Different attacks on the RC4 stream cipher

Similar documents
RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Stream Ciphers. Stream Ciphers 1

Information Security CS526

Statistical Analysis of the Alleged RC4 Keystream Generator

Key Collisions of the RC4 Stream Cipher

Information Security CS526

Plaintext Recovery Attacks Against WPA/TKIP

Double-DES, Triple-DES & Modes of Operation

Cryptanalysis of RC4(n, m) Stream Cipher

Cryptography. Summer Term 2010

Full Plaintext Recovery Attack on Broadcast RC4

Chapter 6 Contemporary Symmetric Ciphers

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Chapter 6: Contemporary Symmetric Ciphers

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Weaknesses in the Key Scheduling Algorithm of RC4

Practical Aspects of Modern Cryptography

Differential-Linear Cryptanalysis of Serpent

Analyzing Wireless Security in Columbia, Missouri

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptography and Network Security Chapter 7

A SIMPLE 1-BYTE 1-CLOCK RC4 DESIGN AND ITS EFFICIENT IMPLEMENTATION IN FPGA COPROCESSOR FOR SECURED ETHERNET COMMUNICATION

A Class of Weak Keys in the RC4 Stream Cipher Preliminary Draft

On the Applicability of Distinguishing Attacks Against Stream Ciphers

Pseudo-random number generators

Summary on Crypto Primitives and Protocols

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Introduction to Cryptography. Lecture 3

Is Your Wireless Network Being Hacked?

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

The Final Nail in WEP s Coffin

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

Efficiency Optimisation Of Tor Using Diffie-Hellman Chain

Overview of Security

Cryptography and Network Security

05 - WLAN Encryption and Data Integrity Protocols

Evaluation of RC4 Stream Cipher July 31, 2002

Random number generation

Data Encryption Standard (DES)

Cryptanalysis. Ed Crowley

Tel Aviv University. The Iby and Aladar Fleischman Faculty of Engineering

Cryptography ThreeB. Ed Crowley. Fall 08

Analysis of Involutional Ciphers: Khazad and Anubis

Wireless Network Security Spring 2015

A Cache Timing Analysis of HC-256

Breaking Grain-128 with Dynamic Cube Attacks

Linear Cryptanalysis of Reduced Round Serpent

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Wireless Network Security Spring 2016

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Network Security Essentials Chapter 2

Improved Truncated Differential Attacks on SAFER

Lab Configure Enterprise Security on AP

Syrvey on block ciphers

An implementation of super-encryption using RC4A and MDTM cipher algorithms for securing PDF Files on android

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

What you will learn. Summary Question and Answer

On the (In)security of Stream Ciphers Based on Arrays and Modular Addition

Network Security Essentials

Solutions to exam in Cryptography December 17, 2013

A General Analysis of the Security of Elastic Block Ciphers

All your Wireless belongs to us

U-II BLOCK CIPHER ALGORITHMS

Cryptanalysis of Block Ciphers: A Survey

c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

New Cryptanalytic Results on IDEA

Bytes Table 3. Complexity of the attack by the size of the known plaintext

Attacks on Advanced Encryption Standard: Results and Perspectives

Stream Ciphers An Overview

Introduction to Cryptography. Lecture 3

Cryptographic Hash Functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Elastic Block Ciphers: The Feistel Cipher Case

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Lecture 15: Public Key Encryption: I

Wireless Security Security problems in Wireless Networks

Release note Tornaborate

Security in IEEE Networks

On the Diculty of Software Key Escrow. Abstract. At Eurocrypt'95, Desmedt suggested a scheme which allows individuals to encrypt

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Symmetric Encryption 2: Integrity

CSC 474/574 Information Systems Security

Multimedia in the Internet

Realtime C&C Zeus Packet Detection Based on RC4 Decryption of Packet Length Field

Elastic Block Ciphers: Method, Security and Instantiations

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

A Related-Key Attack on TREYFER

Transcription:

Different attacks on the RC4 stream cipher Andreas Klein Ghent University Dept. of Pure Mathematics and Computer Algebra Krijgslaan 281 - S22 9000 Ghent Belgium

Overview The RC4 algorithm

Overview The RC4 algorithm Wireless LAN

Overview The RC4 algorithm Wireless LAN Distinguishing Attacks

Overview The RC4 algorithm Wireless LAN Distinguishing Attacks Fortuitous states

Overview The RC4 algorithm Wireless LAN Distinguishing Attacks Fortuitous states Weaknesses in the key scheduling phase The FMS-attack

