Some New Weaknesses in the RC4 Stream Cipher [chapter]

Jing Lv, Bin Zhang, Dongdai Lin
2014 Lecture Notes in Computer Science  
In FSE 2011, Maitra and Paul observed that there exists a negative bias in the first byte of the RC4 keystream towards 0. In this paper, we give our theoretical proof of this bias. This bias immediately provides a distinguisher for RC4 and a ciphertext-only attack on broadcast RC4. Additionally, we discover some new weaknesses of the keystream bytes even after the first N rounds of the PRGA, where N is the size of the RC4 permutation, generally N = 256. The weaknesses in turn provide us with certain ... state information from the keystream bytes no matter how many initial bytes are thrown away.
Keywords: RC4 · Broadcast RC4 · Ciphertext only attack · Distinguishing attack · State recovery attack.
doi:10.1007/978-3-319-05149-9_2 fatcat:zr7ctdt6irclxhiuxzrablvvtq