This paper analyzes the security of the RC5 encryption algorithm against differential and linear cryptanalysis. RC5 is a new block cipher recently designed by Ron Rivest. It has a variable word size, a variable number of rounds, and a variable-length secret key. In RC5, the secret key is used to fill an expanded key table which is then used in encryption. Both our differential and linear attacks on RC5 recover every bit of the expanded key table without any exhaustive search. However, the plaintext requirement is strongly dependent on the number of rounds. For 64-bit block size, our differential attack on nine-round RC5 uses 2^45 chosen plaintext pairs (about the same as DES), while 2^62 pairs are needed for 12-round RC5. Similarly, our linear attack on five-round RC5 uses 2^47 known plaintexts (about the same as DES), and the plaintext requirement is impractical for more than six rounds. We conjecture that the linear approximations used in our linear cryptanalysis are optimal. Thus, we conclude that Rivest's suggested use of 12 rounds is sufficient to make differential and linear cryptanalysis of RC5 impractical.