1. No category

The RC4 Stream Cipher - Indian Statistical Institute, Kolkata

Four Lines of Design to Forty Papers of Analysis:
The RC4 Stream Cipher
Subhamoy Maitra
Indian Statistical Institute
[[email protected]]
December 10, 2012
Subhamoy Maitra
RC4
Outline of the talk
Basics
Stream Cipher
RC4: Brief History
RC4: Description
How we have started
State-of-the-art Results
Key Scheduling Algorithm (KSA)
Non-randomness
Key collision
Bias of permutation locations to secret key
Reversing the KSA
Pseudo Random Generation Algorithm (PRGA)
Cycles
Non-randomness of j
Biases in RC4 Keystream
Bias of keystream to secret key
Bias related to key length
Fault attack
Modified designs
Subhamoy Maitra
RC4
Stream Cipher: Basics
Subhamoy Maitra
RC4
Stream Cipher Principle
Zi
Zi
Ci
Encryption
Decryption
Ci = Mi ⊕ Zi
Mi = Ci ⊕ Zi
Mi
Example
Message Mi
Keystream Zi
Ciphertext Ci
0
⊕
1
1
1
⊕
1
0
1
⊕
0
1
0
⊕
0
0
Subhamoy Maitra
0
⊕
1
1
···
···
···
···
RC4
Mi
Basic Idea
Parties: Alice (Sender/Receiver) and Bob (Receiver/Sender)
Procedure
Alice and Bob share a stream of random data (keystream) Ki ,
where i = 0, 1, . . .
The plaintext stream Mi is XOR-ed with Ki to generate the
cipher stream Ci .
[Ci = Mi ⊕ Ki ]
The cipher stream Ci is XOR-ed with Ki to generate the
plaintext stream Mi .
[Mi = Ci ⊕ Ki ]
Subhamoy Maitra
RC4
Perfect Secrecy/One Time Pad
Information Theoretic Security: Shannon (1949)
Ciphertext should reveal no “information” about plaintext
Example: One Time Pad (Miller 1882, Vernam 1917)
One Time Pad
Alice and Bob may sit on a table and toss an unbiased coin
enough number of times to generate the keystream bits.
Once some portion of the keystream is used for encryption, it
will never be used again.
Not practical!
Subhamoy Maitra
RC4
Pseudorandom Generator
Alice and Bob share a small key key of length l,
e.g., toss the coin for l = 128 times to generate the secret key.
Initialize the state using some deterministic algorithm (Key
Scheduling Algorithm: KSA) on a classical computer with this
secret key. The key will not be used after KSA.
After the initialization, the algorithm will keep on generating
random-looking bitstream, the keystream bits k (k0 , k1 , . . .).
This is Pseudo Random Generation Algorithm (PRGA).
Subhamoy Maitra
RC4
Pseudorandom Generator (contd.)
The small key key generates the keystream k (Should have a
unique one-to-one correspondence? Issues of collision.)
Say 128 bit key, and 12800 bit keystream. Then the possible
number of different pseudorandom streams will be at most
2128 out of 212800 bit patterns.
A practical solution!
Can we write C program to implement a stream cipher easily?
Use rand() and srand(), may not be secure.
Subhamoy Maitra
RC4
Cryptographic Security
Kerckhoff’s Principle: The security of a cipher should rely on
the secrecy of the key only!
Attacker knows every detail of the cryptographic algorithm
except the key.
Keeping the design secret in commercial domain has no
scientific justification. It may be leaked easily.
The design should be such that the designer himself cannot
break the system without knowing the key. No trapdoor.
Design should be known to everybody for evaluation.
Obscurity is the opposite of “transparency” or “transparentness”.
This never helps to achieve cryptographic security.
Subhamoy Maitra
RC4
Cryptanalytic Models (Stream Cipher, partial)
Required amount (say N bits) of keystream available.
Key Recovery Attack: Try to recover the key. Efficiency of
the attack depends on how less N is, and what is the time
and space complexity of the algorithm.
State Recovery Attack: Try to recover the state.
Distinguishing Attack: Try to distinguish the keystream
from ideal random stream. Need to find an event that will
distinguish. Efficiency depends on how less N is.
Side Channel Attacks: Additional information gained from
physical implementation of the system, e.g., timing
information, power consumption, electromagnetic leaks.
Fault Attacks: The cipher may become weaker if random
faults are injected.
Not considering Stream Ciphers with MAC
Subhamoy Maitra
RC4
RC4: Brief History
Subhamoy Maitra
RC4
RC4: Rivest Cipher/Ron’s Code?
Most popular software stream cipher
Developed by Ron Rivest, 1987?
Proprietary algorithm of RSA Data Security Inc.
Leaked in Cypherpunks mailing list, September 9, 1994
by Anonymous (email id: [email protected]).
Quite a few interesting email exchanges after that (available
in web)
Alleged RC4
Subhamoy Maitra
RC4
RC4: most widely deployed stream cipher
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
IEEE 802.11b (Wi-Fi): Wired Equivalent Privacy (WEP)
IEEE 802.11i: Wi-Fi Protected Access (WPA)
Apple Open Collaboration Environment (AOCE)
Microsoft Windows
Lotus Notes
Oracle Secure SQL
etc.
Subhamoy Maitra
RC4
RC4: 25 years of research
Perhaps the simplest encryption algorithm.
Only four (4) lines of design
Simple structure of RC4 has always attracted the
cryptologists.
