[Ach] Network Operations Division Cryptographic Requirements

Aaron Zauner azet at azet.org
Wed Mar 8 14:11:40 CET 2017


> On 08 Mar 2017, at 12:39, Hanno Böck <hanno at hboeck.de> wrote:
> 
> On Wed, 8 Mar 2017 12:25:27 +0000
> Aaron Zauner <azet at azet.org> wrote:
> 
>> Yeah, it's not really up to date. I guess purging the first 1024
>> bytes in the bitstream of RC4 would make bias attacks far harder as
>> the biases are at the beginning of the stream. In general this seems
>> to be stupid advice, though.
> 
> It was actually common advice for "safe" RC4 usage for quite a while to
> throw away the first bytes. TLS also does that. I don't recall the exact
> order of events and which paper established what, but over time the
> number of bytes that had to be thrown away grew larger and larger and
> at some point it was shown that RC4 has smaller biases all over the
> keystream and there's no amount of bytes to throw away that makes it
> safe in all situations.

Are you aware of any reasonable attacks on the smaller biases?

Aaron