Re: reflecting on RC4


James A. Donald (jamesd@echeque.com)
Sat, 20 Feb 1999 17:26:58 -0800


    --
At 11:56 PM 2/17/99 -0800, Alex Alten wrote:
> The attack I was thinking of is to discover the
> arrangement of the 256 byte substitution array after key
> setup. Since you know the resulting pad bytes and the
> start state the only entropy is in the array itself (a
> result of random shuffling). Basically there are two
> operations that count (the swap doesn't add strength in
> this attack scenario).
>
> x = (S[i] + S[j]) mod 256
> P = S[x]
>
> P is the final pad byte. x, i, & j are byte sized.
>
> So S[i] and S[j] each have 8 bits of entropy (the
> 16 I first noticed). S[x] is known but x itself is
> probably another 8 bits of entropy. This means that each P
> is probably the result of 24 bits of entropy. At worst
> doing this for each array element requires another 8 bits.
> So the resistance to attack is 32 bits maximum?

Slightly less than 2048 bits, since you have to about two
hundred array elements.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     Meix0yXx+/5TlvuI++fL5iCqdbgTIZV779OkrCvt
     4Tfn4nX6CV9aPmH+pq2JraWb5n+cWaRYxCvx4IK47

-----------------------------------------------------
We have the right to defend ourselves and our property, because
of the kind of animals that we are. True law derives from this
right, not from the arbitrary power of the omnipotent state.

http://www.jim.com/jamesd/      James A. Donald
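
The output step quoted above (x = (S[i] + S[j]) mod 256, P = S[x]), as an added example that is not part of the original message: a standard RC4 key setup and generator in Python, instrumented to record which entries of S each pad byte reads. The function names and the sample key are choices made for this illustration.

```python
import math

def ksa(key: bytes) -> list:
    """RC4 key setup: shuffle the 256-entry array S under control of the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def prga(S: list, n: int):
    """Yield (P, touched) for n pad bytes; touched = indices of S read for that byte."""
    S = S[:]                      # work on a copy, keep the caller's state intact
    i = j = 0                     # the known start state mentioned in the thread
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]   # the swap
        x = (S[i] + S[j]) % 256
        yield S[x], {i, j, x}     # P = S[x]

def keystream(key: bytes, n: int) -> bytes:
    return bytes(p for p, _ in prga(ksa(key), n))

def positions_touched(key: bytes, n: int) -> int:
    """Number of distinct array positions read while producing n pad bytes."""
    seen = set()
    for _, touched in prga(ksa(key), n):
        seen |= touched
    return len(seen)

def permutation_bits() -> float:
    """log2(256!): information in a uniformly random permutation of 256 values.
    256 independent bytes would be 256 * 8 = 2048 bits; S is constrained to be
    a permutation, so the figure is lower."""
    return math.lgamma(257) / math.log(2)

if __name__ == "__main__":
    key = b"Key"                  # constructed sample key (widely used RC4 test vector)
    print("keystream:", keystream(key, 10).hex())
    for n in (1, 16, 64, 256):
        print(f"{n:3d} pad bytes read {positions_touched(key, n):3d} distinct entries of S")
    print(f"log2(256!) = {permutation_bits():.1f} bits")
```
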



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:28