Re: Conficker C and Ron Rivest
- From: Bill Unruh <unruh@xxxxxxxxxxxxxx>
- Date: Wed, 25 Mar 2009 17:44:25 GMT
Unruh <unruh-spam@xxxxxxxxxxxxxx> writes:
No, the point of this discussion was whether or not RC4 was as safe to use
for encryption as is AES. These musings are whether or not there are some
simple ways of massaging RC4 so that the "cosmetic" distinguishers in RC4
which bother some people could be eliminated. Note that if one believed
that a technique like the one I suggested would remove the distinguishers,
and would therefore make people feel that RC4 was safe again, then that
would be evidence to me that those distinguishers were just cosmetic flaws
and not the "completely broken" flaws that have been claimed for them.
Let me amplify on that "cosmetic" comment. Let's take an AES-based stream
cypher, and let us assume that it really really is a PRNG, with no biases.
Now, let us change that stream such that I go through the output and I
throw away every 1000th value of FF in the output stream. The resultant
stream cypher will have a distinguisher. It has 1-1/1000 fewer FF on
average than it has any other characters. However, it would seem to me that
despite that distinguisher, that stream cypher would protect the cleartext
just as would the original AES stream cypher, except for communications
which had a redundancy of something like 256000^2 (squared because Poisson
statistics cannot distinguish a bias in less than N^2 outputs).
I.e., as far as using it to protect communications, that AES-based stream
cypher with its distinguisher would be just as good as the original. That
distinguisher is "cosmetic" and not a security hole (except for situations
like I described).
So yes, this stream is weaker than the original on some special cleartexts,
but those are so special that almost no one need worry about them.
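An added illustration of the thought experiment above, written for this page and not part of the original post: the script drops every k-th 0xFF byte from a pseudorandom keystream, measures the resulting FF-frequency deficit as a z-score, and computes how many keystream bytes a plain frequency test needs before that deficit stands out. The keystream is Python's seeded `random` module standing in for the AES-based stream (an assumption, not a cipher), and because the post's k=1000 needs billions of bytes to detect, the detectable run uses a constructed k=10 alongside k=1000.

```python
import math
import random

P_FF = 1 / 256  # probability of a 0xFF byte in an unbiased keystream


def drop_every_kth_ff(stream: bytes, k: int) -> bytes:
    """Return `stream` with every k-th occurrence of 0xFF removed.

    This is the post's filter: an otherwise unbiased keystream with a tiny,
    purely statistical bias introduced on top of it.
    """
    out = bytearray()
    ff_seen = 0
    for b in stream:
        if b == 0xFF:
            ff_seen += 1
            if ff_seen % k == 0:
                continue  # this one is thrown away
        out.append(b)
    return bytes(out)


def ff_zscore(stream: bytes) -> float:
    """z-score of the observed 0xFF count against the unbiased expectation."""
    n = len(stream)
    expected = n * P_FF
    stddev = math.sqrt(n * P_FF * (1 - P_FF))
    return (stream.count(0xFF) - expected) / stddev


def samples_needed(k: int, z: float = 3.0) -> int:
    """Keystream bytes needed for the 0xFF deficit to reach z standard deviations.

    The deficit per byte is about 1/(256 k) and the count's standard deviation
    is sqrt(n * (1/256) * (255/256)), so z = sqrt(n) / (k * sqrt(255)).
    """
    return math.ceil((k * z) ** 2 * 255)


def run_demo(k: int, n_bytes: int = 1_000_000, seed: int = 1) -> float:
    """Filter a seeded pseudorandom keystream (constructed stand-in) and return its z-score."""
    rng = random.Random(seed)  # not a cipher: a deterministic PRNG for the demo
    keystream = rng.getrandbits(8 * n_bytes).to_bytes(n_bytes, "big")
    return ff_zscore(drop_every_kth_ff(keystream, k))


if __name__ == "__main__":
    for k in (10, 1000):
        print(f"k={k}: z={run_demo(k):+.2f}, bytes needed for z=3: {samples_needed(k):,}")
```

With k=10 the deficit shows up at about six standard deviations in a million bytes, while with k=1000 the same sample is statistically indistinguishable from the unfiltered stream.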