Community hub
0 subscribers8 pages, 0 posts
Recent from talks
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Welcome to the community hub built to collect knowledge and have discussions related to RC5.
Nothing was collected or created yet.
from Wikipedia
 One round (two half-rounds) of the RC5 block cipher | |
| General | |
|---|---|
| Designers | Ron Rivest |
| First published | 1994 |
| Successors | RC6, Akelarre |
| Cipher detail | |
| Key sizes | 0 to 2040 bits (128 suggested) |
| Block sizes | 32, 64 or 128 bits (64 suggested) |
| Structure | Feistel-like network |
| Rounds | 1-255 (12 suggested originally) |
| Best public cryptanalysis | |
| 12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using 244 chosen plaintexts.[1] | |
In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994,[2] According to Ron Rivest, RC stands for "Ron's Code"[3] but its documentation gives only RC5 as its name[2]. The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.
Description
[edit]Unlike many schemes, RC5 has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128-bit key, and 12 rounds.
A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive.[citation needed] RC5 also consists of a number of modular additions and eXclusive OR (XOR)s. The general structure of the algorithm is a Feistel-like network, similar to RC2. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts.[according to whom?] RC5 is basically denoted as RC5-w/r/b where w=word size in bits, r=number of rounds, b=number of bytes in the key.
Algorithm
[edit]RC5 encryption and decryption both expand the random key into 2(r+1) words that will be used sequentially (and only once each) during the encryption and decryption processes. All of the below comes from Rivest's revised paper on RC5.[4]
Key expansion
[edit]The key expansion algorithm is illustrated below, first in pseudocode, then example C code copied directly from the reference paper's appendix.
Following the naming scheme of the paper, the following variable names are used:
- w – The length of a word in bits, typically 16, 32 or 64. Encryption is done in 2-word blocks.
- u = w/8 – The length of a word in bytes.
- b – The length of the key in bytes.
- K[] – The key, considered as an array of bytes (using 0-based indexing).
- c – The length of the key in words (or 1, if b = 0).
- L[] – A temporary working array used during key scheduling, initialized to the key in words.
- r – The number of rounds to use when encrypting data.
- t = 2(r+1) – the number of round subkeys required.
- S[] – The round subkey words.
- Pw – The first magic constant, defined as Odd((e − 2) × 2w), where Odd is the nearest odd integer to the given input, e is the base of the natural logarithm, and w is defined above. For common values of w, the associated values of Pw are given here in hexadecimal:
- For w = 16: 0xB7E1
- For w = 32: 0xB7E15163
- For w = 64: 0xB7E151628AED2A6B
- Qw – The second magic constant, defined as Odd((𝜙 − 1) × 2w), where Odd is the nearest odd integer to the given input, where 𝜙 is the golden ratio, and w is defined above. For common values of w, the associated values of Qw are given here in hexadecimal:
- For w = 16: 0x9E37
- For w = 32: 0x9E3779B9
- For w = 64: 0x9E3779B97F4A7C15
# Break K into words
# u = w / 8
c = ceiling(max(b, 1) / u)
# L is initially a c-length list of 0-valued w-length words
for i = b-1 down to 0 do:
L[i / u] = (L[i / u] <<< 8) + K[i]
# Initialize key-independent pseudorandom S array
# S is initially a t=2(r+1) length list of undefined w-length words
S[0] = P_w
for i = 1 to t-1 do:
S[i] = S[i - 1] + Q_w
# The main key scheduling loop
i = j = 0
A = B = 0
do 3 * max(t, c) times:
A = S[i] = (S[i] + A + B) <<< 3
B = L[j] = (L[j] + A + B) <<< (A + B)
i = (i + 1) % t
j = (j + 1) % c
# return S
The example source code is provided from the appendix of Rivest's paper on RC5. The implementation is designed to work with w = 32, r = 12, and b = 16.
void RC5_SETUP(unsigned char *K)
{
// w = 32, r = 12, b = 16
// c = max(1, ceil(8 * b/w))
// t = 2 * (r+1)
WORD i, j, k, u = w/8, A, B, L[c];
for (i = b-1, L[c-1] = 0; i != -1; i--)
L[i/u] = (L[i/u] << 8) + K[i];
for (S[0] = P, i = 1; i < t; i++)
S[i] = S[i-1] + Q;
for (A = B = i = j = k = 0; k < 3 * t; k++, i = (i+1) % t, j = (j+1) % c)
{
A = S[i] = ROTL(S[i] + (A + B), 3);
B = L[j] = ROTL(L[j] + (A + B), (A + B));
}
}
Encryption
[edit]Encryption involved several rounds of a simple function, with 12 or 20 rounds seemingly recommended, depending on security needs and time considerations. Beyond the variables used above, the following variables are used in this algorithm:
- A, B - The two words composing the block of plaintext to be encrypted.
A = A + S[0]
B = B + S[1]
for i = 1 to r do:
A = ((A ^ B) <<< B) + S[2 * i]
B = ((B ^ A) <<< A) + S[2 * i + 1]
# The ciphertext block consists of the two-word wide block composed of A and B, in that order.
return A, B
The example C code given by Rivest is this.
void RC5_ENCRYPT(WORD *pt, WORD *ct)
{
WORD i, A = pt[0] + S[0], B = pt[1] + S[1];
for (i = 1; i <= r; i++)
{
A = ROTL(A ^ B, B) + S[2*i];
B = ROTL(B ^ A, A) + S[2*i + 1];
}
ct[0] = A; ct[1] = B;
}
Decryption
[edit]Decryption is a fairly straightforward reversal of the encryption process. The below pseudocode shows the process.
for i = r down to 1 do:
B = ((B - S[2 * i + 1]) >>> A) ^ A
A = ((A - S[2 * i]) >>> B) ^ B
B = B - S[1]
A = A - S[0]
return A, B
The example C code given by Rivest is this.
void RC5_DECRYPT(WORD *ct, WORD *pt)
{
WORD i, B=ct[1], A=ct[0];
for (i = r; i > 0; i--)
{
B = ROTR(B - S[2*i + 1], A) ^ A;
A = ROTR(A - S[2*i], B) ^ B;
}
pt[1] = B - S[1]; pt[0] = A - S[0];
}
Cryptanalysis
[edit]Twelve-round RC5 (with 64-bit blocks) is susceptible to a differential attack using 244 chosen plaintexts.[1] 18–20 rounds are suggested as sufficient protection.
A number of these challenge problems have been tackled using distributed computing, organised by Distributed.net. Distributed.net has brute-forced RC5 messages encrypted with 56-bit and 64-bit keys and has been working on cracking a 72-bit key since November 3, 2002.[5] As of July 26, 2023, 10.409% of the keyspace has been searched and based on the rate recorded that day, it would take a little more than 59 years to complete 100% of the keyspace.[6] The task has inspired many new and novel developments in the field of cluster computing.[7]
RSA Security, which had a (now expired) patent on the algorithm,[8] offered a series of US$10,000 prizes for breaking ciphertexts encrypted with RC5, but these contests were discontinued as of May 2007.[5] As a result, distributed.net decided to fund the monetary prize. The individual who discovers the winning key will receive US$1,000, their team (if applicable) will receive US$1,000, and the Free Software Foundation will receive US$2,000.[9]
See also
[edit]References
[edit]- ^ a b Biryukov, Alex; Kushilevitz, Eyal (31 May 1998). Improved Cryptanalysis of RC5 (PDF). EUROCRYPT 1998. doi:10.1007/BFb0054119.
- ^ a b Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (PDF). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e. pp. 86–96. Archived from the original (PDF) on 2007-04-17. Retrieved 2004-12-18.
- ^ "Rivest FAQ at csail.mit.edu".
- ^ "The RC5 Encryption Algorithm" (PDF). people.csail.mit.edu. Archived from the original (PDF) on September 21, 2018.
- ^ a b "distributed.net: Project RC5". www.distributed.net. Retrieved 14 December 2019.
- ^ "stats.distributed.net - RC5-72 Overall Project Stats". stats.distributed.net.
- ^ "PlayStation 3 supercomputer places UMass Dartmouth #1 in the world in code cracking challenge list" (Press release). University of Massachusetts Dartmouth. 24 September 2014. Archived from the original on 2022-06-29. Retrieved 2024-01-24.
- ^ Rivest, R. L, "Block Encryption Algorithm With Data Dependent Rotation", U.S. patent 5,724,428, issued on 3 March 1998, expired 1 November 2015.
- ^ "distributed.net: staff blogs – 2008 – September – 08". Retrieved 15 December 2019.
External links
[edit]- Rivests's revised paper describing the cipher
- Rivest's original paper
- SCAN's entry for the cipher
- RSA Laboratories FAQ — What are RC5 and RC6?
- Helger Lipmaa's links on RC5
from Grokipedia
RC5 is a symmetric-key block cipher designed by Ronald L. Rivest of the Massachusetts Institute of Technology in 1994, notable for its simplicity, speed, and parameterization to balance security and performance across hardware and software implementations.[1] The algorithm operates on blocks of data using a variable word size w (typically 16, 32, or 64 bits, resulting in block sizes of 32, 64, or 128 bits), a variable number of rounds r (from 0 to 255, with common values of 8 to 16), and a variable key length b (from 0 to 255 bytes, up to 2040 bits), denoted in the form RC5-w/r/b.[2] Its core operations rely on three primitive arithmetic and logical functions—modular addition, XOR, and left rotation—combined with data-dependent rotations to enhance diffusion and confusion in each round.[1]
The design of RC5 emphasizes adaptability, allowing users to select parameters based on required security levels and computational resources; for instance, RC5-32/12/16 provides strong protection suitable for replacing older ciphers like DES, while supporting modes such as ECB, CBC, CFB, and OFB for practical applications.[2] Key expansion derives a subkey array S from the user key using fixed constants derived from the golden ratio (φ), ensuring even distribution and resistance to weak keys.[3] Encryption begins by XORing the plaintext block (split into two words A and B) with initial subkeys, followed by r iterations of rotation, addition, and XOR operations that progressively mix the data.[1]
RC5 was publicly released to encourage widespread analysis and adoption, with its patent held by RSA Data Security until expiration, and it has been standardized in documents like RFC 2040 for interoperability in protocols.[2] Although not selected for the AES standard due to preferences for fixed-parameter ciphers, RC5 remains influential for its innovative use of rotations and parameter flexibility, influencing subsequent block cipher designs.[3]
Here, denotes left rotation, and all operations are performed modulo to keep values within word size.[4] The rotation amounts in the mixing—fixed by 3 for and variable as for —help avalanche the changes across the subkeys and key words.[4] Once complete, the array provides the subkeys used in the encryption process, with even indices typically for additions and odd for XORs in rounds.[4]
A \leftarrow A + S{{grok:render&&&type=render_inline_citation&&&citation_id=0&&&citation_type=wikipedia}} \pmod{2^w}
B \leftarrow B + S{{grok:render&&&type=render_inline_citation&&&citation_id=1&&&citation_type=wikipedia}} \pmod{2^w}
This primes the data for mixing with the key material.[4] The core of the encryption consists of r iterative rounds, each applying a simple yet effective transformation that leverages data-dependent operations for diffusion and confusion. In round i (for i = 1 to r):
First, update A using an exclusive-or (XOR) of A and B, followed by a left rotation by the value of B (modulo w), and then addition of the corresponding subkey:
Then, symmetrically update B using the new A:
The data-dependent rotation—where the shift amount is derived directly from the data itself—promotes a strong avalanche effect, ensuring that small changes in the input propagate rapidly through subsequent rounds, enhancing resistance to differential analysis.[4] Following the r rounds, the final values of A and B form the 2w-bit ciphertext block, with no additional transformations applied. The complete encryption pseudocode is as follows:
Here, ⊕ denotes XOR, <<< denotes left rotation, and || denotes concatenation. This structure ensures the algorithm's simplicity while achieving high performance on both hardware and software platforms.[4]
Introduction
Description
RC5 is a parameterized family of symmetric key block ciphers designed for efficient implementation in both hardware and software environments. Invented by Ronald Rivest of the Massachusetts Institute of Technology, it emphasizes simplicity and adaptability to varying computational resources.[4] The core structure of RC5 operates as an iterative Feistel-like network, processing plaintext blocks consisting of two w-bit words through a variable number of rounds. It relies on just three primitive operations: bitwise exclusive-or (XOR), addition modulo , and left rotation by a data-dependent amount. These operations enable a streamlined design that promotes both speed and security without complex substitutions or permutations.[4] RC5's flexibility arises from its tunable parameters: the word size (in bits, typically 16, 32, or 64, yielding a block size of bits), the key length (in bytes, ranging from 0 to 255), and the number of rounds (from 0 to 255). The original proposal recommended the configuration RC5-32/12/16, corresponding to a 64-bit block, 128-bit key, and 12 rounds. A key innovation in RC5 is its use of data-dependent rotations, which introduce non-linearity and enhance diffusion across the block.[4]Parameters
