The RC6 Block Cipher:
A simple fast secure
AES proposal
Ronald L. Rivest MIT
Matt Robshaw RSA Labs
Ray Sidney RSA Labs
Yiqun Lisa Yin RSA Labs
(August 21, 1998)
Outline
• Design Philosophy
• Description of RC6
• Implementation Results
• Security
• Conclusion
Design Philosophy
• Leverage our experience with RC5: use data-dependent rotations to achieve a high level of security.
• Adapt RC5 to meet AES requirements.
• Take advantage of a new primitive for increased security and efficiency: 32x32 multiplication, which executes quickly on modern processors, to compute rotation amounts.
Description of RC6
• RC6-w/r/b parameters:
– Word size in bits: w (32; lg(w) = 5)
– Number of rounds: r (20)
– Number of key bytes: b (16, 24, or 32)
• Key Expansion:
– Produces array S[ 0 … 2r + 3 ] of w-bit round keys.
• Encryption and Decryption:
– Input/Output in 32-bit registers A, B, C, D
RC6 Primitive Operations
A + B                    Addition modulo 2^w
A - B                    Subtraction modulo 2^w
A ⊕ B                    Exclusive-Or
A <<< B                  Rotate A left by the amount in the low-order lg(w) bits of B
A >>> B                  Rotate A right, similarly
(A,B,C,D) = (B,C,D,A)    Parallel assignment
A x B                    Multiplication modulo 2^w
RC5
RC6 Encryption (Generic)
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< lg( w )
u = ( D x ( 2D + 1 ) ) <<< lg( w )
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 2r + 2 ]
C = C + S[ 2r + 3 ]
RC6 Encryption (for AES)
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to 20 do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 42 ]
C = C + S[ 43 ]
RC6 Decryption (for AES)
C = C - S[ 43 ]
A = A - S[ 42 ]
for i = 20 downto 1 do
{
(A, B, C, D) = (D, A, B, C)
u = ( D x ( 2D + 1 ) ) <<< 5
t = ( B x ( 2B + 1 ) ) <<< 5
C = ( ( C - S[ 2i + 1 ] ) >>> t ) ⊕ u
A = ( ( A - S[ 2i ] ) >>> u ) ⊕ t
}
D = D - S[ 1 ]
B = B - S[ 0 ]
Key Expansion (Same as RC5's)
• Input: array L[ 0 … c-1 ] of input key words
• Output: array S[ 0 … 43 ] of round key words
• Procedure:
S[ 0 ] = 0xB7E15163
for i = 1 to 43 do S[ i ] = S[ i-1 ] + 0x9E3779B9
A = B = i = j = 0
for s = 1 to 132 do
{
A = S[ i ] = ( S[ i ] + A + B ) <<< 3
B = L[ j ] = ( L[ j ] + A + B ) <<< ( A + B )
i = ( i + 1 ) mod 44
j = ( j + 1 ) mod c
}
From RC5 to RC6
in seven easy steps
(1) Start with RC5
RC5 encryption inner loop:
for i = 1 to r do
{
A = ( ( A ⊕ B ) <<< B ) + S[ i ]
( A, B ) = ( B, A )
}
Can RC5 be strengthened by having rotation
amounts depend on all the bits of B?
Better rotation amounts?
• Modulo function? Use low-order bits of ( B mod d ). Too slow!
• Linear function? Use high-order bits of ( c x B ). Hard to pick c well!
• Quadratic function? Use high-order bits of ( B x (2B+1) ). Just right!
B x (2B+1) is one-to-one mod 2^w
Proof: By contradiction. If B ≠ C but B x (2B + 1) = C x (2C + 1) (mod 2^w), then (B - C) x (2B+2C+1) = 0 (mod 2^w). But (B-C) is nonzero and (2B+2C+1) is odd; their product can't be zero! ∎
Corollary: B uniform → B x (2B+1) uniform (and high-order bits are uniform too!)
High-order bits of B x (2B+1)
• The high-order bits of f(B) = B x ( 2B + 1 ) = 2B^2 + B depend on all the bits of B.
• Let B = B31 B30 B29 … B1 B0 in binary.
• Flipping bit i of input B
– leaves bits 0 … i-1 of f(B) unchanged,
– flips bit i of f(B) with probability one,
– flips bit j of f(B), for j > i, with probability approximately 1/2 (1/4 … 1),
– is likely to change some high-order bit.
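An added experiment (not from the slides) that checks the two claims above: the one-to-one property of f(B) = B x (2B+1) mod 2^w, verified exhaustively for a small w, and the bit-flip propagation behaviour measured empirically at w = 32. The word sizes, trial counts and seeds are choices made here, not parameters from the deck.

```python
import random


def f(b, w):
    """The RC6 quadratic function B x (2B+1) reduced mod 2^w."""
    return (b * (2 * b + 1)) & ((1 << w) - 1)


def is_bijection(w):
    """Exhaustively verify that f is one-to-one mod 2^w (feasible for w <= 16)."""
    return len({f(b, w) for b in range(1 << w)}) == (1 << w)


def flip_probabilities(w, i, trials=2000, seed=1):
    """Flip input bit i of random B and record how often each output bit of f changes.
    Returns a list of w probabilities, index j = output bit j."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible experiment
    counts = [0] * w
    for _ in range(trials):
        b = rng.getrandbits(w)
        diff = f(b, w) ^ f(b ^ (1 << i), w)
        for j in range(w):
            counts[j] += (diff >> j) & 1
    return [c / trials for c in counts]


def rotation_amount_changed(w, i, trials=2000, seed=2):
    """Fraction of trials in which flipping input bit i changes the top lg(w) bits
    of f(B), i.e. the bits RC6 uses as the rotation amount."""
    lgw = w.bit_length() - 1
    rng = random.Random(seed)
    changed = 0
    for _ in range(trials):
        b = rng.getrandbits(w)
        if (f(b, w) >> (w - lgw)) != (f(b ^ (1 << i), w) >> (w - lgw)):
            changed += 1
    return changed / trials
```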
(2) Quadratic Rotation Amounts
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
A = ( ( A ⊕ B ) <<< t ) + S[ i ]
( A, B ) = ( B, A )
}
But now much of the output of this nice multiplication is being wasted...
(3) Use t, not B, as xor input
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< t ) + S[ i ]
( A, B ) = ( B, A )
}
Now AES requires 128-bit blocks. We could use two 64-bit registers, but 64-bit operations are poorly supported with typical C compilers...
(4) Do two RC5's in parallel
Use four 32-bit regs (A,B,C,D), and do RC5 on (C,D) in parallel with RC5 on (A,B):
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< t ) + S[ 2i ]
( A, B ) = ( B, A )
u = ( D x ( 2D + 1 ) ) <<< 5
C = ( ( C ⊕ u ) <<< u ) + S[ 2i + 1 ]
( C, D ) = ( D, C )
}
(5) Mix up data between copies
Switch rotation amounts between copies,
and cyclically permute registers instead of
swapping:
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
One Round of RC6
(Diagram: registers A, B, C, D enter at the top; f and the fixed <<< 5 rotation produce t and u; the data-dependent rotations <<< u and <<< t and round keys S[2i], S[2i+1] are applied; A, B, C, D leave at the bottom.)
(6) Add Pre- and Post-Whitening
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 2r + 2 ]
C = C + S[ 2r + 3 ]
(7) Set r = 20 for high security
Final RC6 (based on analysis)
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to 20 do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 42 ]
C = C + S[ 43 ]
RC6 Implementation Results
Less than two clocks per bit of plaintext!

CPU Cycles / Operation
            Java       Borland C   Assembly
Setup       110000     2300        1108
Encrypt     16200      616         254
Decrypt     16500      566         254

Operations / Second (200 MHz)
            Java       Borland C   Assembly
Setup       1820       86956       180500
Encrypt     12300      325000      787000
Decrypt     12100      353000      788000

Encryption Rate (200 MHz), in MegaBytes / second and MegaBits / second
            Java              Borland C         Assembly
Encrypt     0.197 MB/s        5.19 MB/s         12.6 MB/s
            1.57 Mbit/s       41.5 Mbit/s       100.8 Mbit/s
Decrypt     0.194 MB/s        5.65 MB/s         12.6 MB/s
            1.55 Mbit/s       45.2 Mbit/s       100.8 Mbit/s
Over 100 Megabits / second!
On an 8-bit processor
• On an Intel MCS51 (1 MHz clock)
• Encrypt/decrypt at 9.2 Kbits/second (13535 cycles/block; from actual implementation)
• Key setup in 27 milliseconds
• Only 176 bytes needed for table of round keys.
• Fits on smart card (< 256 bytes RAM).
Custom RC6 IC
• 0.25 micron CMOS process
• One round/clock at 200 MHz
• Conventional multiplier designs
• 0.05 mm^2 of silicon
• 21 milliwatts of power
• Encrypt/decrypt at 1.3 Gbits/second
• With pipelining, can go faster, at cost of more area and power
RC6 Security Analysis
Analysis procedures
• Intensive analysis, based on most effective known attacks (e.g. linear and differential cryptanalysis)
• Analyze not only RC6, but also several "simplified" forms (e.g. with no quadratic function, no fixed rotation by 5 bits, etc.)
Linear analysis
• Find approximations for r-2 rounds.
• Two ways to approximate A = B <<< C
– with one bit each of A, B, C (type I)
– with one bit each of A, B only (type II)
– each have bias 1/64; type I more useful
• Non-zero bias across f(B) only when input bit = output bit. (Best for lsb.)
• Also include effects of multiple linear approximations and linear hulls.
Security against linear attacks
Estimate of number of plaintext/ciphertext pairs required to mount a linear attack. (Only 2^128 such pairs are available.)
Rounds      Pairs
8           2^47
12          2^83
16          2^119
20 (RC6)    2^155   Infeasible
24          2^191
Differential analysis
• Considers use of (iterative and non-iterative) (r-2)-round differentials as well as (r-2)-round characteristics.
• Considers two notions of "difference":
– exclusive-or
– subtraction (better!)
• Combination of quadratic function and fixed rotation by 5 bits very good at thwarting differential attacks.
An iterative RC6 differential
A        B        C        D
1<<16    1<<11    0        0
1<<11    0        0        0
0        0        0        1<<s
0        1<<26    1<<s     0
1<<26    1<<21    0        1<<v
1<<21    1<<16    1<<v     0
1<<16    1<<11    0        0
• Probability = 2^-91
Security against differential attacks
Estimate of number of plaintext pairs required to mount a differential attack. (Only 2^128 such pairs are available.)
Rounds      Pairs
8           2^56
12          2^117
16          2^190
20 (RC6)    2^238   Infeasible
24          2^299
Security of Key Expansion
• Key expansion is identical to that of RC5; no known weaknesses.
• No known weak keys.
• No known related-key attacks.
• Round keys appear to be a "random" function of the supplied key.
• Bonus: key expansion is quite "one-way": difficult to infer supplied key from round keys.
Conclusion
• RC6 more than meets the requirements for the AES; it is
– simple,
– fast, and
– secure.
• For more information, including a copy of these slides, a copy of the RC6 description, and the security analysis, see www.rsa.com/rsalabs/aes
(The End)
