nach oben

Journal of Cryptology

Erschienen in:

01.01.2014

(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

verfasst von: Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, Santanu Sarkar

Erschienen in: Journal of Cryptology | Ausgabe 1/2014

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudo-random sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, and the keystream of the cipher.

Though biases based on the secret key are common in RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of RC4 keylength on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof.

In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010.

In the third part, we present the derivation of the complete probability distribution of the first byte of RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate for long-term non-randomness in the keystream, and prove a new long-term bias of RC4.

Vorheriger Artikel Concurrent Zero Knowledge, Revisited

Nächster Artikel A New Interactive Hashing Theorem

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

[1]

M. Akgün, P. Kavak, H. Demirci, New results on the key scheduling algorithm of RC4, in INDOCRYPT’08. Lecture Notes in Computer Science, vol. 5365 (2008), pp. 40–52

[2]

R. Basu, S. Ganguly, S. Maitra, G. Paul, A complete characterization of the evolution of RC4 pseudo random generation algorithm. J. Math. Cryptol. 2(3), 257–289 (2008) CrossRefMATHMathSciNet

[3]

R. Basu, S. Maitra, G. Paul, T. Talukdar, On some sequences of the secret pseudo-random index j in RC4 key scheduling, in AAECC’09. Lecture Notes in Computer Science, vol. 5527 (2009), pp. 137–148

[4]

E. Biham, Y. Carmeli, Efficient reconstruction of RC4 keys from internal states, in FSE’08. Lecture Notes in Computer Science, vol. 5086 (2008), pp. 270–288

[5]

J. Chen, A. Miyaji, How to find short RC4 colliding key pairs, in ISC’11. Lecture Notes in Computer Science, vol. 7001 (2011), pp. 32–46

[6]

S.R. Fluhrer, D.A. McGrew, Statistical analysis of the alleged RC4 keystream generator, in FSE’00. Lecture Notes in Computer Science, vol. 1978 (2000), pp. 19–30

[7]

S.R. Fluhrer, I. Mantin, A. Shamir, Weaknesses in the key scheduling algorithm of RC4, in SAC’01. Lecture Notes in Computer Science, vol. 2259 (2001), pp. 1–24

[8]

J.D. Golic, Linear statistical weakness of alleged RC4 keystream generator, in EUROCRYPT’97. Lecture Notes in Computer Science, vol. 1233 (1997), pp. 226–238

[9]

J.D. Golic, Iterative probabilistic cryptanalysis of RC4 keystream generator, in ACISP’00. Lecture Notes in Computer Science, vol. 1841 (2000), pp. 220–233

[10]

J.D. Golic, G. Morgari, Iterative probabilistic reconstruction of RC4 internal states. IACR Cryptology ePrint Archive, Report 2008/348 (2008). Available at http://eprint.iacr.org/2008/348

[11]

A.L. Grosul, D.S. Wallach, A related-key cryptanalysis of RC4. Technical Report TR-00-358, Department of Computer Science, Rice University (2000)

[12]

R.J. Jenkins, ISAAC and RC4 (1996). Published on the Internet at http://burtleburtle.net/bob/rand/isaac.html

[13]

S. Khazaei, W. Meier, On reconstruction of RC4 keys from internal states, in MMICS’08. Lecture Notes in Computer Science, vol. 5393 (2008), pp. 179–189

[14]

A. Klein, Attacks on the RC4 stream cipher. Des. Codes Cryptogr. 48(3), 269–286 (2008) CrossRefMATHMathSciNet

[15]

L.R. Knudsen, W. Meier, B. Preneel, V. Rijmen, S. Verdoolaege, Analysis methods for (alleged) RC4, in ASIACRYPT’98. Lecture Notes in Computer Science, vol. 1514 (1998), pp. 327–341

[16]

S. Maitra, G. Paul, S. Sen Gupta, Attack on broadcast RC4 revisited, in FSE’11. Lecture Notes in Computer Science, vol. 6733 (2011), pp. 199–217

[17]

I. Mantin, Analysis of the stream cipher RC4. Master’s Thesis, The Weizmann Institute of Science, Israel (2001). Available at http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html

[18]

I. Mantin, A. Shamir, A practical attack on broadcast RC4, in FSE’01. Lecture Notes in Computer Science, vol. 2355 (2002), pp. 152–164

[19]

I. Mantin, Predicting and distinguishing attacks on RC4 keystream generator, in EUROCRYPT’05. Lecture Notes in Computer Science, vol. 3494 (2005), pp. 491–506

