by **Madory** » Sun Mar 06, 2005 8:09 am

When I now see the answer, I want to kick myself for not figuring it out sooner...

For the FMS attack to work, the first two bytes of the IV and the target byte of the secret key must survive the KSA swapping algorithm unchanged after the expected swaps occur. If we model the remaining swaps as random, then the chance that the three bytes in question are unchanged is 5%. This number comes from aggregating the probability that a byte is unchanged over each step over the three bytes.

P(1 byte is unchanged after one random swap) = (1 – 1/N)

N is the length of the resulting keystream.

P(1 byte is unchanged after N random swaps) = (1 – 1/N)^N

P(3 bytes are unchanged after N random swaps) = ((1 – 1/N)^N)^3

The expression, ((1 – 1/N)^N)^3, can be modeled as e^-3 because as N grows to be of any applicable length, the value of the expression asymptotically heads for 0.05. In the end, the value of N is irrelevant as the value is always just below 5%.

If we were to try to keep two bytes the same, P=((1 – 1/N)^N)^2 or e^-2 or 13%.

Thanks anyway.
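A numerical check of the estimate above, added here as an example and not code from the post: it evaluates the closed form ((1 - 1/N)^N)^k for N = 256 and compares it with a Monte Carlo run of the same model, in which the KSA swaps that follow the first few expected ones use a uniformly random j. Tracking positions 0, 1 and 3 as the three bytes in question is my assumption, as is treating the state after step 3 as the baseline.

```python
import math
import random

N = 256  # size of the RC4 state permutation S


def survival_probability(n: int, bytes_kept: int) -> float:
    """Closed form from the post: each tracked byte survives n random
    swaps with probability (1 - 1/n)^n, so all of them survive with
    ((1 - 1/n)^n) ** bytes_kept.  For n = 256 this is close to e^-bytes_kept."""
    return ((1.0 - 1.0 / n) ** n) ** bytes_kept


def simulate_survival(n: int, tracked=(0, 1, 3), expected_steps: int = 4,
                      trials: int = 10000, seed: int = 1) -> float:
    """Monte Carlo version of the same 'remaining swaps are random' model.

    The first `expected_steps` KSA steps are the ones the attack relies on,
    so the permutation after them is taken as the baseline (assumption).
    Every later step i swaps S[i] with S[j] for a uniformly random j, which
    is the only way a tracked position can be disturbed.  Returns the
    fraction of trials in which all tracked bytes still hold their
    baseline values at the end.
    """
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        s = list(range(n))            # baseline: identity permutation
        for i in range(expected_steps, n):
            j = rng.randrange(n)
            s[i], s[j] = s[j], s[i]
        if all(s[k] == k for k in tracked):
            survived += 1
    return survived / trials


if __name__ == "__main__":
    for k in (2, 3):
        print(f"{k} bytes: closed form {survival_probability(N, k):.4f}, "
              f"e^-{k} = {math.exp(-k):.4f}")
    print(f"simulation (3 bytes): {simulate_survival(N):.4f}")
```

The simulation uses N - 4 random swaps rather than N, so it lands marginally above the closed form; both sit within a fraction of a percent of e^-3.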