Analysis of burn-in period for RC4 state transition

Abstract

The internal state of RC4 stream cipher is a permutation over \({\mathbb Z}_{N}\) and its state transition is effectively a transposition or swapping of two elements. How the randomness of RC4 state evolves due to its state transitions has been studied for many years. As the number of swaps increases, the state comes closer to a uniform random permutation. We define the burn-in period of RC4 state transition as the number of swaps required to make the state very close to uniform random permutation under some suitably defined distance measure. Earlier, Mantin in his Master’s thesis (2001) performed an approximate analysis of the burn-in period. In this paper, we perform a rigorous analysis of the burn-in period and in the process derive the exact distribution of the RC4 state elements at any stage.

Appendix A: Proof of Theorem 7

Recall our previous notation that \(p=\frac {1}{N}\) and q = 1 − p. Recall the definition of A. Note that the k-th row of A looks like

$$(p(1-q^{N-k}),\ldots,p(q^{k-1}-q^{N-1}),pq^{k},\ldots,pq^{N-1}), \; \forall \; 1 \leq k \leq N. $$

One observation which we shall use repeatedly in the proof is that \((1-\frac {1}{N})^{N}\), i.e., q^N is increasing in N, while q^N− 1 is decreasing in N. This can be proved simply by differentiating the functions \((1-\frac {1}{x})^{x}\) and \((1-\frac {1}{x})^{x-1}\) respectively.

Case 1: :

N is even

Let J denotes a subset of size \(\frac {N}{2}\) of the index set {1, …, N}. Then

$$\begin{array}{@{}rcl@{}} ||A||_{M} &:=& \max\limits_{1 \leq i \leq N} \left[ \sum\limits_{j = 1}^{\frac{N}{2}} a_{i(j)} - \sum\limits_{j=\frac{N}{2}+ 1}^{N} a_{i(j)} \right] = \max\limits_{1 \leq i \leq N} \max\limits_{J} \left[ \sum\limits_{j \in J} a_{ij} - \sum\limits_{j \notin J} a_{ij} \right] \\ &=& \max\limits_{1 \leq i \leq N} \left[ \max\limits_{J} \left[2 \sum\limits_{j \in J} a_{ij} \right] - \sum\limits_{j = 1}^{N} a_{ij} \right]. \end{array} $$

The first row of A is p(1 − q^N− 1, q, …, q^N− 1); and let us define, \( 2p(1+q+\cdots +q^{\frac {N}{2}-1}-q^{N-1}) - p(1+\cdots +q^{N-2}) =: I\). Let us take a closure look of the structure of row k of A. Note that, a_k1 > ⋯ > a _{k k} ; a_{k, k+ 1} > ⋯ > a_{k, N}. Therefore,

$$\max\limits_{J} \left[\sum\limits_{j \in J} a_{kj} \right] = \max\limits_{(l,m) \in \mathcal{Q}_{k}} \left[\sum\limits_{i = 1}^{l} a_{k,k+i} + \sum\limits_{j = 1}^{m} a_{k,j} \right] ,$$

where \(\mathcal {Q}_{k} := \left \{ (l,m) |\; l,m \geq 0;\; l+m =\frac {N}{2}, k+l \leq N, m \leq k \right \}\). So, let us define,

$$\begin{array}{@{}rcl@{}} D_{k,l,m} &:=\!& 2\left[\sum\limits_{i = 1}^{l} a_{k,k+i} \,+\, \sum\limits_{j = 1}^{m} a_{k,j} \right] \,-\, \sum\limits_{j = 1}^{N} a_{kj} \\ &\,=\,& 2p(q^{k} \,+\, {\cdots} \,+\, q^{k+l-1}\,+\,(1\,-\,q^{N-k})\,+\,\cdots\,+\,(q^{m-1}\,-\,q^{N+m-k-1})) \,-\, p(1\,+\,\cdots\,+\,q^{N-k-1}). \end{array} $$

Our target is to show

$${} D_{k,l,m} \leq I , \; \forall (l,m) \in \mathcal{Q}_{k}, k \in \left\{1,\ldots,N\right\}. $$

(11)

We shall only show for N ≥ 10. For smaller values of N, i.e., N = 2, 4, 6, 8, the correctness of the result can be checked directly by calculating the matrix A.

