Designs, Codes and Cryptography

, Volume 82, Issue 1–2, pp 131–148 | Cite as

Revisiting (nested) Roos bias in RC4 key scheduling algorithm



RC4 is one of the most popular stream cipher with wide industrial applications, it has received serious attention in cryptology literature in the last 2 decades. In 1995, Roos pointed out that the elements \(S_N[y]\) of the permutation \(S_N\) after the key scheduling algorithm for the first few values of y are biased to certain combinations of secret key bytes. These correlations were theoretically studied by Paul and Maitra (SAC, 2007). The formula for the correlation probabilities provided by them gives a wrong impression that the probabilities decrease as the value of y becomes larger, which is not true. In this paper, we point out some gaps in their analysis and present a detailed analysis of Roos bias. We provide a more accurate formula for the correlation probabilities. We further study nested Roos type biases and present comparison results. These types of biases are used to reconstruct key from the permutation \(S_N\) for better success probability.


Stream cipher Cryptanalysis RC4 Roos bias 

Mathematics Subject Classification



  1. 1.
    AlFardan N., Bernstein D., Paterson K., Poettering B., Schuldt J.: On the security of RC4 in TLS. In: USENIX 2013, pp. 305–320 (2013).
  2. 2.
    Biham E., Carmeli Y.: Efficient reconstruction of RC4 keys from internal states. In: FSE 2008. LNCS, vol. 5086, pp. 270–288 (2008).Google Scholar
  3. 3.
    Isobe T., Ohigashi T., Watanabe Y., Morii M.: Full plaintext recovery attack on broadcast RC4. In: FSE 2013. LNCS, vol. 8424, pp. 179–202 (2013).Google Scholar
  4. 4.
    Klein A.: Attacks on the RC4 stream cipher. Des. Codes Cryptogr. 48(3), 269–286 (2008)Google Scholar
  5. 5.
    Maitra S., Paul G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: FSE 2008. LNCS, vol. 5086, pp. 253–269 (2008).Google Scholar
  6. 6.
    Maitra S., Paul G., Sen Gupta S.: Attack on broadcast RC4 Revisited. In: FSE 2011. LNCS, vol. 6733, pp. 199–217 (2011).Google Scholar
  7. 7.
    Mantin I.: Analysis of the stream cipher RC4. Masters Thesis, The Weizmann Institute of Science, Israel (2001).Google Scholar
  8. 8.
    Mantin I., Shamir A.: A practical attack on broadcast RC4. In: FSE 2001. LNCS, vol. 2355, pp. 152–164 (2002).Google Scholar
  9. 9.
    Maitra S., Paul G., Sarkar S., Lehmann M., Meier W.: New results on generalization of Roos-type biases and related keystreams of RC4. In: Africacrypt 2008. LNCS, vol. 7918, pp. 222–239 (2002)Google Scholar
  10. 10.
    McKague M.E.: Design and analysis of RC4-like stream ciphers. Master’s Thesis, University of Waterloo, Canda (2005).Google Scholar
  11. 11.
    Patel J.K., Read C.B.: Handbook of the Normal Distribution. CRC Press, Boca Raton (1996).Google Scholar
  12. 12.
    Paul G., Maitra S.: Permutation after RC4 key scheduling reveals the secret key. In: SAC. LNCS, vol. 4876, pp. 360–377 (2007).Google Scholar
  13. 13.
    Paul G., Rathi S., Maitra S.: On non-negligible bias of the first output byte of RC4 towards the first three bytes of the secret key. Des. Codes Cryptogr. 49(1–3), 123–134 (2008).Google Scholar
  14. 14.
    Paterson K.G., Poettering B., Schuldt J.C.N.: Plaintext recovery attacks against WPA/TKIP. In: FSE. LNCS, vol. 8540, pp. 325–349 (2014).Google Scholar
  15. 15.
    Paterson K.G., Poettering B., Schuldt J. C.N.: Big bias hunting in amazonia: large-scale computation and exploitation of RC4 biases (Invited Paper). In: ASIACRYPT 2014. LNCS, vol. 8873, pp. 398–419 (2014).Google Scholar
  16. 16.
    Roos A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$, 44ebge$, (1995).Google Scholar
  17. 17.
    Sage: Open Source Mathematics Software.
  18. 18.
    Sepehrdad P., Vaudenay S., Vuagnoux M.: Statistical attack on RC4—Distinguishing WPA. In: EUROCRYPT. LNCS, vol. 6632, pp. 343–363 (2011).Google Scholar
  19. 19.
    IEEE 802.11. Wireless LAN medium access control (MAC) and physical layer (PHY) specification (1997).Google Scholar
  20. 20.
    IEEE 802.11i. Wireless LAN medium access control (MAC) and physical layer (PHY) specification: amendment 6: medium access control (MAC) security enhancements (2004).Google Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.Department of MathematicsIndian Institute of Technology MadrasChennaiIndia
  2. 2.Computer Science UnitIndian Statistical Institute - Chennai CentreChennaiIndia

Personalised recommendations