Advances in Cryptology — CRYPTO 2002

Volume 2442 of the series Lecture Notes in Computer Science pp 304-319


(Not So) Random Shuffles of RC4

  • Ilya MironovAffiliated withComputer Science Department, Stanford University


Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.