Let us consider first the case k = 1. Then m = 0, 1, and \(D_{1,\frac {N}{2}-1,1}=I\). So, it is enough to show \(1-q^{N-1}\geq q^{\frac {N}{2}}\), as this will imply that \(D_{1,\frac {N}{2}, 0} \leq D_{1,\frac {N}{2}-1,1}\). Now we have, q^N− 1 decreasing in N and hence, \(q^{N-1}+q^{\frac {N-1}{2}}\) is decreasing in N. Therefore,

$$q^{N-1}+q^{\frac{N}{2}} \leq q^{N-1}+q^{\frac{N-1}{2}} \leq \left( \frac{15}{16}\right)^{15}+\left( \frac{15}{16}\right)^{7.5} <1, \;\; \forall \; N \geq 16.$$

For smaller values of N, we have to check directly from the expression.

Now, we have to consider the case where k ≥ 2. First consider l, m > 0. Then, \(0 < l,m < \frac {N}{2}\), and

$$\begin{array}{@{}rcl@{}} I\,-\,D_{k,l,m} & \,=\,& 2p\left( \sum\limits_{i = 0}^{\frac{N}{2}-1} q^{i} \,-\, \sum\limits_{i = 0}^{m-1}q^{i} \,+\, \sum\limits_{j=N-k}^{N-k+m-1}q^{j} \,-\, \sum\limits_{j=k}^{k+l-1} q^{j} \,-\, q^{N-1}\right) \,-\, p\sum\limits_{j = 0}^{N-2}q^{j} \,+\, p\sum\limits_{j = 0}^{N-k-1} q^{j}\\ &\,=\,& 2p\left( \sum\limits_{i=m}^{\frac{N}{2}-1} q^{i} \,+\, \sum\limits_{j=N-k}^{N-k+m-1}q^{j} \,-\, \sum\limits_{j=k}^{k+l-1} q^{j} \,-\, q^{N-1}\right) \,-\, p\sum\limits_{j=N-k}^{N-2}q^{j}. \end{array} $$

Therefore, it is enough to show that

$${} 2\left( \sum\limits_{i=m}^{\frac{N}{2}-1} q^{i} + \sum\limits_{j=N-k}^{N-k+m-1}q^{j} - \sum\limits_{j=k}^{k+l-1} q^{j} - q^{N-1}\right) \geq \sum\limits_{j=N-k}^{N-2}q^{j}. $$

(12)

Note that, if m > k − 2, i.e. m = k − 1, k, then

$$\sum\limits_{i=m}^{\frac{N}{2}-1} q^{i} - \sum\limits_{j=k}^{k+l-1} q^{j} \,=\, \sum\limits_{i=m}^{m+l-1} q^{i} - \sum\limits_{i=k}^{k+l-1} q^{i} \!\geq\! 0,\;\; \text{and} \sum\limits_{j=N-k}^{N-k+m-1}q^{j} \!\geq\! \sum\limits_{j=N-k}^{N-2}q^{j}; \; \sum\limits_{j=N-k}^{N-k+m-1}q^{j} \geq q^{N-1},$$

which ensures that (12) holds true. So, now we should consider only the case m ≤ k − 2. Then \(m + 2 \leq k \leq \frac {N}{2}+m\) as k + l ≤ N. In this case, we can simplify (12) and conclude that it is enough to show the following.

$${} 2(1-q^{k-m})\left( \sum\limits_{i=m}^{\frac{N}{2}-1}q^{i}\right) + \sum\limits_{j=k}^{N-k+m-1} q^{j} - \sum\limits_{j=N-k+m}^{N-2} q^{j} - 2q^{N-1} \geq 0, $$

