The RC Encryption Algorithm Ronald L Rivest MIT Lab oratory for Computer Science Technology Square Cambridge Mass rivesttheorylcsmitedu Abstract This do cument describ es the RC encryption algorithm a fast symmetric blo ck cipher suitable for hardware or software imple mentations A novel feature of RC is the heavy use of datadependent rotationsRC has a variable word size a variable numb er of rounds and avariableleng th secret key The encryption and decryption algorithms are exceptionally simple Intro duction RC was designed with the following ob jectives in mind RC should b e a symmetric block cipher The same secret cryptographic key is used for encryption and for decryption The plaintext and ciphertext are xedlength bit sequences blo cks RC should b e suitable for hardware or software This means that RC should use only computational primitive op erations commonly found on typ ical micropro cessors RC should b e fast This moreorless implies that RC b e wordoriented the basic computational op erations should b e op erators that work on full words of data at a time RC should b e adaptable to processors of dierent wordlengths For example as bit pro cessors b ecome available it should b e p ossible for RC to exploit their longer word length Therefore the number w of bits in a word is a parameter of RC dierentchoices of this parameter result in dierentRC algorithms RC should b e iterative in structure with a variable number of roundsThe user can explicitly manipulate the tradeo b etween higher sp eed and higher security The numb er of rounds r is a second parameter of RC RC should have a variablelength cryptographic key The user can cho ose the level of security appropriate for his application or as required by external considerations such as exp ort restrictions The key length b in bytes is thus a third parameter of RC RC should b e simple It should b e easy to implement More imp ortantly a simpler structure is p erhaps more interesting to analyze and evaluate so that the cryptographic strength of RC can b e more rapidly determined RC is a trademark of RSA Data SecurityPatent p ending RC should havea low memory requirement so that it may b e easily imple mented on smart cards or other devices with restricted memory Last but not least RC should provide high security when suitable param eter values are chosen In addition during the developmentofRC we b egan to fo cus our atten tion on a intriguing new cryptographic primitive datadependent rotationsin which one word of intermediate results is cyclically rotated by an amount deter mined bytheloworder bits of another intermediate result Wethus develop ed an additional goal RC should highlight the use of datadependent rotations and encourage the assessment of the cryptographic strength datadep endent rotations can provide The RC encryption algorithm presented here hop efully meets all of the ab ove goals Our use of hop efully refers of course to the fact that this is still a new prop osal and the cryptographic strength of RC is still b eing determined AParameterized Family of Encryption Algorithms In this section we discuss in somewhat greater detail the parameters of RC and the tradeos involved in cho osing various parameters As noted ab ove RC is wordoriented all of the basic computational op er ations have w bit words as inputs and outputs RC is a blo ckcipher with a twoword input plaintext blo ck size and a twoword ciphertext output blo ck size The nominal choice for w is bits for whichRC has bit plaintext and ciphertext blo ck sizes RC is welldened for any w although for simplicity it is prop osed here that only the values and b e allowable The number r of rounds is the second parameter of RC Cho osing a larger numb er of rounds presumably provides an increased level of securityWenote here that RC uses an expanded key table S that is derived from the users supplied secret key The size t of table S also dep ends on the number r of rounds S has t r words Cho osing a larger numb er of rounds therefore also implies a need for somewhat more memory There are thus several distinct RC algorithms dep ending on the choice of parameters w and r We summarize these parameters b elow w This is the wordsize in bits eachword contains u w bit bytes The nominal value of w is bits allowable values of w are and RC encrypts twoword blo cks plaintext and ciphertext blo cks are each w bits long r This is the numb er of rounds Also the expanded key table S contains t r words Allowable values of r are In addition to w and r RChasavariablelength secret cryptographic key sp ecied by parameters b and K b The number of bytes in the secret key K Allowable values of b are K The bbyte secret key K K K b For notational convenience we designate a particular parameterized RC algorithm as RCwrbFor example RC has bit words rounds a byte bit secret key variable and an expanded key table of words Parameters may b e dropp ed from last to rst to talk ab out RC with the dropp ed parameters unsp ecied For example one may ask Howmany rounds should one use in RC We prop ose RC as providing a nominal choice of parameters That is the nominal values of the parameters provide for w bit words rounds and bytes of keyFurther analysis is needed to analyze the securityof this choice For RC we suggest increasing the numb er of rounds to r We suggest that in an implementation all of the parameters given ab ove maybepackaged together to form an RC control blockcontaining the following elds v byte version number hex for version here w byte r byte b byte Kbbytes A control blo ckisthus represented using b bytes For example the control blo ck C A D F BB in hexadecimal sp ecies an RC algorithm version with bit words rounds and a byte bit key RC keymanagement schemes would then typically manage and transmit entire RC control blo cks containing all of the relevant parameters in addition to the usual secret cryptographic key variable Discussion of Parameterization In this section we discuss the extensive parameterization that RC provides We should rst note that it is not intended that RC b e secure for all p ossible parameter values For example r provides essentially no encryption and r is easily broken And cho osing b clearly gives no security On the other hand cho osing the maximum allowable parameter values would be overkill for most applications Weallow a range of parameter values so that users may select an encryption algorithm whose security and sp eed are optimized for their application while providing an evolutionary path for adjusting their parameters as necessary in the future As an example consider the problem of replacing DES with an equivalent RC algorithm One might reasonable cho ose RC as such a replace ment The inputoutput blo cks are w bits long just as in DES The numb er of rounds is also the same although eachRC round is more liketwo DES rounds since all data registers rather than just half of them are up dated in one RC round Finally DES and RC eachhave bit byte secret keys Unlike DES which has no parameterization and hence no exibilityRC p ermits upgrades as necessaryFor example one can upgrade the ab ovechoice for a DES replacement to an bit key bymoving to RC As technology improves and as the true strength of RC algorithms b ecomes b etter understo o d through analysis the most appropriate parameter values can b e chosen The choice of r aects b oth encryption sp eed and securityFor some appli cations high sp eed may b e the most critical requirementone wishes for the b est security obtainable within a given encryption time requirement Cho osing a small value of r say r mayprovide some security alb eit mo dest within the given sp eed constraint In other applications suchaskey management security is the primary con cern and sp eed is relatively unimp ortant Cho osing r roundsmightbe appropriate for such applications Since RC is a new design further study is required to determine the securityprovided byvarious values of r RC users may wish to adjust the values of r they use based on the results of such studies Similarly the word size w also aects sp eed and securityFor example cho os ing a value of w larger than the register size of the CPU can degrade encryption sp eed The word size w is primarily for researchers who wish to examine the security prop erties of a natural scaleddown RC As bit pro cessors b ecome common one can movetoRC as a natural extension of RC It may also b e convenient to sp ecify w or larger if RC is to b e used as the basis for a hash function in order to have bit or larger inputoutput blo cks It may b e considered unusual and risky to sp ecify an encryption algorithm that p ermits insecure parameter choices Wehavetwo resp onses to this criticism A xed set of parameters may b e at least as dangerous since the parameters can not b e increased when necessary Consider the problem DES has now its key size is to o short and there is no easy way to increase it It is exp ected that implementors will provide implementations that ensure that suitably large parameters are chosen While unsafe choices mightbe usable in principle they would b e forbidden in practice It is not exp ected that a typical RC implementation will work with any RC control blo ck Rather it mayonlywork for certain xed parameter values or parameters in a certain range The parameters w r andb in a received or transmitted RC control blo ck are then merely used for typecheckingvalues other than those supp orted by the implementation will b e disallowed
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages11 Page
-
File Size-