Statistical Analysis of the Alleged RC4 Keystream Generator

  • Scott R. Fluhrer
  • David A. McGrew
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1978)


The alleged RC4 keystream generator is examined, and a method of explicitly computing digraph probabilities is given. Using this method, we demonstrate a method for distinguishing 8-bit RC4 from randomness. Our method requires less keystream output than currently published attacks, requiring only 2^30.6 bytes of output. In addition, we observe that an attacker can, on occasion, determine portions of the internal state with nontrivial probability. However, we are currently unable to extend this observation to a full attack.



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Scott R. Fluhrer (1)
  • David A. McGrew (1)

  1. Cisco Systems, Inc., San Jose