Including stalwarts like Golic, Shamir, Biham, Preneel, Rijman,
Vaudney (and many other well known researchers, I apologize
in advance for not writing all the names).
Publications in Crypto, Eurocrypt, Asiacrypt, FSE, Journal of
Cryptology.
Lots of results, but the cipher is not yet completely broken.
(indeed a debatable statement)
References:
1
2
Wikipedia: http://en.wikipedia.org/wiki/RC4
RC4 Stream Cipher and Its Variants
by G. Paul & S. Maitra,
1st Edition, CRC Press, November 16, 2011
Subhamoy Maitra
RC4
RC4: Description
Subhamoy Maitra
RC4
RC4: Data Structure
S-array of size N = 256 bytes
Secret key k of size l = 5 to 30 bytes
Expanded key K of N = 256 bytes
Two indices i and j
Output: Stream of bytes
Key Expansion:
K [i] = k[i mod l]
k = {k0 , k1 , . . . , kl−1 }
K = {k0 , k1 , . . . , kl−1 , k0 , k1 , . . . , kl−1 , . . .}
Subhamoy Maitra
RC4
RC4: Key Scheduling Algorithm (KSA)
(Initialize S-box to identity permutation of {0, 1, . . . , 255})
for i = 0, . . . , 255
S[i] = i;
(Swap several times to provide a pseudorandom permutation)
Initialize counter: j = 0;
for i = 0, . . . , 255
j = j + S[i] + K [i];
Swap: S[i] ↔ S[j];
Addition modulo N = 256
Subhamoy Maitra
RC4
RC4: Pseudo-Random Generation Algorithm (PRGA)
Four lines of design
Initialize the counters: i = j = 0;
While you need keystream bytes
1
2
3
4
i = i + 1;
j = j + S[i];
Swap S[i] ↔ S[j];
Output Z = S[S[i] + S[j]];
Addition modulo N = 256
Subhamoy Maitra
RC4
RC4 Random Bit String
pseudo Random Generation
Subhamoy Maitra
RC4
RC4 Operation
Plaintext Byte: P
Pseudo-Random: K
Ciphertext Byte: C
Encryption
C =P ⊕K
Decryption
P =C ⊕K
How Large is the State
space for N = 256?
(28 )! × (28 )2 ≈ 21700
Strength of RC4 relies on KSA, PRGA
Subhamoy Maitra
RC4
How we have started?
Subhamoy Maitra
RC4
RC4: How we have started?
Siddheshwar Rathi was an M. Tech. (CS) student at our
institute.
Left for industry after completion of the above and then again
came back in 2006 for research program.
Took interest in RC4 research.
Left forever on October 28, 2006.
G. Paul, S. Rathi and S. Maitra.
On Non-negligible Bias of the First Output Byte
of RC4 towards the First Three Bytes of the Secret Key. In WCC 2007, International Workshop on Coding
and Cryptography, Pages 285–294, April 16-20, 2007, Versailles (France).
Extended version:
G. Paul, S. Rathi and S. Maitra.
On Non-negligible Bias of the First Output Byte
of RC4 towards the First Three Bytes of the Secret Key. Designs, Codes and Cryptography, special issue
of in memory of Hans Dobbertin, 49(1-3): 123-134 (2008).
Subhamoy Maitra
RC4
Rathi’s theorem
Theorem (Autumn 2006)
Assume that the initial (just after the KSA) permutation S0 is
chosen uniformly at random from the set of all possible
permutations of the set {0, 1, . . . , N − 1}. Then the probability
distribution of the output index t1 , that selects the first byte of the
keystream output, is given by
P(t1 = x)
=
=
=
1
N,
1
2
N − N(N−1) ,
1
2
N − N(N−1) ,
Subhamoy Maitra
RC4
for odd x
for even x 6= 2
for x = 2
The Key Scheduling Algorithm (KSA)
Subhamoy Maitra
RC4
Random Permutation by a series of (N − 1) Transpositions
Q
Given a permutation of N elements,
= (π0 , . . . , πN−1 ), a
series of N − 1 transpositions can produce random
permutation as follows [D. E. Knuth. The art of Computer Programming, Vol. 3 (Sorting
and Searching), Addison-Wesley, 1973]
For i = N − 1 to 1: πi ↔ πkeyi , where, keyi = rand(0, i);
For i = N − 1, we have N choices from 0 to N − 1, . . .,
for i = u − 1, we have u choices from 0 to u − 1, . . .,
for i = 2 − 1, we have 2 choices from 0 to 2 − 1,
and thus, a total N · (N − 1) · · · u · · · 2 = N! options for key .
However, this cannot be used in a cryptosystem as the
permutation after these steps will immediately reveal keyi .
Subhamoy Maitra
RC4
The RC4 KSA
for i = 0, . . . , N − 1: S[i] = i;
Initialize counter: j = 0;
for i = 0, . . . , N − 1
j = (j + S[i] + K [i]) mod N;
Swap: S[i] ↔ S[j];
1
Total number of permutation given l-byte key is at most 28l .
In general l is in between 5 to 30.
2
Total number of possible permutations of N elements is N!,
which is much larger than the above for N = 256.
3
Thus, the number of permutations generated is only a small
subset of all the permutations.
4
Are we getting random permutation?
