Damien Miller <[EMAIL PROTECTED]> writes:
> What risks does using a predictable IV bring?
[...]
> Would the system be weakened if I was to use just the block number?

I'd avoid it. You needn't do something computationally onerous --
getting a pseudorandom stream from an RC4 generator will be fine --
but if you use a nice known sequence of sequential IVs you are going
to end up feeding slowly varying known goo into the crypto
algorithm. Although this isn't quite what one does when trying to get
texts for differential cryptanalysis, it does feel uncomfortably
similar, no?

Given that an RC4 generator takes next to no time to knock out eight
bytes of IV for you, why not do that and avoid possible future risk?
Since the application is IVs, even if there are flaws in RC4 they
won't hurt you -- the point is just that you end up with a nice
bit-shuffled IV sequence.

Perry
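An added illustration of the point above (not code from the thread): it compares the "just the block number" IV scheme with a keyed pseudorandom derivation of the IV from the same block number, using HMAC-SHA256 as an assumed stand-in for the RC4 stream Perry suggests, and measures how many of the 64 IV bits change between adjacent blocks. The secret `iv_key` is an assumption of the example.

```python
import hmac
import hashlib
import struct

IV_LEN = 8  # the thread is about eight-byte IVs


def sequential_iv(block_no: int) -> bytes:
    """The scheme asked about: the IV is simply the block number."""
    return struct.pack(">Q", block_no)


def keyed_iv(iv_key: bytes, block_no: int) -> bytes:
    """Assumed alternative: derive the IV from the block number through a
    keyed PRF (HMAC-SHA256 here, standing in for the RC4 generator in the
    post). Still locatable by block number, but unpredictable without
    iv_key, so adjacent IVs no longer differ in only a bit or two."""
    msg = struct.pack(">Q", block_no)
    return hmac.new(iv_key, msg, hashlib.sha256).digest()[:IV_LEN]


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def mean_adjacent_distance(gen, n: int = 1000) -> float:
    """Average Hamming distance between IVs of consecutive block numbers.
    Sequential IVs give about 2 (a counter increment flips few bits);
    a pseudorandom derivation gives about 32 of 64."""
    ivs = [gen(i) for i in range(n)]
    return sum(hamming(ivs[i], ivs[i + 1]) for i in range(n - 1)) / (n - 1)


if __name__ == "__main__":
    key = b"constructed-demo-iv-key"  # constructed sample key
    print("sequential:", mean_adjacent_distance(sequential_iv))
    print("keyed PRF: ", mean_adjacent_distance(lambda b: keyed_iv(key, b)))
```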
