New Integrated Long-term Glimpse of RC4

Transcript

1. . . . . . . . New Integrated Long-Term

   Glimpse of RC4 Keywords: RC4, correlation, long-term Glimpse Ryoma Ito Atsuko Miyaji Japan Advanced Institute of Science and Technology WISA 2014 @ Korea August 26, 2014 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 1 / 28

2. Introduction Outline . . . 1 Introduction RC4 Cryptanalysis of

   PRGA Previous works Our motivation . . . 2 New results on long-term Glimpse New negative biases New positive biases and integrated long-term Glimpse Proof of our results . . . 3 Experimental results and Conclusion Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 2 / 28

3. Introduction RC4 Stream cipher designed by Ron Rivest in 1987

   widely used in various applications (SSL/TLS, WEP, WPA, etc) Notation r: number of rounds N: number of arrays in state (typically N = 256) ir , jr : indices of state for the r-th round Sr tr : index of output keystream for the r-th round Zr Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 3 / 28

4. Introduction PRGA Algorithm 1 PRGA 1: r ← 0, i0

   ← 0, j0 ← 0 2: loop 3: r ← r + 1 4: ir ← ir−1 + 1 5: jr ← jr−1 + Sr−1[ir] 6: Swap(Sr−1[ir], Sr−1[jr]) 7: tr ← Sr[ir] + Sr[jr] 8: Output: Zr ← Sr[tr] 9: end loop . state transition diagram in PRGA . . . Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 4 / 28

5. Introduction Cryptanalysis of PRGA Weakness the existence of positive and

   negative biases Cryptanalysis distinguishing attack [SMPS12, SSPM13, IOWM13] state recovery attack [KMPRV98, MK08, DMPS11] key recovery attack [SVV10, SMPS11, MPSLM13] Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 5 / 28

6. Introduction Previous works Glimpse correlations [Jenkins96, MS13] Glimpse Theorem [Jenkins96]

   correlations between one output keystream and a state location Long-term Glimpse [MS13] correlations between two consecutive output keystreams and a state location The results of Glimpse correlations Bias in event Condition Probability Glimpse Theorem Theorem 1 Sr[jr] = ir − Zr – 2/N Sr[ir] = jr − Zr – 2/N Long-term Glimpse Theorem 2 Sr[r + 1] = N − 1 Zr+1 = Zr 2/N Theorem 3 Sr[r + 1] = N − 1 Zr+1 = Zr 3/N Zr+1 = r + 2*1 *1Theorem 3 is a special case of Theorem 2. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 6 / 28

7. Introduction Previous works Long-term Glimpse [MS13] *1Theorem 3 is a

   special case of Theorem 2. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 7 / 28

8. Introduction Our motivation Theorems 2 and 3 give cases with

   positive biases. . Our motivation from two important problems . . . 1. Is there a dual case of Theorems 2 and 3? (a value of Sr[r + 1] with negative bias) 2. Is there another positive bias in addition to Theorems 2 and 3? Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 8 / 28

9. New results on long-term Glimpse Outline . . . 1

   Introduction RC4 Cryptanalysis of PRGA Previous works Our motivation . . . 2 New results on long-term Glimpse New negative biases New positive biases and integrated long-term Glimpse Proof of our results . . . 3 Experimental results and Conclusion Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 9 / 28

10. New results on long-term Glimpse New negative biases Solve the

    problem 1: Is there a dual case of Theorem 2? . . Pr(Sr[r + 1] = N − 1|Zr+1 = Zr) ≈ 2 N . . We can find a dual case of Theorem 2 as Theorem 4! Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 10 / 28

11. New results on long-term Glimpse New negative biases Solve the

    problem 1: Is there a dual case of Theorem 3? . . Pr(Sr[r + 1] = N − 1|Zr+1 = Zr ∧ Zr+1 = r + 2) ≈ 3 N . . We can find a dual case of Theorem 3 as Theorem 5! Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 11 / 28

12. New results on long-term Glimpse New negative biases Result 1:

    New negative biases . Theorem 4 . . . After the r-th round of PRGA for r ≥ 1, we have Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 ( 1 − 1 N ) . . Theorem 5 . . . After the r-th round of PRGA for r ≥ 1 and ∀x ∈ [0, N − 1], we have Pr(Sr[r + 1] = 0|Zr+1 = Zr ∧ Zr+1 = r + x) ≈                                1 N ( 1 − 2 N2 ) if x = 1 2 N2 ( 1 − 1 N ) if x = 255 1 N2 ( 1 − 2 N ) if x = N − r (x 1, 255). Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 12 / 28

