New Linear Correlations related to State Information of RC4 PRGA using IV in WPA Keywords: RC4, WPA, Linear correlations Ryoma Ito Atsuko Miyaji Japan Advanced Institute of Science and Technology Supported by Japan Science and Tecjnology Agency (JST CREST） FSE 2015 @ Istanbul, Turkey March 11, 2015

Ryoma Ito & Atsuko Miyaji (JAIST)  designed by Rivest in 1987.  Two algorithms: KSA  PRGA Background-RC4 stream cipher Background 2 March 11, 2015 FSE 2015 @ Istanbul, Turkey  Correlations are further increased by:  Application-related setting : SSL/TLS, broadcast encryption  [MS02], [MPS11], [IOWM14],  Key setting in applications: WEP, WPA [GMMPS14] linear correlations between keystreams and keys KSA 0 1 2 PRGA Internal state 0 1 2 N-1 Z1 , Z2 , Z3 , …, Zr keystream K S0 S0 K Si  Correlations between Key and internal state S0 , Si , keystream Zi  [Roos95], [FM01], [PM07], [Klein08] Our target

Ryoma Ito & Atsuko Miyaji (JAIST) Our motivations: focus on (unknown) internal states Background Motivation and Contribution 3 March 11, 2015 FSE 2015 @ Istanbul, Turkey  Linear correlations among unknown internal state and keys (known in WPA and unknown in generic) Our linear equations unknown internal states: Xr ϵ {Sr [ir+1 ], Sr [ jr+1 ], jr+1 , tr+1 }, r ϵ [0, 256], a, b, c, d ϵ {-1, 0, 1}, e ϵ {-3, -2, -1, 0, 1, 2, 3} Xr =a･Zr+1 +b･K[0]+c･K[1]+d･K[2]+e State recovery attack in [KMPRV98]  Recover four unknown internal states, Sr [ir+1 ], Sr [ jr+1 ], jr+1 , tr+1, by computing optimum solutions

Ryoma Ito & Atsuko Miyaji (JAIST) Our contributions Background Motivation and Contribution 4 March 11, 2015 FSE 2015 @ Istanbul, Turkey  Prove 7 theorems with significant biases Linear correlations RC4 WPA Results S0 [i1 ]=K[0] 0.001450 0 Theorems 1, 2 S0 [i1 ]=K[0]-K[1]-3 0.005337 0.007848 Theorem 3 S0 [i1 ]=K[0]-K[1]-1 0.003922 0.007877 Theorem 4 S255 [i256 ]=K[0] 0.137294 0.138047 Theorem 5 S255 [i256 ]=K[1] 0.003911 0.037189 Theorem 6 Sr [ir+1 ]=K[0]+K[1]+1 a sawtooth distribution Theorem 7 Note: The probability of random association is 1/N (=0.003906)  Discover more than 150 linear correlations  Biases in between Sr [ir+1 ] and {K[0], K[1], K[2], Zr+1 } for r ϵ [0, 256]  Biases in between {S0 [ j1 ], S1 [ j2 ], j2 , t1 , t2 , t3 } and {K[0], K[1], K[2], Zr+1 }

Ryoma Ito & Atsuko Miyaji (JAIST)  Preliminary  RC4 stream cipher, WPA (TKIP key generation)  Previous Analysis  Roos biases: correlations between Key and initial state S0  [GMMPS14] : Key-bias K[0]+K[1] under TKIP (known) linear correlations between keystreams and Key (known)  Our results  linear correlations between Internal states S and Key (known)  Prove theoretically (Example: Pr(S255 [i256 ]=K[0])～0.138)  Accuracy is checked by experiments  Conclusion Outline of talk 5 March 11, 2015 FSE 2015 @ Istanbul, Turkey Outline

