Weaknesses in the Key Scheduling Algorithm of RC4

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2259)


In this paper we present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. We identify a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with non-negligible probability. We use these weak keys to construct new distinguishers for RC4, and to mount related key attacks with practical complexities. Finally, we show that RC4 is completely insecure in a common mode of operation which is used in the widely deployed Wired Equivalent Privacy protocol (WEP, which is part of the 802.11 standard), in which a fixed secret key is concatenated with known IV modifiers in order to encrypt different messages. Our new passive ciphertext-only attack on this mode can recover an arbitrarily long key in a negligible amount of time which grows only linearly with its size, both for 24 and 128 bit IV modifiers.


  • Stream Cipher
  • English Text
  • Output Stream
  • Secure Socket Layer
  • Invariance Weakness

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


© 2001 Springer-Verlag Berlin Heidelberg

Cite this paper

Fluhrer, S., Mantin, I., Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds) Selected Areas in Cryptography. SAC 2001. Lecture Notes in Computer Science, vol 2259. Springer, Berlin, Heidelberg.

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-43066-7

  • Online ISBN: 978-3-540-45537-0

  • eBook Packages: Springer Book Archive