Overview The RC4 algorithm Wireless LAN Distinguishing Attacks Fortuitous states Weaknesses in the key scheduling phase The FMS-attack A new attack A correlation in the RC4 pseudo random generator The basic version of the attack Using only few sessions Optimisation for WEP

Overview The RC4 algorithm Wireless LAN Distinguishing Attacks Fortuitous states Weaknesses in the key scheduling phase The FMS-attack A new attack A correlation in the RC4 pseudo random generator The basic version of the attack Using only few sessions Optimisation for WEP RC4A

The RC4 algorithm RC4 key scheduling 1: {initialization} 2: for i from 0 to n 1 do 3: S[i] := i 4: end for 5: j := 0 6: {generate a random permutation} 7: for i from 0 to n 1 do 8: j := (j + S[i] + K[i mod l]) mod n 9: Swap S[i] and S[j] 10: end for

The RC4 algorithm RC4 pseudo random generator 1: {initialization} 2: i := 0 3: j := 0 4: {generate pseudo random sequence} 5: loop 6: i := (i + 1) mod n 7: j := (j + S[i]) mod n 8: Swap S[i] and S[j] 9: k := (S[i] + S[j]) mod n 10: print S[k] 11: end loop

Wireless LAN Wireless LAN encrypts the packages with RC4.

Wireless LAN Wireless LAN encrypts the packages with RC4. The older protocol WEP uses keys of the form initialisation vector main key. The newer protocol WPA uses a temporal key hash to compute the session key.

Wireless LAN Wireless LAN encrypts the packages with RC4. The older protocol WEP uses keys of the form initialisation vector main key. The newer protocol WPA uses a temporal key hash to compute the session key. WEP is broken.

Errors in WEP The main key has only 5 bytes. (Corrected in later implementations.)

Errors in WEP The main key has only 5 bytes. (Corrected in later implementations.) The initialisation vector consists of only 3 bytes. This leads to a birthday attack.

Errors in WEP The main key has only 5 bytes. (Corrected in later implementations.) The initialisation vector consists of only 3 bytes. This leads to a birthday attack. The protocol adds CRC-checksums to the packages before encrypting. This is the wrong order.

Errors in WEP The main key has only 5 bytes. (Corrected in later implementations.) The initialisation vector consists of only 3 bytes. This leads to a birthday attack. The protocol adds CRC-checksums to the packages before encrypting. This is the wrong order. Public known header informations are encrypted. This leads to known plain text attacks without an enhancement of security.

Errors in WEP The main key has only 5 bytes. (Corrected in later implementations.) The initialisation vector consists of only 3 bytes. This leads to a birthday attack. The protocol adds CRC-checksums to the packages before encrypting. This is the wrong order. Public known header informations are encrypted. This leads to known plain text attacks without an enhancement of security. People use wireless LAN where they could use standard LAN, even in high security areas.

Distinguishing Attacks Goal Distinguish the RC4 pseudo random sequence from a true random sequence.

Distinguishing Attacks Goal Distinguish the RC4 pseudo random sequence from a true random sequence. Golić 1997: The sum of the last bits at time step t and t + 2 is correlated to 1, 2 40 bytes of the RC4 pseudo random sequence are distinguishable from a true random sequence.

Distinguishing Attacks Goal Distinguish the RC4 pseudo random sequence from a true random sequence. Golić 1997: The sum of the last bits at time step t and t + 2 is correlated to 1, 2 40 bytes of the RC4 pseudo random sequence are distinguishable from a true random sequence. Fluhrer, McGrew 2000: Correlations between two successive output bytes, 2 30 bytes are sufficient to distinguish RC4 from random noise.

Fortuitous states Defintion An RC4 state (S-Box, i and j) in which only m consecutive S-Box elements are known and only those m elements participate in producing the next m successive outputs, is call a fortuitous state of length m.

Fortuitous states Defintion An RC4 state (S-Box, i and j) in which only m consecutive S-Box elements are known and only those m elements participate in producing the next m successive outputs, is call a fortuitous state of length m. length m 2 3 4 5 6 number of fortuitous states 516 290 6540 25419 101819

Fortuitous states Defintion An RC4 state (S-Box, i and j) in which only m consecutive S-Box elements are known and only those m elements participate in producing the next m successive outputs, is call a fortuitous state of length m. length m 2 3 4 5 6 number of fortuitous states 516 290 6540 25419 101819 If we observe the output of a fortuitous state, we know the corresponding S-Box entries with probability 1 n.

