On the Entropy of Arcfour Keys

Arcfour is a stream cipher that produces a byte keystream B fbig i where a keyK is used to select the initial state S and the bi are produced by the state transition Si Si Let the byte length of K be jKj and let S K be the initial state produced by K Two keys K K are considered equivalent if S K S K and further K is weak if jK j jK j We show that there is a class of weak keys based on the notion of string periodicity which contains weak bit keys and weak bit keys We exhibit bit keys whose entropy is no more than a byte We also present an algorithm for constructing the initial contents of the Arcfour state machine based on observing B fbig i The method is signi cantly faster than exhaustive search for initial the state S and shows that no additional security against brute force attacks is expected to be achieved by selecting keys K for which jKj Also it shows that if Arcfour is scaled down to operate on bit values with bit keys say suitable for smart card environments the state contents can be recovered in approximately operations