From: Mok-Kong Shen on 26 Mar 2010 07:30

Maaartin wrote:
> The period? I've just found "The random permutation that implements
> RC4 is likely to have a period larger than 10**100". Do you need more?

The general method of such estimations interests me. Could you please
give a reference?

Thanks,

M. K. Shen

From: Tom St Denis on 26 Mar 2010 08:52

On Mar 26, 7:30 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> Maaartin wrote:
> > The period? I've just found "The random permutation that implements
> > RC4 is likely to have a period larger than 10**100". Do you need more?
>
> The general method of such estimations interests me. Could you please
> give a reference?

There isn't a proof of the period for RC4; people estimate it to be large
because there don't really appear to be degenerative states and the state
is fairly large. I wouldn't suspect that it's on the order of 256! but
it's probably certainly larger than need be for every 128-bit key.

In reality though people should just be using a standard block cipher in
CTR mode if they need streaming-like properties.

Also, I can't re-iterate this enough, GPG is free.

Tom

From: unruh on 26 Mar 2010 11:58

On 2010-03-26, Mok-Kong Shen <mok-kong.shen(a)t-online.de> wrote:
> unruh wrote:
>
>>> But do you consider it is sufficient to do one single swapping of
>>> two elements in the 16-bit case, when one output is created, as is done
>>> in the 8-bit case? (For the percentage change would be comparatively
>>> tiny.) I became interested in the 16-bit case, because I surmise (I
>>> might be wrong, of course, I don't know) that for a similar 16-bit
>>> case the period would be very greatly increased.
>>
>> Period? I guess I would not worry about 2^(2^11).
>
> I still miss your answer to my question of how many swaps need
> to be optimally done.

For what? 16 bit RC4? No idea, but I suspect that one is fine, except
that one needs to discard a fair amount of the initial stream to get rid
of the initial biases.
As I recall, the original recommendations were to discard only a few
(something like 10) of the initial output from 8 bit rc4, but practice
discards something like 256 to play it safe. Exactly how many to discard
from rc4 16 bit I have no idea. But I also have absolutely no idea why
you want to use 16 bit rc4. Your initial reason has proven to be wrong.

>
> M. K. Shen

From: Mok-Kong Shen on 26 Mar 2010 13:58

unruh wrote:
> For what? 16 bit RC4? No idea, but I suspect that one is fine, except
> that one needs to discard a fair amount of the initial stream to get rid
> of the initial biases.
> As I recall, the original recommendations were to discard only a few (
> something like 10) of the initial output from 8 bit rc4, but practice
> discards something like 256 to play it safe. Exactly how many to discard
> from rc4 16 bit I have no idea. But I also have absolutely no idea why
> you want to use 16 bit rc4. Your initial reason has proven to be
> wrong.

I recall that you wrote: "If you really want to implement RC4 on words
you just need a 60000 entry mixing matrix." I wanted to indicate that's
not that simple. For in my humble view one has to investigate the
question whether a single swapping per step is sufficient as you claimed.

M. K. Shen
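
Added example, not part of any post in this thread: the sketch below implements RC4 with one swap per output word for a configurable word size (8 bits is standard RC4) and measures one well-known initial bias, the second output word being 0 about twice as often as a uniform source would give, with and without discarding the first 256 words. The names `rc4_stream` and `second_word_zero_rate`, the straightforward widening to other word sizes, and the seeded random keys are assumptions made for illustration.

```python
# Added illustration: RC4 generalised to w-bit words (w = 8 is standard RC4).
import random

def rc4_stream(key, count, word_bits=8, drop=0):
    """Return `count` keystream words after discarding the first `drop`."""
    n = 1 << word_bits                 # table size: 256 for w=8, 65536 for w=16
    mask = n - 1
    s = list(range(n))
    j = 0
    for i in range(n):                 # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & mask
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = []
    for step in range(drop + count):   # output generation: one swap per word
        i = (i + 1) & mask
        j = (j + s[i]) & mask
        s[i], s[j] = s[j], s[i]
        if step >= drop:               # words before `drop` are thrown away
            out.append(s[(s[i] + s[j]) & mask])
    return out

def second_word_zero_rate(trials, word_bits=8, drop=0, seed=1):
    """Fraction of random 16-word keys whose 2nd kept output word is 0."""
    rng = random.Random(seed)          # constructed sample keys, fixed seed
    n = 1 << word_bits
    hits = 0
    for _ in range(trials):
        key = [rng.randrange(n) for _ in range(16)]
        if rc4_stream(key, 2, word_bits, drop)[1] == 0:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    uniform = 1 / 256
    for drop in (0, 256):
        rate = second_word_zero_rate(20000, drop=drop)
        print(f"drop={drop:3d}: P(word 2 == 0) = {rate:.5f} "
              f"({rate / uniform:.2f}x uniform)")
```

Passing `word_bits=16` runs the same loop over a 65536-entry table; the measurement here says nothing about how many words a 16-bit variant would need to discard.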