Abstract
In this paper, we show that the first byte of the keystream output of RC4 has non-negligible bias towards the sum of the first three bytes of the secret key. This result is based on our observation that the index, where the first byte of the keystream output is chosen from, is approximately twice more likely to be 2 than any other value. Our technique is further used to theoretically prove Roos’s experimental observation (A class of weak keys in the RC4 stream cipher, 1995) related to weak keys.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Fluhrer S.R., McGrew D.A.: Statistical Analysis of the Alleged RC4 Keystream Generator. Lecture Notes in Computer Science, vol. 1978, pp. 19–30. Springer-Verlag, FSE (2000).
Fluhrer S.R., Mantin I., Shamir A.: Weaknesses in the Key Scheduling Algorithm of RC4. Lecture Notes in Computer Science, vol. 2259, pp. 1–24. Springer-Verlag, SAC (2001).
Golic J.: Linear Statistical Weakness of Alleged RC4 Keystream Generator. Lecture Notes in Computer Science, vol. 1233, pp. 226–238. Springer-Verlag, EUROCRYPT (1997).
LAN/MAN Standard Committee, Wireless LAN Medium access control (MAC) and physical layer (PHY) specifications, 1999 edition. IEEE standard 802.11 (1999).
Mantin I.: A Practical Attack on the Fixed RC4 in the WEP Mode. Lecture Notes in Computer Science, vol. 3788, pp. 395–411. Springer-Verlag, ASIACRYPT (2005).
Mantin I.: Predicting and Distinguishing Attacks on RC4 Keystream Generator. Lecture Notes in Computer Science, vol. 3494, pp. 491–506. Springer-Verlag, EUROCRYPT (2005).
Mantin I., Shamir A.: A Practical Attack on Broadcast RC4. Lecture Notes in Computer Science, vol. 2355, pp. 152–164. Springer-Verlag, FSE (2001).
Mironov I.: (Not So) Random Shuffles of RC4. Lecture Notes in Computer Science, vol. 2442, pp. 304–319. Springer-Verlag, CRYPTO (2002).
Paul S., Preneel B.: Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator, Lecture Notes in Computer Science, vol. 2904, pp. 52–67. Springer-Verlag, INDOCRYPT (2003).
Paul S., Preneel B.: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. Lecture Notes in Computer Science, vol. 3017, pp. 245–259. Springer-Verlag, FSE (2004).
Roos A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$1j3@hermes.is.co.za and 44ebge$llf@hermes.is.co.za. Available at http://marcel.wanda.ch/Archive/WeakKeys (1995).
Wagner D.: My RC4 weak keys. Post in sci.crypt, message-id 447o1l$cbj@cnn.Princeton.EDU, 26 September, 1995. Available at http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys (1995).
Author information
Authors and Affiliations
Corresponding author
Additional information
This is a revised and extended version of the paper that has been presented in International Workshop on Coding and Cryptography, April 16–20, 2007 (WCC 2007), Versailles, France.
Siddheshwar Rathi was a researcher at Applied Statistics Unit, Indian Statistical Institute, Kolkata. We were shocked by his sudden demise on October 28, 2006. Siddheshwar had observed and proved Theorem 2. However, we, the other two co-authors, noted the consequence of this theorem at a later date. In fact, we were attracted towards the analysis of RC4 due to Siddheshwar’s enthusiasm. Unfortunately, Siddheshwar could not see this paper published.
Rights and permissions
About this article
Cite this article
Paul, G., Rathi, S. & Maitra, S. On non-negligible bias of the first output byte of RC4 towards the first three bytes of the secret key. Des. Codes Cryptogr. 49, 123–134 (2008). https://doi.org/10.1007/s10623-008-9177-7
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-008-9177-7