Abstract
Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.
Supported by NSF contract #CCR-9732754.
© 2002 Springer-Verlag Berlin Heidelberg
Mironov, I. (2002). (Not So) Random Shuffles of RC4. In: Yung, M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45708-9_20
DOI: https://doi.org/10.1007/3-540-45708-9_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44050-5
Online ISBN: 978-3-540-45708-4