Re: Conficker C and Ron Rivest



Unruh <unruh-spam@xxxxxxxxxxxxxx> writes:


No, the point of this discussion was whether or not RC4 was as safe to use
for encryption as is AES. These musings are whether or not there are some
simple ways of massaging RC4 so that the "cosmetic" distinguishers in RC4
which bother some people could be eliminated. Note that if one believed
that a technique like the one I suggested would remove the distinguishers,
and would therefore make people feel that RC4 was safe again, then that
would be evidence to me that those distinguishers were just cosmetic flaws
and not the "completely broken" flaws that have been claimed for them.


Let me amplify on that "cosmetic" comment. Let's take an AES-based stream
cypher, and let us assume that it really really is a PRNG, with no biases.
Now, let us change that stream such that I go through the output and I
throw away every 1000th value of FF in the output stream. The resultant
stream cypher will have a distinguisher. It has 1-1/1000 fewer FF on
average than it has any other characters. However, it would seem to me that
despite that distinguisher, that stream cypher would protect the cleartext
just as would the original AES stream cypher, except for communications
which had a redundancy of something like 256000^2 (squared because Poisson
statistics cannot distinguish a bias in less than N^2 outputs).
I.e., as far as using it to protect communications, that AES-based stream
cypher with its distinguisher would be just as good as the original. That
distinguisher is "cosmetic" and not a security hole (except for situations
like I described).
So yes, this stream is weaker than the original on some special cleartexts,
but those are so special that almost no one need worry about them.
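The filtered-keystream argument above, worked through as an added example that is not part of the post: a SHA-256 counter-mode generator stands in for the unbiased AES stream (an assumption; AES-CTR would serve the same role), every 1000th 0xFF byte is discarded as described, and a z-score on the 0xFF count shows how far that deficit sits below statistical noise for a given sample size, together with the byte count at which it would first become visible.

```python
import hashlib
import math

def ideal_stream(key: bytes, nbytes: int) -> bytes:
    """Stand-in for an unbiased keystream (assumption: SHA-256 in counter mode
    instead of the AES-based stream cypher in the post)."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])

def drop_every_kth_ff(stream: bytes, k: int = 1000) -> bytes:
    """The post's modification: discard every k-th occurrence of the byte 0xFF."""
    out = bytearray()
    seen_ff = 0
    for b in stream:
        if b == 0xFF:
            seen_ff += 1
            if seen_ff % k == 0:
                continue  # this is the FF that gets thrown away
        out.append(b)
    return bytes(out)

def ff_zscore(stream: bytes) -> float:
    """How many standard deviations the observed 0xFF count sits from the
    n/256 expected of an unbiased byte stream (binomial sigma)."""
    n = len(stream)
    expected = n / 256
    sigma = math.sqrt(n * (1 / 256) * (255 / 256))
    return (stream.count(0xFF) - expected) / sigma

def samples_needed(bias: float = 1 / 1000, p: float = 1 / 256, z: float = 3.0) -> int:
    """Bytes an observer must see before a relative frequency drop `bias` in a
    symbol of probability p reaches z sigmas: solve n*p*bias = z*sqrt(n*p*(1-p))."""
    return math.ceil(z * z * (1 - p) / (p * bias * bias))

def compare(key: bytes, nbytes: int, k: int = 1000) -> tuple[float, float]:
    """Z-scores for the unmodified stream and for the filtered one over nbytes."""
    raw = ideal_stream(key, nbytes)
    return ff_zscore(raw), ff_zscore(drop_every_kth_ff(raw, k))

if __name__ == "__main__":
    z_raw, z_mod = compare(b"constructed demo key", 1_000_000)  # constructed key
    print(f"1e6 bytes: z(original)={z_raw:+.2f}  z(filtered)={z_mod:+.2f}")
    print(f"bytes needed to see the 1/1000 FF deficit at 3 sigma: {samples_needed():,}")
```

At a million bytes the filtered stream loses only about four FF bytes against a standard deviation of roughly sixty, so the two z-scores are indistinguishable; `samples_needed` gives the scale at which the deficit would stand out.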




