The RC5 block cipher has a word-oriented architecture for variable word sizes w = 16,32, or 64 bits. It has an extremely compact description, and is suitable for hardware or software. The number of rounds r and the key byte-length b are also variable. It is successively more completely identified as RC5-u>, RC5-w/r, and RC5-w/r/b. RC5-32/12/16 is considered a common choice of parameters; r = 12 rounds are recommended for RC5-32, and r = 16 for RC5-64.
Algorithm 7.115 specifies RC5. Plaintext and ciphertext are blocks of bitlength 2w. Each of r rounds updates both «'-bit data halves, using 2 subkeys in an input transformation and 2 more for each round. The only operations used, all on «.'-bit words, are addition mod 2W (EB), XOR (ф), and rotations (left <-> and right <-0. The XOR operation is Unear, while the addition may be considered nonlinear depending on the metric for linearity. The data- dependent rotations featured in RC5 are the main nonlinear operation used: x ^ у denotes cyclically shifting a «'-bit word left у bits; the rotation-count у may be reduced mod w (the low-order lg(«,') bits of у suffice). The key schedule expands a key of b bytes into 2r + 2 subkeys Ki of w bits each. Regarding packing/unpacking bytes into words, the byte-order is little-endian: for w = 32, the first plaintext byte goes in the low-order end of A, the fourth in ,4’s high-order end, the fifth in B’s low order end, and so on.
7.115 Algorithm RC5 encryption (w-bit wordsize, r rounds, 6-byte key)
INPUT: 2u;-bit plaintext M = (A, B); r; key К = A'... K[b - 1].
OUTPUT: 2u>-bit ciphertext C. (For decryption, see Note 7.117.)
- 1. Compute 2r + 2 subkeys Ко,... , K2r+i by Algorithm 7.116 from inputs К and r.
- 2. A 4- А В K0, В 4- В ЕВ К. (Use addition modulo 2W.)
- 3. For i from 1 to r do: A 4— ((d®£?) «-> В) EB K2i, В <- ((J3®d) <-> А) ЕВ K21+1.
- 4. The output is C a- (A. B).
- 7.116 Algorithm RC5 key schedule
INPUT: word bitsize w number of rounds r; 6-byte key A'... K[b - 1].
OUTPUT: subkeys K0,... , K2r+1 (where Kt is w bits).
- 1. Let и = w/8 (number of bytes per word) and c = /u (number of words К fills). Pad К on the right with zero-bytes if necessary to achieve a byte-count divisible by и (i.e., K[j] <- 0 for b < j < c ■ и — 1). For i from 0 to c - 1 do: L, <- J2j=0 ^ K[i ■ и + j] (i.e., fill Li low-order to high-order byte using each byte of K[- once).
- 2. Ко <- Pw', for i from 1 to 2r + 1 do: Kt <- Kt-1 Ш Qw. (Use Table 7.14.)
- 3. i 0, j -t— 0, A 0, В «— 0, t -t— max(c, 2r + 2). For s from 1 to 31 do:
- (a) Ii t— (Ki BB A ffl В) —3 3, A r— К,, i — i + 1 mod (2v -I- 2).
- (b) Lj t— (Lj ffldffl B) ^—5 (A BB В), В 4— Lj, j 4— j + 1 mod c.
- 4. The output is K0, К1,... , K2r+1- (Tlie Li are not used.)
- 7.117 Note (RC5 decryption) Decryption uses the Algorithm 7.115 subkeys, operating on ciphertext C = (A, B) as follows (subtraction is mod 2W, denoted E3). For i from r down to 1 do: В 4— ((В В /v2?-j-i) 4^ А^фА, A — ((-d В K2i) <—^ В^фВ. Fmally A/ — (A В K0, В В Ki).
B7E15162 8AED2A6B 9E3779B9 7F4A7C15
Table 7.14: RC5 magic constants (given as hex strings).
7.118 Example (RC5-32/12/16 test vectors) For the hexadecimal plaintext M = 65C178B2 84D197CC and key К = 5269F149 D41BA015 2497574D 7F15312 5, RC5 with w = 32, r = 12, and b = 16 generates ciphertext С = EB44E415 DA319824. В
Other block ciphers
LOKI’91 (and earlier, LOKF 89) was proposed as a DES alternative with a larger 64-bit key, a matching 64-bit blocksize, and 16 rounds. It differs from DES mainly in key-scheduling and the /-function. The /-function of each round uses four identical 12-to-8 bit S-boxes,
4 input bits of which select one of 16 functions, each of which implements exponentiation with a fixed exponent in a different representation of GF(28). While no significant exploitable weaknesses have been found in LOKI’91 when used for encryption, related-key attacks (see page 281) are viewed as a certificational weakness.
Khufu and Khafre are DES-like ciphers which were proposed as fast software-oriented alternatives to DES. They have 64-bit blocks, 8 x 32 bit S-boxes, and a variable number of rounds (typically 16, 24, or 32). Khufu keys may be up to 512 bits. Khafre keys have bitlength that is a multiple of 64 (64 and 128-bit keys are typical); 64 key bits are XORed onto the data block before the first and thereafter following every 8 rounds. Whereas a DES round involves eight 6-to-4 bit S-boxes, one round of Khufu involves a single 8-to-32 bit table look-up, with a different S-box for every 8 rounds. The S-boxes are generated pseu- dorandomly front the user key. Khafre uses fixed S-boxes generated pseudorandomly from an initial S-box constructed from random numbers published by the RAND corporation in 1955. Under the best currently known attacks, 16-round Khufu and 24-round Khafre are each more difficult to break than DES.