(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, Santanu Sarkar
2012 Journal of Cryptology  
RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudorandom sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, ... the keystream of the cipher. Though biases based on the secret key are common in RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of RC4 keylength on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof. In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010. In the third part, we present the derivation of the complete probability distribution of the first byte of RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate for long-term non-randomness in the keystream, and prove a new long-term bias of RC4.

[Figure: RC4 cryptanalytic results, grouped as Biases and Distinguishers; State recovery attacks; Key recovery]
doi:10.1007/s00145-012-9138-1 fatcat:jc6baa44djbi7ojqsmtxpypr3q