(LFSRs), which, while efficient in hardware, are less so in software. The design of RC4 avoids the use of LFSRs and is ideal for software implementation, as it requires only byte manipulations. It uses 256 bytes of memory for the state array, S through S, k bytes of memory for the key, key through key, and integer variables, i, j, and K. Performing a modular reduction of some value modulo 256 can be done with a
: over all the possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. If the nonce and long-term key are simply concatenated to generate the RC4 key, this long-term key can be discovered by analysing a large number of messages encrypted with this key. This and related effects were then used to break the
when Goutam Paul, Siddheshwar Rathi and Subhamoy Maitra proved the keystream–key correlation and, in another work, Goutam Paul and Subhamoy Maitra proved the permutation–key correlations. The latter work also used the permutation–key correlations to design the first algorithm for complete key reconstruction from the final permutation after the KSA, without any assumption on the key or
. This algorithm has a constant probability of success in a time, which is the square root of the exhaustive key search complexity. Subsequently, many other works have been performed on key reconstruction from RC4 internal states. Subhamoy Maitra and Goutam Paul also showed that the Roos-type biases still persist even when one considers nested permutation indices, like
, who showed that the second output byte of the cipher was biased toward zero with probability 1/128 (instead of 1/256). This is due to the fact that if the third byte of the original state is zero, and the second byte is not equal to 2, then the second output byte is always zero. Such bias can be detected by observing only 256 bytes.
Goutam Paul, Siddheshwar Rathi and Subhamoy Maitra. On Non-negligible Bias of the First Output Byte of RC4 towards the First Three Bytes of the Secret Key. Proceedings of the International Workshop on Coding and Cryptography (WCC) 2007, pages 285–294 and Designs, Codes and Cryptography Journal, pages
RC4 is a modified version of RC4 with a more complex three-phase key schedule (taking about three times as long as RC4, or the same as RC4-drop512), and a more complex output function which performs four additional lookups in the S array for each byte output, taking approximately 1.7 times as long as
In 2013, a group of security researchers at the Information Security Group at Royal Holloway, University of London reported an attack that can become effective using only 2 encrypted messages. While yet not a practical attack for most purposes, this result is sufficiently close to one that it has led
used this analysis to create aircrack-ptw, a tool that cracks 104-bit RC4 used in 128-bit WEP in under a minute. Whereas the
Fluhrer, Mantin, and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys in 40,000 frames with 50% probability, or in 85,000 frames with 95%
The complete characterization of a single step of RC4 PRGA was performed by Riddhipratim Basu, Shirshendu Ganguly, Subhamoy Maitra, and Goutam Paul. Considering all the permutations, they proved that the distribution of the output is not uniform given i and j, and as a consequence, information about
In 1995, Andrew Roos experimentally observed that the first byte of the keystream is correlated with the first three bytes of the key, and the first few bytes of the permutation after the KSA are correlated with some linear combination of the key bytes. These biases remained unexplained until 2007,
Riddhipratim Basu, Subhamoy Maitra, Goutam Paul and Tanmoy Talukdar. On Some Sequences of the Secret Pseudo-random Index j in RC4 Key Scheduling. Proceedings of the 18th International Symposium on Applied Algebra, Algebraic Algorithms and Error Correcting Codes (AAECC), 8–12 June 2009, Tarragona,
In 2016, Banik and Isobe proposed an attack that can distinguish Spritz from random noise. In 2017, Banik, Isobe, and Morii proposed a simple fix that removes the distinguisher in the first two keystream bytes, requiring only one additional memory access without diminishing software performance
alongside the key. This means that if a single long-term key is to be used to securely encrypt multiple streams, the protocol must specify how to combine the nonce and the long-term key to generate the stream key for RC4. One approach to addressing this is to generate a "fresh" RC4 key by
Subhamoy Maitra and Goutam Paul. New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. Proceedings of the 15th Fast Software Encryption (FSE) Workshop, 10–13 February 2008, Lausanne, Switzerland, pages 253–269, vol. 5086, Lecture Notes in Computer Science,
. A hardware accelerator of Spritz was published in Secrypt, 2016 and shows that due to multiple nested calls required to produce output bytes, Spritz performs rather slowly compared to other hash functions such as SHA-3 and the best known hardware implementation of RC4.
In March 2013, there were new attack scenarios proposed by Isobe, Ohigashi, Watanabe and Morii, as well as AlFardan, Bernstein, Paterson, Poettering and Schuldt, that use new statistical biases in the RC4 key table to recover plaintext from a large number of TLS encryptions.
As mentioned above, the most important weakness of RC4 comes from the insufficient key schedule; the first bytes of output reveal information about the key. This can be corrected by simply discarding some initial portion of the output stream. This is known as
. From there, it spread to many sites on the Internet. The leaked code was confirmed to be genuine, as its output was found to match that of proprietary software using licensed RC4. Because the algorithm is known, it is no longer a trade secret. The name
weakening or breaking RC4 used in SSL/TLS. The main factors in RC4's success over such a wide range of applications have been its speed and simplicity: efficient implementations in both software and hardware were very easy to develop.
algorithm is used to initialize the permutation in the array "S". "keylength" is defined as the number of bytes in the key and can be in the range 1 ≤ keylength ≤ 256, typically between 5 and 16, corresponding to a
. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output
The Fluhrer, Mantin and Shamir attack does not apply to RC4-based SSL, since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys.
Although stronger than RC4, this algorithm has also been attacked, with Alexander Maximov and a team from NEC developing ways to distinguish its output from a truly random sequence.
iterating 3 × 256 = 768 times rather than 256, and with an optional additional 768 iterations to incorporate an initial vector. The output generation function operates as follows:
Mete Akgun, Pinar Kavak, Huseyin Demirci. New Results on the Key Scheduling Algorithm of RC4. INDOCRYPT 2008, pages 40–52, vol. 5365, Lecture Notes in Computer Science, Springer.
. Dubbed the Numerous Occurrence MOnitoring & Recovery Exploit (NOMORE) attack, it is the first attack of its kind that was demonstrated in practice. Their attack against
to speculation that it is plausible that some state cryptologic agencies may already have better attacks that render RC4 insecure. Given that, as of 2013, a large amount of
, if these hypothetical better attacks exist, then this would make the TLS-with-RC4 combination insecure against such attackers in a large number of practical scenarios.
Eli Biham and Yaniv Carmeli. Efficient Reconstruction of RC4 Keys from Internal States. FSE 2008, pages 270–288, vol. 5086, Lecture Notes in Computer Science, Springer.
Protocols can defend against this attack by discarding the initial portion of the keystream. Such a modified algorithm is traditionally called "RC4-drop", where
In March 2015, researchers at Royal Holloway announced improvements to their attack, providing a 2 attack against passwords encrypted with RC4, as used in TLS.
Although the algorithm required the same number of operations per output byte, there is greater parallelism than RC4, providing a possible speed improvement.
within 75 hours. The attack against WPA-TKIP can be completed within an hour and allows an attacker to decrypt and inject arbitrary packets.
showed that the first and the second bytes of RC4 were also biased. The number of required samples to detect this bias is 2 bytes.
providing access to a random number generator originally based on RC4. The API allows no seeding, as the function initializes itself using
in 1987. While it is officially termed "Rivest Cipher 4", the RC acronym is alternatively understood to stand for "Ron's Code" (see also
In 2005, Andreas Klein presented an analysis of the RC4 stream cipher, showing more correlations between the RC4 keystream and the key.
It is noteworthy, however, that RC4, being a stream cipher, was for a period of time the only common cipher that was immune to the 2011
For as many iterations as are needed, the PRGA modifies the state and outputs a byte of the keystream. In each iteration, the PRGA:
known (all other elements can be assumed empty), then the maximum number of elements that can be produced deterministically is also
Goutam Paul and Subhamoy Maitra. Permutation after RC4 Key Scheduling Reveals the Secret Key. SAC 2007, pages 360–377, vol. 4876,
and David McGrew also showed attacks that distinguished the keystream of RC4 from a random stream given a gigabyte of output.
