10 2 0 1 2 S CA CA 8 9

T Cr r r c a ta g * y P lK a i pa .98 6 - 694 8 K o o 31 20 1 K G n m * Ie Ws *WPA-TKIP: Wi-Fi Protected Access- 26 49 06A 67 8 A 1 5 9

3 8 8 8 . 1 02 9

W WP W A 8 0 1 • Ø 4 3 9 2 AE * * * * *WEP: Wired Equivalent Privacy, WPA: Wi-Fi Protected Access

a a la e e A i T S mG h DI e m m m RU K m T S m a G C Ø 01 Ø p 9,5 59 Ø G p m = m A m ≠ m A M Y GRU K E m Ø 1 1 5 9985 -124 I G r m Ø 0 5 5 8 ,-

8 8 8 6 1 02 9 0110100… 0110100… 1 0 2 2 ⊕ ⊕

K %& && , v [ ] L E 4 5 A & & G &, 6C A 4 6 E W P R v G 774 847 :0 : . 8 2 G V[ se i - 7. 61. -- - & 1 G a nn a I [ T & & S 6/ o / / C G a dt l [ 9 & 97 & K • S KSA PRGA 1 0 2 N-1 Z1 , Z2 , …, Zr

9 1 1 8 2 … 0 1 … … 9 K S 9 KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕

9 1 1 8 2 … 0 1 … … 9 K S 9 KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕

9 1 1 8 2 … 0 1 … … 9 K S 9 KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕

c S S S p I M r CU 4 u Ø A e Ø h Ø he u C Ø zR a Ø R a Ø t i a u C C Ø 2 2 - 48 .1+, Ø K G I M 0 8 9

W C [ b l T M s I p ,98 7 795 8 - 54 A P T M G r p I - 6 - 4 A M G r p rM - 4 A P T I r A 20 1 -0 I ] ie M p 20 1 -0 G K t - 4 p o K na m S P T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕

l i m CTW e]tMa P - 9 8 , 8 6A9 4 0 65 C CTK r M IP as r Ma P a 4 0 7 0 5 K r M IP as s GP a 4 0 5 K C CTMa P as 31 2 1 M P 31 2 1M IP 4 0 5 p K ob[ n r S C CT KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … W ⊕ as

W C [ b l T M s I p ,98 7 795 8 - 54 A P T M G r p I - 6 - 4 A M G r p rM - 4 A P T I r A 20 1 -0 I ] ie M p 20 1 -0 G K t - 4 p o K na m S P T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕ r

W C [ b l T M s I p ,98 7 795 8 - 54 A P T M G r p I - 6 - 4 A M G r p rM - 4 A P T I r A 20 1 -0 I ] ie M p 20 1 -0 G K t - 4 p o K na m S P T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕ ] ie r

W C [ b l T M s I p ,98 7 795 8 - 54 A P T M G r p I - 6 - 4 A M G r p rM - 4 A P T I r A 20 1 -0 I ] ie M p 20 1 -0 G K t - 4 p o K na m S P T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕

A 3T TETE EK C K 4 2 I R9 8 K P 2 2 1 . 9 7 W 1. 0- . 9 7 W P

2 I 1 16 V 0110100… 0110100… ⊕ ⊕ 2 . , , 3 16 ": {0, 1}) ×{0, 1}+ → {0, 1}ℓ 0 . 2 / 8 29 ℓ 29

g t 8 3 D2 7 , . .1.0 5 ℓ " 9 2# $ ∈ {0, 1}+ l 2 # ℓ , 2 e u 2# o n i b , 2ℓ , > , o b l . 2 Pr . 1 = 1 − Pr[. # $ = 1] ≤ 789:(,) f .) ) 1.(0 . 789: 21 {0, 1}ℓ(+) c 2 $ {0, 1}+ c 2 $ 1 .

9 2 1 8 0 2 0 2 2 1 0 2 2 1 0 2 2

2 9 0 1 0110100… 0110100… 0 1 1 ⊕ ⊕ 8 1

SP SP R G K SP 0 !, ℓ 5 256 ℓ=16 $ 8 A % & % &=256 %' ( $ 8 A 12 % %' $ 8 A 12 % ), *' ( %' ( )' , *' %' +' $ 8 A 12 9 ,' +' -' $ 12 .' $ 12 G

2 3 9 8 9 0 1 9 4: !" # ← 0 5: for & = 0 to ( − 1 do 6: !+,- # ← !+ # + /+ # & + 0[& mod ℓ] 7: Swap(/+ # & , /+ #[!+,- # ]) 8: /+,- # ← /+ # 9: end for Algorithm 1: KSA & 1 2 3 !- # N-1 /" # /- # Input: ℓ 0 Output: /" ← /> # 1: for & = 0 to ( − 1 do 2: /" #[&] ← & 3: end for

2 94 8 9 0 1 9 4: !" ← !"$% + '" [)" ] 5: Swap('"$% )" , '"$% [!" ]) 6: '" ← '"$% 7: 2" ← '" )" + '" !" 8: 3" ← '" [2" ] 9: end loop Algorithm 2: PRGA 0 2 3 S0 S1 Input: '4 Output: 3" 1: 5 ← 0, )4 ← 0, !4 ← 0 2: loop 3: 5 ← 5 + 1, )" ← )"$% + 1 S1 [i1 ]+S1 [j1 ] ⊞ N-1 i1 j1 Z1

