
RC6 Cipher

RC6 is a block cipher created by Ronald Rivest as a candidate for the AES competition. It follows the structure of RC5 and uses four word registers, integer multiplication, a quadratic equation, and fixed bit shifting to improve diffusion compared to RC5. RC6 submissions to AES used 32-bit words, a 128-bit block size, and 20 rounds. The cipher has not been shown vulnerable to any practical attacks and provides adequate security for AES criteria, though it can be broken with linear cryptanalysis up to 16 rounds or differential cryptanalysis up to 12 rounds.

Uploaded by

Sara Marouf
Copyright
© Attribution Non-Commercial (BY-NC)

RC6 Cipher

- Created by Ronald Rivest et al. for AES submission
- Follows the evolution of RC5 cipher
- Parameterized family of algorithms
- Improvements over RC5
  - Uses four w-bit registers
  - Integer multiplication
  - Quadratic equation
  - Fixed bit shifting
- Main design objective: simplicity
- Not reported vulnerable to any known practical attacks
- Consists of three components
  - Key expansion algorithm (identical to RC5 version)
  - Block encryption algorithm
  - Block decryption algorithm

RC6 Structure

- Specification: RC6-w/r/b
  - w is the word size in bits
  - r is the non-negative number of rounds
  - b is the key size in bits
- Round stages
  - Pre-whitening
  - r rounds
  - Post-whitening
- Pre-whitening
  - Removes inference of part of the input to the first round of encryption
- r rounds
  - Uses integer multiplication
  - Uses a quadratic equation f(x) = x(2x + 1) mod 2^w
  - Uses fixed bit shifting
  - All of the above are required for sufficient diffusion

Final RC6 Structure

- Post-whitening
  - Removes inference of part of the input to the last round of encryption
- Key Setup
  - The user supplies a key of b bytes, where 0 ≤ b ≤ 255
  - The key bytes are zero-padded and stored in little-endian order
  - (2r + 4) words are derived and stored in a round key array S
- Diffusion
  - Integer multiplication ensures that the bits used for rotation amounts depend on the bits of x, which is a word or register
  - The quadratic equation increases the avalanche of changes per round
  - The bit shift complicates more advanced cryptanalytic attacks

RC6 Encryption

- B and D are pre-whitened
- The loop controls the rounds defined by r
- A and C are post-whitened

Input: Plaintext stored in four w-bit input registers A,B,C,D
       Number r of rounds
       w-bit round keys S[0,...,2r + 3]
Output: Ciphertext stored in A,B,C,D
Procedure:

    B = B + S[0]
    D = D + S[1]
    for i = 1 to r do {
        t = (B × (2B + 1)) <<< log2 w
        u = (D × (2D + 1)) <<< log2 w
        A = ((A ⊕ t) <<< u) + S[2i]
        C = ((C ⊕ u) <<< t) + S[2i + 1]
        (A,B,C,D) = (B,C,D,A)
    }
    A = A + S[2r + 2]
    C = C + S[2r + 3]

(Rivest et al., 1998a)


RC6 Decryption

- C and A are pre-whitened
- The loop runs in reverse for r rounds
- D and B are post-whitened

Input: Ciphertext stored in four w-bit input registers A,B,C,D
       Number r of rounds
       w-bit round keys S[0,...,2r + 3]
Output: Plaintext stored in A,B,C,D
Procedure:

    C = C - S[2r + 3]
    A = A - S[2r + 2]
    for i = r downto 1 do {
        (A,B,C,D) = (D,A,B,C)
        u = (D × (2D + 1)) <<< log2 w
        t = (B × (2B + 1)) <<< log2 w
        C = ((C - S[2i + 1]) >>> t) ⊕ u
        A = ((A - S[2i]) >>> u) ⊕ t
    }
    D = D - S[1]
    B = B - S[0]

(Rivest et al., 1998a)


RC6 for AES

- RC6-32/20/[16,24,32]
  - 32-bit words
  - 128-bit block size / 4 registers
  - 20 rounds
  - 16-, 24-, and 32-bit keys are available

Input: Plaintext stored in four w-bit input registers A,B,C,D
       20 rounds
       32-bit round keys S[0,...,43]
Output: Ciphertext stored in A,B,C,D
Procedure:

    B = B + S[0]    // Pre-whitening
    D = D + S[1]
    for i = 1 to 20 do {
        t = (B × (2B + 1)) <<< 5
        u = (D × (2D + 1)) <<< 5
        A = ((A ⊕ t) <<< u) + S[2i]
        C = ((C ⊕ u) <<< t) + S[2i + 1]
        (A,B,C,D) = (B,C,D,A)
    }
    A = A + S[42]   // Post-whitening
    C = C + S[43]

More RC6 for AES

(Shimoyama et al., 2000)


AES Candidacy

- To meet the architectural constraints, the use of four w-bit registers permitted better 32-bit implementations
  - RC5 uses 64-bit operations and the constraints do not involve proper implementations
- The 20 rounds were chosen from linear cryptanalysis results
  - 16 rounds could be compromised with linear cryptanalysis

Research Appeal

- Research appeal has expanded the already large knowledge base
  - RC5 has existing research
- Simplicity of the cipher has enticed cryptanalysts to evaluate it
  - Stands open to simple and complex analysis

Performance

- Compactness permits implementation in limited space
- Performance is reported good on most platforms studied in the AES competition
- According to the final AES report, even when performance suffers from variants, the performance loss is not severe
- Encryption uses very little memory
- Decryption has high memory requirements because of an absent on-the-fly round key computation

Security

- Ruled to provide an adequate margin of security for AES criteria
- Proof of security comes from the evaluations performed on RC5 and during AES competition
- Impervious to any known attacks, with AES parameter values

Attacks

- All known attacks are theoretical
- Brute force: not feasible due to plaintext limit of 2^128
- Linear cryptanalysis: effective up to 16 rounds
- Differential cryptanalysis: effective up to 12 rounds
- Statistical attack: analyze distributions to discover round keys

Bibliography

1. Rivest, R.L., Robshaw, M.J.B., Sidney, R., & Yin, Y.L. (1998a). The RC6 Block Cipher. URL: ftp://ftp.rsasecurity.com/pub/rsalabs/rc6/rc6v11.pdf

2. Shimoyama, T., Takeuchi, K., & Hayakawa, J. (2000). Correlation Attack to the Block Cipher RC5 and the Simplified Variants of RC6. 3rd AES Conference (AES3). URL: http://csrc.nist.gov/encryption/aes/round2/conf3/papers/36-tshimoyama.pdf
