> On 08 Mar 2017, at 12:39, Hanno Böck <[email protected]> wrote:
>
> On Wed, 8 Mar 2017 12:25:27 +0000
> Aaron Zauner <[email protected]> wrote:
>
>> Yeah, it's not really up to date. I guess purging the first 1024
>> bytes in the bitstream of RC4 would make bias attacks far harder as
>> the biases are at the beginning of the stream. In general this seems
>> to be stupid advice, though.
>
> It was actually common advice for "safe" RC4 usage for quite a while to
> throw away the first bytes. TLS also does that. I don't recall the exact
> order of events and which paper established what, but over time the
> number of bytes that had to be thrown away grew larger and larger and
> at some point it was shown that RC4 has smaller biases all over the
> keystream and there's no amount of bytes to throw away that makes it
> safe in all situations.
Are you aware of any reasonable attacks on the smaller biases?

Aaron
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
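Added illustration, not part of the thread above: a plain RC4 keystream generator with a "drop the first N bytes" option, plus a small experiment showing what the discussion is about. The most visible early-keystream bias is that the second output byte is 0x00 about twice as often as it should be (roughly 2/256 instead of 1/256); discarding the first few hundred bytes removes that particular bias, which is the reasoning behind the old RC4-drop[N] advice. The weaker biases that persist through the whole keystream, which the thread says make RC4 unsafe regardless of how many bytes are dropped, are far smaller and are not visible at this sample size, so the experiment only demonstrates the early bias and its removal. Keys are derived from a seeded PRNG so the run is reproducible; key length, trial count and seed are arbitrary choices for the example.

```python
import random


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n bytes of RC4 keystream for `key`, after discarding the
    first `drop` bytes (the classic RC4-drop[N] construction)."""
    # Key-scheduling algorithm (KSA): permute S based on the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit output bytes.
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) & 0xFF]
        if k >= drop:          # only keep bytes past the drop point
            out.append(z)
    return bytes(out)


def measure_second_byte_zero(trials: int, drop: int = 0, seed: int = 1) -> float:
    """Fraction of random 16-byte keys (constructed from a seeded PRNG)
    whose keystream byte at index 1, after discarding `drop` bytes,
    equals 0x00. A bias-free generator would give about 1/256."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop=drop)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    # Standard test vector: key "Key" produces keystream EB 9F 77 81 B7 ...
    print(rc4_keystream(b"Key", 5).hex())
    uniform = 1 / 256
    early = measure_second_byte_zero(20000)
    dropped = measure_second_byte_zero(20000, drop=256)
    print(f"P[Z2 = 0] without drop: {early:.5f} ({early / uniform:.2f}x uniform)")
    print(f"P[Z2 = 0] after drop-256: {dropped:.5f} ({dropped / uniform:.2f}x uniform)")
```

The second-byte experiment is the easy case; the whole point of the later results the thread refers to is that no drop length cleans up the keystream, so the defensive conclusion is to disable RC4 rather than tune N.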