Ryoma Ito & Atsuko Miyaji (JAIST) Algorithm 2 PRGA 1: r  0, i0  0, j0  0 2: for r=0 do 3: ir  ir-1 +1, jr  jr-1 +Sr-1 [ir ] 6: Swap(Sr-1 [ir ], Sr-1 [ jr ]) 7: tr  Sr [ir ]+Sr [ jr ] 8: Output: Zr  Sr [tr ] 9: end loop KSA and PRGA Preliminary RC4 stream cipher and WPA protocol 6 March 11, 2015 FSE 2015 @ Istanbul, Turkey state transition in KSA/PRGA 0 N ・ K: secret key (l bytes) ・ r , N : # of rounds, arrays in S (N=256) ・ Sr K , Sr : r-th round S of KSA, PRGA ・ i, jr K , ir , jr , tr : indices of Sr K , Sr , Zr ・ Zr : output in the r-th round (keystream) Sr-1 Sr ir jr tr Zr Algorithm 1 KSA 1: for i=0 to N-1 do: S0 K[i]  i 2: j0 K  0 3: for i=0 to N-1 do 4: ji+1 K  ji K + Si K[i] + K[i mod l] 5: Swap(Si K[i], Si K[ ji+1 K]) 6: end for

Ryoma Ito & Atsuko Miyaji (JAIST) WPA: Wi-Fi Protected Access Preliminary RC4 stream cipher and WPA protocol 7 March 11, 2015 FSE 2015 @ Istanbul, Turkey  standardized as a substitute for WEP in 2003.  Weak features: a 16-byte RC4 key generation known as TKIP  avoid the known WEP attacks using (IV-related) K[1]=255 [FMS01] First 3-byte RC4 keys K[0], K[1] and K[2] are generated by IV16 K[0]=(IV16 >> 8) & 0xFF K[1]=[(IV16 >> 8) | 0x20] & 0x7F K[2]=IV16 & 0xFF  IV16: last 16-bit IV 0 1 K[0] K[1] K[2] IV16 Correlations：K[0] ≒ K[1]

Ryoma Ito & Atsuko Miyaji (JAIST) Roos’ biases [Roos95] (proved in [PM07]) Previous works [Roos95] 8 March 11, 2015 FSE 2015 @ Istanbul, Turkey S0 [0]=K[0], S0 [1]=K[0]+K[1]+1, S0 [2]=K[0]+K[1]+K[2]+3, … 0 1 2 N S0 Correlations between K and the initial state S0 [0]-S0 [255] Pr(S0 [y] = y(y+1)/2+K[0]+…+K[y]) = (1-y/N)(1-1/N)[y(y+1)/2+N]+1/N K[0] K[0]+K[1]+1 K[0]+K[1]+ K[1]+3 ・Pr(S0 [0]=K[0])=0.371(=α0 ), Pr(S0 [1]=K[0]+K[1]+1)=0.368 (=α1 ) Pretty high biases≫1/N=0.003906 used in our results In WPA, Pr(S0 [0]=K[1])= δ becomes pretty high since K[0]≒K[1]

Ryoma Ito & Atsuko Miyaji (JAIST) Biases induced by TKIP [GMMPS14] Previous works [GMMPS14] 9 March 11, 2015 FSE 2015 @ Istanbul, Turkey  Distribution of K[0]+K[1] in WPA 0 31 128 159 Pr(K[0]+K[1]=v)=0 v is odd, v= 0--31, 128—159.  Induce further correlations between keastreams and key.

Ryoma Ito & Atsuko Miyaji (JAIST) Linear correlations between Zr , K[0], K[1] and K[2] [GMMPS14] Previous works [GMMPS14] 10 March 11, 2015 FSE 2015 @ Istanbul, Turkey Linear equation r ϵ [1, 257], a, b, c ϵ {-1, 0, 1}, d ϵ {-3, -2, -1, 0, 1, 2, 3} Zr =a･K[0]+b･K[1]+c･K[2]+d Byte Linear correlation # of ciphertexts 1 Z1 =-K[0]-K[1] 5･213 = 215.322 3 Z3 =K[0]+K[1]+K[2]+3 219 256 Z256 =-K[0] 219 257 Z257 =-K[0]-K[1] 221 Broadcast attack on WPA ・Linear correlations between keystreams and keys (without proof) Zr , K[0], K[1] and K[2] (known in WPA) ・Apply correlations to broadcast attack [IOWM13] in WPA.  Reduce # of ciphertexts to recover Zr (r ϵ {1, 3, 256, 257})  Previous work required about 230 ciphertexts theoretically [IOWM13].

