Cryptology ePrint Archive: Report 2002/067

(Not So) Random Shuffles of RC4

Ilya Mironov

Abstract: Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.

Category / Keywords: secret-key cryptography / stream ciphers, RC4, random shuffling,

Publication Info: Crypto'02

Date: received 1 Jun 2002

Contact author: mironov at cs stanford edu

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20020603:183816 (All versions of this report)

Short URL: ia.cr/2002/067

Discussion forum: Show discussion | Start new discussion