1 analysis of non-fortuitous predictive states of the rc4 keystream generator souradyuti paul and...
DESCRIPTION
3 Overview of the Presentation n Description of RC4 n Definition of a Predictive State and its Importance n Upper Bound on the Number of Outputs of a Predictive State n Definition of a Non-fortuitous Predictive State n Determination of Non-fortuitous Predictive States u Of Length 1 and 2 u General Approach n ConclusionsTRANSCRIPT
![Page 1: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/1.jpg)
1
Analysis of Non-fortuitous Predictive States of the
RC4 Keystream Generator
Souradyuti Paul and Bart PreneelK.U. Leuven, ESAT/COSIC
Indocrypt 2003India Habitat CenterDecember 8, 2003
![Page 2: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/2.jpg)
2
Overview of the Presentation Description of RC4 Definition of a Predictive State and its Importance Upper Bound on the Number of Outputs of a
Predictive State Definition of a Non-fortuitous Predictive State Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 3: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/3.jpg)
3
Overview of the Presentation Description of RC4 Definition of a Predictive State and its Importance Upper Bound on the Number of Outputs of a
Predictive State Definition of a Non-fortuitous Predictive State Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 4: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/4.jpg)
4
Description of RC4 Based on Exchange Shuffle Paradigm
The Algorithm Runs in Two Phases
Key-scheduling Algorithm
Pseudo-random Generation Algorithm
Pseudo-random Bytes are Bit-wise X-Ored with the Plaintext Bytes in Succession to Generate the Ciphertexts.
![Page 5: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/5.jpg)
5
Key-scheduling Algorithm A Variable Size Key (K) Turns an Array (S) of Identity
Permutation into a ‘Random’ Permutation
The Size of the Key K= 40 to 256 Bits in All Practical Applications
The Size of the Array N = 256 Bytes in All Practical Applications
![Page 6: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/6.jpg)
6
Key-scheduling AlgorithmInput (S, K)
1. for (i = 0 to N-1)S[i] = i ;
2. j = 0;
3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );
![Page 7: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/7.jpg)
7
Key-scheduling AlgorithmInput (S, K)
1. for (i = 0 to N-1) S[i] = i ;
2. j = 0;
3. for (i = 0 to N-1) j = (j + K[i mod l] + S[i] ) mod N; Swap (S[i], S[j] );
![Page 8: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/8.jpg)
8
Pseudo-random Generation AlgorithmInput (S)
1. i = 0;2. j = 0;3. i = i + 1;4. j = (j + S[i] ) mod N;5. Swap (S[i], S[j]);6. I = (S[i] + S[j]) mod N ;7. Output = S[I];
![Page 9: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/9.jpg)
9
Input (S)
1. i = 0;2. j = 0;3. i = i + 1; round4. j = (j + S[i] ) mod N;5. Swap (S[i], S[j]);6. I = (S[i] + S[j]) mod N ;7. Output = S[I];
Pseudo-random Generation Algorithm
![Page 10: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/10.jpg)
10
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 11: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/11.jpg)
11
An a-state of RC4 is only a known elements of the S-box together with i and j at some round denoted by round 0.
In the next c rounds b output bytes are produced where c <= N where b>1 and round 1 produces output.
This internal state of RC4 at round 0 is defined to be b-predictive a-state.
Predictive States of RC4
![Page 12: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/12.jpg)
12
… … …
Round: 0 1 … … r …. c
i
Predictive States of RC4
Snapshot at Round 0
Number of Known elements in the S-box is a.
j
![Page 13: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/13.jpg)
13
… … … …
Round: 0 1 … … r …. c
i j
Outputs: Z1 Z2 Z3 …… Zb
Predictive States of RC4
Snapshot at Round c
Number of Predicted Outputs is b.
![Page 14: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/14.jpg)
14
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 15: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/15.jpg)
15
Non-fortuitous Predictive States Consider the a-predictive a-states.
If a elements of the S-box are consecutive and so are the a outputs then the state is a Fortuitous State of length a.
All other a-predictive a-states are Non-fortuitous Predictive States of length a.
![Page 16: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/16.jpg)
16
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 17: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/17.jpg)
17
Main Contributions
We give an upper bound on the number of predicted outputs b for a b-predictive a-state
We also give an algorithm which is better than exhaustive search to determine Non-fortuitous Predictive States for small values of a
![Page 18: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/18.jpg)
18
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 19: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/19.jpg)
19
For a b-Predictive a-Stateb <= a (Sketch of the Proof)
The claim was left as a conjecture by Mantin and Shamir, 2001.
