International Association
for Cryptologic Research

Name: Goutam Paul
Topic: Analysis and Design of RC4 and Its Variants
Category: secret-key cryptography

Description: The main focus of this thesis is the analysis of RC4 stream cipher and its implications in the design issues of shuffle-exchange paradigm of stream cipher.\r\n

\r\nThe RC4 stream cipher has two components. These are the Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA). The KSA uses a secret key $K[0\\ldots l-1]$ of $l$ bytes to scramble a permutation $S[0\\ldots N-1]$ of $N$ bytes using two indices $i$ and $j$. The PRGA uses this scrambled permutation and performs further shuffle-exchanges to produce keystream output bytes $z_1, z_2, z_3,\\ldots$.\r\n

\r\nFirst, we perform a detailed theoretical analysis of RC4 KSA. We derive explicit formulae for the probabilities with which the permutation bytes $S[y]$ at any stage of the KSA are biased to the secret key. Theoretical proofs of these probabilities have been left open since Roos\' observation (1995). Along the same line, we analyze a generalization of the RC4 KSA corresponding to a class of update functions of\r\nthe indices involved in the swaps and find that such weaknesses are intrinsic in shuffle-exchange kind of key scheduling. Moreover, for the first time we show that biases towards the secret key also exist in $S[S[y]], S[S[S[y]]]$, and so on, for initial values of $y$. We also study a weakness of the RC4 Key Scheduling Algorithm (KSA) that has already been noted by Mantin and Mironov. We present a simple proof that each permutation byte after the KSA is\r\nsignificantly biased (either positive or negative) towards many values in the range $0, \\ldots, N-1$. Further, we present a detailed empirical study over Mantin\'s work when the theoretical formulae vary significantly from\r\nexperimental results due to repetition of short keys in RC4.\r\n

\r\nBased on our analysis of the key scheduling, for the first time we show that the secret key of RC4 can be recovered from the state information in a time much less than the exhaustive search with good probability. Our research ge[...]