Cryptography Reference
In-Depth Information
Input: Two key-dependent scrambled permutations S_1[0...N−1] and S_2[0...N−1].
Output: Pseudo-random keystream bytes.
Initialization:
    i = j_1 = j_2 = 0;
Output Keystream Generation Loop:
    i = i + 1;
    j_1 = j_1 + S_1[i];
    Swap(S_1[i], S_1[j_1]);
    t_1 = S_1[i] + S_1[j_1];
    Output = S_2[t_1];
    j_2 = j_2 + S_2[i];
    Swap(S_2[i], S_2[j_2]);
    t_2 = S_2[i] + S_2[j_2];
    Output = S_1[t_2];
Algorithm 9.1.3: RC4A PRGA
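An added Python rendering of Algorithm 9.1.3 (not code from the book). It assumes N = 256 and that every index addition is taken mod N. The two input permutations are built with the standard RC4 KSA from two constructed keys, a stand-in for the RC4A key schedule, which this page does not give.

```python
# Added example: RC4A PRGA (Algorithm 9.1.3), index arithmetic assumed mod N.
N = 256  # assumption: byte-oriented state, as in RC4

def rc4_ksa(key: bytes) -> list:
    """Standard RC4 KSA, used here only to build a key-dependent permutation."""
    if not key:
        raise ValueError("key must be non-empty")
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def rc4a_prga(S1: list, S2: list, nbytes: int) -> bytes:
    """Return nbytes of keystream; S1 and S2 are updated in place."""
    for S in (S1, S2):
        if sorted(S) != list(range(N)):
            raise ValueError("state must be a permutation of 0..N-1")
    i = j1 = j2 = 0
    out = bytearray()
    while len(out) < nbytes:
        i = (i + 1) % N
        # First half-round: update S1, but emit a byte of S2.
        j1 = (j1 + S1[i]) % N
        S1[i], S1[j1] = S1[j1], S1[i]
        out.append(S2[(S1[i] + S1[j1]) % N])
        # Second half-round: same i, update S2, emit a byte of S1.
        j2 = (j2 + S2[i]) % N
        S2[i], S2[j2] = S2[j2], S2[i]
        out.append(S1[(S2[i] + S2[j2]) % N])
    # Each loop pass yields two bytes; an odd request drops the last one.
    return bytes(out[:nbytes])

if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    S1 = rc4_ksa(b"constructed-key-1")
    S2 = rc4_ksa(b"constructed-key-2")
    print(rc4a_prga(S1, S2, 16).hex())
```

Each array is indexed by a sum computed from the other array's freshly swapped entries, so one increment of i yields two output bytes.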
bytes and that for RC4A requires $2^{58}$ keystream bytes. Shortly afterwards, better attacks
based on the non-uniformity of the first few keystream bytes were reported
in [182]. These improved distinguishers for VMPC and RC4A require $2^{38}$ and
$2^{23}$ keystream bytes respectively. Subsequently, a corrected version [114] of
the paper [113] appeared and reported a data complexity of $2^{40}$ keystream
bytes for distinguishing VMPC from a random stream. It is not surprising that
the ABTAB distinguisher [109] for RC4 described in Section 6.3.1 also works
for RC4A.
Several variants of RC4 and RC4-like ciphers have been described in [118],
such as Chameleon and RC4B. These are less popular in terms of practical
use and we omit their descriptions here.
9.2 Word-Oriented Variants
In [118, Chapter 6], two new ciphers, named Sheet Bend and Bowline,
were developed by expanding RC4 to 32 bits. The work [126] proposed a
generalization of RC4 with an aim to expand RC4 to 32/64 bits with a state
size much smaller than $2^{32}$ or $2^{64}$. The new algorithm is called RC4(n,m),
where $N = 2^n$ is the size of the state array in words, m is the word size in
bits, n ≤ m. Later, the name NGG was adopted for this cipher after the
initials of its designers. NGG KSA and PRGA update the indices i,j in the
same way as do the RC4 KSA and PRGA respectively. In the NGG KSA, the
array S is initialized to a precomputed random array a. Then, S[i] and S[j]