"Analysis and Implementation of RC4 Stream Cipher"
Total Page:16
File Type:pdf, Size:1020Kb
Analysis and Implementation of RC4 Stream Cipher A thesis presented to Indian Statistical Institute in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science by Sourav Sen Gupta under the supervision of Professor Subhamoy Maitra Applied Statistics Unit INDIAN STATISTICAL INSTITUTE Kolkata, West Bengal, India, 2013 To the virtually endless periods of sweet procrastination that kept me sane during the strenuous one-night stands with my thesis. i ii Abstract RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Designed in 1987 by Ron Rivest, RC4 is the most widely deployed commercial stream cipher, having applications in network protocols such as SSL, WEP, WPA and in Microsoft Windows, Apple OCE, Secure SQL, etc. The enigmatic appeal of the cipher has roots in its simple design, which is undoubtedly the simplest for any practical cryptographic algorithm to date. In this thesis, we focus on the analysis and implementation of RC4. For the first time in RC4 literature, we report significant keystream bi- ases depending on the length of RC4 secret key. In the process, we prove two empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. In addition to this, we present a conclusive proof for the extended keylength dependent biases in RC4, a follow-up problem to our keylength dependent results, identified and partially solved by Isobe, Ohigashi, Watanabe and Morii in FSE 2013. In a recent result by AlFardan, Bernstein, Paterson, Poettering and Schuldt, to appear in USENIX Security Symposium 2013, the authors ob- served a bias of the first output byte towards 129. While attempting the proof of this bias, we observed that the bias occurs prominently only for certain lengths of the RC4 secret key. In addition, our findings revealed that this bias may be related to the old and unsolved problem of ‘anomalies’ in the distribu- tion of the state array S0, right after the Key Scheduling Algorithm. In this connection, we prove the bias in (S0[128] = 127), a problem left open for more iii than a decade since the observation of anomaly pairs by Mantin in 2001. Subsequently, we present theoretical proofs of some significant initial-round empirical biases involving the state variables of RC4, observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010. We also study the non-random behavior of index j and completely characterize the first two instances j1, j2 of the index. In the same part of the thesis, we show that there are certain events in the RC4 keystream that leak state information with probability 3/N, higher than the best existing glimpse correlations identified by Jenkins in 1996. We further study the short-term and long-term biases in RC4 keystream bytes. In the process, we derive the complete probability distribution of the first byte of RC4 keystream, a problem left open for a decade since the ob- servation by Mironov in CRYPTO 2002. In addition to this, we contradict a claim by Mantin and Shamir from FSE 2001 by proving that there exist positive biases towards zero for all the initial bytes 3 to 255 of RC4. In the recent work of AlFardan, Bernstein, Paterson, Poettering and Schuldt, extensive computations were conducted to identify significant short- term single-byte keystream biases of RC4, some of which already exist in the current literature, and some of which are new. We prove (almost) all new, unproved or partially proved significant biases observed in the aforesaid work. We also investigate for long-term non-randomness in the keystream, and prove a new long-term bias of RC4. Our proofs and observations in this thesis, along with their connections to the contemporary and old results, provide a comprehensive view on the state-of-the-art literature in RC4 cryptanalysis. In the second part of this thesis, we systematically study the hardware implementation of RC4, and propose the fastest known design for the cipher. For the first time in the literature, we exploit the idea of loop unrolling in RC4 hardware design, and subsequently combine hardware pipelining to loop unrolling in a hybrid architecture that produces 2 bytes-per-cycle throughput in RC4. This is better than the existing 3 cycles-per-byte design by Kitsos, Kostopoulos, Sklavos and Koufopavlou, and the 3 cycles-per-byte and 1 cycle- per-byte patents of Matthews Jr. We have optimized and implemented our proposed designs using VHDL description, synthesized with 130 nm, 90 nm and 65 nm fabrication technologies, for proper comparison with existing designs in terms of keystream throughput and hardware footprint. iv Acknowledgments You can’t connect the dots looking forward; you can only connect them looking backwards. – Steve Jobs Looking back at the last few years that I have spent at Indian Statistical Institute as a doctoral