RC5 is a parameterized family of block ciphers, with a specific instance denoted as RC5-w/r/b, where w is the word size in bits, r is the number of rounds, and b is the key size in bytes.[5] The word size w determines the length of the words on which operations are performed and thus the block size, which is 2w bits; allowable values are 16, 32, or 64 bits, with 32 bits (yielding a standard 64-bit block) being the nominal choice for most implementations.[5] Smaller w values enable faster execution on hardware with limited word-processing capabilities, while larger w enhances security by increasing the block size and the complexity of arithmetic operations modulo .[5] The computations involve data-dependent rotations by amounts derived from word additions modulo , making larger w more computationally intensive due to wider bit rotations and modular additions.[5] The key size b ranges from 0 to 255 bytes (providing key lengths of 0 to 2040 bits in multiples of 8 bits), offering flexibility for varying security needs; a 128-bit key (b=16) is recommended for adequate protection against brute-force attacks.[5] Longer keys increase resistance to exhaustive search but require more time in the key expansion phase, which mixes the key into subkeys using operations scaled to w-bit words.[5] The number of rounds r ranges from 0 to 255, with 12 rounds originally proposed as a balance between security and efficiency; higher r strengthens the cipher against cryptanalytic attacks at the cost of additional iterations of the core mixing operations.[5] In the algorithm's notation, the plaintext (and ciphertext) block is treated as two w-bit words, A and B.[5] The secret key consists of b bytes, which are loaded into an array of c = \lceil b / (w/8) \rceil w-bit words for key expansion.[5] The key expansion produces a subkey array S of 2(r + 1) w-bit words, which are used in the encryption and decryption rounds.[5]History
Development
RC5 was invented by Ronald L. Rivest, a professor at the Massachusetts Institute of Technology, in 1994 as a symmetric-key block cipher designed to address the limitations of older standards like the Data Encryption Standard (DES), which had a fixed key size and was becoming vulnerable to emerging computational threats.[4] Rivest first presented the algorithm at the CRYPTO '94 conference, held in Santa Barbara, California, where it was published in the proceedings as part of Advances in Cryptology.[6] The primary motivations for developing RC5 stemmed from the need for a cipher that could adapt to rapidly evolving processor technologies in the 1990s, offering flexibility in key length, block size, and number of rounds to suit various security requirements without sacrificing performance.[4] Rivest aimed to create an algorithm that was simple and efficient, emphasizing minimal primitive operations—such as exclusive-or, addition modulo , and data-dependent rotations—to ensure it could be implemented quickly in both software and hardware environments, including on resource-constrained devices like smart cards.[4] This design philosophy was influenced by the simplicity of Rivest's earlier RC4 stream cipher, but adapted for block encryption to provide a versatile alternative to DES amid growing demands for standardized, high-speed cryptography.[7] The initial publication appeared in Rivest's 1994 paper, "The RC5 Encryption Algorithm," which outlined the cipher's parameterized structure (with word size , rounds , and key bytes ) tuned for contemporary hardware like 32-bit microprocessors, positioning RC5 for general-purpose adoption in software applications and embedded systems.[4] Early considerations focused on balancing security and speed, with parameters such as RC5-32/12/16 recommended for replacing DES in typical 1990s computing scenarios.[4]Patent and Licensing
The RC5 block cipher is covered by U.S. Patent No. 5,724,428, titled "Block encryption algorithm with data-dependent rotations," invented by Ronald L. Rivest and assigned to RSA Data Security Inc. (later RSA Security). The patent application was filed on November 1, 1995, and granted on March 3, 1998, encompassing the core RC5 algorithm and its variants that employ data-dependent word rotations for encryption.[8] RSA Security managed licensing for RC5 during the patent's term; commercial implementations typically required paid licenses, while non-commercial, academic, and research uses were permitted without fees.[4] This licensing model allowed broad experimentation in open-source and educational contexts but imposed financial barriers on proprietary software and hardware products.[9] The patent term, governed by U.S. law for applications filed after June 8, 1995, extended 20 years from the filing date, resulting in expiration on November 1, 2015. Following expiration, RC5 entered the public domain, eliminating all licensing restrictions and enabling unrestricted global implementation in any context. The patent's enforcement during its active period limited RC5's commercial adoption in the late 1990s and early 2000s, as organizations favored unencumbered alternatives to avoid royalty fees, contributing to the preference for patent-free ciphers like the Advanced Encryption Standard (AES) in standards and products. Post-expiration, while RC5 remains viable for niche applications, its historical licensing constraints have sustained lower prevalence compared to royalty-free successors.Algorithm
