Title: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
Souradyuti Paul and Bart Preneel, K.U. Leuven, ESAT/COSIC
FSE 2004, New Delhi, India, February 6, 2004
2 Overview of the Presentation
- Description of RC4
- Main Contributions
- Anomaly in the first two bytes of RC4
- Estimating the bias in the first two bytes of RC4
- RC4A A New Stream Cipher
- Design Principle of RC4A
- Conclusions
3 Description of RC4
- based on an exchange shuffle paradigm
- the algorithm runs in two phases:
  - key-scheduling algorithm (KSA)
  - pseudo-random generation algorithm (PRGA)
- the pseudorandom bytes are bit-wise XORed with the plaintext bytes
4 RC4 (1987)
- designed by Ron Rivest (MIT)
- leaked out in 1994
- Key Scheduling Algorithm: S[0..255] is a secret table derived from the user key K (usually 40 to 256 bits; the key bytes are repeated cyclically to cover all 256 positions)

    for i = 0 to 255: S[i] = i
    j = 0
    for i = 0 to 255:
        j = (j + S[i] + K[i mod keylen]) mod 256
        swap S[i] and S[j]
    i = 0, j = 0
5 RC4 (1987)
- Pseudo-random Generation Algorithm: generates the keystream which is added (XORed) to the plaintext

    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap S[i] and S[j]
    t = (S[i] + S[j]) mod 256
    output S[t]

(Figure: the table S with the pointers i and j and the output index t; the example values shown in the diagram did not survive extraction.)
6 Main Contributions
- A new statistical bias in the distribution of the first two output bytes.
- Existence of the bias after dropping the first N bytes.
- A possible method to improve the security and performance of the cipher.
7 The First Two Outputs are Unequal When S_0[1] = 2
- Assume that after the key scheduling algorithm P(S_0[1] = 2) = 1/N.
- Initial permutation S_0 (pointers i = 0, j = 0); X = S_0[2] and Z = S_0[4] are arbitrary values, both different from 2:

    Index  0  1  2  3  4  ...  N-1
    S_0       2  X     Z

8 The First Two Outputs are Unequal When S_0[1] = 2 (Contd.)
- Round 1: i = 1, j = 0 + S_0[1] = 2; swap S[1] and S[2]:

    Index  0  1  2  3  4  ...  N-1
    S_1       X  2     Z

  Output S_1[S_1[1] + S_1[2]] = S_1[X + 2].
- Round 2: i = 2, j = 2 + S_1[2] = 4; swap S[2] and S[4]:

    Index  0  1  2  3  4  ...  N-1
    S_2       X  Z     2

  Output S_2[S_2[2] + S_2[4]] = S_2[Z + 2].
- Since X ≠ Z the two output indices X + 2 and Z + 2 differ, and S_1 and S_2 differ only in positions 2 and 4; checking the cases X + 2 ∈ {2, 4} and Z + 2 ∈ {2, 4} separately shows that the two outputs are always different.
9 Strong Distinguisher
- A distinguisher is an algorithm which distinguishes a stream of bits from a perfectly random stream of bits.
- A strong distinguisher is a distinguisher which detects bias at particular locations of several randomly chosen streams of bits.
10 Quantifying the Bias
- We assume that the first two output bytes are equal with probability 1/N when S_0[1] ≠ 2.
- Therefore the probability that the first two output bytes are equal is P(S_0[1] ≠ 2) · 1/N + P(S_0[1] = 2) · 0 = (1/N)(1 - 1/N).
- The sample size needed to noticeably distinguish the RC4 keystream from a random stream of bits is O(N^3) bytes.
- Experiments show that 2^24 pairs of bytes suffice to show the bias for N = 256.
11 Distinguishing Attacks on RC4

    Authors               Year   No. of bytes
    Mantin and Shamir     2001   2^8
    Mironov               2002   2^10.74
    Our distinguisher     2004   2^25
    Fluhrer and McGrew    2000   2^30.6
    Golic                 1997   2^44.7
12 The Bias after Dropping the Initial N Bytes
- We assume that P(j = 0) = 1/N after the initial N rounds (i has returned to 0, so the condition S[1] = 2 now has to coincide with j = 0, which happens with probability 1/N^2).
- Therefore, after dropping the initial N bytes, the probability that the next two output bytes are equal is (1/N)(1 - 1/N^2).
- In this case, O(N^5) bytes are required to reliably distinguish RC4 outputs from random outputs.
- Experimentally, 2^32 pairs of bytes suffice to detect the bias for N = 256.
13 Distinguishers after N Bytes

    Authors               Year   No. of bytes
    Fluhrer and McGrew    2000   2^30.6
    Our distinguisher     2004   2^33
    Golic                 1997   2^44.7
14 Recommendation
- Experimentally, our distinguisher works better than the above estimates predict, partly due to the huge difference between the permutation space and the key space. This fact necessarily implies non-uniformity of the distribution of the initial permutation.
- Based on this observation we recommend dropping at least 2N bytes of RC4 output in all future applications of it.
15 RC4A: A Modification of RC4
- RC4A has two phases: the Key Scheduling Algorithm, followed by the Pseudo-random Generation Algorithm.
- We only modify the Pseudo-random Generation Algorithm of RC4 in order to achieve better security.
- The Key Scheduling Algorithm of RC4 is assumed to be perfect and is reused in RC4A.
16 RC4A: Main Motivation
- most of the known attacks on RC4 exploit the correlation between the outputs and random input variables
- main objective is to make the outputs depend on more random variables
- to reduce the number of instructions per output byte
- to keep the exchange shuffle model
17 RC4A: Description
- Take a key K1 and generate another key K2 using a pseudorandom bit generator (e.g. RC4).
- Generate two random permutations of N elements, namely S1 and S2, by applying K1 and K2 respectively to the identity permutation.
- To generate S1 and S2 we may use the Key Scheduling Algorithm of RC4.
18 RC4A: Description of the Pseudorandom Generation Algorithm of RC4A
- Input: (S1, S2)
  1. i = 0, j1 = 0, j2 = 0
  2. i = (i + 1) mod N
  3. j1 = (j1 + S1[i]) mod N
  4. swap S1[i] and S1[j1]
  5. I = (S1[i] + S1[j1]) mod N
  6. output S2[I]

19 RC4A: Description of the Pseudorandom Generation Algorithm of RC4A (contd.)
  7. j2 = (j2 + S2[i]) mod N
  8. swap S2[i] and S2[j2]
  9. I = (S2[i] + S2[j2]) mod N
  10. output S1[I]
  11. repeat from step 2
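The following Python program is an added example written for this page; it is not code from the paper or from the authors. It implements the RC4 KSA and PRGA of slides 4-5 with a general modulus N, verifies the claim of slides 7-8 exhaustively over all N! initial permutations for small N (S_0[1] = 2 forces Z1 ≠ Z2), counts exactly how often the first two outputs (or, with `drop = N`, the two outputs after dropping N bytes, slides 10 and 12) coincide, and implements the RC4A generator of slides 17-19. The RC4 test vector for the key "Key" is the widely published one; the 4-element permutations and the choice to take len(K1) keystream bytes as K2 are our own assumptions, since the slides fix neither.

```python
"""RC4 and RC4A over a general modulus N, plus exhaustive checks of the
first-two-bytes observation.  Added example, not code from the paper."""
import itertools


def ksa(key, n=256):
    """RC4 key scheduling: derive permutation S[0..n-1] from the key bytes."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, count, n=256):
    """RC4 output generation; yields `count` words and modifies s in place."""
    i = j = 0
    for _ in range(count):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % n]


def rc4_keystream(key, count):
    return bytes(prga(ksa(key), count))


def s1_equals_2_forces_unequal_outputs(n):
    """Slides 7-8: for every permutation with S_0[1] = 2, Z1 != Z2.
    Checked exhaustively over all n! permutations (n = 8 runs in under a second)."""
    for perm in itertools.permutations(range(n)):
        if perm[1] != 2:
            continue
        z1, z2 = prga(list(perm), 2, n)
        if z1 == z2:
            return False
    return True


def count_equal_pair(n, drop=0):
    """Exact count, over all n! initial permutations (j = 0), of cases where
    outputs Z_{drop+1} and Z_{drop+2} are equal: slide 10 for drop = 0,
    slide 12 for drop = n.  A uniform source would give total / n."""
    total = equal = 0
    for perm in itertools.permutations(range(n)):
        z = list(prga(list(perm), drop + 2, n))
        equal += z[drop] == z[drop + 1]
        total += 1
    return equal, total


def rc4a_keystream(s1, s2, count, n=256):
    """RC4A PRGA (slides 18-19): two permutations, one i pointer, two j
    pointers; each increment of i emits two words.  s1, s2 change in place."""
    i = j1 = j2 = 0
    out = []
    while len(out) < count:
        i = (i + 1) % n
        j1 = (j1 + s1[i]) % n
        s1[i], s1[j1] = s1[j1], s1[i]
        out.append(s2[(s1[i] + s1[j1]) % n])      # steps 3-6
        j2 = (j2 + s2[i]) % n
        s2[i], s2[j2] = s2[j2], s2[i]
        out.append(s1[(s2[i] + s2[j2]) % n])      # steps 7-10
    return bytes(out[:count])


def rc4a_from_key(k1, count):
    """Slide 17: derive K2 from K1 with RC4 itself, then build S1 and S2 with
    the RC4 KSA.  Taking len(k1) keystream bytes as K2 is our assumption."""
    k2 = rc4_keystream(k1, len(k1))
    return rc4a_keystream(ksa(k1), ksa(k2), count)


if __name__ == "__main__":
    print(rc4_keystream(b"Key", 9).hex())           # eb9f7781b734ca72a7
    print(s1_equals_2_forces_unequal_outputs(8))    # True
    eq, tot = count_equal_pair(4)
    print(eq, tot, 1 / 4, (1 / 4) * (1 - 1 / 4))    # 5 24 0.25 0.1875
    print(rc4a_from_key(b"Key", 8).hex())
```

For N = 4 the exact count is 5 equal pairs out of 24 permutations, below the 6/24 a uniform source would give, as the slides predict; the N = 256 figures on slides 10 and 12 are Monte Carlo estimates over real keys and need the 2^24 and 2^32 samples quoted there, which this exhaustive code does not attempt.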
20 Security: RC4A vs RC4
- The number of internal states of RC4A is approximately N^3 (N!)^2, compared to N^2 N! for RC4.
- At every round of RC4A, one output byte depends on at least three variables, compared to only two variables for RC4.
- The upper bound on the probability of guessing the maximum number of elements of the permutation from known outputs is 1/N^2, compared to 1/N for RC4, under reasonable assumptions.
21 Security: RC4A vs RC4 (Contd.)
- The computational cost to derive the secret internal state of RC4A is much higher (C^2 compared to C, under reasonable assumptions).
- The number of fortuitous states is smaller in RC4A than in RC4.
- The second-byte attack on RC4 by Mantin and Shamir is also weakened in RC4A (it needs N^3 bytes).
22 Prospect of a fast stream cipher
- RC4A uses fewer instructions per output byte: the i pointer is incremented once to generate two successive output bytes.
- Existence of parallel steps.
23 Remarks on RC4A
- It seems feasible to improve RC4A even further.
- The main idea was to decorrelate an index pointer and the value pointed to by the index.
- The attack by Golic is still difficult to remove.
- Generation of outputs of more than 8 bits is possible future work.
24 Conclusions
- We detected a new bias that does not disappear after N rounds.
- A new stream cipher is designed after a simple modification of RC4.