R z r r r t y I cC Vo E K i l S I KSA PRGA 1 0 2 N-1 Z1 , Z2 , …, Zr ! 0 ∥ ! 1 ∥ ! 2 ∥ ! 3 ∥ ⋯ ∥ ![15] n E {K[0], K[1], K[2]} • IV24 : i P 41 1 19 154 0 5 IV24 K[0] K[1] K[2] aWk : e : 208

E PE 68 9 2 1 0 E 1 9 2W

K u t u e g W n VrR u M 72 0 2 I V 7-2 W T lK --- F:E C I a W 3 [ I zp K[1] = 255 [ S 7-2 V R [o• 8.14 9 6 P 3 {K[0], K[1], K[2]} • IV16 : ki slc] K 6 A F : :F A 6 F 0 1 IV16 K[0] K[1] K[2] K[0] = (IV16 >>> 8) & 0xFF K[1] = [(IV16 >>> 8) | 0x20] & 0x7F K[2] = IV16 & 0xFF

K I W 89 - T AP 0 12

4 9 9 9 02 13 . 8 8

e W[ M r GP A 703 8 Z2 =0 JKP TSW KVa] M 7-160 8 MVT GP TSW T[ P K TSW [ 7 8 T[M W[ J M P 70 8 T[ GP W[ J M P 7355 8 J W[ M P 739 8 7355 8 I M K 7 00 8 62+ 4 -2 P K[0]+K[1] M 62+ 4 -2 P J W[ M P J W[ GP Ø W[ O P Mn

8 9 V[ B G [ ] G Ø S W OP MB 5 1 Z2 =0 AGTKI 5 4 ATKI OP 5 0 V B 5+ 40 2- 0 B V 5001 40 2- 0 B V B 530 5001 B

V e R S [ K F l P R S M I F l Ø I n ] 6+03 1 K F 4 EGl 6 98 1 K F 6 8 EGl 6344 P R SK F EG Jl l ] 6 01 12 K D K F 60 J W EGl 6 013 j I J EJAl l

m a a a G 8 i 6C . 24 133 . 5 104 l n e 9 . 24 133 . 5 104

n ie] ieo T m bK ie Gr - 9 8 , 8 6A9 r - 9 8 , 8 6A9 4 0 65 T t a I b C s r t bK b 4 0 7 0 5 t a I b r b 4 0 5 T bK b 31 2 1 K l P [ r 31 2 1 I W M 4 0 5 K p t S T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … m ⊕ b

e mi G 5 3C 9 ir 9 63 1 . a 1 00 2 1 3 3C Zr {Sr [ir ], Sr [jr ]} 8 Pr #$ = &$ − ($ )$ = Pr(#$ = )$ − ($ [&$ ]) ≈ 2 0 0 1 2 N-1 … Zr lo K n Sr 3 3C KSA PRGA Z1 , Z2 , …, Zr 2 0 1 0 jr

G n a a a 6 i e 7 . 3 1- - ( 02 11 3 2 C Zr , Zr+1 ) l Sr [r+1] 89 Pr #$ % + 1 = ) − 1 + ,$ = ,$-. ≈ 2 ) 0 1 2 N-1 … Zr mp K o l Sr KSA PRGA Z1 , …, Zr , Zr+1 2 ) 1 ) N-1 r+1

G n a a a i e 8 . 3 1- - 7 ( 02 11 3 2 C Zr , Zr+1 ) l Sr [r+1] 89 Pr #$ % + 1 = ) − 1 + ,$ = ,$-. ∧ ,$-. = % + 2 ≈ 1 ) 3 − 6 ) + 2 )4 0 1 2 N-1 … Zr mp K o l Sr KSA PRGA Z1 , …, Zr , Zr+1 3 ) 1 ) N-1 r+1 r+2 =

9 e a e 8 ]r Ce o 0 1 6 3 0 326 0 1 2 N-1 … Zr K m [ l p Sr 8 8 KSA PRGA Z1 , …, Zr , Zr+1 2 " 1 " N-1 r+1 2 , M G Cs Ø n M G 9 J8 Cs ti

9 e ] t ] M 8 m ] r i 0 1 6 3 0 326 2 , C J G n l a Ø J G n l o 0 1 2 N-x … Zr s K [ p Sr 8 M 8 KSA PRGA Z1 , …, Zr , Zr+1 3 " 1 " N-x r+1 = r+x

i e M 9 a[ ] G i2 m 102 466 1 8043 0 1 2 N-1 … Zr K l ot S2 9M 9 KSA PRGA Z1 , Z2 , …, Zr 2 " 1 " j2 , 3 C r]p Ø n CG J M Gr]p s

o a l g gp i ] [ m e g Cr ,6 7 3 9 362 98 0-38 , 1 J M L et Ø G M M L et n s .984 3 7 ,6 7 3 M

n i a e i o l g tG Ji 469 2 8 2 1 48 ,2 . 0 M L J sG Ø p M L [L] J sC m r -8 3 2 6 469 2 [L]

m e en g [ ] as e o 469 2 8 2 1 48 ,2 . 0 GJ M L t r i Ø p C M L t r l -8 3 2 6 469 2 M

i e M 9 a[ ] G i2 m 102 466 1 8043 K l ot S2 9M 9 KSA PRGA Z1 , Z2 , …, Zr j2 , 3 C r]p Ø n CG J M Gr]p s K l ot S2 9M 9 KSA PRGA Z1 , Z2 , Z3 , … 2 0 K l ot S1 9M 9 KSA PRGA 1 Z1 , Z2 , Z3 , … 0

