Columbia crypto box

Steven M. Bellovin smb at research.att.com
Mon Feb 10 23:10:37 EST 2003 

In message <5.1.0.14.2.20030211131643.02a92418 at 203.30.171.11>, Greg Rose writes
:
>At 06:12 PM 2/10/2003 -0500, Steven M. Bellovin wrote:
>> >In any case, WEP would clearly look very different if it had been designed
>> >by cryptographers, and it almost certainly wouldn't use RC4.  Look at
>> >CCMP, for instance: it is 802.11i's chosen successor to, and re-design
>> >of, WEP.  CCMP uses AES, not RC4, and I think that was a smart move.
>> >
>>
>>A block cipher is clearly a better choice here.  But there were some
>>rational reasons for selecting RC4 (even though I think that on
>>balance, the choice was very wrong).
>
>I agree that on balance, the implementation of RC4 for WEP was very wrong. 
>But by your own numbers (and on the assumption that RC4 generates bytes 
>twice as fast as AES and that the cost of keying is equivalent to 
>generating 256 bytes) RC4 should win, computationally, on packets greater 
>than 256 bytes.

As I said, there was some rational engineering in there...
>
>More modern stream ciphers such as SOBER-t32, SNOW2.0 and Turing, all of 
>which explicitly support Initialisation Vectors to generate distinct 
>streams, perform much better than AES for a job like this. I happen to have 
>the numbers to hand for a comparison of my implementation of Turing vs. 
>Brian Gladman's highly optimised AES (because the paper is being presented 
>in two weeks at FSE), and computationally speaking Turing overtakes at 
>about 100 bytes and generates bytes about 5 times faster from there on. 
>SNOW2.0 overtakes almost straight away, and generates bytes about 3 times 
>faster (haven't measured that myself, but I believe it). The combination of 
>Turing for encryption and HMAC-SHA-1 for MAC outperforms AES even in OCB 
>mode on my laptop.
>
>(Lest anyone ask, no, I'm not suggesting adopting Turing or SNOW2.0... 
>they're too new. And I'm not trying to promote my own cipher particularly. 
>But...)
>
>You said: "A block cipher is clearly a better choice here." This is almost, 
>for me, the canonical case for a stream cipher. What's clear to you isn't 
>clear to me. Can you elucidate, please?

We have a set of independent messages here.  Stream ciphers are 
generally intended for -- well, streams.  TLS is a good example of 
where I think they can be used.  They also work well with asynchronous 
bytes with irregular arrival time, with a requirement for very low 
overhead (i.e., typed characters, except for the lack of error 
propagation and the predictable change issue).  We have here a set of 
discrete blocks, with no connection between them.  While I certainly 
agree that a MAC is necessary even with a block cipher, it's much more 
critical for a stream cipher, given the ability (noted by Borisov et 
al.) for an attacker to change bits in the destination IP address to 
cause the packet to be routed to a host of the attacker's choice.  
Whether or not that can be done profitably with a block cipher would
depend on the cipher's block size and the packet format.

But it may, ultimately, be a matter of taste....

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list