(Not So) Random Shuffles of RC4

  • Ilya Mironov
Conference paper

DOI: 10.1007/3-540-45708-9_20

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)
Cite this paper as:
Mironov I. (2002) (Not So) Random Shuffles of RC4. In: Yung M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg


Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.

Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Ilya Mironov
    • 1
  1. 1.Computer Science DepartmentStanford UniversityUSA

Personalised recommendations