
Re: ARC4 algorithm



> > Leopard9 is also too new to be trusted.  It's apparently only about a month
> > old; generally one wants to see 4 years of active investigation before
> > trusting a cryptographic algorithm.
> 
> It might be new, but it passes all of the numerical tests.
> It's certainly a lot better than ARC4.

Passing numerical tests is not a proof of security.
Failing numerical tests does not prove insecurity.

random() passes many numerical tests.  It's still lousy.

rc4 with all 0 bytes of output deleted should fail many numeric tests.
It's still nearly as secure as the original byte stream.

Shannon's information theory says that given a prng with N bits of
internal state, after 2N output bits, you should be able to start
predicting future output bits with increasingly good accuracy.  All
prngs have this issue.  The usual assumption is that there's no attack
short of exhaustive search to guess bits.  This assumes an open review
process with objective smart people, and still doesn't constitute a
proof.  It took people 20 years to understand some of the design issues
with DES.

> One time pads are unbreakable.

True one time pads have very large keys, a serious key distribution
problem, and aren't a substitute for a random number generator.

One time pads with a prng are not "true" one time pads.  Most
stream ciphers do use this design, nearly always with xor.  RC4
and DES in OFB mode are both examples of this.  You've already
described RC4 as insecure.

				-Marcus
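The RC4-with-zero-bytes-deleted point, as an added example that is not part of the original message: a byte-frequency chi-square test accepts the raw keystream and rejects the same stream with every 0x00 byte removed, although deleting those bytes makes the stream no easier to predict. The key and the pass/fail threshold are constructed for the demonstration.

```python
# Added example: a byte-frequency chi-square test on RC4 keystream, run on the
# raw keystream and on the same stream with every 0x00 byte deleted. The second
# stream is just as unpredictable (a few bytes were removed), yet the test
# rejects it. Key and thresholds below are constructed for the demonstration.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 (ARC4) keystream for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform 256-bin expectation."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


# 255 degrees of freedom: a uniform source scores about 255 +/- 23. Anything
# far above that is flagged; 330 is roughly the 99.9% critical value.
CHI2_LIMIT = 330.0


def compare_streams(key: bytes, n: int = 1 << 17):
    """Return (chi2 of raw keystream, chi2 of keystream with 0x00 bytes removed)."""
    raw = rc4_keystream(key, n)
    stripped = bytes(b for b in raw if b != 0)
    return chi_square_bytes(raw), chi_square_bytes(stripped)


if __name__ == "__main__":
    raw_score, stripped_score = compare_streams(b"constructed demo key")
    print(f"raw keystream:      chi2={raw_score:.1f}  pass={raw_score < CHI2_LIMIT}")
    print(f"0x00 bytes removed: chi2={stripped_score:.1f}  pass={stripped_score < CHI2_LIMIT}")
```

The stripped stream fails because the empty 0x00 bin alone contributes about n/256 to the statistic, which says nothing about whether the remaining bytes can be predicted.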