Introduction
RC5 is a fast symmetric block cipher suitable for hardware
or software implementations. A novel feature
of RC5 is the heavy use of data-dependent rotations.
RC5 has a variable-length secret key, providing flexibility
in its security level.
RC5 is a parameterized algorithm, and a particular
RC5 algorithm is designated as RC5-w/r/b. We
summarize these parameters below:
w The word size, in bits. The standard value is 32
bits; allowable values are 16, 32, and 64. RC5
encrypts two-word blocks: plaintext and
ciphertext blocks are each 2w bits long.
r The number of rounds. Allowable values are
0, 1, …, 255.
b The number of bytes in the secret key K. Allowable
values of b are 0, 1, …, 255.
RC5 uses an “expanded key table” S, derived from the
user’s supplied secret key K. The size t of table S depends
on the number r of rounds: S has t = 2(r+1) words.
It is not intended that RC5 be secure for all possible
parameter values. On the other hand, choosing the
maximum parameter values would be overkill for most
applications.
We provide a variety of parameter settings so that
users may select an encryption algorithm whose
security and speed are optimized for their application,
while providing an evolutionary path for adjusting
their parameters as necessary in the future. As an
example, RC5-32/16/7 is an RC5 algorithm with the
number of rounds and the length of key equivalent to DES. Unlike unparameterized DES, however, an RC5
user can easily upgrade the above choice to an 80-bit
key by moving to RC5-32/16/10.
As technology improves, and as the true strength of
RC5 algorithms becomes better understood through
analysis, the most appropriate parameters can be chosen.
We propose RC5-32/12/16 as providing a “nominal”
choice of parameters. Further analysis is needed
to analyze the security of this choice.
Overview of the Algorithm
RC5 consists of three components: a key expansion
algorithm, an encryption algorithm, and a decryption
algorithm. These algorithms use the following three
primitive operations (and their inverses).
1. Two’s complement addition of words, denoted by
“+”. This is modulo-2w addition.
2. Bit-wise exclusive-OR of words, denoted by ³.
3. A left-rotation (or “left-spin”) of words: the
rotation of word x left by y bits is denoted x <<< y.
Only the lg(w) low-order bits of y are used to
determine the rotation amount, so that y is
interpreted modulo w.
Encryption and Decryption
We assume that the input block is given in two w-bit
registers A and B. We also assume that key-expansion
has already been performed, so that the array
S[0...t-1] has been computed. Below is the encryption
algorithm in pseudo-code. The output is also
placed in registers A and B.
A = A + S[0];
B = B + S[1];
FOR i = 1 TO r DO
A = ((A ³ B) <<< B) + S[2*i];
B = ((B ³ A) <<< A) + S[2*i+1];
We note the exceptional simplicity of this five-line
algorithm. We also note that each RC5 round updates
both registers A and B, whereas a “round” in
DES updates only half of its registers. An RC5 “halfround”
(one of the assignment statements updating
A or B in the body of the loop above) is thus perhaps
more analogous to a DES round.
The decryption algorithm can be easily derived from
the encryption algorithm.
RC5 is a fast symmetric block cipher suitable for hardware
or software implementations. A novel feature
of RC5 is the heavy use of data-dependent rotations.
RC5 has a variable-length secret key, providing flexibility
in its security level.
RC5 is a parameterized algorithm, and a particular
RC5 algorithm is designated as RC5-w/r/b. We
summarize these parameters below:
w The word size, in bits. The standard value is 32
bits; allowable values are 16, 32, and 64. RC5
encrypts two-word blocks: plaintext and
ciphertext blocks are each 2w bits long.
r The number of rounds. Allowable values are
0, 1, …, 255.
b The number of bytes in the secret key K. Allowable
values of b are 0, 1, …, 255.
RC5 uses an “expanded key table” S, derived from the
user’s supplied secret key K. The size t of table S depends
on the number r of rounds: S has t = 2(r+1) words.
It is not intended that RC5 be secure for all possible
parameter values. On the other hand, choosing the
maximum parameter values would be overkill for most
applications.
We provide a variety of parameter settings so that
users may select an encryption algorithm whose
security and speed are optimized for their application,
while providing an evolutionary path for adjusting
their parameters as necessary in the future. As an
example, RC5-32/16/7 is an RC5 algorithm with the
number of rounds and the length of key equivalent to DES. Unlike unparameterized DES, however, an RC5
user can easily upgrade the above choice to an 80-bit
key by moving to RC5-32/16/10.
As technology improves, and as the true strength of
RC5 algorithms becomes better understood through
analysis, the most appropriate parameters can be chosen.
We propose RC5-32/12/16 as providing a “nominal”
choice of parameters. Further analysis is needed
to analyze the security of this choice.
Overview of the Algorithm
RC5 consists of three components: a key expansion
algorithm, an encryption algorithm, and a decryption
algorithm. These algorithms use the following three
primitive operations (and their inverses).
1. Two’s complement addition of words, denoted by
“+”. This is modulo-2w addition.
2. Bit-wise exclusive-OR of words, denoted by ³.
3. A left-rotation (or “left-spin”) of words: the
rotation of word x left by y bits is denoted x <<< y.
Only the lg(w) low-order bits of y are used to
determine the rotation amount, so that y is
interpreted modulo w.
Encryption and Decryption
We assume that the input block is given in two w-bit
registers A and B. We also assume that key-expansion
has already been performed, so that the array
S[0...t-1] has been computed. Below is the encryption
algorithm in pseudo-code. The output is also
placed in registers A and B.
A = A + S[0];
B = B + S[1];
FOR i = 1 TO r DO
A = ((A ³ B) <<< B) + S[2*i];
B = ((B ³ A) <<< A) + S[2*i+1];
We note the exceptional simplicity of this five-line
algorithm. We also note that each RC5 round updates
both registers A and B, whereas a “round” in
DES updates only half of its registers. An RC5 “halfround”
(one of the assignment statements updating
A or B in the body of the loop above) is thus perhaps
more analogous to a DES round.
The decryption algorithm can be easily derived from
the encryption algorithm.
Post a Comment