Paper 2002/067

(Not So) Random Shuffles of RC4

Ilya Mironov

Abstract

Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.

Metadata
Available format(s)
PDF PS
Category
Secret-key cryptography
Publication info
Published elsewhere. Crypto'02
Keywords
stream ciphersRC4random shuffling
Contact author(s)
mironov @ cs stanford edu
History
2002-06-03: received
Short URL
https://ia.cr/2002/067
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2002/067,
      author = {Ilya Mironov},
      title = {(Not So) Random Shuffles of RC4},
      howpublished = {Cryptology ePrint Archive, Paper 2002/067},
      year = {2002},
      note = {\url{https://eprint.iacr.org/2002/067}},
      url = {https://eprint.iacr.org/2002/067}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.