RC4 is a widely-used stream cipher, adopted in many standard protocols, such as WEP, WPA and SSL/TLS, as a standard encryption algorithm. Isobe et al. proposed a plaintext recovery attack on RC4 in the broadcast setting, where the same plaintext is encrypted with different secret keys. Their attack is able to recover the first 257bytes by exploiting the biases of the initial bytes of a keystream. In this paper, we propose two types of full plaintext recovery attacks that are able to recover all the bytes, even after the 258th byte, of a plaintext, unlike Isobe et al.'s attack. To achieve this, we combine the use of multiple keystream biases appropriately. The first attack utilizes the initial byte biases and Mantin's long-term bias. This attack can recover the first 1000 terabytes of a plaintext from 234 ciphertexts with a probability of almost one. The second attack is based on two long-term biases. Since this attack does not rely on the biases of the initial bytes of the RC4 keystream, it can recover any byte of a plaintext, even if the initial bytes are disregarded. Given 235 ciphertexts encrypted by different keys, any byte of a target plaintext can be recovered with a probability close to one.

A variant of the self-shrinking generator (SSG) proposed at ICISC 2006, which we call SSG-XOR, was claimed to have better cryptographic properties than SSG in a practical setting. It was also claimed that SSG-XOR will be more secure than SSG. But we show that SSG-XOR has no advantage over SSG from the viewpoint of practical cryptanalysis, especially the guess-and-determine attack.

Guess-and-Determine (GD) attacks have recently been proposed for the effective analysis of word-oriented stream ciphers. This paper discusses GD attacks on clock-controlled stream ciphers, which use irregular clocking for a non-linear function. The main focus is the analysis of irregular clocking for GD attacks. We propose GD attacks on a typical clock-controlled stream cipher AA5, and calculate the process complexity of our proposed GD attacks. In the attacks, we assume that the clocking of linear feedback shift registers (LFSRs) is truly random. An important consideration affecting the practicality of these attacks is the question of whether these assumptions are realistic. Because in practice, the clocking is determined by the internal states. We implement miniature ciphers to evaluate the proposed attacks, and show that they are applicable. We also apply the GD attacks to other clock controlled stream ciphers and compare them. Finally, we discuss some properties of GD attacks on clock-controlled stream ciphers and the effectiveness of the clock controllers. Our research results contain information that are useful in the design of clock-controlled stream ciphers.