Full Plaintext Recovery Attack on Broadcast RC4

@inproceedings{Isobe2013FullPR,
  title={Full Plaintext Recovery Attack on Broadcast RC4},
  author={Takanori Isobe and Toshihiro Ohigashi and Yuhei Watanabe and Masakatu Morii},
  booktitle={FSE},
  year={2013}
}
This paper investigates the practical security of RC4 in the broadcast setting, where the same plaintext is encrypted with different user keys. We introduce several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases. Combining the new biases with the known ones, a cumulative list of strong biases in the first 257 bytes of the RC4 keystream is constructed. We demonstrate a plaintext recovery attack using our strong bias set of…
How to Recover Any Byte of Plaintext on RC4
TLDR
Two advanced plaintext recovery attacks that can recover any byte of a plaintext without relying on initial biases are proposed, i.e., the authors' attacks are feasible even if initial bytes of the keystream are disregarded.
Cryptanalysis of the Full Spritz Stream Cipher
TLDR
A state recovery attack on Spritz is looked at, in a special situation when the cipher enters a class of weak states, and a state recovery algorithm that betters the $$2^{1400}$$ step algorithm of Ankele et al. at Latincrypt 2015 is demonstrated.
Analysing and exploiting the Mantin biases in RC4
TLDR
This work explores the use of the Mantin biases to recover plaintexts from RC4-encrypted traffic, and provides a more fine-grained analysis of these biases than in Mantin’s original work, which shows that the original analysis was incorrect in certain cases.
Improvement on a Full Plaintext Recovery Attack against RC4
TLDR
A new full plaintext recovery attack is proposed by combining Isobe et al.
Some New Weaknesses in the RC4 Stream Cipher
TLDR
This paper gives the theoretical proof of negative bias in the first byte of the RC4 keystream towards 0, and discovers some new weaknesses of the keystream bytes even after the first rounds of the PRGA.
Proving TLS-attack related open biases of RC4
TLDR
The current article proves these new and unproved biases in RC4, and in the process discovers intricate non-randomness within the cipher, and proves the anomaly in the 128th element of the permutation after the key scheduling algorithm.
Non-uniformities in the RC4 Stream Cipher Simon Campbell under the supervision of Prof
TLDR
The size of some nonuniformities of RC4 in TLS that were recently reported are verified and methods and results quantifying the vulnerability to eavesdropping of messages encrypted by RC4 by adding their voice to those urging that RC4 no longer be used.
Modification of RC4 algorithm to increase its security by using mathematical operations
TLDR
A new algorithm is proposed that uses the factorial of the initial state to solve the correlation issue between publicly known outputs of the internal state, making the algorithm robust against attack by using an additional state table, of the same length as the state, to contain the factorials of the initial state elements.
Proving the biases of Salsa and ChaCha in differential attack
TLDR
This paper theoretically explains why a particular key bit of Salsa is probabilistically neutral, the first attempt to provide a theoretical justification of the idea of a differential key recovery attack against these two ciphers.
Fast Software Encryption
  • G. Leander
  • Computer Science, Mathematics
    Lecture Notes in Computer Science
  • 2015
TLDR
Two new attacks on TWINE-128 reduced to 25 rounds are presented that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity.

References

Attack on Broadcast RC4 Revisited
TLDR
This paper proves that there exist biases in the initial bytes of the RC4 keystream towards zero, and identifies a strong bias of j2 towards 4, which provides distinguishers for RC4.
Predicting and Distinguishing Attacks on RC4 Keystream Generator
  • I. Mantin
  • Computer Science, Mathematics
    EUROCRYPT
  • 2005
TLDR
The statistical distribution of the keystream generator used by the stream ciphers RC4 and RC4A is analyzed, leading to the discovery of statistical biases in the digraph distribution of RC4/RC4A generated streams, and of a family of patterns in RC4 keystreams whose probabilities are several times their probabilities in random streams.
Discovery and Exploitation of New Biases in RC4
TLDR
A technique to automatically reveal linear correlations in the PRGA of RC4 is presented and 9 new exploitable correlations have been revealed, which lead to a key recovery attack on WEP with only 9800 encrypted packets (less than 20 seconds), instead of 24200 for the best previous attack.
A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
TLDR
A new pseudorandom bit generator, named RC4A, which is based on RC4’s exchange shuffle model is proposed, and it is shown that the new cipher offers increased resistance against most attacks that apply to RC4.
(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher
TLDR
The effect of RC4 keylength on its keystream is investigated, and significant biases involving the length of the secret key are reported, and the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4.
New State Recovery Attack on RC4
TLDR
A state recovery attack which accepts the keystream of a certain length, and recovers the internal state, and it is much smaller than the complexity of the best known previous attack $$2^{779}$$.
Proof of Empirical RC4 Biases and New Key Correlations
TLDR
It is established that certain conditional biases reported earlier are correlated with a third event with much higher probability, which gives rise to the discovery of new keylength-dependent biases of RC4, some as high as 50/N, where N is the size of the RC4 permutation.
Key Collisions of the RC4 Stream Cipher
This paper studies "colliding keys" of RC4 that create the same initial state and hence generate the same pseudo-random byte stream. It is easy to see that RC4 has colliding keys when its key size is
Permutation After RC4 Key Scheduling Reveals the Secret Key
  • G. Paul, S. Maitra
  • Computer Science, Mathematics
    Selected Areas in Cryptography
  • 2007
TLDR
A theoretical analysis of the RC4 Key Scheduling Algorithm is presented, where the nonlinear operation is swapping among the permutation bytes, and an algorithm is devised to recover the l bytes from the final permutation after the KSA with constant probability of success.
A Practical Attack on Broadcast RC4
TLDR
A major statistical weakness in RC4 makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes, which can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications.