Full Plaintext Recovery Attack on Broadcast RC4

Takanori Isobe¹, Toshihiro Ohigashi², Yuhei Watanabe¹, and Masakatu Morii¹

¹ Kobe University, 1-1 Rokkoudai, Nada-ku, Kobe 657-8501, Japan
² Hiroshima University, 1-4-2 Kagamiyama, Higashi-Hiroshima, Hiroshima 739-8511, Japan

Abstract. This paper investigates the practical security of RC4 in the broadcast setting where the same plaintext is encrypted with different user keys. We introduce several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases. Combining the new biases with the known ones, a cumulative list of strong biases in the first 257 bytes of the RC4 keystream is constructed. We demonstrate a plaintext recovery attack using our strong bias set of initial bytes by means of a computer experiment. Almost all of the first 257 bytes of the plaintext can be recovered, with probability more than 0.8, using only 2^32 ciphertexts encrypted by randomly-chosen keys. We also propose an efficient method to extract later bytes of the plaintext, after the 258th byte. The proposed method exploits our bias set of the first 257 bytes in conjunction with the digraph repetition bias proposed by Mantin in EUROCRYPT 2005, and sequentially recovers the later bytes of the plaintext after recovering the first 257 bytes. Once the possible candidates for the first 257 bytes are obtained by our bias set, the later bytes can be recovered from about 2^34 ciphertexts with probability close to 1.
Key words: RC4, broadcast setting, plaintext recovery attack, bias, experimentally-verified attack, SSL/TLS, multi-session setting

1 Introduction

RC4, designed by Rivest in 1987, is one of the most widely used stream ciphers in the world. It is adopted in many software applications and standard protocols such as SSL/TLS, WEP, Microsoft Lotus and Oracle secure SQL. RC4 consists of a key scheduling algorithm (KSA) and a pseudo-random generation algorithm (PRGA). The KSA converts a user-provided variable-length key (typically, 5 to 32 bytes) into an initial state S consisting of a permutation of {0, 1, 2, . . . , N − 1}, where N is typically 256. The PRGA generates a keystream Z_1, Z_2, . . ., Z_r, . . . from S, where r is the round number of the PRGA. Z_r is XOR-ed with the r-th plaintext byte P_r to obtain the ciphertext byte C_r. The algorithm of RC4 is shown in Algorithm 1, where + denotes arithmetic addition modulo N, ℓ is the key length, and i and j are used to point to locations of S. S[x] denotes the value of S indexed by x.

Algorithm 1 RC4 Algorithm

KSA(K[0 . . . ℓ − 1]):
  for i = 0 to N − 1 do
    S[i] ← i
  end for
  j ← 0
  for i = 0 to N − 1 do
    j ← j + S[i] + K[i mod ℓ]
    Swap S[i] and S[j]
  end for

PRGA(K):
  i ← 0
  j ← 0
  S ← KSA(K)
  loop
    i ← i + 1
    j ← j + S[i]
    Swap S[i] and S[j]
    Output Z ← S[S[i] + S[j]]
  end loop
After the disclosure of its algorithm in 1994, RC4 has attracted intensive cryptanalytic efforts over the past 20 years. Distinguishing attacks, which attempt to distinguish an RC4 keystream from a random stream, were proposed in [4, 3, 10, 11, 14, 16, 8]. A state recovery attack, which recovers a full state instead of the user-provided key, was shown by Knudsen et al. [7], and it was improved by Maximov and Khovratovich [13]. Other types of attacks have also been proposed, e.g., key collision attack [12], keystream predictive attack [10] and key recovery attacks from a state [15, 1].
In FSE 2001, Mantin and Shamir presented an attack on RC4 in the broadcast setting where the same plaintext is encrypted with different user keys [11]. The Mantin-Shamir attack can extract the second byte of the plaintext from only Ω(N) ciphertexts encrypted with randomly-chosen different keys by exploiting a bias of Z_2. Specifically, the event Z_2 = 0 occurs with twice the expected probability of a random one. In FSE 2011, Maitra, Paul and Sen Gupta showed that Z_3, Z_4, . . . , Z_255 are also biased to 0 [8]. Then the bytes 3 to 255 can also be recovered in the broadcast setting, from Ω(N^3) ciphertexts.
Although the broadcast attacks were theoretically estimated, we find that three questions are still open in terms of the practical security of broadcast RC4.
1. Are the biases exploited in the previous attacks the strongest biases for the initial bytes 1 to 255?
2. While the previous results [11, 8] estimate only lower bounds (Ω), how many ciphertexts encrypted with different keys are actually required for a practical attack on broadcast RC4?
3. Is it possible to efficiently recover the later bytes of the plaintext, after byte 256?

1.1 Our Contribution

In this paper, we provide answers to all the aforesaid questions. To begin with, we introduce a new bias regarding Z_1, which is a conditional bias such that Z_1 is biased to 0 when Z_2 is 0. Using this bias in conjunction with the bias of Z_2 = 0 [11], the first byte of a plaintext is extracted from Ω(N^2) ciphertexts encrypted with different keys. Although the strong bias of the first byte, which is a negative bias towards zero, has already been pointed out in [14, 6], it requires Ω(N^3) ciphertexts to extract the first byte of the plaintext. Thus, the new conditional bias observed by us is very useful, because the number of required ciphertexts to recover the first byte is reduced by a factor of N/2 compared to the straightforward method. Besides, we introduce new strong biases, i.e., Z_3 = 131, Z_r = r for 3 ≤ r ≤ 255, and extended keylength-dependent biases such that Z_{xℓ} = −xℓ for x = 2, 3, . . . , 7 and ℓ = 16, which are extensions of the keylength-dependent biases in which only the parameter x = 1 is considered [5]. These new biases are substantially stronger than the known biases of Z_r = 0 in the case of certain bytes within Z_3, Z_4, . . . , Z_255. After providing theoretical considerations for these biases, we experimentally confirm their validity. Combining the new biases with known biases, we construct a cumulative list of the strongest known biases in Z_1, Z_2, . . . , Z_255. At the same time, we experimentally show two new biases of Z_256 and Z_257, and add these to our bias set. Note that the biases of Z_2, Z_3, . . . , Z_257 included in our bias set are the strongest biases amongst all single positive and negative biases of each byte when a 16-byte (128-bit) key is used.
We demonstrate a plaintext recovery attack using our bias set by a computer experiment, and estimate the number of required ciphertexts and the success probability when N = 256. Almost all of the first 257 bytes, P_1, P_2, . . . , P_257, can be extracted with probability more than 0.8 from 2^32 ciphertexts encrypted by randomly-chosen keys. Given 2^34 ciphertexts, all bytes of P_1, P_2, . . . , P_257 can be narrowed down to two candidates each with probability one. This is the first practical security evaluation of broadcast RC4 using all known biases of the cipher, and some new ones that we observe.
Finally, an efficient method to extract later bytes of the plaintext, namely bytes after P_258, is given. It exploits our bias set of Z_1, Z_2, . . . , Z_257 in conjunction with the digraph repetition bias proposed by Mantin [10], and then sequentially recovers bytes of the plaintext. Once the possible candidates for P_1, P_2, . . . , P_257 are obtained by our bias set, P_r (r ≥ 258) are recovered from about 2^34 ciphertexts with probability one. Since the digraph repetition bias is a long-term bias, which occurs in any keystream byte, our sequential method is expected to recover any plaintext byte from only ciphertexts produced by different randomly-chosen keys. We show that the first 2^50 bytes (≈ 1000 T bytes) of the plaintext can be recovered from 2^34 ciphertexts with probability 0.97170.
Also, the broadcast setting is converted into the multi-session setting of SSL/TLS where the target plaintext block is repeatedly sent in the same position in the plaintexts in multiple sessions.
2 Known Attacks on Broadcast RC4

This section briefly reviews known attacks on RC4 in the broadcast setting where the same plaintext is enc
rypted with different randomly-chosen keys.

2.1 Mantin-Shamir (MS) Attack

Mantin and Shamir first presented a broadcast RC4 attack exploiting a bias of Z_2 [11].
Theorem 1 [11] Assume that the initial permutation S is randomly chosen from the set of all the possible permutations of {0, 1, 2, . . . , N − 1}. Then the probability that the second output byte of RC4 is 0 is approximately 2/N.
This probability is estimated as 2/256 when N = 256. Based on this bias, the broadcast RC4 attack is demonstrated by Theorems 2 and 3.

Theorem 2 [11] Let X and Y be two distributions, and suppose that the event e happens in X with probability p and in Y with probability p(1 + q). Then for small p and q, O(1/(pq^2)) samples suffice to distinguish X from Y with a constant probability of success.
In this case, p and q are given as p = 1/N and q = 1. The number of samples is about N.
Theorem 3 [11] Let P be a plaintext, and let C^(1), C^(2), . . . , C^(k) be the RC4 encryptions of P under k uniformly distributed keys. Then, if k = Ω(N), the second byte of P can be reliably extracted from C^(1), C^(2), . . . , C^(k).
According to the relation C_2^(i) = P_2 ⊕ Z_2^(i), if Z_2^(i) = 0 holds, then C_2^(i) is the same as P_2. From Theorem 1, Z_2^(i) = 0 occurs with twice the expected probability of a random one. Thus, the most frequent byte amongst C_2^(1), C_2^(2), . . . , C_2^(k) is likely to be P_2 itself. When N = 256, it requires more than 2^8 ciphertexts encrypted with randomly-chosen keys.
2.2 Maitra, Paul and Sen Gupta (MPS) Attack

Maitra, Paul and Sen Gupta showed that Z_3, Z_4, . . . , Z_255 are also biased to 0 [8, 6]. Although the MS attack assumes that the initial permutation S is random, the MPS attack exploits biases of S after the KSA [9]. Let S_r[x] be the value of S indexed by x after r rounds, where S_0 is the initial state of RC4 after the KSA. Biases of the initial state of the PRGA are given as follows.
Proposition 1 [9] After the end of the KSA, for 0 ≤ u ≤ N − 1, 0 ≤ v ≤ N − 1,

Pr(S_0[u] = v) = (1/N) [ ((N−1)/N)^v + (1 − ((N−1)/N)^v) · ((N−1)/N)^{N−u−1} ]   (v ≤ u),
Pr(S_0[u] = v) = (1/N) [ ((N−1)/N)^{N−u−1} + ((N−1)/N)^v ]   (v > u).

The probability of S_{r−1}[r] in the PRGA is given as follows.
Theorem 4 [6] For 3 ≤ r ≤ N − 1, the probability Pr(S_{r−1}[r] = v) is approximately

Pr(S_{r−1}[r] = v) ≈ Pr(S_1[r] = v) · (1 − 1/N)^{r−2}
  + Σ_{t=2}^{r−1} Σ_{w=0}^{r−t−1} (Pr(S_1[t] = v)/N) · ((r−t)/N)^w · (1/w!) · (1 − 1/N)^{r−3−w},

where Pr(S_1[t] = v) is given as

Pr(S_1[t] = v) =
  Pr(S_0[1] = 1) + Σ_{X≠1} Pr(S_0[1] = X ∧ S_0[X] = 1)     (t = 1, v = 1),
  Σ_{X≠1,v} Pr(S_0[1] = X ∧ S_0[X] = v)                   (t = 1, v ≠ 1),
  Pr(S_0[1] = t) + Σ_{X≠t} Pr(S_0[1] = X ∧ S_0[t] = t)     (t ≠ 1, v = t),
  Σ_{X≠t,v} Pr(S_0[1] = X ∧ S_0[t] = v)                   (t ≠ 1, v ≠ t).

Then, the bias of Pr(Z_r = 0) is estimated as follows.

Theorem 5 [6] For 3 ≤ r ≤ N − 1, Pr(Z_r = 0) is approximately

Pr(Z_r = 0) ≈ 1/N + c_r/N^2,

where c_r is given as

c_r = (N/(N−1)) · (N · Pr(S_{r−1}[r] = r) − 1) − (N−2)/(N−1)   (r = 3),
c_r = (N/(N−1)) · (N · Pr(S_{r−1}[r] = r) − 1)                 (r ≠ 3).

Since the parameters p and q are given as p = 1/N and q = c_r/N, the number of required ciphertexts with different keys for the extraction of P_3, P_4, . . . , P_255 is roughly estimated as Ω(N^3).

3 New Biases: Theory and Experiment

This section introduces four new biases in the keystream of RC4. To begin with, we prove a conditional bias of Z_1 towards 0 when Z_2 = 0. After that, we present new biases in the events Z_3 = 131, Z_r = r, and extended keylength-dependent biases, which are substantially stronger than the known biases such as Z_r = 0. Then, we construct a cumulative list of strong biases in Z_1, Z_2, . . . , Z_257 to mount an efficient plaintext recovery attack on broadcast RC4.
3.1 Bias of Z_1 = 0 | Z_2 = 0

A new conditional bias such that Z_1 is biased to 0 when Z_2 = 0 is given as Theorem 6.

³ The theorems with respect to Z_r = 0 in [8] and [6] are slightly different. This paper uses the results from the full version [6].

Theorem 6 Pr(Z_1 = 0 | Z_2 = 0) is approximately

Pr(Z_1 = 0 | Z_2 = 0) ≈ (1/2) · ( Pr(S_0[1] = 1) + (1 − Pr(S_0[1] = 1)) · (1/N) ) + (1/2) · (1/N).
Proof. Two cases, S_0[2] = 0 and S_0[2] ≠ 0, are considered. As mentioned in [11], when Z_2 is 0, S_0[2] is also 0 with probability 1/2.
S_0[2] = 0
For i = 1, if S_0[1] is 1, the index j is updated as j = S_0[i] = S_0[1] = 1. Then the first output byte Z_1 is expressed as follows (see Fig. 1),
Z_1 = S_1[S_1[i] + S_1[j]] = S_1[S_1[1] + S_1[1]] = S_1[2] = S_0[2] = 0.
Assuming that Z_1 = 0 holds with probability 1/N when S_0[1] ≠ 1, the probability Pr(Z_1 = 0 | S_0[2] = 0) is estimated as
Pr(Z_1 = 0 | S_0[2] = 0) = Pr(S_0[1] = 1) + (1 − Pr(S_0[1] = 1)) · (1/N).
S_0[2] ≠ 0
Suppose that the event Z_1 = 0 occurs with probability 1/N. Then Pr(Z_1 = 0 | S_0[2] ≠ 0) is estimated as
Pr(Z_1 = 0 | S_0[2] ≠ 0) = 1/N.
Therefore Pr(Z_1 = 0 | Z_2 = 0) is approximately
Pr(Z_1 = 0 | Z_2 = 0) = Pr(Z_1 = 0 | S_0[2] = 0) · Pr(S_0[2] = 0 | Z_2 = 0) + Pr(Z_1 = 0 | S_0[2] ≠ 0) · Pr(S_0[2] ≠ 0 | Z_2 = 0)
  ≈ (1/2) · ( Pr(S_0[1] = 1) + (1 − Pr(S_0[1] = 1)) · (1/N) ) + (1/2) · (1/N).
When N = 256, Pr(S_0[1] = 1) is obtained by Proposition 1.

Pr(S_0[1] = 1) = (1/256) · ( (1 − 1/256) + (1 − (1 − 1/256)) · (1 − 1/256)^254 ) = 0.0038966.

Then, Pr(Z_1 = 0 | Z_2 = 0) is computed as

Pr(Z_1 = 0 | Z_2 = 0) = (1/2) · ( Pr(S_0[1] = 1) + (1 − Pr(S_0[1] = 1)) · (1/256) ) + (1/2) · (1/256)
  = 0.0058470 = 2^{−7.418} = 2^{−8} (1 + 2^{−1.009}).

Since the experimental value of Pr(Z_1 = 0 | Z_2 = 0) for 2^40 randomly-chosen keys is obtained as 0.0058109 = 2^{−8} (1 + 2^{−1.036}), the theoretical value is correctly approximated.

From this bias, Pr(Z_1 = 0 ∧ Z_2 = 0) can also be estimated, as follows.

Pr(Z_1 = 0 ∧ Z_2 = 0) = Pr(Z_2 = 0) · Pr(Z_1 = 0 | Z_2 = 0).

When N = 256, it is estimated as

Pr(Z_1 = 0 ∧ Z_2 = 0) = (2/256) · 2^{−7.418} = 2^{−14.418} = 2^{−16} (1 + 2^{0.996}).

This type of bias, called digraph bias, was proved to be a long-term bias by Fluhrer and McGrew [3]. However, such a strong bias in the initial bytes was not reported. Specifically, the probability of the general long-term digraph bias is estimated as 2^{−16} (1 + 2^{−8}) in [3] when N = 256, while that of our bias is 2^{−16} (1 + 2^{0.996}). Thus our result reveals that the digraph bias in the initial bytes is much stronger than what is estimated in [3].
Note that we searched for similar forms of conditional biases in the first 256 bytes of the RC4 keystream. In particular, we checked the following specific patterns, (Z_{r−a} = X | Z_r = Y) for 0 ≤ X, Y ≤ 255, 2 ≤ r ≤ 256, 1 ≤ a ≤ 8. However, no such strong bias could be found in our experiment, although not all conditional biases are covered.
Application to Broadcast RC4 attack: Using this new conditional bias of Z_1 = 0 | Z_2 = 0 in conjunction with the bias of Z_2 = 0 [11], the first byte of the plaintext can be efficiently extracted, where N = 256. After 2^17 ciphertexts with randomly-chosen keys are collected, the following procedure is performed.
Step 1 Extract the second byte of the target plaintext, P_2, from 2^8 ciphertexts [11].
Step 2 Find the ciphertexts in which Z_2 = 0 is XOR-ed by the computation of C_2 ⊕ P_2. Then, 2^10 (= 2^17 · 2/256) ciphertexts matching this criterion are expected to be obtained.
Step 3 Regard the most frequent byte in the first byte C_1 of these matching 2^10 ciphertexts as P_1.
In Step 3, using the bias of Pr(Z_1 = 0 | Z_2 = 0) = 2^{−8} (1 + 2^{−1.009}), P_1 is extracted from the remaining 2^10 (≈ 1/(2^{−8} · (2^{−1.009})^2)) ciphertexts by Theorems 2 and 3, assuming the relation C_1 = P_1 ⊕ Z_1 = P_1 holds. Although the bias of the first byte has already been pointed out in [14, 6], it requires 2^24 ciphertexts to extract the first byte using the known biases, because the probability of the strongest bias, which is a negative bias of Z_1 towards 0, is estimated as about 2^{−8} (1 − 2^{−8}) [6]. Thus, the new conditional bias identified by us is very efficient, because the number of required ciphertexts is reduced by a factor close to N/2 compared to that of the straightforward method.
3.2 Bias of Z_3 = 131

A new bias of Z_3 = 131, which is stronger than Z_3 = 0 [8, 6], is given as Theorem 7.
Fig. 1. Event for bias of Z_1 = 0 | Z_2 = 0 (i = 1, j = S_0[1] = 1; Z_1 = S_1[S_1[1] + S_1[1]] = S_1[2] = 0)

Fig. 2. Event for bias of Z_3 = 131 (i = 1: j = S_0[1] = 131; i = 2: j = 131 + S_1[2] = 131 + 128 = 3; i = 3: j = 3 + S_2[3] = 3 + 128 = 131; Z_3 = S_3[S_3[3] + S_3[131]] = S_3[131 + 128] = S_3[3] = 131)

Theorem 7 Pr(Z_3 = 131) is approximately

Pr(Z_3 = 131) ≈ Pr(S_0[1] = 131) · Pr(S_0[2] = 128) + (1 − Pr(S_0[1] = 131) · Pr(S_0[2] = 128)) · 1/N.

Proof. Suppose the events S_0[1] = 131 and S_0[2] = 128 occur after the KSA. For i = 1, j is updated as S_0[1] = 131. After S_0[1] and S_0[131] are swapped, S_1[131] becomes 131. For i = 2, j is updated as 131 + S_1[2] = 131 + S_0[2] = 131 + 128 = 3, and S_1[2] and S_1[3] are swapped. Then S_2[3] = 128 is obtained. Finally, for i = 3, j is updated as 3 + S_2[3] = 3 + 128 = 131. After S_2[3] and S_2[131] are swapped, S_3[3] = 131 and S_3[131] = 128 hold. Then, the third output byte Z_3 is Z_3 = S_3[S_3[3] + S_3[131]] = S_3[131 + 128] = S_3[3] = 131. Thus, when S_0[1] = 131 and S_0[2] = 128 hold, Z_3 = 131 holds with probability one. Figure 2 depicts this event.
Assuming that in the other cases, that is when S_0[1] ≠ 131 or S_0[2] ≠ 128, the event Z_3 = 131 holds with probability 1/N, the probability Pr(Z_3 = 131) is estimated as

Pr(Z_3 = 131) ≈ Pr(S_0[1] = 131) · Pr(S_0[2] = 128) + (1 − Pr(S_0[1] = 131) · Pr(S_0[2] = 128)) · 1/N.

When N = 256, by Proposition 1, Pr(S_0[1] = 131) and Pr(S_0[2] = 128) are estimated as

Pr(S_0[1] = 131) = (1/256) · ( (255/256)^{256−1−1} + (255/256)^{131} ) = 0.0037848,
Pr(S_0[2] = 128) = (1/256) · ( (255/256)^{256−2−1} + (255/256)^{128} ) = 0.0038181.

Thus, Pr(Z_3 = 131) is computed as

Pr(Z_3 = 131) ≈ 0.0039206 = 2^{−8} (1 + 2^{−8.089}).
Fig. 3. Event (Case 1) for bias of Z_r = r (i = r; Z_r = S_r[S_r[r] + S_r[j]] = S_r[r] = r)

Fig. 4. Event (Case 2) for bias of Z_r = r (i = r, S_r[r] = j − r; Z_r = S_r[S_r[r] + S_r[j]] = S_r[j] = r)

Since the experimental value of this bias for 2^40 randomly-chosen keys is obtained as 0.0039204 = 2^{−8} (1 + 2^{−8.109}), the theoretical value is correctly approximated.
Let us compare it to the bias of Z_3 = 0 of the MPS attack [8, 6]. The experimental value for 2^40 randomly-chosen keys is obtained as
Pr(Z_3 = 0) = 0.0039116 = 2^{−8} (1 + 2^{−9.512}).
Thus, the bias of Z_3 = 131 is stronger than that of Z_3 = 0.
We should utilize Z_3 = 131 instead of Z_3 = 0 for an efficient plaintext recovery attack. When Z_3 = 131 and Z_3 = 0 are jointly used, two candidates for P_3 remain. Thus, in order to detect the one correct value of P_3, using only Z_3 = 131 is more efficient.
3.3 Bias of Z_r = r for 3 ≤ r ≤ N − 1

We also present a new bias in the event Z_r = r for 3 ≤ r ≤ N − 1, whose probabilities are very close to those of Z_r = 0 [8], and the new biases are stronger than those of Z_r = 0 in some rounds. Thus, for an efficient attack, we need to carefully consider which biases are stronger in each round. The probability of Z_r = r is given as Theorem 8.
Theorem 8 Pr(Z_r = r) for 3 ≤ r ≤ N − 1 is approximately

Pr(Z_r = r) ≈ p_{r−1,0} · (1/N) + p_{r−1,r} · (1/N) · ((N − 2)/N)
  + ( 1 − p_{r−1,0} · (1/N) − p_{r−1,r} · (1/N) − (1 − p_{r−1,0}) · (2/N) ) · (1/N),

where p_{r−1,0} = Pr(S_{r−1}[r] = 0) and p_{r−1,r} = Pr(S_{r−1}[r] = r).


Proof. Let i_r and j_r be the r-th i and j, respectively. For i_r = r, the output Z_r is expressed as
Z_r = S_r[S_r[i_r] + S_r[j_r]] = S_r[S_r[r] + S_{r−1}[r]].
Then, let us consider four independent cases.
Case 1 : S_{r−1}[r] = 0 ∧ S_r[r] = r
Case 2 : S_{r−1}[r] = r ∧ S_r[r] = j_r − r ∧ j_r ≠ r, r + r
Case 3 : S_{r−1}[r] ≠ 0 ∧ S_r[r] = r − S_{r−1}[r]
Case 4 : S_{r−1}[r] ≠ 0 ∧ S_r[r] = r
In Case 1 and Case 2, the output is always Z_r = r. On the other hand, in Case 3 and Case 4, the output is never Z_r = r.
Case 1 : S_{r−1}[r] = 0 ∧ S_r[r] = r
The output is expressed as Z_r = S_r[S_r[r] + S_{r−1}[r]] = S_r[r + 0] = S_r[r] = r (see Fig. 3). Then, the probability of Z_r = r is one. Here S_r[r] is chosen by pointer j. Since j_r for r ≥ 3 behaves randomly [8], S_r[r] is assumed to be uniformly random. It is estimated as
Pr(S_{r−1}[r] = 0 ∧ S_r[r] = r) = p_{r−1,0} · (1/N).
Case 2 : S_{r−1}[r] = r ∧ S_r[r] = j_r − r ∧ j_r ≠ r, r + r
The output is expressed as Z_r = S_r[S_r[r] + S_{r−1}[r]] = S_r[j_r − r + r] = S_r[j_r] = S_{r−1}[r] = r (see Fig. 4). Then, the probability of Z_r = r is one. Similar to Case 1, S_r[r] is assumed to be uniformly random.
When j_r = r, the probability of Z_r = r is zero because of the relation Z_r = S_r[S_r[r] + S_{r−1}[r]] = S_r[0 + r] = S_r[r] = 0. Also, when j_r = r + r, since S_r[r] = r and Z_r = S_r[S_r[r] + S_{r−1}[r]] = S_r[r + r] ≠ r, the probability of Z_r = r is zero. Thus, the conditions j_r ≠ r, r + r are necessary for Z_r = r. Then, it is estimated as
Pr(S_{r−1}[r] = r ∧ S_r[r] = j_r − r ∧ j_r ≠ r, r + r) = p_{r−1,r} · (1/N) · ((N − 2)/N).
Case 3 : S_{r−1}[r] ≠ 0 ∧ S_r[r] = r − S_{r−1}[r]
The equation Z_r = S_r[r − S_{r−1}[r] + S_{r−1}[r]] = S_r[r] holds. Then, S_r[r] = r − S_{r−1}[r] is not r, because S_{r−1}[r] is not 0. Thus, it is estimated as
Pr(S_{r−1}[r] ≠ 0 ∧ S_r[r] = r − S_{r−1}[r]) = (1 − p_{r−1,0}) · (1/N).
Case 4 : S_{r−1}[r] ≠ 0 ∧ S_r[r] = r
The output is expressed as Z_r = S_r[r + S_{r−1}[r]]. Since S_{r−1}[r] ≠ 0, the index r + S_{r−1}[r] differs from r, so the probability of Z_r = r is zero. Thus, it is estimated as
Pr(S_{r−1}[r] ≠ 0 ∧ S_r[r] = r) = (1 − p_{r−1,0}) · (1/N).
Assuming that in the other cases Z_r = r holds with probability 1/N, the probability Pr(Z_r = r) is estimated as

Pr(Z_r = r) ≈ p_{r−1,0} · (1/N) + p_{r−1,r} · (1/N) · ((N − 2)/N)
  + ( 1 − p_{r−1,0} · (1/N) − p_{r−1,r} · (1/N) − (1 − p_{r−1,0}) · (2/N) ) · (1/N).

Fig. 5. Theoretical values and experimental values of Z_r = r (probability of the event Z_r = r versus round number r, with the random-guess level for comparison)

Here, p_{r−1,r} and p_{r−1,0} are obtained from Theorem 4. Figure 5 shows the comparison of theoretical values and experimental values of Z_r = r for 2^40 randomly-chosen keys when N = 256. Since the theoretical values do not exactly coincide with the experimental values, we do not claim that Theorem 8 completely proves this bias. We guess that several minor events are not covered in our approach. However, the order of the bias seems to be well matched. At least it can be said that the main event causing this bias has been discovered.

3.4 Extended Keylength-dependent Biases

Extended keylength-dependent biases, which are extensions of the keylength-dependent biases [17, 5], are the bias of Z_ℓ = −ℓ when the key length is ℓ bytes. For example, when using a 128-bit key (16 bytes), Z_16 is biased to −16 (= 240). In addition to it, we show that when the key length is ℓ bytes, Z_{xℓ} is also biased to −xℓ (x = 2, 3, 4, 5, 6, 7), e.g., Z_r = −r for r = 32, 48, 64, 80, 96, 112, assuming ℓ = 16. Importantly, the extended keylength-dependent biases are much stronger than the other known biases such as Z_r = 0 and Z_r = r. Table 1 shows experimental values of the extended keylength-dependent bias Z_r = −r, Z_r = 0, and Z_r = r for 2^40 randomly-chosen keys, when r is a multiple of the key length, ℓ = 16 in this case.
The probability of these biases is given as Theorem 9 (the proof is in Appendix A).
Theorem 9 When r = xℓ (x = 1, 2, . . . , 7), the probability Pr(Z_r = −r) is approximately
Pr(Zr = r)

(
)
1
1
1
+
1

r + (1 r ) ,
2
2
N
N
N
Table 1. Experimental values of Z_r = −r, Z_r = 0 and Z_r = r

  r     Pr(Z_r = −r)              Pr(Z_r = 0)               Pr(Z_r = r)
  16    2^{-8} (1 + 2^{-4.811})   2^{-8} (1 + 2^{-7.714})   2^{-8} (1 + 2^{-7.762})
  32    2^{-8} (1 + 2^{-5.383})   2^{-8} (1 + 2^{-7.880})   2^{-8} (1 + 2^{-7.991})
  48    2^{-8} (1 + 2^{-5.938})   2^{-8} (1 + 2^{-8.043})   2^{-8} (1 + 2^{-8.350})
  64    2^{-8} (1 + 2^{-6.496})   2^{-8} (1 + 2^{-8.244})   2^{-8} (1 + 2^{-8.664})
  80    2^{-8} (1 + 2^{-7.224})   2^{-8} (1 + 2^{-8.407})   2^{-8} (1 + 2^{-9.052})
  96    2^{-8} (1 + 2^{-7.911})   2^{-8} (1 + 2^{-8.577})   2^{-8} (1 + 2^{-9.351})
  112   2^{-8} (1 + 2^{-8.666})   2^{-8} (1 + 2^{-8.747})   2^{-8} (1 + 2^{-9.732})

Fig. 6. Experimental values and theoretical values of Z_r = −r when ℓ = 16 for r = 16, 32, 48, 64, 80, 96, 112 (probability of the event Z_r = −r versus round number r, with the random-guess level for comparison)

where
r =

(
)
1
r+1

N2
N
)y (
)yr (
)N y+2r4
(
N
1

2
3
1
1
1
,

1
N
N
N
y=r+1

and δ_r = Pr(S_r[j_r] = 0) = Pr(S_{r−1}[r] = 0).


Figure 6 shows our experimental values for 2^40 randomly-chosen keys and the theoretical values of these extended keylength-dependent biases. Since the theoretical and experimental values are almost the same, the theoretical values are correctly approximated.

3.5 Cumulative Bias Set of First 257 Bytes

When N = 256, a set of strong biases in Z_1, Z_2, . . . , Z_255 is given in Table 2. Our new biases, namely the ones involving Z_1, Z_3, Z_32, Z_48, Z_64, Z_80, Z_96, Z_112, are included. Here, let us compare the biases of Z_r = 0 [8, 6] and Z_r = r, whose probabilities are of the same order, and are very close in the range 3 ≤ r ≤ 255. According to our experiments with 2^40 randomly-chosen keys (see Fig. 7), Z_r = r is stronger than Z_r = 0 in Z_5, Z_6, . . . , Z_31. Thus we choose the bias Z_r = r in Z_5, Z_6, . . . , Z_31 and the bias Z_r = 0 in the other cases as the strongest bias, except for the cases involving Z_3, Z_16, Z_32, Z_48, Z_64, Z_80, Z_96, Z_112. Besides, we experimentally found two new biases for the events Z_256 = 0 and Z_257 = 0, and added these to our bias set, although we could not provide theoretical proofs. Note that it is experimentally confirmed that the biases of Z_2, Z_3, . . . , Z_257 included in our bias set are the strongest known biases amongst all the positive and negative biases that have been discovered for these bytes.
For the first time, we propose a cumulative list of the strongest known biases in the initial bytes of RC4 that can be exploited in a practical attack against the broadcast mode of the cipher.

Fig. 7. Comparison between Z_r = 0 and Z_r = r for 3 ≤ r ≤ 255 (probability of each event versus round number r)

4 Experimental Results of Plaintext Recovery Attack

We demonstrate a plaintext recovery attack using our cumulative bias set of the first 257 bytes by a computer experiment, when N = 256, and estimate the number of required ciphertexts and the probability of success for our attack. The details of our experiment are as follows.
Step 1 Randomly generate a target plaintext P.
Step 2 Encrypt P with 2^x randomly-chosen keys, and obtain 2^x ciphertexts C.
Step 3 Find the most frequent byte in each byte position, and extract P_r, assuming P_r = C_r ⊕ Z_r where Z_r is the value of the keystream byte from our bias set.
In the case of P_1, the method mentioned in Section 3.1 is used for efficient extraction of P_1. Specifically, after P_2 is recovered, we extract P_1 by using the conditional bias such that Z_1 = 0 when Z_2 = 0.
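As an added example (not code from the paper), the following Python puts the pieces together: RC4 as in Algorithm 1, the Proposition 1, Theorem 6 and Theorem 7 values of Sections 2.2, 3.1 and 3.2 evaluated numerically, and a scaled-down run of Steps 1-3 above together with Step 2 of Section 3.1 (keeping the ciphertexts whose keystream had Z_2 = 0). The plaintext, the 16-byte random keys and the sample size 2^15 are constructed for the example; at that size only P_2 is recovered reliably, the other entries of the bias set need the 2^24 to 2^32 ciphertexts reported below.

```python
# Added example, not code from the paper: RC4 as in Algorithm 1, numeric
# evaluation of Proposition 1 and Theorems 6 and 7, and a scaled-down run of
# the Section 4 experiment (Steps 1-3) plus Step 2 of Section 3.1.
import random
from collections import Counter

N = 256

# Keystream values Z_r assumed for the guess P_r = C_r XOR Z_r, taken from the
# cumulative bias set (Table 2): Z_2 = 0, Z_3 = 131, Z_16 = -16 = 240.
BIAS_SET = {2: 0, 3: 131, 16: 240}


def ksa(key: bytes, n: int = N) -> list:
    """KSA of Algorithm 1: returns the initial state S_0 (a permutation of 0..n-1)."""
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % len(key)]) % n
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list, rounds: int, n: int = N) -> list:
    """PRGA of Algorithm 1 run from state S (left unmodified): returns Z_1..Z_rounds."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(rounds):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return out


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C_r = P_r XOR Z_r for r = 1..len(plaintext)."""
    return bytes(p ^ z for p, z in zip(plaintext, prga(ksa(key), len(plaintext))))


def prob_s0(u: int, v: int, n: int = N) -> float:
    """Proposition 1: Pr(S_0[u] = v) after the KSA."""
    q = (n - 1) / n
    if v <= u:
        return (q ** v + (1 - q ** v) * q ** (n - u - 1)) / n
    return (q ** (n - u - 1) + q ** v) / n


def theorem6(n: int = N) -> float:
    """Theorem 6: Pr(Z_1 = 0 | Z_2 = 0) (0.0058470 for n = 256)."""
    p = prob_s0(1, 1, n)
    return 0.5 * (p + (1 - p) / n) + 0.5 / n


def theorem7(n: int = N) -> float:
    """Theorem 7: Pr(Z_3 = 131) (0.0039206 for n = 256)."""
    e = prob_s0(1, 131, n) * prob_s0(2, 128, n)
    return e + (1 - e) / n


def broadcast_ciphertexts(plaintext: bytes, nkeys: int, seed: int = 2) -> list:
    """Steps 1-2: the same plaintext encrypted under nkeys random 16-byte keys.
    The keys come from a seeded PRNG so the run is reproducible (constructed data)."""
    rng = random.Random(seed)
    return [rc4_encrypt(bytes(rng.getrandbits(8) for _ in range(16)), plaintext)
            for _ in range(nkeys)]


def recover_bytes(cts: list, bias_set: dict = BIAS_SET) -> dict:
    """Step 3: for every r in the bias set, P_r = (most frequent C_r) XOR Z_r."""
    guesses = {}
    for r, z in bias_set.items():
        if r <= len(cts[0]):
            most_frequent = Counter(c[r - 1] for c in cts).most_common(1)[0][0]
            guesses[r] = most_frequent ^ z
    return guesses


def z2_zero_subset(cts: list, p2: int) -> list:
    """Step 2 of Section 3.1: the ciphertexts with C_2 XOR P_2 = 0 are exactly
    those whose keystream had Z_2 = 0 (about 2/256 of them by Theorem 1); their
    first bytes C_1 are what Step 3 votes on to obtain P_1."""
    return [c[0] for c in cts if c[1] ^ p2 == 0]


if __name__ == "__main__":
    P = b"constructed text"          # constructed 16-byte sample plaintext
    cts = broadcast_ciphertexts(P, 1 << 15)
    print("Pr(S_0[1]=1) =", round(prob_s0(1, 1), 7),
          " Theorem 6 =", round(theorem6(), 7), " Theorem 7 =", round(theorem7(), 7))
    print("guessed:", recover_bytes(cts), " true:", {r: P[r - 1] for r in BIAS_SET})
    print("ciphertexts with Z_2 = 0:", len(z2_zero_subset(cts, P[1])), "of", len(cts))
```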
Table 2. Cumulative bias set of the first 257 bytes

  r        Strongest known bias of Z_r        Prob. (Theoretical)                 Prob. (Experimental)
  1        Z_1 = 0 | Z_2 = 0 (Our)            2^{-8} (1 + 2^{-1.009})             2^{-8} (1 + 2^{-1.036})
  2        Z_2 = 0 [11]                       2^{-8} (1 + 2^0)                    2^{-8} (1 + 2^{0.002})
  3        Z_3 = 131 (Our)                    2^{-8} (1 + 2^{-8.089})             2^{-8} (1 + 2^{-8.109})
  4        Z_4 = 0 [8]                        2^{-8} (1 + 2^{-7.581})             2^{-8} (1 + 2^{-7.611})
  5-15     Z_r = r (Our)                      max: 2^{-8} (1 + 2^{-7.627})        max: 2^{-8} (1 + 2^{-7.335})
                                              min: 2^{-8} (1 + 2^{-7.737})        min: 2^{-8} (1 + 2^{-7.535})
  16       Z_16 = 240 [5]                     2^{-8} (1 + 2^{-4.841})             2^{-8} (1 + 2^{-4.811})
  17-31    Z_r = r (Our)                      max: 2^{-8} (1 + 2^{-7.759})        max: 2^{-8} (1 + 2^{-7.576})
                                              min: 2^{-8} (1 + 2^{-7.912})        min: 2^{-8} (1 + 2^{-7.839})
  32       Z_32 = 224 (Our)                   2^{-8} (1 + 2^{-5.404})             2^{-8} (1 + 2^{-5.383})
  33-47    Z_r = 0 [8]                        max: 2^{-8} (1 + 2^{-7.897})        max: 2^{-8} (1 + 2^{-7.868})
                                              min: 2^{-8} (1 + 2^{-8.050})        min: 2^{-8} (1 + 2^{-8.039})
  48       Z_48 = 208 (Our)                   2^{-8} (1 + 2^{-5.981})             2^{-8} (1 + 2^{-5.938})
  49-63    Z_r = 0 [8]                        max: 2^{-8} (1 + 2^{-8.072})        max: 2^{-8} (1 + 2^{-8.046})
                                              min: 2^{-8} (1 + 2^{-8.224})        min: 2^{-8} (1 + 2^{-8.238})
  64       Z_64 = 192 (Our)                   2^{-8} (1 + 2^{-6.576})             2^{-8} (1 + 2^{-6.496})
  65-79    Z_r = 0 [8]                        max: 2^{-8} (1 + 2^{-8.246})        max: 2^{-8} (1 + 2^{-8.223})
                                              min: 2^{-8} (1 + 2^{-8.398})        min: 2^{-8} (1 + 2^{-8.376})
  80       Z_80 = 176 (Our)                   2^{-8} (1 + 2^{-7.192})             2^{-8} (1 + 2^{-7.224})
  81-95    Z_r = 0 [8]                        max: 2^{-8} (1 + 2^{-8.420})        max: 2^{-8} (1 + 2^{-8.398})
                                              min: 2^{-8} (1 + 2^{-8.571})        min: 2^{-8} (1 + 2^{-8.565})
  96       Z_96 = 160 (Our)                   2^{-8} (1 + 2^{-7.831})             2^{-8} (1 + 2^{-7.911})
  97-111   Z_r = 0 [8]                        max: 2^{-8} (1 + 2^{-8.592})        max: 2^{-8} (1 + 2^{-8.570})
                                              min: 2^{-8} (1 + 2^{-8.741})        min: 2^{-8} (1 + 2^{-8.722})
  112      Z_112 = 144 (Our)                  2^{-8} (1 + 2^{-8.500})             2^{-8} (1 + 2^{-8.666})
  113-255  Z_r = 0 [8]                        max: 2^{-8} (1 + 2^{-8.763})        max: 2^{-8} (1 + 2^{-8.760})
                                              min: 2^{-8} (1 + 2^{-10.052})       min: 2^{-8} (1 + 2^{-10.041})
  256      Z_256 = 0 (negative bias) (Our)    N/A                                 2^{-8} (1 − 2^{-9.407})
  257      Z_257 = 0 (Our)                    N/A                                 2^{-8} (1 + 2^{-9.531})

We perform the above experiment for 256 different plaintexts in the cases where 2^6, 2^7, . . . , 2^35 ciphertexts with randomly-chosen keys are given. Figure 8 shows the probability of successfully recovering the values of P_1, P_2, P_3, P_5, and P_16 for each amount of ciphertexts. Here, the success probability is estimated by the number of correctly-extracted plaintexts for each byte. For example, if the target byte of only 100 plaintexts out of 256 plaintexts can be correctly recovered, the probability is estimated as 0.39 (= 100/256). The second byte of the plaintext P_2 can be extracted from 2^12 ciphertexts with probability one. In previous attacks such as the MS attack [11] and the MPS attack [8], the number of required ciphertexts is theoretically estimated only in terms of the lower bound Ω. Our results first reveal the concrete number of ciphertexts, and the corresponding success probability.
Figure 9 shows the success probability of extracting each byte P_r (1 ≤ r ≤ 257) when 2^24, 2^28, 2^32, 2^35 ciphertexts are given. Note that the probability
Fig. 8. Relation of the number of ciphertexts (2^x) and success probability of recovering P_1, P_2, P_3, P_5, and P_16

Fig. 9. Success probability of extracting P_r (1 ≤ r ≤ 257) with different numbers of samples (one candidate; 2^24, 2^28, 2^32, 2^35 ciphertexts)

Fig. 10. Success probability of extracting P_r (1 ≤ r ≤ 257) with different numbers of samples (two candidates; 2^24, 2^28, 2^32, 2^34 ciphertexts)

Fig. 11. The number of plaintext bytes that are extracted with five times higher probability than that of a random guess, against the number of ciphertexts (2^x)

of a random guess is 1/256 = 0.00390625. Given 232 ciphertexts, all bytes of


P1 , P2 , . . . , P257 can be extracted with probability more than 0.5. In addition,
most bytes can be extracted with probability more than 0.8. Also, the bytes
having stronger bias such as P1 , P2 , P16 , P32 , P48 , P64 , are extracted from
only 224 ciphertexts with high probability. However, even if 235 ciphertexts are
given, the probability does not become one in some bytes. It is guessed that in
such bytes, the dierence of probability of the strongest known bias (as in our
cumulative bias set) and the second one is very small. Thus, more ciphertexts
are required for an attack with probability one.
We additionally utilize the second most frequent byte in the ciphertexts for extracting plaintext bytes. In other words, two candidates are obtained by using the relation $P_r = C_r \oplus Z_r$, where $C_r$ is taken as the most and the second most frequent ciphertext byte and $Z_r$ is chosen from our bias set. This result is shown in Fig. 10, and its success probability is estimated as the probability that the guess for the correct plaintext byte is narrowed down to two possible candidates. Note that the probability of a random guess in this scenario is $2/256 = 0.0078125$. Given $2^{34}$ ciphertexts, each byte of $P_1, P_2, \ldots, P_{257}$ can be extracted with probability one. In this case, although we cannot obtain the correct byte of the plaintext directly, it is narrowed down to only two candidates. For the experiments of Figs. 9 and 10, it takes about one day on a single CPU core (Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz) to obtain the result for one plaintext, and 256 plaintexts are used.
Figure 11 shows the number of plaintext bytes that are extracted with five times higher probability than that of a random guess, i.e., where the success probability is more than $5/256$. Given $2^{29}$ ciphertexts, all the plaintext bytes $P_1, P_2, \ldots, P_{257}$ are guessed with much higher probability than random guesses.
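The experiment above, as an added example that is not part of the original paper: a pure-Python RC4, a constructed broadcast setting (one fixed plaintext encrypted under many random 16-byte keys, drawn with Python's `random` module, which is adequate for a simulation but is not a CSPRNG), and the Section 4 rule that the most frequent value of $C_r$ XORed with the most likely value of $Z_r$ is the guess for $P_r$. It attacks $P_2$ through the Mantin-Shamir bias $\Pr(Z_2 = 0) \approx 2/N$, the strongest entry in the bias set, with $2^{15}$ ciphertexts (far fewer than the $2^{32}$ the full 257-byte attack needs), and also returns the second candidate used in the two-candidate variant of Fig. 10. The plaintext and the key length are assumptions of the example.

```python
import random
from collections import Counter

N = 256


def rc4_keystream(key, length):
    """Plain RC4: KSA over `key`, then `length` PRGA output bytes (no keystream dropped)."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def rc4_encrypt(key, plaintext):
    return bytes(p ^ z for p, z in zip(plaintext, rc4_keystream(key, len(plaintext))))


def broadcast_keystreams(count, length, key_len=16, seed=1):
    """Constructed sample: keystream prefixes under `count` independent random keys.
    Each keystream stands for one broadcast ciphertext C = P xor Z of the same plaintext P."""
    rng = random.Random(seed)
    return [rc4_keystream(bytes(rng.getrandbits(8) for _ in range(key_len)), length)
            for _ in range(count)]


def empirical_probability(keystreams, r, value):
    """Estimate Pr(Z_r = value) from the sample (r is 1-indexed, as in the paper)."""
    return sum(z[r - 1] == value for z in keystreams) / len(keystreams)


def recover_byte(ciphertexts, r, z_most_likely):
    """Section 4 rule: P_r = C_r xor Z_r with C_r the most frequent r-th ciphertext byte.
    Returns (first candidate, second candidate); the second one comes from the second
    most frequent ciphertext byte, as in the two-candidate variant of Fig. 10."""
    counts = Counter(c[r - 1] for c in ciphertexts)
    first, second = (value for value, _ in counts.most_common(2))
    return first ^ z_most_likely, second ^ z_most_likely


def broadcast_attack_p2(log2_ciphertexts=15):
    """Attack P_2 with Z_2 = 0, the Mantin-Shamir bias Pr(Z_2 = 0) ~ 2/N."""
    plaintext = b"GET /index.html HTTP/1.1\r\n"   # constructed plaintext; only P_2 is attacked
    keystreams = broadcast_keystreams(2 ** log2_ciphertexts, 2)
    ciphertexts = [bytes(p ^ z for p, z in zip(plaintext, ks)) for ks in keystreams]
    guess, runner_up = recover_byte(ciphertexts, 2, 0)
    return {
        "pr_z2_zero": empirical_probability(keystreams, 2, 0),   # expected near 2/256
        "p2_true": plaintext[1],
        "p2_guess": guess,
        "p2_second": runner_up,
    }


if __name__ == "__main__":
    result = broadcast_attack_p2()
    print(f"Pr(Z_2 = 0) ~ {result['pr_z2_zero']:.5f} (uniform would be {1 / N:.5f})")
    print(f"P_2 true 0x{result['p2_true']:02x}, guessed 0x{result['p2_guess']:02x}, "
          f"second candidate 0x{result['p2_second']:02x}")
```

The two public RC4 test vectors ("Key"/"Plaintext" and "Wiki"/"pedia") pin down the cipher implementation before any statistics are trusted; the attack itself never sees a key or a keystream, only the list of ciphertexts.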

5 How to Recover Bytes of the Plaintext after $P_{258}$

In this section, we propose an efficient method to recover later bytes of the plaintext, namely the bytes after $P_{258}$. The method using our biases in the initial bytes cannot be applied directly to extract these bytes, because it exploits biases that exist only in the initial keystream. For the extraction of the later bytes, a long-term bias, which occurs in any keystream byte, is utilized. In particular, the digraph repetition bias (also called the ABSAB bias) proposed by Mantin [10], which is the strongest known long-term bias, is used. Combining it with our cumulative bias set of $Z_1, Z_2, \ldots, Z_{257}$, we can sequentially recover the bytes of a plaintext, even after $P_{258}$, given only the ciphertexts.
5.1 Best Known Long-term Bias (ABSAB bias) [10]

The ABSAB bias is a statistical bias of the digraph distribution in the RC4 keystream. Specifically, digraphs $AB$ tend to repeat with short gaps $S$ between them, e.g., $ABAB$, $ABCAB$ and $ABCDAB$, where the gap $S$ is empty, $C$, and $CD$, respectively. The ABSAB bias is expressed as follows:

$$Z_r \,\|\, Z_{r+1} = Z_{r+2+G} \,\|\, Z_{r+3+G} \quad \text{for } G \ge 0, \tag{1}$$

where $\|$ denotes concatenation. The probability that Eq. (1) holds is given by Theorem 10.

Theorem 10 [10] For small values of $G$, the probability of the pattern $ABSAB$ in the RC4 keystream, where $S$ is a $G$-byte string, is $\left(1 + e^{(-4-8G)/N}/N\right) \cdot 1/N^2$.

To enhance these biases, the combined use of ABSAB biases with different $G$ is considered, using the following lemma for the discrimination.

Lemma 1 [10] Let $X$ and $Y$ be two distributions and suppose that the independent events $\{E_i : 1 \le i \le k\}$ occur with probabilities $p_X(E_i) = p_i$ in $X$ and $p_Y(E_i) = (1 + b_i)\,p_i$ in $Y$. Then the discrimination $D$ of the distributions is $\sum_i p_i b_i^2$.

The number of samples required to distinguish the biased distribution from the random distribution with probability $1 - \alpha$ is given by the following lemma.

Lemma 2 [10] The number of samples required for distinguishing two distributions that have discrimination $D$ with success rate $1 - \alpha$ (for both directions) is $(1/D) \cdot (1 - 2\alpha) \cdot \log_2\!\left((1 - \alpha)/\alpha\right)$.

This lemma shows that in the broadcast RC4 attack, given $D$ and the number of samples $N_{\rm ciphertext}$, the success probability for distinguishing the distribution of the correct candidate plaintext byte (the biased distribution) from the distribution of one wrong candidate plaintext byte (a random distribution) is a constant. $\Pr_{\rm distinguish}$ denotes this probability.
5.2 Plaintext Recovery Method using ABSAB Bias and Our Bias Set

The following equation allows us to efficiently use the ABSAB bias in the broadcast RC4 attack:

$$\begin{aligned}
(C_r \,\|\, C_{r+1}) \oplus (C_{r+2+G} \,\|\, C_{r+3+G})
&= (P_r \oplus Z_r \,\|\, P_{r+1} \oplus Z_{r+1}) \oplus (P_{r+2+G} \oplus Z_{r+2+G} \,\|\, P_{r+3+G} \oplus Z_{r+3+G}) \\
&= (P_r \oplus P_{r+2+G} \oplus Z_r \oplus Z_{r+2+G} \,\|\, P_{r+1} \oplus P_{r+3+G} \oplus Z_{r+1} \oplus Z_{r+3+G}).
\end{aligned} \tag{2}$$

Assuming that Eq. (1) (the event of the ABSAB bias) holds, a relation between plaintexts and ciphertexts that does not involve the keystream is obtained, i.e., $(C_r \,\|\, C_{r+1}) \oplus (C_{r+2+G} \,\|\, C_{r+3+G}) = (P_r \oplus P_{r+2+G} \,\|\, P_{r+1} \oplus P_{r+3+G}) = (P_r \,\|\, P_{r+1}) \oplus (P_{r+2+G} \,\|\, P_{r+3+G})$.

However, in this straightforward form we cannot combine these relations for different $G$ to enhance the biases, as is done in the distinguishing-attack setting. When the value of $G$ differs, the above equation is necessarily different even if $r$ is chosen appropriately. For example, in the cases of ($r$ and $G = 1$) and ($r + 1$ and $G = 0$), the right-hand sides are $(P_r \,\|\, P_{r+1}) \oplus (P_{r+3} \,\|\, P_{r+4})$ and $(P_{r+1} \,\|\, P_{r+2}) \oplus (P_{r+3} \,\|\, P_{r+4})$, respectively. Thus, if these equations with different $G$ are used independently, we are not able to make efficient use of the ABSAB bias in the broadcast setting.

To get rid of this problem, we give a method that sequentially recovers the plaintext after $P_{258}$ using knowledge of previously guessed plaintext bytes. For example, in the cases of ($r$ and $G = 1$) and ($r + 1$ and $G = 0$), if $P_r$, $P_{r+1}$, and $P_{r+2}$ are already known, two equations in $(P_{r+3} \,\|\, P_{r+4})$ are obtained by moving $P_r$, $P_{r+1}$, and $P_{r+2}$ to the left-hand side. Then these equations with different $G$ can be merged.

Suppose that $P_1, P_2, \ldots, P_{257}$ are guessed by our cumulative bias set of the initial bytes, where the success probability of finding these bytes is evaluated in Section 4. Then we aim to sequentially find $P_r$ for $r = 258, 259, \ldots, P_{MAX}$ by using ABSAB biases with $G = 0, 1, \ldots, G_{MAX}$. The detailed procedure is given as follows.

Step 1 Obtain $C_{258-3-G_{MAX}}, C_{258-2-G_{MAX}}, \ldots, C_{P_{MAX}}$ from each ciphertext, and make frequency tables $T_{\rm count}[r][G]$ of $(C_{r-3-G} \,\|\, C_{r-2-G}) \oplus (C_{r-1} \,\|\, C_r)$ for all $r = 258, 259, \ldots, P_{MAX}$ and $G = 0, 1, \ldots, G_{MAX}$, where $(C_{r-3-G} \,\|\, C_{r-2-G}) \oplus (C_{r-1} \,\|\, C_r) = (P_{r-3-G} \,\|\, P_{r-2-G}) \oplus (P_{r-1} \,\|\, P_r)$ only if Eq. (1) holds.
Step 2 Set $r = 258$.
Step 3 Guess the value of $P_r$.
Step 3.1 For $G = 0, 1, \ldots, G_{MAX}$, convert $T_{\rm count}[r][G]$ into a frequency table $T_{\rm merge}[r]$ of $(P_{r-1} \,\|\, P_r)$ by using the previously guessed values of $P_{r-3-G_{MAX}}, \ldots, P_{r-2}$, and merge the counter values of all tables.
Step 3.2 Make a frequency table $T_{\rm guess}[r]$ indexed only by $P_r$ from $T_{\rm merge}[r]$ using knowledge of $P_{r-1}$. More precisely, using the previously guessed value of $P_{r-1}$, only the entries of $T_{\rm merge}[r]$ consistent with that value of $P_{r-1}$ are taken into consideration. Finally, regard the most frequent entry of $T_{\rm guess}[r]$ as the correct $P_r$.
Step 4 Increment $r$. If $r = P_{MAX} + 1$, terminate the algorithm. Otherwise, go to Step 3.

The bytes of the plaintext are correctly extracted from $T_{\rm merge}[r]$ only if the correct candidate is distinguished from the other $N^2 - 1$ wrong candidate distributions. Assuming that wrong candidates are randomly distributed, the probability of correct extraction from $T_{\rm merge}[r]$ is estimated as $(\Pr_{\rm distinguish})^{N^2 - 1}$. In Step 3.2, our method converts $T_{\rm merge}[r]$ into $T_{\rm guess}[r]$ by using knowledge of $P_{r-1}$, where $T_{\rm guess}[r]$ has only $N - 1$ wrong candid ates. This reduces the number of wrong candidates from $N^2 - 1$ to $N - 1$. Then the probability of correct extraction from $T_{\rm guess}[r]$ is estimated as $(\Pr_{\rm distinguish})^{N - 1}$, which is $1/(\Pr_{\rm distinguish})^{N^2 - N}$ times higher than that of $T_{\rm merge}[r]$. Therefore, the table reduction technique of Step 3.2 further optimizes the attack.
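Steps 1 to 4 above, as an added example that is not part of the original paper. Since the real ABSAB bias only surfaces with about $2^{34}$ ciphertexts, the keystream here is a constructed stand-in: uniform bytes into which the digraph repetition of Eq. (1) with a random gap $G$ is planted with an exaggerated probability, so that the same table algebra can be watched to completion on a few thousand samples. The plaintext, the known prefix $P_1, \ldots, P_{257}$ (assumed here to come from the Section 4 attack), $G_{MAX}$, and the repetition rate are assumptions of the example; the tables follow the paper's $T_{\rm count}$, $T_{\rm merge}$ and $T_{\rm guess}$.

```python
import random
from collections import Counter

N = 256
PREFIX = 257   # P_1..P_257 are assumed known (Section 4 attack); recovery starts at P_258


def digraph(a, b):
    """Pack the 16-bit value (a || b) used as a table index."""
    return (a << 8) | b


def toy_keystream(rng, length, g_max, repeat_prob):
    """CONSTRUCTED stand-in for RC4 output, not RC4: uniform bytes with an exaggerated
    ABSAB event. For each r >= 258 (1-indexed), with probability `repeat_prob` the digraph
    (Z_{r-1} || Z_r) is overwritten with (Z_{r-3-G} || Z_{r-2-G}) for a random gap G, which
    is exactly the event of Eq. (1). Real RC4 has relative bias only e^((-4-8G)/N)/N."""
    z = [rng.getrandbits(8) for _ in range(length)]
    for r in range(PREFIX + 1, length + 1):
        if rng.random() < repeat_prob:
            g = rng.randrange(g_max + 1)
            z[r - 2], z[r - 1] = z[r - 4 - g], z[r - 3 - g]   # Z_{r-1}, Z_r := Z_{r-3-G}, Z_{r-2-G}
    return z


def count_tables(ciphertexts, r_max, g_max):
    """Step 1: T_count[r][G] counts (C_{r-3-G} || C_{r-2-G}) xor (C_{r-1} || C_r)."""
    t_count = {r: [Counter() for _ in range(g_max + 1)] for r in range(PREFIX + 1, r_max + 1)}
    for c in ciphertexts:
        for r in range(PREFIX + 1, r_max + 1):
            tail = digraph(c[r - 2], c[r - 1])
            for g in range(g_max + 1):
                t_count[r][g][digraph(c[r - 4 - g], c[r - 3 - g]) ^ tail] += 1
    return t_count


def guess_byte(t_count_r, known, r, g_max):
    """Steps 3.1 and 3.2 for one position r; known[k] = P_k for every k < r."""
    t_merge = Counter()
    for g in range(g_max + 1):
        # Move the already-known (P_{r-3-G} || P_{r-2-G}) to the left-hand side, so every
        # table, whatever its G, is now indexed by (P_{r-1} || P_r) and can be merged.
        shift = digraph(known[r - 3 - g], known[r - 2 - g])
        for index, count in t_count_r[g].items():
            t_merge[index ^ shift] += count
    t_guess = Counter()
    for index, count in t_merge.items():
        if index >> 8 == known[r - 1]:        # keep only the slice consistent with P_{r-1}
            t_guess[index & 0xFF] += count   # N - 1 wrong candidates remain instead of N^2 - 1
    return t_guess.most_common(1)[0][0]


def recover_tail(ciphertexts, known_prefix, r_max, g_max):
    """Steps 2 to 4: extend the known prefix sequentially up to P_{r_max}."""
    known = dict(enumerate(known_prefix, start=1))
    t_count = count_tables(ciphertexts, r_max, g_max)
    for r in range(PREFIX + 1, r_max + 1):
        known[r] = guess_byte(t_count[r], known, r, g_max)
    return bytes(known[r] for r in range(PREFIX + 1, r_max + 1))


def demo(samples=3000, r_max=265, g_max=15, repeat_prob=0.05, seed=5):
    """Broadcast setting on the toy keystream: one plaintext, `samples` independent keystreams."""
    rng = random.Random(seed)
    plaintext = bytes((7 * k + 3) % N for k in range(r_max))   # constructed plaintext, P_k = plaintext[k-1]
    ciphertexts = [bytes(p ^ z for p, z in zip(plaintext, toy_keystream(rng, r_max, g_max, repeat_prob)))
                   for _ in range(samples)]
    recovered = recover_tail(ciphertexts, plaintext[:PREFIX], r_max, g_max)
    return recovered, plaintext[PREFIX:]


if __name__ == "__main__":
    recovered, truth = demo()
    print("recovered P_258..P_265:", recovered.hex())
    print("true      P_258..P_265:", truth.hex())
```

Because each position reuses the bytes guessed before it, a single wrong guess at $P_r$ shifts every later table by the wrong value and the recovery derails from that point on; this is why the paper insists on the prefix success probabilities of Section 4 and on $\Pr_{\rm distinguish}$ being raised to the power of the number of bytes recovered.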
Experimental Results: We perform practical experiments using our algorithm to find $P_{258}, P_{259}, P_{260}$, and $P_{261}$ ($P_{MAX} = 261$). As the parameter of the ABSAB bias, $G_{MAX} = 63$ is chosen, because the increase of $D$ converges around $G_{MAX} = 63$. Then $D$ is estimated as $D = 2^{-28.0}$. The success probability of our algorithm for recovering $P_r$ ($r \ge 258$) when $2^{30}$ to $2^{34}$ ciphertexts are given is shown in Table 3, where the number of tests is 256. Note that $P_1, P_2, \ldots, P_{257}$ are obtained by using our bias set (one candidate) with the success probabilities shown in Fig. 9. This experiment takes about one week on a single CPU core (Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz) to get the result for one plaintext, and 256 plaintexts are used.

Table 3. Success probability of our algorithm for recovering $P_r$ ($r \ge 258$).

  # of ciphertexts    P_258       P_259       P_260       P_261
  2^30                0.003906    0.003906    0.000000    0.000000
  2^31                0.039062    0.007812    0.003906    0.007812
  2^32                0.386719    0.152344    0.070312    0.027344
  2^33                0.964844    0.941406    0.921875    0.902344
  2^34                1.000000    1.000000    1.000000    1.000000

Interestingly, given $2^{34}$ ciphertexts, $P_{258}, P_{259}, P_{260}$, and $P_{261}$ can be recovered with probability one, while the success probability of some bytes in $P_1, P_2, \ldots, P_{257}$ is not one. Combining multiple biases allows us to absorb the negative effects of some incorrect values among $P_1, P_2, \ldots, P_{257}$. Although our experiment is performed only up to $P_{261}$, the success probability is expected not to change for later bytes, because the ABSAB bias is a long-term bias.

Let us discuss the success probability of extracting bytes after $P_{262}$ when $2^{34}$ ciphertexts are given. According to Lemma 2 and $D = 2^{-28.0}$, $2^{34}$ ciphertexts allow us to distinguish an RC4 keystream from a random stream with probability $\Pr_{\rm distinguish} = 1 - 10^{-19}$. Then, assuming that wrong candidates are randomly distributed, the probability of correctly extracting the candidate from among $N - 1$ wrong candidates is estimated as $(\Pr_{\rm distinguish})^{N - 1}$. Therefore, our method extracts $257 + X$ consecutive bytes of a plaintext with probability $\left((\Pr_{\rm distinguish})^{N - 1}\right)^X = (\Pr_{\rm distinguish})^{(N - 1)X}$. For instance, when $X = 2^{40}$ and $X = 2^{50}$, the success probabilities are estimated as 0.99997 and 0.97170, respectively.

As a result, by using our sequential method, a large number of plaintext bytes, e.g., the first $2^{50}$ bytes (about 1000 TB), is recovered from $2^{34}$ ciphertexts with probability almost one. Therefore, it can be said that our attack is a full plaintext recovery attack on broadcast RC4, the first of its kind proposed in the literature.
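The numbers in this section and the lemmas of Section 5.1, carried through as an added example that is not part of the original paper: Theorem 10 gives the relative bias $b_G = e^{(-4-8G)/N}/N$ of each gap event, whose base probability is $p_G = 1/N^2$; Lemma 1 sums $p_G b_G^2$ over $G = 0, \ldots, G_{MAX}$; and Lemma 2 is inverted numerically (bisection on $-\log_2 \alpha$, with bounds chosen by the example) to obtain the $\alpha$ that $2^{34}$ ciphertexts buy, i.e. $\Pr_{\rm distinguish} = 1 - \alpha$. The last function applies $(\Pr_{\rm distinguish})^{(N-1)X}$ from above. Carrying the unrounded $D \approx 2^{-28.03}$ through gives $\alpha \approx 1.2 \times 10^{-19}$ rather than the rounded $10^{-19}$ used in the text, so the $X = 2^{50}$ figure comes out near 0.965 instead of 0.9717, while the $X = 2^{40}$ figure agrees with 0.99997.

```python
import math

N = 256   # the paper's N (RC4 permutation size)


def absab_bias(G, n=N):
    """Theorem 10 [10]: relative bias b_G of the ABSAB event with a G-byte gap S."""
    return math.exp((-4 - 8 * G) / n) / n


def discrimination(g_max, n=N):
    """Lemma 1 [10]: D = sum_i p_i * b_i^2 over the gap events G = 0..g_max, each of
    which has base probability p = 1/N^2 (two bytes of a uniform stream coincide)."""
    p = 1.0 / n ** 2
    return sum(p * absab_bias(G, n) ** 2 for G in range(g_max + 1))


def samples_needed(D, alpha):
    """Lemma 2 [10]: samples needed to distinguish two distributions with
    discrimination D at success rate 1 - alpha in both directions."""
    return (1.0 / D) * (1.0 - 2.0 * alpha) * math.log2((1.0 - alpha) / alpha)


def error_rate(D, samples):
    """Invert Lemma 2: the alpha at which `samples` suffice. samples_needed grows
    monotonically in t = -log2(alpha), so bisect on t in [1, 1000] (example's own bounds)."""
    lo, hi = 1.0, 1000.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if samples_needed(D, 2.0 ** -mid) < samples:
            lo = mid
        else:
            hi = mid
    return 2.0 ** -((lo + hi) / 2.0)


def full_recovery_probability(alpha, extra_bytes, n=N):
    """Section 5.2: each byte after P_257 beats its N - 1 wrong candidates with
    probability (1 - alpha)^(N-1); X bytes give (1 - alpha)^((N-1) X). Evaluated as
    exp(k * log1p(-alpha)) because 1 - alpha rounds to exactly 1.0 in floating point."""
    return math.exp((n - 1) * extra_bytes * math.log1p(-alpha))


def section5_figures(g_max=63, log2_ciphertexts=34):
    """Reproduce D, the error rate alpha of Pr_distinguish = 1 - alpha, and the
    X = 2^40 / 2^50 success probabilities for G_MAX = 63 and 2^34 ciphertexts."""
    D = discrimination(g_max)
    alpha = error_rate(D, 2.0 ** log2_ciphertexts)
    return {
        "log2_D": math.log2(D),                                      # paper reports -28.0
        "alpha": alpha,                                              # paper rounds to 1e-19
        "success_2^40": full_recovery_probability(alpha, 2 ** 40),   # paper reports 0.99997
        "success_2^50": full_recovery_probability(alpha, 2 ** 50),   # paper reports 0.97170
    }


if __name__ == "__main__":
    for g in (7, 15, 31, 63, 127):
        print(f"G_MAX = {g:3d}: log2 D = {math.log2(discrimination(g)):.3f}")
    fig = section5_figures()
    print(f"alpha = {fig['alpha']:.3e}, success(2^40) = {fig['success_2^40']:.5f}, "
          f"success(2^50) = {fig['success_2^50']:.5f}")
```

The loop over $G_{MAX}$ in the usage block shows the convergence claim directly: doubling $G_{MAX}$ from 63 to 127 raises $D$ by under two percent, because the geometric factor $e^{-16G/N}$ in $p_G b_G^2$ has already decayed by $e^{-4}$.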

6 Conclusion

In this paper, we have evaluated the practical security of RC4 in the broadcast setting. After introducing four new biases of the RC4 keystream, i.e., the conditional bias of $Z_1$, the biases $Z_3 = 131$ and $Z_r = r$ for $3 \le r \le 255$, and the extended keylength-dependent biases, a cumulative list of the strongest known biases in $Z_1, Z_2, \ldots, Z_{257}$ is given. Then we demonstrated a practical plaintext recovery attack using our bias set by a computer experiment. As a result, most bytes of $P_1, P_2, \ldots, P_{257}$ could be extracted with probability more than 0.8 using $2^{32}$ ciphertexts encrypted with randomly-chosen keys. Finally, we have proposed an efficient method to extract bytes of plaintexts after $P_{258}$. Our attack is able to recover any plaintext byte from only ciphertexts generated using different keys. For example, the first $2^{50}$ bytes of the plaintext are expected to be recovered from $2^{34}$ ciphertexts with high probability.

Note that our attack on broadcast RC4, as proposed in this paper, relies on the sequential recovery of plaintext bytes. If the initial 256/512/768 bytes of the keystream are discarded by the protocol, as recommended for RC4 usage [14], our attack no longer works. However, widely-used protocols such as SSL/TLS use the initial bytes of the keystream. For SSL/TLS, the broadcast setting is converted into the multi-session setting, where the target plaintext block is repeatedly sent at the same position in the plaintexts of multiple SSL/TLS sessions [2].

Our evaluation reveals that broadcast RC4 is practically vulnerable to plaintext recovery attacks, as a moderate number of ciphertexts, i.e., $2^{24}$ to $2^{34}$ ciphertexts generated by different keys, leaks considerable information about the plaintext. Thus, RC4 is not to be recommended for encryption in the typical broadcast setting or in the multi-session setting of SSL/TLS.
Acknowledgments We would like to thank Sourav Sen Gupta and the anonymous referees for their fruitful comments and suggestions. We also would like to thank Tubasa Tsukaune and Atsushi Nagao for insightful discussions. This work was supported in part by a Grant-in-Aid for Scientific Research (C) (KAKENHI 23560455) from the Japan Society for the Promotion of Science and by the Cryptography Research and Evaluation Committee (CRYPTREC).

References
1. Eli Biham and Yaniv Carmeli. Efficient Reconstruction of RC4 Keys from Internal States. In Kaisa Nyberg, editor, FSE, volume 5086 of Lecture Notes in Computer Science, pages 270-288. Springer, 2008.
2. Brice Canvel, Alain P. Hiltgen, Serge Vaudenay, and Martin Vuagnoux. Password Interception in a SSL/TLS Channel. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 583-599. Springer, 2003.
3. Scott R. Fluhrer and David A. McGrew. Statistical Analysis of the Alleged RC4 Keystream Generator. In Bruce Schneier, editor, FSE, volume 1978 of Lecture Notes in Computer Science, pages 19-30. Springer, 2000.
4. Jovan Dj. Golic. Linear Statistical Weakness of Alleged RC4 Keystream Generator. In Walter Fumy, editor, EUROCRYPT, volume 1233 of Lecture Notes in Computer Science, pages 226-238. Springer, 1997.
5. Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar. Proof of Empirical RC4 Biases and New Key Correlations. In Ali Miri and Serge Vaudenay, editors, Selected Areas in Cryptography, volume 7118 of Lecture Notes in Computer Science, pages 151-168. Springer, 2011.
6. Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar. (Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher. Journal of Cryptology, 2012. (to appear).
7. Lars R. Knudsen, Willi Meier, Bart Preneel, Vincent Rijmen, and Sven Verdoolaege. Analysis Methods for (Alleged) RC4. In Kazuo Ohta and Dingyi Pei, editors, ASIACRYPT, volume 1514 of Lecture Notes in Computer Science, pages 327-341. Springer, 1998.
8. Subhamoy Maitra, Goutam Paul, and Sourav Sengupta. Attack on Broadcast RC4 Revisited. In Antoine Joux, editor, FSE, volume 6733 of Lecture Notes in Computer Science, pages 199-217. Springer, 2011.
9. Itsik Mantin. Analysis of the stream cipher RC4. Master's Thesis, The Weizmann Institute of Science, Israel, 2001. http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html.
10. Itsik Mantin. Predicting and Distinguishing Attacks on RC4 Keystream Generator. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 491-506. Springer, 2005.
11. Itsik Mantin and Adi Shamir. A Practical Attack on Broadcast RC4. In Mitsuru Matsui, editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 152-164. Springer, 2001.
12. Mitsuru Matsui. Key Collisions of the RC4 Stream Cipher. In Orr Dunkelman, editor, FSE, volume 5665 of Lecture Notes in Computer Science, pages 38-50. Springer, 2009.
13. Alexander Maximov and Dmitry Khovratovich. New State Recovery Attack on RC4. In David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 297-316. Springer, 2008.
14. Ilya Mironov. (Not So) Random Shuffles of RC4. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 304-319. Springer, 2002.
15. Goutam Paul and Subhamoy Maitra. Permutation After RC4 Key Scheduling Reveals the Secret Key. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of Lecture Notes in Computer Science, pages 360-377. Springer, 2007.
16. Souradyuti Paul and Bart Preneel. A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In Bimal K. Roy and Willi Meier, editors, FSE, volume 3017 of Lecture Notes in Computer Science, pages 245-259. Springer, 2004.
17. Pouyan Sepehrdad, Serge Vaudenay, and Martin Vuagnoux. Discovery and Exploitation of New Biases in RC4. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of Lecture Notes in Computer Science, pages 74-91. Springer, 2010.

Proof of Theorem 9

In order to prove Theorem 9, we give the following Lemma 3 and Theorem 11, which are extensions of Lemma 2 and Theorem 3 in [6]. Let $(S^K_r, i^K_r, j^K_r)$ be $(S, i, j)$ of the $r$-th round of the KSA, respectively.

Lemma 3 When $r = x\ell$ ($x = 1, 2, \ldots, 7$), where $\ell$ is the key length, the probability $\Pr(S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0)$ is approximately

$$\Pr(S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0) \approx \frac{1}{N^2} + \left(1 - \frac{1}{N^2}\right)\delta_r, \quad \text{where } \delta_r = \frac{1}{N}\left(1 - \frac{3}{N}\right)^{r-2}\left(1 - \frac{r+1}{N}\right).$$

Proof. The event $(S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0)$ consists of the following events. In the first round of the KSA, when $i^K_1 = 0$ and $j^K_1 = K[0]$, the value 0 is swapped for the value of $S^K_0[K[0]]$ with probability one. The index $j^K_1$ must satisfy $j^K_1 = K[0] \notin \{r-1, r, -r\}$, so that the values $r-1$, $r$, $-r$ are not swapped in the first round of the KSA. In addition, it is required that $K[0] \notin \{1, 2, \ldots, r-2\}$, so that the value 0 at index $K[0]$ is not touched by $i^K$ during the next $r-2$ rounds of the KSA. This happens with probability $1 - \frac{r+1}{N}$. From round 2 to $r-1$ of the KSA, $j^K_2, j^K_3, \ldots, j^K_{r-1}$ do not touch the three indices $\{r, -r, K[0]\}$. This happens with probability $\left(1 - \frac{3}{N}\right)^{r-2}$. In the $r$-th round of the KSA, if $j^K_r = -r$, which happens with probability $1/N$, the value $-r$ is swapped into index $r-1$. In the $(r+1)$-th round of the KSA, when $i^K_{r+1} = r$ and $j^K_{r+1} = j^K_r + S^K_r[r] + K[r] = -r + r + K[0] = K[0]$, the value $S^K_r[r]$ is swapped for the value $S^K_r[K[0]]$, and from the above discussion this index contains the value 0. Considering the above events to be independent, the probability that all of the above events happen together is $\delta_r = \frac{1}{N}\left(1 - \frac{3}{N}\right)^{r-2}\left(1 - \frac{r+1}{N}\right)$. Assuming that in the other cases $(S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0)$ holds with probability $1/N^2$, the probability is estimated as

$$\Pr(S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0) \approx \frac{1}{N^2} + \left(1 - \frac{1}{N^2}\right)\delta_r.$$

Figure 12 shows the major path of $S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0$.

Fig. 12. Event for bias of $S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0$. [Diagram omitted: the state $S^K$ after rounds 0, 1, $r-1$, and $r+1$ of the KSA, with $j^K_1 = K[0]$, none of $j^K_2, \ldots, j^K_{r-1}$ touching the three indices, $j^K_r = -r$, and the values $-r$ and 0 arriving at indices $r-1$ and $r$.]

Theorem 11 When $r = x\ell$ ($x = 1, 2, \ldots, 7$), the probability $\Pr(Z_r = -r \wedge S_r[j_r] = 0)$ is approximately

$$\Pr(Z_r = -r \wedge S_r[j_r] = 0) \approx \frac{1}{N^2} + \left(1 - \frac{1}{N^2}\right)\gamma_r,$$

where

$$\gamma_r = \frac{1}{N^2}\left(1 - \frac{r+1}{N}\right) \sum_{y=r+1}^{N-1} \left(1 - \frac{1}{N}\right)^{y} \left(1 - \frac{2}{N}\right)^{y-r} \left(1 - \frac{3}{N}\right)^{N-y+2r-4}.$$
Proof. From the algorithm of the PRGA, we have $j_r = j_{r-1} + S_{r-1}[r]$. Hence, $S_r[j_r] = S_{r-1}[r] = 0$ implies $j_r = j_{r-1}$. In this case, the output $Z_r$ is expressed as

$$Z_r = S_r[S_r[i_r] + S_r[j_r]] = S_r[S_{r-2}[r-1]].$$

Then, let us consider $\Pr(S_r[S_{r-2}[r-1]] = -r \wedge S_r[j_r] = 0)$. The major path for the joint event $(S^K_{r+1}[r-1] = -r \wedge S^K_{r+1}[r] = 0)$ constitutes the first part of our main path leading to the target event. The second part can be constructed as follows. For an index $y \in [r+1, N-1]$, if the $j^K$ do not touch the index $y$, we have $S^K_y[y] = y$ with probability $\left(1 - \frac{1}{N}\right)^{y}$. From round $r+2$ to $y$ of the KSA, the $j^K$ do not touch the two indices $\{r-1, r\}$. This happens with probability $\left(1 - \frac{2}{N}\right)^{y-r-1}$. In the $(y+1)$-th round of the KSA, if $j^K_{y+1} = r-1$, which happens with probability $1/N$, the value $y$ is swapped for the value $-r$. Then the value $-r$ moves to $S^K_{y+1}[y] = S^K_{y+1}[S^K_{y+1}[r-1]]$. For the remaining $N-y-1$ rounds of the KSA and for the first $r-1$ rounds of the PRGA, the $j^K$ or $j$ values should not touch the indices $\{r-1, S[r-1], r\}$. This happens with probability $\left(1 - \frac{3}{N}\right)^{N-y+r-2}$. Now we have $(S_{r-1}[S_{r-2}[r-1]] = -r \wedge S_{r-1}[r] = 0)$. Then we also need $j_r \notin \{r-1, y\}$ for $S_r[S_{r-2}[r-1]] = -r$. The probability of this condition is $1 - \frac{2}{N}$. Then, from the algorithm of the PRGA, the output is $Z_r = S_r[S_{r-2}[r-1]] = -r$. Considering the above events to be independent, the probability that the second-part events happen together is

$$\epsilon_r = \frac{1}{N} \sum_{y=r+1}^{N-1} \left(1 - \frac{1}{N}\right)^{y} \left(1 - \frac{2}{N}\right)^{y-r} \left(1 - \frac{3}{N}\right)^{N-y+r-2}.$$

Then the probability that all of the events happen together is estimated as

$$\gamma_r = \delta_r \cdot \epsilon_r = \frac{1}{N^2}\left(1 - \frac{r+1}{N}\right) \sum_{y=r+1}^{N-1} \left(1 - \frac{1}{N}\right)^{y} \left(1 - \frac{2}{N}\right)^{y-r} \left(1 - \frac{3}{N}\right)^{N-y+2r-4}.$$

Assuming that in the other cases $Z_r = -r \wedge S_r[j_r] = 0$ holds with probability $1/N^2$, the probability $\Pr(Z_r = -r \wedge S_r[j_r] = 0)$ is approximately

$$\Pr(Z_r = -r \wedge S_r[j_r] = 0) \approx \frac{1}{N^2} + \left(1 - \frac{1}{N^2}\right)\gamma_r.$$

Figures 13 and 14 show the major path of $Z_r = -r \wedge S_r[j_r] = 0$.

Fig. 13. Event for bias of $Z_r = -r \wedge S_r[j_r] = 0$ on the KSA. [Diagram omitted: none of $j^K_1, \ldots, j^K_y$ touches index $y$; the swap in round $y+1$ moves $-r$ from index $r-1$ to index $y$; none of the remaining $j^K$ touches the three indices.]

Fig. 14. Event for bias of $Z_r = -r \wedge S_r[j_r] = 0$ on the PRGA. [Diagram omitted: none of $j_1, \ldots, j_{r-1}$ touches the three indices, $j_{r-1} = j_r$, and $Z_r = S_r[S_r[r] + S_r[j_r]] = S_r[y] = -r$.]

Using these extended joint events, Theorem 9 is proved as follows.

Proof. We can write $\Pr(Z_r = -r) = \Pr(Z_r = -r \wedge S_r[j_r] = 0) + \Pr(Z_r = -r \wedge S_r[j_r] \ne 0)$, where the first term is given by Theorem 11. When $S_r[j_r] \ne 0$, the event $Z_r = -r$ can be assumed to hold with probability $1/N$. Then, the probability $\Pr(Z_r = -r)$ is estimated as

$$\Pr(Z_r = -r) \approx \frac{1}{N^2} + \left(1 - \frac{1}{N^2}\right)\gamma_r + (1 - \gamma_r)\,\frac{1}{N}.$$
