Fast Software Encryption

Volume 6733 of the series Lecture Notes in Computer Science pp 199-217

Attack on Broadcast RC4 Revisited

  • Subhamoy MaitraAffiliated withApplied Statistics Unit, Indian Statistical Institute
  • , Goutam PaulAffiliated withDepartment of Computer Science and Engineering, Jadavpur University
  • , Sourav Sen GuptaAffiliated withApplied Statistics Unit, Indian Statistical Institute


In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover the second byte of the plaintext can be extended to recover the bytes 3 to 255 of the plaintext given Ω(N 3) many ciphertexts. Further, we also study the non-randomness of index j for the first two rounds of PRGA, and identify a strong bias of j 2 towards 4. This in turn provides us with certain state information from the second keystream byte.


Bias Broadcast RC4 Cryptanalysis Distinguishing Attack Keystream RC4 Stream Cipher