Abstract
This paper analyzes the security of the RC5 encryption algorithm against differential and linear cryptanalysis. RC5 is a new block cipher recently designed by Ron Rivest. It has a variable word size, a variable number of rounds, and a variable-length secret key. In RC5, the secret key is used to fill an expanded key table which is then used in encryption. Both our differential and linear attacks on RC5 recover every bit of the expanded key table without any exhaustive search. However, the plaintext requirement is strongly dependent on the number of rounds. For 64-bit block size, our differential attack on nine-round RC5 uses $2^{45}$ chosen plaintext pairs (about the same as DES), while $2^{62}$ pairs are needed for 12-round RC5. Similarly, our linear attack on five-round RC5 uses $2^{47}$ known plaintexts (about the same as DES), and the plaintext requirement is impractical for more than six rounds. We conjecture that the linear approximations used in our linear cryptanalysis are optimal. Thus, we conclude that Rivest’s suggested use of 12 rounds is sufficient to make differential and linear cryptanalysis of RC5 impractical.
Copyright information
© 1995 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kaliski, B.S., Yin, Y.L. (1995). On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm. In: Coppersmith, D. (eds) Advances in Cryptology — CRYPTO ’95. CRYPTO 1995. Lecture Notes in Computer Science, vol 963. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44750-4_14
DOI: https://doi.org/10.1007/3-540-44750-4_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-60221-7
Online ISBN: 978-3-540-44750-4
eBook Packages: Springer Book Archive