(13)

which, after some simplification, yields

$$2(1-q^{l})q^{k-N}(1-q^{k-m})+(2q-1)q^{k-m-1}+q^{-m} \geq 2.$$

Let us define,

$$u_{N,m} := 2(1-q^{\frac{N}{2}-m})q^{-N}; \; v_{N,m} = (2q-1)q^{-m-1},\;\; \text{and} \;\; E_{k,N,m} := u_{N,m}(q^{k}-q^{2k-m})+v_{N,m}q^{k}+q^{-m},$$

and therefore we have to show E_{k, N, m} ≥ 2. Note that

$$E_{k,N,m}-E_{k + 1,N,m} = pq^{k}\left[u_{N,m}(1-(1+q)q^{k-m})+v_{N,m}\right],$$

and u_{N, m}(1 − (1 + q)q^k−m) + v_{N, m} is an non-decreasing function of k when n, m are held at constant. Therefore,

$$E_{k,N,m} \geq E_{k + 1,N,m} \Rightarrow E_{k + 1,N,m} \geq E_{k + 2,N,m},$$

i.e., when E_{k, N, m} starts increasing, it goes on increasing. Therefore, to find the minimum it is enough to search at the extremes, i.e., at k = m + 2 and \(k=m+\frac {N}{2}\). We shall instead search for the minimum at \(k=m,m+\frac {N}{2}\), as it will suffice. Note that, E_{m, N, m} = 2 − q^− 1 + q^−m ≥ 2, as m > 0,and \(E_{m+\frac {N}{2},N,m}\) is equal to

$$\begin{array}{@{}rcl@{}} 2(1\,-\,q^{\frac{N}{2}-m})q^{m-\frac{N}{2}}(1\,-\,q^{\frac{N}{2}}) \,+\, (2q\,-\,1)q^{\frac{N}{2}-1}\,+\, q^{-m}&\,=\,& q^{m-\frac{N}{2}}\,-\,2q^{m}\,+\, 4q^{\frac{N}{2}}\,-\,q^{\frac{N}{2}-1}\,+\,(q^{m-\frac{N}{2}}\,+\,q^{-m}) \,-\,2 \\ & \geq & q^{m-\frac{N}{2}}-2q^{m}+ 4q^{\frac{N}{2}}-q^{\frac{N}{2}-1}+ 2q^{-\frac{N}{4}} -2, \end{array} $$

where the last expression is increasing in m because \(q^{N} \geq \frac {1}{4}\), which implies \(q^{-\frac {N}{2}} \leq 2\). Therefore, it is enough to check at m = 0, which gives us

$$\begin{array}{@{}rcl@{}} E_{m+\frac{N}{2},N,m} &\geq& q^{-\frac{N}{2}}+ 2q^{-\frac{N}{4}}+ 4q^{\frac{N}{2}}-q^{\frac{N}{2}-1} - 4 \\ & = & q^{-\frac{N}{2}}+ 2q^{-\frac{N}{4}} + \left( 3-\frac{p}{q}\right)q^{\frac{N}{2}} -4 \\ & \geq & q^{-\frac{N}{2}}+ 2q^{-\frac{N}{4}} + \left( 3-\frac{1}{17}\right)q^{\frac{N}{2}} -4, \; \forall \; N \geq 18; \end{array} $$

Now consider the function \(x \longrightarrow x + 2\sqrt {x}+(3-\frac {1}{17})\frac {1}{x}\), and it can easily be seen by differentiating that this function is increasing when \(x^{2}+x^{\frac {3}{2}} \geq (3-\frac {1}{17})\). Now, we know, \(q^{-\frac {N}{2}}\) is decreasing in N, and hence, \(q^{-\frac {N}{2}} \geq \lim_{N \rightarrow \infty } q^{-\frac {N}{2}} = \sqrt {e}\) and \(e+e^{\frac {3}{4}} \geq (3-\frac {1}{17})\). Therefore we have that the function \( q^{-\frac {N}{2}}+ 2q^{-\frac {N}{4}} + (3-\frac {1}{17})q^{\frac {N}{2}} -4\) is decreasing in N and therefore the minimum value is the limiting value when N goes to ∞, i.e., \(\sqrt {e}+ 2e^{\frac {1}{4}}+(3-\frac {1}{17})\frac {1}{\sqrt {e}}-4 > 2\). Hence, \(E_{m+\frac {N}{2},N,m} \geq 2, \; \forall \; N \geq 18\). And for smaller values of N, i.e., for N = 10, 12, 14, 16, we can directly check by calculating \(q^{-\frac {N}{2}}+ 2q^{-\frac {N}{4}}+ 4q^{\frac {N}{2}}-q^{\frac {N}{2}-1} - 4\). So, we are done with the first case of the proof except for the case that l = 0 or m = 0.

