ietf-openpgp

Re: ArcFour for OpenPGP [Re: Camellia for OpenPGP]

2007-04-25 02:38:58

Heiko Stamer <stamer(_at_)gaos(_dot_)org> writes:

> Hello,
>
> On Mon, Apr 23, 2007 at 05:45:21PM -0400, David Shaw wrote:
>
> > > I would really appreciate it if I could read a paper (or papers) about
> > > the analysis of this technique.
> >
> > http://eprint.iacr.org/2002/067 actually argues for 512 bytes.
>
> Please note the following paper [1] by Andreas Klein, which has been
> submitted to Designs, Codes and Cryptography. AFAIK his attack is possible
> even if the first bytes of the keystream are discarded.
>
> [1] http://cage.ugent.be/~klein/RC4/RC4-en.ps

The abstract says that the attack works if the initial 256 bytes are
discarded, but the conclusion of the paper says that "If one wants to
use RC4 he should ...discard the output of the first 12 rounds" (i.e.,
12*256 = 3072 bytes).

Reserving a number for RC4 in OpenPGP might make sense, but then again,
given that it seems unclear how many bytes to discard (which you would
have to specify in order to get interoperability), it might be simpler
to have people using RC4 continue to use the private numbers.

Another idea is to have two OpenPGP number allocations for, say,
"RC4-256" and "RC4-3072" which would cover (for RC4-256) discarding 256
bytes, which is used by at least one implementation, and (for RC4-3072)
discarding 3072, which is the most conservative thought-to-be-secure
mode today.

I'd rather just declare RC4 as broken and move on, though.

/Simon
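As an added illustration (not part of this thread or of any OpenPGP implementation): an RC4 keystream generator in which the discard count is an explicit parameter, so the "RC4-256" and "RC4-3072" variants proposed above are simply drop=256 and drop=3072, together with a small experiment showing that one well-known start-of-stream bias (Mantin and Shamir's second-byte bias, 2001) is visible with no discard and gone once 256 bytes are dropped. This shows only what discarding does and does not bear on Klein's attack, which the thread says survives discarding; function names and the seeded test keys are assumptions of this example.

```python
import random

def rc4_keystream(key: bytes, drop: int, n: int) -> bytes:
    """Return n keystream bytes after discarding the first `drop` bytes.
    drop=0 is plain RC4; drop=256 and drop=3072 correspond to the
    "RC4-256" / "RC4-3072" names proposed above (names assumed, not standardised)."""
    # Key-scheduling algorithm (KSA): permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA); the first `drop` outputs are thrown away
    out = bytearray()
    i = j = 0
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if k >= drop:
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the (drop-adjusted) keystream; the same call decrypts."""
    ks = rc4_keystream(key, drop, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def second_byte_zero_rate(drop: int, trials: int = 20000, seed: int = 1) -> float:
    """Fraction of 128-bit keys whose second *kept* keystream byte is 0.
    Mantin and Shamir showed the second RC4 output byte is 0 with probability
    about 1/128, twice the 1/256 of an unbiased stream; the bias sits at the
    start of the stream, so it disappears once the first bytes are discarded.
    Keys come from a seeded PRNG purely so the experiment is reproducible
    (constructed test data, not a secure key source)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, drop, 2)[1] == 0:
            zeros += 1
    return zeros / trials

if __name__ == "__main__":
    # Standard RC4 test vector (no discard): bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    print("drop=0   second-byte-zero rate:", second_byte_zero_rate(0))    # about 1/128
    print("drop=256 second-byte-zero rate:", second_byte_zero_rate(256))  # about 1/256
```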