Kaliski B.S.On the security of the RC5 encryption algorithm.1998
.pdf5. The Current Status of RC5 |
7 |
obtain information about the secret or private key by recording and analyzing the time used for cryptographic operations that involve the key. Kocher observed that RC5 may be subject to timing attacks if RC5 is implemented on platforms for which the time for computing a single rotation is proportional to the rotation amount. However, RC5 can easily be implemented in such a way as to be invulnerable to timing attacks. Many modern processors have constant-time rotation, addition, and exclusive-or instructions. Other processors may have a rotation or shift time that depends linearly with the amount of rotation, but in this case it is usually easy to arrange the work so that the total compute time is data-independent, for example, by computing a rotate of t bits using a left-shift of t bits and a right-shift of w , t bits. In either case, the RC5 encrypt/decrypt time is data-independent, causing any potential timing attacks to fail.
With regards to the less sophisticated brute-force attack of trying each key in turn, the security of RC5 is obviously dependent on the length of the encryption key that is used (as is the case with all ciphers). RC5 has the attractive feature that the length of the key can be varied (unlike with DES for instance) and so the level of security against these attacks can be tuned to suit the application. With the launch of the RSA Data Security SecretKey Challenge [20], it is hoped that the resistance of ciphers to exhaustive key search attacks can be more accurately gauged in the future. To help in this assessment, various texts encrypted with RC5 with di erent length keys have been posted as a challenge to the community. Some of these challenges, such as RC5 with a 40-bit, 48-bit and 56-bit key were solved within a number of months of the announcement of the Challenge [20], as was expected. It is anticipated that some of the longer key lengths will remain an unsolved challenge for some considerable time to come.
5The Current Status of RC5
The results to date on the cryptanalysis of RC5 have been very encouraging. We observe that RC5 with 12 rounds and 64-bit block size give roughly the same security as DES against analytical attacks { 244 chosen plaintext pairs for RC5 as opposed to 243 known plaintexts for DES. The extra speed of RC5 allows one to use extra rounds, thereby providing an additional margin of safety. Based on the known results, we conclude that RC5 with 16 rounds and 64-bit block size can provide good security against existing analytical attacks.
With the cipher receiving considerable attention from cryptanalysts world-
8 |
The Security of RC5 |
wide, a picture of the security o ered by RC5 has been quick to develop. Acceptance of the cipher is growing, and RC5 has been discussed for inclusion in various standards e orts and has been published by the IETF in RFC2040 [1]. Three years on, it seems that the RC5 block cipher o ers a computationally inexpensive way of providing secure encryption.
Part II
Detailed Analysis of RC5
6Notation
In Rivest's description of RC5 [17], a round consists of two equations, and in each equation, either A or B is modi ed while the other remains unchanged. We will refer to each equation as a half-round. So one half-round of RC5 is similar to a full round in DES [16]. For ease of discussions, we adopt the common notation for Feistel ciphers2 and rewrite RC5 as follows.
L1 = L0 + S0
R1 = R0 + S1 for i = 2 to n do
Li = Ri,1
Ri = ((Li,1 Ri,1) <<< Ri,1 ) + Si
We will use the above description of RC5 throughout the report. We will refer to the two equations which involve (Li,1; Ri,1 ) and (Li; Ri) as the ith half-round of RC5. Hence, the two initial equations (L1 = L0 + S0 and R1 = R0 + S1 ) together are considered as the rst half-round, and RC5 contains n = 2r + 1 half-rounds in total. The input block (plaintext) is (L0; R0 ) and the output block (ciphertext) is (Ln; Rn). For ease of notation, we will change S[i] to Si.
Some additional notation is as follows. For a binary vector x of length w,
we label the bit positions from the most signi cant bit to the least signi cant bit as w , 1; : : : ; 1;0. We use x[s] to denote the sth bit of x and x[s::t]
(s t) to denote the sth through tth bits of x. Finally, we use lg(w) to denote log2 (w). Note that x mod w = x[lg(w) , 1::0] are the bits of x that are used to determine a rotation by x.
2Strictly speaking, RC5 is not a Feistel cipher, since the round function of a Feistel cipher has the general form of Ri = Li,1 f(Ri,1 ; Si).
