RC4のLong-term Glimpseにおける新しいNegative Biases

Slide 1

Slide 1 text

. . . . . . . RC4ͷLong-Term Glimpseʹ͓͚Δ ৽͍͠Negative Biases ΩʔϫʔυɿετϦʔϜ҉߸, RC4, Glimpse, long-term, negative biases 2014-05-ISEC ๺཮ઌ୺Պֶٕज़େֶӃେֶ ৘ใՊֶݚڀՊ ˓ҏ౻ ཽഅɹٶ஍ ॆࢠ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 1 / 23

Slide 2

Slide 2 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ໨࣍ 1. എܠ 2. طଘݚڀ - RC4 ʹର͢Δ߈ܸ - Glimpse Theorem[5], Maitra-Gupta Theorem[6] 3. ४උ 4. ৽͍͠ Negative Biases 5. ࣮ݧ݁Ռ 6. ·ͱΊ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 2 / 23

Slide 3

Slide 3 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases എܠ RC4 1987 ೥։ൃͷετϦʔϜ҉߸ SSL/TLS, WPA ౳Ͱ޿͘ར༻ ༷ʑͳ੬ऑੑͷଘࡏ bias Λར༻༷ͨ͠ʑͳ߈ܸͷଘࡏ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 3 / 23

Slide 4

Slide 4 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases طଘݚڀ RC4 ʹର͢Δ߈ܸ ࣝผ߈ܸɼฏจճ෮߈ܸ [2, 4, 8, 10] PRGA ͷग़ྗʹ bias ͕ଘࡏ͢Δ͜ͱΛར༻ͨ͠߈ܸ Broadcast RC4 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 4 / 23

Slide 5

Slide 5 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases طଘݚڀ ݤճ෮߈ܸ [7, 11] PRGA ͷग़ྗͱൿີݤؒʹ bias ͕͋Δ͜ͱΛར༻ͨ͠߈ܸ ಺෦ঢ়ଶ෮ݩ߈ܸ [1, 3, 5, 6, 9] PRGA ͷग़ྗͱ಺෦ঢ়ଶؒʹ bias ͕͋Δ͜ͱΛར༻ͨ͠߈ܸ RC4 ʹର͢Δ߈ܸͰ͸ bias ͕ॏཁͳݤ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 5 / 23

Slide 6

Slide 6 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases طଘݚڀ ಺෦ঢ়ଶ෮ݩ߈ܸ – Glimpse Theorem[5] 1996 ೥ʹ Jenkins ͕ࣔͨ͠ PRGA ͷग़ྗͱ಺෦ঢ়ଶؒͷ bias Bias in event Probability Sr[jr] = ir − Zr 2/N Sr[ir] = jr − Zr 2/N ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 6 / 23

Slide 7

Slide 7 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases طଘݚڀ ಺෦ঢ়ଶ෮ݩ߈ܸ – Glimpse Theorem[5] – Maitra-Gupta Theorem[6] 2013 ೥ʹ Maitra Β͕ࣔͨ͠ Long-Term Glimpse Bias in event Condition Probability Sr[r + 1] = N − 1 Zr+1 = Zr 2/N Sr[r + 1] = N − 1 Zr+1 = Zr ∧ Zr+1 = r + 2 3/N ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 7 / 23

Slide 8

Slide 8 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases طଘݚڀ ݕূ࣮ݧ . . . Bias in event Condition Probability Sr[r + 1] = N − 1 Zr+1 = Zr 2/N Sr[r + 1] = N − 1 Zr+1 = Zr ∧ Zr+1 = r + 2 3/N Maitra-Gupta Theorem[6] ͷਖ਼౰ੑΛ֬ೝ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 8 / 23

Slide 9

Slide 9 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases طଘݚڀ ݕূ࣮ݧ . . . Bias in event Condition Probability Sr[r + 1] = 0 Zr+1 = Zr 0 ? Sr[r + 1] = 0 Zr+1 = Zr ∧ Zr+1 = r + 2 0 ? ৽͍͠ negative biases ͷൃݟ ⇒ ཧ࿦తͳূ໌ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 9 / 23

