This page uses content from Wikipedia and is licensed under CC BYSA.
One round (two halfrounds) of the RC5 block cipher


General  

Designers  Ron Rivest 
First published  1994 
Successors  RC6, Akelarre 
Cipher detail  
Key sizes  0 to 2040 bits (128 suggested) 
Block sizes  32, 64 or 128 bits (64 suggested) 
Structure  Feistellike network 
Rounds  1255 (12 suggested originally) 
Best public cryptanalysis  
12round RC5 (with 64bit blocks) is susceptible to a differential attack using 2^{44} chosen plaintexts.^{[1]} 
In cryptography, RC5 is a symmetrickey block cipher notable for its simplicity. Designed by Ronald Rivest in 1994,^{[2]} RC stands for "Rivest Cipher", or alternatively, "Ron's Code" (compare RC2 and RC4). The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.
Unlike many schemes, RC5 has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128bit key and 12 rounds.
A key feature of RC5 is the use of datadependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive^{[citation needed]}. RC5 also consists of a number of modular additions and eXclusive OR (XOR)s. The general structure of the algorithm is a Feistellike network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially oneway function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the datadependent rotations has made RC5 an attractive object of study for cryptanalysts^{[according to whom?]}. The RC5 is basically denoted as RC5w/r/b where w=word size in bits, r=number of rounds, b=number of 8bit bytes in the key.
RC5 encryption and decryption both expand the random key into 2(r+1) words that will be used sequentially (and only once each) during the encryption and decryption processes. All of the below comes from Rivest's revised paper on RC5.^{[3]}
The key expansion algorithm is illustrated below, first in pseudocode, then example C code copied directly from the reference paper's appendix.
Following the naming scheme of the paper, the following variable names are used:
# Break K into words
# u = w / 8
c = ceiling( max(b, 1) / u )
# L is initially a clength list of 0valued wlength words
for i = b1 down to 0 do:
L[i/u] = (L[i/u] << 8) + K[i]
# Initialize keyindependent pseudorandom S array
# S is initially a t=2(r+1) length list of undefined wlength words
S[0] = P_w
for i = 1 to t1 do:
S[i] = S[i1] + Q_w
# The main key scheduling loop
i = j = 0
A = B = 0
do 3 * max(t, c) times:
A = S[i] = (S[i] + A + B) <<< 3
B = L[j] = (L[j] + A + B) <<< (A + B)
i = (i + 1) % t
j = (j + 1) % c
# return S
The example source code is provided from the appendix of Rivest's paper on RC5. The implementation is designed to work with w = 32, r = 12, and b = 16.
void RC5_SETUP(unsigned char *K)
{
// w = 32, r = 12, b = 16
// c = max(1, ceil(8 * b/w))
// t = 2 * (r+1)
WORD i, j, k, u = w/8, A, B, L[c];
for(i = b1, L[c1] = 0; i != 1; i)
L[i/u] = (L[i/u] << 8) + K[i];
for(S[0] = P, i = 1; i < t; i++)
S[i] = S[i1] + Q;
for(A = B = i = j = k = 0; k < 3 * t; k++, i = (i+1) % t, j = (j+1) % c)
{
A = S[i] = ROTL(S[i] + (A + B), 3);
B = L[j] = ROTL(L[j] + (A + B), (A + B));
}
}
Encryption involved several rounds of a simple function. 12 or 20 rounds seem to be recommended, depending on security needs and time considerations. Beyond the variables used above, the following variables are used in this algorithm:
A = A + S[0]
B = B + S[1]
for i = 1 to r do:
A = ((A ^ B) <<< B) + S[2 * i]
B = ((B ^ A) <<< A) + S[2 * i + 1]
# The ciphertext block consists of the twoword wide block composed of A and B, in that order.
return A, B
The example C code given by Rivest is this.
void RC5_ENCRYPT(WORD *pt, WORD *ct)
{
WORD i, A = pt[0] + S[0], B = pt[1] + S[1];
for(i = 1; i <= r; i++)
{
A = ROTL(A ^ B, B) + S[2*i];
B = ROTL(B ^ A, A) + S[2*i + 1];
}
ct[0] = A; ct[1] = B;
}
Decryption is a fairly straightforward reversal of the encryption process. The below pseudocode shows the process.
for i = r down to 1 do:
B = ((B  S[2 * i + 1]) >>> A) ^ A
A = ((A  S[2 * i]) >>> B) ^ B
B = B  S[1]
A = A  S[0]
return A, B
The example C code given by Rivest is this.
void RC5_DECRYPT(WORD *ct, WORD *pt)
{
WORD i, B=ct[1], A=ct[0];
for(i = r; i > 0; i)
{
B = ROTR(B  S[2*i + 1], A) ^ A;
A = ROTR(A  S[2*i], B) ^ B;
}
pt[1] = B  S[1]; pt[0] = A  S[0];
}
12round RC5 (with 64bit blocks) is susceptible to a differential attack using 2^{44} chosen plaintexts.^{[1]} 18–20 rounds are suggested as sufficient protection.
RSA Security, which had a patent on the algorithm,^{[4]} offered a series of US$10,000 prizes for breaking ciphertexts encrypted with RC5, but these contests have been discontinued as of May 2007. A number of these challenge problems have been tackled using distributed computing, organised by Distributed.net. Distributed.net has bruteforced RC5 messages encrypted with 56bit and 64bit keys, and is working on cracking a 72bit key; as of February 2018, 5.02% of the keyspace has been searched. At the current rate, it will take approximately 166 years to test every possible remaining key, and thus guarantee completion of the project.^{[5]} The task has inspired many new and novel developments in the field of cluster computing.^{[6]}