7. A General Idea for Attacking RC5 |
9 |
7A General Idea for Attacking RC5
In this section, we describe a general idea for attacking RC5 by analyzing the structure of the RC5 encryption routine. The idea is used in both our di erential and our linear cryptanalysis. Note that to attack RC5, one can try to nd either the original secret key or the expanded key table S. If the latter approach is used, then the attack is independent of the length of the secret key. In this report, we will focus on the latter approach.
The general idea is to reduce the problem of computing the entire expanded key table S to the problem of computing Ln,1[b] for some 0 b w , 1. (Note that Ln,1[b] is a bit in the next-to-last half-round and is not visible from the ciphertext.) At a high level, the reduction is accomplished in the following two steps.
1.Reduce the problem of computing S to the problem of computing
the last subkey Sn. This is based on the iterative structure of the encryption routine.
2.Reduce the problem of computing Sn to the problem of computing Ln,1[b]. This is based on the structure of the last half-round.
In what follows, we focus on the last half-round and explain in more detail how the reduction works in step 2. Consider the two equations in the last half-round:
Ln = Rn,1;
Rn = ((Ln,1 Rn,1 ) <<< Rn,1) + Sn:
There are four variables in the second equation, and two of them, Rn and Rn,1(= Ln), are known from the ciphertext. Therefore, if we can obtain information about Ln,1, it will immediately give us information about the subkey Sn. To make such a relation concrete, we establish an equation that relates certain bits of the four variables for each xed rotation amount Rn,1 mod w.
We rst consider a special case where (b + Rn,1) mod w = 0. In this case, the bit Ln,1 [b] Rn,1 [b] moves to bit position 0 after the rotation. We thus have
Rn[0] = (Ln,1 [b] Rn,1[b]) Sn[0]: |
(1) |
Since Rn[0] and Rn,1[b] are known, if we can compute Ln,1[b], then we can obtain Sn [0], the least signi cant bit of subkey Sn.
10 |
The Security of RC5 |
The general case where (b + Rn,1) mod w = s is a little more involved since there is a carry e ect due to the addition of Sn when s 6= 0. Let
Y = (Ln,1 Rn,1) <<< Rn,1;
and so
Rn = Y + Sn:
Let
carry(s) = carry out from Y [s , 1::0] + Sn[s , 1::0]. Then we have that
Rn[s] = |
Y [s] Sn[s] carry(s) |
|
= |
(Ln,1[b] Rn,1[b]) Sn[s] carry(s): |
(2) |
If Sn[s , 1::0] is known, then given a ciphertext (Ln; Rn ), we can compute the carry out carry(s) by comparing Sn[s , 1::0] with Rn[s , 1::0]. Once we obtain both carry(s) and Ln,1[b], we can compute Sn[s].
We are now in a position to give the full details of the reduction in step 2. Let B denote an algorithm which computes Ln,1[b] given a plaintext/ciphertext pair. Figure 1 contains pseudocode for computing Sn using algorithm B.
for s = 0 to w , 1
select a plaintext/ciphertext pair (L0; R0)=(Ln; Rn) such that (b + Rn,1) mod w = s
compute Ln,1[b] using algorithm B if s = 0, then carry(0) = 0
if s 1
if Sn[s , 1::0] Rn[s , 1::0] then carry(s) = 0
else carry(s) = 1
Sn[s] = Ln,1[b] Rn,1[b] carry(s)
Figure 1: Pseudocode for computing the last subkey Sn.
Assuming that RC5 is a pseudorandom function, the rotation amount s = Rn,1 mod w = Ln mod w is random for a randomly chosen plaintext.
8. RC5 and Di erential Cryptanalysis |
11 |
Thus, when enough random plaintexts are gathered, all possible values of s will occur, and hence all bits of Sn can be recovered.
From the above discussions, we see that an algorithm that can compute Ln,1[b] is very useful for recovering Sn. By the reduction in step 1, the same algorithm can also be used to recover other subkeys. More speci cally, when we try to recover subkey Si (i < n), we can \unwrap" n,i half-rounds using subkeys Si+1; : : : ; Sn (which are already known) to obtain the outputs from the ith half-round (the corresponding \ciphertexts" of Si). Then we can compute Li,1[b] and Si in a similar fashion (See Figure 1).
