The RC Encryption Algorithm

Ronald L Rivest

MIT Lab oratory for Computer Science

Technology Square Cambridge Mass

rivesttheorylcsmitedu

Revised March

Abstract This do cument describ es the RC encryption algorithm a

fast symmetric blo ck cipher suitable for hardware or software imple

mentations A novel feature of RC is the heavy use of datadependent

rotationsRC has a variable word size a variable numb er of rounds and

avariableleng th secret key The encryption and decryption algorithms

are exceptionally simple

Intro duction

RC was designed with the following ob jectives in mind

RC should b e a symmetric block cipher The same secret cryptographic key

is used for encryption and for decryption The plaintext and ciphertext are

xedlength bit sequences blo cks

RC should b e suitable for hardware or software This means that RC

should use only computational primitive op erations commonly found on typ

ical micropro cessors

RC should b e fast This moreorless implies that RC b e wordoriented

the basic computational op erations should b e op erators that work on full

words of data at a time

RC should b e adaptable to processors of dierent wordlengths For example

as bit pro cessors b ecome available it should b e p ossible for RC to exploit

their longer word length Therefore the number w of bits in a word is a

parameter of RC dierentchoices of this parameter result in dierentRC

algorithms

RC should b e iterative in structure with a variable number of roundsThe

user can explicitly manipulate the tradeo b etween higher sp eed and higher

security The numb er of rounds r is a second parameter of RC

RC should have a variablelength cryptographic key The user can cho ose

the level of security appropriate for his application or as required by external

considerations such as exp ort restrictions The key length b in bytes is thus

a third parameter of RC

RC is a trademark of RSA Data SecurityPatent p ending

RC should b e simple It should b e easy to implement More imp ortantly

a simpler structure is p erhaps more interesting to analyze and evaluate so

that the cryptographic strength of RC can b e more rapidly determined

RC should havea low memory requirement so that it may b e easily imple

mented on smart cards or other devices with restricted memory

Last but not least RC should provide high security when suitable param

eter values are chosen

In addition during the developmentofRC we b egan to fo cus our atten

tion on a intriguing new cryptographic primitive datadependent rotationsin

which one word of intermediate results is cyclically rotated by an amount deter

mined bytheloworder bits of another intermediate result Wethus develop ed

an additional goal

RC should highlight the use of datadependent rotations and encourage

the assessment of the cryptographic strength datadep endent rotations can

provide

The RC encryption algorithm presented here hop efully meets all of the

ab ove goals Our use of hop efully refers of course to the fact that this is still a

new prop osal and the cryptographic strength of RC is still b eing determined

AParameterized Family of Encryption Algorithms

In this section we discuss in somewhat greater detail the parameters of RC

and the tradeos involved in cho osing various parameters

As noted ab ove RC is wordoriented all of the basic computational op er

ations have w bit words as inputs and outputs RC is a blo ckcipher with a

twoword input plaintext blo ck size and a twoword ciphertext output blo ck

size The nominal choice for w is bits for whichRC has bit plaintext and

ciphertext blo ck sizes RC is welldened for any w although for simplicity

it is prop osed here that only the values and b e allowable

The number r of rounds is the second parameter of RC Cho osing a larger

numb er of rounds presumably provides an increased level of securityWenote

here that RC uses an expanded key table S that is derived from the users

supplied secret key The size t of table S also dep ends on the number r of rounds

