Journal: Security and Communication Networks (Online)

Some security results of the RC4+ stream cipher


Abstract

The RC4+ stream cipher was proposed as an alternative to the well-known RC4 stream cipher. Its authors claimed that this new stream cipher was designed to overcome all the weaknesses reported against the alleged RC4 stream cipher. In the design specification of RC4+, the authors make use of an 8-bit design parameter called pad, which is fixed to the value 0xAA. The first distinguishing attack on RC4+, based on the bias of its first output byte, was shown in a previous paper. That paper also mentioned that the distinguishing attack would still hold if the pad used in RC4+ were fixed to any even 8-bit constant other than 0xAA. Therefore, the question that naturally arises is whether the design of RC4+ can be protected by fixing the pad parameter to some constant odd value. In this paper, we try to answer this very question. We show that the design is still vulnerable by mounting a distinguishing attack even if the pad is fixed to some constant 8-bit odd value. Surprisingly, we find that if the value of the pad is made equal to 0x03, the design provides maximum resistance to distinguishing attacks. Lastly, we return to the original cipher, that is, the one in which pad is set to 0xAA, and unearth another bias in the second output byte of the cipher. Thereafter, we present a generalized way of finding biases in every M-th output byte (M ≥ 3) of RC4+, that is, Z_M, based on the Hamming weight of m ≡ M mod N. Finally, we improve the differential fault attack on RC4+ proposed in a previous paper, both in terms of the number of faults required and the computational complexity. In fact, we reduce the number of faults by around 11264 on average, and our algorithm is around 2^6 times faster. Copyright © 2015 John Wiley & Sons, Ltd.

This paper provides an in-depth security analysis of the RC4+ stream cipher. Previously unknown long-term biases in the keystream are found and proven. The authors also suggest a small tweak that might improve the resistance of the cipher to such attacks.