Ryoma Ito & Atsuko Miyaji (JAIST) Our newly discovered and proved correlations Our results New linear correlations 11 March 11, 2015 FSE 2015 @ Istanbul, Turkey 0 1 2 255 S0 S254 S1 S255 New linear correlations S0 [i1 ] = K[0] (Theorems 1, 2) S0 [i1 ] = K[0]-K[1]-3(Theorem 3) S0 [i1 ] = K[0]-K[1]-1 (Theorem 4) S255 [i256 ]=K[0] (Theorem 5) S255 [i256 ]=K[1] (Theorem 6) Sr [ir+1 ]=K[0]+K[1]+1 (r ϵ [0, N], Theorem 7) Xr =a･Zr+1 +b･K[0]+c･K[1]+d･K[2]+e unknown internal states: Xr ϵ {Sr [ir+1 ], Sr [ jr+1 ], jr+1 , tr+1 } and K[0], K[1], K[2], r ϵ [0, 256], a,b,c,d ϵ {-1, 0, 1}, e ϵ {-3, -2, -1, 0, 1, 2, 3},

Ryoma Ito & Atsuko Miyaji (JAIST) Theorems 1, 2: S0 [i1 ] & K[0], Theorems 3,4: S0 [i1 ], K[0] & K[1] Our results New linear correlations 12 March 11, 2015 FSE 2015 @ Istanbul, Turkey Theorem 1 Pr(S0 [i1 ]=K[0])RC4 =(1-1/N)N-2/N Theorem 2 Pr(S0 [i1 ]=K[0])WPA =0  S0 [i1 ]=K[0] never occurs in WPA.  S0 [i1 ]=K[0]-K[1]-3 and K[0]-K[1]-1 occur with 2/N in WPA. (a double probability of random association) Theorem 3 Pr(S0 [i1 ]=K[0]-K[1]-3)= 2α1 /N+(1-2/N)(1-α1 )/N for RC4, 4α1 /N+(1-4/N)(1-α1 )/N for WPA. Theorem 4 Pr(S0 [i1 ]=K[0]-K[1]-1)= α1 (1+2/N)/N+(1-2/N)(1-α1 )/N for RC4, 4α1 /N+(1-4/N)(1-α1 )/N for WPA. Note: α1 =Pr(S0 [1]=K[0]+K[1]+1) is Roos’ bias.

Ryoma Ito & Atsuko Miyaji (JAIST) Proof sketch of Theorems 1 and 2 Proof of Th 1,2 Proof procedures 13 March 11, 2015 FSE 2015 @ Istanbul, Turkey  If S2 K[0]=K[0], then S0 [1]=K[0] never occurs.  If S2 K[1]=K[0], then S0 [1]=K[0] occurs  Sr K[1]=S2 K[1] for r ϵ [3, N-1]. 0 1 j2 K=0 S0 K S1 K S0 K[0] 1 0 K[0] 1 0 K[0] K[0] 1 j1 K S2 K 254 rounds i i Step 1. (S0 [i1 ]=K[0]) can be decomposed in 5 paths completely. Step 2. S2 K[1]=K[0] occurs in 2 out of 5 paths in generic RC4. in 0 out of 5 paths in WPA. Step 3. Compute Pr(S0 [i1 ]=K[0]). Proof Procedures  j1 K=K[0], j2 K=K[0]+K[1]+S1 K[1] Main Facts in KSA

Ryoma Ito & Atsuko Miyaji (JAIST) Proof of Theorems 1, 2 - Step 1: Decompose to 5 paths 5 Paths 14 March 11, 2015 FSE 2015 @ Istanbul, Turkey 1. Pr(S0 [i1 ]=K[0]) can be decomposed in 5 paths completely.  Path 1-1: K[0]+K[1]=0 and K[0]=1  Path 1-2: K[0]+K[1]=0 and K[0]≠1  Path 2-1: K[0]+K[1]=255 and K[0]=1  Path 2-2: K[0]+K[1]=255 and K[0]≠1  Path 3: K[0]+K[1]≠0, 255  From the algorithm of KSA,  j1 K=K[0]  j2 K=K[0]+K[1]+S1 K[1] 0 1 254 255 K[0]+K[1] ･･･ 0 1 255 K[0] ･･･ Path 2-1, 2-2 Path 1-1, 2-1 Path 3 Proof of Th 1,2