Pi ol9e e e a 8 C 1 . 4 2 24 1 5 104 ! G 9! ≥ 2 C A R m n Pr &' ! + 1 = 0 , -' = -'./ ≈ 2 12 1 − 1 1 . ! G 9! ≥ 1 C A 5 ∈ [0, 1 − 1] R m n Pr &' ! + 1 = 0 , -' = -'./ ∧ -'./ = ! + 5 ≈ 1 1 1 − 1 12 ;ℎ=> 5 = 1, 2 12 1 − 1 1 ;ℎ=> 5 = 255, 1 12 1 − 2 1 @Aℎ=!;BC=.

n 9 P R i G 8 C 4 1 . e a 24 1 104 C ! 9! ≥ 2 A6 C l m Pr &' ! + 1 = 0 , -' = -'./ ≈ 2 12 1 − 1 1 .

Pi ol9e e e a 8 C ! G 9! ≥ 1 C A $ ∈ [2, ) − 1] R m n 7 Pr ./ ! + 1 = ) − $ | 3/ = 3/45 ∧ 3/45 = ! + 1 + $ ≈ 2 ) 1 − 1 ) + 1 )8 . GL 24 1 104 I 3) (1 3 .- 4 ! G 9! ≥ 1 C A $ ∈ [0, ) − 1] R m n 7 Pr ./ ! + 1 = ) − $ ; 3/ = 3/45 ∧ 3/45 = ! + 1 + $ ≈ 1 ) 1 − 1 ) − 1 )8 <ℎ>? $ = 0, 1 ) 3 − 6 ) + 2 )8 <ℎ>? $ = 1, 2 ) 1 − 1 ) + 1 )8 BCℎ>!.

totete meli h lip * nP s Tli 01., P [ ] A a P r M C Pr #$ 2 = 0 ( )* = )$ ≈ Pr(#- 1 = 1) + 1 1 2 345 67$ Pr(#- 1 = 8). . 54 6 (* G .98 6 69 8 4 01., P [ ] A a P r MC Pr #* 3 = 0 ( )5 = )* = 0. 4 01., P [ ] A a P r MC Pr #* ;* = <* − )* ∧ )* = 1, 2, 129 = 0. 4 *Pr(#- 1 = 1) 3 2 6 6 ) 4 R R T

G e % % 9C a . 1025 466 1.8043 0.000030522 0.000030398 0.406 % !ℎ#$ % = 1 0.003922408 0.003906131 0.415 !ℎ#$ % = 255 0.000030683 0.000030398 0.929 *+ℎ#,!-.# 0.000015259 0.000015140 0.780 0.007812333 0.007782102 0.387 0.007801373 0.007751621 0.638 ( 0 0 0 ) 0 0 0 / 0 = − ×100 (%)

p pl p tm s t ] i n Mr t C 68 3 3 2 6 9 0,39 . 1 J [ a T r M Ø L [ a T g r Ø G [ a T r 0,39 . 1 J r M Ø e h M L T r o 0,39 1 68 3 53 38 T] ] M r 0. 1 - 9 3 8 68 3 T] ] M r 68 3 3 2 6 9 r t

9 45 68 0 3 3 . 1.2 3

m n CTWl e] Ma P s Ma P a ,98 7 795 8 - 54 A C CTK s M IP at s Ma P a - 6 - 4 A K s M IP at i Kr t GP a - 4 A K C CTMa P at A 20 1 -0 M P 20 1 -0M IP - 4 K pb[ o s S C CT KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … Wl ⊕ at

K u t u • e g W n VrR u - M VrR r 2 50 2 I V -2 W T lK --- F:E C I a W 3 [ I zp K[1] = 255 [ S -2 V R [o 8.14 9 6 P 3 {K[0], K[1], K[2]} • IV16: ki slc] K 6 A F : :F A 6 F 0 1 IV16 K[0] K[1] K[2] K[0] = (IV16 >>> 8) & 0xFF K[1] = [(IV16 >>> 8) | 0x20] & 0x7F K[2] = IV16 & 0xFF

A I IP K - 5 9 I K[0]+K[1] - W0 5 9 T Pr # 0 + # 1 = 0 ⟺ ) *+ ,--; ) ∈ 0,31 ; ) ∈ [128,159] Ø 5129 - - 5 9 T 48

K ] P P P TM T W GI5 [ AR T 1 4 1 8 AR R 1 + 1 Zr = aK[0] + bK[1] + cK[2] + d r ∈ [1, 257], a, b, c ∈ {-1, 0, 1}, d ∈ {-3, -2, -1, 0, 1, 2, 3} 4 1 0 + A 5 GI5 AR R R 1 0 + Z1 =-K[0]-K[1] 0.005264 0.005338 Z2 =-K[0]-K[1]+K[2]+3 0.004424 0.003903 Z3 =K[0]+K[1]+K[2]+3 0.004401 0.004405 ⋮ ⋮ ⋮ Z256 =-K[0] 0.004427 0.004429 Z257 =-K[0]-K[1] 0.004096 0.004094 2 -- C 5 GI5 AR RA Ø 1 0 + A 9 AR R