Key Expansion
The key expansion in RC5 derives a set of subkeys from the user-provided secret key, producing an array of words, where each word is bits wide and is the number of rounds.[4] The input is the secret key , an array of bytes where , which is first converted into an array of words, with bytes per word; if necessary, the key is zero-padded to fill the last word.[4] This expansion ensures that the subkeys are thoroughly mixed and diffused, independent of any structure in the original key, to support the cipher's security.[4] The process begins with initializing the subkey array . The first subkey is set to a magic constant , defined as the odd integer closest to , where is the base of the natural logarithm; for the nominal word size , in hexadecimal.[4] Subsequent subkeys are then computed iteratively: for to , , where is another magic constant, the odd integer closest to and is the golden ratio; for , .[4] These constants are chosen to promote good diffusion properties during the mixing phase that follows.[4] The key mixing step then combines the initialized with the key words in through a loop that runs for iterations to ensure even diffusion regardless of the relative sizes of the arrays.[4] Initialize variables , , , and . For each iteration:A ← ((S[i] + A + B) ≪ 3) mod 2^w
S[i] ← A
i ← (i + 1) mod t
B ← ((L[j] + A + B) ≪ (A + B mod 2^w)) mod 2^w
L[j] ← B
j ← (j + 1) mod c
A ← ((S[i] + A + B) ≪ 3) mod 2^w
S[i] ← A
i ← (i + 1) mod t
B ← ((L[j] + A + B) ≪ (A + B mod 2^w)) mod 2^w
L[j] ← B
j ← (j + 1) mod c
Encryption
The RC5 encryption algorithm operates on a 2w-bit plaintext block, divided into two w-bit words denoted as A and B, where w is the word size (typically 16, 32, or 64 bits). The process utilizes a set of 2(r+1) subkeys derived from the secret key, stored in an array S[0..2r+1], with r being the number of rounds (typically 12 or more). All arithmetic additions are performed modulo , and left rotations are by an amount taken modulo w to ensure the shift value stays within the word size.[4] Encryption begins with an initialization step to incorporate the initial subkeys:A \leftarrow A + S{{grok:render&&&type=render_inline_citation&&&citation_id=0&&&citation_type=wikipedia}} \pmod{2^w}
B \leftarrow B + S{{grok:render&&&type=render_inline_citation&&&citation_id=1&&&citation_type=wikipedia}} \pmod{2^w}
This primes the data for mixing with the key material.[4] The core of the encryption consists of r iterative rounds, each applying a simple yet effective transformation that leverages data-dependent operations for diffusion and confusion. In round i (for i = 1 to r):
First, update A using an exclusive-or (XOR) of A and B, followed by a left rotation by the value of B (modulo w), and then addition of the corresponding subkey:
Then, symmetrically update B using the new A:
The data-dependent rotation—where the shift amount is derived directly from the data itself—promotes a strong avalanche effect, ensuring that small changes in the input propagate rapidly through subsequent rounds, enhancing resistance to differential analysis.[4] Following the r rounds, the final values of A and B form the 2w-bit ciphertext block, with no additional transformations applied. The complete encryption pseudocode is as follows:
A ← A + S[0] (mod 2^w)
B ← B + S[1] (mod 2^w)
for i = 1 to r do
A ← ((A ⊕ B) <<< B) + S[2i] (mod 2^w)
B ← ((B ⊕ A) <<< A) + S[2i+1] (mod 2^w)
output A || B (as [ciphertext](/page/Ciphertext))
A ← A + S[0] (mod 2^w)
B ← B + S[1] (mod 2^w)
for i = 1 to r do
A ← ((A ⊕ B) <<< B) + S[2i] (mod 2^w)
B ← ((B ⊕ A) <<< A) + S[2i+1] (mod 2^w)
output A || B (as [ciphertext](/page/Ciphertext))
Decryption
The decryption process for RC5 inverts the encryption operations to recover the plaintext from the ciphertext, using the same expanded key schedule and parameters as encryption. It takes as input the 2w-bit ciphertext, split into two w-bit words A and B, along with the subkey array S[0..2r+1] derived from the key expansion.[4] Then, for each round i from r down to 1, the round function is inverted. Specifically, B is first updated as B ← ((B - S[2i+1]) right-rotate by A) XOR A, followed by A ← ((A - S[2i]) right-rotate by B) XOR B. These steps mirror the encryption rounds but apply the operations in reverse order, with the rotation amounts now derived from the updated values of the other word.[4] Finally, the initial additions are undone: B ← B - S[10], followed by A ← A - S. The resulting words A and B form the w-bit plaintext blocks. For clarity, the core reverse round operations can be expressed as: where denotes right rotation by the specified number of bits (modulo w), and indices denote the state after each reverse round.[4] The reversibility of RC5's decryption stems from the invertibility of its primitive operations: subtraction undoes addition modulo , a right rotation by a known amount (the value of the other word) inverts a left rotation, and XOR is its own inverse. This ensures that applying decryption to the output of encryption yields the original plaintext, establishing a bijection for each parameter set (b, r, w).[4]Security Analysis
