Cryptography Reference
In-Depth Information
by interfering with the clock frequency at a clock time computed exactly. It
is perhaps not too bold to assume that this might suppress the execution of
the last RC5 round. Using the same plaintext, this supplies the ciphering result
after
r
−
1 and
r
rounds, i.e., the plaintext and ciphertext for the one-round
RC5! Now we can finally use the knowledge we gained in the previous section
and compute the subkeys of the last round in three trials. Next we suppress
round
r
−
1. Since we already know the last round's subkeys, we can decrypt
this one round and analogously compute the subkeys of the last round but one.
This means that 36 ciphering trials would probably be required for the 12-round
method — a matter of fractions of seconds in any event. And all this without
the parties concerned noticing anything.
Don't interpret this attack as a weakness of RC5. Such nasty methods can crack
almost every algorithm — surely including the RC5a method introduced below,
though I currently don't know how (you may have to suppress half rounds).
5.4.3 The RC5a Modification
Knudsen and Meier's attacks against RC5 exploit the fact that there is no rota-
tion in some steps. Even the improved method by Biryukov and Kushilevitz
studies only pairs where the same rotation occurs in all steps. Rotation intro-
duces confusion and diffusion to the algorithm, which appears to still be hard
to crack. In this respect, the results from Figure 5.15 are not entirely satis-
factory. I propose a modification which I call
RC5a
. It deviates only slightly
from the original. Moreover, it is just as fast as the original, except for the key
generation, but increases the 'mixing' factor considerably.
The idea is as follows: keys
S
2
i
and
S
2
i
+
1
are added to the rotated words in
the
i
th round. We denote the keys as
S
[2
∗
i
] and
S
[2
∗
i
+
1], like in the C
programming language, for technical reasons:
⊕
A = ((A
B) <<< B) + S[2*i]
⊕
B = ((B
A) <<< A) + S[2*i + 1]
We modify these steps such that keys
S
[2
∗
i
]or
S
[2
∗
i
+
1], respectively, can
each be chosen from a larger set of 2
K
keys, depending on either
B
or
A
. Each
S
[
j
] is 'replaced' by an
independent
set of keys; this set is called the
keybox
.
It makes decryption possible.
What effect does this change have? If the last five bits of
B
are equal to 0
in the first equation, then ciphering the last five bits of
A
leads to an addition