We remark that there may be other algorithms for computing the bits of Ln,1. If so, such algorithms could be extended to an attack against RC5 using the basic idea that we have described in this section. Furthermore, there may be other attacks than di erential and linear cryptanalysis to which the techniques described in this section may apply. At this time, however, no alternative e ective techniques are known to exit.
8RC5 and Di erential Cryptanalysis
In this section, we will study the security of RC5 against di erential cryptanalysis. We will present the details of the rst di erential attack [7] on RC5. The techniques used in this attack is quite illustrative: they show how to form characteristics for RC5 and how to use certain special characteristics at the end of the r rounds to e ectively compute the subkeys. We will also summarize the key ideas in the two subsequent improved di erential attacks on RC5 [9, 3].
Later in the section, we will discuss the role of data-dependent rotations in helping prevent di erential attacks. Finally, we analyze what are called Markov properties of RC5. Such properties are interesting since they potentially allow one to make additional claims on the resistance of a cipher to di erential style attacks.
8.1The rst di erential attack on RC5
8.1.1Characteristics for a half-round of RC5
Roughly speaking, a characteristic for a half-round consists of an input difference and output di erence together with the associated probability. Following the notation in [2], we denote such a characteristic by = ( P ; T ), where
12 |
The Security of RC5 |
P |
|
0 |
0 |
|
; Ri,1 |
|
= |
(Li,1 |
; Ri,1) = (Li,1 |
Li,1 |
Ri,1); |
||
T |
= |
(Li0 ; Ri0) = (Li Li ; Ri Ri ): |
|
|||
Intuitively, if a pair of inputs to a half-round have di erent rotation amounts, then the pair of outputs from the half-round will di er in many di erent ways (see x8.3 for an analytical justi cation). Consequently, we will focus on characteristics for which the pair of inputs have the same rotation amounts. Let es denote the w-bit binary vector which is 1 in bit s and 0 everywhere else. For most of the characteristics that we present below, each half of P and T is either zero or es for s lg(w), implying that the rotation amounts will be the same.
We will calculate the probability associated with a half-round characteristic by averaging over both the pair of inputs and subkey Si. This is for the reason of simplicity. There may be keys for which the probability is higher and others for which it is lower. However, assuming the key expansion of RC5 is good, subkeys will be essentially independent of one another, and hence the overall probability of a characteristic for n half-rounds will be close to what we would expect for nearly all keys. Implementation results also con rm that this appears to be reasonable.
Table 2 lists ve half-round characteristics that will used in the di erential attack. When analyzing these probabilities, we use the fact that for random inputs x and y with x y = es and random key Si, the probability that (x + Si) (y + Si) = es is at least 1=2.
|
P |
T |
conditions |
probability |
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
(0; es) |
(es; es) |
s lg(w) |
p |
1 |
|
|
1 |
|
|
|
|||
w |
2 |
|||||||||||||
2 |
(es; es) |
(es; 0) |
s lg(w) |
p = 1 |
||||||||||
3 |
(es; 0) |
(0; et ) |
s; t lg(w) |
p |
1 |
|
|
1 |
|
|
|
|||
w |
2 |
|||||||||||||
4 |
(0; es) |
(es; et) |
s; t lg(w); t 6= s |
p |
1 |
|
|
1 |
|
|
|
|||
w |
2 |
|||||||||||||
|
|
|
s; t lg(w); t 6= s; u > v |
|
|
|
|
|
|
|
|
|
|
|
5 |
(es; et) |
(et; eu ev ) |
t , s = (u , v) mod w |
p |
1 |
|
1 |
|
1 |
|
||||
w |
2 |
2 |
||||||||||||
Table 2: Useful characteristics for a single half-round.
8. RC5 and Di erential Cryptanalysis |
13 |
For characteristics 3, 4, and 5, there are many possible output differences T for each input di erence P . In particular, for each choice ofP , there are (w , lg(w)) choices of parameter t for 3 , (w , lg(w) , 1) choices of parameter t for 4, and w choices of parameters (u; v) for 5.
For the rst half-round, there are three characteristics that hold with probability 1:
10 : P = T = (0; ew,1), which may be joined with 1 ,
20 : P = T = (ew,1; ew,1), which may be joined with 2, and30 : P = T = (ew,1; 0) which may be joined with 3 .
These characteristics are particularly useful.
8.1.2Characteristics of RC5
In this section, we show how to join the half-round characteristics described in x8.1.1 to form characteristics for RC5 in its entirety.
We rst note that two characteristics can be joined together if the output di erence T of the rst one and the input di erence P of the second one are the same. For example, 3 with parameters (s1; t1) can be joined to1 with parameter s2 if t1 = s2. Therefore, the possible ways to join theve characteristics in Table 2 are 1- 2, 2- 3, 3- 1, 3- 4 , and 4 - 5. ( 1 may be viewed as a special case of 4 in which s = t. It is useful to distinguish between them since 1 cannot be joined with 5.)
Two particular ways of joining the half-round characteristics will be especially useful: The rst one is = 1- 2- 3, a characteristic for three half-rounds that can be repeatedly joined with itself. The second one is 4-5, giving a characteristic for two half-rounds that can be used to compute Ln,1 mod w. (More details including generalizations of 4- 5 are given in x8.1.3.)
Based on the earlier discussions, we can now construct characteristics for n half-rounds of RC5, which we will denote by n. Characteristic n consists of a sequence of half-round characteristics. Since there are many possible values for the parameters of some of the half-round characteristics, there are many possible paths (corresponding to many intermediate di erences (L0i; Ri0 ) for 1 i n , 1) from P 0 to C0 for n, all of which have the same probability p. If we let N denote the total number of possible paths for n, then we de ne the probability associated with n as p n = Np.
For di erent values of n, Table 3 lists the plaintext di erence P 0, the sequence of half-round characteristics in n, and the probability3 given by
3(1) The factor 14 in 5 in Table 3 can be mostly eliminated by taking the carry e ect
14 |
|
|
|
|
|
|
|
|
|
The Security of RC5 |
||||
p n . |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
n |
|
P0 |
|
|
|
|
|
|
n |
|
p n |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
w,lg(w),1 |
|
w,lg(w) |
m 1 |
|
|
|
|
|
|
|
|
1 |
0 |
- - - - 4- 5 |
|
(2w)2 |
|
, |
|
3m |
|
(0; ew,1) |
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
w |
|
|
||||||
|
|
|
|
|
|
|
|
|
|
w,lg(w),1 |
w,lg(w) |
|
m |
|
3m + 1 |
|
(ew,1; 0) |
|
|
3 |
0 |
- 3 - - - - 4- 5 |
|
|
(2w)2 |
|
|
||
|
|
|
|
1 |
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
w,lg(w),1 |
w,lg(w) |
|
m |
|
3m + 2 |
|
(ew,1; ew,1 ) |
2 |
0 |
- 2- 3 - - - - 4- 5 |
|
|
(2w)2 |
|
|
||||
|
|
1 |
|
|
||||||||||
Table 3: Useful characteristics for n half-rounds and their associated probability.
A right pair with respect to n consists of two plaintexts P; P and their ciphertexts C; C such that for all 0 i n, the corresponding di erence (L0i; R0i) has a form speci ed by one of the sequences of the half-round characteristics for n. For i n , 1, a characteristic i, its associated probability p i , and a right pair with respect to i can be de ned in a similar way.
Note that the type of the characteristics used in the di erential attack on RC5 is quite di erent from the characteristics used in attacks on other block ciphers, e.g. DES. In particular, for a given plaintext di erence P0 and ciphertext di erence C0, there are many possible paths (intermediate di erences) from P 0 to C0, each occuring with the same probability. This di erential e ect help boost the probability of getting a right pair.
8.1.3Using right pairs to compute the subkeys
Here we rst show how to compute the last subkey Sn using a right pair with respect to the characteristic n. Then we analyze the number of right pairs needed to recover every bit of Sn. For i < n, subkey Si can be obtained similarly using right pairs with respect to i, following the reduction method we outlined in x7.
Let 4 and 5 be the characteristics for the (n , 1)th and nth halfrounds, respectively. Let s; t; u; v be the parameters for 5 so that s; t are the parameters for 4. By considering the (n , 1)th half-round, we can obtain the following formula:
Ln,1 mod w = Rn,2 mod w = (t , s) mod w:
into account when analyzing output di erences. Hence the factor does not appear in p n in Table 4. (2) When n = 3m, the probability associated with the rst occurrence of the half-round characteristic 1 is w1 instead of 21w since the parameter s = w , 1.
