State recovery of RC4 and Spritz Revisited

We provide an improved complexity analysis of backtracking-based state recovery attacks on RC4 and Spritz. Compared with known results on Spritz, our analysis shows a significantly lower complexity estimate for the simple state recovery attack as well as the special state recovery attack. We validated the estimates by performing experiments for selected feasible parameters. We also propose a prefix check optimization for the simple state recovery attack on Spritz. We believe that the simple state recovery attack with this optimization and the so-called “change order” optimization, inspired by the attack of Knudsen et al. on RC4, currently constitutes the best state recovery attack on Spritz (when no special state is observed).
