(Not So) Random Shuffles of RC4

  • Ilya Mironov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.


Variation Distance Stream Cipher Output Stream Statistical Anomaly Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Dia88.
    P. Diaconis. Group Representations in Probability and Statistics. Lecture Notes-Monograph Series, vol. 11, IMS, Hayward, CA, 1988.zbMATHGoogle Scholar
  2. Dur01.
    G. Durfee. Distinguishers for the RC4 stream cipher. Manuscript, 2001.Google Scholar
  3. Fin94.
    H. Finney. An RC4 cycle that can’t happen. Post in sci.crypt, message-id 35hq1u$, 18 September, 1994.Google Scholar
  4. FM00.
    S. Fluhrer and D. McGrew. Statistical analysis of the alleged RC4 keystream generator. In proceedings Fast Software Encryption 2000, pp. 19–30, Lecture Notes in Computer Science, vol. 1978, Springer-Verlag, 2000.Google Scholar
  5. FMS01.
    S. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the key scheduling algorithm of RC4. In proceedings SAC 2001, pp. 1–24, Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.Google Scholar
  6. Gold01.
    O. Goldreich. The Foundations of Cryptography. Basic tools. Cambridge University Press, Cambridge, England, 2001.Google Scholar
  7. GM01.
    D. Goldstein and D. Moews. The identity is the most likely exchange shuffle for large n. available from Scholar
  8. Goli97.
    J. Golić. Linear statistical weakness of alleged RC4 keystream generator. In proceedings Eurocrypt’ 97, LNCS 1233, Springer-Verlag, 1997.Google Scholar
  9. Gro77.
    J. Grossman. Problem E 2645. Amer. Math. Month., vol. 84(3), p. 217, 1977.CrossRefGoogle Scholar
  10. GW00.
    A. Grosul and D. Wallach. A related-key analysis of RC4. TR00-358, Rice University, 2000.Google Scholar
  11. K+98.
    L. Knudsen, W. Meier, B. Preneel, V. Rijmen, and S. Verdoolaege. Analysis methods for (alleged) RC4. In proceedings Asiacrypt’ 98, Lecture Notes in Computer Science, vol. 1514, Springer-Verlag, 1998.Google Scholar
  12. Knu75.
    D. Knuth. The Art of Computer Programming. Second Edition. Addison-Wesley, Reading, MA, 1975.Google Scholar
  13. Man01.
    I. Mantin. Analysis of the stream cipher RC4. Master’s Thesis, Weizmann Insitute, Israel, 2001.Google Scholar
  14. MS01.
    I. Mantin and A. Shamir. A practical attack on broadcast RC4. In proceedings Fast Software Encryption 2001, Springer-Verlag, 2001.Google Scholar
  15. Mat88.
    P. Matthews. A strong uniform time for random transpositions. Journal of Theoretical Probability, vol. 1(4), 1988.Google Scholar
  16. Mir02.
    I. Mironov. (Not So) Random Shuffles of RC4. Full version of this paper. Cryptology ePrint Archive, Report 2002/106, available from, 2002.
  17. Mis98.
    S. Mister. Cryptanalysis of RC4-like ciphers. Master’s Thesis, Queen’s University, Kingston, Ontario, Canada. May 1998.Google Scholar
  18. MT98.
    S. Mister and S. Tavares. Cryptanalysis of RC4-like ciphers. In proceedings SAC’ 98, Fifth Annual Workshop on Selected Areas in Cryptography, 1998.Google Scholar
  19. Riv01.
    R. Rivest. RSA Security response to weaknesses in key scheduling algorithm of RC4. Technical note available from RSA Security, Inc. site., 2001.
  20. RB81.
    D. Robbins and E. Bolker. The bias of three pseudo-random shuffles. Acquationes Mathematicae, vol. 22, pp. 268–292, 1981.zbMATHCrossRefMathSciNetGoogle Scholar
  21. Roo95.
    A. Roos. Class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$ and 44ebge$, 1995.Google Scholar
  22. Rue86.
    R. Rueppel. Analysis and Design of Stream Ciphers. Springer-Verlag, 1986.Google Scholar
  23. Sal01.
    L. Saloff-Coste, Probability on groups: random walks and invariant diffusions. Notices of the American Mathemtatical Society, vol. 48(9), pp. 968–977. 2001.zbMATHMathSciNetGoogle Scholar
  24. SS92.
    F. Schmidt and R. Simion, Card shuffling and a transformation on S n. Acquationes Mathematicae, vol. 44, pp. 11–34, 1992.zbMATHCrossRefMathSciNetGoogle Scholar
  25. SIR02.
    A. Stubblefield, J. Ioannidis, and A. Rubin. Using the Fluhrer, Mantin, and Shamir attack to break WEP. In proceedings NDSS’ 02. 2002.Google Scholar
  26. Tho65.
    E. Thorp. Problem E 1763. Amer. Math. Month., vol. 72(2), p. 183, 1965.CrossRefMathSciNetGoogle Scholar
  27. Wag95.
    D. Wagner. My RC4 weak keys. Post in sci.crypt, message-id 447o1l$cbj@cnn.princeton.EDU, 26 September, 1995.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Ilya Mironov
    • 1
  1. 1.Computer Science DepartmentStanford UniversityUSA

Personalised recommendations