Cryptography Reference
Analogous to Figure 5.14, the following number of cases where no rotation is
influenced results with the RC5a algorithm when using $K = 4$ ($2^4 = 16$ keys in
one keybox):
5179 with 7-round RC5a;
220 with 8-round RC5a;
11 with 9-round RC5a; and
0 with 10-round RC5a.
Figure 5.15: Influence of changed plaintext bits on the rotations in the
modified RC5a algorithm.
Of course, the 'meager' information of key K from Figure 5.13 in RC5a is
'distributed' over more bytes than in RC5. From the information-theory
perspective, the subkeys are anything but independent. But you know this sort of
discussion from other cryptographic algorithms: ciphering a lot of information
(a long plaintext) by means of little information (namely the key) does not
mean that the plaintext information is exposed entirely or in part — at least in
practice that is.
We can probably handle successive keys $S[j]$ as we would handle independent
random quantities with a clear conscience. I cannot imagine an attack that
exploits some rule as to how the bits of $S[2iKB + j]$ vary in dependence on
$j = 0, 1, \ldots, 2^K - 1$.
Can you use mod- n cryptanalysis to attack RC5a? I don't know, but I don't
think so. I originally modified RC5 in this specific way to make finding subsets
without rotation improbable. In view of mod- n cryptanalysis, I am no longer
interested in this argument. But RC5a offers yet another security reserve: one
has to reconstruct more subkeys for each round, e.g., 16 times more, than with
RC5, an otherwise identical method. This probably increases the number of
known plaintexts required so much that one wouldn't do better than with brute
force, unless the number of rounds was heavily reduced.
Anyway, I hope that RC5 (and RC5a with it, of course) will continue to prove
secure. The algorithm can effortlessly 'grow' with the hardware. Its security
can be increased by the number of rounds at the cost of performance, just as
well as the block size and the key length, which are actually limited arbitrarily
(a 12-round method uses a total of 104-byte subkeys, i.e., 832 bits!). RC5