New State Recovery Attack on RC4

(1)

AlexanderMaximovandDmitryKhovratovich

LaboratoryofAlgorithmics,CryptologyandSecurity

UniversityofLuxembourg

6,rueRichardCoudenhove-Kalergi,L-1359Luxembourg

[email protected], [email protected]

Abstract. ThestreamcipherRC4wasdesigned by R.Rivestin1987,

andithasaverysimpleandelegant structure.Itisprobably themost

deployedcipherontheEarth.

InthispaperweanalysetheclassRC4-

N

ofRC4-likestreamciphers, where

N

is the modulus of operations, as well as the lengthof inter-nalarrays.Ournewattackis astaterecoveryattackwhichacceptsthe

keystream ofa certain length, and recoversthe internal state. For the

originalRC4-256,ourattackhastotalcomplexityofaround

2

241

opera-tions,whereasthebestpreviousattackneeds

2

779

oftime.Moreover,we

showthatifthesecretkeyisoflength

N

bitsorlonger,thenewattack worksfasterthananexhaustivesearch.Thealgorithmoftheattackwas

implementedandveriedonsmallcases.

Keywords:RC4, staterecoveryattack,keyrecoveryattack.

1 Introduction

RC4[Sch96]isastreamcipherdesignedbyRonRivestin1987,andsincethenit

hasbeenimplementedin manyvarious softwareapplications toensure privacy

in communication.It is, perhaps,the mostwidely deployedstream cipher and

its mostcommonapplication is toprotectInternettrac in the SSLprotocol.

Moreover,ithasbeenimplementedinMicrosoftLotus,OracleSecure SQL,etc.

ThedesignofRC4waskeptsecretuntil1994when itwasanonymouslyleaked

to themembers of the Cypherpunk community. A bit later the correctness of

thealgorithmwasconrmed.

InthispaperwestudyafamilyRC4-

N

ofRC4likestreamciphers,where

N

isthemodulusofoperations.TheinternalstateofRC4istworegisters

i, j

∈

Z

N

and a permutation

S

of all elements of

Z

N

. Thus, RC4 has a huge state of

log

2 (

N

2 N

!)

bits.Fortheoriginalversion,when

N

= 256

,thesize ofthestateis

≈

1700

bits. This makesanytime-memory trade-o attacksimpractical.

RC4-256usesavariablelengthkeyfrom 1to256bytesforitsinitialisation.

TheinitialisationprocedureofRC4hasbeenthoroughlyanalysedinalarge

numberofvariouspapers,seee.g.[MS01,Man01,PP04].Theseresultsshowthat

theinitialisationofRC4isweak,andthesecretkeycanberecoveredwithasmall

portionofdata/time.Becauseoftheseattacks,RC4canberegardedasbroken.

(2)

manycryptanalysiseorts.Inmostanalysesthescenarioassumesthatkeystream

ofsomelengthisgiven,andeitheradistinguishing([Gol97,FM00,Max05,Man05])

orastaterecovery([KMP

+

98])attackisofinterest.Astaterecoveryattackcan

beusedto determinetheactualsecuritylevelofacipher,iftheinitial internal

stateisconsideredasasecretkey.Therststaterecoveryattackwasproposed

by Knudsen et alin 1998 [KMP

+

98]. Thishad a computationalcomplexity of

2

779

.Someminorimprovementswerefoundinotherliterature,e.g.[MT98],but

still,thereisnoattackevencloseto

2

700

.Oneinterestingattempttoimprovethe

analysiswasrecentlydonein [Man05].Although thatattackis onlyapotential

one,thepretendingtimecomplexityclaimedwasaround

2

290

.

In this paper we propose a new state recoveryattack on RC4-

N

. For the

originaldesignRC4-256thetotaltimecomplexityoftheattackislessthan

2

241

,

requiringkeystreamof asimilarlength.This meansthatthere isnoadditional

gaininusingasecretkeylongerthan30bytes.Wealsoshowthatingeneralifthe

secretkeyisoflength

N

bits orlongerthenewattackisfaster thanexhaustive

keysearch.

The idea of the new attack is asfollows.The algorithm searches fora

placeinthekeystreamwheretheprobabilityofaspecicinternalstate,

compli-antwithachosenpattern,ishigh.Afterwards,thenewstaterecoveryalgorithm

isusedtogetherwithasmallportionofdata(around

2 N

outputwords)inorder

torecovertheinternalstateofthecipherinaniterativemanner.Thisalgorithm

hasbeenimplementedandveriedforsmallvaluesof

N

,ithasdeterminedthe

correctinternalstateineverysimulationrun.Thesuccessrateofthefullattack

is shown to beat least 98%. For large values of

N

, where simulationswere

impossible,anupperbound fortheaveragecomplexityoftheattackis derived

andcalculated.

This paper is organizedas follows. In Section 2 thenew iterativestate

re-coveryalgorithm isdescribedindetail.Afterwards,Section3introducesvarious

propertiesofapatternthatareneededfortherecoveringalgorithm.Aneective

searchingalgorithmtondsuchpatternsisalsoproposedinAppendixB(dueto

thepagelimitationandclarityofpresentation).Section4describesseveral

tech-niquesto detectspecicstatesbyobservingthekeystream,andalsointroduces

additional properties of a pattern needed for detection purposes. Theoretical

analysis of the staterecoveryalgorithm and derivation of itscomplexity

func-tionsareperformedinAppendixC.Allpiecesoftheattackarethencombinedin

Section5.Finally,weperformasetofsimulationsoftheattack,summarizethe

resultsand concludein Section 6.Thepaperends withsuggestionsfor further

improvementsandopenproblemsinSection 7.

1.1 Notations

All internal variablesof RC4 are overthering

Z

N

, where

N

is thesize of the

ring.TospecifyaparticularinstanceofthecipherwedenoteitbyRC4-

N

.Thus,

theoriginaldesignisRC4-

256

.Wheneverapplicable,

+

and

−

areperformedin

(3)

t

.Thekeystreamisdenotedby

z

= (

z

1 , z

2 , . . .

)

,where

zi

is avalue

0 ≤

zi

< N

.

Inalltablesprobabilitiesandcomplexitieswillbegiveninalogarithmicalform

withbase2.

1.2 Description ofthe KeystreamGenerator RC4-

N

The newattacktargets thekeystreamgeneration phaseof RC4 and,thus, the

initialisationprocedurewillnotbedescribed.Wereferto,e.g., [Sch96]forafull

descriptionofRC4.Aftertheinitialisationprocedure,thekeystreamgeneration

algorithmofRC4begins.ItsdescriptionisgiveninFigure 1.

Internalvariables:

i, j

integersin

Z

N

S[0

. . . N

−

1]

apermutationofintegers

0 . . . N

−

1 S[

· ]

isinitialisedwiththesecretkey The keystreamgeneratorRC4-

N

i

=

j

= 0

Loopuntilwegetenoughsymbolsover

Z

N

(A)

i

=

i

+ 1

(B)

j

=

j

+

S[i]

(C)swap(

S[i], S[j]

) (D)

z

t

=

S[S[i] +

S

[j]]

Fig.1.ThekeystreamgenerationalgorithmofRC4-

N

.

