SlideShare a Scribd company logo
The RC6 Block Cipher:
A simple fast secure
AES proposal
Ronald L. Rivest MIT
Matt Robshaw RSA Labs
Ray Sidney RSA Labs
Yiqun Lisa Yin RSA Labs
(August 21, 1998)
Outline
u Design Philosophy
u Description of RC6
u Implementation Results
u Security
u Conclusion
Design Philosophy
u Leverage our experience with RC5: use
data-dependent rotations to achieve a
high level of security.
u Adapt RC5 to meet AES requirements
u Take advantage of a new primitive for
increased security and efficiency:
32x32 multiplication, which executes
quickly on modern processors, to
compute rotation amounts.
Description of RC6
Description of RC6
u RC6-w/r/b parameters:
– Word size in bits: w ( 32 )( lg(w) = 5 )
– Number of rounds: r ( 20 )
– Number of key bytes: b ( 16, 24, or 32 )
u Key Expansion:
– Produces array S[ 0 … 2r + 3 ] of w-bit
round keys.
u Encryption and Decryption:
– Input/Output in 32-bit registers A,B,C,D
RC6 Primitive Operations
A + B Addition modulo 2
w
A - B Subtraction modulo 2
w
A ⊕ B Exclusive-Or
A <<< B Rotate A left by amount in
low-order lg(w ) bits of B
A >>> B Rotate A right, similarly
(A,B,C,D) = (B,C,D,A) Parallel assignment
A x B Multiplication modulo 2
w
RC5
RC6 Encryption (Generic)
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< lg( w )
u = ( D x ( 2D + 1 ) ) <<< lg( w )
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 2r + 2 ]
C = C + S[ 2r + 3 ]
RC6 Encryption (for AES)
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to 20 do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 42 ]
C = C + S[ 43 ]
RC6 Decryption (for AES)
C = C - S[ 43 ]
A = A - S[ 42 ]
for i = 20 downto 1 do
{
(A, B, C, D) = (D, A, B, C)
u = ( D x ( 2D + 1 ) ) <<< 5
t = ( B x ( 2B + 1 ) ) <<< 5
C = ( ( C - S[ 2i + 1 ] ) >>> t ) ⊕ u
A = ( ( A - S[ 2i ] ) >>> u ) ⊕ t
}
D = D - S[ 1 ]
B = B - S[ 0 ]
Key Expansion (Same as RC5’s)
u Input: array L[ 0 … c-1 ] of input key words
u Output: array S[ 0 … 43 ] of round key words
u Procedure:
S[ 0 ] = 0xB7E15163
for i = 1 to 43 do S[i] = S[i-1] + 0x9E3779B9
A = B = i = j = 0
for s = 1 to 132 do
{ A = S[ i ] = ( S[ i ] + A + B ) <<< 3
B = L[ j ] = ( L[ j ] + A + B ) <<< ( A + B )
i = ( i + 1 ) mod 44
j = ( j + 1 ) mod c }
From RC5 to RC6
in seven easy steps
(1) Start with RC5
RC5 encryption inner loop:
for i = 1 to r do
{
A = ( ( A ⊕ B ) <<< B ) + S[ i ]
( A, B ) = ( B, A )
}
Can RC5 be strengthened by having rotation
amounts depend on all the bits of B?
u Modulo function?
Use low-order bits of ( B mod d )
Too slow!
u Linear function?
Use high-order bits of ( c x B )
Hard to pick c well!
u Quadratic function?
Use high-order bits of ( B x (2B+1) )
Just right!
Better rotation amounts?
B x (2B+1) is one-to-one mod 2
w
Proof: By contradiction. If B ≠ C but
B x (2B + 1) = C x (2C + 1) (mod 2
w
)
then
(B - C) x (2B+2C+1) = 0 (mod 2
w
)
But (B-C) is nonzero and (2B+2C+1) is
odd; their product can’t be zero! o
Corollary:
B uniform à B x (2B+1) uniform
(and high-order bits are uniform too!)
High-order bits of B x (2B+1)
u The high-order bits of
f(B) = B x ( 2B + 1 ) = 2B
2
+ B
depend on all the bits of B .
u Let B = B31B30B29 … B1B0 in binary.
u Flipping bit i of input B
– Leaves bits 0 … i-1 of f(B) unchanged,
– Flips bit i of f(B) with probability one,
– Flips bit j of f(B) , for j > i , with
probability approximately 1/2 (1/4…1),
– is likely to change some high-order bit.
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
A = ( ( A ⊕ B ) <<< t ) + S[ i ]
( A, B ) = ( B, A )
}
But now much of the output of this nice
multiplication is being wasted...
(2) Quadratic Rotation Amounts
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< t ) + S[ i ]
( A, B ) = ( B, A )
}
Now AES requires 128-bit blocks.
We could use two 64-bit registers, but
64-bit operations are poorly supported
with typical C compilers...
(3) Use t, not B, as xor input
(4) Do two RC5’s in parallel
Use four 32-bit regs (A,B,C,D), and do
RC5 on (C,D) in parallel with RC5 on (A,B):
