Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India.

Published bySamantha Liliana Dawson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India."— Presentation transcript:

1 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India Habitat Center December 8, 2003

2 2 Overview of the Presentation n Description of RC4 n Definition of a Predictive State and its Importance n Upper Bound on the Number of Outputs of a Predictive State n Definition of a Non-fortuitous Predictive State n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

3 3 Overview of the Presentation n Description of RC4 n Definition of a Predictive State and its Importance n Upper Bound on the Number of Outputs of a Predictive State n Definition of a Non-fortuitous Predictive State n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

4 4 Description of RC4 n Based on Exchange Shuffle Paradigm n The Algorithm Runs in Two Phases u Key-scheduling Algorithm u Pseudo-random Generation Algorithm n Pseudo-random Bytes are Bit-wise X-Ored with the Plaintext Bytes in Succession to Generate the Ciphertexts.

5 5 Key-scheduling Algorithm n A Variable Size Key (K) Turns an Array (S) of Identity Permutation into a ‘Random’ Permutation n The Size of the Key K= 40 to 256 Bits in All Practical Applications n The Size of the Array N = 256 Bytes in All Practical Applications

6 6 Key-scheduling Algorithm Input (S, K) 1. for (i = 0 to N-1) S[i] = i ; 2. j = 0; 3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );

7 7 Key-scheduling Algorithm Input (S, K) 1. for (i = 0 to N-1) S[i] = i ; 2. j = 0; 3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );

8 8 Pseudo-random Generation Algorithm Input (S) 1. i = 0; 2. j = 0; 3. i = i + 1; 4. j = (j + S[i] ) mod N; 5. Swap (S[i], S[j]); 6. I = (S[i] + S[j]) mod N ; 7. Output = S[I];

9 9 Input (S) 1. i = 0; 2. j = 0; 3. i = i + 1; round 4. j = (j + S[i] ) mod N; 5. Swap (S[i], S[j]); 6. I = (S[i] + S[j]) mod N ; 7. Output = S[I]; Pseudo-random Generation Algorithm

10 10 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

11 11  An a-state of RC4 is only a known elements of the S-box together with i and j at some round denoted by round 0. n In the next c rounds b output bytes are produced where c 1 and round 1 produces output. n This internal state of RC4 at round 0 is defined to be b-predictive a-state. Predictive States of RC4

12 12 ……… Round: 0 1 … … r …. c i Predictive States of RC4 Snapshot at Round 0 Number of Known elements in the S-box is a. j

13 13 ………… Round: 0 1 … … r …. c ij Outputs: Z 1 Z 2 Z 3 …… Z b Predictive States of RC4 Snapshot at Round c Number of Predicted Outputs is b.

14 14 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

15 15 Non-fortuitous Predictive States n Consider the a-predictive a-states. n If a elements of the S-box are consecutive and so are the a outputs then the state is a Fortuitous State of length a. n All other a-predictive a-states are Non- fortuitous Predictive States of length a.

16 16 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

17 17 Main Contributions n We give an upper bound on the number of predicted outputs b for a b-predictive a-state n We also give an algorithm which is better than exhaustive search to determine Non- fortuitous Predictive States for small values of a

18 18 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

19 19 For a b-Predictive a-State b <= a (Sketch of the Proof) n The claim was left as a conjecture by Mantin and Shamir, 2001. n The bound on c, which was 2N in the original conjecture, is wrong. When a=N, b is infinitely large. n The claim is true when c <= N. n Clearly a-predictive a-states are important. n The proof is by contradiction.

20 20 For a b-Predictive a-State b <= a (Sketch of the Proof) n Assume b>a. n S[i] is always occupied with a known element at each round till the c th round is reached otherwise the execution is stopped. n Maximum one element can be filled in a vacant place in one round. n Maximum of (c-b) locations can be filled with known elements in c rounds. n Therefore, b known elements at round 0 leads to contradiction.

21 21 Importance of Predictive States when b = a n Assume Internal States and External States (i.e., Outputs) of RC4 are ‘random’ for a fixed i. n For Predictive States when b = a, the elements of the S-box elements can be predicted with the maximum probability, that is 1/N, when outputs are known. n The larger the number of a-predictive a-states the higher is the probability for one of them to occur.

22 22 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

23 23 Determination of Non-fortuitous Predictive States n An efficient algorithm to determine the Fortuitous States of small length is designed by Fluhrer and McGrew, 2000. n The main problems to determine the Non- fortuitous Predictive States are The inter-element-gaps of the S-box elements are not known. The inter-element-gaps of the S-box elements change after each round.

24 24 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

25 25 The Set of Non-fortuitous Predictive States of length 1 is Empty x Index: 0 1 2 2x-1 2 x... x N-1 i j  Any 1-predictive 1-state is a Fortuitous State.  The number of 1-predictive 1-states is N.

