Key Collisions of the RC4 Stream Cipher
Mitsuru Matsui
Information Technology R&D Center
Mitsubishi Electric Corporation
February 23 2009, FSE 2009
In this presentation we talk about…
●
A colliding key pair of RC4
– keys that create the same initial states
– a 24-byte colliding key pair found
– # of colliding key pairs = (1/e) (k - (256 mod k)) 256 k - 2 - (256/k)
●
A near-colliding key pair of RC4
– keys that creates initial states that differ at two positions
– a 20-byte near-colliding key pair found
– # of near-colliding key pairs = (1/e) (k - (256 mod k)) 256 k - (256/k)
The RC4 Stream Cipher
• Designed by Ron Rivest in 1987.
• Source program leaked in 1994.
• The most influential stream cipher
– WEP, WPA, SSL, file encryption …
– enormous efforts of cryptanalysis …
• Extremely simple and fast in software
The Structure
●
●
Variable key length: 1-byte to 256-byte
Key Scheduling Algorithm (KSA) +
Pseudo-random Generating Algorithm (PRGA)
KSA
PRGA
Wk
Sym(W)
W*
∋
∋
∋
K
S
R
“Secret Key”
“Initial State”
“Byte Stream”
W = {0,1,2,…,255}
Key Scheduling Algorithm
/* State Setup */
for(i=0; i<=0xFF; i++) S[i] = i;
/* State Updating */
j=0;
for(i=0; i<=0xFF; i++){
j = (j + S[i] + K[i]) & 0xFF;
SWAP(S[i], S[j]);
}
State S
0
1
2
3
4
5
6
7
FD FE FF
Note: K[i] = K[i mod k]
Pseudo Random Generating Algorithm
i=0;
j=0;
while( 1 ){
i = (i + 1) & 0xFF;
j = (j + S[i]) & 0xFF;
SWAP(S[i], S[j]);
OUTPUT S[(S[i]+S[j])0xFF];
}
i
j
OUTPUT
State S
S[i]
S[j]
S[i]+S[j]
The KSA Mapping: One-to-one ?
KSA
Wk
Sym(W)
No
if k > 210 (#Sym(W)=256!～21684)
Maybe no if k > 105 (birthday paradox)
?
otherwise
[Our Results]
No
if k ≧ 24 (colliding keys found)
Maybe no if k ≧ 17
?
otherwise
An Example: 64-byte Colliding Key Pair
K1
45 3D 7D 3D C9 45 57 12 00 00
00
j1 = j1 + S1[i] + K1[i%0x40]
K2
45 3D 7E 3D C9 45 57 12 00 00
00
j2 = j2 + S2[i] + K2[i%0x40]
i
00 01 02 03
40 41 42 43
80 81 82 83
C0 C1 C2 C3
∆K
0 0 1 0
0 0 1 0
0 0 1 0
0 0 1 0
j1
02 42
02 82
41 C1
81 C1 X
j2
03 42
02 82
41 C1
81 C0 X
S1
02 03
S2
02 03
General Key Collision Sequence
K2[i] = K1[i]+1 (if i = d)
K2[i] = K1[i] (otherwise)
Key Length k
0…d-1
i=d
j1=d
j2=d+1
d…
d+k-1
i=d+1
j1=d+k
j2=d+k
S1
d d+1
S2
d d+1
n = (256+k–1–d) / k
K1[i] = K2[i]+1 exactly n times (i=0,1,…255)
Repeated n-3 times
d+k …
d+2k-1
i=d+k
j1=d+2k
j2=d+2k
d+(n-2)k …
d+(n-1)k-1
i=d+(n-2)k
j1=d+(n-1)k-1
j2=d+(n-1)k-1
d+(n-1)k …
255
i=d+(n-1)k-2 i=d+(n-1)k-1
j1=x
j1=d+(n-1)k-1
j2=x
j2=d+(n-1)k-2
Probability Estimation
(254/256)d (255/256)k-2
Key Length k
0…d-1
i=d
j1=d
j2=d+1
d…
d+k-1
i=d+1
j1=d+k
j2=d+k
1/256 1/256
(255/256)k-4
(255/256)k-2
Repeated n-3 times
d+k …
d+2k-1
i=d+k
j1=d+2k
j2=d+2k
1/256
d+(n-2)k …
d+(n-1)k-1
i=d+(n-2)k
j1=d+(n-1)k-1
j2=d+(n-1)k-1
1/256
d+(n-1)k …
255
i=d+(n-1)k-2 i=d+(n-1)k-1
j1=x
j1=d+(n-1)k-1
j2=x
j2=d+(n-1)k-2
1/256 1/256
ColProb(k,d) = (254/256)d(255/256)(n-1)(k-2)-2(1/256)n+2 ≒ (1/e) (1/256)n+2
How to Find a Colliding Key Pair (I)
A Simple Try-and-Error Algorithm:
(1) Generate a key pair randomly.
(2) Proceed the key scheduling algorithm by one step
(3) If ‘j’ does not meet the expected value, go to (1).
(4) If the key scheduling algorithm is completed, stop. FOUND!
(5) Go to (2).
We can ‘skip’ the conditions at i=d and i=d+1, because
(1) i=d determines K[d] uniquely.
(2) i=d+1 determined K[d+1] uniquely. Specifically K[d+1] =k–d–1.
Experimental Results
K1 = 00
4a
bf
K2 = 00
4a
bf
6d
3b
80
6d
3b
80
41
ed
b6
41
ed
b6
8b
94
ae
8b
94
ae
95
34
df
95
34
df
46
50
ae
46
50
ae
07
04
43
07
04
43
a4
68
56
a4
68
56
87
4d
0a
87
4d
0a
8d
4f
80
8d
4f
80
69
2e
e7
69
2e
e8
d7 bc bc c4 70
30 c1 6e 20 a8
d7 bc bc c4 70
30 c1 6e 20 a8
Number of Colliding Pairs
ColPairs(k) ＝ 256kΣd=0…k-1 ColProb(k,d)
≒ (1/e) (k - (256 mod k)) 256 k-2-(256/k)
How to Find a Colliding Key Pair (II)
A Faster Recursive Search Algorithm: Search(K1,K2)
(1)
(2)
(3)
(4)
If K1 and K2 are a (near-)colliding pair, Stop.
Measure “Similarity S” between K1 and K2.
Change K1 and K2 slightly and measure similarity S’
If found K1’ and K2’ such that S’ > S then call Search(K1’,K2’)
Similarity : maxi { distance(S1,S2) ≦ 2 at all steps≦ i }
Change K1 and K2 by +y at x and –y at x+1 for all x and y≠0
i.e. K’[x] = K[x]+y, K’[x+1] = K[x]–y, K’[i] = K[i] (if i ≠ x or x+1)
Concluding Remarks
●
A 24-byte colliding key pair found.
K1 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33
ED A2 CD 1F E2 8C 01 76
K2 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33
ED A2 CD 1F E2 8C 01 77
●
RC4 has many colliding key pairs.
– much more than intuitively expected
●
●
Experimental results do not always agree with our
theoretical estimation when the key size is less than 30.
More precise probabilistic analysis is needed.