Re: Conficker C and Ron Rivest

Greg Rose wrote:

The reason I tend to mention the distinguisher
first is that it is absolutely inherent in RC4,
and can't be worked around.

The state of the art for RC4 implementations is RC4-drop[N] with
keys that are generated by a strong RNG or a hash function. See
[ ].

Even RC4-drop[N] has a keystream that is distinguishable from
random given 2^31 to 2^32 bytes (2GB-4GB) of the stream, but
there is no known distinguisher for RC4-drop[N] when less than
2^3 bytes (1GB) of stream are generated from a key.

Also see [ ],
which claims

"The 'heart' of RC4 is its exceptionally simple and extremely
efficient pseudo-random generator. The recent attacks relate
only to the key-scheduling algorithm, not to the generator.
There are at present no known practical attacks against this
generator when initialized with a randomly-chosen initial state."

Guy Macon
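The construction the post describes, RC4-drop[N] keyed from a hash output, as an added example that is not part of the original thread. It implements the KSA and generator from scratch, discards the first N keystream bytes, and measures the well-known second-byte bias (keystream byte 2 is zero about twice as often as it should be) with and without dropping, so the effect of drop[N] on the early-keystream bias is visible. SHA-256 as the key derivation, the 16-byte seed length and N=256 are assumptions of this example.

```python
import hashlib
import random


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: build the permutation S from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """RC4-drop[N]: run the generator, discard the first `drop` bytes, return the next n."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:  # the first `drop` outputs are thrown away
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: bytes) -> bytes:
    """Key from a hash of fresh random material, as the post recommends (SHA-256 is an assumption)."""
    return hashlib.sha256(seed).digest()


def second_byte_zero_rate(trials: int, drop: int, rng: random.Random) -> float:
    """Fraction of random keys whose keystream byte at index 1 is zero.
    Without dropping this is about 2/256; once early bytes are dropped it falls to about 1/256."""
    hits = 0
    for _ in range(trials):
        key = derive_key(rng.getrandbits(128).to_bytes(16, "big"))  # constructed seed
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(2009)  # fixed seed so the run is repeatable
    print("drop[0]   P(byte2 == 0) =", second_byte_zero_rate(6000, 0, rng))
    print("drop[256] P(byte2 == 0) =", second_byte_zero_rate(6000, 256, rng))
```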