Adam Back says:
Similarly to having to remember not to re-use IVs.
Ah, but you get "remembering" not to re-use IVs for free -- you just
use random ones, or for some block modes just non-repeating IVs.
True.
Using random offsets is impractical due to the performance penalty of
spinning the PRNG by 2^(IV size).
Also true - however limited offsets could be used more or less
safely with small-size plaintexts (say, up to a few KBytes)...
rc4-key-schedule( iv || s2k( passphrase ) )
A possibility. Would need more time to evaluate it...
It has a sort of precedent, so must (one presumes!) have been looked
at in that the export versions of SSL cipher suites with RC4
(RC4-40-RSA-MD5) use the construct...
(:-) So much the better.
Probably: rc4-key-schedule( s2k( iv || passphrase ) )
would be better as it uses the hash in the s2k for mixing rather than
relying partly on rc4 key schedule (which the rc4-key-schedule( iv ||
s2k( passphrase ) ) does ).
Probably...
Ah, yes, I suspected you were thinking of SEAL in your earlier
comments on offsets :-) ... SEAL is more than a stream cipher, it is a
pseudo-random function family, so spinning to arbitrary points comes
for free with SEAL. Very nice, agreed. But that trick doesn't work
with RC4.
(:-( What can I say... But maybe, just maybe the idea can be [partially]
"ported"...
--
Regards,
Uri uri(_at_)watson(_dot_)ibm(_dot_)com
-=-=-=-=-=-=-
<Disclaimer>
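The two RC4 key-derivation forms debated in the thread, side by side, as an added example that is not part of the original message or either correspondent's code. It assumes an iterated-SHA-1 string-to-key function as a stand-in for the s2k referred to above, 4-byte IVs, and a constructed sample passphrase, and measures how many key bytes change between two adjacent IVs under each form.

```python
import hashlib

def s2k(data: bytes, iterations: int = 1000) -> bytes:
    """Assumed string-to-key: iterated SHA-1 (stand-in for the s2k in the thread)."""
    h = data
    for _ in range(iterations):
        h = hashlib.sha1(h).digest()
    return h

def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute S under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes (PRGA) for the given key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def key_concat_iv(iv: bytes, passphrase: bytes) -> bytes:
    """First form: rc4-key-schedule( iv || s2k(passphrase) ).
    s2k runs once per passphrase; the IV enters the key bytes verbatim,
    so all of the mixing is left to the RC4 key schedule."""
    return iv + s2k(passphrase)

def key_hash_iv(iv: bytes, passphrase: bytes) -> bytes:
    """Second form: rc4-key-schedule( s2k( iv || passphrase ) ).
    The hash does the mixing; the price is rerunning s2k for every IV."""
    return s2k(iv + passphrase)

def differing_bytes(a: bytes, b: bytes) -> int:
    """Count positions where two equal-length keys differ."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    p = b"correct horse"                                   # constructed passphrase
    iv1, iv2 = bytes([0, 0, 0, 1]), bytes([0, 0, 0, 2])   # constructed adjacent IVs
    print("concat form, key bytes differing:", differing_bytes(key_concat_iv(iv1, p), key_concat_iv(iv2, p)))
    print("hash form, key bytes differing:  ", differing_bytes(key_hash_iv(iv1, p), key_hash_iv(iv2, p)))
```

With the concatenated form the two keys differ in exactly the one IV byte that changed, whereas with the hashed form nearly every byte of the 20-byte key changes.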