Cryptography Reference
In-Depth Information
•
After the last round, set
A=A+S2r+2
C=C+S2r+3
•
Keys are generated exactly as in RC5.
Figure 5.16:
(
continued
).
The product of this development work is called
RC6
and is very similar to
RC5. You can find a description in Figure 5.16 and on our Web site, where
you will also find the source code in C.
The decryption results quite easily from the ciphering rule.
How do RC5 and RC6 differ, and what do they have in common?
•
The most important operation in both methods is the data-dependent
rotation. It guarantees extraordinarily strong diffusion and confusion and
cannot be attacked effectively at present.
•
RC6 initially reminds you of two RC5 methods running in parallel, except
that the cyclic swapping of the four words —
A, B, C, D
— 'mixes' both
methods after each round. This becomes even more striking if you com-
pose an RC5 round from two 'half rounds' in the form
A=(A
⊕
B) <<< B) + S
i
(A,B) = (B,A)
(i.e., swapping the two half words after each [half] round, similarly to a
Feistel algorithm).
•
The decisive improvement versus RC5 is the computation of two helper
quantities,
t
and
u
, in each round. The transformation
t(B)
=
B(
2
B
+
1
)
has the property that the five most significant bits of
t
depend on all bits
of
B
(which is the main reason for the left rotation when computing
t
and
u
; in other words, the five most significant bits of
B(
2
B
+
1
)
determine
the rotation of
A
t
).
Compare this with RC5, where only the five least significant bits of
B
determine how
A
⊕
⊕
B
is rotated. Cryptanalysts tend to 'kick in' at these
