Measuring Avalanche Properties on RC4 Stream Cipher Variants

Abstract

In the last three decades, the RC4 has been the most cited stream cipher, due to a large amount of research carried out on its operation. In this sense, dissimilar works have been presented on its performance, security, and usability. One of the distinguishing features that stand out the most is the sheer number of RC4 variants proposed. Recently, a weakness has been reported regarding the existence of statistical dependence between the inputs and outputs of the RC4, based on the use of the strict avalanche criterion and the bit independence criterion. This work analyzes the influence of this weakness in some of its variants concerning RC4. The five best-known variants of RC4 were compared experimentally and classified into two groups according to the presence or absence of such a weakness.

1. Introduction

A stream cipher is a method widely used to cipher large volumes of information per unit of time. Thus, scenarios, such as mobile telephony, wireless networks, and cloud computing use this method as an encryption option [1]. Examples such as the encryption E0 in Bluetooth [2], A5 in GSM [3], and RC4 in wired equivalent privacy (WEP), Wi-Fi protected access (WPA), WAP2 [4] have been reported in the literature.

In this respect, it is impossible not to highlight the RC4 stream cipher, which has been mentioned on several occasions as the most used stream cipher in practice [4], mostly due to its inclusion in other scenarios such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), Microsoft Windows, Lotus Notes, Apple Open Collaboration Environment (AOCE), and Oracle Secure SQL [4].

However, in the last decade, some applications [5,6] avoided the RC4 encryption, given some weaknesses found [7]. Although it is not considered safe [8], RC4 continues to motivate a lot of research [8,9,10], and it is cited to measure the effectiveness of methods that analyze weaknesses in stream ciphers [11,12,13] or the performance of applications that make use of cryptography [14,15,16].

Many of these investigations consist of proposals for modifications to the RC4 stream cipher, which has resulted in a considerable number of variants of this cipher being reported; without much effort, it is possible to find more than 20 variants in the literature [17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40]. All of these variants seek to increase the performance, usability, or security of the encryptor.

However, not a few have included reports on the weaknesses of the RC4 that remain in these variants or other new ones reported [4].

While the studies on the RC4 stream cipher continue, research on the proposed variants have also increased, to verify the safety of these variants concerning RC4. This work analyzes the influence of one of the weaknesses reported in the literature on RC4 in the five best known (and most referenced) variants.

2. Motivation

In international literature, up until the first decade of the 21st century, the cryptographic analysis of stream ciphers or random number generators has become customary by applying statistical tests to their outputs to measure their degrees of randomness [41,42,43]. There are numerous statistics among those grouped in the batteries of NIST [44], Diehard [45], TestU01 [46], and Knuth [47], among others [48].

These tests have become standard, but since the first decade of this century, there has been a considerable increase in studies that show the inability of these tests in detecting other weaknesses that lead to the appearance of related keys, considerably weak keys due to the provocation of patterns in outputs, statistical dependence between inputs and outputs, statistical dependence between internal state and outputs, etc. Weaknesses that can cause attacks [49,50], which are practical or not, are considered to maintain a cipher in the suite of some computer applications.

In this way, it is essential to avoid the previous weakness and to have methods to detect it in the design and evaluation stage of the algorithm. In particular, it is necessary to have statistical tests that are capable of detecting the existence of significant statistical dependencies between the inputs and outputs of stream ciphers. In general, there are very few statistical test reports to detect the existence of statistical dependencies between the outputs and inputs of a stream cipher. Therefore, the design of statistical tests that allow for their evaluation in this sense is highly important in cryptography. In [49,50], Algorithms 1 and 2 were presented to extend the strict avalanche and bit independence criteria stream ciphers, respectively.

Algorithm 1 SAC stream ciphers algorithm

Input:  f, n, m, ${\alpha }_1$, ${\alpha }_2$, D. Output:  If f satisfies the SAC 1: $T=0$ 2: for $i=1\to n$ do 3:     for $r=1\to l$ do 4:         Compute $V_r^i=Y_r\oplus Y_r^i$ 5:     end for 6:     for $j=1\to m$ do 7:         if ${\chi }_{v_{·j}^i}^2>{\chi }_{{\alpha }_1,1}^2$ then 8:            $T=T+1$ 9:         end if 10:     end for 11: end for 12: if$Z_T>Z_{1-{\alpha }_2}$thenf does not satisfy the SAC 13: elsef satisfies the SAC 14: end if

