Proof of Empirical RC4 Biases and New Key Correlations
In SAC 2010, Sepehrdad, Vaudenay and Vuagnoux have reported some empirical biases between the secret key, the internal state variables and the keystream bytes of RC4, by searching over a space of all linear correlations between the quantities involved. In this paper, for the first time, we give theoretical proofs for all such significant empirical biases. Our analysis not only builds a framework to justify the origin of these biases, it also brings out several new conditional biases of high order. We establish that certain conditional biases reported earlier are correlated with a third event with much higher probability. This gives rise to the discovery of new keylength-dependent biases of RC4, some as high as 50/N, where N is the size of the RC4 permutation. The new biases in turn result in successful keylength prediction from the initial keystream bytes of the cipher.
KeywordsConditional Bias Key Correlation Keylength Prediction RC4
- 3.LAN/MAN Standard Committee. ANSI/IEEE standard 802.11b: Wireless LAN Medium Access Control (MAC) and Physical Layer (phy) Specifications (1999)Google Scholar
- 4.LAN/MAN Standard Committee. ANSI/IEEE standard 802.11i: Amendment 6: Wireless LAN Medium Access Control (MAC) and Physical Layer (phy) Specifications. Draft 3 (2003)Google Scholar
- 6.Mantin, I.: Analysis of the stream cipher RC4. Master’s Thesis, The Weizmann Institute of Science, Israel (2001), http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Mantin1.zip
- 11.Roos, A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id email@example.com, firstname.lastname@example.org (1995), http://marcel.wanda.ch/Archive/WeakKeys
- 15.Wagner, D.: My RC4 weak keys. Post in sci.crypt, message-id 447o1l$cbj@cnn.Princeton.EDU. (September 26, 1995), http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys