Columbia crypto box

Greg Rose ggr at
Mon Feb 10 21:32:01 EST 2003

At 06:12 PM 2/10/2003 -0500, Steven M. Bellovin wrote:
> >In any case, WEP would clearly look very different if it had been designed
> >by cryptographers, and it almost certainly wouldn't use RC4.  Look at
> >CCMP, for instance: it is 802.11i's chosen successor to, and re-design
> >of, WEP.  CCMP uses AES, not RC4, and I think that was a smart move.
> >
>A block cipher is clearly a better choice here.  But there were some
>rational reasons for selecting RC4 (even though I think that on
>balance, the choice was very wrong).

I agree that on balance, the implementation of RC4 for WEP was very wrong. 
But by your own numbers (and on the assumption that RC4 generates bytes 
twice as fast as AES and that the cost of keying is equivalent to 
generating 256 bytes) RC4 should win, computationally, on packets greater 
than 256 bytes.

More modern stream ciphers such as SOBER-t32, SNOW2.0 and Turing, all of 
which explicitly support Initialisation Vectors to generate distinct 
streams, perform much better than AES for a job like this. I happen to have 
the numbers to hand for a comparison of my implementation of Turing vs. 
Brian Gladman's highly optimised AES (because the paper is being presented 
in two weeks at FSE), and computationally speaking Turing overtakes at 
about 100 bytes and generates bytes about 5 times faster from there on. 
SNOW2.0 overtakes almost straight away, and generates bytes about 3 times 
faster (haven't measured that myself, but I believe it). The combination of 
Turing for encryption and HMAC-SHA-1 for MAC outperforms AES even in OCB 
mode on my laptop.

(Lest anyone ask, no, I'm not suggesting adopting Turing or SNOW2.0... 
they're too new. And I'm not trying to promote my own cipher particularly. 

You said: "A block cipher is clearly a better choice here." This is almost, 
for me, the canonical case for a stream cipher. What's clear to you isn't 
clear to me. Can you elucidate, please?


Greg Rose                                       INTERNET: ggr at
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,      
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list