts.
2. Exploit the most/least frequent value in distribution of C_r.
3. Recover P_r = C_r ⊕ Z_r where Z_r is the value of the keystream byte from a set of the strongest biases.
The first 257 bytes of a plaintext can be recovered with probability of more than 80% from 2^32 ciphertexts.

Slide 69

Slide 69 text

Plaintext Recovery Attack -the SMMPS Attack- [GMM+14]
Related Works
The IOWM attack uses only keystream biases of the constant values.
Motivation: improvement of the IOWM attack, particularly on WPA-TKIP
Linear Equation for Key Correlations of the Keystream [GMM+14]
Z_r = aK[0] + bK[1] + cK[2] + d
r ∈ [1, 257], a, b, c ∈ {-1, 0, 1}, d ∈ {-3, -2, -1, 0, 1, 2, 3}

           [GMM+14]                                  [IOWM13]
Target     Key Correlations               # of C     Biased Events        # of C
P_1        Z_1 = -K[0]-K[1]               2^10.895   Z_1 = 0 | Z_2 = 0    2^18.072
P_3        Z_3 = K[0]+K[1]+K[2]+3         2^13.939   Z_3 = 131            2^24.128
P_256      Z_256 = -K[0]                  2^13.803   Z_256 = 0            2^26.814
P_257      Z_257 = -K[0]-K[1]             2^16.758   Z_257 = 0            2^27.062

Research Problem
The SMMPS attack limits the constant term in the linear equation to 7 values.
→ Further improvement on WPA-TKIP using iterated RC4 key correlations

Slide 70

Slide 70 text

Plaintext Recovery Attack -the ABPPS Attack- [ABP+13]
Related Works
Maximum Likelihood Approach
1. Obtain S ciphertexts {C_1, C_2, …, C_S} in the broadcast setting
2. Guess plaintext candidate values μ
→ Obtain the induced distributions of the keystream bytes based on μ
3. Compare with accurate distributions of the keystream bytes
→ Output the maximum-likelihood plaintext byte value P*

Slide 71

Slide 71 text

Plaintext Recovery Attack -the ABPPS Attack- [ABP+13]
Related Works
1. Estimate the accurate distributions of the keystream bytes Z_r
   p_{r,k} := Pr(Z_r = k), k = 0x00, …, 0xFF.
2. Obtain the induced distributions of the keystream vector (N_{0x00}^{(μ)}, …, N_{0xFF}^{(μ)})
   N_k^{(μ)} = |{ j | C_{j,r} = k ⊕ μ }_{1≤j≤S}|, k = 0x00, …, 0xFF.
3. Calculate the probability function of the multinomial distribution*
   λ_μ = S! / (N_{0x00}^{(μ)}! ⋯ N_{0xFF}^{(μ)}!) · ∏_{k ∈ {0x00, …, 0xFF}} p_{r,k}^{N_k^{(μ)}}.
4. Determine the maximum-likelihood plaintext byte value P*
Research Problem
The ABPPS attack uses only keystream biases of the constant values.
→ Further improvement on WPA-TKIP using key correlations of the keystream
*The probability λ_μ that plaintext candidate byte μ is encrypted to ciphertext byte {C_{j,r}}_{1≤j≤S} follows a multinomial distribution with parameter S and p = (p_{r,0x00}, …, p_{r,0xFF}).
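The broadcast-setting recovery of P_2 from [MS01] and the maximum-likelihood approach of [ABP+13] can be run side by side at round 2, where the Z_2 = 0 bias dominates. This C program is an added example, not code from the dissertation or the cited papers; the function names, seeds, sample sizes and the target byte 0x41 are assumptions, and all keys and ciphertexts are constructed inside the program.

```c
#include <stdint.h>
#include <stdio.h>
#define N 256
#define KEYLEN 16
static uint64_t prng_state;      /* splitmix64, only to make the demo reproducible */
static uint64_t next64(void) {
    uint64_t z = (prng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Z_2: second RC4 keystream byte under a fresh random 16-byte key. */
static uint8_t rc4_z2_random_key(void) {
    uint8_t K[KEYLEN], S[N], t, z = 0;
    int i, j = 0, r;
    for (i = 0; i < KEYLEN; i++) K[i] = (uint8_t)(next64() >> 56);
    for (i = 0; i < N; i++) S[i] = (uint8_t)i;
    for (i = 0; i < N; i++) {                        /* KSA */
        j = (j + S[i] + K[i % KEYLEN]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = j = 0, r = 1; r <= 2; r++) {            /* PRGA, rounds 1 and 2 */
        i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
        z = S[(S[i] + S[j]) & 0xFF];
    }
    return z;
}

/* Broadcast setting: byte p2 under s fresh keys; c[v] counts C_2 = v.
   With p2 = 0 the counts are a histogram of Z_2 itself (used as training data). */
static void count_c2(uint64_t seed, uint32_t s, uint8_t p2, uint32_t c[N]) {
    uint32_t n;
    prng_state = seed;
    for (n = 0; n < N; n++) c[n] = 0;
    for (n = 0; n < s; n++) c[p2 ^ rc4_z2_random_key()]++;
}

/* [MS01]: Z_2 = 0 is the likeliest keystream value, so guess the most frequent C_2. */
static int recover_most_frequent(const uint32_t c[N]) {
    int k, best = 0;
    for (k = 1; k < N; k++) if (c[k] > c[best]) best = k;
    return best;
}
/* ln(x), x > 0, via 2*atanh((x-1)/(x+1)); avoids linking libm. */
static double ln_series(double x) {
    double u = (x - 1.0) / (x + 1.0), term = u, sum = 0.0;
    int n;
    for (n = 1; n < 60; n += 2) { sum += term / n; term *= u * u; }
    return 2.0 * sum;
}
/* [ABP+13]: argmax over mu of sum_k N_k^(mu) ln p_k with N_k^(mu) = c[k ^ mu].
   S!/prod N_k^(mu)! is identical for every mu (a permutation of c), so it is dropped. */
static int recover_ml(const uint32_t c[N], const uint32_t train[N], uint32_t total) {
    double lp[N], score, best_score = 0.0;
    int mu, k, best = -1;
    for (k = 0; k < N; k++) lp[k] = ln_series((train[k] + 1.0) * N / (total + (double)N));
    for (mu = 0; mu < N; mu++) {
        for (score = 0.0, k = 0; k < N; k++) score += c[k ^ mu] * lp[k];
        if (best < 0 || score > best_score) { best_score = score; best = mu; }
    }
    return best;
}

int main(void) {
    static uint32_t train[N], c[N];
    count_c2(1, 1u << 18, 0, train);     /* constructed training keys */
    count_c2(2, 1u << 16, 0x41, c);      /* constructed target: P_2 = 0x41 */
    printf("most frequent: 0x%02x, ML: 0x%02x\n",
           recover_most_frequent(c), recover_ml(c, train, 1u << 18));
}
```

At round 2 both estimators agree because one bias dominates; the likelihood score differs from the most-frequent rule only at rounds where several weaker biases have to be combined.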

Slide 72

Slide 72 text

Plaintext Recovery Attack -the PPS Attack- [PPS14]
Related Works
1. Estimate the accurate distribution on a per IV = (IV_0, IV_1) pair.
   p_{IV,r,k} := Pr(Z_r = k), IV = (0x00, 0x00), …, (0xFF, 0xFF), k = 0x00, …, 0xFF.
2. Obtain the induced distributions of the keystream vector (N_{IV,0x00}^{(μ)}, …, N_{IV,0xFF}^{(μ)})
   N_{IV,k}^{(μ)} = |{ j | C_{IV,j,r} = k ⊕ μ }_{1≤j≤S}|, k = 0x00, …, 0xFF.
3. Calculate the probability function of the multinomial distribution*
   λ_{IV,μ} = S! / (N_{IV,0x00}^{(μ)}! ⋯ N_{IV,0xFF}^{(μ)}!) · ∏_{k ∈ {0x00, …, 0xFF}} p_{IV,r,k}^{N_{IV,k}^{(μ)}}.
4. Combine likelihoods across all bins
   λ_μ = ∏_{(0x00,0x00) ≤ IV ≤ (0xFF,0xFF)} λ_{IV,μ}.
5. Determine the maximum-likelihood plaintext byte value P*
*The probability λ_μ that plaintext candidate byte μ is encrypted to ciphertext byte {C_{j,r}}_{1≤j≤S} follows a multinomial distribution with parameter S and p = (p_{r,0x00}, …, p_{r,0xFF}).

Slide 73

Slide 73 text

Plaintext Recovery Attack -the PPS Attack- [PPS14]
Related Works
Research Problem
The PPS attack is the best plaintext recovery algorithm on WPA-TKIP.
→ Further optimize the attack using key correlations of the keystream

Slide 74

Slide 74 text

Extension of the IOWM Attack
6.4 Applications to Plaintext Recovery on WPA-TKIP
Iterated RC4 Key Correlations with the known value {K[0], K[1], K[2]}
Z_r = K[0] - K[r mod ℓ] - r
Further improvement on WPA-TKIP using (K[0], K[1]) pair and (K[0], K[2]) pair

Figure: Significant improvement in recovering eight bytes of a plaintext {P_17, P_18, P_33, P_34, P_49, P_50, P_66, P_82} on WPA-TKIP from [IOWM13].
           Ours                                    [IOWM13]
Target     Key Correlations            # of C      Biased Events    # of C
P_17       Z_17 = K[0]-K[1]-17         2^17.727    Z_17 = 17        2^23.178
P_18       Z_18 = K[0]-K[2]-18         2^17.800    Z_18 = 18        2^23.120
P_33       Z_33 = K[0]-K[1]-33         2^18.955    Z_33 = 0         2^23.770
P_34       Z_34 = K[0]-K[2]-34         2^19.035    Z_34 = 0         2^23.791
P_49       Z_49 = K[0]-K[1]-49         2^20.297    Z_49 = 0         2^24.114
P_50       Z_50 = K[0]-K[2]-50         2^20.386    Z_50 = 0         2^24.135
P_66       Z_66 = K[0]-K[2]-66         2^21.869    Z_66 = 0         2^24.479
P_82       Z_82 = K[0]-K[2]-82         2^23.506    Z_82 = 0         2^24.820

Slide 75

Slide 75 text

Ryoma Ito (Miyaji Lab., Osaka University) February 4, 2019 1. Estimate the accurate distributions of the keystream bytes Zr: where ! = 0x00, … , 0xFF and (),* is taken over randomly chosen keys. 2. Obtain the induced distributions of the keystream vector (,-.-- / , … , , -.00 / ) Extension of the ABPPS Attack 75 Chapter 6: Iterated RC4 Key Correlations of the Keystream Bytes 6.4 Applications to Plaintext Recovery on WPA-TKIP

Slide 76

Slide 76 text

Extension of the ABPPS Attack
6.4 Applications to Plaintext Recovery on WPA-TKIP

Table: Experimental comparison of the number of ciphertexts for recovering 12 bytes of a plaintext on WPA-TKIP. The probability of success in each case is 100%.
           The Number of Ciphertexts
Target     Ours      [PPS14]
P_1        2^17      2^16
P_3        2^20      2^27
P_17       2^23      2^23
P_18       2^24      2^28
P_33       2^24      2^23
P_34       2^25      2^26
P_49       2^26      2^24
P_50       2^26      2^28
P_66       2^28      2^29
P_82       2^29      2^29
P_256      2^19      2^19
P_257      2^22      2^22

Slide 77

Slide 77 text

Optimization of Plaintext Recovery on WPA-TKIP
6.4 Applications to Plaintext Recovery on WPA-TKIP
Figure: Success probabilities for recovering the first 257 bytes of a plaintext.
Plaintext recovery of the first 257 bytes on WPA-TKIP can be optimized by combining the best approach for each round from ours and existing attacks.

Slide 78

Slide 78 text

Chapter Conclusion
6.5 Chapter Conclusion
Iterated RC4 Key Correlations
Our research problem and its solution: 3 theorems and their proofs
1. Their investigations are limited to the first 5 rounds [SVV10].
→ We found correlations between (K[0], K[r mod ℓ]) pairs and Z_r.
→ (K[0], K[r mod ℓ]) pairs are iterated every ℓ rounds.
Application to Plaintext Recovery on WPA-TKIP
Our research problems and their solutions: optimization of attacks
2. The SMMPS attack limits the constant term in the linear equation to 7 values.
→ Significant improvement for recovering eight bytes of a plaintext on WPA-TKIP
3. The ABPPS attack uses only keystream biases of the constant values.
→ Significant improvement for recovering five bytes of a plaintext on WPA-TKIP
4. The PPS attack is the best plaintext recovery attack on WPA-TKIP.
→ Success probability of our optimized attack is approximately 6.0% higher than the success probability of the best attack.

Slide 79

Slide 79 text

Organization of This Dissertation
7. Conclusion and Future Works
7.1 Summary of Our Results
7.2 Future Works
7.3 Concluding Remarks

Slide 80

Slide 80 text

Summary of Our Results
7.1 Summary of Our Results
Chapter 4: Refined Glimpse Correlations [IM16a]
• correlations between keystream and internal state: 6 theorems
Chapter 5: Key Correlations of Internal State [IM16b, IM17]
• correlations between secret key and internal state: 22 theorems
• toward secure RC4 key setting in WPA-TKIP: proposal of secure setting
Chapter 6: Iterated RC4 Key Correlations [IM18]
• correlations between secret key and keystream: 3 theorems
• application to plaintext recovery on WPA-TKIP: optimization of attacks
[Figure: RC4 structure (secret key K, KSA, internal state S, PRGA, keystream Z_1, Z_2, …); plaintext P_1, P_2, … ⊕ keystream gives ciphertext C_1, C_2, …]

Slide 81

Slide 81 text

Future Works and Concluding Remarks
7.2 Future Works / 7.3 Concluding Remarks
1. Further Improvement for Plaintext Recovery on WPA-TKIP
• Previous works used not only short-term biases but also long-term biases.
→ Further improvement on WPA-TKIP using long-term biases
2. Improvement for Key Recovery Attacks
• Previous works used only a practical application of the Glimpse Theorem.
→ Improvement for the attack using the other Glimpse Correlations
3. Improvement for State Recovery Attacks
• Previous works guessed and determined the unknown internal state.
→ Improvement for the attack using key correlations of the internal state
4. Toward Secure Stream Ciphers
• The IV is often used for initialization of the internal state, e.g., ChaCha20.
→ Securely operating stream ciphers by investigating secure IV setting

Slide 82

Slide 82 text

List of Publications
[IM14] Ryoma Ito and Atsuko Miyaji. New Integrated Long-Term Glimpse of RC4. In Kyung-Hyune Rhee and Jeong Hyun Yi, editors, Information Security Application - WISA 2014, volume 8909 of Lecture Notes in Computer Science, pages 137–149. Springer Berlin Heidelberg, 2015.
[IM15a] Ryoma Ito and Atsuko Miyaji. New Linear Correlations related to State Information of RC4 PRGA using IV in WPA. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of Lecture Notes in Computer Science, pages 557–576. Springer Berlin Heidelberg, 2015.
[IM15b] Ryoma Ito and Atsuko Miyaji. How TKIP Induces Biases of Internal States of RC4. In Ernest Foo and Douglas Stebila, editors, Information Security and Privacy - ACISP 2015, volume 9144 of Lecture Notes in Computer Science, pages 329–342. Springer International Publishing, 2015.
[IM16a] Ryoma Ito and Atsuko Miyaji. Refined Glimpse Correlations of RC4. IEICE Trans., E99-A(1):3–13, Jan 2016.
[IM16b] Ryoma Ito and Atsuko Miyaji. Refined RC4 Key Correlations of Internal States in WPA. IEICE Trans., E99-A(6):1132–1144, Jun 2016.
[IM17] Ryoma Ito and Atsuko Miyaji. Refined Construction of RC4 Key Setting in WPA. IEICE Trans., E100-A(1):138–148, Jan 2017.
[IM18] Ryoma Ito and Atsuko Miyaji. New Iterated RC4 Key Correlations. In Willy Susilo and Guomin Yang, editors, Information Security and Privacy - ACISP 2018, volume 10946 of Lecture Notes in Computer Science, pages 154–171. Springer International Publishing, 2018.