Known Attacks
RC5 was introduced in 1994 with claims of resistance to known cryptanalytic techniques, but subsequent analysis revealed vulnerabilities in reduced-round variants and specific parameter sets. Initial cryptanalytic efforts focused on differential and linear methods, with the first results published in 1995 by Kaliski and Yin, who described differential attacks requiring up to chosen plaintexts for 9-round RC5-32 and linear attacks needing known plaintexts for 5 rounds.[11] These early attacks highlighted potential weaknesses in the data-dependent rotations and modular additions, though they were impractical for the nominal 12-round version.[11] Differential cryptanalysis proved the most effective against full-round RC5 variants. In 1997, Knudsen and Meier refined the approach, identifying high-probability differentials and demonstrating that RC5-32/12 has approximately weak keys susceptible to attack with chosen plaintexts, a significant improvement over prior work.[12] Building on this, Biryukov and Kushilevitz introduced a partial differential technique in 1998, enabling a practical attack on the full 12-round RC5-32/12/128 using only chosen plaintexts and time, exploiting biases in the modular additions across multiple rounds.[13] For higher rounds, differential attacks remain feasible only up to 14 rounds with increased complexity exceeding , rendering them impractical.[13] Linear cryptanalysis also targets reduced-round RC5 effectively. The 1995 analysis by Kaliski and Yin outlined an attack on 5-round RC5-32 requiring known plaintexts to recover subkeys, based on linear approximations of the rotation and XOR operations.[11] Selçuk later showed in 1998 that this attack overestimated the bias due to key-dependent effects, providing corrected linear hulls requiring approximately known plaintexts for 5-round RC5-32, and for 6 rounds, with even higher costs for 7 or more rounds.[14] These results underscore the cipher's vulnerability to linear approximations in early rounds but confirm that full 12+ rounds resist linear attacks under standard assumptions.[14] The key schedule of RC5 exhibits weaknesses under related-key scenarios and for certain key classes. Knudsen and Meier noted in 1997 that the schedule's reliance on simple mixing allows related-key differentials to propagate through low-round variants (up to 4-5 rounds) with probability greater than , enabling key recovery with chosen plaintexts under related-key queries.[12] Additionally, biases in the modular addition operation—such as non-uniform distribution modulo small primes—can be exploited in the first few rounds to distinguish RC5 from random permutations using plaintexts, as explored in partitioning attacks analogous to mod cryptanalysis. Heys identified linearly weak keys for 12-round RC5-32/12/128, where linear approximations hold with bias , allowing subkey recovery with known plaintexts.[15] No practical attacks exist on RC5-32 with 14 or more rounds using standard 128-bit keys, as complexities exceed for both differential and linear methods; recommended parameters mitigate these by increasing rounds.[13] However, the 64-bit block size limits security against generic attacks like birthday collisions to effort in multi-block modes, a concern amplified by modern computational capabilities. As of 2025, no practical attacks on full-round RC5 with 14 or more rounds and standard keys have emerged beyond these classical methods.[16]Recommended Parameters
The original recommendations for RC5 parameters, as proposed by its designer Ron Rivest, specified a word size bits (yielding a 64-bit block), 12 rounds (), and a 128-bit key ( bytes).[17] These choices aimed to balance security and performance for software implementations on 32-bit processors.[17] Subsequent cryptanalysis revealed vulnerabilities in the original configuration, particularly to differential attacks on the 12-round version with 64-bit blocks, which can be broken using approximately chosen plaintexts. To mitigate known differential attacks, updated guidance recommends increasing the number of rounds to to for , providing a sufficient security margin against current analytical techniques.[18] For enhanced security, a larger word size of (128-bit block) is preferred, paired with at least 16 rounds as originally suggested for this variant.