Attack on Broadcast RC4

Transcription

1 Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011

2 Outline of the Talk Introduction Basics of RC4 Stream Cipher Motivation and Contribution Our Result: Bias of Output Bytes Computing the Bias Exploiting the Bias Attack on RC4 Broadcast Scheme Study: on-randomness of j on-randomness in Different Rounds Conclusion Summary of the Paper 2 of 26

3 Introduction RC4 Stream Cipher Designed by Ron Rivest in 1987 Data Structure S-array of size = 256 bytes Key k of size 5 to 16 bytes Final key K of = 256 bytes Two indices i and j Output: Stream of bytes Photo: 3 of 26

4 Introduction RC4 Stream Cipher Key Scheduling Algo (KSA) j = j + S[i] + K[i] i j of 26

5 Introduction RC4 Stream Cipher Key Scheduling Algo (KSA) j = j + S[i] + K[i] i j Pseudo-Random Gen. Algo (PRGA) j = j + S[i] S[i] + S[j] i j Z 4 of 26

6 Introduction Cryptanalysis of RC4 More than 20 years of cryptanalytic results Finney Cycle [1994] Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008] Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007] on-randomness of Permutation [Mantin, 2001] Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005] State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008] on-random event: Glimpse Bias [Jenkins, 1996] 5 of 26

7 Introduction Cryptanalysis of RC4 More than 20 years of cryptanalytic results Finney Cycle [1994] Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008] Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007] on-randomness of Permutation [Mantin, 2001] Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005] State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008] on-random event: Glimpse Bias [Jenkins, 1996] Distinguishing Attacks 5 of 26

8 Introduction Distinguishing Attacks Goal: Find an event which occurs with different probability in RC4 than in case of a perfectly random source. Existing Distinguishers Digraph Repetition Bias (Occurrence of ABTAB) [Mantin, 2001] Biased Second Output Byte (z 2 = 0) [Mantin & Shamir, 2001] A set of new linear biases of RC4 [Sepehrdad et al, 2010]... a few more in this work 6 of 26

9 Introduction Motivation for this Work FSE A Practical Attack on Broadcast RC4. I. Mantin and A. Shamir. LCS 2355, pp , Main Claim: Pr(z 2 = 0) 2 (bias of second byte) 7 of 26

10 Introduction Motivation for this Work FSE A Practical Attack on Broadcast RC4. I. Mantin and A. Shamir. LCS 2355, pp , Main Claim: Pr(z 2 = 0) 2 (bias of second byte) Two related claims 1. Pr(z r = 0) 1 at PRGA rounds 3 r Pr(z r = 0 j r = 0) > 1 and Pr(z r = 0 j r 0) < 1 for 3 r 255. These two biases, when combined, cancel each other to give no bias at z r = 0 for rounds 3 to of 26

11 Introduction Contribution of this Work FSE Attack on Broadcast RC4 Revisited. 1. Pr(z r = 0) 1 at PRGA rounds 3 r 255. Pr(z r = 0) 1 for 3 r 255 Additional results exploiting the above bias 8 of 26

12 Introduction Contribution of this Work FSE Attack on Broadcast RC4 Revisited. 1. Pr(z r = 0) 1 at PRGA rounds 3 r 255. Pr(z r = 0) 1 for 3 r 255 Additional results exploiting the above bias 2. Pr(z r = 0 j r = 0) > 1 and Pr(z r = 0 j r 0) < 1 for 3 r 255. These two biases, when combined, cancel each other to give no bias at z r = 0 for rounds 3 to 255. Further investigation of the events Careful analysis of non-randomness of j 8 of 26

13 Our Result: Bias of Output Bytes Our Result Bias of Output Bytes 9 of 26

14 Our Result: Bias of Output Bytes Our Result Output bytes 3 to 255 are also biased to Zero Theorem For 3 r 255, the probability that the r-th RC4 keystream byte is equal to 0 is Pr(z r = 0) 1 + c r 2. where c r is given by [ ( 1 ) r + ( 1 ) r 1 ( 1 ) 1 ] [ ( 1 ) r 2 ] of 26

