Proof of Empirical RC4 Biases and New Key Correlations

@inproceedings{Sengupta2011ProofOE,
  title={Proof of Empirical RC4 Biases and New Key Correlations},
  author={Sourav Sengupta and Subhamoy Maitra and Goutam Paul and Santanu Sarkar},
  booktitle={Selected Areas in Cryptography},
  year={2011}
}
In SAC 2010, Sepehrdad, Vaudenay and Vuagnoux have reported some empirical biases between the secret key, the internal state variables and the keystream bytes of RC4, by searching over a space of all linear correlations between the quantities involved. In this paper, for the first time, we give theoretical proofs for all such significant empirical biases. Our analysis not only builds a framework to justify the origin of these biases, it also brings out several new conditional biases of high… 
Proving empirical key-correlations in RC4
Proving TLS-attack related open biases of RC4
TLDR
The current article proves these new and unproved biases in RC4, and in the process discovers intricate non-randomness within the cipher, and proves the anomaly in the 128th element of the permutation after the key scheduling algorithm.
New Long-Term Glimpse of RC4 Stream Cipher
TLDR
For the first time in RC4 literature, it is shown that there are certain events that leak state information with a probability of 3/N, considerably higher than the existing results.
Full Plaintext Recovery Attack on Broadcast RC4
TLDR
Several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases are introduced, which enable a plaintext recovery attack using a strong bias set of initial bytes.
(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher
TLDR
The effect of RC4 keylength on its keystream is investigated, and significant biases involving the length of the secret key are reported, and the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4.
Some results on RC4 in WPA
TLDR
The interesting zig-zag distribution of the first byte and the similar nature for the biases in the initial keystream bytes to zero are proved, which potentially strengthens the practical plaintext recovery attack on the protocol.
NEW ATTACKS ON RC4A AND VMPC
TLDR
Modifications are proposed for RC4, RC4A and VMPC according to the strong and weak aspects and show that small changes in the design of these ciphers can increase or decrease their resistance against statistical bias attacks significantly.
Further non-randomness in RC4, RC4A and VMPC
  • Santanu Sarkar
  • Computer Science, Mathematics
    Cryptography and Communications
  • 2014
TLDR
This paper identifies new bias for RC4 and its variants RC4A and VMPC, which are designed in a similar paradigm and provide new distinguishers for the pseudo-random keystream generated from these algorithms.
A Survey on RC4 Stream Cipher
TLDR
A chronological survey of the RC4 stream cipher demonstrating its weaknesses, followed by the various RC4 enhancements from the literature, corroborates the fact that even though researchers have long been working on RC4, it still offers a plethora of research issues related to statistical weaknesses in either the state or the keystream.
How to Recover Any Byte of Plaintext on RC4
TLDR
Two advanced plaintext recovery attacks that can recover any byte of a plaintext without relying on initial biases are proposed, i.e., the authors' attacks are feasible even if initial bytes of the keystream are disregarded.
References
Discovery and Exploitation of New Biases in RC4
TLDR
A technique to automatically reveal linear correlations in the PRGA of RC4 is presented and 9 new exploitable correlations have been revealed, which lead to a key recovery attack on WEP with only 9800 encrypted packets (less than 20 seconds), instead of 24200 for the best previous attack.
On biases of permutation and keystream bytes of RC4 towards the secret key
  • G. Paul, S. Maitra
  • Computer Science, Mathematics
    Cryptography and Communications
  • 2008
TLDR
A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented, where the nonlinear operation is swapping among the permutation bytes, and it is shown that the secret key of RC4 can be recovered from the state information in a time much less than the exhaustive search with good probability.
Attack on Broadcast RC4 Revisited
TLDR
This paper proves that there exist biases in the initial bytes of the RC4 keystream towards zero, and identifies a strong bias of $j_2$ towards 4, which provides distinguishers for RC4.
On non-negligible bias of the first output byte of RC4 towards the first three bytes of the secret key
In this paper, we show that the first byte of the keystream output of RC4 has non-negligible bias towards the sum of the first three bytes of the secret key. This result is based on our observation
Weaknesses in the Key Scheduling Algorithm of RC4
TLDR
It is shown that RC4 is completely insecure in a common mode of operation which is used in the widely deployed Wired Equivalent Privacy protocol (WEP, which is part of the 802.11 standard), in which a fixed secret key is concatenated with known IV modifiers in order to encrypt different messages.
Statistical Attack on RC4 - Distinguishing WPA
In this paper we construct several tools for manipulating pools of biases in the analysis of RC4. Then, we show that optimized strategies can break WEP based on 4 000 packets by assuming that the
A Class of Weak Keys in the RC4 Stream Cipher (Preliminary Draft)
TLDR
The success of the Cypherpunks’ bruteforce attack on SSL with a 40-bit key indicates that the source code published did accurately implement RC4.
New State Recovery Attack on RC4
TLDR
A state recovery attack is presented which accepts a keystream of a certain length and recovers the internal state; its complexity is much smaller than that of the best known previous attack, $2^{779}$.
Attacks on the RC4 stream cipher
  • Andreas Klein
  • Computer Science, Mathematics
    Des. Codes Cryptogr.
  • 2008
TLDR
The attack described by Fluhrer, Mantin and Shamir is modified in such a way that it will work even if the weak keys described in that paper are avoided, and a further attack will work if the first 256 bytes of the output remain unused.
Passive-Only Key Recovery Attacks on RC4
TLDR
A passive-only attack able to significantly improve the key recovery process on WEP with a data complexity of $2^{15}$ eavesdropped packets is described.