2 New State Recovery Algorithm

2.1 PreviousAnalysis: Knudsen'sAttack

In[KMP

+

98]Knudsenetal.havepresentedabasicrecursivealgorithmtorecover

theinternal stateof RC4.It starts atsomepoint

t

in thekeystream

z

given

k

knowncellsof thepermutation

St

,which helpstherecursionto cancelunlikely

branches. The idea of the algorithm is simple. At every time

t

we have four

unknowns:

jt, St

[

it

]

, St

[

jt

]

, S

t

−

1 [

zt

]

.

(1)

Onecansimplysimulatethepseudorandomgenerationalgorithmand,when

nec-essary,guesstheseunknownvaluesinordertocontinuethesimulation.The

re-cursionstepsbackwardwhenacontradictionisreachedduetopreviouslywrong

guesses.Additionally,it canbeassumedthat some

k

valuesareaprioriknown

(guessed, given, or derived somehow), and this may reduce the complexity of

the attack signicantly. An important note is that theknown

k

valuesshould

(4)

Theprecisecomplexityoftheattackwascalculatedin[KMP

+

98],andseveral

tables for various values of

N

and

k

were given in Appendices D.1 and D.2

of [Man01]. As an example, the complete state recovery attack on RC4-256

wouldrequiretimearound

2

779

.

2.2 OurAlgorithm forState Recovery

Inthissectionweproposeanimprovedversionofthestaterecoveryalgorithm.

Assume that, at sometime

t

in awindowof length

w

+ 1

of thekeystream

z

,

allthevalues

jt, jt

+1

, jt

+2

, . . . , jt

+

w

areknown.Thismeansthatfor

w

stepsthe

values

St

+1

[

it

+1

]

, . . . , Si

+

w

[

it

+

w

]

areknownaswell,sincetheyarederivedas

St

+1

[

it

+1

] =

jt

+1

−

jt,

∀

t.

(2)

Consequently,

w

equationsofthefollowingkindcanbecollected:

S

k

−

1 [

zk

] =

Sk

[

ik

] +

Sk

[

jk

]

,

k

=

t

+ 1

, . . . , t

+

w,

(3)

whereonlytwovariablesareunknown,

S

_k

−

1 [

zk

]

,

Sk

[

jk

]

,

(4)

insteadoffourinKnudsen'sattack,see(1).Letthesetofconsecutive

w

equations

oftheform(3)becalledawindowof length

w

.

Since all

j

s in the window are known, then allswapsdone during these

w

steps are known as well. This makes it possible to map the positions of the

internal state

St

atanytime

t

to thepositions ofsomechosengroundstate

St0

atsomegroundtime

t

0

inthewindow.Forsimplicity,letusset

t

0 = 0

.

Ournewstaterecoveryalgorithmisarecursivealgorithm,showninFigure2.

It startswithacollectionof

w

equations,andattemptsto solvethem. Asingle

equationiscalledsolvedorprocessedifitscorrespondingunknowns(4)havebeen

explicitlyderivedor guessed. Duringtheprocess, thewindowwill dynamically

increase and decrease.When thelength of the window

w

is longenough(say,

w

= 2

N

), andallequationsaresolved, thegroundstate

S

0

islikelytobefully

recovered.

Now we givea moredetailed description of thedierentparts of the

algo-rithm.

Iterative Recovering (IR) Block TheIterative Recovering blockreceivesa

number

a

of active equations (not yet processed) in the window of length

w

asinput, andtries to derivethevaluesof

St

[

jt

]

sand

S

−

1 t

[

zt

]

s.Todothat,the

IR blockgoesthroughtwostepsiteratively, until no morenewderivations are

possible.Ifallpreviousguesseswerecorrect,thenallnewlyderivedvalues(cells

ofthegroundstate)will becorrectwithprobability1.Otherwise,whentheIR

(5)

Iterative

Recovering

Window

Expansion

Find and Guess the

Maximum Clique

Contradiction?

Are all

equations in the window

solved?

Are new

equations available?

Guess One

S

[

i

]

no

yes

no

recursion

backward

recursion

forward

recursion

forward

1.

4.

3.

2. yes

Fig.2.Newstaterecoveryalgorithm.

A. Assumethat,foroneoftheactiveequationsitsoutputsymbol

zt

isalready

allocated somewhere in the ground state. I.e., the value

S

−

1 t

[

zt

]

is known,

andthesecond unknown

St

[

jt

]

canexplicitlybederivedusing (3).

Acontradictionarisesif(a)

St

[

jt

]

isalreadyallocatedanditis notequalto

thederivedvalue;(b)thederivedvaluealreadyexistsinsomeothercell.

B. Alreadyallocated values may give the value of

St

[

jt

]

in another equation.

Consequently,anewvalue

S

−

1 t

[

zt

]

canbederivedvia(3),whichmight

pos-siblycauseacontradiction.

Find and Guess the Maximum Clique (MC) Block If no more active

equations can explicitely be solved,

S

−

1 t

[

zt

]

for one

t

has to be guessed. The

Find and Guess the Maximum Clique block analyses given active equations,

andchoosestheelementthatgivesthemaximumnumberof newderivationsin

consecutiverecursivecalls oftheIRblock. Thiselementisthenguessed.

Theanalysis isverysimple.Let

a

activeequationsbevertices

vt

in agraph

representation.Twovertices

vt

0

and

vt

00

areconnectedif

zt

0 =

zt

00

and/or

St

0 [

jt

0 ]

and

St

00 [

jt

00 ]

refer (likepointers)to thesamecellof theground state.Guessing anyunknown variablein anyconnected subgraphsolvesall equationsinvolved

in that subgraph.Therefore,letus callthese subgraphscliques. TheMC block

searchesforamaximumclique,andthenguess one

S

−

1 t

[

zt

]

foroneofthe

equa-tionsbelongingto theclique.Afterwards,theIRblockiscalledrecursively.

WindowExpansion(WE)Block Obviously,themoreequationswehavethe

faster the algorithm works.Therefore, a new equation is added to the system

(6)

ontheleafsoftherecursion.

GuessOne

S[i]

(GSi)Block Iftherearenoactiveequationsbuttheground

state

S

0

is not yet fully determined, the windowis then expanded by adirect

guessof

S

[

i

]

,infrontorinbackofthewindow.ThentheWE,IRandMCblocks

continuetoworkasusual.Additionalheuristicscanbeappliedforchoosingwhich

sideofthewindowtobeexpandedforalargersuccess.

AppendixA providesanexamplethatshowsthestepsoftheoutlined

algo-rithm.

3 Precomputations: Finding Good Patterns

Thealgorithmpresentedintheprevioussectionisusedinthefullstaterecovery

attackasapartofit.Everytimewhenthealgorithm isrunningatsomepoint

of thekeystream,its eectiveness depends on certainproperties ofthe current

internalstate.Althoughthesepropertiesarenotvisiblefortheintruder,shemay

have agood guess aboutplaces in thekeystream where the internal statehas

goodproperties(seeSection 4),and applythestaterecoveryalgorithm onlyat

thoseplaces.

