"Uri" == Uri Blumenthal <uri(_at_)watson(_dot_)ibm(_dot_)com> writes:
Uri> Adam Back says:
First - an observation. Just like a block cipher must have an IV (PGP
side-stepped this by prepending the message with random stuff), a
stream cipher must have a stream offset.
I presume by a stream offset you mean that you spin the stream
cipher PRNG for the published offset number of bytes, before using
it to encrypt data.
Uri> Yes, that is not my idea, not any more than using IV for
Uri> block ciphers - and for precisely the same purpose.
This has a number of problems/added complexities I think: - you
have to remember a current offset to avoid re-using offsets (adds
state to symmetric crypto where there is none currently)
Uri> Similarly to having to remember not to re-use IVs.
- you incur the performance penalty of spinning the PRNG by the
offset number of bytes (eg could be 100s of megs).
Uri> Possibly, but again, I'm not "inventing" it - just sharing the
Uri> crypto rules of using stream ciphers with the list. "Don't blame
Uri> the messenger" (:-)
Hm. That sounds like practical stream cyphers will always be insecure
(to the extent that an unknown stream offset has a significant
security benefit).
An IV can (and should be) random -- all bits unpredictable. A stream
offset may be random but it cannot in practice be random in more than
a modest number of low order bits, so the set of likely values is
necessarily small.
Did I miss something?
paul
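The cost and offset-size trade-off the thread argues about can be made concrete. The following is an added example, not code from anyone in this thread: it contrasts a stream cipher whose keystream has no random-access structure (RC4 is used purely as the classic instance of that shape; it is broken and shown only for illustration) with a counter-mode keystream built from HMAC-SHA256, where block i = HMAC(key, nonce || i). The function names, the key and nonce values, and the throughput figure in the usage note are all constructed for the demonstration. The point it shows is Paul's: with a non-seekable generator the work to honour an offset grows linearly with the offset, so only log2(rate x time budget) bits of offset are affordable, whereas with a seekable construction the offset is essentially free and the per-message nonce can carry the full-width randomness an IV would.

```python
import hashlib
import hmac
import math
import struct

# --- Non-seekable stream cipher (RC4-style) ------------------------------
# Reaching keystream byte N requires clocking the generator N times, so a
# "stream offset" costs O(offset) work before the first useful byte appears.
def rc4_keystream(key: bytes, nbytes: int, offset: int = 0) -> bytes:
    """Return nbytes of RC4 keystream starting at byte `offset`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for k in range(offset + nbytes):          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= offset:                       # discard the first `offset` bytes
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_work(offset: int, nbytes: int) -> int:
    """Generator steps needed to deliver nbytes at `offset`: linear in offset."""
    return offset + nbytes

# --- Seekable counter-mode keystream (constructed: HMAC-SHA256 as the PRF) --
BLOCK = hashlib.sha256().digest_size         # 32 bytes per counter block

def prf_keystream(key: bytes, nonce: bytes, nbytes: int, offset: int = 0) -> bytes:
    """Keystream block i = HMAC(key, nonce || i). Starting at `offset` costs
    one block computation, not `offset` steps, so the nonce can be full-width
    random (like an IV) and the offset adds no work."""
    block_idx, skip = divmod(offset, BLOCK)
    out = bytearray()
    while len(out) < skip + nbytes:
        out += hmac.new(key, nonce + struct.pack(">Q", block_idx),
                        hashlib.sha256).digest()
        block_idx += 1
    return bytes(out[skip:skip + nbytes])

def prf_work(offset: int, nbytes: int) -> int:
    """PRF evaluations needed to deliver nbytes at `offset`: independent of
    the magnitude of offset, only of nbytes and alignment."""
    return (offset % BLOCK + nbytes + BLOCK - 1) // BLOCK

def xor_encrypt(keystream: bytes, data: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    assert len(keystream) >= len(data)
    return bytes(p ^ k for p, k in zip(data, keystream))

def affordable_offset_bits(bytes_per_second: float, seconds: float) -> int:
    """How many bits of offset a non-seekable cipher can afford to spin
    through within a time budget: floor(log2(rate * budget))."""
    return math.floor(math.log2(bytes_per_second * seconds))

if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed sample key
    nonce = bytes(12)                         # constructed sample nonce
    msg = b"attack at dawn"                   # constructed sample message
    off = 1_000_000
    print("rc4 steps to reach offset 1e6:", rc4_work(off, len(msg)))
    print("prf blocks to reach offset 1e6:", prf_work(off, len(msg)))
    print("affordable offset bits at 100 MB/s, 1 s:",
          affordable_offset_bits(100_000_000, 1.0))
    ct = xor_encrypt(prf_keystream(key, nonce, len(msg), off), msg)
    print("roundtrip ok:",
          xor_encrypt(prf_keystream(key, nonce, len(msg), off), ct) == msg)
```

Run as a script it prints the work counts for the two designs at a one-megabyte offset and the number of offset bits a 100 MB/s generator can afford in one second (26, since log2(1e8) is about 26.6); that figure is the "modest number of low order bits" Paul describes, and it is a property of having to clock the generator, not of the offset idea itself.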