Designs, Codes and Cryptography manuscript No.
(will be inserted by the editor)
Further Non-randomness in RC4, RC4A and VMPC Santanu Sarkar
the date of receipt and acceptance should be inserted later
Abstract In this paper we identify several new biases for RC4, RC4A and VMPC, which are designed in a similar paradigm. Naturally, these biases provide new distinguishers for the pseudo-random keystream generated by these algorithms. In particular, our result provides the strongest distinguisher against VMPC.
Keywords: Bias, Cryptanalysis, Distinguisher, RC4, RC4A, Stream Ciphers, VMPC.
1 Introduction
Over the last three decades of research and development in stream ciphers, a number of designs have been proposed and analyzed by the cryptology community. One of the main ideas for building a stream cipher relies on constructing a pseudorandom permutation and thereafter extracting pseudorandom words from this permutation. Till date, the most popular stream cipher among cryptologists has been RC4 (or alleged RC4). Apart from being used in network protocols such as SSL, TLS, WEP and WPA, the cipher is also used in Microsoft Windows, Apple AOCE, etc. RC4 is a byte-oriented stream cipher where each keystream word is of $n = 8$ bits in size. It has an internal state which is a permutation of all possible $n$-bit integers, that is, a permutation of length $N = 2^n$ (typically 256) words. The size of the secret key $K$ is 5 to 30 bytes in general. This is used to produce the initial permutation (claimed pseudorandom) through a key scheduling algorithm (KSA). Then from the internal state the pseudorandom generation algorithm (PRGA) produces output bytes which get XOR-ed with the plaintext bytes to generate ciphertexts. RC4 has faced rigorous analysis over the last two decades due to its simple structure. In 2001, Mantin and Shamir [7] observed that the 2nd byte of RC4 keystream is biased towards zero with probability $2/N$, twice that of a random byte-stream. This bias arises from the non-random byte-extraction routine of RC4 PRGA. The bias produces a distinguisher of complexity $O(N)$ for RC4.
Chennai Mathematical Institute, Chennai, India. E-mail: [email protected]
In SAC 2010, Sepehrdad et al. [13] presented many empirical biases on the initial keystream bytes, state variables and secret key of RC4. Recently, in FSE 2011, Maitra et al. [6] proved that all the initial bytes from 3 to 255 have a positive bias towards zero. Note that RC4 is not suitable for 16/32-bit architectures as the output keystream of RC4 is 8-bit. Also there are several distinguishing attacks. To overcome these problems, several variants of RC4 have been proposed. Many of them are much faster than RC4. All these ciphers are based on arrays, modular addition, rotation/swap and memory access. Among them Py is the most popular one. It was designed by Biham et al. [1] and was selected in phase 2 of the eSTREAM portfolio. A weakness of this cipher was observed in [11]. In FSE 2004 [10], Paul et al. proposed another variant of RC4 called RC4A. Other popular RC4 variants are Py6 [2], IA [4], NGG [9], GGHN [3], VMPC [16], etc. In Asiacrypt 2006, Paul and Preneel [12] studied weaknesses of these array-based stream ciphers. RC4A was designed to resist most known attacks on RC4. In [8] the bias of the second output keystream byte of RC4A was exploited. Using this bias, RC4A was distinguished from a random source using $2^{58}$ keystream bytes. The bias between the first and third output in RC4A was presented in [15], where the distinguishing attack required $2^{24}$ keystream bytes. In FSE 2004 [16], another RC4 variant VMPC (Variably Modified Permutation Composition) was proposed. A distinguishing attack on VMPC was first presented in [8] that required $2^{32}$ keystream bytes. Later another distinguishing attack on VMPC was proposed in [15]. This attack requires $2^{40}$ keystream bytes.
1.0.1 Notation
We use the following notation throughout this paper. For round $t \geq 1$ of RC4 PRGA, we denote the indices by $i_t, j_t$, the output keystream byte by $Z_t$, and the permutations before and after the swap by $S_{t-1}$ and $S_t$ respectively. The output bytes at later rounds of RC4 are denoted as $Z_{kN+l}$ for integers $k \geq 0$ and $0 \leq l \leq N-1$. The initial permutation of RC4 PRGA will be denoted by $S_0$.
1.1 Contribution and organization of the paper
– In FSE 2001 [7], Mantin and Shamir proved that $P(Z_2 = 0) \approx 2/N$ in RC4, whereas it should have been $1/N$ for an ideal cipher. So if the probability $P(Z_2 = x)$ is the same for all other non-zero values of $x$, then $P(Z_2 = x) \approx (1 - 2/N)/(N-1)$, which is 0.003891 for $N = 256$. In Section 2, we prove $P(Z_2 = 2) \approx 1/N - 3/N^2$, which is 0.003860 for $N = 256$.
– After that we present a new weakness of RC4A. In Section 3 we prove that the second byte produced by RC4A has a positive bias towards 2.
– Next, in Section 4, we propose a new distinguisher for VMPC. We can distinguish VMPC from a random source using $N^3$ output samples. This is the best distinguishing attack on VMPC. In Table 2 (Section 4), we compare our result on VMPC with the existing works.
Fig. 1 Key-Scheduling Algorithm and Pseudo-Random Generation Algorithm of RC4.
KSA (input: identity permutation $S$ and key $K$; rounds = 256). Initially $i = 0$, $j = 0$; each round: $j = j + S[i] + K[i]$; swap $S[i] \leftrightarrow S[j]$; $i = i + 1$.
PRGA (input: $S$ after KSA; rounds = number of bytes required). Initially $i = 0$, $j = 0$; each round: $i = i + 1$; $j = j + S[i]$; swap $S[i] \leftrightarrow S[j]$; output $Z = S[S[i] + S[j]]$.
2 Negative bias in Z2 towards two
RC4 consists of two major components, the Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA). The internal permutation is of $N$ bytes, and so is the key $K$. However, the original secret key is typically of length between 5 and 30 bytes, and is repeated to form the expanded key $K$. The KSA turns the secret key $K$ into a permutation $S$ of $0, 1, \ldots, N-1$. After that the PRGA uses this permutation to generate the output keystream. Any addition used in the RC4 description in this paper is addition modulo $N$ unless specified otherwise. The RC4 algorithm is shown in Fig. 1.

Now we will show that the probability of $Z_2 = 2$ is $1/N - 3/N^2$.

Theorem 1 Assume that the initial permutation $S_0$ of RC4 PRGA is randomly chosen from the set of all permutations of $\{0, 1, \ldots, N-1\}$. Then the probability that the second output byte of RC4 keystream is 2 is approximately $1/N - 3/N^2$.

Proof We will prove that if $S_0[1] = 2$ or $S_0[2] = 0$ or $S_0[2] = 2$, then $Z_2$ cannot be two.

$S_0[1] = 2$: After the first round $j_1 = S_0[1] = 2$ and, after the swap, $S_1[2] = 2$. So in the next step the value of $j$ will be $j_2 = 2 + S_1[2] = 4$. Let $S_1[4] = Y$. Since $S_1[2] = 2$ and $S_1$ is a permutation, $Y \neq 2$. After the second swap $S_2[2] = Y$ and $S_2[4] = 2$, so the keystream byte is $Z_2 = S_2[Y + 2]$, which cannot be 2: the value 2 sits at index 4, and $Y + 2 = 4$ would require $Y = 2$.

$S_0[2] = 0$: If $S_0[1] \neq 2$, from the analysis of [7] we know that $Z_2$ is always 0. If $S_0[1] = 2$, from the previous case $Z_2 \neq 2$.

$S_0[2] = 2$: Let $S_0[1] = X$ with $X \neq 2$ (the case $X = 2$ is covered above). Then $j_1 = X$ and after the first swap $S_1[1] = S_0[X]$ and $S_1[X] = X$, while $S_1[2] = 2$ is untouched. In the second round $j_2 = 2 + S_1[2] = X + 2$. Let $S_1[X + 2] = Z$. After the second swap $S_2[2] = Z$ and $S_2[X + 2] = 2$, so $Z_2 = S_2[Z + 2]$. This equals 2 only if $Z + 2 = X + 2$, i.e. $Z = X$; but $S_1[X] = X$ and $X + 2 \neq X$, so $S_1[X + 2] \neq X$. Hence $Z_2 \neq 2$.

Now consider the event $E = \{S_0[1] = 2\} \cup \{S_0[2] = 0\} \cup \{S_0[2] = 2\}$. The pairs $\{S_0[1] = 2, S_0[2] = 2\}$ and $\{S_0[2] = 0, S_0[2] = 2\}$ cannot occur together, while $P(S_0[1] = 2 \wedge S_0[2] = 0) = 1/(N(N-1))$. Hence $P(E) = 3/N - 1/(N(N-1)) \approx 3/N$. In the case of $E^c$, we assume that $Z_2 = 2$ occurs with probability $1/N$ due to random association. Hence
$$P(Z_2 = 2) = P(Z_2 = 2 \mid E) \cdot P(E) + P(Z_2 = 2 \mid E^c) \cdot P(E^c) \approx 0 \cdot 3/N + (1/N)(1 - 3/N) = 1/N - 3/N^2. \qquad \square$$
To the best of our knowledge, except for the bias $Z_2 = 0$, all the known biases in the keystream are less than or equal to $1/N^2$. Hence the bias presented here is the second largest bias in this direction. Experiments with 1 billion random keys give $P(Z_2 = 2) = 0.003860$ (away from $1/256 = 0.003906$). This conforms to the theoretical value. In Figure 2, we have plotted the experimental values of $P(Z_2 = x)$ for $x \in [1, 255]$.
Fig. 2 Distribution of $P(Z_2 = x)$ for $x \in [1, 255]$ ($x$ on the horizontal axis with ticks at 0, 64, 128, 192, 255; $P(Z_2 = x)$ on the vertical axis, with the reference levels $(1 - 2/N)/(N - 1)$ and $1/N - 3/N^2$ marked).
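The following Python program is an added example, not code from the paper: it implements the KSA and PRGA of Fig. 1 and checks the argument of Theorem 1 mechanically. It enumerates every initial permutation $S_0$ for a small $N$ ($N = 8$ here, chosen so that all $N!$ permutations can be visited) to confirm that the event $E = \{S_0[1] = 2\} \cup \{S_0[2] = 0\} \cup \{S_0[2] = 2\}$ never produces $Z_2 = 2$ and has probability exactly $3/N - 1/(N(N-1))$, and it estimates $P(Z_2 = 0)$ and $P(Z_2 = 2)$ over random keys at $N = 256$. The key length (16 bytes), trial count and seed are choices of this example; the test vector for the key "Key" is the public RC4 one.

```python
"""RC4 as in Fig. 1, plus checks of the Theorem 1 argument.

Added example, not code from the paper. It (a) checks the implementation
against the public RC4 test vector for the key "Key", (b) enumerates every
initial permutation S0 of Z_N for a small N to confirm that the event
E = {S0[1]=2} U {S0[2]=0} U {S0[2]=2} never yields Z2 = 2 and has
probability exactly 3/N - 1/(N(N-1)), and (c) estimates P(Z2 = 0) and
P(Z2 = 2) over random keys (key length, trials and seed are choices here).
"""
import itertools
import random


def rc4_ksa(key, n=256):
    """KSA of Fig. 1: the key bytes are repeated to length n."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s, rounds, n=256):
    """PRGA of Fig. 1 from i = j = 0; mutates s and returns Z1 .. Z_rounds."""
    i = j = 0
    out = []
    for _ in range(rounds):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return out


def rc4_keystream(key, nbytes):
    """Keystream bytes for a byte-string key (N = 256)."""
    return bytes(rc4_prga(rc4_ksa(key), nbytes))


def in_event_e(s0):
    """Event E of Theorem 1: S0[1] = 2 or S0[2] = 0 or S0[2] = 2."""
    return s0[1] == 2 or s0[2] in (0, 2)


def exhaustive_z2_check(n):
    """Run two PRGA rounds on every permutation of {0, ..., n-1}.

    Returns (permutations in E, permutations in E with Z2 = 2, total).
    The proof predicts the second number is 0 and the first equals
    n! * (3/n - 1/(n(n-1))).
    """
    in_e = violations = total = 0
    for perm in itertools.permutations(range(n)):
        total += 1
        s0 = list(perm)
        if in_event_e(s0):
            in_e += 1
            if rc4_prga(s0, 2, n)[1] == 2:
                violations += 1
    return in_e, violations, total


def estimate_z2(trials=30000, key_len=16, seed=1):
    """Estimate P(Z2 = 0) and P(Z2 = 2) for N = 256 over random keys.

    Theorem 1 predicts 2/N = 0.0078 for Z2 = 0 and 1/N - 3/N^2 = 0.003860
    for Z2 = 2; the first is obvious at 30000 keys, the second gap is not.
    """
    rng = random.Random(seed)
    zeros = twos = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        z2 = rc4_prga(rc4_ksa(key), 2)[1]
        zeros += z2 == 0
        twos += z2 == 2
    return zeros / trials, twos / trials


if __name__ == "__main__":
    print("keystream for key 'Key':", rc4_keystream(b"Key", 9).hex())
    in_e, bad, total = exhaustive_z2_check(8)
    print(f"N=8: |E| = {in_e} of {total} (predicted {total * (3/8 - 1/56):.0f}), "
          f"permutations in E with Z2 = 2: {bad}")
    p0, p2 = estimate_z2()
    print(f"N=256: P(Z2=0) ~ {p0:.5f} (2/N = {2/256:.5f}), "
          f"P(Z2=2) ~ {p2:.5f} (1/N - 3/N^2 = {1/256 - 3/256**2:.5f})")
```

With 30 000 keys the Mantin–Shamir value $2/N$ is unmistakable, whereas the $3/N^2$ deficit at $x = 2$ is about $4.6 \cdot 10^{-5}$ and sits well inside the sampling error (about $3.6 \cdot 10^{-4}$ for a run this size); reproducing the 0.003860 of the text needs on the order of the $10^9$ keys it uses. The exhaustive part makes the structural half of the proof certain for that $N$; the only heuristic step is $P(Z_2 = 2 \mid E^c) \approx 1/N$.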
3 New bias of RC4A
RC4A is another variant of RC4. In this cipher, two arrays $S^{(1)}, S^{(2)}$ are used instead of one. From one chosen key $k_1$, another key $k_2$ is generated by a pseudorandom bit generator using $k_1$ as the seed. Applying the KSA of RC4, the two arrays $S^{(1)}, S^{(2)}$ are generated from the keys $k_1$ and $k_2$ respectively. In the keystream generation process two variables $j_1, j_2$ are used, corresponding to $S^{(1)}, S^{(2)}$. The index pointer $t_1 = S^{(1)}[i] + S^{(1)}[j_1]$ points into $S^{(2)}$ instead of $S^{(1)}$.
Fig. 3 Pseudo-Random Generation Algorithm of RC4A (input: $S^{(1)}, S^{(2)}$ after KSA; rounds = number of bytes required). Initially $i = 0$, $j_1 = 0$, $j_2 = 0$; each round: $i = i + 1$; $j_1 = j_1 + S^{(1)}[i]$; swap $S^{(1)}[i] \leftrightarrow S^{(1)}[j_1]$; output $Z^{(1)} = S^{(2)}[S^{(1)}[i] + S^{(1)}[j_1]]$; $j_2 = j_2 + S^{(2)}[i]$; swap $S^{(2)}[i] \leftrightarrow S^{(2)}[j_2]$; output $Z^{(2)} = S^{(1)}[S^{(2)}[i] + S^{(2)}[j_2]]$.
Similarly, the index pointer $t_2 = S^{(2)}[i] + S^{(2)}[j_2]$ points into $S^{(1)}$. The PRGA of RC4A is shown in Fig. 3. Now we will prove that the second byte generated by RC4A has a positive bias towards 2. In fact we will show that $P(Z_1^{(2)} = 2) \approx 1/(N-1)$. To prove our result, we shall need the following result due to [5].

Theorem 2 Assume the initial permutation $S$ is taken uniformly from the set of all possible permutations of the set $\{0, 1, \ldots, N-1\}$. Then for the first index toucher $t$, we have
$$P(t = 2) = \frac{2}{N} - \frac{1}{N(N-1)}.$$

Another result on RC4 which will be used in proving our result is from [14].

Lemma 1 After the first round of RC4 PRGA, the probability $P(S_1[u] = u)$ is
$$P(S_1[u] = u) = \begin{cases} P(S_0[1] = 1) + \sum_{X \neq 1} P(S_0[1] = X \wedge S_0[X] = 1), & u = 1; \\ P(S_0[1] = u) + \sum_{X \neq u} P(S_0[1] = X \wedge S_0[u] = u), & u \neq 1. \end{cases}$$

Now we will prove the following simple lemma.

Lemma 2 $P(Z_1^{(2)} = t_2) \approx 2/N$.

Proof Assume $P(S_0^{(1)}[X] = Y) = 1/N$ for $0 \leq X, Y \leq N-1$. So for $u \neq 1$,
$$P(S_1^{(1)}[u] = u) = P(S_0^{(1)}[1] = u) + \sum_{X \neq u} P(S_0^{(1)}[1] = X \wedge S_0^{(1)}[u] = u) \approx \frac{1}{N} + \frac{N-1}{N^2} \approx \frac{2}{N}.$$
Using a similar approach for $u = 1$, it can be proved that $P(S_1^{(1)}[1] = 1) \approx 2/N$. Since $Z_1^{(2)} = S_1^{(1)}[t_2]$, $P(Z_1^{(2)} = t_2) \approx 2/N$. $\square$
Now we will prove the following result on RC4A.

Theorem 3 The probability that the second output byte is equal to two is $P(Z_1^{(2)} = 2) \approx 1/(N-1)$.

Proof Denote the index toucher of the second output byte by $t_2$. Then
$$P(Z_1^{(2)} = 2) = P(Z_1^{(2)} = 2 \wedge t_2 = 2) + \sum_{x = 0,\, x \neq 2}^{N-1} P(Z_1^{(2)} = 2 \wedge t_2 = x).$$
Now from Theorem 2 and Lemma 2,
$$P(Z_1^{(2)} = 2 \wedge t_2 = 2) = P(Z_1^{(2)} = t_2 \mid t_2 = 2) \cdot P(t_2 = 2) \approx \frac{2}{N} \cdot \frac{2}{N} = \frac{4}{N^2}.$$
Also for $x \neq 2$,
$$P(Z_1^{(2)} = 2 \wedge t_2 = x) = P(t_2 = x) \cdot P(Z_1^{(2)} = 2 \mid t_2 = x) \approx \frac{1 - 2/N}{N-1} \cdot P(S_1^{(1)}[x] = 2) = \left(\frac{1 - 2/N}{N-1}\right)^2,$$
as $P(S_1^{(1)}[2] = 2) \approx 2/N$ and hence $P(S_1^{(1)}[x] = 2) \approx (1 - 2/N)/(N-1)$ for $x \neq 2$. Summing over the $N - 1$ values $x \neq 2$,
$$P(Z_1^{(2)} = 2) \approx \frac{4}{N^2} + \frac{(1 - 2/N)^2}{N-1} = \frac{1}{N-1}. \qquad \square$$

Note that $1/(N-1) > 1/N + 1/N^2$. Hence with a sample size of $N^3$, one can distinguish RC4A from a random source. So, when $N = 256$, the distinguishing attack requires less than $2^{24}$ output samples. In Table 1, we compare our result with the existing works.

Table 1 Comparison of our work on RC4A with existing results.
  Maximov [8]:        event $Z^{(1)}_{2k+1} = Z^{(1)}_{2k+2}$,  required sample size $2^{58}$
  Tsunoo et al. [15]: event $Z^{(1)}_1 = Z^{(1)}_2$,            required sample size $2^{24}$
  Our:                event $Z^{(2)}_1 = 2$,                     required sample size $2^{24}$

Experiments with 1 billion random keys give $P(Z_1^{(2)} = 2) = 0.003925$ ($\approx 1/N + 1/N^2$).
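The following Python program is an added example and not code from the paper: it implements the RC4A round of Fig. 3 and checks the three ingredients of the Section 3 argument. Following the proofs, $S^{(1)}$ and $S^{(2)}$ are taken as independent uniform permutations (the derivation of $k_2$ from $k_1$ and the two KSA runs are not reproduced), and $N$, the trial count and the seed are choices of this example. It counts over all $8!$ permutations how often the first index toucher equals 2 (Theorem 2 predicts $N!\,(2/N - 1/(N(N-1)))$, which is 9360 for $N = 8$), and estimates $P(Z_1^{(2)} = t_2)$ (Lemma 2) and $P(Z_1^{(2)} = 2)$ (Theorem 3) at $N = 256$.

```python
"""RC4A PRGA of Fig. 3 and checks of Theorem 2, Lemma 2 and Theorem 3.

Added example, not code from the paper. As in the proofs, S^(1) and S^(2)
are independent uniform permutations (the paper derives S^(2) from a second
key k2 via the RC4 KSA; that step is not reproduced here). N, the trial
count and the seed are choices of this example.
"""
import itertools
import random


def rc4a_round(s1, s2, i, j1, j2, n):
    """One RC4A round at index i (Fig. 3). Returns (j1, j2, Z1, t1, Z2, t2):
    t1 = S1[i] + S1[j1] indexes S2 to give Z^(1); t2 = S2[i] + S2[j2]
    indexes S1 to give Z^(2). Mutates s1 and s2."""
    j1 = (j1 + s1[i]) % n
    s1[i], s1[j1] = s1[j1], s1[i]
    t1 = (s1[i] + s1[j1]) % n
    z1 = s2[t1]
    j2 = (j2 + s2[i]) % n
    s2[i], s2[j2] = s2[j2], s2[i]
    t2 = (s2[i] + s2[j2]) % n
    z2 = s1[t2]
    return j1, j2, z1, t1, z2, t2


def rc4a_prga(s1, s2, rounds, n=256):
    """Fig. 3 from i = j1 = j2 = 0; returns the keystream bytes in output
    order Z1^(1), Z1^(2), Z2^(1), Z2^(2), ... (mutates s1 and s2)."""
    i = j1 = j2 = 0
    out = []
    for _ in range(rounds):
        i = (i + 1) % n
        j1, j2, z1, _, z2, _ = rc4a_round(s1, s2, i, j1, j2, n)
        out += [z1, z2]
    return out


def count_first_toucher_two(n):
    """Theorem 2, exhaustively: number of permutations S0 whose first index
    toucher t = S1[1] + S1[j1] (after the round-1 swap, j1 = S0[1]) is 2.
    Predicted n! * (2/n - 1/(n(n-1))), which is exact for even n."""
    count = 0
    for perm in itertools.permutations(range(n)):
        s = list(perm)
        j = s[1]
        s[1], s[j] = s[j], s[1]
        count += (s[1] + s[j]) % n == 2
    return count


def estimate_second_byte(n=256, trials=20000, seed=2):
    """Monte Carlo over independent uniform S^(1), S^(2) of
    P(Z1^(2) = t2) (Lemma 2, ~2/N) and P(Z1^(2) = 2) (Theorem 3, ~1/(N-1))."""
    rng = random.Random(seed)
    s1, s2 = list(range(n)), list(range(n))
    eq_t2 = eq_two = 0
    for _ in range(trials):
        rng.shuffle(s1)
        rng.shuffle(s2)
        _, _, _, _, z2, t2 = rc4a_round(list(s1), list(s2), 1, 0, 0, n)
        eq_t2 += z2 == t2
        eq_two += z2 == 2
    return eq_t2 / trials, eq_two / trials


if __name__ == "__main__":
    n = 8
    c = count_first_toucher_two(n)
    print(f"N={n}: P(t=2) = {c}/40320 = {c / 40320:.5f}, "
          f"predicted {2 / n - 1 / (n * (n - 1)):.5f}")
    p_t2, p_two = estimate_second_byte()
    print(f"N=256: P(Z1^(2)=t2) ~ {p_t2:.5f} (2/N = {2 / 256:.5f}); "
          f"P(Z1^(2)=2) ~ {p_two:.5f} (1/(N-1) = {1 / 255:.5f})")
```

The $2/N$ of Lemma 2 is visible at once. The advantage of Theorem 3 over $1/N$ is $1/(N(N-1))$, about $1.5 \cdot 10^{-5}$ for $N = 256$, far below the sampling error of a run this size; that is exactly why the distinguisher needs on the order of $N^3$ samples.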
Fig. 4 Pseudo-Random Generation Algorithm of VMPC (input: $S$ and $j$ after KSA; rounds = number of bytes required). Initially $i = 0$; each round: $j = S[j + S[i]]$; output $Z = S[S[S[j]] + 1]$; swap $S[i] \leftrightarrow S[j]$; $i = i + 1$.

Fig. 5 State before and after the swap when $i = 1$. Before the swap, $S[1] = W$, $S[j_1] = X$, $S[X] = Y$ and $S[Y + 1] = Z$, so the second keystream byte is $Z_1 = S[S[S[j_1]] + 1] = Z$; after the swap of positions 1 and $j_1$, $S[1] = X$ and $S[j_1] = W$.
4 New bias on VMPC
VMPC is another variant of RC4 proposed in FSE 2004 [16]. The keystream generation algorithm of VMPC is shown in Fig. 4. We denote the index by $j_t$, the state by $S_t$ and the output keystream byte by $Z_t$ when $i = t$. Hence the first output keystream byte is $Z_0$. The VMPC byte generation is presented pictorially in Figure 5. We start with the following lemma.

Lemma 3 Let $j_2, j_3$ be the values of $j$ when $i = 2, 3$ respectively. Then
$$P(j_2 = 1 \mid j_3 = 2) \approx \frac{2}{N} - \frac{1}{N^2}.$$

Proof We have $j_3 = S_3[j_2 + S_3[3]]$, where $S_3$ is the state array at the step $i = 3$. Note that if $j_2 = 1$ and $S_3[3] = 2$, then $j_3 = S_3[3] = 2$ always. Hence
$$P(j_2 = 1 \wedge j_3 = 2 \mid S_3[3] = 2) = P(j_2 = 1 \mid S_3[3] = 2) = \frac{1}{N}.$$
Again, if $j_2 = 1$ and $S_3[3] \neq 2$, $j_3$ can still be 2 due to random association. Hence
$$P(j_2 = 1 \wedge j_3 = 2) = P(j_2 = 1 \wedge j_3 = 2 \mid S_3[3] = 2)\,P(S_3[3] = 2) + P(j_2 = 1 \wedge j_3 = 2 \mid S_3[3] \neq 2)\,P(S_3[3] \neq 2) = \frac{1}{N} \cdot \frac{1}{N} + \frac{1}{N} \cdot \frac{1}{N} \cdot \left(1 - \frac{1}{N}\right) = \frac{2}{N^2} - \frac{1}{N^3}.$$
Assuming $P(j_3 = 2) = 1/N$,
$$P(j_2 = 1 \mid j_3 = 2) = \frac{P(j_2 = 1 \wedge j_3 = 2)}{P(j_3 = 2)} = \frac{2}{N} - \frac{1}{N^2}. \qquad \square$$
Now we will prove the following distinguishing attack on VMPC.

Theorem 4 Assume the initial permutation $S$ is taken uniformly from the set of all possible permutations of the set $\{0, 1, \ldots, N-1\}$. Also $j$ is taken uniformly at random from the set $\{0, 1, \ldots, N-1\}$. Then the probability $P(Z_1 = Z_3) \approx 1/N + 1/N^2$, where $Z_1, Z_3$ are the keystream bytes when $i = 1$ and $3$ respectively.

Proof $P(Z_1 = Z_3 \mid j_3 = 1)$: First we calculate $P(Z_1 = Z_3 \mid j_3 = 1)$. Consider the event
$$E = \{S_1[S_1[j_1]] + 1 \notin \{j_1, j_2\},\ S_1[S_1[j_1]] + 1 \notin \{1, 2\},\ S_1[j_1] \notin \{j_1, j_2\},\ S_1[j_1] \notin \{1, 2\}\}.$$
Now consider the event $E' = E \wedge \{j_2 \neq 1\}$. If $E'$ holds together with $j_3 = 1$, then $Z_3$ is always equal to $Z_1$: the swaps of the rounds $i = 1$ and $i = 2$ touch only the positions $1, j_1, 2, j_2$, so $S_3[1] = S_1[j_1]$, $S_3[S_1[j_1]] = S_1[S_1[j_1]]$ and $S_3[S_1[S_1[j_1]] + 1] = S_1[S_1[S_1[j_1]] + 1] = Z_1$, which is exactly $Z_3 = S_3[S_3[S_3[1]] + 1]$. In $E'$ there are 9 conditions altogether, hence $P(E') \approx 1 - 9/N$. Without the above conditions, $Z_3$ can still be equal to $Z_1$ due to random association; the probability along this path is $1/N$. Hence
$$P(Z_1 = Z_3 \mid j_3 = 1) = P(Z_1 = Z_3 \mid j_3 = 1, E')\,P(E') + P(Z_1 = Z_3 \mid j_3 = 1, E'^c)\,P(E'^c) \approx 1 \cdot \left(1 - \frac{9}{N}\right) + \frac{1}{N} \cdot \frac{9}{N} = 1 - \frac{9}{N} + \frac{9}{N^2} = p_1.$$

$P(Z_1 = Z_3 \mid j_3 = 2)$: Now we calculate $P(Z_1 = Z_3 \mid j_3 = 2)$. We have
$$P(Z_1 = Z_3 \wedge j_3 = 2) = P(Z_1 = Z_3 \wedge j_3 = 2 \wedge E \wedge j_2 = 1) + P(Z_1 = Z_3 \wedge j_3 = 2 \wedge (E^c \cup \{j_2 \neq 1\})).$$
Now
$$P(Z_1 = Z_3 \wedge j_3 = 2 \wedge E \wedge j_2 = 1) = P(Z_1 = Z_3 \mid j_3 = 2 \wedge E \wedge j_2 = 1) \cdot P(j_3 = 2 \wedge E \wedge j_2 = 1) \approx P(Z_1 = Z_3 \mid j_3 = 2 \wedge E \wedge j_2 = 1) \cdot P(E) \cdot P(j_2 = 1 \mid j_3 = 2) \cdot P(j_3 = 2).$$
If the event $E$ holds with $j_3 = 2$ and $j_2 = 1$, then $Z_3$ is always equal to $Z_1$. Also the event $E$ holds with probability $1 - 8/N$. Again from Lemma 3, we know that the probability of $j_2 = 1$ given $j_3 = 2$ is $2/N - 1/N^2$. Hence
$$P(Z_1 = Z_3 \wedge j_3 = 2 \wedge E \wedge j_2 = 1) = 1 \cdot \left(1 - \frac{8}{N}\right) \cdot \left(\frac{2}{N} - \frac{1}{N^2}\right) \cdot \frac{1}{N}.$$
Now if the event $E$ holds with $j_3 = 2$ and $j_2 \neq 1$, $Z_3$ is always different from $Z_1$. Hence $P(Z_1 = Z_3 \wedge j_3 = 2 \wedge (E^c \cup \{j_2 \neq 1\})) = P(Z_1 = Z_3 \wedge j_3 = 2 \wedge E^c)$. When $E$ does not hold, $Z_3$ can be equal to $Z_1$ due to random association. So
$$P(Z_1 = Z_3 \wedge j_3 = 2 \wedge E^c) = P(Z_1 = Z_3) \cdot P(j_3 = 2) \cdot P(E^c) = \frac{1}{N} \cdot \frac{1}{N} \cdot \frac{8}{N} = \frac{8}{N^3}.$$
Hence $P(Z_1 = Z_3 \wedge j_3 = 2) = \left(1 - \frac{8}{N}\right)\left(\frac{2}{N} - \frac{1}{N^2}\right)\frac{1}{N} + \frac{8}{N^3}$. Finally we get
$$P(Z_1 = Z_3 \mid j_3 = 2) = \left(1 - \frac{8}{N}\right)\left(\frac{2}{N} - \frac{1}{N^2}\right) + \frac{8}{N^2} = p_2.$$

$P(Z_1 = Z_3 \mid j_3 \notin \{1, 2\})$: Now consider the case $j_3 = x \notin \{1, 2\}$. By tracing the state, one can note that when the event $E$ holds, $Z_1$ cannot be $Z_3$ given $j_3 = x$. Hence we have
$$P(Z_1 = Z_3 \mid j_3 = x) = P(E^c) \cdot P(Z_1 = Z_3 \mid j_3 = x, E^c) = \frac{8}{N} \cdot \frac{1}{N} = \frac{8}{N^2} = p_3.$$
Hence
$$P(Z_1 = Z_3) = P(Z_1 = Z_3 \mid j_3 = 1)\,P(j_3 = 1) + P(Z_1 = Z_3 \mid j_3 = 2)\,P(j_3 = 2) + \sum_{x = 0,\, x \notin \{1, 2\}}^{N-1} P(Z_1 = Z_3 \mid j_3 = x)\,P(j_3 = x) = \frac{p_1}{N} + \frac{p_2}{N} + p_3\left(1 - \frac{2}{N}\right).$$
Now putting the values of $p_1$, $p_2$ and $p_3$ in the above expression, we have
$$P(Z_1 = Z_3) = \frac{1}{N} + \frac{1}{N^2} - \frac{16}{N^3} + \frac{8}{N^4} \approx \frac{1}{N} + \frac{1}{N^2}. \qquad \square$$

Hence with a sample of size $N^3$, one can mount a distinguishing attack on VMPC. So for $N = 256$, with a sample of size $2^{24}$ one can distinguish VMPC from a random number generator. The previously best distinguisher for this cipher is due to [8] with sample size $2^{32}$. Using exactly the same approach as Theorem 4, we have the most significant long-term bias on VMPC in the following conjecture.

Conjecture 1 Assume that the initial permutation $S$ is taken uniformly from the set of all possible permutations of the set $\{0, 1, \ldots, N-1\}$. Also $j$ is taken uniformly at random from the set $\{0, 1, \ldots, N-1\}$. Then the probability $P(Z_{kN+1} = Z_{kN+3}) \approx 1/N + 1/N^2$, where $Z_l$ is the $(l+1)$-th keystream byte and $k$ is a non-negative integer.

Experiments with a sample of size 1 billion show that $P(Z_{kN+1} = Z_{kN+3}) = 0.003921$ ($\approx 1/N + 1/N^2$).
Table 2 Comparison of our result on VMPC with the existing works.
  Maximov [8]:        event $Z_{kN} = Z_{kN+1} = 0$,  required sample size $N^4$
  Tsunoo et al. [15]: event $Z_{kN} = Z_{kN+1}$,      required sample size $N^5$
  Our:                event $Z_{kN+1} = Z_{kN+3}$,    required sample size $N^3$
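The following Python program is an added example, not code from the paper: it implements the VMPC PRGA of Fig. 4 and runs it from a uniformly random $S$ and $j$, which is precisely the model of Theorem 4 (the VMPC key schedule is not reproduced, and $N$, the trial count and the seed are choices of this example). Rather than trying to see the $1/N^2$ term in $P(Z_1 = Z_3)$ directly, it buckets the runs by the value of $j_3$ and compares each bucket with $p_1$, $p_2$ and $p_3$ from the proof; the $j_3 = 1$ bucket, where the two bytes are almost always equal, is where the bias comes from. It also encodes the decision rule of the distinguisher.

```python
"""VMPC PRGA of Fig. 4 and a check of the proof of Theorem 4.

Added example, not the paper's code. S and the initial j are drawn
uniformly, which is exactly the model of Theorem 4 (the VMPC key schedule
is not reproduced). N, the trial count and the seed are choices made here.
"""
import random


def vmpc_prga(s, j, rounds, n=256):
    """Fig. 4 from i = 0: j = S[j + S[i]]; Z = S[S[S[j]] + 1]; swap S[i], S[j].

    Z_t and j_t are the output and the j computed at the step with i = t,
    so the first byte is Z_0. Returns (outputs, js); mutates s.
    """
    outputs, js = [], []
    for i in range(rounds):
        j = s[(j + s[i % n]) % n]
        outputs.append(s[(s[s[j]] + 1) % n])
        js.append(j)
        s[i % n], s[j] = s[j], s[i % n]
    return outputs, js


def predicted_conditionals(n=256):
    """p1, p2, p3 and P(Z1 = Z3) as derived in the proof of Theorem 4."""
    p1 = 1 - 9 / n + 9 / n**2                          # given j3 = 1
    p2 = (1 - 8 / n) * (2 / n - 1 / n**2) + 8 / n**2   # given j3 = 2
    p3 = 8 / n**2                                      # given j3 not in {1, 2}
    total = p1 / n + p2 / n + p3 * (1 - 2 / n)
    return p1, p2, p3, total


def simulate_z1_eq_z3(n=256, trials=30000, seed=3):
    """Count Z1 = Z3 events, bucketed by j3 in {1, 2, 'other'}.

    Returns {bucket: (hits, count)} plus 'all' for the unconditional total.
    """
    rng = random.Random(seed)
    s = list(range(n))
    hits = {1: 0, 2: 0, "other": 0}
    counts = {1: 0, 2: 0, "other": 0}
    all_hits = 0
    for _ in range(trials):
        rng.shuffle(s)                       # uniform S, as in Theorem 4
        z, js = vmpc_prga(list(s), rng.randrange(n), 4, n)  # uniform j
        key = js[3] if js[3] in (1, 2) else "other"
        counts[key] += 1
        equal = z[1] == z[3]
        hits[key] += equal
        all_hits += equal
    result = {k: (hits[k], counts[k]) for k in hits}
    result["all"] = (all_hits, trials)
    return result


def distinguisher_verdict(coincidences, samples, n=256):
    """Decision rule of the Section 4 distinguisher: over a sample of
    (Z_{kN+1}, Z_{kN+3}) pairs, declare 'VMPC' when the coincidence rate is
    above the midpoint between the random value 1/N and the biased value
    1/N + 1/N^2. True means the source looks like VMPC."""
    return coincidences / samples > 1 / n + 1 / (2 * n * n)


if __name__ == "__main__":
    p1, p2, p3, total = predicted_conditionals()
    res = simulate_z1_eq_z3()
    for key, pred in ((1, p1), (2, p2), ("other", p3)):
        h, c = res[key]
        rate = h / c if c else float("nan")
        print(f"j3={key}: P(Z1=Z3) ~ {rate:.4f} from {c} samples (predicted {pred:.4f})")
    h, c = res["all"]
    print(f"unconditional: {h / c:.5f} (predicted {total:.5f}, 1/N = {1 / 256:.5f})")
```

With 30 000 runs the $j_3 = 1$ bucket holds only about a $1/N$ fraction of them, yet its coincidence rate near $1 - 9/N$ is unmistakable, and the $j_3 \notin \{1, 2\}$ bucket shows the predicted near-absence of coincidences. On the sample size: $N^3$ is the usual $p/\varepsilon^2$ estimate with $p = 1/N$ and $\varepsilon = 1/N^2$, and at exactly $N^3$ samples the two hypotheses are about one standard deviation apart, so a fixed error probability needs a constant multiple of $N^3$ samples; the comparison in Table 2 is between these orders of magnitude.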
5 Conclusion
In this paper we have studied new distinguishers for RC4 and its variants RC4A and VMPC. We have proved that the second output byte of RC4 has a negative bias of $3/N^2$ towards 2. This is the second largest distinguisher after the work of [7]. Our distinguisher on RC4A needs a sample size of $N^3$, the same as the existing work [15]. In the case of VMPC, we have proved that the fourth output byte has a positive $1/N^2$ bias towards the second output. This can easily be converted to a long-term bias with the same complexity. This is the strongest distinguisher against VMPC: the required sample size in our case is $N^3$, whereas the existing best attack [8] requires $N^4$ samples. We have also observed in RC4 that $P(Z_2 = N/2 + 1) \approx 1/N - 2/N^2$. In [6], the authors proved that the $r$-th output byte $Z_r$ of RC4 has a positive bias towards 0 for $3 \leq r \leq N-1$. We have observed that $Z_r$ also has a positive bias towards $r$ for $4 \leq r \leq N/2$. In the full version of the paper, we will include these results.

Acknowledgment: The author would like to thank Prof. Subhamoy Maitra and the anonymous WCC reviewers for their detailed comments on the technical issues of this paper.
References
1. E. Biham and J. Seberry. Py (Roo): A Fast and Secure Stream Cipher using Rolling Arrays. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/023, 2005.
2. E. Biham and J. Seberry. C Code of Py6. Available from http://www.ecrypt.eu.org/stream/py.html, eSTREAM, ECRYPT Stream Cipher Project, 2005.
3. G. Gong, K. C. Gupta, M. Hell and Y. Nawaz. Towards a General RC4-Like Keystream Generator. In proceedings of CISC 2005, LNCS, Springer, Vol. 3822, pp. 162–174, 2005.
4. R. J. Jenkins Jr. ISAAC. In proceedings of FSE 1996, LNCS, Springer, Vol. 1039, pp. 41–49, 1996.
5. S. Maitra and G. Paul. New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. In proceedings of FSE 2008, LNCS, Springer, Vol. 5086, pp. 253–269, 2008.
6. S. Maitra, G. Paul and S. Sen Gupta. Attack on Broadcast RC4 Revisited. In proceedings of FSE 2011, LNCS, Springer, Vol. 6733, pp. 199–217, 2011.
7. I. Mantin and A. Shamir. A Practical Attack on Broadcast RC4. In proceedings of FSE 2001, LNCS, Springer, Vol. 2355, pp. 152–164, 2001.
8. A. Maximov. Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of the RC4 Family of Stream Ciphers. In proceedings of FSE 2005, LNCS, Springer, Vol. 3557, pp. 342–358, 2005.
9. Y. Nawaz, K. C. Gupta and G. Gong. A 32-bit RC4-like Keystream Generator. Cryptology ePrint Archive, Report 2005/175.
10. S. Paul and B. Preneel. A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In proceedings of FSE 2004, LNCS, Springer, Vol. 3017, pp. 245–259, 2004.
11. S. Paul, B. Preneel and G. Sekar. Distinguishing Attacks on the Stream Cipher Py. In proceedings of FSE 2006, LNCS, Springer, Vol. 4047, pp. 405–421, 2006.
12. S. Paul and B. Preneel. On the (In)security of Stream Ciphers Based on Arrays and Modular Addition. In proceedings of Asiacrypt 2006, LNCS, Springer, Vol. 4284, pp. 69–73, 2006.
13. P. Sepehrdad, S. Vaudenay and M. Vuagnoux. Discovery and Exploitation of New Biases in RC4. In proceedings of SAC 2010, LNCS, Springer, Vol. 6544, pp. 74–91, 2010.
14. S. Sen Gupta, S. Maitra, G. Paul and S. Sarkar. Proof of Empirical RC4 Biases and New Key Correlations. In proceedings of SAC 2011, LNCS, Springer, Vol. 7118, pp. 151–168, 2011.
15. Y. Tsunoo, T. Saito, H. Kubo, M. Shigeri, T. Suzaki and T. Kawabata. The Most Efficient Distinguishing Attack on VMPC and RC4A. In proceedings of SKEW 2005.
16. B. Zoltak. VMPC One-Way Function and Stream Cipher. In proceedings of FSE 2004, LNCS, Springer, Vol. 3017, pp. 210–225, 2004.