Note that, \(q^{k}+q^{N-k} \geq 2q^{\frac {N}{2}} \geq 2(1/2) = 1\), as q^N is increasing in N. This implies that, a_{k, k+ 1} ≥ a_k1, which in turn implies that \(I \geq D_{k,1,\frac {N}{2}-1} \geq D_{k, 0,\frac {N}{2}}\). Therefore, the case for l = 0 is solved.

Now, \(k>\frac {N}{2}\) implies \(l \leq N-k < \frac {N}{2} \), and hence, m > 0. So, we need to consider \(1 \leq k \leq \frac {N}{2}\). Note that it is enough to prove that

$$q^{k+\frac{N}{2}-1} + q^{N-k} < 1,$$

as it guarantees \(a_{k1}< a_{k,k+\frac {N}{2}}\), which implies \(D_{k,\frac {N}{2}, 0} < D_{k,\frac {N}{2}-1,1} \leq I\). Now,

$$(q^{k+\frac{N}{2}-1}+q^{N-k}) - (q^{k + 1+\frac{N}{2}-1}+q^{N-k-1}) = q^{k+\frac{N}{2}-1}(1-q)-q^{N-k-1}(1-q)\,=\,(1-q)q^{N-k-1}(q^{2k-\frac{N}{2}}-1).$$

Therefore, \(q^{k+\frac {N}{2}-1} + q^{N-k}\) is at first decreasing and then increasing as k varies from 1 to \(\frac {N}{2}\). Hence for the maximum value, it is enough to check at \(k = 1,\frac {N}{2}\), and at both of these points the value is \(q^{\frac {N}{2}}+q^{\frac {N}{2}}\) which has already been proven to be less than 1. Therefore,

$$\begin{array}{@{}rcl@{}} ||A||_{M} &=& I = 2p(1+q+\cdots+q^{\frac{N}{2}-1}-q^{N-1}) - p(1+\cdots+q^{N-2}) \\ &=& 1-2q^{\frac{N}{2}}-q^{N-1}+ 2q^{N}. \end{array} $$

Case 2: :

N is odd

We shall follow similar technique as used in the even case. Let J denote a subset of size \(\frac {N-1}{2}\) of the index set {1, …, N}, and u denote a single index from the same set. Then

$$\begin{array}{@{}rcl@{}} ||A||_{M} &:=& \max\limits_{1 \leq i \leq N} \left[ \sum\limits_{j = 1}^{\frac{N + 1}{2}} a_{i(j)} - \sum\limits_{j=\frac{N + 1}{2}}^{N} a_{i(j)} \right] = \max\limits_{1 \leq i \leq N} \max\limits_{J,u : u \notin J} \left[ \sum\limits_{j \in J} a_{ij} - \sum\limits_{j \notin J,j \not = u} a_{ij} \right] \\ &=& \max\limits_{1 \leq i \leq N} \left[ \max\limits_{J,u:u \notin J} \left[2 \sum\limits_{j \in J} a_{ij}+a_{iu} \right] - \sum\limits_{j = 1}^{N} a_{ij} \right]. \end{array} $$

The first row of A is p(1 − q^N− 1, q, …, q^N− 1); and let us define,

$$2p(1+q+\cdots+q^{\frac{N-1}{2}-1}-q^{N-1})+pq^{\frac{N-1}{2}} - p(1+\cdots+q^{N-2}) =: I.$$

As expected from previous experience, here also we have, a_k1 > ⋯ > a _{k k} ; a_k,k+ 1 > ⋯ > a_k,N. Therefore,

$$\max\limits_{J,u:u \notin J} \!\left[2\sum\limits_{j \in J} a_{kj}+a_{ku} \right] \,=\, \max\limits_{(l,m) \in \mathcal{Q}_{k}} \!\left[2\sum\limits_{i = 1}^{l} a_{k,k+i} \,+\, 2\sum\limits_{j = 1}^{m} a_{kj}\,+\,a_{k,k+l + 1} ,2\sum\limits_{i = 1}^{l} a_{k,k+i} \,+\, 2\sum\limits_{j = 1}^{m} a_{kj}\,+\,a_{k,m + 1} \right],$$

