(Not So) Random Shuffles of RC4
Most guidelines for implementing the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation rests on the empirical observation that known attacks either apply to RC4 output starting at any point, or become harmless once these initial bytes are dropped. The goal of this paper is a conservative estimate of how many bytes should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it by applying the theory of random shuffles. Based on our analysis of the model we recommend discarding at least 512 bytes.
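The following is an added example, not code from the paper: a plain RC4 implementation (key scheduling plus output generation) with a `drop` parameter for the number of initial keystream bytes to discard, and a small experiment that measures one of the well-known early-keystream anomalies the abstract alludes to, the Mantin-Shamir bias of the second output byte Z2 towards 0 (probability about 2/256 instead of 1/256). The experiment compares that byte with the corresponding byte after 256 bytes have been discarded. The 10,000 random 16-byte keys, the seed, and the function names are constructed for this example; the paper's idealized random-shuffle model is not reproduced here.

```python
"""RC4 with a configurable discard of initial keystream bytes (RC4-drop[n]),
plus a measurement of the second-output-byte bias that the discard removes.
Added example; not the paper's code."""
import random


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the initial 256-entry permutation S."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be between 1 and 256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n keystream bytes after discarding the first `drop` bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:  # bytes before `drop` are generated but never emitted
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def zero_rates(num_keys: int = 10000, positions=(1, 257), seed: int = 1) -> dict:
    """Fraction of random 16-byte keys (constructed input, fixed seed) whose
    keystream byte at each 0-based position is 0. Position 1 is Z2, where
    Mantin and Shamir showed P[Z2 = 0] is roughly 2/256; position 257 is the
    second byte after the first 256 have been discarded."""
    rng = random.Random(seed)
    need = max(positions) + 1
    hits = {p: 0 for p in positions}
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, need)
        for p in positions:
            if ks[p] == 0:
                hits[p] += 1
    return {p: hits[p] / num_keys for p in positions}


if __name__ == "__main__":
    # Known-answer check: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    rates = zero_rates()
    print("P[Z2 = 0]            ~", rates[1], "(uniform would be", 1 / 256, ")")
    print("P[byte 258 = 0]      ~", rates[257])
```

The known-answer vector guards the implementation; the measured rate at position 1 should sit near 0.0078 while the rate at position 257 should sit near the uniform 0.0039, which is exactly the kind of early-keystream anomaly that motivates discarding output before use. The paper's point is that 256 is not necessarily enough, hence its recommendation of at least 512.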
Keywords: Variation Distance, Stream Cipher, Output Stream, Statistical Anomaly, Fast Software Encryption