key expansion;encryption;decryption;data-dependent rotations;primitive operations;differential cryptanalysis;
linear cryptanalysis;Rivest;Kalinski;Yin;block size;security">
### Question 76. What is RC5?

RC5 [Riv95] is a fast block cipher designed by Rivest for RSA Data Security.
It is a parameterized algorithm with a variable block size, a variable
key size, and a variable number of rounds. The block size can be 32, 64,
or 128 bits long. The number of rounds can range from 0 to 255. The key
can range from 0 bits to 2048 bits in size. Such built-in variability provides
flexibility in levels of security and efficiency.

There are three routines in RC5: *key expansion,* *encryption
*, and *decryption*. In the key-expansion routine, the user-provided
secret key is expanded to fill a key table whose size depends on the number
of rounds. The key table is then used in both encryption and decryption.
The encryption routine consists of three primitive operations: addition,
bitwise exclusive-or, and rotation. The exceptional simplicity of RC5 makes
it easy to implement and analyze. Indeed, like RSA, RC5 can be written
on the "back of the envelope" (except for key expansion).

The security of RC5 is provided by the heavy use of data-dependent rotations
and the mixture of different operations. In particular, the use of data-dependent
rotations helps defeat differential and linear cryptanalysis (see Question
58 and Question 59), and Kaliski and Yin
[KY95]
found that RC5 with a block size of 64 bits and 12 or more rounds provides
good security against differential and linear cryptanalysis.

RSA Data Security is in the process of patent application for RC5.