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< t ) + S[ 2i ]
( A, B ) = ( B, A )
u = ( D x ( 2D + 1 ) ) <<< 5
C = ( ( C ⊕ u ) <<< u ) + S[ 2i + 1 ]
( C, D ) = ( D, C )
}
(5) Mix up data between copies
Switch rotation amounts between copies,
and cyclically permute registers instead of
swapping:
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
One Round of RC6
55
ff
A B C D
<<<<<<
<<< <<<
S[2i] S[2i+1]
A B C D
t u
(6) Add Pre- and Post-Whitening
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to r do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 2r + 2 ]
C = C + S[ 2r + 3 ]
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to 20 do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 42 ]
C = C + S[ 43 ]
(7) Set r = 20 for high security
Final RC6
(based on analysis)
RC6 Implementation Results
Less than two clocks per bit of plaintext !
Java Borland C Assembly
Setup 110000 2300 1108
Encrypt 16200 616 254
Decrypt 16500 566 254
CPU Cycles / Operation
Java Borland C Assembly
Setup 1820 86956 180500
Encrypt 12300 325000 787000
Decrypt 12100 353000 788000
Operations/Second (200MHz)
Java Borland C Assembly
Encrypt 0.197
1.57
5.19
41.5
12.6
100.8
Decrypt 0.194
1.55
5.65
45.2
12.6
100.8
Encryption Rate (200MHz)
MegaBytes / second
MegaBits / second
Over 100 Megabits / second !
On an 8-bit processor
u On an Intel MCS51 ( 1 Mhz clock )
u Encrypt/decrypt at 9.2 Kbits/second
(13535 cycles/block;
from actual implementation)
u Key setup in 27 milliseconds
u Only 176 bytes needed for table of
round keys.
u Fits on smart card (< 256 bytes RAM).
Custom RC6 IC
u 0.25 micron CMOS process
u One round/clock at 200 MHz
u Conventional multiplier designs
u 0.05 mm
2
of silicon
u 21 milliwatts of power
u Encrypt/decrypt at 1.3 Gbits/second
u With pipelining, can go faster, at cost
of more area and power
RC6 Security Analysis
Analysis procedures
u Intensive analysis, based on most
effective known attacks (e.g. linear
and differential cryptanalysis)
u Analyze not only RC6, but also several
“simplified” forms (e.g. with no
quadratic function, no fixed rotation
by 5 bits, etc…)
Linear analysis
u Find approximations for r-2 rounds.
u Two ways to approximate A = B <<< C
– with one bit each of A, B, C (type I)
– with one bit each of A, B only (type II)
– each have bias 1/64; type I more useful
u Non-zero bias across f(B) only when
input bit = output bit. (Best for lsb.)
u Also include effects of multiple linear
approximations and linear hulls.
Estimate of number of plaintext/ciphertext
pairs required to mount a linear attack.
(Only 2
128
such pairs are available.)
Rounds Pairs
8 247
12 283
16 2119
20 RC6 2155
24 2191
Security against linear attacks
Infeasible
Differential analysis
u Considers use of (iterative and non-
iterative) (r-2)-round differentials as
well as (r-2)-round characteristics.
u Considers two notions of “difference”:
– exclusive-or
– subtraction (better!)
u Combination of quadratic function and
fixed rotation by 5 bits very good at
thwarting differential attacks.
An iterative RC6 differential
u A B C D
1<<16 1<<11 0 0
1<<11 0 0 0
0 0 0 1<<s
0 1<<26 1<<s 0
1<<26 1<<21 0 1<<v
1<<21 1<<16 1<<v 0
1<<16 1<<11 0 0
u Probability = 2-91
Estimate of number of plaintext pairs
required to mount a differential attack.
(Only 2
128
such pairs are available.)
Rounds Pairs
8 256
12 2117
16 2190
20 RC6 2238
24 2299
Security against
differential attacks
Infeasible
Security of Key Expansion
u Key expansion is identical to that of
RC5; no known weaknesses.
u No known weak keys.
u No known related-key attacks.
u Round keys appear to be a “random”
function of the supplied key.
u Bonus: key expansion is quite “one-
way”---difficult to infer supplied key
from round keys.
Conclusion
u RC6 more than meets the
requirements for the AES; it is
– simple,
– fast, and
– secure.
u For more information, including copy
of these slides, copy of RC6
description, and security analysis, see
www.rsa.com/rsalabs/aes
(The End)