8 ] 9 * MP 3 0 + • A Ø 81 . * 2 9 5 Xr = aZr + bK[0] + cK[1] + dK[2] + e Xr ∈ {Sr [ir+1 ], Sr [jr+1 ], jr+1 , tr+1 } r ∈ [0, 256], a, b, c, d ∈ {-1, 0, 1}, e ∈ {-3, -2, -1, 0, 1, 2, 3} 3 A Ø GM 6 [ Ø RK GM 6 • * A 60.003906254

7 T 8 P6 R A . S0 [i1 ] 1 9 A W 1- 30, 2 .0 S0 [i1 ]=K[0] 0.001445489 0 S0 [i1 ]=K[0]-K[1]-3 0.005325263 0.007788309 S0 [i1 ]=K[0]-K[1]-1 0.003909411 0.007772441 S0 [i1 ]=-K[0]-K[1]-3 0.005344544 0.008375244 S0 [i1 ]=K[0]+K[1]+K[2]+3 0.001479853 0.001479853 K S0 I6 P6 KSA PRGA i1 Z1 , Z2 , …, Zr • 30, 2 .0 A • 30, 2 .0 A K Ø 30, 2 .0 1- C j1 * K 50.003906254

R 5 6 IK 4 W . S1 [i2 ] 0 1 K T S1 4IK 4 KSA PRGA i2 Z1 , Z2 , …, Zr • I • 1. 0- . 98 P Ø 1. 0- . CA 8 I 1. 0- . S1 [i2 ]=K[0]+K[1]+K[2]+3 0.362016405 0.362723221 S1 [i2 ]=-K[0]-K[1]+K[2]-1 0.005320377 0.008148630 S1 [i2 ]=K[1]+K[2]+3 0.008150313 0.008150313 S1 [i2 ]=K[0]-K[1]+K[2]+{-3,±1} 0.005320377 0.008148630 S1 [i2 ]=K[0]-K[1]+K[2]+3 0.005302926 0.002849060 j2 * P 30.003906252

5 6 P 4 W A . S255 [i256 ] 1 A K S255 4 P 4 KSA PRGA i256 Z1 , Z2 , …, Zr • RK I • 1. 0- . A98 A9 Ø 1. 0- . C 8RK Ø T AC 8RK I 1. 0- . S255 [i256 ]=K[0] 0.138325988 0.138325988 S255 [i256 ]=K[1] 0.003893102 0.037105932 j256 *T 30.003906252

- K K P 9 6 I K Sr [ir+1 ] 1. T K A T Sr 8 9 KSA PRGA ir+1 Z1 , Z2 , …, Zr • 10 K[0]+K[1] 6 W 2W jr+1

4 5 I R PT C . j2 12 6 C . 0- - j2 =K[2] 0.004426926 0.005471358 j2 =-K[0]-K[1]+K[2]+{±2} 0.003906250 0.004427953 j2 =-K[0]-K[1]+K[2] 0.003906250 0.005471358 j2 =-K[0]+K[1]+K[2] 0.003906250 0.005471358 j2 =-K[1]+K[2]+{-2,3} 0.003906250 0.005471358 j2 =K[0]-K[1]+K[2] 0.003906250 0.005471358 K W S1 I R P KSA PRGA Z1 , Z2 , …, Zr i2 j2 • 0- - 8 K I C 9 Ø 0- - 9 . A I C 9 * P 20.003906251

. % % 568 7 3 2 14 . 12 . 1 )% 0 2 14 9 ( S0 [i1 ]=K[0] 0.284 ( S0 [i1 ]=K[0]-K[1]-3 0.137 ( ( S0 [i1 ]=K[0]-K[1]-1 0.334 ( S0 [i1 ]=-K[0]-K[1]-3 0.211 ( S0 [i1 ]=K[0]+K[1]+K[2]+3 0.730 ( S1 [i2 ]=K[0]+K[1]+K[2]+3 0.459 ( S1 [i2 ]=-K[0]-K[1]+K[2]-1 0.277 ( % S1 [i2 ]=K[1]+K[2]+3 0.101 ( S1 [i2 ]=K[0]-K[1]+K[2]-3 0.476 ( S1 [i2 ]=K[0]-K[1]+K[2]-1 0.590 ( S1 [i2 ]=K[0]-K[1]+K[2]+1 0.203 ( S1 [i2 ]=K[0]-K[1]+K[2]+3 0.144 9 ( ( S255 [i256 ]=K[0] 0.208 ( ) S255 [i256 ]=K[1] 0.409 ( Sr [ir+1 ]=K[0]+K[1]+1 ( j2 =K[2] 0.078 ( j2 =-K[0]-K[1]+K[2]-2 0.371 ( j2 =-K[0]-K[1]+K[2] 0.335 ( j2 =-K[0]-K[1]+K[2]+2 0.120 ( % j2 =-K[0]+K[1]+K[2] 0.361 ( % j2 =-K[1]+K[2]-2 0.097 ( % j2 =-K[1]+K[2]+3 0.213 ( %% j2 =K[0]-K[1]+K[2] 0.297

