RC5

Infobox block cipher
name = RC5


caption = One round (two half-rounds) of the RC5 block cipher
designers = Ron Rivest
publish date = 1994
derived from =
derived to = RC6, Akelarre
key size = 0 to 2040 bits (128 suggested)
block size = 32, 64 or 128 bits (64 suggested)
structure = Feistel-like network
rounds = 1-255 (12 suggested originally)
cryptanalysis = 12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using 2⁴⁴ chosen plaintexts.In cryptography, RC5 is a block cipher notable for its simplicity. Designed by Ronald Rivest in 1994cite conference|last=Rivest|first=R. L.|year=1994|title=The RC5 Encryption Algorithm|booktitle=Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e|pages=86–96|url=http://theory.lcs.mit.edu/~rivest/Rivest-rc5rev.pdf|format=pdf] , "RC" stands for "Rivest Cipher", or alternatively, "Ron's Code" (compare RC2 and RC4). The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.

Description

Unlike many schemes, RC5 has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128-bit key and 12 rounds.

A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of modular additions and eXclusive OR (XOR)s. The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts.

Cryptanalysis

12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using 2⁴⁴ chosen plaintexts.Biryukov A. and Kushilevitz E. (1998). Improved Cryptanalysis of RC5. EUROCRYPT 1998.] 18–20 rounds are suggested as sufficient protection.

RSA Security, which has a patent on the algorithm, [Rivest, R. L, "Block Encryption Algorithm With Data Dependent Rotation", US patent|5724428, issued on 3 March 1998.] offered a series of US$10,000 prizes for breaking ciphertexts encrypted with RC5, but these contests have been discontinued as of May 2007. A number of these challenge problems have been tackled using distributed computing, organised by Distributed.net. Distributed.net has brute-forced RC5 messages encrypted with 56- and 64-bit keys, and is, as of December 3rd, 2002, working on cracking a 72-bit key. At the current rate, it will take approximately 1,000 years to test every possible key, and thus guarantee completion of the project. [http://stats.distributed.net/projects.php?project_id=8]

ee also

* Madryga
* Red Pike

References

External links

* [http://people.csail.mit.edu/rivest/Rivest-rc5.pdf Rivest's paper describing the cipher]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC5 SCAN's entry for the cipher]
* [http://www.rsasecurity.com/rsalabs/node.asp?id=2251 RSA Laboratories FAQ — What are RC5 and RC6?]
* [http://research.cyber.ee/~lipmaa/crypto/link/block/rc5.php Helger Lipmaa's links on RC5]
* [http://www.google.com/search?q=Patent+5724428 RSA's patent via Google.]