Requesting feedback on patched RC4-variant

Steven M. Bellovin smb at
Tue Apr 24 18:23:48 EDT 2001

In message < at>, Greg Rose writes:

>Anyway, as a lover of stream ciphers, I just get upset when people point 
>out the bit-twiddling attack, without realising that they are implicitly 
>endorsing using block ciphers without robust integrity protection instead. 
>If it needs integrity protection, add a MAC, and the ciphers are on even 
>ground again.

Not quite, for reasons that are illustrated by the WEP incident.
If you reuse a key with a stream cipher, the results are catastrophic.  
That isn't true with, say, CBC and a block cipher.  Furthermore, the 
bit-twiddling attack on a stream cipher without a MAC is more serious 
than the corresponding attack on CBC, since the attacker can change 
particular bits without error propagation.

To be sure, MACs are very much needed with either cipher, but the 
failure modes aren't always the same.

		--Steve Bellovin,

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list