Abstract. In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover

practical ciphertext-only attack on RC4 in some broadcast applications, in which the same plaintext is sent to multiple recipients under different keys.

only 234 ciphertexts. Key words: RC4, broadcast setting, plaintext recovery attack, bias, experimentally-verified attack 1

an adaptive adversary who can choose which parties to corrupt as the protocol progresses. Moreover, they prove an impossibility result for adaptively secure broadcast in their setting. We argue that the communication model adopted by Hirt and Zikas is unrealistically pessimistic. We revisit the problem

Abstract. In this paper we revisit a known but ignored weakness of the RC4 keystream generator, where secret state info leaks to the generated keystream, and show that this leakage, also known as Jenkins’ correlation or the RC4 glimpse, can be used to attack RC4 in several modes. Our main result

Abstract not found

I would like to thank Prof. Dr. Torsten Braun, head of the Computer Network and Distributed Systems group (RVS), for supervising this work and for his insightful advises. Prof. Dr. Torsten Braun encouraged and motivated me to publish my research results and he provided me the opportunity to present the work on various conferences, for which I thank him. I would also like to thank Prof. Dr. Roger Wattenhofer, responsible for the Koreferat of this work. Also, Prof. Dr. Oscar Nierstrasz who was willing to be the co-examinator of this work deserves many thanks. Many thanks go to my colleagues of the RVS group and of the IAM for our various interesting discussions about all kinds of topics and for making the institute a very pleasant and friendly place to work at. Special thanks go to David Steiner, Marc Steinemann, Matthias Scheidegger, Florian Baumgartner, Ruy De Oliveira, and Attila Weyland. There are many students who worked with me and helped a lot in developing and implementing. Among them I especially thankful to Thomas Bernoulli,

. This gap is not necessarily determined by a constant factor as a function of the false positive and negative rate, as one would expect. Rather this gap is also a function of the number of samples of the distinguishing attack. We perform a case study on RC4 stream cipher to demonstrate that the typical

to the dependence of the first two bytes of the RC4 key in WPA, both derived from the same byte of the IV. Our result on the nature of the first keystream byte provides a significantly improved distinguisher for RC4 used in WPA than what had been pre-sented by Sepehrdad et al. (2011-12). Further, we revisit

the observation by Mironov [CRYPTO 2002]. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4 stream cipher.