Weaknesses in the Key Scheduling Algorithm of RC4

Scott Fluhrer (Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA; sfluhrer@cisco.com), Itsik Mantin and Adi Shamir (Computer Science Department, The Weizmann Institute, Rehovot, Israel; {itsik,shamir}@wisdom.weizmann.ac.il)

Abstract

In this paper we present several weaknesses in the key scheduling algorithm of RC4 and describe their cryptanalytic significance. We identify a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with non-negligible probability. We use these weak keys to construct new distinguishers for RC4 and to mount related-key attacks with practical complexities. Finally, we show that RC4 is completely insecure in a common mode of operation which is used in the widely deployed Wired Equivalent Privacy protocol (WEP, which is part of the 802.11 standard), in which a fixed secret key is concatenated with known IV modifiers in order to encrypt different messages. Our new passive ciphertext-only attack on this mode can recover an arbitrarily long key in a negligible amount of time which grows only linearly with its size, both for 24-bit and 128-bit IV modifiers.

1 Introduction

RC4 is the most widely used stream cipher in software applications. It was designed by Ron Rivest in 1987 and kept as a trade secret until it leaked out in 1994. RC4_n has a secret internal state which is a permutation of all the N = 2^n possible n-bit words, along with two indices in it. In practical applications n = 8, and thus RC4 has a huge state of log2(2^8! × (2^8)^2) ≈ 1700 bits.

In this paper we analyze the Key Scheduling Algorithm (KSA), which derives the initial state from a variable-size key, and describe two significant weaknesses of this process. The first weakness is the existence of large classes of weak keys, in which a small part of the secret key determines a large number of bits of the initial permutation (the KSA output). In addition, the Pseudo-Random Generation Algorithm (PRGA) translates these patterns in the initial permutation into patterns in the prefix of the output stream, and thus RC4 has the undesirable property that for these weak keys its initial outputs are disproportionally affected by a small number of key bits. These weak keys have a length which is divisible by some non-trivial power of two, i.e., ℓ = 2^q m for some q > 0. (Here and in the rest of the paper, ℓ is the number of words of K, where each word contains n bits.) When RC4_n uses such a weak key of ℓ words, fixing n + q(ℓ − 1) + 1 bits of K (as a particular pattern) determines Θ(qN) bits of the initial permutation with probability one half, and determines various prefixes of the output stream with various probabilities (depending on their length).

The second weakness is a related-key vulnerability, which applies when part of the key presented to the KSA is exposed to the attacker. It consists of the observation that when the same secret part of the key is used with numerous different exposed values, an attacker can rederive the secret part by analyzing the initial word of the keystreams with relatively little work. This concatenation of a long-term secret part with an attacker-visible part is a commonly used mode of RC4, and in particular it is used in the WEP (Wired Equivalent Privacy) protocol, which protects many wireless networks. Our new attack on this mode is practical for any key size and for any modifier size, including the 24-bit modifier recommended in the original WEP and the 128-bit modifier recommended in the revised version WEP2.

The paper is organized in the following way. In Section 2 we describe RC4 and previous results about its security. In Section 3 we consider a slightly modified variant of the Key Scheduling Algorithm, called KSA*, and prove that a particular pattern of a small number of key bits suffices to completely determine a large number of state bits. Afterwards, we show that this weakness of KSA*, which we denote as the invariance weakness, exists in a weaker form also in the original KSA. In Section 4 we show that, with high probability, the patterns of initial states associated with these weak keys also propagate into the first few outputs, and thus a small number of weak key bits determine a large number of bits in the output stream. In Section 5 we describe several cryptanalytic applications of the invariance weakness, including a new type of distinguisher. In Sections 6 and 7 we describe the second weakness, which we denote as the IV weakness, and show that a common method of using RC4 is vulnerable to a practical attack due to this weakness. In Section 8 we show how both these weaknesses can separately be used in a related-key attack. In the appendices we examine how the IV weakness can be used to attack a real system (Appendix A), how the invariance weakness can be used to construct a ciphertext-only distinguisher and to prove that RC4 has low sampling resistance (Appendices B and C), and how to derive the secret key from an early permutation state (Appendix D).

2 RC4 and Its Security

2.1 Description of RC4

RC4 consists of two parts (described in Figure 1): a key scheduling algorithm KSA, which turns a random key (whose typical size is 40 to 256 bits) into an initial permutation S of {0, ..., N−1}, and an output generation part PRGA, which uses this permutation to generate a pseudo-random output sequence.

The PRGA initializes two indices i and j to 0, and then loops over four simple operations which increment i as a counter, increment j pseudo-randomly, exchange the two values of S pointed to by i and j, and output the value of S pointed to by S[i] + S[j]. Note that every entry of S is swapped at least once (possibly with itself) within any N consecutive rounds, and thus the permutation S evolves fairly rapidly during the output generation process.

The KSA consists of N loops that are similar to the PRGA round operation. It initializes S to be the identity permutation and i and j to 0, and applies the PRGA round operation N times, stepping i across S and updating j by adding S[i] and the next word of the key (in cyclic order). We will call each round of KSA a step.

  KSA(K)
    Initialization:
      For i = 0 ... N−1
        S[i] = i
      j = 0
    Scrambling:
      For i = 0 ... N−1
        j = j + S[i] + K[i mod ℓ]
        Swap(S[i], S[j])

  PRGA(K)
    Initialization:
      i = 0
      j = 0
    Generation loop:
      i = i + 1
      j = j + S[i]
      Swap(S[i], S[j])
      Output z = S[S[i] + S[j]]

Fig. 1. The Key Scheduling Algorithm and the Pseudo-Random Generation Algorithm. (Here and in the rest of the paper all the additions are carried out modulo N.)

2.2 Previous Attacks on RC4

Due to the huge effective key of RC4, attacking the PRGA seems to be infeasible (the best known attack on this part requires time that exceeds 2^700). The only practical results related to the PRGA deal with the construction of distinguishers. Fluhrer and McGrew described in [FM] how to distinguish RC4 outputs from random strings with 2^30 data. A better distinguisher, which requires 2^8 data, was described by Mantin and Shamir in [MS]. However, this distinguisher could only be used to mount a partial attack on RC4 in broadcast applications.

The fact that the initialization of RC4 is very simple stimulated considerable research on this mechanism of RC4. In particular, Roos discovered in [Roo] a class of weak keys that reduces their effective size by five bits, and Grosul and Wallach showed in [GW] that for large keys whose size is close to N words, RC4 is vulnerable to a related-key attack. More analysis of the security of RC4 can be found in [KMP], [Gol] and [MT].

3 The Invariance Weakness

Due to space limitations we prove here the invariance weakness only for a simplified variant of the KSA, which we denote as KSA* and describe in Figure 2. The only difference between them is that KSA* updates i at the beginning of the loop, whereas KSA updates i at the end of the loop. After formulating and proving the existence of this weakness in KSA*, we describe the modifications required to apply this analysis to the real KSA.

  KSA(K) (a)
    For i = 0 ... N−1
      S[i] = i
    i = 0
    j = 0
    Repeat N times
      j = j + S[i] + K[i mod ℓ]
      Swap(S[i], S[j])
      i = i + 1

  KSA*(K)
    For i = 0 ... N−1
      S[i] = i
    i = 0
    j = 0
    Repeat N times
      i = i + 1
      j = j + S[i] + K[i mod ℓ]
      Swap(S[i], S[j])

(a) KSA is rewritten in a way which clarifies the relation to KSA*.

Fig. 2. KSA vs. KSA*

3.1 Definitions

Definition 1. Let S be a permutation of {0, ..., N−1}, t be an index in S and b be some integer. Then if S[t] ≡ t (mod b), the permutation S is said to b-conserve the index t. Otherwise, the permutation S is said to b-unconserve the index t.

Denote the permutation S and the indices i and j after round t of KSA* as S_t, i_t and j_t respectively. Denote the number of indices that a permutation S b-conserves as I_b(S). For the sake of simplicity, we often write I_t instead of I_b(S_t).

Definition 2. A permutation S of {0, ..., N−1} is b-conserving if I_b(S) = N, and is almost b-conserving if I_b(S) ≥ N − 2.

Definition 3. Let b and ℓ be integers, and let K be an ℓ-word key. Then K is called a b-exact key if for any index t, K[t] ≡ (1 − t) (mod b). In case K[0] = 1 and msb(K[1]) = 1, K is called a special b-exact key. Notice that for this condition to hold, it is necessary (but not sufficient) that b | ℓ.

3.2 The Weakness

Theorem 1. Let q ≤ n and ℓ be integers and b := 2^q. Suppose that b | ℓ and let K be a b-exact key of ℓ words. Then the permutation S = KSA*(K) is b-conserving.

Before getting to the proof itself, we will prove an auxiliary lemma.

Lemma 1. If i_t ≡ j_t (mod b), then I_t = I_{t−1}.

Proof. The only operation that might affect S_t (and maybe I_t) is the swapping operation. However, when i_t and j_t are equivalent (mod b), S_t b-conserves i_t (j_t) if and only if S_{t−1} b-conserved j_t (i_t). Thus, the number of indices S_t b-conserves remains the same. □

Proof of Theorem 1. We will prove by induction on t that for any 1 ≤ t ≤ N, it turns out that I_b(S_t) = N and i_t ≡ j_t (mod b). This in particular implies that I_N = N, which makes the output permutation b-conserving. For t = 0 (before the first round) the claim is trivial, because i_0 = j_0 = 0 and S_0 is the identity
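The two algorithms of the first figure, the KSA* variant of the second figure, and a check of the theorem on b-exact keys, as an added example that is not code from the paper. The key in the main block is a constructed 16-word b-exact key with b = 4 (q = 2); the names ksa, prga, conserved_count and b_exact_key are this example's own.

```python
# Added example, not code from the paper: the KSA and PRGA of RC4 as the
# paper describes them, the KSA* variant (i updated at the start of each
# step), and a check of the theorem that a b-exact key yields a b-conserving
# permutation under KSA*.  Parameters n = 8, N = 256 as in practice.
N = 256

def ksa(key, star=False):
    """Key scheduling.  star=False is the real KSA (i incremented at the end
    of the loop); star=True is KSA*, which increments i at the start."""
    ell = len(key)
    S = list(range(N))           # S starts as the identity permutation
    i = j = 0
    for _ in range(N):
        if star:
            i = (i + 1) % N
        j = (j + S[i] + key[i % ell]) % N   # all additions are mod N
        S[i], S[j] = S[j], S[i]
        if not star:
            i = (i + 1) % N
    return S

def prga(S, nwords):
    """Output generation: returns the first nwords keystream words."""
    S = S[:]                     # work on a copy of the permutation
    i = j = 0
    out = []
    for _ in range(nwords):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out

def conserved_count(S, b):
    """I_b(S): the number of indices t that S b-conserves, S[t] = t (mod b)."""
    return sum(1 for t in range(N) if S[t] % b == t % b)

def b_exact_key(ell, b, high):
    """A b-exact key of ell words: K[t] = 1 - t (mod b).  high[t] supplies
    the remaining (free) bits of each word; the theorem holds for any choice.
    Requires b | ell, which the definition needs anyway."""
    assert ell % b == 0
    return [((1 - t) % b) + b * (high[t] % (N // b)) for t in range(ell)]

if __name__ == "__main__":
    # Constructed key: ell = 16 words, q = 2 so b = 4, free bits = 0..15.
    K = b_exact_key(16, 4, list(range(16)))
    print("KSA*:", conserved_count(ksa(K, star=True), 4), "of", N, "indices 4-conserved")
    print("KSA :", conserved_count(ksa(K), 4), "of", N, "indices 4-conserved")
```

Under KSA* the count is always N for such a key, whereas the real KSA gives no such guarantee because its first step swaps S[0] with S[K[0]].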