Abstract
In this paper we first revisit, using a matrix, Mantin's work on the probability distribution of the RC4 permutation after the completion of the KSA. We then extend the same idea to analyse the probabilities during any iteration of the Pseudo Random Generation Algorithm (PRGA). Next, we study the bias of Z_r = r (where Z_r is the r-th output keystream byte), one of the significant biases observed in the RC4 output keystream. This bias played an important role in the plaintext recovery attack proposed by Isobe et al. at FSE 2013. However, an accurate theoretical explanation of the bias of Z_r = r has remained a mystery: although several attempts have been made to prove it, none provides an accurate justification. Here, using the results obtained with the help of the probability transition matrix, we justify the bias of Z_r = r accurately and settle this issue. The bias obtained from our proof matches the experimental observations perfectly.
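As an added illustration (not code from the paper), a small Python simulation that estimates the post-KSA distribution Pr[S_N[u] = v] as an N x N matrix and the keystream rate Pr[Z_r = r] over random keys; the 16-byte key length, the RNG seeds and the sample sizes are constructed assumptions. The post-KSA skew (row u = 0 strongly favours small values) shows up with a few thousand keys, whereas the Z_r = r bias is small and needs far more keys than a quick run uses.

```python
import random

N = 256  # RC4 state size

def ksa(key):
    """RC4 key scheduling: return the permutation S_N produced from `key`."""
    S = list(range(N))
    kx = (list(key) * (N // len(key) + 1))[:N]  # key byte used in round i
    j = 0
    for i in range(N):
        j = (j + S[i] + kx[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def prga(S, n):
    """RC4 PRGA: return the first n keystream bytes Z_1..Z_n from state S."""
    S = S[:]  # copy so the caller's S_N is not modified
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out

def random_key(rng, length=16):
    """Constructed sample input: a uniformly random key of `length` bytes."""
    return bytes(rng.randrange(N) for _ in range(length))

def ksa_distribution(n_keys, seed=1):
    """Estimate the N x N matrix P[u][v] = Pr[S_N[u] = v] over n_keys random keys."""
    rng = random.Random(seed)
    counts = [[0] * N for _ in range(N)]
    for _ in range(n_keys):
        S = ksa(random_key(rng))
        for u in range(N):
            counts[u][S[u]] += 1
    return [[c / n_keys for c in row] for row in counts]

def zr_eq_r_rate(r, n_keys, seed=2):
    """Estimate Pr[Z_r = r] (r >= 1, 1-indexed keystream byte) over n_keys random keys."""
    rng = random.Random(seed)
    hits = sum(prga(ksa(random_key(rng)), r)[r - 1] == r for _ in range(n_keys))
    return hits / n_keys

if __name__ == "__main__":
    P = ksa_distribution(4000)
    # Row u = 0 is far from uniform: values below 128 are strongly favoured.
    print("Pr[S_N[0] < 128] ~", round(sum(P[0][:128]), 3), "(uniform would give 0.5)")
    print("Pr[Z_3 = 3] ~", zr_eq_r_rate(3, 4000), "(compare with 1/N =", 1 / N, ")")
```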
References
AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., Schuldt, J.: On the security of RC4 in TLS. In: USENIX 2013, pp. 305–320. Published online at: http://www.isg.rhul.ac.uk/tls/ (2013)
Biham, E., Carmeli, Y.: Efficient reconstruction of RC4 keys from internal states. In: FSE 2008, LNCS, vol. 5086, pp. 270–288 (2008)
Banik, S., Isobe, T.: Cryptanalysis of the full Spritz stream cipher. In: FSE 2016, LNCS, vol. 9783, pp. 63–77. Available at: https://eprint.iacr.org/2016/092 (2016)
Bricout, R., Murphy, S., Paterson, K.G., van der Merwe, T.: Analysing and exploiting the Mantin biases in RC4. Des. Codes Crypt. 86(4), 743–770 (2018). https://doi.org/10.1007/s10623-017-0355-3
Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. SAC Toronto, Ontario, Canada, August 16–17 (2001)
Fluhrer, S.R., McGrew, D.A.: Statistical analysis of the alleged RC4 keystream generator. In: FSE 2000, LNCS, vol. 1978, pp. 19–30 (2000)
Jha, S., Banik, S., Isobe, T., Ohigashi, T.: Some proofs of joint distribution of keystream biases in RC4. In: INDOCRYPT 2016, LNCS, vol. 10095, pp. 305–321 (2016)
Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: FSE 2013, LNCS, vol. 8424, pp. 179–202 (2013)
Klein, A.: Attacks on the RC4 stream cipher. Des. Codes Crypt. 48(3), 269–286 (2008)
Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis methods for (alleged) RC4. In: ASIACRYPT 1998, LNCS, vol. 1514, pp. 327–341 (1998)
Maitra, S., Paul, G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: FSE 2008, LNCS, vol. 5086, pp. 253–269 (2008)
Maitra, S., Paul, G., Sengupta, S.: Attack on broadcast RC4 revisited. In: FSE 2011, LNCS, vol. 6733, pp. 199–217 (2011)
Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: FSE 2001, LNCS, vol. 2355, pp. 152–164 (2001)
Mantin, I.: Analysis of the stream cipher RC4. Master’s Thesis. The Weizmann Institute of Science, Israel (2001)
Maximov, A., Khovratovich, D.: New state recovery attack on RC4. In: CRYPTO 2008, LNCS, vol. 5157, pp. 297–316 (2008)
Mironov, I.: (Not so) random shuffles of RC4. In: CRYPTO 2002, LNCS, vol. 2442, pp. 304–319 (2002)
Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Big bias hunting in Amazonia: Large-scale computation and exploitation of RC4 biases (invited paper). In: ASIACRYPT 2014, LNCS, vol. 8873, pp. 398–419 (2014)
Paterson, K.G., Schuldt, J.C.N., Poettering, B.: Plaintext recovery attacks against WPA/TKIP. In: FSE 2014, LNCS, vol. 8540, pp. 325–349 (2014)
Paul, G., Maitra, S.: Permutation after RC4 key scheduling reveals the secret key. In: SAC 2007, LNCS, vol. 4876, pp. 360–377 (2007)
Paul, G., Ray, S.: On data complexity of distinguishing attacks versus message recovery attacks on stream ciphers. Des. Codes Crypt. 86(6), 1211–1247 (2018). Available at: https://doi.org/10.1007/s10623-017-0391-z
Paul, G., Ray, S.: Analysis of burn-in period for RC4 state transition. Cryptogr. Commun. 10(5), 881–908 (2018). Available at: https://eprint.iacr.org/2017/175.pdf
Rivest, R.L., Schuldt, J.C.N.: Spritz - a spongy RC4-like stream cipher and hash function. Available at: https://people.csail.mit.edu/rivest/pubs/RS14.pdf (2014)
Sengupta, S., Maitra, S., Meier, W., Paul, G., Sarkar, S.: Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA. In: FSE 2014, LNCS 8540, pp. 350–369. Available at: https://eprint.iacr.org/2013/476.pdf
Sengupta, S., Maitra, S., Paul, G., Sarkar, S.: (Non-)random sequences from (Non-)random permutations - analysis of RC4 stream cipher. J. Cryptol. 27(1), 67–108 (2014). Available at http://eprint.iacr.org/2011/448
Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: SAC 2010, LNCS, vol. 6632, pp. 343–363 (2010)
Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4 - distinguishing WPA. In: EUROCRYPT 2011, LNCS, vol. 6632, pp. 343–363 (2011)
Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Smashing WEP in a passive attack. In: FSE 2013, LNCS, vol. 8424, pp. 155–178 (2013)
Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Tornado attack on RC4 with applications to WEP & WPA. IACR cryptology ePrint archive. Available at https://eprint.iacr.org/2015/254.pdf (2015)
Vanhoef, M., Piessens, F.: All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS. USENIX 2016, pp. 1–16. Available at https://www.rc4nomore.com/vanhoef-usenix2015.pdf (2016)
Acknowledgments
We are sincerely thankful to the anonymous reviewers for their detailed review comments. Their suggestions improved the editorial quality of the paper.
Cite this article
Dey, S., Sarkar, S. Settling the mystery of Zr = r in RC4. Cryptogr. Commun. 11, 697–715 (2019). https://doi.org/10.1007/s12095-018-0323-4