RC5*
Ronald L. Rivest
MIT Laboratory for Computer Science
545 Technology Square, Cambridge, Mass. 02139
[email protected]
1 Introduction
RC5 was designed with the following objectives in mind.
– RC5 should be a symmetric block cipher. The same secret cryptographic key is used for encryption and for decryption. The plaintext and ciphertext are fixed-length bit sequences (blocks).
– RC5 should be suitable for hardware or software. This means that RC5 should use only computational primitive operations commonly found on typical microprocessors.
– RC5 should be fast. This more-or-less implies that RC5 be word-oriented: the basic computational operations should be operators that work on full words of data at a time.
– RC5 should be adaptable to processors of different word-lengths. For example, as 64-bit processors become available, it should be possible for RC5 to exploit their longer word length. Therefore, the number w of bits in a word is a parameter of RC5; different choices of this parameter result in different RC5 algorithms.
– RC5 should be iterative in structure, with a variable number of rounds. The user can explicitly manipulate the trade-off between higher speed and higher security. The number of rounds r is a second parameter of RC5.
– RC5 should have a variable-length cryptographic key. The user can choose the level of security appropriate for his application, or as required by external considerations such as export restrictions. The key length b (in bytes) is thus a third parameter of RC5.
* RC5 is a trademark of RSA Data Security. Patent pending.
– RC5 should be simple. It should be easy to implement. More importantly, a simpler structure is perhaps more interesting to analyze and evaluate, so that the cryptographic strength of RC5 can be more rapidly determined.
– RC5 should have a low memory requirement, so that it may be easily implemented on smart cards or other devices with restricted memory.
– (Last but not least!) RC5 should provide high security when suitable parameter values are chosen.
In addition, during the development of RC5, we began to focus our attention on an intriguing new cryptographic primitive: data-dependent rotations, in which one word of intermediate results is cyclically rotated by an amount determined by the low-order bits of another intermediate result. We thus developed an additional goal.
– RC5 should highlight the use of data-dependent rotations, and encourage the assessment of the cryptographic strength data-dependent rotations can provide.
The RC5 encryption algorithm presented here hopefully meets all of
the above goals. Our use of “hopefully” refers of course to the fact that
this is still a new proposal, and the cryptographic strength of RC5 is still
being determined.
10 20 0C 0A 20 33 7D 83 05 5F 62 51 BB 09 (in hexadecimal)
specifies an RC5 algorithm (version 1.0) with 32-bit words, 12 rounds, and
a 10-byte (80-bit) key “20 33 ... 09”. RC5 “key-management” schemes
would then typically manage and transmit entire RC5 control blocks,
containing all of the relevant parameters in addition to the usual secret
cryptographic key variable.
4.2 Decryption
The decryption routine is easily derived from the encryption routine.
for i = r downto 1 do
  B = ((B − S[2 ∗ i + 1]) >>> A) ⊕ A;
  A = ((A − S[2 ∗ i]) >>> B) ⊕ B;
B = B − S[1];
A = A − S[0];
P64 = 1011011111100001010100010110001010001010111011010010101001101011
= b7e151628aed2a6b
Q64 = 1001111000110111011110011011100101111111010010100111110000010101
= 9e3779b97f4a7c15
Converting the Secret Key from Bytes to Words. The first algorithmic step of key expansion is to copy the secret key K[0...b − 1] into an array L[0...c − 1] of c = ⌈b/u⌉ words, where u = w/8 is the number of bytes/word. This operation is done in a natural manner, using u consecutive key bytes of K to fill up each successive word in L, low-order byte to high-order byte. Any unfilled byte positions of L are zeroed.
On “little-endian” machines such as an Intel ’486, the above task can be accomplished merely by zeroing the array L, and then copying the string K directly into the memory positions representing L. The following pseudo-code achieves the same effect, assuming that all bytes are “unsigned” and that array L is initially zeroed.
for i = b − 1 downto 0 do
  L[i/u] = (L[i/u] <<< 8) + K[i];
i = j = 0;
A = B = 0;
do 3 ∗ max(t, c) times:
  A = S[i] = (S[i] + A + B) <<< 3;
  B = L[j] = (L[j] + A + B) <<< (A + B);
  i = (i + 1) mod(t);
  j = (j + 1) mod(c);
5 Discussion
6 Implementation
7 Analysis
I’d like to thank Burt Kaliski, Yiqun Lisa Yin, Paul Kocher, and everyone
else at RSA Laboratories for their comments and constructive criticisms.
(Note added in press: I’d also like to thank Karl A. Siil for bringing to my attention a cipher due to W. E. Madryga [2] that also uses data-dependent rotations, albeit in a rather different manner.)
References
1. E. Biham and A. Shamir. A Differential Cryptanalysis of the Data Encryption
Standard. Springer-Verlag, 1993.
2. W. E. Madryga. A high performance encryption algorithm. In Computer Security: A
Global Challenge, pages 557–570. North Holland: Elsevier Science Publishers, 1984.
3. Mitsuru Matsui. The first experimental cryptanalysis of the Data Encryption Stan-
dard. In Yvo G. Desmedt, editor, Proceedings CRYPTO 94, pages 1–11. Springer,
1994. Lecture Notes in Computer Science No. 839.
9 Appendix
(Note: RC5REF.C has been removed from the electronic version for compliance with export restrictions. For further information, send E-mail to [email protected].)
------------------------------------------------------------------
RC5-32/12/16 examples:
1. key = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
plaintext 00000000 00000000 ---> ciphertext EEDBA521 6D8F4B15
2. key = 91 5F 46 19 BE 41 B2 51 63 55 A5 01 10 A9 CE 91
plaintext EEDBA521 6D8F4B15 ---> ciphertext AC13C0F7 52892B5B
3. key = 78 33 48 E7 5A EB 0F 2F D7 B1 69 BB 8D C1 67 87
plaintext AC13C0F7 52892B5B ---> ciphertext B7B3422F 92FC6903
4. key = DC 49 DB 13 75 A5 58 4F 64 85 B4 13 B5 F1 2B AF
plaintext B7B3422F 92FC6903 ---> ciphertext B278C165 CC97D184
5. key = 52 69 F1 49 D4 1B A0 15 24 97 57 4D 7F 15 31 25
plaintext B278C165 CC97D184 ---> ciphertext 15E444EB 249831DA
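Since RC5REF.C is absent from this version, the following is an added worked implementation, written for this edit and not the paper's own code, that ties together the control-block example of Section 4.1, the decryption pseudo-code of Section 4.2, the key-expansion pseudo-code of Section 4.3 and the appendix test vectors. It assumes the control-block layout implied by the example (one byte each for version, w, r and b, then b key bytes; version 0x10 read as 1.0), takes P64/Q64 from the paper's listing, and uses P32 = B7E15163 and Q32 = 9E3779B9, which this excerpt does not print but which the full RC5 specification defines; the initialisation of S as P, P+Q, P+2Q, ... is likewise the specification's first step, elided here. The names `parse_control_block`, `RC5` and `check_appendix_vectors` are this example's own. The appendix prints A and B as word values, so the vectors are checked as words.

```python
# Added example implementation of RC5-w/r/b in pure Python; this is NOT the
# paper's RC5REF.C. P64/Q64 are as printed in the paper; P32/Q32 are taken
# from the full RC5 specification (not shown in this excerpt).
MAGIC = {
    32: (0xB7E15163, 0x9E3779B9),
    64: (0xB7E151628AED2A6B, 0x9E3779B97F4A7C15),
}


def parse_control_block(block: bytes):
    """Split an RC5 control block into (version, w, r, b, key).

    Layout assumed from the paper's example 10 20 0C 0A 20 33 ... 09:
    one byte each for version (0x10 = 1.0), w, r, b, then b key bytes.
    """
    if len(block) < 4:
        raise ValueError("control block too short")
    version, w, r, b = block[0], block[1], block[2], block[3]
    key = bytes(block[4:])
    if len(key) != b:
        raise ValueError(f"control block declares b={b} but carries {len(key)} key bytes")
    return version, w, r, b, key


class RC5:
    """RC5-w/r/b: w-bit words, r rounds, b-byte secret key."""

    def __init__(self, key: bytes, w: int = 32, r: int = 12):
        if w not in MAGIC:
            raise ValueError("this example supports w = 32 or 64")
        if not 0 <= len(key) <= 255:
            raise ValueError("key length b must be 0..255 bytes")
        self.w, self.r = w, r
        self.mask = (1 << w) - 1
        self.S = self._expand_key(key)

    # Data-dependent rotations: only the low-order lg(w) bits of y are used.
    def _rotl(self, x, y):
        y &= self.w - 1
        return ((x << y) | (x >> (self.w - y))) & self.mask

    def _rotr(self, x, y):
        y &= self.w - 1
        return ((x >> y) | (x << (self.w - y))) & self.mask

    def _expand_key(self, key):
        w, r, mask = self.w, self.r, self.mask
        u = w // 8                      # bytes per word
        b = len(key)
        c = (max(b, 1) + u - 1) // u    # c = ceil(max(b,1)/u) words
        t = 2 * (r + 1)                 # size of the round-key table S
        # Step 1 (paper's pseudo-code): key bytes -> words L, low-order byte first.
        L = [0] * c
        for i in range(b - 1, -1, -1):
            L[i // u] = ((L[i // u] << 8) + key[i]) & mask
        # Step 2 (from the full specification): S = P, P+Q, P+2Q, ... mod 2^w.
        P, Q = MAGIC[w]
        S = [(P + i * Q) & mask for i in range(t)]
        # Step 3 (paper's pseudo-code): mix L into S over 3*max(t, c) iterations.
        i = j = A = B = 0
        for _ in range(3 * max(t, c)):
            A = S[i] = self._rotl((S[i] + A + B) & mask, 3)
            B = L[j] = self._rotl((L[j] + A + B) & mask, A + B)
            i = (i + 1) % t
            j = (j + 1) % c
        return S

    def encrypt_block(self, A, B):
        S, mask = self.S, self.mask
        A = (A + S[0]) & mask
        B = (B + S[1]) & mask
        for i in range(1, self.r + 1):
            A = (self._rotl(A ^ B, B) + S[2 * i]) & mask
            B = (self._rotl(B ^ A, A) + S[2 * i + 1]) & mask
        return A, B

    def decrypt_block(self, A, B):
        # The paper's Section 4.2 pseudo-code: rounds undone in reverse order.
        S, mask = self.S, self.mask
        for i in range(self.r, 0, -1):
            B = self._rotr((B - S[2 * i + 1]) & mask, A) ^ A
            A = self._rotr((A - S[2 * i]) & mask, B) ^ B
        B = (B - S[1]) & mask
        A = (A - S[0]) & mask
        return A, B


def check_appendix_vectors():
    """Re-run the first two RC5-32/12/16 examples from the appendix (A, B as words)."""
    v1 = RC5(bytes(16)).encrypt_block(0x00000000, 0x00000000)
    k2 = bytes.fromhex("915F4619BE41B2516355A50110A9CE91")
    v2 = RC5(k2).encrypt_block(0xEEDBA521, 0x6D8F4B15)
    return v1 == (0xEEDBA521, 0x6D8F4B15) and v2 == (0xAC13C0F7, 0x52892B5B)


if __name__ == "__main__":
    # The control block from Section 4.1 selects RC5-32/12/10 with the 10-byte key.
    ver, w, r, b, key = parse_control_block(bytes.fromhex("10200C0A20337D83055F6251BB09"))
    cipher = RC5(key, w, r)
    ct = cipher.encrypt_block(0x01234567, 0x89ABCDEF)  # constructed sample block
    print(f"RC5-{w}/{r}/{b}: {ct[0]:08X} {ct[1]:08X} ->", cipher.decrypt_block(*ct))
    print("appendix vectors OK:", check_appendix_vectors())
```

Changing `w` to 64 exercises the P64/Q64 pair the paper prints; the same mixing loop and round structure apply unchanged, which is the point of making the word size a parameter.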