Requesting feedback on patched RC4-variant

Matthijs van Duin matthijs at cds.nl
Fri Apr 20 12:26:15 EDT 2001 

I needed a high-speed stream cipher in REALbasic, which has 
exceptionally poor support for the kind of operations needed (no 
unsigned 32-bit integers, no bitshift)

I already made an RC4 implementation a while ago, but the algorithm 
has some problems, outlined in the recent crack of the encryption of 
wireless networking. (IEEE something)

[Those have to do with stream ciphers in general and exploited no
specific features of RC4. --Perry]

To avoid this, I basically patched RC4 in two ways: 1. add cipher 
block chaining  2. make the state-permutations depend on the data, to 
make long-term changes to the pseudorandom data stream RC4 generates. 
I hope this will make my application immune to the attack done on 
wireless networking (which would be vulnerable with RC4 since I also 
use CRC for integrity checking).

I'm however not (yet ;) an expert on cryptography, so I'm not 
entirely sure whether I didn't mutilate the algorithm in such a way I 
introduced major new weaknesses.. I'd therefore greatly appreciate 
some feedback on this.

I already did some statistical tests.. and it turned out that when a 
single bit of an input byte is altered, 50% of the bits of the 
corresponding output byte and all following bytes get toggled.. so 
that's a good sign already.



All integers are unsigned 8-bits. In my code, I use combination of 
xor and addition intentionally, because the interactions between 
carryless and carrying operations cause interesting effects, I think.


Original RC4: (in pseudo-C, for one byte)

x++
y = y + s[x];
swap(s[x], s[y]);

data = data ^ s[s[x] + s[y]];



My encryption code: (in pseudo-C, for one byte)

x++
y = y + s[x];
swap(s[x], s[y]);

v = data + c;	// Cipher block chaining
c = v ^ s[s[x] + s[y]];
data = s[c];	// I had a reason for this post-wash.. I can't remember

y = y ^ v;	// make s-box permutation depend on data



My decryption code: (in pseudo-C, for one byte)

x++
y = y + s[x];
swap(i[s[x]], i[s[y]]);	// i = inverse of s
swap(s[x], s[y]);

e = i[data];
v = e ^ s[s[x] + s[y]];
data = v - c;
c = e;

y = y ^ v;


  -xmath

Matthijs van Duin
- PGP Key: 0xB6205CCB   <finger://PGPkey_DH@hmvd.cds.nl> -
- FP: D73C 9EE3 5F6B E5D5 8E19  2CBE 4648 8C3E B620 5CCB -



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list