[RC5] What if RC5-64 is done

bwilson at fers.com bwilson at fers.com
Fri Jun 1 18:50:18 EDT 2001

On the point of "secure enough", distributed.net isn't necessarily proving that

a government or multinational corporation couldn't easily crack RC5-64.  We're

using leftover cycles of a lot of machines.  The network of participants has 
many variables we can't control - computers not always on, network lag, 
duplicated effort, unauthenticated participants, user-adjustable clients (which

means they can be configured wrongly), and even abuse.  DCTI proper only owns 6

computers that have a direct involvement with managing the project - most of 
the fullproxies are owned by the respective staff members.  (Of course, they 
all run dnetc in addition to their other duties.) 

An organization with size, money and intent could build a much more directed 
engine without all these variables, and could attack the problem much more 
quickly.  It is rumored that the (U.S.) National Security Agency has built a 
dedicated RC5 (DES, 3DES, ECC, pick your flavor) engine to permit examination 
of encrypted traffic.  With the state of the art where it is, it is very 
doubtful they can plug in an encrypted message and read it the next day.  
However, if a message is perceived to be important enough, it could be worth 
the investment of a year's time to extract the message.  Likewise for a 
multinational corporation, to read an encrypted message worth $10B, an cash 
investment of $10M seems reasonable. 

Before anyone asks... If the engine exists, why wouldn't someone at the NSA 
have claimed the prize already?  (a) doing so would admit the existence of the

engine, (b) it's probably very busy on important things, (c) if you had enough

money to invest to build something that powerful, what would you need with a 
lousy $10K? 

If it takes us 10 years to crack RC5-64, does that make it safe?  It's probably

safe for your Aunt Martha's cookie recipe.  It's probably not safe enough if 
you're hiding information about Osama Bin Laden.  For the rest of us in 
between, it might be safe enough, for now.
Bruce Wilson, Manager, FERS Business Services
bwilson at fers.com, 312.245.1750, http://www.fers.com/
PGP KeyID: 5430B995, http://www.lasthome.net/~bwilson/

File not found. Make it up as I go along?
         [OK]         [Cancel] 

	rc5 at lists.distributed.net 
	06/02/2001 02:20 
		        To:        rc5 at lists.distributed.net 
		        cc:        (bcc: Bruce Wilson/Chicago/MP/RSMi) 
		        Subject:        Re: [RC5] What if RC5-64 is done

At 01:17 PM 6/1/01 -0400, you wrote:
>It's the first time i hear something about dnet working on RC5-72 and I hope
>it's not in their mind. We have been working on rc5-64 for more than three
>years and a half and we only have 50% done. We better have to work on
>something else since we all know an encryption higher than 64 bits is safe
>since it would be far to long to decrypt.

Even 64-bit is secure enough if it takes thousands of computers 3.5 years to
exhaust even half of the keyspace. 

Personally, I participate more for the daily stats :)
(which BTW seems to be a bit slow today?) 


To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest 

To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest

More information about the rc5 mailing list