Abstract
A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes at any stage of the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos’ work (1995). Next, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange kind of key scheduling. Moreover, we show that biases towards the secret key also exist in S[S[y]], S[S[S[y]]], and so on, for initial values of y. We additionally show that each byte of S N actually reveals secret key information. Looking at all the elements of the final permutation S N and its inverse \(S^{-1}_N\), the value of the hidden index j in each round of the KSA can be estimated from a “pair of values” in 0, ..., N − 1 with a constant probability of success \(\pi = \frac{N-2}{N}\cdot(\frac{N-1}{N})^{N-1} + \frac{2}{N}\) (we get π ≈ 0.37, for N = 256), which is significantly higher than the random association. Using the values of two consecutive j’s, we estimate the y-th key byte from at most a “quadruple of values” in 0, ..., N − 1 with a probability > 0.12. As a secret key of l bytes is repeated at least \(\lfloor \frac{N}{l}\rfloor\) times in RC4, these many quadruples can be accumulated to get each byte of the secret key with very high probability (e.g., 0.8 to close to 1) from a small set of values. Based on our analysis of the key scheduling, we show that the secret key of RC4 can be recovered from the state information in a time much less than the exhaustive search with good probability. Finally, based on the above biases of the permutation after the KSA and other related results, a complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes. The results do not assume any condition on the secret key. We find new biases in the initial as well as in the 256-th and 257-th keystream output bytes.
Similar content being viewed by others
References
Akgün, M., Kavak, P., Demirci, H.: New Results on the Key Scheduling Algorithm of RC4. INDOCRYPT, Lecture Notes in Computer Science, vol. 5365, pp. 40–52. Springer, New York (2008)
Biham, E., Carmeli, Y.: Efficient Reconstruction of RC4 Keys from Internal States. FSE, Lecture Notes in Computer Science, vol. 5086, pp. 270–288. Springer, New York (2008)
Fluhrer, S.R., McGrew, D.A.: Statistical Analysis of the Alleged RC4 Keystream Generator. FSE, Lecture Notes in Computer Science, vol. 1978, pp. 19–30. Springer, New York (2000)
Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. Selected areas in Cryptography, Lecture Notes in Computer Science, vol. 2259, pp. 1–24. Springer, New York (2001)
Golic, J.: Linear Statistical Weakness of Alleged RC4 Keystream Generator. EUROCRYPT, Lecture Notes in Computer Science, vol. 1233, pp. 226–238. Springer, New York (1997)
Jenkins, R.J.: ISAAC and RC4. Available at http://burtleburtle.net/bob/rand/isaac.html (1996)
Khazaei, S., Meier, W.: On Reconstruction of RC4 Keys from Internal States. Accepted in Mathematical Methods in Computer Science (MMICS), December 17–19, Karlsruhe, Germany (2008)
Klein, A.: Attacks on the RC4 stream cipher. Designs, Codes and Cryptography, vol. 48, no. 3, pp. 269–286, September]. A draft dated February 27, 2006 is available at cage.ugent.be/~ klein/RC4/RC4-en.ps (2008)
Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis Methods for (Alleged) RCA. ASIACRYPT, Lecture Notes in Computer Science, vol. 1514, pp. 327–341. Springer, New York (1998)
LAN/MAN Standard Committee. Wireless LAN Medium Access Control (MAC) and physical layer (PHY) specifications, 1999 edition. IEEE standard 802.11 (1999)
Maitra, S., Paul, G.: New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. FSE, Lecture Notes in Computer Science, vol. 5086, pp. 253–269. Springer, New York (2008)
Mantin, I., Shamir, A.: A Practical Attack on Broadcast RC4. FSE, Lecture Notes in Computer Science, vol. 2355, pp. 152–164. Springer, New York (2001)
Mantin, I.: A Practical Attack on the Fixed RC4 in the WEP Mode. ASIACRYPT, Lecture Notes in Computer Science, vol. 3788, pp. 395–411. Springer, New York (2005)
Mantin, I.: Predicting and Distinguishing Attacks on RC4 Keystream Generator. EUROCRYPT, Lecture Notes in Computer Science, vol. 3494, pp. 491–506. Springer, New York (2005)
Mantin, I.: Analysis of the stream cipher RC4. Master’s Thesis, The Weizmann Institute of Science, Israel (2001)
Maximov, A., Khovratovich, D.: New State Recovering Attack on RC4. CRYPTO, Lecture Notes in Computer Science, vol. 5157, pp. 297–316. Springer, New York (2008)
McKague, M.E.: Design and Analysis of RC4-like Stream Ciphers. Master’s Thesis, University of Waterloo Canada (2005)
Mironov, I.: (Not So) Random Shuffles of RC4. CRYPTO, Lecture Notes in Computer Science, vol. 2442, pp. 304–319. Springer, New York (2002)
Paul, G., Rathi, S., Maitra, S.: On Non-negligible bias of the first output byte of RC4 towards the first three bytes of the secret key. Proceedings of the International Workshop on Coding and Cryptography 2007, pp. 285–294. An extended version appears in Designs, Codes and Cryptography, vol. 49, no. 1–3, pp. 123–134, (2008), December
Paul, G., Maitra, S.: Permutation after RC4 Key Scheduling Reveals the Secret Key. SAC, Lecture Notes in Computer Science, vol. 4876, pp. 360–377. Springer, New York (2007)
Paul, G., Maitra, S., Srivastava, R.: On Non-Randomness of the Permutation after RC4 Key Scheduling. Applied Algebra, Algebraic Algorithms, and Error Correcting Codes (AAECC-17), Lecture Notes in Computer Science, vol. 4851, pp. 100–109. Springer, New York (2007)
Paul, S., Preneel, B.: Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator. INDOCRYPT, Lecture Notes in Computer Science, vol. 2904, pp. 52–67. Springer, New York (2003)
Paul, S., Preneel, B.: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. FSE, Lecture Notes in Computer Science, vol. 3017, pp. 245–259. Springer (2004)
Roos, A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$1j3@hermes.is.co.za and 44ebge$llf@hermes.is.co.za. Available at http://marcel.wanda.ch/Archive/WeakKeys (1995)
Silverman, J.: A Friendly Introduction to Number Theory, 2nd edn., pp. 56. Prentice Hall, NJ(2001)
Tews, E., Weinmann, R.P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. IACR Eprint Server, eprint.iacr.org, number 2007/120, April 1 (2007)
Tomasevic, V., Bojanic, S., Nieto-Taladriz, O.: Finding an internal state of RC4 stream cipher. Information Sciences, vol. 177, pp. 1715–1727 (2007)
Vaudenay, S., Vuagnoux, M.: Passive-Only Key Recovery Attacks on RC4. SAC, Lecture Notes in Computer Science, vol. 4876, pp. 344–359. Springer, New York (2007)
Wagner, D.: My RC4 weak keys. Post in sci.crypt, message-id 447o1l$cbj@cnn.Princeton.EDU, 26 September. Available at http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys (1995)
Acknowledgements
The authors like to thank the anonymous reviewers for their detailed comments that helped improve the technical as well as editorial quality of this paper.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Paul, G., Maitra, S. On biases of permutation and keystream bytes of RC4 towards the secret key. Cryptogr. Commun. 1, 225–268 (2009). https://doi.org/10.1007/s12095-008-0009-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12095-008-0009-4