Fortuitous states Defintion An RC4 state (S-Box, i and j) in which only m consecutive S-Box elements are known and only those m elements participate in producing the next m successive outputs, is call a fortuitous state of length m. length m 2 3 4 5 6 number of fortuitous states 516 290 6540 25419 101819 If we observe the output of a fortuitous state, we know the corresponding S-Box entries with probability 1 n. Predictive states and non-fortuitous states are generalisation of that concept.

Fortuitous states Defintion An RC4 state (S-Box, i and j) in which only m consecutive S-Box elements are known and only those m elements participate in producing the next m successive outputs, is call a fortuitous state of length m. length m 2 3 4 5 6 number of fortuitous states 516 290 6540 25419 101819 If we observe the output of a fortuitous state, we know the corresponding S-Box entries with probability 1 n. Predictive states and non-fortuitous states are generalisation of that concept. No practical attack using fortuitous states is known.

Weaknesses in the key scheduling phase

Weaknesses in the key scheduling phase There are 256 256 possible keys of full length, but only 256! different S-Box states. Since 256! does not divide 256 256, we know that the distribution of the initial S-Box permutation must differ from the uniform distribution.

Weaknesses in the key scheduling phase There are 256 256 possible keys of full length, but only 256! different S-Box states. Since 256! does not divide 256 256, we know that the distribution of the initial S-Box permutation must differ from the uniform distribution. Mironov 2002: The identity is the most likely initial permutation and the cycle (1, 2,..., n 1, 0) is the most unlikely initial permutation.

Weaknesses in the key scheduling phase There are 256 256 possible keys of full length, but only 256! different S-Box states. Since 256! does not divide 256 256, we know that the distribution of the initial S-Box permutation must differ from the uniform distribution. Mironov 2002: The identity is the most likely initial permutation and the cycle (1, 2,..., n 1, 0) is the most unlikely initial permutation. Suggestion: Do not use the first 12 256 bytes of the RC4 pseudo random sequence to avoid a possible exploitation of this weakness.

The FMS-attack

The FMS-attack The basic version of the FMS-attack assumes session keys of the form initialisation vector main key. The initialisation vector should be 3 bytes long.

The FMS-attack The basic version of the FMS-attack assumes session keys of the form initialisation vector main key. The initialisation vector should be 3 bytes long. We consider only initialisation vectors of the form (3, 255, X ).

The FMS-attack The basic version of the FMS-attack assumes session keys of the form initialisation vector main key. The initialisation vector should be 3 bytes long. We consider only initialisation vectors of the form (3, 255, X ). In the first step of the key scheduling, j is set to 3 and S-Box has the value 4, 1, 2, 0, 4, 5,..., 255.

The FMS-attack The basic version of the FMS-attack assumes session keys of the form initialisation vector main key. The initialisation vector should be 3 bytes long. We consider only initialisation vectors of the form (3, 255, X ). In the first step of the key scheduling, j is set to 3 and S-Box has the value 4, 1, 2, 0, 4, 5,..., 255. In the next step, i is increased to 1 and j is increased by S[1] + K[1] = 1 + 255 0 mod 256. The S-box has the value 4, 0, 2, 1, 4, 5,..., 255.

The FMS-attack The basic version of the FMS-attack assumes session keys of the form initialisation vector main key. The initialisation vector should be 3 bytes long. We consider only initialisation vectors of the form (3, 255, X ). In the first step of the key scheduling, j is set to 3 and S-Box has the value 4, 1, 2, 0, 4, 5,..., 255. In the next step, i is increased to 1 and j is increased by S[1] + K[1] = 1 + 255 0 mod 256. The S-box has the value 4, 0, 2, 1, 4, 5,..., 255. The value X is known so we can compute the third step of the key scheduling.

The FMS-attack We can express the value t of S[3] after the fourth step of the key scheduling as a function in X and the unknown key byte K.

The FMS-attack We can express the value t of S[3] after the fourth step of the key scheduling as a function in X and the unknown key byte K. The probability that S[0], S[1] and S[3] are not changed in the remaining 252 steps of the key scheduling is approximately (1 3 256 )252 1 e 3 0.05.

The FMS-attack We can express the value t of S[3] after the fourth step of the key scheduling as a function in X and the unknown key byte K. The probability that S[0], S[1] and S[3] are not changed in the remaining 252 steps of the key scheduling is approximately (1 3 256 )252 1 e 3 0.05. With probability > 0.05 we observe t as first byte of the RC4 pseudo-random sequence.

