Glimpse of RC4 Keywords: RC4, correlation, long-term Glimpse Ryoma Ito Atsuko Miyaji Japan Advanced Institute of Science and Technology WISA 2014 @ Korea August 26, 2014 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 1 / 28
PRGA Previous works Our motivation . . . 2 New results on long-term Glimpse New negative biases New positive biases and integrated long-term Glimpse Proof of our results . . . 3 Experimental results and Conclusion Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 2 / 28
widely used in various applications (SSL/TLS, WEP, WPA, etc) Notation r: number of rounds N: number of arrays in state (typically N = 256) ir , jr : indices of state for the r-th round Sr tr : index of output keystream for the r-th round Zr Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 3 / 28
correlations between one output keystream and a state location Long-term Glimpse [MS13] correlations between two consecutive output keystreams and a state location The results of Glimpse correlations Bias in event Condition Probability Glimpse Theorem Theorem 1 Sr[jr] = ir − Zr – 2/N Sr[ir] = jr − Zr – 2/N Long-term Glimpse Theorem 2 Sr[r + 1] = N − 1 Zr+1 = Zr 2/N Theorem 3 Sr[r + 1] = N − 1 Zr+1 = Zr 3/N Zr+1 = r + 2*1 *1Theorem 3 is a special case of Theorem 2. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 6 / 28
positive biases. . Our motivation from two important problems . . . 1. Is there a dual case of Theorems 2 and 3? (a value of Sr[r + 1] with negative bias) 2. Is there another positive bias in addition to Theorems 2 and 3? Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 8 / 28
Introduction RC4 Cryptanalysis of PRGA Previous works Our motivation . . . 2 New results on long-term Glimpse New negative biases New positive biases and integrated long-term Glimpse Proof of our results . . . 3 Experimental results and Conclusion Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 9 / 28
problem 1: Is there a dual case of Theorem 2? . . Pr(Sr[r + 1] = N − 1|Zr+1 = Zr) ≈ 2 N . . We can find a dual case of Theorem 2 as Theorem 4! Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 10 / 28
problem 1: Is there a dual case of Theorem 3? . . Pr(Sr[r + 1] = N − 1|Zr+1 = Zr ∧ Zr+1 = r + 2) ≈ 3 N . . We can find a dual case of Theorem 3 as Theorem 5! Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 11 / 28
New negative biases . Theorem 4 . . . After the r-th round of PRGA for r ≥ 1, we have Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 ( 1 − 1 N ) . . Theorem 5 . . . After the r-th round of PRGA for r ≥ 1 and ∀x ∈ [0, N − 1], we have Pr(Sr[r + 1] = 0|Zr+1 = Zr ∧ Zr+1 = r + x) ≈ 1 N ( 1 − 2 N2 ) if x = 1 2 N2 ( 1 − 1 N ) if x = 255 1 N2 ( 1 − 2 N ) if x = N − r (x 1, 255). Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 12 / 28
long-term Glimpse Solve the problem 2: Is there another positive bias? . . Bias in event: Sr[r + 1] = N − x | Zr+1 = Zr ∧ Zr+1 = r + 1 + x . . We can find new positive biases as Theorem 6! Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 13 / 28
long-term Glimpse Result 2: New positive biases and integrated long-term Glimpse . Theorem 6 . . . After the r-th round of PRGA for r ≥ 1 and ∀x ∈ [2, N − 1], we have Pr(Sr[r + 1] = N − x|Zr+1 = Zr ∧ Zr+1 = r + 1 + x) ≈ 2 N ( 1 − 1 N + 1 N2 ) . . Theorem 7 (Integrated long-term Glimpse) . . . Bias in event Condition Probability Theorem 5 Sr[r + 1] = N − 0 Zr+1 = Zr ∧ Zr+1 = r + 1 + 0 1 N ( 1 − 2 N2 ) Theorem 3 Sr[r + 1] = N − 1 Zr+1 = Zr ∧ Zr+1 = r + 1 + 1 1 N ( 3 − 6 N + 2 N2 ) *2 Theorem 6 Sr[r + 1] = N − x Zr+1 = Zr ∧ Zr+1 = r + 1 + x 2 N ( 1 − 1 N + 1 N2 ) (∀x ∈ [2, N − 1]) (∀x ∈ [2, N − 1]) *2The probability of long-term Glimpse can be precisely revised to 1 N (3 − 6 N + 2 N2 ). Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 14 / 28
