1 / 34

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator. Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC. Indocrypt 2003 India Habitat Center December 8, 2003. Overview of the Presentation. Description of RC4

bridie
Download Presentation

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India Habitat Center December 8, 2003

  2. Overview of the Presentation • Description of RC4 • Definition of a Predictive State and its Importance • Upper Bound on the Number of Outputs of a Predictive State • Definition of a Non-fortuitous Predictive State • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  3. Overview of the Presentation • Description of RC4 • Definition of a Predictive State and its Importance • Upper Bound on the Number of Outputs of a Predictive State • Definition of a Non-fortuitous Predictive State • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  4. Description of RC4 • Based on Exchange Shuffle Paradigm • The Algorithm Runs in Two Phases • Key-scheduling Algorithm • Pseudo-random Generation Algorithm • Pseudo-random Bytes are Bit-wise X-Ored with the Plaintext Bytes in Succession to Generate the Ciphertexts.

  5. Key-scheduling Algorithm • A Variable Size Key (K) Turns an Array (S) of Identity Permutation into a ‘Random’ Permutation • The Size of the Key K=40to 256 Bits in All Practical Applications • The Size of the Array N = 256 Bytes in All Practical Applications

  6. Key-scheduling Algorithm Input (S, K) 1. for (i = 0 to N-1) S[i] = i ; 2. j = 0; 3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );

  7. Key-scheduling Algorithm Input (S, K) 1. for (i = 0 to N-1) S[i] = i ; 2. j = 0; 3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );

  8. Pseudo-random Generation Algorithm Input (S) 1. i = 0; 2. j = 0; 3. i = i + 1; 4. j = (j + S[i] ) mod N; 5. Swap (S[i],S[j]); 6. I = (S[i] + S[j]) mod N ; 7. Output = S[I];

  9. Pseudo-random Generation Algorithm Input (S) 1. i = 0; 2. j = 0; 3. i = i + 1; round 4. j = (j + S[i] ) mod N; 5. Swap (S[i], S[j]); 6. I = (S[i] + S[j]) mod N ; 7. Output = S[I];

  10. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  11. Predictive States of RC4 • An a-state of RC4 is only a known elements of the S-box together with i and j at some round denoted by round 0. • In the next c rounds b output bytes are produced where c <= N where b>1 and round 1 produces output. • This internal state of RC4 at round 0 is defined to be b-predictive a-state.

  12. Predictive States of RC4Snapshot at Round 0 Round: 0 1 … … r …. c i j Number of Known elements in the S-box is a.

  13. Predictive States of RC4Snapshot at Roundc Round: 0 1 … … r …. c i j Outputs:Z1 Z2 Z3 …… Zb Number of Predicted Outputs is b.

  14. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  15. Non-fortuitous Predictive States • Consider the a-predictive a-states. • If a elements of the S-box are consecutive and so are the a outputs then the state is a Fortuitous State of length a. • All other a-predictive a-states are Non-fortuitous Predictive States of length a.

  16. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  17. Main Contributions • We give an upper bound on the number of predicted outputs b for a b-predictive a-state • We also give an algorithm which is better than exhaustive search to determine Non-fortuitous Predictive States for small values of a

  18. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  19. For a b-Predictive a-Stateb <= a (Sketch of the Proof) • The claim was left as a conjecture by Mantin and Shamir, 2001. • The bound on c, which was 2N in the original conjecture, is wrong. When a=N, b is infinitely large. • The claim is true when c <= N. • Clearly a-predictive a-states are important. • The proof is by contradiction.

  20. For a b-Predictive a-Stateb <= a (Sketch of the Proof) • Assume b>a. • S[i] is always occupied with a known element at each round till the cth round is reached otherwise the execution is stopped. • Maximum one element can be filled in a vacant place in one round. • Maximum of (c-b) locations can be filled with known elements in c rounds. • Therefore, b known elements at round 0 leads to contradiction.

  21. Importance of Predictive States when b = a • Assume Internal States and External States (i.e., Outputs) of RC4 are ‘random’ for a fixed i. • For Predictive States when b = a, the elements of the S-box elements can be predicted with the maximum probability, that is 1/N, when outputs are known. • The larger the number of a-predictive a-states the higher is the probability for one of them to occur.

  22. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  23. Determination of Non-fortuitous Predictive States • An efficient algorithm to determine the Fortuitous States of small length is designed by Fluhrer and McGrew, 2000. • The main problems to determine the Non-fortuitous Predictive States are • The inter-element-gaps of the S-box elements are not known. • The inter-element-gaps of the S-box elements change after each round.

  24. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  25. The Set of Non-fortuitous Predictive States of length 1 is Empty Index: 0 1 2 2x-1 2 x ... x N-1 i j • Any 1-predictive 1-state is a Fortuitous State. • The number of 1-predictive 1-states is N.

  26. The Set of Non-fortuitous Predictive States of length 2 is Empty Index: 0 1 2 r … r’ N-1 i Outputs: Z1 Empty Index: 0 1 2 r … r’ N-1 i • Therefore, r’-r = 1, otherwise RC4 halts.

  27. The Set of Non-fortuitous Predictive States of length 2 is Empty Index: p1 p2 p3 p4 p5 1 i j Outputs: Z1 • Finney’s Forbidden State after the 1st round. Therefore, not possible. Possibility 1

  28. The Set of Non-fortuitous Predictive States of length 2 is Empty Index: p1 p2 p3 p4 p5 2 i j Outputs: Z1 After the 1st round Possibility 2

  29. The Set of Non-fortuitous Predictive States of length 2 is Empty Index: p1 p2 p3 p4 p5 2 i j After the 2nd round Possibility 2

  30. The Set of Non-fortuitous Predictive States of length 2 is Empty Empty Index: p1 p2 p3 p4 p5 2 i j After the 3rd round Possibility 2

  31. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  32. Determination of Non-fortuitous Predictive States: A General Approach • The inter-element-gap is the number of vacant places between two successive elements of the S-box. • The possible inter-element-gaps of the a-predictive a-states are determined from that of (a-1)-predictive (a-1)-states recursively. • Once the inter-element-gaps are known then we apply an algorithm similar to the one by Fluhrer and McGrew, 2000.

  33. Overview of the Presentation • Description of RC4 • Definition of a Predictive State • Definition of a Non-fortuitous Predictive State • Main Contributions • Upper Bound on the Number of Outputs of a Predictive State and its Importance • Determination of Non-fortuitous Predictive States • Of Length 1 and 2 • General Approach • Conclusions

  34. Conclusions • We obtained an important combinatorial result that an a-state of RC4 can not produce more than a outputs in the next N rounds. • A practical algorithm is designed to determine a special set of RC4 states known as Non-fortuitous States which reduce the data complexity of all known attacks on RC4.

More Related