Ryoma Ito & Atsuko Miyaji (JAIST) Proof of Theorems 1, 2 - Step 2: Paths with S2 K[1]=K[0] Proof of Th 1,2 Step 2 15 March 11, 2015 FSE 2015 @ Istanbul, Turkey Path 1-1 and Path 2-2  S2 K[1]=K[0] 0 1 j2 K=0 S0 K S1 K S0 K[0] 1 0 K[0] 1 0 K[0] K[0] 1 j1 K S2 K 254 rounds i i generic RC4: K is uniformly at random Pr(Path 1-1)=1/N2 Pr(Path 2-2)=(1-1/N)/N  If Sr K[1]=S2 K[1] for r ϵ [3, N-1], then S0 [1]=K[0] occurs. Pr(S0 [1]=K[0]|Path 1-1)=(1-1/N)N-2 Pr(S0 [1]=K[0]|Path 2-2)=(1-1/N)N-2 Path 1-1: K[0]+K[1]=0 and K[0]=1 Path 2-2: K[0]+K[1]=255 and K[0]≠1 WPA: Never occurs.

Ryoma Ito & Atsuko Miyaji (JAIST) Proof of Theorems 1, 2 - Step 3: Combining all probabilities Proof of Th 1,2 Step 3 16 March 11, 2015 FSE 2015 @ Istanbul, Turkey Compute Pr(S0 [i1 ]=K[0])RC4  Using Bayes’ theorem.  S0 [i1 ]=K[0] occurs only in either Path 1-1 or Path 2-2. Pr(Path 1-1)=1/N2 Pr(Path 2-2)=(1-1/N)/N Pr(S0 [1]=K[0]|Path 1-1)=(1-1/N)N-2 Pr(S0 [1]=K[0]|Path 2-2)=(1-1/N)N-2 Pr(S0 [i1 ]=K[0])RC4 =Pr(S0 [1]=K[0]|Path 1-1)･Pr(Path 1-1) +Pr(S0 [1]=K[0]|Path 2-2)･Pr(Path 2-2) =(1-1/N)N-2･1/N2+(1-1/N)N-2･(1-1/N)/N =(1-1/N)N-2/N Pr(S0 [i1 ]=K[0])WPA =Pr(S0 [1]=K[0]|Path 1-1)･Pr(Path 1-1) +Pr(S0 [1]=K[0]|Path 2-2)･Pr(Path 2-2)=0

Ryoma Ito & Atsuko Miyaji (JAIST) Theorem 5: S255 [i256 ] = K[0] Our results New linear correlations 17 March 11, 2015 FSE 2015 @ Istanbul, Turkey Theorem 5 Note: α0 =Pr(S0 [0]=K[0]) is Roos’ bias.  S255 [i256 ]=K[0] occurs with the probability of about 0.138 in generic RC4 and WPA. Pr(S255 [i256 ]=K[0])=α0 (1-1/N)255+(1-α0 )(1-(1-1/N)255)/N  Theorem 5 is induced by Roos’ bias, α0 =Pr(S0 [0]=K[0]) α0 =Pr(S0 [0]=K[0])=(1-1/N)N+1/N=0.371

Ryoma Ito & Atsuko Miyaji (JAIST) Theorem 6: S255 [i256 ] = K[1] Our results Theorem 6 18 March 11, 2015 FSE 2015 @ Istanbul, Turkey Note: α0 =Pr(S0 [0]=K[0]) is Roos’ bias, δ=Pr(S0 [0]=K[1]).  S255 [i256 ]=K[1] occurs with the probability of about 0.037 in WPA. Theorem 6 Pr(S255 [i256 ]=K[1])=δ(1-1/N)255+(1-δ)(1-(1-1/N)255)/N  Theorem 6 is induced by Roos’ bias, α0 =Pr(S0 [0]=K[0]).  reflects that the probability of K[1]=K[0] in WPA is 1/4. α0 =Pr(S0 [0]=K[0])=(1-1/N)N+1/N=0.371 δ=Pr(S0 [0]=K[1])=0.094 Lemma 1 (WPA) Pr(S0 [0]=K[1])=(3/N+(1-3/N) α0 )/4

