[1140] in cryptography@c2.net mail archive
Re: RSA publishes RC2 for IETF Review
daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Jul 1 16:49:13 1997
To: cryptography <cryptography@c2.net>
From: John Kelsey <kelsey@plnet.net>
Date: Mon, 30 Jun 97 11:27:00 CDT
Subject: Re: <fw> RSA publishes RC2 for IETF Review
Cc: cryptography@c2.net
From: colin@nyx.net (Colin Plumb)
Date: Fri, 27 Jun 97 17:48:49 MDT
>Come, now, there are more in that press release. The one
>that really cracked me up was
>
>"RSA is pleased to make its intellectual property available to the IETF in
>support of standards," added Steve Dusse, chief technology officer of RSA.
>
>Uh huh. Right. "The cat got out of the bag on the net last year, and
>still nobody wants it, so here."
Yes. For what it's worth, I think RC2 is very likely to be secure. It's
just that it's fairly slow, and encumbered by licensing issues. I posted
some preliminary cryptanalysis of RC2 to Cypherpunks and sci.crypt last
year; Lars Knudsen has also done some work on RC2. Neither of us found any
practical attacks. The best differential characteristics I could find for
RC2 are single-bit differences--these tend to make it through one ``round''
(four steps) with probability 2^{-4}. With 16 rounds, suppose a 4-R attack
is possible. (I think Lars was able to do this--my best was a 2-R attack,
and it recovered relatively few key bits per right pair, so it needed *lots*
of chosen plaintext pairs). Now, knowing the plaintext block, you can push
your difference through the first round with probability one, and you can
make sure that it makes it into the high-order position once, which means
that it gets one ``round'' with 2^{-3} probability. Thus, you get a right
pair out of round 12 with probability 2^{-47}, or out of round 14 with
probability 2^{-55}. I couldn't seem to get any good linear approximations,
though I didn't spend much time on them: Each bit quickly becomes dependent
on lots of other bits.
Even without the licensing issues, though, I don't expect RC2 to catch on
as a widely-used cipher. We have SAFER-SK128 for low-end processors (512 bytes
of ROM tables and about 26 bytes of RAM needed), and lots of ciphers (Blowfish,
CAST-128, IDEA, triple-DES, DESX) that give us good enough performance on
high-end machines. I can't see what RC2 will add to this.
Is RSA allowing unrestricted use of RC2, or is this still something where
there are potential legal issues with using it?
> -Colin
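As an added illustration of the per-round figures in the message above (example code, not part of the original post or of any RC2 implementation): the RC2 mixing round as later specified in RFC 2268, plus a Monte-Carlo estimate of how often a single-bit XOR difference in R[0] passes through one mixing round as a single-bit difference, and the message's own count of the characteristic exponent over a given number of rounds. The states and round-key words are random constructed values, not real keys.

```python
import random

MASK = 0xFFFF
ROT = (1, 2, 3, 5)  # per-word rotation amounts s[i] from RFC 2268

def rol16(x, n):
    """Rotate a 16-bit word left by n bits."""
    return ((x << n) | (x >> (16 - n))) & MASK

def mix_round(r, k):
    """One RC2 mixing round: mix R[0], R[1], R[2], R[3] in turn.
    r: four 16-bit state words; k: the four 16-bit round-key words."""
    r = list(r)
    for i in range(4):
        a, b, c = r[(i - 1) % 4], r[(i - 2) % 4], r[(i - 3) % 4]
        # R[i] += K[j] + (R[i-1] & R[i-2]) + (~R[i-1] & R[i-3]), then rotate
        r[i] = (r[i] + k[i] + (a & b) + ((a ^ MASK) & c)) & MASK
        r[i] = rol16(r[i], ROT[i])
    return r

def estimate_one_bit_char(bit, trials=20000, seed=1):
    """Fraction of random (state, key) pairs for which flipping `bit` of
    R[0] changes the round output only in bit (bit+1) mod 16 of R[0],
    i.e. the single-bit difference survives the four steps of one round.
    The message's figures predict about 1/16 for a low bit (the addition
    in the R[0] step can carry) and about 1/8 for the high-order bit 15."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable sample
    want = [1 << ((bit + 1) % 16), 0, 0, 0]
    hits = 0
    for _ in range(trials):
        r = [rng.getrandbits(16) for _ in range(4)]
        k = [rng.getrandbits(16) for _ in range(4)]
        r2 = [r[0] ^ (1 << bit)] + r[1:]
        out1, out2 = mix_round(r, k), mix_round(r2, k)
        if [x ^ y for x, y in zip(out1, out2)] == want:
            hits += 1
    return hits / trials

def char_log2_prob(rounds):
    """Log2 probability of the characteristic as counted in the message:
    every round at 2^-4 except one round at 2^-3 (difference in the
    high-order position). Gives -47 for 12 rounds and -55 for 14."""
    return -(4 * rounds - 1)

if __name__ == "__main__":
    print("bit 3 :", estimate_one_bit_char(3))
    print("bit 15:", estimate_one_bit_char(15))
    print("12 rounds: 2^%d, 14 rounds: 2^%d" % (char_log2_prob(12), char_log2_prob(14)))
```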