where \(\mathcal {Q}_{k} := \left \{ (l,m) |\; l,m \geq 0;\; l+m =\frac {N-1}{2}, k+l \leq N, m \leq k \right \}\). So, let us define, for l < N − k,

$$\begin{array}{@{}rcl@{}} D^{\prime}_{k,l,m} &:=& 2\left[\sum\limits_{i = 1}^{l} a_{k,k+i} + \sum\limits_{j = 1}^{m} a_{kj}+a_{k,k+l + 1} \right] - \sum\limits_{j = 1}^{N} a_{kj} \\ &=& 2p(q^{k} + {\cdots} + q^{k+l-1}+(1-q^{N-k})+\cdots+(q^{m-1}-q^{N+m-k-1}))\\&&+pq^{k+l} - p(1+\cdots+q^{N-k-1}), \end{array} $$

and for m < k,

$$\begin{array}{@{}rcl@{}} D^{\prime \prime}_{k,l,m} &:=& 2\left[\sum\limits_{i = 1}^{l} a_{k,k+i} + \sum\limits_{j = 1}^{m} a_{kj}+a_{k,m + 1} \right] - \sum\limits_{j = 1}^{N} a_{kj} \\ &=& 2p(q^{k} + {\cdots} + q^{k+l-1}+(1-q^{N-k})+\cdots+(q^{m-1}-q^{N+m-k-1}))\\ &&+p(q^{m}-q^{m+N-k}) - p(1+\cdots+q^{N-k-1}). \end{array} $$

Our target is to show

$${} D^{\prime}_{k,l,m},D^{\prime \prime}_{k,l,m} \leq I , \; \forall (l,m) \in \mathcal{Q}_{k}, k \in \left\{1,\ldots,N\right\}, $$

(14)

and where they are defined. After this part, the proof is completely similar to the proof for the even part. So, to avoid the repetition of the calculations, we just sketch the next part of the proof.

Let us first consider the case for \(D^{\prime }_{k,l,m}\). Let us consider first the case k = 1. Then m = 0, 1, and \(D^{\prime }_{1,\frac {N-1}{2}-1,1}=I\). So, it is enough to show that \(1-q^{N-1}\geq q^{\frac {N-1}{2}}\), as this will imply that \(D^{\prime }_{1,\frac {N-1}{2}, 0} \leq D^{\prime }_{1,\frac {N-1}{2}-1,1}\). Now we have, q^N− 1 decreasing in N and hence, \(q^{N-1}+q^{\frac {N-1}{2}}\) decreasing in N. Therefore,

$$q^{N-1}+q^{\frac{N-1}{2}} \leq \left( \frac{14}{15}\right)^{14}+\left( \frac{14}{15}\right)^{7} <1, \;\; \forall \; N \geq 15.$$

The situations with l = 0, m = 0 and m ≥ k − 1 are solved similar to the even case. For, l, m > 0 and m ≤ k − 2 case, simplifying the expression we see that it is enough to show

$$E_{k,N,m}^{\prime}:= 2(1-q^{l})q^{k-N}(1-q^{k-m})+(2q-1)q^{k-m-1}+q^{-m}+pq^{k-m-\frac{N + 1}{2}}-pq^{2k+l-N-m} \!\geq\! 2.$$

Considering it as a function of k only, keeping N, m fixed, we see that

$$\frac{E_{k,N,m}^{\prime}-E_{k + 1,N,m}^{\prime}}{pq^{k}}$$

is increasing in k. Therefore, \(E_{k,N,m}^{\prime }\) can have minimum only at two ends, i.e., at \(k=m,m+\frac {N + 1}{2}\).

