Abstract
The internal state of RC4 stream cipher is a permutation over \({\mathbb Z}_{N}\) and its state transition is effectively a transposition or swapping of two elements. How the randomness of RC4 state evolves due to its state transitions has been studied for many years. As the number of swaps increases, the state comes closer to a uniform random permutation. We define the burn-in period of RC4 state transition as the number of swaps required to make the state very close to uniform random permutation under some suitably defined distance measure. Earlier, Mantin in his Master’s thesis (2001) performed an approximate analysis of the burn-in period. In this paper, we perform a rigorous analysis of the burn-in period and in the process derive the exact distribution of the RC4 state elements at any stage.


Similar content being viewed by others
References
AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22th USENIX Security Symposium, pp. 305–320. USENIX Association, Washington (2013)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919 (2008)
Calhoun, P., Montemurro, M., Stanley, D., (Ed.) Control and Provisioning of Wireless Access Points (CAPWAP) Protocol Binding for IEEE 802.11. RFC 5416 (Proposed Standard) (2009)
Freier, A., Karlton, P., Kocher, P.: The Secure Sockets Layer (SSL) Protocol Version 3.0 RFC 6101 (Historic) (2011)
Garman, C., Paterson, K.G., Van der Merwe, T.: Attacks only get better: Password recovery attacks against RC4 in TLS. In: Jung, J., Holz, T. (eds.) 24th USENIX Security Symposium, USENIX Security 15, pp. 113–128. USENIX Association, Washington (2015)
Gupta, S. S., Maitra, S., Paul, G., Santanu, S.: (non-)random sequences from (non-)random permutations - analysis of RC4 stream cipher. J. Cryptol. 27(1), 67–108 (2014)
Maitra, S.: The index j in rc4 is not pseudo-random due to non-existence of finney cycle. Cryptology ePrint Archive, Report 2015/1043. https://eprint.iacr.org/2015/1043 (2015)
Maitra, S., Paul, G.: Analysis of RC4 and proposal of additional layers for better security margin. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) Progress in Cryptology - INDOCRYPT 2008, 9th International Conference on Cryptology in India, Kharagpur. Proceedings, volume 5365 of Lecture Notes in Computer Science, pp. 27–39. Springer (2008)
Mantin, I.: The security of the stream cipher rc4. Master Thesis, The Weizmann Institue of Science (2001)
Mironov, I.: (not so) random shuffles of RC4. In: Yung, M. (ed.) Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara. Proceedings, volume 2442 of Lecture Notes in Computer Science, pp. 304–319. Springer (2002)
Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Big bias hunting in amazonia: Large-scale computation and exploitation of RC4 biases (invited paper). In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung. Proceedings, Part I, volume 8873 of Lecture Notes in Computer Science, pp. 398–419. Springer (2014)
Paul, G., Maitra, S., Srivastava, R.: On non-randomness of the permutation after RC4 key scheduling. In: Boztas, S., Lu, H.-f. (eds.) Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, 17th International Symposium, AAECC-17, Bangalore. Proceedings, volume 4851 of Lecture Notes in Computer Science, p. 2007. Springer (2007)
Rivest, R.L., Schuldt, J.C.N.: Spritz–A spongy RC4-like stream cipher and hash function. CRYPTO 2014 Rump Session (2014)
Sarkar, S., Gupta, S.S., Paul, G., Maitra, S.: Proving tls-attack related open biases of RC4. Des Codes Crypt. 77(1), 231–253 (2015)
Ylonen, T., Lonvick, C. (Ed.) The Secure Shell (SSH) Transport Layer Protocol. RFC 4253 (Proposed Standard), Updated by RFC 6668 (2006)
Acknowledgments
The second author worked for this paper during the winter break in 2016 in his Master of Statistics course.
Author information
Authors and Affiliations
Corresponding author
Additional information
This article is part of the Topical Collection on Special Issue on Statistics in Design and Analysis of Symmetric Ciphers
Appendix A: Proof of Theorem 7
Appendix A: Proof of Theorem 7
Recall our previous notation that \(p=\frac {1}{N}\) and q = 1 − p. Recall the definition of A. Note that the k-th row of A looks like
One observation which we shall use repeatedly in the proof is that \((1-\frac {1}{N})^{N}\), i.e., qN is increasing in N, while qN− 1 is decreasing in N. This can be proved simply by differentiating the functions \((1-\frac {1}{x})^{x}\) and \((1-\frac {1}{x})^{x-1}\) respectively.