. S is then processed for 256 iterations in a similar way to the main PRGA, but also mixes in bytes of the key at the same time.
As of 2015, there is speculation that some state cryptologic agencies may possess the capability to break RC4 when used in the
Banik, Subhadeep; Isobe, Takanori (20 March 2016). "Cryptanalysis of the Full Spritz Stream Cipher". In Peyrin, Thomas (ed.).
is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure
. These types of biases are used in some of the later key reconstruction methods for increasing the success probability.
These test vectors are not official, but convenient for anyone testing their own RC4 program. The keys and plaintext are
until 2022. Instead, a separate library, libbsd, offers the function; it was updated to use ChaCha20 in 2016. In 2022,
article on RC4 in his own course notes in 2008 and confirmed the history of RC4 and its code in a 2014 paper by him.
Where a protocol is marked with "(optionally)", RC4 is one of multiple ciphers the system can be configured to use.
Variably Modified Permutation Composition (VMPC) is another RC4 variant. It uses a similar key schedule to RC4, with
The keystream generated by RC4 is biased to varying degrees towards certain sequences, making it vulnerable to
"Interim technology for wireless LAN security: WPA to replace WEP while industry develops new security standard"
). As with any stream cipher, these can be used for encryption by combining it with the plaintext using bitwise
Pouyan Sepehrdad; Serge Vaudenay; Martin Vuagnoux (2011). "Discovery and Exploitation of New Biases in RC4".
At the Black Hat Asia 2015 Conference, Itsik Mantin presented another attack against SSL using RC4 cipher.
GeneratingOutput:
  i := i + 1
  a := S
  j := j + a
  Swap S and S
A combinatorial problem related to the number of inputs and outputs of the RC4 cipher was first posed by
To generate the keystream, the cipher makes use of a secret internal state which consists of two parts:
. This caused a scramble for a standards-based replacement for WEP in the 802.11 market and led to the
Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Maki Shigeri; Tomoyasu Suzaki; Takeshi Kawabata (2005),
"A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher"
A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
, Spritz can be used to build a cryptographic hash function, a deterministic random bit generator (
Legacy arc4random(3) API from OpenBSD reimplemented using the ChaCha20 PRF, with per-thread state.
. Lecture Notes in Computer Science. Vol. 9783. Springer Berlin Heidelberg. pp. 63–77.
Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers
Andrew Roos. A Class of Weak Keys in the RC4 Stream Cipher. Two posts in sci.crypt, message-id
"A Replacement Call for Random" for ARC4 as a mnemonic, as it provides better random data than
) with the next byte of the message to produce the next byte of either ciphertext or plaintext.
A. Klein, Attacks on the RC4 stream cipher, Designs, Codes and Cryptography (2008) 48:269–286.
This was attacked in the same papers as RC4A, and can be distinguished within 2 output bytes.
is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers.
, an early June 2008 computer virus for Microsoft Windows, which takes documents hostage for
in the next 256 rounds. This conjecture was put to rest in 2004 with a formal proof given by
Proposed new random number generators are often compared to the RC4 random number generator.
"ssl - Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune"
algorithm (KSA). Once this has been completed, the stream of bits is generated using the
in 1999, until it was prohibited for all versions of TLS by RFC 7465 in 2015, due to the
, Lecture Notes in Computer Science, vol. 3017, Springer-Verlag, pp. 210–225,
, Lecture Notes in Computer Science, vol. 3017, Springer-Verlag, pp. 245–259,
, Lecture Notes in Computer Science, vol. 2442, Springer-Verlag, pp. 304–319,
"A Complete Characterization of the Evolution of RC4 Pseudo Random Generation Algorithm"
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
. However, many applications that use RC4 simply concatenate key and nonce; RC4's weak
, Lecture Notes in Computer Science, vol. 5365, Springer-Verlag, pp. 27–39,
In 2014, Ronald Rivest gave a talk and co-wrote a paper on an updated redesign called
with 255 (which is equivalent to taking the low-order byte of the value in question).
Each element of S is swapped with another element at least once every 256 iterations.
"VMPC-R: Cryptographically Secure Pseudo-Random Number Generator, Alternative to RC4"
According to manual pages shipped with the operating system, in the 2017 release of
Nadhem AlFardan; Dan Bernstein; Kenny Paterson; Bertram Poettering; Jacob Schuldt.
(insecure implementation since nonce remains unchanged when documents get modified)
operating systems, Apple replaced RC4 with AES in its implementation of arc4random.
. Information Security Group, Royal Holloway, University of London. Archived from
GeneratingOutput:
  i := (i + 1) mod 256
  j := (j + S) mod 256
RC4 became part of some commonly used encryption protocols and standards, such as
The lookup stage of RC4. The output byte is selected by looking up the values of
; decryption is performed the same way (since exclusive or with given data is an
Basu, Riddhipratim; Ganguly, Shirshendu; Maitra, Subhamoy; Paul, Goutam (2008).
has never officially released the algorithm; Rivest has, however, linked to the
is the number of initial keystream bytes that are dropped. The SCAN default is
"Analysis of RC4 and Proposal of Additional Layers for Better Security Margin"
"Microsoft continues RC4 encryption phase-out plan with .NET security updates"
Spain, pages 137–148, vol. 5527, Lecture Notes in Computer Science, Springer.
A number of attempts have been made to strengthen RC4, notably Spritz, RC4A,
– Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
in 2001, whereby, of the total 256 elements in the typical state of RC4, if
The use of RC4 in TLS is prohibited by RFC 7465 published in February 2015.
. The use of RC4 has been phased out in most systems implementing this API.
Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator
, adding them together modulo 256, and then using the sum as an index into
, but in September 1994, a description of it was anonymously posted to the
Analysis of Energy Consumption of RC4 and AES Algorithms in Wireless LANs
"RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4"
"RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4"
"6.857 Computer and Network Security Spring 2008: Lectures and Handouts"
"Chapter 17 – Other Stream Ciphers and Real Random-Sequence Generators"
RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4
  of S and S
  t := (S + S) mod 256
  K := S
  output K
. Lecture Notes in Computer Science. Vol. 6544. pp. 74–91.
"That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?"
"RC4 NOMORE: Numerous Occurrence MOnitoring & Recovery Exploit"
  255
    j := (j + S + key) mod 256
    swap values of S and S
Banik, Subhadeep; Isobe, Takanori; Morii, Masakatu (1 June 2017).
. Information Security Group, Royal Holloway, University of London
Applied Cryptography: Protocols, Algorithms, and Source Code in C
(was optional and then the use of RC4 was prohibited in RFC 7465)
  S2 + S1]
  j2 := j2 + S2
  swap values of S2 and S2
GeneratingOutput:
  i := i + 1
  j1 := j1 + S1
of 40–128 bits. First, the array "S" is initialized to the
"HTTPS cookie crypto CRUMBLES AGAIN in hands of stats boffins"
Original posting of RC4 algorithm to Cypherpunks mailing list
Hongjun Wu, "The Misuse of RC4 in Microsoft Word and Excel".
"Mozilla Security Server Side TLS Recommended Configurations"
"Analysis and Improvements of the Full Spritz Stream Cipher"
"Spritz – a spongy RC4-like stream cipher and hash function"
that, like RC4, are designed to be very simple to implement.
traffic uses RC4 to avoid attacks on block ciphers that use
Statistical Analysis of the Alleged RC4 Keystream Generator
"GNU C Library Finally Adds arc4random Functions For Linux"
"Security Advisory 2868725: Recommendation to disable RC4"
has published RFC 7465 to prohibit the use of RC4 in TLS;
Modified Alleged RC4 on Intel Core 2: 13.9 cycles per byte
The Most Efficient Distinguishing Attack on VMPC and RC4A
Isobe, Takanori; Ohigashi, Toshihiro (10–13 March 2013).
