Requesting feedback on patched RC4-variant

Matthijs van Duin matthijs at cds.nl
Fri Apr 20 12:26:15 EDT 2001

```I needed a high-speed stream cipher in REALbasic, which has
exceptionally poor support for the kind of operations needed (no
unsigned 32-bit integers, no bitshift)

I already made an RC4 implementation a while ago, but the algorithm
has some problems, outlined in the recent crack of the encryption of
wireless networking. (IEEE something)

[Those have to do with stream ciphers in general and exploited no
specific features of RC4. --Perry]

To avoid this, I basically patched RC4 in two ways: 1. add cipher
block chaining  2. make the state-permutations depend on the data, to
make long-term changes to the pseudorandom data stream RC4 generates.
I hope this will make my application immune to the attack done on
wireless networking (which would be vulnerable with RC4 since I also
use CRC for integrity checking).

I'm however not (yet ;) an expert on cryptography, so I'm not
entirely sure whether I didn't mutilate the algorithm in such a way I
introduced major new weaknesses.. I'd therefore greatly appreciate
some feedback on this.

I already did some statistical tests.. and it turned out that when a
single bit of an input byte is altered, 50% of the bits of the
corresponding output byte and all following bytes get toggled.. so
that's a good sign already.

All integers are unsigned 8-bits. In my code, I use combination of
xor and addition intentionally, because the interactions between
carryless and carrying operations cause interesting effects, I think.

Original RC4: (in pseudo-C, for one byte)

x++
y = y + s[x];
swap(s[x], s[y]);

data = data ^ s[s[x] + s[y]];

My encryption code: (in pseudo-C, for one byte)

x++
y = y + s[x];
swap(s[x], s[y]);

v = data + c;	// Cipher block chaining
c = v ^ s[s[x] + s[y]];
data = s[c];	// I had a reason for this post-wash.. I can't remember

y = y ^ v;	// make s-box permutation depend on data

My decryption code: (in pseudo-C, for one byte)

x++
y = y + s[x];
swap(i[s[x]], i[s[y]]);	// i = inverse of s
swap(s[x], s[y]);

e = i[data];
v = e ^ s[s[x] + s[y]];
data = v - c;
c = e;

y = y ^ v;

-xmath

Matthijs van Duin
- PGP Key: 0xB6205CCB   <finger://PGPkey_DH@hmvd.cds.nl> -
- FP: D73C 9EE3 5F6B E5D5 8E19  2CBE 4648 8C3E B620 5CCB -

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

```