New Form of Permutation Bias and Secret Key Leakage in Keystream - - PowerPoint PPT Presentation



SLIDE 1

New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4

Subhamoy Maitra, ISI, Kolkata
Goutam Paul, Jadavpur University, Kolkata

SLIDE 2

February 12, 2008 Goutam Paul, FSE-2008 2

Roadmap

  • Introduction
  • Related Work and Contribution
  • Bias in the Permutation
  • Key Leakage in the Keystream
  • Conclusion
SLIDE 3

Introduction

SLIDE 4

General Structure of Stream Cipher

SLIDE 5

RC4

  • One of the most popular stream ciphers
  • Designed by Ron Rivest in 1987
  • Used in SSL, TLS, WEP, WPA, AOCE, Oracle Secure SQL etc.
  • Not completely cracked yet, even after two decades of its discovery

SLIDE 6

Data Structure of RC4

  • $S[0, \ldots, N-1]$: A permutation of $N$ bytes ($N = 256$ for RC4).
  • $K[0, \ldots, l-1]$: The secret key of $l$ bytes.
  • $key[i] = K[i \bmod l]$, $0 \le i \le N-1$.
  • $i$: Deterministic index. $j$: Pseudorandom index.
  • All index additions are additions modulo $N$.

SLIDE 7

Key Scheduling Algorithm (KSA)

Initialization:
  For $i = 0, \ldots, N-1$:
    $S[i] = i$;
  $j = 0$;

Scrambling:
  For $i = 0, \ldots, N-1$:
    $j = j + S[i] + K[i]$;
    Swap($S[i]$, $S[j]$);

SLIDE 8

Pseudo-Random Generation Algorithm (PRGA)

Initialization:
  $i = j = 0$;

Output Keystream Generation Loop:
  $i = i + 1$;
  $j = j + S[i]$;
  Swap($S[i]$, $S[j]$);
  $t = S[i] + S[j]$;
  Output $z = S[t]$;

SLIDE 9

Related Work and Contribution

SLIDE 10

Important Existing Results

  • Roos (sci.crypt 1995) observed some correlation between
    – the permutation bytes $S[y]$ and some functions $f[y]$ of the secret key bytes
    – the first keystream byte $z_1$ and the initial key bytes, subject to some conditions
  • G. Paul and S. Maitra (SAC 2007) proved
    – the above empirical observations of Roos
    – that such weakness is intrinsic to the KSA
  • G. Paul, S. Rathi and S. Maitra (WCC 2007) showed
    – a new bias of the first output byte $z_1$ towards the first three secret key bytes

SLIDE 11

Important Existing Results …contd

  • Fluhrer, Mantin and Shamir (SAC 2001)
    – the invariance weakness, known-IV attack and related-key attack
  • Mantin (Asiacrypt 2005)
    – using the above, showed secret key leakage at the 257th keystream output byte
  • Mantin and Shamir (FSE 2001)
    – a bias in the second output byte, namely, a bias of $z_2 = 0$
  • S. Paul and Preneel (FSE 2004)
    – a bias in the equality of the first two output bytes, i.e., a bias of $z_1 = z_2$
  • Klein (Draft 2006) and Tews et al. (ePrint 2007/120)
    – bias in the initial keystream bytes $z_r$ towards the functions $f[r]$ of the secret key bytes
SLIDE 12

Our Contributions

1. A new form of bias: $S[S[y]]$ with functions $f[y]$ of the secret key bytes

2. A general framework for identifying biases in the keystream bytes, used to find
   (a) Biases at the 256th and 257th keystream output bytes (difference with Mantin, 2005: no conditions on the secret key and IV)
   (b) New biases in the initial keystream output bytes, namely, biases of $z_r$ towards the functions $f[r-1]$ (a new type, completely different from Klein, 2006 and Tews, 2007)

3. Propagation of biases beyond the 257th round of the PRGA: chain-like propagation, if $j$ is known

SLIDE 13

Bias in the Permutation

SLIDE 14

Our Notations

  • $S_r$: Permutation after the $r$-th round of the KSA, $1 \le r \le N$. Note that $r = i + 1$, $0 \le i \le N-1$.
  • $S_0$: The initial (typically identity) permutation.
  • $f_y = \frac{y(y+1)}{2} + \sum_{x=0}^{y} K[x]$, $0 \le y \le N-1$.

SLIDE 15

How $P(S_r[S_r[1]] = f_1)$ Changes with KSA Rounds $r$, $1 \le r \le N$

SLIDE 16

After the 2nd Round of KSA

Lemma 1:
  (a) $P(S_2[S_2[1]] = f_1) = \frac{3}{N} - \frac{4}{N^2} + \frac{2}{N^3}$.
  (b) $P(S_2[S_2[1]] = f_1 \wedge S_2[1] \le 1) \approx \frac{2}{N}$.

Note that $f_1 = K[0] + K[1] + 1$.

SLIDE 17

Recursion

Lemma 2: Let $p_r = P(S_r[S_r[1]] = f_1 \wedge S_r[1] \le r - 1)$, for $r \ge 2$. Then for $r \ge 3$,

  $p_r = \left(\frac{N-2}{N}\right) p_{r-1} + \frac{1}{N}\left(\frac{N-2}{N}\right)^{r-2}\left(\frac{N-1}{N}\right)$.

SLIDE 18

After the Complete Key Scheduling

Theorem 1: $P(S_N[S_N[1]] = K[0] + K[1] + 1) \approx \left(\frac{N-2}{N}\right)^{N-2}$. For $N = 256$, this value is $\approx 0.136$.

SLIDE 19

Generalizations: $P(S_N[y] = f_y)$, $P(S_N[S_N[y]] = f_y)$, $P(S_N[S_N[S_N[y]]] = f_y)$ vs. $y$

SLIDE 20

Result for Two Levels of Nesting

Theorem 2: For $1 \le y \le 31$, $P(S_N[S_N[y]] = f_y)$ is approximated by a closed-form expression in $N$ and $y$ (the expression is not legible in this extraction; the resulting values are plotted against $y$ on slide 19).

SLIDE 21

Where Does It Lead to

  • In a similar manner, the association of $S_N[S_N[\ldots[S_N[y]]\ldots]]$ and $f_y$ can be studied
  • These results are combinatorially interesting
  • Cryptanalytic implications are not immediate, but possible
  • We use the nonrandom association of $S_N[S_N[1]]$ with $f_1$ to find a new bias at the 257th keystream byte $z_{257}$

SLIDE 22

Key Leakage in the Keystream

SLIDE 23

Some More Notations

  • $S^G_r$: Permutation after the $r$-th round of the PRGA, $r \ge 1$.
  • $i^G_r$ and $j^G_r$: The indices after the $r$-th round of the PRGA, $r \ge 1$.
  • $S^G_0$: Permutation before the PRGA (i.e., the permutation after the KSA).
  • $z_r$: Keystream output byte after the $r$-th round of the PRGA, $r \ge 1$.
  • Recall: $f_y = \frac{y(y+1)}{2} + \sum_{x=0}^{y} K[x]$, $0 \le y \le N-1$.

SLIDE 24

Existing Results Needed

Proposition 1 (Paul and Maitra, SAC 2007): $P(S_N[y] = f_y) \approx \left(\frac{N-y}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{y(y+1)}{2} + N} + \frac{1}{N}$, $0 \le y \le N-1$.

Proposition 2 (Jenkins, 1996): $P(z_r = r - S^G_{r-1}[i^G_r]) = \frac{2}{N}$, $r \ge 1$.

SLIDE 25

Framework for New Biases

Lemma 3: Let $P(S^G_t[i^G_r] = X) = q_t$ for some $X$. Then for $t + 2 \le r \le t + N$,

  $P(S^G_{r-1}[i^G_r] = X) = q_t \left[\left(\frac{N-1}{N}\right)^{r-t-1} - \frac{1}{N}\right] + \frac{1}{N}$.

Corollary 2: For $2 \le r \le N-1$,

  $P(S^G_{r-1}[i^G_r] = f_r) = \left[\left(\frac{N-r}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{r(r+1)}{2} + N} + \frac{1}{N}\right]\left[\left(\frac{N-1}{N}\right)^{r-1} - \frac{1}{N}\right] + \frac{1}{N}$.

SLIDE 26

Framework for New Biases …contd

Lemma 4: Let $P(S^G_{r-1}[i^G_r] = f_w) = w_r$, $r \ge 1$. Then

  $P(z_r = r - f_w) = \frac{1}{N}\left(1 + w_r\right)$.

SLIDE 27

Bias in the Initial Keystream Bytes

Theorem 3:
  (1) $P(z_1 = 1 - f_1) = \frac{1}{N}\left(1 + \left(\frac{N-1}{N}\right)^{N+2} + \frac{1}{N}\right)$.
  (2) For $2 \le r \le N-1$,

      $P(z_r = r - f_r) = \frac{1}{N}\left(1 + \left[\left(\frac{N-r}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{r(r+1)}{2} + N} + \frac{1}{N}\right]\left[\left(\frac{N-1}{N}\right)^{r-1} - \frac{1}{N}\right] + \frac{1}{N}\right)$.
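An added runnable illustration (not code from the slides or the paper): the KSA and PRGA of slides 7 and 8, $f_y$ of slide 14, and a Monte Carlo estimate over random keys of the Theorem 1 permutation bias $P(S_N[S_N[1]] = f_1)$ and the Theorem 3(1) first-byte bias $P(z_1 = 1 - f_1)$, next to the closed forms quoted above. The 16-byte key length and the RNG seed are constructed choices.

```python
import random

N = 256  # RC4 state size, as on the slides


def ksa(key, n=N):
    """Key Scheduling Algorithm (slide 7); returns S_N for the key bytes."""
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % len(key)]) % n  # key[i] = K[i mod l] (slide 6)
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, nbytes, n=N):
    """PRGA (slide 8); returns z_1 .. z_nbytes without modifying S."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return bytes(out)


def f(key, y, n=N):
    """f_y = y(y+1)/2 + sum_{x=0}^{y} K[x] mod N (slide 14), key repeated."""
    return (y * (y + 1) // 2 + sum(key[x % len(key)] for x in range(y + 1))) % n


def theory():
    """Closed forms quoted on the slides: Theorem 1 and Theorem 3(1)."""
    p_perm = ((N - 2) / N) ** (N - 2)
    p_z1 = (1 + ((N - 1) / N) ** (N + 2) + 1 / N) / N
    return p_perm, p_z1


def estimate(trials, keylen=16, seed=1):
    """Monte Carlo estimate of P(S_N[S_N[1]] = f_1) and P(z_1 = 1 - f_1)
    over random keys (constructed key length and seed)."""
    rng = random.Random(seed)
    hit_perm = hit_z1 = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(keylen)]
        S = ksa(key)
        f1 = f(key, 1)
        hit_perm += S[S[1]] == f1
        hit_z1 += prga(S, 1)[0] == (1 - f1) % N
    return hit_perm / trials, hit_z1 / trials
```

For an unbiased keystream both fractions would be $1/N \approx 0.0039$; `estimate(30000)` lands near the theoretical 0.136 and 0.0053.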

SLIDE 28

Probability Values Given by Theorem 3

SLIDE 29

Bias in the 256th Keystream Byte

Theorem 4: $P(z_N = N - f_0) = \frac{1}{N}\left(1 + \left[\left(\frac{N-1}{N}\right)^{N} + \frac{1}{N}\right]\left[\left(\frac{N-1}{N}\right)^{N-1} - \frac{1}{N}\right] + \frac{1}{N}\right)$. For $N = 256$, this value is $\approx 0.0045$.

SLIDE 30

Bias in the 257th Keystream Byte

Theorem 5: $P(z_{N+1} = N + 1 - f_1) = \frac{1}{N}\left(1 + \left(\frac{N-2}{N}\right)^{N-2}\left[\left(\frac{N-1}{N}\right)^{N-1} - \frac{1}{N}\right] + \frac{1}{N}\right)$. For $N = 256$, this value is $\approx 0.0041$.

SLIDE 31

More New Types of Biases in the Initial Keystream Bytes

Theorem 6: For $r \ge 3$, $P(z_r = r - f_{r-1})$ is given by a closed-form expression in $N$ and $r$ involving an auxiliary quantity $\eta_r$ (the expression is not legible in this extraction; the resulting values are plotted on slide 32).

SLIDE 32

Probability Values Given by Theorem 6

SLIDE 33

Further Biases if j is known

  • Assume that $j^G_t$ is known after round $t$
  • The value $V$ at index $j^G_t$ remains there with high probability until $j^G_t$ is touched by $i$ for the first time after a few more rounds
  • This immediately leaks $V$ in the keystream output byte
  • Key leaked, if $V$ is biased to the secret key
SLIDE 34

Example of Such Biases

  • Suppose we know that $j^G_5 = 18$
  • With probability $\beta_5$ (given by Corollary 2), $S^G_4[5]$ would have remained $f_5$, which would move to index 18 due to the swap in round 5, i.e., $S^G_5[18] = f_5$
  • With approx. $\beta_5\left[\left(\frac{N-1}{N}\right)^{18-5-1} - \frac{1}{N}\right] + \frac{1}{N}$ probability (by Lemma 3), $f_5$ would remain at index 18 till the end of round $18 - 1 = 17$
  • So (by Lemma 4) we get a bias of $z_{18}$ towards $18 - f_5$
SLIDE 35

Example …contd

  • Moreover, in round 18, $f_5$ would move from index 18 to $j^G_{18}$
  • If (in addition to $j^G_5$) the value of $j^G_{18}$ is also known, say $j^G_{18} = 3$, then we would have $S^G_{18}[3] = f_5$
  • Applying the same line of argument for round $256 + 3 = 259$, we get a bias of $z_{259}$ towards $259 - f_5$
  • Experiments with 1 billion random keys demonstrate that in this scenario, the bias of $z_{18}$ towards $18 - f_5$ is 0.0052 and the bias of $z_{259}$ towards $259 - f_5$ is 0.0044 (which conform to the theoretical values)

SLIDE 36

CONCLUSION

  • We present several new observations on the weaknesses of RC4
  • This is the first attempt to formally analyze biases of $S[S[y]]$ towards the secret key
  • We use the above bias (at $y = 1$) to obtain a new bias in the keystream towards the secret key beyond the first 256 rounds of the PRGA
  • We also discover another new set of biases in the first 32 keystream bytes towards the secret key
  • We analyze how these biases propagate further down the keystream, if $j$ is known at some stage of the PRGA