Re: stream ciphers (Re: 128 bit block ciphers)
>>>>> "Uri" == Uri Blumenthal <uri@xxxxxxxxxxxxxx> writes:
Uri> Adam Back says:
>>> First - an observation. Just like a block cipher must have an IV
>>> (PGP side-stepped this by prepending the message with random
>>> stuff), a stream cipher must have a stream offset.
>>
>> I presume by a stream offset you mean that you spin the stream
>> cipher PRNG for the published offset number of bytes, before using
>> it to encrypt data.
Uri> Yes, that is not my idea, not any more than using IV for
Uri> block ciphers - and for precisely the same purpose.
>> This has a number of problems/added complexities I think:
>> - you have to remember a current offset to avoid re-using offsets (adds
>>   state to symmetric crypto where there is none currently)
Uri> Similarly to having to remember not to re-use IVs.
>> - you incur the performance penalty of spinning the PRNG by the
>> offset number of bytes (eg could be 100s of megs).
Uri> Possibly, but again, I'm not "inventing" it - just sharing the
Uri> crypto rules of using stream ciphers with the list. "Don't blame
Uri> the messenger" (:-)
Hm. That sounds like practical stream cyphers will always be insecure
(to the extent that an unknown stream offset has a significant
security benefit).
An IV can (and should be) random -- all bits unpredictable. A stream
offset may be random but it cannot in practice be random in more than
a modest number of low order bits, so the set of likely values is
necessarily small.
Did I miss something?
paul
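The two points above (that a re-used offset is as bad as a re-used IV, and that "spinning" the PRNG by the offset costs work proportional to the offset), as an added Python example that is not part of the thread. The keystream generator is a constructed stand-in: SHA-256 over key and a block counter, used only so the example runs offline; it is not a recommended cipher, and the key and plaintexts are constructed values.

```python
import hashlib
import struct


class ToyStreamCipher:
    """Constructed stand-in for a stream-cipher PRNG: keystream block i is
    SHA-256(key || i). Only for illustration, not a real cipher."""

    BLOCK = 32  # SHA-256 digest length in bytes

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0      # next keystream block index
        self.buf = b""        # unused bytes left over from the current block
        self.prng_calls = 0   # work counter: number of PRNG (hash) evaluations

    def _next_block(self) -> bytes:
        self.prng_calls += 1
        block = hashlib.sha256(self.key + struct.pack(">Q", self.counter)).digest()
        self.counter += 1
        return block

    def keystream(self, n: int) -> bytes:
        """Return the next n keystream bytes (sequential access only)."""
        out = bytearray()
        while len(out) < n:
            if not self.buf:
                self.buf = self._next_block()
            take = min(n - len(out), len(self.buf))
            out += self.buf[:take]
            self.buf = self.buf[take:]
        return bytes(out)


def spin(cipher: ToyStreamCipher, offset: int) -> None:
    """'Spin' the PRNG: generate and throw away `offset` bytes of keystream,
    which is what a published stream offset requires of a sequential PRNG."""
    cipher.keystream(offset)


def encrypt_at_offset(key: bytes, offset: int, plaintext: bytes):
    """Encrypt plaintext with the keystream starting at `offset`.
    Returns (ciphertext, number of PRNG calls spent, spin included)."""
    c = ToyStreamCipher(key)
    spin(c, offset)
    ks = c.keystream(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct, c.prng_calls


def spin_cost(key: bytes, offset: int) -> int:
    """PRNG calls needed to encrypt a single byte at `offset`: linear in the offset."""
    _, calls = encrypt_at_offset(key, offset, b"\x00")
    return calls


def keystream_reuse_leak(key: bytes, off1: int, off2: int, p1: bytes, p2: bytes) -> bool:
    """True when XOR of the two ciphertexts equals XOR of the two plaintexts,
    i.e. the keystream was re-used. This happens exactly when off1 == off2,
    which is why an offset (like an IV) must never be repeated under one key."""
    c1, _ = encrypt_at_offset(key, off1, p1)
    c2, _ = encrypt_at_offset(key, off2, p2)
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(p1, p2))
    return ct_xor == pt_xor


if __name__ == "__main__":
    key = b"constructed example key"          # constructed, not a real key
    p1, p2 = b"attack at dawn!!", b"retreat at noon!"  # constructed plaintexts
    print("same offset leaks p1^p2:", keystream_reuse_leak(key, 64, 64, p1, p2))
    print("different offsets:      ", keystream_reuse_leak(key, 64, 65, p1, p2))
    for off in (0, 1000, 100_000):
        print(f"offset {off:>7}: {spin_cost(key, off)} PRNG calls to encrypt one byte")
```

The spin cost grows with the offset because this PRNG, like the sequential stream ciphers the thread has in mind, can only move forward one block at a time; a keystream generator that can seek directly to a block (counter-mode style) removes that cost, but not the obligation to remember which offsets have already been used under the key.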