At 12:42 AM 7/31/96 -0700, David Wagner wrote:

...

Those estimates assume that a single FPGA can break RC4 in hours. I think that is an extremely optimistic assumption, given the available public information. But perhaps NSA is orders of magnitude ahead of us in chip design (unlikely) or orders of magnitude ahead of us in RC4 cryptanalysis (and we're back to paranoid musings).

...

...

If we assume a machine designed to break *every* message, NSA's response makes more sense.

I feel like I'm leaning over backwards to defend NSA's response, an extremely uncomfortable position (and I could crack my skull when I fall) :-). The most important issue is, what is NSA's state of the art. If we accept their $1000/FPGA chip, then they are indeed at the bleeding edge, and suffering from the associated low chip yields. If they are at the best cost-performance point for 2-3 years ago or whenever they started approving the export of RC4-40, then they are certainly subject to David Wagner's performance limits. Sorry about mangling quotes. :( This was about a year and a half ago. I can't remember the name of it, but this chip fab industry mag was talking about how the NSA was obtaining out side help in fabricating what was at the time a type of ram that did processing off chip in parrallel.

If the chip was basically routing the problem to different sectors and the same sectors of ram did their own processing on different parts of the same problem how many powers of processing time would this increase the same amount of acerage?* * NSA term for processing. Side note: Wired just recently talked about IRAM or Intelligent ram, and how it seems to be the future of high speed computation. PGP encrypted mail preferred. E-Mail me for my key. Scott J. Schryvers <schryver@radiks.net>