RC4: Non-Randomness in the index j and some results on its Cycles



SLIDE 1

RC4: Non-Randomness in the index j and some results on its Cycles

Chandratop Chakraborty, Pranab Chakraborty, Subhamoy Maitra

PES University, Wipro Limited, Indian Statistical Institute [chandratop@protonmail.ch, kojagori@gmail.com, subho@isical.ac.in] December 16, 2019

RC4

SLIDE 2

Outline of the talk

Basics
    Stream Cipher
    RC4: Brief History
    RC4: Description

Our Results
    Non-Randomness in j
    Properties of RC4 Cycles

Concluding remarks

SLIDE 3

Stream Cipher: Basics

SLIDE 4

Stream Cipher Principle

Encryption: Ci = Mi ⊕ Zi
Decryption: Mi = Ci ⊕ Zi

Example: each message bit Mi is XOR-ed with the keystream bit Zi to give the ciphertext bit Ci
[Figure: rows of message bits Mi, keystream bits Zi and ciphertext bits Ci]

SLIDE 5

Basic Idea

Parties: Alice (Sender/Receiver) and Bob (Receiver/Sender)

Procedure
    Alice and Bob share a stream of random data (keystream) Zi, where i = 0, 1, . . .
    The plaintext stream Mi is XOR-ed with Zi to generate the cipher stream Ci. [Ci = Mi ⊕ Zi]
    The cipher stream Ci is XOR-ed with Zi to generate the plaintext stream Mi. [Mi = Ci ⊕ Zi]

SLIDE 6

Perfect Secrecy/One Time Pad

Information Theoretic Security: Shannon (1949)
    The ciphertext should reveal no “information” about the plaintext
    Example: One Time Pad (Miller 1882, Vernam 1917)

One Time Pad
    Alice and Bob may sit at a table and toss an unbiased coin enough times to generate the keystream bits
    Once some portion of the keystream is used for encryption, it is never used again
    Not practical!

SLIDE 7

Pseudorandom Generator

Alice and Bob share a small key of length l, e.g., toss the coin l = 128 times to generate the secret key
Initialize the state using some deterministic algorithm (Key Scheduling Algorithm: KSA) on a classical computer with this secret key. The key is not used after the KSA
After the initialization, the algorithm keeps generating a random-looking bitstream, the keystream bits z (z0, z1, . . .)
This is the Pseudo Random Generation Algorithm (PRGA)

SLIDE 8

RC4: Brief History

SLIDE 9

RC4: Rivest Cipher/Ron’s Code?

Most popular software stream cipher
Developed by Ron Rivest, 1987?
Proprietary algorithm of RSA Data Security Inc.
Leaked on the Cypherpunks mailing list, September 9, 1994, by Anonymous (email id: nobody@jpunix.com)
Quite a few interesting email exchanges after that (available on the web)
Alleged RC4

SLIDE 10

RC4: most widely deployed stream cipher

Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
IEEE 802.11b (Wi-Fi): Wired Equivalent Privacy (WEP)
IEEE 802.11i: Wi-Fi Protected Access (WPA)
Apple Open Collaboration Environment (AOCE)
Microsoft Windows
Lotus Notes
Oracle Secure SQL
etc.

SLIDE 11

RC4: More than three decades of research

Perhaps the simplest encryption algorithm, only four (4) lines of design

The simple structure of RC4 has always attracted cryptologists
    Including stalwarts like Golić, Shamir, Biham, Preneel, Rijmen, Vaudenay (and many other well known researchers)
    Publications in Crypto, Eurocrypt, Asiacrypt, FSE, Journal of Cryptology
    PhD thesis of Sourav Sen Gupta, the PC Co-Chair of Indocrypt 2019

SLIDE 12

RC4: More than three decades of research (contd.)

Present Status (from Wikipedia)
    Some state cryptologic agencies may possess the capability to break RC4 when used in the TLS protocol
    IETF has published RFC 7465 to prohibit the use of RC4 in TLS
    Google, Mozilla and Microsoft have issued similar recommendations

Still, it is used in many protocols, as complete replacement will take a substantial amount of time and effort

SLIDE 13

RC4: Description

SLIDE 14

RC4: Data Structure

S-array of size N = 256 bytes
Secret key k of size l = 5 to 32 bytes (in general)
Expanded key K of N = 256 bytes
Two indices i and j
Output: stream of bytes

Key Expansion: K[i] = k[i mod l]
    k = {k0, k1, . . . , kl−1}
    K = {k0, k1, . . . , kl−1, k0, k1, . . . , kl−1, . . .}

SLIDE 15

RC4: Key Scheduling Algorithm (KSA)

(Initialize S-box to identity permutation of {0, 1, . . . , 255})
for i = 0, . . . , 255
    S[i] = i;

(Swap several times to provide a pseudorandom permutation)
Initialize counter: j = 0;
for i = 0, . . . , 255
    j = j + S[i] + K[i];
    Swap: S[i] ↔ S[j];

Addition modulo N = 256

SLIDE 16

RC4: Pseudo-Random Generation Algorithm (PRGA)

Four lines of design
Initialize the counters: i = j = 0;
While you need keystream bytes
    1. i = i + 1;
    2. j = j + S[i];
    3. Swap S[i] ↔ S[j];
    4. Output Z = S[S[i] + S[j]];

Addition modulo N = 256

SLIDE 17

RC4 Random Bit String

[Figure: RC4 as a pseudo-random generator producing the bit string]

SLIDE 18

RC4 Operation

Plaintext Byte: P
Pseudo-Random Byte: Z
Ciphertext Byte: C
Encryption: C = P ⊕ Z
Decryption: P = C ⊕ Z

How large is the state space for N = 256? (2^8)! × (2^8)^2 ≈ 2^1700

Strength of RC4 relies on KSA, PRGA

SLIDE 19

Our contributions

Study on non-randomness in the pseudo-random index j

The condition for removal of the Finney cycle directly injects non-randomness into j
Our results are glimpses of j given the keystream byte z at different rounds
The knowledge of z reveals information regarding the value of the pseudorandom index j, which is a weakness of the cipher from a cryptanalytic point of view

SLIDE 20

Our contributions (contd.)

Study of cycle structures in RC4

We theoretically show how the permutation is shifted with certain specific values of i, j and thus generates a cycle
We run experiments for N = 16 and find certain interesting patterns for short cycles in the reduced version of RC4

SLIDE 21

Non-randomness in j

SLIDE 22

Non-randomness issues

There are several non-randomness issues in RC4, and many of those results are exploited in different kinds of cryptanalysis
For N = 256, the state space of RC4 is (2^8)! × (2^8)^2 ≈ 2^1700. Thus, for proper uniform randomness, the cycle should be of the same length
However, that is possibly not true, as evident from the experimental results for N = 16
The Finney cycle is another example, but that cannot happen with the i = j = 0 initialization

SLIDE 23

Issues related to Finney Cycle

It has been observed by Finney that if S[i] = 1 and j = i + 1, then RC4 lands in a short cycle of length N(N − 1)
Note that the condition is S[i] = 1 in the pre-swap stage, that is, before swapping S[i] and S[j] in the PRGA
Fortunately (or knowing this very well), the design of RC4 by Rivest initializes the RC4 PRGA with i = j = 0
Thus, during RC4 PRGA, the Finney cycle cannot occur, i.e., if (S[i] = 1), then (j ≠ i + 1). This provides non-randomness in j

SLIDE 24

Finney Cycle induces non-randomness in j

Theorem. During RC4 PRGA, Pr(j = i + 1) = 1/N − 1/N^2, under certain usual assumptions.

Proof. We have
    Pr(j = i + 1) = Pr(j = i + 1, S[i] = 1) + Pr(j = i + 1, S[i] ≠ 1)
                  = 0 + Pr(j = i + 1 | S[i] ≠ 1) · Pr(S[i] ≠ 1)
                  = (1/N) · (1 − 1/N)
                  = 1/N − 1/N^2.

Here we consider Pr(j = i + 1 | S[i] ≠ 1) = 1/N under the usual randomness assumption (it has been checked by experiments too). Further, considering S as a random permutation, we get Pr(S[i] ≠ 1) = 1 − 1/N.

SLIDE 25

A non-existence result on sequence of j

Theorem. During RC4 PRGA, in 3 consecutive rounds (r, r + 1 and r + 2), j cannot take 3 consecutive integer values. In other words, there is no r such that j_{r+2} = j_{r+1} + 1 = j_r + 2.

Proof. Let us first consider the situation where j has been increased by 1 from round r to round r + 1. So j_r + 1 = j_{r+1}, which implies S_r[i_r + 1] = S_{r+1}[j_{r+1}] = 1. It should be noted that in RC4 PRGA, a Finney cycle cannot happen. Hence, i_{r+1} cannot take the value of (j_{r+1} − 1). Hence S_{r+1}[i_{r+1} + 1] cannot be 1. Thus it would not be possible to have j_{r+2} = j_{r+1} + 1.
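Added example (not part of the slides or the authors' code): a Python implementation of the KSA and PRGA from slides 15 and 16, parameterised by N, used to check the two statements above, the bias Pr(j = i + 1) = 1/N − 1/N^2 of slide 24 and the non-existence of three consecutive j values of slide 25, on the reduced version N = 16. The keys for the N = 16 experiment are constructed at random inside the code; the N = 256 keystream is checked against the published RC4 test vector for the key "Key".

```python
import random

def ksa(key, N=256):
    """RC4 KSA: identity permutation, then N key-driven swaps (addition mod N)."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N   # K[i] = k[i mod l]
        S[i], S[j] = S[j], S[i]
    return S

def prga(S, rounds, N=256):
    """RC4 PRGA from i = j = 0. Yields (i, j, pre-swap S[i], z) for each round."""
    i = j = 0
    for _ in range(rounds):
        i = (i + 1) % N
        j = (j + S[i]) % N
        si = S[i]                 # pre-swap value: Finney's condition is S[i] = 1, j = i + 1
        S[i], S[j] = S[j], S[i]
        yield i, j, si, S[(S[i] + S[j]) % N]

def keystream(key, n):
    """Standard N = 256 RC4 keystream bytes for a byte-string key."""
    return bytes(z for _, _, _, z in prga(ksa(list(key)), n))

def j_statistics(N, keys, rounds, seed=1):
    """Run reduced RC4 on `keys` constructed random keys and return
    (empirical Pr(j = i + 1), predicted 1/N - 1/N^2,
     number of Finney states met, number of runs j, j+1, j+2)."""
    rng = random.Random(seed)
    hits = total = finney = triples = 0
    for _ in range(keys):
        key = [rng.randrange(N) for _ in range(5)]      # constructed 5-symbol key
        js = []
        for i, j, si, _ in prga(ksa(key, N), rounds, N):
            total += 1
            hits += (j == (i + 1) % N)
            finney += (si == 1 and j == (i + 1) % N)   # unreachable from i = j = 0
            js.append(j)
        # slide 25: three consecutive rounds never give three consecutive j values
        for a, b, c in zip(js, js[1:], js[2:]):
            triples += (b == (a + 1) % N and c == (b + 1) % N)
    return hits / total, 1 / N - 1 / N ** 2, finney, triples

if __name__ == "__main__":
    print(keystream(b"Key", 10).hex())   # eb9f7781b734ca72a719 (published RC4 test vector)
    print(j_statistics(16, 2000, 512))
```

The empirical frequency of j = i + 1 lands below 1/N by about 1/N^2, while the Finney and consecutive-j counters stay at exactly zero for every key, which is what the two theorems predict.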

SLIDE 26

Some related non-randomness results

During RC4 PRGA, Pr(j_{r+2} = j_r + 2) = 1/N − 1/N^2
During RC4 PRGA, Pr(j_{r+2} = j_r + 2 | i_{r+1} = z_{r+1} + 1) = 1/N − 2/N^2 + 1/N^3
The value of j can remain constant, i.e., (j_r = j_{r+1} = j_{r+2}), for at most three consecutive rounds (r, r + 1 and r + 2). In other words, there cannot exist any r for which (j_r = j_{r+1} = j_{r+2} = j_{r+3})
In two consecutive rounds (r and r + 1), if the value of j remains constant (i.e., j_r = j_{r+1}), then S_{r+1}[j_{r+1}] must be 0
During RC4 PRGA, there cannot be a continuously decreasing sequence of j having length more than 3. In other words, there cannot exist any r for which (j_r − j_{r+1}) = (j_{r+1} − j_{r+2}) = (j_{r+2} − j_{r+3}) = k where (k < N − 1)

SLIDE 27

Some related non-randomness results (contd.)

During RC4 PRGA, in any arbitrary round r, if j_r = 0, S_r[i_r + 1] = (i_r + 2) and S_r[i_r + 2] = 0, then in round (r + 2) the value of z must be 0, i.e., z_{r+2} = 0
During RC4 PRGA, (i) Pr(z_{r+2} = 0 | j_r = 0) = 2/N − 1/N^2, and (ii) Pr(j_r = 0 | z_{r+2} = 0) = 2/N − 1/N^2
During RC4 PRGA, Pr(j_{r−1} = j_r | i_r = z_r) = 2/N − 1/N^2
During RC4 PRGA, if the value of index j remains constant for three consecutive rounds (r, r + 1 and r + 2), i.e., j_r = j_{r+1} = j_{r+2}, then z_{r+1} cannot be equal to z_{r+2}
During RC4 PRGA, in any arbitrary round r, if j_r = 0, i_r = 0 and S_r[0] = 0, then z_r = 0. Similarly, in round r, if j_r = 0, i_r = (N − 1) and S_r[i_r + 1] = 0, then z_{r+1} = 0

SLIDE 28

Properties of RC4 Cycles

SLIDE 29

The issues

The main question is whether we can find a short cycle in RC4 other than the Finney cycle
In RC4, all the non-Finney states together cannot form a single cycle
Experiments for N = 8 have already been completed in Mister and Tavares (1998)
We provide experimental results for N = 16 after a long time
There are short cycles of length 80 and 96 for N = 16
The experiments for N = 16 require quite a large computational effort

SLIDE 30

A Theorem

Theorem. Let S_0 be the initial permutation of the S-box (i = 0, j = 0) in an RC4 cycle with right-shifts that appear as per the sequence (d_1, d_2, ..., d_{k−1}), where d_0 (= d_k) represents the original permutation, or in other words a complete rotation by N (= 2^n) places. In that case,

(i) k = LCM(N, d_1) / d_1, where LCM stands for Least Common Multiple;
(ii) k must be of the form 2^m where m is in {1, 2, . . . , n};
(iii) If T is the length of the cycle that starts with (i = 0, j = 0, S_0), then there must be at least N / 2^m = 2^(n−m) disjoint cycles in the state space of RC4 having cycle length T;
(iv) (T / k − d_1) must be divisible by N, apart from the condition that T must be divisible by N.

SLIDE 31

Conclusion & Future Directions

One important direction could be to exploit many such biases and attempt a state recovery attack
While we could not characterize the short cycles theoretically, our experimental observations may provide a direction towards obtaining them for N = 256
We have already obtained several generalized expressions over what we have presented in this paper. For example, the sequence of j cannot be y, x, x, 2x − y
We are revisiting different kinds of Glimpses (information about state variables from the keystream) in RC4 for new observations.

“Is RC4 dead? Long live RC4!”

Thank you