Algorithm 2 BIC stream ciphers algorithm

Input:  f, n, m, ${\alpha }_1$, ${\alpha }_2$, D. Output:  If f satisfies the BIC 1: $T=0$ 2: for $i=1\to n$ do 3:     for $r=1\to l$ do 4:         Compute $V_r^i=Y_r\oplus Y_r^i$ 5:     end for 6:     for each $(j,k)$ do 7:         if ${{\chi }^2}_{s_{jk}^i}>{{\chi }^2}_{{\alpha }_1,1}$ then 8:            $T=T+1$ 9:         end if 10:     end for 11: end for 12: if$Z_T>Z_{1-{\alpha }_2}$thenf does not satisfy the BIC 13: elsef satisfies the BIC 14: end if

In applying both criteria, the RC4 stream cipher was used as a test case to evaluate the effectiveness of the proposed algorithms experimentally [49,50]. As a result, it was shown that the RC4 presents a weakness of statistical dependence when large input keys are used. Although this weakness is not new, it has been reported in previous works. It is interesting to highlight the proposed evaluation using these two algorithms to determine its presence. As mentioned, there are numerous modification proposals on the RC4 stream cipher. The main motivation of this work is to evaluate whether some of the RC4 variants present this weakness. For this, both algorithms will be applied to the five most well-known RC4 variants RC4+ [27], VMPC [25], RC4A [26], NGG [23], and GGHN [24]. The results will be compared experimentally with those obtained for RC4.

3. SAC and BIC

Let $D=\left\{X_r\right|1\le r\le l\}$ the set of n-bit inputs $X_r$ of a function (cipher) $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ and $Y_r=f\left(X_r\right)$ the output of m bits corresponding to the input $X_r$ for each $1\le r\le l$, where $n,m\in \mathbb{N}$. In [51] the difference between the outputs $Y_r=f\left(X_r\right)$ and $Y_r^i=f\left(X_r^i\right)$ corresponding to the inputs $X_r$ and $X_r^i$ is called the avalanche vector $V_r^i=Y_r\oplus Y_r^i$, where $X_r^i=X_r\oplus e_i$, with $e_i,1\le i\le n$, denoting the unit vectors $e_1=(1,0,\dots ,0,0,0),\dots ,e_n=(0,0,\dots ,0,0,1)$.

Each $V_r^i=Y_r\oplus Y_r^i=(v_{r1}^i,v_{r2}^i,\dots ,v_{rm}^i)$, where $v_{rj}^i\in {\mathbb{F}}_2$, with $1\le j\le m$ and $1\le i\le n$, is called an avalanche variable, represents the row r of the matrix $H^i$ defined in

Table 1. Expected value and observed values for each cipher in SAC.

	Expected	RC4	RC4A	NGG	VMPC	RC4+	GGHN
Number of failures T	656	26,251	53,168	36,522	679	664	719

in [50].

Based on its definition, the strict avalanche criterion (SAC) [51] checks whether changing any input bit implies changing approximately half of the output bits. It is said that f satisfies the SAC if for all i, every avalanche variable $v_{·j}^i$ with $1\le j\le m$ and $1\le i\le n$, follows a binomial distribution with parameters l and $1/2$, that is, $v_{·j}^i\sim B(l,1/2)$. On the other hand, the bit independence criterion (BIC) [51] measures the degree of independence between each pair $v_{·j}^i,v_{·k}^i$ of avalanche variables, with $1\le j,k\le m$.

In this way, the two criteria measure a different characteristic of the effect of changing one bit of the input on the output bits. The SAC verifies uniformity in the distribution of each output bit, while the BIC measures the degree of independence between the output bits. One important characteristic is to measure whether there is a correlation between these two criteria [52]. In [53], it was concluded that these two tests are quite uncorrelated by using the absolute correlation coefficient.

Both algorithms have in common the construction of the avalanche matrix. This matrix constitutes the basis for the detection of statistical dependency between the inputs and outputs of f. It can be seen that the BIC has a longer execution time when comparing all pairs of random variables.

