Re: rc4 ksa modification



On Jan 30, 12:36 pm, LightBit <grpin...@xxxxxxxxx> wrote:
Hello!

I made some modifications to the standard RC4 KSA, but I'm not sure if it's
ok?

#include <stddef.h>
#include <stdint.h>

struct rc4
{
        uint8_t s[256];
        uint8_t i;
        uint8_t j;

};

void rc4_ksa(struct rc4 *s, const uint8_t *k, const unsigned int klen)
{
        unsigned int i;
        unsigned int j;
        uint8_t t;

        s->i = 0;
        s->j = 0;

        for(i = 0; i < 256; i++) s->s[i] = i;

        /* mix key twice plus 256 for shorter keys, against weak keys?
           (instead of drop) */
        for(j = 0, i = (klen << 1) + 256; i; i--)
        {
                s->j = s->j + s->s[s->i] + k[j++];
                if(j == klen) j = 0;

                t = s->s[s->i];
                s->s[s->i] = s->s[s->j];
                s->s[s->j] = t;

                s->i++;
        }
        /* standard rc4 sets s->i = s->j = 0 here, but what is the point?
           (It's better if attacker doesn't know i and j) */
}

The whole point of dropping bytes is to have swaps that aren't so
correlated to the key. I think it sets i/j to zero so they're not
part of the state. Unfortunately, most implementations have to allow
for partial processing so they're there anyways.

That said, RC4 is not exactly a good design to work on:

1. It's slow in hardware (8-bit memory access + 258-bytes == huge)

2. It's not much [if any] faster than AES-CTR

3. It's not a scientific design (no theory talks to its strength)

Tom
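For comparison with the modified KSA above, here is an added example (not code from either poster) of the standard RC4 key schedule and PRGA in C, with RC4-drop[n] implemented as the usual "discard the first n keystream bytes" and a self-check. It assumes the widely published test vector for key "Key" / plaintext "Plaintext" and uses n = 768 purely as an illustrative drop count.

```c
#include <stdint.h>
#include <string.h>

struct rc4_ctx { uint8_t s[256]; uint8_t i, j; };
#define SWAP(a, b) do { uint8_t t_ = (a); (a) = (b); (b) = t_; } while (0)
/* Standard RC4 KSA: exactly 256 key-dependent swaps, then i = j = 0. */
void rc4_init(struct rc4_ctx *c, const uint8_t *key, size_t klen)
{
    unsigned int i, j = 0;
    for (i = 0; i < 256; i++) c->s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + c->s[i] + key[i % klen]) & 0xff;
        SWAP(c->s[i], c->s[j]);
    }
    c->i = c->j = 0;
}

/* Standard PRGA, XORing keystream into buf in place; i and j stay in the context, so one message can be processed in several calls. */
void rc4_crypt(struct rc4_ctx *c, uint8_t *buf, size_t len)
{
    size_t n;
    for (n = 0; n < len; n++) {
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->s[c->i]);
        SWAP(c->s[c->i], c->s[c->j]);
        buf[n] ^= c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
    }
}

/* RC4-drop[n]: step the PRGA n times and throw the output away. */
void rc4_drop(struct rc4_ctx *c, size_t n)
{
    uint8_t sink = 0;
    while (n--) rc4_crypt(c, &sink, 1);
}

/* Self-check: published known answer (key "Key", plaintext "Plaintext"), then drop[768] == skip the first 768 normal keystream bytes. */
int rc4_selftest(void)
{
    static const uint8_t kat[9] = { 0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3 };
    static const uint8_t key[3] = { 'K', 'e', 'y' };
    struct rc4_ctx a, b;
    uint8_t msg[9], ks_full[768 + 32] = { 0 }, ks_drop[32] = { 0 };
    memcpy(msg, "Plaintext", 9);
    rc4_init(&a, key, 3); rc4_crypt(&a, msg, 9);
    if (memcmp(msg, kat, 9) != 0) return 0;
    rc4_init(&a, key, 3); rc4_crypt(&a, ks_full, sizeof ks_full);
    rc4_init(&b, key, 3); rc4_drop(&b, 768); rc4_crypt(&b, ks_drop, sizeof ks_drop);
    return memcmp(ks_full + 768, ks_drop, 32) == 0;
}
```

Any KSA variant can be checked the same way: run it against a known answer, then confirm that chunked and one-shot processing give identical keystream.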