[Cryptography] RC4 again (actual security, scalability and other discussion)

Nemo nemo at self-evident.org
Sun Mar 9 12:31:57 EDT 2014

This entire discussion is premised on falsehoods.

The people attacking our systems, now and (especially) in the future,
are *smarter than we are*. That means they can and will imagine things
that you and I cannot.

There are two possible ways to deal with this fact: (1) Keep adding
complexity to your design until you do not see how to break it; or (2)
_simplify_ your design until it is provably secure, based on minimal
assumptions, against "unrealistically" powerful attackers.

Academic cryptographers work on (2) because (1) has failed over and
over and over and over again.

So the question is not: "How can the adversary break our system?" The
question is: "How much power can we assume the adversary has and still
prove that we can win?"

Academic cryptography has discovered lots of concepts -- PRFs, PRPs,
IND-CPA, IND-CCA, etc. -- and proven that if you start with a
primitive satisfying one concept, and then you build a protocol around
that primitive like so-and-so, then you obtain a system that provably
satisfies some other concept.

There simply is no other rational approach to thwart people who are
smarter than you.

Now, RC4 has been known for at least 15 years not to satisfy *any*
relevant concepts as a cryptographic primitive. So it makes less than
no sense to use it in any design for the past 15 years, never mind the

In my experience, there are only two kinds of engineers: Those who get
all of this right away, and those who never will. (The Linux
/dev/random designers are the canonical example of the latter.) From a
practical standpoint, one core goal should be to keep the second kind
of engineer far away from all discussions, designs, and
implementations of anything remotely related to security.

 - Nemo