The FMS-attack We can express the value t of S[3] after the fourth step of the key scheduling as a function in X and the unknown key byte K. The probability that S[0], S[1] and S[3] are not changed in the remaining 252 steps of the key scheduling is approximately (1 3 256 )252 1 e 3 0.05. With probability > 0.05 we observe t as first byte of the RC4 pseudo-random sequence. About 60 sessions of the (3, 255, X ) are sufficient to reconstruct the first key byte K.

The FMS-attack We can express the value t of S[3] after the fourth step of the key scheduling as a function in X and the unknown key byte K. The probability that S[0], S[1] and S[3] are not changed in the remaining 252 steps of the key scheduling is approximately (1 3 256 )252 1 e 3 0.05. With probability > 0.05 we observe t as first byte of the RC4 pseudo-random sequence. About 60 sessions of the (3, 255, X ) are sufficient to reconstruct the first key byte K. Once K is known, we can treat it as part of the initialisation vector and reconstruct the other key bytes.

The FMS-attack We can express the value t of S[3] after the fourth step of the key scheduling as a function in X and the unknown key byte K. The probability that S[0], S[1] and S[3] are not changed in the remaining 252 steps of the key scheduling is approximately (1 3 256 )252 1 e 3 0.05. With probability > 0.05 we observe t as first byte of the RC4 pseudo-random sequence. About 60 sessions of the (3, 255, X ) are sufficient to reconstruct the first key byte K. Once K is known, we can treat it as part of the initialisation vector and reconstruct the other key bytes. The FMS attack needs between 1000000 and 4000000 sessions to reconstruct the main key.

The FMS-attack (Conclusions) Advice Do not use the first bytes of the RC4 pseudo random sequence. Advice Do not rely on the RC4 key scheduling to protect your main-key. Use session keys of the form hash-function(session-id main-key).

A correlation in the RC4 pseudo random generator Theorem Assume that the internal states are uniformly distributed. Then for a fixed public pointer i, we have: P(S[j] + S[k] i mod n) = 2 n (1) For c i mod n we have: P(S[j] + S[k] c mod n) = n 2 n(n 1) (2)

A correlation in the RC4 pseudo random generator Theorem Assume that the internal states are uniformly distributed. Then for a fixed public pointer i, we have: P(S[j] + S[k] i mod n) = 2 n (1) For c i mod n we have: P(S[j] + S[k] c mod n) = n 2 n(n 1) (2) Proof (sketch): Use k S[j] + S[i] mod n to write S[j] + S[k] i k + S[k] i + S[i] mod n. Count the corresponding states. mod n as

The basic version of the attack

The basic version of the attack Assume that the session key has the form main key initialisation vector.

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0].

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0]. Compute the first step of the key scheduling phase.

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0]. Compute the first step of the key scheduling phase. Express the value t of S[1] after the second step of the key scheduling phase as function in K[0] and K[1].

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0]. Compute the first step of the key scheduling phase. Express the value t of S[1] after the second step of the key scheduling phase as function in K[0] and K[1]. The probability that S[1] is not changed in the remaining step of the key scheduling is (1 1 256 )254 1 e.

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0]. Compute the first step of the key scheduling phase. Express the value t of S[1] after the second step of the key scheduling phase as function in K[0] and K[1]. The probability that S[1] is not changed in the remaining step of the key scheduling is (1 1 256 )254 1 e. The first step of the pseudo random generator sets j to S[1].

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0]. Compute the first step of the key scheduling phase. Express the value t of S[1] after the second step of the key scheduling phase as function in K[0] and K[1]. The probability that S[1] is not changed in the remaining step of the key scheduling is (1 1 256 )254 1 e. The first step of the pseudo random generator sets j to S[1]. Apply the theorem to conclude: P(t 1 S[k] mod n) 1 e 2 n + (1 1 e ) n 2 n(n 1) 1.36 n.

The basic version of the attack Assume that the session key has the form main key initialisation vector. Guess the first key byte K[0]. Compute the first step of the key scheduling phase. Express the value t of S[1] after the second step of the key scheduling phase as function in K[0] and K[1]. The probability that S[1] is not changed in the remaining step of the key scheduling is (1 1 256 )254 1 e. The first step of the pseudo random generator sets j to S[1]. Apply the theorem to conclude: P(t 1 S[k] mod n) 1 e 2 n + (1 1 e ) n 2 n(n 1) 1.36 n. We must observe about 25, 000 sessions to recover K[1].

Variants Once the byte K[1] is known, we can attack the bytes K[2] and so on.

Variants Once the byte K[1] is known, we can attack the bytes K[2] and so on. The session keys are not really independent from each other. For a main key of length b bytes, it is possible that j is set to 1 at a time step between 1 and b. If this happens, the basic attack will fail to recover the key byte K[1]. It is possible to cope with such ugly keys.

