Toshihiro Ohigashi

Full Plaintext Recovery Attack on Broadcast RC4

This paper investigates the practical security of RC4 in broadcast setting where the same plaintext is encrypted with different user keys. We introduce several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases. Combining the new biases with the known ones, a cumulative list of strong biases in the first 257 bytes of the RC4 keystream is constructed. We demonstrate a plaintext recovery attack using our strong bias set of initial bytes by the means of a computer experiment. Almost all of the first 257 bytes of the plaintext can be recovered, with probability more than 0.8, using only \(2^{32}\) ciphertexts encrypted by randomly-chosen keys. We also propose an efficient method to extract later bytes of the plaintext, after the 258th byte. The proposed method exploits our bias set of first 257 bytes in conjunction with the digraph repetition bias proposed by Mantin in EUROCRYPT 2005, and sequentially recovers the later bytes of the plaintext after recovering the first 257 bytes. Once the possible candidates for the first 257 bytes are obtained by our bias set, the later bytes can be recovered from about \(2^{34}\) ciphertexts with probability close to 1.

How to Recover Any Byte of Plaintext on RC4

In FSE 2013, Isobe et al. proposed efficient plaintext recovery attacks on RC4 in the broadcast setting where the same plaintext is encrypted with different user keys. Their attack is able to recover first 1000 terabytes of a plaintext with probability of almost one, given

Some Proofs of Joint Distributions of Keystream Biases in RC4

2^{34}

Implementation and Evaluation of Secure Outsourcing Scheme for Secret Sharing Scheme on Cloud Storage Services

ciphertexts encrypted by different keys. Since their attack essentially exploits biases in the initial 1st to 257th bytes of the keystream, it does not work any more if such initial bytes are disregarded. This paper proposes two advanced plaintext recovery attacks that can recover any byte of a plaintext without relying on initial biases, i.e., our attacks are feasible even if initial bytes of the keystream are disregarded. The first attack is the modified Isobe et al.s attack. Using the partial knowledge of the target plaintext, e.g., only 6 bytes of the plaintext, the other bytes can be recovered with the high probability from

Slide Property of RAKAPOSHI and Its Application to Key Recovery Attack

2^{34}

A Practical Message Falsification Attack on WPA

ciphertexts. The second attack does not require any previous knowledge of a plaintext. In order to achieve it, we develop a guess-and-determine plaintext recovery method based on two strong long-term biases. Given