
Cryptanalysis of RC4-like Stream Ciphers

by Serge Mister

A thesis submitted to the Department of Electrical and Computer Engineering in conformity with the requirements for the degree of Master of Science (Engineering)

Queen's University, Kingston, Ontario, Canada, May 1998. Copyright © Serge Mister, 1998


Abstract

Cryptography is one important building block used in communication systems to provide confidentiality and authenticity. Stream ciphers, ciphers which encrypt data one bit or a few bits at a time, have been used for many years in environments where low delay and high speed are a requirement. Until recently, most stream ciphers were constructed using a set of linear feedback shift registers and a nonlinear combiner. Although these offer advantages in terms of ease of analysis and efficient hardware implementation, their low performance in software settings and the increasing success of correlation attacks have led to the proposal of software-oriented stream ciphers. RC4, a cipher designed by Rivest for RSA Data Security Inc., has found several commercial applications, but little public analysis has been done to date. In this thesis, alleged RC4 (hereafter called RC4¹) is described and existing analysis outlined. The properties of RC4, and in particular its cycle structure, are discussed. Several variants of a basic "tracking" attack are analysed, providing experimental results for scaled-down versions of RC4. For example, the state of a 5 bit RC4-like cipher can be obtained from a portion of the keystream using 2^42 steps, while the nominal keyspace of the system is 2^160. In addition to presenting an interpretation of the results, the thesis contains experimental data offering insight into the RC4 algorithm and its security. This analysis shows that, although the full-size RC4 remains secure against known attacks, RC4 keystreams are distinguishable from randomly generated bit streams, and the RC4 state can easily be recovered if a significant fraction of the full cycle of keystream bits is generated. The tracking attacks discussed provide a significant improvement over the exhaustive search of the full RC4 keyspace. More work is necessary to make these attacks practical in the case where a reduced keyspace is used.
Because the expected RC4 cycle length is vast and only a small portion of the full RC4 keyspace is used in practice, such facts may not pose an immediate concern.

¹While RC4 remains a trade secret of RSA Data Security Inc., the algorithm described in [25] is believed to be output-compatible with RC4. This thesis discusses the algorithm given in [25], and it is referred to as RC4 for convenience.

Acknowledgments

I would like to thank my supervisor, Dr. S. E. Tavares, for his supervision and guidance throughout this project. Thanks also to Mike Wiener for his helpful suggestions, and to the Natural Sciences and Engineering Research Council (NSERC), the School of Graduate Studies and Research of Queen's University and Communications and Information Technology Ontario (CITO) for their financial support of this work.

Contents

Abstract

Acknowledgments

Contents

List of Tables v

List of Figures vi

List of Symbols vii

1 Introduction 1
1.1 Overview and Motivation 1
1.2 General Cryptographic Systems 3
1.3 Stream Ciphers 5
1.3.1 Linear Feedback Based Designs 6
1.3.2 Other Designs 7
1.4 Properties of Stream Ciphers 7
1.5 RC4 Stream Cipher 8
1.6 Background on Cycle Structures 11

2 Literature Review 13
2.1 Stream Cipher Proposals 13
2.1.1 Linear Feedback Shift Register Based Stream Ciphers 13
2.1.2 SEAL 15
2.2 Cryptanalysis of Stream Ciphers 15
2.3 Cryptanalysis of RC4 16
2.3.1 Sci.Crypt Discussion Summary 17
2.3.2 A class of weak keys in RC4 18
2.3.3 Linear Statistical Weaknesses in RC4 20
2.3.4 Comments from RSA 21

3 Periodicity Analysis of RC4 24
3.1 Characterization of RC4 Cycles 24
3.2 A Partitioning of RC4 Cycles 28

4 Systematic Cryptanalysis of RC4 36
4.1 Obtaining a Key from the RC4 State 36
4.2 Forward Tracking Attack 37
4.3 Efficient Starting Points for Forward Tracking 44
4.4 Backtracking Attack 48
4.5 Probabilistic Attacks 49
4.5.1 Probabilistic Model of RC4 50
4.5.2 Laddered Backtracking Attack 51
4.5.3 Most Probable Path Backtracking Attack 54
4.6 Practical Attacks in Unusual Scenarios 59
4.7 Summary of Attack Performance 61

5 Conclusion 62
5.1 Summary and Discussion 62
5.2 Suggestions for Further Study 63

Appendices 69

A Short Cycles of RC4-3 69
A.1 A Cycle of Length 24 70
A.2 A Second Cycle of Length 24 71
A.3 A Third Cycle of Length 24 72
A.4 A Fourth Cycle of Length 24 73

B Detailed Key Distribution for n = 2 and n = 3 74
B.1 Key Distribution for n = 2 75
B.2 Key Distribution for n = 3 83

C Forward Tracking Algorithm in Detail 93

D Probabilistic Information in RC4-4 97

Vita

List of Tables

Nominal and Effective Key Sizes for RC4-n 10
Deviation of RC4 Gap Lengths from those of Random Keystream 18
Possible Periods for RC4 with Word Length 2 and 3 26
Expected Cycle Lengths for a Randomly Chosen Invertible Mapping 27
Cycle Lengths for a Random Permutation With 2580480 Elements (n = 3) 29
Solutions Found by Forward Tracking for a Nonzero Keystream 41
Solutions Found by Forward Tracking for a Zero Keystream 41
Solutions Found by Forward Tracking for a Zero Keystream (approx.) 43
Complexity of the Forward Tracking Algorithm 45
Time to Recover Key, Sorted by Path Count (n = 4) 46
Average Forward Tracking Search Time 46
Keystreams Minimizing Node Count in the Forward Tracking Attack 48
Solutions Found by Backtracking for a Nonzero Keystream 49
Guess Success Probability of Most Probable Depth 6 Path Backtracking Attack 59
Complexity of Most Probable Depth 6 Path Backtracking Attack 60
Time to Recover RC4-n Key with Multiple Keystreams
Estimated Upper Bound on the "True" Keyspace of RC4-n
RC4-4 State Sequence for an Initial Key k = {0, 1, 1, 1}
RC4-4 State Probability Matrix - 1 Keystream Byte Analysed
RC4-4 State Probability Matrix - 3 Keystream Bytes Analysed
RC4-4 State Probability Matrix - 6 Keystream Bytes Analysed
RC4-4 State Probability Matrix - 9 Keystream Bytes Analysed
RC4-4 State Probability Matrix - 10 Keystream Bytes Analysed
RC4-4 State Probability Matrix - 11 Keystream Bytes Analysed
RC4-4 State Probability Matrix - 12 Keystream Bytes Analysed
RC4-4 State Probability Matrix - 13 Keystream Bytes Analysed

List of Figures

The General Structure of a Stream Cipher 3
A Linear Feedback Shift Register Based Stream Cipher 6
The Alleged RC4 Stream Cipher 10
The Cycle Map for the Function f(x) = x^2 + 7 mod 31 11
The Cycle Map for the Function f(x) = x^7 + 7 mod 31 12
LFSR Based Stream Cipher Examples 14
RC4-3 Cycle Distribution Compared with a Random Permutation 28
The Right Shift Operation for an RC4-n State 30
Partitioning of an RC4 Cycle 34
Forward Tracking Algorithm for n = 2, and a 0 Keystream of Length 4 40
Number of Nodes Visited During Forward Tracking 44
Time to Recover Key, Sorted by Node Count at Depths 1 and 2 (n = 4) 45
Time to Recover Key, Sorted by Node Count at Depths 3 and 4 (n = 4) 47
Time to Recover Key, Sorted by Node Count at Depths 5 and 6 (n = 4) 47
Laddered Backtracking Attack 52
Tree Diagram for Most Probable Depth 2 Path Backtracking Attack 55

List of Symbols

C_i: The ith word of the ciphertext. See the definition of K_i for more explanation.

D(t): If D is an RC4 state (see the entry for (i', j', S')), the state obtained by initializing RC4 to state D and performing t keystream generation steps.

(i', j', S'): An RC4 state defined by i = i', j = j', S = S'.

(i', j', {S'_0, ..., S'_{2^n−1}}): An RC4 state defined by i = i', j = j', S = {S'_0, ..., S'_{2^n−1}}.

i: In descriptions of RC4-like algorithms, the counter i which is part of the state of RC4. It is also used as a general counter when no confusion would result.

j: In descriptions of RC4-like algorithms, the counter j which is part of the state of RC4. It is also used as a general counter when no confusion would result.

k_i: The ith word of the key used to initialize RC4-like algorithms. This key is of length l, and the words of the key are k_0, ..., k_{l−1}.

K_i: The ith word of the generated keystream. In an RC4-like system, this word is XORed with the corresponding plaintext word P_i to produce the ciphertext word C_i.

n: The word length of the stream cipher RC4-n.

P_i: The ith word of the plaintext. See the definition of K_i for more explanation.

RC4-n: The RC4-like cipher which processes its input in n bit blocks. Its state thus consists of an s-box S with 2^n entries (denoted S_0, ..., S_{2^n−1}), and two counters, i and j, taking integer values between 0 and 2^n − 1. RC4-8 is the most commonly used implementation.

S: The s-box which is part of the state of RC4-like algorithms.

S_i: The ith entry of the s-box S which is part of the state of RC4-like algorithms.

Rotated s-box: The s-box obtained by cyclically rotating the entries of S to the right by d. Specifically, if S' denotes the rotated s-box, then S'_i = S_{(i − d) mod 2^n}.

Z: The set of integers.

Chapter 1

Introduction

1.1 Overview and Motivation

With the increasing prominence of wireless communication systems and computer networks, the need for reliable communication systems allowing user authentication and confidentiality is becoming widespread. Cryptography is one important approach for achieving these goals.

When a cryptographic system is to be used in an application, many factors must be taken into account. These include:

Security: The system should withstand any attacks to which it may be subjected.

Speed: The implementation must operate at a satisfactory speed. Delay is a related factor.

Complexity: High complexity generally translates into things like higher costs and increased power dissipation.

As with most practical design problems, a balance between these factors must be chosen, which takes into account the specific requirements of the application. In a specific cryptographic application, such as the protection of data between a bank and an automatic teller machine, data authenticity may be more important than confidentiality, and a noticeable delay could be tolerated if it is necessary to meet those security constraints.

Stream ciphers are desirable when confidentiality, high speed, and low delay are required. Applications thus include cellular telephones, teleconferencing systems, and other real-time communication systems. A number of the stream ciphers in use today remain proprietary, and as a result few stream ciphers have been extensively analysed in the public literature. In addition, many stream ciphers have been based on the use of linear feedback shift registers, a model most suitable for hardware designs.

In this work, alleged RC4 (hereafter referred to as RC4¹), a fast software-oriented stream cipher, is analysed. RC4 has found widespread use [23], partially because it has special export status for short (40 bit) key lengths [16].

In this thesis, general results on stream ciphers are reviewed and properties of the RC4 stream cipher are analysed. Finally, attacks on weakened versions of RC4 are presented along with estimates of the complexity of these attacks for the full-size cipher. This work serves to summarize previous, often informal, research on RC4, and to extend that analysis, presenting possible new avenues for cryptanalysis. Chapter 1 continues with an overview of cryptography, stream ciphers, and related mathematical background. In Chapter 2, a survey of the existing stream cipher research is presented. Chapter 3 discusses the periodicity structure of the RC4 cipher, which is used as a basis for cryptanalysis in Chapter 4. Finally, conclusions are presented in Chapter 5.

¹While RC4 remains a trade secret of RSA Data Security Inc., the algorithm described in [25] is believed to be output-compatible with RC4. This thesis discusses the algorithm given in [25], and it is referred to as RC4 for convenience.

1.2 General Cryptographic Systems

Cryptography is the use of transformations of data intended to make the data useless to one's opponents [4]. Such systems address two basic goals: privacy and authenticity.

Privacy is the requirement that no information about the content of a message can be obtained by outsiders from observation of the data transmitted to a recipient.

Authenticity is the requirement that the recipient receives a guarantee that the data has not been modified by an intruder, and has been sent by the claimed sender.

One building block for designing cryptographic systems is an encryption device, which takes a message (the plaintext) and a key (the encryption key), and produces a data stream (the ciphertext) from which only the intended recipient(s) can extract the original message. The recipient uses a decryption device, which inputs ciphertext and a key (the decryption key), and outputs the corresponding plaintext.

There are two general frameworks for constructing these encryption devices: private key systems and public key systems. In a private key system, the decryption key can easily be calculated if the encryption key is known. In many private key systems, the two keys are in fact identical. In public key systems, it is computationally infeasible to calculate the decryption key from the encryption key. Currently, public key systems offer the advantage of simpler key management, but at the expense of reduced speed and increased encryption complexity.

A second way of classifying encryption devices is based on the way they process their data. A block cipher encrypts and decrypts data in large (e.g. ≥ 64 bits) blocks. Shorter messages must then be padded, for example by adding leading 0 bits, if they are to be encoded. Stream ciphers, on the other hand, process data in small blocks: traditionally one bit at a time, but, as software implementations are becoming more popular, commonly eight bits at a time. Generally speaking, stream ciphers are faster than the corresponding block ciphers, and have the advantage of low processing delay.

However. care is necessary to guard against message tampering, a problem more easily avoided with block ciphers.

These two divisions are completely complementary; both private and public key block ciphers exist, as do private and public key stream ciphers. In this thesis, the emphasis will be on private key stream ciphers.

Aside from performance issues, the most important aspect of an encryption system is that it should be secure: without knowledge of the key, it should be computationally infeasible to recover the hidden message. For practical systems, it is presently not possible to prove absolute security because this would require ascertaining the failure of attacks using both currently known and yet to be discovered techniques.

Before a system comes into widespread use, it is therefore extensively analysed in the hope of discovering any fatal flaws. Systems are analysed based on certain assumptions. In a ciphertext-only attack, an intruder is assumed to be capable of intercepting any ciphertext that is sent, but the plaintext is never revealed. In a known plaintext attack, it is assumed that the attacker can see both the ciphertext and the corresponding plaintext for all transmitted messages. The chosen plaintext attack additionally allows the attacker to receive the ciphertext corresponding to messages of his or her choosing. Analogously, the chosen ciphertext attack allows the attacker to obtain the plaintext corresponding to ciphertexts of his/her choosing. In all cases, it is assumed that the encryption system (except for the decryption key) is completely known, and the attacker's task is to recover the decryption key or a plaintext which he/she does not know a priori.

Figure 1.1: The General Structure of a Stream Cipher (blocks: Next State Calculator, Keystream Generator, Encryption Function; inputs P_i and outputs C_i)

1.3 Stream Ciphers

Figure 1.1 illustrates a general stream cipher where P_i, K_i, and C_i denote the plaintext, keystream, and ciphertext, respectively. The picture is inspired by those in [1, 17]. Two special cases are often identified: synchronous and asynchronous (or self-synchronizing) stream ciphers. The former have the property that the keystream is independent of the plaintext input (and thus the next state calculator does not use the ciphertext as input). This implies that the sender and recipient keystream generators must be synchronized. The latter cipher has a state entirely determined by the values of a (finite) fixed number of ciphertext words, in addition to a fixed key.

The remaining discussion will be restricted to synchronous stream ciphers.

1.3.1 Linear Feedback Shift Register Based Designs

Linear feedback shift register (LFSR) based stream ciphers, as illustrated in Figure 1.2 [23], are currently the most understood. Such systems are comprised of several LFSRs whose output is generally combined using a nonlinear combiner, and the key is the initial state of the LFSRs. Many variants of this approach have been analysed; [25] provides an overview.

Figure 1.2: A Linear Feedback Shift Register Based Stream Cipher (several LFSRs feeding a nonlinear combiner)

The designs use one or more of the following techniques to render cryptanalysis more difficult:

Using one of the LFSRs to choose which of the other LFSRs' output will be the output of the system.

Using one of the LFSRs to clock one or more of the others.

Using a chain of LFSRs, with each one clocking the next.

Many of the proposed designs have been broken (at least theoretically) by correlation attacks (see Section 2.2).

1.3.2 Other Designs

Because linear feedback shift register based systems generally produce one bit of output at a time, they are most efficient in hardware implementation. Software implementations tend to be much slower, and as a result several proposals for software-oriented stream ciphers have been made. These include SEAL [20], RC4 [19], and WAKE [27]. These and others are described in [25].

1.4 Properties of Stream Ciphers

In order for a stream cipher to be secure, the keystream generated by it must have certain properties. The following properties might be considered necessary:

The cipher should produce keystreams which pass all statistical randomness tests.

Most keys should generate keystreams of long period. Otherwise, the stream cipher will be limited to encrypting only relatively short messages.

In addition, several properties, although their absence may not lead to a direct method of attack, remain desirable because they remove additional structure which might be exploitable in a new attack. These include:

The cipher should have a few long cycles, not many shorter ones. Most stream ciphers generate keystreams that are periodic. Having many short cycles may allow the problem of cryptanalysis to be reduced to the analogous problem in each of the small cycles. If these can be readily distinguished, information is immediately obtained about the keystream.

For each cycle, a large fraction of the cycle should be usable without compromising the secrecy of the key. For many ciphers, many keys will initialize the system to a state in a given cycle. If one portion of a cycle provides information about another, this can lead to attacks based on observing the same message encrypted under several keys.

1.5 RC4 Stream Cipher

RC4 is a stream cipher operating on n-bit words. Its key is variable-length, from 1 to 2^n n-bit words. Although RC4 is still strictly a trade secret of RSA Data Security Inc., source for the algorithm was posted to the cypherpunks mailing list in 1994, and indications are that this is in fact the true RC4 algorithm [1, 18, 25]. The algorithm is most commonly used with n = 8.

The following description of RC4 is based on that given in [25]. To use RC4, a key is first used to initialize the 2^n word s-box S and the counters i and j through Algorithm 1.5.1. The keystream K is then generated using Algorithm 1.5.2.

Algorithm 1.5.1 (RC4 Initialization)

Input: k_0, ..., k_{l−1}, the user's key, represented by l n-bit words.

Output: The initial state of RC4 (i, j, and S).

1. For i from 0 to 2^n − 1
   (a) Set S_i = i.

2. Set j = 0.

3. For i from 0 to 2^n − 1
   (a) Set j = j + S_i + k_{i mod l} mod 2^n.
   (b) Swap S_i and S_j.

4. Set i = 0 and j = 0.

Algorithm 1.5.2 (Keystream Generation)

Input: i, j, and S, the state of RC4.

Output: The next word in the keystream, and the next RC4 state (i, j, and S).

1. Set i = i + 1 mod 2^n.

2. Set j = j + S_i mod 2^n.

3. Swap S_i and S_j.

4. Output S_{S_i + S_j mod 2^n} as the next word in the keystream.

The keystream generation algorithm is depicted in Figure 1.3. From these descriptions, it can be seen that the initialization routine employs the user's key to generate a "randomly" chosen permutation. The keystream generation stage, in addition to producing the output keystream, causes the state to evolve slowly by exchanging two of the s-box entries on each iteration.

In the analysis of RC4, it is useful to differentiate between the nominal and effective key lengths. The distinction arises because, although a key of length n2^n bits can be input to Algorithm 1.5.1, the effect is the selection of a permutation of 2^n values, which has log_2(2^n!) bits of entropy. n2^n will be called the nominal key length, and log_2(2^n!) will be called the effective key length. Table 1.1 tabulates these for several values of n.

Figure 1.3: The Alleged RC4 Stream Cipher (1. Increment i by 1; 2. Increment j by S_i; 3. Swap S_i and S_j; 4. Output S_{S_i + S_j})

RC4 Word Size (n)   Nominal Key Length (bits)   Effective Key Length (bits)
2                   8                           4.58
3                   24                          15.30
4                   64                          44.25
5                   160                         117.66
6                   384                         296.00
7                   896                         716.16
8                   2048                        1684.00
9                   4608                        3875.11

Table 1.1: Nominal and Effective Key Sizes for RC4-n
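As an added example (not the thesis's own code), Algorithms 1.5.1 and 1.5.2 implemented for a general word size n, so that the scaled-down RC4-n instances analysed later can be generated alongside ordinary RC4 (n = 8), together with the nominal and effective key lengths of Table 1.1. Function names are the example's own; the n = 8 check uses the commonly published test vector for the key "Key".

```python
import math
from typing import List, Tuple

# Added example, not code from the thesis: RC4-n as defined by
# Algorithms 1.5.1 and 1.5.2.  A state is the triple (i, j, S) used in
# the thesis; n = 8 is ordinary RC4 and small n gives the scaled-down
# versions studied in later chapters.
State = Tuple[int, int, List[int]]


def rc4n_init(key: List[int], n: int) -> State:
    """Algorithm 1.5.1: build the initial state from l n-bit key words."""
    size = 1 << n
    if not 1 <= len(key) <= size:
        raise ValueError("key must contain between 1 and 2^n words")
    if any(not 0 <= k < size for k in key):
        raise ValueError("every key word must be an n-bit value")
    S = list(range(size))                 # S_i = i
    j = 0                                 # j starts at 0
    for i in range(size):                 # key-driven swaps
        j = (j + S[i] + key[i % len(key)]) % size
        S[i], S[j] = S[j], S[i]
    return (0, 0, S)                      # counters reset: i = j = 0


def rc4n_next(state: State) -> Tuple[int, State]:
    """Algorithm 1.5.2: one keystream word plus the successor state.

    The s-box is copied, so this is a pure function f: S -> S on the set
    of RC4-n states, which is how Section 1.6 views keystream generation.
    """
    i, j, S = state
    size = len(S)
    S = S[:]
    i = (i + 1) % size
    j = (j + S[i]) % size
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % size], (i, j, S)


def rc4n_keystream(key: List[int], n: int, length: int) -> List[int]:
    """The first `length` keystream words K_0, K_1, ... for this key."""
    state = rc4n_init(key, n)
    words = []
    for _ in range(length):
        word, state = rc4n_next(state)
        words.append(word)
    return words


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Ordinary RC4 (n = 8): C_i = P_i XOR K_i; the same call decrypts."""
    ks = rc4n_keystream(list(key), 8, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def nominal_key_bits(n: int) -> int:
    """n * 2^n: the most key material Algorithm 1.5.1 will accept."""
    return n * (1 << n)


def effective_key_bits(n: int) -> float:
    """log2((2^n)!): entropy of the permutation the key actually selects.

    Summing logarithms keeps the value accurate for n = 9 without
    forming the huge factorial.
    """
    return sum(math.log2(m) for m in range(1, (1 << n) + 1))


if __name__ == "__main__":
    # Reproduce Table 1.1 for n = 2 .. 9.
    print("n  nominal  effective")
    for n in range(2, 10):
        print(f"{n}  {nominal_key_bits(n):7d}  {effective_key_bits(n):9.2f}")
    # Published n = 8 test vector: key "Key" -> keystream EB 9F 77 81 ...
    print(bytes(rc4n_keystream(list(b"Key"), 8, 10)).hex())
    # A scaled-down instance with 2-bit words and a single-word key.
    print(rc4n_keystream([0], 2, 8))
```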

An analysis of the properties of this system is given in later chapters. In that analysis, the state of RC4 will be denoted (i, j, {S_0, ..., S_{2^n−1}}) or (i, j, S). If D = (i, j, S) is a state of RC4, then D(t) is the state of RC4 after t keystream bytes have been generated with the system initialized to state D. The notation RC4-n will be used to specify the word length of the cipher explicitly.

1.6 Background on Cycle Structures

If the output of the algorithm is ignored, keystream generation with RC4 can be thought of as the iteration of a deterministic function f : S → S, where S denotes the set of RC4 states. The iteration is of the form D_{t+1} = f(D_t).

Since the set S is finite, there must exist two distinct integers a and b such that D_a = D_b (that is, the sequence must produce at least one output more than once). At that point, it will be true that D_{a+t} = D_{b+t} for all t. From point a, the sequence is periodic with period b − a. This is illustrated in Figure 1.4 for a non-invertible function, and in Figure 1.5 for an invertible mapping.

Figure 1.4: The Cycle Map for the Function f(x) = x^2 + 7 mod 31

Each of the figures is divided into two parts; the one on the right depicts the complete cycle information for the specified function, while the left portion illustrates the sequence obtained by iterating the function from the starting value x = 2. In the case of a non-invertible mapping, the sequence of values obtained by iterating the function is composed of a tail portion followed by a cyclic portion. In the case of invertible mappings, the sequence is always periodic, because a tail implies that two distinct inputs map to the same output value.

Figure 1.5: The Cycle Map for the Function f(x) = x^7 + 7 mod 31

The cycle length is defined to be the number of edges (or nodes) in the repeating portion of a sequence, and the tail length is the number of edges in the non-repeating portion. The ρ-length is the number of distinct values appearing in the sequence [7].

From Figure 1.4, the function x^2 + 7 mod 31 with starting value 2 has a tail length of 4 and a cycle length of 4. The ρ-length is thus 8. From Figure 1.5, the function x^7 + 7 mod 31 has a cycle length of 11 for a starting value of 2. It will be useful to compare the properties of RC4 with those expected for arbitrarily chosen ("random") permutations. Discussions of additional properties of the cycle distribution of such random mappings and permutations can be found in [7, 2, 26].
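The tail, cycle and ρ-length bookkeeping of this section, written out as an added example (not the thesis's code) that measures any deterministic self-map: it applies unchanged to the polynomial maps of Figures 1.4 and 1.5 and, given an RC4-n next-state function and a hashable state, to RC4 states; for an invertible map it also recovers the complete cycle decomposition drawn on the right of those figures. Function names are the example's own.

```python
from typing import Callable, Dict, Hashable, Iterable, List, Tuple

# Added example, not code from the thesis: iterate a function f from x0
# and report the rho-structure the thesis defines in Section 1.6.


def rho_structure(f: Callable, x0: Hashable) -> Tuple[int, int, int]:
    """Return (tail_length, cycle_length, rho_length) of x0, f(x0), f(f(x0)), ...

    tail_length  = edges before the first repeated value is reached
    cycle_length = edges in the repeating part (the period b - a)
    rho_length   = number of distinct values = tail + cycle
    Works for any hashable state, e.g. (i, j, tuple(S)) for RC4-n.
    """
    first_seen: Dict[Hashable, int] = {}
    x, step = x0, 0
    while x not in first_seen:      # stops at the first repeat D_a = D_b
        first_seen[x] = step
        x = f(x)
        step += 1
    a = first_seen[x]               # index of the earlier occurrence
    tail, cycle = a, step - a
    return tail, cycle, tail + cycle


def is_invertible(f: Callable, domain: Iterable) -> bool:
    """True iff f is a bijection on the finite domain (no two inputs collide)."""
    domain = list(domain)
    return len({f(x) for x in domain}) == len(domain)


def cycle_decomposition(f: Callable, domain: Iterable) -> List[int]:
    """Sorted lengths of all cycles of an invertible f on domain (the
    'right half' of Figures 1.4 and 1.5).  Raises if f is not a
    permutation, since then some points lie on tails, not on cycles."""
    domain = list(domain)
    if not is_invertible(f, domain):
        raise ValueError("cycle decomposition needs an invertible map")
    seen = set()
    lengths = []
    for start in domain:
        if start in seen:
            continue
        x, length = start, 0
        while x not in seen:        # walk the cycle back to start
            seen.add(x)
            x = f(x)
            length += 1
        lengths.append(length)
    return sorted(lengths)


# The two maps of Figures 1.4 and 1.5.
def square_plus_7(x: int) -> int:
    return (x * x + 7) % 31


def seventh_plus_7(x: int) -> int:
    return (pow(x, 7, 31) + 7) % 31


if __name__ == "__main__":
    print("x^2 + 7 mod 31 from 2:", rho_structure(square_plus_7, 2))   # (4, 4, 8)
    print("x^7 + 7 mod 31 from 2:", rho_structure(seventh_plus_7, 2))  # (0, 11, 11)
    print("x^2 + 7 invertible?", is_invertible(square_plus_7, range(31)))
    print("cycles of x^7 + 7:", cycle_decomposition(seventh_plus_7, range(31)))
```

The decomposition of x^7 + 7 mod 31 comes out as cycles of length 6, 11 and 14, which account for all 31 residues; the map is invertible because gcd(7, 30) = 1.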

Tables 3.2 and 3.3 show the distribution of cycle lengths for random permutations.

Chapter 2

Literature Review

2.1 Stream Cipher Proposals

In this section, a brief overview of linear feedback shift registers is provided. The software-oriented stream cipher SEAL is presented for comparison with RC4, which was introduced in Section 1.5.

2.1.1 Linear Feedback Shift Register Based Stream Ciphers

Many stream ciphers based on the use of linear feedback shift registers (LFSRs) have been proposed. At least two factors make LFSR based designs attractive [17]:

Well understood background theory: The cycling properties of linear feedback shift registers are well known. LFSRs can produce long cycles having good statistical randomness properties. In particular, if a primitive polynomial over GF(2) of degree L defines the LFSR [17], the sequence will have period 2^L − 1, the maximum possible, and satisfy several randomness properties.

Efficient hardware implementation: Shift registers can easily be constructed in hardware such that an output bit can be produced after each clock cycle.

In addition to the general structure of Figure 1.2, four concrete variations are illustrated in Figure 2.1. The examples of Figure 2.1 are discussed in [25]. Much of the pioneering work on LFSR based stream ciphers was done by Rueppel [23].

Figure 2.1: LFSR Based Stream Cipher Examples (panels include a Summation Generator and a Shrinking Generator built from clocked LFSRs)

2.1.2 SEAL

SEAL is a software optimized encryption algorithm first published in [20]. Since then, one attack (see [13]) has been found, and the algorithm has been revised [XI]. SEAL is described as a pseudo-random function family as defined in [9]. It consists of two parts: an initialization function and a keystream generation function.

The initialization function takes two parameters, a and L, the secret key and maximum sequence length respectively, and initializes three tables. The initialization function makes use of the secure hash algorithm, SHA-1 [6], to produce the three tables. The only objective of the initialization is that the tables be "random"; no particular structure is desired. The particular algorithm used is not described here.

When initialization is complete, the keystream generation function inputs a sequence number and sequence length, and outputs a sequence of that length. The keystream generation function can be called multiple times after the initialization function. The keystream can be used to encrypt a plaintext by XORing the two.

2.2 Cryptanalysis of Stream Ciphers

Because of the prominence of linear feedback shift register based stream ciphers, the complexity notions defined by them have proved useful in attacking stream ciphers.

Consider an infinite binary sequence s, and the corresponding subsequences s^N, consisting of the first N terms of s. The linear complexity of the binary sequence s is defined as:

$$L(s) = \begin{cases} 0 & \text{if } s \text{ is the constant zero sequence} \\ \infty & \text{if no LFSR generates } s \\ d & \text{otherwise, where } d \text{ is the smallest integer such that there exists an LFSR of length } d \text{ generating } s \end{cases}$$

The linear complexity of a finite binary sequence s^N is the length of the shortest LFSR generating the sequence as its initial terms, and the linear complexity profile of an infinite sequence s is the sequence L_1, L_2, ..., of the linear complexities of s^1, s^2, s^3, ....

The Berlekamp-Massey algorithm [17] can be used to efficiently determine the linear complexity of a finite sequence and to determine the corresponding LFSR. It recovers this information after observing 2d bits of the keystream, where d is its linear complexity.
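An added example (not from the thesis) of the linear complexity notion just defined: Berlekamp-Massey over GF(2) returning L and the connection polynomial, the linear complexity profile L_1, L_2, ..., and a check that the recovered LFSR regenerates the sequence. The sample sequence is constructed here from a length-3 LFSR with feedback s_k = s_{k-1} + s_{k-3}; names are the example's own.

```python
from typing import List, Tuple

# Added example, not the thesis's code: Berlekamp-Massey over GF(2).
# Bits are 0/1 ints; a connection polynomial is the list
# [c_0 = 1, c_1, ..., c_L] meaning s_k = c_1 s_{k-1} + ... + c_L s_{k-L} (mod 2).


def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """Return (L, C): the linear complexity of s and the shortest LFSR for it."""
    n = len(s)
    C = [1] + [0] * n            # current connection polynomial
    B = [1] + [0] * n            # polynomial before the last length change
    L, m = 0, 1                  # current length; steps since that change
    for k in range(n):
        # discrepancy: does the current LFSR predict s_k?
        d = s[k]
        for i in range(1, L + 1):
            d ^= C[i] & s[k - i]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for i in range(n + 1 - m):   # C(x) <- C(x) + x^m B(x)
            C[i + m] ^= B[i]
        if 2 * L <= k:               # the LFSR must grow
            L = k + 1 - L
            B, m = T, 1
        else:
            m += 1
    return L, C[:L + 1]


def lfsr_generate(C: List[int], seed: List[int], length: int) -> List[int]:
    """Run the LFSR described by C from its first L terms."""
    L = len(C) - 1
    out = list(seed[:L])
    while len(out) < length:
        bit = 0
        for i in range(1, L + 1):
            bit ^= C[i] & out[-i]
        out.append(bit)
    return out[:length]


def linear_complexity_profile(s: List[int]) -> List[int]:
    """L_1, L_2, ... for the prefixes s^1, s^2, ... (simple O(N^2) version)."""
    return [berlekamp_massey(s[:N])[0] for N in range(1, len(s) + 1)]


# Constructed sample: 14 bits from the LFSR s_k = s_{k-1} + s_{k-3}
# (period 7, so linear complexity 3).
SAMPLE = [1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0]

if __name__ == "__main__":
    L, C = berlekamp_massey(SAMPLE)
    print("linear complexity:", L, "connection polynomial:", C)
    print("regenerated:", lfsr_generate(C, SAMPLE, len(SAMPLE)) == SAMPLE)
    # 2L = 6 bits already determine this LFSR, as the text states.
    print("from 6 bits:", berlekamp_massey(SAMPLE[:6]))
    print("profile:", linear_complexity_profile(SAMPLE))
```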

In practice, stream ciphers use one or more combining functions or other mixing devices to obscure the output of the LFSR, preventing the direct application of the Berlekamp-Massey algorithm. However, if the combiner allows some information about the individual LFSR outputs to leak, the algorithm can be applied in combination with another. Correlation attacks are one means of recovering the LFSR output sequences from the keystream data. In essence, such attacks attempt to construct a linear function of the combiner inputs which is highly correlated with the keystream output. This correlation can be used to determine the initial state of a subset of the LFSRs; exhaustive search is then used to determine the remaining unknown state.

This attack can be successful against memoryless nonlinear combiners, because it has been shown that for these at least one linear function of the combiner inputs is correlated with the output [28]. Recent work shows that the attack remains feasible for nonlinear combiners with memory as well [24].

2.3 Cryptanalysis of RC4

Few publicly available cryptanalyses have been performed on RC4 to date. Much discussion was generated on the Internet newsgroup sci.crypt about RC4, probably at least partially due to the way in which the RC4 algorithm was obtained. The results are summarized in the following sections.

2.3.1 Sci.Crypt Discussion Summary

The RC4 algorithm was first posted to the cypherpunks mailing list, then from there to the sci.crypt Internet discussion group on September 13, 1994 [1]. Another contributor confirmed that the output of the posted algorithm was in agreement with that of legitimate RC4 software [18]. Some analysis followed this initial posting, leading to several results. Because of the informal nature of the discussion group, only selected postings have been summarized here:

Biased Gap Distribution in RC4

The observation that RC4 keystreams are slightly biased was first reported in [14]. Consider a sequence s_i of symbols, where each element can be any one of 2^n symbols. Define the gap at s_i to be the smallest integer t ≥ 0 such that s_i = s_{i+t+1}. For a truly random sequence, the probability that t = k is given by:

Table 2.1 shows the ratio of the actual to the expected gap probability, based on a sample of approximately 2^30 elements of an arbitrarily chosen RC4 keystream. For all values of n, gaps of length 0 are more likely than expected, and gaps of length 1 are less likely than expected. In support of this,  it has also been observed that the probability that S_i = 0 is lower than expected and that the probability that S_i = 2^n − 1 is higher than expected after a gap of length 0.

Table 2.1: Deviation of RC4 Gap Lengths from those of Random Keystream
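Added example (not the thesis's code) reproducing the measurement behind Table 2.1 for any symbol sequence. Two assumptions: the gap at s_i is the number of symbols strictly between s_i and the next occurrence of the same symbol (so a gap of 0 is an immediate repeat), and the reference probability is the geometric law 2^-n (1 − 2^-n)^k for independent uniform symbols, which is the standard value for the random case. The input is a constructed seeded pseudo-random sequence; an RC4-n keystream can be substituted to look for the bias the text reports.

```python
import random
from collections import Counter
from typing import Dict, List, Sequence

# Added example, not the thesis's code: observed-versus-expected gap
# probabilities for a sequence over 2^n symbols, as in Table 2.1.


def gap_lengths(seq: Sequence[int], n: int) -> List[int]:
    """Gap at s_i: symbols strictly between s_i and the next equal symbol.
    Positions with no later occurrence have no gap and are skipped.
    Returned in position order."""
    size = 1 << n
    next_pos: Dict[int, int] = {}
    gaps: List[int] = []
    for idx in range(len(seq) - 1, -1, -1):   # scan backwards
        s = seq[idx]
        if not 0 <= s < size:
            raise ValueError(f"symbol {s} is not an {n}-bit value")
        if s in next_pos:
            gaps.append(next_pos[s] - idx - 1)
        next_pos[s] = idx
    return gaps[::-1]


def expected_gap_probability(k: int, n: int) -> float:
    """P(gap = k) for independent uniform symbols (assumed reference law):
    the next k symbols differ from s_i, the (k+1)-th matches."""
    p = 1.0 / (1 << n)
    return p * (1.0 - p) ** k


def gap_ratios(seq: Sequence[int], n: int, max_gap: int) -> Dict[int, float]:
    """observed / expected probability for gaps 0 .. max_gap; 1.0 means
    'as random'.  A ratio above 1 at gap 0 and below 1 at gap 1 is the
    RC4 deviation Table 2.1 reports."""
    gaps = gap_lengths(seq, n)
    counts = Counter(gaps)
    total = len(gaps)
    if total == 0:
        raise ValueError("sequence too short to contain any gap")
    return {k: (counts[k] / total) / expected_gap_probability(k, n)
            for k in range(max_gap + 1)}


def random_symbols(n: int, length: int, seed: int = 1) -> List[int]:
    """Constructed reference input: seeded uniform symbols (not a keystream)."""
    rng = random.Random(seed)
    return [rng.randrange(1 << n) for _ in range(length)]


# A tiny hand-made sequence whose gaps can be checked by eye (n = 1).
TINY = [0, 1, 1, 0, 0, 0, 1]   # gaps in position order: 2, 0, 3, 0, 0

if __name__ == "__main__":
    print(gap_lengths(TINY, 1))
    for k, r in gap_ratios(random_symbols(3, 200_000), 3, 4).items():
        print(f"gap {k}: observed/expected = {r:.3f}")
```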

A Probabilistic Attack for Weakened Versions of RC4

In [14], a simple attack on RC4 which seems to work for n ≤ 3 was suggested. The attack assigns an arbitrary permutation to the s-box S, then iterates the keystream generation function. If the output of the algorithm does not match the observed keystream, the entry containing the desired output is swapped with the entry which would be output by the algorithm. The hope is that S converges to the correct one, but no rationale is given for the attack, and the convergence appears to fail for n ≥ 4.

A Set of Short Cycles

Suppose that i = a, j = a + 1, and S_{a+1} = 1 for some a. Then, after one iteration, i = a + 1, j = a + 2, and S_{a+2} = 1. Thus, the original relationship is preserved. Each such cycle has length 2^n · (2^n − 1), and (2^n − 2)! such cycles exist. Note however that, because RC4 is initialized to i = j = 0, these cycles never occur in practice. These observations were first made in [5] and outlined in [18].

2.3.2 A class of weak keys in RC4

Several postings observed that the RC4 key initialization algorithm is not one which generates a random permutation without bias. This is exploited in one substantial newsgroup posting [22], in which a class of weak keys, for which the initial byte of the keystream is highly correlated with the first few key bytes, is discussed. The basic idea is as follows. Considering the RC4 initialization function (Algorithm 1.5.1), it can be observed that the words of the key are used sequentially and that each entry of S is swapped (possibly with itself) at least once, at the step where counter i points to it. The probability that this is the only step where an s-box entry S_t is swapped, on the assumption that j is a uniformly distributed random variable, is

The exponent is 2^n − 1 because when i = t, a swap with j = t has no effect. For n = 8, this probability works out to 0.37. This estimate, combined with the assumption that during the first portion of the initialization process s-box entries will satisfy S_t = t, can be used to predict the most likely values of the entries of the s-box after initialization with the key in terms of the leading words of the key. The most likely value is found to be:

In addition, it can be noted that, if S_1 = 1, the first word of the keystream is S_2. From (2.2), S_1 = 1 will occur with highest probability if k_0 + k_1 = 0 mod 2^n, in which case S_2 = k_2 + 3 mod 2^n is the most likely initial keystream word. This idea can be exploited by assuming at the outset that the user's key is weak (with k_0 + k_1 = 0 mod 2^n) and that k_2 + 3 mod 2^n is the first keystream byte K_0. For n = 8, the first event occurs with probability 1/256, and the second with probability 0.138 (a number computed experimentally by the author in [22]). Thus, the search space has been reduced by a factor of 2^16, but the search will succeed only with probability 0.138/256, for an effective improvement factor of 2^16 · 0.138/256 = 35.3 ≈ 2^5.1. A second exploit, using an assumed linear relationship between successive session keys, provides an effective reduction in search space of 18 bits.

2.3.3 Linear Statistical Weaknesses in RC4

It has been shown that, if the keystream is grouped into blocks of M bits, with M larger than the internal memory of the keystream generator (n · 2^n + 2n bits for RC4), then a linear relationship between bits of the keystream having probability different from 1/2 must exist [10, 11].

In [12], the author derives a linear model of RC4 using the linear sequential circuit approximation (LSCA) method. The model is successful in part because the s-box evolves slowly. Denote by (i, j, S), (i', j', S'), and (i'', j'', S'') the RC4 state at the end of each of three consecutive keystream generation iterations. Then the first three keystream bytes generated are K_0 = S_{S_i + S_j}, K_1 = S'_{S'_{i'} + S'_{j'}}, and K_2 = S''_{S''_{i''} + S''_{j''}} and, using superscripts to denote bit selection, the second binary derivative of the least significant bit of the keystream is (K_0^(0) + K_1^(0)) + (K_1^(0) + K_2^(0)) = K_0^(0) + K_2^(0), where the addition is mod 2. Using the slow evolution of the s-box to approximate S = S' = S'' and linearizing S by assuming S_k ≈ k, the second derivative becomes a linear expression in the state bits, requiring six linearizations. The author shows that the model has correlation coefficient 15 · 2^(−3n) and that 64^n/225 keystream bytes are needed to detect the statistical weakness. The method could be used to distinguish RC4 from other ciphers, to determine the word size n, and possibly to aid in plaintext uncertainty reduction.

2.3.4 Comments from RSA

RSA Data Security Inc. has made several comments after the posting of the RC4 code, including the following:

Path: msuinfo!uwm.edu!lll-winken.llnl.gov!ames!waikato!auckland.ac.nz!news
From: [email protected] (Bruce Schneier)
Newsgroups: sci.crypt,talk.politics.crypto,alt.security,alt.privacy,comp.security.misc
Subject: RC4 Source Code Posted - A Response from RSA Data Security, Inc.
Date: 18 Sep 1994 08:23:03 GMT
Organization: Chinet - Public Access UNIX
Lines: 38
Message-ID: <35gtd7 [email protected]>
NNTP-Posting-Host: cs13.cs.aukuni.ac.nz
X-Newsreader: NN version 6.5.0 #7 (NOV)
Xref: msuinfo sci.crypt:32068 talk.politics.crypto:7279 alt.security:18819 alt.privacy:19004 comp.security.misc:11760

As most of you probably know, source code to RC4 was anonymously posted to sci.crypt and to the Cypherpunks mailing list, and is now available for anonymous ftp from sites all over the world. The following is RSA Data Security, Inc.'s response to this. It seems like they wish to stuff the genie back into the bottle. Bruce

>From Mercury!RSA.COM!jim Fri Sep 16 18:42:29 1994
Return-Path:
Date: Fri, 16 Sep 94 16:08:34 PDT
From: jim@RSA.COM (Jim Bidzos)
To: schneier@chinet.chinet.com
Subject: Thank you Bob Anderson (fwd)

FYI ... I'd appreciate if you posted this wherever you saw RC4 ...

WARNING NOTICE

It has come to RSA Data Security's attention that certain RSA trade secrets, in the form of confidential and proprietary source code, have been misappropriated and disclosed. Please be advised that these acts, as well as any retransmission or use of this misappropriated source code is a violation of the Uniform Trade Secrets Act and various other state and federal laws. Any person or entity that acquires, discloses or uses this information is subject to criminal and civil penalties including an injunction, compensatory damages, punitive damages and payment of RSA's attorneys fees.

RSA considers this misappropriation to be most serious. Not only is this act a violation of law, but its publication is a gross abuse of the Internet. RSA has begun an investigation and will proceed with legal action against anyone found to have violated its intellectual property rights.

news2.aimnet.com!athena.mit.edu!baldwin
From: [email protected] (Robert Baldwin)
Newsgroups: sci.crypt,alt.security.pgp,talk.politics.crypto
Subject: RSA's comments on weak RC4 keys
Date: 29 Sep 95 18:31:23
Organization: RSA Data Security, Inc.
Lines: 29
Distribution: world
Message-ID: <BALDWIN.95Sep29183123@chirality.rsa.com>
NNTP-Posting-Host: rsa.com
Xref: msunews sci.crypt:44644 alt.security.pgp:44327 talk.politics.crypto:13053

Here is a relevant comment from my employer about the excellent work that Andrew Roos has been doing on RC4. --Bob Baldwin

------ September 29, 1995 Statement from RSADSI

RSA Data Security Inc. has been following the emerging reports of a weakness in certain keys for the RC4 cipher. RSADSI's researchers have been aware of this particular property of the RC4 cipher for over a year. Most ciphers have a property whereby an enormous amount of known plaintext will provide a slight reduction in exhaustive key searching. The linear cryptanalysis of the DES cipher is a well known example of this. Limitations like this in the underlying ciphers are addressed by following sound advice on the design of the overall cryptographic system.

Products that include RC4 from RSADSI are not compromised by this attack. Companies that license the BSafe cryptography toolkit have always been given advice that overcomes this limitation of the RC4 cipher, and this is true even for products that were built >before< this specific problem was discovered by the researchers at RSADSI. These researchers also monitor all developments in the field of cryptography and cryptanalysis so they can keep RSADSI's customers apprised of relevant developments.

Chapter 3

Periodicity Analysis of RC4

3.1 Characterization of RC4 Cycles

Because RC4 has a finite number of states, it must eventually be periodic. In fact, because RC4 encryption is a deterministic, reversible operation, the system is periodic regardless of the initial state. Also, because the counter i in the algorithm goes through the 2^n values 0, ..., 2^n − 1 sequentially, the period must be divisible by 2^n.

These observations lead to the following statement:

Fact 3.1.1

For all keys, RC4-n is periodic, with period T = 2^n z for some positive integer z. The first state to re-appear as RC4 evolves is the initial state.

Note that in discussing the period of a stream cipher, the distinction between the period of the full state of the cipher (the period of the cipher) and the period of the keystream, which could be any factor of the cipher period, must be made. The cipher period is discussed here.

Table 3.1 lists the set of periods possible for RC4 ciphers of word length 2 and 3. These were determined experimentally, by exhaustively trying all possible permutations for the initial state of the s-box (with i and j set to zero). For each value of the period, the number of cycles with that period is listed, and the number of initial states in each cycle is given. For example, for n = 3, two cycles of length 935196 exist. 15010 initial states are contained in the first cycle, and 13274 initial states are contained in the second. Note that, although Algorithm 4.1.1 shows that every permutation appears as a starting state of RC4, this does not imply that all permutations are equally likely to occur. However, given the RC4 initialization algorithm (Algorithm 1.5.1) and the detailed data in Appendix B, the assumption that all permutations are approximately equally likely seems valid. The last three columns will be explained in Section 3.2.

For comparison, a table of the expected cycle lengths for a randomly chosen invertible mapping is given in Table 3.2 [26]. Note that the data in this table is an approximation, because the results presented in [26] are asymptotic. Additional results on the cycle distribution of random mappings can be found in [2].

The expected cycle length distribution for random permutations of 2580480 elements (corresponding to RC4-3) was obtained experimentally by generating 1500 permutations at random and determining their cycle distribution. The results are presented in Table 3.3, where the average cycle length of the i-th longest cycle is given in row i, along with the corresponding standard deviation and minimum and maximum cycle lengths observed. The data in this table is comparable to the asymptotic results of Table 3.2, indicating that the asymptotic results are relevant for the size of the permutations being considered.

It can be argued that RC4 should behave like a random permutation, in the sense that its cycle structure should be similar to that of a random permutation. Figure 3.1 plots the expected cycle length of a random permutation, with error bars indicating the minimum and maximum cycle lengths observed in the experiment. The RC4-3 cycle lengths plotted alongside show that for the long cycle lengths, RC4 does resemble a random permutation, but a larger proportion of elements are in shorter cycles than would be the case in a randomly chosen invertible mapping. Additional properties of the distribution of RC4 cycle lengths are given in the next section, in Theorem 3.2.3.

Table 3.1: Possible Periods for RC4 with Word Length 2 and 3

Table 3.2: Expected Cycle Lengths for a Randomly Chosen Invertible Mapping [26] [columns: 384 elements (n = 2), 2580480 elements (n = 3), 5.35 · 10^15 elements (n = 4); one row per cycle, longest first; table body not legible in the scan]

Figure 3.1: RC4-3 Cycle Distribution Compared with a Random Permutation [plot; horizontal axis: Cycle Number (sorted by length); series: Random Permutation, RC4-3]

3.2 A Partitioning of RC4 Cycles

From an RC4 state (i, j, {S_0, ..., S_{2^n−1}}), it will be useful to consider the "right shift by d" of that state, defined to be (i + d, j + d, {S_{−d mod 2^n}, ..., S_{2^n−1−d}}). The s-box resulting from a right shift by d of a system (i, j, S) is denoted S ▷ d. The right shift is illustrated in Figure 3.2. The term "right shift" is appropriate because, when the RC4 state is written horizontally as (i, j, {S_0, S_1, ..., S_{2^n−2}, S_{2^n−1}}), a right shift by one is (i + 1, j + 1, {S_{2^n−1}, S_0, S_1, ..., S_{2^n−2}}) and thus the s-box has been cyclically shifted right by one.

Table 3.3: Cycle Lengths for a Random Permutation With 2580480 elements (n = 3) [columns: Cycle, Average Length, Standard Deviation, Min. Length, Max. Length; table body not legible in the scan]

Figure 3.2: The Right Shift Operation for an RC4-n State [Original System: (i, j, S_0, ..., S_{N−1}); System Right Shifted by 1: (i + 1, j + 1, S_{N−1}, S_0, ...)]

Given an RC4-n system in an arbitrary state (i, j, S), consider the system obtained by rotating S to the right by an integer d, and incrementing both i and j by d. The keystream generation algorithm for this modified system is:

1. Set i' = i' + 1 mod 2^n.

2. Set j' = j' + S'_{i'} mod 2^n.

3. Swap S'_{i'} and S'_{j'}.

4. Output S'_{S'_{i'} + S'_{j'}} as the next word in the keystream.

Expressed in terms of the original s-box S (using S'_k = S_{k − d mod 2^n}), this is:

1. Set i' = i' + 1 mod 2^n.

2. Set j' = j' + S_{i' − d mod 2^n} mod 2^n.

3. Swap S_{i' − d mod 2^n} and S_{j' − d mod 2^n}.

4. Output S_{S_{i' − d} + S_{j' − d} − d mod 2^n} as the next word in the keystream.

which becomes:

1. Set i' = i + d + 1 mod 2^n.

2. Set j' = j + d + S_i mod 2^n.

3. Swap S_i and S_j.

4. Output S_{S_i + S_j − d mod 2^n} as the next word in the keystream.

In the above, it is assumed that the keystream generation algorithm is applied in step to both the original and the modified system. Comparing this to the keystream generation algorithm for the original system, it can be observed that only the output of the system has changed, but in a simple way: S_{S_i + S_j − d mod 2^n} is output instead of S_{S_i + S_j}. Meanwhile, the relationships i' = i + d mod 2^n, j' = j + d mod 2^n, and S' = S ▷ d are preserved as the two systems evolve. This observation, combined with the fact that S is a permutation, yields the following result, observed independently in [15]:

Theorem 3.2.1

Suppose that, for a given key, an RC4-n system goes through the state (i', j', S') and that the cycle length for this key is T. Then any cycle going through one or more states of the form (i' + d, j' + d, S' ▷ d) (where d is an integer) has period T and the shift relationship between the states is maintained as the two systems evolve. In addition, if the output sequences are compared word for word as the systems evolve beyond those states, the outputs will always differ if d ≠ 0 mod 2^n and will always agree otherwise.

Consider a cycle of period T, and an arbitrary RC4 state (i', j', S') in that cycle. Then all shifts of this state belong to a cycle of length T. If there are only a few cycles of length T (as will be the case if T is large), then more than one may appear in the same cycle. The following theorem holds:

Theorem 3.2.2 (Cycle Partitioning)

Let γ be a cycle of period T and let D = (i', j', S') be any state in the cycle. Let d_1, ..., d_{k−1} (k ≤ 2^n) be the right shifts of D in the order they appear as RC4 evolves from state D (d_0 = 0 is understood). Then the distance (expressed as the number of encryptions) between successive shifts is given by T/k, and for any other state D' in the same cycle, the right shifts of D' by d_1, ..., d_{k−1} are the only right shifts of D' appearing in the cycle, and appear in that order. Figure 3.3 illustrates this partitioning, with a = T/k and k = 4. β in the diagram represents a fixed number of encryptions (see the proof).

Proof: Denote by D_t the right shift by d_t of D. Let l be the greatest distance between two consecutive shifts and denote the corresponding shifts d_a and d_{a+1 mod k}. Suppose that for some b, the distance s between d_b and d_{b+1 mod k} was smaller than l. By Theorem 3.2.1, D_a remains a right shift of D_b as the systems evolve. Since D_b(s) is a right shift of D_a, D_a(s) must be a right shift of D_a. Thus, the distance between D_a and D_{a+1 mod k} is less than or equal to s. But that distance is l, contradicting the assumption that s < l. Therefore, no smaller distance exists, and the shifts are at equal distances from each other. The second part of the theorem follows by Theorem 3.2.1 and the fact that any state in the cycle can be obtained by repeated encryption (a + β encryptions in Figure 3.3) starting at any state D. △

In fact, only certain orderings of the shifts present in a given cycle are possible because Theorem 3.2.2 implies that d_{i+1} − d_i is constant in a cycle. d_1 must then be a generator for the shifts in the cycle, and d_i = i · d_1 mod 2^n. The last three columns of Table 3.1 confirm this statement for RC4-2 and RC4-3. In this table, the "Shift Generator" entry is the value of d_1, and the entry "Offset" is the distance between successive shifts. Finally, the "Shifts Found" column enumerates the right shifts of the initial state found in each cycle. All of these results were obtained experimentally.

Note that in all cases, T/k = Offset, as required by the theorem. For example, for the cycles of length 472, a distance of 118 exists between shifts, the shifts appear in the order {0, 6, 4, 2}, and 472/4 = 118. The entry {0} in the "Shifts Found" column indicates that no shifts of the initial state appear in the cycle.

Theorem 3.2.2 characterizes individual cycles of a given length. It is also possible to obtain information about the distribution of cycles using the already discussed shift invariance of RC4:

Theorem 3.2.3

Suppose that, for a given n, RC4 has a cycle of period T and k right shifts of the initial state are present in the cycle (including the initial state). Then k = 2^z for some integer z ≤ n, and 2^{n−z} other cycles of period T exist.

Proof: From Theorem 3.2.2, d_1 is a generator for the set of shifts, and d_0, ..., d_{k−1} is an additive subgroup of 0, ..., 2^n − 1. Since the number of elements in a subgroup must divide the order of the group, k | 2^n, or k = 2^z for some z. Because 2^n shifts of a given state exist, and each must belong to a cycle of length T, 2^n/2^z = 2^{n−z} other disjoint cycles must exist. △

Figure 3.3: Partitioning of an RC4 Cycle
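Added example, not part of the thesis: a small Python model of RC4-n that computes the cycle through a state, checks Fact 3.1.1 (the first state to recur is the starting state and the period is a multiple of 2^n), and verifies the shift partition of Theorems 3.2.1 to 3.2.3 on the short-cycle family of Section 2.3.1 (i = a, j = a + 1, S_{a+1} = 1) for n = 2. The function names are my own.

```python
# Added example (not the thesis's code): RC4-n as a state machine, its cycle
# period, the right-shift operation, and the partition of a cycle into shifts.
from itertools import permutations


def rc4n_step(i, j, s, n):
    """One keystream-generation iteration of RC4-n on the state (i, j, S).

    Returns the new state (i, j, S) with S as a hashable tuple, plus the output word.
    """
    N = 1 << n
    s = list(s)
    i = (i + 1) % N
    j = (j + s[i]) % N
    s[i], s[j] = s[j], s[i]
    return i, j, tuple(s), s[(s[i] + s[j]) % N]


def cycle_of(state, n):
    """Return the cycle through `state` as {state: encryptions from the start}.

    One RC4 step is a bijection on states, so the first state to recur is the
    starting state itself (Fact 3.1.1); the dict length is the period T.
    """
    pos = {}
    cur = state
    while cur not in pos:
        pos[cur] = len(pos)
        cur = rc4n_step(*cur, n)[:3]
    assert cur == state            # the first repeated state is the initial one
    return pos


def right_shift(state, d, n):
    """Right shift by d: (i + d, j + d, S rotated right by d), i.e. S'_k = S_{k-d}."""
    N = 1 << n
    i, j, s = state
    return (i + d) % N, (j + d) % N, tuple(s[(k - d) % N] for k in range(N))


def shift_partition(state, n):
    """{d: position} for every right shift d of `state` lying in its own cycle.

    Position is counted in encryptions from `state`; d = 0 is the state itself.
    """
    N = 1 << n
    pos = cycle_of(state, n)
    return {d: pos[right_shift(state, d, n)]
            for d in range(N) if right_shift(state, d, n) in pos}


def check_partition(state, n):
    """Verify Theorems 3.2.2 and 3.2.3 on the cycle through `state`.

    Returns (T, k, offset, generator): k is a power of two, successive shifts
    lie T/k encryptions apart, and the m-th shift met is m * generator mod 2^n.
    """
    N = 1 << n
    T = len(cycle_of(state, n))
    found = shift_partition(state, n)
    k = len(found)
    order = sorted(found, key=found.get)      # shifts in order of appearance
    steps = [found[d] for d in order] + [T]   # wrap around to the start state
    gaps = {b - a for a, b in zip(steps, steps[1:])}
    assert k & (k - 1) == 0 and gaps == {T // k}
    gen = order[1] if k > 1 else 0
    assert all(order[m] == (m * gen) % N for m in range(k))
    return T, k, T // k, gen


def period_histogram(n):
    """Periods of every cycle of RC4-n over all (i, j, S) states, as {T: count}.

    Only feasible for n = 2 (384 states); n = 3 already has 2580480 states.
    """
    N = 1 << n
    seen = set()
    hist = {}
    for s in permutations(range(N)):
        for i in range(N):
            for j in range(N):
                st = (i, j, s)
                if st in seen:
                    continue
                cyc = cycle_of(st, n)
                seen.update(cyc)
                hist[len(cyc)] = hist.get(len(cyc), 0) + 1
    return hist


if __name__ == "__main__":
    # Short-cycle family of Section 2.3.1 for n = 2: period 2^n (2^n - 1) = 12,
    # all four shifts of the start state in one cycle, 12/4 = 3 encryptions apart.
    print(check_partition((0, 1, (0, 1, 2, 3)), 2))   # (12, 4, 3, 3)
    print(period_histogram(2))                         # every period a multiple of 4
```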

In interpreting this theorem, the following should be taken into account:

- Theorem 3.2.3 does not imply that the number of cycles of a given length is a power of two. Define two cycles to be unrelated if no shift of a state in one of the cycles appears in the other. The number of cycles of a given length would be a power of two if it was true that all unrelated cycles have different periods. In fact, it would be necessary to have at least three unrelated cycles of the same period for the statement to be false. Because it seems fairly unlikely that several unrelated cycles would have the same period, it is likely, but not a certainty, that the number of cycles of a given period is a power of two.

- In order for the statement of Theorem 3.2.3 to be correct, it is necessary to include all cycles which would be obtainable if i and j could be initialized arbitrarily by the key scheduling algorithm. Otherwise, cycles which never pass through a state with i = 0 and j = 0 would be excluded.

The data in Table 3.1 provides examples of the application of this theorem. The first point is illustrated by RC4-3 for a cycle length of 120. In this case, two cycles exist, and all shifts of the initial state are contained in the same cycle. Thus, the two cycles are unrelated, but still have the same cycle length. If a third such unrelated cycle existed, the total number of cycles of period 120 would have been 3, which is not a factor of 2^n.

The cycles for RC4-3 of length 24 are one example in which, although truly four cycles of this length exist, only 2 are used in practice because the remaining two never pass through a state with i = 0 and j = 0. This can be verified by examining Appendix A and noting that no shift by 1 or by 2 of the states given have i = j = 0 for the first and second cycles listed (and hence i = 0, j = 0 never occurs in the third and fourth cycles). Thus, these cycles illustrate the second point. More detailed information about the cycles appearing in RC4-2 and RC4-3 can be found in Appendix B. Experimental attempts at determining the cycle lengths in RC4-4 were unsuccessful, indicating that any cycles of length less than 2^32 are rare, an observation consistent with the permutation data of Table 3.2.

Chapter 4

Systematic Cryptanalysis of RC4

4.1 Obtaining a Key from the RC4 State

Suppose that the initial state of the s-box (the values of S_0, ..., S_{2^n−1}) was known. Then a key which would result in that initial state could be calculated with the following algorithm:

Algorithm 4.1.1 (Recovering a key from an initial state)

Input: S'_0, ..., S'_{2^n−1}: the initial state of the s-box.

Output: k_0, ..., k_{2^n−1}: a key which produces the given initial state.

1. Set S_z = z for all z.

2. Set j = 0.

3. For i from 0 to 2^n − 1:

(a) Let t be the index for which S_t = S'_i.

(b) Set k_i = t − j − S_i mod 2^n.

(c) Set j = j + S_i + k_i mod 2^n (in fact, this is equivalent to: set j = t).

(d) Swap S_i and S_j.

At the end of this procedure, k_0, ..., k_{2^n−1} is a key for which the desired initial state will result. Note that this procedure will typically produce a full length key. In most applications, RC4-n is used with a key length much smaller than this (for example RC4-8 with 40 or 80 bit keys). For most attacks, however, any key is useful to the cryptanalyst so long as it generates the correct keystream.

For most variable-length ciphers, increasing the key length can only increase the security of the cipher. For RC4, however, this remains true only provided that the key length is substantially smaller than the maximum allowed key length; a full length key generating a given initial state can easily be computed, allowing attacks described in Section 4.6 to be carried out. Also, as the key length increases, the probability of several keys mapping to the same initial state increases.
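Added example, not the thesis's code: Algorithm 4.1.1 in Python, checked against the RC4-n key schedule. The key schedule used here is the standard RC4 KSA (j = j + S_i + k_{i mod L}, then swap S_i and S_j), which is assumed to be Algorithm 1.5.1; the last function counts how many distinct initial states the whole key space of a given key length produces, illustrating the collision remark above. Function names are my own.

```python
# Added example (not the thesis's code): recovering a full-length RC4-n key from
# a known initial s-box state (Algorithm 4.1.1) and checking it through the KSA.
from itertools import permutations, product
from random import Random


def ksa(key, n):
    """Standard RC4-n key scheduling (assumed to be Algorithm 1.5.1)."""
    N = 1 << n
    s = list(range(N))
    j = 0
    for i in range(N):
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]
    return s


def key_from_state(target, n):
    """Algorithm 4.1.1: a 2^n-word key whose KSA output is the permutation `target`.

    Walking the KSA, step i must leave target[i] in position i. The only free
    choice at step i is k_i, which determines j; choosing j = t, where t is the
    position currently holding target[i], makes the swap put it in place.
    Positions 0..i-1 are already final, so t >= i and they are not disturbed.
    """
    N = 1 << n
    s = list(range(N))                      # step 1
    j = 0                                   # step 2
    key = []
    for i in range(N):                      # step 3
        t = s.index(target[i])              # (a) index holding the wanted word
        k = (t - j - s[i]) % N              # (b) k_i that makes the new j equal t
        key.append(k)
        j = (j + s[i] + k) % N              # (c) equivalent to j = t
        s[i], s[j] = s[j], s[i]             # (d)
    return key


def equivalent_full_key(short_key, n):
    """A 2^n-word key producing the same initial state as `short_key`."""
    return key_from_state(ksa(short_key, n), n)


def all_states_recoverable(n):
    """True iff Algorithm 4.1.1 yields a valid key for every permutation of 2^n."""
    N = 1 << n
    return all(ksa(key_from_state(list(p), n), n) == list(p)
               for p in permutations(range(N)))


def distinct_states(n, key_len):
    """Number of distinct initial s-boxes over all key_len-word keys of RC4-n."""
    N = 1 << n
    return len({tuple(ksa(k, n)) for k in product(range(N), repeat=key_len)})


if __name__ == "__main__":
    rng = Random(1)
    n = 4
    short = [rng.randrange(16) for _ in range(5)]        # a constructed 20-bit RC4-4 key
    full = equivalent_full_key(short, n)
    print(short, "->", full, ksa(full, n) == ksa(short, n))   # True
    # Every permutation is reachable by a full-length key (Algorithm 4.1.1), so the
    # 4^4 = 256 four-word keys of RC4-2 collapse onto all 4! = 24 initial states.
    print(distinct_states(2, 4))                          # 24
```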

4.2 Forward Tracking Attack

Since Algorithm 4.1.1 produces a key which is equivalent to the original, finding the key in RC4 is equivalent to finding the initial state of the s-box. We now concentrate on determining that initial state. One method of doing so is "forward tracking": observing the output of the algorithm, and determining the possible s-box states from the output data. In general terms, the following algorithm is one possible implementation of the idea:

Algorithm 4.2.1 (Forward Tracking Overview)

Input: K, the observed keystream.

Output: A list of possible RC4 states.

2. Set i = 0, j = 0, and z = 0.

3. Repeat:

(a) Set i = i + 1 mod 2^n.

(b) If S_i is unassigned, continue with the remainder of the algorithm for each possible assignment of S_i.

(c) Set j = j + S_i mod 2^n.

(d) If S_j is unassigned, continue with the remainder of the algorithm for each possible assignment of S_j.

(e) Swap S_i and S_j.

(f) Set t = S_i + S_j mod 2^n.

(g) If S_t is unassigned and K_z does not yet appear in the s-box, set S_t = K_z.

(h) If S_t ≠ K_z, the state information is incorrect. Terminate this round.

(i) Increment z.

(j) If z is equal to the length of the keystream, output the current state as a solution and terminate the run.

This algorithm outputs all possible states that RC4 could be in, given that it output the given keystream. A more detailed description can be found in the appendices, Algorithm C.0.1.

In fact, the algorithm is a depth-first searching algorithm: it searches through a tree in which each node at depth d is a value for the triple (i, j, S) which could result after the first d keystream elements have been produced, as depicted in Figure 4.1. The number of nodes in the tree (excluding the one at depth 0) represents the complexity of the algorithm, assuming that the time needed to identify the nodes providing a valid solution is negligible. Because this basic algorithm will be extended in several ways in the sections which follow, it is important to understand the steps involved in generating Figure 4.1. Those are as follows:

1. Initially, before any keystream has been observed, all states are equally likely and the counters i and j are set to zero. This is represented by the node (0, 0, {?, ?, ?, ?}), corresponding to 4! distinct starting states.

2. RC4 keystream generation (see Algorithm 1.5.2) is now undertaken. i is incremented to 1, and a value must be assigned to S_i = S_1. Four possibilities exist: S_1 = 0, S_1 = 1, S_1 = 2, and S_1 = 3, and these must be considered in turn.

3. If S_1 = 0, then j is still 0 after adjusting j and the state is (1, 0, {0, ?, ?, ?}) after swapping S_i and S_j. The value 0 was observed as the first keystream byte, and thus S_{S_i + S_j} = 0. This would imply that S_1 = 0, which is not possible since S_0 = 0. Thus, the initial choice does not lead to a potential solution.

4. If S_1 = 1 were chosen, then j = 1 after adjustment, and swapping S_i and S_j has no effect. The observed keystream output requires that S_{S_1 + S_1} = S_2 = 0, which leads to the possible solution (1, 1, {?, 1, 0, ?}).

5. Similarly, if S_1 = 2, then, after the swapping step the state is (1, 2, {?, ?, 2, ?}) and S_{S_1 + S_2} = 0, or S_{S_1 + 2} = 0, must be arranged. This can be done in one way: S_1 = 1 and S_3 = 0.

6. Finally, if S_1 = 3, the state (1, 3, {0, 1, ?, 3}) is the only possibility.

7. Carrying on in this fashion starting at each of the nodes at depth 1 leads to the remainder of the diagram shown.

Figure 4.1: Forward Tracking Algorithm for n = 2, and a 0 Keystream of Length 1 [tree diagram; at depth 0 the root (0, 0, {?, ?, ?, ?}), from which all initial states generate the keystream of length 0 correctly; at depth 3 the single node (3, 0, {3, 0, 1, ?}), 1 node, 1 total state: a unique solution has been found]
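Added example, not the thesis's code: Algorithm 4.2.1 as a depth-first search over partially assigned states (unassigned entries are None). It reproduces the n = 2 zero-keystream walk-through above (three nodes at depth 1, solution totals 4, 2, 1, 1, 1, 1 and then 0, and 2^3 = 8 nodes visited in all, the figure Table 4.4 gives for that case), and checks on a constructed RC4-2 state that the true state always survives the search. Function names are my own.

```python
# Added example (not the thesis's code): forward tracking as a depth-first search.
from math import factorial


def track(keystream, n):
    """Algorithm 4.2.1. Returns (nodes, totals, solutions): per depth z, the number
    of tree nodes and the number of solutions they represent (each node counts
    once per way of filling its unassigned entries), plus the final-depth states."""
    N = 1 << n
    depth = len(keystream)
    nodes = [0] * (depth + 1)
    totals = [0] * (depth + 1)
    solutions = []

    def free(s):
        return [v for v in range(N) if v not in s]      # values not yet placed

    def visit(i, j, s, z):
        nodes[z] += 1
        totals[z] += factorial(s.count(None))
        if z == depth:                                  # step (j): a solution
            solutions.append((i, j, tuple(s)))
            return
        i = (i + 1) % N                                 # step (a)
        for vi in ([s[i]] if s[i] is not None else free(s)):        # step (b)
            s1 = list(s)
            s1[i] = vi
            jj = (j + vi) % N                           # step (c)
            for vj in ([s1[jj]] if s1[jj] is not None else free(s1)):  # step (d)
                s2 = list(s1)
                s2[jj] = vj
                s2[i], s2[jj] = s2[jj], s2[i]           # step (e)
                t = (s2[i] + s2[jj]) % N                # step (f)
                k = keystream[z]
                if s2[t] is None and k not in s2:       # step (g)
                    s2[t] = k
                if s2[t] != k:                          # step (h): contradiction
                    continue
                visit(i, jj, s2, z + 1)                 # step (i)

    visit(0, 0, [None] * N, 0)
    return nodes, totals, solutions


def keystream_of(state, n, length):
    """Run RC4-n from a full state for `length` steps; returns (outputs, final state)."""
    N = 1 << n
    i, j, s = state[0], state[1], list(state[2])
    out = []
    for _ in range(length):
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % N])
    return out, (i, j, tuple(s))


def matches(partial, full):
    """True if a partially assigned state is consistent with a fully known one."""
    return partial[:2] == full[:2] and all(
        a is None or a == b for a, b in zip(partial[2], full[2]))


if __name__ == "__main__":
    # Zero keystream, n = 2: totals per depth 24, 4, 2, 1, 1, 1, 1, 0 and 8 nodes
    # below the root, the complexity Table 4.4 lists for this case.
    nodes, totals, sols = track([0] * 7, 2)
    print(nodes, totals, sum(nodes[1:]))
    # A constructed RC4-2 state: its own keystream must lead back to it.
    ks, final = keystream_of((0, 0, (2, 0, 3, 1)), 2, 8)
    print(any(matches(sol, final) for sol in track(ks, 2)[2]))   # True
```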

Tables 4.1 and 4.2 illustrate the performance of the forward tracking scheme by tabulating the number of nodes at each depth d in the tree. In Table 4.1, the keystream is that generated by an arbitrarily chosen key, while in Table 4.2, an all zero keystream is assumed. Note that each node can represent more than one solution, because unspecified entries can be arbitrarily assigned. The number listed under "Total" in the tables is the total number of solutions found.

Table 4.1: Solutions Found by Forward Tracking for a Nonzero Keystream [one row per depth, one "Total" column per word size; table body not legible in the scan]

Table 4.2: Solutions Found by Forward Tracking for a Zero Keystream [one row per depth, "Total" columns per word size and a "Nodes" column; the n = 2 column reads 4, 2, 1, 1, 1, 1 for depths 1 to 6 and 0 from depth 7 on; the remaining entries are not legible in the scan]

Several observations can be made regarding these tables:

- It is possible that the number of nodes as a function of depth does not simply increase then decrease as it does in the cases shown. Only the total number of solutions (which depends both on the number of nodes and on the number of unassigned entries in the s-box at each node) is expected to decrease monotonically as the depth increases, because the amount of uncertainty in the state decreases as the number of keystream bytes read increases.

- For the nonzero keystream case, the total number of solutions cannot decrease to 0 because a valid key was used to generate the keystream. In the experiments conducted so far, it has always been the case that, for a large enough keystream sample, the RC4 state is uniquely identified. However, it is still possible that distinct but equivalent states exist.

- For the zero keystream case, the total number of solutions usually decreases to 0 because most RC4 systems cannot output a constant value indefinitely. An RC4 cipher can only output a constant keystream if it operates in a cycle for which all right shifts are in other cycles. This follows from the periodicity analysis (see Theorem 3.2.1).

- Comparing the two tables, it appears that for a keystream containing many repeated zeros it is easier to recover the state than for an arbitrarily chosen keystream. This property will be discussed in more detail in Section 4.3.

Tables 4.1 and 4.2 could not be completed for the n = 5 case because of computer resource limitations. However, Table 4.3 provides estimated values for the case of an all zero keystream. The estimates were obtained by assuming that all nodes at a given depth have approximately the same number of descendents. All of the data is represented graphically in Figure 4.2.

Table 4.3: Solutions Found by Forward Tracking for a Zero Keystream (approx.) [n = 5 estimate, one row per depth; table body not legible in the scan]

Using the data in Tables 4.1, 4.2, and 4.3, an estimate of the complexity of forward tracking can be obtained by counting the total number of nodes visited in the trees. These estimates are provided in Table 4.4. For comparison, the effective key length of RC4 for the given word size is included in the table. The forward tracking procedure significantly reduces the search effort required to recover the initial state. Extrapolating the results to RC4-8, the forward tracking effort is still much larger than that required for exhaustively searching the keys of a length which would be used in current applications, but the results do give a measure of the maximum effective strength of the cipher.

Figure 4.2: Number of Nodes Visited During Forward Tracking [plot; horizontal axis: Keystream Length; series: n = 2, 3 and 4 with zero and nonzero keystream, n = 5 with zero keystream (exact and approx.) and nonzero keystream (exact)]

4.3 Efficient Starting Points for Forward Tracking

Experiment shows that the time required to recover the initial state using the forward tracking algorithm varies depending on the keystream observed. To generate Figures 4.3 to 4.5, 7500 keystreams were randomly generated with a word length of 4, and the forward tracking algorithm was executed on them, keeping track of the number of nodes visited at each depth in the search. A graph was constructed for each depth, plotting the total execution time of the forward tracking algorithm versus the number of nodes at that depth. Table 4.5 summarizes the graphs by listing for each depth the minimum and maximum tracking times for the set of trial runs which resulted in a node count between the minimum and maximum indicated. The graphs show that, as a general rule, a lower number of nodes at a given depth implies a faster completion time for the forward tracking algorithm.

Condition | Complexity | RC4 Effective Key Length (bits)
n = 2, nonzero keystream | 2^4 | 4.58
n = 3, nonzero keystream | 2^8 | 15.30
n = 4, nonzero keystream | 2^20 | 44.25
n = 2, zero keystream | 2^3 | 4.58
n = 3, zero keystream | 2^7 | 15.30
n = 4, zero keystream | ≈ 2^17 | 44.25
n = 5, zero keystream | ≈ 2^42 | 117.66

Table 4.4: Complexity of the Forward Tracking Algorithm

Figure 4.3: Time to Recover Key, Sorted by Node Count at Depths 1 and 2 (n = 4) [plot; not legible in the scan]

This information demonstrates that, in attacking a keystream by forward tracking, it is beneficial to carefully select the point in the keystream at which to attack. For example, choosing a point in the keystream where the output is constant for a large number of subsequent outputs reduces the forward tracking time, as demonstrated in Table 4.6.

Depth   Max Node   Min Time   Max Time   Samples   Percentage Found

Table 4.5: Time to Recover Key, Sorted by Path Count (n = 4)

Condition   Iterations Performed   Average Time (s)

Table 4.6: Average Forward Tracking Search Time

Figure 4.4: Time to Recover Key, Sorted by Node Count at Depths 3 and 4 (n = 4)

Figure 4.5: Time to Recover Key, Sorted by Node Count at Depths 5 and 6 (n = 4)

Not all repeated keystream bytes lead to the same number of nodes at the end of the sequence. In fact, in some cases a smaller number of nodes can be obtained by a pattern other than a constant keystream. Table 4.7 lists the keystream sequences which minimize the number of nodes in the tree at the end of that sequence.

It should be noted that one problem with searching a keystream for a good starting point for attack is that the RC4 index counter j is known only at the beginning of the keystream. Thus, attacks beginning in the middle of the keystream must exhaustively search for j, increasing the search effort by a factor of 2^n; a factor which is in practice not recovered by the decrease in search effort for each fixed j. However, in light of the properties of RC4 described in Chapter 2, it is often recommended that the first few keystream bytes be discarded as part of the initialization of RC4. In this case, the value of j is not known and the factor of 2^n appears regardless of the starting point chosen for attack.

RC4 Block Length   Keystream Length   Sequence   Paths Remaining
3 1 12 2 5 5 3 626 4 2230

Table 4.7: Keystreams Minimizing Node Count in the Forward Tracking Attack

4.4 Backtracking Attack

Instead of analysing the keystream in the order it is generated, it is also possible to recover the RC4 state by using the observed keystream in reverse order. One disadvantage is that the value of j is known at the start of the keystream, but not at the end. Thus, a backtracking state recovery algorithm must try all possible values of j. However, in light of the discussion at the end of the previous section, a forward tracking attack will often not have this advantage.

Experiment shows that, neglecting the loss of the value of j at the start of the attack, backtracking is more efficient than forward tracking, although the total number of paths searched remains approximately the same. This is likely caused by the fact that it is easier to find valid paths at a given depth when backtracking, since the keystream immediately fixes a portion of the state. For reference, Table 4.8 provides node count information for the backtracking attack with an arbitrarily chosen keystream. Note in comparing it with Table 4.1 that the figures in Table 4.8 are expected to be a factor of 2^n larger than those in Table 4.1 because j is unknown at the end of the keystream.

Depth   Total (n = 2)   Total (n = 3)   Total (n = 4)    Total (n = 5)
1       24              40320           20922789888000   2.63 · 10^35
2       4               5028            1310998348800    8.23 · 10^33
3       1               608             81663120000      2.57 · 10^32
4       1               119             5069636616
5       1               13              323008118
6       1               4               20355861
7       1               1               1265303
8       1               1               77597
9       1               1               4667
10      1               1               269
11      1               1               28
12      1               1               1
13      1               1               1
14      1               1               1
15      1               1               1
16      1               1               1

Table 4.8: Solutions Found by Backtracking for a Nonzero Keystream

4.5 Probabilistic Attacks

One of the drawbacks of the tracking algorithms presented so far is that they cannot readily be distributed across several processors. In addition, they tend to extensively analyse very few keystream bytes instead of partially analysing a large number, as do most successful attacks. In this section, a probabilistic model of RC4 is developed and combined with the tracking attacks to obtain a more effective attack using more keystream data.

CHAPTER 4. SYSTEMATIC CRYPTANALYSIS OF RC4

4.5.1 Probabilistic Model of RC4

Define the probabilistic state of RC4 to be the matrix P^t

where t is the number of keystream bytes output so far and P(S_a = b) is loosely the absolute probability that S_a has value b. Label the rows and columns from 0 to 2^n and from 0 to 2^n - 1 respectively.

To determine P^(t+1) from P^t, consider again the keystream generation function (Algorithm 1.5.2), reproduced below:

1. Set i = i + 1 mod 2^n.

2. Set j = j + S_i mod 2^n.

3. Swap S_i and S_j.

4. Output S_(S_i + S_j mod 2^n) as the next word in the keystream.

It can be seen that Algorithm 4.5.1 calculates P^(t+1) in a natural way:

Algorithm 4.5.1 (Probabilistic Model State Propagation)

Input: P^t, the current state probability matrix.

Output: P^(t+1), the next state probability matrix.

1. Set i = t + 1 mod 2^n.

2. For a from 0 to 2^n - 1

3. For

(a) For b from 0 to 2^n - 1

4. For a from 0 to 2^n - 1

Steps 1 and 2 of Algorithms 1.5.2 and 4.5.1 coincide, and Step 3 of Algorithm 1.5.2 coincides with Steps 3 and 4 of Algorithm 4.5.1.

The model just described illustrates the diffusive nature of the keystream generation algorithm: the row of the probability matrix pointed to by i is mapped in Step 4 of Algorithm 4.5.1 to a weighted average of the first 2^n rows of the matrix.
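The propagation step can be made concrete in code. The following Python is an added example, not the thesis author's implementation: it reconstructs Algorithm 4.5.1 from the description above (the update formulas are missing from the scan, so the exact loop bodies are an assumption), treating j and each S-box entry as independent marginals, convolving the j row with row i for Step 2, and carrying out the swap of Steps 3 and 4 as the weighted average the text describes. The helper rc4_step is a reference Algorithm 1.5.2 used only to check that exact knowledge of a state is carried through unchanged.

```python
"""Loose probabilistic model of RC4 keystream generation (Section 4.5.1).

Added example, not code from the thesis.  The update rules reconstruct
Algorithm 4.5.1 from the prose: every marginal (j and each S-box entry)
is treated as independent of the others, which is what makes the model
"loose".  Rows 0 .. 2^n-1 of the matrix describe S, row 2^n describes j.
"""
import math
from fractions import Fraction


def rc4_step(s, i, j):
    """Reference Algorithm 1.5.2 on a concrete state (2^n = len(s))."""
    m = len(s)
    i = (i + 1) % m                      # Step 1
    j = (j + s[i]) % m                   # Step 2
    s[i], s[j] = s[j], s[i]              # Step 3
    return i, j, s[(s[i] + s[j]) % m]    # Step 4: keystream word


def exact_matrix(s, j):
    """P for a fully known state: one-hot rows for every S entry and for j."""
    m = len(s)
    p = [[Fraction(0)] * m for _ in range(m + 1)]
    for a, v in enumerate(s):
        p[a][v] = Fraction(1)
    p[m][j] = Fraction(1)
    return p


def uniform_matrix(n):
    """P expressing no knowledge at all: every row is uniform over 0 .. 2^n-1."""
    m = 1 << n
    return [[Fraction(1, m)] * m for _ in range(m + 1)]


def propagate(p, t):
    """One step of Algorithm 4.5.1: P^t -> P^(t+1), t = words output so far."""
    m = len(p) - 1
    i = (t + 1) % m                      # Step 1: i is deterministic
    jrow, srows = p[m], p[:m]
    # Step 2: j <- j + S_i.  With independent marginals the new j
    # distribution is the cyclic convolution of the j row with row i.
    new_j = [sum(jrow[a] * srows[i][(g - a) % m] for a in range(m))
             for g in range(m)]
    # Steps 3 and 4: swap S_i and S_j, averaged over the distribution of j.
    new_s = []
    for a in range(m):
        if a == i:
            # Row i becomes the P(j = g)-weighted average of all 2^n rows
            # (the diffusion the text points out; g == i is the no-op swap).
            new_s.append([sum(new_j[g] * srows[g][b] for g in range(m))
                          for b in range(m)])
        else:
            # Row a keeps its value unless j == a, in which case it gets S_i.
            pj = new_j[a]
            new_s.append([(1 - pj) * srows[a][b] + pj * srows[i][b]
                          for b in range(m)])
    return new_s + [new_j]


def most_likely(p):
    """Column of maximum probability in each row: (S guess, j guess)."""
    m = len(p) - 1
    guess = [max(range(m), key=row.__getitem__) for row in p]
    return guess[:m], guess[m]


def row_entropy_bits(row):
    """Shannon entropy of one row, used to watch knowledge diffuse away."""
    return -sum(float(q) * math.log2(float(q)) for q in row if q)


if __name__ == "__main__":
    # Constructed sample: exact knowledge of an RC4-2 state stays exact in
    # the model (all rows remain one-hot) and tracks the real cipher.
    s, i, j = [2, 0, 3, 1], 0, 0
    p = exact_matrix(s, j)
    for t in range(6):
        i, j, _ = rc4_step(s, i, j)
        p = propagate(p, t)
        assert most_likely(p) == (s, j)
    # Knowing S but not j: after one step row i is spread over all values.
    p = exact_matrix([2, 0, 3, 1], 0)
    p[4] = uniform_matrix(2)[4]
    p = propagate(p, 0)
    print("entropy of row 1 after one step:", row_entropy_bits(p[1]), "bits")
```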

4.5.2 Laddered Backtracking Attack

One use of the probabilistic model of Section 4.5.1 is to combine it with the backtracking attack of Section 4.4. For the full size RC4-8, the backtracking attack by itself would require an unreasonable amount of time on even a high-end workstation. A backtrack to a depth of three remains feasible, taking 8 hours on a 167 MHz UltraSparc, but still leaves many possibilities for the initial permutation. Figure 4.6 illustrates an approach which allows the concatenation of many depth t searches in an attempt to obtain more information about the initial state. Backtracking is applied to successive blocks of t keystream bytes, and the set of solutions found is used to determine the probability matrix at the beginning of the block. This matrix is combined with the one calculated from the previous stage, and the output propagated to the end of the block using Algorithm 4.5.1.

[Figure 4.6 block diagram: for each keystream block, a Backtrack step feeds a Combine step, whose output is passed through a Propagate step to the next block.]

Figure 4.6: Laddered Backtracking Attack

In this attack, all of the backtracking steps are independent, and can thus be carried out in parallel. The propagate and combine steps are likely to be much faster, but must be done serially. The attack could succeed if the information obtained by backtracking and combining was not completely diffused by the propagation step. The probability matrix could then converge to a permutation of the identity matrix (in which case the complete initial state would be known) or at least provide a guide for a partial exhaustive search.

The probability matrix associated with the backtracking step can be calculated as outlined in Algorithm 4.5.2.

Algorithm 4.5.2 (RC4 State Probability Matrix Calculation)

Input: The set of solutions found by backtracking.

Output: P, the corresponding state probability matrix.

1. Initialize all entries of the probability matrix P to zero.

2. For each possible solution (i', j', {S'_0, S'_1, ..., S'_(2^n-1)}) (where some of the S'_t may be unassigned):

(a) Let f be the number of unassigned elements in S'.

(b) For t from 0 to 2^n - 1 do

i. If S'_t has been assigned value a, add f! to P_(t,a).

ii. If S'_t is unassigned, add (f - 1)! to each entry P_(t,b) for each of the f values b not yet assigned to the s-box.

3. Divide every entry in each row by the sum of the entries in the row, unless that sum is zero.

To get an idea of how Algorithm 4.5.2 functions, sample probability data is provided in Appendix D. From this data, it can be seen that only very partial information about the RC4 state can be obtained by this method unless most of the keystream required for complete backtracking analysis has been obtained. For example, the value of j could be inferred correctly from the probability matrix only after 12 keystream bytes have been read, while analysing 13 keystream bytes would suffice to uniquely determine the RC4 state in the example given. However, care should be taken in interpreting this data; in the example of Appendix D, the most likely value of S_1 is 4, which has associated probability 0.125. This implies that, of all keys generating the observed first keystream byte, 12.5% have S_1 = 4; it just happens that the key {0, 1, 1, 1} is among the 87.5% which do not.
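Algorithm 4.5.2 in code, as an added example that is not the thesis author's implementation: solutions are given as (i, j, S) with None for unassigned entries, partial solutions are weighted by f! and (f - 1)! exactly as in Steps 2(b)i and 2(b)ii, and best_guess reports the same "most likely value with its probability" figure the paragraph above warns about. The algorithm text says nothing about the j row, so weighting it by f! is an assumption made here.

```python
"""Algorithm 4.5.2: RC4 state probability matrix from backtracking solutions.

Added example, not code from the thesis.  Each solution is (i, j, S) with
None marking an unassigned S-box entry.  A partial solution stands for f!
complete states (f = number of unassigned entries), which is why assigned
entries receive weight f! and each value still open to an unassigned entry
receives (f-1)!.  The algorithm text says nothing about the j row (row 2^n);
giving it weight f! as well is an assumption made here.
"""
from fractions import Fraction
from math import factorial


def state_probability_matrix(solutions, n):
    """Return P (2^n + 1 rows by 2^n columns) as in Algorithm 4.5.2."""
    m = 1 << n
    p = [[Fraction(0)] * m for _ in range(m + 1)]          # Step 1
    for _i, j, s in solutions:                               # Step 2
        assigned = {v for v in s if v is not None}
        free_values = [v for v in range(m) if v not in assigned]
        f = len(free_values)                                 # Step 2(a)
        for t, v in enumerate(s):                            # Step 2(b)
            if v is not None:
                p[t][v] += factorial(f)                      # Step 2(b)i
            else:
                for b in free_values:                        # Step 2(b)ii
                    p[t][b] += factorial(f - 1)
        p[m][j] += factorial(f)                              # assumption: j row
    for row in p:                                            # Step 3
        total = sum(row)
        if total:
            for b in range(m):
                row[b] /= total
    return p


def best_guess(p):
    """Per row: the most probable value and its probability (the 0.125-style figure)."""
    return [(max(range(len(row)), key=row.__getitem__), max(row)) for row in p]


if __name__ == "__main__":
    # Constructed sample solution set for RC4-2 (n = 2): one partial solution
    # (weight 3! = 6 for its assigned entry) and one complete solution (weight 1).
    sols = [(0, 1, [2, None, None, None]), (0, 0, [0, 1, 2, 3])]
    for t, (v, pr) in enumerate(best_guess(state_probability_matrix(sols, 2))):
        label = "j" if t == 4 else "S_%d" % t
        print("%s: most likely %d with probability %s" % (label, v, pr))
```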

The main hurdle in implementing this attack is to determine a suitable combining function, which should reinforce agreements between the two input probability matrices. Two approaches have been tried, but both have been unsuccessful:

Using the probability matrix from one propagated keystream block to weight solutions of the backtracking algorithm in the next block. Thus, if the solution (i', j', {S'_0, ..., S'_(2^n-1)}) is found by backtracking, it is given weight

when calculating the backtracking probability matrix.

Calculating the element-by-element weighted average of the two inputs to the combining function. If P_(k-1) is the output of the propagation step of block k - 1,

is the output of the combiner for block k.

4.5.3 Most Probable Path Backtracking Attack

Another possibility for attack is to use a probabilistic model to guide the backtracking attack of Section 4.4. As before, the backtracking attack executes the keystream generation algorithm (Algorithm 1.5.2) in reverse, working its way from the end to the beginning of the keystream. Every time that the algorithm needs to assign a value to an S-box entry, it executes another backtracking search, starting from the current position in the keystream, to a depth b. Solutions found by the inner backtracking search are propagated to the current position (by applying the keystream generation function b times), and the RC4 state probability matrix is constructed using the result. The most probable path backtracking algorithm then assigns the s-box entry by choosing the one which has the highest entry in the probability matrix.

The most probable depth b path backtracking attack is described in more detail in Algorithm 4.5.3. The tree diagram searched by a most probable path depth 2 backtracking attack is shown in Figure 4.7, where the nodes in bold indicate that they are the most likely node at that level.

Figure 4.7: Tree Diagram for Most Probable Depth 2 Path Backtracking Attack

Algorithm 4.5.3 (Most Probable Depth b Path Backtracking Attack)

Input: l, the length of the keystream, and K_0, ..., K_(l-1), the observed keystream.

Output: The most likely initial state (i, j, and S).

1. Mark all entries S_t as unassigned.

3. Choose j arbitrarily as a value between 0 and 2^n - 1 (inclusive).(1)

4. Repeat until z < 0:

(a) If the value K_z has already been assigned somewhere in the s-box, set a to the position such that S_a = K_z. Otherwise:

i. Execute a backtracking analysis starting at the current position, to a depth of b. Iterate Algorithm 1.5.2 on each solution found, and use the result to calculate the RC4 state probability matrix.

ii. Set a to the row containing the highest value in column K_z of the probability matrix. If the highest probability found was 0, the state information is incorrect. Terminate this round.

iii. Set S_a = K_z.

(b) If S_i is unassigned:

i. Execute a backtracking analysis starting at the current position, to a depth of b. Iterate Algorithm 1.5.2 on each solution found, and use the result to calculate the RC4 state probability matrix.

ii. Set S_i to the column containing the highest value in row i of the probability matrix. If the highest probability found was 0, the state information is incorrect. Terminate this round.

(c) Set neededsj = a - S_i mod 2^n.

(d) If S_j is unassigned and neededsj is not already assigned elsewhere in the s-box, set S_j = neededsj.

(e) If S_j != neededsj, the state information is incorrect. Terminate this round.

(f) Swap S_i and S_j.

(g) Set j = j - S_i mod 2^n.

(h) Set i = i - 1 mod 2^n.

(i) Decrement z.

(1) Strictly speaking, a depth-first search to depth b should be performed, and j chosen to be the most commonly observed value of j in the set of solutions, but the data in Appendix D indicates that little is gained by doing so.

As written, Algorithm 4.5.3 executes only a single complete depth-first search, terminating if it finds an inconsistency, but it can easily be modified to perform a complete depth-first search (as do the original forward tracking and backtracking algorithms) by modifying steps 4(a)ii and 4(b)ii. For a full depth-first search, all of the entries with nonzero probability should be tried, in order of decreasing probability.

In this case, the search algorithm must evaluate the tradeoff between continuing to search in the given tree, and abandoning the node in favour of a branch at a higher level (or from a different keystream altogether).

To understand the tradeoff, suppose that time T_1 was required to generate the set of nodes at the current depth, and that time T_2 was required to check for solutions for the most likely node at the current depth. Let P_11 be the probability assigned to the current node at the previous depth, and P_12 be the probability of the next most-likely node at the previous depth. Let P_21 be the probability of the current node at the current depth, and P_22 be the probability of the next most-likely node at the current depth. Assuming that a large number of nodes exist at both depths (and thus that the probabilities do not change after it has been determined that no solution has been found at a given node), the algorithm should return to the previous depth if

that is

Tables 4.9 and 4.10 provide information helpful for assessing the performance of the probabilistic tracking algorithm for the case where only one path is followed at a given depth. The first table lists the experimentally obtained probability of success for each guess made by the algorithm. The data is approximate; the probability listed is the highest probability found in the probability matrix, even if that choice does not correspond to the correct choice. Whether or not the guess would have been correct, the correct value is used by the algorithm as it continues the search. This approach was necessary because no runs have completed to date (for n >= 4, but experiment with the n = 3 case shows that the results obtained are consistent).

The second table provides a measure of the attack complexity. The "Expected Trials" column lists the expected number of iterations needed for all the guesses to be correct (i.e. it is the reciprocal of the product of the entries in the corresponding column of Table 4.9), "Trial Complexity" is the number of nodes visited when performing the inner depth-first searches, and "Total Complexity" is the product.

The data shows that, for the word sizes analysed, the total complexity for this method is greater than that needed for a full depth-first search when the complexity of the inner backtracking is taken into account. In order to make this attack successful, a partial exhaustive search, which tries several of the most likely choices instead of just one, would be required. Also, techniques for avoiding a full inner depth-first search would increase the efficiency of the algorithm.

Table 4.9: Guess Success Probability of Most Probable Depth b Path Backtracking Attack

4.6 Practical Attacks in Unusual Scenarios

Suppose that a user encrypts a fixed message using e keys, all generating an initial state in the same cycle. Then, if the keystreams could be recovered and the data was long enough, for any pair of keystreams K and K' there would be an offset d such that K_t = K'_(t+d) for all t. Having found d for every key pair, it would then be possible to use the forward tracking algorithm but adding e symbols to the s-box at a time instead of one. Experiment shows that this can dramatically improve the performance of the forward tracking algorithm, as illustrated in Table 4.11.

Search Parameters   Expected Trials   Trial Complexity   Total Complexity
n = 4, D = 3        ...               ...                209083

Table 4.10: Complexity of Most Probable Depth b Path Backtracking Attack

n   Keystreams Available   Keystreams Needed   Time (s)   Node Count (listed at each depth)
4 3 0.01
4 4 0.02
4 3 0.07
4 2 0.4
4 1 16.48
16.73 47.02 937

Table 4.11: Time to Recover RC4-n Key with Multiple Keystreams

4.7 Summary of Attack Performance

Table 4.12 lists the complexity of recovering the RC4 state for different word sizes, using the attacks discussed in this chapter. In one sense the complexity gives an upper bound on the "true" key length of the cipher, because it represents the maximum amount of work needed to recover a key. If no attacks were feasible, an exhaustive search of the entire keyspace would be needed to recover the key. It is interesting to note that the true complexities listed are all below 2^128, while 128 bits is becoming a commonly used key size. It seems likely that a word size of 7 or 8 is required to achieve this level of security in RC4.

Word Size   Nominal RC4 Key Space   Effective Keyspace   True Keyspace (arbitrary keystream)   True Keyspace (zero keystream)
94 93

Table 4.12: Estimated Upper Bound on the "True" Keyspace of RC4-n

Chapter 5 Conclusion

5.1 Summary and Discussion

Given the analysis available to date, RC4 remains a secure stream cipher. Attacks such as forward tracking substantially reduce the effort needed to recover a key relative to the maximum allowable key size of the cipher. For example, with a word size of 5 and a nominal keyspace of 2^160, the RC4 initial state can be recovered in 2^42 steps for certain keystreams. In order to become practically relevant, the attacks would need to exploit the reduced keyspace for shorter keys, but to date the RC4 initialization algorithm remains a barrier. The attacks do provide an upper bound on the "effective" key length of RC4, which is lower than the number of RC4 initial states. Thus, the large keyspace cannot be effectively used.

The structure of the cycles generated by RC4 is also an inherent weakness because it may be possible, given a complete cycle, to obtain the entire RC4 initial state by inspection. However, because RC4 is likely to have an expected cycle length of 2^1699, the structure does not appear to pose a practical threat.

One of RC4's greatest strengths is that it can simply and efficiently manipulate a large state while outputting a keystream which sufficiently disguises that internal state. Attacks presented so far either attack the key schedule or the keystream generation. Those attacking the key schedule only make use of the first few keystream bytes, and those attacking the keystream use more data but face the much greater task of recovering the full RC4 state. Successful attacks will likely need to take advantage of a yet to be discovered means of identifying RC4 states associated with "short" keys.

5.2 Suggestions for Further Study

RC4 is continuing to gain acceptance as an efficient and secure stream cipher. For example, RC4 is supported in the draft of the Transport Layer Security Protocol [3], a work which may replace SSL [8] for cryptographically protecting network connections. As such, further analysis is warranted to continue to affirm the security of the algorithm. Specifically, the following items may provide important insights:

Examining tradeoffs between probabilistic and exhaustive tracking attacks to determine the most effective balance.

Determining a means of identifying RC4 initial states which correspond to commonly used key sizes, so that these can be distinguished from arbitrary valid RC4 initial states. Tracking attacks could then confine their search to the size of the actual keyspace used.

Examining methods for combining the key scheduling algorithm and tracking attacks to yield attacks which would be effective against commonly used key sizes.

Obtaining results on the attack complexity for RC4 word sizes greater than 5, completing Table 4.12.

Improving the RC4 initialization algorithm so that the attacks exploiting it are defeated.

In addition, work determining the actual cycle distribution of the full size RC4 would resolve this issue, although statistically it is unlikely that many keys generate states lying in short cycles.

Bibliography

[1] Anonymous. RC4 source code. Posting to sci.crypt, Sept. 13, 1994.

[2] R. Arratia and S. Tavaré. The cycle structure of random permutations. The Annals of Probability, 20(3):1567-1591, 1992.

[3] T. Dierks and C. Allen. The TLS protocol version 1.0. Internet Draft, ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-0..., November 1997.

[4] W. Diffie and M. E. Hellman. Privacy and authentication: An introduction to cryptography. Proceedings of the IEEE, 66(3):397-427, March 1979.

[5] H. Finney. An RC4 cycle that can't happen. Posting to sci.crypt, Sept. 1994.

[6] FIPS 180-1. Secure Hash Standard. Federal Information Processing Standards Publication 180-1, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, Springfield, Virginia, April 17, 1995.

[7] P. Flajolet and A. Odlyzko. Random mapping statistics. In LNCS 434, Proceedings of EUROCRYPT '89, pages 329-334, New York, 1990. Springer-Verlag.

[8] A. Freier, P. Karlton, and P. Kocher. The SSL protocol version 3.0. Internet Draft, http://home.netscape.com/eng/ssl3/draft302.txt, November 1996.

[9] O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. Journal of the ACM, 33(4):792-807, 1986.

[10] J. D. Golić. Intrinsic statistical weakness of keystream generators. In J. Pieprzyk and R. Safavi-Naini, editors, LNCS 917, Advances in Cryptology - ASIACRYPT '94, pages 91-103, Germany, 1995. Springer.

[11] J. D. Golić. Linear models for keystream generators. IEEE Transactions on Computers, volume C-45, pages 41-49, Jan. 1996.

[12] J. D. Golić. Linear statistical weakness of alleged RC4 keystream generator. In Walter Fumy, editor, LNCS 1233, Advances in Cryptology - EUROCRYPT '97, pages 226-238, Germany, 1997. Springer.

[13] H. Handschuh and H. Gilbert. χ² cryptanalysis of the SEAL encryption algorithm. In Fast Software Encryption, volume 1267, pages 1-12. Springer-Verlag, 1997.

[14] Bob Jenkins. Re: RC4? Posting to sci.crypt, Sept. 1994.

[15] R. J. Jenkins Jr. ISAAC and RC4. Internet document at http://ourworld.compuserve.com/homepages/bob_jenkins/isaac.htm, 1996.

[16] RSA Laboratories. RSA Labs FAQ. Internet document at http://www.rsa.com/rsalabs/newfaq/alg+ech.htm.

[17] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, New York, 1997.

[18] Eric Rescorla. RC4 compatibility testing. Posting to sci.crypt, Sept. 13, 1994.

[19] R. L. Rivest. The RC4 encryption algorithm. RSA Data Security Inc., March 1992.

[20] P. Rogaway and D. Coppersmith. A software-oriented encryption algorithm. In Fast Software Encryption, Cambridge Security Workshop Proceedings, pages 56-63. Springer-Verlag, 1994.

[21] P. Rogaway and D. Coppersmith. A software-optimized encryption algorithm. Internet document at http://www.cs.ucdavis.edu/~rogaway/papers/seps, Sept. 1997.

[22] A. Roos. A class of weak keys in the RC4 stream cipher. Posting to sci.crypt, Sept. 1995.

[23] R. A. Rueppel. Analysis and design of stream ciphers. Springer-Verlag, New York, 1986.

[24] M. Salmasizadeh, J. Golić, E. Dawson, and L. Simpson. A systematic procedure for applying fast correlation attacks to combiners with memory. In Workshop record of the workshop on selected areas in cryptography (SAC '97), pages 102-116, August 1997.

[25] Bruce Schneier. Applied Cryptography. John Wiley & Sons, Inc., Toronto, Canada, 2nd edition, 1996.

[26] L. A. Shepp and S. P. Lloyd. Ordered cycle lengths in a random permutation. Transactions of the American Mathematical Society, 121:340-357, Jan. 1966.

[27] D. J. Wheeler. A bulk data encryption algorithm. In Fast Software Encryption, Cambridge Security Workshop Proceedings, pages 127-134. Springer-Verlag, 1994.

[28] G. Z. Xiao and J. L. Massey. A spectral characterization of correlation-immune combining functions. IEEE Transactions on Information Theory, IT-34:569-571, May 1988.

Appendix A Short Cycles of RC4-3

The following sections list the four RC4-3 cycles of length 24. Only the first two are used in practice because no valid RC4 initial states (those with i = 0 and j = 0) occur in the remaining two. In each section, the RC4 state sequence is illustrated: the s-box entries are listed vertically and two arrows denote the pointers i and j. The arrow on the left is i, and the one on the right is j.

A.1 A Cycle of Length 24

A.2 A Second Cycle of Length 24

A.3 A Third Cycle of Length 24

Note that this cycle cannot occur in practice because it does not contain a state with

A.4 A Fourth Cycle of Length 24

Note that this cycle cannot occur in practice because it does not contain a state with

Appendix B

Detailed Key Distribution for n = 2 and n = 3

The following sections list key distribution information for n = 2 and n = 3. For each cycle, the cycle length and the location within the cycle of all right shifts of the initial state is recorded. For each valid initial state within the cycle, the set of keys generating that initial state is listed. At the end of the cycle list, the total number of cycles and states visited is printed. The data is presented as follows:

Cycle A
Cycle length: B
Right shifts found:
shift C at D
...
Total permutations in cycle: E
Total keys: F
Permutations:
Offset G: SA
Keys: (total H)
SB

where A is an arbitrarily assigned cycle number, B is the length of the cycle, C is the number of right shifts needed to convert the initial state to the state at position D, E is the number of permutations with i = 0 and j = 0 found in the cycle, F is the total number of keys which generate an initial state in the cycle, G is the number of iterations needed to get to the identified state SA, H is the total number of keys generating the state SA, and SB is a key generating that state. Ellipses (...) are used in the n = 4 case to denote portions of the output that have been deleted due to lack of space.

B.1 Key Distribution for n = 2

Cycle 0
Cycle length: 196
Right shifts found: shift 0 at 196, shift 1 at 49, shift 2 at 98, shift 3 at 147
Total permutations in cycle: 12
Total keys: 125
Permutations: (per-permutation key lists not recoverable from the scan)

Cycle 1
Cycle length: 164
Right shifts found: shift 0 at 164, shift 1 at 41, shift 2 at 82, shift 3 at 123
Total permutations in cycle: 12
Total keys: 131
Permutations: (per-permutation key lists not recoverable from the scan)

Total cycles: 2, visiting 360 states

B.2 Key Distribution for n = 3

Cycle 0: length 24; right shifts: shift 0 at 24, shift 4 at 12; permutations in cycle: 1; Offset 0: 5, 4, ...

Cycle 1: length 120; right shifts: shift 0 at 120, shift 1 at 105, shift 2 at 90, shift 3 at 75, shift 4 at 60, shift 5 at 45, shift 6 at 30, shift 7 at 15; permutations in cycle: 2; Offset 0: 5, 3, ...

Cycle 2: length 120; right shifts: shift 0 at 120, shift 1 at 105, shift 2 at 90, shift 3 at 75, shift 4 at 60, shift 5 at 45, shift 6 at 30, shift 7 at 15; permutations in cycle: 2; Offset 0: 5, 3, ...

Cycle 3: length 24; right shifts: shift 0 at 24, shift 4 at 12; permutations in cycle: 1; Offset 0: 3, 5, 6, 2, 7, 0, 4, 1

Cycle 4: length 264; right shifts: shift 0 at 264, shift 2 at 66, shift 4 at 132, shift 6 at 198; permutations in cycle: 5; Offset 0: 1, 2, ...

Cycle 5: length 648; right shifts: shift 0 at 648, shift 1 at 81, shift 2 at 162, shift 3 at 243, shift 4 at 324, shift 5 at 405, shift 6 at 486, shift 7 at 567; permutations in cycle: 8; Offset 0: 0, 5, 2, ...

Cycle 6: length 472; right shifts: shift 0 at 472, shift 2 at 354, shift 4 at 236, shift 6 at 118; permutations in cycle: 7; Offset 0: 0, ...

Cycle 7: length 472; right shifts: shift 0 at 472, shift 2 at 354, shift 4 at 236, shift 6 at 118; permutations in cycle: 7; Offset 0: 0, 3, ...

Cycle 8: length 4696; right shifts: shift 0 at 4696; permutations in cycle: 80; Offset 0: 0, 3, ...

Cycle 9: length 4696; right shifts: shift 0 at 4696; permutations in cycle: 77; Offset 0: 0, 3, ...

Cycle 10: length 456; right shifts: shift 0 at 456, shift 1 at 57, shift 2 at 114, shift 3 at 171, shift 4 at 228, shift 5 at 285, shift 6 at 342, shift 7 at 399; permutations in cycle: 12; Offset 0: 0, 3, 2, 5, 6, 7, 1, 4 ...

Cycle 11: length 3008; right shifts: shift 0 at 3008; permutations in cycle: 50; Offset 0: 0, 3, ...

Cycle 12: length 4696; right shifts: shift 0 at 4696; permutations in cycle: 70; Offset 0: 0, 2, ...

Cycle 13: length 4696; right shifts: shift 0 at 4696; permutations in cycle: 93; Offset 0: 0, 2, ...

Cycle 14: length 3008; right shifts: shift 0 at 3008; permutations in cycle: 41; Offset 0: 0, 2, ...

Cycle 15: length 9624; right shifts: shift 0 at 9624, shift 2 at 7218, shift 4 at 4812, shift 6 at 2406; permutations in cycle: 153; Offset ...

Cycle 16: length 4696; right shifts: shift 0 at ...; permutations in cycle: 61; Offset 0: 0, ...

Cycle 17: length 3008; right shifts: shift 0 at 3008; permutations in cycle: 32; Offset 0: 0, 1, 7, 6, 3, 5, 2, 4 ...

Cycle 18: length 264; right shifts: shift 0 at 264, shift 2 at 66, shift 4 at 132, shift 6 at 198; permutations in cycle: 7; Offset 0: 0, 1, 7, 4, 3, ...

Cycle 19: length 9624; right shifts: shift 0 at 9624, shift 2 at 7218, shift 4 at 4812, shift 6 at 2406; permutations in cycle: 149; Offset 0: 0, ...

Cycle 20: (cycle length and the entries for cycles 21 to 25 are absent from the scan) right shifts: shift 0 at 9432, shift 1 at 3537, shift 2 at 7074, shift 3 at 1179, shift 4 at 4716, shift 5 at 8253, shift 6 at 2358, shift 7 at 5895; permutations in cycle: 140; Offset 0: 0, 1, 3, ...

Cycle 26: length 3008; right shifts: shift 0 at 3008; permutations in cycle: 43; Offset 0: 0, 1, 3, ...

Cycle 27: length 44264; right shifts: shift 0 at 44264, shift 1 at 27665, shift 2 at 11066, shift 3 at 38731, shift 4 at 22132, shift 5 at 5533, shift 6 at 33198, shift 7 at 16599; permutations in cycle: 688; Offset 0: 0, 1, 2, ...

Cycle 28: length 4696; right shifts: shift 0 at 4696; permutations in cycle: 83; Offset 0: 0, 1, 2, ...

(entries for cycles 29 to 32 are absent from the scan)

Cycle 33: length 29032; right shifts: shift 0 at 29032, shift 4 at 14516; permutations in cycle: 488; Offset 0: 0, 1, 2, ...

Cycle 34: length 322120; right shifts: shift 0 at 322120, shift 1 at 40265, shift 2 at 80530, shift 3 at 120795, shift 4 at 161060, shift 5 at 201325, shift 6 at 241590, shift 7 at 281855; permutations in cycle: 5144; Offset ...

Cycle 35: length 29032; right shifts: shift 0 at 29032, shift 4 at 14516; permutations in cycle: 457; Offset 0: 0, 1, ...

Cycle 36: length 955496; right shifts: shift 0 at 955496, shift 2 at 238874, shift 4 at 477748, shift 6 at 716622; permutations in cycle: 15010; Offset 0: 0, 1, 2, 3, 4, 5, 7, 6 ...

Cycle 37: length 955496; right shifts: shift 0 at 955496, shift 2 at 238874, shift 4 at 477748, shift 6 at 716622; permutations in cycle: 15274; Offset 0: 0, 1, 2, 3, 4, 5, 6, 7 ...

Total cycles: 38, visiting 2539680 states

Appendix C Forward Tracking Algorithm in Detail

The following is a more detailed description of the forward tracking algorithm, as implemented for our tests. In this version the search is implemented depth first. See Section 4.3.

Algorithm C.0.1 (Forward Tracking (Detailed Description))

Input: K_0, ..., K_{len-1}, the observed keystream of length len.

Output: A list of possible RC4 states.

forwardtrack(K, len)

1. Initialize the array A_0, ..., A_{2^n - 1} to a random permutation of the integers 0, ..., 2^n - 1.

2. Set numavail = 2^n.

3. Set S_t = unassigned (0 <= t < 2^n).

4. Set i = 0 and j = 0.

5. Call forwardone(K, len, S, i, j, A, numavail).

forwardone(K, len, S, i, j, A, numavail)

Throughout, A_0, ..., A_{numavail-1} are the values not yet placed in S. A value is taken out of this pool by swapping it to position numavail - 1 and decrementing numavail, and is returned to the pool by the reverse steps. psi and psj index the next pool entry to try for S_i and S_j, and fixedsi, fixedsj record whether this call assigned S_i or S_j.

1. If len = 0, then S_0, ..., S_{2^n - 1}, i and j is a solution state. Return to the caller.

2. Set psi = 0 and psj = 0.

3. Set fixedsi = 0 and fixedsj = 0.

4. Set i = (i + 1) mod 2^n.

5. If S_i = unassigned

(a) Set S_i = A_psi.

(b) Swap A_psi and A_{numavail-1}.

(c) Set numavail = numavail - 1.

(d) Set fixedsi = 1.

6. Set j = (j_0 + S_i) mod 2^n, where j_0 is the value of j passed to forwardone. (Steps 5 to 12 are repeated from step 12, so j must be recomputed from j_0 each time rather than from the j of the previous attempt.)

7. If S_j = unassigned and psj < numavail

(a) Set S_j = A_psj.

(b) Swap A_psj and A_{numavail-1}.

(c) Set numavail = numavail - 1.

(d) Set fixedsj = 1.

8. If S_j != unassigned

(a) Set t = (S_i + S_j) mod 2^n. (This is the index of the output of this step; the sum is the same before and after the swap of S_i and S_j.)

(b) If t = i then set t = j, else if t = j then set t = i. (After the swap, position i holds the old S_j and position j the old S_i, so the entry that will be output is read from the other position of the unswapped array.)

(c) If S_t = K_0 then

i. Swap S_i and S_j.

ii. Call forwardone(K + 1, len - 1, S, i, j, A, numavail), where K + 1 denotes the keystream with its first symbol removed, K_1, ..., K_{len-1}.

iii. Swap S_i and S_j.

(d) Otherwise, if S_t = unassigned and K_0 is one of A_0, ..., A_{numavail-1}

i. Let z be the entry for which A_z = K_0.

ii. Set S_t = A_z.

iii. Swap A_z and A_{numavail-1}.

iv. Set numavail = numavail - 1.

v. Swap S_i and S_j.

vi. Call forwardone(K + 1, len - 1, S, i, j, A, numavail).

vii. Swap S_i and S_j.

viii. Set numavail = numavail + 1.

ix. Swap A_z and A_{numavail-1}.

x. Set S_t = unassigned.

(If S_t is assigned but differs from K_0, or is unassigned while K_0 has already been placed elsewhere in S, the current assignment is contradicted by the keystream and nothing is done.)

9. Set haveanothertry = 0.

10. If fixedsj = 1 then

(a) Set S_j = unassigned.

(b) Set numavail = numavail + 1.

(c) Swap A_psj and A_{numavail-1}.

(d) Set psj = psj + 1.

(e) If psj >= numavail then

i. If fixedsi = 1 then

A. Set S_i = unassigned.

B. Set numavail = numavail + 1.

C. Swap A_psi and A_{numavail-1}.

D. Set psj = 0.

E. Set psi = psi + 1.

F. If psi < numavail then set haveanothertry = 1.

(f) Otherwise (psj < numavail), set haveanothertry = 1.

11. Otherwise, if fixedsi = 1 then

(a) Set S_i = unassigned.

(b) Set numavail = numavail + 1.

(c) Swap A_psi and A_{numavail-1}.

(d) Set psi = psi + 1.

(e) Set psj = 0.

(f) If psi < numavail then set haveanothertry = 1.

12. If haveanothertry = 1 then go to step 5.

Appendix D  Probabilistic Information in RC4-4

Tables D.2 to D.9 give the probability distribution of the S-box entries and of the RC4 counter j, given that the first t bytes of the keystream are available for analysis. RC4-4 is used in the experiment, and the key is k = (0, 1, 1, 1). Table D.1 lists the sequence of states in detail. The largest entry in each row is in bold, and the correct entry is underlined.

Step     RC4-4 State (i, j, {S_0, ..., S_15})                Keystream Byte
Initial  (0, 0, {0,3,4,1,d,f,c,e,2,8,a,7,6,9,5,b})           -
1        (1, 3, {0,1,4,3,d,f,c,e,2,8,a,7,6,9,5,b})           d
2        (2, 7, {0,1,e,3,d,f,c,4,2,8,a,7,6,9,5,b})           e
3        (3, a, {0,1,e,a,d,f,c,4,2,8,3,7,6,9,5,b})           9
4        (4, 7, {0,1,e,a,4,f,c,d,2,8,3,7,6,9,5,b})           1
5        (5, 6, {0,1,e,a,4,c,f,d,2,8,3,7,6,9,5,b})           7
6        (6, 5, {0,1,e,a,4,f,c,d,2,8,3,7,6,9,5,b})           7
7        (7, 2, {0,1,d,a,4,f,c,e,2,8,3,7,6,9,5,b})           7
8        (8, 4, {0,1,d,a,2,f,c,e,4,8,3,7,6,9,5,b})           c
9        (9, c, {0,1,d,a,2,f,c,e,4,6,3,7,8,9,5,b})           5
10       (a, f, {0,1,d,a,2,f,c,e,4,6,b,7,8,9,5,3})           5
11       (b, 6, {0,1,d,a,2,f,7,e,4,6,b,c,8,9,5,3})           a
12       (c, e, {0,1,d,a,2,f,7,e,4,6,b,c,5,9,8,3})           9
13       (d, 7, {0,1,d,a,2,f,7,9,4,6,b,c,5,e,8,3})           9

Table D.1: RC4-4 State Sequence for an Initial Key k = (0, 1, 1, 1). All values are hexadecimal; the state after the key schedule is the "Initial" row, and the keystream byte of step t is S[(S_i + S_j) mod 16] of the state listed for step t.

Table D.2: RC4-4 State Probability Matrix - 1 Keystream Byte Analysed
Table D.3: RC4-4 State Probability Matrix - 3 Keystream Bytes Analysed
Table D.4: RC4-4 State Probability Matrix - 6 Keystream Bytes Analysed
Table D.5: RC4-4 State Probability Matrix - 9 Keystream Bytes Analysed
Table D.6: RC4-4 State Probability Matrix - 10 Keystream Bytes Analysed
Table D.7: RC4-4 State Probability Matrix - 11 Keystream Bytes Analysed
Table D.8: RC4-4 State Probability Matrix - 12 Keystream Bytes Analysed
Table D.9: RC4-4 State Probability Matrix - 13 Keystream Bytes Analysed
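Both appendices are easiest to check by running them. The Python below is an added worked example (it is not code from the thesis): ksa and prga implement the n-bit RC4-like cipher, so that ksa(4, [0, 1, 1, 1]) followed by thirteen prga steps reproduces the states and keystream bytes of Table D.1; forward_track is Algorithm C.0.1 written as a recursive depth-first search, in which the explicit psi/psj counters and the goto of step 12 become two loops over the pool of values not yet placed in S; and roll_back inverts the generator so that every recovered state can be rolled back to the start of the keystream and compared with the observed symbols. Assumptions not stated on the page: the key is given as n-bit words and scheduled with the standard RC4 key schedule, (i, j) = (0, 0) is known at the first observed symbol (the situation right after the key schedule), and the RC4-3 state used for the search demonstration is a constructed one. The full search is run on RC4-3 here because, as the thesis's step counts suggest, RC4-4 already takes far longer than a quick demonstration warrants.

```python
"""RC4-n (2**n-entry S-box): key schedule, generator, state roll-back and the
depth-first forward tracking search of Algorithm C.0.1. Added example, not the
thesis's code. Assumed: key words are n-bit values, and (i, j) = (0, 0) is known
at the start of the observed keystream (the situation after the key schedule)."""


def ksa(n, key):
    """RC4 key scheduling on a 2**n-entry S-box."""
    m = 1 << n
    s, j = list(range(m)), 0
    for i in range(m):
        j = (j + s[i] + key[i % len(key)]) % m
        s[i], s[j] = s[j], s[i]
    return s


def prga(n, s, i, j, length):
    """Generate `length` symbols from (i, j, S); returns (keystream, final state)."""
    m = 1 << n
    s, out = list(s), []
    for _ in range(length):
        i = (i + 1) % m
        j = (j + s[i]) % m
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % m])
    return out, (i, j, tuple(s))


def roll_back(n, state, steps):
    """Undo `steps` generator steps (the update is a bijection on states). A partial
    state is fine if every entry touched in those steps is assigned (not None).
    Returns (i, j, S, outputs) with the outputs in forward order."""
    m = 1 << n
    i, j, s = state[0], state[1], list(state[2])
    outputs = []
    for _ in range(steps):
        outputs.append(s[(s[i] + s[j]) % m])   # output of the step being undone
        s[i], s[j] = s[j], s[i]
        j = (j - s[i]) % m
        i = (i - 1) % m
    return i, j, tuple(s), outputs[::-1]


def forward_track(n, keystream, i=0, j=0):
    """Algorithm C.0.1 as a recursive depth-first search. Unassigned S entries
    are None; `avail` plays the role of A_0..A_{numavail-1}. Returns the states
    (i, j, S) reached after the last observed symbol and the nodes visited."""
    m = 1 << n
    s, avail = [None] * m, set(range(m))
    solutions, nodes = [], [0]

    def assign(pos, val):
        s[pos] = val
        avail.remove(val)

    def unassign(pos):
        avail.add(s[pos])
        s[pos] = None

    def forward_one(k, i, j):
        nodes[0] += 1
        if k == len(keystream):                 # step 1: all symbols explained
            solutions.append((i, j, tuple(s)))
            return
        i = (i + 1) % m                         # step 4
        free_i = s[i] is None
        for vi in (sorted(avail) if free_i else [s[i]]):       # step 5
            if free_i:
                assign(i, vi)
            jj = (j + s[i]) % m                 # step 6, from the caller's j
            free_j = s[jj] is None
            for vj in (sorted(avail) if free_j else [s[jj]]):  # step 7
                if free_j:
                    assign(jj, vj)
                t = (s[i] + s[jj]) % m          # step 8: output index
                s[i], s[jj] = s[jj], s[i]
                if s[t] == keystream[k]:        # known entry agrees (8c)
                    forward_one(k + 1, i, jj)
                elif s[t] is None and keystream[k] in avail:
                    assign(t, keystream[k])     # entry forced by the output (8d)
                    forward_one(k + 1, i, jj)
                    unassign(t)
                s[i], s[jj] = s[jj], s[i]       # backtrack (steps 10, 11)
                if free_j:
                    unassign(jj)
            if free_i:
                unassign(i)

    forward_one(0, i, j)
    return solutions, nodes[0]


def covers(partial, full):
    """True if every assigned entry of a partial S-box agrees with `full`."""
    return all(p is None or p == f for p, f in zip(partial, full))


if __name__ == "__main__":                      # recover a constructed RC4-3 state
    ks3, _ = prga(3, [3, 6, 1, 7, 0, 5, 2, 4], 0, 0, 12)
    sols, nodes = forward_track(3, ks3)
    print(len(sols), "candidate states after", nodes, "search nodes")
```

Each state returned by forward_track is the state after the last observed symbol, with the entries the generator never touched left as None; that is exactly a solution with unassigned entries in the sense of Appendix C, and roll_back succeeds on it because the search assigns every entry the generator reads. The node count returned beside the solutions is the work measure to compare against the step counts the thesis quotes: it grows roughly as the product of the pool sizes at the first few steps, which is why the same search on RC4-4 or RC4-5 is so much more expensive than on RC4-3.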