In SAC and BIC, the random variable T measures the number of failures of the null hypothesis $H_0$ presented in [49,50]. In the case of the SAC criterion

$$T=\sum _{i=1}^n\sum _{j=1}^{m}t(v_{·j}^i,{\alpha }_1),$$

and for the BIC criterion,

$$T=\sum _{i=1}^n\sum _{j=1}^{m-1}\sum _{k>j}^{m}t(v_{·j}^i,v_{·k}^i,{\alpha }_1),$$

T can be approximated by the normal distribution with the mean and variance presented in [50] by,

$$Z_T=\frac{T-E\left(T\right|H_0)}{\sqrt{{\sigma }^2\left(T\right|H_0)}}\sim N(0,1).$$

where $t(v_{·j}^i,{\alpha }_1)$ and $t(v_{·j}^i,v_{·k}^i,{\alpha }_1)$ take value 1 if $H_0$ is rejected with significance ${\alpha }_1$ or 0 otherwise.

To compare the $Z_T$ value with the $N(0,1)$ distribution, a significance level ${\alpha }_2$ is selected. Then, it is tested if f does not satisfy the BIC if $Z_T>Z_{1-{\alpha }_2}$ where $Z_{1-{\alpha }_2}$ is the critical value of the normal distribution table with a significance level ${\alpha }_2$.

4. RC4 Stream Cipher Description

Ron Rivest designed the RC4 algorithm in 1987 for the company RSA Data Security [4]. Its implementation is straightforward and fast and aims to generate sequences in units of one byte and allow keys of different lengths. The internal state of RC4 consists of a permutation S of the numbers $0,\dots ,N-1$ and two indices $i,j\in \{0,\dots ,N-1\}$. The index i is known, while j and the permutation S remain secret.

The RC4 comprises two components: the key scheduling algorithm (KSA) and the pseudo-random generator algorithm (PRGA). The KSA generates an initial state from the input parameter K. This starts with an array $\{0,1,\dots ,N-1\}$ where $N=256$ by default. In the end, an initial state $S_N$ is obtained, see Algorithm 3.

Algorithm 3 RC4 key-scheduling

1: for $i=0\to 255$ do 2:     $S\left[i\right]\leftarrow i$ 3: end for 4: $j\leftarrow 0$ 5: for $i=0\to 255$ do 6:     $j\leftarrow (j+S[i]+K[imodkeyLength\left]\right)mod256$ 7:     Swap $S\left[i\right]$ and $S\left[j\right]$ 8: end for

Once the initial state is obtained, it is used by the PRGA. The purpose of the PRGA is to generate the output sequence, in this case in bytes (Algorithm 4).

Algorithm 4 RC4 pseudo-random generator

1: $i\leftarrow 0$ 2: $j\leftarrow 0$ 3: while Generating Output do 4:     $i\leftarrow (i+1)mod256$ 5:     $j\leftarrow (j+S[i\left]\right)mod256$ 6:     Swap $S\left[i\right]$ and $S\left[j\right]$ 7:     Output $S\left[\right(S\left[i\right]+S\left[j\right])mod256]$ 8: end while

There are a variety of results on the weaknesses of the RC4 cipher [4], especially in the non-pseudorandomness of the permutation resulting from the KSA [11,54,55], and the reflection of input patterns in the outputs and the permutation [12,56,57].

5. RC4 Stream Cipher Variants Description

Numerous variants of the RC4 stream cipher algorithm have been proposed in the literature, many poorly referenced. Each variant seeks to solve or strengthen the RC4 algorithm against reported weaknesses or improve its practice performance. In this section, we present the most well-known and referenced variants.

5.1. RC4+ Algorithm

The stream cipher RC4+ was proposed in [27] to exploit the qualities of the RC4 algorithm and provide additional tools, to obtain a greater margin of safety by adding some operations to its structure. Modifications in both algorithms of the RC4 cipher are proposed and are called KSA+ and PRGA+ (see Algorithms 5 and 6).

The KSA+ consists of three basic scramblings, scrambling with IV, and zigzag scrambling. The initialization and the first layer basic scrambling are the same as in the original RC4 KSA. The second layer shuffles the permutation using IVs and the secret key K, and in the third layer, more shuffling is achieved in a zigzag way (see Algorithm 5).

