On non-randomness of the permutation after RC4 key scheduling

Authors:
Goutam Paul;Subhamoy Maitra;Rohit Srivastava
Affiliations:
Department of Computer Science and Engineering, Jadavpur University, Kolkata, India;Indian Statistical Institute, Kolkata, India;Department of Computer Science and Engineering, Institute of Technology, Banaras Hindu University, Varanasi, UP, India
Venue:
AAECC'07 Proceedings of the 17th international conference on Applied algebra, algebraic algorithms and error-correcting codes
Year:
2007

Citing 6
Cited 3

(Not So) Random Shuffles of RC4

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Practical Attack on Broadcast RC4

FSE '01 Revised Papers from the 8th International Workshop on Fast Software Encryption
Linear statistical weakness of alleged RC4 keystream generator

EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Permutation after RC4 key scheduling reveals the secret key

SAC'07 Proceedings of the 14th international conference on Selected areas in cryptography
A practical attack on the fixed RC4 in the WEP mode

ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Predicting and distinguishing attacks on RC4 keystream generator

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4

Fast Software Encryption
Analysis of RC4 and Proposal of Additional Layers for Better Security Margin

INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
New Correlations of RC4 PRGA Using Nonzero-Bit Differences

ACISP '09 Proceedings of the 14th Australasian Conference on Information Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Here we study a weakness of the RC4 Key Scheduling Algorithm (KSA) that has already been noted by Mantin and Mironov. Consider the RC4 permutation S of N (usually 256) bytes and denote it by SN after the KSA. Under reasonable assumptions we present a simple proof that each permutation byte after the KSA is significantly biased (either positive or negative) towards many values in the range 0, ..., N - 1. These biases are independent of the secret key and thus present an evidence that the permutation after the KSA can be distinguished from random permutation without any assumption on the secret key. We also present a detailed empirical study over Mantin's work when the theoretical formulae vary significantly from experimental results due to repetition of short keys in RC4. Further, it is explained how these results can be used to identify new distinguishers for RC4 keystream.