In this section we will dene patterns (see Denition 1), they determine

hugesets ofinternal stateswith commonproperties. If,for instance, apattern

has a largewindow then this certainly helps decreasingthe complexity of the

algorithm. However,the probabilitythat theinternal stateiscompliantwitha

certainpatterndecreaseswiththenumberofconditionsputonthepattern.

Inthis sectionwediscusspropertiesof patterns that inuence onthe

com-plexityof theattack, andalso studytheir availability. Wehavealso developed

anecientalgorithmforndingthesepaterns,anditislocatedinAppendixB.

3.1 Generative States

Letusstartwiththefollowingdenition

Denition1 (

d

-orderpattern). A

d

-order patternisatuple

A

=

{

i, j, P, V

}

,

i, j

∈

Z

N

,

(5)

where

P

and

V

are two vectors from

Z

d

N

with pairwise distinct elements. At a

time

t

the internal state issaid tobecompliant with

A

if

it

=

i, jt

=

j

,and

d

cells of the state

St

with indices from

P

contain corresponding values from

V

.

u

t

Theexample in Figure 4in Appendix A illustrates how a 5-order pattern

allowstoreceiveawindowoflength15.However,thehighertheorder,theless

(7)

Denition2 (

w

-generative pattern). A pattern

A

is called

w

-generative

iffor anyinternalstatecompliantwith

A

the next

w

clockingsallowtoderive

w

equations ofthe form (3),i.e., consecutive

w

+ 1

values of

j

sareknown.

u

t

Table 1 demonstrates a 4-order 7-generative pattern

A

={-7,-8,{-6, -5, -4,

0}, {6,-1,2,-2}},that supports theabovedenitions. Eightequations involve

symbolsofthekeystream

zt

+1

, . . . , zt

+8

associatedwithacertaintime

t

.Wesay

thatthekeystream istrueiftheinternalstateattime

t

iscompliantwiththe

pattern,otherwisewesaythekeystream israndom.

Letanotherpattern

B

bederivedfrom

A

as

B

=

A

+

τ

=

{

i

+

τ, j

+

τ, P

+

τ, V

}

,

(6)

for some shift

τ

. The pattern

B

is likely to be

w

-generative as well. This

happenswhenthepropertiesof

A

areindependentof

N

,whichistheusualcase.

i

t

j

t

S

[i]

S[j]

S[i] +

S

[j]

z

t

−

6 −

5 −

4 −

3 −

2 −

1 0 1 2 3 4 5

−

7 −

8

6 −

1 2

x

1 x

2 x

3 −

2 x

4 x

5 x

6 x

7 x

8 −

6 −

2 6

x

2 6 +

x

2 ∗

x

2 −

1 2

x

1

6 x

3 −

2 x

4 x

5 x

6 x

7 x

8 −

5 −

3 −

1 x

1 −

1 +

x

1 ∗

x

2 x

1

2 −

1 6

x

3 −

2 x

4 x

5 x

6 x

7 x

8 −

4 −

1 2

x

3 2 +

x

3 ∗

x

2 x

1 x

3 −

1 6

2 −

2 x

4 x

5 x

6 x

7 x

8 −

3 −

2 −

1

6

5 x

8 x

2 x

1 x

3

6 −

1 2

−

2 x

4 x

5 x

6 x

7 x

8 −

2 −

3 −

1

6

5 x

8 x

2 x

1 x

3 −

1 6

2 −

2 x

4 x

5 x

6 x

7 x

8 −

1 −

1 2

2

4 x

7 x

2 x

1 x

3 −

1 6

2 −

2 x

4 x

5 x

6 x

7 x

8

0 −

3 −

2 −

1 −

3 −

2 x

1 x

3 −

2 6

2 −

1 x

4 x

5 x

6 x

7 x

8

1 ∗

x

4 ∗

∗

Table 1.Anexampleofa4-order7-generativepattern.

3.2 Availability

Wehavedoneasetofsimulationsinordertondmaximum

w

-generative

d

-order

patterns, denoted by

M

d

. Theresults are given in Table 7(a)in Appendix D.

Searchingforahighorderpatternisachallengingtasksincethecomputational

complexitygrowsexponentiallywith

d

.Thebestresultachievedinourworkis

a

14

-order

76

-generativepattern

M14

.

Realvaluesfromoursimulations Approximatedvalues

d

=

2 3 4 5 6 7 8 9 1011121314 151617 18 19 20 21

w

max

=

6101521273137425055616876 828894100106112118

Table2.Dependencyofthemaximum

w

from

d

,simulatedandapproximatedvalues.

Table2showsthedependencyofamaximumachievablegenerativeness

w

max

from the order

d

. We can note that this dependency is almost linear, and it

(8)

Conjecture1. Therateof

w

max

d

≈

6

as

d

→ ∞

. 1

u

t

That conjecture allows us to make a prediction about certain parameters

for patterns with large

d

. These could not be found due to a very high

pre-computationcomplexity,but theyareneededtoanalysetheattackforlarge

N

(

N

= 128

,

256

in Table3). However,giventhose parameters,

d

and

w

, wecan

derivetheoreticalcomplexitiesof theattackonaverage.This hasbeendonein

Appendix C.

Anecientsearchalgorithmforpatterns withdesiredpropertiesisgivenin

Appendix B.

4 Detection of Patterns in the Keystream

Intheprevioussectionwehavestudiedpropertiesofapatternthataredesirable

forthestaterecoveryalgorithmto workfastand ecient.Wehavealso shown

(in Appendix B) howthese patterns canbefound, and introduced an ecient

searchingalgorithm.

InthissectionweshowhowtheinternalstateofRC4,complianttoachosen

pattern, can be detected by observing the keystream. If the detection is very

good,thenthestaterecoveryalgorithmmightonlyhavetobeexecutedonce,at

therightlocationinthekeystream.

Thedetectionmechanismitselfcanbetrivial(nodetectionatall),inwhich

case the algorithm has to be run at every position of the keystream. On the

other hand, a good detection may require a deep analysis of the keystream,

wherespecicpropertiesofthepatterncanbeusedeciently.

4.1 First Levelof Analysis

TheinternalstateofRC4compliantto a

d

-orderpattern

A

canberegardedas

aninternaleventwithprobability

Pr

{

E

int

}

=

N

−

d

−

1 .

(7)

Whentheinternaleventoccurs,therecouldexistanexternalevent

E

ext

ob-servedinthekeystream,andassociatedwiththepattern

A

,i.e.,

Pr

{

E

ext

|

E

int

}

=

1

.ApplyingBayes'lawwecanderivethedetectionprobability

P

det

ofthepattern

A

in thekeystreamas

P

det

= Pr

{

E

int

|

E

ext

}

=

Pr

{

E

int

}

Pr

{

E

ext

}

.

(8)

1

Indeed,thejumpof

w

max

as

d

incrementsbyoneisthesequence

Γ

={4,5,6,6,4, 6,5,8,5,6,7,8,

. . .

