rotor alternative?

[Paul Rubin]

Peter Hansen <peter at engcorp.com> writes:
> That's kind of the heart of the matter right there: just how good _is_
> rotor, compared to modern algorithms?  Can anyone describe it perhaps
> in comparison with DES/3DES using a kind of "equivalent key size" estimate?

That's not really a sensible question to ask.  The WW2 Enigma machine,
for example, had much more key space than DES/3DES, but it was
vulnerable to cryptanalytic attacks that were far more effective than
brute force.  Rotor itself looks to have been written quite
carelessly.  It's basically a bunch of linear-congruential PRNG's
which are notoriously weak as ciphers.

> My guess is that it's so insecure that most people wouldn't really want
> to use it if they knew how insecure it was, or they would actually decide
> that something like XORing the data is actually adequate and stick with
> that.

It's best to go with that assumption even if breaking rotor is
actually a bit harder.

> I suspect that those who want rotor actually want something stronger
> than it really is, but could actually get by with something even weaker
> than it is (though they don't believe that), and leaving it out of the 
> standard library isn't a real problem, just a perceived one.

Actually it's the other way, lots of people think they can get by with
rotor or with something weaker, when they really need something
stronger.  Leaving rotor IN the standard library is a real problem.