- Case 1: :
-
N is even
Let J denotes a subset of size \(\frac {N}{2}\) of the index set {1, …, N}. Then
The first row of A is p(1 − qN− 1, q, …, qN− 1); and let us define, \( 2p(1+q+\cdots +q^{\frac {N}{2}-1}-q^{N-1}) - p(1+\cdots +q^{N-2}) =: I\). Let us take a closure look of the structure of row k of A. Note that, ak1 > ⋯ > a k k ; ak, k+ 1 > ⋯ > ak, N. Therefore,
where \(\mathcal {Q}_{k} := \left \{ (l,m) |\; l,m \geq 0;\; l+m =\frac {N}{2}, k+l \leq N, m \leq k \right \}\). So, let us define,
Our target is to show
We shall only show for N ≥ 10. For smaller values of N, i.e., N = 2, 4, 6, 8, the correctness of the result can be checked directly by calculating the matrix A.
Let us consider first the case k = 1. Then m = 0, 1, and \(D_{1,\frac {N}{2}-1,1}=I\). So, it is enough to show \(1-q^{N-1}\geq q^{\frac {N}{2}}\), as this will imply that \(D_{1,\frac {N}{2}, 0} \leq D_{1,\frac {N}{2}-1,1}\). Now we have, qN− 1 decreasing in N and hence, \(q^{N-1}+q^{\frac {N-1}{2}}\) is decreasing in N. Therefore,
For smaller values of N, we have to check directly from the expression.
Now, we have to consider the case where k ≥ 2. First consider l, m > 0. Then, \(0 < l,m < \frac {N}{2}\), and
Therefore, it is enough to show that
Note that, if m > k − 2, i.e. m = k − 1, k, then
which ensures that (12) holds true. So, now we should consider only the case m ≤ k − 2. Then \(m + 2 \leq k \leq \frac {N}{2}+m\) as k + l ≤ N. In this case, we can simplify (12) and conclude that it is enough to show the following.
which, after some simplification, yields
Let us define,
and therefore we have to show Ek, N, m ≥ 2. Note that
and uN, m(1 − (1 + q)qk−m) + vN, m is an non-decreasing function of k when n, m are held at constant. Therefore,
i.e., when Ek, N, m starts increasing, it goes on increasing. Therefore, to find the minimum it is enough to search at the extremes, i.e., at k = m + 2 and \(k=m+\frac {N}{2}\). We shall instead search for the minimum at \(k=m,m+\frac {N}{2}\), as it will suffice. Note that, Em, N, m = 2 − q− 1 + q−m ≥ 2, as m > 0,and \(E_{m+\frac {N}{2},N,m}\) is equal to
where the last expression is increasing in m because \(q^{N} \geq \frac {1}{4}\), which implies \(q^{-\frac {N}{2}} \leq 2\). Therefore, it is enough to check at m = 0, which gives us
Now consider the function \(x \longrightarrow x + 2\sqrt {x}+(3-\frac {1}{17})\frac {1}{x}\), and it can easily be seen by differentiating that this function is increasing when \(x^{2}+x^{\frac {3}{2}} \geq (3-\frac {1}{17})\). Now, we know, \(q^{-\frac {N}{2}}\) is decreasing in N, and hence, \(q^{-\frac {N}{2}} \geq \lim_{N \rightarrow \infty } q^{-\frac {N}{2}} = \sqrt {e}\) and \(e+e^{\frac {3}{4}} \geq (3-\frac {1}{17})\). Therefore we have that the function \( q^{-\frac {N}{2}}+ 2q^{-\frac {N}{4}} + (3-\frac {1}{17})q^{\frac {N}{2}} -4\) is decreasing in N and therefore the minimum value is the limiting value when N goes to ∞, i.e., \(\sqrt {e}+ 2e^{\frac {1}{4}}+(3-\frac {1}{17})\frac {1}{\sqrt {e}}-4 > 2\). Hence, \(E_{m+\frac {N}{2},N,m} \geq 2, \; \forall \; N \geq 18\). And for smaller values of N, i.e., for N = 10, 12, 14, 16, we can directly check by calculating \(q^{-\frac {N}{2}}+ 2q^{-\frac {N}{4}}+ 4q^{\frac {N}{2}}-q^{\frac {N}{2}-1} - 4\). So, we are done with the first case of the proof except for the case that l = 0 or m = 0.
Note that, \(q^{k}+q^{N-k} \geq 2q^{\frac {N}{2}} \geq 2(1/2) = 1\), as qN is increasing in N. This implies that, ak, k+ 1 ≥ ak1, which in turn implies that \(I \geq D_{k,1,\frac {N}{2}-1} \geq D_{k, 0,\frac {N}{2}}\). Therefore, the case for l = 0 is solved.