Subhamoy Maitra
RC4
Non-Randomness in KSA
Subhamoy Maitra
RC4
Non-Randomness in RC4 KSA
What is P(S[u] = v ) for u, v ∈ [0, . . . , N − 1]? In ideal case
P(S[u] = v ) = N1 . For RC4 [Mantin, Master’s thesis, 2001]:
P(SN [u] = v ) =









1
N
1
N
N−1
N
N−1
N
v
v N−1 N−u−1
+ 1 − N−1
N
N
N−u−1
Subhamoy Maitra
+
N−1
N
v RC4
if v ≤ u;
if v > u.
Non-Randomness in RC4 KSA: Theory vs Practice
While most of the cases are same in theory and experiment,
there are a few points where they do not closely match. We
call them anomaly pairs.
The location of the anomaly pairs and the total number of
anomaly pairs vary with the key lengths in certain cases.
These results show that as the key length increases, the
proportion of anomaly pairs tends to decrease. With 256-byte
key, there is no anomaly pair.
Open: Characterization of the anomaly pairs.
Subhamoy Maitra
RC4
Non-Randomness in RC4 KSA: Theory
Subhamoy Maitra
RC4
Non-Randomness in RC4 KSA: Practice
Subhamoy Maitra
RC4
Non-Randomness in RC4 KSA: Theory vs Practice
u
38
38
46
47
48
66
66
70
128
128
130
v
6
31
31
15
16
2
63
63
0
127
127
Th: pNu,v
0.003846
0.003643
0.003649
0.003774
0.003767
0.003882
0.003454
0.003460
0.003900
0.003303
0.003311
Exp: qNu,v
0.003409
0.003067
0.003408
0.003991
0.003974
0.003372
0.002797
0.003237
0.003452
0.002440
0.003022
|pNu,v − qNu,v |
0.000437
0.000576
0.000241
0.000217
0.000207
0.000510
0.000657
0.000223
0.000448
0.000863
0.000289
The anomaly pairs for key length 32 bytes.
Subhamoy Maitra
RC4
u,v (in %)
12.82
18.78
7.07
5.44
5.21
15.12
23.49
6.89
12.98
35.37
9.56
Movement Frequency of Permutation Values
Maitra-Paul (Indocrypt 2008)
Theorem
The probability that a value v in the permutation is touched
exactly once during the KSA by the indices i, j, is given by
2v
N−1 N−1
, 0 ≤ v ≤ N − 1.
N ·( N )
Theorem
For 0 ≤ v ≤ N − 1, the expected number of times a value v in the
permutation is touched by the indices i, j during the KSA is given
by
2N − v
N −1 v
Ev = 1 +
·
.
N
N
In some cases, this would make it easier to guess the values of j for
which a permutation byte is swapped.
Subhamoy Maitra
RC4
Key Collision
Subhamoy Maitra
RC4
Key Collision
The RC4 KSA is not one to one. There can be two different
keys that can land to the same permutation after the KSA
and thus generating same keystream bytes during the PRGA.
Matsui (FSE 2009), 24-byte colliding key pairs:
K1
=
00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 ED A2 CD 1F E2 8C 01 76
K2
=
00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 ED A2 CD 1F E2 8C 01 77
Chen-Miyaji (ISC 2011), 22-byte colliding key pairs:
K1
=
A2 27 43 A7 03 94 2F 17 75 BB A7 27 8F DD 3E 7B C6 A1 C7 81 02 5A
K2
=
A2 27 43 A7 03 94 2F 17 75 BB A7 27 8F DD 3E 7B C6 A1 C7 82 02 5A
Open: Can you get a shorter collision?
Subhamoy Maitra
RC4
Bias of Permutation locations to Secret Key Bytes
Subhamoy Maitra
RC4
Bias of some Permutation locations toward Secret Key
for i = 0, . . . , N − 1: S[i] = i; j = 0;
for i = 0, . . . , N − 1:
{ j = (j + S[i] + K [i]) mod N; S[i] ↔ S[j]; }
Take i = 0. Updated j will be j + S[0] + K [0] = 0 + 0 + K [0].
After swap, S[0] = S[K [0]] = K [0].
After that S[0] may be touched again only by j, with
probability N1 in each step.
That is, in each step, it will not be touched by j with
probability N−1
N in each step.
In (N − 1) steps, it will not be touched with probability
N−1 ≈ 0.37 for N = 256.
( N−1
N )
Subhamoy Maitra
RC4
Bias of some Permutation locations
fy =
y (y +1)
2
+
y
X
K [x]
x=0
The most likely value of the y -th element of the permutation
after the KSA for the first few values of y is given by
SN [y ] = fy . [Roos, 1995]
Theorem (Paul-Maitra, SAC 2007)
Assume that the index j takes its value from ZN independently and
uniformly at random at each round of the KSA. Then, for
0 ≤ y ≤ r − 1, 1 ≤ r ≤ N,
P(Sr [y ] = fy ) ≈
fy = S0
N −y
N
y
hX
y (y +1)
N − 1 [ 2 +r ]
1
+ ,
·
N
N
S0 [x] +
x=0
Subhamoy Maitra
y
X
x=0
RC4
i
K [x] .
Nested Bias of some Permutation locations
A: P(SN [y ] = fy ), B: P(SN [SN [y ]] = fy ), C: P(SN [SN [SN [y ]]] = fy )
Subhamoy Maitra
RC4
Reversing the KSA
Subhamoy Maitra
RC4
Reversing the KSA
RC4 KSA is not one-to-one, there are examples where two
different keys provide the same permutation.
