[2279] in cryptography@c2.net mail archive
Re: exporting blowfish
daemon@ATHENA.MIT.EDU (Bill Frantz)
Fri Mar 13 10:13:32 1998
In-Reply-To: <199803122216.JAA03227@avalon.qualcomm.com>
Date: Thu, 12 Mar 1998 23:34:38 -0800
To: Greg Rose <ggr@qualcomm.com>, michael shiplett <walrus@ans.net>
From: Bill Frantz <frantz@netcom.com>
Cc: cryptography@c2.net
At 2:16 PM -0800 3/12/98, Greg Rose wrote:
>michael shiplett writes:
>>In trying to get a license to export from the US, I was just told
>>that the use of blowfish is limited not to 40-bits but to 32-bits. Has
>>anyone else run into this?
>
>I haven't run into this specific example, but it
>doesn't surprise me at all. Blowfish has a large
>key schedule overhead (by design). The 40 bit
>limit was imposed to allow NSA brute-force attacks
>to succeed at (what they think of as) reasonable
>cost.
>
>The other example I am aware of involved
>computing a relatively large 256-byte involution
>table based on the key. We don't yet have a
>ruling about whether 40 bits will be acceptable
>or not, but there is no guarantee that it will
>be... except for RC4 which was worked into the
>regulations specifically, you still need specific
>one-time approval.
>
>They might even allow 56-bit ROT-13, you never do
>know... :-)

Note that it takes 511 rounds of Blowfish to set up the key schedule. If
we take the liberty of rounding that up to 512 ==> 2**9. Now 32 bits of
Blowfish sounds an awful lot like 40 bits of something else whose key can be
scheduled in two encryption times. 32+9 == 40+1.
-------------------------------------------------------------------------
Bill Frantz | If hate must be my prison | Periwinkle -- Consulting
(408)356-8506 | lock, then love must be | 16345 Englewood Ave.
frantz@netcom.com | the key. - Phil Ochs | Los Gatos, CA 95032, USA
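
[Added example, not part of the original message or of any Blowfish distribution: a Python model of the Blowfish key-schedule structure that counts the block encryptions spent per candidate key and converts that into the "key bits plus setup cost" figure the message above reasons about. The names BlowfishShape and effective_bits are hypothetical, and the starting tables are constructed placeholders, so the outputs are not real Blowfish ciphertext; run as written it counts 521 encryptions per key setup, which is still about 2**9.]

```python
import math

MASK = 0xFFFFFFFF

class BlowfishShape:
    """Blowfish's Feistel network and key-schedule structure, with constructed
    starting tables (real Blowfish uses hex digits of pi instead)."""

    def __init__(self, key: bytes):
        self.encryptions = 0
        # Constructed placeholder constants, NOT the real Blowfish tables.
        self.P = [(0x9E3779B9 * (i + 1)) & MASK for i in range(18)]
        self.S = [[(0x85EBCA6B * (256 * b + i + 1)) & MASK for i in range(256)]
                  for b in range(4)]
        # Step 1: XOR the key, cycled as needed, into the 18 P-array words.
        for i in range(18):
            word = bytes(key[(4 * i + j) % len(key)] for j in range(4))
            self.P[i] ^= int.from_bytes(word, "big")
        # Step 2: keep encrypting a running block; each 64-bit output replaces
        # two table words (the 18 P words, then the 4 x 256 S-box words).
        l = r = 0
        for table in [self.P] + self.S:
            for i in range(0, len(table), 2):
                l, r = self.encrypt(l, r)
                table[i], table[i + 1] = l, r
        self.setup_encryptions = self.encryptions

    def _f(self, x):
        a, b, c, d = x >> 24, (x >> 16) & 255, (x >> 8) & 255, x & 255
        s = self.S
        return ((((s[0][a] + s[1][b]) & MASK) ^ s[2][c]) + s[3][d]) & MASK

    def encrypt(self, l, r):
        self.encryptions += 1
        for i in range(16):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        l, r = r, l              # undo the swap after the last round
        return l ^ self.P[17], r ^ self.P[16]

def effective_bits(key_bits, setup_encryptions):
    """log2 of exhaustive-search cost, counted in block encryptions of key setup."""
    return key_bits + math.log2(setup_encryptions)

if __name__ == "__main__":
    n = BlowfishShape(bytes(4)).setup_encryptions   # constructed 32-bit key
    print(n, effective_bits(32, n), effective_bits(40, 2))
```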