New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4

Consider the permutation S in RC4. Roos pointed out in 1995 that after the Key Scheduling Algorithm (KSA) of RC4, each of the initial bytes of the permutation, i.e., S[y] for small values of y, is biased towards some linear combination of the secret key bytes. In this paper, for the first time we show that the bias can be observed in S[S[y]] too. Based on this new form of permutation bias after the KSA and other related results, a complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes. The results do not assume any condition on the secret key. We find new biases in the initial as well as in the 256-th and 257-th keystream output bytes. For the first time biases at such later stages are discovered without any knowledge of the secret key bytes. We also identify that these biases propagate further, once the information for the index j is revealed.
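The permutation bias described above can be measured empirically. The following is an added example, not code from the paper: it runs the standard RC4 KSA over random keys and estimates how often S[y] and S[S[y]] equal a key-dependent target. The target f_y = y(y+1)/2 + K[0] + ... + K[y] (mod 256) is the usual statement of Roos's combination and is supplied here because the abstract does not give it; testing S[S[y]] against the same f_y, the 16-byte key length, the trial count and the chosen values of y are assumptions of this example.

```python
import random

N = 256  # RC4 state size

def ksa(key):
    """Standard RC4 Key Scheduling Algorithm; returns the permutation after the KSA."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def f(key, y):
    """Roos's combination (assumed form): f_y = y(y+1)/2 + K[0] + ... + K[y] mod 256."""
    return (y * (y + 1) // 2 + sum(key[x % len(key)] for x in range(y + 1))) % N

def measure(trials=2000, key_len=16, ys=(0, 1, 2, 3, 8, 16), seed=1):
    """Estimate P(S[y] = f_y) and P(S[S[y]] = f_y) over randomly generated keys."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    hits_s = dict.fromkeys(ys, 0)
    hits_ss = dict.fromkeys(ys, 0)
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]  # constructed sample key
        S = ksa(key)
        for y in ys:
            target = f(key, y)
            hits_s[y] += S[y] == target       # bias in S[y]
            hits_ss[y] += S[S[y]] == target   # bias in the nested lookup S[S[y]]
    return {y: (hits_s[y] / trials, hits_ss[y] / trials) for y in ys}

if __name__ == "__main__":
    print(f"uniform baseline 1/256 = {1 / N:.4f}")
    for y, (p_s, p_ss) in measure().items():
        print(f"y={y:2d}  P(S[y]=f_y)={p_s:.3f}  P(S[S[y]]=f_y)={p_ss:.3f}")
```

For an unbiased permutation both frequencies would sit near 1/256; estimates well above that baseline for small y show how much key information the initial state carries, which is the reason RC4 is no longer acceptable in new designs.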
