How to Recover Any Byte of Plaintext on RC4

@inproceedings{Ohigashi2013HowTR,
  title={How to Recover Any Byte of Plaintext on RC4},
  author={Toshihiro Ohigashi and Takanori Isobe and Yuhei Watanabe and Masakatu Morii},
  booktitle={Selected Areas in Cryptography},
  year={2013}
}
In FSE 2013, Isobe et al. proposed efficient plaintext recovery attacks on RC4 in the broadcast setting, where the same plaintext is encrypted with different user keys. Their attack is able to recover the first 1000 terabytes of a plaintext with probability of almost one, given $$2^{34}$$ ciphertexts encrypted by different keys. Since their attack essentially exploits biases in the initial 1st to 257th bytes of the keystream, it does not work any more if such initial bytes are disregarded. This…
Cryptanalysis of the Full Spritz Stream Cipher
TLDR
A state recovery attack on Spritz is looked at, in a special situation when the cipher enters a class of weak states, and a state recovery algorithm that betters the $$2^{1400}$$ step algorithm of Ankele et al. at Latincrypt 2015 is demonstrated.
Analysing and exploiting the Mantin biases in RC4
TLDR
This work explores the use of the Mantin biases to recover plaintexts from RC4-encrypted traffic, and provides a more fine-grained analysis of these biases than in Mantin’s original work, which shows that the original analysis was incorrect in certain cases.
Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS
TLDR
This work validates the truism that attacks only get better with time: it obtains good success rates in recovering user passwords with $$2^{26}$$ encryptions, whereas the previous generation of attacks required around $$2^{34}$$ encryptions to recover an HTTP session cookie.
Tornado Attack on RC4 with Applications to WEP & WPA
TLDR
This paper reports extremely fast and optimized active and passive attacks against IEEE 802.11 wireless communication protocol WEP and a key recovery and a distinguishing attack against WPA, and describes several attacks on WPA.
Statistical attacks on cookie masking for RC4
TLDR
A detailed analysis of TLS Scramble and MCookies when used in conjunction with RC4 in SSL/TLS shows that both are vulnerable to variants of the known attacks against RC4 in SSL/TLS exploiting the Mantin biases.
Non-uniformities in the RC4 Stream Cipher Simon Campbell under the supervision of Prof
TLDR
The sizes of some non-uniformities of RC4 in TLS that were recently reported are verified, and methods and results quantifying the vulnerability to eavesdropping of messages encrypted by RC4 are given, adding their voice to those urging that RC4 no longer be used.
Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA
TLDR
A disciplined study of RC4 biases resulting specifically in such a scenario, and proves the interesting sawtooth distribution of the first byte in WPA and the similar nature for the biases in the initial keystream bytes towards zero.
Big Bias Hunting in Amazonia: Large-Scale Computation and Exploitation of RC4 Biases (Invited Paper)
TLDR
This work performs large-scale computations to obtain accurate estimates of the single-byte and double-byte distributions in the early portions of RC4 keystreams for the WPA/TKIP context and uses these distributions in a novel variant of the previous plaintext recovery attacks.
Results on significant anomalies of state values after key scheduling algorithm in RC4
TLDR
In this study, the authors provide the theoretical proofs of all significant anomalies of RC4 in the 16-byte key setting and the theoretical justification of the zig-zag type distribution of the 31st output byte of RC4.
Further non-randomness in RC4, RC4A and VMPC
  • Santanu Sarkar
  • Computer Science, Mathematics
    Cryptography and Communications
  • 2014
TLDR
This paper identifies new bias for RC4 and its variants RC4A and VMPC, which are designed in a similar paradigm and provide new distinguishers for the pseudo-random keystream generated from these algorithms.

References

Full Plaintext Recovery Attack on Broadcast RC4
TLDR
Several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases, are introduced; they enable a plaintext recovery attack using a strong bias set of initial bytes.
Predicting and Distinguishing Attacks on RC4 Keystream Generator
  • I. Mantin
  • Computer Science, Mathematics
    EUROCRYPT
  • 2005
TLDR
The statistical distribution of the keystream generator used by the stream ciphers RC4 and RC4A is analyzed, leading to the discovery of statistical biases in the digraph distribution of RC4/RC4A generated streams, and of a family of patterns in RC4 keystreams whose probabilities are several times their probabilities in random streams.
Attack on Broadcast RC4 Revisited
TLDR
This paper proves that there exist biases in the initial bytes of the RC4 keystream towards zero, and identifies a strong bias of $$j_2$$ towards 4, which provides distinguishers for RC4.
(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher
TLDR
The effect of RC4 keylength on its keystream is investigated, and significant biases involving the length of the secret key are reported, and the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4.
(Not So) Random Shuffles of RC4
TLDR
An idealized model of RC4 is proposed and a conservative estimate for the number of bytes that should be discarded in order to be safe is found, which recommends dumping at least 512 bytes.
A Practical Attack on Broadcast RC4
TLDR
A major statistical weakness in RC4 makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes, which can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications.
On the Security of RC4 in TLS
TLDR
Ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption are presented, building on recent advances in the statistical analysis of RC4, and on new findings announced in this paper.
On the Security of RC4 in TLS and WPA
TLDR
These attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper, and are supported by an experimental evaluation of the feasibility of the attacks.
Proof of Empirical RC4 Biases and New Key Correlations
TLDR
It is established that certain conditional biases reported earlier are correlated with a third event with much higher probability, which gives rise to the discovery of new keylength-dependent biases of RC4, some as high as 50/N, where N is the size of the RC4 permutation.
Statistical Analysis of the Alleged RC4 Keystream Generator
TLDR
A method for distinguishing 8-bit RC4 from randomness is demonstrated and it is observed that an attacker can, on occasion, determine portions of the internal state with nontrivial probability.