Algorithm 5 KSA+

Input:  Secret key $K\left[0\dots N-1\right]$, initialization vector $IV\left[0\dots N-1\right].$ Output:  Shuffled permutation $S[0\dots N-1]$. 1: for $i=0\to N-1$ do                                                                                            ▹ Initialization 2:     $S\left[i\right]=i$ 3: end for 4: $j=0$ 5: for $i=0\to N-1$ do                                                                        ▹ Layer 1 Basic Scrambling 6:     $j=(j+S\left[i\right]+K[imodkeyLength])modN$ 7:     $Swap\left(S\right[i],S[j\left]\right)$ 8: end for 9: for $i=N/2-1\mathbf{down} \mathbf{to}0$ do                                                      ▹ Layer 2: Scrambling with $IV$ 10:     $j=\left(\right(j+S\left[i\right]\left)modN\right)\oplus \left(\right(K\left[imodkeyLength\right]+IV\left[imodIVLength\right]\left)modN\right)$ 11:     $Swap\left(S\right[i],S[j\left]\right)$ 12: end for 13: for  $i=N/2\to N-1$  do 14:     $j=\left(\right(j+S\left[i\right]\left)modN\right)\oplus \left(\right(K\left[imodkeyLength\right]+IV\left[imodIVLength\right]\left)modN\right)$ 15:     $Swap\left(S\right[i],S[j\left]\right)$ 16: end for 17: for $y=0\to N-1$ do                                                                   ▹ Layer 3: Zigzag Scrambling 18:     if $y\equiv 0mod2$ then 19:         $i=y/2$ 20:     else 21:         $i=N-(y+1)/2$ 22:         $j=(j+S[i]+K[imodkeyLength\left]\right)modN$ 23:         $Swap\left(S\right[i],S[j\left]\right)$ 24:     end if 25: end for

KSA+ was designed in order to avoid secret key correlations from the permutation bytes and to guarantee that the keystream output bytes cannot have any correlation with the secret key. In the design of the PRGA+ algorithm (see Algorithm 6), the main cryptanalytic results about RC4 PRGA was taken into consideration.

Algorithm 6 PRGA+

Input:  KSA shuffled permutation $S[0\dots N-1]$. Output:  Pseudo-random keystream bytes z. 1: $j=0$ 2: for  $i=0\to L$  do 3:     $i=(i+1)modN$ 4:     $j=(j+S[i\left]\right)modN$ 5:     $Swap\left(S\right[i],S[j\left]\right)$ 6:     $t=\left(S\right[i]+S[j\left]\right)modN$ 7:     $t^{\prime }=((S[(i\gg 3)\oplus (j\ll 5)]+S[(i\ll 5)\oplus (j\gg 3)])modN)\oplus 0\mathrm{xAA}$ 8:     $t^{″}=(j+S\left[j\right])modN$ 9:     Output $z=(S\left[t\right]+S\left[t^{\prime }\right])\oplus S\left[t^{″}\right]$ 10: end for

Where ≫ and ≪ mean right shifting and left shifting, respectively, and L is the number of output bytes. The proposed design is based on avoiding that each output byte depends only on one input of the permutation. In this sense, they incorporate the exclusive or operation ⊕ and two new indices $t^{\prime }$, and $t^{″}$.

5.2. RC4A Algorithm

The stream cipher RC4A was proposed in [26] with the objective to reduce the correlations between output bytes and internal variables by increasing the internal state (see Algorithms 7 and 8).

Algorithm 7 RC4A KSA

Input:  Secret keys $K_1[0\dots N-1]$ and $K_2[0\dots N-1]$. Output:  Shuffled permutation $S_1[0\dots N-1]$ and $S_2[0\dots N-1]$. 1: for  $i=0\to N-1$  do 2:     $S_1\left[i\right]=i$ 3:     $S_2\left[i\right]=i$ 4: end for 5: $j_1=0$ 6: $j_2=0$ 7: for  $i=0\to N-1$  do 8:     $j_1=(j_1+S_1\left[i\right]+K_1[imodkeyLength])modN$ 9:     $Swap(S_1\left[i\right],S_1\left[j_1\right])$ 10: end for 11: for  $i=0\to N-1$  do 12:     $j_2=(j_2+S_2\left[i\right]+K_2[imodkeyLength])modN$ 13:     $Swap(S_2\left[i\right],S_2\left[j_2\right])$ 14: end for

The difference between the algorithms RC4A KSA (see Algorithm 7) and KSA RC4 is that the first generates two state table by using two different keys. Thus, secret internal state of RC4A consists of two permutations $S_1,S_2$ and three variables $i,j_1,j_2$.