S has t r words Cho osing a larger numb er of rounds therefore also

implies a need for somewhat more memory

There are thus several distinct RC algorithms dep ending on the choice

of parameters w and r We summarize these parameters b elow

w This is the wordsize in bits eachword contains u w bit bytes

The nominal value of w is bits allowable values of w are and

RC encrypts twoword blo cks plaintext and ciphertext blo cks are each

w bits long

r This is the numb er of rounds Also the expanded key table S contains

t r words Allowable values of r are

In addition to w and r RC has a variablelength secret cryptographic key

sp ecied by parameters b and K

b The number of bytes in the secret key K Allowable values of b are

K The bbyte secret key K K K b

For notational convenience we designate a particular parameterized RC

algorithm as RCwrbFor example RC has bit words rounds

a byte bit secret key variable and an expanded key table of

words Parameters may b e dropp ed from last to rst to talk ab out RC with the

dropp ed parameters unsp ecied For example one may ask Howmany rounds

should one use in RC

We prop ose RC as providing a nominal choice of parameters

That is the nominal values of the parameters provide for w bit words

rounds and bytes of keyFurther analysis is needed to analyze the securityof

this choice For RC we suggest increasing the numb er of rounds to r

We suggest that in an implementation all of the parameters given ab ove

maybepackaged together to form an RC control blockcontaining the following

elds

v byte version number hex for version here

w byte

r byte

b byte

Kbbytes

A control blo ckisthus represented using b bytes For example the control

blo ck

C A D F BB in hexadecimal

sp ecies an RC algorithm version with bit words rounds and a

byte bit key RC keymanagement schemes would then

typically manage and transmit entire RC control blo cks containing all of the

relevant parameters in addition to the usual secret cryptographic key variable

Discussion of Parameterization

In this section we discuss the extensive parameterization that RC provides

We should rst note that it is not intended that RC b e secure for all p ossible

parameter values For example r provides essentially no encryption and

r is easily broken And cho osing b clearly gives no security

On the other hand cho osing the maximum allowable parameter values would

be overkill for most applications

Weallow a range of parameter values so that users may select an encryption

algorithm whose security and sp eed are optimized for their application while

providing an evolutionary path for adjusting their parameters as necessary in the future

As an example consider the problem of replacing DES with an equivalent

RC algorithm One might reasonable cho ose RC as such a replace

ment The inputoutput blo cks are w bits long just as in DES The

numb er of rounds is also the same although eachRC round is more liketwo

DES rounds since all data registers rather than just half of them are up dated in

one RC round Finally DES and RC eachhave bit byte secret

keys

Unlike DES which has no parameterization and hence no exibilityRC

p ermits upgrades as necessaryFor example one can upgrade the ab ovechoice for

a DES replacement to an bit key bymoving to RC As technology

improves and as the true strength of RC algorithms b ecomes b etter understo o d

through analysis the most appropriate parameter values can b e chosen

The choice of r aects b oth encryption sp eed and securityFor some appli

cations high sp eed may b e the most critical requirementone wishes for the

b est security obtainable within a given encryption time requirement Cho osing

a small value of r say r mayprovide some security alb eit mo dest within

the given sp eed constraint

In other applications suchaskey management security is the primary con

cern and sp eed is relatively unimp ortant Cho osing r roundsmightbe

appropriate for such applications Since RC is a new design further study is

required to determine the securityprovided byvarious values of r RC users

may wish to adjust the values of r they use based on the results of such studies

Similarly the word size w also aects sp eed and securityFor example cho os

ing a value of w larger than the register size of the CPU can degrade encryption

sp eed The word size w is primarily for researchers who wish to examine

the security prop erties of a natural scaleddown RC As bit pro cessors

b ecome common one can movetoRC as a natural extension of RC It

may also b e convenient to sp ecify w or larger if RC is to b e used as

the basis for a hash function in order to have bit or larger inputoutput

blo cks

It may b e considered unusual and risky to sp ecify an encryption algorithm

that p ermits insecure parameter choices Wehavetwo resp onses to this criticism

A xed set of parameters may b e at least as dangerous since the parameters

can not b e increased when necessary Consider the problem DES has now

its key size is to o short and there is no easy way to increase it

It is exp ected that implementors will provide implementations that ensure

that suitably large parameters are chosen While unsafe choices mightbe

usable in principle they would b e forbidden in practice

It is not exp ected that a typical RC implementation will work with any

RC control blo ck Rather it mayonlywork for certain xed parameter values

or parameters in a certain range The parameters w r andb in a received or

transmitted RC control blo ck are then merely used for typecheckingvalues

other than those supp orted by the implementation will b e disallowed The ex

ibilityofRC is thus utilized at the system design stage when the appropriate

parameters are chosen rather than at run time when unsuitable parameters

mightbechosen byanunwary user

Finallywe note that RC might b e used in some applications that do not re

quire cryptographic securityFor example one might consider using RC

with no secret key applied to inputs to generate a sequence of pseudo

random numb ers to b e used in a randomized computation

Notation and RC Primitive Op erations

We use lgx to denote the basetwo logarithm of x

RC uses only the following three primitive op erations and their inverses

w

Twos complement addition of words denoted by This is mo dulo

addition The inverse op eration subtraction is denoted

Bitwise exclusiveOR of words denoted by

A leftrotation or leftspin of words the cyclic rotation of word x left by

y bits is denoted xy Here y is interpreted mo dulo w so that when w is

apower of two only the lgw loworder bits of y are used to determine the

rotation amount The inverse op eration rightrotation is denoted xy

These op erations are directly and eciently supp orted by most pro cessors

A distinguishing feature of RC is that the rotations are rotations byvari

able plaintextdep endent amounts We note that on mo dern micropro cessors

avariablerotation xy takes constant time the time is indep endentofthe

rotation amount y We also note that rotations are the only nonlinear op erator

in RC there are no nonlinear substitution tables or other nonlinear op era

tors The strength of RC dep ends heavily on the cryptographic prop erties of

datadep endent rotations

The RC Algorithm

In this section we describ e the RC algorithm which consists of three comp o

nents a key expansion algorithm an encryption algorithm and a decryption

algorithm We present the encryption and decryption algorithms rst

Recall that the plaintext input to RC consists of two w bit words whichwe

denote A and B RecallalsothatRC uses an expanded key table S t

consisting of t r w bit words The keyexpansion algorithm initializes

S from the users given secret key parameter K We note that the S table in

RC encryption is not an Sb ox such asisusedby DES RC uses the entries

in S sequentially one at a time

We assume standard littleendian conventions for packing bytes into inputoutput

blo cks the rst byte o ccupies the loworder bit p ositions of register A and so on