of Theorem 4 . Theorem 4 . . . Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 ( 1 − 1 N ) proof sketch 1. define main events A := (Sr [r + 1] = 0), B := (Zr+1 = Zr ) 2. compute Pr(B|A) in five paths jr = r (Path 1 ← Path 1-1 + Path 1-2) jr = r + 1 (Path 2) jr r, r + 1 (Path 3 ← Path 3-1 + Path 3-2) 3. apply Bayes’ Theorem to compute Pr(A|B) . . We assume the uniform randomness of other certain events approximate the probability of random association 1/N. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 15 / 28
of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . tr tr+1 with probability 1 since 2X X. If event B occurs, Sr+1[tr+1] must be swapped from Sr [tr ]. tr must be next to tr+1 . Compute Pr(B|A ∧ jr = r) in two subpaths. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 16 / 28
of Theorem 4 (Compute Pr(B|A) in Path 2: jr = r + 1) . . Event B never occurs. tr tr+1 with probability 1 since X 0. Sr+1[tr+1] can not be swapped from Sr [tr ]. Pr(Path 2) = 0 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 19 / 28
of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) . . tr tr+1 with probability 1 since X + Y Y. If event B occurs, Sr+1[tr+1] must be swapped from Sr [tr ]. Compute Pr(B|A ∧ jr r, r + 1) in two subpaths. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 20 / 28
of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) . . Path 3-1 X + Y = tr = jr ∧ Y = tr+1 = r + 1 ⇒ Zr+1 = Zr = r + 1 (probability 1) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 21 / 28
of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) . . Path 3-1 X + Y = tr = jr ∧ Y = tr+1 = r + 1 ⇒ Zr+1 = Zr = r + 1 (probability 1) Path 3-2 X + Y = tr = r + 1 ∧ Y = tr+1 = jr+1 ⇒ Zr+1 = Zr = 0 (probability 1) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 21 / 28
Previous works Our motivation . . . 2 New results on long-term Glimpse New negative biases New positive biases and integrated long-term Glimpse Proof of our results . . . 3 Experimental results and Conclusion Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 24 / 28
Memory 3.8 GiB CPU Intel Core i5-3230M 2.6GHz Language C Compiler gcc 4.6.3 Number of Keys 224 (randomly chosen) Keystream 224 bytes for each key evaluate the percentage of relative error = |experimental value − theoretical value| experimental value × 100(%) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 25 / 28
value Theoretical value (%) Theorem 4 0.000030522 0.000030398 0.406 Theorem 5 for x = 1 0.003922408 0.003906131 0.415 for x = 255 0.000030683 0.000030398 0.929 for x = N − r 0.000015259 0.000015140 0.780 (x 1, 255) Theorem 6 0.007812333 0.007782102 0.387 is small enough in each case such as < 1(%). . . We can check the accuracy of biases shown in Theorems 4 to 6. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 26 / 28
. 1. Is there a dual case of the results in [MS13]? 2. Is there another positive bias in addition to the results in [MS13]? Results We have discovered two dual cases of long-term Glimpse in [MS13] and new positive biases. These long-term Glimpse can be integrated to biases of Sr [r + 1] ∈ [0, N − 1]. Future works search new biases apply new biases to state recovery attack on RC4 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 27 / 28
itorym
a1da4
monochromegane
ksudoh
masatoto
upura
k951286
de9uch1
dmattsun
chemical_tree
okdt
miso2024
yukinobaba
marktimemedia
bkeepers
matthewcrist
csswizardry
tammyeverts
aleyda
reverentgeek
garrettdimon
bcantrill
kneath
rasmusluckow
![Introduction Previous works Glimpse correlations [Jenkins96, MS13] Glimpse Theorem [Jenkins96]](https://files.speakerdeck.com/presentations/27ed04e7d85f47439c48a7c23a9860d4/slide_5.jpg){kind=link}
![Introduction Previous works Long-term Glimpse [MS13] *1Theorem 3 is a](https://files.speakerdeck.com/presentations/27ed04e7d85f47439c48a7c23a9860d4/slide_6.jpg){kind=link}
