From: thad@hammerhead.com (Thaddeus J. Beier)
To: cypherpunks@toad.com
Message Hash: bbd88ffac4ed1ab1697fe359a747c0912f796becfc7edc13ed446b46914fa0ad
Message ID: <199509110157.SAA01073@hammerhead.com>
Reply To: N/A
UTC Datetime: 1995-09-11 02:02:06 UTC
Raw Date: Sun, 10 Sep 95 19:02:06 PDT
Subject: Re: 64 bit crypto
John A. Limpert says:
> Why would the attacker need to run the key setup 65536 times?
I could have been more clear.
Forgive a little bit of code...
Here is the beginning of the alleged RC4:

    for(counter = 0; counter < 256; counter++)
        state[counter] = counter;
    index2 = 0;
    key->x = key->y = index1 = index2 = 0;
    for(counter = 0; counter < 256; counter++)
    {
        index2 = (key_data_ptr[index1] + state[counter] + index2) % 256;
        swap_byte(&state[counter], &state[index2]);
        index1 = (index1 + 1) % key_data_len;
    }
If it was changed to

    for(counter = 0; counter < 256; counter++)
        state[counter] = counter;
    key->x = key->y = index1 = index2 = 0;
    for(i = 0; i < 65536; i++) { /* stir the pot a long time */
        for(counter = 0; counter < 256; counter++)
        {
            /* index1 and index2 carry over from pass to pass */
            index2 = (key_data_ptr[index1] + state[counter] + index2) % 256;
            swap_byte(&state[counter], &state[index2]);
            index1 = (index1 + 1) % key_data_len;
        }
    }
Then the prepare_key routine would take much, much longer.
The idea is that a 64 bit crypto routine can be arbitrarily
secure against brute-forcing, if you are willing to pay a
runtime penalty every time you use it.
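As an added example (my own code, not the post's or the alleged RC4 source): a complete key schedule with the number of stirring passes as a parameter, plus the cipher itself, so the effect of the extra passes can be checked against the published RC4 test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3). The function names, the rc4_key struct and the rounds parameter are my own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: RC4 key schedule with a configurable number of passes
   over the state table; rounds == 1 is the plain RC4 key schedule. */
typedef struct { uint8_t state[256]; uint8_t x, y; } rc4_key;

static void swap_byte(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* Each extra pass multiplies key-setup cost, and therefore the cost of
   testing one candidate key in a brute-force search, by the same factor. */
void prepare_key(const uint8_t *key_data_ptr, size_t key_data_len,
                 unsigned long rounds, rc4_key *key)
{
    unsigned index1 = 0, index2 = 0, counter;
    for (counter = 0; counter < 256; counter++)
        key->state[counter] = (uint8_t)counter;
    key->x = key->y = 0;
    for (unsigned long i = 0; i < rounds; i++)        /* stir the pot */
        for (counter = 0; counter < 256; counter++) {
            index2 = (key_data_ptr[index1] + key->state[counter] + index2) % 256;
            swap_byte(&key->state[counter], &key->state[index2]);
            index1 = (index1 + 1) % key_data_len;
        }
}

/* Standard RC4 keystream generation, XORed into buf in place. */
void rc4(rc4_key *key, uint8_t *buf, size_t len)
{
    unsigned x = key->x, y = key->y;
    for (size_t n = 0; n < len; n++) {
        x = (x + 1) % 256;
        y = (key->state[x] + y) % 256;
        swap_byte(&key->state[x], &key->state[y]);
        buf[n] ^= key->state[(key->state[x] + key->state[y]) % 256];
    }
    key->x = (uint8_t)x; key->y = (uint8_t)y;
}

/* Returns 1 if "Key"/"Plaintext" with `rounds` passes reproduces the
   published vector BBF316E8D940AF0AD3; only rounds == 1 should. */
int matches_rc4_test_vector(unsigned long rounds)
{
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    rc4_key key;
    memcpy(buf, "Plaintext", 9);
    prepare_key((const uint8_t *)"Key", 3, rounds, &key);
    rc4(&key, buf, 9);
    return memcmp(buf, expect, 9) == 0;
}
```

With 65536 passes the starting permutation, and so the keystream, differs from plain RC4, which is why a stretched key schedule is not interoperable with standard RC4 and must be used on both ends.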
thad
-- Thaddeus Beier email: thad@hammerhead.com
Technology Development vox: 408) 286-3376
Hammerhead Productions fax: 408) 292-8624