
RC5 Security Information



        For those interested in the security of RC5, here is the
section from the RC5 description document.
                --Bob

9. Security Considerations

The RC5 cipher is relatively new so critical reviews are still being 
performed.  However, the cipher's simple structure makes it easy to analyze 
and hopefully easier to assess its strength.  Reviews so far are very 
promising.

Early results [1] suggest that for RC5 with a 64 bit block size (32 bit 
word size), 12 rounds will suffice to resist linear and differential 
cryptanalysis.  The 128 bit block version has not been studied as much as 
the 64 bit version, but it appears that 16 rounds would be an appropriate 
minimum.  Block sizes less than 64 bits are academically interesting but 
should not be used for cryptographic security.  Greater security can be 
achieved by increasing the number of rounds at the cost of decreasing the 
throughput of the cipher.

The length of the secret key helps determine the cipher's resistance to 
brute force key searching attacks.  A key length of 128 bits should give 
adequate protection against brute force key searching by a well funded 
opponent for a couple of decades [7].  For RC5 with 12 rounds, the key setup 
time and data encryption time are the same for all key lengths less than 
832 bits, so there is no performance reason for choosing short keys.  For 
larger keys, the key expansion step will run slower because the user key 
table, LL, will be longer than the expanded key table, S.  However, the 
encryption time will be unchanged since it is only a function of the number 
of rounds.

To comply with export regulations it may be necessary to choose keys that 
only have 40 unknown bits.  A poor way to do this would be to choose a 
simple 5 byte key.  This should be avoided because it would be easy for an 
opponent to pre-compute key searching information.  Another common 
mechanism is to pick a 128 bit key and publish the first 88 bits.  This 
method may be weak because it reveals a large number of the entries in the 
user key table, LL, and the key expansion algorithm was not designed to 
resist attacks when most of LL is known.  A better way to conform to the 40 
bit rule is to pick a seed value of 128 bits, publish 88 bits of this seed, 
run the entire seed through a hash function like MD5 [4], and use the 128 
bit output of the hash function as the RC5 key.

In the case of 40 unknown key bits with 88 known key bits (i.e., 88 salt 
bits) there should still be 12 or more rounds for the 64 bit block version 
of RC5, otherwise the value of adding salt bits to the key is likely to be 
lost.
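The two key-handling points above (key setup cost being flat until the user key table LL outgrows S, and deriving an export-style key by hashing a partly published seed instead of publishing part of the RC5 key itself) are easier to see in working code. The following is an added example, not code from the RC5 description document or from this post. It implements RC5-32/r/b as Rivest describes it; the function names, the constructed seed value and the helper that counts known words of LL are this example's own. The draft's 2**40 search is not run, only the sizes involved are computed.

```python
"""RC5-32/r/b key expansion, block encryption, and the draft's recommended
40-bit key construction.  Added example; not from the RC5 draft or the post."""
import hashlib

W = 32                      # word size in bits (RC5-32)
MASK = (1 << W) - 1
P32 = 0xB7E15163            # RC5 magic constants for w = 32: Odd((e-2)*2^32)
Q32 = 0x9E3779B9            #                                Odd((phi-1)*2^32)


def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def expand_key(key, rounds):
    """RC5 key expansion.  Returns (S, mixing_iterations).  S holds t = 2(r+1)
    words; the mixing loop runs 3*max(t, c) times, where c = ceil(b/4) is the
    length of the user key table L (called LL in the draft).  For r = 12,
    t = 26, so every key of at most 104 bytes (832 bits) costs 78 iterations."""
    u = W // 8
    b = len(key)
    c = max(1, -(-b // u))                 # ceil(b/u), at least one word
    L = [0] * c
    for i in range(b - 1, -1, -1):         # load key bytes little-endian into L
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = A = B = 0
    iterations = 3 * max(t, c)
    for _ in range(iterations):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S, iterations


def encrypt_block(S, rounds, block):
    """Encrypt one 8-byte block (two little-endian 32-bit words A, B)."""
    A = (int.from_bytes(block[:4], "little") + S[0]) & MASK
    B = (int.from_bytes(block[4:8], "little") + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def decrypt_block(S, rounds, block):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def derive_export_key(seed, published_bits=88):
    """The draft's recommended construction: a 128-bit seed of which the first
    `published_bits` are disclosed; the RC5 key is MD5(seed), so the disclosed
    bits never map directly onto entries of L.  Returns (rc5_key, published)."""
    if len(seed) != 16 or published_bits % 8:
        raise ValueError("seed must be 16 bytes; published_bits a multiple of 8")
    return hashlib.md5(seed).digest(), seed[: published_bits // 8]


def known_user_key_words(key_len, published_bits):
    """The weak alternative the draft warns about: publishing the first
    `published_bits` of the RC5 key itself.  Returns how many of the c words
    of L an attacker then knows in full (88 bits of a 16-byte key expose L[0]
    and L[1] outright, plus 24 of the 32 bits of L[2])."""
    return min(published_bits // W, -(-key_len // (W // 8)))


if __name__ == "__main__":
    # Rivest's published test vector for RC5-32/12/16: all-zero key and block.
    S, n = expand_key(bytes(16), 12)
    print(encrypt_block(S, 12, bytes(8)).hex(), n)   # 21a5dbee154b8f6d 78
    for b in (5, 16, 104, 108):
        print(b, "byte key ->", expand_key(bytes(b), 12)[1], "mixing iterations")
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed seed
    key, published = derive_export_key(seed)
    print("published", published.hex(), "rc5 key", key.hex())
```

The 5, 16 and 104 byte keys all take 78 mixing iterations, and only the 108 byte key (27 words of L, one more than t) takes 81, which is the 832 bit threshold the draft states. MD5 is used here only because the draft names it; the construction's property (that the published bits reach the cipher only through the hash) holds for any one-way hash, and a current design would pick SHA-256 or a KDF.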

The lifetime of the key also influences security.  For high security 
applications, the key to any 64 bit block cipher should be changed after 
encrypting 2**32 blocks (2**64 blocks for a 128 bit block cipher). For the 
case of 64 bit blocks, this rule would recommend changing the key after 
2**40 (i.e. 10**12) bytes are encrypted.  See Schneier [6] page 183 for 
further discussion.   

References

[1] Kaliski, Burton S., and Yinqun Lisa Yin, "On Differential and Linear 
Cryptanalysis of the RC5 Encryption Algorithm", In Advances in Cryptology - 
Crypto '95, pages 171-184, Springer-Verlag, New York, 1995.

[2] Rivest, Ronald L., "The RC5 Encryption Algorithm", In Proceedings of 
the Second International Workshop on Fast Software Encryption, pages 86-96, 
Leuven, Belgium, December 1994.

[3] Rivest, Ronald L., "RC5 Encryption Algorithm", In Dr. Dobbs Journal, 
number 226, pages 146-148, January 1995.

[4] Rivest, Ronald L., "The MD5 Message-Digest Algorithm", RFC 1321.

[5] RSA Laboratories, "Public Key Cryptography Standards (PKCS)", RSA Data 
Security Inc.  See ftp.rsa.com.

[6] Schneier, Bruce, "Applied Cryptography", Second Edition, John Wiley and 
Sons, New York, 1996.

[7] Business Software Alliance, Matt Blaze et al., "Minimum Key Length for 
Symmetric Ciphers to Provide Adequate Commercial Security", 
http://www.bsa.org/bsa/cryptologists.html.