15 Our Result: Bias of Output Bytes Motivation for Proof (our result) Proposition (Jenkins Correlation) After the r-th (r 1) round of the PRGA, Pr(S r [j r ] = i r z r ) = Pr(S r [i r ] = j r z r ) 2. Corollary After the r-th (r 1) round of the PRGA, Pr(z r = r S r 1 [r]) of 26

16 Our Result: Bias of Output Bytes Motivation for Proof (our result) Proposition (Jenkins Correlation) After the r-th (r 1) round of the PRGA, Pr(S r [j r ] = i r z r ) = Pr(S r [i r ] = j r z r ) 2. Corollary After the r-th (r 1) round of the PRGA, Pr(z r = r S r 1 [r]) 2. How about Pr(S r 1 [r] = r)? 11 of 26

17 Our Result: Bias of Output Bytes Mantin s Observation At the end of KSA, for 0 u 1, 0 v 1, [ ( Pr(S 0 [u] = v) = 1 1 ) v ( + 1 ( ) 1 v ) ( 1 ) u 1 ] [ ( Pr(S 0 [u] = v) = 1 1 ) u 1 ( + 1 ) v ] v u v > u 12 of 26

18 Our Result: Bias of Output Bytes Mantin s Observation At the end of KSA, for 0 u 1, 0 v 1, [ ( Pr(S 0 [u] = v) = 1 1 ) v ( + 1 ( ) 1 v ) ( 1 ) u 1 ] [ ( Pr(S 0 [u] = v) = 1 1 ) u 1 ( + 1 ) v ] v u v > u Does this propagate to PRGA? 12 of 26

19 Our Result: Bias of Output Bytes Sketch of Proof (our result) Mantin s Observation: Bias for S 0 [r] = r S r 1 [r] = r may happen in two ways: 1. S 0 [r] = r and i, j never touches this cell 2. S 0 [r] r but S r 1 [r] = r occurs at random 13 of 26

20 Our Result: Bias of Output Bytes Sketch of Proof (our result) Mantin s Observation: Bias for S 0 [r] = r S r 1 [r] = r may happen in two ways: 1. S 0 [r] = r and i, j never touches this cell 2. S 0 [r] r but S r 1 [r] = r occurs at random Lemma For r 3, the probability that S r 1 [r] = r is [ ( ) ] 1 r 1 Pr(S r 1 [r] = r) Pr(S 0 [r] = r) of 26

21 Our Result: Bias of Output Bytes Sketch of the Proof (our result) z r = 0 can be branched as follows: S r 1 [r] = r (lemma) and z r = r S r 1 [r] (Jenkin) S r 1 [r] r (lemma) and z r = 0 (random) 14 of 26

22 Our Result: Bias of Output Bytes Sketch of the Proof (our result) z r = 0 can be branched as follows: S r 1 [r] = r (lemma) and z r = r S r 1 [r] (Jenkin) S r 1 [r] r (lemma) and z r = 0 (random) Hence the result: Pr(z r = 0) 1 + c r 2 with c r = [ ( 1 ) r + ( 1 ) r 1 ( 1 ) 1 ] [ ( 1 ) r 2 ] of 26

23 Our Result: Bias of Output Bytes umerical Bound on c r max c r = c 3 = and min c r = c 255 = r r Pr(z r = 0) of 26

24 Our Result: Bias of Output Bytes Experimental Verification umber of trials = 1 Billion Key size = 16 Bytes [ote: Sepehrdad et al (2010) do not cover these biases] 16 of 26

25 Our Result: Bias of Output Bytes Applications Of the Biases Discovered 17 of 26

26 Our Result: Bias of Output Bytes Appl. 1: A Class of ew Distinguishers E occurs in X with probability p and in Y with probability p(1 + ɛ) implies a possible distinguisher with O(p 1 ɛ 2 ) required samples. In case of our E : z r = 0 for 3 r 255, Random source: p = 1 RC4 Keystream: p(1 + ɛ) = 1 ( 1 + c r ) 18 of 26

