On the Entropy of Arcfour Keys

Arcfour is a stream cipher that produces a byte keystream $B = \{b_i\}_{i=0}^{\infty}$, where a key $K$ is used to select the initial state $S_0$, and the $b_i$ are produced by the state transition $\delta(S_i) = S_{i+1}$. Let the byte length of $K$ be $|K|$, and let $S_0(K)$ be the initial state produced by $K$. Two keys $K_1, K_2$ are considered equivalent if $S_0(K_1) = S_0(K_2)$, and further $K_2$ is weak if $|K_1| < |K_2|$. We show that there is a class of weak keys based on the notion of string periodicity which contains 256 weak 40-bit keys and $2^{64}$ weak 128-bit keys. We exhibit 128-bit keys whose entropy is no more than a byte.

We also present an algorithm for constructing the initial contents of the Arcfour state machine based on observing $B_{256} = \{b_i\}_{i=0}^{255}$. The method is significantly faster than exhaustive search for the initial state $S_0$, and shows that no additional security against brute-force attacks is expected to be achieved by selecting keys $K$ for which $|K| \geq 57$. It also shows that if Arcfour is scaled down to operate on 4-bit values with 64-bit keys, say for smart card environments, the state contents can be recovered in approximately $10^7$ operations.
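The periodic weak-key class in the abstract follows from the Arcfour key schedule consuming the key cyclically, so a key that is a shorter string repeated whole times selects exactly the same $S_0$ as that shorter string. The following is an added illustration, not code from the report: it implements the standard Arcfour key-scheduling step, a check that flags periodic (weak) keys, and a demonstration that a repeated one-byte key and a doubled eight-byte key are equivalent to their periods (the sample key bytes are constructed).

```python
# Added example: Arcfour key scheduling and the periodic weak-key check.
# The key-scheduling algorithm (KSA) below is the standard Arcfour one;
# the sample keys are constructed for illustration.

def arcfour_ksa(key: bytes) -> list:
    """Build the initial state S_0 from key K.
    The key byte used at step i is K[i mod |K|], so a periodic key and its
    shortest period feed identical bytes into every step and give the same S_0."""
    if not key:
        raise ValueError("key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def shortest_period(key: bytes) -> bytes:
    """Return the shortest P such that key == P repeated a whole number of times."""
    n = len(key)
    for p in range(1, n + 1):
        if n % p == 0 and key == key[:p] * (n // p):
            return key[:p]
    return key

def is_weak_periodic_key(key: bytes) -> bool:
    """Weak in the abstract's sense: a strictly shorter key yields the same S_0.
    Every periodic key has this property, so a key generator should reject them."""
    return len(shortest_period(key)) < len(key)

def equivalent_keys(k1: bytes, k2: bytes) -> bool:
    """True when both keys select the same initial state S_0."""
    return arcfour_ksa(k1) == arcfour_ksa(k2)

if __name__ == "__main__":
    one_byte = bytes([0xAB])            # constructed 8-bit key
    key40 = one_byte * 5                # one of the 256 weak 40-bit keys
    key128 = one_byte * 16              # 128-bit key with at most 8 bits of entropy
    eight = bytes(range(8))             # constructed 64-bit key
    key128_p8 = eight * 2               # one of the 2**64 weak 128-bit keys
    for k in (key40, key128, key128_p8):
        print(k.hex(), "weak:", is_weak_periodic_key(k),
              "equivalent to period:", equivalent_keys(k, shortest_period(k)))
```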

By: Luke O'Connor

Published in: RZ3019 in 1998

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