}.Obviously,forsmall

d

thisjumpissmall,anditisnotable that thejump increasesfor larger

d

.Inoursimulationsheuristicswereused(see SectionB)whensearchingpatternsfor

d

≥

6

.Thismeansthatourjumps inthe sequence

Γ

could possibly be larger if anoptimal searching techniqueis applied, sinceourheuristiccannotguaranteethatwegetapatternwiththelongestwindow.

(9)

Our goalin this section is to study possibleexternal events withhigh

P

det

in

orderto increasethedetectionofthepattern.

Denition3 (

l

-denitive pattern). A

w

-generative pattern

A

is called

l

-denitiveif thereare exactly

l

outof

w

equations withdetermined

S

[

j

]

s.

u

t

It means that in

l

equations

S

[

i

] +

S

[

j

]

are known. If, additionally,

z

0 ₌

S

[

S

[

i

] +

S

[

j

]]

isalsoknown,thenthecorrectvalueof

zt

=

z

0

attherightposition

t

ofthekeystream

z

detectsthecasethe stateattime

t

ispossiblycompliant

tothe pattern.Otherwise,when

zt

6 =

z

0

,itsaysthatthestateattime

t

cannot

becompliant tothepattern.

Fordetectionpurposesalarge

l

(upto

d

)isimportant.Fromourexperiments

wefoundthat,however,alarge

l

canbeachieved viaaslight reductionofthe

parameter

w

.Thisleadsusto onemoreconjecture.

Conjecture2. For any

d

and

w

=

w

max

−

λ

there exist a pattern with

l

=

d

,

where

λ

isrelativelysmall 2

.

u

t

Inthefollowingdenitionweintroduceotherpropertiesofapatterthatare

importantforitsgooddetectionviathekeystream.

Denition4 (

bα, bβ, bγ

-α,β,γ

predictive pattern). Letus havean

l

-denitive

pattern

A

andconsider only thoseequationswhere

S

[

j

]

saredetermined. Then,

the pattern

A

iscalled

bα

-α

predictive iffor

bα

of the

l

equations

S

[

S

[

i

] +

S

[

j

]]

isdetermined. Forthe remaining

l

−

bα

equationstwoadditional denitionsare

as follows. The pattern

A

iscalled

bβ

-β

predictive if for

bβ

pairs of the

l

−

bα

equationstheunknowns

S

[

S

[

i

]+

S

[

j

]]

smustbethesame.Thesetof

bβ

pairsmust

be of full rank. The pattern

A

is called

bγ

-γ

predictive if the

l

−

bα

equations

containexactly

bγ

dierent variables of

S

[

S

[

i

] +

S

[

j

]]

.

u

t

Thesetypesofpredictivenessareotherpropertiesofapatternvisibleinthe

keystream.Forexample,itisnotonlynecessarytosearchforknown

z

0

values(

bα

ofsuch),butonecanalsorequirethatcertainpairsofthekeystreamsymbols(

bβ

ofsuch)areequal

zt

0 =

zt

00

, whichalsohelpstodetectthepatternsignicantly. Theparameter

bα

is usually quite moderate and to haveit larger than 15

isquitedicult.However,theothercriteriaaremoreexibleandcanbelarge.

Thesenewparametersfollowtheconstraint

bα

+

bβ

+

bγ

=

l

≤

d.

(9)

Considertheremaining

w

−

l

equationsofthepattern

A

where

S

[

j

]

sarenot

determined.Letat timeinstances

t

1

and

t

2

onepairofthese equationsbesuch

2

Table 6(a) inAppendixDcontains patterns

X

s with

l

=

d

where

w

is still large, which supports the above conjecture. Indeed, Table 4 in Appendix B shows how

(10)

thatthe

S

[

i

]

valuesandthe

S

[

j

]

pointersareequal.Ifthedistance

∆t

=

t

2 −

t

1

issmall,itislikelythattheoutput

z

1

isthesameas

z

2

.Theprobabilityofthis

eventis

Pr

{

z

1 =

z

2 |

∆t

}

>

1 −

∆t

_N

·

1 −

_N

1 ∆

t

≈

exp

−

2 _N

∆t

.

(10)

Denition5 (

bθ

-θ

predictive pattern).Apattern

A

iscalled

bθ

-θ

predictive

ifthenumberofsuchpairs(describedabove)is

bθ

.Letthetimedistancesofthese

pairs be

∆

1 , . . . , ∆b

θ

,thenthe cumulativedistanceisthesum

Πθ

=

Σi∆i

u

t

These four types of predictiveness are direct external events for a pattern.

One should observe the keystream and search for certain

bα

symbols, check

another

bβ

and

bθ

pairs of symbolsthat theyare equal,and also checkthat a

group of

bγ

symbols are dierent from the values of

V

and from each other.

Thus,wehave

Pr

{

E

ext

}

=

N

−

b

α

−

b

β

−

b

θ

· (

N

−

d

)!

N

b

γ

(

N

−

d

−

bγ

)!

Pr

{

E

int

} ≈

N

−

d

−

1

· e

−

2 Π

θ

/N

.

(11)

The example in Table 1 is a

4

-denitive

bα

= 1

, bβ

= 1

, bγ

= 2

, bθ

= 0

-predictivepattern.Fordetectiononehastotestthat

zt

+6

=

−

2 , zt

+3

=

zt

+4

,and

zt

+4

, zt

+5

aredierentfrom theinitialvaluesat

V

and

zt

+4

6 =

zt

+5

.I.e., when,

forexample,

N

= 64

,thedetection probabilityis

64 −

5 _÷

₍₆₄

−

2 _·

₆₀

_·

₅₉

_/

₆₄

2 ₎

_≈

64 −

2 .

96

3

.

4.2 Second Level of Analysis

Infact,therst levelof analysisallowsto detectapatternwith probability at

most

N

−

1

(because

j

isnotdetectable),whereaswiththesecondlevelofanalysis

itcanbe1.Letusintroduceatechniquethat wecallachainof patterns.

Denition6 (chain of patterns

A

→

B

, distance, intersection). Let us

have two patterns

A

=

{

ia, ja

, Pa, Va

}

and

B

=

{

ib, jb, Pb, Vb

}

. An event when

two patterns appear in the keystream within the shortestpossible time distance

σ

iscalledchain of patterns,andisdenotedas

A

→

B

if

B

appears after

A

.

Thechaindistance

σ

betweentwopatterns

A

and

B

istheshortestpossible

timebetween

A

'sendingand

B

'sbeginning of theirwindows,i.e.,

σ

=

ib

−

(

ia

+

wa

) mod

N.