so that the fourth byte o ccupies the highorder bit p ositions in A the fth byte

o ccupies the loworder bit p ositions in B and the eighth last byte o ccupies the

highorder bit p ositions in B

Encryption

We assume that the input blo ck is given in two w bit registers A and B We

also assume that keyexpansion has already b een p erformed so that the array

S t has b een computed Here is the encryption algorithm in pseudoco de

A A S

B B S

for i to r do

A A B BS i

B B A AS i

The output is in the registers A and B

We note the exceptional simplicity of this line algorithm

We also note that eachRC round up dates both registers A and B whereas

a round in DES up dates only half of its registers An RC halfround one

of the assignment statements up dating A or B in the b o dy of the lo op ab ove is

thus p erhaps more analogous to a DES round

Decryption

The decryption routine is easily derived from the encryption routine

for i r downto do

B B S i A A

A A S i B B

B B S

A A S

Key Expansion

The keyexpansion routine expands the users secret key K to ll the expanded

key array S sothat S resembles an arrayoft r random binary words

determined by K The key expansion algorithm uses two magic constants and

consists of three simple algorithmic parts

Denition of the Magic Constants The keyexpansion algorithm uses two

wordsized binary constants P and Q They are dened for arbitrary w as

w w

follows

w

P Odde

w

w

Q Odd

w

where

e base of natural logarithms

golden ratio

and where Oddxistheoddinteger nearest to x rounded up if x is an even in

teger although this wont happ en here For w and these constants

are given b elow in binary and in hexadecimal

P be

Q e

P be

Q eb

P

beaedab

Q

ebfac

Converting the Secret Key from Bytes to Words The rst algorithmic

step of key expansion is to copy the secret key K b into an array Lc

of c dbue words where u wisthenumber of bytesword This op eration

is done in a natural manner using u consecutivekey bytes of K to ll up each

successiveword in Lloworder byte to highorder byte Any unlled byte p osi

tions of L are zero ed In the case that b c we reset c to and set L to

zero

On littleendian machines suchasanIntel the ab ovetaskcanbe

accomplished merely by zeroing the array L and then copying the string K

directly into the memory p ositions representing L The following pseudoco de

achieves the same eect assuming that all bytes are unsigned and that array

L is initially zero ed everywhere

c dmaxb ue

for i b downto do

Liu Liu K i

Initializing the Array S The second algorithmic step of key expansion is

to initialize array S to a particular xed keyindep endent pseudorandom bit

w

pattern using an arithmetic progression mo dulo determined by the magic

constants P and Q Since Q is o dd the arithmetic progression has p erio d

w w w

w

S P

w

for i to t do

S iS i Q w

Mixing in the Secret Key The third algorithmic step of key expansion is

to mix in the users secret key in three passes over the arrays S and LMore

precisely due to the p otentially dierent sizes of S and L the larger array will

b e pro cessed three times and the other may b e handled more times

i j

A B

do maxt c times

A S i S iA B

B Lj Lj A B A B

i i modt

j j modc

The keyexpansion function has a certain amount of onewayness it is not

so easy to determine K from S

Discussion

A distinguishing feature of RC is its heavy use of datadependent rotations

the amount of rotation p erformed is dep endent on the input data and is not

predetermined

The encryptiondecryption routines are very simple While other op erations

such as substitution op erations could have b een included in the basic round

op erations our ob jective is to fo cus on the datadep endent rotations as a source

