At 06:12 PM 2/10/2003 -0500, Steven M. Bellovin wrote:
>In any case, WEP would clearly look very different if it had been designed
>by cryptographers, and it almost certainly wouldn't use RC4.  Look at
>CCMP, for instance: it is 802.11i's chosen successor to, and re-design
>of, WEP.  CCMP uses AES, not RC4, and I think that was a smart move.
>

>A block cipher is clearly a better choice here.  But there were some
>rational reasons for selecting RC4 (even though I think that on
>balance, the choice was very wrong).

I agree that on balance, the implementation of RC4 for WEP was very wrong. But by your own numbers (and on the assumption that RC4 generates bytes twice as fast as AES and that the cost of keying is equivalent to generating 256 bytes) RC4 should win, computationally, on packets greater than 256 bytes.

More modern stream ciphers such as SOBER-t32, SNOW2.0 and Turing, all of which explicitly support Initialisation Vectors to generate distinct streams, perform much better than AES for a job like this. I happen to have the numbers to hand for a comparison of my implementation of Turing vs. Brian Gladman's highly optimised AES (because the paper is being presented in two weeks at FSE), and computationally speaking Turing overtakes at about 100 bytes and generates bytes about 5 times faster from there on. SNOW2.0 overtakes almost straight away, and generates bytes about 3 times faster (haven't measured that myself, but I believe it). The combination of Turing for encryption and HMAC-SHA-1 for MAC outperforms AES even in OCB mode on my laptop.

(Lest anyone ask, no, I'm not suggesting adopting Turing or SNOW2.0... they're too new. And I'm not trying to promote my own cipher particularly. But...)

You said: "A block cipher is clearly a better choice here." This is almost, for me, the canonical case for a stream cipher. What's clear to you isn't clear to me. Can you elucidate, please?

regards,
Greg.

Greg Rose INTERNET: [EMAIL PROTECTED]
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C