(12)

The intersection of

A

and

B

is the number

ξ

of positions in

A

that are

reused in

B

. These positions must not appear as

S

[

i

]

during

σ

clockings while

the chaindistancebetween

A

and

B

isapproached.

u

t

3

Since

γ

(11)

For example, let

A

=

{

0 ,

{

1 ,

3 ,

5 ,

6 ,

7 ,

8 ,

22 ,

23 }

,

{

2 ,

8 ,

−

3 ,

−

2 ,

1 ,

7 ,

4 ,

−

9 }}

and

B

=

{

34 ,

{

35 ,

36 ,

37 ,

38 ,

39 ,

44 ,

48 ,

52 }

,

{

8 ,

−

2 ,

1 ,

2 ,

4 ,

−

5 ,

3 }}

.After

wa

=

30

clockingstherstpatternbecomes

A

0 ₌

_{

₃₀

_,

₂₈

_,

_{

₁₅

_,

₂₈

_,

₃₀

_,

₃₅

_,

₃₆

_,

₃₇

_,

₃₈

_,

₃₉

_}

_,

{−

3 ,

−

9 ,

7 ,

8 ,

−

2 ,

1 ,

2 ,

4 }}

.Obviously,the last

ξ

= 5

positions canbereusedin

B

,andafter

σ

= 4

clockingsanewpattern

B

(

wb

= 34

)canappearif

jt

+34

=

jb

.

Theprobabilitythat thechain

A

→

B

appearsis

N

−

9 _·

_N

−

4

,multipliedbythe

probabilitythat

5

elementsfrom

A

0

stayatthesamelocationsduringthenext4

clockings.Thisismuchlargerthanthetrivial

N

−

9 _·

_N

−

9

.Thus,amoregeneral

theoremcanbestated.

Theorem1 (chainprobability).Theprobability ofachain

A

→

B

toappear

is

P

A

→

B

= Pr

{

E

int

} ≈

N

−

(

d

a

+

d

b

+2

−

ξ

)

· e

−

2(

Π

θa

+

Π

θb

)

/N

· e

−

ξ

.

(13)

Proof. In [Man01 ] it has been shown that

ξ

elements stay in place during

N

clockingswith an approximate probability

e

−

ξ

. The remaining part comes from

an assumptionthat theinternal stateisrandom, fromwherethe proof follows.

u

t

Obviously,theprobabilityoftheexternaleventforthechainis

Pr

{

E

ext

}

=

N

−

(

b

αa

+

b

βa

+

b

θa

)

−

(

b

αb

+

b

βb

+

b

θb

)

,

(14)

whichcanbesmallerthan

Pr

{

E

int

}

(see

Y4

inTable6inAppendixD),confusing

theequation (8). This happens since

Pr

{

E

ext

}

iscalculated assumingthat the

keystreamis random.However,inRC4onlyaportionoftheobservedexternal

probabilityspacecanappear(whichisanothersourceforadistinguishingattack,

but it is out of scopeof this paper). Therefore, in the case when

Pr

{

E

ext

}

<

Pr

{

E

int

}

wesimplyassumethatthedetectionprobabilityis1.

Table6inAppendixDpresentsafewexampleswithagoodtrade-o(based

onourintuition)between

w

anddetectabilityforvarious

d

.Sincethe

computa-tion timefor searching such patternswith multiple desired properties is really

huge,onlyafewexamplesforsmall

d

weregiven. However,webelievethat for

large

d

it is possibleto detect such patterns with ahigh probability, up to 1,

applyingthetwoproposedlevelsofanalysis.

5 Complete State Recovery Attack on RC4

5.1 Attack Scenario and Total Complexity

Recall pattern detection techniques from Section 4. In the attack scenario an

adversaryanalysesthekeystreamateverytime

t

,andappliesthestaterecovery

(12)

be

P

det

,thenthe total time

CT

anddata

CD

complexities ofthe attackare

CT

= Pr

{

E

int

}

−

1 + (

P

det

−

1 −

1)

· C

Rand

+ 1

· C

True

,

CD

= Pr

{

E

int

}

−

1 .

(15)

u

t

5.2 Success Rateof the Attack

The complexities

C

True

and

C

Random

are upper bounds for theaverage time the

algorithm requires.It meansthat forsome casesitcould takemoretime than

these bounds. In order to guarantee the upper bound of the total (not

aver-age)time complexityonecanterminate thealgorithm after,forexample,

C

thr

operations.Inthiscasethesuccessrateoftheattackcanbedetermined.

0

5

10

15

20

25

30

35

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

PSfragreplacements

k

P

r

{

C

T

r

u

e

=

2 k

}

0

5

10

15

20

25

30

35

0

0.2

0.4

0.6

0.8

1

PSfragreplacements

k

P

r

{

C

T

r

u

e

<

2 k

}

Fig.3.Probabilitydensity(left)andcumulative(right)functionsofthetime

C

True

in logarithmicalform(

k

= log

2 C

True

).Thescenariois

N

= 64,

M

8

and2000samples.

Figure 3 shows density and cumulative functions for the time complexity

of an exampleattack scenario.It showsthat around98% of allsimulations of

the attackhave time smallerthan the average

2

29 .

28

(vertical line). Whenthe

keystreamisrandomtheterminationmakestheaveragetimebound

C

Random

even

smaller,sincetherandomcaseislikelytoberepeatedverymanytimesandthe

secondtermin(15)can onlydecrease.

TheplotsinFigure3alsoshowthateveniftheterminationofthealgorithm

isdoneonthelevel

C

thr

=

√

C

True

(

≈

2

15

),thesuccessrateoftheattackisstill

veryhigh.I.e., thestaterecoveryalgorithmonRC4-64canbedonein time

2

15

with success probability 35%!If a similar situation happens for large

N

(e.g.,

N

= 256

),thenthefulltimecomplexitycanbesignicantlydecreased(perhaps,

(13)

We haveselected aset of test caseswith various parametersand patters, and

derivedtotaldataandtimecomplexitiesofthenewattack.Table3presentsthe

resultsofthiswork.Forexample,when

N

= 64

,thetotalcomplexityofthenew

attackis upper bounded by

2

60

, ifthe pattern

X9

is used. Thisis much faster

than, for example, Knudsen's attack, which complexity for this case is

2

132 .

6

.

Evenif

d

= 9

elementsofthestateare known,Knudsen'sattackneeds

2

98 .

1

of

time, whichis still much higher. Thecomplexity ofapotentialattackrecently

discussedbyI.Mantinin[Man05] 4

isalsohigher.AsitwasshowninSection5.2,

thesuccessrateof thenewattackisatleast98%.

N

= 64

N

= 100

N

= 128

N

= 160

N

= 200

N

= 256

Cases I II III IV V VI VII VIII IX X XI XII XIII

Descriptionsofthecases(

?

arehypotheticalcases) Pattern

M

8 Y

8 X

9 X

11 M

13 M

14 ?

M

14 ?

M

14 ?