26 26 The Set of Non-fortuitous Predictive States of length 2 is Empty … Index: 0 1 2 r … r’ N-1 i Outputs: Z 1 Index: 0 1 2 r … r’ N-1 i Empty  Therefore, r’-r = 1, otherwise RC4 halts.

27 27 The Set of Non-fortuitous Predictive States of length 2 is Empty ij Possibility 1 1 I Finney’s Forbidden State after the 1 st round. Therefore, not possible. Outputs: Z 1 Index: p 1 p 2 p 3 p 4 p 5

28 28 The Set of Non-fortuitous Predictive States of length 2 is Empty ij Possibility 2 2 Outputs: Z 1 After the 1 st round Index: p 1 p 2 p 3 p 4 p 5

29 29 The Set of Non-fortuitous Predictive States of length 2 is Empty ij Possibility 2 2 After the 2 nd round Index: p 1 p 2 p 3 p 4 p 5

30 30 Index: p 1 p 2 p 3 p 4 p 5 The Set of Non-fortuitous Predictive States of length 2 is Empty ij Possibility 2 2 Empty After the 3 rd round

31 31 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

32 32 Determination of Non-fortuitous Predictive States: A General Approach n The inter-element-gap is the number of vacant places between two successive elements of the S-box. n The possible inter-element-gaps of the a- predictive a-states are determined from that of (a-1)-predictive (a-1)-states recursively. n Once the inter-element-gaps are known then we apply an algorithm similar to the one by Fluhrer and McGrew, 2000.

33 33 Overview of the Presentation n Description of RC4 n Definition of a Predictive State n Definition of a Non-fortuitous Predictive State n Main Contributions n Upper Bound on the Number of Outputs of a Predictive State and its Importance n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n Conclusions

34 34 Conclusions n We obtained an important combinatorial result that an a-state of RC4 can not produce more than a outputs in the next N rounds. n A practical algorithm is designed to determine a special set of RC4 states known as Non-fortuitous States which reduce the data complexity of all known attacks on RC4.

Download ppt "1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India."

Similar presentations

Randomized Algorithms Introduction Rom Aschner & Michal Shemesh.

Randomized Algorithms Introduction Rom Aschner & Michal Shemesh.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.

1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.
Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.

Stream Ciphers Part 1  Cryptography 3 Stream Ciphers.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Analysis of Algorithms CS 302 - Data Structures Section 2.6.

Analysis of Algorithms CS Data Structures Section 2.6.
Near-Duplicates Detection

Near-Duplicates Detection
Algorithms Analysis Lecture 6 Quicksort. Quick Sort 88 14 98 25 62 52 79 30 23 31 Divide and Conquer.

Algorithms Analysis Lecture 6 Quicksort. Quick Sort Divide and Conquer.
Quick Sort, Shell Sort, Counting Sort, Radix Sort AND Bucket Sort

Quick Sort, Shell Sort, Counting Sort, Radix Sort AND Bucket Sort
Bundling Equilibrium in Combinatorial Auctions Written by: Presented by: Ron Holzman Rica Gonen Noa Kfir-Dahav Dov Monderer Moshe Tennenholtz.

Bundling Equilibrium in Combinatorial Auctions Written by: Presented by: Ron Holzman Rica Gonen Noa Kfir-Dahav Dov Monderer Moshe Tennenholtz.
Insertion sort, Merge sort COMP171 Fall 2006. Sorting I / Slide 2 Insertion sort 1) Initially p = 1 2) Let the first p elements be sorted. 3) Insert the.

Insertion sort, Merge sort COMP171 Fall Sorting I / Slide 2 Insertion sort 1) Initially p = 1 2) Let the first p elements be sorted. 3) Insert the.
Insertion sort, Merge sort COMP171 Fall 2006. Sorting I / Slide 2 Insertion sort 1) Initially p = 1 2) Let the first p elements be sorted. 3) Insert the.

Insertion sort, Merge sort COMP171 Fall Sorting I / Slide 2 Insertion sort 1) Initially p = 1 2) Let the first p elements be sorted. 3) Insert the.
Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.

Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.

Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
Upper Bounds on the Time and Space Complexity of Optimizing Additively Separable Functions Matthew J. Streeter Carnegie Mellon University Pittsburgh, PA.

Upper Bounds on the Time and Space Complexity of Optimizing Additively Separable Functions Matthew J. Streeter Carnegie Mellon University Pittsburgh, PA.
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Study Group Randomized Algorithms Jun 7, 2003 Jun 14, 2003.

Study Group Randomized Algorithms Jun 7, 2003 Jun 14, 2003.

Similar presentations

Ads by Google