However, the collision is not frequent.
Consider that the permutation after the KSA is given.
How can we get back the key?
Our work (SAC 2007), followed by Biham-Carmeli (FSE
2008), Akgün-Kavak-Demirci (Indocrypt 2008),
Khazaei-Meier et. al. (MMICS 2008)
Subhamoy Maitra
RC4
Reversing the KSA: Basic Idea
Consider a 5-byte secret key K [0 . . . 4] with
K [0] = 106, K [1] = 59, K [2] = 220, K [3] = 65, and K [4] = 34.
If one runs the KSA with this key, then the first 16 bytes of the
final permutation are as follows.
y
fy
S256 [y ]
y
fy
S256 [y ]
0
106
230
8
202
202
1
166
166
9
245
83
2
132
87
10
105
105
3
200
48
11
175
147
Subhamoy Maitra
RC4
4
238
238
12
151
151
5
6
93 158
93
68
13 14
229 21
229 35
7
129
239
15
142
142
Reversing the KSA (contd.)
The most likely value of the y -th element of the permutation
after the KSA for the first few values of y is given by
SN [y ] = fy . [Roos, 1995]
Consider all possible systems of 5 equations chosen from the
16 equations of the form SN [y ] = fy , 0 ≤ y ≤ 15.
A solution to such a system would give one candidate key.
The correctness of a candidate key can be verified by running
the KSA with this key and comparing the permutation thus
obtained with the permutation in hand.
Of course, some of the systems may not be solvable at all.
Subhamoy Maitra
RC4
Reversing the KSA (contd.)
The correct solution for this example correspond to the choices
y = 1, 4, 5, 8 and 12, and the corresponding equations are:
K [0] + K [1] + (1 · 2)/2
=
K [0] + K [1] + K [2] + K [3] + K [4] + (4 · 5)/2
=
238
K [0] + . . . + K [5] + (5 · 6)/2
=
93
K [0] + . . . + K [8] + (8 · 9)/2
=
202
K [0] + . . . + K [12] + (12 · 13)/2
=
151
166
K [0] = K [5] = K [10], K [1] = K [6] = K [11] and so on.
Exhaustive search for 5-byte key requires complexity of 240 .
In the
one needs to consider at the most
above approach,
16
13 sets of 5 equations.
=
4368
<
2
5
Equations are triangular in form, solving each system of 5
equations: approximately 52 = 25 many add/subtract.
Thus the complexity required is less than 218 .
Subhamoy Maitra
RC4
The Pseudo Random Generation Algorithm (PRGA)
Subhamoy Maitra
RC4
RC4 PRGA
Initialize the counters: i = j = 0;
While you need keystream bytes
1
2
3
4
i = i + 1;
j = j + S[i];
Swap S[i] ↔ S[j];
Output Z = S[S[i] + S[j]];
Addition modulo N = 256
Subhamoy Maitra
RC4
State Recovery from Keystream
How Large is the State space?
28 ! × (28 )2 ≈ 21700
Knudsen, Meier, Preneel, Rijmen & Verdoolaege
(ASIACRYPT 1998): 2779
Shiraishi, Ohigashi & Morii (CommNet. InfoSec. 2003): 2220
(if 112 permutation entries are known)
Tomasevic, Bojanic & Nieto-Taladriz (Info. Sci. 2007): 2731
Maximov & Khovratovich (CRYPTO 2008): 2241
Golic & Morgari (eprint 2008)
Safe to use upto key length 30 bytes (240 bits).
Open: Improving this and may be in a little easier manner.
Subhamoy Maitra
RC4
Cycles in RC4
No known short cycle in RC4 PRGA.
Finney cycle is one interesting example, but that cannot
happen in RC4.
Suppose, j = i + 1 and S[j] = 1 in some round of RC4 PRGA.
Then the same relations continue to hold in all subsequent
rounds.
A cycle of length N(N − 1) is formed in the state-space.
In PRGA, we start with: i = j = 0 and the condition for
Finney cycle is never satisfied.
H. Finney. An RC4 cycle that cant happen. Post in sci.crypt,
September 1994.
Open problem: Any short cycle in RC4
Subhamoy Maitra
RC4
Non-Randomness of j
j is considered to be a pseudo-random index
j = j + S[i], i.e., j1 = j0 + S[1] = S[1]
We have already seen that S[u] = v is biased just after KSA
Thus, j1 will also be biased
Biases are also observed in j2
For jr , r ≥ 3, biases are not prominent
Subhamoy Maitra
RC4
Non-Randomness of j in the initial rounds
Pr(j1 = v ) =







1
N ,
1 N−1
1 N−1 N−2
+
,
N N
N
N
N−1 N−2
1
N−1 v
+ N
,
N
N
if v = 0;
if v = 1;
if v > 1.
0.01
Distribution of j1
Distribution of j2
Pr( j r = v ).
0.0075
Distribution of j3
0.005
0.0039
0.0025
04
32
64
96
128
160
192
224
Value v, from 0 to 255.
Figure: Probability distribution of jr for 1 ≤ r ≤ 3.
