Attack on broadcast RC4 revisited

Authors:
Subhamoy Maitra;Goutam Paul;Sourav Sen Gupta
Affiliations:
Applied Statistics Unit, Indian Statistical Institute, Kolkata, India;Department of Computer Science and Engineering, Jadavpur University, Kolkata, India;Applied Statistics Unit, Indian Statistical Institute, Kolkata, India
Venue:
FSE'11 Proceedings of the 18th international conference on Fast software encryption
Year:
2011

Citing 7
Cited 4

(Not So) Random Shuffles of RC4

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Practical Attack on Broadcast RC4

FSE '01 Revised Papers from the 8th International Workshop on Fast Software Encryption
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4

Fast Software Encryption
New State Recovery Attack on RC4

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Discovery and exploitation of new biases in RC4

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Statistical attack on RC4 distinguishing WPA

EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
Predicting and distinguishing attacks on RC4 keystream generator

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

How to find short RC4 colliding key pairs

ISC'11 Proceedings of the 14th international conference on Information security
Proof of empirical RC4 biases and new key correlations

SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
On the evolution of GGHN cipher

INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
On the security of RC4 in TLS

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover the second byte of the plaintext can be extended to recover the bytes 3 to 255 of the plaintext given Ω(N3) many ciphertexts. Further, we also study the non-randomness of index j for the first two rounds of PRGA, and identify a strong bias of j2 towards 4. This in turn provides us with certain state information from the second keystream byte.