M

14 ?

d

8 8 9 11 13 14 17 14 18 14 23 14 29

w

37 29 41 49 68 76 92 76 102 76 132 76 168

l

6 6 5 11 9 10 10 10 10 10 14 10 17

b

α

0 4 4 9 0 0 10 0 11 0 10 0 11

b

β

1 1 0 0 2 2 0 2 0 2 2 2 4

b

γ

5 1 1 2 7 8 0 8 0 8 2 8 2

b

θ

0 0 2 0 2 2 0 2 7 2 4 2 12

Π

θ

0 0 4 0 4 4 0 4 4 4

Internal/external/detectionprobabilities

P

int

-54.0-65.8-60.0 -79.7 -93.0 -105.0-112.0 -109.8-139.1 -114.7-183.5 -120.0-240.0

P

ext

-6.0 -60.0-36.0 -59.8 -26.6 -28.0 -70.0 -29.3 -131.8 -30.6 -122.3 -32.0 -216.0

P

det

-48.0 -5.8 -24.0 -19.9 -66.4 -77.0 -42.0 -80.5 -7.3 -84.1 -61.2 -88.0 -24.0

Complexitiesofthestaterecoveryalgorithm

whenthekeystreamistrue/random

Theor. 20.5 58.2 22.8 107.8 10.0 71.3 71.7 191.1 131.7 317.4 121.3 507.4 217.1

C

R

a

n

d

Attun. 15.5 57.8 107.5 66.3 179.2 302.6 491.8

Theor. 35.0 64.9 30.9 120.4 34.5 94.7 102.0 213.0 138.2 335.6 157.5 519.6 225.4

Attun. 30.3 57.6 108.3 31.8 85.5 185.1 309.9 501.8

C

T

r

u

e

Real 29.3 29.1

Totaldata/timecomplexity,andthecomparison

withpreviousattacks

C

K

(0)

132.6 236.6 324.8 431.4 572.0 779.7

Kn

ud-sen's

C

K

(d)

101.7101.7 98.1 189.3181.0 261.3 256.9 364.6 346.1 501.9 458.2 705.9 629.3

Mantin's

po-tentialattack

73 114 147 186 243 290

C

D

54.0 65.8 60.0 79.7 93.0 105.0 112.0 109.8 139.1 114.7 183.4 120.0 240.0

Our attac

k

C

T

63.5 63.4 60.0 127.4 93.1 143.4 113.7 271.7 140.4 386.7 184.0 579.8 241.7

Table3.Simulationresultsandcomparisonswithpreviousattacks.

4

Mantin detects a large numberof bytes of the state, and thenapplies Knudsen's

attack giventhosebytes.However,tomaketheseknownstoreducethecomplexity

(14)

tack, includingtheoretical (

∆

= 0

) and attuned(

∆

= 2

) valuesfor

C

Rand

and

C

True

.Whenitwaspossible,therealattackon atrue keystreamwassimulated

(realcomplexitiesfor

C

True

areshowninitalic).Inthesesimulationsthecomplete

stateofRC4wassuccessfullyrecoveredforeveryrandomlygeneratedkeystream

compliantwiththecorrespondingpattern.

Forlarger

N

,patternsofahighorderareneededtoreceiveanattackoflow

complexity.Thelargestpatternthatwecouldndinthisworkis

M14

,andthis

wasappliedtoattackRC4-

N

with

N

= 128

,

160 ,

200 ,

256

.Theseattackscenarios

arethosethatwehaveinourhandsalready.However,thecomplexitiesreceived

arenotoptimal,buttheyarestilllowerthaninKnudsen'sattack.Conjecture1

andalsodiscussionsinSection4makeitpossibletoapproximatetheparameters

ofahypotheticalpatternthat islikelyto exist(

?

patterns).Tobesecure,we

relate

d

and

w

as

w

= 6

d

−

6

,withacondencegapof

6

positions.Theremaining

parameterswerechosenmoderateaswell. Astheresult,weobtainedanattack

onRC4-256withthe(upperbounded)totalcomplexityof

2

241 .

7

,andthisisthe

beststaterecoveryattackknownatthemoment.

Ingeneral,wehavenotedthefollowingtendency. ForRC4-

N

withasecret

key of length

N

bits or longer, the new attack can recoverthe internal state

muchfaster thanan exhaustivesearch.This observation canalsobe seenfrom

theresultsin Table3.

Asthelastpointofthediscussionswenotethat thekeyrecoveryattackcan

beeasilyconvertedfromastaterecoveryattack.Thereareseveralpapersdealing

withrecoveringthesecretkeyfromaknowninternalstate[MS01,Man01,PM07].

However,this part works much faster thancurrentlyknown state recovery

at-tacks,and,therefore,wejustrefertothesepaperswithoutgivingdetails.

7 Further Improvements and Open Problems

Patterndetectionimprovements.WithachainofpatternsdescribedinSection4

onecouldreachagooddetection.However,notonlyforwarddirectionof

chain-ingcanbeconsidered,butalsobackwardone.Additionally,thereisapossibility

toanalyselongersequencesofpatternsinordertohaveagooddetectability.

An-otherideaistouseunusualrecyclablepatternsinasimilarmannerasin[Man05].

Thedierenceisthatthesepatternsarebothrecyclableandhavealongwindow.

Forexample,

A

=

{

0 ,

−

4 ,

{

6 ,

4 ,

1 ,

5 ,

3 }

,

{

0 ,

1 ,

7 ,

−

2 ,

−

1 }}

.

Staterecovery algorithm improvement. TheGSi blockcanchoosethecorner

(leftorright)ofthewindowtobeextendedbyanadditionalheuristicanalysisof

thecurrentsituationduringtheprocess.Anotherimprovementisachievedifthe

MCblockcouldspeculativelyruntherecursionforadditional1-3extraforward

stepsforeverypossibleguess,and,afterwards,makesuch aguessforwhichthe

numberofsubbranchesistheminimum.Theaveragetimeoftheattackforthis

strategyisreduced.

(15)

theoret-complexityisneeded.This wouldallowamoreaccurateestimationofthetotal

complexity,and itmightimprovethe complexitiesin Table3signicantly.

An-otherinterestingproblemistodeterminethedensityfunctionoftherecovering

algorithm,likewiseinFigure3.Thismayallowustodecreasethecomplexityin

squareroottimes,maintainingahighsuccessrate.

Other open problems. The search for patterns of a higher order with long

windows is another challengingopen question. We have shown that there are

chainsofpatternswithshortdistances.Therstpatternisusedforthe

recover-ingalgorithm,andthesecondoneisfordetection.However,anotherinteresting

questioniswhetherornotthesecondpatterncanalsobeusedintherecovering

algorithm.

Webelievethattheoutlinedopenproblemshaveahugepotentialforreducing

the complexity of the attack on RC4. Perhaps, very soon we will be witnessing

an attackofcomplexity lower than

2

128

onthe full RC4-256.

Acknowledgements

WethankMartinHellandalsoanonymousreviewersfortheirsignicanteditorial

comments.

References

[FM00] S.R. Fluhrerand D. A.McGrew. Statistical analysis of thealleged RC4

keystreamgenerator.InB.Schneier,editor,FastSoftwareEncryption2000,

volume1978ofLecture NotesinComputerScience,pages1930.

Springer-Verlag,2000.

[Gol97] J.Dj.Goli¢.LinearstatisticalweaknessofallegedRC4keystreamgenerator.

In W. Fumy, editor, Advances in CryptologyEUROCRYPT'97, volume

1233ofLectureNotesinComputerScience,pages226238.Springer-Verlag,

1997.

[KMP

+

98] L.R.Knudsen,W.Meier,B.Preneel,V.Rijmen,andS.Verdoolaege.

