[610] in cryptography@c2.net mail archive
Re: The unmentionable algorithm
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Apr 21 13:33:14 1997
To: jamesd@echeque.com
cc: coderpunks@toad.com, cryptography@c2.net
Date: Sat, 19 Apr 1997 18:38:30 -0400
From: Steven Bellovin <smb@research.att.com>
> RC4 seems to me clearly superior to all other symmetric
> key algorithms. Its elegant simplicity makes it unlikely
> that there is some hidden flaw that no one has yet discovered,
> and it has withstood concentrated and vigorous attack by many
> great cryptographers, and it is very fast.
I'll stay away from the legal part of your posting; the technical
aspects do deserve some comment.
First, RC4 is a stream cipher, not a block cipher. That gives it
certain characteristics, not always desirable. For example, in the
absence of strong authentication, an enemy can make *predictable*
changes to the ciphertext. Similarly, if used by itself there's no
standard way to take advantage of an IV to disguise common prefixes.
(It might be amusing to define something like CBC on top of a stream
cipher.) It depends on an implied counter to determine its state at any
time; this makes it unsuitable for datagram environments. Etc. (Not
that stream ciphers are worse than block ciphers; they're merely
different.)
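The two stream-cipher properties Bellovin lists (predictable ciphertext changes without authentication, and the implied keystream counter that breaks on lost datagrams) can be seen directly with a small RC4 implementation. The following is an added Python example, not code from the posting or from RSA; the key, messages and packets are constructed sample values, and the per-datagram key derivation (HMAC of the long-term key over an explicit sequence number) is one mitigation assumed here for illustration, not something the posting proposes.

```python
import hmac
import hashlib
import struct


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key schedule (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) one message from keystream offset 0."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


KEY = b"constructed-demo-key"          # constructed sample key, not a real secret
MSG = b"PAY 0100 USD TO ALICE"         # constructed sample plaintext


# --- 1. Predictable changes when there is no authentication -----------------
def predictable_modification_demo() -> bytes:
    """Flipping ciphertext bits flips the same plaintext bits; no key needed.
    Returns what the receiver decrypts after the amount field is altered."""
    ct = bytearray(rc4_crypt(KEY, MSG))
    offset = MSG.index(b"0100")                  # amount field position is known
    ct[offset + 1] ^= ord("1") ^ ord("9")        # "0100" becomes "0900"
    return rc4_crypt(KEY, bytes(ct))


def encrypt_then_mac(key: bytes, msg: bytes):
    """Encrypt-then-MAC: the tag covers the ciphertext, so any flip is detected."""
    ct = rc4_crypt(key, msg)
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def verify_and_decrypt(key: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                              # reject tampered ciphertext
    return rc4_crypt(key, ct)


def tamper_detected_demo():
    ct, tag = encrypt_then_mac(KEY, MSG)
    ct = bytearray(ct)
    ct[MSG.index(b"0100") + 1] ^= ord("1") ^ ord("9")
    return verify_and_decrypt(KEY, bytes(ct), tag)   # None: the MAC check fails


# --- 2. Implied counter versus lost datagrams ------------------------------
PACKETS = [b"pkt0:hello", b"pkt1:world", b"pkt2:again"]   # constructed datagrams


def stream_crypt_sequence(key: bytes, chunks) -> list:
    """One continuous keystream across chunks: each chunk's position in the
    keystream is implied by everything that came before it."""
    ks = rc4_keystream(key, sum(len(c) for c in chunks))
    out, pos = [], 0
    for c in chunks:
        out.append(xor_bytes(c, ks[pos:pos + len(c)]))
        pos += len(c)
    return out


def lost_datagram_demo() -> list:
    """Packet 1 is lost in transit, so the receiver applies packet 1's
    keystream to packet 2 and gets garbage."""
    cts = stream_crypt_sequence(KEY, PACKETS)
    return stream_crypt_sequence(KEY, [cts[0], cts[2]])


def per_datagram_key(key: bytes, seq: int) -> bytes:
    # Assumed mitigation: derive an independent RC4 key for each datagram from
    # the long-term key and an explicit sequence number sent in the clear.
    return hmac.new(key, struct.pack(">I", seq), hashlib.sha256).digest()


def datagram_encrypt(key: bytes, seq: int, pt: bytes) -> bytes:
    return struct.pack(">I", seq) + rc4_crypt(per_datagram_key(key, seq), pt)


def datagram_decrypt(key: bytes, packet: bytes) -> bytes:
    seq = struct.unpack(">I", packet[:4])[0]
    return rc4_crypt(per_datagram_key(key, seq), packet[4:])


def lost_datagram_fixed_demo() -> list:
    """With self-contained datagrams, losing packet 1 does not affect packet 2."""
    cts = [datagram_encrypt(KEY, i, p) for i, p in enumerate(PACKETS)]
    return [datagram_decrypt(KEY, c) for c in (cts[0], cts[2])]
```

The malleability half shows why a stream cipher must be paired with a MAC (here encrypt-then-MAC with HMAC-SHA256) before any decrypted field is trusted; the datagram half shows that restoring the lost position information has to be explicit, for example by carrying a sequence number and deriving a fresh key from it, since the cipher itself gives the receiver nothing to resynchronize on.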
Second, I think you overestimate the virtue of simplicity here. DES
itself is simple, except for the S-box design -- and for years, we had
lots of DES-like cipher designs, all intended to avoid the "hidden flaw"
that NSA had inserted in the S-boxes. Of course, around 1991 Biham
and Shamir demonstrated that the S-boxes were really quite strong, and
that random -- and hence simpler -- ones were actually weaker.
Personally, I've long had qualms about the key setup process. It's
never been obvious to me that it achieves a flat distribution across
the input key space. There's going to be a paper published soon that
does some analysis of RC4; I'll be curious to see the results.