New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
Subhamoy Maitra, ISI, Kolkata; Goutam Paul, Jadavpur University, Kolkata

Roadmap
• Introduction
• Related Work and Contribution
• Bias in the Permutation
• Key Leakage in the Keystream
• Conclusion
February 12, 2008, Goutam Paul, FSE-2008
Introduction
General Structure of Stream Cipher [figure]

RC4
• One of the most popular stream ciphers
• Designed by Ron Rivest in 1987
• Used in SSL, TLS, WEP, WPA, AOCE, Oracle Secure SQL, etc.
• Not completely cracked yet (as of this talk, February 2008), even after two decades of its discovery
Data Structure of RC4
• $S[0, \ldots, N-1]$: a permutation of $0, 1, \ldots, N-1$.
• $key[0, \ldots, l-1]$: the secret key of $l$ bytes.
• $K[0, \ldots, N-1]$: $K[i] = key[i \bmod l]$.
• $i$: deterministic index.
• $j$: pseudorandom index.
• All additions are modulo $N$.

Key Scheduling Algorithm (KSA)
Initialization: for $i = 0, \ldots, N-1$: $S[i] = i$; then $j = 0$.
Scrambling: for $i = 0, \ldots, N-1$: $j = j + S[i] + K[i]$; Swap($S[i]$, $S[j]$).

Pseudo-Random Generation Algorithm (PRGA)
Initialization: $i = j = 0$.
Output keystream generation loop: $i = i + 1$; $j = j + S[i]$; Swap($S[i]$, $S[j]$); $t = S[i] + S[j]$; output $z = S[t]$.
Related Work and Contribution
Important Existing Results
• Roos (sci.crypt, 1995) observed some correlation between
  – the permutation bytes $S[y]$ and some functions $f_y$ of the secret key bytes
  – the first keystream byte $z_1$ and the initial key bytes, subject to some conditions
• G. Paul and S. Maitra (SAC 2007) proved
  – the above empirical observations of Roos
  – that such weakness is intrinsic to the KSA
• G. Paul, S. Rathi and S. Maitra (WCC 2007) showed
  – a new bias of the first output byte $z_1$ towards the first three secret key bytes

Important Existing Results ... contd
• Fluhrer, Mantin and Shamir (SAC 2001)
  – the invariance weakness, known-IV attack and related-key attack
• Mantin (Asiacrypt 2005)
  – using the above, showed secret key leakage at the 257th keystream output byte
• Mantin and Shamir (FSE 2001)
  – a bias in the second output byte, namely the bias of $z_2 = 0$
• S. Paul and Preneel (FSE 2004)
  – a bias in the equality of the first two output bytes, i.e., the bias of $z_1 = z_2$
• Klein (Draft 2006) and Tews et al. (ePrint 2007/120)
  – bias in the initial keystream bytes $z_r$ towards the functions $f_r$ of the secret key bytes

Our Contributions
1. A new form of bias: $S[S[y]]$ with functions $f_y$ of the secret key bytes.
2. A general framework for identifying biases in the keystream bytes, used to find
   (a) biases at the 256th and 257th keystream output bytes (difference with Mantin, 2005: no conditions on the secret key and IV);
   (b) new biases in the initial keystream output bytes, namely biases of $z_r$ towards the functions $f_{r-1}$ (a new type, completely different from Klein, 2006 and Tews, 2007).
3. Propagation of biases beyond the 257th round of the PRGA: chain-like propagation, if $j$ is known.
Bias in the Permutation
Our Notations
• $S_r$: permutation after the $r$-th round of the KSA, $1 \le r \le N$. Note that $r = i + 1$, $0 \le i \le N-1$.
• $S_0$: the initial (typically identity) permutation.
• $f_y = \frac{y(y+1)}{2} + \sum_{x=0}^{y} K[x]$, $0 \le y \le N-1$.

How $P(S_r[S_r[1]] = f_1)$ Changes with KSA Rounds $r$, $1 \le r \le N$ [plot]

After the 2nd Round of KSA
Lemma 1:
(a) $P(S_2[S_2[1]] = f_1) = \frac{3}{N} - \frac{4}{N^2} + \frac{2}{N^3}$.
(b) $P(S_2[S_2[1]] = f_1 \wedge S_2[1] \le 1) \approx \frac{2}{N}$.
Note that $f_1 = K[0] + K[1] + 1$.

Recursion
Lemma 2: Let $p_r = P(S_r[S_r[1]] = f_1 \wedge S_r[1] \le r-1)$, for $r \ge 2$. Then for $r \ge 3$,
$$p_r = \left(\frac{N-2}{N}\right) p_{r-1} + \frac{1}{N}\left(\frac{N-2}{N}\right)\left(\frac{N-1}{N}\right)^{2(r-2)}.$$

After the Complete Key Scheduling
Theorem 1:
$$P(S_N[S_N[1]] = K[0] + K[1] + 1) = \frac{2}{N}\left(\frac{N-1}{N}\right)^{2(N-2)} + \frac{N-2}{N}\left(\frac{N-1}{N}\right)^{2(N-1)} \approx \left(\frac{N-1}{N}\right)^{2(N-1)}.$$
For $N = 256$, this value is $\approx 0.136$ (for a random permutation the same event would have probability $1/N \approx 0.0039$).
Generalizations: $P(S_N[y] = f_y)$, $P(S_N[S_N[y]] = f_y)$, $P(S_N[S_N[S_N[y]]] = f_y)$ vs. $y$ [plot]

Result for Two Levels of Nesting
Theorem 2: For $0 \le y \le 31$,
$$P(S_N[S_N[y]] = f_y) \approx \frac{y}{N}\left(\frac{N-1}{N}\right)^{\frac{y(y+1)}{2} + 2(N-2)} + \frac{1}{N}\left(\frac{N-1}{N}\right)^{\frac{y(y+1)}{2} + 2(N-1) - y} + \left(\frac{N-1-y}{N}\right)\left(\frac{N-y}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{y(y+1)}{2} + 2N - 3}.$$

Where Does It Lead to
• In a similar manner, the association of $S_N[S_N[\ldots S_N[y] \ldots]]$ with $f_y$ can be studied.
• These results are combinatorially interesting.
• Cryptanalytic implications are not immediate, but possible.
• We use the nonrandom association of $S_N[S_N[1]]$ with $f_1$ to find a new bias at the 257th keystream byte $z_{257}$.
Key Leakage in the Keystream
Some More Notations
• $S^G_r$: permutation after the $r$-th round of the PRGA, $r \ge 1$.
• $i^G_r$ and $j^G_r$: the indices after the $r$-th round of the PRGA, $r \ge 1$.
• $S^G_0$: permutation before the PRGA (i.e., the permutation $S_N$ after the KSA).
• $z_r$: keystream output byte after the $r$-th round of the PRGA, $r \ge 1$.
• Recall: $f_y = \frac{y(y+1)}{2} + \sum_{x=0}^{y} K[x]$, $0 \le y \le N-1$.

Existing Results Needed
Proposition 1 (Paul and Maitra, SAC 2007): $P(S_N[y] = f_y) \approx \left(\frac{N-y}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{y(y+1)}{2} + N} + \frac{1}{N}$, $0 \le y \le N-1$.
Proposition 2 (Jenkins, 1996): $P(z_r = r - S^G_{r-1}[i^G_r]) = \frac{2}{N}$, $r \ge 1$.

Framework for New Biases
Lemma 3: Let $P(S^G_t[i^G_r] = X) = q_{r,t}$ for some $X$. Then for $t + 2 \le r \le t + N$,
$$P(S^G_{r-1}[i^G_r] = X) = \left(\frac{N-1}{N}\right)^{r-t-1}\left[q_{r,t} - \frac{1}{N}\right] + \frac{1}{N}.$$
Corollary 2: For $2 \le r \le N-1$ (Lemma 3 with $t = 0$, $X = f_r$ and $q_{r,0}$ taken from Proposition 1),
$$P(S^G_{r-1}[r] = f_r) = \left(\frac{N-1}{N}\right)^{r-1}\left[\left[\left(\frac{N-r}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{r(r+1)}{2} + N} + \frac{1}{N}\right] - \frac{1}{N}\right] + \frac{1}{N} = \left(\frac{N-r}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{r(r+1)}{2} + N + r - 1} + \frac{1}{N}.$$

Framework for New Biases ... contd
Lemma 4: Let $P(S^G_{r-1}[i^G_r] = f_{i^G_r}) = w_r$, $r \ge 1$. Then
$$P(z_r = r - f_{i^G_r}) = \frac{1}{N}(1 + w_r), \quad r \ge 1.$$
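How Lemma 4 follows from Proposition 2, written out here as an added step (it is not on the slides). The derivation conditions on whether $S^G_{r-1}[i^G_r]$ equals $f_{i^G_r}$ and assumes, as the slides' framework does, that Jenkins' $2/N$ correlation is unaffected by that conditioning and that otherwise $z_r$ hits a fixed value with probability $1/N$:
$$P(z_r = r - f_{i^G_r}) = P(S^G_{r-1}[i^G_r] = f_{i^G_r}) \cdot P\big(z_r = r - S^G_{r-1}[i^G_r] \,\big|\, S^G_{r-1}[i^G_r] = f_{i^G_r}\big) + P(S^G_{r-1}[i^G_r] \ne f_{i^G_r}) \cdot \frac{1}{N} \approx w_r \cdot \frac{2}{N} + (1 - w_r) \cdot \frac{1}{N} = \frac{1}{N}(1 + w_r).$$
The bias therefore lives entirely in $w_r$: whenever the permutation byte $S^G_{r-1}[i^G_r]$ is biased towards a key function, the keystream byte $z_r$ inherits a bias of size $w_r/N$ above the uniform $1/N$.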
Bias in the Initial Keystream Bytes
Theorem 3:
(1) $P(z_1 = 1 - f_1) = \frac{1}{N}\left(\left(\frac{N-1}{N}\right)^{N+2} + \frac{1}{N} + 1\right)$.
(2) For $2 \le r \le N-1$,
$$P(z_r = r - f_r) = \frac{1}{N}\left(\left(\frac{N-1}{N}\right)^{r-1}\left[\left[\left(\frac{N-r}{N}\right)\left(\frac{N-1}{N}\right)^{\frac{r(r+1)}{2} + N} + \frac{1}{N}\right] - \frac{1}{N}\right] + \frac{1}{N} + 1\right).$$
Both cases are Lemma 4 with $w_r$ supplied by Proposition 1 (for $r = 1$) and Corollary 2 (for $r \ge 2$); for $N = 256$ and $r = 1$ the value is about $1.37/N$, against $1/N$ for a uniformly random byte.

Probability Values Given by Theorem 3 [table]
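The KSA and PRGA slides, the definition of $f_y$, Theorem 1 and Theorem 3 can all be exercised together. The Python below is an added example for this page, not the authors' code: it implements the KSA and PRGA exactly as on the slides (with $K[i] = key[i \bmod l]$), checks the implementation against the standard RC4 test vector for the key "Key", evaluates the closed forms of Theorem 1 and of Theorem 3 (using the simplified Corollary 2 for $w_r$), and then estimates the same probabilities by Monte Carlo over random keys. The 16-byte key length, the PRNG seed, the trial count and the function names (`ksa`, `prga`, `f`, `theorem1_value`, `theorem3_value`, `estimate_biases`) are this example's own choices.

```python
"""RC4 KSA/PRGA as on the slides, plus an empirical check of the nested-permutation
bias P(S_N[S_N[1]] = f_1) (Theorem 1) and the keystream bias z_r = r - f_r (Theorem 3).

Added example for this page; not the authors' code.  Sample keys are drawn from a
seeded PRNG (constructed input); the key length l = 16 is an assumption."""
import random

N = 256


def ksa(key, n=N):
    """Key Scheduling Algorithm from the slide: K[i] = key[i mod l]."""
    l = len(key)
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % l]) % n
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, nbytes, n=N):
    """Pseudo-Random Generation Algorithm from the slide; returns z_1 .. z_nbytes."""
    S = S[:]                      # the PRGA mutates the permutation; keep the caller's copy
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return out


def f(key, y, n=N):
    """f_y = y(y+1)/2 + sum_{x=0}^{y} K[x]  (mod N), with K[x] = key[x mod l]."""
    l = len(key)
    return (y * (y + 1) // 2 + sum(key[x % l] for x in range(y + 1))) % n


def theorem1_value(n=N):
    """Closed form of Theorem 1: P(S_N[S_N[1]] = K[0] + K[1] + 1)."""
    b = (n - 1) / n
    return (2 / n) * b ** (2 * (n - 2)) + ((n - 2) / n) * b ** (2 * (n - 1))


def theorem3_value(r, n=N):
    """Theorem 3: P(z_r = r - f_r) for 1 <= r <= N-1, via Lemma 4 with w_r from
    Corollary 2 (r = 1 reduces to case (1) of the theorem)."""
    b = (n - 1) / n
    w = ((n - r) / n) * b ** (r * (r + 1) // 2 + n + r - 1) + 1 / n
    return (1 + w) / n


def estimate_biases(trials=20000, key_len=16, rounds=(1, 2, 3), seed=1, n=N):
    """Monte Carlo over random keys (constructed input): frequency of
    S_N[S_N[1]] == f_1 and of z_r == r - f_r for each r in `rounds`.
    Returns (nested_freq, {r: freq})."""
    rng = random.Random(seed)
    nested_hits = 0
    z_hits = {r: 0 for r in rounds}
    rmax = max(rounds)
    for _ in range(trials):
        key = [rng.randrange(n) for _ in range(key_len)]
        S = ksa(key, n)
        if S[S[1]] == f(key, 1, n):
            nested_hits += 1
        z = prga(S, rmax, n)
        for r in rounds:
            if z[r - 1] == (r - f(key, r, n)) % n:
                z_hits[r] += 1
    return nested_hits / trials, {r: h / trials for r, h in z_hits.items()}


if __name__ == "__main__":
    # Standard test vector: key "Key" gives keystream EB 9F 77 81 B7 34 CA 72 A7 19 ...
    print("keystream:", bytes(prga(ksa(list(b"Key")), 10)).hex())
    print("Theorem 1 (N=256):", round(theorem1_value(), 4), " random: ", round(1 / N, 4))
    nested, zr = estimate_biases()
    print("empirical P(S_N[S_N[1]] = f_1):", nested)
    for r, p in zr.items():
        print(f"r={r}: theory {theorem3_value(r):.5f}  empirical {p:.5f}  random {1 / N:.5f}")
```

With $N = 256$ the nested-permutation event comes out near 0.136 instead of the $1/N \approx 0.0039$ a random permutation would give, and $P(z_r = r - f_r)$ for $r = 1, 2, 3$ lands near $1.37/N$. The run takes a few seconds in CPython; lowering `trials` speeds it up at the cost of noisier estimates.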