Hidden Keys to Software Break-Ins and Unauthorized Entry
Second, the operation is repeated (without incrementing
"Pseudo-Random Number Generator RC4 Period Improvement"
Cryptographically secure pseudorandom number generator
Fluhrer, Scott R.; Mantin, Itsik; Shamir, Adi (2001).
GeneratingOutput:
  a := S
  j := S
The permutation is initialized with a variable-length
is typically a multiple of 256, such as 768 or 1024.
, typically between 40 and 2048 bits, using the
"Update arc4random module from OpenBSD and LibreSSL"
This algorithm has not been analyzed significantly.
have proposed an RC4 variant, which they call RC4A.
= 768 bytes, but a conservative value would be
In 2001, a new and surprising discovery was made by
Roos' biases and key reconstruction from permutation
"Weaknesses in the Key Scheduling Algorithm of RC4"
Subhamoy Maitra; Goutam Paul (19 September 2008),
Erik Tews, Ralf-Philipp Weinmann, Andrei Pyshkin.
"Attack of the week: RC4 is kind of broken in TLS"
by obscuring them with RC4 and RSA-1024 encryption
First, the basic RC4 algorithm is performed using
("wired equivalent privacy") encryption used with
. The best such attack is due to Itsik Mantin and
. The attack exploits a known weakness in the way
ChaCha based random number generator for OpenBSD.
(Mailing list). 9 September 1994. Archived from
Unlike a modern stream cipher (such as those in
"Hardware Accelerator for Stream Cipher Spritz"
Mathy Vanhoef; Frank Piessens (9 August 2015).
Rivest, Ron; Schuldt, Jacob (27 October 2014).
Two 8-bit index-pointers (denoted "i" and "j").
is trademarked, so RC4 is often referred to as
A Stream Cipher Encryption Algorithm "Arcfour"
Debjyoti Bhattacharjee; Anupam Chattopadhyay.
"Skype's encryption procedure partly exposed"
P. Prasithsangaree; P. Krishnamurthy (2003).
distinguish its output from a random sequence
Fluhrer; Mantin; Shamir (Summer–Fall 2002).
, Cryptology ePrint Archive: Report 2008/396
, Cryptology ePrint Archive: Report 2007/070
, Cryptology ePrint Archive: Report 2002/067
, rather than a prepared stream, are used.
. FSE 2000. pp. 19–30. Archived from
presented new attacks against RC4 in both
(MAC), then encryption is vulnerable to a
"VMPC One-Way Function and Stream Cipher"
123–134, vol. 49, no. 1-3, December 2008.
), an encryption algorithm that supports
Variably Modified Permutation Composition
is incremented, two bytes are generated:
Pseudo-random generation algorithm (PRGA)
– Test Vectors for the Stream Cipher RC4
as an index to fetch a third element of
mailing list. It was soon posted on the
. I-D draft-kaukonen-cipher-arcfour-03.
Progress in Cryptology - INDOCRYPT 2008
"On the Security of RC4 in TLS and WPA"
"On the Security of RC4 in TLS and WPA"
Standard Cryptographic Algorithm Naming
All arithmetic is performed modulo 256.
. The implementations of arc4random in
, meaning Alleged RC4, see below) is a
Paul, Goutam; Subhamoy Maitra (2011).
Alexander Maximov (22 February 2007),
Breaking 104-bit WEP in under a minute
b := S; S := S; S := b;
b := S; S := b; S := a)
i := 0
j1 := 0
j2 := 0
All arithmetic is performed modulo 256
, the keystream and ciphertext are in
In OpenBSD 5.5, released in May 2014,
is used as a byte of the key stream K.
AlFardan; et al. (8 July 2013).
. Royal Holloway University of London
. A-List Publishing. pp. 92–93.
. RSA Laboratories. 1 September 2001.
BSD Cross Reference, OpenBSD src/lib/
. The cipher is also vulnerable to a
. If not used together with a strong
in 2003/2004 for wireless cards; and
have issued similar recommendations.
Advances in Cryptology – CRYPTO 2002
BSD Cross Reference, NetBSD src/lib/
. GLOBECOM '03. IEEE. Archived from
j is always leaked into the output.
Scott R. Fluhrer; David A. McGrew.
A Practical Attack on Broadcast RC4
riastradh, ed. (16 November 2014).
Introduction to Modern Cryptography
Microsoft Point-to-Point Encryption
In 2015, security researchers from
Several attacks on RC4 are able to
for the new arc4random include the
RC4 Stream Cipher and Its Variants
. www.h-online.com. Archived from
Fast Software Encryption, FSE 2004
Fast Software Encryption, FSE 2004
Journal of Mathematical Cryptology
"arc4random – NetBSD Manual Pages"
, Chapman and Hall/CRC, p. 77
Mechanism Digest-MD5 (optionally,
with associated data (AEAD), etc.
S + 1]] Swap S and S
(which is famous for breaking the
RC4-based random number generators
pseudo-random generation algorithm
(in)Security of the WEP algorithm
"(Not So) Random Shuffles of RC4"
Lecture Notes in Computer Science
Bob Jenkins (15 September 1994).
Lucian Constantin (14 May 2014).
Fluhrer, Mantin and Shamir attack
Fluhrer, Mantin and Shamir attack
Fluhrer, Mantin and Shamir attack
Many stream ciphers are based on
(archived 21 February 2015)
https://eprint.iacr.org/2005/007
Green, Matthew (12 March 2013).
John Leyden (6 September 2013).
), RC4 does not take a separate
Thus, this produces a stream of
(Rivest Cipher 4, also known as
– Prohibiting RC4 Cipher Suites
"Briefings – March 26 & 27"
"On the Security of RC4 in TLS"
"Security of RC4 Stream Cipher"
, but can be configured to use
linear-feedback shift registers
) to avoid trademark problems.
Pseudorandom number generators
Information-theoretic security
"Attacking SSL when using RC4"
Selected Areas in Cryptography
Selected Areas in Cryptography
. FSE 2001. pp. 152–164.
Andrei Popov (February 2015).
BitTorrent protocol encryption
if not implemented correctly.
Key-scheduling algorithm (KSA)
John Leyden (15 March 2013).
– FSE 2004, pp. 245–259.
. Microsoft. 12 November 2013
Prohibiting RC4 Cipher Suites
then bitwise exclusive ORed (
block ciphers in stream mode
10.1587/transfun.E100.A.1296
10.1007/978-3-540-25937-4_14
10.1007/978-3-540-25937-4_16
Ilya Mironov (1 June 2002),
J. Katz; Y. Lindell (2014),
Advanced Encryption Standard
All arithmetic modulo 256.
45A01F645FC35B383552544B9BF5
Message authentication code
Cryptographic hash function
Cryptographic hash function
10.1007/978-3-662-52993-5_4
10.1007/978-3-540-89754-5_3
10.1007/978-3-642-19574-7_5
"Crypto++ 5.6.0 Benchmarks"
j := S + key) mod 256]
RC4A uses two state arrays
message authentication code
pseudorandom stream of bits
Harvest now, decrypt later
alternating step generator
"Manual Pages: arc4random"
are left and right shift,
cipher-block chaining mode
ciphertext = plaintext ⊕ K
). This is similar to the
in 1995 and its successor
Post-quantum cryptography
. E100.A (6): 1296–1305.
"RC4-drop(nbytes) in the
Sklyarov, Dmitry (2004).
