From: raph@netcom.com (Raph Levien)
Date: Tue, 13 Dec 94 11:32:16 PST
To: cypherpunks@toad.com
Subject: Re: More 40-bit RC4 nonsense
Message-ID: <199412131931.LAA27397@netcom9.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Sticking my foot in my mouth, I wrote:

>    If I recall correctly, the first byte out of the RC4 stream has
> about a 40% chance of being the first byte of the key. Thus, if the

Wrong. It _is_ true that the first byte of the key has a 40%
probability of being the first byte of the initial state vector. It is
_not_ true that the first byte of the initial state vector is the
first byte out of the RC4 stream. Next time I will check the (alleged)
source code before making a fool of myself.

Thus, my attack shortcut will not work.

Kipp Hickman informs me that the salt is concatenated with the secret
part in such a way that the secret portion is least significant. This
seems wise because of the key/statevector characteristic, but wouldn't
make too much difference either way in practice.

Sorry for the confusion.

Raph