Permutation After RC4 Key Scheduling Reveals the Secret Key

  • Goutam Paul
  • Subhamoy Maitra
Conference paper

DOI: 10.1007/978-3-540-77360-3_23

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4876)
Cite this paper as:
Paul G., Maitra S. (2007) Permutation After RC4 Key Scheduling Reveals the Secret Key. In: Adams C., Miri A., Wiener M. (eds) Selected Areas in Cryptography. SAC 2007. Lecture Notes in Computer Science, vol 4876. Springer, Berlin, Heidelberg


A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes after the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos’s work (1995). Based on this analysis, an algorithm is devised to recover the l bytes (i.e., 8l bits, typically 5 ≤ l ≤ 16) secret key from the final permutation after the KSA with constant probability of success. The search requires O(2^{4l}) many operations which is the square root of the exhaustive key search complexity 2^{8l}. Further, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange kind of key scheduling.
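The bias the abstract refers to can be measured directly. The following is an added example, not code from the paper: it runs the standard RC4 KSA over constructed random keys and counts how often S[y] equals y(y+1)/2 + K[0] + ... + K[y] (mod 256), the relation from Roos's 1995 observation. The formula is taken from the literature rather than from this page, and the function names are assumptions made for the example.

```python
import random

N = 256  # RC4 permutation size


def ksa(key):
    """Standard RC4 key scheduling: returns the permutation S after N swaps."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def roos_value(key, y):
    """Key-dependent value that S[y] is biased toward (Roos, 1995)."""
    return (y * (y + 1) // 2 + sum(key[x % len(key)] for x in range(y + 1))) % N


def bias_rates(key_len=16, trials=2000, max_y=8, seed=1):
    """Fraction of random keys for which S[y] == roos_value(key, y), per index y."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible sample keys
    hits = [0] * max_y
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        S = ksa(key)
        for y in range(max_y):
            hits[y] += S[y] == roos_value(key, y)
    return [h / trials for h in hits]


if __name__ == "__main__":
    for y, rate in enumerate(bias_rates()):
        print(f"y={y}: P(S[y] = f_y) ~ {rate:.3f}  (uniform would be {1 / N:.4f})")
```

For the first few indices the measured rate is roughly a hundred times the 1/256 expected of a uniformly random permutation, which is why the state after the KSA has to be protected as carefully as the key itself.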


Keywords: Bias, Cryptanalysis, Key Scheduling, Permutation, RC4, Stream Cipher

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Goutam Paul (1)
  • Subhamoy Maitra (2)
  1. Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India
  2. Applied Statistics Unit, Indian Statistical Institute, 203, B T Road, Kolkata 700 108, India
