
To: bugs@openbsd.org
Subject: Re: ARC4 algorithm
From: Marcus Watts <mdw@umich.edu>
Date: Sat, 15 Mar 2003 21:28:57 -0500

> > Leopard9 is also too new to be trusted. It's apparently only about a month
> > old; generally one wants to see 4 years of active investigation before
> > trusting a cryptographic algorithm.
>
> It might be new, but it passes all of the numerical tests.
> It's certainly a lot better than ARC4.

Passing numerical tests is not a proof of security. Failing numerical
tests does not prove insecurity. random() passes many numerical tests.
It's still lousy. rc4 with all 0 bytes of output deleted should fail
many numeric tests. It's still nearly as secure as the original byte
stream.

Shannon's information theory says that given a prng with N bits of
internal state, after 2N output bits, you should be able to start
predicting future output bits with increasingly good accuracy. All
prngs have this issue. The usual assumption is that there's no attack
short of exhaustive search to guess bits. This assumes an open review
process with objective smart people, and still doesn't constitute a
proof. It took people 20 years to understand some of the design issues
with DES.

> One time pads are unbreakable.

True one time pads have very large keys, a serious key distribution
problem, and aren't a substitute for a random number generator. One
time pads with a prng are not "true" one time pads. Most stream ciphers
do use this design, nearly always with xor. RC4 and DES in OFB mode are
both examples of this. You've already described RC4 as insecure.

-Marcus
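The two points in the message above, that passing a numerical test is not a proof of security and that a prng with N bits of state starts giving its future away after about 2N output bits, as an added example that is not part of the original thread: a constructed toy linear congruential generator with 16 bits of internal state that emits the high byte of its state each step. Over its full period every byte value appears exactly 256 times, so a byte-frequency chi-square test scores a perfect 0.0, yet an exhaustive search over all 65536 states recovers the generator from a handful of output bytes (2N = 32 bits, i.e. four bytes) and predicts everything that follows. The constants, the seed and all function names are assumptions for this illustration, not anything from the message or from OpenBSD.

```python
"""Toy illustration: a perfect frequency histogram says nothing about
predictability.  Constructed example; not code from the mailing list."""
from collections import Counter

# Constructed toy LCG: 16-bit state, one 8-bit output per step.
# a-1 divisible by 4 and c odd give the full period of 65536 states.
MODULUS = 1 << 16
MULTIPLIER = 25173
INCREMENT = 13849
STATE_BITS = 16           # N in the message's "2N output bits" argument


def step(state):
    """Advance the generator one step."""
    return (MULTIPLIER * state + INCREMENT) % MODULUS


def output_bytes(state, n):
    """Emit n output bytes (the high byte of each successive state)."""
    out = []
    for _ in range(n):
        state = step(state)
        out.append(state >> 8)
    return out


def chi_square_bytes(data):
    """Chi-square statistic of the byte histogram against uniform
    (255 degrees of freedom).  Small values mean 'looks uniform'."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def matches(state, observed):
    """True if this candidate state reproduces every observed byte."""
    for b in observed:
        state = step(state)
        if state >> 8 != b:
            return False
    return True


def consistent_states(observed):
    """Exhaustive search: every internal state that explains 'observed'.
    Each byte seen is 8 bits of information about 16 bits of state, so
    one byte leaves exactly 256 candidates and four bytes (2N bits) are
    expected to leave only the true state."""
    return [s for s in range(MODULUS) if matches(s, observed)]


def predictions(observed, n):
    """Set of possible n-byte continuations, one per consistent state."""
    preds = set()
    for s in consistent_states(observed):
        for _ in observed:          # advance past the bytes already seen
            s = step(s)
        preds.add(tuple(output_bytes(s, n)))
    return preds


def demo(seed=0x1234):
    """Run the frequency test, then recover the state from a short prefix."""
    # Full period: each byte value appears exactly 256 times -> chi2 == 0.
    chi2 = chi_square_bytes(output_bytes(seed, MODULUS))
    stream = output_bytes(seed, 12)
    remaining = {k: len(consistent_states(stream[:k])) for k in range(1, 5)}
    guesses = predictions(stream[:4], 8)
    return chi2, remaining, guesses, tuple(stream[4:12])


if __name__ == "__main__":
    chi2, remaining, guesses, actual = demo()
    print(f"chi-square over full period: {chi2}")
    for k, n in remaining.items():
        print(f"states consistent with {k} observed byte(s): {n}")
    print(f"predicted continuations from 4 bytes: {sorted(guesses)}")
    print(f"actual next 8 bytes:                 {actual}")
```

The histogram is flawless because a full-period generator visits every state exactly once, which is precisely the kind of regularity a frequency test rewards and an attacker exploits. Reading the candidate counts from `demo()` shows the information-theoretic squeeze: each observed byte removes about eight bits of uncertainty from the sixteen-bit state, so the candidate set collapses after a few bytes and the remaining state(s) predict the rest of the stream. A generator meant for keys needs the property the message asks for, that nothing short of exhaustive search over a state far too large to enumerate recovers it.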
