At 1:29 PM -0400 7/1/99, I wrote:
>
>How much of an improvement 56 bit DES actually gives over the customary
>implementation of "40-bit" RC4 is open to question.  Naively the difference
>is 16 bits or a factor of 64K. However, as I understand it, the "40-bit"
>RC4 is actually 128 bit RC4 with 88 bits of key revealed, effectively
>serving as 88 bits of salt. But there is no way to use salt with DES, so a
>search engine can easily test for many keys at the same time. For a
>surveillance operation one could imagine searching against hundreds of keys
>at once.
>
>Also I did a back-of-the-envelope estimate that suggests RC4 takes about
>the same amount of silicon as DES for a custom logic search engine, but
>runs about 200 times slower due to the key setup.  Together these effects
>could eliminate most of that 64K improvement factor.
>
>It might be better to use "56-bit" RC4 (i.e. 128 bit with 72 bits revealed)
>if this would still be exportable.
>

I must retract part of what I wrote above. Using DES in feedback mode (e.g.
CBC) along with a random or unique IV prevents the attack I described, with
the IV providing essentially the same benefits as salt. Thus 56-bit DES-CBC
should be a major improvement over "40-bit" RC4. On the other hand, I still
contend DES-ECB would be a step backward. Does the IETF's DES proposal
include feedback and a suitable IV?

I think there is some relevance here to the more political question of
whether IETF should bless any DES implementation. Details matter. Well
thought out and publicly reviewed standards are vital, even for weak
encryption.

Arnold Reinhold
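
The cost argument in this message, as an added example that is not part of the original post: it counts the trial encryptions an exhaustive key search needs against many intercepted messages, first with no IV (ECB) and then with a unique IV per message (CBC first block). The cipher is a toy 32-bit Feistel construction with 12-bit keys standing in for DES, and the known plaintext block, seed and function names are constructed for the illustration.

```python
import hashlib
import random

KEY_BITS = 12  # toy key space (assumption) so the full search runs in about a second

def toy_encrypt(key: int, block: int) -> int:
    """Toy 32-bit Feistel cipher. A stand-in for DES, not DES itself."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        h = hashlib.sha256(f"{key}:{rnd}:{right}".encode()).digest()
        left, right = right, left ^ int.from_bytes(h[:2], "big")
    return (left << 16) | right

def search(targets, known_plain):
    """targets: list of (iv, first ciphertext block); iv is 0 for ECB.
    Returns ({target index: [matching keys]}, trial encryptions performed)."""
    # The cipher input is P xor IV. Targets sharing an input share one trial.
    by_input = {}
    for idx, (iv, ct) in enumerate(targets):
        by_input.setdefault(known_plain ^ iv, {}).setdefault(ct, []).append(idx)
    found, work = {}, 0
    for key in range(1 << KEY_BITS):
        for cipher_in, by_ct in by_input.items():
            work += 1  # one trial encryption
            for idx in by_ct.get(toy_encrypt(key, cipher_in), []):
                found.setdefault(idx, []).append(key)
    return found, work

def demo(n_targets=20, seed=1999):
    rng = random.Random(seed)                # constructed, reproducible sample data
    plain = 0x47455420                       # constructed known plaintext block
    keys = [rng.randrange(1 << KEY_BITS) for _ in range(n_targets)]
    ivs = rng.sample(range(1 << 32), n_targets)   # unique IV per message
    ecb = [(0, toy_encrypt(k, plain)) for k in keys]
    cbc = [(iv, toy_encrypt(k, plain ^ iv)) for k, iv in zip(keys, ivs)]
    return keys, search(ecb, plain), search(cbc, plain)

if __name__ == "__main__":
    keys, (_, ecb_work), (_, cbc_work) = demo()
    print(f"ECB, no IV:     {ecb_work} trials for {len(keys)} targets")
    print(f"CBC, unique IV: {cbc_work} trials for {len(keys)} targets")
```

Without an IV, one pass over the key space covers every target at once; with unique IVs the same pass costs one trial per target per key, which is the salt-like benefit the retraction describes.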