"libc/crypt/arc4random.c"
Biased outputs of the RC4
, also based on ChaCha20.
added its own version of
Quantum key distribution
Authenticated encryption
Random number generation
self-shrinking generator
"Attacks On RC4 and WEP"
Fast Software Encryption
10.1007/3-540-45708-9_20
Fast Software Encryption
Cryptography Engineering
10.1007/3-540-45473-X_13
"Thank you Bob Anderson"
, obsoleted in RFC 6331)
Transport Layer Security
authenticated encryption
Thus, the algorithm is:
, but in the last step,
, an API originating in
i := 0
j := 0
exchanges the values of
, except that generated
Public-key cryptography
Symmetric-key algorithm
Key derivation function
Cryptographic primitive
Authentication protocol
Outline of cryptography
History of cryptography
(2nd ed.). Wiley.
Bartosz Zoltak (2004),
"libc/gen/arc4random.c"
Remote Desktop Protocol
(default algorithm for
a long-term key with a
English Knowledge (XXG)
Cryptographic protocol
: 1–24. Archived from
. Hiroshima University
, ed. (21 July 2014).
distinguishing attacks
, which did not offer
Broken stream ciphers
End-to-end encryption
Cryptojacking malware
stream cipher attacks
2003. pp. 52–67.
can decrypt a secure
cipher block chaining
Royal Holloway attack
Combinatorial problem
Ralf-Philipp Weinmann
initialization vector
Linux typically uses
(the keystream value
7 cycles per byte on
Quantum cryptography
Trusted timestamping
correlation immunity
SCAN's entry for RC4
"CryptoLounge: RC4A"
on 22 September 2013
10.1515/JMC.2008.012
Secure Sockets Layer
c := S + S
number of elements (
stream cipher attack
EB9F7781B734CA72A719
was modified to use
, then uses the sum
255 S := i
identity permutation
(denoted "S" below).
of all 256 possible
RC4 was initially a
RC4 was designed by
RC4 (disambiguation)
Cryptographic nonce
shrinking generator
Widely used ciphers
(2). Archived from
on 3 December 2013.
Corrected Block TEA
Microsoft Office XP
RC4-based protocols
= 3072 bytes.
bit-flipping attack
related-key attacks
then gives rise to
also use ChaCha20.
, and adds that to
3872:Subliminal channel
3856:Pseudorandom noise
3803:Key (cryptography)
3652:correlation attack
3284:on 2 January 2015.
3222:Kaukonen; Thayer.
1478:(in modified form)
1149:, and two indexes
1067:Bar mitzvah attack
1061:Bar mitzvah attack
712:BBF316E8D940AF0AD3
482:S + S (modulo 256)
434:
59:(designed in 1987)
4053:
4052:
4049:
4048:
3932:Key-based routing
3922:Trapdoor function
3793:Digital signature
3674:
3673:
3670:
3669:
3442:
3441:
2972:978-3-540-89753-8
2915:on 1 October 2011
2888:978-3-540-22171-5
2781:978-3-540-22171-5
2728:978-3-540-44050-5
2188:978-3-642-19573-0
2040:Chefranov, A. G.
1232:of S1 and S1
952:IEEE 802.11i
948:wireless networks
806:Because RC4 is a
763:
762:
554:operating systems
312:pseudorandom bits
120:
119:
4088:
4039:
4038:
3867:Insecure channel
3703:
3696:
3689:
3680:
3383:
3321:
3314:
3307:
3298:
3294:
3290:
3285:
3283:
3229:
3196:Archived version
3181:
3155:
3126:
3125:
3123:
3121:
3106:
3100:
3094:
3088:
3087:
3085:
3057:
3051:
3050:
3016:
3010:
3009:
3007:
3005:
2999:
2990:
2984:
2983:
2982:
2980:
2956:
2946:
2931:
2925:
2924:
2922:
2920:
2911:. Archived from
2905:
2899:
2898:
2897:
2895:
2872:
2862:
2853:
2844:
2838:
2837:
2836:
2825:
2816:
2815:
2814:
2812:
2798:
2792:
2791:
2790:
2788:
2773:
2746:
2740:
2739:
2738:
2736:
2720:
2710:
2695:
2689:
2688:
2680:
2674:
2673:
2671:
2669:
2663:
2655:
2649:
2648:
2646:
2644:
2633:
2627:
2626:
2619:
2613:
2612:
2610:
2608:
2597:
2591:
2590:
2588:
2586:
2580:
2573:
2564:
2558:
2557:
2545:
2539:
2521:
2515:
2508:
2502:
2499:
2493:
2492:
2484:
2478:
2477:
2466:
2460:
2459:
2454:. Archived from
2448:
2442:
2441:
2423:
2417:
2416:
2406:
2382:
2376:
2375:
2373:
2366:
2355:
2349:
2348:
2342:
2324:
2318:
2314:
2308:
2304:
2298:
2295:
2289:
2286:
2280:
2273:
2267:
2263:
2257:
2248:
2242:
2241:
2239:
2237:
2225:
2219:
2218:
2216:
2214:
2199:
2193:
2192:
2166:
2160:
2159:
2157:
2155:
2143:
2137:
2127:
2121:
2120:
2100:
2094:
2093:
2086:
2080:
2079:
2069:
2054:
2045:
2038:
2032:
2027:Bartosz Zoltak.
2025:
2019:
2018:
2015:www.phoronix.com
2007:
2001:
2000:
1998:
1996:
1986:
1980:
1979:
1977:
1975:
1966:. Archived from
1960:
1954:
1953:
1948:
1946:
1931:
1925:
1924:
1919:
1917:
1899:
1893:
1892:
1890:
1888:
1878:
1872:
1871:
1864:
1858:
1857:
1855:
1853:
1848:
1839:
1828:
1827:
1820:
1814:
1813:
1811:
1809:
1798:
1792:
1791:
1773:"Re: RC4 ?"
1768:
1762:
1761:
1759:
1757:
1736:
1730:
1729:
1722:
1716:
1715:
1713:
1711:
1700:
1694:
1693:
1691:
1689:
1678:
1672:
1671:
1659:
1648:
1646:
1638:
1632:
1631:
1619:
1613:
1612:
1603:
1601:10.17487/RFC7465
1585:
1576:
1575:
1573:
1571:
1561:
1555:
1554:
1552:
1545:
1534:
1364:sponge functions
1336:
1325:
1291:i := i + 1
1290:
1274:
1266:
1223:
1211:
1207:
1201:
1197:
1188:
1185:is looked up in
1184:
1180:
1174:
1166:
1160:
1154:
1148:
1144:
1028:
972:
968:
964:
872:
868:
759:
754:
748:
747:04D46B053CA87B59
743:
736:
731:
725:
720:
713:
708:
702:
697:
678:
587:
559:
543:
539:
533:
523:
491:
487:
483:
479:
475:
468:
462:
458:
454:
445:
431:
427:
423:
419:
290:RC4 generates a
113:original Pentium
92:
88:
77:
31:
4096:
4095:
4091:
4090:
4089:
4087:
4086:
4085:
4056:
4055:
4054:
4045:
4027:
3956:
3712:
3707:
3666:
3640:
3599:
3573:
3438:
3412:
3371:
3330:
3325:
3281:
3264:
3242:Wayback Machine
3221:
3188:
3178:
3160:Schneier, Bruce
3158:
3152:
3137:
3134:
3132:Further reading
3129:
3119:
3117:
3116:on 11 July 2010
3108:
3107:
3103:
3095:
3091:
3059:
3058:
3054:
3039:
3018:
3017:
3013:
3003:
3001:
2997:
2992:
2991:
2987:
2978:
2976:
2973:
2954:10.1.1.215.7178
2944:
2933:
2932:
2928:
2918:
2916:
2907:
2906:
2902:
2893:
2891:
2889:
2870:10.1.1.469.8297
2860:
2851:
2846:
2845:
2841:
2834:
2827:
2826:
2819:
2810:
2808:
2800:
2799:
2795:
2786:
2784:
2782:
2750:Souradyuti Paul
2748:
2747:
2743:
2734:
2732:
2729:
2708:
2697:
2696:
2692:
2682:
2681:
2677:
2667:
2665:
2661:
2657:
2656:
2652:
2642:
2640:
2635:
2634:
2630:
2621:
2620:
2616:
2606:
2604:
2599:
2598:
2594:
2584:
2582:
2578:
2571:
2566:
2565:
2561:
2547:
2546:
2542:
2524:Souradyuti Paul
2522:
2518:
2509:
2505:
2500:
2496:
2486:
2485:
2481:
2468:
2467:
2463:
2458:on 9 July 2012.
