On retaining the standard KSA in Layer 1
One may argue that Layer 1 is unnecessary and that Layers 2 and 3 would have taken care of all the existing weaknesses of RC4. While this might be true, Layers 2 and 3, when operated on the identity permutation, might introduce some new weaknesses not yet known. It is a fact that the RC4 KSA has some weaknesses, but it also reduces the correlation of the secret key with the permutation entries and other biases, at least to some extent compared to the beginning of the KSA. In the process, the permutation is randomized to a certain degree. The structure of the RC4 KSA is simple and elegant and easy to analyze. First, this KSA is allowed to run over the identity permutation, so that the exact biases that are to be removed in the subsequent layers are identified. In summary, KSA+ keeps the good features of the RC4 KSA and removes only the bad ones.
9.4.2 PRGA+: Modifications to RC4 PRGA
The main cryptanalytic results about the PRGA that are taken into consideration in designing PRGA+ are listed below.
1. Correlations between the keystream output bytes and the secret key, discussed in Sections 5.5 and 5.6.
2. Distinguishing attacks described in Chapter 6.
3. State recovery from the keystream addressed in Section 5.8.
4. Key recovery in the WEP mode (these exploit the weaknesses of both the KSA and the PRGA) presented in Chapter 7.
KSA+ is designed in such a manner that one cannot get secret key correlations from the permutation bytes. This guarantees that the keystream output bytes, which are some combination of the permutation entries, cannot have any correlation with the secret key. As argued in Section 9.4.1, IVs in KSA+ cannot be easily exploited to mount an attack. Thus, only the two weaknesses listed in Items (2) and (3) above need to be targeted in the design of PRGA+.
Recall that for any byte b, b^R (respectively b^L) denotes the byte after right (respectively left) shifting b by n bits. For r ≥ 1, the permutation, the indices i, j and the keystream output byte after round r of PRGA+ are denoted by S_r, i_r, j_r and z_r respectively, in the same way as in the RC4 PRGA.
The main idea behind the design of PRGA+ is masking the output byte such that it does not directly come out from any permutation entry.
• Two entries from the permutation are added modulo 256 (a nonlinear operation) and then the outcome is XOR-ed with a third entry (for masking non-uniformity).
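The following Python script is an added illustration of the masking idea in the bullet above; it is not the book's PRGA+ and not code from the authors. It implements the standard RC4 KSA and PRGA, then a variant whose output byte is (S[t] + S[t2]) mod 256 XOR S[t3], where t = S[i] + S[j] is the usual RC4 output index and the choices t2 = j + S[j] and t3 = i + S[i] are this example's own assumptions, picked only so that the two masking entries differ in the event that drives the well-known second-byte bias of RC4 (Pr[z_2 = 0] is about 2/256 instead of 1/256). The script counts that event over random keys for both generators so the effect of the masking can be observed directly.

```python
import random

N = 256


def ksa(key: bytes) -> list:
    """Standard RC4 key scheduling, run over the identity permutation."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def prga_bytes(S: list, nbytes: int, masked: bool) -> bytes:
    """Run the RC4 PRGA on a copy of S and return the first nbytes outputs.

    masked=False: plain RC4, z = S[t] with t = S[i] + S[j].
    masked=True : the masking idea from the text, z = (S[t] + S[t2]) XOR S[t3].
                  t2 and t3 below are this example's assumptions, not the
                  book's PRGA+ definition.
    """
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(nbytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) & 0xFF
        if not masked:
            z = S[t]
        else:
            t2 = (j + S[j]) & 0xFF   # assumption: index of the second entry
            t3 = (i + S[i]) & 0xFF   # assumption: index of the masking entry
            z = ((S[t] + S[t2]) & 0xFF) ^ S[t3]
        out.append(z)
    return bytes(out)


def count_second_byte_zero(trials: int, masked: bool, seed: int = 1) -> int:
    """Count how often z_2 == 0 over `trials` constructed random 16-byte keys.

    A uniform keystream byte would give about trials/256 hits; plain RC4 gives
    roughly twice that because S_0[2] == 0 forces z_2 == 0.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if prga_bytes(ksa(key), 2, masked)[1] == 0:
            hits += 1
    return hits


if __name__ == "__main__":
    trials = 20000
    plain = count_second_byte_zero(trials, masked=False)
    mask = count_second_byte_zero(trials, masked=True)
    print(f"uniform expectation : {trials / 256:.0f}")
    print(f"plain RC4  z_2 == 0 : {plain}")
    print(f"masked     z_2 == 0 : {mask}")
```

In the biased event (S_0[2] = 0 and S_0[1] = X with X not equal to 2), round 2 leaves S[2] = X, S[X] = 0 and t = X, so plain RC4 outputs S[X] = 0. In the masked variant the same event gives t2 = X and t3 = 2 + X, so the output becomes S[2 + X], which is no longer forced to zero. Had t3 been chosen as S[i] XOR S[j] instead, it would also equal X in that event and the bias would survive the masking, which is why the choice of the three indices, not just the add-then-XOR shape, decides whether a known bias is removed.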