Algorithm 8 RC4A PRGA

Input:  KSA shuffled permutations $S_1[0\dots N-1]$ and $S_2[0\dots N-1]$. Output:  Pseudo-random keystream bytes z. 1: $j_1=0$ 2: $j_2=0$ 3: for  $i=0\to L$  do 4:     $i=(i+1)modN$ 5:     $j_1=(j_1+S_1\left[i\right])modN$ 6:     $Swap(S_1\left[i\right],S_1\left[j_1\right])$ 7:     Output $z_1=S_2[(S_1\left[i\right]+S_1\left[j_1\right])modN]$ 8:     $j_2=(j_2+S_2\left[i\right])modN$ 9:     $Swap(S_2\left[i\right],S_2\left[j_2\right])$ 10:     Output $z_2=S_1[(S_2\left[i\right]+S_2\left[j_2\right])modN]$ 11: end for

In each round two output bytes are generated, the first byte is generated from $S_2$ and the second byte is generated from $S_1$. Thus, this cipher speed up the RC4 encryption.

5.3. VMPC Algorithm

In [25] was proposed the algorithm VMPC (see Algorithms 9 and 10), whose name comes from “Variably Modified Permutation Composition”, which is based in the transformation $z=S[S_k\left[S_{k-1}\right[\dots \left[S_1\left[S\left[x\right]\right]\right]$$\dots \left]\right]],0\le x\le N-1$, where $x\in \{0,1,\dots ,N\}$ and $S_k\left[x\right]=(S\left[x\right]+k)modN$. Such transformation is called a k-level VMPC function.

Algorithm 9 VMPC KSA

Input:  Secret keys $K[0\dots N-1]$ and $IV[0\dots N-1]$. Output:  Shuffled permutation $S[0\dots N-1]$. 1: for  $i=0\to N$  do 2:     $S\left[i\right]=i$ 3: end for 4: $j=0$ 5: for  $k=0\to 3N-1$  do 6:     $i=kmodN$ 7:     $j=S\left[\right(j+S\left[i\right]+K[kmodkeyLength])modN]$ 8:     $Swap\left(S\right[i],S[j\left]\right)$ 9: end for 10: for  $k=0\to 3N-1$  do 11:     $i=kmodN$ 12:     $j=S\left[\right(j+S\left[i\right]+IV[imodIVLength])modN$ 13:     $Swap\left(S\right[i],S[j\left]\right)$ 14: end for

In the KSA, the main differences from RC4 are that the length of loop where permutation S is updated six times more than RC4—firstly, three times with the key, and after three times more with the initialization vector IV. The second update is an optional loop in KSA used by the designer to improve the diffusion using an initialization vector. However, designer statements show that it is possible to obtain good diffusion without using the initialization vector.

Algorithm 10 VMPC PRGA

Input:  KSA Shuffled permutation $S[0\dots N-1]$, the last key dependence value of the index j. Output:  Pseudo-random keystream bytes z. 1: for  $i=0\to L$  do 2:     $j=S\left[\right(j+S\left[i\right])modN]$ 3:     Output $z=S\left[\right(S\left[S\right[j\left]\right]+1)modN]$ 4:     $Swap\left(S\right[i],S[j\left]\right)$ 5:     $i=(i+1)modN$ 6: end for

5.4. NGG Algorithm

In [24], the authors proposed some modifications to the RC4 algorithm to expand RC4 to $32/64$ bits with a table size significantly smaller than $2^{32}$ or $2^{64}$. The proposed algorithm used different word and table sizes. The authors tried to keep the original structure of RC4 as much as possible, but the proposed changes affect some underlying design principles in which the security of RC4 is based (see Algorithms 11 and 12).

Algorithm 11 NGG KSA

Input:  Secret keys $K[0\dots N-1]$ and a pre-computed random array $a[0\dots N-1]$. Output:  Shuffled permutation $S[0\dots N-1]$. 1: for  $i=0\to N-1$  do 2:     $S\left[i\right]=a\left[i\right]$ 3: end for 4: $j=0$ 5: for  $i=0\to N-1$  do 6:     $j=S\left[\right(j+S\left[i\right]+K[imodkeyLength])modN$ 7:     $Swap\left(S\right[i],S[j\left]\right)$ 8:     $S\left[i\right]=S\left[i\right]+S\left[j\right]modM$ 9: end for

The new algorithm was denoted by $RC4(n,m)$ where $N=2^n$ is the size of the array S in word, m is the word size in bits, and $n\le m$. It can be noted that the contents of the array S do not constitute a complete permutation of 32-bit or 64-bit words.

Algorithm 12 NGG PRGA

Input:  KSA Shuffled array $S[0\dots N-1]$. Output:  Pseudo-random keystream bytes z. 1: $j=0$ 2: for  $i=0\to L$  do 3:     $i=(i+1)modN$ 4:     $j=(j+S[i\left]\right)modN$ 5:     $Swap\left(S\right[i],S[j\left]\right)$ 6:     Output $z=S\left[\right(\left(S\right[i]+S[j\left]\right)modM)modN]$ 7:     $S\left[\right(\left(S\right[i]+S[j\left]\right)modM)modN]=\left(S\right[i]+S[j\left]\right)modM$ 8: end for

Where $N=2^n,M=2^m$.

5.5. GGHN Algorithm

A version of NGG was introduced in [23], named GGHN cipher. A third variable k is used in KSA and PRGA to increase the security of the cipher, k is initialized in the KSA and is key dependent (see Algorithms 13 and 14).

Algorithm 13 GGHN KSA

Input:  Secret keys $K[0\dots N-1]$ and a pre-computed random array $a[0\dots N-1]$. Output:  Shuffled array $S[0\dots N-1]$. 1: for  $i=0\to N-1$  do 2:     $S\left[i\right]=a\left[i\right]$ 3: end for 4: $j=0,k=0$ 5: repeat 6:     for $i=0\to N-1$ do 7:         $j=S\left[\right(j+S\left[i\right]+K[imodkeyLength])modN$ 8:         $Swap\left(S\right[i],S[j\left]\right)$ 9:         $S\left[i\right]=S\left[i\right]+S\left[j\right]modM$ 10:         $k=(k+S[i\left]\right)modM$ 11:     end for 12: until r times

The value of r can be computed for different values of n and m, see Table 1 in [23]. For example, for $n=8$ and $m=32,r=20$.

Algorithm 14 GGHN PRGA

Input:  KSA Shuffled array $S[0\dots N-1]$. Output:  Pseudo-random keystream bytes z. 1: $j=0$ 2: for  $i=0\to L$  do 3:     $i=(i+1)modN$ 4:     $j=(j+S[i\left]\right)modN$ 5:     $k=(k+S[j\left]\right)modM$ 6:     Output $z=\left(S\right[\left(S\right[i]+S[j\left]\right)modN]+k)modM$ 7:     $S\left[\right(S\left[i\right]+S\left[j\right])modN]=(k+S[j\left]\right)modM$ 8: end for

6. Measuring Avalanche Properties in RC4 Variants

Both statistical tests depend on the parameters n size of inputs, m size of outputs, and l number of inputs. In [50], we discuss and give recommendations for selecting these parameters to guarantee the effectiveness of the tests. The values of $n,m$, and l in this work were selected in such a way that they conform to these recommendations based on the significance levels ${\alpha }_1$ and ${\alpha }_2$ chosen.

6.1. Selecting Parameters $n,m,l$ for Experiments

It is known [11,12,56] that, when using large input keys in the RC4, it is possible to find the so-called “related keys”, which provide outputs whose values are correlated with high probability. Therefore, the maximum possible value of the size of the inputs $n=2048$ bits was selected. According to [50], the increase of the m parameter has the most significant influence on the increase in the execution time of the tests.

Furthermore, it is known [54,55] that the first four RC4 output values have the most significant bias. Thus, from both details, $m=32$ bits was selected. For the number l of entries, the same value used in [50] was chosen, that is, $l=$ 65,538. In the case of the two significance levels ${\alpha }_1$ and ${\alpha }_2$, values that minimize errors were selected in both cases, type I and type II. According to the results in [50], for ${\alpha }_1=0.01$ and ${\alpha }_2=0001$, observed values are obtained that satisfy the theoretically expected values; in this way, these were the chosen values.

6.2. Experiments on the SAC Criterion

When evaluating the SAC criterion, $E\left(T_i\right)=m·{\alpha }_1=32\times 0.01=0.32$ avalanche variable uniformity rejections for each change of bit i, with $1\le i\le n$, and $E\left(T\right)=n·m·{\alpha }_1=2048\times 32\times 0.01\approx 656$ rejects on all changes. Table 1 shows the expected value and the observed values for each cipher, while Figure 1 shows the distribution of the fails per bit changed when evaluating the SAC.