2450:
2449:
2445:
2440:on 2 June 2004.
2425:
2424:
2420:
2384:
2383:
2379:
2371:
2364:
2357:
2356:
2352:
2340:
2328:Souradyuti Paul
2326:
2325:
2321:
2315:
2311:
2305:
2301:
2296:
2292:
2287:
2283:
2274:
2270:
2264:
2260:
2249:
2245:
2235:
2233:
2227:
2226:
2222:
2212:
2210:
2201:
2200:
2196:
2189:
2168:
2167:
2163:
2153:
2151:
2145:
2144:
2140:
2134:serverfault.com
2128:
2124:
2117:
2102:
2101:
2097:
2088:
2087:
2083:
2067:
2056:
2055:
2048:
2039:
2035:
2026:
2022:
2009:
2008:
2004:
1994:
1992:
1988:
1987:
1983:
1973:
1971:
1962:
1961:
1957:
1944:
1942:
1933:
1932:
1928:
1915:
1913:
1901:
1900:
1896:
1886:
1884:
1880:
1879:
1875:
1868:"arc4random(3)"
1866:
1865:
1861:
1851:
1849:
1846:
1841:
1840:
1831:
1822:
1821:
1817:
1807:
1805:
1800:
1799:
1795:
1770:
1769:
1765:
1755:
1753:
1752:on 22 July 2001
1738:
1737:
1733:
1724:
1723:
1719:
1709:
1707:
1702:
1701:
1697:
1687:
1685:
1680:
1679:
1675:
1661:
1660:
1651:
1640:
1639:
1635:
1621:
1620:
1616:
1587:
1586:
1579:
1569:
1567:
1563:
1562:
1558:
1550:
1543:
1536:
1535:
1531:
1527:
1488:
1403:instead of RC4)
1384:
1378:substantially.
1353:
1345:
1330:
1323:is exclusive OR
1309:
1303:
1295:
1284:
1270:
1264:
1261:
1255:
1244:
1219:
1209:
1206:
1203:
1199:
1196:
1193:
1186:
1182:
1179:
1176:
1172:
1165:
1162:
1159:
1156:
1153:
1150:
1146:
1142:
1132:Souradyuti Paul
1129:
1105:
1077:
1069:
1063:
1043:
1031:Souradyuti Paul
1026:
1003:
994:Andrei Pychkine
982:
970:
966:
962:
925:
919:
893:Souradyuti Paul
879:
870:
866:
858:
768:
757:
752:
746:
741:
734:
729:
723:
718:
711:
706:
700:
695:
665:
649:
550:
541:
535:
529:
521:
518:
489:
485:
481:
477:
473:
464:
460:
456:
450:
441:
429:
425:
421:
417:
410:
405:
356:
288:
230:within days by
226:, where it was
186:
115:
90:
86:
75:
58:
54:First published
24:
17:
12:
11:
5:
4094:
4092:
4084:
4083:
4078:
4073:
4068:
4066:Stream ciphers
4058:
4057:
4051:
4050:
4047:
4046:
4044:
4043:
4032:
4029:
4028:
4026:
4025:
4020:
4018:Random numbers
4015:
4010:
4005:
4000:
3995:
3990:
3985:
3980:
3975:
3970:
3964:
3962:
3958:
3957:
3955:
3954:
3949:
3944:
3942:Garlic routing
3939:
3934:
3929:
3924:
3919:
3914:
3909:
3904:
3899:
3894:
3889:
3884:
3879:
3874:
3869:
3864:
3862:Secure channel
3859:
3853:
3852:
3851:
3840:
3835:
3830:
3825:
3823:Key stretching
3820:
3815:
3810:
3805:
3800:
3795:
3790:
3789:
3788:
3783:
3773:
3771:Cryptovirology
3768:
3763:
3758:
3756:Cryptocurrency
3753:
3748:
3743:
3742:
3741:
3731:
3726:
3720:
3718:
3714:
3713:
3708:
3706:
3705:
3698:
3691:
3683:
3676:
3675:
3672:
3671:
3668:
3667:
3665:
3664:
3659:
3654:
3648:
3646:
3642:
3641:
3639:
3638:
3633:
3628:
3623:
3618:
3616:shift register
3613:
3607:
3605:
3601:
3600:
3598:
3597:
3592:
3587:
3581:
3579:
3575:
3574:
3572:
3571:
3566:
3561:
3556:
3551:
3546:
3541:
3536:
3531:
3526:
3521:
3516:
3511:
3506:
3501:
3496:
3491:
3486:
3481:
3476:
3471:
3466:
3461:
3456:
3450:
3448:
3444:
3443:
3440:
3439:
3437:
3436:
3431:
3426:
3420:
3418:
3414:
3413:
3411:
3410:
3405:
3400:
3395:
3389:
3387:
3380:
3373:
3372:
3370:
3369:
3364:
3359:
3354:
3349:
3344:
3338:
3336:
3332:
3331:
3328:Stream ciphers
3326:
3324:
3323:
3316:
3309:
3301:
3287:
3286:
3262:
3256:
3255:
3251:
3250:
3245:
3238:Attacks on RC4
3235:
3230:
3219:
3212:
3205:
3198:
3187:
3186:External links
3184:
3183:
3182:
3177:978-0471117094
3176:
3156:
3150:
3133:
3130:
3128:
3127:
3101:
3089:
3052:
3037:
3011:
3000:. Secrypt 2016
2985:
2971:
2926:
2900:
2887:
2839:
2817:
2793:
2780:
2741:
2727:
2690:
2675:
2650:
2628:
2623:"RC4 must die"
2614:
2592:
2559:
2540:
2516:
2503:
2494:
2479:
2461:
2443:
2418:
2397:(3): 257–289.
2377:
2374:on 2 May 2014.