More Related Content

What's hot

370410176 moshell-commands
370410176 moshell-commands370410176 moshell-commands
370410176 moshell-commands
nanker phelge
 
LTE-Advanced Physical Layer
LTE-Advanced Physical LayerLTE-Advanced Physical Layer
LTE-Advanced Physical Layer
Praveen Kumar
 
Abis Over IP/Abis Optimization on-site Workshop
Abis Over IP/Abis Optimization on-site WorkshopAbis Over IP/Abis Optimization on-site Workshop
Abis Over IP/Abis Optimization on-site Workshop
etkisizcom
 
LTE RADIO PROTOCOLS
LTE RADIO PROTOCOLSLTE RADIO PROTOCOLS
LTE RADIO PROTOCOLS
brkavyashree
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
Krunal Shah
 
Juniper Networks Router Architecture
Juniper Networks Router ArchitectureJuniper Networks Router Architecture
Juniper Networks Router Architecture
lawuah
 
I2C Protocol
I2C ProtocolI2C Protocol
I2C Protocol
Abhijeet kapse
 
Lte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxLte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkx
tharinduwije
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
3G4G
 
DRAM Cell - Working and Read and Write Operations
DRAM Cell - Working and Read and Write OperationsDRAM Cell - Working and Read and Write Operations
DRAM Cell - Working and Read and Write Operations
Naman Bhalla
 
Ims conference-call
Ims conference-callIms conference-call
Ims conference-call
Govind Dolare
 
Dt notes part 2
Dt notes part 2Dt notes part 2
Dt notes part 2
syedusama7
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly Language
Motaz Saad
 
Arm cortex R(real time)processor series
Arm cortex R(real time)processor series Arm cortex R(real time)processor series
Arm cortex R(real time)processor series
Ronak047
 
Re usable continuous-time analog sva assertions
Re usable continuous-time analog sva assertionsRe usable continuous-time analog sva assertions
Re usable continuous-time analog sva assertions
Régis SANTONJA
 
Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...
Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...
Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...
Cisco Russia
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
Karel Berkovec
 
54495209 umts-3 g-wcdma-call-flows
54495209 umts-3 g-wcdma-call-flows54495209 umts-3 g-wcdma-call-flows
54495209 umts-3 g-wcdma-call-flows
Noppadol Loykhwamsuk
 
LTE (Long Term Evolution) Introduction
LTE (Long Term Evolution) IntroductionLTE (Long Term Evolution) Introduction
LTE (Long Term Evolution) Introduction
Guisun Han
 
Minor Project- AES Implementation in Verilog
Minor Project- AES Implementation in VerilogMinor Project- AES Implementation in Verilog
Minor Project- AES Implementation in Verilog
Hardik Manocha
 

What's hot (20)

370410176 moshell-commands
370410176 moshell-commands370410176 moshell-commands
370410176 moshell-commands
 
LTE-Advanced Physical Layer
LTE-Advanced Physical LayerLTE-Advanced Physical Layer
LTE-Advanced Physical Layer
 
Abis Over IP/Abis Optimization on-site Workshop
Abis Over IP/Abis Optimization on-site WorkshopAbis Over IP/Abis Optimization on-site Workshop
Abis Over IP/Abis Optimization on-site Workshop
 
LTE RADIO PROTOCOLS
LTE RADIO PROTOCOLSLTE RADIO PROTOCOLS
LTE RADIO PROTOCOLS
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
 
Juniper Networks Router Architecture
Juniper Networks Router ArchitectureJuniper Networks Router Architecture
Juniper Networks Router Architecture
 