Subhamoy Maitra
RC4
255
Biases in RC4 Keystream
Subhamoy Maitra
RC4
Biases in RC4 Keystream
Independent of the KSA, consider the PRGA that starts from
a random permutation.
i = j = 0; While you need keystream bytes
i = i + 1; j = j + S[i]; S[i] ↔ S[j]; Z = S[S[i] + S[j]];
For ideal case, P(zi = x) should be
x ∈ [0, . . . , N − 1].
1
N,
for any
For RC4, there are cases where it is not ideal, e.g.,
P(z2 = 0) ≈ N2 .
Subhamoy Maitra
RC4
Bias in 2nd Byte: Mantin-Shamir (FSE 2001)
0
1
X
2
0
Y
0
3
X
Y
i j
X
j
i
Y
S[X + Y ]
X
0
i
j
Figure: Mantin/Shamir’s Bias
Subhamoy Maitra
RC4
0
Attack on Broadcast RC4: Mantin-Shamir (FSE 2001)
P[z2 = 0] = P[z2 = 0|S0 (2) = 0] · P[S0 (2) = 0] + P[z2 = 0|S0 (2) 6= 0] · P[S0 (2) 6= 0]
1
1
1
2
≈1·
+
· (1 − ) ≈
N
N
N
N
Ideal Case : P[z2 = 0] = p = N1
RC4 : P[z2 = 0] = p(1 + q) = N2
APPLICATIONS
A. Strong Distinguisher : O( pq1 2 ) = O(N) different
keystreams required to distinguish RC4 from a
random source.
B. Recovery of 2nd Byte of O(N) Plaintexts encrypted
with RC4 → Most frequent 2nd ciphertext byte.
Subhamoy Maitra
RC4
More on this Bias after a decade
MS-Claim (2001): P(Zr = 0) =
1
N
at PRGA rounds 3 ≤ r ≤ 255.
Theorem (Maitra-Paul-SenGupta, FSE 2011)
P(Zr = 0) ≈ N1 + Ncr2 . For N = 256 and 3 ≤ r ≤ 255, the
probability Pr(Zr = 0) is bounded as
1
1.337057
≥ Pr(Zr = 0) ≥ N1 + 0.242811
.
N +
N2
N2
Value of cr .
1.5
1.0
0.5
0.0
3
32
64
96
128
160
Index r of RC4 keystream bytes.
Subhamoy Maitra
RC4
192
224
255
Negative bias in Z2 towards two (2)
As Pr(Z2 = 0) ≈
2
N,
Pr(Z2 = x) should be
1
N
−
1
N2
for x 6= 0.
Theorem (Sarkar 2012)
Assume that the initial permutation S0 of RC4 PRGA is randomly
chosen from the set of all permutations of {0, 1, . . . , N − 1}. Then
the probability that the second output byte of RC4 keystream is 2
is approximately 1/N − 3/N 2 .
Second significant keystream bias after Mantin and Shamir.
Subhamoy Maitra
RC4
Distribution of Z2
1
N
1
N
Pr(Z2 = x)
64
128
192
255
x→
Figure: Distribution of Pr(Z2 = x) for x ∈ [1, 255].
Subhamoy Maitra
RC4
− 32
N
Negative bias in Z1 towards zero
Negative bias in Z1 towards zero: Observed by Mironov (Crypto
2002)
Theorem
Assume that the initial permutation S0 of RC4 PRGA is randomly
chosen from the set of all permutations of {0, 1, . . . , N − 1}. Then
the probability that the first output byte of RC4 keystream is 0 is
approximately 1/N − 1/N 2 .
Proved S0 [j1 ] = 0 & j1 6= 1 ⇒ Z1 6= 0
Subhamoy Maitra
RC4
Negative bias in Z1 towards zero
0
1
X
2
3
X
0
i j
0
X
i
j
Subhamoy Maitra
RC4
S[X ]
Complete distribution of Z1
Sine curve: Observed by Mironov (Crypto 2002)
0.003935
Experimental (with 16 byte keys)
Theoretical (with KSA-generated S0 )
Theoretical (with Random S0 )
Pr (Z1 = v).
0.003925
0.003915
0.003905
0.003895
0.003885
0
32
64
96
128
160
192
Value v taken by the first output byte Z1 of RC4.
224
255
Figure: The probability distribution of the first output byte Z1 .
Complete proof by [SenGupta-Maitra-Paul-Sarkar], Available
Online JoC, 2012.
Subhamoy Maitra
RC4
Digraph Repetition Bias (Mantin, Eurocrypt 2005)
Most efficient long term distinguisher for RC4.
The term digraph means a pair of consecutive keystream
words.
Getting strings of the pattern ABTAB, where A, B are bytes
and T is a string of bytes of small length ∆ (typically ∆ ≤ 16)
are more probable in RC4 keystream than in random stream.
The probability is
association.
1
(1
N2
+
e
−8−8∆
N
N
)>
1
,
N2
the random
Number of samples required to distinguish RC4 from uniform
random stream are 229 , 228 , and 226 for success probabilities
0.9, 0.8 and 0.67 respectively.
Open: Any better long term distinguisher than this.
Subhamoy Maitra
RC4
Other long term biases
Golic [Eurocrypt 1997]: Certain correlation was found between
the least significant bits of the two non-consecutive output
bytes Zr and Zr +2 , for all rounds r of RC4.
Fluhrer-McGrew [FSE 2000]:
P(ZkN+1 = 0 | ZkN = 0) ≈ 1/N + 1/N 2 ,
P(ZkN+2 = 0 | ZkN+1 = 0) ≈ 1/N + 2/N 2 .
