Full Plaintext Recovery Attack on Broadcast RC4 [chapter]

Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, Masakatu Morii
2014 Lecture Notes in Computer Science  
This paper investigates the practical security of RC4 in the broadcast setting, where the same plaintext is encrypted with different user keys. We introduce several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases. Combining the new biases with the known ones, a cumulative list of strong biases in the first 257 bytes of the RC4 keystream is constructed. We demonstrate a plaintext recovery attack using our strong bias set of initial bytes by means of a computer experiment. Almost all of the first 257 bytes of the plaintext can be recovered, with probability more than 0.8, using only 2^32 ciphertexts encrypted by randomly-chosen keys. We also propose an efficient method to extract later bytes of the plaintext, after the 258th byte. The proposed method exploits our bias set of the first 257 bytes in conjunction with the digraph repetition bias proposed by Mantin at EUROCRYPT 2005, and sequentially recovers the later bytes of the plaintext after recovering the first 257 bytes. Once the possible candidates for the first 257 bytes are obtained by our bias set, the later bytes can be recovered from about 2^34 ciphertexts with probability close to 1.

Key words: RC4, broadcast setting, plaintext recovery attack, bias, experimentally-verified attack, SSL/TLS, multi-session setting

RC4, designed by Rivest in 1987, is one of the most widely used stream ciphers in the world. It is adopted in many software applications and standard protocols such as SSL/TLS, WEP, Microsoft Lotus and Oracle Secure SQL. RC4 consists of a key scheduling algorithm (KSA) and a pseudo-random generation algorithm (PRGA). The KSA converts a user-provided variable-length key (typically 5-32 bytes) into an initial state S consisting of a permutation of {0, 1, 2, . . . , N − 1}, where N is typically 256. The PRGA generates a keystream Z_1, Z_2, . . ., Z_r, . . . from S, where r is the round number of the PRGA. Z_r is XOR-ed with the r-th plaintext byte P_r to obtain the ciphertext byte C_r. The algorithm of RC4 is shown in Algorithm 1, where + denotes arithmetic addition modulo N, ℓ is the key length, and i and j are used to point to locations of S. Then, S[x] denotes the value of S indexed by x.

[Algorithm 1: RC4 Algorithm. KSA(K[0 . . . ℓ−1]): ... S[i] and S[j] ... Output Z ← S[S[i] + S[j]] ... end loop]
After the disclosure of its algorithm in 1994, RC4 has attracted intensive cryptanalytic efforts over the past 20 years. Distinguishing attacks, which attempt to distinguish an RC4 keystream from a random stream, were proposed in [4, 3, 10, 11, 14, 16, 8]. A state recovery attack, which recovers the full state instead of the user-provided key, was shown by Knudsen et al. [7], and it was improved by Maximov and Khovratovich [13]. Other types of attacks have also been proposed, e.g., key collision attacks [12], keystream predictive attacks [10] and key recovery attacks from a state [15, 1]. At FSE 2001, Mantin and Shamir presented an attack on RC4 in the broadcast setting, where the same plaintext is encrypted with different user keys [11]. The Mantin-Shamir attack can extract the second byte of the plaintext from only Ω(N) ciphertexts encrypted with randomly-chosen different keys by exploiting a bias of Z_2. Specifically, the event Z_2 = 0 occurs with twice the probability expected of a random stream. At FSE 2011, Maitra, Paul and Sen Gupta showed that Z_3, Z_4, . . . , Z_255 are also biased to 0 [8]. Thus bytes 3 to 255 can also be recovered in the broadcast setting, from Ω(N^3) ciphertexts. Although these broadcast attacks have been estimated theoretically, we find that three questions remain open regarding the practical security of broadcast RC4.
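RC4 as defined by Algorithm 1 (KSA and PRGA), together with a simulation of the broadcast setting that measures the Mantin-Shamir bias Pr[Z_2 = 0] ≈ 2/N, as an added Python example that is not code from the paper; the 16-byte key length, the RNG seed and the sample plaintext are constructed for the simulation.

```python
"""RC4 per Algorithm 1 (KSA + PRGA), plus a simulated broadcast setting
that measures the Mantin-Shamir bias Pr[Z_2 = 0] ~ 2/N."""
import random
from collections import Counter

N = 256  # state size; "+" below is addition modulo N


def ksa(key: bytes) -> list:
    """Key scheduling: turn the key into an initial permutation S of {0..N-1}."""
    s = list(range(N))
    j = 0
    for i in range(N):
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: list, n: int) -> list:
    """Pseudo-random generation: emit keystream bytes Z_1 .. Z_n from S."""
    i = j = 0
    z = []
    for _ in range(n):
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        z.append(s[(s[i] + s[j]) % N])
    return z


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: C_r = P_r XOR Z_r."""
    return bytes(p ^ z for p, z in zip(data, prga(ksa(key), len(data))))


def broadcast_z2(plaintext: bytes, num_keys: int, seed: int = 1):
    """Encrypt one plaintext under num_keys random 16-byte keys (constructed
    sample, not real traffic). Returns (rate, guess): the empirical
    Pr[Z_2 = 0] and the most frequent second ciphertext byte, which the
    Z_2 = 0 bias makes equal to P_2 once enough ciphertexts are seen."""
    rng = random.Random(seed)
    zeros, c2 = 0, Counter()
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        z2 = prga(ksa(key), 2)[1]
        zeros += z2 == 0
        c2[plaintext[1] ^ z2] += 1
    return zeros / num_keys, c2.most_common(1)[0][0]


if __name__ == "__main__":
    rate, guess = broadcast_z2(b"Plaintext", 1 << 14)
    print(f"Pr[Z_2 = 0] ~ {rate:.4f} (random: {1 / N:.4f}); P_2 guess = {guess:#04x}")
```

With 2^14 keys the measured rate sits near 2/N rather than 1/N, and the most frequent C_2 already equals P_2, which is exactly why the same plaintext must never be sent under many RC4 keys.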
doi:10.1007/978-3-662-43933-3_10 fatcat:eemv7yxxerdzfmivpo4fkz6fiy