I2C Protocol
I2C ProtocolI2C Protocol
I2C Protocol
 
Lte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxLte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkx
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
 
DRAM Cell - Working and Read and Write Operations
DRAM Cell - Working and Read and Write OperationsDRAM Cell - Working and Read and Write Operations
DRAM Cell - Working and Read and Write Operations
 
Ims conference-call
Ims conference-callIms conference-call
Ims conference-call
 
Dt notes part 2
Dt notes part 2Dt notes part 2
Dt notes part 2
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly Language
 
Arm cortex R(real time)processor series
Arm cortex R(real time)processor series Arm cortex R(real time)processor series
Arm cortex R(real time)processor series
 
Re usable continuous-time analog sva assertions
Re usable continuous-time analog sva assertionsRe usable continuous-time analog sva assertions
Re usable continuous-time analog sva assertions
 
Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...
Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...
Внутренняя архитектура IOS-XE: средства траблшутинга предачи трафика на ASR1k...
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
 
54495209 umts-3 g-wcdma-call-flows
54495209 umts-3 g-wcdma-call-flows54495209 umts-3 g-wcdma-call-flows
54495209 umts-3 g-wcdma-call-flows
 
LTE (Long Term Evolution) Introduction
LTE (Long Term Evolution) IntroductionLTE (Long Term Evolution) Introduction
LTE (Long Term Evolution) Introduction
 
Minor Project- AES Implementation in Verilog
Minor Project- AES Implementation in VerilogMinor Project- AES Implementation in Verilog
Minor Project- AES Implementation in Verilog
 

Similar to RC6

Digital VLSI - Unit 2.pptx
Digital VLSI - Unit 2.pptxDigital VLSI - Unit 2.pptx
Digital VLSI - Unit 2.pptx
SanjaiPrasad
 
Unit 4 dica
Unit 4 dicaUnit 4 dica
Unit 4 dica
Pavan Mukku
 
Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計
Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計
Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計
Simen Li
 
EE8351 DLC
EE8351 DLCEE8351 DLC
EE8351 DLC
rmkceteee
 
A109211002 switchingtheoryandlogicdesign1
A109211002 switchingtheoryandlogicdesign1A109211002 switchingtheoryandlogicdesign1
A109211002 switchingtheoryandlogicdesign1
jntuworld
 
2015 16combinepdf
2015 16combinepdf2015 16combinepdf
2015 16combinepdf
madhesi
 
LCDF3_Chap_10_P1.ppt
LCDF3_Chap_10_P1.pptLCDF3_Chap_10_P1.ppt
LCDF3_Chap_10_P1.ppt
brainxMagic
 
Gate Computer Science Solved Paper 2007
Gate Computer Science Solved Paper 2007 Gate Computer Science Solved Paper 2007
Gate Computer Science Solved Paper 2007
Rohit Garg
 
FPGA based BCH Decoder
FPGA based BCH DecoderFPGA based BCH Decoder
FPGA based BCH Decoder
ijsrd.com
 
DLD BOOLEAN EXPRESSIONS
DLD BOOLEAN EXPRESSIONSDLD BOOLEAN EXPRESSIONS
DLD BOOLEAN EXPRESSIONS
naresh414857
 
Unit 1 PDF.pptx
Unit 1 PDF.pptxUnit 1 PDF.pptx
Unit 1 PDF.pptx
ChandraV13
 
affTA09 - LampiranA
affTA09 - LampiranAaffTA09 - LampiranA
affTA09 - LampiranA
Muhammad Affandes
 
15CS32 ADE Module 3
15CS32 ADE Module 315CS32 ADE Module 3
15CS32 ADE Module 3
RLJIT
 
Solution of matlab chapter 1
Solution of matlab chapter 1Solution of matlab chapter 1
Solution of matlab chapter 1
AhsanIrshad8
 
Digital logic design1
Digital logic design1Digital logic design1
Digital logic design1
jntuworld
 
3306565.ppt
3306565.ppt3306565.ppt
3306565.ppt
JP Chicano
 
NET_Solved ans
NET_Solved ansNET_Solved ans
NET_Solved ans
Farhana Sathath
 
microprocessors
microprocessorsmicroprocessors
microprocessors
Hossam Zein
 
Ec2203 digital electronics questions anna university by www.annaunivedu.org
Ec2203 digital electronics questions anna university by www.annaunivedu.orgEc2203 digital electronics questions anna university by www.annaunivedu.org
Ec2203 digital electronics questions anna university by www.annaunivedu.org
annaunivedu
 
