论文信息 - New Results on Generalization of Roos-Type Biases and Related Keystreams of RC4

New Results on Generalization of Roos-Type Biases and Related Keystreams of RC4

The first known result on RC4 cryptanalysis (presented by Roos in 1995) points out that the most likely value of the y-th element of the permutation after the key scheduling algorithm (KSA) for the first few values of y is given by S N [y] = f y , some linear combinations of the secret keys. While it should have been quite natural to study the association S N [y] = f y ±t for small positive integers t (e.g., t ≤ 4), surprisingly that had never been tried before. In this paper, we study that problem for the first time and show that though the event S N [y] = f y + t occurs with random association, there is a significantly high probability for the event S N [y] = f y − t. We also present several related non-randomness behaviour for the event S N [S N [y]] = f y − t of RC4 KSA in this direction. Further, we investigate near-colliding keys that lead to related states after the KSA and related keystream bytes. Our investigation reveals that near-colliding states do not necessarily lead to near-colliding keystreams. From this motivation, we present a heuristic to find a related key pair with differences in two bytes, that lead to significant matches in the initial keystream. In the process, we discover a class of related key distinguishers for RC4. The best one of these shows that given a random key and a related one to that (the last two bytes increased and decreased by 1 respectively), the first pair of bytes corresponding to the related keys are same with very high probability (e.g., approximately 0.011 for 16-byte keys to 0.044 for 30-byte keys).

[1] Goutam Paul,et al. New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 , 2008, FSE.

[2] Gerhard Goos,et al. Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[3] Goutam Paul,et al. RC4 Stream Cipher and Its Variants , 2011 .

[4] Goutam Paul,et al. Permutation After RC4 Key Scheduling Reveals the Secret Key , 2007, Selected Areas in Cryptography.

[5] Goutam Paul,et al. (Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher , 2012, Journal of Cryptology.

[6] Dan S. Wallach,et al. A Related-Key Cryptanalysis of RC4 , 2000 .

[7] Mitsuru Matsui. Key Collisions of the RC4 Stream Cipher , 2009, FSE.

[8] Atsuko Miyaji,et al. How to Find Short RC4 Colliding Key Pairs , 2011, ISC.

[9] Aggelos Kiayias,et al. Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[10] Eli Biham,et al. Differential Cryptanalysis in Stream Ciphers , 2007, IACR Cryptol. ePrint Arch..

[11] Adi Shamir,et al. A Practical Attack on Broadcast RC4 , 2001, FSE.

[12] Andreas Klein,et al. Attacks on the RC4 stream cipher , 2008, Des. Codes Cryptogr..

[13] Goutam Paul,et al. A complete characterization of the evolution of RC4 pseudo random generation algorithm , 2008, J. Math. Cryptol..