student, I see several people who have significantly influenced the course of my thesis, as well as my life. I take this opportunity to offer my gratitude to all who stood beside me in the hardest of times. First and foremost, I extend my heartfelt gratitude to my PhD supervisor, Prof. Subhamoy Maitra, Indian Statistical Institute, Kolkata. The ease with which Subhamoy-da converted our ‘student-supervisor’ relationship into a last- ing friendship, will remain an eternal mystery to me. Every research problem that we have discussed, debated upon and solved, has enriched my academic outlook; and every morsel of experience that he has kindly shared with me will continue to add value to my life. I will always be grateful to Subhamoy-da for being my friend, philosopher and guide during the last few years; primarily because he kept his sanity and sense of humor alive whenever I lost mine! It was a delight working with my collaborators and co-authors – Prof. Bha- bani P Sinha of ISI Kolkata, Prof. Dr.-Ing. Anupam Chattopadhyay of RWTH Aachen, Dr. Goutam Paul of Jadavpur University, Dr. Santanu Sarkar of CMI Chennai and Dr. Koushik Sinha of HP Labs India. Their academic insight and vision have taught me a lot over the last few years, and I look forward to further collaborations with them in the future. I would like to specially thank Goutam-da and Anupam-da for mentoring and supporting me in numerous ways, academic and otherwise, during the course of this thesis. I would like to express my sincerest gratitude to the esteemed anonymous reviewers of my thesis for their invaluable comments, which helped me improve the technical presentation and editorial quality of the thesis to a great extent. v I am thankful to Applied Statistics Unit, ISI Kolkata for supporting me during the formative years of my doctoral studies; Centre of Excellence in Cryptology, ISI Kolkata, funded by DRDO, Government of India, for support- ing parts of my research; and MPSoC Architectures, UMIC Research Centre, RWTH Aachen University, Germany, for hosting me during Summer 2011. I have always idolized Prof. Bimal Roy, Director, Indian Statistical Insti- tute, without whose active support and unparalleled vision, the field of Cryp- tology would probably not exist in Indian academia in the first place. I extend my sincerest gratitude to Bimal-da; it is because of him that I could get the perfect academic ambiance at the Institute, and the coveted exposure in this niche area that would otherwise remain only a distant dream for me. I am indebted to Prof. Rana Barua, Prof. Palash Sarkar, Dr. Kishan Chand Gupta and Dr. Mridul Nandi for several invaluable discussions during the tenure of my PhD. I would also like to thank my past and present colleagues at ISI Kolkata, Sibu-da, Mrinal-da, Somitra-da, Sumanta-da, Pinaki-da, Ashish- da, Sushmita-di, Srimanta-da, Rishi-da, Sumit-da, Tapas-da, Indranil-da, Subhadeep-da, Sanjay, Subhabrata, Somindu, Shashank, Samiran, Nilanjan, Avik, Satrajit and Pratyay, for providing me with an adorable social support. Special thanks to Rishi-da, as it was only through the uncountably many philo- sophical and technical discussions with him that I could see myself through the most arduous times during the last few years. I humbly acknowledge the kind support of Cryptology Research Society of India, and that of Mr. Amitabha Sinha (our beloved Amitabha-da), during my stay at ISI Kolkata. I am also thankful to the Director’s office, the Dean’s office, the ASU, BIRU and CoEC offices, and all administrative sectors of the Institute, for their continuous support to make my life smooth at the Institute. My family has always been the ‘happy place’ for me; even in the hardest of times. This thesis could not be completed without the ardent support and inspiration from my parents, Baapi and Maa, who made me what I am by resting their unflinching faith in me at every step of my life. Undoubtedly the most significant contribution towards this thesis has been made by Sananda – my wife, who painstakingly accepted the thesis as her co-wife, night after night, even during the first year of our marriage. Thank you Love! vi Contents Abstract.................................. iii Contents.................................. vii List of Tables............................... xiii List of Figures............................... xv 1 Preliminaries and Motivation1 1.1 Scope of this Thesis.........................2 1.2 Stream Ciphers...........................3 1.2.1 One-Time Pad and Perfect Secrecy............3 1.2.2 Generic model for Stream Ciphers.............4 1.2.3 Cryptanalysis of Stream Ciphers..............7 1.2.4 Practical Designs...................... 11 1.3 Motivation of the Thesis...................... 13 1.3.1 Description of RC4..................... 14 1.3.2 Choice of RC4 for analysis and implementation....