Attack on Broadcast RC4 Revisited
In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases towards zero in the initial bytes (3 to 255) of the RC4 keystream. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 that recovers the second byte of the plaintext can be extended to recover bytes 3 to 255 of the plaintext, given Ω(N^3) ciphertexts. Further, we also study the non-randomness of the index j for the first two rounds of the PRGA, and identify a strong bias of j_2 towards 4. This in turn provides us with certain state information from the second keystream byte.
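To make the abstract's argument concrete, the following added example (not code from the paper or its authors) implements standard RC4 (KSA and PRGA), samples keystreams under random keys, and shows the two mechanisms the abstract relies on: a keystream byte that is biased towards zero, and the broadcast scenario in which the same plaintext is encrypted under many independent keys, so that the most frequent ciphertext byte at a biased position is the plaintext byte itself. The key length, sample size, seed and the plaintext are constructed choices; the zero-frequency and recovery functions take a 1-indexed position r so the reader can point them at bytes 3 to 255 as well.

```python
import random
from collections import Counter

N = 256  # RC4 operates on a permutation of 0..255


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the initial permutation S from the key."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-random generation algorithm: emit keystream bytes z_1 .. z_length."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def sample_keystreams(num_keys: int, length: int, key_len: int = 16, seed: int = 1) -> list:
    """Constructed experiment: keystream prefixes under num_keys independent random keys."""
    rng = random.Random(seed)
    return [
        rc4_keystream(bytes(rng.randrange(N) for _ in range(key_len)), length)
        for _ in range(num_keys)
    ]


def zero_frequency(streams: list, r: int) -> float:
    """Empirical Pr[z_r = 0] over the sampled keystreams (r is 1-indexed).

    An unbiased byte would give about 1/N; the Mantin-Shamir result predicts
    about 2/N at r = 2, and the smaller biases at r = 3..255 discussed in the
    paper need far more samples (on the order of N^3) to stand out.
    """
    return sum(1 for ks in streams if ks[r - 1] == 0) / len(streams)


def encrypt_broadcast(plaintext: bytes, streams: list) -> list:
    """Broadcast setting: the same plaintext XORed with every sampled keystream."""
    return [bytes(p ^ z for p, z in zip(plaintext, ks)) for ks in streams]


def recover_plaintext_byte(ciphertexts: list, r: int) -> int:
    """Broadcast attack at position r: since z_r = 0 is the single most likely
    keystream value, c_r = p_r XOR 0 = p_r is the most frequent ciphertext byte."""
    return Counter(c[r - 1] for c in ciphertexts).most_common(1)[0][0]


if __name__ == "__main__":
    streams = sample_keystreams(20000, 4, seed=7)
    for r in range(1, 5):
        print(f"Pr[z_{r} = 0] ~ {zero_frequency(streams, r):.5f} (uniform would be {1 / N:.5f})")
    plaintext = b"ATTK"  # constructed sample plaintext
    cts = encrypt_broadcast(plaintext, streams)
    print("recovered byte 2:", chr(recover_plaintext_byte(cts, 2)), "expected:", chr(plaintext[1]))
```

With 20000 keys the second byte is recovered reliably because its zero-bias is roughly 2/N; positions 3 and above are also returned by the same functions but, as the abstract states, need Ω(N^3) ciphertexts (about 1.7 × 10^7 for N = 256) before the much weaker bias dominates the noise, so a run of this size will usually guess them wrong. That gap between the two sample sizes is the practical content of the paper's result.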
Keywords: Bias, Broadcast RC4, Cryptanalysis, Distinguishing Attack, Keystream, RC4, Stream Cipher