[5234] in cryptography@c2.net mail archive


Re:

daemon@ATHENA.MIT.EDU (James A. Donald)
Tue Jul 27 10:32:48 1999

Date: Tue, 27 Jul 1999 00:19:58 -0700
To: Anonymous <nobody@replay.com>, cryptography@c2.net
From: "James A. Donald" <jamesd@echeque.com>
In-Reply-To: <199907261844.UAA10498@mail.replay.com>

    --
At 08:44 PM 7/26/99 +0200, Anonymous wrote:
> Even aside from active attacks, there is a possible problem based on
> the fact that RC4 can "almost" fall into a repeated-state situation.
> RC4's basic iteration looks like:
>
> (1)	i += 1;
> (2)	j += s[i];
> (3)	swap (s[i], s[j]);
> (4)	output s[s[i] + s[j]];
>
> (everything is mod 256)
>
> The danger is that if it ever gets into the state j = i+1, s[j] = 1,
> then it will stay that way.  It will increment i, then add s[i] to j,
> which will also increment j.  Then when it swaps s[i] and s[j] it will
> make s[j] be 1 again.
>
> However in normal use this never happens, because this condition
> propagates backwards as well as forwards; if we ever are in this state,
> we always were in this state.  And since we don't start that way, we
> never get that way.

Why don't we start that way?

The initialization rule is

    for i = 0 to 255
        j = j + s[i] + input(i)
        swap s[i], s[j]
    next i;

To go bad at the end of initialization it has to wind up in the
state j = 1 (which can always be forced true by some suitable input) and
s[1] = 1.

What stops it from ending up with s[1]=1?

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     I74FW8FWqNrBf8CzhrSySvYMn3IFcXLYeEAZ3Aa5
     4qqMSWYxGsuLx8//wSmIWClleg+wVE07flJBnrFKb
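An added worked example in Python, not from the original mail or either correspondent: it implements the quoted iteration and the key-schedule loop from the reply, checks that a constructed state with j = i+1, s[j] = 1 stays in that state under both the forward step and its inverse (the "propagates backwards as well as forwards" argument), and checks whether a normally keyed stream ever reaches it. It assumes standard RC4, where the output loop starts from i = j = 0 after the key schedule; the keys and the trapped state are constructed.

```python
# Added example, not code from the original mail: the quoted RC4 iteration,
# the self-sustaining state j = i+1, s[j] = 1, and a check against the
# standard key schedule. Assumes standard RC4: KSA, then PRGA from i = j = 0.
def ksa(key):
    # Key-scheduling loop as quoted in the reply; key bytes reused cyclically.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def prga_step(s, i, j):
    # The four quoted lines; mutates s and returns (i, j, output byte).
    i = (i + 1) % 256
    j = (j + s[i]) % 256
    s[i], s[j] = s[j], s[i]
    return i, j, s[(s[i] + s[j]) % 256]

def prga_step_inverse(s, i, j):
    # Undo one step: swap back, then recover the previous j and i.
    s[i], s[j] = s[j], s[i]
    return (i - 1) % 256, (j - s[i]) % 256

def in_trap(s, i, j):
    # The condition the quoted text calls self-sustaining.
    return j == (i + 1) % 256 and s[j] == 1

def trap_persists(steps=1000):
    # Constructed trap state (i=7, j=8, s[8]=1): stays trapped forwards and backwards.
    base = list(range(256))
    base[1], base[8] = base[8], base[1]
    s, i, j = list(base), 7, 8
    for _ in range(steps):
        i, j, _ = prga_step(s, i, j)
        if not in_trap(s, i, j):
            return False
    s, i, j = list(base), 7, 8
    for _ in range(steps):
        i, j = prga_step_inverse(s, i, j)
        if not in_trap(s, i, j):
            return False
    return True

def keystream(key, n):
    # Standard RC4 keystream, used to check the implementation itself.
    s, i, j, out = ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i, j, k = prga_step(s, i, j)
        out.append(k)
    return bytes(out)

def keyed_stream_enters_trap(key, n=100000):
    # Does a normally keyed stream ever reach the trap? Checked before each step.
    s, i, j = ksa(key), 0, 0
    for _ in range(n):
        if in_trap(s, i, j):
            return True
        i, j, _ = prga_step(s, i, j)
    return False
```

Because the output loop begins at i = j = 0, the condition j = i+1 is false at the start, and since the condition is preserved by the inverse step as well, no later state of a normally keyed stream can satisfy it.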