1994-09-15 - Re: thoughts on RC4

Header Data

From: Mike Johnson second login <exabyte!gedora!mikej2@uunet.uu.net>
To: Bill Sommerfeld <gedora!uunet!orchard.medford.ma.us!sommerfeld@uunet.uu.net>
Message Hash: 81b2d336d64b46753b6075f750b3858473f6de0eb668dc7083b65d6d7a687640
Message ID: <Pine.3.89.9409151639.A26111-0100000@gedora>
Reply To: <199409151705.NAA00703@orchard.medford.ma.us>
UTC Datetime: 1994-09-15 22:41:47 UTC
Raw Date: Thu, 15 Sep 94 15:41:47 PDT

Raw message

From: Mike Johnson second login <exabyte!gedora!mikej2@uunet.uu.net>
Date: Thu, 15 Sep 94 15:41:47 PDT
To: Bill Sommerfeld <gedora!uunet!orchard.medford.ma.us!sommerfeld@uunet.uu.net>
Subject: Re: thoughts on RC4
In-Reply-To: <199409151705.NAA00703@orchard.medford.ma.us>
Message-ID: <Pine.3.89.9409151639.A26111-0100000@gedora>
MIME-Version: 1.0
Content-Type: text/plain




On Thu, 15 Sep 1994, Bill Sommerfeld wrote:

> > I wonder if the NSA would approve it?  I think it was Bill Sommerfeld
> > who pointed out that it was a little curious that NSA approves RC4 with a
> > 40 bit key when hardware-assisted search like the DES key cracker would
> > appear to be impractical.
> 
> Actually, I'm not sure that it's that impractical, but I don't know a
> heck of a lot about VLSI or hardware design.  A fully pipelined chip
> would require significantly more chip area than the DES cracker,
> but you probably don't need that.  I'm pretty sure you could make a
> blazingly fast, non-pipelined, chip with a "key setup" unit and then a
> "trial encrypt" unit which run in parallel; you clock the key setup
> unit 256 times to set up the key, then the key gets fed to the trial
> encrypt unit where it gets tried against the known
> plaintext/ciphertext pair..
>... 

Don't forget the precomputation attack.  The key setup only has to be done
2^40 times, ever.  The initial state of the stream cipher can be stored on
a set of tapes that are read in parallel to perform the brute force
attack. 
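
The point made in the reply above, that RC4 key setup depends only on the key and so its result can be computed once and stored, shown as an added example that is not part of the original message. It uses textbook RC4; the function names, the 10-bit toy key space and the 256-bytes-per-state storage figure are assumptions made for illustration.

```python
# Added example (not from the thread): RC4 split into key setup and output phases.

def ksa(key: bytes) -> bytes:
    """Key setup: 256 swap steps. The result depends only on the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytes(s)  # 256-byte initial state; the i and j counters start at 0

def keystream(state: bytes, n: int) -> bytes:
    """Output phase, run from a stored initial state without the key."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def table_bytes(key_bits: int, state_len: int = 256) -> int:
    """Storage for one stored state per key (assumes 256 bytes per state)."""
    return (1 << key_bits) * state_len

def build_table(key_bits: int) -> dict:
    """Toy-sized table: key setup is run once per key and never again."""
    nbytes = (key_bits + 7) // 8
    return {k: ksa(k.to_bytes(nbytes, "big")) for k in range(1 << key_bits)}

def match(table: dict, known_pt: bytes, known_ct: bytes) -> list:
    """Compare stored states against a known pair; no key setup is repeated."""
    ks = xor(known_pt, known_ct)
    return [k for k, st in table.items() if keystream(st, len(ks)) == ks]

if __name__ == "__main__":
    table = build_table(10)                      # constructed 10-bit key space
    pt = b"constructed sample"                   # constructed known plaintext
    ct = xor(pt, keystream(ksa((0x2A5).to_bytes(2, "big")), len(pt)))
    print("matching toy keys:", [hex(k) for k in match(table, pt, ct)])
    print("bytes for 2^40 stored states:", table_bytes(40))  # 2^48 bytes
```

Because nothing message-specific enters the key setup, the table is reusable across every message encrypted under the same key format; mixing a per-message value into the key is what prevents that reuse.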