of cryptographic strength

Some of the expanded key table S is initially added to the plaintext and

each round ends by adding expanded key from S to the intermediate values just

computed This assures that each round acts in a p otentially dierent manner

in terms of the rotation amounts used

The xor op erations back and forth b etween A and B provide some avalanche

prop erties causing a singlebit change in an input blo cktocausemultiplebit

changes in following rounds

Implementation

The encryption algorithm is very compact and can b e co ded eciently in assem

bly language on most pro cessors The table S is b oth quite small and accessed

sequentiallyminimizing issues of cache size

A reference implementation of RC together with some sample

inputoutput pairs is provided in the App endix

This nonoptimized reference implementation encrypts K bytessecond

on a Mhz laptop bit Borland C compiler and M bytessecond

on a Sparc gcc compiler These sp eeds can certainly b e improved In assem

bly language the rotation op erator is directly accessible an assemblylanguage

routine for the can p erform each halfround with just four instructions An

initial assemblylanguage implementation runs at M bytessec on a MHz

SLC A Pentium should b e able to encrypt at several megabytessecond

Analysis

This section contains some preliminary results on the strength of RC Much

more work remains to b e done Here we rep ort the results of two exp eriments

studying howchanging the numb er of rounds aects prop erties of RC

The rst test involved examining the uniformity of correlation b etween in

put and output bits We found that four rounds suced to get very uniform

correlations b etween individual input and output bits in RC

The second test checked to see if the datadep endent rotation amounts de

p ended on every plaintext bit in million trials with random plaintext and

keys That is wechecked whether ipping a plaintext bit caused some intermedi

ate rotation to b e a rotation by a dierent amount We found that eight rounds in

RC were sucient to cause each message bit to aect some rotation amount

The numb er of rounds chosen in practice should always b e at least as great

if not substantially greater than these simple tests would suggest As noted

ab ove we suggest rounds as a nominal choice for RC and rounds

for RC

RCs datadep endent rotations may help frustrate dierential cryptanalysis

BihamShamir and linear cryptanalysis Matsui since bits are rotated

to random p ositions in each round

There is no obvious way in whichanRC key can b e weak other than by

b eing to o short

Iinvite the reader to help determine the strength of RC

Acknowledgements

Id like to thank Burt Kaliski Yiqun Lisa Yin Paul Ko cher and everyone else

at RSA Lab oratories for their comments and constructive criticisms and Mikael

Pettersson for p ointing out an error in an earlier version of this pap er zero

length keys were handled incorrectly I thank Ray Sydney for p ointing out that

in the earlier version of this pap er the test examples were incorrectly printed

out in bytereversed order Id also like to thank Karl A Siil for bringing to

my attention a cipher due to W E Madryga that also uses datadep endent

rotations alb eit in a rather dierent manner

References

E Biham and A Shamir A Dierential Cryptanalysis of the Data Encryption Stan

dard SpringerVerlag

W E Madryga A high p erformance encryption algorithm In Computer Security

A Global Chal lenge pages North Holland Elsevier Science Publishers

Mitsuru Matsui The rst exp erimental cryptanalysis of the Data Encryption Stan

dard In Yvo G Desmedt editor Proceedings CRYPTO pages Springer Lecture Notes in Computer Science No

App endix

RCREFC Reference implementation of RC in C

Copyright C RSA Data Security Inc

include stdioh

typedef unsigned long int WORD Should be bit bytes

define w word size in bits

define r number of rounds

define b number of bytes in key

define c number words in key

c maxceilbw

define t size of table S r words

WORD St expanded key table

WORD P xbe Q xeb magic constants

Rotation operators x must be unsigned to get logical right shift

define ROTLxy xyw xwyw

define ROTRxy xyw xwyw

void RCENCRYPTWORD pt WORD ct WORD input ptoutput ct

WORD i AptS BptS

for i ir i

A ROTLABBSi

B ROTLBAASi

ct A ct B

void RCDECRYPTWORD ct WORD pt WORD input ctoutput pt

WORD i Bct Act

for ir i i

B ROTRBSiAA

A ROTRASiBB

pt BS pt AS

void RCSETUPunsigned char K secret input key Kb

WORD i j k uw A B Lc

Initialize L then S then mix key into S

for ibLc i i Liu LiuKi

for SPi it i Si SiQ

for ABijk kt kiitjjc t c

A Si ROTLSiAB

B Lj ROTLLjABAB

void printwordWORDA

WORDk

for kkwk printflXAkxFF

void main

WORD i j k pt pt ct

unsigned char keyb

if sizeofWORD

printfRC error WORD has d bytesnsizeofWORD

printfRC examplesn

for iii

Initialize pt and key pseudorandomly based on previous ct

ptct ptct

for jjbj keyj ctj

Setup encrypt and decrypt

RCSETUPkey

RCENCRYPTptct

RCDECRYPTctpt

Print out results checking for decryption failure

printfnd key i

for j jb j printfXkeyj

printfn plaintext printwordpt printwordpt

printf ciphertext printwordct printwordct

printfn

if ptpt ptpt

printfDecryption Error

RC examples

key

plaintext ciphertext ADBEEBFD

key FBEBAACE

plaintext ADBEEBFD ciphertext FCACBB

key EAEBFFDBBBDC

plaintext FCACBB ciphertext FBBFC

key DCDBAFBBFBAF

plaintext FBBFC ciphertext CBDCC

key FDBADF

plaintext CBDCC ciphertext EBEDA

a

This article was pro cessed using the L T X macro package with LLNCS style E