Number systems and Boolean Reduction
Number systems and Boolean ReductionNumber systems and Boolean Reduction
Number systems and Boolean Reduction
Dhaval Shukla
 

Similar to RC6 (20)

Digital VLSI - Unit 2.pptx
Digital VLSI - Unit 2.pptxDigital VLSI - Unit 2.pptx
Digital VLSI - Unit 2.pptx
 
Unit 4 dica
Unit 4 dicaUnit 4 dica
Unit 4 dica
 
Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計
Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計
Agilent ADS 模擬手冊 [實習1] 基本操作與射頻放大器設計
 
EE8351 DLC
EE8351 DLCEE8351 DLC
EE8351 DLC
 
A109211002 switchingtheoryandlogicdesign1
A109211002 switchingtheoryandlogicdesign1A109211002 switchingtheoryandlogicdesign1
A109211002 switchingtheoryandlogicdesign1
 
2015 16combinepdf
2015 16combinepdf2015 16combinepdf
2015 16combinepdf
 
LCDF3_Chap_10_P1.ppt
LCDF3_Chap_10_P1.pptLCDF3_Chap_10_P1.ppt
LCDF3_Chap_10_P1.ppt
 
Gate Computer Science Solved Paper 2007
Gate Computer Science Solved Paper 2007 Gate Computer Science Solved Paper 2007
Gate Computer Science Solved Paper 2007
 
FPGA based BCH Decoder
FPGA based BCH DecoderFPGA based BCH Decoder
FPGA based BCH Decoder
 
DLD BOOLEAN EXPRESSIONS
DLD BOOLEAN EXPRESSIONSDLD BOOLEAN EXPRESSIONS
DLD BOOLEAN EXPRESSIONS
 
Unit 1 PDF.pptx
Unit 1 PDF.pptxUnit 1 PDF.pptx
Unit 1 PDF.pptx
 
affTA09 - LampiranA
affTA09 - LampiranAaffTA09 - LampiranA
affTA09 - LampiranA
 
15CS32 ADE Module 3
15CS32 ADE Module 315CS32 ADE Module 3
15CS32 ADE Module 3
 
Solution of matlab chapter 1
Solution of matlab chapter 1Solution of matlab chapter 1
Solution of matlab chapter 1
 
Digital logic design1
Digital logic design1Digital logic design1
Digital logic design1
 
3306565.ppt
3306565.ppt3306565.ppt
3306565.ppt
 
NET_Solved ans
NET_Solved ansNET_Solved ans
NET_Solved ans
 
microprocessors
microprocessorsmicroprocessors
microprocessors
 
Ec2203 digital electronics questions anna university by www.annaunivedu.org
Ec2203 digital electronics questions anna university by www.annaunivedu.orgEc2203 digital electronics questions anna university by www.annaunivedu.org
Ec2203 digital electronics questions anna university by www.annaunivedu.org
 
Number systems and Boolean Reduction
Number systems and Boolean ReductionNumber systems and Boolean Reduction
Number systems and Boolean Reduction
 

Recently uploaded

Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
pdfsubmission50
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
JunaManroe1
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
samyanvichadda
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
exgf28
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
APNIC
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
exchangeid32
 
How God led me to DTS? Through many different signs and connections that I c...
How God led me to DTS? Through many different signs and connections that  I c...How God led me to DTS? Through many different signs and connections that  I c...
How God led me to DTS? Through many different signs and connections that I c...
AshishMohan57
 
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
QingjieDu1
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
Bangladesh Network Operators Group
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
Preston University
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
eufdev
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
Bangladesh Network Operators Group
 
New York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offerNew York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offer
ubovu
 
Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
Bangladesh Network Operators Group
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Krishna L
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
exgf28
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
diogolsew
 
Best Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdfBest Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdf
Million-$-Knowledge {Million Dollar Knowledge}
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
eufdev
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
Lumiverse Solutions Pvt Ltd
 

Recently uploaded (20)

Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
 
How God led me to DTS? Through many different signs and connections that I c...
How God led me to DTS? Through many different signs and connections that  I c...How God led me to DTS? Through many different signs and connections that  I c...
How God led me to DTS? Through many different signs and connections that I c...
 