Variants Once the byte K[1] is known, we can attack the bytes K[2] and so on. The session keys are not really independent from each other. For a main key of length b bytes, it is possible that j is set to 1 at a time step between 1 and b. If this happens, the basic attack will fail to recover the key byte K[1]. It is possible to cope with such ugly keys. One can use the attack also against session keys of the form initialisation vector main key.

Variants Once the byte K[1] is known, we can attack the bytes K[2] and so on. The session keys are not really independent from each other. For a main key of length b bytes, it is possible that j is set to 1 at a time step between 1 and b. If this happens, the basic attack will fail to recover the key byte K[1]. It is possible to cope with such ugly keys. One can use the attack also against session keys of the form initialisation vector main key. Combining the idea of this attack with the idea of weak initialisation vectors, we get an attack which does not use the first 256 bytes of the RC4 pseudo random sequence.

Reducing the number of sessions Problem We are not able to observe enough (25000) session.

Reducing the number of sessions Problem We are not able to observe enough (25000) session. Consider the following case: Key length : 128 bits (16 bytes). Number of sessions: 12000.

Reducing the number of sessions Problem We are not able to observe enough (25000) session. Consider the following case: Key length : 128 bits (16 bytes). Number of sessions: 12000. Use the observe sessions to calculate the a posteriori probability for t = f (K[0], K[1]). The a posteriori probability is given by P i = P(t = i the absolute frequencies are f i ) = n j=1 pf j i,j n, n k=1 j=1 pf j k,j with p i,j = p = 1.36 n for i = j and p i,j = q = 1 p n 1 for i j.

Reducing the number of sessions (continued) Compute the a posteriori probabilities for the other key bytes.

Reducing the number of sessions (continued) Compute the a posteriori probabilities for the other key bytes. The a posteriori entropy is about 64.

Reducing the number of sessions (continued) Compute the a posteriori probabilities for the other key bytes. The a posteriori entropy is about 64. Start a complete key search, but test the keys with the highest a posteriori probability first. You can expect to find the right key after 2 64 steps. For comparison a full key search needs 2 128 steps.

Optimisation for WEP Problem It easy to observe extra Wireless LAN Packages (use ARP-spoofing). But is time consuming to store observed sessions.

Optimisation for WEP Problem It easy to observe extra Wireless LAN Packages (use ARP-spoofing). But is time consuming to store observed sessions. E. Tews, R. Weinmann and A. Pyshkin (Darmstadt) found a way to attack the different key bytes in parallel. They use t = S3 1 ((3 + i) X (i + 2)) j i+3 3 S 3 (j) for an estimation of K[i]. (S 3 and j 3 denote the S-box and j after the third step of the key scheduling phase.) The approximation is wrong for a small fraction of the key space. For strong keys, we must still recover the key bytes sequentially. j=3

Definition of RC4A RC4A pseudo random generator 1: {initialization} 2: i := 0 3: j 1 := 0 j 2 := 0 4: {generate pseudo random sequence} 5: loop 6: i := (i + 1) mod n 7: j 1 := (j 1 + S 1 [i]) mod n 8: Swap S 1 [i] and S 1 [j] 9: k 2 := (S 1 [i] + S 1 [j]) mod n 10: print S 2 [k 2 ] 11: j 2 := (j 2 + S 2 [i]) mod n 12: Swap S 2 [i] and S 2 [j] 13: k 1 := (S 2 [i] + S 2 [j]) mod n 14: print S 1 [k 1 ] 15: end loop

Attacking RC4A Theorem Assume that all permutations have the same probability, and that S 1 and S 2 are independent. Then: P(S 1 [j 1 ] + S 1 [k 1 ] + S 2 [j 2 ] + S 2 [k 2 ] 2i mod n) = 1 n 1. (3)

Attacking RC4A Theorem Assume that all permutations have the same probability, and that S 1 and S 2 are independent. Then: P(S 1 [j 1 ] + S 1 [k 1 ] + S 2 [j 2 ] + S 2 [k 2 ] 2i mod n) = 1 n 1. (3) The correlation is weaker than the corresponding correlation of RC4.

Attacking RC4A Theorem Assume that all permutations have the same probability, and that S 1 and S 2 are independent. Then: P(S 1 [j 1 ] + S 1 [k 1 ] + S 2 [j 2 ] + S 2 [k 2 ] 2i mod n) = 1 n 1. (3) The correlation is weaker than the corresponding correlation of RC4. But we can still mount an attack on this correlation.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback