DOCSLIB.ORG

The RC5 Encryption Algorithm?

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The RC Encryption Algorithm Ronald L Rivest MIT Lab oratory for Computer Science Technology Square Cambridge Mass rivesttheorylcsmitedu Revised March Abstract This do cument describ es the RC encryption algorithm a fast symmetric blo ck cipher suitable for hardware or software imple mentations A novel feature of RC is the heavy use of datadependent rotationsRC has a variable word size a variable numb er of rounds and avariableleng th secret key The encryption and decryption algorithms are exceptionally simple Intro duction RC was designed with the following ob jectives in mind RC should b e a symmetric block cipher The same secret cryptographic key is used for encryption and for decryption The plaintext and ciphertext are xedlength bit sequences blo cks RC should b e suitable for hardware or software This means that RC should use only computational primitive op erations commonly found on typ ical micropro cessors RC should b e fast This moreorless implies that RC b e wordoriented the basic computational op erations should b e op erators that work on full words of data at a time RC should b e adaptable to processors of dierent wordlengths For example as bit pro cessors b ecome available it should b e p ossible for RC to exploit their longer word length Therefore the number w of bits in a word is a parameter of RC dierentchoices of this parameter result in dierentRC algorithms RC should b e iterative in structure with a variable number of roundsThe user can explicitly manipulate the tradeo b etween higher sp eed and higher security The numb er of rounds r is a second parameter of RC RC should have a variablelength cryptographic key The user can cho ose the level of security appropriate for his application or as required by external considerations such as exp ort restrictions The key length b in bytes is thus a third parameter of RC RC is a trademark of RSA Data SecurityPatent p ending RC should b e simple It should b e easy to implement More imp ortantly a simpler structure is p erhaps more interesting to analyze and evaluate so that the cryptographic strength of RC can b e more rapidly determined RC should havea low memory requirement so that it may b e easily imple mented on smart cards or other devices with restricted memory Last but not least RC should provide high security when suitable param eter values are chosen In addition during the developmentofRC we b egan to fo cus our atten tion on a intriguing new cryptographic primitive datadependent rotationsin which one word of intermediate results is cyclically rotated by an amount deter mined bytheloworder bits of another intermediate result Wethus develop ed an additional goal RC should highlight the use of datadependent rotations and encourage the assessment of the cryptographic strength datadep endent rotations can provide The RC encryption algorithm presented here hop efully meets all of the ab ove goals Our use of hop efully refers of course to the fact that this is still a new prop osal and the cryptographic strength of RC is still b eing determined AParameterized Family of Encryption Algorithms In this section we discuss in somewhat greater detail the parameters of RC and the tradeos involved in cho osing various parameters As noted ab ove RC is wordoriented all of the basic computational op er ations have w bit words as inputs and outputs RC is a blo ckcipher with a twoword input plaintext blo ck size and a twoword ciphertext output blo ck size The nominal choice for w is bits for whichRC has bit plaintext and ciphertext blo ck sizes RC is welldened for any w although for simplicity it is prop osed here that only the values and b e allowable The number r of rounds is the second parameter of RC Cho osing a larger numb er of rounds presumably provides an increased level of securityWenote here that RC uses an expanded key table S that is derived from the users supplied secret key The size t of table S also dep ends on the number r of rounds S has t r words Cho osing a larger numb er of rounds therefore also implies a need for somewhat more memory There are thus several distinct RC algorithms dep ending on the choice of parameters w and r We summarize these parameters b elow w This is the wordsize in bits eachword contains u w bit bytes The nominal value of w is bits allowable values of w are and RC encrypts twoword blo cks plaintext and ciphertext blo cks are each w bits long r This is the numb er of rounds Also the expanded key table S contains t r words Allowable values of r are In addition to w and r RC has a variablelength secret cryptographic key sp ecied by parameters b and K b The number of bytes in the secret key K Allowable values of b are K The bbyte secret key K K K b For notational convenience we designate a particular parameterized RC algorithm as RCwrbFor example RC has bit words rounds a byte bit secret key variable and an expanded key table of words Parameters may b e dropp ed from last to rst to talk ab out RC with the dropp ed parameters unsp ecied For example one may ask Howmany rounds should one use in RC We prop ose RC as providing a nominal choice of parameters That is the nominal values of the parameters provide for w bit words rounds and bytes of keyFurther analysis is needed to analyze the securityof this choice For RC we suggest increasing the numb er of rounds to r We suggest that in an implementation all of the parameters given ab ove maybepackaged together to form an RC control blockcontaining the following elds v byte version number hex for version here w byte r byte b byte Kbbytes A control blo ckisthus represented using b bytes For example the control blo ck C A D F BB in hexadecimal sp ecies an RC algorithm version with bit words rounds and a byte bit key RC keymanagement schemes would then typically manage and transmit entire RC control blo cks containing all of the relevant parameters in addition to the usual secret cryptographic key variable Discussion of Parameterization In this section we discuss the extensive parameterization that RC provides We should rst note that it is not intended that RC b e secure for all p ossible parameter values For example r provides essentially no encryption and r is easily broken And cho osing b clearly gives no security On the other hand cho osing the maximum allowable parameter values would be overkill for most applications Weallow a range of parameter values so that users may select an encryption algorithm whose security and sp eed are optimized for their application while providing an evolutionary path for adjusting their parameters as necessary in the future As an example consider the problem of replacing DES with an equivalent RC algorithm One might reasonable cho ose RC as such a replace ment The inputoutput blo cks are w bits long just as in DES The numb er of rounds is also the same although eachRC round is more liketwo DES rounds since all data registers rather than just half of them are up dated in one RC round Finally DES and RC eachhave bit byte secret keys Unlike DES which has no parameterization and hence no exibilityRC p ermits upgrades as necessaryFor example one can upgrade the ab ovechoice for a DES replacement to an bit key bymoving to RC As technology improves and as the true strength of RC algorithms b ecomes b etter understo o d through analysis the most appropriate parameter values can b e chosen The choice of r aects b oth encryption sp eed and securityFor some appli cations high sp eed may b e the most critical requirementone wishes for the b est security obtainable within a given encryption time requirement Cho osing a small value of r say r mayprovide some security alb eit mo dest within the given sp eed constraint In other applications suchaskey management security is the primary con cern and sp eed is relatively unimp ortant Cho osing r roundsmightbe appropriate for such applications Since RC is a new design further study is required to determine the securityprovided byvarious values of r RC users may wish to adjust the values of r they use based on the results of such studies Similarly the word size w also aects sp eed and securityFor example cho os ing a value of w larger than the register size of the CPU can degrade encryption sp eed The word size w is primarily for researchers who wish to examine the security prop erties of a natural scaleddown RC As bit pro cessors b ecome common one can movetoRC as a natural extension of RC It may also b e convenient to sp ecify w or larger if RC is to b e used as the basis for a hash function in order to have bit or larger inputoutput blo cks It may b e considered unusual and risky to sp ecify an encryption algorithm that p ermits insecure parameter choices Wehavetwo resp onses to this criticism A xed set of parameters may b e at least as dangerous since the parameters can not b e increased when necessary Consider the problem DES has now its key size is to o short and there is no easy way to increase it It is exp ected that implementors will provide implementations that ensure that suitably large parameters are chosen While unsafe choices mightbe usable in principle they would b e forbidden in practice It is not exp ected that a typical RC implementation will work with any RC control blo ck Rather it mayonlywork for certain xed parameter values or parameters in a certain range The parameters w r andb in a received or transmitted RC control blo ck are then merely used for typecheckingvalues other than those supp orted by the implementation
Recommended publications
  • US 2007/0043.668A1 Baxter Et Al

    US 2007/0043.668A1 Baxter Et Al

    US 2007.0043.668A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2007/0043.668A1 Baxter et al. (43) Pub. Date: Feb. 22, 2007 (54) METHODS AND SYSTEMS FOR Related U.S. Application Data NEGOTABLE-INSTRUMENT FRAUD PREVENTION (63) Continuation of application No. 10/371,984, filed on Feb. 20, 2003, now Pat. No. 7,072,868. (75) Inventors: Craig A. Baxter, Castle Rock, CO (US); John Charles Ciaccia, Parker, Publication Classification CO (US); Rodney J. Esch, Littleton, CO (US) (51) Int. Cl. G06Q 99/00 (2006.01) Correspondence Address: (52) U.S. Cl. ................................................................ 705/50 TOWNSEND AND TOWNSEND AND CREW, LLP (57) ABSTRACT TWO EMBARCADERO CENTER EIGHTH FLOOR SAN FRANCISCO, CA 94111-3834 (US) An authentication value is provided in a magnetic-ink field of a negotiable instrument. The authentication value is (73) Assignee: First Data Corporation, Greenwood derived from application of an encryption algorithm defined Village, CO (US) by a secure key. The authentication value may be used to authenticate the instrument through reapplication of the (21) Appl. No.: 11/481,062 encryption algorithm and comparing the result with the authentication value. The instrument is authenticated if there (22) Filed: Jul. 3, 2006 is a match between the two. 530 instrument Presented at Port of Sae instrument Conveyed to First Financial MCR line Scanned and instrument 534 Institution Authenticated at Point of Sale 538 Electronic Package Generated with MICR-Line Information andlor image 542 Electronic
  • Block Ciphers

    Block Ciphers

    Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher KE KD untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” message encryption (ciphertext) decryption “Attack at Dawn!!” Encryption key is the same as the decryption key (KE = K D) CR 2 Block Cipher : Encryption Key Length Secret Key Plaintext Ciphertext Block Cipher (Encryption) Block Length • A block cipher encryption algorithm encrypts n bits of plaintext at a time • May need to pad the plaintext if necessary • y = ek(x) CR 3 Block Cipher : Decryption Key Length Secret Key Ciphertext Plaintext Block Cipher (Decryption) Block Length • A block cipher decryption algorithm recovers the plaintext from the ciphertext. • x = dk(y) CR 4 Inside the Block Cipher PlaintextBlock (an iterative cipher) Key Whitening Round 1 key1 Round 2 key2 Round 3 key3 Round n keyn Ciphertext Block • Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput • Size of the key is huge… much larger than the block size. CR 5 Inside the Block Cipher (the key schedule) PlaintextBlock Secret Key Key Whitening Round 1 Round Key 1 Round 2 Round Key 2 Round 3 Round Key 3 Key Expansion Expansion Key Key Round n Round Key n Ciphertext Block • A single secret key of fixed size used to generate ‘round keys’ for each round CR 6 Inside the Round Function Round Input • Add Round key : Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion Layer • Confusion layer : Makes the relationship between round Diffusion Layer input and output complex.
  • Report on the AES Candidates

    Report on the AES Candidates

    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
  • A Lightweight Encryption Algorithm for Secure Internet of Things

    A Lightweight Encryption Algorithm for Secure Internet of Things

    Pre-Print Version, Original article is available at (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 8, No. 1, 2017 SIT: A Lightweight Encryption Algorithm for Secure Internet of Things Muhammad Usman∗, Irfan Ahmedy, M. Imran Aslamy, Shujaat Khan∗ and Usman Ali Shahy ∗Faculty of Engineering Science and Technology (FEST), Iqra University, Defence View, Karachi-75500, Pakistan. Email: fmusman, [email protected] yDepartment of Electronic Engineering, NED University of Engineering and Technology, University Road, Karachi 75270, Pakistan. Email: firfans, [email protected], [email protected] Abstract—The Internet of Things (IoT) being a promising and apply analytics to share the most valuable data with the technology of the future is expected to connect billions of devices. applications. The IoT is taking the conventional internet, sensor The increased number of communication is expected to generate network and mobile network to another level as every thing mountains of data and the security of data can be a threat. The will be connected to the internet. A matter of concern that must devices in the architecture are essentially smaller in size and be kept under consideration is to ensure the issues related to low powered. Conventional encryption algorithms are generally confidentiality, data integrity and authenticity that will emerge computationally expensive due to their complexity and requires many rounds to encrypt, essentially wasting the constrained on account of security and privacy [4]. energy of the gadgets. Less complex algorithm, however, may compromise the desired integrity. In this paper we propose a A. Applications of IoT: lightweight encryption algorithm named as Secure IoT (SIT).
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
  • A Novel Construction of Efficient Substitution-Boxes Using Cubic

    A Novel Construction of Efficient Substitution-Boxes Using Cubic

    entropy Article A Novel Construction of Efficient Substitution-Boxes Using Cubic Fractional Transformation Amjad Hussain Zahid 1,2, Muhammad Junaid Arshad 2 and Musheer Ahmad 3,* 1 Department of Computer Science, University of Management and Technology, Lahore 54000, Pakistan; [email protected] 2 Department of Computer Science, University of Engineering and Technology, Lahore 54000, Pakistan; [email protected] 3 Department of Computer Engineering, Jamia Millia Islamia, New Delhi 110025, India * Correspondence: [email protected]; Tel.: +91-112-698-0281 Received: 27 January 2019; Accepted: 28 February 2019; Published: 5 March 2019 Abstract: A symmetric block cipher employing a substitution–permutation duo is an effective technique for the provision of information security. For substitution, modern block ciphers use one or more substitution boxes (S-Boxes). Certain criteria and design principles are fulfilled and followed for the construction of a good S-Box. In this paper, an innovative technique to construct substitution-boxes using our cubic fractional transformation (CFT) is presented. The cryptographic strength of the proposed S-box is critically evaluated against the state of the art performance criteria of strong S-boxes, including bijection, nonlinearity, bit independence criterion, strict avalanche effect, and linear and differential approximation probabilities. The performance results of the proposed S-Box are compared with recently investigated S-Boxes to prove its cryptographic strength. The simulation and comparison analyses validate that the proposed S-Box construction method has adequate efficacy to generate efficient candidate S-Boxes for usage in block ciphers. Keywords: substitution box; cubic fractional transformation; block ciphers; security 1. Introduction Cryptography helps individuals and organizations to protect their data.
  • Rc5 Algorithm: Potential Cipher Solution for Security in Wireless Body Sensor Networks (Wbsn)

    Rc5 Algorithm: Potential Cipher Solution for Security in Wireless Body Sensor Networks (Wbsn)

    International Journal Of Advanced Smart Sensor Network Systems ( IJASSN ), Vol 2, No.3, July 2012 RC5 ALGORITHM: POTENTIAL CIPHER SOLUTION FOR SECURITY IN WIRELESS BODY SENSOR NETWORKS (WBSN) Dhanashri H. Gawali1 and Vijay M. Wadhai2 1Department of E&TC, Maharashtra Academy of Engineering, Alandi(D), Pune, India [email protected] 2MAEER’s MIT College of Engineering, Pune, India [email protected] ABSTRACT The patient-related data stored in the WBSN plays an important role in medical diagnosis and treatment; hence it is essential to ensure the security of these data. Access to patient-related data must be strictly limited only to authorized users; otherwise, the patient’s privacy could be abused. There has been very little study done in encryption algorithms suitable for WBSN. In this paper we focus on RC5 encryption algorithm as a potential cipher solution for providing data protection in WBSN. RC5 can be considered as one of the best ciphers in terms of overall performance, when used in nodes with limited memory and processing capabilities. In WBSN the size of data varies for different medical (health parameters such as ECG, EEG, Blood pressure, Blood Sugar etc) or nonmedical (video, audio etc) applications. RC5 is a highly efficient and flexible cryptographic algorithm, for which many parameters (key size, block size, number of rounds) can be adjusted to tradeoff security strength with power consumption and computational overhead. Thus RC5 with suitable parameters may perform well for WBSN applications with different data size. Implementations for WBSN nodes are in evolving stage now. This paper further presents a brief survey of various implementations of RC5 algorithm to convince its suitability for WBSN.
  • Foreword by Whitfield Diffie Preface About the Author Chapter 1

    Foreword by Whitfield Diffie Preface About the Author Chapter 1

    Applied Cryptography: Second Edition - Bruce Schneier Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C by Bruce Schneier Wiley Computer Publishing, John Wiley & Sons, Inc. ISBN: 0471128457 Pub Date: 01/01/96 Foreword By Whitfield Diffie Preface About the Author Chapter 1—Foundations 1.1 Terminology 1.2 Steganography 1.3 Substitution Ciphers and Transposition Ciphers 1.4 Simple XOR 1.5 One-Time Pads 1.6 Computer Algorithms 1.7 Large Numbers Part I—Cryptographic Protocols Chapter 2—Protocol Building Blocks 2.1 Introduction to Protocols 2.2 Communications Using Symmetric Cryptography 2.3 One-Way Functions 2.4 One-Way Hash Functions 2.5 Communications Using Public-Key Cryptography 2.6 Digital Signatures 2.7 Digital Signatures with Encryption 2.8 Random and Pseudo-Random-Sequence Generation Chapter 3—Basic Protocols 3.1 Key Exchange 3.2 Authentication 3.3 Authentication and Key Exchange 3.4 Formal Analysis of Authentication and Key-Exchange Protocols 3.5 Multiple-Key Public-Key Cryptography 3.6 Secret Splitting 3.7 Secret Sharing 3.8 Cryptographic Protection of Databases Chapter 4—Intermediate Protocols 4.1 Timestamping Services 4.2 Subliminal Channel 4.3 Undeniable Digital Signatures 4.4 Designated Confirmer Signatures 4.5 Proxy Signatures 4.6 Group Signatures 4.7 Fail-Stop Digital Signatures 4.8 Computing with Encrypted Data 4.9 Bit Commitment 4.10 Fair Coin Flips 4.11 Mental Poker 4.12 One-Way Accumulators 4.13 All-or-Nothing Disclosure of Secrets Page 1 of 666 Applied Cryptography: Second Edition - Bruce
  • AES3 Presentation

    AES3 Presentation

    Cryptanalytic Progress: Lessons for AES John Kelsey1, Niels Ferguson1, Bruce Schneier1, and Mike Stay2 1 Counterpane Internet Security, Inc., 3031 Tisch Way, 100 Plaza East, San Jose, CA 95128, USA 2 AccessData Corp., 2500 N University Ave. Ste. 200, Provo, UT 84606, USA 1 Introduction The cryptanalytic community is currently evaluating five finalist algorithms for the AES. Within the next year, one or more ciphers will be chosen. In this note, we argue caution in selecting a finalist with a small security margin. Known attacks continuously improve over time, and it is impossible to predict future cryptanalytic advances. If an AES algorithm chosen today is to be encrypting data twenty years from now (that may need to stay secure for another twenty years after that), it needs to be a very conservative algorithm. In this paper, we review cryptanalytic progress against three well-regarded block ciphers and discuss the development of new cryptanalytic tools against these ciphers over time. This review illustrates how cryptanalytic progress erodes a cipher’s security margin. While predicting such progress in the future is clearly not possible, we claim that assuming that no such progress can or will occur is dangerous. Our three examples are DES, IDEA, and RC5. These three ciphers have fundamentally different structures and were designed by entirely different groups. They have been analyzed by many researchers using many different techniques. More to the point, each cipher has led to the development of new cryptanalytic techniques that not only have been applied to that cipher, but also to others. 2 DES DES was developed by IBM in the early 1970s, and standardized made into a standard by NBS (the predecessor of NIST) [NBS77].
  • The RC6TM Block Cipher

    The RC6TM Block Cipher

    TM The RC6 Blo ck Cipher 1 2 2 2 Ronald L. Rivest , M.J.B. Robshaw , R. Sidney , and Y.L. Yin 1 M.I.T. Lab oratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA [email protected] 2 RSA Lab oratories, 2955 Campus Drive, Suite 400, San Mateo, CA 94403, USA fmatt,ray,[email protected] Version 1.1 - August 20, 1998 TM Abstract. We intro duce the RC6 blo ck cipher. RC6 is an evolu- tionary improvementofRC5, designed to meet the requirements of the Advanced Encryption Standard AES. LikeRC5, RC6 makes essential use of data-dep endent rotations. New features of RC6 include the use of four working registers instead of two, and the inclusion of integer multi- plication as an additional primitive op eration. The use of multiplication greatly increases the di usion achieved p er round, allowing for greater security, fewer rounds, and increased throughput. 1 Intro duction TM RC6 is a new blo ck cipher submitted to NIST for consideration as the new Advanced Encryption Standard AES. The design of RC6 b egan with a consideration of RC5 [18] as a p otential candidate for an AES submission. Mo di cations were then made to meet the AES requirements, to increase security, and to improve p erformance. The inner lo op, however, is based around the same \half-round" found in RC5. RC5 was intentionally designed to be extremely simple, to invite analysis shedding light on the security provided by extensive use of data-dep endent ro- tations. Since RC5 was prop osed in 1995, various studies [2, 5, 8, 11, 15, 19] have provided a greater understanding of howRC5's structure and op erations contribute to its security.
  • Cryptanalise Aspects on the Block Ciphers of Rc5 and Rc6

    Cryptanalise Aspects on the Block Ciphers of Rc5 and Rc6

    CRYPTANALISE ASPECTS ON THE BLOCK CIPHERS OF RC5 AND RC6 Erica Mang, Ioan Mang, Constantin Popescu University of Oradea, Romania Department of Computers Science 3-5 Armatei Romane St., 3700 Oradea, Romania E-mail: [email protected], [email protected], [email protected] Abstract. In August 1999, Knudsen and Meier proposed Their attacking algorithm, however, is rather an attack to the block cipher RC6 by using correlations complicated and it does not seem so easy to distinguish derived from x2 tests. In this paper, we improve the good pair and others correctly, because of influences of attack and apply this method to the block cipher RC5 addition of key to the hamming weights of differentials. and simplified variants of RC6, and show some experimental results. We show this approach distinguish In August 1999, Knudsen and Meier posted to the the random permutation and RC5 with of up to 20 internet news an information of their new paper dealing rounds by using chosen ciphertexts attack. We also show with cryptanalysis of RC6 (Knudsen et al. 1999). In the our approach for deriving the last round key of up to 17 paper, they used extremely different technique from the 2 rounds RC5 by using chosen plaintext attack. Moreover, previous approach, that is, correlations obtained from x we show full rounds RC5 with some weak key can be test. In their approach, for fixing each of the least broken by using lesser complexity than that of the significant five bits in some words of plaintexts and exhaustive search. Additionally, this method can be investigate the statistics of the 10-bit integer obtained by applicable to simplified variants of RC6, that is, RC6- concatenating each of the least significant five bits in INFR, RC6-NFR, RC6-I, we observe the attack to these some words of ciphertexts.
  • Why Not 2-DES ?

    Why Not 2-DES ?

    1 Why not 2-DES ? • 2DES: C = DES ( K1, DES ( K2, P ) ) • Seems to be hard to break by “brute force”, approx. 2111 trials • Assume Eve is trying to break 2DES and has a single (P,C) pair Meet-in-the-middle (or Rendesvouz) ATTACK: 56 I. For each possible K’i (where 0 < i < 2 ) 1. Compute C’i = DES ( K’i , P ) 2. Store: [ K’i, C’i ] in table T (sorted by C’i) 56 II. For each possible K”i (where 0 < i < 2 ) -1 1. Compute C”i = DES ( K”i , C ) 2. Lookup C”i in T not expensive! 3. If lookup succeeds, output: K1=K’i, K2=K”i TOTAL COST: O(256) operations + O(256) storage 2 1 DES Variants o 3-DES (triple DES) o C = E(K1, D(K2, E(K1,P) ) ) 112 effective key bits o C = E(K3, D(K2, E(K1,P) ) ) 168 effective key bits o DESx o C= K3 XOR E(K2, (K1 XOR P) ) seems like 184 key bits o Effective key bits approx. 118 o 2-DES: o C = E(K2,E(K1, P)) rendezvous (meet-in-the-middle attack) o Another simple variation: o C = K1 XOR E(K1’, P) weak! 3 DES Variants Why does 3-DES (or generally n-DES) work? Because, as a function, DES is not a group… A “group” is an algebraic structure. One of its properties is that, taking any 2 elements of the group (a,b) and applying an operator F() yields another element c in the group.