[17] Key sizes should be at least 128 bits to resist brute-force attacks with current computational resources, with 256 bits recommended for long-term protection against advances in exhaustive search.[17] Regarding block size, the 64-bit option () should be avoided in new designs due to the risk of collisions after approximately blocks in common modes of operation, such as CBC, which could enable practical attacks on large datasets.[18] The 128-bit block () offers adequate security for most applications under classical computing threats but lacks resistance to post-quantum attacks like Grover's algorithm on key search.[17] Increasing enhances security linearly with computational cost, as each round adds modular additions, XORs, and data-dependent rotations; this trade-off is particularly relevant for resource-constrained embedded systems, where to may still be viable if paired with larger .[17] As of 2025, RC5 is not recommended for new cryptographic systems due to its age and the availability of more thoroughly vetted alternatives like AES or ChaCha20, which offer stronger guarantees against both classical and emerging threats.[18] However, it remains viable for legacy applications when using boosted parameters such as , , and bytes to maintain adequate protection.Implementations and Usage
Software Implementations
The reference implementation of RC5, provided by Ronald Rivest in 1994, consists of non-optimized C code for the RC5-32/12/16 variant, which can be readily adapted to different platforms due to its use of basic arithmetic operations.[4] RC5 is supported in several established cryptographic libraries, including OpenSSL (deprecated since version 3.0 and available only via the legacy provider), the C++ library Crypto++, and the Java library Bouncy Castle. In Python, RC5 can be implemented using third-party libraries such as custom modules, though it is not part of the standard cryptography package. RC5 performs efficiently in software owing to its reliance on simple operations like integer addition, XOR, and bit rotation, making it particularly well-suited for 32-bit processors.[4] For instance, a 16-round RC5 implementation achieved approximately 25 clock cycles per byte on a 200 MHz Pentium II processor in 1999 benchmarks.[19] The algorithm's portability stems from its variable parameters for block size (32, 64, or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255), enabling straightforward adaptation to 8-bit, 16-bit, 32-bit, or 64-bit environments without specialized hardware requirements.[4] Although RC5 has been removed from modern standards such as TLS 1.3 due to security concerns with reduced rounds, it persists in legacy systems and is often employed for educational purposes or in non-critical applications.[20]Distributed.net Challenge
In 1997, distributed.net launched its efforts to demonstrate the strength of the RC5 block cipher through distributed computing challenges, beginning with the successful cracking of a 56-bit key variant in just 250 days.[21] The RC5-72 project, targeting a 72-bit key in the RC5-32/12/9 configuration, specifically commenced on December 3, 2002, following the completion of the 64-bit challenge.[22] Sponsored initially by RSA Laboratories, the project offered a US$10,000 prize for discovering the unknown secret key, to be distributed among the finder ($1,000), their team (6,000), and distributed.net ($2,000); however, RSA discontinued the official challenges in May 2007, after which the effort continued under private sponsorship without altering the prize structure.[22] The project employs a brute-force search across the full 2^{72} keyspace, coordinated through volunteer-run client software available in languages including C, Java, and assembly, which download work units (key blocks) from "Bovine" servers and report results upon completion.[22] To ensure accuracy, clients perform RC5 encryptions on a fixed plaintext-ciphertext pair for each candidate key, verifying matches against known values.[23] As of November 18, 2025, participants have searched 14.925% of the keyspace, equivalent to over 705 quintillion keys tested, at a recent rate of approximately 3.7 trillion keys per second.[24] At current rates, the project is projected to exhaust the keyspace in approximately 34 years (12,557 days at the recent rate), underscoring RC5's resistance to exhaustive attack even with global volunteer computing resources spanning over two decades.[24] No solution has been found as of 2025, and the ongoing effort serves as a benchmark for advancements in computational power and distributed systems, highlighting RC5's foundational role in early crowd-sourced cryptography demonstrations.[22]References
- The RC5 encryption algorithm is a fast, symmetric block cipher suitable for hardware or software implementations. A novel feature of RC5 is the heavy use of ...Missing: original | Show results with:original