$$E_{m,N,m}^{\prime} = (2q-1)q^{-1}+q^{-m} \geq 2.$$

$$\begin{array}{@{}rcl@{}} E^{\prime}_{\frac{N + 1}{2}+m,N,m} &=& 2q^{m-\frac{N-1}{2}} - 2q^{m + 1}+ 4q^{\frac{N + 1}{2}}-q^{\frac{N-1}{2}}+q^{-m}-2+p-pq^{\frac{N + 1}{2}} \\ & \geq & q^{m-\frac{N-1}{2}}+ 2q^{-\frac{N-1}{4}}-2q^{m + 1}+ 4q^{\frac{N + 1}{2}}-q^{\frac{N-1}{2}}-2+p-pq^{\frac{N + 1}{2}}, \end{array} $$

and the final RHS term is increasing in m as \(q^{-\frac {N + 1}{2}} \leq 2\). So, it is enough to check at m = 0. Thus, it is enough to show,

$$q^{-\frac{N-1}{2}}+ 2q^{-\frac{N-1}{4}}-2q + 4q^{\frac{N + 1}{2}}-q^{\frac{N-1}{2}}-2+p-pq^{\frac{N + 1}{2}} \geq 2.$$

The LHS converges to \(\sqrt {e}+ 2e^{\frac {1}{4}}+ 3\frac {1}{\sqrt {e}}-4 > 2\). So, after some N LHS will be greater than 2. For some initial terms, we have to check directly. Now for the last case, we have to show that \(D^{\prime \prime }_{k,l,m} \leq I\). The cases for l = 0, m = 0 and m ≥ k − 1 are easy to handle. For l, m > 0 and m ≤ k − 2, simplifying the expression we see that it is enough to show,

$$E^{\prime\prime}_{k,N,m} \,=\, 2(1-q^{l})q^{k-N}(1-q^{k-m})+(2q-1)q^{k-m-1}+q^{-m}+pq^{k-m-\frac{N + 1}{2}}-pq^{k-N} +p \!\geq\! 2.$$

It is easy to observe that

$$\frac{E_{k,N,m}^{\prime\prime}-E_{k + 1,N,m}^{\prime\prime}}{pq^{k}}$$

is increasing in k considering N, m fixed. So, \(E^{\prime \prime }_{k,N,m}\) can have minimum only at the two ends, \(k=m + 1,m+\frac {N + 1}{2}\). Let us define,

$$E^{\prime\prime}_{m + 1,N,m}=:F_{m,N}.$$

Observe that, F_{m, N} − F_{m+ 1, N} is decreasing in m and F_{0, N} − F_{1, N} = q^−Np(p(2q − 1) − q^N− 1) ≤ 0,as 2q + q^N− 2 ≥ 2. Therefore, F_{m, N} − F_{m+ 1, N} ≤ 0, and hence, F_{m, N} will be minimum at m = 1(as m = 0 case is done separately) and observe that,

$$\frac{F_{1,N}-2}{p} \longrightarrow e-\sqrt{e}+ 1 > 0.$$

Therefore, F_{1, N} ≥ 2 after some terms and those cases are easy to check. This finishes checking at k = m + 1. For the other end point,

$$\begin{array}{@{}rcl@{}} E^{\prime\prime}_{\frac{N + 1}{2}+m,N,m} &=& 2q^{m-\frac{N-1}{2}} - 2q^{m + 1}+ 4q^{\frac{N + 1}{2}}-q^{\frac{N-1}{2}}+q^{-m}-2+p-pq^{m-\frac{N-1}{2}}+p \\ & \geq & q^{m-\frac{N-1}{2}}+ 2q^{-\frac{N-1}{4}}-2q^{m + 1}+ 4q^{\frac{N + 1}{2}}-q^{\frac{N-1}{2}}-2 + 2p-pq^{m-\frac{N-1}{2}}, \end{array} $$

and the final RHS term is increasing in m as \(q^{-\frac {N + 1}{2}} \leq 2\). So, it is enough to check at m = 0. Thus, it is enough to show that

$$q^{-\frac{N-1}{2}}+ 2q^{-\frac{N-1}{4}}-2q + 4q^{\frac{N + 1}{2}}-q^{\frac{N-1}{2}}-2 + 2p-pq^{-\frac{N-1}{2}} \geq 2.$$

The LHS converges to \(\sqrt {e}+ 2e^{\frac {1}{4}}+ 3\frac {1}{\sqrt {e}}-4 > 2\). So, after some N, the LHS will be greater than 2. For some initial terms, we have to check directly. Then simplifying for the expression of I, we get

$$|| A||_{M} = 1-q^{\frac{N-1}{2}}-q^{\frac{N + 1}{2}}-q^{N-1}+ 2q^{N}.$$

This completes the proof.