Cryptography Reference
last places, because these values are not 'disturbed' by carryovers from
additions. In RC6, these are the five most significant bits of t, which
additionally depend on B in a very complicated way.
As a sideline, the transformation t(B) is unambiguous (one-to-one), which
means that all 2^32 possible values of t are taken on as B traverses all
possible values (proving this is a moderately hard task for mathematicians).
This is important, because it ensures, for example, that the A t operation
does not link the word A with only 'partial information' on B, which
is critical for the diffusion.
The (A, C) and (B, D) pairs mix even more than the cyclic swapping
of the four words after each round in that the rotation amounts and the
'XOR' partners — t and u from B and D — are computed and applied to
A and C concurrently.
The closer a look you take at RC6, the simpler and cleverer you will find this
algorithm. It appears to be the one with the shortest description out of all AES
candidates; this is the only reason I can describe it here fully.
However, there are two minor drawbacks. First, the integer multiplication
suggests where the algorithm runs most effectively: on 32-bit processors. Things
look less favorable on 8-bit smartcards, where the data rotation is costly. And
second, while the usual cryptanalytic attacks against RC6 have failed so far, I agree
with Schneier's comments on the mod-3 cryptanalysis (see Section 5.4.2): here
too, an effective attack is prevented by XOR and addition. Moreover, the
transformation t(B) = B(2B + 1) produces only remainders 0 and 1 when dividing
by 3. This type of 'distortion' could 'survive' the cleverly constructed round
function if it weren't for said XOR.
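The properties of t(B) = B(2B + 1) discussed above can be checked numerically. The following Python sketch is an added example, not code from the book: it tests the one-to-one property exhaustively on reduced word sizes (8 to 16 bits, an assumption made to keep the search small), collects the remainders of the integer product modulo 3, and measures how each bit of B influences the five most significant bits of t. All function names are illustrative.

```python
import random

W = 32  # RC6 word size in bits


def t(b, w=W):
    """RC6's quadratic transformation B(2B + 1), reduced to a w-bit word."""
    return (b * (2 * b + 1)) & ((1 << w) - 1)


def is_permutation(w):
    """Exhaustive check that t is one-to-one on w-bit words (small w only)."""
    return len({t(b, w) for b in range(1 << w)}) == 1 << w


def product_residues_mod3(limit):
    """Remainders mod 3 of the integer product B(2B + 1), before word reduction."""
    return {(b * (2 * b + 1)) % 3 for b in range(limit)}


def top5_flip_rates(samples=2000, seed=1):
    """For each input bit of B, the fraction of constructed random inputs for
    which flipping that bit changes the five most significant bits of t."""
    rng = random.Random(seed)  # fixed seed: constructed sample data
    inputs = [rng.getrandbits(W) for _ in range(samples)]
    top5 = lambda x: t(x) >> (W - 5)
    return [sum(top5(b) != top5(b ^ (1 << i)) for b in inputs) / samples
            for i in range(W)]


if __name__ == "__main__":
    for w in (8, 12, 16):
        print(f"w={w}: t is a permutation = {is_permutation(w)}")
    print("remainders of B(2B+1) mod 3:", sorted(product_residues_mod3(3000)))
    rates = top5_flip_rates()
    print("lowest flip rate over all 32 input bits:", min(rates))
```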
In contrast, the mod-3 cryptanalysis seems to be less effective against RC5a,
though at the cost of an increased memory requirement. Patent rights aside,
if any apply, RC5a is still attractive indeed. Of course, RC6 could be
similarly modified into an RC6a algorithm, but I don't see a need for the time being.
Nevertheless, no symmetric algorithm since DES has been cryptanalyzed as
thoroughly and with such good results as the five AES final candidates,
including RC6.
5.5 Rijndael Becomes AES and Replaces DES
Even before Deep Crack, the DES crack computer (see Section 4.4.1), was
built, scientists, industries, and government authorities understood that the days