New State Recovery Attack on RC4

  • Alexander Maximov
  • Dmitry Khovratovich
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5157)


The stream cipher RC4 was designed by R. Rivest in 1987, and it is a widely deployed cipher. In this paper we analyse the class RC4-N of RC4-like stream ciphers, where N is the modulus of operations, as well as the length of internal arrays. Our new attack is a state recovery attack which accepts the keystream of a certain length, and recovers the internal state. For the reduced RC4-100, our attack has total complexity of around 293 operations, whereas the best previous attack (from Knudsen et al.) needs 2236 of time.

The complexity of the attack applied to the original RC4-256 depends on the parameters of specific states (patterns), which are in turn hard to discover. Extrapolated parameters from smaller patterns give us the attack of complexity about 2241, and it is much smaller than the complexity of the best known previous attack 2779. The algorithm of the new attack was implemented and verified on small cases.


RC4 state recovery attack key recovery attack 


  1. [BC08]
    Biham, E., Carmeli, Y.: Efficient reconstruction of rc4 keys from internal states. In: Fast Software Encryption 2008. Lecture Notes in Computer Science. Springer, Heidelberg (to appear, 2008)Google Scholar
  2. [FM00]
    Fluhrer, S.R., McGrew, D.A.: Statistical analysis of the alleged RC4 keystream generator. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. [Gol97]
    Golić, J.D.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg (1997)Google Scholar
  4. [KMP+98]
    Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis methods for (alleged) RC4. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 327–341. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  5. [Man01]
    Mantin, I.: Analysis of the stream cipher RC4. Master’s thesis, The Weizmann Institute of Science, Department of Applied Math and Computer Science, Rehovot 76100, Israel (2001)Google Scholar
  6. [Man05]
    Mantin, I.: Predicting and distinguishing attacks on RC4 keystream generator. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 491–506. Springer, Heidelberg (2005)Google Scholar
  7. [Max05]
    Maximov, A.: Two linear distinguishing attacks on VMPC and RC4A and weakness of RC4 family of stream ciphers. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 342–358. Springer, Heidelberg (2005)Google Scholar
  8. [MK08]
    Maximov, A., Khovratovich, D.: New state recovery attack on RC4 (accessed May 27, 2008) (2008),
  9. [MS01]
    Mantin, I., Shamir, A.: Practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. [MT98]
    Mister, S., Tavares, S.E.: Cryptanalysis of RC4-like ciphers. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 131–143. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  11. [PP04]
    Paul, S., Preneel, B.: A new weakness in the RC4 keystream generator and an approach to improve the security of the cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004)Google Scholar
  12. [Sch96]
    Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edn. John Wiley&Sons, New York (1996)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Alexander Maximov
    • 1
  • Dmitry Khovratovich
    • 1
  1. 1.Laboratory of Algorithmics, Cryptology and SecurityUniversity of LuxembourgLuxembourg

Personalised recommendations