b. Suppose that Trudy also happens to know that the first three bytes of the key are (K 0 , K 1 _,K 2 ) = (2, 253,0). Show that Trudy can determine the next byte of the key, A 3 , with a probability...

b. Suppose that Trudy also happens to know that the first three bytes of the key are (K₀, K₁_,K₂) = (2, 253,0). Show that Trudy can determine the next byte of the key, A₃, with a probability of success of about 0.05. Note that from part a, Trudy knows the first byte of the keystream. Hint: Suppose that the RC4 initialization algorithm were to stop after the i = 3 step. Write an equation that you could solve to determine the first byte of the key. Then show that this equation holds with a probability of about 0.05 when the entire 256-step initialization algorithm is used.

c. If Trudy sees several messages encrypted with the same key that was used in part b, how can Trudy improve on the attack to recover A₃? That is, how can Trudy recover the key byte K₃
with a much higher probability of success (ideally, with certainty)?

d. Assuming that the attack in part b (or part c) succeeds, and Trudy recovers K₃, extend the attack so that Trudy can recover K₄, with some reasonable probability of success. What is the probability that this step of the attack succeeds?

e. Extend the attack in part d to recover the remaining key bytes, that is, Κ₅, K₆, Show that this attack has essentially the same work factor regardless of the length of the key.

f. Show that the attack in part a (and hence, the attack in parts a through e) also works if the first three key bytes are of the form (K₀, K₁
K₂) = (3,255, V) for any byte V.

g. Why is this attack relevant to the (in)security of WEP?