Columbia crypto box

Arnold G. Reinhold reinhold at
Mon Feb 10 22:51:36 EST 2003

At 6:12 PM -0500 2/10/03, Steven M. Bellovin wrote:
>In message <b295ds$l66$1 at>, David Wagner writes:
>>Trei, Peter wrote:
>>>The weird thing about WEP was its choice of cipher. It used RC4, a
>>>stream cipher, and re-keyed for every block. . RC4 is
>>>not really intended for this application. Today we'd
>>>have used a block cipher with varying IVs if neccessary
>>>I suspect that RC4 was chosen for other reasons - ease of
>>>export, smallness of code, or something like that. It runs fast,
>>>but rekeying every block loses most of that advantage.
>>It's hard to believe that RC4 was chosen for technical reasons.
>>The huge cost of key setup per packet (equivalent to generating 256
>>bytes of keystream and then throwing it away) should dominate the other
>>potential advantages of RC4.
>I'm not sure you're right.  While 40-50% of packets are about 40 bytes
>long -- see for some
>older statistics -- most *bytes* are carried by larger packets.  From
>that same site, about 75% of the bytes are carried by packets over 500
>bytes long.
>A quick awk script suggests that given that packet size distribution,
>the total workload to use WEP-style encryption is about double the
>number of bytes.  The overhead is thus substantial -- but RC4's cost
>per byte is quite low, so it was probably a net win.  Other studies
>suggest that LAN packet size distribution is somewhat different, with
>more large packets; that would lower the overhead.

It's worth remembering that the original WEP used 40 bit keys. For 
some time, RC4 with 40 bit keys was the only crypto system that could 
be exported without a license.  It's hard for me to believe that 
export concerns were not the primary factor in the initial choice of 

Arnold Reinhold

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list