Re: Conficker C and Ron Rivest
- From: Guy Macon <http://www.GuyMacon.com/>
- Date: Tue, 24 Mar 2009 06:34:16 +0000
Greg Rose wrote:
> The reason I tend to mention the distinguisher
> first is that it is absolutely inherent in RC4,
> and can't be worked around.
The state of the art for RC4 implementations is RC4-drop[N] with
keys that are generated by a strong RNG or a hash function. See
[ http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC4-drop ].
Even RC4-drop[N] has a keystream that is distinguishable from
random given 2^31 to 2^32 bytes (2GB-4GB) of the stream, but
there is no known distinguisher for RC4-drop[N] when less than
2^3 bytes (1GB) of stream are generated from a key.
Also see [ http://www.rsa.com/rsalabs/node.asp?id=2009 ],
which claims
"The 'heart' of RC4 is its exceptionally simple and extremely
efficient pseudo-random generator. The recent attacks relate
only to the key-scheduling algorithm, not to the generator.
There are at present no known practical attacks against this
generator when initialized with a randomly-chosen initial state."
--
Guy Macon
<http://www.GuyMacon.com/>
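
Added example, not part of the original post or of any project it cites: a minimal RC4-drop[N] generator in Python with a hash-derived key and a per-key keystream cap set to the 1 GB figure mentioned in the post. The drop count N=768, the SHA-256 nonce-plus-secret derivation, and the names `RC4Drop` and `derive_key` are assumptions made for illustration.

```python
import hashlib
import os


class RC4Drop:
    """RC4-drop[N]: standard RC4 with the first N keystream bytes discarded."""

    def __init__(self, key: bytes, drop: int = 768, limit: int = 1 << 30):
        if not 1 <= len(key) <= 256:
            raise ValueError("RC4 key must be 1..256 bytes")
        s, j = list(range(256)), 0
        for i in range(256):  # key-scheduling algorithm (KSA)
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self._s, self._i, self._j = s, 0, 0
        self._prga(drop)      # discard the first N bytes, never expose them
        self._left = limit    # keystream bytes still allowed under this key

    def _prga(self, n: int) -> bytes:
        s, i, j = self._s, self._i, self._j
        out = bytearray(n)
        for k in range(n):
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out[k] = s[(s[i] + s[j]) & 0xFF]
        self._i, self._j = i, j
        return bytes(out)

    def keystream(self, n: int) -> bytes:
        if n > self._left:
            raise RuntimeError("per-key keystream budget exhausted; rekey")
        self._left -= n
        return self._prga(n)

    def crypt(self, data: bytes) -> bytes:
        """XOR data with keystream; the same call encrypts and decrypts."""
        return bytes(a ^ b for a, b in zip(data, self.keystream(len(data))))


def derive_key(secret: bytes, nonce: bytes) -> bytes:
    """Assumed key derivation: hash a per-message nonce with the secret."""
    return hashlib.sha256(nonce + secret).digest()


if __name__ == "__main__":
    nonce = os.urandom(16)                      # fresh per message
    key = derive_key(b"constructed demo secret", nonce)
    ct = RC4Drop(key).crypt(b"constructed sample message")
    assert RC4Drop(key).crypt(ct) == b"constructed sample message"
    print(nonce.hex(), ct.hex())
```

The block provides confidentiality only; it carries no integrity check on the ciphertext.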