1 analysis of non-fortuitous predictive states of the rc4 keystream generator souradyuti paul and...

1

Analysis of Non-fortuitous Predictive States of the

RC4 Keystream Generator

Souradyuti Paul and Bart PreneelK.U. Leuven, ESAT/COSIC

Indocrypt 2003India Habitat CenterDecember 8, 2003

2

Overview of the Presentation Description of RC4 Definition of a Predictive State and its Importance Upper Bound on the Number of Outputs of a

Predictive State Definition of a Non-fortuitous Predictive State Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

3

Overview of the Presentation Description of RC4 Definition of a Predictive State and its Importance Upper Bound on the Number of Outputs of a

Predictive State Definition of a Non-fortuitous Predictive State Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

4

Description of RC4 Based on Exchange Shuffle Paradigm

The Algorithm Runs in Two Phases

Key-scheduling Algorithm

Pseudo-random Generation Algorithm

Pseudo-random Bytes are Bit-wise X-Ored with the Plaintext Bytes in Succession to Generate the Ciphertexts.

5

Key-scheduling Algorithm A Variable Size Key (K) Turns an Array (S) of Identity

Permutation into a ‘Random’ Permutation

The Size of the Key K= 40 to 256 Bits in All Practical Applications

The Size of the Array N = 256 Bytes in All Practical Applications

6

Key-scheduling AlgorithmInput (S, K)

1. for (i = 0 to N-1)S[i] = i ;

2. j = 0;

3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );

7

Key-scheduling AlgorithmInput (S, K)

1. for (i = 0 to N-1) S[i] = i ;

2. j = 0;

3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );

8

Pseudo-random Generation AlgorithmInput (S)

1. i = 0;2. j = 0;3. i = i + 1;4. j = (j + S[i] ) mod N;5. Swap (S[i], S[j]);6. I = (S[i] + S[j]) mod N ;7. Output = S[I];

9

Input (S)

1. i = 0;2. j = 0;3. i = i + 1; round4. j = (j + S[i] ) mod N;5. Swap (S[i], S[j]);6. I = (S[i] + S[j]) mod N ;7. Output = S[I];

Pseudo-random Generation Algorithm

10

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

11

An a-state of RC4 is only a known elements of the S-box together with i and j at some round denoted by round 0.

In the next c rounds b output bytes are produced where c <= N where b>1 and round 1 produces output.

This internal state of RC4 at round 0 is defined to be b-predictive a-state.

Predictive States of RC4

12

… … …

Round: 0 1 … … r …. c

i

Predictive States of RC4

Snapshot at Round 0

Number of Known elements in the S-box is a.

j

13

… … … …

Round: 0 1 … … r …. c

i j

Outputs: Z1 Z2 Z3 …… Zb

Predictive States of RC4

Snapshot at Round c

Number of Predicted Outputs is b.

14

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

15

Non-fortuitous Predictive States Consider the a-predictive a-states.

If a elements of the S-box are consecutive and so are the a outputs then the state is a Fortuitous State of length a.

All other a-predictive a-states are Non-fortuitous Predictive States of length a.

16

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

17

Main Contributions

We give an upper bound on the number of predicted outputs b for a b-predictive a-state

We also give an algorithm which is better than exhaustive search to determine Non-fortuitous Predictive States for small values of a

18

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

19

For a b-Predictive a-Stateb <= a (Sketch of the Proof)

The claim was left as a conjecture by Mantin and Shamir, 2001.

The bound on c, which was 2N in the original conjecture, is wrong. When a=N, b is infinitely large.

The claim is true when c <= N. Clearly a-predictive a-states are important. The proof is by contradiction.

20

For a b-Predictive a-Stateb <= a (Sketch of the Proof)

Assume b>a. S[i] is always occupied with a known element

at each round till the cth round is reached otherwise the execution is stopped.

Maximum one element can be filled in a vacant place in one round.

Maximum of (c-b) locations can be filled with known elements in c rounds.

Therefore, b known elements at round 0 leads to contradiction.

21

Importance of Predictive States when b = a

Assume Internal States and External States (i.e., Outputs) of RC4 are ‘random’ for a fixed i.

For Predictive States when b = a, the elements of the S-box elements can be predicted with the maximum probability, that is 1/N, when outputs are known.

The larger the number of a-predictive a-states the higher is the probability for one of them to occur.

22

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

23

Determination of Non-fortuitous Predictive States

An efficient algorithm to determine the Fortuitous States of small length is designed by Fluhrer and McGrew, 2000.

The main problems to determine the Non-fortuitous Predictive States are

The inter-element-gaps of the S-box elements are not known. The inter-element-gaps of the S-box elements change after each round.

24

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

25

The Set of Non-fortuitous Predictive States of length 1 is Empty

x

Index: 0 1 2 2x-1 2 x ... x N-1

i j

Any 1-predictive 1-state is a Fortuitous State.

The number of 1-predictive 1-states is N.

26

The Set of Non-fortuitous Predictive States of length 2 is Empty

…Index: 0 1 2 r … r’ N-1

iOutputs: Z1

Index: 0 1 2 r … r’ N-1

i

Empty

Therefore, r’-r = 1, otherwise RC4 halts.

27

The Set of Non-fortuitous Predictive States of length 2 is Empty

i j

Possibility 1

1

Finney’s Forbidden State after the 1st round. Therefore, not possible.

Outputs: Z1

Index: p1 p2 p3 p4 p5

28

The Set of Non-fortuitous Predictive States of length 2 is Empty

i j

Possibility 2

2

Outputs: Z1

After the 1st round

Index: p1 p2 p3 p4 p5

29

The Set of Non-fortuitous Predictive States of length 2 is Empty

i j

Possibility 2

2

After the 2nd round

Index: p1 p2 p3 p4 p5

30

Index: p1 p2 p3 p4 p5

The Set of Non-fortuitous Predictive States of length 2 is Empty

i j

Possibility 2

2

Empty

After the 3rd round

31

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

32

Determination of Non-fortuitous Predictive States: A General Approach

The inter-element-gap is the number of vacant places between two successive elements of the S-box.

The possible inter-element-gaps of the a-predictive a-states are determined from that of (a-1)-predictive (a-1)-states recursively.

Once the inter-element-gaps are known then we apply an algorithm similar to the one by Fluhrer and McGrew, 2000.

33

Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a

Predictive State and its Importance Determination of Non-fortuitous Predictive States

Of Length 1 and 2 General Approach

Conclusions

34

Conclusions

We obtained an important combinatorial result that an a-state of RC4 can not produce more than a outputs in the next N rounds.

A practical algorithm is designed to determine a special set of RC4 states known as Non-fortuitous States which reduce the data complexity of all known attacks on RC4.