International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: (Not So) Random Shuffles of RC4

Ilya Mironov
Search ePrint
Search Google
Abstract: Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes.
  title={(Not So) Random Shuffles of RC4},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / stream ciphers, RC4, random shuffling,},
  note={Crypto'02 11839 received 1 Jun 2002},
  author={Ilya Mironov},