13. New results on long-term Glimpse New positive biases and integrated

    long-term Glimpse Solve the problem 2: Is there another positive bias? . . Bias in event: Sr[r + 1] = N − x | Zr+1 = Zr ∧ Zr+1 = r + 1 + x . . We can find new positive biases as Theorem 6! Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 13 / 28

14. New results on long-term Glimpse New positive biases and integrated

    long-term Glimpse Result 2: New positive biases and integrated long-term Glimpse . Theorem 6 . . . After the r-th round of PRGA for r ≥ 1 and ∀x ∈ [2, N − 1], we have Pr(Sr[r + 1] = N − x|Zr+1 = Zr ∧ Zr+1 = r + 1 + x) ≈ 2 N ( 1 − 1 N + 1 N2 ) . . Theorem 7 (Integrated long-term Glimpse) . . . Bias in event Condition Probability Theorem 5 Sr[r + 1] = N − 0 Zr+1 = Zr ∧ Zr+1 = r + 1 + 0 1 N ( 1 − 2 N2 ) Theorem 3 Sr[r + 1] = N − 1 Zr+1 = Zr ∧ Zr+1 = r + 1 + 1 1 N ( 3 − 6 N + 2 N2 ) *2 Theorem 6 Sr[r + 1] = N − x Zr+1 = Zr ∧ Zr+1 = r + 1 + x 2 N ( 1 − 1 N + 1 N2 ) (∀x ∈ [2, N − 1]) (∀x ∈ [2, N − 1]) *2The probability of long-term Glimpse can be precisely revised to 1 N (3 − 6 N + 2 N2 ). Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 14 / 28

15. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 . Theorem 4 . . . Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 ( 1 − 1 N ) proof sketch 1. define main events A := (Sr [r + 1] = 0), B := (Zr+1 = Zr ) 2. compute Pr(B|A) in five paths jr = r (Path 1 ← Path 1-1 + Path 1-2) jr = r + 1 (Path 2) jr r, r + 1 (Path 3 ← Path 3-1 + Path 3-2) 3. apply Bayes’ Theorem to compute Pr(A|B) . . We assume the uniform randomness of other certain events approximate the probability of random association 1/N. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 15 / 28

16. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 16 / 28

17. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 16 / 28

18. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 16 / 28

19. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . tr tr+1 with probability 1 since 2X X. If event B occurs, Sr+1[tr+1] must be swapped from Sr [tr ]. tr must be next to tr+1 . Compute Pr(B|A ∧ jr = r) in two subpaths. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 16 / 28

20. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . Path 1-1 ir = 1 ∧ X = tr+1 = 1 ⇒ Zr+1 = Zr = 0 (probability 1) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 17 / 28

21. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) . . Path 1-1 ir = 1 ∧ X = tr+1 = 1 ⇒ Zr+1 = Zr = 0 (probability 1) Path 1-2 ir = 254 ∧ X = tr+1 = 255 ⇒ Zr+1 = Zr = 255 (probability 1) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 17 / 28

22. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 1: jr = r) Path 1-1 Pr(Path 1-1) = Pr(B|A ∧ jr = r ∧ ir = 1 ∧ tr+1 = 1) = 1 Path 1-2 Pr(Path 1-2) = Pr(B|A ∧ jr = r ∧ ir = 254 ∧ tr+1 = 255) = 1 Path 1 Pr(B|A ∧ jr = r) = Pr(Path 1-1) · Pr(ir = 1 ∧ tr+1 = 1) + Pr(Path 1-2) · Pr(ir = 254 ∧ tr+1 = 255) ≈ 1 · ( 1 N · 1 N ) + 1 · ( 1 N · 1 N ) = 2 N2 Pr(Path 1) ≈ 2 N2 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 18 / 28

23. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 2: jr = r + 1) . . Event B never occurs. tr tr+1 with probability 1 since X 0. Sr+1[tr+1] can not be swapped from Sr [tr ]. Pr(Path 2) = 0 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 19 / 28

24. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) . . tr tr+1 with probability 1 since X + Y Y. If event B occurs, Sr+1[tr+1] must be swapped from Sr [tr ]. Compute Pr(B|A ∧ jr r, r + 1) in two subpaths. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 20 / 28

25. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) . . Path 3-1 X + Y = tr = jr ∧ Y = tr+1 = r + 1 ⇒ Zr+1 = Zr = r + 1 (probability 1) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 21 / 28

26. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) . . Path 3-1 X + Y = tr = jr ∧ Y = tr+1 = r + 1 ⇒ Zr+1 = Zr = r + 1 (probability 1) Path 3-2 X + Y = tr = r + 1 ∧ Y = tr+1 = jr+1 ⇒ Zr+1 = Zr = 0 (probability 1) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 21 / 28

27. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 (Compute Pr(B|A) in Path 3: jr r, r + 1) Path 3-1 Pr(Path 3-1) = Pr(B|A ∧ jr r, r + 1 ∧ tr = jr ∧ tr+1 = r + 1) = 1 Path 3-2 Pr(Path 3-2) = Pr(B|A ∧ jr r, r + 1 ∧ tr = r + 1 ∧ tr+1 = jr+1) = 1 Path 3 Pr(B|A ∧ jr r, r + 1) = Pr(Path 3-1) · Pr(tr = jr ∧ tr+1 = r + 1) + Pr(Path 3-2) · Pr(tr = r + 1 ∧ tr+1 = jr+1) ≈ 1 · ( 1 N · 1 N ) + 1 · ( 1 N · 1 N ) = 2 N2 Pr(Path 3) ≈ 2 N2 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 22 / 28

28. New results on long-term Glimpse Proof of our results Proof

    of Theorem 4 All Paths Pr(B|A) = Pr(Path 1) · Pr(jr = r) + Pr(Path 2) · Pr(jr = r + 1) + Pr(Path 3) · Pr(jr r, r + 1) ≈ 2 N2 · 1 N + 0 · 1 N + 2 N2 · ( 1 − 2 N ) = 2 N2 ( 1 − 1 N ) apply Bayes’ Theorem Pr(A|B) = Pr(B|A) · Pr(A) Pr(B) ≈ Pr(B|A) ≈ 2 N2 ( 1 − 1 N ) we get Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 ( 1 − 1 N ) (proved) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 23 / 28

29. Outline . . . 1 Introduction RC4 Cryptanalysis of PRGA

    Previous works Our motivation . . . 2 New results on long-term Glimpse New negative biases New positive biases and integrated long-term Glimpse Proof of our results . . . 3 Experimental results and Conclusion Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 24 / 28

30. Experimental results Experimental environment OS Ubuntu 12.04 (32 bit) Linux

    Memory 3.8 GiB CPU Intel Core i5-3230M 2.6GHz Language C Compiler gcc 4.6.3 Number of Keys 224 (randomly chosen) Keystream 224 bytes for each key evaluate the percentage of relative error = |experimental value − theoretical value| experimental value × 100(%) Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 25 / 28

31. Experimental results Comparison between experimental and theoretical values Results Experimental

    value Theoretical value (%) Theorem 4 0.000030522 0.000030398 0.406 Theorem 5 for x = 1 0.003922408 0.003906131 0.415 for x = 255 0.000030683 0.000030398 0.929 for x = N − r 0.000015259 0.000015140 0.780 (x 1, 255) Theorem 6 0.007812333 0.007782102 0.387 is small enough in each case such as < 1(%). . . We can check the accuracy of biases shown in Theorems 4 to 6. Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 26 / 28

32. Conclusion . Our motivation from two important problems . .

    . 1. Is there a dual case of the results in [MS13]? 2. Is there another positive bias in addition to the results in [MS13]? Results We have discovered two dual cases of long-term Glimpse in [MS13] and new positive biases. These long-term Glimpse can be integrated to biases of Sr [r + 1] ∈ [0, N − 1]. Future works search new biases apply new biases to state recovery attack on RC4 Ryoma Ito (JAIST) New Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 27 / 28

33. Thank you for your kind attention! Ryoma Ito (JAIST) New

    Integrated Long-Term Glimpse of RC4 (WISA 2014) August 26, 2014 28 / 28