Security of RC4 Stream Cipher

A Plaintext Recovery Attack on Broadcast RC4
(e.g. the multi-session attack on RC4 in SSL/TLS)

We published a first plaintext recovery attack on RC4 in the broadcast setting, where the same plaintext is encrypted under different user keys, at FSE 2013 (earlier than the AlFardan-Bernstein-Paterson-Poettering-Schuldt results).

[1] Takanori ISOBE, Toshihiro OHIGASHI, Yuhei WATANABE, and Masakatu MORII, "Full Plaintext Recovery Attack on Broadcast RC4," Proc. of the 20th International Workshop on Fast Software Encryption (FSE 2013), Mar. 10-13, 2013. (Submission deadline: November 12, 2012)

The broadcast setting is easily converted into the multi-session setting of SSL/TLS.

A summary of the results of our paper is as follows

In addition, we give theoretical reasons why the first 255 bytes of the keystream have such strong biases.
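An added illustration of the broadcast setting (not code from the paper or its authors): one constructed plaintext is encrypted under many independent random 128-bit keys, and the second plaintext byte is recovered by majority vote over the ciphertexts. It uses only the well-known Mantin-Shamir bias (the second keystream byte equals 0 with probability about 2/256 instead of 1/256), one instance of the early-keystream biases mentioned above; the function names, key size, seed and sample plaintext are assumptions.

```python
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then n keystream bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def broadcast_counts(plaintext: bytes, sessions: int, pos: int, seed: int = 1) -> Counter:
    """Encrypt the same plaintext under `sessions` random 128-bit keys and
    count the ciphertext values observed at 1-based byte position `pos`."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    counts = Counter()
    for _ in range(sessions):
        key = rng.getrandbits(128).to_bytes(16, "big")
        z = rc4_keystream(key, pos)[pos - 1]
        counts[plaintext[pos - 1] ^ z] += 1
    return counts


def guess_byte(counts: Counter) -> int:
    """Keystream byte 2 is biased towards 0, so the most frequent ciphertext
    value at that position is the most likely plaintext value."""
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    secret = b"GET / HTTP/1.1"  # constructed sample plaintext
    sessions = 1 << 15
    counts = broadcast_counts(secret, sessions, pos=2)
    guess = guess_byte(counts)
    print(f"uniform expectation per value: {sessions / 256:.0f}")
    print(f"count for most frequent value: {counts[guess]}")
    print(f"recovered byte 2: {chr(guess)!r}, actual: {chr(secret[1])!r}")
```

No key is ever recovered here: the plaintext leaks purely from the keystream distribution, which is why fresh per-session keys do not protect data repeated at a fixed early position.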

The pre-proceedings version of this paper and its slides are available at (paper) and (slide).


This web page is a tentative one, and we will move it to another web server in a few days/weeks.

Updating Information