Anal-ysismethodsfor(alleged)RC4.InK.OhtaandD.Pei,editors,Advancesin

CryptologyASIACRYPT'98, volume1998 of Lecture Notes in Computer

Science,pages327341.Springer-Verlag,1998.

[Man01] I.Mantin. AnalysisofthestreamcipherRC4. Master's thesis,The

Weiz-mann Institute of Science, Department of Applied Math and Computer

Science,Rehovot76100,Israel.,2001.

[Man05] I.Mantin. PredictinganddistinguishingattacksonRC4keystream

gener-ator. InR.Cramer,editor,AdvancesinCryptologyEUROCRYPT2005,

volume3494ofLectureNotesinComputerScience,pages491506,2005.

[Max05] A. Maximov. TwolineardistinguishingattacksonVMPCandRC4A and

weaknessofRC4familyofstreamciphers.InH.GilbertandH.Handschuh,

(16)

editor, Fast Software Encryption 2001, volume 2355 of Lecture Notes in

Computer Science,pages152164.Springer-Verlag,2001.

[MT98] S.MisterandS.E.Tavares. CryptanalysisofRC4-likeciphers. InSelected

Areas in CryptographySAC 1998, Lecture Notes in Computer Science,

pages131143,1998.

[PM07] G.Paul and S.Maitra. Permutationafter RC4keyshedulingreveals the

secretkey. InSelectedAreasinCryptographySAC 2007,volume4876 of

Lecture NotesinComputerScience,pages360377.Springer-Verlag,2007.

Available at http://eprint.iacr.org/2007/208, June1, 2007 (accessed

Jan-uary10,2008).

[PP04] S.Pauland B.Preneel. AnewweaknessintheRC4keystreamgenerator

and an approach to improve the security of the cipher. In B. Roy and

W.Meier,editors,Fast SoftwareEncryption 2004,volume3017of Lecture

NotesinComputerScience,pages245259.Springer-Verlag,2004.

[Sch96] B.Schneier.AppliedCryptography:Protocols,Algorithms,andSourceCode

in C. John Wiley&Sons,New York,NY,2nd edition, 1996. ISBN

0-471-11709-9.

A Example Support for the State Recovery Algorithm

Figure4illustratesanexampleoftheprocessoftheIRblock.Intheexamplewe

startwithspecicvaluesof

i

and

j

,andalso

d

= 5

cellsofthestate

S

arelled

with certain values,whereas the remainingcells are unknown. This constraint

allowstocollect

w

= 15

equationsoftheform(3).Thekeystreamisgiveninthe

rightmostcolumnofthetable.

Therstiteration,inFigure4(b), ndsthat

z

6 = 4

and

z

8 =

−

2

arealready

allocated, thus solvingequations 6and 8(

s

4 = 10

, s

9 = 5

). Afterwards, given

s

9 = 5

, the IR block solvesthe equation 14and successfully checksfor a

con-tradiction, inFigure 4(c).Finally,after thestep(e) fouradditionalcellsofthe

state

S

werederivedwithprobability1.

WhentheIRblockisprocessed,theinputtotheMCblockisthemaximum

cliqueofsize4equationswith5unknowns,showninFigure4(f).Itmeansthat

guessingonlyoneunknowndeterminesfour otherones.Furthermore,thespace

of possible guesses is signicantly reduced due to the higher probability of a

contradictiontooccur.

B Searching Technique

Sincethesearchspacefora

d

-orderpatterngrowsexponentiallywith

d

,only

pat-ternsoforder

d

≤

6

wereanalysedbeforeinvariousliterature,e.g.,in[Man05].In

thissectionwesuggestafewtechniquesthat acceleratethissearchsignicantly,

andallowto searchandanalysepatternsof orderupto

d

≤

15

, approximately,

onausualdesktop PC.

First,weneed to makesome observations on the construction of patterns.

(17)

Thepartofthestate

S

t

attime

t

,justbeforetheswap-operation

i

t

+1

j

t

+1

1 2 3 4 5 6 7 8 9 1011121314 15 16 17 18 19 20

S

[

i

]

S

[

j

]

z

1 8 4 -2 1 8 -4

s

1 s

2 s

3 s

4 s

5 s

6 s

7 s

8 s

9 s

10 s

11 s

12 s

13 s

14 s

15

4

s

3

18 2 6

s

3

-2 1 8 -4

s

1 s

2

4

s

4 s

5 s

6 s

7 s

8 s

9 s

10 s

11 s

12 s

13 s

14 s

15

-2

s

1

29 3 7

s

3 s

1

1 8 -4-2

s

2

4

s

4 s

5 s

6 s

7 s

8 s

9 s

10 s

11 s

12 s

13 s

14 s

15

1

s

2

6 4 15

s

3 s

1 s

2

8 -4-2 1 4

s

4 s

5 s

6 s

7 s

8 s

9 s

10 s

11 s

12 s

13 s

14 s

15

8

s

10

16 5 11

s

3 s

1 s

2 s

10

-4-2 1 4

s

4 s

5 s

6 s

7 s

8 s

9

8

s

11 s

12 s

13 s

14 s

15

-4

s

6

5 6 9

s

3 s

1 s

2 s

10 s

6

-2 1 4

s

4 s

5

-4

s

7 s

8 s

9

8

s

11 s

12 s

13 s

14 s

15

-2

s

4

4 7 10

s

3 s

1 s

2 s

10 s

6 s

4

1 4 -2

s

5

-4

s

7 s

8 s

9

8

s

11 s

12 s

13 s

14 s

15

1

s

5

12 8 14

s

3 s

1 s

2 s

10 s

6 s

4 s

5

4 -2 1 -4

s

7 s

8 s

9

8

s

11 s

12 s

13 s

14 s

15

4

s

9

-2 9 12

s

3 s

1 s

2 s

10 s

6 s

4 s

5 s

9

-2 1 -4

s

7 s

8

4 8

s

11 s

12 s

13 s

14 s

15

-2

s

7

21 10 13

s

3 s

1 s

2 s

10 s

6 s

4 s

5 s

9 s

7

1 -4 -2

s

8

4 8

s

11 s

12 s

13 s

14 s

15

1

s

8

6 11 9

s

3 s

1 s

2 s

10 s

6 s

4 s

5 s

9 s

7 s

8

-4 -2 1 4 8

s

11 s

12 s

13 s

14 s

15

-4

s

7

9 12 7

s

3 s

1 s

2 s

10 s

6 s

4 s

5 s

9

-4

s

8 s

7

-2 1 4 8

s

11 s

12 s

13 s

14 s

15

-2

s

5

1 13 8

s

3 s

1 s

2 s

10 s

6 s

4

-2

s

9

-4

s

8 s

7 s

5

1 4 8

s

11 s

12 s

13 s

14 s

15

1

s

9

10 14 12

s

3 s

1 s

2 s

10 s

6 s

4

-2 1 -4

s

8 s

7 s

5 s

9

4 8

s

11 s

12 s

13 s

14 s

15

4

s

5

16 15 20

s

3 s

1 s

2 s

10 s

6 s

4

-2 1 -4

s

8 s

7

4

s

9 s

5

8

s

11 s

12 s

13 s

14 s

15

8

s

15

17 16 ?