8. RC5 and Di erential Cryptanalysis |
15 |
Given the ciphertext di erence (Ln0 ; Rn0 ), |
the values of t; u; v are easily |
obtained from the form of 5 . So we need only compute s in order to get Ln,1 mod w. In the nth half-round, the rotation amount Ln mod w (= Rn,1 mod w) is equal to either (u , t) mod w or (v , t) mod w. Since u, v, t, and Ln are known, it is obvious which case holds. In the rst case s = (v , Ln) mod w and in the second case s = (u , Ln) mod w, and the value of Ln,1 mod w follows.
The key idea in the above analysis is the following:
A certain pattern of the two di erences L0n,1; Rn0 ,1 can reveal the rotation amount Ln,1 mod w.
The pattern can be derived from the ciphertexts.
There may be many possible characteristics for the last two half-rounds that satisfy the above two conditions. The characteristic ( 4; 5) is just one of them, and it is one with small Hamming weights (the number of 1's in a binary vector) in the ciphertext di erence. (See x8.2 for discussions on other possible characteristics.)
Below, we analyze the number of right pairs needed to recover every bit of Sn, and we denote this number by T . We have seen that each right pair allows us to compute Ln,1[lg w , 1::0]. Based on the discussions in x7, we can therefore compute lg w consecutive bits of Sn. The bit positions depend on the rotation amount Ln mod w, which can be assumed to be random for a random right pair. Hence, the probability that there exists a bit Sn[s] which it cannot be computed from any of the T random pairs is at most
w[(w , lg w)=w)]T :
If we set T = 2w, the above probability is less than 1% for w = 16; 32; 64.
8.1.4Analyzing plaintext requirements
In this section, we will analyze the plaintext requirements for implementing a di erential attack on RC5 using the characteristics derived in the previous sections. We will address the issue of noise in the analysis.
We de ned the notion of a right pair in x8.1.2, and here we introduce the notion of a good pair. Formally, a good pair with respect to characteristic n consists of two plaintexts P; P and their ciphertexts C; C such that the input and output di erence (P 0 ; C0) satis es the condition of a right pair with respect to the same characteristic. When implementing a di erential attack in practice, we can only observe good pairs, as opposed to right pairs.
16 |
The Security of RC5 |
A good pair is not necessarily a right pair with respect to n due to certain noise|the sequence of intermediate di erences follows a path di erent from the one speci ed by n. We consider two types of noise:
1.Random noise. For a random pair of plaintexts (that may not be a good pair), the probability that the pair of ciphertexts have the di erence C0 = T is
prand = (w , lg w) w(w , 1)=2 : 22w
This noise is negligible when compared to p n (the probability of a right pair) if n 23 (i.e. r 11). When r 12, the noise becomes dominating.
2.Special noise. For a random good pair (having a xed plaintext dif-
ference P0 = P , there is a non-negligible probability that it is not a right pair due to the special di erence P 0 . To see how this can happen, we recall the characteristics for the last ve half-rounds in a right pair.
The number of non-zero bits in (L0i; Ri0 ) for i = n , 4; : : : ; n are the following:
(1; 1);(1; 0); (0; 1); (1; 1); (1; 2):
A pair of plaintexts with di erence P0 may follow the correct intermediate di erences until the (n , 5)th half-round and then have the following number of non-zero bits in the last ve half-rounds:
(1; 1);(1; 2); (2; 1); (1; 1); (1; 2):
This happens for a fraction of the good pairs, and yields good pairs that are not right pairs. In general, the intermediate di erences can be more complicated and happen with a lower probability. Implementation results show that the fraction of good pairs that are not right pairs is no more than 10% for w = 32.
Bringing all this information together, we now compute the number of
good pairs needed for an attack with a high success rate. When n 23, prand can be ignored. If we generate 2w good pairs, then on average there
are 2w lg(w)=w = 2 lg(w) good pairs that are useful for predicting the value of each bit Sn[s]. With high probability, more than half of the good pairs are right pairs, so a majority vote will yield the correct value of Sn[s]. Therefore, 2w good pairs are enough for n 23.