Motivated by Golic’s result (bit to byte and non-consecutive) as
well as similar to Fluhrer-McGrew (in terms of bytes):
Theorem (SenGupta-Maitra-Paul-Sarkar, 2012)
For any integer w ≥ 1, assume that the permutation SwN is
randomly chosen from the set of all possible permutations of
{0, . . . , N − 1}. Then P(ZwN+2 = 0 ∧ ZwN = 0) ≈ 1/N 2 + 1/N 3 .
First long-term byte-wise correlation observed between two
non-consecutive bytes.
Subhamoy Maitra
RC4
Keystream and Key correlation
Subhamoy Maitra
RC4
Keystream and Key correlation
First few bytes of initial keystream are biased to secret keys.
These may be used in different kinds of attacks in practical
scenarios, e.g., WEP, WPA etc.
These biases are generally not significant if some initial bytes
are thrown away.
Subhamoy Maitra
RC4
Glimpse Theorem
R. J. Jenkins. ISAAC and RC4. 1996. Available at
http://burtleburtle.net/bob/rand/isaac.html
Theorem (Glimpse Theorem)
After the r -th round of the PRGA, r ≥ 1,
P(Sr [jr ] = ir − zr ) = P(Sr [ir ] = jr − zr ) ≈
2
.
N
Corollary
P(zr = r − Sr −1 [r ]) ≈
2
N,
r ≥ 1.
Theorem (Klein, 2006, published DCC 2008)
For r ≥ 1, we have P(zr = r − fr ) =
ωr = P(Sr −1 [r ] = fr ).
Subhamoy Maitra
1
N
RC4
· (1 + ωr ), where
Numerical Values
r
1-8
9-16
17-24
25-32
33-40
41-48
P(zr = r − fr )
0.0053 0.0053 0.0053
0.0051 0.0050 0.0050
0.0046 0.0046 0.0045
0.0043 0.0042 0.0042
0.0041 0.0040 0.0040
0.0040 0.0040 0.0040
Note that
1
N
0.0053
0.0049
0.0045
0.0042
0.0040
0.0040
= 0.0039, for N = 256.
Subhamoy Maitra
RC4
0.0052
0.0048
0.0044
0.0041
0.0040
0.0040
0.0052
0.0048
0.0044
0.0041
0.0040
0.0039
0.0052
0.0047
0.0043
0.0041
0.0040
0.0039
0.0051
0.0047
0.0043
0.0041
0.0040
0.0039
Biases in 256, 257th bytes
[Maitra-Paul, FSE 2008]
Theorem
2N−1 + 1 · ( N−1 )N−1 − 1 + 1 .
P(zN = N − f0 ) = N1 · 1 + ( N−1
)
2
2
N
N
N
N
N
This probability is 0.0045 for N = 256.
Theorem
P(zN+1
= N + 1 − f1 )
1
3(N−1) −
= N · 1 + ( N−1
N )
is 0.0041 for N = 256.
1
N
2(N−1) +
· ( N−1
N )
1
N
. This probability
Open: Can we have some bias greater than 0.0040 in later bytes?
Subhamoy Maitra
RC4
Bias Related to Key Length
Subhamoy Maitra
RC4
Sepehrdad, Vaudenay and Vuagnoux (SAC 2010)
SAC 2010. Discovery and Exploitation of New Biases in RC4.
P. Sepehrdad, S. Vaudenay and M. Vuagnoux.
[SVV10]
Applications:
Key recovery attack against WEP [Sepehrdad et al, SAC 2010]
Distinguishing attack against WPA [Sepehrdad et al, EUROCRYPT 2011]
Empirical Result Pr(S16 [j16 ] = 0 | Z16 = −16) ≈ 10
N : SVV (SAC 2010)
SVV10 authors commented:
“So far, we have no explanation about this new bias.”
Q: Whats up with the number 16?
Ans. Its just the keylength in bytes!
(1)
(1)
Pr (Sl [jl ] = 0 | Zl = −l) ≈ ηl /256, where ηl
l increases from 5 to 32.
Subhamoy Maitra
RC4
decreases from 12 to 7 as
Bias Related to Key Length
SenGupta-Maitra-Paul-Sarkar [JoC, 2012]
Theorem
Suppose that l is the length of the secret key of RC4. Then we
have
1
1
Pr(Zl = −l ∧ Sl [jl ] = 0) ≈ 2 + 1 − 2 γl ,
N
N
where
γl = N12 1 −
l+1
N
PN−1
x=l+1
Gives Pr(Zl = −l) >
1
N
1−
+
1 x
N
1−
1
N2
Subhamoy Maitra
RC4
2 x−l
N
1−
3 N−x+2l−4
.
N
Key Length Prediction
Theorem
Suppose that l is the length of the secret key of RC4. Then we
have
1
1
1
Pr(Zl = −l) ≈ 2 + 1 − 2 γl + (1 − δl ) ,
N
N
N
where
1
δl = Pr(S1 [l] = 0) 1 −
N
l−1 X
l−t
X
Pr(S1 [t] = 0)
w! · N
t=2 w =0
w l −t −1
1 l−3−w
1−
.
N
N
l−2
Subhamoy Maitra
+
RC4
Key Length Prediction
Figure: Distribution of Pr (Zl = −l) for different lengths 5 ≤ l ≤ 32 of
the RC4 secret key.
Subhamoy Maitra
RC4
New Bias
We observe and prove a family of new conditional biases.