. % % 568 7 3 2 14 21 .5 . 2 5 - ) 0 2 14 9 ( % S0 [i1 ]=K[0] 0 ( S0 [i1 ]=K[0]-K[1]-3 0.450 ( ) S0 [i1 ]=K[0]-K[1]-1 1.010 ( S0 [i1 ]=-K[0]-K[1]-3 0.393 ( S0 [i1 ]=K[0]+K[1]+K[2]+3 0.754 ( S1 [i2 ]=K[0]+K[1]+K[2]+3 0.268 ( S1 [i2 ]=-K[0]-K[1]+K[2]-1 0.318 ( % S1 [i2 ]=K[1]+K[2]+3 0.282 ( S1 [i2 ]=K[0]-K[1]+K[2]-3 0.095 ( S1 [i2 ]=K[0]-K[1]+K[2]-1 0.017 ( S1 [i2 ]=K[0]-K[1]+K[2]+1 0.022 ( S1 [i2 ]=K[0]-K[1]+K[2]+3 0.478 9 ( ( S255 [i256 ]=K[0] 0.208 ( ) S255 [i256 ]=K[1] 0.216 ( Sr [ir+1 ]=K[0]+K[1]+1 ( j2 =K[2] 1.605 ( j2 =-K[0]-K[1]+K[2]-2 3.178 ( j2 =-K[0]-K[1]+K[2] 1.636 ( j2 =-K[0]-K[1]+K[2]+2 2.550 ( % j2 =-K[0]+K[1]+K[2] 0.353 ( % j2 =-K[1]+K[2]-2 0.054 ( % j2 =-K[1]+K[2]+3 0.053 ( %% j2 =K[0]-K[1]+K[2] 2.419

6 8 124 9 0 0 Sr [ir+1 ]=K[0]+K[1]+1 0

6 M MI M P T 5 G[ RK A 2 -- 1 0 + 9 A 5 5 A W Ø S0 [i1 ] A Ø S1 [i2 ] A Ø S255 [i256 ] A Ø Sr [ir+1 ] A Ø j2 A 8 A 2 -- 1 0 + 9 A K[0]+K[1] 1 0 + 9 A 5 5 9 A 2 - Ø 9 A A ]W 4 A 2

3 K K WK P P 4 2A 9 7 P 6 P8 1 2 2A9 7 P 1 6 T P8 1 I P 10. - . 9 7 I 8 5 6

p l ] e i T n bK Gt • b t - 9 8 , 8 6A9 4 0 65 T a I b t bK • b 4 0 7 0 5 • a I b t • b 4 0 5 • T bK b C 31 2 1 K m P [ C m o t 31 2 1 I W M• 4 0 5 • K s r S T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … n ⊕ m b

V [ [W [ ( a ) MR9 ] ( ] 9 MR9 ] ] 2 00 3 K C 9 MR9 Z ] 8ℓ=16 (a0 K[0] + + aℓ-1 K[ℓ-1] + aℓ Z1 + + a2ℓ-1 Zℓ) = b ai ∈ {-1, 0, 1} (0 ≤ i ≤ 2ℓ-1), b ∈ ℤ/Nℤ Z1 = K[0] - K[1] - 1 2 45 3 Z3 = K[0] - K[3] - 3 2 45 3 Z4 = K[0] - K[4] - 4 2 45 3 Zxℓ = K[0] - K[xl mod ℓ] – xℓ = - xℓ 2 1 3 8 9 MR9 ] ] 2 00 3 S ] Ø S 6(K[0], K[r mod ℓ]) OIC Zr ] r

0 T TP T 1 K I W9 2 W (K[0], K[r mod ℓ]) 6 ℓ 8 - K r r A K I Zr A (K[0], K[r mod ℓ]) W Zr = K[0] + K[r mod ℓ] - r A 6 9 -

, . 1 Zr=K[0]-K[r mod l]-r K r r = 1, 2, x·ℓ x = 1, 2, …, 7 108( r Zr (K[0], K[r mod ℓ]) 1 9 ( 2 7 Pr #$ = & 0 − & ) mod ℓ − ) ≈ /$ + 1 2 1 − /$ . 9( /$ ≈ (5$ + 6 7 786 1 − 5$ ) : ;$ : (<$ + 6 7 1 − <$ ) 5$ ≈ 6 7 : 78$86 7 : ∏>?@ A (78B86) ∏>?C AD@(78B) ;$ ≈ (1 − 6 7 )78$86: 6 7 : ∑BF$G6 786 (1 − 6 7 )B: (1 − 6 7 )B8$86: (1 − H 7 )78B86 <$ ≈ (1 − ∑IFH $ J6,I − ∑BF$G6 786 LM,> 78$8H ) : 78$G6 786 JN,I = Pr(OP Q = R) 9 )

0 T T T 1 K 9 2 Zr=K[0]-K[r mod l]-r 2 . . K I (K[0], K[1]) K Z1 7 PW A Pr #$ = & 0 − & 1 − 1 ≈ 1 + 1 − ,$ . 88 ,$ ≈ $ ./ 0 (1 − 2 . ) 0 (1 − $ . ).420 ∑672 .4$(1 − $ . )60 (1 − $ . )6420 (1 − 2 . ).464$ - K K Z2 I (K[0], K[2]) 7 PW A Pr #2 = & 0 − & 2 − 2 ≈ 1 + .

