1
A New Weakness in the RC4 Keystream
Generator and an Approach to Improve the
Security of the Cipher
Souradyuti Paul and Bart Preneel, K.U. Leuven,
ESAT/COSIC
FSE 2004, New Delhi, India, February 6, 2004
2
Overview of the Presentation
  • Description of RC4
  • Main Contributions
  • Anomaly in the first two bytes of RC4
  • Estimating the bias in the first two bytes of RC4
  • RC4A: A New Stream Cipher
  • Design Principle of RC4A
  • Conclusions

3
Description of RC4
  • based on an exchange-shuffle paradigm
  • the algorithm runs in two phases:
  • the key-scheduling algorithm (KSA)
  • the pseudo-random generation algorithm (PRGA)
  • the pseudorandom bytes are bit-wise XORed with the
    plaintext bytes

4
RC4 (1987)
  • designed by Ron Rivest (MIT)
  • leaked out in 1994
  • Key Scheduling Algorithm: S[0..255] is a secret table
    derived from the user key K (usually 40 to 256 bits);
    the key bytes are repeated cyclically

    for i = 0 to 255: S[i] = i
    j = 0
    for i = 0 to 255:
        j = (j + S[i] + K[i mod keylength]) mod 256
        swap S[i] and S[j]
    i = 0, j = 0
5
RC4 (1987)
  • Pseudo-random Generation Algorithm: generates the
    keystream, which is XORed with the plaintext

    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap S[i] and S[j]
    t = (S[i] + S[j]) mod 256
    output S[t]

  [Diagram: the table S with the pointers i and j and the output index t.]
6
Main Contributions
  • A new statistical bias in the distribution of
    the first two output bytes.
  • The bias persists after dropping the first
    N bytes.
  • A possible method to improve the security and
    performance of the cipher.

7
The First Two Outputs are Unequal When S_0[1] = 2
  After the key scheduling algorithm (i = 0, j = 0):

    Index   0   1   2   3   4   ...   N-1
    S_0         2   X       Z

  • Assume that after the key scheduling algorithm
    P[S_0[1] = 2] = 1/N.

8
The First Two Outputs are Unequal When S_0[1] = 2 (Contd.)
  Round 1: i = 1, j = 0 + S[1] = 2; swap S[1] and S[2].

    Index   0   1   2   3   4   ...   N-1
    S_1         X   2       Z
                i   j

  Output: S_1[S_1[1] + S_1[2]] = S_1[X + 2]

  Round 2: i = 2, j = 2 + S[2] = 4; swap S[2] and S[4].

    Index   0   1   2   3   4   ...   N-1
    S_2         X   Z       2
                    i       j

  Output: S_2[S_2[2] + S_2[4]] = S_2[Z + 2]

  • S_1[X + 2] ≠ S_2[Z + 2]: X, Z and 2 are distinct entries
    of a permutation, and S_1 and S_2 differ only at positions
    2 and 4, so a case check on whether X + 2 or Z + 2 hits
    one of those positions shows the two outputs cannot coincide.


9
Strong Distinguisher
  • A Distinguisher is an Algorithm which
    distinguishes a stream of bits from a perfectly
    random stream of bits.
  • A Strong Distinguisher is a distinguisher which
    detects bias at particular locations of several
    randomly chosen streams of bits.

10
Quantifying the Bias
  • We assume that the first two output bytes are
    equal with probability 1/N when S_0[1] ≠ 2.
  • Therefore, the probability that the first two
    output bytes are equal is (1/N)(1 - 1/N): the event
    S_0[1] = 2 has probability 1/N and forces them to be unequal.
  • The sample size needed to noticeably distinguish the RC4
    keystream from a random stream of bits is O(N^3)
    bytes.
  • Experiments show that 2^24 pairs of bytes suffice to
    show the bias for N = 256.

11
Distinguishing Attacks on RC4

  Authors               Year   No. of bytes
  Mantin and Shamir     2001   2^8
  Mironov               2002   2^10.74
  Our distinguisher     2004   2^25
  Fluhrer and McGrew    2000   2^30.6
  Golic                 1997   2^44.7
12
The Bias after Dropping the Initial N Bytes
  • We assume that P[j = 0] = 1/N after the initial N
    rounds. Since i is back to 0 after N rounds, the
    trigger condition becomes j_N = 0 and S_N[1] = 2,
    which has probability about 1/N^2.
  • Therefore, after dropping the initial N bytes the
    probability that the next two output bytes are
    equal is (1/N)(1 - 1/N^2).
  • In this case, O(N^5) bytes are required to
    reliably distinguish RC4 outputs from random
    outputs.
  • Experimentally, 2^32 pairs of bytes suffice to
    detect the bias for N = 256.
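The following is an added example, not code from the slides or from the authors. It implements the KSA and PRGA of slides 4 and 5 with a configurable table size N (RC4 proper is N = 256), checks the N = 256 implementation against the widely published "Key"/"Plaintext" test vector, and then searches random keys for the two trigger conditions of slides 7, 8 and 12: S_0[1] = 2 at the start, and j_N = 0 with S_N[1] = 2 after N rounds. The function names, the `drop` parameter, the 16-byte random keys and the seeds are this example's own choices; the small N is used only so that the rare second trigger shows up quickly.

```python
"""RC4 with a configurable table size N and the checks behind slides 7-12.

Added example, not code from the slides.  The table size N is a parameter
of this example; the slides' RC4 is N = 256.
"""
import random


def ksa(key: bytes, n: int = 256) -> list:
    """Key scheduling: permute the identity table with the (repeated) key."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: list, n: int = 256):
    """Pseudo-random generation.  Mutates s in place and yields (z, j) so a
    caller can read the pointer j after each round."""
    i = j = 0
    while True:
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % n], j


def rc4_encrypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """RC4 at N = 256; `drop` leading keystream bytes are discarded first."""
    gen = prga(ksa(key))
    for _ in range(drop):
        next(gen)
    return bytes(b ^ next(gen)[0] for b in data)


def expected_equal_probability(n: int, after_n: bool = False) -> float:
    """Slides 10 and 12: P[two consecutive outputs equal] under the slides'
    assumptions, (1/N)(1 - 1/N) at the start and (1/N)(1 - 1/N^2) after
    dropping N bytes.  A uniform stream would give exactly 1/N."""
    loss = 1 / n ** 2 if after_n else 1 / n
    return (1 / n) * (1 - loss)


def first_two_unequal(n: int, trials: int, seed: int = 1) -> dict:
    """Over `trials` random 16-byte keys (constructed input), count how often
    each trigger fires and whether the two outputs right after it are ever
    equal.  The slides claim they never are."""
    rng = random.Random(seed)
    st = {"trials": trials, "equal_total": 0,
          "r0_hits": 0, "r0_equal": 0, "rN_hits": 0, "rN_equal": 0}
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))
        s = ksa(key, n)
        trigger0 = s[1] == 2                 # S_0[1] = 2
        gen = prga(s, n)
        z1, _ = next(gen)
        z2, _ = next(gen)
        st["equal_total"] += int(z1 == z2)
        if trigger0:
            st["r0_hits"] += 1
            st["r0_equal"] += int(z1 == z2)
        j_n = None
        for _ in range(n - 2):               # advance to the end of round N
            _, j_n = next(gen)
        trigger_n = j_n == 0 and s[1] == 2   # i_N = 0 again: same shape as round 0
        zn1, _ = next(gen)
        zn2, _ = next(gen)
        if trigger_n:
            st["rN_hits"] += 1
            st["rN_equal"] += int(zn1 == zn2)
    return st


if __name__ == "__main__":
    assert rc4_encrypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(first_two_unequal(16, 8000))
    print(expected_equal_probability(256), expected_equal_probability(256, True))
```

The `r0_equal` and `rN_equal` counters stay at zero however many keys are tried, which is the deterministic part of the argument; the overall `equal_total` rate only approaches the (1/N)(1 - 1/N) estimate at sample sizes of the order the slides give (N^3 pairs), so it is reported rather than asserted. The `drop` argument discards leading keystream bytes; a drop of 2N bytes is drop=512 at N = 256.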

13
Distinguishers after N bytes

  Authors               Year   No. of bytes
  Fluhrer and McGrew    2000   2^30.6
  Our distinguisher     2004   2^33
  Golic                 1997   2^44.7
14
Recommendation
  • Experimentally, our distinguisher works better than
    the analysis predicts, partly because of the huge
    difference between the permutation space and the key
    space; that difference necessarily implies that the
    initial permutation is not uniformly distributed.
  • Based on this observation we recommend discarding at
    least 2N bytes of RC4 output in all future
    applications of it.

15
RC4A: A Modification of RC4
  • RC4A has two phases: the Key Scheduling Algorithm
    and, after that, the Pseudo-random Generation
    Algorithm.
  • We only modify the Pseudo-random Generation
    Algorithm of RC4 in order to achieve better
    security.
  • The Key Scheduling Algorithm of RC4 is assumed to
    be perfect and is used unchanged in RC4A.

16
RC4A: Main Motivation
  • most of the known attacks on RC4 exploit the
    correlation between the outputs and random input
    variables
  • main objective is to make outputs depend on more
    random variables
  • to reduce the number of instructions per output
    byte.
  • exchange shuffle model

17
RC4A: Description
  • Take a key K1 and generate another key K2 using a
    pseudorandom bit generator (e.g. RC4).
  • Generate two random permutations of N elements,
    namely S1 and S2 , using K1 and K2 on the
    identity permutation respectively.
  • To generate S1 and S2 we may use the Key
    Scheduling Algorithm of RC4.

18
RC4A: Description of the Pseudorandom
Generation Algorithm of RC4A
  • Input: (S1, S2)
  • 1. i = 0, j1 = 0, j2 = 0
  • 2. i = (i + 1) mod N
  • 3. j1 = (j1 + S1[i]) mod N
  • 4. Swap S1[i] and S1[j1]
  • 5. I = (S1[i] + S1[j1]) mod N
  • 6. Output S2[I]

19
RC4A: Description of the Pseudorandom
Generation Algorithm of RC4A (contd.)
  • 7. j2 = (j2 + S2[i]) mod N
  • 8. Swap S2[i] and S2[j2]
  • 9. I = (S2[i] + S2[j2]) mod N
  • 10. Output S1[I]
  • 11. Repeat from step 2.
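The generator below is an added example, not the authors' code: it follows steps 1 to 11 of the RC4A pseudo-random generation algorithm above, with the unchanged RC4 key scheduling from slide 17 used to build S1 and S2 and a configurable table size N. The slide only requires that K2 be derived from K1 by a pseudorandom bit generator and suggests RC4 for that; this example derives K2 with SHAKE-128 instead, which is an assumption of the example, as are the function names and the `(byte, i, table)` trace it yields.

```python
"""RC4A keystream generation following steps 1-11 of the slides.

Added example, not code from the slides.  N is a parameter of this example;
RC4A on the slides uses N = 256.
"""
import hashlib
from typing import Iterator, List, Tuple


def ksa(key: bytes, n: int = 256) -> List[int]:
    """RC4 key scheduling, reused unchanged for RC4A (slide 17)."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def derive_k2(k1: bytes, length: int = 16) -> bytes:
    """Assumed PRBG for K2 (SHAKE-128 under a domain label).  The slide
    suggests RC4 for this step; the choice of SHAKE here is this example's."""
    return hashlib.shake_128(b"RC4A-K2|" + k1).digest(length)


def rc4a_prga(s1: List[int], s2: List[int], n: int = 256) -> Iterator[Tuple[int, int, str]]:
    """Yields (output byte, current i, table the byte was read from).
    One increment of i (step 2) yields two bytes (steps 6 and 10).
    Mutates s1 and s2 in place."""
    i = j1 = j2 = 0
    while True:
        i = (i + 1) % n                        # step 2
        j1 = (j1 + s1[i]) % n                  # step 3
        s1[i], s1[j1] = s1[j1], s1[i]          # step 4
        idx = (s1[i] + s1[j1]) % n             # step 5: index from S1 ...
        yield s2[idx], i, "S2"                 # step 6: ... value from S2
        j2 = (j2 + s2[i]) % n                  # step 7
        s2[i], s2[j2] = s2[j2], s2[i]          # step 8
        idx = (s2[i] + s2[j2]) % n             # step 9: index from S2 ...
        yield s1[idx], i, "S1"                 # step 10: ... value from S1
        # step 11: loop back to step 2


def rc4a_trace(k1: bytes, nbytes: int, n: int = 256) -> List[Tuple[int, int, str]]:
    """First `nbytes` outputs with their (i, table) annotations."""
    s1 = ksa(k1, n)
    s2 = ksa(derive_k2(k1), n)
    gen = rc4a_prga(s1, s2, n)
    return [next(gen) for _ in range(nbytes)]


def rc4a_keystream(k1: bytes, nbytes: int, n: int = 256) -> bytes:
    """Plain keystream bytes for key K1 (K2 is derived from K1)."""
    return bytes(out for out, _, _ in rc4a_trace(k1, nbytes, n))


def rc4a_encrypt(k1: bytes, data: bytes) -> bytes:
    """XOR the RC4A keystream into the data (encryption and decryption)."""
    ks = rc4a_keystream(k1, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    for out, i, table in rc4a_trace(b"Key", 6):
        print(f"i={i} {table}[...] -> {out:02x}")
```

The trace makes the pairing visible: outputs come in pairs sharing one value of i, the first read from S2 at an index computed from S1 and the second read from S1 at an index computed from S2, which is the decorrelation of index pointer and pointed-to value that the later slides describe.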

20
Security: RC4A vs RC4
  • The number of internal states of RC4A is
    approximately N^3 · (N!)^2, compared to N^2 · N! for
    RC4.
  • At every round of RC4A, one output byte depends
    on at least three variables, compared to only two
    variables for RC4.
  • The upper bound on the probability of guessing the
    maximum number of elements of the permutation
    from known outputs is 1/N^2, compared to 1/N for
    RC4, under reasonable assumptions.

21
Security: RC4A vs RC4 (Contd.)
  • The computation cost to derive the secret
    internal state of RC4A is much higher (C^2
    compared to C, under reasonable assumptions).
  • RC4A has fewer fortuitous states than RC4.
  • The second-byte attack on RC4 by Mantin and
    Shamir is also weakened in RC4A (N^3 bytes).

22
Prospect of a fast stream cipher
  • RC4A uses fewer instructions per output byte: the i
    pointer is incremented once to generate two successive
    output bytes.
  • Some steps can be executed in parallel.

23
Remarks on RC4A
  • It seems possible to improve RC4A further.
  • The main idea was to decorrelate an index pointer
    and the value pointed to by the index.
  • The attack by Golic is still difficult to remove.
  • Generating outputs of more than 8 bits is
    possible future work.

24
Conclusions
  • We detected a new bias that does not disappear
    after N rounds.
  • A new stream cipher is designed after a simple
    modification of RC4.