Settling the mystery of Z_r = r in RC4

Cryptography and Communications

Abstract

In this paper we first revisit, using a probability transition matrix, Mantin's work on the probability distribution of the RC4 permutation after the completion of the KSA. We then extend the same idea to analyse the probabilities during any iteration of the Pseudo Random Generation Algorithm (PRGA). Next, we study the bias Z_r = r (where Z_r is the r-th output keystream byte), one of the significant biases observed in the RC4 output keystream. This bias played an important role in the plaintext recovery attack proposed by Isobe et al. at FSE 2013. However, an accurate theoretical explanation of the bias Z_r = r has remained a mystery: although several attempts have been made to prove it, none of them provides an accurate justification. Here, using the results obtained with the help of the probability transition matrix, we justify the bias Z_r = r accurately and settle this issue. The bias obtained from our proof matches the experimental observations perfectly.
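As an added example (not code from the paper), the following is a plain RC4 implementation of the KSA and PRGA the abstract names, together with a seeded estimate of Pr[Z_r = r] over constructed random 16-byte keys. The Z_r = r bias is weak enough that tens of thousands of keys will not separate it from the uniform 1/N; the much stronger Mantin and Shamir bias Pr[Z_2 = 0] is counted alongside because it does show up at this sample size, which illustrates why the Z_r = r bias was hard to settle empirically. Function names (`ksa`, `prga`, `estimate_biases`) are this example's own.

```python
import random

N = 256

def ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: return the permutation S_N after N swaps."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def prga(S: list, nbytes: int) -> bytes:
    """Pseudo Random Generation Algorithm: return Z_1 .. Z_nbytes (works on a copy of S)."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)

def estimate_biases(num_keys: int, max_r: int, seed: int = 1) -> dict:
    """Observed Pr[Z_r = r] for 1 <= r <= max_r (max_r >= 2), plus Pr[Z_2 = 0],
    over num_keys 16-byte keys drawn from a seeded PRNG (constructed sample
    keys, so the run is reproducible). Compare the values against 1/N."""
    rng = random.Random(seed)
    hits = [0] * (max_r + 1)          # hits[r] counts keys with Z_r == r
    z2_zero = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        Z = prga(ksa(key), max_r)     # Z[r-1] is the paper's Z_r (1-indexed)
        for r in range(1, max_r + 1):
            if Z[r - 1] == r:
                hits[r] += 1
        if Z[1] == 0:                 # Mantin-Shamir bias, about 2/N
            z2_zero += 1
    probs = {f"Z_{r}=r": hits[r] / num_keys for r in range(1, max_r + 1)}
    probs["Z_2=0"] = z2_zero / num_keys
    return probs

if __name__ == "__main__":
    for event, p in estimate_biases(50000, 8).items():
        print(f"{event:6s} observed {p:.5f}  uniform {1 / N:.5f}")
```

With 50,000 keys the Z_2 = 0 row sits near 0.0078 while every Z_r = r row stays within sampling noise of 0.0039; resolving the latter bias needs orders of magnitude more keys, which is the gap the paper's proof closes.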

References

  1. AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., Schuldt, J.: On the security of RC4 in TLS. In: USENIX 2013, pp. 305–320. http://www.isg.rhul.ac.uk/tls/ (2013)

  2. Biham, E., Carmeli, Y.: Efficient reconstruction of RC4 keys from internal states. In: FSE 2008, LNCS, vol. 5086, pp. 270–288 (2008)

  3. Banik, S., Isobe, T.: Cryptanalysis of the full Spritz stream cipher. In: FSE 2016, LNCS, vol. 9783, pp. 63–77. https://eprint.iacr.org/2016/092 (2016)

  4. Bricout, R., Murphy, S., Paterson, K.G., van der Merwe, T.: Analysing and exploiting the Mantin biases in RC4. Des. Codes Crypt. 86(4), 743–770 (2018). https://doi.org/10.1007/s10623-017-0355-3

  5. Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: SAC 2001, Toronto, Ontario, Canada, August 16–17 (2001)

  6. Fluhrer, S.R., McGrew, D.A. (2000)

  7. Jha, S., Banik, S., Isobe, T., Ohigashi, T.: Some proofs of joint distribution of keystream biases in RC4. In: INDOCRYPT 2016, LNCS, vol. 10095, pp. 305–321 (2016)

  8. Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: FSE 2013, LNCS, vol. 8424, pp. 179–202 (2013)

  9. Klein, A.: Attacks on the RC4 stream cipher. Des. Codes Crypt. 48(3), 269–286 (2008)

  10. Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis methods for (alleged) RC4. In: ASIACRYPT 1998, LNCS, vol. 1514, pp. 327–341 (1998)

  11. Maitra, S., Paul, G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: FSE 2008, LNCS, vol. 5086, pp. 253–269 (2008)

  12. Maitra, S., Paul, G., Sengupta, S.: Attack on broadcast RC4 revisited. In: FSE 2011, LNCS, vol. 6733, pp. 199–217 (2011)

  13. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: FSE 2001, LNCS, vol. 2355, pp. 152–164 (2001)

  14. Mantin, I.: Analysis of the stream cipher RC4. Master's thesis, The Weizmann Institute of Science, Israel (2001)

  15. Maximov, A., Khovratovich, D.: New state recovery attack on RC4. In: CRYPTO 2008, LNCS, vol. 5157, pp. 297–316 (2008)

  16. Mironov, I.: (Not so) random shuffles of RC4. In: CRYPTO 2002, LNCS, vol. 2442, pp. 304–319 (2002)

  17. Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Big bias hunting in Amazonia: large-scale computation and exploitation of RC4 biases (invited paper). In: ASIACRYPT 2014, LNCS, vol. 8873, pp. 398–419 (2014)

  18. Paterson, K.G., Schuldt, J., Poettering, B.: Plaintext recovery attacks against WPA/TKIP. In: FSE 2014, LNCS, vol. 8540, pp. 325–349 (2014)

  19. Paul, G., Maitra, S.: Permutation after RC4 key scheduling reveals the secret key. In: SAC 2007, LNCS, vol. 4876, pp. 360–377 (2007)

  20. Paul, G., Ray, S.: On data complexity of distinguishing attacks versus message recovery attacks on stream ciphers. Des. Codes Crypt. 86(6), 1211–1247 (2018). https://doi.org/10.1007/s10623-017-0391-z

  21. Paul, G., Ray, S.: Analysis of burn-in period for RC4 state transition. Cryptogr. Commun. 10(5), 881–908 (2018). https://eprint.iacr.org/2017/175.pdf

  22. Rivest, R.L., Schuldt, J.C.N.: Spritz - a spongy RC4-like stream cipher and hash function. https://people.csail.mit.edu/rivest/pubs/RS14.pdf

  23. Sengupta, S., Maitra, S., Meier, W., Paul, G., Sarkar, S.: Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In: FSE 2014, LNCS, vol. 8540, pp. 350–369. https://eprint.iacr.org/2013/476.pdf (2014)

  24. Sengupta, S., Maitra, S., Paul, G., Sarkar, S.: (Non-)random sequences from (non-)random permutations - analysis of RC4 stream cipher. J. Cryptol. 27(1), 67–108 (2014). http://eprint.iacr.org/2011/448

  25. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: SAC 2010, LNCS, vol. 6632, pp. 343–363 (2010)

  26. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4 - distinguishing WPA. In: EUROCRYPT 2011, LNCS, vol. 6632, pp. 343–363 (2011)

  27. Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Smashing WEP in a passive attack. In: FSE 2013, LNCS, vol. 8424, pp. 155–178 (2013)

  28. Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Tornado attack on RC4 with applications to WEP & WPA. IACR Cryptology ePrint Archive. https://eprint.iacr.org/2015/254.pdf (2015)

  29. Vanhoef, M., Piessens, F.: All your biases belong to us: breaking RC4 in WPA-TKIP and TLS. In: USENIX 2016, pp. 1–16. https://www.rc4nomore.com/vanhoef-usenix2015.pdf (2016)

Acknowledgments

We are sincerely thankful to the anonymous reviewers for their detailed review comments. Their suggestions improved the editorial quality of the paper.

Author information

Correspondence to Sabyasachi Dey.

About this article

Cite this article

Dey, S., Sarkar, S. Settling the mystery of Zr = r in RC4. Cryptogr. Commun. 11, 697–715 (2019). https://doi.org/10.1007/s12095-018-0323-4
