Article, Open Access

Generalization of Roos bias in RC4 and some results on key-keystream relations

  • Sabyasachi Dey and Santanu Sarkar
Published/Copyright: 31 January 2018

Abstract

RC4 has attracted many cryptologists due to its simple structure. In [9], Paterson, Poettering and Schuldt reported the results of a large-scale computation of RC4 biases. Among the biases reported by them, we try to theoretically analyze a few which show very interesting visual patterns. We first study the bias which relates the keystream byte $z_i$ with $i - K[0]$, where $K[0]$ is the first byte of the secret key. We then present a generalization of the Roos bias. In 1995, Roos observed the bias of the initial bytes $S[i]$ of the permutation after KSA towards $f_i = \sum_{r=1}^{i} r + \sum_{r=0}^{i} K[r]$. Here we study the probability of $S[i]$ equaling $f_y = \sum_{r=1}^{y} r + \sum_{r=0}^{y} K[r]$ for $i \neq y$. Our generalization provides a complete correlation between $z_i$ and $i - f_y$. We also analyze the key-keystream relation $z_i = f_{i-1}$, which was studied by Maitra and Paul [6] in FSE 2008. We provide more accurate formulas for the probability of both $z_i = i - f_i$ and $z_i = f_{i-1}$ for different $i$'s than the existing works.

MSC 2010: 94A60

1 Introduction

RC4 is a stream cipher which has been widely used and has been one of the most popular ciphers in the world for the last 25 years. RC4 is a very simple cipher and can be implemented in only a few lines of code. It was designed by Ron Rivest in 1987. Its first application was in data security. It was also used in RSA Lotus Notes. Although RC4 was initially a trade secret, it was published in 1994. The cipher was first adopted by the network protocol TLS. Later it has been used in WEP in 1997 [18], SSL in 1995, WPA in 2003 [19], etc.

At first, we describe the design of RC4 briefly. It has two components: the key scheduling algorithm (KSA) and the pseudo-random generation algorithm (PRGA). Here, all the operations are done modulo 256. The KSA starts from the identity permutation $S$ of $0$ to $255$. Using an $\ell$-byte secret key, it scrambles this identity permutation of $\{0, \ldots, N-1\}$ and derives another permutation. After the completion of the KSA, the PRGA generates a pseudo-random sequence of keystream bytes $z_1, z_2, \ldots$ using the permutation scrambled by the KSA. After each iteration, with the index running from 0 to 255, an output byte $z_i$ is produced. These bytes are bitwise XOR-ed with the plaintext to produce the ciphertext. Both in the KSA and in the PRGA, two indices $i$ and $j$ into the permutation are used, and in each round a swap between $S[i]$ and $S[j]$ takes place.

KSA.

    N = 256;
    Initialization:  For i = 0, ..., N-1: S[i] = i;  j = 0;
    Scrambling:      For i = 0, ..., N-1: j = (j + S[i] + K[i]);  Swap(S[i], S[j]).

PRGA.

    Initialization:  i = j = 0;
    Keystream Generation Loop:  i = i + 1;  j = j + S[i];  Swap(S[i], S[j]);  t = S[i] + S[j];  Output z = S[t].

We use $S_r^{KSA}$, $i_r^{KSA}$ and $j_r^{KSA}$ to denote the permutation and the two indices after the $r$-th round of RC4 KSA. Hence $S_N^{KSA}$ is the permutation after the complete key scheduling. By $S_r$, $i_r$, $j_r$ we denote the permutation and the two indices after the $r$-th round of RC4 PRGA. So $S_N^{KSA} = S_0$. We use $I_{a,b}$ to denote the indicator function. So

$$ I_{a,b} = \begin{cases} 1 & \text{for } a = b, \\ 0 & \text{for } a \neq b. \end{cases} $$

Also, by the notation $f_y$ we denote the expression $\frac{y(y+1)}{2} + \sum_{r=0}^{y} K[r]$ ($0 \le y \le N-1$), which plays a vital role in most of the proposed attacks on RC4.
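As an added example (not code from the paper), the following Python model implements the KSA and PRGA listed above together with $f_y$, and estimates the Roos bias $P(S_N^{KSA}[y] = f_y)$ and the key-keystream event $P(z_i = i - f_y)$ over a constructed, seeded sample of random 16-byte keys. The function names and sample size are assumptions; the key "Key" used in the known-answer check is a standard RC4 test vector, not a value from the paper.

```python
import random

N = 256  # all RC4 index and value arithmetic is modulo N


def ksa(key):
    """RC4 KSA: scramble the identity permutation and return S_N^KSA.
    For an l-byte key, K[i] is key[i mod l], as in the listing above."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, n):
    """RC4 PRGA: return the first n keystream bytes z_1, ..., z_n from permutation S."""
    S = S[:]  # copy so the caller's S_0 is left untouched
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out


def keystream(key, n):
    return prga(ksa(key), n)


def f(y, key):
    """f_y = y(y+1)/2 + sum_{r=0}^{y} K[r] (mod N), the quantity behind the Roos bias."""
    return (y * (y + 1) // 2 + sum(key[r % len(key)] for r in range(y + 1))) % N


def empirical_biases(y, i, trials, key_len=16, seed=1):
    """Estimate, over `trials` random key_len-byte keys (a constructed, seeded sample):
         roos  = P(S_N^KSA[y] = f_y)   Roos bias on the permutation after KSA
         keyks = P(z_i = i - f_y)      the key-keystream event studied in Section 3
       Returns (roos, keyks)."""
    rng = random.Random(seed)
    roos_hits = keyks_hits = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        S = ksa(key)
        fy = f(y, key)
        if S[y] == fy:
            roos_hits += 1
        if prga(S, i)[i - 1] == (i - fy) % N:
            keyks_hits += 1
    return roos_hits / trials, keyks_hits / trials


if __name__ == "__main__":
    # Known-answer check: the standard test vector key "Key" gives EB 9F 77 81 B7 34 CA 72 ...
    print(bytes(keystream(b"Key", 8)).hex())
    roos, keyks = empirical_biases(y=1, i=1, trials=20000)
    print(f"P(S_N^KSA[1] = f_1) ~ {roos:.3f}   (Roos: about 0.37 for the first few y)")
    print(f"P(z_1 = 1 - f_1)    ~ {keyks:.5f} vs 1/N = {1 / N:.5f} (Klein's positive bias)")
```

The sample is far too small to resolve the $1/N^2$-scale effects the paper measures over 100 billion trials, but it is enough to see the Roos bias and Klein's $z_1 = 1 - f_1$ bias directly.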

Because of its simple design, many cryptologists have been attracted to this cipher. Throughout the last 25 years, multiple weaknesses of RC4 have been found. One of the most remarkable attacks was presented by Fluhrer, Mantin and Shamir [2] in 2001. This attack was based on weaknesses in the key scheduling algorithm. In 1995, Roos [12] observed that after the KSA, the most likely value of $S_N^{KSA}[y]$ for the first few values of $y$ is given by $S_N^{KSA}[y] = f_y$. The experimentally found values of the probabilities $P(S_N^{KSA}[y] = f_y)$ decrease from 0.37 to 0.006 as $y$ increases from 0 to 47. Later, a theoretical proof of this was given by Paul and Maitra in SAC 2007 [11]. Recently, Sarkar and Venkateswarlu [13] improved the analysis of [11]. Paul and Maitra [11] also discussed a reconstruction algorithm to find the key from the final permutation $S_N$ after KSA using Roos biases. Klein [5] observed correlations between keystream and key using Roos biases. In FSE 2008, Maitra and Paul [6] showed that not only the permutation bytes $S_N^{KSA}[y]$, but also the bytes $S_N^{KSA}[S_N^{KSA}[y]]$, $S_N^{KSA}[S_N^{KSA}[S_N^{KSA}[y]]]$, etc. are biased towards $f_y$. Then in SAC 2010, Sepehrdad, Vaudenay and Vuagnoux [15] showed some biases on the state variables, initial keystream bytes and secret key of RC4. They also gave a key recovery attack on RC4 in WPA. In Eurocrypt 2011, Sepehrdad, Vaudenay and Vuagnoux [16] presented an attack on WEP using all the previously known attacks in the literature and a few new correlations.

In USENIX 2013, AlFardan, Bernstein, Paterson, Poettering and Schuldt [1] used a Bayesian statistical method that recovers plaintexts in a broadcast attack model, i.e., plaintexts that are repeatedly encrypted with different keys under RC4. AlFardan et al. successfully used their idea to attack the cryptographic protocol TLS by exploiting biases in RC4 keystreams. In FSE 2014, Paterson, Schuldt and Poettering [10] and Sengupta, Maitra, Meier, Paul and Sarkar [14] independently exploited keystream and key correlations to recover plaintext in WPA, since the first three bytes of the RC4 key in WPA are public. In Asiacrypt 2014, Paterson, Poettering and Schuldt [9] improved the attack of [10]. They performed large-scale computations using the Amazon EC2 cloud computing infrastructure to obtain accurate estimates of the single-byte and double-byte distributions.

The recent attacks on RC4-based protocols have led to the consensus that RC4 is insecure and should be phased out. For example, Vanhoef and Piessens [17] presented an attack on TLS and WPA using RC4 (USENIX 2015). Also, Jha, Banik, Isobe and Ohigashi [4] presented some work on the joint distribution of keystream biases. These works show that RC4 is still an active area of research.

Our contribution and the organisation of the paper.

  1. In Asiacrypt 2014, Paterson et al. [9] showed a significant negative bias of $z_i$ towards $i - K[0]$ (see [9, Figure 2]). But so far there was no theoretical justification for this. In Section 2, for the first time we give a theoretical justification for this bias.

  2. In 1995, Roos [12] observed the relation between $S_N^{KSA}[i]$ and $f_i$. This observation was later justified in [11]. We generalize the Roos bias in Section 3 and study the relation between $S_N^{KSA}[i]$ and $f_y$ for $i \neq y$.

  3. In Section 3, our generalized Roos bias gives the complete distribution of $z_i$ and $i - f_y$ for $y \neq i$. We observe a significant negative bias between $z_i$ and $i - f_{i+t}$ for a small positive integer $t$.

  4. Klein discovered the correlation between $z_i$ and $i - f_i$ for $1 \le i \le N-1$. Maitra and Paul [6] proved these biases theoretically in FSE 2008. Using our general result of Theorem 3.7, we revisit this problem. In Table 1, we compare our result to the previous one. Our analysis gives values much closer to the experimental ones.

  5. In FSE 2008, Maitra and Paul [6] also studied the biases between $z_i$ and $f_{i-1}$ for $i = 1$ and $3 \le i \le N-1$. In Section 4, we analyze the bias of $z_i$ towards $f_{i-1}$. In Table 3, we present the comparative study between our result and [6]. In this case also, our analysis gives a much better approximation to the experimental values than the work [6].

2 Negative bias of $z_i$ towards $i - K[0]$

Let us start with the following lemma.

Lemma 2.1.

After KSA, $P(S_N^{KSA}[i] = K[0]) = \frac{1}{N}\left(1-\frac{1}{N}\right)^{N-1-i}$ for $i \ge 1$.

Proof.

If $S_i^{KSA}[j_{i+1}^{KSA}] = K[0]$, then after the swap $S_{i+1}^{KSA}[i] = K[0]$. Now

$$ P(S_i^{KSA}[j_{i+1}^{KSA}] = K[0]) = \frac{1}{N} $$

since $j_{i+1}^{KSA}$ is random. Also $S_N^{KSA}[i]$ will be $K[0]$ only if the later $j^{KSA}$'s do not touch $i$ again, i.e., if all of $j_{i+2}^{KSA}, \ldots, j_N^{KSA}$ are different from $i$, then $S_N^{KSA}[i]$ will be $K[0]$. The probability of $j_{i+2}^{KSA}, j_{i+3}^{KSA}, \ldots, j_N^{KSA} \neq i$ is $\left(1-\frac{1}{N}\right)^{N-1-i}$. Therefore, $P(S_N^{KSA}[i] = K[0]) = \frac{1}{N}\left(1-\frac{1}{N}\right)^{N-1-i}$ for $i \ge 1$. ∎

Now we have the following result.

Lemma 2.2.

In PRGA, for $i \ge 1$,

$$ P(S_{i-1}[i] = K[0]) = p_i\left(1-\frac{1}{N}\right)^{i-1} + \frac{1}{N}\left(1-\frac{1}{N}\right)^{i-2}\sum_{l=1}^{i-1} p_l + \sum_{r=2}^{i-1}\frac{1}{N^r}\left(1-\frac{1}{N}\right)^{i-r-1}\sum_{l=1}^{i-1} p_l\binom{i-l-1}{r-1}, $$

where $p_i = \frac{1}{N}\left(1-\frac{1}{N}\right)^{N-1-i}$.

Proof.

We find the probability of this event by breaking it into mutually disjoint events and finding their probabilities separately.

  1. Event 1: After the completion of KSA, $K[0]$ is in the $i$-th location of the array (whose probability is $p_i$ from Lemma 2.1), and this position is not touched by $j_1, \ldots, j_{i-1}$. The probability of this event is $p_i\left(1-\frac{1}{N}\right)^{i-1}$.

  2. Event 2: After the completion of KSA, $K[0]$ is in some $l$-th location of the array (whose probability is $p_l$), where $1 \le l \le i-1$. This position is not touched by $j_1, \ldots, j_{l-1}$. Then $j_l = i$. After that, $j_{l+1}, \ldots, j_{i-1} \neq i$. Since $l$ can vary from 1 to $i-1$, the total probability of the above path is

$$ \sum_{l=1}^{i-1}\frac{1}{N}\left(1-\frac{1}{N}\right)^{i-2} p_l. $$

  3. Event 3: After the completion of KSA, $K[0]$ is in the $l$-th location of the array, where $1 \le l \le i-1$. This position is not touched by $j_1, \ldots, j_{l-1}$. Then $j_l = t$ for some $l+1 \le t \le i-1$. After that, $j_{l+1}, \ldots, j_{t-1} \neq t$. Then $j_t = i$. Also $j_{t+1}, \ldots, j_{i-1} \neq i$. The total probability of this path is

$$ \sum_{l=1}^{i-1}\sum_{t=l+1}^{i-1}\frac{1}{N^2}\left(1-\frac{1}{N}\right)^{i-3} p_l. $$

    Similarly, $K[0]$ can come to the $i$-th location through more than two jumps. If it comes through the $(r+1)$-st jump, the total probability will be

$$ \frac{1}{N^r}\left(1-\frac{1}{N}\right)^{i-r-1}\sum_{l_1=1}^{i-1}\sum_{l_2=l_1+1}^{i-1}\sum_{l_3=l_2+1}^{i-1}\cdots\sum_{l_r=l_{r-1}+1}^{i-1} p_{l_1} = \frac{1}{N^r}\left(1-\frac{1}{N}\right)^{i-r-1}\sum_{l_1=1}^{i-1} p_{l_1}\left(\sum_{l_2=l_1+1}^{i-1}\sum_{l_3=l_2+1}^{i-1}\cdots\sum_{l_r=l_{r-1}+1}^{i-1} 1\right) = \frac{1}{N^r}\left(1-\frac{1}{N}\right)^{i-r-1}\sum_{l_1=1}^{i-1} p_{l_1}\binom{i-l_1-1}{r-1}. $$

Thus, adding the probabilities of these three disjoint events, we have

$$ P(S_{i-1}[i] = K[0]) = p_i\left(1-\frac{1}{N}\right)^{i-1} + \frac{1}{N}\left(1-\frac{1}{N}\right)^{i-2}\sum_{l=1}^{i-1} p_l + \sum_{r=2}^{i-1}\frac{1}{N^r}\left(1-\frac{1}{N}\right)^{i-r-1}\sum_{l=1}^{i-1} p_l\binom{i-l-1}{r-1}. $$ ∎

We can use this lemma to find the probability $P(z_i = i - K[0])$. The following result gives a bias of $z_i$ towards $i - K[0]$.

Theorem 2.3.

We have

$$ P(z_i = i-K[0]) = \begin{cases} P(S_0[1] = K[0])\frac{1}{N}\left(1-\frac{1}{N}\right) + \left(1-\frac{1}{N}+\frac{1}{N^2}\right)\frac{1}{N} & \text{for } i = 1, \\[4pt] P(S_{i-1}[i] = K[0])\frac{1}{N} + \left(1-\frac{1}{N}\right)\frac{1}{N} & \text{for } i > 1. \end{cases} $$

Proof.

First consider $i > 1$.

  1. Consider the event $A: (S_{i-1}[i] \neq K[0]) \wedge (S_{i-1}[j_i] = i-K[0])$. So after the swap, $S_i[i] = i-K[0]$ and $S_i[j_i] \neq K[0]$. So $z_i = S_i[S_i[i] + S_i[j_i]] \neq S_i[i] = i-K[0]$.

  2. Next consider the event $B: (S_{i-1}[i] = K[0]) \wedge (S_{i-1}[j_i] = i-K[0])$. Then

$$ z_i = S_i[S_i[i] + S_i[j_i]] = S_i[i] = i-K[0]. $$

  3. Now consider the event $C = (A \cup B)^c$. In this case, $P(z_i = i-K[0]) = \frac{1}{N}$, assuming a random association. Also $P(C) = 1 - P(A \cup B) = 1 - P(S_{i-1}[j_i] = i-K[0]) = 1-\frac{1}{N}$.

Thus,

$$\begin{aligned} P(z_i = i-K[0]) &= P(z_i = i-K[0] \mid A)\,P(A) + P(z_i = i-K[0] \mid B)\,P(B) + P(z_i = i-K[0] \mid C)\,P(C) \\ &= 0 \cdot P(A) + 1 \cdot P(B) + \frac{1}{N}P(C) \\ &= P(S_{i-1}[i] = K[0])\frac{1}{N} + \left(1-\frac{1}{N}\right)\frac{1}{N}. \end{aligned}$$

Now for $i = 1$, we have $j_1 = 1$ when $S_0[1] = 1$. In this case, $B$ is an impossible event. So for $i = 1$ we take

$$ A: (S_0[1] \neq K[0]) \wedge (S_0[j_1] = 1-K[0]) \wedge (K[0] \neq 1), $$
$$ B: (S_0[1] = K[0]) \wedge (S_0[j_1] = 1-K[0]) \wedge (K[0] \neq 1). $$

In this case,

$$ P(z_1 = 1-K[0]) = P(S_0[1] = K[0])\frac{1}{N}\left(1-\frac{1}{N}\right) + \left(1-\frac{1}{N}+\frac{1}{N^2}\right)\frac{1}{N}. $$
Figure 1

Distribution of $P(z_i = i-K[0])$ for $i \in [1, 255]$.

In Figure 1, we plot the theoretical as well as the experimental values of $P(z_i = i-K[0])$ with key length 16, where the experiments have been run over 100 billion trials of RC4 PRGA with randomly generated keys.
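The closed forms of Lemma 2.1, Lemma 2.2 and Theorem 2.3 implemented in Python, as an added example (not the authors' code): the jump-path sum follows the three events of the proof of Lemma 2.2 literally, so the negative bias of $z_i$ towards $i - K[0]$ can be evaluated for any $i$. The function names are assumptions.

```python
from math import comb

N = 256


def p_after_ksa(i):
    """Lemma 2.1: p_i = P(S_N^KSA[i] = K[0]) = (1/N)(1 - 1/N)^(N-1-i), for i >= 1."""
    return (1 / N) * (1 - 1 / N) ** (N - 1 - i)


def p_before_round(i):
    """Lemma 2.2: P(S_{i-1}[i] = K[0]) in PRGA, i >= 1.
    K[0] either sits at position i after KSA and is never touched by j_1..j_{i-1}
    (Event 1), or sits at some l < i and is carried to i by one jump (Event 2) or by
    r+1 jumps (Event 3); a jump happens when the running j hits K[0]'s position, and
    the binomial counts the choices of the r-1 intermediate landing positions."""
    q = 1 - 1 / N
    p = [0.0] + [p_after_ksa(l) for l in range(1, i + 1)]  # p[l] for 1 <= l <= i
    total = p[i] * q ** (i - 1)                                         # Event 1
    if i >= 2:
        total += (1 / N) * q ** (i - 2) * sum(p[l] for l in range(1, i))  # Event 2
    for r in range(2, i):                                               # Event 3
        total += (1 / N ** r) * q ** (i - r - 1) * sum(
            p[l] * comb(i - l - 1, r - 1) for l in range(1, i))
    return total


def p_z_equals_i_minus_K0(i):
    """Theorem 2.3: P(z_i = i - K[0]) for i >= 1 (the i = 1 case uses P(S_0[1] = K[0]) = p_1)."""
    if i == 1:
        return p_before_round(1) * (1 / N) * (1 - 1 / N) + (1 - 1 / N + 1 / N ** 2) * (1 / N)
    return p_before_round(i) * (1 / N) + (1 - 1 / N) * (1 / N)


def bias_in_units_of_inverse_N_squared(i):
    """Express P(z_i = i - K[0]) - 1/N as a multiple of 1/N^2 (negative means a negative bias)."""
    return (p_z_equals_i_minus_K0(i) - 1 / N) * N ** 2


if __name__ == "__main__":
    for i in (1, 2, 16, 64, 255):
        print(f"i={i:3d}: P(S_(i-1)[i]=K[0]) = {p_before_round(i):.6f}, "
              f"P(z_i = i-K[0]) = {p_z_equals_i_minus_K0(i):.6f}, "
              f"bias = {bias_in_units_of_inverse_N_squared(i):+.3f} / N^2")
```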

3 Generalization of Roos bias and bias of $z_i = i - f_y$

A theoretical justification of the Roos bias first appeared in [11]. Recently, the work of [11] has been revisited in [13]. We need the following result of [13, Lemma 2].

Lemma 3.1.

In KSA, the probability $P(S_{i+1}^{KSA}[i] = f_i)$ can be given by

$$ \left(\prod_{r=1}^{i}\left(1-\frac{r}{N}\right) + p_1\right)\left(1-\frac{i}{N}\right)\left(1-\frac{1}{N}\right)^{i} + \frac{1}{N}\left[1 - \left(\left(1-\frac{i}{N}\right)\left(1-\frac{1}{N}\right)^{i} + \frac{i}{N}\left(1-\frac{1}{N}\right)^{i} + \left(1-\frac{i}{N}\right)\left(1-\left(1-\frac{1}{N}\right)^{i}\right)\right)\prod_{r=1}^{i}\left(1-\frac{r}{N}\right) - (p_1+p_2)\left(1-\frac{i}{N}\right)\left(1-\frac{1}{N}\right)^{i}\right], $$

where

$$ p_1 = \sum_{c \ge 1}\frac{1}{\Phi\left(\frac{b-\mu}{\sigma}\right)-\Phi\left(\frac{-\mu}{\sigma}\right)}\cdot\frac{1}{\sigma}\int_{cN-0.5}^{\min\{cN+0.5,\; i(i+1)/2\}}\phi\left(\frac{x-\mu}{\sigma}\right)dx, $$
$$ p_2 = \sum_{c \ge 0}\frac{1}{\Phi\left(\frac{b-\mu}{\sigma}\right)-\Phi\left(\frac{-\mu}{\sigma}\right)}\cdot\frac{1}{\sigma}\int_{0.5+cN}^{\min\{(c+1)N-0.5,\; i(i+1)/2\}}\phi\left(\frac{x-\mu}{\sigma}\right)dx, $$
$$ \mu = \sum_{p=0}^{i}\sum_{x=0}^{p-1}\left(1-\frac{1}{N}\right)^{x}\frac{1}{N}(p-x), $$
$$ \sigma^2 = \sum_{p=0}^{i}\left[\sum_{x=0}^{p-1}\left(1-\frac{1}{N}\right)^{x}\frac{1}{N}(p-x)^2 - \left(\sum_{x=0}^{p-1}\left(1-\frac{1}{N}\right)^{x}\frac{1}{N}(p-x)\right)^{2}\right], $$

where $\phi(x) = \frac{e^{-\frac{1}{2}x^2}}{\sqrt{2\pi}}$ is the density function of the standard normal distribution.

Also the following result is proved in [13, Theorem 2].

Lemma 3.2.

We have

$$ P(S_N^{KSA}[i] = f_i) = P(S_{i+1}^{KSA}[i] = f_i)\left(1-\frac{1}{N}\right)^{N-1-i} + \left(1 - P(S_{i+1}^{KSA}[i] = f_i)\right)\sum_{t=i+1}^{N-1}\frac{1}{N^2}\left(1-\frac{1}{N}\right)^{N-1-t}. $$

Now we find $P(S_N^{KSA}[i] = f_y)$ for $0 \le i \le N-1$ and $1 \le y \le N-1$ with $i \neq y$.

Lemma 3.3.

For $i \neq y$ with $y \ge 1$, we have

$$ P(S_N^{KSA}[i] = f_y) = \frac{1}{N}\left(1-\frac{1}{N}\right)^{N-i-1} + \left(1 - P(S_{y+1}^{KSA}[y] = f_y) - \frac{1}{N}\right)\left(\sum_{t=i+1}^{N-1}\frac{1}{N^2}\left(1-\frac{1}{N}\right)^{N-1-t}\right). $$

Proof.

We have two cases.

  1. Case I: Let $S_i^{KSA}[j_{i+1}^{KSA}] = f_y$. This happens with probability $\frac{1}{N}$. So after the swap, $S_{i+1}^{KSA}[i]$ becomes $f_y$. Also $j_{i+2}^{KSA}, \ldots, j_N^{KSA} \neq i$. So the probability of this path is $\frac{1}{N}\left(1-\frac{1}{N}\right)^{N-i-1}$. On the other hand, if $S_i^{KSA}[j_{i+1}^{KSA}] = f_y$ and $i \in \{j_{i+2}^{KSA}, \ldots, j_N^{KSA}\}$, then $S_N^{KSA}[i]$ will always be different from $f_y$.

  2. Case II: If $i < y$ and $S_{y+1}^{KSA}[y] = f_y$, then $S_N^{KSA}[i]$ cannot be $f_y$, as the content of the $y$-th location of the array $S$ cannot move to the left when the running index is greater than $y$. On the other hand, if $i > y$ and $S_{y+1}^{KSA}[y] = f_y$, then $S_N^{KSA}[i]$ can be $f_y$ only through the first event. So we need $S_{y+1}^{KSA}[y] \neq f_y$. Let us consider the scenario where $S_t^{KSA}[t] = f_y$ for some $t > i$. This holds with probability $\frac{1}{N}$. Suppose that $j_{t+1}^{KSA} = i$ and $j_{t+2}^{KSA}, \ldots, j_N^{KSA}$ are all different from $i$. Hence after the swap we get $S_{t+1}^{KSA}[i] = f_y$, and this location is not disturbed in further rounds of KSA. This path holds with probability $\frac{1}{N^2}\left(1-\frac{1}{N}\right)^{N-1-t}$.

Thus if $i \neq y$, then

$$ P(S_N^{KSA}[i] = f_y) = \frac{1}{N}\left(1-\frac{1}{N}\right)^{N-i-1}\cdot 1 + \frac{1}{N}\left(1-\left(1-\frac{1}{N}\right)^{N-i-1}\right)\cdot 0 + \left(1 - P(S_{y+1}^{KSA}[y] = f_y) - \frac{1}{N}\right)\left(\sum_{t=i+1}^{N-1}\frac{1}{N^2}\left(1-\frac{1}{N}\right)^{N-1-t}\right). $$

In Figure 2, we present both theoretical and experimental results for $P(S_N^{KSA}[i] = f_y)$ for $0 \le i, y \le 50$ with $i \neq y$. From the figure it is clear that there are some anomalies when the length of the key is 16. This is because there are some $f_y$'s whose parities are the same when the key length is 16. We will discuss this issue for key-keystream relations in Theorem 3.9.

Figure 2

Probability $P(S_N^{KSA}[i] = f_y)$ for $0 \le i, y \le 50$ with $i \neq y$. Here (a) are the theoretical values, (b) the experimental results with a 16-byte key, and (c) the experimental results with a 256-byte key.


Lemma 3.4.

In PRGA,

$$ P(S_{i-1}[i] = f_y) = P(S_N^{KSA}[i] = f_y)\left(1-\frac{1}{N}\right)^{i-1} + \sum_{r=1}^{i-1}\frac{1}{N^r}\left(1-\frac{1}{N}\right)^{i-r-1}\left(\sum_{l=1}^{i-1} P(S_N^{KSA}[l] = f_y)\binom{i-l-1}{r-1}\right) $$

for $1 \le i \le N-1$ and $1 \le y \le N-1$.

Proof.

This is similar to the proof of Lemma 2.2. ∎

Now consider the following event $C_1$ for an occurrence of $z_i = i - f_i$ for $i \ge 1$:

  1. $S_N^{KSA}[i] = f_i$,

  2. $j_1, \ldots, j_{i-1} \neq i$,

  3. $S_{i-1}[j_i] \neq i - f_i$.

Since $S_i[i] + S_i[j_i] \neq f_i + i - f_i = i$, we have $P(z_i = i - f_i) = \frac{1}{N-1}$. The above path holds with probability $a_i = P(S_N^{KSA}[i] = f_i)\left(1-\frac{1}{N}\right)^{i}$.

Now we prove the following theorems.

Theorem 3.5.

We have

$$ P(z_1 = 1-f_y) = \begin{cases} P(S_0[1] = f_y)\frac{1}{N}\left(1-\frac{1}{N}\right) + a_1\frac{1}{N-1}I_{1,y} + \left(1-\frac{1}{N}+\frac{1}{N^2}-a_1 I_{1,y}\right)\frac{1}{N} & \text{for } y \neq 2, \\[4pt] P(S_0[1] = f_y)\frac{1}{N}\left(1-\frac{1}{N}\right) + \left(1-\frac{1}{N}+\frac{1}{N^2}-\left(\frac{2}{N}-\frac{1}{N^2}\right)P(S_0[2] = f_2)\right)\frac{1}{N} & \text{for } y = 2, \end{cases} $$

where $a_1 = P(S_N^{KSA}[1] = f_1)\left(1-\frac{1}{N}\right)$.

Proof.

Here the events are

$$ A: (S_0[1] \neq f_y) \wedge (S_0[j_1] = 1-f_y) \wedge (f_y \neq 0) \quad \text{and} \quad B: (S_0[1] = f_y) \wedge (S_0[j_1] = 1-f_y) \wedge (f_y \neq 0). $$

One can see that $P(z_1 = 1-f_y \mid A) = 0$ and $P(z_1 = 1-f_y \mid B) = 1$.

Also, if $S_0[1] + S_0[S_0[1]] = 2$ and $S_0[2] = f_2$, then $z_1$ will always be different from $1-f_2$. Also, we have $P(S_0[1] + S_0[S_0[1]] = 2) = \frac{2}{N}-\frac{1}{N^2}$, as one path comes from $S_0[1] = 1$. Hence the required result follows. ∎

Similarly, we find the bias of z2 towards 2-fy in the next theorem.

Theorem 3.6.

We have

$$ P(z_2 = 2-f_y) = \begin{cases} P(S_1[2] = f_y)\frac{1}{N} + a_2\frac{1}{N-1}I_{2,y} + \left(1-\frac{1}{N}-a_2 I_{2,y}\right)\frac{1}{N} & \text{for } y \le 2, \\[4pt] P(S_1[2] = f_y)\frac{1}{N} + \beta\frac{1}{N-1} + \left(1-\frac{1}{N}-\alpha-\beta\right)\frac{1}{N} & \text{for } y > 2, \end{cases} $$

where

$$ \alpha = \left(\frac{2}{N}-\frac{1}{N^2}\right)\left(\eta + \frac{1}{N}(1-\eta)\left(1-\frac{1}{N}\right)\right), $$
$$ \beta = \left(1-\frac{2}{N}+\frac{1}{N^2}\right)\left(\eta + \frac{1}{N}(1-\eta)\left(1-\frac{1}{N}\right)\right), $$
$$ \eta = \prod_{i=1}^{y}\left(1-\frac{i}{N}\right)\left(1-\frac{y}{N}\right)\left(1-\frac{1}{N}\right)^{N}, $$
$$ a_2 = P(S_N^{KSA}[2] = f_2)\left(1-\frac{1}{N}\right)^{2}. $$

Proof.

For $y \le 2$, the paths are the same as in Theorem 2.3. But for $y > 2$, we have two more paths:

  1. $C: (S_1[y] = f_y) \wedge (f_y \neq 2) \wedge (z_2 = 0)$,

  2. $D: (S_1[y] = f_y) \wedge (f_y \neq 2) \wedge (z_2 \neq 0)$.

We have $P(z_2 = 2-f_y \mid C) = 0$. Also $P(z_2 = 2-f_y \mid D) = \frac{1}{N-1}$, as $z_2 \neq 0$ and $f_y \neq 2$.

Now consider the events $j_t^{KSA} \notin \{t, \ldots, y\}$ for $1 \le t \le y$, $f_y \notin \{0, 1, \ldots, y-1\}$, and $j_t^{KSA} \neq f_y$ for $1 \le t \le y$. Then $S_{y+1}^{KSA}[y] = f_y$. Also if $j_{y+2}^{KSA}, \ldots, j_N^{KSA}, j_1 \neq f_y$, we have $S_1[y] = f_y$. Call this path $E$. Here

$$ P(E) = \prod_{i=1}^{y}\left(1-\frac{i}{N}\right)\left(1-\frac{y}{N}\right)\left(1-\frac{1}{N}\right)^{N}. $$

One can see [11] that $P(S_1[y] = f_y \mid E) = 1$. Also assume $P(S_1[y] = f_y \mid E^c) = \frac{1}{N}$. From [8] we know that $P(z_2 = 0) = \frac{2}{N}-\frac{1}{N^2}$. We have

$$\begin{aligned} P(C) &= P(S_1[y] = f_y \wedge f_y \neq 2)\,P(z_2 = 0) \\ &= \left(\frac{2}{N}-\frac{1}{N^2}\right)\left(P(S_1[y] = f_y \wedge f_y \neq 2 \wedge E) + P(S_1[y] = f_y \wedge f_y \neq 2 \wedge E^c)\right) \\ &= \left(\frac{2}{N}-\frac{1}{N^2}\right)\left(P(E) + P(S_1[y] = f_y \mid E^c)\,P(E^c)\,P(f_y \neq 2)\right) \\ &= \left(\frac{2}{N}-\frac{1}{N^2}\right)\left(P(E) + \frac{1}{N}(1-P(E))\left(1-\frac{1}{N}\right)\right). \end{aligned}$$

Similarly, $P(D) = \left(1-\frac{2}{N}+\frac{1}{N^2}\right)\left(P(E) + \frac{1}{N}(1-P(E))\left(1-\frac{1}{N}\right)\right)$. ∎

Now, for all i greater than 2, the following theorem gives the probability P(zi=i-fy).

Theorem 3.7.

We have

$$ P(z_i = i-f_y) = P(S_{i-1}[i] = f_y)\frac{1}{N} + a_i\frac{1}{N-1}I_{i,y} + \left(1-\frac{1}{N}-a_i I_{i,y}\right)\frac{1}{N} $$

for $3 \le i \le N-1$ and $1 \le y \le N-1$, where $a_i = P(S_N^{KSA}[i] = f_i)\left(1-\frac{1}{N}\right)^{i-1}\left(1-\frac{1}{N}\right)$.

Proof.

Similarly to the proof of Theorem 2.3, we consider the events $A: (S_{i-1}[i] \neq f_y) \wedge (S_{i-1}[j_i] = i-f_y)$ and $B: (S_{i-1}[i] = f_y) \wedge (S_{i-1}[j_i] = i-f_y)$. In these cases, $P(z_i = i-f_y)$ is 0 and 1, respectively.

Next we consider $C = (A \cup B)^c$. Then $P(C) = \left(1-\frac{1}{N}\right)$. But in the case $i = y$, the event $C$ can be divided into two mutually disjoint events $C_1$ and $C_1^c$ (as mentioned just before Theorem 3.5). Evaluating the probabilities of all these events, we get the result. ∎

Figure 3

Probability $P(z_i = i-f_y)$ for $1 \le i \le 50$, $0 \le y \le 50$ with $i \neq y$. Here (a) are the theoretical values and (b) the experimental results with a 16-byte key.


In Figure 3, we present both theoretical and experimental results for $P(z_i = i-f_y)$ for $1 \le i \le 50$, $0 \le y \le 50$ with $i \neq y$. From the figure it is clear that there are some anomalies. Among them the probability of $z_2 = 2-f_{31}$ is the most significant. We observe $P(z_2 = 2-f_{31}) = \frac{1}{N}+\frac{0.82}{N^2}$. However, if the key length is 256, we get $P(z_2 = 2-f_{31}) = \frac{1}{N}-\frac{0.11}{N^2}$, which matches exactly with the theoretical value. When the key length is 16, we have the following result.

Theorem 3.8.

When the length of the key is 16, then

$$ P(z_2 = 2-f_{31}) = \frac{2}{N}\left(\frac{2}{N}-\frac{1}{N^2}\right) + \left(1-\frac{2}{N}+\frac{1}{N^2}\right)\left(\frac{\frac{N}{2}-1}{N-1}\right)\frac{2}{N}. $$

Proof.

We divide it into two disjoint events, $A: (z_2 = 0)$ and $B: (z_2 \neq 0)$. We know that $P(A) = \frac{2}{N}-\frac{1}{N^2}$ and $P(B) = 1-\frac{2}{N}+\frac{1}{N^2}$. Also one can see that, if the length of the key is 16, then

$$ f_{31} = 496 + \sum_{i=0}^{31} K[i] = 496 + 2\sum_{i=0}^{15} K[i] $$

is always even. Hence $P(f_{31} = 2) = \frac{2}{N}$. So,

$$\begin{aligned} P(z_2 = 2-f_{31}) &= P(z_2 = 2-f_{31} \wedge z_2 = 0) + P(z_2 = 2-f_{31} \wedge z_2 \neq 0) \\ &= P(z_2 = 2-f_{31} \mid z_2 = 0)\,P(z_2 = 0) + P(z_2 = 2-f_{31} \mid z_2 \neq 0)\,P(z_2 \neq 0) \\ &= P(f_{31} = 2 \mid z_2 = 0)\,P(z_2 = 0) + P(z_2 = 2-f_{31} \mid z_2 \neq 0)\,P(z_2 \neq 0) \\ &= \frac{2}{N}\left(\frac{2}{N}-\frac{1}{N^2}\right) + \left(1-\frac{2}{N}+\frac{1}{N^2}\right)\left(\frac{\frac{N}{2}-1}{N-1}\right)\frac{2}{N}. \end{aligned}$$

Theorem 3.8 gives $P(z_2 = 2-f_{31}) = \frac{1}{N}+\frac{1}{N^2}$, which matches closely with the experimental value. We also have another set of biases when the key length is 16.

Theorem 3.9.

We have

$$\begin{aligned} P(z_{3+r} = 3+r-f_{35+r}) &= \left(\left(\frac{2}{N}-\frac{1}{N^2}\right)\frac{2}{N} + \frac{1-\frac{2}{N}}{N-1}\left(1-\frac{2}{N}\right)\right)P(S_{3+r-1}[3+r] = f_{3+r}) \\ &\quad + \left(\frac{1-\frac{2}{N}}{N-1}\cdot\frac{2}{N} + \frac{1}{N}\left(1-\frac{2}{N}\right)\right)\left(1 - P(S_{3+r-1}[3+r] = f_{3+r})\right) \end{aligned}$$

for $r \ge 0$, when the length of the key is 16.

Proof.

We have

$$\begin{aligned} f_{35+r} - f_{3+r} &= \left(\sum_{i=0}^{35+r}(i + K[i])\right) - \left(\sum_{i=0}^{3+r}(i + K[i])\right) \\ &= \left(\sum_{i=0}^{35+r} i - \sum_{i=0}^{3+r} i\right) + \left(\sum_{i=0}^{35+r} K[i] - \sum_{i=0}^{3+r} K[i]\right) \\ &= 624 + 32r + \sum_{i=4+r}^{35+r} K[i] \\ &= 624 + 32r + \left(\sum_{i=4+r}^{19+r} K[i] + \sum_{i=20+r}^{35+r} K[i]\right) \\ &= 624 + 32r + \left(\sum_{i=4+r}^{19+r} K[i] + \sum_{j=4+r}^{19+r} K[j+16]\right) \qquad (j = i-16) \\ &= 624 + 32r + \left(\sum_{i=4+r}^{19+r} K[i] + \sum_{j=4+r}^{19+r} K[j]\right) \qquad (\text{since the key length is 16 and } K[j+16] = K[j]) \\ &= 624 + 32r + 2\sum_{i=4+r}^{19+r} K[i]. \end{aligned}$$

One can see that $f_{35+r} - f_{3+r}$ will always be even, which means that $f_{3+r}$ and $f_{35+r}$ are of the same parity for $r \ge 0$, i.e., either both are even or both are odd, when the length of the key is 16. So for one value of $f_{3+r}$, there are $\frac{N}{2}$ possible values for $f_{35+r}$. So $P(f_{35+r} = f_{3+r}) = \frac{2}{N}$. Also $P(z_r = r - S_{r-1}[r]) = \frac{2}{N}-\frac{1}{N^2}$ by Jenkins' correlation [3].

Now,

$$\begin{aligned} P(z_{3+r} = 3+r-f_{35+r}) &= P(z_{3+r} = 3+r-f_{35+r} \mid S_{3+r-1}[3+r] = f_{3+r})\,P(S_{3+r-1}[3+r] = f_{3+r}) \\ &\quad + P(z_{3+r} = 3+r-f_{35+r} \mid S_{3+r-1}[3+r] \neq f_{3+r})\,P(S_{3+r-1}[3+r] \neq f_{3+r}) \\ &= \Big(P(z_{3+r} = 3+r-f_{35+r} \mid S_{3+r-1}[3+r] = f_{3+r} \wedge f_{3+r} = f_{35+r})\,P(f_{3+r} = f_{35+r}) \\ &\qquad + P(z_{3+r} = 3+r-f_{35+r} \mid S_{3+r-1}[3+r] = f_{3+r} \wedge f_{3+r} \neq f_{35+r})\,P(f_{3+r} \neq f_{35+r})\Big)\,P(S_{3+r-1}[3+r] = f_{3+r}) \\ &\quad + \Big(P(z_{3+r} = 3+r-f_{35+r} \mid S_{3+r-1}[3+r] \neq f_{3+r} \wedge f_{3+r} = f_{35+r})\,P(f_{3+r} = f_{35+r}) \\ &\qquad + P(z_{3+r} = 3+r-f_{35+r} \mid S_{3+r-1}[3+r] \neq f_{3+r} \wedge f_{3+r} \neq f_{35+r})\,P(f_{3+r} \neq f_{35+r})\Big)\,P(S_{3+r-1}[3+r] \neq f_{3+r}) \\ &= \left(\left(\frac{2}{N}-\frac{1}{N^2}\right)\frac{2}{N} + \frac{1-\frac{2}{N}}{N-1}\left(1-\frac{2}{N}\right)\right)P(S_{3+r-1}[3+r] = f_{3+r}) \\ &\quad + \left(\frac{1-\frac{2}{N}}{N-1}\cdot\frac{2}{N} + \frac{1}{N}\left(1-\frac{2}{N}\right)\right)\left(1 - P(S_{3+r-1}[3+r] = f_{3+r})\right). \end{aligned}$$

Using Lemma 3.4, we can find $P(S_{3+r-1}[3+r] = f_{3+r})$. From Theorem 3.9 we calculate $P(z_{3+r} = 3+r-f_{35+r})$, which is $\left(\frac{1}{N}+\frac{0.31}{N^2}\right)$ when $r = 0$, and decreases as $r$ increases.

Remark 3.10.

In Theorem 3.8 and Theorem 3.9, we justified two biases observed in the experiment for key length 16. However, using the same argument, we can generalize the results to any key length. If the key length is $\ell$, we will observe a similar bias in $P(z_2 = 2-f_{2\ell-1})$ and $P(z_{3+r} = 3+r-f_{3+2\ell+r})$. These biases can be explained similarly, i.e., $f_{2\ell-1}$ and $(f_{3+2\ell+r} - f_{3+r})$ are always even. So this increases the probabilities $P(f_{2\ell-1} = 2)$ and $P(f_{3+2\ell+r} = f_{3+r})$ to $\frac{2}{N}$.
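The parity argument of Theorems 3.8 and 3.9 and Remark 3.10 in Python, as an added example (not the paper's code): for a key of length $\ell$ it decides when the parity of $f_y$ is fixed by $\ell$ alone (which goes slightly beyond the remark's $f_{2\ell-1}$ case, to every $y$ with $\ell \mid y+1$ and $(y+1)/\ell$ even), checks the parity claims on a constructed, seeded key sample, and evaluates the closed forms of Theorems 3.8 and 3.9. The function names are assumptions.

```python
import random

N = 256


def f(y, key):
    """f_y = y(y+1)/2 + sum_{r=0}^{y} K[r] (mod N), with K[r] = key[r mod l] for an l-byte key."""
    return (y * (y + 1) // 2 + sum(key[r % len(key)] for r in range(y + 1))) % N


def fixed_parity(key_len, y):
    """Parity of f_y when it does not depend on the key, else None.
    Writing y + 1 = q*l + rem, the key sum in f_y is q*(K[0]+...+K[l-1]) + K[0]+...+K[rem-1].
    That is even for every key exactly when rem == 0 and q is even, and then only the
    triangular term y(y+1)/2 decides the parity (y = 2l-1 is the q = 2 case of Remark 3.10)."""
    q, rem = divmod(y + 1, key_len)
    if rem == 0 and q % 2 == 0:
        return (y * (y + 1) // 2) % 2
    return None


def observed_parities(key_len, y, trials, seed=1):
    """Set of parities of f_y actually seen over `trials` random keys (constructed, seeded sample)."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        seen.add(f(y, key) % 2)
    return seen


def difference_always_even(key_len, r, trials, seed=1):
    """Sample check of the Theorem 3.9 identity f_{3+2l+r} - f_{3+r} = const + 2*(l key bytes):
    True iff every sampled difference is even (N is even, so reduction mod N keeps parity)."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        if (f(3 + 2 * key_len + r, key) - f(3 + r, key)) % 2:
            return False
    return True


def theorem_3_8(n=N):
    """Theorem 3.8: P(z_2 = 2 - f_31) for 16-byte keys, using P(z_2 = 0) = 2/n - 1/n^2 [8] and
    P(f_31 = 2) = 2/n (f_31 is always even, so 2 is one of n/2 equally likely values)."""
    p_z2_zero = 2 / n - 1 / n ** 2
    return (2 / n) * p_z2_zero + (1 - p_z2_zero) * ((n / 2 - 1) / (n - 1)) * (2 / n)


def theorem_3_9(p_perm, n=N):
    """Theorem 3.9: P(z_{3+r} = 3+r - f_{35+r}) for 16-byte keys, given
    p_perm = P(S_{3+r-1}[3+r] = f_{3+r}) (obtained from Lemma 3.4 in the paper)."""
    jenkins = 2 / n - 1 / n ** 2       # P(z_i = i - S_{i-1}[i]), Jenkins' correlation [3]
    same = 2 / n                       # P(f_{35+r} = f_{3+r}): same parity, n/2 candidates
    rest = (1 - 2 / n) / (n - 1)       # uniform share of the remaining n-1 values
    return ((jenkins * same + rest * (1 - 2 / n)) * p_perm
            + (rest * same + (1 / n) * (1 - 2 / n)) * (1 - p_perm))


if __name__ == "__main__":
    print("f_31 parity fixed for 16-byte keys:", fixed_parity(16, 31), observed_parities(16, 31, 200))
    print("f_15 parity fixed for 16-byte keys:", fixed_parity(16, 15), observed_parities(16, 15, 200))
    print("Theorem 3.8:", theorem_3_8(), "vs 1/N + 1/N^2 =", 1 / N + 1 / N ** 2)
```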

3.1 Probability $z_i = i - f_i$

Let us first start with $y = i$. In this case, results were discovered in [5] and proved rigorously in [6]. It was shown in [6, Theorem 3] that

$$ P(z_1 = 1-f_1) = \frac{1}{N}\left(1 + \left(\frac{N-1}{N}\right)^{N+2} + \frac{1}{N}\right), $$
$$ P(z_i = i-f_i) = \frac{1}{N}\left(1 + \left[\left(\frac{N-i}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{i(i+1)}{2}+N} + \frac{1}{N}\right]\left[\left(\frac{N-1}{N}\right)^{i-1} - \frac{1}{N}\right] + \frac{1}{N}\right) \quad \text{for } i \in [2, N-1]. $$

Using Table 1, we present our comparative study of the correlation probabilities. We present the theoretical values of $P(z_i = i-f_i)$ for $1 \le i \le 64$ according to Theorem 3.5 and also according to the above formulas from [6]. We have calculated the values $p_i$, which are required to find the coefficients $a_i$ in $P(z_i = i-f_i)$, using numerical methods available in [20]. The experimental values are averaged over 100 billion key schedulings, where the keys are of length 16 and are randomly generated.

Table 1

Comparison of our work with the work [6] and experimental values. Each block of three rows gives $P(z_i = i-f_i)$ for the eight consecutive values of $i$ in the range shown in the first column; column $+k$ holds the value for $i$ equal to the start of the range plus $k$.

| $i$ | | +0 | +1 | +2 | +3 | +4 | +5 | +6 | +7 |
|---|---|---|---|---|---|---|---|---|---|
| 1–8 | [6] | 0.005367 | 0.005332 | 0.005305 | 0.005273 | 0.005237 | 0.005196 | 0.005153 | 0.005106 |
| | Exp. | 0.005264 | 0.005298 | 0.005280 | 0.005241 | 0.005211 | 0.005169 | 0.005127 | 0.005077 |
| | Thm. 3.5 | 0.005320 | 0.005298 | 0.005270 | 0.005238 | 0.005202 | 0.005161 | 0.005117 | 0.005070 |
| 9–16 | [6] | 0.005056 | 0.005005 | 0.004951 | 0.004897 | 0.004842 | 0.004787 | 0.004732 | 0.004677 |
| | Exp. | 0.005028 | 0.004974 | 0.004921 | 0.004864 | 0.004808 | 0.004751 | 0.004697 | 0.004639 |
| | Thm. 3.5 | 0.005020 | 0.004968 | 0.004914 | 0.004859 | 0.004803 | 0.004747 | 0.004691 | 0.004636 |
| 17–24 | [6] | 0.004624 | 0.004572 | 0.004521 | 0.004473 | 0.004426 | 0.004382 | 0.00434 | 0.004301 |
| | Exp. | 0.004586 | 0.004532 | 0.004481 | 0.004431 | 0.004385 | 0.004338 | 0.004298 | 0.004256 |
| | Thm. 3.5 | 0.004582 | 0.004529 | 0.004478 | 0.004429 | 0.004382 | 0.004338 | 0.004291 | 0.004252 |
| 25–32 | [6] | 0.004264 | 0.004230 | 0.004198 | 0.004169 | 0.004142 | 0.004117 | 0.004095 | 0.004075 |
| | Exp. | 0.004220 | 0.004184 | 0.004154 | 0.004123 | 0.004097 | 0.004073 | 0.004050 | 0.004031 |
| | Thm. 3.5 | 0.004215 | 0.004181 | 0.004149 | 0.004121 | 0.004094 | 0.004070 | 0.004049 | 0.004029 |
| 33–40 | [6] | 0.004057 | 0.004041 | 0.004026 | 0.004014 | 0.004002 | 0.003993 | 0.003984 | 0.003976 |
| | Exp. | 0.004013 | 0.003998 | 0.003985 | 0.003972 | 0.003962 | 0.003953 | 0.003945 | 0.003938 |
| | Thm. 3.5 | 0.004012 | 0.003997 | 0.003983 | 0.003971 | 0.003961 | 0.003952 | 0.003944 | 0.003937 |
| 41–48 | [6] | 0.003970 | 0.003964 | 0.003959 | 0.003955 | 0.003952 | 0.003949 | 0.003946 | 0.003944 |
| | Exp. | 0.003932 | 0.003927 | 0.003922 | 0.003919 | 0.003916 | 0.003914 | 0.003911 | 0.003910 |
| | Thm. 3.5 | 0.003931 | 0.003926 | 0.003922 | 0.003919 | 0.003916 | 0.003913 | 0.003911 | 0.003909 |
| 49–56 | [6] | 0.003942 | 0.003940 | 0.003939 | 0.003938 | 0.003937 | 0.003937 | 0.003936 | 0.003935 |
| | Exp. | 0.003908 | 0.003907 | 0.003906 | 0.003906 | 0.003905 | 0.003905 | 0.003904 | 0.003904 |
| | Thm. 3.5 | 0.003908 | 0.003907 | 0.003906 | 0.003905 | 0.003905 | 0.003904 | 0.003904 | 0.003904 |
| 57–64 | [6] | 0.003935 | 0.003935 | 0.003934 | 0.003934 | 0.003934 | 0.003934 | 0.003934 | 0.003934 |
| | Exp. | 0.003904 | 0.003904 | 0.003904 | 0.003904 | 0.003904 | 0.003905 | 0.003905 | 0.003905 |
| | Thm. 3.5 | 0.003904 | 0.003904 | 0.003904 | 0.003904 | 0.003904 | 0.003905 | 0.003905 | 0.003905 |

From Table 1 it is clear that our estimation gives a much better approximation than [6]. One can note from Table 1 that $P(z_i = i-f_i) < \frac{1}{N}$ for $i \in [52, 64]$. The formulas of [6] cannot capture this negative bias. For example, when $i = 64$, the formulas of [6] give $P(z_{64} = 64-f_{64}) = \frac{1}{N}+\frac{1.82}{N^2}$, but actually $P(z_{64} = 64-f_{64}) < \frac{1}{N}$.

Remark 3.11.

In [14], Sengupta et al. studied linear relations between the keystream bytes and the key. They used these relations to recover plaintexts of WPA, as the first three bytes of the key are public. To recover the first byte of plaintext, they used the relation $z_1 = 1-f_1$. From Table 1 one can note that our theoretical estimation of $P(z_1 = 1-f_1)$ is better than the existing work [6].

Table 2

Theoretical and experimental values of a few $z_i = i-f_y$ for $y > i$.

| Event | Thm. | Exp. |
|---|---|---|
| $P(z_1 = 1-f_2)$ | 0.003886 | 0.003882 |
| $P(z_1 = 1-f_3)$ | 0.003897 | 0.003897 |
| $P(z_1 = 1-f_4)$ | 0.003897 | 0.003998 |
| $P(z_1 = 1-f_5)$ | 0.003898 | 0.003998 |
| $P(z_1 = 1-f_6)$ | 0.003898 | 0.003998 |
| $P(z_2 = 2-f_3)$ | 0.003892 | 0.003891 |
| $P(z_2 = 2-f_4)$ | 0.003892 | 0.003892 |
| $P(z_2 = 2-f_5)$ | 0.003892 | 0.003892 |
| $P(z_2 = 2-f_6)$ | 0.003893 | 0.003892 |
| $P(z_2 = 2-f_7)$ | 0.003893 | 0.003893 |
| $P(z_3 = 3-f_4)$ | 0.003897 | 0.003897 |
| $P(z_3 = 3-f_5)$ | 0.003898 | 0.003897 |
| $P(z_3 = 3-f_6)$ | 0.003898 | 0.003898 |
| $P(z_3 = 3-f_7)$ | 0.003898 | 0.003898 |
| $P(z_3 = 3-f_8)$ | 0.003898 | 0.009899 |
| $P(z_4 = 4-f_5)$ | 0.003898 | 0.003897 |
| $P(z_4 = 4-f_6)$ | 0.003898 | 0.003898 |
| $P(z_4 = 4-f_7)$ | 0.003898 | 0.003898 |
| $P(z_4 = 4-f_8)$ | 0.003898 | 0.003898 |
| $P(z_4 = 4-f_9)$ | 0.003899 | 0.003898 |

Theorem 3.7 also gives a negative bias of $P(z_i = i-f_y)$ for $y > i$. In Table 2, we present a few theoretical and experimental values. The experimental values are averaged over 100 billion different keys, where the keys are of length 16 and are randomly generated.

4 Biases of $z_i$ towards $f_{i-1}$

In this section, we study the probability $P(z_i = f_{i-1})$. In FSE 2008, Maitra and Paul [6] observed this type of bias. In [6, Theorem 6], it is claimed that

$$ P(z_i = f_{i-1}) = \left(\frac{N-1}{N}\right)\left(\frac{N-i}{N}\right)\left(\left(\frac{N-i+1}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{i(i-1)}{2}+i} + \frac{1}{N}\right)\left(\frac{N-2}{N}\right)^{N-i}\left(\frac{N-3}{N}\right)^{i-2}\gamma_i + \frac{1}{N}, $$

where

$$ \gamma_i = \frac{1}{N}\left(\frac{N-1}{N}\right)^{N-1-i} + \frac{1}{N}\left(\frac{N-1}{N}\right) - \frac{1}{N}\left(\frac{N-1}{N}\right)^{N-i}. $$

From [7], we know that $\gamma_i$ is the probability of $S_N^{KSA}[i]$ equaling zero after KSA.

Let us start with the following lemma.

Lemma 4.1.

In PRGA,

$$ P(S_{i-1}[i] = 0) = \begin{cases} \gamma_i\left(1-\frac{1}{N}\right)^{i-1} + \sum_{s=1}^{i-3}\frac{1}{N^s}\left(1-\frac{1}{N}\right)^{i-1-s}\sum_{l=2}^{i-1}\gamma_l\binom{i-l-2}{s-1} & \text{for } i > 3, \\[4pt] \gamma_i\left(1-\frac{1}{N}\right)^{i-1} & \text{for } 1 < i \le 3. \end{cases} $$

Proof.

For $i > 3$, we have the following paths:

  1. Let $S_N^{KSA}[i] = 0$. This holds with probability $\gamma_i$. Also all of $j_1, \ldots, j_{i-1}$ are different from $i$.

  2. If $S_N^{KSA}[0] = 0$ or $S_N^{KSA}[1] = 0$, then $S_{i-1}[i]$ will always be different from zero. Again, if $S_N^{KSA}[l] = 0$ with $1 < l < i-1$, zero can move to position $i$ through $s$ jumps with $1 \le s \le i-3$, one jump in each step, as zero cannot move forward through $i-2$ jumps. This happens with probability

$$ \frac{1}{N^s}\left(1-\frac{1}{N}\right)^{i-1-s}\sum_{l=2}^{i-1}\gamma_l\binom{i-l-2}{s-1}. $$

    So the total probability for this path is

$$ \sum_{s=1}^{i-3}\frac{1}{N^s}\left(1-\frac{1}{N}\right)^{i-1-s}\sum_{l=2}^{i-1}\gamma_l\binom{i-l-2}{s-1}. $$

    For $1 < i \le 3$, we have only the first path. ∎

Now we will prove the following bias of zi towards fi-1.

Theorem 4.2.

In PRGA,

$$ P(z_i = f_{i-1}) = \tau\rho\delta\eta\psi + \left(1 - \tau\rho\delta\eta\psi - \tau\rho\delta(1-\eta)\psi - \tau\rho(1-\delta)\eta\psi - \tau(1-\rho)\delta\eta\psi\right)\frac{1}{N}, $$

where $\tau = P(S_{i-1}[i] = 0)$, $\rho = P(S_N^{KSA}[S_N^{KSA}[i-1]] = f_{i-1})$, $\delta = \left(1-\frac{1}{N}\right)^{i-2}$, $\eta = \left(1-\frac{i}{N}\right)$, $\psi = \left(1-\frac{1}{N}\right)^{i-1}$ and $i > 2$.

Proof.

Consider the following five events:

  1. The first event $A_1$ is $S_{i-1}[i] = 0$.

  2. The second event $A_2$ is $S_N^{KSA}[S_N^{KSA}[i-1]] = f_{i-1}$.

  3. $A_3 = \{(j_1 \neq i-1) \wedge \cdots \wedge (j_{i-2} \neq i-1)\}$.

  4. $A_4 = \{(1 \neq S_N[i-1]) \wedge \cdots \wedge (i \neq S_N[i-1])\}$.

  5. $A_5 = \{(j_1 \neq S_N[i-1]) \wedge \cdots \wedge (j_{i-1} \neq S_N[i-1])\}$.

Now one can see that

$$ P(z_i = f_{i-1} \mid A_1 A_2 A_3 A_4 A_5) = 1, \qquad P(z_i = f_{i-1} \mid A_1 A_2 A_3 A_4^c A_5) = 0, $$
$$ P(z_i = f_{i-1} \mid A_1 A_2 A_3^c A_4 A_5) = 0, \qquad P(z_i = f_{i-1} \mid A_1 A_2^c A_3 A_4 A_5) = 0. $$

Also,

$$ P(A_1) = P(S_{i-1}[i] = 0), \quad P(A_2) = P(S_N^{KSA}[S_N^{KSA}[i-1]] = f_{i-1}), \quad P(A_3) = \left(1-\frac{1}{N}\right)^{i-2}, \quad P(A_4) = \left(1-\frac{i}{N}\right), \quad P(A_5) = \left(1-\frac{1}{N}\right)^{i-1}. $$

Assuming $z_i = f_{i-1}$ occurs with probability $\frac{1}{N}$ in the other cases, we have the required result. ∎

Table 3

Comparison of our work with the work [6] and experimental values for $z_i = f_{i-1}$. Each block of three rows gives $P(z_i = f_{i-1})$ for the eight consecutive values of $i$ in the range shown in the first column; column $+k$ holds the value for $i$ equal to the start of the range plus $k$.

| $i$ | | +0 | +1 | +2 | +3 | +4 | +5 | +6 | +7 |
|---|---|---|---|---|---|---|---|---|---|
| 3–10 | [6] | 0.004413 | 0.004400 | 0.004384 | 0.004368 | 0.004350 | 0.004331 | 0.004312 | 0.004292 |
| | Exp. | 0.004400 | 0.004386 | 0.004376 | 0.004356 | 0.004339 | 0.004321 | 0.004301 | 0.004281 |
| | Thm. 4.2 | 0.004400 | 0.004387 | 0.004372 | 0.004356 | 0.004339 | 0.004320 | 0.004301 | 0.004281 |
| 11–18 | [6] | 0.004271 | 0.00425 | 0.004229 | 0.004209 | 0.004188 | 0.004168 | 0.004148 | 0.004129 |
| | Exp. | 0.004261 | 0.004241 | 0.004220 | 0.004200 | 0.004179 | 0.004162 | 0.004139 | 0.004120 |
| | Thm. 4.2 | 0.004261 | 0.004240 | 0.004220 | 0.004199 | 0.004179 | 0.004159 | 0.004139 | 0.004120 |
| 19–26 | [6] | 0.004111 | 0.004093 | 0.004076 | 0.004061 | 0.004046 | 0.004032 | 0.004019 | 0.004007 |
| | Exp. | 0.004102 | 0.004085 | 0.004068 | 0.004052 | 0.004038 | 0.004024 | 0.004011 | 0.003999 |
| | Thm. 4.2 | 0.004102 | 0.004085 | 0.004068 | 0.004053 | 0.004038 | 0.004024 | 0.004011 | 0.004000 |
| 27–34 | [6] | 0.003996 | 0.003986 | 0.003976 | 0.003968 | 0.003960 | 0.003954 | 0.003948 | 0.003942 |
| | Exp. | 0.003988 | 0.003978 | 0.003969 | 0.003961 | 0.003954 | 0.003950 | 0.003941 | 0.003937 |
| | Thm. 4.2 | 0.003989 | 0.003979 | 0.003970 | 0.003962 | 0.003954 | 0.003948 | 0.003942 | 0.003937 |
| 35–42 | [6] | 0.003937 | 0.003933 | 0.003929 | 0.003926 | 0.003923 | 0.003921 | 0.003919 | 0.003917 |
| | Exp. | 0.003932 | 0.003928 | 0.003924 | 0.003922 | 0.003919 | 0.003917 | 0.003915 | 0.003913 |
| | Thm. 4.2 | 0.003932 | 0.003929 | 0.003925 | 0.003922 | 0.00392 | 0.003917 | 0.003915 | 0.003914 |
| 43–50 | [6] | 0.003915 | 0.003914 | 0.003913 | 0.003912 | 0.003911 | 0.003911 | 0.003910 | 0.003910 |
| | Exp. | 0.003912 | 0.003911 | 0.003910 | 0.003909 | 0.003908 | 0.003907 | 0.003907 | 0.003907 |
| | Thm. 4.2 | 0.003912 | 0.003911 | 0.003910 | 0.003910 | 0.003909 | 0.003908 | 0.003908 | 0.003908 |

Now one can find $P(S_N^{KSA}[S_N^{KSA}[i-1]] = f_{i-1})$ by using the following theorem of [13].

Theorem 4.3.

After the completion of KSA, the probability $P(S_N^{KSA}[S_N^{KSA}[i]] = f_i)$ is

$$ \left(\frac{1}{N}\left(1-\frac{1}{N}\right)^{N-1-i} + \beta\right)P(S_{i+1}^{KSA}[i] = f_i) + \alpha + \frac{1-\alpha-\beta}{N}\,P(S_{i+1}^{KSA}[i] \neq f_i), $$

where

$$ \alpha = \left(1-\frac{2}{N}\right)^{N-i-1}\prod_{r=1}^{i}\left(1-\frac{r}{N}\right)\left(1-\frac{i}{N}\right)\left(1-\frac{1}{N}\right)^{i-1}\frac{1}{N}\sum_{s=1}^{i}\left(1-\frac{1}{N}\right)^{i-s}, $$
$$ \beta = \left(\frac{N-i-1}{N}\right)\left(1-\frac{1}{N}\right)^{i+1}\left(1-\frac{2}{N}\right)^{N-i-2}. $$

Using Table 3, we present our comparative study of the correlation probabilities. We present the theoretical values of $P(z_i = f_{i-1})$ for $3 \le i \le 64$ according to Theorem 4.2 and also according to the formulas of [6]. The experimental values are averaged over 100 billion key schedulings, where the keys are of length 16 and are randomly generated. From Table 3 it is clear that our estimation gives a much better approximation than [6].

5 Conclusion

In this paper, we have given a justification of the negative bias between $z_i$ and $i - K[0]$ which was observed experimentally by Paterson et al. [9, 10]. Next we have considered a generalization of the Roos bias. We have also presented the complete correlation between $z_i$ and $i - f_y$. Our formulas for the probabilities of $z_i = i - f_i$ and $z_i = f_{i-1}$ give a better approximation than the existing works.

References

[1] N. AlFardan, D. Bernstein, K. Paterson, B. Poettering and J. Schuldt, On the security of RC4 in TLS, Proceedings of the 22nd USENIX Conference on Security – SEC'13, USENIX Association, Berkeley (2013), 305–320.

[2] S. Fluhrer, I. Mantin and A. Shamir, Weaknesses in the key scheduling algorithm of RC4, Selected Areas in Cryptography – SAC 2001, Lecture Notes in Comput. Sci. 2259, Springer, Berlin (2001), 1–24. doi:10.1007/3-540-45537-X_1

[3] R. J. Jenkins, ISAAC and RC4, preprint (1996), http://burtleburtle.net/bob/rand/isaac.html.

[4] S. Jha, S. Banik, T. Isobe and T. Ohigashi, Some proofs of joint distributions of keystream biases in RC4, Progress in Cryptology – INDOCRYPT 2016, Lecture Notes in Comput. Sci. 10095, Springer, Cham (2016), 305–321. doi:10.1007/978-3-319-49890-4_17

[5] A. Klein, Attacks on the RC4 stream cipher, Des. Codes Cryptogr. 48 (2008), no. 3, 269–286. doi:10.1007/s10623-008-9206-6

[6] S. Maitra and G. Paul, New form of permutation bias and secret key leakage in keystream bytes of RC4, Fast Software Encryption – FSE 2008, Lecture Notes in Comput. Sci. 5086, Springer, Berlin (2008), 253–269. doi:10.1007/978-3-540-71039-4_16

[7] I. Mantin, Analysis of the stream cipher RC4, Master's Thesis, The Weizmann Institute of Science, Israel, 2001.

[8] I. Mantin and A. Shamir, A practical attack on broadcast RC4, Fast Software Encryption – FSE 2001, Lecture Notes in Comput. Sci. 2355, Springer, Berlin (2002), 152–164. doi:10.1007/3-540-45473-X_13

[9] K. G. Paterson, B. Poettering and J. C. N. Schuldt, Big bias hunting in Amazonia: Large-scale computation and exploitation of RC4 biases (invited paper), Advances in Cryptology – ASIACRYPT 2014, Part I, Lecture Notes in Comput. Sci. 8873, Springer, Heidelberg (2014), 398–419. doi:10.1007/978-3-662-45611-8_21

[10] K. G. Paterson, J. Schuldt and B. Poettering, Plaintext recovery attacks against WPA/TKIP, Fast Software Encryption – FSE 2014, Lecture Notes in Comput. Sci. 8540, Springer, Berlin (2014), 325–349. doi:10.1007/978-3-662-46706-0_17

[11] G. Paul and S. Maitra, Permutation after RC4 key scheduling reveals the secret key, Selected Areas in Cryptography – SAC 2007, Lecture Notes in Comput. Sci. 4876, Springer, Berlin (2007), 360–377. doi:10.1007/978-3-540-77360-3_23

[12] A. Roos, A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$1j3@hermes.is.co.za and 44ebge$llf@hermes.is.co.za, preprint (1995).

[13] S. Sarkar and A. Venkateswarlu, Revisiting (nested) Roos bias in RC4 key scheduling algorithm, Des. Codes Cryptogr. 82 (2017), no. 1–2, 131–148. doi:10.1007/s10623-016-0219-2

[14] S. Sengupta, S. Maitra, W. Meier, G. Paul and S. Sarkar, Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA, Fast Software Encryption – FSE 2014, Lecture Notes in Comput. Sci. 8540, Springer, Berlin (2014), 350–369. doi:10.1007/978-3-662-46706-0_18

[15] P. Sepehrdad, S. Vaudenay and M. Vuagnoux, Discovery and exploitation of new biases in RC4, Selected Areas in Cryptography – SAC 2010, Lecture Notes in Comput. Sci. 6544, Springer, Berlin (2010), 74–91. doi:10.1007/978-3-642-19574-7_5

[16] P. Sepehrdad, S. Vaudenay and M. Vuagnoux, Statistical attack on RC4 – distinguishing WPA, Advances in Cryptology – EUROCRYPT 2011, Lecture Notes in Comput. Sci. 6632, Springer, Berlin (2010), 343–363. doi:10.1007/978-3-642-20465-4_20

[17] M. Vanhoef and F. Piessens, All your biases belong to us: Breaking RC4, Proceedings of the 24th USENIX Conference on Security Symposium – SEC'15, USENIX Association, Berkeley (2016), 97–112.

[18] IEEE 802.11, Wireless LAN medium access control (MAC) and physical layer (PHY) specification (1997).

[19] IEEE 802.11i, Wireless LAN medium access control (MAC) and physical layer (PHY) specification: Amendment 6: Medium access control (MAC) security enhancements (2004).

[20] Sage: Open Source Mathematics Software, http://www.sagemath.org/.

Received: 2016-10-28
Revised: 2017-6-11
Accepted: 2018-1-6
Published Online: 2018-1-31
Published in Print: 2018-3-1

© 2018 Walter de Gruyter GmbH, Berlin/Boston

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