2350:
2319:
2309:
2299:
2290:
2281:
2268:
2258:
2243:
2220:
2194:
2187:
2161:
2138:
2122:
2116:978-1931769303
2115:
2095:
2081:
2057:Itsik Mantin;
2046:
2033:
2020:
2002:
1981:
1970:on 6 July 2020
1955:
1926:
1894:
1873:
1859:
1829:
1815:
1793:
1763:
1731:
1717:
1695:
1673:
1649:
1633:
1614:
1577:
1556:
1528:
1526:
1523:
1522:
1521:
1516:
1511:
1506:– A family of
1498:also known as
1487:
1484:
1480:
1479:
1473:
1468:
1458:
1448:
1442:
1436:
1430:
1420:
1415:
1409:
1404:
1390:
1383:
1380:
1352:
1349:
1308:
1302:
1299:
1269:
1257:Main article:
1254:
1251:
1218:
1214:
1213:
1204:
1194:
1190:
1177:
1163:
1157:
1151:
1128:
1125:
1104:
1101:
1076:
1073:
1065:Main article:
1062:
1059:
1042:
1039:
1002:
999:
981:
980:Klein's attack
978:
921:Main article:
918:
915:
878:
875:
857:
854:
767:
764:
761:
760:
755:
753:Attack at dawn
750:
744:
738:
737:
732:
727:
721:
715:
714:
709:
704:
698:
692:
691:
688:
685:
682:
664:
661:
648:
647:Implementation
645:
634:
633:
622:
621:
620:
549:
546:
534:to obtain the
505:
501:
500:
493:
470:
455:th element of
447:
409:
406:
373:
360:key-scheduling
355:
352:
343:key-scheduling
334:
333:
330:
287:
284:
185:
182:
118:
117:
109:
105:
104:
101:
95:
94:
84:
80:
79:
72:
66:
65:
61:
60:
57:Leaked in 1994
55:
51:
50:
40:
36:
35:
15:
13:
10:
9:
6:
4:
3:
2:
4093:
4082:
4079:
4077:
4074:
4072:
4069:
4067:
4064:
4063:
4061:
4042:
4034:
4033:
4030:
4024:
4023:Steganography
4021:
4019:
4016:
4014:
4011:
4009:
4006:
4004:
4001:
3999:
3996:
3994:
3991:
3989:
3986:
3984:
3981:
3979:
3978:Stream cipher
3976:
3974:
3971:
3969:
3966:
3965:
3963:
3959:
3953:
3950:
3948:
3945:
3943:
3940:
3938:
3937:Onion routing
3935:
3933:
3930:
3928:
3925:
3923:
3920:
3918:
3917:Shared secret
3915:
3913:
3910:
3908:
3905:
3903:
3900:
3898:
3895:
3893:
3890:
3888:
3885:
3883:
3880:
3878:
3875:
3873:
3870:
3868:
3865:
3863:
3860:
3857:
3854:
3849:
3846:
3845:
3844:
3841:
3839:
3836:
3834:
3831:
3829:
3826:
3824:
3821:
3819:
3816:
3814:
3813:Key generator
3811:
3809:
3806:
3804:
3801:
3799:
3796:
3794:
3791:
3787:
3784:
3782:
3779:
3778:
3777:
3776:Hash function
3774:
3772:
3769:
3767:
3764:
3762:
3759:
3757:
3754:
3752:
3751:Cryptanalysis
3749:
3747:
3744:
3740:
3737:
3736:
3735:
3732:
3730:
3727:
3725:
3722:
3721:
3719:
3715:
3711:
3704:
3699:
3697:
3692:
3690:
3685:
3684:
3681:
3677:
3663:
3660:
3658:
3655:
3653:
3650:
3649:
3647:
3643:
3637:
3634:
3632:
3629:
3627:
3624:
3622:
3619:
3617:
3614:
3612:
3609:
3608:
3606:
3602:
3596:
3593:
3591:
3588:
3586:
3583:
3582:
3580:
3576:
3570:
3567:
3565:
3562:
3560:
3557:
3555:
3552:
3550:
3547:
3545:
3542:
3540:
3537:
3535:
3532:
3530:
3527:
3525:
3522:
3520:
3517:
3515:
3512:
3510:
3507:
3505:
3502:
3500:
3497:
3495:
3492:
3490:
3487:
3485:
3482:
3480:
3477:
3475:
3472:
3470:
3467:
3465:
3462:
3460:
3457:
3455:
3452:
3451:
3449:
3447:Other ciphers
3445:
3435:
3432:
3430:
3427:
3425:
3422:
3421:
3419:
3415:
3409:
3406:
3404:
3401:
3399:
3396:
3394:
3391:
3390:
3388:
3384:
3381:
3378:
3374:
3368:
3365:
3363:
3360:
3358:
3355:
3353:
3350:
3348:
3345:
3343:
3340:
3339:
3337:
3333:
3329:
3322:
3317:
3315:
3310:
3308:
3303:
3302:
3299:
3295:
3291:
3280:
3276:
3272:
3268:
3263:
3261:
3258:
3257:
3253:
3252:
3249:
3246:
3243:
3239:
3236:
3234:
3231:
3227:
3226:
3220:
3217:
3213:
3210:
3206:
3203:
3199:
3197:
3193:
3190:
3189:
3185:
3179:
3173:
3169:
3165:
3161:
3157:
3153:
3151:9781439831359
3147:
3144:. CRC Press.
3143:
3142:
3136:
3135:
3131:
3115:
3111:
3105:
3102:
3099:
3093:
3090:
3084:
3079:
3075:
3071:
3067:
3063:
3056:
3053:
3048:
3044:
3040:
3038:9783662529928
3034:
3030:
3026:
3022:
3015:
3012:
2996:
2989:
2986:
2974:
2968:
2964:
2960:
2955:
2950:
2943:
2942:
2937:
2930:
2927:
2914:
2910:
2904:
2901:
2890:
2884:
2880:
2876:
2871:
2866:
2859:
2858:
2850:
2843:
2840:
2833:
2832:
2824:
2822:
2818:
2806:
2805:
2797:
2794:
2783:
2777:
2772:
2767:
2763:
2759:
2755:
2751:
2745:
2742:
2730:
2724:
2719:
2714:
2707:
2706:
2701:
2694:
2691:
2686:
2679:
2676:
2660:
2654:
2651:
2638:
2632:
2629:
2624:
2618:
2615:
2602:
2596:
2593:
2577:
2570:
2563:
2560:
2555:
2551:
2544:
2541:
2537:
2533:
2529:
2525:
2520:
2517:
2513:
2507:
2504:
2498:
2495:
2490:
2487:Rivest, Ron.
2483:
2480:
2475:
2473:
2465:
2462:
2457:
2453:
2447:
2444:
2439:
2435:
2434:
2429:
2422:
2419:
2414:
2410:
2405:
2400:
2396:
2392:
2388:
2381:
2378:
2370:
2363:
2362:
2354:
2351:
2346:
2339:
2338:
2333:
2329:
2323:
2320:
2313:
2310:
2303:
2300:
2294:
2291:
2285:
2282:
2278:
2272:
2269:
2262:
2259:
2255:
2252:
2247:
2244:
2231:
2224:
2221:
2209:
2205:
2198:
2195:
2190:
2184:
2180:
2176:
2172:
2165:
2162:
2149:
2142:
2139:
2135:
2131:
2126:
2123:
2118:
2112:
2108:
2107:
2099:
2096:
2091:
2085:
2082:
2077:
2073:
2066:
2065:
2060:
2053:
2051:
2047:
2043:
2037:
2034:
2030:
2024:
2021:
2016:
2012:
2006:
2003:
1991:
1985:
1982:
1969:
1965:
1959:
1956:
1952:
1941:
1937:
1930:
1927:
1923:
1912:
1908:
1904:
1898:
1895:
1883:
1882:"OpenBSD 5.5"
1877:
1874:
1869:
1863:
1860:
1845:
1838:
1836:
1834:
1830:
1825:
1819:
1816:
1804:. 5 June 2013
1803:
1797:
1794:
1789:
1786:
1782:
1778:
1774:
1767:
1764:
1751:
1747:
1746:
1741:
1735:
1732:
1727:
1721:
1718:
1705:
1699:
1696:
1683:
1677:
1674:
1669:
1665:
1658:
1656:
1654:
1650:
1644:
1637:
1634:
1629:
1628:ComputerWorld
1625:
1618:
1615:
1610:
1607:
1602:
1597:
1593:
1592:
1584:
1582:
1578:
1566:
1560:
1557:
1549:
1542:
1541:
1533:
1530:
1524:
1520:
1517:
1515:
1512:
1509:
1508:block ciphers
1505:
1501:
1497:
1493:
1490:
1489:
1485:
1483:
1477:
1474:
1472:
1469:
1466:
1462:
1459:
1456:
1452:
1449:
1446:
1443:
1440:
1437:
1434:
1431:
1428:
1424:
1421:
1419:
1416:
1413:
1410:
1408:
1405:
1402:
1398:
1394:
1391:
1389:
1386:
1385:
1381:
1379:
1375:
1373:
1369:
1365:
1360:
1358:
1350:
1348:
1344:
1340:
1334:
1328:
1324:
1320:
1316:
1312:
1307:
1300:
1298:
1294:
1288:
1282:
1278:
1273:
1268:
1260:
1252:
1250:
1247:
1243:
1239:
1235:
1231:
1227:
1222:
1217:
1191:
1170:
1169:
1168:
1161:. Each time
1139:
1137:
1133:
1126:
1124:
1122:
1117:
1115:
1111:
1102:
1100:
1098:
1094:
1090:
1086:
1082:
1075:NOMORE attack
1074:
1072:
1068:
1060:
1058:
1055:
1053:
1049:
1040:
1038:
1036:
1032:
1024:
1020:
1016:
1012:
1008:
1000:
998:
997:probability.