New biases:
(2)
(2)
Pr (Zl = −l | Sl [jl ] = 0) ≈ ηl /256 where 12 ≥ ηl
Pr (Sl [l] = −l | Sl [jl ] = 0)
Pr (tl = −l | Sl [jl ] = 0) ≈
Pr (Sl [jl ] = 0 | tl = −l) ≈
(3)
≈ ηl /256 where 34
(4)
ηl /256 where 34 ≥
(5)
ηl /256
Subhamoy Maitra
where 30 ≥
RC4
≥ 7 as l ∈ [5, 32]
(3)
≥ ηl
(4)
ηl ≥
(5)
ηl
≥ 22 as l ∈ [5, 32]
22 as l ∈ [5, 32]
≥ 20 as l ∈ [5, 32]
Other Significant Biases
Subhamoy Maitra
RC4
Significant initial round empirical bias
Significant biases: SVV10
Type of Bias
Biased events
Probabilities
observed in SVV
reported in SVV
j2 + S2 [j2 ] = S2 [i2 ] + Z2
2/N
Bias at Specific
j2 + S2 [j2 ] = 6
2.37/N
Initial Rounds
j2 + S2 [j2 ] = S2 [i2 ]
2/N
j1 + S1 [i1 ] = 2
1.94/N
Subhamoy Maitra
RC4
Significant initial round empirical bias
Significant biases: SVV10
Type of Bias
Biased events
Probabilities
observed in SVV
reported in SVV
Bias at All Rounds
jr + Sr [ir ] = ir + Sr [jr ]
2/N
(round-independent)
jr + Sr [jr ] = ir + Sr [ir ]
2/N
Bias at All Initial
Sr [ir ] = jr
1.9/N at r = 3
Rounds, 1 ≤ r ≤ N − 1
Sr [tr ] = tr
1.9/N at r = 3
(round-dependent)
Sr [jr ] = ir
2.34/N at r = 3
Subhamoy Maitra
RC4
Round-Dependent Bias at Initial Rounds
Observation: Pr(Sr [ir ] = jr ) ≈ Pr(Sr [tr ] = tr ) ≈
1.9
N
for r = 3
Theorem
For PRGA rounds 3 ≤ r ≤ N − 1, Pr(Sr [ir ] = jr ) ≈ Pr(Sr [tr ] = tr )
N−1
X 1
1 r −2
r
is N 2 +
+
Pr(S1 [X ] = X ) 1 −
N
N
X =r
!
r −u
r −1 X
X
Pr(S1 [u] = r ) r − u − 1 w
1 r −3−w
.
1−
w! · N
N
N
u=2 w =0
Subhamoy Maitra
RC4
Round-Dependent Bias at Initial Rounds
Experimental verification:
0.008
0.005
0.004
Experimental (16 byte key)
Theoretical
0.007
Pr (Sr [tr ] = tr ).
Pr (Sr [ir ] = jr ).
0.006
0.003 3
0.008
Experimental (16 byte key)
Theoretical
0.007
0.006
0.005
0.004
32
64
96
128
160
Count r of RC4 rounds.
192
224
255
0.003 3
32
64
96
128
160
Count r of RC4 rounds.
192
Figure: Distributions of Pr(Sr [ir ] = jr ) and Pr(Sr [tr ] = tr ) for initial
rounds 3 ≤ r ≤ 255 of RC4 PRGA.
Subhamoy Maitra
RC4
224
255
Round-Dependent Bias at Initial Rounds
Observation: Pr(Sr [jr ] = ir ) =
2.34
N
for r = 3
Theorem
For PRGA rounds 3 ≤ r ≤ N − 1 Pr(Sr [jr ] = ir ) is
r −2
Pr(S1 [r ] = r ) 1 − N1
+
r −t
rX
−1 X
Pr(S1 [t] = r ) r − t − 1 w
1 r −3−w
.
1−
w! · N
N
N
t=2 w =0
Subhamoy Maitra
RC4
Round-Dependent Bias at Initial Rounds
Experimental verification:
0.010
Experimental (16 byte key)
Theoretical
Pr (Sr [jr ] = ir ).
0.009
0.008
0.007
0.006
0.005
0.004 3
32
64
96
128
160
Count r of RC4 rounds.
192
224
255
Figure: Distribution of Pr(Sr [jr ] = ir ) for rounds 3 ≤ r ≤ 255 of RC4
PRGA.
Subhamoy Maitra
RC4
Fault Attack
Subhamoy Maitra
RC4
Fault Attack
The fault models usually rely on optimistic assumptions and
consider a weaker version of the cipher than the original one.
The attacker should have partial control in terms of number,
location, and timing of fault injections.
It is also assumed that the attacker can reset the system with
the same key as many times as he wants. In other words, he
can cancel the effects of the previously made faults, go back
to the initial configuration and re-execute the cipher with the
same key.
Though the assumptions are optimistic, they are not
unrealistic.
In addition, the fault models serve as platforms to evaluate
the strength and weaknesses of the cipher.
The motivation is to recover the RC4 permutation.
Subhamoy Maitra
RC4
Fault Attack on RC4: Hoch-Shamir, CHES 2004
It is assumed that the attacker can introduce a fault on a
single byte of S after the KSA is over but before the PRGA
begins.
Further, the attacker can reset the system and inject a new
fault as many times as desired.
