(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudo-random sequence of bytes (called the keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on the RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, and the keystream of the cipher.

Though biases based on the secret key are common in the RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of the RC4 key length on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof.

In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010.

In the third part, we present the derivation of the complete probability distribution of the first byte of the RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate long-term non-randomness in the keystream, and prove a new long-term bias of RC4.
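To make the kind of non-randomness discussed above concrete, here is an added example (not code from the paper or its authors): a textbook RC4 implementation (key scheduling and keystream generation over the 256-byte permutation) together with a small sampler that estimates, over many random keys, how often selected initial keystream bytes equal zero. For a uniform keystream every such estimate should sit near 1/256. The function names, the 16-byte key length, and the seeded pseudo-random keys are assumptions chosen for the example; the check against the public RC4 test vector for the key "Key" (keystream beginning EB 9F 77 81 B7 34 CA 72 A7) confirms the implementation before any statistics are read from it.

```python
"""RC4 keystream generator plus a small zero-bias sampler (added example)."""
import random
from typing import Dict, List


def ksa(key: bytes) -> List[int]:
    """Key Scheduling Algorithm: derive the initial permutation S from the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: List[int], n: int) -> List[int]:
    """Pseudo-Random Generation Algorithm: emit n keystream bytes from S.

    Works on a copy so the caller's permutation is left untouched.
    """
    s = s[:]
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return out


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes for the given key."""
    return bytes(prga(ksa(key), n))


def zero_rate(keylen: int, positions: List[int], trials: int,
              seed: int = 1) -> Dict[int, float]:
    """Estimate Pr[Z_r = 0] for each 1-indexed keystream position r.

    Keys are `keylen` random bytes drawn from a seeded PRNG (constructed
    input, chosen for reproducibility).  A uniform keystream would give
    roughly 1/256 ~ 0.0039 at every position.
    """
    rng = random.Random(seed)
    depth = max(positions)
    zeros = {r: 0 for r in positions}
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(keylen))
        z = prga(ksa(key), depth)
        for r in positions:
            if z[r - 1] == 0:
                zeros[r] += 1
    return {r: zeros[r] / trials for r in positions}


if __name__ == "__main__":
    # Public RC4 test vector: key "Key" -> keystream EB9F7781B734CA72A7...
    print(rc4_keystream(b"Key", 9).hex())
    # Sample the first three keystream bytes over 20000 random 16-byte keys.
    rates = zero_rate(16, [1, 2, 3], 20000)
    for r, p in rates.items():
        print(f"Pr[Z_{r} = 0] ~ {p:.5f}  (uniform {1/256:.5f}, ratio {p * 256:.2f})")
```

Running the sampler shows the second keystream byte equal to zero roughly twice as often as a uniform source would allow (the well-known Mantin and Shamir second-byte bias, close to 2/256), while the biases towards zero at later positions that the abstract refers to are far smaller and need many more trials to separate from sampling noise. Increasing `trials` or changing `keylen` lets a reader explore how the estimates move; the sampler only reports frequencies and does no plaintext recovery.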