Ryoma Ito & Atsuko Miyaji (JAIST) Theorem 7: Sr [ir+1 ] = K[0]+K[1]+1 for r ϵ [0, N] Our results Theorem 7 19 March 11, 2015 FSE 2015 @ Istanbul, Turkey  A sawtooth distribution reflects distribution of K[0]+K[1] in WPA Theorem 7 Pr(Sr [ir+1 ]=K[0]+K[1]+1) α1 α1 γ1 +(1-β1 )ε2 ε0 (1-1/N)N-1+(1-ε0 )(1-(1-1/N)N-1)/N ζ1 (1-1/N)N-1+(1-ζ1 )(1-(1-1/N)N-1)/N ζr+1 (1-1/N)r-1+Σx=1 to r-1 ηx (1-1/N)r-x-1/N if r=0, if r=1, if r=N-1, if r=N, otherwise. = Note: α1 =Pr(S0 [1]=K[0]+K[1]+1), β1 =Pr(S0 [S0 [1]]=K[0]+K[1]+1), γ1 =Pr(K[0]+K[1]=1) εr =Pr(S0 [r]=K[0]+K[1]+1), ζr =Pr(S1 [r]=K[0]+K[1]+1), ηr =Pr(Sr+1 [ir+1 ]=K[0]+K[1]+1)

Ryoma Ito & Atsuko Miyaji (JAIST) Remarkable Biases in Sr [ir+1 ] for r ϵ [0, N] Our results Theorem 7 20 March 11, 2015 FSE 2015 @ Istanbul, Turkey  A sawtooth distribution reflects K[0]+K[1] in WPA Experimental result of event (Sr [ir+1 ]=K[0]+K[1]+1)  Theorem 7 is induced by the probability of K[0]+K[1] in WPA.

Ryoma Ito & Atsuko Miyaji (JAIST) Results Experimental value Theoretical value ε (%) Theorem 1 0.001449605 0.001445489 0.284 Theorem 2 0 0 0 Theorem 3 for RC4 0.005332558 0.005325263 0.137 for WPA 0.007823541 0.008182569 4.589 Theorem 4 for RC4 0.003922530 0.003898206 0.620 for WPA 0.007851853 0.008182569 4.212 Theorem 5 0.138038917 0.138326988 0.208 Theorem 6 for RC4 0.003909105 0.003893102 0.409 for WPA 0.037186225 0.037105932 0.216 Check the accuracy of Theorems 1-6 Our results Experimental results 21 March 11, 2015 FSE 2015 @ Istanbul, Turkey Comparison between experimental and theoretical value relative error ε ε=(|experimental value – theoretical value|)/experimental value

Ryoma Ito & Atsuko Miyaji (JAIST) Check the accuracy of Theorem 7 Our results Experimental results 22 March 11, 2015 FSE 2015 @ Istanbul, Turkey Comparison between experimental and theoretical value in Theorem 7  Theoretical values closely reflects the experimental values  except Theorems 3 and 4 for WPA, Theorem 7.

Ryoma Ito & Atsuko Miyaji (JAIST) Summary of this work Conclusion 23 March 11, 2015 FSE 2015 @ Istanbul, Turkey We have proved 7 significant biases Open problems  prove the remaining linear correlations  apply newly discovered correlations to the state recovery attacks Linear correlations RC4 WPA Results S0 [i1 ]=K[0] 0.001445489 0 Theorems 1, 2 S0 [i1 ]=K[0]-K[1]-3 0.005325263 0.008182569 Theorem 3 S0 [i1 ]=K[0]-K[1]-1 0.003898206 0.008182569 Theorem 4 S255 [i256 ]=K[0] 0.138326988 0.138326988 Theorem 5 S255 [i256 ]=K[1] 0.003893102 0.037105932 Theorem 6 Sr [ir+1 ]=K[0]+K[1]+1 a sawtooth distribution Theorem 7