A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. Souradyuti Paul and Bart Preneel, K.U. Leuven, ESAT/COSIC.


1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
Souradyuti Paul and Bart Preneel, K.U. Leuven, ESAT/COSIC
FSE 2004, New Delhi, India, February 6, 2004

2 Overview of the Presentation
- Description of RC4
- Main Contributions
- Anomaly in the first two bytes of RC4
- Estimating the bias in the first two bytes of RC4
- RC4A: A New Stream Cipher
- Design Principle of RC4A
- Conclusions

3 Description of RC4
- based on an exchange shuffle paradigm
- the algorithm runs in two phases:
  - key-scheduling algorithm
  - pseudo-random generation algorithm
- pseudorandom bytes are bit-wise XORed with the plaintext bytes

4 RC4 (1987)
- designed by Ron Rivest (MIT)
- leaked out in 1994
- Key Scheduling Algorithm: S[0..255] is a secret table derived from the user key K (usually 40 to 256 bits, i.e. l bytes, which are reused cyclically as K[i mod l]):
    for i = 0 to 255: S[i] := i
    j := 0
    for i = 0 to 255:
        j := (j + S[i] + K[i mod l]) mod 256
        swap S[i] and S[j]
    i := 0, j := 0

5 RC4 (1987)
Pseudo-random Generation Algorithm: generate the keystream, which is added (XORed) to the plaintext. For each output byte:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap S[i] and S[j]
    t := (S[i] + S[j]) mod 256
    output S[t]

6 Main Contributions
- A 'new' statistical bias in the distribution of the first two output bytes.
- Existence of the bias after dropping the first N bytes.
- A possible method to improve the security and performance of the cipher.

7 The First Two Outputs are Unequal When S_0[1] = 2
[Figure: the initial permutation S_0, indexed 0..N-1, with the entry 2 at index 1 and the entries X and Z at the positions the pointers i and j will visit.]
- Assume that after the key scheduling algorithm P[S_0[1] = 2] = 1/N.

8 The First Two Outputs are Unequal When S_0[1] = 2 (contd.)
[Figure: after round 1 (i = 1, j = 2) the entries at indices 1 and 2 are X and 2; output: S_1[X+2]. After round 2 (i = 2, j = 4) the entries at indices 2 and 4 are Z and 2; output: S_2[Z+2].]
- S_1[X+2] ≠ S_2[Z+2]

9 Strong Distinguisher
- A distinguisher is an algorithm which distinguishes a stream of bits from a perfectly random stream of bits.
- A strong distinguisher is a distinguisher which detects bias at particular locations of several randomly chosen streams of bits.

10 Quantifying the Bias
- We assume that the first two output bytes are equal with probability 1/N when S_0[1] ≠ 2.
- Therefore, the probability that the first two output bytes are equal is (1/N)(1 - 1/N).
- The sample size needed to 'noticeably' distinguish the RC4 keystream from a random stream of bits is O(N^3) bytes.
- Experiments show that 2^24 pairs of bytes suffice to show the bias for N = 256.
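As an added example (not the authors' code), the RC4 key schedule and output generator of slides 4 and 5, plus an exhaustive check of the claim of slides 7, 8 and 10: for a small N every initial permutation is enumerated, the theorem that S_0[1] = 2 forces Z_1 ≠ Z_2 is verified, and the exact P[Z_1 = Z_2] is compared with P[Z_1 = Z_2 | S_0[1] ≠ 2]. Function names and the sample permutation are my own.

```python
from itertools import permutations

def ksa(key, N=256):
    """RC4 key scheduling (slide 4); key bytes are reused cyclically, K[i mod l]."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def prga(S, nbytes):
    """RC4 pseudo-random generation (slide 5): mutates S in place, returns nbytes outputs."""
    N = len(S)
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out

def rc4_keystream(key, nbytes):
    """Full RC4 (N = 256) keystream for a byte-string key."""
    return bytes(prga(ksa(key), nbytes))

def first_two_outputs(S0):
    """Run the PRGA on a copy of an initial permutation S_0 and return (Z_1, Z_2)."""
    return tuple(prga(list(S0), 2))

def check_first_two_bytes(N):
    """Exhaustive check over all N! initial permutations (use a small N such as 8).
    Returns (all_unequal, p_equal, p_equal_given_not2): all_unequal is True iff
    Z_1 != Z_2 for every S_0 with S_0[1] == 2 (slides 7-8); p_equal is the exact
    P[Z_1 == Z_2]; p_equal_given_not2 is P[Z_1 == Z_2 | S_0[1] != 2], which slide 10
    models as ~1/N, giving p_equal ~ (1/N)(1 - 1/N), i.e. below 1/N."""
    all_unequal, eq_all, eq_not2, n_all, n_not2 = True, 0, 0, 0, 0
    for S0 in permutations(range(N)):
        z1, z2 = first_two_outputs(S0)
        n_all += 1
        eq_all += (z1 == z2)
        if S0[1] == 2:
            all_unequal = all_unequal and z1 != z2
        else:
            n_not2 += 1
            eq_not2 += (z1 == z2)
    return all_unequal, eq_all / n_all, eq_not2 / n_not2
```

For N = 8 the enumeration covers 40320 permutations and finishes in well under a second; the RC4 functions are the standard algorithm and reproduce the well-known test vector for the key "Key".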

11 Distinguishing Attacks on RC4
[Table with columns Authors / Year / No. of bytes; the year and byte-count entries were not recovered in the transcript. Rows: Mantin and Shamir; Mironov; Our distinguisher; Fluhrer and McGrew; Golic.]

12 The Bias after Dropping the Initial N Bytes
- We assume that P[j = 0] = 1/N after the initial N rounds.
- Therefore, after dropping the initial N bytes, the probability that the first two output bytes are equal is (1/N)(1 - 1/N^2).
- In this case, O(N^5) bytes are required to 'reliably' distinguish RC4 outputs from random outputs.
- Experimentally, 2^32 pairs of bytes suffice to detect the bias for N = 256.

13 Distinguishers after N Bytes
[Table with columns Authors / Year / No. of bytes; the year and byte-count entries were not recovered in the transcript. Rows: Fluhrer and McGrew; Our distinguisher; Golic.]

14 Recommendation
- Experimentally, our distinguisher works better, partly due to the huge difference between the permutation space and the key space. This fact necessarily implies non-uniformity of the distribution of the initial permutation.
- Based on this observation we recommend discarding at least 2N bytes of RC4 output in all future applications of it.

15 RC4A: A Modification of RC4
- Two phases for RC4A: the Key Scheduling Algorithm, followed by the Pseudo-random Generation Algorithm.
- We only modify the Pseudo-random Generation Algorithm of RC4 in order to achieve better security.
- The Key Scheduling Algorithm of RC4 is assumed to be 'perfect' and is used unchanged in RC4A.

16 RC4A: Main Motivation
- most of the known attacks on RC4 exploit the correlation between the outputs and random input variables
- main objective is to make outputs depend on more random variables
- to reduce the number of instructions per output byte
- exchange shuffle model

17 RC4A: Description
- Take a key K_1 and generate another key K_2 using a pseudorandom bit generator (e.g. RC4).
- Generate two random permutations of N elements, namely S_1 and S_2, by applying K_1 and K_2 respectively to the identity permutation.
- To generate S_1 and S_2 we may use the Key Scheduling Algorithm of RC4.

18 RC4A: Description of the Pseudorandom Generation Algorithm of RC4A
Input (S_1, S_2)
  1. i := 0, j_1 := 0, j_2 := 0;
  2. i := (i + 1) mod N;
  3. j_1 := (j_1 + S_1[i]) mod N;
  4. Swap S_1[i] and S_1[j_1];
  5. I := (S_1[i] + S_1[j_1]) mod N;
  6. Output := S_2[I];

19 RC4A: Description of the Pseudorandom Generation Algorithm of RC4A (contd.)
  7. j_2 := (j_2 + S_2[i]) mod N;
  8. Swap S_2[i] and S_2[j_2];
  9. I := (S_2[i] + S_2[j_2]) mod N;
  10. Output := S_1[I];
  11. Repeat from Step 2.
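The RC4A output generator of slides 18 and 19 as runnable code; this is an added example, not the authors' implementation. It takes the two permutations S_1 and S_2 as input, as the slides do; deriving them from K_1 and K_2 with the RC4 key schedule (slide 17) is left to the caller, and the N = 8 sample permutations below are constructed for illustration only.

```python
def rc4a_keystream(S1, S2, nbytes):
    """RC4A pseudo-random generation (slides 18-19) over copies of the input
    permutations S1 and S2 of {0..N-1}. The shared pointer i is advanced once
    per pair of output bytes (slide 22); the index computed from one permutation
    selects the output value from the other permutation."""
    S1, S2 = list(S1), list(S2)
    N = len(S1)
    if sorted(S1) != list(range(N)) or sorted(S2) != list(range(N)):
        raise ValueError("S1 and S2 must both be permutations of 0..N-1")
    i = j1 = j2 = 0                                # step 1
    out = []
    while len(out) < nbytes:
        i = (i + 1) % N                            # step 2
        j1 = (j1 + S1[i]) % N                      # step 3
        S1[i], S1[j1] = S1[j1], S1[i]              # step 4
        out.append(S2[(S1[i] + S1[j1]) % N])       # steps 5-6: index from S1, value from S2
        if len(out) == nbytes:
            break
        j2 = (j2 + S2[i]) % N                      # step 7
        S2[i], S2[j2] = S2[j2], S2[i]              # step 8
        out.append(S1[(S2[i] + S2[j2]) % N])       # steps 9-10: index from S2, value from S1
    return out

# Constructed sample permutations for N = 8 (not from the paper), for a hand-checkable run.
SAMPLE_S1 = [3, 0, 5, 1, 7, 2, 6, 4]
SAMPLE_S2 = [6, 2, 7, 0, 4, 1, 3, 5]

if __name__ == "__main__":
    print(rc4a_keystream(SAMPLE_S1, SAMPLE_S2, 4))   # [0, 3, 5, 6]
```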

20 Security: RC4A vs RC4
- The number of internal states of RC4A is approximately N^3 · (N!)^2, compared to N^2 · N! for RC4.
- At every round of RC4A, one output byte depends on at least three variables, compared to only two variables for RC4.
- Under reasonable assumptions, the upper bound on the probability of guessing the maximum number of elements of the permutation from known outputs is 1/N^2, compared to 1/N for RC4.

21 Security: RC4A vs RC4 (contd.)
- The computational cost of deriving the secret internal state of RC4A is much higher (C^2 compared to C, under reasonable assumptions).
- The number of fortuitous states is smaller in RC4A than in RC4.
- The 'second byte' attack on RC4 by Mantin and Shamir is also weakened in RC4A (N^3 bytes).

22 Prospect of a Fast Stream Cipher
- RC4A uses fewer instructions: the i pointer is incremented once to generate two successive output bytes.
- Existence of parallel steps.

23 Remarks on RC4A
- It seems convincing that RC4A itself can be improved further.
- The main idea was to decorrelate an index pointer and the value pointed to by the index.
- The attack by Golic is still difficult to remove.
- Generation of outputs of more than 8 bits: a possible future work.

24 Conclusions
- We detected a new bias that does not disappear after N rounds.
- A new stream cipher is designed after a simple modification of RC4.