Among 100 million random pairs of 16-byte keys and 64-bit plaintext blocks tested,
there were plaintext bits which, when changed, did not influence the rotations of
RC5 ('influence' means the number of places that are rotated changes). Such cases
were found as follows:
34 732 with 7-round RC5;
1915 with 8-round RC5;
104 with 9-round RC5; and
15 with 10-round RC5.
Up to the 11th round, every plaintext bit influenced a rotation (there were probably
exceptions, but 100 million trials were obviously not enough to find them).
Figure 5.14: Modified plaintext bits influencing the rotations in RC5.
I cannot confirm the last statement. In my own trials, I created 100 million
random pairs of 16-byte keys and 64-bit plaintext blocks. For each of these
pairs, I initially stored the amounts by which things are rotated in each of the
twelve rounds. Subsequently, I changed one bit one after another in all 64 bit
positions in the plaintext and compared the rotations with the 'ground setting'.
I found that there are still cases where a modified plaintext bit influences no
rotation even after ten rounds. Figure 5.14 shows the specific results.
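The experiment described above can be reproduced at small scale with the following added example, which is not the author's program. It assumes RC5-32/12/16, treats both data-dependent rotations of a round as "the rotations", and uses hypothetical function names (`expand_key`, `encrypt_trace`, `silent_bits`) with keys and plaintexts constructed from a seeded generator.

```python
import random

R, MASK = 12, 0xFFFFFFFF                 # RC5-32/12/16: 32-bit words, 12 rounds
P32, Q32 = 0xB7E15163, 0x9E3779B9        # RC5 magic constants for w = 32

def rotl(x, n):
    n &= 31                              # only the low 5 bits select the rotation
    return ((x << n) | (x >> (32 - n))) & MASK

def expand_key(key):
    """RC5 key schedule: key bytes -> 2*(R+1) subkeys."""
    L = [int.from_bytes(key[i:i + 4], "little") for i in range(0, len(key), 4)]
    t, c = 2 * (R + 1), len(L)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt_trace(S, A, B):
    """Encrypt one block; return ((A, B), list of the 2*R rotation amounts)."""
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    rots = []
    for i in range(1, R + 1):
        rots.append(B & 31)
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        rots.append(A & 31)
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return (A, B), rots

def silent_bits(trials, seed=1):
    """counts[n]: (pair, bit) cases where flipping that plaintext bit leaves
    every rotation amount in rounds 1..n unchanged."""
    rng = random.Random(seed)            # constructed random keys and plaintexts
    counts = [0] * (R + 1)
    for _ in range(trials):
        S = expand_key(rng.getrandbits(128).to_bytes(16, "little"))
        A, B = rng.getrandbits(32), rng.getrandbits(32)
        base = encrypt_trace(S, A, B)[1]
        for bit in range(64):
            a, b = (A ^ (1 << bit), B) if bit < 32 else (A, B ^ (1 << (bit - 32)))
            rots = encrypt_trace(S, a, b)[1]
            # index of the first rotation that differs (2*R if none does)
            first = next((k for k in range(2 * R) if rots[k] != base[k]), 2 * R)
            for n in range(1, first // 2 + 1):
                counts[n] += 1
    return counts

if __name__ == "__main__":
    print(silent_bits(2000)[1:])         # one count per round depth 1..12
```

A run of a few thousand pairs only populates the shallow round depths; the rare cases at seven or more rounds need trial counts much closer to the 100 million used in the text.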
Differential Cryptanalysis
The first attack against RC5 by means of differential cryptanalysis was presented
by Kaliski and Yin at the CRYPTO '95 Conference [KalisRC5]. The
results spoke in favor of RC5: a 6-round RC5 required $2^{31}$ chosen plaintexts
(i.e., approximately one billion, or 8 Gbytes); 8 rounds required $2^{39}$; 10 rounds
required $2^{50}$; and finally $2^{62}$ were required for 12 rounds. The computation
time grows as you would expect: a Sun-4 workstation (considered a rather
slow computer today) worked for 10 minutes to attack a 5-round RC5, but it
worked for not less than 12 hours against a 6-round RC5 (corresponding to $2^{25}$
and $2^{31}$ plaintexts).
For practical purposes, these values are not interesting. In theory, however, they
represent progress: $2^{62}$ chosen plaintexts are clearly faster than brute force.