Cryptanalysis of RC4(n, m) stream cipher

RC4(n, m) is a stream cipher based on RC4 and is designed by G. Gong et al. It can be seen as a generalization of the famous RC4 stream cipher designed by Ron Rivest. The authors of RC4(n, m) claim that the cipher resists all the attacks that are successful against the original RC4. The paper reveals cryptographic weaknesses of the RC4(n, m) stream cipher. We develop two attacks. The first one is based on non-randomness of internal state and allows to distinguish it from a truly random cipher by an algorithm that has access to 24·n bits of the keystream. The second attack exploits low diffusion of bits in the KSA and PRGA algorithms and recovers all bytes of the secret key. This attack works only if the initial value of the cipher can be manipulated. Apart from the secret key, the cipher uses two other inputs, namely, initial value and initial vector. Although these inputs are fixed in the cipher specification, some applications may allow the inputs to be under the attacker control. Assuming that the attacker can control the initial value, we show a distinguisher for the cipher and a secret key recovery attack that for the L-bit secret key, is able to recover it with about (L/n) · 2n steps. The attack has been implemented on a standard PC and can reconstruct the secret key of RC(8, 32) in less than a second.

[1]  Amr M. Youssef,et al.  On the structural weakness of the GGHN stream cipher , 2009, Cryptography and Communications.

[2]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[3]  Hongjun Wu Cryptanalysis of a 32-bit RC4-like Stream Cipher , 2005, IACR Cryptol. ePrint Arch..

[4]  Vincent Rijmen,et al.  Analysis Methods for (Alleged) RC4 , 1998, ASIACRYPT.

[5]  Itsik Mantin,et al.  Predicting and Distinguishing Attacks on RC4 Keystream Generator , 2005, EUROCRYPT.

[6]  Guang Gong,et al.  A 32-bit RC4-like Keystream Generator , 2005, IACR Cryptol. ePrint Arch..

[7]  Bartosz Zoltak,et al.  VMPC One-Way Function and Stream Cipher , 2004, FSE.

[8]  Bart Preneel,et al.  On the (In)security of Stream Ciphers Based on Arrays and Modular Addition , 2006, ASIACRYPT.

[9]  Martin Hell,et al.  Towards a General RC4-Like Keystream Generator , 2005, CISC.

[10]  Amr M. Youssef,et al.  A new distinguishing and key recovery attack on NGG stream cipher , 2009, Cryptography and Communications.

[11]  Adi Shamir,et al.  A Practical Attack on Broadcast RC4 , 2001, FSE.

[12]  Santanu Sarkar,et al.  On the Evolution of GGHN Cipher , 2011, INDOCRYPT.

[13]  Serge Vaudenay,et al.  Passive-Only Key Recovery Attacks on RC4 , 2007, Selected Areas in Cryptography.

[14]  Scott R. Fluhrer,et al.  Statistical Analysis of the Alleged RC4 Keystream Generator , 2000, FSE.

[15]  Jovan Dj. Golic,et al.  Linear Statistical Weakness of Alleged RC4 Keystream Generator , 1997, EUROCRYPT.

[16]  Ilya Mironov,et al.  (Not So) Random Shuffles of RC4 , 2002, IACR Cryptol. ePrint Arch..

[17]  Alexander Maximov Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers , 2005, FSE.

[18]  Adi Shamir,et al.  Cryptographic Applications of T-Functions , 2003, Selected Areas in Cryptography.

[19]  Bart Preneel,et al.  A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher , 2004, FSE.

[20]  Adi Shamir,et al.  Weaknesses in the Key Scheduling Algorithm of RC4 , 2001, Selected Areas in Cryptography.

[21]  Yukiyasu Tsunoo,et al.  A Distinguishing Attack on a Fast Software-Implemented RC4-Like Stream Cipher , 2007, IEEE Transactions on Information Theory.

[22]  Alexander Maximov,et al.  New State Recovery Attack on RC4 , 2008, CRYPTO.