Analysis of Nonfortuitous Predictive States of the RC4 Keystream Generator

1
Analysis of Non-fortuitous Predictive
States of the RC4 Keystream Generator
Souradyuti Paul and Bart Preneel K.U. Leuven,
ESAT/COSIC
Indocrypt 2003 India Habitat Center December 8,
2003
2
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State and its
  Importance
• Upper Bound on the Number of Outputs of a
  Predictive State
• Definition of a Non-fortuitous Predictive State
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

3
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State and its
  Importance
• Upper Bound on the Number of Outputs of a
  Predictive State
• Definition of a Non-fortuitous Predictive State
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

4
Description of RC4

• Based on Exchange Shuffle Paradigm
• The Algorithm Runs in Two Phases
• Key-scheduling Algorithm
• Pseudo-random Generation Algorithm
• Pseudo-random Bytes are Bit-wise X-Ored with the
  Plaintext Bytes in Succession to Generate the
  Ciphertexts.

5
Key-scheduling Algorithm

• A Variable Size Key (K) Turns an Array (S) of
  Identity Permutation into a Random Permutation
• The Size of the Key K 40 to 256 Bits in All
  Practical Applications
• The Size of the Array N 256 Bytes in All
  Practical Applications

6
Key-scheduling Algorithm

• Input (S, K)
• 1. for (i 0 to N-1)
• Si i
• 2. j 0
• 3. for (i 0 to N-1)
• j (j Ki mod l Si ) mod N
• Swap (Si, Sj )

7
Key-scheduling Algorithm

• Input (S, K)
• 1. for (i 0 to N-1)
• Si i
• 2. j 0
• 3. for (i 0 to N-1)
• j (j Ki mod l Si ) mod N
• Swap (Si, Sj )

8
Pseudo-random Generation
Algorithm

• Input (S)
• 1. i 0
• 2. j 0
• 3. i i 1
• 4. j (j Si ) mod N
• 5. Swap (Si, Sj)
• 6. I (Si Sj) mod N
• 7. Output SI

9
Pseudo-random Generation
Algorithm

• Input (S)
• 1. i 0
• 2. j 0
• 3. i i 1
  round
• 4. j (j Si ) mod N
• 5. Swap (Si, Sj)
• 6. I (Si Sj) mod N
• 7. Output SI

10
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

11
Predictive States of RC4

• An a-state of RC4 is only a known elements of
  the S-box together with i and j at some round
  denoted by round 0.
• In the next c rounds b output bytes are produced
  where c lt N where bgt1 and round 1 produces
  output.
• This internal state of RC4 at round 0 is defined
  to be b-predictive a-state.

12
Predictive States of RC4Snapshot at Round 0
Round 0 1 r
. c
i
j
Number of Known elements in the S-box is a.
13
Predictive States of RC4Snapshot at Round c
Round 0 1 r
. c
i
j
Outputs Z1 Z2 Z3
Zb
Number of Predicted Outputs is b.
14
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

15
Non-fortuitous Predictive States

• Consider the a-predictive a-states.
• If a elements of the S-box are consecutive and so
  are the a outputs then the state is a Fortuitous
  State of length a.
• All other a-predictive a-states are
  Non-fortuitous Predictive States of length a.

16
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

17
Main Contributions

• We give an upper bound on the number of predicted
  outputs b for a b-predictive a-state
• We also give an algorithm which is better than
  exhaustive search to determine Non-fortuitous
  Predictive States for small values of a

18
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

19
For a b-Predictive a-State b lt a (Sketch of
the Proof)

• The claim was left as a conjecture by Mantin and
  Shamir, 2001.
• The bound on c, which was 2N in the original
  conjecture, is wrong. When aN, b is infinitely
  large.
• The claim is true when c lt N.
• Clearly a-predictive a-states are important.
• The proof is by contradiction.

20
For a b-Predictive a-State b lt a (Sketch of
the Proof)

• Assume bgta.
• Si is always occupied with a known element at
  each round till the cth round is reached
  otherwise the execution is stopped.
• Maximum one element can be filled in a vacant
  place in one round.
• Maximum of (c-b) locations can be filled with
  known elements in c rounds.
• Therefore, b known elements at round 0 leads to
  contradiction.

21
Importance of Predictive States when b
a

• Assume Internal States and External States (i.e.,
  Outputs) of RC4 are random for a fixed i.
• For Predictive States when b a, the elements of
  the S-box elements can be predicted with the
  maximum probability, that is 1/N, when outputs
  are known.
• The larger the number of a-predictive a-states
  the higher is the probability for one of them to
  occur.

22
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

23
Determination of Non-fortuitous
Predictive States

• An efficient algorithm to determine the
  Fortuitous States of small length is designed by
  Fluhrer and McGrew, 2000.
• The main problems to determine the Non-fortuitous
  Predictive States are
• The inter-element-gaps of the S-box elements are
  not known.
• The inter-element-gaps of the S-box elements
  change after each round.

24
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

25
The Set of Non-fortuitous Predictive States of
length 1 is Empty
Index 0 1 2
2x-1 2 x ... x
N-1
i
j

• Any 1-predictive 1-state is a Fortuitous State.
• The number of 1-predictive 1-states is N.

26
The Set of Non-fortuitous Predictive States of
length 2 is Empty
Index 0 1 2 r
r
N-1
i
Outputs Z1

Empty
Index 0 1 2 r
r
N-1
i

• Therefore, r-r 1, otherwise RC4 halts.

27
The Set of Non-fortuitous Predictive States of
length 2 is Empty
Index
p1 p2 p3 p4 p5
1
i
j
Outputs Z1

• Finneys Forbidden State after the 1st round.
  Therefore, not possible.

Possibility 1
28
The Set of Non-fortuitous Predictive States of
length 2 is Empty
Index
p1 p2 p3 p4 p5
2
i
j
Outputs Z1

After the 1st round
Possibility 2
29
The Set of Non-fortuitous Predictive States of
length 2 is Empty
Index
p1 p2 p3 p4 p5
2
i
j
After the 2nd round
Possibility 2
30
The Set of Non-fortuitous Predictive States of
length 2 is Empty
Empty
Index
p1 p2 p3 p4 p5
2
i
j
After the 3rd round
Possibility 2
31
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

32
Determination of Non-fortuitous Predictive
States A General Approach

• The inter-element-gap is the number of vacant
  places between two successive elements of the
  S-box.
• The possible inter-element-gaps of the
  a-predictive a-states are determined from that of
  (a-1)-predictive (a-1)-states recursively.
• Once the inter-element-gaps are known then we
  apply an algorithm similar to the one by Fluhrer
  and McGrew, 2000.

33
Overview of the Presentation

• Description of RC4
• Definition of a Predictive State
• Definition of a Non-fortuitous Predictive State
• Main Contributions
• Upper Bound on the Number of Outputs of a
  Predictive State and its Importance
• Determination of Non-fortuitous Predictive States
• Of Length 1 and 2
• General Approach
• Conclusions

34
Conclusions

• We obtained an important combinatorial result
  that an a-state of RC4 can not produce more than
  a outputs in the next N rounds.
• A practical algorithm is designed to determine a
  special set of RC4 states known as Non-fortuitous
  States which reduce the data complexity of all
  known attacks on RC4.