2W W W A P I 1 9 CT8 . 4 9 R0 7 - 9 K

9 1 . 0 3 , R S0 1 8 7 3 902 C Z2 1 78 2/N 9 4 0 1 2 N-1 … Z2 K R S KSA PRGA 1 0 2 N-1 Z1 , Z2 , …, Zr 2 " 1 "

k 0 . C 1 M 2 C3 • . , P2 C 9 C(1), …, C(k) R k C • 8 7C k = Ω(N) C C(1), …, C(k) P2 0 C P C • K 9 C 0 1 2 N-1 … 2 " 1 " C2 C ★ 0 23 P2 k = Ω(N) C C C 4 C2 C P2 = C2 ⊕ Z2 = C2 ⊕ 0 = C2 9 P2 1 2/N C

9 1 0 3 1 1 Zr 1 Z1 = 0 | Z2 = 0 2-8 (1 + 2-1.009) 2 Z2 = 0 2-8 (1 + 20) 3 Z3 = 131 2-8 (1 + 2-8.089) 4 Z4 = 0 2-8 (1 + 2-7.581) ⋮ ⋮ ⋮ 112 Z112 = 144 2-8 (1 + 2-7.300) 113-255 Zr = 0 2-8 (1 + 2-10.052) 2-8(1 + 2-8.763) 256 Z256 = 0 2-8 (1 - 2-9.474) 257 Z257 = 0 2-8 (1 + 2-9.474) 590 2 5 789

. 6 I 0 1 Zr O M 1 Z1 = 0 | Z2 = 0 2-8 (1 + 2-1.009) 2 Z2 = 0 2-8 (1 + 20) 3 Z3 = 131 2-8 (1 + 2-8.089) 4 Z4 = 0 2-8 (1 + 2-7.581) ⋮ ⋮ ⋮ 112 Z112 = 144 2-8 (1 + 2-7.300) 113-255 Zr = 0 2-8 (1 + 2-10.052) 2-8(1 + 2-8.763) 256 Z256 = 0 2-8 (1 - 2-9.474) 257 Z257 = 0 2-8 (1 + 2-9.474) % 2 3 P1 -P257 I 1. k = Ω(N) C 1 1 Cr Pr = Cr ⊕ Zr 957 Pr Zr 3 . % 3 8

T ] ] 7 GKP M A W [ ] 4 8 A9 [ I O 41 0 + A 1 + Zr = aK[0] + bK[1] + cK[2] + d r ∈ [1, 257], a, b, c ∈ {-1, 0, 1}, d ∈ {-3, -2, —1, 0, 1, 2, 3} 4 1 0 + {P1 , P3 , P256 , P257 } A A K 2 -- 3 2+ 1- 3 [ P1 Z1 =-K[0]-K[1] 210.895 Z1 = 0 | Z2 = 0 218.072 P3 Z3 =K[0]+K[1]+K[2]+3 213.939 Z3 = 131 224.128 P256 Z256 =-K[0] 213.803 Z256 = 0 226.814 P257 Z257 =-K[0]-K[1] 216.758 Z257 = 0 227.062 2 -- 3 A d ∈ {-3, -2, —1, 0, 1, 2, 3} Ø A9 [ 1 0 + 4

3 3 1 B +A 8 7 91 ! {# $ , # & , … , # ( } * Ø 3 0 8 3 . 8 2 Ø +∗

W 7 8 * ] + 1 3 * 9 ] I !",$ ≔ Pr (" = * , * = 0x00, … , 0xFF / (12322 4 , … , 1 2355 4 ) I 1 $ (4) = 7 8 9:," = * ⨁ / <=:=> , * = 0x00, … , 0xFF / [ ?4 I ?4 = @! 1 2322 (4) ! BBB 1 2355 (4) ! C $∈ 2322,… ,2355 ! ",$ E F (G) ?4 / I 2+ 3 B PK Ø ] ]I A 1 + 0.- 1 *(12322 4 , … , 1 2355 4 ) 4 !",2322 , … , !",2355 @ I T

9 0 2 IV= (IV0 , IV1 )IV16 8 1 0 IV0 1 0 IV1 (IV0 , IV1 )=(0x00, 0x00) (IV0 , IV1 )=(0x00, 0x20) (IV0 , IV1 )=(0x8F, 0x34) (IV0 , IV1 )=(0xFF, 0xFF)

