Cryptography Reference
In-Depth Information
Kelsey, Schneier, and Wagner succeeded, after all, in attacking a 14-round
version of RC5P in practice; a Pentium-133 took about 3 hours for this attack.
They then turned their method against the
M6
algorithm, which is based on
Japanese research and supposedly used in the FireWire standard. Against M6,
a mod-5 attack and subsequently a mod-257 attack led to the goal. (Notice that
3, 5, and 257 all divide 2
32
1, i.e., 2
32
leaves a remainder of 1 when divided
by these prime numbers. This is decisive in this type of cryptanalysis.) The
results are devastating: one single known plaintext suffices to find the 40-bit
key 16 times faster than by brute force, and with a few dozen known plaintexts
it can be found 512 times faster. A minor modification of the M6 algorithm
might effectively help prevent such attacks.
−
The use of the XOR operation
and
the addition in both RC5 and RC6 (see
Section 5.4.4) is also decisive for their security. Mixing operations with various
algebraic structures still appears to be key for high security. Not without reason
is this principle implemented in practice in IDEA.
Of course, we cannot exclude the fact that somebody might discover a totally
new method to attack RC5. It might well be that RC5 in its current form will
be considered to be insecure one day. If and when this happens, the algorithm
will have advanced the theory. However, I think that an encryption with a
sufficiently large number of rounds (e.g., 16) is secure against the known theory;
at least the RC5a modification from Section 5.4.3 is.
Cryptanalyzing the One-Round RC5
You probably remember how we defined the product algorithm in Section 4.1.4:
'Simple, cryptologically relatively unsure steps are made one after the other.'
How does this look with RC5? Is RC5-32/1/* (one round, optional key length)
cryptologically insecure?
Even if nobody would use one-round RC5 in practice, the issue is a welcome
opportunity for us to make an excursion into cryptanalysis. I can finally show
you a real 'bit fiddling' attack in a reproducible way in this topic. Being familiar
with these considerations will perhaps help you to understand Section 5.7.1,
which is more relevant for practice.
The differential cryptanalysis by Kaliski and Yin discussed above requires 128
chosen
plaintexts for RC5-32/1/*. Of course, this is far from being optimal,
because it's an attack against RC5 with many rounds. I found a plaintext attack
against the one-round method, for which three (almost)
arbitrary
plaintexts
