(24 bytes) normally suffice. This is quite interesting: RC5-32/1/* also supplies

a statistically 'well randomized' text and uses 128 key bits in CBC mode.

The one-round RC5 is easy to describe:

Let the plaintext half blocks (each 32 bits long) be A and B , and assume the

key consists of 32-bit words S 0 ,S 1 ,S 2 , and S 3 . To determine the ciphertext half

blocks A 1 and B 1 , we compute

A 0 =A+S 0

B 0 =B+S 1

A 1 = ((A 0

⊕

B 0 ) <<< k 0 ) +S 2 (1)

B 1 = ((B 0

⊕

A 1 ) <<< k 1 ) +S 3 (2)

Where k 0 or k 1 is the value from the five least significant bits of B 0 or A 1 ,

respectively.

Assuming that both A and B (the plaintext) and A 1 and B 1 (the ciphertext)

are known, we try to recover the keys, (S i ) i = 0 ,..., 3 , from as small a number

of plaintexts and ciphertexts as possible. (We are not interested in the method

used by RC5 to generate keys S i from a byte field here. Once we know S i we

can decrypt.)

We begin with equation (2). Since our assumption was that we know A 1 ,we

also know k 1 , so that we can represent subkey S 1 as a function of S 3 that we

can compute:

S 1 = (((B 1 -S 3 ) >>> k 1 )

⊕

A 1 )- B(3)

From among the ciphertexts available, we find two with k 1 values that differ

as little as possible, but are not equal. This prerequisite is almost always met

in practice: with ten known 'random' ciphertexts, for example, the probability

that all k 1 are equal is not more than 2 − 45 (approximately 3 ∗ 10 − 14 ) . Moreover,

with four different ciphertexts at hand, there are two k 1 values that differ by

32 / 4 = 8 at most. The more different ciphertexts we have the smaller the

smallest positive difference of any two k 1 .

Now, having picked out two such plaintext - ciphertext pairs, we turn to equa-

tion (3) for both pairs, writing the equation with the largest k 1 value first. We

subtract the second equation from the first, which causes a zero to appear on