S

[

j

]

+

S

[

i

]

s3

S

[

z

]

z

?

18 =

s1

?

29 s2

?

6 s10

?

16 s6

?

5 s4

?

4 s5

?

16 s15

?

17 s5

?

12 s9

?

-2

s7

?

21 s8

?

6 s7

?

9 s5

?

1 s9

?

10 +4

-2

+1

+8

-4

-2

+4

+8

+1

+4

-2

+1

-4

-2

+1

(a)

PSfragreplacements

S

[

j

]

+

S

[

i

]

s3

S

[

z

]

z

?

18 =

s1

?

29 s2

?

6 s10

?

16 s6

?

5 s

4

4 s5

?

16 s15

?

17 s5

?

12 -2

s7

?

21 s8

?

6 s7

?

9 s5

?

1 ?

10

8

10 =10

10

9

5 s

9 =5

5

5 +4

-2

+1

+8

-4

-2

+4

+8

+1

+4

-2

+1

-4

-2

+1

(b)

PSfrag replacements

S

[

j

]

+

S

[

i

]

s3

+4

S

[

z

]

z

?

18 =

s1

-2

?

29 s2

+1

?

6 s10

+8

?

16 s6

-4

?

5 s4

-2

4 s5

+4

?

16 s15

+8

?

17 s5

+1

?

12 +4

-2

s7

-2

?

21 s8

+1

?

6 s7

-4

?

9 s5

-2

?

1 +1

?

10

8 =10

10

9 s9=5

5

6

10 no

contra-diction!

(c)

PSfragreplacements

S

[

j

]

+

S

[

i

]

s3

+4

S

[

z

]

z

?

18 =

s1

-2

?

29 s2

+1

?

6 s10

+8

?

16 s

6 -4

?

5 s4

-2

4 s5

+4

?

16 s15+8

?

17 s5

+1

?

12 +4

-2

s7

-2

?

21 s8

+1

?

6 s7

-4

?

9 s5

-2

?

1 +1

10

8 =10

10

9 s9=5

5

6

14

18

18 =18

(d)

PSfragreplacements

S

[

j

]

+

S

[

i

]

+4

S

[

z

]

z

?

18 =

s1

-2

?

29 s2

+1

?

6 s10

+8

?

16 s

6 -4

14

5 s4

-2

4 s5

+4

?

16 s15

+8

?

17 s5

+1

?

12 +4

-2

s7

-2

?

21 s8

+1

?

6 s7

-4

?

9 s5

-2

?

1 +1

10

8 =10

10

9 s9=5

5

6

11

7

18 =18

(e)

s

3 =7

7

PSfrag replacements

S

[

j

]

+

S

[

i

]

+4

S

[

z

]

z

18 =

s1

-2

?

29 s2

+1

?

6 s10

+8

?

16 s6

-4

5 s4

-2

4 s5

+4

?

16 s15

+8

?

17 s5

+1

?

12 +4

-2

s7

-2

?

21 s8

+1

?

6 s7

-4

?

9 s5

-2

?

1 +1

10

8 =10

10

9 s9=5

5

6

14

18 =18

s3=7

11

7 (f)

PSfragreplacements

Fig.4.Exampleoftheiterativereconstructionprocess.

AscanbeseenfromTable7inAppendixD, allgood patternsfoundhave

(18)

0

2

4

6

8

10

12

0

5

10

15

20

25

30

35 d=7

d=6

d=5

d=4

d=3

d=2

PSfragreplacements

maxim

um

w

δ

Fig.5.Dependencyofthemaximum

w

from

δ

forvarious

d

.

conservative.Figure5illustratesthedependencyofthemaximumachievable

w

from

δ

.Fromthiswemakethefollowingconjecture.

Conjecture3. A pattern with the largest

w

is likely found among all possible

combinationsfor

i

= 0

, j

∈

Iδ

, V

∈

I

d

δ

,withamoderatevalueof

δ

N

.

u

t

Thisconjecturewillbeusedasthebasisforasignicantimprovementinthe

searchingtechnique ofsuchpatterns.

Table 4 provides the number of patterns for

δ

= 15

, and various values

of

d

and

w

. When

d

and

δ

are xed, the amount of desired patterns can be

exponentiallyincreased by letting

w

be slightlyless than

w

max

. This approach

can help nding patterns with additional properties which are introduced in

Section 4.

d

Thenumberofpatterns

A

d

when

δ

= 15

.

↓

w

→

15141312 11 10 9 8 7 6

4

#

{

A

4 } →

1 3 1026226863523421702114563853012

w

→

21201918 17 16 15 14 13 12 5

#

{

A

5 } →

1 4 6 15 66 252 652 1879 6832 27202

w

→

27262524 23 22 21 20 19 18 6

#

{

A

6 } →

1 2 7 42 81 177 371 799 2646 10159

Table 4.Thenumberofdierentconstraintsforspecic

d

and

w

,when

δ

= 15

.

Therstideaistoset

i

= 0

dueto(6), andfortheremainingvariablesonly

asmallsetofvalues

Iδ

forsome

δ

shouldbetestedduetoConjecture3.

(19)

approach is

O

N

d

|

I

δ

|

d

|

Iδ

|

, which is still very large. Our second idea is to

allocate a new element in

S

only when it is necessary. This will signicantly

decreasethetimecomplexity.

i=0

Loop for

i++

S

[

i

]

is known?

#

of allocated

elements

<d?

j+=S

[

i

]

swap(

S

[

i

]

, S

[

j

])

yes

no

Loop for

S

[

i

]

yes

no

recursion forward

Check the

pro-perties of the

state (

w

,

b

, ...)

and output if

it is "good".

recursion backward

(*)

PSfragreplacements

j

∈

I

δ

∈

I

δ

Fig.6.Recursivealgorithmforsearchingpatternswithlarge

w

.

Thediagram ofarecursivealgorithmexploitingthersttwoideasis shown

in Figure6,butitcan beimprovedwiththefollowingheuristic.Thethirdidea

istostartsearchingforadesiredpatternsomewhereinthemiddleofitsfuture

window.Letussplit

d

as

d

=

d

fwd

+

d

back

andthenstartthealgorithminFigure6

allowingtoallocateexactly

d

fwd

cellsof

S

.Atthepoint

(

∗

)

thecurrentlengthof

thewindow

w

iscomparedwithsomethreshold

w

thr

.If

w

≥

w

thr

,thenasimilar

recursive algorithm starts,but it goes backwardand allocatesremaining

d

back

cellsof

S

.Thisdouble-recursionresultsinapatternwith

w

likelytobecloseto

themaximumpossiblelengthof thewindow.

C Complexity Analysis of the Recovering Attack

Since for largeinputs itis notalwayspossibleto makereal simulationsof the

new recovering attack, we are interested in a theoretical upper bound of its

complexity.Inthissectionweexplainhowthiscomplexitycanbederived,veried

andused.

C.1 Toolfor Simulationsand Analysis