The bound on c, which was 2N in the original conjecture, is wrong. When a=N, b is infinitely large.
The claim is true when c <= N. Clearly a-predictive a-states are important. The proof is by contradiction.
![Page 20: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/20.jpg)
20
For a b-Predictive a-Stateb <= a (Sketch of the Proof)
Assume b>a. S[i] is always occupied with a known element
at each round till the cth round is reached otherwise the execution is stopped.
Maximum one element can be filled in a vacant place in one round.
Maximum of (c-b) locations can be filled with known elements in c rounds.
Therefore, b known elements at round 0 leads to contradiction.
![Page 21: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/21.jpg)
21
Importance of Predictive States when b = a
Assume Internal States and External States (i.e., Outputs) of RC4 are ‘random’ for a fixed i.
For Predictive States when b = a, the elements of the S-box elements can be predicted with the maximum probability, that is 1/N, when outputs are known.
The larger the number of a-predictive a-states the higher is the probability for one of them to occur.
![Page 22: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/22.jpg)
22
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 23: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/23.jpg)
23
Determination of Non-fortuitous Predictive States
An efficient algorithm to determine the Fortuitous States of small length is designed by Fluhrer and McGrew, 2000.
The main problems to determine the Non-fortuitous Predictive States are
The inter-element-gaps of the S-box elements are not known. The inter-element-gaps of the S-box elements change after each round.
![Page 24: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/24.jpg)
24
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 25: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/25.jpg)
25
The Set of Non-fortuitous Predictive States of length 1 is Empty
x
Index: 0 1 2 2x-1 2 x ... x N-1
i j
Any 1-predictive 1-state is a Fortuitous State.
The number of 1-predictive 1-states is N.
![Page 26: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/26.jpg)
26
The Set of Non-fortuitous Predictive States of length 2 is Empty
…Index: 0 1 2 r … r’ N-1
iOutputs: Z1
Index: 0 1 2 r … r’ N-1
i
Empty
Therefore, r’-r = 1, otherwise RC4 halts.
![Page 27: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/27.jpg)
27
The Set of Non-fortuitous Predictive States of length 2 is Empty
i j
Possibility 1
1
Finney’s Forbidden State after the 1st round. Therefore, not possible.
Outputs: Z1
Index: p1 p2 p3 p4 p5
![Page 28: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/28.jpg)
28
The Set of Non-fortuitous Predictive States of length 2 is Empty
i j
Possibility 2
2
Outputs: Z1
After the 1st round
Index: p1 p2 p3 p4 p5
![Page 29: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/29.jpg)
29
The Set of Non-fortuitous Predictive States of length 2 is Empty
i j
Possibility 2
2
After the 2nd round
Index: p1 p2 p3 p4 p5
![Page 30: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/30.jpg)
30
Index: p1 p2 p3 p4 p5
The Set of Non-fortuitous Predictive States of length 2 is Empty
i j
Possibility 2
2
Empty
After the 3rd round
![Page 31: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/31.jpg)
31
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 32: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/32.jpg)
32
Determination of Non-fortuitous Predictive States: A General Approach
The inter-element-gap is the number of vacant places between two successive elements of the S-box.
The possible inter-element-gaps of the a-predictive a-states are determined from that of (a-1)-predictive (a-1)-states recursively.
Once the inter-element-gaps are known then we apply an algorithm similar to the one by Fluhrer and McGrew, 2000.
![Page 33: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/33.jpg)
33
Overview of the Presentation Description of RC4 Definition of a Predictive State Definition of a Non-fortuitous Predictive State Main Contributions Upper Bound on the Number of Outputs of a
Predictive State and its Importance Determination of Non-fortuitous Predictive States
Of Length 1 and 2 General Approach
Conclusions
![Page 34: 1 Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC Indocrypt 2003 India](https://reader034.vdocument.in/reader034/viewer/2022052607/5a4d1b557f8b9ab0599a907a/html5/thumbnails/34.jpg)
34
Conclusions
We obtained an important combinatorial result that an a-state of RC4 can not produce more than a outputs in the next N rounds.
A practical algorithm is designed to determine a special set of RC4 states known as Non-fortuitous States which reduce the data complexity of all known attacks on RC4.