Expanding Weak-key Space of RC4

RC4 is a stream cipher designed by Rivest in 1987. It is the most famous stream cipher and is widely used, e.g., in SSL/TLS, WEP and WPA. Although RC4 has already been broken in particular implementations and settings, such as the WEP implementation and the broadcast setting, RC4 itself is not completely broken yet. In 2011, Teramura et al. generalized classes of weak keys of RC4 by using predictive states, which are special classes of the internal state of RC4. The total number of Teramura et al.'s weak keys is approximately $2^{117.29}$. Their weak-key attack can recover a 128-bit secret key with efficiency of $2^{95.10}$, where efficiency is defined as the time complexity per success probability of the attack. This attack works only if particular patterns of the keystream are observed. In this paper, we further expand the weak-key space of RC4. By thoroughly analyzing the relation between the key and the initial state of the pseudorandom generation algorithm, we find new classes of predictive states that can be used for key recovery attacks. As a result, $2^{118.58}$ keys can be defined as new weak keys, which is more than twice the number of Teramura et al.'s weak keys. Moreover, our attack is applicable to any keystream, while Teramura et al.'s attack is feasible only for particular patterns of the keystream. Given any keystream, our weak-key attack can recover a 128-bit secret key with efficiency of $2^{115.11}$. Our attack is the best-known single-key key recovery attack on RC4 with respect to efficiency. In addition, if we focus on specific keystreams, as in Teramura et al.'s attack, the 128-bit secret key can be recovered with efficiency of $2^{76.32}$, which is more efficient than Teramura et al.'s attack.
