Key Recovery from State Information - RC4: Stream Cipher and Its Variants - page 103

Cryptography Reference

In-Depth Information

Subtracting, we get the result. Note that the term 2 r stands for the number

of ways in which a set of r indices may be a filter or a non-filter.

As an illustration, we present C d,F for different values of d and F with

l = 16 in Table 4.10.

F

32

20

16

12

8

2 27.81

2 27.31

2 24.72

2 18.11

2 3.58

d = 2

d = 3

2 30.56

2 30.38

2 29.02

2 24.86

2 15.95

2 31.47

2 31.35

2 30.38

2 27.17

2 20.14

d = 4

TABLE 4.10: C d,F for different F and d values with l = 16.

Though we have assumed that l divides N in the above analysis, the same

idea works when l is not a factor of N. One only needs to map the indices

from the right end of S to the appropriate key bytes.

4.7.2 Application of Filter Sequences in Bidirectional Key

Search

The theoretical properties of filter sequences discussed in the previous

subsection can be used to devise a novel key retrieval algorithm.

Suppose that after the RC4 KSA is over, the final permutation S N and

the final value j N of the index j are known. The update rule for the KSA is

j y+1 = j y + S y [y] + K[y],

0 ≤ y ≤N −1.

Since S 0 is the identity permutation and j 0 = 0, we have j 1 = K[0]. Thus, if

index 0 is a filter, then K[0] is known. Again, if index N − 2 is a filter, then

j N−1 is known and hence K[l−1] = K[N −1] can be determined as

j N

−j N−1

−S N−1 [N −1] = j N

−j N−1

−S N [j N ].

Moreover, if two consecutive indices y−1 and y happen to be filters, 1 ≤y ≤

N−2, then j y and j y+1 are known and S y [y] = y from the definition of filters.

Thus, the correct value of the key byte K[y mod l] can be extracted as

K[y mod l] = j y+1

−j y

−y.

For complete key recovery, apart from the knowledge of the final permu-

tation S N and the final value j N of the pseudo-random index j, we also need

to assume that a d-favorable (t,t ′ )-bisequence exists. Given such a sequence,

our algorithm does not require one to guess more than d many key bytes at a

time. For faster performance, one should keep d small (typically, 4).

The basic strategy for full key recovery is as follows. First, a partial key

recovery is performed using the filters in the interval

[0,M −1]∪[N −1−M,N −2],

Next Page

RC4: Stream Cipher and Its Variants

Search WWH ::

Custom Search

Home