Tuesday 29 June 2004 — This is 19 years old. Be careful.

I found an implementation of a random number generator today, and the comments said it was using the RC4 algorithm, not to encrypt, but just as a source of randomness. I was intrigued.

RC4 is a symmetric encryption algorithm developed by RSA Security. A key is used to initialize a random number generator. The output of the generator is XOR-ed with the cleartext to produce the ciphertext. The strength of the cipher depends on the “strength” of the randomness, that is, how hard it is to predict what the next random byte will be. (The name comes from its being the fourth Rivest Cipher.)

The algorithm was proprietary until it was leaked in 1994. Since then, it has been subjected to a great deal of analysis, some of it quite abstruse.

The analysis shows certain subtle weaknesses in RC4. Others have tried to create new similar algorithms without the same weaknesses. For example, Bob Jenkins created ISAAC. Until the mathematicians have spent a decade poring over ISAAC output, there’s really no way to know if it has other unidentified weaknesses.
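The construction described above (key initializes the generator, generator output is XOR-ed with the text), together with one published example of a subtle weakness, as an added sketch that is not the generator I found nor anyone's production code. The function names are my own, and the second-byte bias measured here is the result published by Mantin and Shamir in 2001: the second keystream byte is zero about twice as often as a uniform source would give.

```python
import random

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (1 to 256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): the key shuffles a 256-byte permutation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): one output byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with the keystream (same operation both ways)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def second_byte_zero_count(trials: int, seed: int = 2004) -> int:
    """Count how often the 2nd keystream byte is 0 over `trials` random 16-byte keys."""
    rng = random.Random(seed)  # seeded only so the experiment is repeatable
    hits = 0
    for _ in range(trials):
        ks = rc4_keystream(bytes(rng.getrandbits(8) for _ in range(16)))
        next(ks)                 # discard the first output byte
        hits += next(ks) == 0    # test the second one
    return hits

if __name__ == "__main__":
    ct = rc4_xor(b"Key", b"Plaintext")          # widely published test vector
    print(ct.hex(), rc4_xor(b"Key", ct))        # XOR-ing again recovers the text
    trials = 20000
    print(second_byte_zero_count(trials), "zeros; uniform would give about", trials // 256)
```

A generator whose second byte is this predictable is distinguishable from true randomness after a few hundred samples, which is the kind of property that matters whether RC4 is used as a cipher or only as a source of random numbers.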

By the way: Bob Jenkins’s web site is full of all sorts of other interesting stuff, including hashing, perpetual motion machines, and jenny, the combinatorial testing tool I mentioned last month.