Slide 10

Slide 10 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ४උ දهɾԾఆ r ϥ΢ϯυ਺ N ಺෦ঢ়ଶͷஔ׵਺ʢbyteʣ (N = 256) Sr r ϥ΢ϯυͷ PRGA ͷ಺෦ঢ়ଶ ir , jr ಺෦ঢ়ଶͷϙΠϯλ Zr = Sr[tr] r ϥ΢ϯυͷग़ྗɼtr ͸ͦͷϙΠϯλ PRGA: ٖࣅཚ਺ੑ શࣄ৅͕ϥϯμϜʢ֬཰ 1 N ʣ . . ࣮ݧʹΑͬͯ஋͕Ұ༷ʹ෼෍͞Ε ͍ͯΔͱ֬ೝͰ͖ͨࣄ৅ʹؔͯ͠ɼ શͯϥϯμϜͳࣄ৅ͱԾఆ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 10 / 23

Slide 11

Slide 11 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ४උ PRGA Algorithm 1 PRGA 1: r ← 0, i0 ← 0, j0 ← 0 2: loop 3: r ← r + 1 4: ir ← ir−1 + 1 5: jr ← jr−1 + Sr−1[ir] 6: Swap(Sr−1[ir], Sr−1[jr]) 7: tr ← Sr[ir] + Sr[jr] 8: Zr ← Sr[tr] 9: Output: Zr 10: end loop ex. S0[1] = 8, S0[8] = 7, S0[15] = 5 i1 = i0 + 1 = 1 j1 = j0 + S0[i1] = S0[1] = 8 t1 = S1[1] + S1[8] = 15 . . . Z1 = S1[15] = 5 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 11 / 23

Slide 12

Slide 12 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases ৽͍͠ Negative Biases . Theorem 4 . . . RC4 PRGA ͷ r ϥ΢ϯυ (r ≥ 1) ʹ͓͍ͯɼԼهͷ֬཰͕੒Γཱͭɽ Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 · ( 1 − 1 N ) . Theorem 5 . . . RC4 PRGA ͷ r ϥ΢ϯυ (r ≥ 1) ʹ͓͍ͯɼx ∈ ZN ͱ͢ΔͱԼهͷ֬཰͕ ੒Γཱͭɽ Pr(Sr[r + 1] = 0|Zr+1 = Zr ∧ Zr+1 = x) ≈                            1 N · ( 1 − 2 N2 ) if x = r + 1 2 N2 · ( 1 − 1 N ) if x = r − 1 1 N2 · ( 1 − 2 N ) otherwise ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 12 / 23

Slide 13

Slide 13 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases ৽͍͠ Negative Biases . Theorem 4 . . . RC4 PRGA ͷ r ϥ΢ϯυ (r ≥ 1) ʹ͓͍ͯɼԼهͷ֬཰͕੒Γཱͭɽ Pr(Sr[r + 1] = 0|Zr+1 = Zr) ≈ 2 N2 · ( 1 − 1 N ) ূ໌ͷྲྀΕ ओཁͳࣄ৅ A, B Λఆٛ A := (Sr[r + 1] = 0), B := (Zr+1 = Zr) ⇒ Pr(A|B) ≈ 2 N2 · ( 1 − 1 N ) ϕΠζͷఆཧ Pr(A|B) · Pr(B) = Pr(B|A) · Pr(A) = Pr(A ∧ B) ˞ Pr(A) ≈ Pr(B) ≈ 1 N ʢϥϯμϜͳࣄ৅ʣ ⇒ Pr(A|B) ≈ Pr(B|A) ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 13 / 23

Slide 14

Slide 14 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases ূ໌ͷྲྀΕ . . PRGA Step5 jr+1 = jr + Sr[r + 1] ⇒ Pr(jr+1 = jr |A) = 1 . Path . . . 1. jr = r 2. jr = r + 1 3. jr r, r + 1 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 14 / 23

Slide 15

Slide 15 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 1: jr = r) . . ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 15 / 23

