key expansion;encryption;decryption;data-dependent rotations;primitive operations;differential cryptanalysis; linear cryptanalysis;Rivest;Kalinski;Yin;block size;security">


Question 76. What is RC5?

RC5 [Riv95] is a fast block cipher designed by Rivest for RSA Data Security. It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. The block size can be 32, 64, or 128 bits long. The number of rounds can range from 0 to 255. The key can range from 0 bits to 2048 bits in size. Such built-in variability provides flexibility in levels of security and efficiency.

There are three routines in RC5: key expansion, encryption , and decryption. In the key-expansion routine, the user-provided secret key is expanded to fill a key table whose size depends on the number of rounds. The key table is then used in both encryption and decryption. The encryption routine consists of three primitive operations: addition, bitwise exclusive-or, and rotation. The exceptional simplicity of RC5 makes it easy to implement and analyze. Indeed, like RSA, RC5 can be written on the "back of the envelope" (except for key expansion).

The security of RC5 is provided by the heavy use of data-dependent rotations and the mixture of different operations. In particular, the use of data-dependent rotations helps defeat differential and linear cryptanalysis (see Question 58 and Question 59), and Kaliski and Yin [KY95] found that RC5 with a block size of 64 bits and 12 or more rounds provides good security against differential and linear cryptanalysis.

RSA Data Security is in the process of patent application for RC5.