Abstract
If two different secret keys of the stream cipher RC4 yield the same internal state after the key scheduling algorithm (KSA), and hence generate the same sequence of keystream bits, they are called a colliding key pair. The number of possible internal states of the RC4 stream cipher is very large (approximately $2^{1700}$), which makes finding key collisions hard for practical key lengths (i.e., less than 30 bytes). Matsui (2009) reported for the first time a 24-byte colliding key pair and one 20-byte near-colliding key pair (i.e., one for which the state arrays after the KSA differ in at most two positions) for RC4. Subsequently, Chen and Miyaji (2011) designed a more efficient search algorithm using Matsui’s collision pattern and reported a 22-byte colliding key pair, which remains the shortest known colliding key pair so far and the only one of that length. In this paper, we show some limitations of both of the above approaches and propose a faster collision search algorithm that overcomes these limitations. Using our algorithm, we are able to find three additional 22-byte colliding key pairs that are different from the one reported by Chen and Miyaji. We additionally give 12 new 20-byte near-colliding key pairs. These results are significant, considering the argument by Biham and Dunkelman (2007) that for shorter keys there might be no instances of collision at all.
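The definitions of colliding and near-colliding key pairs given in the abstract can be checked mechanically. The following is an added example, not the authors' code: it runs the standard RC4 KSA on two keys and classifies the pair by how many state positions differ. The function names and the sample keys are assumptions made here; the sample is the trivial different-length case (a key and its repetition), not one of the equal-length pairs the paper reports, which this page does not list.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pair_kind { SAME_KEY = -1, COLLIDING = 0, NEAR_COLLIDING = 1, DISTINCT = 2 };

/* Standard RC4 key scheduling algorithm: fills S with the post-KSA permutation. */
static void rc4_ksa(const unsigned char *key, size_t len, unsigned char S[256])
{
    unsigned int i, j = 0;
    for (i = 0; i < 256; i++)
        S[i] = (unsigned char)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % len]) & 0xFF;
        unsigned char t = S[i]; S[i] = S[j]; S[j] = t;
    }
}

/* Number of positions at which two state arrays differ. */
static int state_distance(const unsigned char A[256], const unsigned char B[256])
{
    int i, d = 0;
    for (i = 0; i < 256; i++)
        d += (A[i] != B[i]);
    return d;
}

/* Classify a key pair: identical states = colliding, at most two
 * differing positions = near-colliding (names are hypothetical). */
static enum pair_kind classify_pair(const unsigned char *k1, size_t l1,
                                    const unsigned char *k2, size_t l2)
{
    unsigned char S1[256], S2[256];
    int d;
    if (l1 == l2 && memcmp(k1, k2, l1) == 0)
        return SAME_KEY;                 /* a pair needs two different keys */
    rc4_ksa(k1, l1, S1);
    rc4_ksa(k2, l2, S2);
    d = state_distance(S1, S2);
    return d == 0 ? COLLIDING : (d <= 2 ? NEAR_COLLIDING : DISTINCT);
}

int main(void)
{
    /* Constructed sample: the KSA reads key[i % len], so a key and its
     * repetition drive the schedule identically. */
    const unsigned char a[] = "Key", b[] = "KeyKey";
    printf("pair kind: %d\n", classify_pair(a, 3, b, 6));
    return 0;
}
```

Because the state is a permutation, two post-KSA states can never differ in exactly one position, so a near-colliding pair always differs in exactly two.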
Notes
Processor time is calculated as the difference between the start time and the end time of finding a colliding key pair, divided by CLOCKS_PER_SEC, using the clock() function of the C language.
References
AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: USENIX Security Symposium, pp. 305–320 (2013)
Anonymous. RC4 Source Code. Cypherpunks mailing list (1994). http://cypherpunks.venona.com/date/1994/09/msg00304.html, http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
Biham, E., Dunkelman, O.: Differential cryptanalysis in stream ciphers. In: IACR Cryptology ePrint Archive, p. 218 (2007)
Chen, J., Miyaji, A.: How to find short RC4 colliding key pairs. In: ISC 2011, vol. 7001 of Lecture Notes in Computer Science, pp. 32–46. Springer
Chen, J., Miyaji, A.: Cryptanalysis of stream ciphers from a new aspect: How to apply key collisions to key recovery attack. In: IEICE Trans., Fundamentals, vol. 95-A(12), pp. 2148–2159 (2012)
Chen, J., Miyaji, A.: Novel strategies for searching RC4 key collisions. Comput. Math. Appl. 66(1), 81–90 (2013). doi:10.1016/j.camwa.2012.09.013
Garman, C., Paterson, K.G., Van der Merwe, T.: Attacks only get better: Password recovery attacks against RC4 in TLS. In: USENIX Security Symposium, pp. 113–128 (2015)
Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: FSE 2013, vol. 8424 of Lecture Notes in Computer Science, pp. 179–202. Springer
Maitra, S., Paul, G., Sen Gupta, S.: Attack on broadcast RC4 revisited. In: Joux, A. (ed.) FSE 2011, vol. 6733 of Lecture Notes in Computer Science, pp. 199–217. Springer
Maitra, S., Paul, G., Sarkar, S., Lehmann, M., Meier, W.: New results on generalization of Roos-type biases and related keystreams of RC4. In: AFRICACRYPT 2013, vol. 7918 of Lecture Notes in Computer Science, pp. 222–239. Springer
Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001, vol. 2355 of Lecture Notes in Computer Science, pp. 152–164. Springer
Mantin, I.: Predicting and distinguishing attacks on RC4 keystream generator. In: EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 491–506. Springer
Matsui, M.: Key collisions of the RC4 stream cipher. In: FSE 2009, vol. 5665 of Lecture Notes in Computer Science, pp. 38–50. Springer
Maximov, A., Khovratovich, D.: New state recovery attack on RC4. In: CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 297–316. Springer
Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Plaintext recovery attacks against WPA/TKIP. In: FSE 2014, vol. 8540 of Lecture Notes in Computer Science, pp. 325–349. Springer
Rivest, R.L., Schuldt, J.C.: Spritz–a spongy RC4-like stream cipher and hash function. In: CRYPTO 2014 Rump Session (2014)
Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Tornado attack on RC4 with applications to WEP and WPA. In: IACR Cryptology ePrint Archive, p. 254 (2015)
Vanhoef, M., Piessens, F.: All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS. In: USENIX Security Symposium, pp. 97–112 (2015)
Unoptimized implementations of RC4 collision search algorithms, https://github.com/janaamit001/Our_algo, https://github.com/janaamit001/Chen_Miyaji, https://github.com/janaamit001/Matsui_algo
Appendices
Appendix A: Table for theoretical time complexity
Appendix B: Table for experimental average time
Cite this article
Jana, A., Paul, G. Revisiting RC4 key collision: Faster search algorithm and new 22-byte colliding key pairs. Cryptogr. Commun. 10, 479–508 (2018). https://doi.org/10.1007/s12095-017-0231-z
DOI: https://doi.org/10.1007/s12095-017-0231-z