Now, \(k>\frac {N}{2}\) implies \(l \leq N-k < \frac {N}{2} \), and hence, m > 0. So, we need to consider \(1 \leq k \leq \frac {N}{2}\). Note that it is enough to prove that
as it guarantees \(a_{k1}< a_{k,k+\frac {N}{2}}\), which implies \(D_{k,\frac {N}{2}, 0} < D_{k,\frac {N}{2}-1,1} \leq I\). Now,
Therefore, \(q^{k+\frac {N}{2}-1} + q^{N-k}\) is at first decreasing and then increasing as k varies from 1 to \(\frac {N}{2}\). Hence for the maximum value, it is enough to check at \(k = 1,\frac {N}{2}\), and at both of these points the value is \(q^{\frac {N}{2}}+q^{\frac {N}{2}}\) which has already been proven to be less than 1. Therefore,
- Case 2: :
-
N is odd
We shall follow similar technique as used in the even case. Let J denote a subset of size \(\frac {N-1}{2}\) of the index set {1, …, N}, and u denote a single index from the same set. Then
The first row of A is p(1 − qN− 1, q, …, qN− 1); and let us define,
As expected from previous experience, here also we have, ak1 > ⋯ > a k k ; ak,k+ 1 > ⋯ > ak,N. Therefore,
where \(\mathcal {Q}_{k} := \left \{ (l,m) |\; l,m \geq 0;\; l+m =\frac {N-1}{2}, k+l \leq N, m \leq k \right \}\). So, let us define, for l < N − k,
and for m < k,
Our target is to show
and where they are defined. After this part, the proof is completely similar to the proof for the even part. So, to avoid the repetition of the calculations, we just sketch the next part of the proof.
Let us first consider the case for \(D^{\prime }_{k,l,m}\). Let us consider first the case k = 1. Then m = 0, 1, and \(D^{\prime }_{1,\frac {N-1}{2}-1,1}=I\). So, it is enough to show that \(1-q^{N-1}\geq q^{\frac {N-1}{2}}\), as this will imply that \(D^{\prime }_{1,\frac {N-1}{2}, 0} \leq D^{\prime }_{1,\frac {N-1}{2}-1,1}\). Now we have, qN− 1 decreasing in N and hence, \(q^{N-1}+q^{\frac {N-1}{2}}\) decreasing in N. Therefore,
The situations with l = 0, m = 0 and m ≥ k − 1 are solved similar to the even case. For, l, m > 0 and m ≤ k − 2 case, simplifying the expression we see that it is enough to show
Considering it as a function of k only, keeping N, m fixed, we see that
is increasing in k. Therefore, \(E_{k,N,m}^{\prime }\) can have minimum only at two ends, i.e., at \(k=m,m+\frac {N + 1}{2}\).
and the final RHS term is increasing in m as \(q^{-\frac {N + 1}{2}} \leq 2\). So, it is enough to check at m = 0. Thus, it is enough to show,
The LHS converges to \(\sqrt {e}+ 2e^{\frac {1}{4}}+ 3\frac {1}{\sqrt {e}}-4 > 2\). So, after some N LHS will be greater than 2. For some initial terms, we have to check directly. Now for the last case, we have to show that \(D^{\prime \prime }_{k,l,m} \leq I\). The cases for l = 0, m = 0 and m ≥ k − 1 are easy to handle. For l, m > 0 and m ≤ k − 2, simplifying the expression we see that it is enough to show,
It is easy to observe that
is increasing in k considering N, m fixed. So, \(E^{\prime \prime }_{k,N,m}\) can have minimum only at the two ends, \(k=m + 1,m+\frac {N + 1}{2}\). Let us define,
Observe that, Fm, N − Fm+ 1, N is decreasing in m and F0, N − F1, N = q−Np(p(2q − 1) − qN− 1) ≤ 0,as 2q + qN− 2 ≥ 2. Therefore, Fm, N − Fm+ 1, N ≤ 0, and hence, Fm, N will be minimum at m = 1(as m = 0 case is done separately) and observe that,
Therefore, F1, N ≥ 2 after some terms and those cases are easy to check. This finishes checking at k = m + 1. For the other end point,
and the final RHS term is increasing in m as \(q^{-\frac {N + 1}{2}} \leq 2\). So, it is enough to check at m = 0. Thus, it is enough to show that
The LHS converges to \(\sqrt {e}+ 2e^{\frac {1}{4}}+ 3\frac {1}{\sqrt {e}}-4 > 2\). So, after some N, the LHS will be greater than 2. For some initial terms, we have to check directly. Then simplifying for the expression of I, we get
This completes the proof.
Rights and permissions
About this article
Cite this article
Paul, G., Ray, S. Analysis of burn-in period for RC4 state transition. Cryptogr. Commun. 10, 881–908 (2018). https://doi.org/10.1007/s12095-018-0287-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12095-018-0287-4