A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
Souradyuti Paul and Bart Preneel, K.U. Leuven, ESAT/COSIC


Slide 1: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
Souradyuti Paul and Bart Preneel, K.U. Leuven, ESAT/COSIC
FSE 2004, New Delhi, India, February 6, 2004

Slide 2: Overview of the Presentation
- Description of RC4
- Main Contributions
- Anomaly in the first two bytes of RC4
- Estimating the bias in the first two bytes of RC4
- RC4A: A New Stream Cipher
- Design Principle of RC4A
- Conclusions

Slide 3: Description of RC4
- based on an exchange shuffle paradigm
- the algorithm runs in two phases
  - key-scheduling algorithm
  - pseudo-random generation algorithm
- pseudorandom bytes are bit-wise XORed with the plaintext bytes

Slide 4: RC4 (1987)
- designed by Ron Rivest (MIT)
- leaked out in 1994
- Key Scheduling Algorithm: S[0..255] secret table derived from user key K (usually 40 to 256 bits)

    for i=0 to 255
        S[i]:=i
    j:=0
    for i=0 to 255
        j:=(j + S[i] + K[i]) mod 256
        swap S[i] and S[j]
    i:=0, j:=0

Slide 5: RC4 (1987)
Pseudo-random Generation Algorithm: generate keystream which is added to plaintext

    i:=i+1
    j:=(j + S[i]) mod 256
    swap S[i] and S[j]
    t:=(S[i] + S[j]) mod 256
    output S[t]

[Figure: example state table S (indices 000 to 255 with their values) showing the pointers i, j and t]

Slide 6: Main Contributions
- A 'new' statistical bias in the distribution of the first two output bytes.
- Existence of the bias after dropping the first N bytes.
- A possible method to improve the security and performance of the cipher.

Slide 7: The First Two Outputs are Unequal When S_0[1]=2
[Figure: initial state S_0 over indices 0 to N-1, containing the entries 2, X and Z, with the pointers i and j]
- Assume that after the key scheduling algorithm P[S_0[1]=2] = 1/N.

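Slide 8: The First Two Outputs are Unequal When S_0[1]=2 (Contd.)
[Figure: state after the first round (entries X, 2, Z over indices 0 to N-1, pointers i and j). Output: S_1[X+2]]
[Figure: state after the second round (entries X, Z, 2 over indices 0 to N-1, pointers i and j). Output: S_2[Z+2]]
- S_1[X+2] ≠ S_2[Z+2]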
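The claim on slides 7 and 8 can be checked directly. The following is an added example, not code from the presentation: it runs two rounds of the RC4 generation algorithm on every permutation with S_0[1]=2 for a small table (N=8, an assumption chosen so the search is exhaustive) and on randomly sampled permutations for N=256. The states are drawn as plain permutations rather than produced by the key scheduling algorithm, and all function names are hypothetical.

```python
import random
from itertools import permutations

def first_two_outputs(s0):
    """Run two rounds of the RC4 generation algorithm on a copy of state s0."""
    n = len(s0)
    s, i, j, out = list(s0), 0, 0, []
    for _ in range(2):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return out[0], out[1]

def states_with_s1_eq_2(n):
    """Yield every permutation of 0..n-1 that holds the value 2 at index 1."""
    rest = [v for v in range(n) if v != 2]
    for p in permutations(rest):
        yield [p[0], 2, *p[1:]]

def random_states_with_s1_eq_2(n, trials, seed=2004):
    """Yield sampled permutations with the value 2 at index 1 (constructed input)."""
    rng = random.Random(seed)
    rest = [v for v in range(n) if v != 2]
    for _ in range(trials):
        rng.shuffle(rest)
        yield [rest[0], 2, *rest[1:]]

def count_equal(states):
    """Return (states whose first two outputs are equal, states examined)."""
    equal = total = 0
    for s0 in states:
        o1, o2 = first_two_outputs(s0)
        equal += o1 == o2
        total += 1
    return equal, total

if __name__ == "__main__":
    print("N=8, exhaustive:", count_equal(states_with_s1_eq_2(8)))
    print("N=256, sampled: ", count_equal(random_states_with_s1_eq_2(256, 20000)))
    # A constructed N=8 state with S_0[1] != 2 whose first two outputs collide.
    print("counter-case:   ", first_two_outputs([3, 0, 4, 5, 7, 1, 2, 6]))
```

The last line shows that equal outputs do occur once S_0[1] ≠ 2, which is why the overall probability of equality falls below 1/N.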

Slide 9: Strong Distinguisher
- A Distinguisher is an algorithm which distinguishes a stream of bits from a perfectly random stream of bits.
- A Strong Distinguisher is a distinguisher which detects bias at particular locations of several randomly chosen streams of bits.

Slide 10: Quantifying the Bias
- We assume that the first two output bytes are equal with probability 1/N when S_0[1] ≠ 2.
- Therefore, the probability that the first two output bytes are equal is (1/N)(1 - 1/N).
- Sample size to 'noticeably' distinguish RC4 keystream from a random stream of bits is O(N^3) bytes.
- Experiments show 2^24 pairs of bytes suffice to show the bias for N = 256.

Slide 11: Distinguishing Attacks on RC4

    Authors               Year    No. of bytes
    Mantin and Shamir     2001    2^8
    Mironov               2002    2^10.74
    Our distinguisher     2004    2^25
    Fluhrer and McGrew    2000    2^30.6
    Golic                 1997    2^44.7

Slide 12: The Bias after Dropping the Initial N Bytes
- We assume that P[j = 0] = 1/N after the initial N rounds.
- Therefore, after dropping the initial N bytes the probability that the first two output bytes are equal is (1/N)(1 - 1/N^2).
- In this case, O(N^5) bytes are required to 'reliably' distinguish RC4 outputs from random outputs.
- Experimentally, 2^32 pairs of bytes suffice to detect the bias for N = 256.

Slide 13: Distinguishers after N bytes

    Authors               Year    No. of bytes
    Fluhrer and McGrew    2000    2^30.6
    Our distinguisher     2004    2^33
    Golic                 1997    2^44.7

Slide 14: Recommendation
- Experimentally, our distinguisher works better, partly due to the huge difference between the permutation space and the key space. This fact necessarily implies non-uniformity of the distribution of the initial permutation.
- Based on this observation we recommend dumping at least 2N bytes of RC4 output in all future applications of the cipher.

Slide 15: RC4A: A Modification of RC4
- Two phases for RC4A: the Key Scheduling Algorithm and after that the Pseudo-random Generation Algorithm.
- We only modify the Pseudo-random Generation Algorithm of RC4 in order to achieve better security.
- The Key Scheduling Algorithm of RC4 is assumed to be 'perfect' and used in RC4A.

Slide 16: RC4A: Main Motivation
- most of the known attacks on RC4 exploit the correlation between the outputs and random input variables
- main objective is to make outputs depend on more random variables
- to reduce the number of instructions per output byte
- exchange shuffle model

Slide 17: RC4A: Description
- Take a key K_1 and generate another key K_2 using a pseudorandom bit generator (e.g. RC4).
- Generate two random permutations of N elements, namely S_1 and S_2, using K_1 and K_2 on the identity permutation respectively.
- To generate S_1 and S_2 we may use the Key Scheduling Algorithm of RC4.

Slide 18: RC4A: Description of the Pseudorandom Generation Algorithm of RC4A
Input (S_1, S_2)

    1. i := 0, j_1 := 0, j_2 := 0;
    2. i := (i + 1) mod N;
    3. j_1 := (j_1 + S_1[i]) mod N;
    4. Swap S_1[i] and S_1[j_1];
    5. I := (S_1[i] + S_1[j_1]) mod N;
    6. Output := S_2[I];

Slide 19: RC4A: Description of the Pseudorandom Generation Algorithm of RC4A (contd.)

    7. j_2 := (j_2 + S_2[i]) mod N;
    8. Swap S_2[i] and S_2[j_2];
    9. I := (S_2[i] + S_2[j_2]) mod N;
    10. Output := S_1[I];
    11. Repeat from Step 2.
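Steps 1 to 11 above, together with the key scheduling from slide 4, as an added example that is not the authors' code. Assumptions: K_2 is passed in by the caller instead of being derived from K_1 with a pseudorandom generator, key bytes are reused cyclically in the key scheduling, and the function names and sample keys are hypothetical.

```python
def ksa(key, n=256):
    """RC4 key scheduling as on slide 4; key bytes are reused cyclically."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s

def rc4a_keystream(k1, k2, length, n=256):
    """RC4A generation, steps 1-11: two output bytes per increment of i."""
    s1, s2 = ksa(k1, n), ksa(k2, n)
    i = j1 = j2 = 0
    out = []
    while len(out) < length:
        i = (i + 1) % n
        # Steps 3-6: update S_1, then read the output byte from S_2.
        j1 = (j1 + s1[i]) % n
        s1[i], s1[j1] = s1[j1], s1[i]
        out.append(s2[(s1[i] + s1[j1]) % n])
        # Steps 7-10: update S_2, then read the output byte from S_1.
        j2 = (j2 + s2[i]) % n
        s2[i], s2[j2] = s2[j2], s2[i]
        out.append(s1[(s2[i] + s2[j2]) % n])
    return bytes(out[:length])

def rc4a_xor(k1, k2, data):
    """XOR data with the RC4A keystream (the same call encrypts and decrypts)."""
    ks = rc4a_keystream(k1, k2, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

if __name__ == "__main__":
    k1, k2 = b"constructed-key-1", b"constructed-key-2"  # sample keys
    ct = rc4a_xor(k1, k2, b"sample plaintext")
    print(ct.hex(), rc4a_xor(k1, k2, ct))
    # Tiny table (N=4) that can be traced by hand against the slides.
    print(list(rc4a_keystream(bytes([1]), bytes([2]), 4, n=4)))
```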

Slide 20: Security: RC4A vs RC4
- Number of internal states of RC4A is approximately N^3·(N!)^2 compared to N^2·N! for RC4.
- At every round of RC4A, one output byte depends on at least three variables compared to only two variables for RC4.
- The upper bound on the probability of guessing the maximum number of elements of the permutation from known outputs is 1/N^2 compared to 1/N for RC4 under reasonable assumptions.

Slide 21: Security: RC4A vs RC4 (Contd.)
- The computation cost to derive the secret internal state of RC4A is much higher (C^2 compared to C under reasonable assumptions).
- The number of Fortuitous States is less than in RC4A.
- The 'Second Byte' attack on RC4 by Mantin and Shamir is also weakened in RC4A (N^3 bytes).

Slide 22: Prospect of a fast stream cipher
- RC4A uses fewer instructions: the i pointer is incremented once to generate two successive output bytes.
- Existence of parallel steps.

Slide 23: Remarks on RC4A
- It seems convincing to even improve RC4A.
- The main idea was to decorrelate an index pointer and the value pointed to by the index.
- The attack by Golic is still difficult to remove.
- Generation of outputs of more than 8 bits: a possible future work.

Slide 24: Conclusions
- We detected a new bias that does not disappear after N rounds.
- A new stream cipher is designed after a simple modification of RC4.

