
Information Sciences

Volume 177, Issue 7, 1 April 2007, Pages 1715-1727

Finding an internal state of RC4 stream cipher

https://doi.org/10.1016/j.ins.2006.10.010

Abstract

RC4 is a stream cipher widely deployed in software applications because of its simplicity and efficiency. This paper presents a cryptanalytic attack that employs a tree representation of the cipher and introduces an abstraction, called general conditions, for managing the information about its internal state. To find the initial state, the tree of general conditions is searched with a hill-climbing strategy. The complexity of this attack is lower than that of an exhaustive search. The attack is derived from a general cryptanalytic approach for a class of table-shuffling ciphers, whose next-state function permutes the table entries. By incorporating the general conditions into the existing backtracking algorithm, the estimated complexity of the attack is decreased below the best published result, but RC4 still remains a quite secure cipher in practice.

Introduction

RC4 is a stream cipher widely deployed in software applications because of its simplicity and efficiency. The RC4 keystream generator (Ron's Code #4, RSA Data Security Inc., 1987) is based on the table-shuffling principle and is designed for fast software implementation [14]. It is used in many commercial products, including Lotus Notes, Oracle Secure SQL and Microsoft Windows, as well as in some standards such as the Secure Sockets Layer standard SSL 3.0.

RC4 is, in fact, a family of algorithms parameterized by a positive integer n, which denotes the width in bits of both a table entry and an output symbol (usually n = 8). The initial table is derived from a secret key. The table varies slowly over time steps: in each step two entries indexed by two pointers are swapped, while all other entries remain the same. The output function then determines the position in the table whose value is used as the output symbol. The sequence of output symbols forms the keystream, which is XORed with the plaintext to produce the ciphertext. Since the output sequence depends on the initial table only, knowledge of this table is enough to generate the output sequence without knowing the secret key.

Cryptanalytic research on the RC4 stream cipher has mainly been devoted to the statistical analysis of the RC4 output sequence [1], [3], [4], [7], [10], [11], or to weaknesses of the RC4 initialization [2], [5], [13], which can serve for distinguishing RC4. It is still an open question whether these results can be used in the practical cryptanalysis of RC4. Although this stream cipher was published in 1994, concrete cryptanalytic algorithms have been very rare in the literature up to now. At present, the most important algorithms for recovering the RC4 state are the one formulated by Knudsen et al. [6] and a very similar one by Mister and Tavares [9]. These algorithms exploit the combinatorial nature of RC4 to reduce the search space, improving over exhaustive search. Although they pose no real threat to the security of the cipher, the mentioned algorithms could be used to complete the internal state when some additional information is given [8].

In this paper, our efforts in the cryptanalysis of the RC4 stream cipher are devoted to finding the maximum amount of information about the current state that is available at a given time, and to formulating a cryptanalytic attack based on this information. To that end, we propose the tree representation [16] of the RC4 algorithm, which consists of a set of trees, one for each output symbol. The nodes and branches of these trees encompass all information available at a given time. However, since the trees grow quickly, we cannot exploit all available information in the attack in practice; this problem is inherent in all other attacks as well. In our algorithm we propose an analytical abstraction of the tree information, named the general conditions, so that a reasonable amount of information can be considered [15]. Each general condition effectively represents all conditions from a subtree. The general conditions are organized into a tree structure, and our algorithm searches this tree with a hill-climbing strategy to find the internal state. The information gained from general conditions can also be used in other attacks on RC4 to increase their efficiency; in this paper we suggest such a modification of the backtracking algorithm given in Ref. [6].

The rest of the paper is organized as follows. The general approach to the cryptanalysis of stream ciphers based on table permutation is described in Section 2, with subsections on the tree representation of information, the search algorithm and the complexity analysis. Section 3 describes how the general approach is applied to RC4 cryptanalysis. Section 4 presents the modified backtracking algorithm, with subsections on the modification of the general conditions, the effects of examining the modified conditions, and the complexity analysis. Conclusions are given in Section 5.

Section snippets

General approach

Stream ciphers based on the table-shuffling principle use a relatively large table that varies slowly over time under its own control. In this paper we consider a class of table-shuffling stream ciphers where the next-state function permutes the entries of the internal state table and the output function determines the position of the output symbol in the table. As can be seen, the previous internal state directly affects the next one. Although it does not seem so at first sight, the swapping

Attacking the RC4

The proposed general approach is applied to the cryptanalysis of the RC4 stream cipher. As given in [14], the internal state of RC4 at time $t$ consists of a permutation table $S_t$ of $2^n$ different $n$-bit values and of two $n$-bit pointers $i_t$ and $j_t$. With the pointers $i_0$ and $j_0$ initialized to zero, the RC4 algorithm can be described as

$$i_t = t,\qquad j_t = j_{t-1} + S_{t-1}(t),\qquad S_t(t) = S_{t-1}(j_t),\qquad S_t(j_t) = S_{t-1}(t),\qquad Z_t = S_t\big(S_t(t) + S_t(j_t)\big),$$

where all additions are modulo $2^n$. As can be seen, a new table is generated in each iteration by the permutation of two elements of the
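The following is an added example, not code from the paper, implementing the RC4-n family described in the introduction and the time-step equations above: the key-scheduling step derives the initial table from the key, `rc4_step` performs one iteration ($i_t$, $j_t$, the swap and $Z_t$, all modulo $2^n$), and `continue_from_state` shows the observation the attack rests on, namely that a snapshot of $(S_t, i_t, j_t)$ alone suffices to produce the rest of the keystream without the key. The table width `n` is a parameter (n = 8 is the deployed cipher); the function names and the constructed test inputs are this example's own.

```python
# Added example (not the paper's code): the RC4-n family with table width n as a parameter.
# For n = 8 this is the standard RC4; the test vectors used below are the published ones
# (key "Key" / plaintext "Plaintext", key "Wiki" / plaintext "pedia").

def rc4_ksa(key, n=8):
    """Key scheduling: derive the initial table S_0 (a permutation of 0..2^n-1) from the key.
    `key` is a sequence of n-bit integers (a bytes object for n = 8)."""
    size = 1 << n
    mask = size - 1
    S = list(range(size))
    j = 0
    for i in range(size):
        j = (j + S[i] + (key[i % len(key)] & mask)) & mask
        S[i], S[j] = S[j], S[i]
    return S


def rc4_step(S, i, j, n=8):
    """One time step t of the keystream generator, following the paper's equations:
    i_t = i_{t-1} + 1, j_t = j_{t-1} + S_{t-1}(i_t), swap S(i_t) and S(j_t),
    Z_t = S_t(S_t(i_t) + S_t(j_t)). All additions are mod 2^n. S is updated in place."""
    mask = (1 << n) - 1
    i = (i + 1) & mask
    j = (j + S[i]) & mask
    S[i], S[j] = S[j], S[i]
    z = S[(S[i] + S[j]) & mask]
    return i, j, z


def rc4_keystream(state, count, n=8):
    """Generate `count` output symbols from an internal state (S, i, j).
    Returns (symbols, new_state); the state passed in is left untouched."""
    S, i, j = state
    S = list(S)  # work on a copy so the caller's snapshot stays valid
    out = []
    for _ in range(count):
        i, j, z = rc4_step(S, i, j, n)
        out.append(z)
    return out, (S, i, j)


def rc4_crypt(key, data):
    """Encrypt or decrypt `data` with RC4 (n = 8): XOR with the keystream derived from `key`."""
    state = (rc4_ksa(key), 0, 0)
    ks, _ = rc4_keystream(state, len(data))
    return bytes(b ^ z for b, z in zip(data, ks))


def continue_from_state(key, total, known):
    """The property the state-recovery attack exploits: regenerate symbols known..total-1
    from the state after `known` steps only, never touching the key again, and compare
    with the keystream produced directly from the key."""
    initial = (rc4_ksa(key), 0, 0)
    full, _ = rc4_keystream(initial, total)
    _, snapshot = rc4_keystream(initial, known)   # the (S_t, i_t, j_t) an attacker would need
    rest, _ = rc4_keystream(snapshot, total - known)
    return full[known:] == rest


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    print(continue_from_state(b"Secret", total=64, known=10))  # True
```

Because `rc4_keystream` copies the table before stepping, a recovered state can be replayed any number of times; this is exactly why the paper measures security in terms of the cost of finding $(S_t, i_t, j_t)$ rather than the key.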

Improving the backtracking algorithm

This section presents the incorporation of our approach based on the general conditions into the RC4 attack given in [6], in an effort to further improve its efficiency, which was the best published until now. In the first subsection we present the modification of the original algorithm. Since in the modified backtracking algorithm the general conditions are used in a specific environment implied by the original algorithm, they can be simplified in the way presented in Section 4.2. The effects of

Conclusions

We have proposed a general approach to the cryptanalysis of a class of table-shuffling stream ciphers, which promotes the idea of using all information available at a given time. The information is organized into trees from which the general conditions are analytically extracted. The general conditions are then ordered, according to their probabilities, into the tree of general conditions, which is searched using the hill-climbing strategy in order to reconstruct the initial

References (16)

  • R.R. Yager, OWA trees and their role in security modeling using attack trees, Information Sciences (2006)
  • E. Biham et al., Impossible fault analysis of RC4 and differential fault analysis, Fast Software Encryption 2005, Lecture Notes in Computer Science (2005)
  • S. Fluhrer et al., Weakness in the key scheduling algorithm of RC4, Selected Areas in Cryptography 2001, Lecture Notes in Computer Science (2001)
  • S. Fluhrer et al., Statistical analysis of the alleged RC4 keystream generator, Fast Software Encryption 2000, Lecture Notes in Computer Science (2000)
  • J. Golić, Linear statistical weakness of alleged RC4 keystream generator, Advances in Cryptology – EUROCRYPT '97, Lecture Notes in Computer Science (1997)
  • A. Grosul, D. Wallach, A related-key cryptanalysis of RC4, Rice University, Technical Report TR-00-358, June...
  • L. Knudsen et al., Analysis methods for (alleged) RC4, Advances in Cryptology – ASIACRYPT '98, Lecture Notes in Computer Science (1998)
  • I. Mantin, Predicting and distinguishing attacks on RC4 keystream generator, Advances in Cryptology – EUROCRYPT 2005, Lecture Notes in Computer Science (2005)

This work has been partially supported by the Ministries of Science and Technology of Serbia (# IT.1.24.0041) and Spain (# TIC2003-09061-C03-02 and the “Ramon y Cajal” program).