9 8 5 4 1 . 9 813 9 IV= (IV0 , IV1 ) 4 8 #$%,',( ≔ Pr ,' = . , IV = (0x00,0x00), … , (0xFF, 0cF6), . = 0x00, … , 0xFF 7 813 9 (8 $%,9:99 ; , … , 8 $%,9:<< ; ) 8 $%,( (;) = = > ?$%,@,' = . ⨁ 7 BC@CD , . = 0x00, … , 0xFF IV 4 8 2 7 E$%,; E$%,; = F! 8 $%,9:99 (;) ! HHH 8 $%,9:<< (;) ! I (∈ 9:99,… ,9:<< # $%,',( K LM,N (O) 2 7 E; E; = I (9:99,9:99)C$%C(9:<<,9:<<) E$%,; E; 2 7 *(89:99 ; , … , 89:<< ; ) #',9:99, … , #',9:<< F 5 8 0*

2 S S ]S[WP [W 3 IK1 AT [W 4 1 4 T A 8 1 IK1 IV= (IV0 , IV1 ) 9 A #$%,',( ≔ Pr ,' = . , IV = (0x00,0x00), … , (0xFF, 0cF6), . = 0x00, … , 0xFF 7 A 8 1 IK1 (8 $%,9:99 ; , … , 8 $%,9:<< ; ) 8 $%,( (;) = = > ?$%,@,' = . ⨁ 7 BC@CD , . = 0x00, … , 0xFF IV 9 A 7 E$%,; E$%,; = F! 8 $%,9:99 (;) ! HHH 8 $%,9:<< (;) ! I (∈ 9:99,… ,9:<< # $%,',( K LM,N (O) 7 E; E; = I (9:99,9:99)C$%C(9:<<,9:<<) E$%,; 0 [W . - A Ø 1 IK1 AT T A 4

O 2 P W 3 [ 1I - 0- {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82 } ] T 1 - P17 Z17 =K[0]-K[1]-17 217.727 Z17 = 17 223.178 P18 Z18 =K[0]-K[2]-18 217.800 Z18 = 18 223.120 P33 Z33 =K[0]-K[1]-33 218.955 Z33 = 0 223.770 P34 Z34 =K[0]-K[2]-34 219.035 Z34 = 0 223.791 P49 Z49 =K[0]-K[1]-49 220.297 Z49 = 0 224.114 P50 Z50 =K[0]-K[2]-50 220.386 Z50 = 0 224.135 P66 Z66 =K[0]-K[2]-66 221.869 Z66 = 0 224.479 P82 Z82 =K[0]-K[2]-82 223.506 Z82 = 0 224.820 Zr = K[0] - K[r mod ℓ] - r 1AKM0(K[0], K[1]) 9 (K[0], K[2]) 8

[ [W [ ] T + 31 8 9 K T !",$ ≔ Pr (" = * , * = 0x00, … , 0xFF / K T (12322 4 , … , 1 2355 4 ) 1 $ (4) = 7 8 9:," = * ⨁ / <=:=> , * = 0x00, … , 0xFF / B ?4 ?4 = @! 1 2322 (4) ! BBB 1 2355 (4) ! C $∈ 2322,… ,2355 ! ",$ E F (G) ?4 B / 1*+. 2 A K T I Ø K T 0.* - . *(12322 4 , … , 1 2355 4 ) 3 !",2322 , … , !",2355 B @ P B 4

8 2 - !",$ ≔ Pr (" = −+ 0 − + 1 + / !0 $ ≔ Pr (0 = + 0 + + 1 + +[2] + / !"4,$ ≔ Pr ("4 = + 0 − + 1 + / !"5,$ ≔ Pr ("5 = + 0 − + 2 + / !00,$ ≔ Pr (00 = + 0 − + 1 + / !06,$ ≔ Pr (06 = + 0 − + 2 + / !67,$ ≔ Pr (67 = + 0 − + 1 + / !89,$ ≔ Pr (89 = + 0 − + 2 + / !::,$ ≔ Pr (:: = + 0 − + 2 + / !5;,$ ≔ Pr (5; = + 0 − + 2 + / !;8:,$ ≔ Pr (;8: = −+ 0 + / !;84,$ ≔ Pr (;84 = −+ 0 − + 1 + / * 9 !<,9=99 , … , !<,9=?? 01 151,

0 S 1 P 8 7 4 - 2 83 ] [ 54597 6 8 P1 P3 P17 P18 P33 P34 % P49 P50 P66 P82 P256 P257

, 5 28 - . 8 07 9 28 - Ø 135 3 07 9

3 [ [W [ 4 a 2 ] SM 9 Ø (K[0], K[r mod ℓ]) O 8 ℓ SM ] r5 ] 2 2 9 ] I V 0 ] 1 ] ] 3

W 8 [ 9 O T 4+.. BG K d ∈ {-3, -2, —1, 0, 1, 2, 3} 4 0 BG O TSM O 4001 G B 30 2- 0 Ø K 30 2- 0 Ø O T K A K I 4.1 Z2 =0 SM OK 4 3. SM OP K 4 0 O T K 4+.. 30 2- 0 A O T K 4001 30 2- 0 A O T K ]

