Settling the mystery of Z_r = r in RC4

  • Sabyasachi Dey
  • Santanu Sarkar


In this paper, we first use a probability transition matrix to revisit the work of Mantin on finding the probability distribution of the RC4 permutation after the completion of the KSA. We then extend the same idea to analyse the probabilities during any iteration of the Pseudo Random Generation Algorithm (PRGA). Next, we study the bias of Z_r = r (where Z_r is the r-th output keystream byte), which is one of the significant biases observed in the RC4 output keystream. This bias played an important role in the plaintext recovery attack proposed by Isobe et al. at FSE 2013. However, an accurate theoretical explanation of the bias of Z_r = r is still a mystery: several attempts have been made to prove this bias, but none of them provides an accurate justification. Here, using the results obtained with the probability transition matrix, we justify the bias of Z_r = r accurately and settle this issue. The bias obtained from our proof matches the experimental observations perfectly.
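The event the abstract studies can be measured directly. The following is an added example, not code from the paper: a minimal RC4 (KSA followed by PRGA) with an empirical estimator of Pr[Z_r = r] over random keys. It assumes r counts output bytes from 1 and uses 16-byte keys drawn from a seeded PRNG as constructed input; the function names are illustrative.

```python
import random

N = 256  # RC4 state size


def ksa(key):
    """Key Scheduling Algorithm: key-dependent shuffle of the identity permutation."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, count):
    """Pseudo Random Generation Algorithm: return [Z_1, ..., Z_count]; S is updated in place."""
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out


def estimate_zr_equals_r(rounds, trials, key_len=16, seed=1):
    """Empirical Pr[Z_r = r] for r = 1..rounds over `trials` random keys."""
    rng = random.Random(seed)  # seeded so runs are repeatable (constructed input)
    hits = [0] * (rounds + 1)  # index 0 unused: the first output byte is Z_1
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        z = prga(ksa(key), rounds)
        for r in range(1, rounds + 1):
            if z[r - 1] == r:
                hits[r] += 1
    return {r: hits[r] / trials for r in range(1, rounds + 1)}


if __name__ == "__main__":
    est = estimate_zr_equals_r(rounds=8, trials=20000)
    for r, p in est.items():
        print(f"r={r}: Pr[Z_r = r] ~ {p:.5f}  (uniform would be {1 / N:.5f})")
```

The deviation from 1/256 is small, so the quick run above mostly shows sampling noise; resolving the bias empirically takes a far larger number of keys.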


Cryptanalysis, KSA, PRGA, RC4, Bias, Stream cipher



We are sincerely thankful to the anonymous reviewers for their detailed review comments. Their suggestions improved the editorial quality of the paper.


  1. AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., Schuldt, J.: On the security of RC4 in TLS. In: USENIX 2013, pp. 305–320 (2013)
  2. Biham, E., Carmeli, Y.: Efficient reconstruction of RC4 keys from internal states. In: FSE 2008, LNCS 5086, pp. 270–288 (2008)
  3. Banik, S., Isobe, T.: Cryptanalysis of the full Spritz stream cipher. In: FSE 2016, LNCS 9783, pp. 63–77 (2016)
  4. Bricout, R., Murphy, S., Paterson, K.G., van der Merwe, T.: Analysing and Exploiting the Mantin Biases in RC4. Des. Codes Crypt. 86(4), 743–770 (2018)
  5. Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. SAC Toronto, Ontario, Canada, August 16–17 (2001)
  6. Fluhrer, S.R., McGrew, D.A. (2000)
  7. Jha, S., Banik, S., Isobe, T., Ohigashi, T.: Some proofs of joint distribution of keystream biases in RC4. In: INDOCRYPT 2016, LNCS, vol. 10095, pp. 305–321 (2016)
  8. Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: FSE LNCS, vol. 8424, pp. 179–202 (2013)
  9. Klein, A.: Attacks on the RC4 stream cipher. Des. Codes Crypt. 48(3), 269–286 (2008)
  10. Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis methods for (alleged) RC4. In: ASIACRYPT 1998, LNCS, pp. 327–341 (1514)
  11. Maitra, S., Paul, G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: FSE 2008, LNCS, vol. 5086, pp. 253–269 (2008)
  12. Maitra, S., Paul, G., Sengupta, S.: Attack on broadcast RC4 revisited. In: FSE LNCS, vol. 6733, pp. 199–217 (2011)
  13. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: FSE LNCS, vol. 2355, pp. 152–164 (2001)
  14. Mantin, I.: Analysis of the stream cipher RC4. Master’s Thesis. The Weizmann Institute of Science, Israel (2001)
  15. Maximov, A., Khovratovich, D.: New State Recovery Attack on RC4. In: CRYPTO LNCS, vol. 5157, pp. 297–316 (2008)
  16. Mironov, I.: (Not So) Random Shuffles of RC4. In: CRYPTO 2002, LNCS, vol. 2442, pp. 304–319
  17. Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Big bias hunting in amazonia: Large-scale computation and exploitation of RC4 biases (Invited Paper). In: Asiacrypt 2014, LNCS 8873, pp. 398–419
  18. Paterson, K.G., Schuldt, J., Poettering, B.: Plaintext recovery attacks against WPA/TKIP. In: FSE 2014, LNCS, vol. 8540, pp. 325–349 (2014)
  19. Paul, G., Maitra, S.: Permutation after RC4 key scheduling reveals the secret key. In: SAC LNCS, vol. 4876, pp. 360–377 (2007)
  20. Paul, G., Ray, S.: On data complexity of distinguishing attacks versus message recovery attacks on stream ciphers. Des. Codes Crypt. 86(6), 1211–1247 (2018)
  21. Paul, G., Ray, S.: Analysis of burn-in period for RC4 state transition. Cryptogr. Commun. 10(5), 881–908 (2018)
  22. Rivest, R.L., Schuldt, J.C.N.: Spritz - a spongy RC4-like stream cipher and hash function.
  23. Sengupta, S., Maitra, S., Meier, W., Paul, G., Sarkar, S.: Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA. In: FSE 2014, LNCS 8540, pp. 350–369
  24. Sengupta, S., Maitra, S., Paul, G., Sarkar, S.: (Non-)random sequences from (Non-)random permutations - analysis of RC4 stream cipher. J. Cryptol. 27(1), 67–108 (2014)
  25. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. SAC LNCS 6632, 343–363 (2010)
  26. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4 - distinguishing WPA. EUROCRYPT LNCS 6632, 343–363 (2011)
  27. Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Smashing WEP in a Passive Attack. In: FSE 2013, LNCS, vol. 8424, pp. 155–178
  28. Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Tornado attack on RC4 with applications to WEP & WPA. IACR Cryptology ePrint Archive (2015)
  29. Vanhoef, M., Piessens, F.: All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS. USENIX 2016, pp. 1–16 (2016)

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. Department of Mathematics, Indian Institute of Technology Madras, Chennai, India
