2002
DOI: 10.1007/3-540-45473-x_13
A Practical Attack on Broadcast RC4

Abstract: RC4 is the most widely deployed stream cipher in software applications. In this paper we describe a major statistical weakness in RC4, which makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes. This weakness can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications, in which the same plaintext is sent to multiple recipients under different keys.

Cited by 188 publications (203 citation statements)
References 4 publications

Citation statements:
“…Mantin and Shamir [13] also show that the second word of the output is slightly more probable to be 0 than any other value. Using this bias they are able to build a prefix distinguisher for RC4, based on only about N short streams.…”
Section: Previous Attacks (mentioning, confidence: 94%)
“…The multi-key setting can be seen as a generalization of the multi-user setting of Chatterjee et al. [19], where encryption queries of only one plaintext P are allowed under keys K_i. This multi-user setting is then again a further generalization of the broadcast setting of Mantin and Shamir [45], where the plaintext P is unknown to the attacker.…”
Section: Three Attack Settings (mentioning, confidence: 99%)
“…The main directions of cryptanalysis in this area are 1. finding correlations between the keystream output bytes and the secret key [31,39,24,15] and key recovery in the IV mode [6,17,11,34,38] (these exploit the weaknesses of both the KSA and the PRGA), 2. recovering the RC4 permutation from the keystream output bytes [12,35,21] and 3. identifying distinguishers [16,29,18].…”
Section: PRGA+: Modifications to RC4 PRGA (mentioning, confidence: 99%)
“…In [16], it was proved that P(z_2 = 0) = 2/N instead of the uniformly random case of 1/N. This originates from the fact that when S_N[2] = 0 and S_N[1] ≠ 2 after the KSA, the second keystream output byte z_2 takes the value 0.…”
Section: Resisting Distinguishing Attacks (mentioning, confidence: 99%)
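The abstract above describes the second-byte bias, and the last citation statement gives its mechanism (S_N[2] = 0 with S_N[1] ≠ 2 after the KSA forces z_2 = 0). The following is an added example, not code from the paper or from any cited work: a pure-Python RC4 (KSA and PRGA as standardly defined), a survey over randomly generated keys that measures how often the second keystream byte is 0 and checks that every key meeting the KSA condition does produce z_2 = 0, and the resulting prefix distinguisher. The key length, the number of keys, the RNG seed and the 1.5/N decision threshold are choices made for this example.

```python
"""Measure the Mantin-Shamir second-byte bias of RC4 and use it as a distinguisher.

Added example (not the paper's code). RC4 is implemented in full so the
survey runs offline on constructed, seeded random keys.
"""
import random

N = 256  # size of the RC4 state permutation


def ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: return the permutation S after N swaps."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list[int], n_bytes: int) -> list[int]:
    """RC4 pseudo-random generation: first n_bytes of keystream (S is updated in place)."""
    i = j = 0
    out = []
    for _ in range(n_bytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out


def classify(second_bytes: list[int], threshold: float = 1.5 / N) -> str:
    """Prefix distinguisher: label a set of second bytes as RC4 output or random.

    Under a uniform source P(z_2 = 0) = 1/N; under RC4 it is about 2/N, so a
    zero-rate above 1.5/N (midpoint, chosen for this example) is called RC4.
    """
    zero_rate = second_bytes.count(0) / len(second_bytes)
    return "rc4" if zero_rate > threshold else "random"


def second_byte_survey(n_keys: int, key_len: int = 16, seed: int = 1) -> dict:
    """Run RC4 under n_keys seeded random keys and collect second-byte statistics.

    Returns the number of keys with z_2 == 0, how many keys satisfied the KSA
    condition S[2] == 0 and S[1] != 2, whether all of those gave z_2 == 0, and
    the distinguisher's verdict on the whole sample.
    """
    rng = random.Random(seed)  # seeded so the survey is reproducible
    second_bytes = []
    cond_count = 0
    cond_all_zero = True
    for _ in range(n_keys):
        key = bytes(rng.randrange(N) for _ in range(key_len))  # constructed key
        S = ksa(key)
        condition = S[2] == 0 and S[1] != 2  # the state pattern behind the bias
        _z1, z2 = prga(S, 2)
        second_bytes.append(z2)
        if condition:
            cond_count += 1
            if z2 != 0:
                cond_all_zero = False
    return {
        "n": n_keys,
        "zero_count": second_bytes.count(0),
        "uniform_expectation": n_keys / N,
        "cond_count": cond_count,
        "cond_all_zero": cond_all_zero,
        "verdict": classify(second_bytes),
    }


if __name__ == "__main__":
    r = second_byte_survey(20000)
    print(f"keys: {r['n']}, z_2 == 0: {r['zero_count']} "
          f"(uniform would give about {r['uniform_expectation']:.0f})")
    print(f"keys with S[2]==0 and S[1]!=2: {r['cond_count']}, "
          f"all of them gave z_2 == 0: {r['cond_all_zero']}")
    print("distinguisher verdict:", r["verdict"])
```

Over 20,000 keys the count of z_2 = 0 lands near 156 rather than the 78 a uniform source would give, which is the 2/N bias the statement quotes, and every key whose KSA output has S[2] = 0 and S[1] ≠ 2 yields z_2 = 0 exactly as the statement explains. In the broadcast setting of the abstract the same statistic applies to the second ciphertext byte across recipients, since C_2 = P_2 ⊕ z_2 with P_2 fixed; the practical check for a deployment is therefore whether the first keystream bytes are ever emitted at all.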