New State Recovery Attack on RC4

@inproceedings{Maximov2008NewSR,
  title={New State Recovery Attack on RC4},
  author={Alexander Maximov and Dmitry Khovratovich},
  booktitle={CRYPTO},
  year={2008}
}
The stream cipher RC4 was designed by R. Rivest in 1987, and it is a widely deployed cipher. In this paper we analyse the class RC4-N of RC4-like stream ciphers, where N is the modulus of operations, as well as the length of internal arrays. Our new attack is a state recovery attack which accepts the keystream of a certain length, and recovers the internal state. For the reduced RC4-100, our attack has total complexity of around 2^93 operations, whereas the best previous attack (from Knudsen et al…
Expanding Weak-key Space of RC4
TLDR
This attack is the best-known single-key key recovery attack on RC4 with respect to efficiency and is applicable to any keystream, while Teramura et al.
Some Combinatorial Results towards State Recovery Attack on RC4
TLDR
This paper performs a combinatorial analysis of the complexity of RC4 state recovery under the assumption that the values of j are known for several rounds, reveals a nice combinatorial structure of the RC4 evolution, and establishes certain interesting results related to the complexity of state recovery.
Security Analysis of the RC4+ Stream Cipher
TLDR
It is shown that RC4+ is vulnerable to a differential fault attack and that it is possible to recover the entire internal state of the cipher at the beginning of the PRGA by injecting around 2^17.2 faults.
Cryptanalysis of RC4(n, m) stream cipher
TLDR
A distinguisher for the cipher and a secret key recovery attack are shown; for an L-bit secret key, the attack recovers it in about (L/n) · 2^n steps and can reconstruct the secret key of RC4(8, 32) in less than a second.
Some security results of the RC4+ stream cipher
TLDR
Surprisingly, it is found that if the value of the pad is made equal to 0x03, the design provides maximum resistance to distinguishing attacks, and the differential fault attack on RC4+ is improved, both in terms of number of faults required and the computational complexity.
Distinguishing Attacks on RC4 and A New Improvement of the Cipher
TLDR
In this paper, two new classes of statistical biases inherent in RC4 are depicted and it is shown that the RC4 keystream is distinguishable from random no matter how many initial bytes have been dumped.
Quad-RC4: Merging Four RC4 States towards a 32-bit Stream Cipher
TLDR
This paper keeps the basic RC4 structure and combines 4 RC4 states tacitly to design a high throughput stream cipher called Quad-RC4 that produces 32-bit output at every round and is comparable with HC-128, the fastest software stream cipher amongst the eSTREAM finalists.
A Survey on RC4 Stream Cipher
TLDR
A chronological survey of the RC4 stream cipher demonstrating its weaknesses, followed by the various RC4 enhancements from the literature, corroborates the fact that even though researchers are working on the RC4 stream cipher, it still offers a plethora of research issues related to statistical weaknesses in either state or keystream.
On the structural weakness of the GGHN stream cipher
TLDR
It is shown that if an attacker can obtain 2064 specific bits of this internal state of GGHN, then the attacker can deduce the remaining state bits with limited computation, effectively reducing the secret internal state size by approximately a factor of 4.
Cache Timing Analysis of RC4
TLDR
A new state recovery analysis of RC4 using a belief propagation algorithm; it works well, its soundness is proved for known or unknown plaintext, and a practical attack only requires that the attacker query the RC4 encryption process byte by byte.

References

Cryptanalysis of RC4-like Ciphers
TLDR
This analysis shows that, although the full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated.
A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
TLDR
A new pseudorandom bit generator, named RC4A, which is based on RC4’s exchange shuffle model is proposed, and it is shown that the new cipher offers increased resistance against most attacks that apply to RC4.
Predicting and Distinguishing Attacks on RC4 Keystream Generator
  • I. Mantin
  • Computer Science, Mathematics
    EUROCRYPT
  • 2005
TLDR
The statistical distribution of the keystream generator used by the stream ciphers RC4 and RC4A is analyzed, leading to the discovery of statistical biases in the digraph distribution of RC4/RC4A generated streams, and of a family of patterns in RC4 keystreams whose probabilities are several times their probabilities in random streams.
Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers
TLDR
This paper proposes two linear distinguishing attacks, one on VMPC of complexity 2^54, and one on RC4A of complexity 2^58, and investigates the RC4 family of stream ciphers and shows some theoretical weaknesses of such constructions.
Analysis Methods for (Alleged) RC4
TLDR
The analysis methods reveal intrinsic properties of alleged RC4 which are independent of the key scheduling and the key size, and the complexity of one of the attacks is estimated to be less than the time of searching through the square root of all possible initial states.
A Practical Attack on Broadcast RC4
TLDR
A major statistical weakness in RC4 makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes, which can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications.
Efficient Reconstruction of RC4 Keys from Internal States
TLDR
An efficient algorithm for the retrieval of the RC4 secret key, given an internal state is presented, which is several orders of magnitude faster than previously published algorithms.
Statistical Analysis of the Alleged RC4 Keystream Generator
TLDR
A method for distinguishing 8-bit RC4 from randomness is demonstrated and it is observed that an attacker can, on occasion, determine portions of the internal state with nontrivial probability.
Linear Statistical Weakness of Alleged RC4 Keystream Generator
  • J. Golic
  • Computer Science, Mathematics
    EUROCRYPT
  • 1997
A keystream generator known as RC4 is analyzed by the linear model approach. It is shown that the second binary derivative of the least significant bit output sequence is correlated to 1 with the