(Not So) Random Shuffles of RC4
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Practical Attack on Broadcast RC4
FSE '01 Revised Papers from the 8th International Workshop on Fast Software Encryption
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
Fast Software Encryption
New State Recovery Attack on RC4
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Discovery and exploitation of new biases in RC4
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Statistical attack on RC4 distinguishing WPA
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
Predicting and distinguishing attacks on RC4 keystream generator
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to find short RC4 colliding key pairs
ISC'11 Proceedings of the 14th international conference on Information security
Proof of empirical RC4 biases and new key correlations
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
On the evolution of GGHN cipher
INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover the second byte of the plaintext can be extended to recover the bytes 3 to 255 of the plaintext given Ω(N3) many ciphertexts. Further, we also study the non-randomness of index j for the first two rounds of PRGA, and identify a strong bias of j2 towards 4. This in turn provides us with certain state information from the second keystream byte.