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 1: jr = r) . . Path 1-1 ir = 1 ∧ X = tr+1 = 1 ⇒ Zr+1 = Zr = 0 (probability 1) ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 15 / 23

Slide 21

Slide 21 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 1: jr = r) . . Path 1-1 ir = 1 ∧ X = tr+1 = 1 ⇒ Zr+1 = Zr = 0 (probability 1) Path 1-2 ir = 254 ∧ X = tr+1 = 255 ⇒ Zr+1 = Zr = 255 (probability 1) ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 15 / 23

Slide 22

Slide 22 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 1: jr = r) Path 1-1 Pr(Path 1-1) = Pr(B|A ∧ jr = r ∧ ir = 1 ∧ tr+1 = 1) = 1 Path 1-2 Pr(Path 1-2) = Pr(B|A ∧ jr = r ∧ ir = 254 ∧ tr+1 = 255) = 1 Path 1 Pr(B|A ∧ jr = r) = Pr(Path 1-1) · Pr(ir = 1 ∧ tr+1 = 1) + Pr(Path 1-2) · Pr(ir = 254 ∧ tr+1 = 255) ≈ 1 · ( 1 N · 1 N ) + 1 · ( 1 N · 1 N ) = 2 N2 Pr(Path 1) = 2 N2 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 16 / 23

Slide 23

Slide 23 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 2: jr = r + 1) . . ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 17 / 23

Slide 24

Slide 24 text

Slide 25

Slide 25 text

Slide 26

Slide 26 text

Slide 27

Slide 27 text

Slide 28

Slide 28 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 2: jr = r + 1) . . Sr = Sr+1 ∧ X 0 Sr+1[X] Sr[0] ⇒ Zr+1 Zr (probability 1) ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 17 / 23

Slide 29

Slide 29 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 2: jr = r + 1) . . Sr = Sr+1 ∧ X 0 Sr+1[X] Sr[0] ⇒ Zr+1 Zr (probability 1) Path 2 Pr(B|A ∧ jr = r + 1) = 0 Pr(Path 2) = 0 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 17 / 23

Slide 30

Slide 30 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 3: jr r, r + 1) . . ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 18 / 23

Slide 31

Slide 31 text

Slide 32

Slide 32 text

Slide 33

Slide 33 text

Slide 34

Slide 34 text

Slide 35

Slide 35 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 3: jr r, r + 1) . . Path 3-1 X + Y = tr = jr ∧ Y = tr+1 = r + 1 ⇒ Zr+1 = Zr = r + 1 (probability 1) ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 18 / 23

Slide 36

Slide 36 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 3: jr r, r + 1) . . Path 3-1 X + Y = tr = jr ∧ Y = tr+1 = r + 1 ⇒ Zr+1 = Zr = r + 1 (probability 1) Path 3-2 X + Y = tr = r + 1 ∧ Y = tr+1 = jr+1 ⇒ Zr+1 = Zr = 0 (probability 1) ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 18 / 23

Slide 37

Slide 37 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 (Path 3: jr r, r + 1) Path 3-1 Pr(Path 3-1) = Pr(B|A ∧ jr r, r + 1 ∧ tr = jr ∧ tr+1 = r + 1) = 1 Path 3-2 Pr(Path 3-2) = Pr(B|A ∧ jr r, r + 1 ∧ tr = r + 1 ∧ tr+1 = jr+1) = 1 Path 3 Pr(B|A ∧ jr r, r + 1) = Pr(Path 3-1) · Pr(tr = jr ∧ tr+1 = r + 1) + Pr(Path 3-2) · Pr(tr = r + 1 ∧ tr+1 = jr+1) Pr(Path 3) = 2 N2 ≈ 1 · ( 1 N · 1 N ) + 1 · ( 1 N · 1 N ) = 2 N2 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 19 / 23

