Cryptography Reference
In-Depth Information
(24 bytes) normally suffice. This is quite interesting: RC5-32/1/* also supplies
a statistically 'well randomized' text and uses 128 key bits in CBC mode.
The one-round RC5 is easy to describe:
Let the plaintext half blocks (each 32 bits long) be
A
and
B
, and assume the
key consists of 32-bit words
S
0
,S
1
,S
2
, and
S
3
. To determine the ciphertext half
blocks
A
1
and
B
1
, we compute
A
0
=A+S
0
B
0
=B+S
1
A
1
= ((A
0
⊕
B
0
)
<<< k
0
)
+S
2
(1)
B
1
= ((B
0
⊕
A
1
)
<<< k
1
)
+S
3
(2)
Where
k
0
or
k
1
is the value from the five least significant bits of
B
0
or
A
1
,
respectively.
Assuming that both
A
and
B
(the plaintext) and
A
1
and
B
1
(the ciphertext)
are known, we try to recover the keys, (S
i
)
i
=
0
,...,
3
, from as small a number
of plaintexts and ciphertexts as possible. (We are not interested in the method
used by RC5 to generate keys
S
i
from a byte field here. Once we know
S
i
we
can decrypt.)
We begin with equation (2). Since our assumption was that we know
A
1
,we
also know
k
1
, so that we can represent subkey
S
1
as a function of
S
3
that we
can compute:
S
1
= (((B
1
-S
3
)
>>> k
1
)
⊕
A
1
)- B(3)
From among the ciphertexts available, we find two with
k
1
values that differ
as little as possible, but are not equal. This prerequisite is almost always met
in practice: with ten known 'random' ciphertexts, for example, the probability
that all
k
1
are equal is not more than 2
−
45
(approximately 3
∗
10
−
14
)
. Moreover,
with four different ciphertexts at hand, there are two
k
1
values that differ by
32
/
4
=
8 at most. The more different ciphertexts we have the smaller the
smallest positive difference of any two
k
1
.
Now, having picked out two such plaintext - ciphertext pairs, we turn to equa-
tion (3) for both pairs, writing the equation with the largest
k
1
value first. We
subtract the second equation from the first, which causes a zero to appear on