# State-Recovery Analysis of Spritz

## Abstract

RC4 suffered from a range of plaintext-recovery attacks using statistical biases, which use substantial, albeit close-to-practical, amounts of known keystream in applications such as TLS or WEP/WPA. Spritz was recently proposed at the rump session of CRYPTO 2014 as a slower redesign of RC4 by Rivest and Schuldt, aiming at reducing the statistical biases that lead to these attacks on RC4.

Even more devastating than those plaintext-recovery attacks from large amounts of keystream would be state- or key-recovery attacks from small amounts of known keystream. For RC4, there is unsubstantiated evidence that they may exist, the situation for Spritz is however not clear, as resistance against such attacks was not a design goal.

In this paper, we provide the first cryptanalytic results on Spritz and introduce three different state recovery algorithms. Our first algorithm recovers an internal state, requiring only a short segment of keystream, with an approximated complexity of \( 2^{1400}\), which is much faster than exhaustive search through all possible states, but is still far away from a practical attack. Furthermore, we introduce a second algorithm that uses a pattern in the keystream to reduce the number of guessed values in our state recovery algorithm. Our third algorithm uses a probabilistic approach by considering the permutation table as probability distribution.

All in all, rather than showing a weakness, our analysis supports the conjecture that compared to RC4, Spritz may also provide higher resistance against potentially devastating state-recovery attacks.

## Keywords

Spritz RC4 Stream cipher State recovery Cryptanalysis## Supplementary material

## References

- 1.Rivest, R.L., Schuldt, J.C.N.: Spritz–a spongy RC4-like stream cipher and hash function (2014). http://people.csail.mit.edu/rivest/pubs/RS14.pdf
- 2.Duong, T., Rizzo, J.: Here come the \(\oplus \) Ninjas. BEAST attack (2011)Google Scholar
- 3.Al Fardan, N., Paterson, K.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 526–540 (2013)Google Scholar
- 4.Moeller, B., Duong, T., Kotowicz, K.: This POODLE Bites: Exploiting The SSL 3.0 Fallback (2014). https://www.openssl.org/bodo/ssl-poodle.pdf
- 5.AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the Security of RC4 in TLS and WPA (2013). http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
- 6.Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, p. 1. Springer, Heidelberg (2001) Google Scholar
- 7.Schneier, B.: The NSA Is Breaking Most Encryption on the Internet (2013). https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
- 8.Bartosz, Z.: VMPC One-Way Function and Stream Cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 210–225. Springer, Heidelberg (2004) Google Scholar
- 9.Bartosz, Z.: Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement. Cryptology ePrint Archive, Report 2014/985 (2014)Google Scholar
- 10.Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis methods for (alleged) RC4. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 327–341. Springer, Heidelberg (1998) Google Scholar
- 11.Maximov, A., Khovratovich, D.: New state recovery attack on RC4. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 297–316. Springer, Heidelberg (2008) Google Scholar
- 12.Golic, J., Morgari, G.: Iterative Probabilistic Reconstruction of RC4 Internal States. Cryptology ePrint Archive, Report 2008/348 (2008). http://eprint.iacr.org/2008/348
- 13.Ankele, R.: (2015). https://github.com/ralphankele/Spritz