[rc5] Why do we do this?

Stephen Langasek vorlon at dodds.net
Fri Oct 31 22:55:18 EST 1997

For the most part, I agree with you, but I had a couple of problems with
your first paragraph...

On Fri, 31 Oct 1997, Kevin van Haaren wrote:

> I've seen this subject broached a couple of times and it usually boils
> down to: "to show the goverment we need stronger encryption".  This is
> bull.  The goverment WANTS weak encryption (soon they'll want us to
> remove the locks on our house to make searches easier).  The amount of
> time it took us to break RC5 probably tells them that RC5-56 is TOO
> STRONG.  They'd actually have to spend money to crack RC5 - something
> they don't want to do.  Remember we had the advantage of a known phrase
> at the beginning of the message, this makes decrypting significantly
> easier.  Decrypting a totally unknown message requires dictionary
> lookups to verify a "possible" hits.  This means more cycles.

You're operating under the assumption that the United States has a
monolithic government. We don't.  When you say that the "government" wants
weak encryption, you're really talking about a single segment of the
government: the enforcement agencies who have become overly self-important
as of late.  They know as well as anyone what they're doing by trying to
limit encryption, but they're not the ones that make the laws.  Political
bias aside ;), Congress and the President don't share the big-brother
vision of the FBI lackeys... Freeh and friends have to convince Congress
to pass the restrictions they want, just as we have to try to convince
them to repeal restrictions.

In truth, the cracking of RC5-56, or of DES, or even of RC5-80 doesn't
sway the laws one way or the other... at least, not /inherently/.  What we
do here provides raw facts about the strengths of encryption, but one
should never trust the facts to speak for themselves before a legislative
body.  RSA didn't set up these contests because they thought the cracking
alone would result in looser standards, they set them up because it
provides *them* with ammunition when they go before Congress (time and
time and time again :) to argue their case.  Ultimately, the facts are on
our side (or at least, RSA seems to think so, and many of us do too), so
it's to our advantage to provide as many hard facts about encryption as we
can.  *That's* what we're doing here.  It's not our job to add the spin to
the story; that's RSA's job.  But RSA has to have something that they can
put a spin on... that's our job.

And the bitter truth is, as long as it feels like it took to crack RC5-56,
*we did it at no cost*.  Most people aren't too worried about the Internet
itself rising up and snatching their encrypted data, because by and large,
the Internet isn't malevolent. :-)  The problem is with, as they say, a
"dedicated enemy."  The FBI and NSA aren't as poor as they'd like to make
themselves out to be before Congress.  They could spend the cash, and they
could crack RC5-56 thousands of times faster.  For that matter, so could
most corporations these days.  That's why we need to keep the encryption
frontier moving forward.

                                -Steve Langasek

P.S.--for the record, show of hands--how many government agents do we have
lurking on this list? ;-)


To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.

More information about the rc5 mailing list