Under such a model, the attacker can analyze the resulting
keystreams to reconstruct the internal state.
If S[y ] = v and the fault changes v to v 0 , then it is possible
to recognize both v and v 0 , but not y .
The strategy is to observe the frequency of each value in the
keystream.
The value v would never appear and v 0 would appear with
twice the expected frequency.
Subhamoy Maitra
RC4
Impossible Fault Attack on RC4
Biham-Granboulan-Nguyen [FSE 2005]
The attacker repeatedly injects faults into either register i or
register j, until a Finney state is identified.
It provides a very small cycle and also looking at the outputs
it is possible to immediately recover the state.
Impossible, as the cipher lands into the impossible Finney
state due to the fault.
Subhamoy Maitra
RC4
Differential Fault Attack on RC4
Biham-Granboulan-Nguyen [FSE 2005]
This attack relies on collecting three sets of data with the
same unknown key.
In each of the following cases, the KSA is performed without
any fault.
1
The first set is the first 256 keystream bytes zr ,
r = 1, 2, . . . , 256 from normal RC4.
2
For each t in [0, 255], make a fault in S[t] and run the PRGA
for 30 steps. Thus, we have 256 output streams, each of
length 30. Denote these streams by Xt , t = 0, 1, . . . , 255.
3
Run the PRGA for 30 steps. Then for each t ∈ [0, 255], inject
a fault in S[t] and starting from that step collect longer
keystreams Yt .
The technique employed to guess the entries of the permutation is
called cascade guessing.
Subhamoy Maitra
RC4
Other fault attacks
Fault Attack based on Fork Model [Mantin, Asiacrypt 2005]:
The attacker injects a fault either to j or to one of the entries
of S that are located closely after the index i. Repeating this
many times, the attacker collects many instances of RC4 that
are identical initially but they diverge at a certain point.
Fault Attack with Pseudo-Random Index Stuck [Maitra-Paul,
ACISP 2008]: Recovers the RC4 permutation completely
when the value of the pseudo-random index j is stuck at some
value x from some point in PRGA.
Subhamoy Maitra
RC4
Modifying the design of RC4
Subhamoy Maitra
RC4
Modified Designs of RC4: Byte Oriented
RC4A: Paul-Preneel, FSE 2004, Cryptanalysis: Maximov, FSE
2005
Two copies of RC4
VMPC: Zoltak, FSE 2004, Cryptanalysis: Maximov, FSE
2005, Tsunoo et al, SKEW 2005
Variably Modified Permutation Composition: which is a
transformation of permutation P into the permutation Q.
RC4+ : Maitra-Paul, Indocrypt 2008, Cryptanalysis: nothing
known
More rounds in KSA and some modification in PRGA
Open: Cryptanalysis of RC4+ , probably nobody is interested
or it is a great ;-) design!
Subhamoy Maitra
RC4
Modified Designs of RC4: Word Oriented
In [McKague, Masters thesis, UoW 2005], two new ciphers,
named Sheet Bend and Bowline, were developed by expanding
RC4 to 32 bits.
The work [NGG, Nawaz-Gupta-Gong, eprint 2005]
proposed a generalization of RC4 with an aim to expand RC4
to 32/64 bits with a state size much smaller than 232 or 264 .
The new algorithm is called RC 4(n, m), where N = 2n is the
size of the state array in words, m is the word size in bits,
n ≤ m.
Another version GGHN (GG-Hell-N, CISC 2005).
Cryptanalytic results available, latest by Banik-Maitra-Sarkar
(Indocrypt 2011)
Subhamoy Maitra
RC4
Modified Designs of RC4: Word Oriented
In 2005, an RC4-like stream cipher Py (pronounced Roo) was
submitted [Biham-Seberry] to the eSTREAM project. Variant
in 2007.
The cipher Py produces two 32-bit words as output at each
step.
A building block of the cipher is rolling arrays.
The designers of Py define the rolling array to be a vector
whose entries are cyclically rotated by one place at every step.
Many attacks reported, e.g., Wu-Preneel, Eurocrypt 2007,
Sekar-Paul-Preneel, ISC 2007, Indocrypt 2007.
Subhamoy Maitra
RC4
Modified Designs of RC4: Our Attempt
Several copies (say 4) of RC4, each one is a permutation.
Glued one below the other.
A 32-bit (Quad-RC4) or 64-bit (Octa-RC4) cipher.
All the weaknesses of RC4 should be removed.
Facility of IV and MAC.
Should be competitive with HC-128 in speed and security.
Rejected in Indocrypt 2012 :-(
Subhamoy Maitra
RC4
Modified Designs of RC4: Work in progress
Let us denote the permutations by S1 , S2 , . . . , Sm .
They are merged into a single array S of size 256, where the
i-th entry of S is an 8m-bit number, formed by concatenating
the m many bytes S1 [i], . . . , Sm [i].
One can visualize S as a two-dimensional structure, where
each column is a word of S and each row is a permutation.
We use two variables i and j to access a word of S or a byte
of the individual permutations.
Lots of issues are yet to be settled . . . to have a competitive
design.
Subhamoy Maitra
RC4
Conclusion
Cryptanalysis is always interesting and RC4 cryptanalysis is
still publishable.
Getting a better design in this direction is challenging and also
hard to publish (true for any stream cipher design).
Is the RC4 dead? Long live the RC4.
Thank You
Subhamoy Maitra
RC4

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2025 Paperzz