Revisiting RC4 key collision: Faster search algorithm and new 22-byte colliding key pairs

Cryptography and Communications

Abstract

If two different secret keys of the stream cipher RC4 yield the same internal state after the key scheduling algorithm (KSA), and hence generate the same sequence of keystream bits, they are called a colliding key pair. The number of possible internal states of the RC4 stream cipher is very large (approximately 2^1700), which makes finding key collisions hard for practical key lengths (i.e., less than 30 bytes). Matsui (2009) reported for the first time a 24-byte colliding key pair and one 20-byte near-colliding key pair (i.e., one for which the state arrays after the KSA differ in at most two positions) for RC4. Subsequently, Chen and Miyaji (2011) designed a more efficient search algorithm using Matsui’s collision pattern and reported a 22-byte colliding key pair, which has so far remained the only known colliding key pair of the shortest length. In this paper, we show some limitations of both of the above approaches and propose a faster collision search algorithm that overcomes these limitations. Using our algorithm, we are able to find three additional 22-byte colliding key pairs that are different from the one reported by Chen and Miyaji. We additionally give 12 new 20-byte near-colliding key pairs. These results are significant, considering the argument by Biham and Dunkelman (2007) that for shorter keys there might be no instances of collision at all.
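The definitions in the abstract can be checked mechanically. The following C sketch is an added example, not code from the paper or its repositories: it runs the standard RC4 KSA on two keys and classifies the pair by how many state positions differ. The function names are this example's own, and the sample pair is the trivial different-length case (a key and its own repetition, which the KSA cannot distinguish because it indexes the key modulo its length), not one of the equal-length pairs the paper searches for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RC4 key scheduling algorithm (KSA): derive the 256-byte state S from the key. */
void rc4_ksa(const uint8_t *key, size_t len, uint8_t S[256]) {
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + S[i] + key[i % len]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
}

/* RC4 output generation (PRGA): write n keystream bytes for the given key. */
void rc4_keystream(const uint8_t *key, size_t len, uint8_t *out, size_t n) {
    uint8_t S[256], i = 0, j = 0;
    rc4_ksa(key, len, S);
    for (size_t k = 0; k < n; k++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(uint8_t)(S[i] + S[j])];
    }
}

/* Number of positions at which the two post-KSA state arrays differ. */
int state_distance(const uint8_t *k1, size_t l1, const uint8_t *k2, size_t l2) {
    uint8_t s1[256], s2[256];
    int d = 0;
    rc4_ksa(k1, l1, s1);
    rc4_ksa(k2, l2, s2);
    for (int i = 0; i < 256; i++) d += (s1[i] != s2[i]);
    return d;
}

/* 0 = colliding, 1 = near-colliding (at most two positions differ), 2 = neither. */
int classify_pair(const uint8_t *k1, size_t l1, const uint8_t *k2, size_t l2) {
    int d = state_distance(k1, l1, k2, l2);
    return d == 0 ? 0 : (d <= 2 ? 1 : 2);
}

int main(void) {
    /* Constructed inputs: a key and its repetition give the KSA the same byte sequence. */
    const uint8_t a[] = "AB", b[] = "ABAB";
    printf("class(AB, ABAB) = %d\n", classify_pair(a, 2, b, 4));
    return 0;
}
```

Because both state arrays are permutations, a nonzero distance is always at least two, so the near-colliding class corresponds to exactly two differing positions.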

Notes

  1. Processor time is calculated as the difference between the start time and end time of finding a colliding key pair, divided by CLOCKS_PER_SEC, using the clock() function in the C language.

References

  1. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: USENIX Security Symposium, pp. 305–320 (2013)

  2. Anonymous. RC4 Source Code. Cypherpunks mailing list (1994). http://cypherpunks.venona.com/date/1994/09/msg00304.html, http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0

  3. Biham, E., Dunkelman, O.: Differential cryptanalysis in stream ciphers. In: IACR Cryptology ePrint Archive, p. 218 (2007)

  4. Chen, J., Miyaji, A.: How to find short RC4 colliding key pairs. In: ISC 2011, vol. 7001 of Lecture Notes in Computer Science, pp. 32–46. Springer

  5. Chen, J., Miyaji, A.: Cryptanalysis of stream ciphers from a new aspect: How to apply key collisions to key recovery attack. In: IEICE Trans., Fundamentals, vol. 95-A(12), pp. 2148–2159 (2012)

  6. Chen, J., Miyaji, A.: Novel strategies for searching RC4 key collisions. Comput. Math. Appl. 66(1), 81–90 (2013). doi:10.1016/j.camwa.2012.09.013

  7. Garman, C., Paterson, K.G., Van der Merwe, T.: Attacks only get better: Password recovery attacks against RC4 in TLS. In: USENIX Security Symposium, pp. 113–128 (2015)

  8. Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: FSE 2013, vol. 8424 of Lecture Notes in Computer Science, pp. 179–202. Springer

  9. Maitra, S., Paul, G., Sen Gupta, S.: Attack on broadcast RC4 revisited. In: Joux, A. (ed.) FSE 2011, vol. 6733 of Lecture Notes in Computer Science, pp. 199–217. Springer

  10. Maitra, S., Paul, G., Sarkar, S., Lehmann, M., Meier, W.: New results on generalization of Roos-type biases and related keystreams of RC4. In: AFRICACRYPT 2013, vol. 7918 of Lecture Notes in Computer Science, pp. 222–239. Springer

  11. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001, vol. 2355 of Lecture Notes in Computer Science, pp. 152–164. Springer

  12. Mantin, I.: Predicting and distinguishing attacks on RC4 Keystream generator. In: EUROCRYPT 2005, vol. 3494 of the Series Lecture Notes in Computer Science, pp. 491–506. Springer

  13. Matsui, M.: Key collisions of the RC4 stream cipher. In: FSE 2009, vol. 5665 of the Series Lecture Notes in Computer Science, pp. 38–50. Springer

  14. Maximov, A., Khovratovich, D.: New state recovery attack on RC4. In: CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 297–316. Springer

  15. Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Plaintext recovery attacks against WPA/TKIP. In: FSE 2014, vol. 8540 of Lecture Notes in Computer Science, pp. 325–349. Springer

  16. Rivest, R.L., Schuldt, J.C.: Spritz–a spongy RC4-like stream cipher and hash function. In: CRYPTO 2014 Rump Session (2014)

  17. Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Tornado attack on RC4 with applications to WEP and WPA. In: IACR Cryptology ePrint Archive, p. 254 (2015)

  18. Vanhoef, M., Piessens, F.: All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS. In: USENIX Security Symposium, pp. 97–112 (2015)

  19. Unoptimized implementations of RC4 collision search algorithms, https://github.com/janaamit001/Our_algo, https://github.com/janaamit001/Chen_Miyaji, https://github.com/janaamit001/Matsui_algo

Author information

Corresponding author

Correspondence to Goutam Paul.

Appendices

Appendix A: Table for theoretical time complexity

Table 6 Complexity comparison of Matsui’s, Chen-Miyaji’s and Our collision search algorithms

Appendix B: Table for experimental average time

Table 7 Average processor time taken to get a single collision for different key sizes in Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz, 2 core, by running a single instance 220 times for the keys with 4, 5, 6, 7 round intervals, 210 times for the keys with 8 round intervals, 25 times for the keys with 9 round intervals and 5 times for the keys with 10 round intervals

Cite this article

Jana, A., Paul, G. Revisiting RC4 key collision: Faster search algorithm and new 22-byte colliding key pairs. Cryptogr. Commun. 10, 479–508 (2018). https://doi.org/10.1007/s12095-017-0231-z

  • DOI: https://doi.org/10.1007/s12095-017-0231-z