995:
991:
987:
977:
974:
959:
957:
953:
949:
946:
942:
938:
934:
930:
924:
916:
914:
910:
908:
907:Scott Fluhrer
904:
902:
898:
894:
890:
888:
884:
876:
874:
864:
853:
850:
846:
844:
840:
836:
831:
829:
825:
821:
817:
816:block ciphers
813:
810:, it is more
809:
808:stream cipher
804:
802:
798:
794:
790:
786:
782:
777:
773:
765:
756:
751:
745:
740:
739:
733:
728:
722:
717:
716:
710:
705:
699:
694:
693:
689:
686:
683:
680:
679:
676:
674:
670:
662:
660:
658:
654:
646:
644:
642:
637:
631:
627:
623:
618:
614:
610:
606:
602:
601:
599:
595:
591:
583:
582:
581:
579:
575:
571:
567:
563:
555:
547:
545:
538:
532:
527:
517:
513:
509:
504:
498:
494:
471:
467:
453:
449:looks up the
448:
444:
439:
438:
437:
414:
407:
404:
400:
396:
392:
388:
384:
380:
376:
372:
370:
366:
361:
353:
351:
349:
345:
344:
339:
331:
328:
324:
320:
319:
318:
315:
313:
309:
305:
301:
297:
293:
285:
283:
280:
276:
272:
268:
264:
259:
257:
253:
249:
245:
241:
237:
233:
229:
225:
222:
218:
214:
209:
207:
203:
199:
195:
191:
183:
181:
179:
174:
172:
168:
164:
160:
155:
153:
149:
145:
141:
140:stream cipher
137:
133:
129:
125:
114:
110:
106:
102:
100:
96:
85:
81:
73:
71:
67:
64:Cipher detail
62:
56:
52:
48:
44:
41:
37:
32:
26:
22:
16:Stream cipher
4081:Free ciphers
3973:Block cipher
3818:Key schedule
3808:Key exchange
3798:Kleptography
3761:Cryptosystem
3710:Cryptography
3366:
3282:(PostScript)
3279:the original
3274:
3270:
3224:
3167:
3140:
3118:. Retrieved
3114:the original
3104:
3092:
3065:
3055:
3020:
3014:
3002:. Retrieved
2988:
2977:, retrieved
2940:
2929:
2917:. Retrieved
2913:the original
2903:
2892:, retrieved
2856:
2842:
2830:
2809:, retrieved
2803:
2796:
2785:, retrieved
2761:
2754:Bart Preneel
2744:
2733:, retrieved
2704:
2693:
2678:
2666:. Retrieved
2653:
2641:. Retrieved
2631:
2617:
2605:. Retrieved
2595:
2583:. Retrieved
2576:the original
2562:
2554:The Register
2553:
2543:
2528:Bart Preneel
2519:
2506:
2497:
2482:
2471:
2464:
2456:the original
2446:
2438:the original
2431:
2421:
2394:
2390:
2380:
2369:the original
2360:
2353:
2336:
2332:Bart Preneel
2322:
2312:
2302:
2293:
2284:
2271:
2261:
2246:
2234:. Retrieved
2223:
2211:. Retrieved
2207:
2197:
2170:
2164:
2152:. Retrieved
2141:
2133:
2125:
2105:
2098:
2084:
2063:
2036:
2023:
2014:
2005:
1993:. Retrieved
1984:
1972:. Retrieved
1968:the original
1958:
1950:
1943:. Retrieved
1939:
1929:
1921:
1914:. Retrieved
1910:
1897:
1887:21 September
1885:. Retrieved
1876:
1862:
1850:. Retrieved
1818:
1806:. Retrieved
1796:
1766:
1754:. Retrieved
1750:the original
1743:
1734:
1726:"Rivest FAQ"
1720:
1708:. Retrieved
1698:
1686:. Retrieved
1676:
1668:The Register
1667:
1642:
1636:
1627:
1617:
1590:
1570:22 September
1568:. Retrieved
1559:
1548:the original
1539:
1532:
1500:eXtended TEA
1481:
1454:
1447:(optionally)
1441:(optionally)
1435:(optionally)
1433:Secure Shell
1376:
1361:
1354:
1346:
1342:
1341:(S + S) ⊕ S
1338:
1332:
1326:
1322:
1318:
1314:
1310:
1304:
1296:
1292:
1286:
1280:
1276:
1275:i := 0
1271:
1262:
1248:
1245:
1241:
1237:
1233:
1225:
1220:
1215:
1140:
1136:Bart Preneel
1130:
1118:
1113:
1109:
1106:
1103:RC4 variants
1078:
1070:
1056:
1044:
1035:Bart Preneel
1022:
1018:
1014:
1007:Itsik Mantin
1004:
983:
975:
960:
926:
911:
905:
897:Bart Preneel
891:
880:
859:
851:
847:
839:TLS 1.0
835:BEAST attack
832:
814:than common
805:
789:key schedule
769:
724:6044DB6D41B7
666:
663:Test vectors
650:
638:
635:
616:
608:
551:
536:
530:
519:
515:
507:
502:
465:
451:
442:
435:
402:
398:
394:
390:
389:j := 0
386:
382:
378:
374:
357:
347:
341:
335:
316:
311:
308:one-time pad
300:exclusive or
289:
265:in 1997 and
260:
252:RSA Security
247:
243:
239:
235:
213:trade secret
210:
194:RSA Security
187:
175:
159:TLS protocol
156:
135:
131:
127:
124:cryptography
121:
47:RSA Security
25:
3961:Mathematics
3952:Mix network
3271:CryptoBytes
3083:10356/81487
2668:19 November
2643:19 November
2607:6 September
2585:6 September
2279:, Springer.
1745:Cypherpunks
1519:CipherSaber
1362:Like other
1306:basic RC4.
1230:swap values
1123:, and RC4.
1097:HTTP cookie
1021:≤ 256) are
954:effort and
803:standard).
795:, like the
690:Ciphertext
673:hexadecimal
657:bitwise AND
566:/dev/random
512:swap values
440:increments
323:permutation
286:Description
279:RC4 attacks
248:alleged RC4
232:Bob Jenkins
217:Cypherpunks
180:, and RC4.
4060:Categories
3912:Ciphertext
3882:Decryption
3877:Encryption
3838:Ransomware
3631:T-function
3578:Generators
3454:Achterbahn
3254:RC4 in WEP
2979:4 November
2919:4 November
2894:4 November
2811:4 November
2787:4 November
2735:4 November
2154:27 October
2059:Adi Shamir
1945:13 January
1916:13 January
1870:. OpenBSD.
1852:26 October
1808:2 February
1710:4 December
1525:References
1212:is output.
1198:again) on
1011:Adi Shamir
887:Adi Shamir
735:1021BF0420
617:arc4random
609:arc4random
586:arc4random
558:arc4random
537:ciphertext
524:which are
365:key length
304:involution
190:Ron Rivest
93:effective)
83:State size
43:Ron Rivest
3902:Plaintext
3544:SOBER-128
3474:KCipher-2
3408:SOSEMANUK
3379:Portfolio
3214:RFC
3207:RFC
3200:RFC
2949:CiteSeerX
2865:CiteSeerX
2474:database"
2345:Indocrypt
2317:Springer.
