RC4: Non-Randomness in the index j and some results on its Cycles - PowerPoint PPT Presentation

RC4: Non-Randomness in the index j and some results on its Cycles Chandratop Chakraborty, Pranab Chakraborty, Subhamoy Maitra PES University, Wipro Limited, Indian Statistical Institute [chandratop@protonmail.ch, kojagori@gmail.com, subho@isical.ac.in] December 16, 2019 RC4

Outline of the talk Basics Stream Cipher RC4: Brief History RC4: Description Our Results Non-Randomness in j Properties of RC4 Cycles Concluding remarks RC4

Stream Cipher: Basics RC4

Stream Cipher Principle Z i Z i C i M i Encryption Decryption M i C i = M i ⊕ Z i M i = C i ⊕ Z i Example Message M i 0 1 1 0 0 · · · ⊕ ⊕ ⊕ ⊕ ⊕ · · · Keystream Z i 1 1 0 0 1 · · · Ciphertext C i 1 0 1 0 1 · · · RC4

Basic Idea Parties: Alice (Sender/Receiver) and Bob (Receiver/Sender) Procedure Alice and Bob share a stream of random data (keystream) Z i , where i = 0 , 1 , . . . The plaintext stream M i is XOR-ed with Z i to generate the cipher stream C i . [ C i = M i ⊕ Z i ] The cipher stream C i is XOR-ed with Z i to generate the plaintext stream M i . [ M i = C i ⊕ Z i ] RC4

Perfect Secrecy/One Time Pad Information Theoretic Security: Shannon (1949) Ciphertext should reveal no “information” about plaintext Example: One Time Pad (Miller 1882, Vernam 1917) One Time Pad Alice and Bob may sit on a table and toss an unbiased coin enough number of times to generate the keystream bits Once some portion of the keystream is used for encryption, it will never be used again Not practical! RC4

Pseudorandom Generator Alice and Bob share a small key key of length l , e.g., toss the coin for l = 128 times to generate the secret key Initialize the state using some deterministic algorithm (Key Scheduling Algorithm: KSA) on a classical computer with this secret key. The key will not be used after KSA After the initialization, the algorithm will keep on generating random-looking bitstream , the keystream bits z ( z 0 , z 1 , . . . ) This is Pseudo Random Generation Algorithm (PRGA) RC4

RC4: Brief History RC4

RC4: Rivest Cipher/Ron’s Code? Most popular software stream cipher Developed by Ron Rivest, 1987? Proprietary algorithm of RSA Data Security Inc. Leaked in Cypherpunks mailing list, September 9, 1994 by Anonymous (email id: nobody@jpunix.com ) Quite a few interesting email exchanges after that (available in web) Alleged RC4 RC4

RC4: most widely deployed stream cipher Secure Sockets Layer (SSL) Transport Layer Security (TLS) IEEE 802.11b (Wi-Fi): Wired Equivalent Privacy (WEP) IEEE 802.11i: Wi-Fi Protected Access (WPA) Apple Open Collaboration Environment (AOCE) Microsoft Windows Lotus Notes Oracle Secure SQL etc. RC4

RC4: More than three decades of research Perhaps the simplest encryption algorithm, only four (4) lines of design Simple structure of RC4 has always attracted the cryptologists Including stalwarts like Golic, Shamir, Biham, Preneel, Rijman, Vaudney (and many other well known researchers) Publications in Crypto, Eurocrypt, Asiacrypt, FSE, Journal of Cryptology PhD thesis of Sourav SenGupta, the PC Co-Chair of Indocrypt 2019 RC4

RC4: More than three decades of research (contd.) Present Status (from wiki) Some state cryptologic agencies may possess the capability to break RC4 when used in the TLS protocol IETF has published RFC 7465 to prohibit the use of RC4 in TLS Google, Mozilla and Microsoft have issued similar recommendations Still it is used in many protocols as complete replacement will take a substantial amount of time and effort RC4

RC4: Description RC4

RC4: Data Structure S -array of size N = 256 bytes Secret key k of size l = 5 to 32 bytes (in general) Expanded key K of N = 256 bytes Two indices i and j Output: Stream of bytes Key Expansion: K [ i ] = k [ i mod l ] k = { k 0 , k 1 , . . . , k l − 1 } K = { k 0 , k 1 , . . . , k l − 1 , k 0 , k 1 , . . . , k l − 1 , . . . } RC4

RC4: Key Scheduling Algorithm (KSA) (Initialize S -box to identity permutation of { 0 , 1 , . . . , 255 } ) for i = 0 , . . . , 255 S [ i ] = i ; (Swap several times to provide a pseudorandom permutation) Initialize counter: j = 0; for i = 0 , . . . , 255 j = j + S [ i ] + K [ i ]; Swap: S [ i ] ↔ S [ j ]; Addition modulo N = 256 RC4

RC4: Pseudo-Random Generation Algorithm (PRGA) Four lines of design Initialize the counters: i = j = 0; While you need keystream bytes i = i + 1; 1 j = j + S [ i ]; 2 Swap S [ i ] ↔ S [ j ]; 3 Output Z = S [ S [ i ] + S [ j ]]; 4 Addition modulo N = 256 RC4