[20]

I. Mantin, A practical attack on the fixed RC4 in the WEP mode, in ASIACRYPT’05. Lecture Notes in Computer Science, vol. 3788 (2005), pp. 395–411

[21]

M. Matsui, Key collisions of the RC4 stream cipher, in FSE’09. Lecture Notes in Computer Science, vol. 5665 (2009), pp. 38–50

[22]

A. Maximov, D. Khovratovich, New state recovery attack on RC4, in CRYPTO’08. Lecture Notes in Computer Science, vol. 5157 (2008), pp. 297–316

[23]

I. Mironov, (Not so) random shuffles of RC4, in CRYPTO’02. Lecture Notes in Computer Science, vol. 2442 (2002), pp. 304–319

[24]

S. Mister, S.E. Tavares, Cryptanalysis of RC4-like ciphers, in SAC’98. Lecture Notes in Computer Science, vol. 1999 (1998), pp. 131–143

[25]

S. Paul, B. Preneel, Analysis of non-fortuitous predictive states of the RC4 keystream generator, in INDOCRYPT’03. Lecture Notes in Computer Science, vol. 2904 (2003), pp. 52–67

[26]

G. Paul, S. Maitra, Permutation after RC4 key scheduling reveals the secret key, in SAC’07. Lecture Notes in Computer Science, vol. 4876 (2007), pp. 360–377

[27]

A. Roos, A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$1j3@hermes.is.co.za and 44ebge$llf@hermes.is.co.za (1995). Available at http://www.impic.org/papers/WeakKeys-report.pdf

[28]

S. Sen Gupta, S. Maitra, G. Paul, S. Sarkar, Proof of empirical RC4 biases and new key correlations, in SAC’11. Lecture Notes in Computer Science, vol. 7118 (2011), pp. 151–168

[29]

P. Sepehrdad, Statistical and algebraic cryptanalysis of lightweight and ultra-lightweight symmetric primitives. Ph.D. Thesis, No. 5415, École Polytechnique Fédérale de Lausanne (EPFL) (2012). Available at http://lasecwww.epfl.ch/~sepehrdad/Pouyan_Sepehrdad_PhD_Thesis.pdf

[30]

P. Sepehrdad, S. Vaudenay, M. Vuagnoux, Discovery and exploitation of new biases in RC4, in SAC’10. Lecture Notes in Computer Science, vol. 6544 (2011), pp. 74–91

[31]

P. Sepehrdad, S. Vaudenay, M. Vuagnoux, Statistical attack on RC4—distinguishing WPA, in EUROCRYPT’11. Lecture Notes in Computer Science, vol. 6632 (2011), pp. 343–363

[32]

Y. Shiraishi, T. Ohigashi, M. Morii, An improved internal-state reconstruction method of a stream cipher RC4, in Communication, Network, and Information Security. Track 440-088, New York, USA, December 10–12 (2003)

[33]

V. Tomasevic, S. Bojanic, O. Nieto-Taladriz, Finding an internal state of RC4 stream cipher. Inf. Sci. 177, 1715–1727 (2007) CrossRefMATHMathSciNet

[34]

E. Tews, R.-P. Weinmann, A. Pyshkin, Breaking 104 bit WEP in less than 60 seconds, in WISA’07. Lecture Notes in Computer Science, vol. 4867 (2007), pp. 188–202

[35]

E. Tews, M. Beck, Practical attacks against WEP and WPA, in WISEC’09 (ACM, New York, 2009), pp. 79–86

[36]

S. Vaudenay, M. Vuagnoux, Passive-only key recovery attacks on RC4, in SAC’07. Lecture Notes in Computer Science, vol. 4876 (2007), pp. 344–359

[37]

D.A. Wagner, My RC4 weak keys (1995). http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys

Titel: (Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher
verfasst von: Sourav Sen Gupta
Subhamoy Maitra
Goutam Paul
Santanu Sarkar
Publikationsdatum: 01.01.2014
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 1/2014
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-012-9138-1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2014

Security Models and Proof Strategies for Plaintext-Aware Encryption

Concurrent Zero Knowledge, Revisited

Erratum to: A Comparison of Cryptanalytic Tradeoff Algorithms

A New Interactive Hashing Theorem

A One-Time Stegosystem and Applications to Efficient Covert Communication

An Efficient State Recovery Attack on the X-FCSR Family of Stream Ciphers

Premium Partner