Slide 38

Slide 38 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ৽͍͠ Negative Biases Proof of Theorem 4 All Path Pr(B|A) = Pr(Path 1) · Pr(jr = r) + Pr(Path 2) · Pr(jr = r + 1) + Pr(Path 3) · Pr(jr r, r + 1) ≈ 2 N2 · 1 N + 0 · 1 N + 2 N2 · ( 1 − 2 N ) = 2 N2 · ( 1 − 1 N ) ≈ Pr(A|B) Pr(Sr[r + 1] = 0 | Zr+1 = Zr) ≈ 2 N2 · ( 1 − 1 N ) ˙ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 20 / 23

Slide 39

Slide 39 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ࣮ݧ݁Ռ OS Ubuntu 12.04 (32 bit) Linux Memory 3.8 GiB CPU Intel Core i5-3230M 2.6GHz Language C Compiler gcc 4.6.3 Keystream 240 bytes Number of trial 29 times (average) Biased Event Experimental Probability Theoretical Probability Theorem 4 0.000030502 2 N2 · (1 − 1 N ) = 0.000030398 Theorem 5 (x = r + 1) 0.003919882 1 N · (1 − 2 N2 ) = 0.003906131 Theorem 5 (x = r − 1) 0.000030755 2 N2 · (1 − 1 N ) = 0.000030398 Theorem 5 (x r − 1, r + 1) 0.000015171 1 N2 · (1 − 2 N ) = 0.000015140 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 21 / 23

Slide 40

Slide 40 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ·ͱΊ ੒Ռ - طଘݚڀ [6] ͷݕূ࣮ݧ͔Β৽͍͠ Negative Biases Λൃݟ ࠓޙͷ՝୊ - ৽͍͠ bias ͷ୳ࡧ - طଘͷ bias ͱ৽͍͠ bias Λ૊Έ߹Θͤͨ߈ܸख๏ͷݕ౼ ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 22 / 23

Slide 41

Slide 41 text

RC4 ͷ Long-Term Glimpse ʹ͓͚Δ৽͍͠ Negative Biases ࢀߟจݙ I [1] Apurba Das, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar, “Some Combinatorial Results towards State Recovery Attack on RC4”, ICISS 2011, LNCS 7093, pp. 204-214, 2011. [2] Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar, “(Non-)random sequences from (non-)random permutations - analysis of RC4 stream cipher”, Journal of Cryptology, 2013. [3] Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar, “Proof of Empirical RC4 Biases and New Key Correlations”, SAC 2010, LNCS 7118, pp. 151-168, 2011. [4] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii, “Full Plaintext Recovery Attack on Broadcast RC4”, FSE 2013 [5] Jenkins, R.J., ISAAC and RC4 (1996), Published on the Internet at http://burtleburtle.net/bob/rand/isaac.html (last accessed on March 10, 2014) [6] Subhamoy Maitra, and Sourav Sen Gupta, “New Long-Term Glimpse of RC4 Stream Cipher”, ICISS 2013, LNCS 8303, pp. 230-238, 2013. [7] Subhamoy Maitra, Goutam Paul, Santaunu Sarkar, Michael Lehmann, and Willi Meier, “New Results on Generalization of Roos-Type Biases and Related Keystreams of RC4”, AFRICACRYPT 2013, LNCS 7918, pp. 222-239, 2013. [8] Itsik Mantin and Adi Shamir, “A practical attack on broadcast RC4”, FSE 2001, LNCS 2355, pp. 152-164, 2002. [9] Alexander Maximov, and Dmitry Khovratovich, “New State Recovery Attack on RC4”, CRYPTO 2008, LNCS 5157, pp. 297-316, 2008. [10] Santanu Sarkar, Sourav Sen Gupta, Goutam Paul, and Subhamoy Maitra, “Proving TLS-attack related open biases of RC4”, IACR Cryptology ePrint Archive, 2013:508, 2013. [11] Pouyan Sepehrdad, Serge Vaudenay, and Martin Vuagnoux, “Discovery and Exploitation of New Biases in RC4”, SAC 2010, LNCS 6554, pp. 74-91, 2011 ҏ౻ ཽഅ (๺཮ઌ୺Պֶٕज़େֶӃେֶ) 2014-05-ISEC 2014. 5. 9 23 / 23