RC4 Random Bit String pseudo Random Generation RC4

RC4 Operation Plaintext Byte: P Pseudo-Random Byte: Z Ciphertext Byte: C Encryption C = P ⊕ Z Decryption P = C ⊕ Z How Large is the State space for N = 256? (2 8 )! × (2 8 ) 2 ≈ 2 1700 Strength of RC4 relies on KSA, PRGA RC4

Our contributions Study on non-randomness in the pseudo-random index j The condition for removal of Finney cycle directly injects non-randomness in j Our results are glimpses of j given the key stream byte z at different rounds The knowledge of z reveals information regarding the value of the pseudorandom index j , which is an weakness of the cipher from a cryptanalytic point of view RC4

Our contributions (contd.) Study of cycle structures in RC4 We theoretically show how the permutation is shifted with certain specific values of i , j and thus generates a cycle We run experiments for N = 16 and find certain interesting patterns for short cycles in the reduced version of RC4 RC4

Non-randomness in j RC4

Non-randomness issues There are several non-randomness issues in RC4 and many of those results are exploited in different kinds of cryptanalysis For N = 256, the state space of RC4 is (2 8 )! × (2 8 ) 2 ≈ 2 1700 . Thus, for proper uniform randomness, the cycle should be of the same length However, that is possibly not true as evident for experimental results for N = 16 Finney cycle is another example, but that cannot happen for i = j = 0 initialization RC4

Issues related to Finney Cycle It has been observed by Finney that if S [ i ] = 1 and j = i + 1, then RC4 lands into a short cycle of length N ( N − 1) Note that the condition is S [ i ] = 1 in the pre-swap stage, that is before swapping S [ i ] and S [ j ] in the PRGA Fortunately (or knowing this very well), the design of RC4 by Rivest considers the initialization of RC4 PRGA as i = j = 0 Thus, during RC4 PRGA, the Finney cycle cannot occur, i.e., if ( S [ i ] = 1), then ( j � = i + 1). This provides non-randomness in j RC4

Finney Cycle induces non-randomness in j Theorem During RC4 PRGA, Pr( j = i + 1) = 1 1 N − N 2 , under certain usual assumptions. Proof. We have Pr( j = i + 1) = Pr( j = i + 1 , S [ i ] = 1) + Pr( j = i + 1 , S [ i ] � = 1) = 0 + Pr( j = i + 1 | S [ i ] � = 1) · Pr( S [ i ] � = 1) N · (1 − 1 1 N ) = 1 N − 1 = N 2 . Here we consider Pr( j = i + 1 | S [ i ] � = 1) = 1 N under usual randomness assumption (it has been checked by experiments too). Further, considering S as a random permutation, we get Pr( S [ i ] � = 1) = 1 − 1 N . RC4

A non-existence result on sequence of j Theorem During RC4 PRGA, in 3 consecutive rounds (r, r + 1 and r + 2 ), j cannot take 3 consecutive integer values. In other words, there is no r such that j r +2 = j r +1 + 1 = j r + 2 . Proof. Let us first consider the situation where j has been increased by 1 from round r to round r + 1. So j r + 1 = j r +1 , which implies S r [ i r + 1] = S r +1 [ j r +1 ] = 1. It should be noted that in RC4 PRGA, a Finney cycle cannot happen. Hence, i r +1 cannot take the value of ( j r +1 − 1). Hence S r +1 [ i r +1 + 1] cannot be 1. Thus it would not be possible to have j r +2 = j r +1 + 1. RC4

Some related non-randomness results During RC4 PRGA, Pr( j r +2 = j r + 2) = 1 1 N − N 2 During RC4 PRGA, Pr( j r +2 = j r + 2 | i r +1 = z r +1 + 1) = 1 2 1 N − N 2 + N 3 The value of j can remain constant, i.e., ( j r = j r +1 = j r +2 ) for at most three consecutive rounds ( r , r + 1 and r + 2) In other words there cannot exist any r for which ( j r = j r +1 = j r +2 = j r +3 ) In two consecutive rounds ( r and r + 1), if the value of j remains constant (i.e., j r = j r +1 ) then S r +1 [ j r +1 ] must be 0 During RC4 PRGA, there cannot be a continuously decreasing sequence of j having length more than 3. In other words there cannot exist any r for which ( j r − j r +1 ) = ( j r +1 − j r +2 ) = ( j r +2 − j r +3 ) = k where ( k < N − 1) RC4

Some related non-randomness results (contd.) During RC4 PRGA, in any arbitrary round r , if j r = 0, S r [ i r + 1] � = ( i r + 2) and S r [ i r + 2] = 0, then in round ( r + 2), the value of z must be 0, i.e., z r +2 = 0 During RC4 PRGA, (i) Pr( z r +2 = 0 | j r = 0) = 2 1 N − N 2 , and (ii) Pr( j r = 0 | z r +2 = 0) = 2 1 N − N 2 During RC4 PRGA, Pr( j r − 1 = j r | i r = z r ) = 2 1 N − N 2 During RC4 PRGA, if the value of index j remains constant for three consecutive rounds ( r , r + 1 and r + 2), i.e., j r = j r +1 = j r +2 , then z r +1 can not be equal to z r +2 During RC4 PRGA, in any arbitrary round r , if j r = 0, i r � = 0 and S r [0] = 0, then z r � = 0. Similarly, in round r , if j r = 0, i r � = ( N − 1) and S r [ i r + 1] = 0, then z r +1 � = 0 RC4

Properties of RC4 Cycles RC4