It is observed that the RC4A and NGG ciphers do not satisfy the SAC; they even have worse performance than the RC4 stream cipher. This result is not surprising since both variants do not add greater randomness to the operation of the RC4. In the case of the RC4A, the internal state is increased by using two permutation tables instead of one. While in the NGG, the internal state is also increased, but this time, the size in bits of each component of the permutation is increasing. Based on the results achieved, none of these two modifications eliminate this weakness of the RC4; it could even be said that they make it more detectable.

On the other hand, the RC4+, VMPC and GGHN ciphers do satisfy the SAC criterion since they have an observed value of failures very close to the expected value, for the significance level ${\alpha }_2$ chosen.

Table 2. Values of $Z_T$ for each cipher.

	RC4	RC4A	NGG	VMPC	RC4+	GGHN
$Z_T$	1004.87	2061.61	1408.10	0.90	0.34	2.50

shows the $Z_T$ values for each cipher against the critical value $Z_{1-{\alpha }_2}=3.09$.

Remarkably, the NGG and GGHN algorithms are very similar. The difference is that GGHN adds a variable k to the input-dependent internal state. To measure the implication of this variable, the same a arrangement of initial random values was used in both cases for the permutation that is used in the KSA. From the results obtained, it is experimentally demonstrated that this variable makes the difference in the behavior between both variants of RC4.

6.3. Experiments on the BIC Criterion

In the application of the BIC to the ciphers, $E\left(T_i\right)=C_2^m·{\alpha }_1=496\times 0.01=4.96$ avalanche variable uniformity rejections are expected for each bit change i, with $1\le i\le n$, and $E\left(T\right)=n·C_2^m·{\alpha }_1=2048\times 496\times 0.01\approx 10,158$ rejects on all you change.

Table 3. Expected value and observed values for each encryptor in BIC.

	Expected	RC4	RC4A	NGG	VMPC	RC4+	GGHN
Number of failures T	10,158	281,345	564,254	503,561	10,410	10,381	10,261

shows the expected value and the observed values for each cipher, while Figure 2 shows the distribution of the fails per bit changed when evaluating the BIC.

In this case, RC4A and NGG do not satisfy the BIC and maintain a worse behavior than the RC4 stream cipher. However, it is important to highlight how the RC4A from bit $i=1150$, approximately, has a slightly better performance than the NGG. This is due to the rapid trend of the NGG towards the maximum value of possible failures.

The RC4+, VMPC, and GGHN ciphers satisfy the BIC criterion showing stable behavior, with the significance level ${\alpha }_2$ chosen.

Table 4. Values of $Z_T$ for each cipher.

	RC4	RC4A	NGG	VMPC	RC4+	GGHN
$Z_T$	2690.68	5497.67	4895.48	2.50	2.21	1.02

shows the $Z_T$ values for each cipher against the critical value $Z_{1-{\alpha }_2}=3.09$.

These results show that it is possible to obtain different results in both criteria. The GGHN cipher exhibits a better behavior in the BIC than the VMPC and RC4+ ciphers, the opposite of the SAC criterion.

Using the SAC and BIC criteria extended to stream ciphers, one of the weaknesses in RC4 was the existence of statistical dependence between the outputs and inputs of RC4 (avalanche weaknesses). The RC4A and NGG variants were experimentally shown not to satisfy the SAC and BIC tests. Its behavior is even worse than that of the RC4; these variants do not eliminate the statistical dependence between the outputs and inputs of the RC4; on the contrary, they increase it. The VMPC, RC4+, and GGHN variants substantially reduce the statistical dependency between the RC4 inputs and outputs and meet the SAC and BIC tests. It is recommended not to use the RC4A and NGG variants as they do not eliminate the avalanche type weaknesses present in the RC4.

7. Conclusions

RC4 has been one of the most studied stream ciphers in the literature in recent decades, resulting in dozens of variant proposals through various modifications. In this work, five variants of RC4 were analyzed using the SAC and BIC criteria extended to stream ciphers. The VMPC, RC4+, and GGHN variants meet both criteria, while the RC4A and NGG variants do not meet both criteria. Even the NGG variant had worse results than RC4 itself. Future work should apply these criteria to other stream ciphers outside the RC4 scheme.