1 T P K P 2 0 9 8 P . - 84 7 I . - 84 7 9 A 3W . - 84 7

W C [ b l T M r I o 20 1 -0 G tK s o ,98 7 795 8 - 54 A P T p M G o p I - 6 - 4 A p M G o M - 4 A P T I A 20 1 -0 I ] ie M o 20 1 -0 G tK s - 4 K na m p S P T KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … ⊕

i i ri l W at o K A 1- - KC 0 R {K[0], K[1], K[2]} n • IV16: ec z V 0 5:5265 2:58 04 :89 0 1 IV16 K[0] K[1] K[2] K[0] = (IV16 >>> 8) & 0xFF K[1] = [(IV16 >>> 8) | 0x20] & 0x7F K[2] = IV16 & 0xFF I W Ø 1- - P T WI

n e n W l I n 1- - IA 0 z P {K[x], K[y], K[z]} • IV16: tca VW i TW 0 : 26 2: 8 043:89 0 1 IV16 K[x] K[y] K[z] K[x] = (IV16 >>> 8) & 0xFF K[y] = [(IV16 >>> 8) | 0x20] & 0x7F K[z] = IV16 & 0xFF 1- - IA Ø 1- - C Kr R o -

e ea neli lir % - . T A c K li .) t 42 3102 K o I K x y z Zr+1 Sr [ir+1 ] Sr [jr+1 ] jr+1 tr+1 5 87 6 9 5 8 0 1 2 22 368 13 28 462 -.( 3102 0 8 0 22 424 5 15 952 ) - *- . 9 10 11 3 103 2 5 161 . *( Zr = bK[x] + cK[y] + dK[z] + e Xr = aZr + bK[x] + cK[y] + dK[z] + e Xr ∈ {Sr [ir+1 ], Sr [jr+1 ], jr+1 , tr+1 } r ∈ [0, 256], a, b, c, d ∈ {-1, 0, 1}, e ∈ {-3, -2, -1, 0, 1, 2, 3} Ø P T d % %%)* uK Ø W P T d % %%(% K

5 9 0 1 2 8 . 0 1 2

[ • r b b nbl l s W p i K l G - 9 8 , 8 6A9 4 0 65 T W I C m K 4 0 7 0 5 I C m 4 0 5 T W K C m 31 2 1 K a o P ] Ce o 31 2 1 I M 4 0 5 K t S T W KSA PRGA 1 0 2 N-1 Z1 , Z2 , … P1 , P2 , … C1 , C2 , … p ⊕

l t tm t p M - . e iKh ., e iKh • I o 2 a J0 0 40 5912 M Ø 70) an RV e iKh [ r s I Ke iKh ea RU • Ø Ke iKh ea RU [ n ( r s I 1A G 8 3 C.+ ] n 4A - M Ø T 1A G 0 A CG 51 ( ) a n ) s I 671 P ) • 456 .- Ø a n

8 8 8 ) . 1 02A 9 8 9

n a “ r P L L R , , 2 45 S C A KA P C R 8≈9 E L ” R “" = 1 ∧ & = 19 C E K 9 " = (1 ∧ &) = 19 TK R T I P 8(" = 1) ∧ (& = 1)9 L R s L W 11. 2.1 2-, L R 0 s a L R

4 p p 3 K p K G 1ℓ a 2 0G AG G 0 AG 2 ℓ S G 2 A0 A 1 w 0 K . G K R8K 9 1 K A 1 w K G0 2 P 1 A P S 1

n n n r r u ad c t SoI r y “s p q 40 q=1 ” 840 p 1 q9 940 9 9p9 I !(#) ≈ # # !(#) S I S m m m I S m m m I S 9 00 379 8 1532 5.219 SI I I r iS I l S I

8 8 01 2 1 9 1 8

1 2 83 8 0 9 8 [IM14] Ryoma Ito and Atsuko Miyaji.. New Integrated Long-Term Glimpse of RC4. In Kyung- Hyune Rhee and Jeong Hyun Yi, editors, Information Security Application - WISA 2014, volume 8909 of Lecture Notes in Computer Science, pages 137–149. Springer Berlin Hei- delberg, 2015. [IM15a] Ryoma Ito and Atsuko Miyaji. New Linear Correlations related to State Information of RC4 PRGA using IV in WPA. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of Lecture Notes in Computer Science, pages 557–576. Springer Berlin Heidelberg, 2015. [IM15b] Ryoma Ito and Atsuko Miyaji. How TKIP Induces Biases of Internal States of RC4. In Emest Foo and Douglas Stebila, editors, Information Security and Privacy - ACISP 2015, volume 9144 of Lecture Notes in Computer Science, pages 329–342. Springer International Publishing, 2015. [IM16a] Ryoma Ito and Atsuko Miyaji. Refined Glimpse Correlations of RC4. IEICE Trans., E99- A(1):3–13, jan 2016. [IM16b] Ryoma Ito and Atsuko Miyaji. Refined RC4 Key Correlations of Internal States in WPA. IEICE Trans., E99-A(6):1132–1144, jun 2016.. [IM17] Ryoma Ito and Atsuko Miyaji. Refined Construction of RC4 Key Setting in WPA. IEICE Trans., E100-A(1):138–148, jan 2017. [IM18] Ryoma Ito and Atsuko Miyaji. New Iterated RC4 Key Correlations. In Willy Susilo and Guomin Yang, editors, Information Security and Privacy - ACISP 2018, volume 10946 of Lecture Notes in Computer Science, pages 154–171. Springer International Publishing, 2018.