1995:6 January
1974:6 January
1781:sci.crypt
1777:Newsgroup
1688:3 January
1684:. Mozilla
1496:Block TEA
1461:Gpcode.AK
1240:S1 + S2]
1081:KU Leuven
986:Erik Tews
812:malleable
707:Plaintext
687:Plaintext
684:Keystream
574:backronym
570:Man pages
531:plaintext
528:with the
522:K, K, ...
296:keystream
246:(meaning
224:newsgroup
221:sci.crypt
171:Microsoft
148:protocols
144:keystream
70:Key sizes
39:Designers
4041:Category
3947:Kademlia
3907:Codetext
3850:(CSPRNG)
3417:Hardware
3386:Software
3357:Crypto-1
3162:(1995).
3047:16296315
2756:(2004),
2236:13 March
2213:12 March
2061:(2001).
1486:See also
1455:historic
1445:Kerberos
1401:AES-CCMP
1343:endwhile
1317:>>
1313:<<
1293:endwhile
1242:endwhile
1112:, where
1108:RC4-drop
1089:WPA-TKIP
766:Security
590:ChaCha20
556:include
552:Several
516:endwhile
430:S(S + S)
350:(PRGA).
150:such as
3717:General
3645:Attacks
3434:Trivium
3403:Salsa20
3377:eSTREAM
3240:at the
3004:29 July
2413:9613837
2256:, 1995.
2044:. 2006.
2031:. 2010?
1903:deraadt
1785:Usenet:
1779::
929:Fluhrer
781:hashing
772:eSTREAM
594:FreeBSD
562:OpenBSD
492:below);
240:ARCFOUR
184:History
167:Mozilla
136:ARCFOUR
34:General
3828:Keygen
3604:Theory
3554:Turing
3549:Spritz
3524:Scream
3494:Phelix
3489:Panama
3459:F-FCSR
3429:MICKEY
3398:Rabbit
3393:HC-128
3352:ChaCha
3174:
3148:
3120:8 July
3045:
3035:
2969:
2951:
2885:
2867:
2778:
2725:
2664:. 2015
2639:. 2015
2411:
2185:
2113:
1787:
1756:28 May
1465:ransom
1357:Spritz
1351:Spritz
1339:output
1281:output
1238:output
1234:output
1210:S1+S2]
1208:, and
992:, and
945:802.11
937:Shamir
933:Mantin
742:Secret
598:NetBSD
580:does.
578:rand()
403:endfor
387:endfor
228:broken
99:Rounds
89:bits (
3858:(PRN)
3626:NLFSR
3539:SOBER
3469:ISAAC
3424:Grain
3043:S2CID
2998:(PDF)
2945:(PDF)
2861:(PDF)
2852:(PDF)
2835:(PDF)
2709:(PDF)
2662:(PDF)
2579:(PDF)
2572:(PDF)
2409:S2CID
2372:(PDF)
2365:(PDF)
2341:(PDF)
2068:(PDF)
1847:(PDF)
1551:(PDF)
1544:(PDF)
1476:Skype
1327:while
1277:while
1226:while
1183:S1+S1
901:COSIC
785:nonce
776:nonce
730:pedia
669:ASCII
626:macOS
613:glibc
605:glibc
540:. So
526:XORed
508:while
497:XORed
327:bytes
108:Speed
3621:LFSR
3569:WAKE
3564:VMPC
3559:VEST
3534:SNOW
3529:SEAL
3519:RC4A
3514:RC4+
3509:QUAD
3499:Pike
3484:ORYX
3479:MUGI
3464:FISH
3347:A5/2
3342:A5/1
3216:7465
3209:6229
3202:4345
3172:ISBN
3146:ISBN
3122:2010
3033:ISBN
3006:2016
2981:2011
2967:ISBN
2921:2011
2896:2011
2883:ISBN
2813:2011
2789:2011
2776:ISBN
2737:2011
2723:ISBN
2670:2016
2645:2016
2609:2013
2587:2013
2526:and
2253:and
2238:2013
2215:2013
2183:ISBN
2156:2014
2111:ISBN
1997:2016
1976:2015
1947:2015
1918:2015
1889:2014
1854:2014
1810:2018
1758:2007
1712:2013
1690:2015
1609:7465
1572:2015
1502:and
1451:SASL
1393:TKIP
1368:DRBG
1315:and
1253:VMPC
1202:and
1175:and
1155:and
1145:and
1134:and
1127:RC4A
1121:VMPC
1087:and
1033:and
1023:only
1009:and
935:and
895:and
719:Wiki
628:and
476:and
420:and
395:from
379:from
358:The
244:ARC4
204:and
178:VMPC
169:and
163:IETF
132:ARC4
91:1684
87:2064
78:bits
76:2048
3367:RC4
3078:hdl
3070:doi
3025:doi
2959:doi
2875:doi
2766:doi
2713:doi
2399:doi
2175:doi
2072:doi
1606:RFC
1596:doi
1492:TEA
1471:PDF
1397:WPA
1388:WEP
1301:RC4
1093:TLS
1085:TLS
1048:TLS
956:WPA
941:WEP
899:of
871:S]]
869:or
837:on
801:WEP
696:Key
681:Key
630:iOS
391:for
375:for
338:key
294:(a
275:TLS
271:SSL
267:WPA
263:WEP
242:or
236:RC4
208:).
206:RC6
202:RC5
198:RC2
192:of
152:WEP
134:or
128:RC4
122:In
74:40–
29:RC4
4062::
3636:IV
3504:Py
3362:E0
3273:.
3269:.
3194:,
3166:.
3076:.
3064:.
3041:.
3031:.
2965:,
2957:,
2938:,
2881:,
2873:,
2854:,
2820:^
2774:,
2760:,
2752:;
2721:,
2702:,
2552:.
2534:.
2530:,
2430:.
2407:.
2393:.
2389:.
2343:.
2334:.
2330:;
2206:.
2181:.
2132:.
2049:^
2013:.
1949:.
1938:.
1920:.
1909:.
1832:^
1783:.
1775:.
1742:.
1666:.
1652:^
1626:.
1604:.
1594:.
1580:^
1494:,
1425:/
1205:j2
1200:S2
1187:S2
1178:j1
1173:S1
1158:j2
1152:j1
1147:S2
1143:S1
1037:.
988:,
958:.
931:,
867:S]
675:.
643:.
596:,
544:.
459:,
428:;
399:to
397:0
393:i
383:to
381:0
377:i
321:A
200:,
161:.
154:.
126:,
3702:e
3695:t
3688:v
3320:e
3313:t
3306:v
3275:5
3180:.
3154:.
3124:.
3086:.
3080::
3072::
3049:.
3027::
3008:.
2961::
2923:.
2877::
2768::
2715::
2687:.
2672:.
2647:.
2625:.
2611:.
2589:.
2556:.
2514:.
2491:.
2476:.
2415:.
2401::
2395:2
2240:.
2217:.
2191:.
2177::
2158:.
2136:.
2119:.
2078:.
2074::
2017:.
1999:.
1978:.
1891:.
1856:.
1826:.
1812:.
1790:.
1760:.
1728:.
1714:.
1692:.
1670:.
1647:.
1630:.
1611:.
1598::
1574:.
1335:)
1331:(
1321:⊕
1289:)
1285:(
1195:i
1189:.
1164:i
1114:N
1110:N
1027:x
1019:x
1015:x
971:n
967:n
963:n
749:…
726:…
703:…
490:K
486:S
478:S
474:S
469:;
466:j
461:S
457:S
452:i
446:;
443:i
426:S
422:S
418:S
103:1
49:)
45:(
23:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.