27 Our Result: Bias of Output Bytes Appl. 1: A Class of ew Distinguishers E occurs in X with probability p and in Y with probability p(1 + ɛ) implies a possible distinguisher with O(p 1 ɛ 2 ) required samples. In case of our E : z r = 0 for 3 r 255, Random source: p = 1 RC4 Keystream: p(1 + ɛ) = 1 ( 1 + c r ) We get 253 new distinguishers, each requiring O( 3 ) samples! [ote: Mantin & Shamir (2001) distinguisher is much stronger] 18 of 26

28 Our Result: Bias of Output Bytes Appl. 2: Guessing State Information Idea: Guess S r 1 [r] = r using output information z r = 0 Pr(S r 1 [r] = r z r = 0) = Pr(S r 1[r]=r) Pr(z r =0) Pr(z r = 0 S r 1 [r] = r) 2 ( 1 + cr ) ( cr 1 + c r ) of 26

29 Our Result: Bias of Output Bytes Appl. 3: Attack on RC4 Broadcast Scheme Situation: Message M is broadcast to k parties (random keys) Attack: Reliably extract byte(s) of M from the k ciphertexts 20 of 26

30 Our Result: Bias of Output Bytes Appl. 3: Attack on RC4 Broadcast Scheme Situation: Message M is broadcast to k parties (random keys) Attack: Reliably extract byte(s) of M from the k ciphertexts Mantin & Shamir (FSE 2001): Extract 2nd byte of M given k = Ω() We can extract bytes 3 to 255 of M given k = Ω( 3 ) Idea: r-th byte of M gets XOR-ed with z r, which is 0 most often. 20 of 26

31 Study: on-randomness of j Study on-randomness of j 21 of 26

32 Study: on-randomness of j on-randomness of j 1 ote that j 1 = j 0 + S 0 [i 1 ] = 0 + S 0 [1] = S 0 [1], where S 0 is the state array right after KSA is over. Pr(j 1 = v) = Pr(S 0 [1] = v) = 1, v = ( 1 ( ( ( 1 ) 2 ), v = 1 ) 2 ( + 1 ) v ), v > 1 22 of 26

33 Study: on-randomness of j on-randomness of j 1 ote that j 1 = j 0 + S 0 [i 1 ] = 0 + S 0 [1] = S 0 [1], where S 0 is the state array right after KSA is over. Pr(j 1 = v) = Pr(S 0 [1] = v) = 1, v = ( 1 ( ( ( 1 ) 2 ), v = 1 ) 2 ( + 1 ) v ), v > 1 Clearly not random! 22 of 26

34 Study: on-randomness of j on-randomness of j 2 ote that j 2 = j 1 + S 1 [i 2 ] = S 0 [1] + S 1 [2] Pr(j 2 = v) = 1 w=0 Pr(S 0 [1] = w) Pr((S 1 [2] = v w) (S 0 [1] = w)) 23 of 26 Case I. S 0 [1] = 2 S 1 [2] = 2. Pr((S 1 [2] = v 2) (S 0 [1] = 2)) = Case II. S 0 [1] 2 S 1 [2] = S 0 [2]. { 1 if v = 4, 0 otherwise. Pr((S 1 [2] = v w) (S 0 [1] 2)) = Pr(S 0 [2] = v w).

35 Study: on-randomness of j on-randomness of j 2 24 of 26

36 Study: on-randomness of j on-randomness of j 2 Appl: Combine Jenkin s bias Pr(S r [i r ] = j r z r ) = 2 to get Pr(S 2 [i 2 ] = 4 z 2 ) 1 + 4/ of 26 [ote: Sepehrdad et al (2010) do not cover this bias] [ote: j behaves almost random round 3 onwards]

37 Conclusion Summary This paper: Revisiting Mantin Shamir paper from FSE Bias of Keystream bytes towards Zero EW A new class of distinguishers for RC4 Attack on RC4 broadcast scheme along this line Guessing related state information from keystream 2. Strong bias of j 2 towards 4 EW Guessing related state information from keystream 25 of 26

38 Conclusion thank you for your kind attention 26 of 26