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
New York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offerNew York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offer
 
Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
 
Best Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdfBest Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdf
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
 

RC6

  • 1. The RC6 Block Cipher: A simple fast secure AES proposal Ronald L. Rivest MIT Matt Robshaw RSA Labs Ray Sidney RSA Labs Yiqun Lisa Yin RSA Labs (August 21, 1998) Outline u Design Philosophy u Description of RC6 u Implementation Results u Security u Conclusion
  • 2. Design Philosophy u Leverage our experience with RC5: use data-dependent rotations to achieve a high level of security. u Adapt RC5 to meet AES requirements u Take advantage of a new primitive for increased security and efficiency: 32x32 multiplication, which executes quickly on modern processors, to compute rotation amounts. Description of RC6
  • 3. Description of RC6 u RC6-w/r/b parameters: – Word size in bits: w ( 32 )( lg(w) = 5 ) – Number of rounds: r ( 20 ) – Number of key bytes: b ( 16, 24, or 32 ) u Key Expansion: – Produces array S[ 0 … 2r + 3 ] of w-bit round keys. u Encryption and Decryption: – Input/Output in 32-bit registers A,B,C,D RC6 Primitive Operations A + B Addition modulo 2 w A - B Subtraction modulo 2 w A ⊕ B Exclusive-Or A <<< B Rotate A left by amount in low-order lg(w ) bits of B A >>> B Rotate A right, similarly (A,B,C,D) = (B,C,D,A) Parallel assignment A x B Multiplication modulo 2 w RC5
  • 4. RC6 Encryption (Generic) B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< lg( w ) u = ( D x ( 2D + 1 ) ) <<< lg( w ) A = ( ( A ⊕ t ) <<< u ) + S[ 2i ] C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) } A = A + S[ 2r + 2 ] C = C + S[ 2r + 3 ] RC6 Encryption (for AES) B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to 20 do { t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A ⊕ t ) <<< u ) + S[ 2i ] C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) } A = A + S[ 42 ] C = C + S[ 43 ]
  • 5. RC6 Decryption (for AES) C = C - S[ 43 ] A = A - S[ 42 ] for i = 20 downto 1 do { (A, B, C, D) = (D, A, B, C) u = ( D x ( 2D + 1 ) ) <<< 5 t = ( B x ( 2B + 1 ) ) <<< 5 C = ( ( C - S[ 2i + 1 ] ) >>> t ) ⊕ u A = ( ( A - S[ 2i ] ) >>> u ) ⊕ t } D = D - S[ 1 ] B = B - S[ 0 ] Key Expansion (Same as RC5’s) u Input: array L[ 0 … c-1 ] of input key words u Output: array S[ 0 … 43 ] of round key words u Procedure: S[ 0 ] = 0xB7E15163 for i = 1 to 43 do S[i] = S[i-1] + 0x9E3779B9 A = B = i = j = 0 for s = 1 to 132 do { A = S[ i ] = ( S[ i ] + A + B ) <<< 3 B = L[ j ] = ( L[ j ] + A + B ) <<< ( A + B ) i = ( i + 1 ) mod 44 j = ( j + 1 ) mod c }
  • 6. From RC5 to RC6 in seven easy steps (1) Start with RC5 RC5 encryption inner loop: for i = 1 to r do { A = ( ( A ⊕ B ) <<< B ) + S[ i ] ( A, B ) = ( B, A ) } Can RC5 be strengthened by having rotation amounts depend on all the bits of B?
  • 7. u Modulo function? Use low-order bits of ( B mod d ) Too slow! u Linear function? Use high-order bits of ( c x B ) Hard to pick c well! u Quadratic function? Use high-order bits of ( B x (2B+1) ) Just right! Better rotation amounts? B x (2B+1) is one-to-one mod 2 w Proof: By contradiction. If B ≠ C but B x (2B + 1) = C x (2C + 1) (mod 2 w ) then (B - C) x (2B+2C+1) = 0 (mod 2 w ) But (B-C) is nonzero and (2B+2C+1) is odd; their product can’t be zero! o Corollary: B uniform à B x (2B+1) uniform (and high-order bits are uniform too!)
  • 8. High-order bits of B x (2B+1) u The high-order bits of f(B) = B x ( 2B + 1 ) = 2B 2 + B depend on all the bits of B . u Let B = B31B30B29 … B1B0 in binary. u Flipping bit i of input B – Leaves bits 0 … i-1 of f(B) unchanged, – Flips bit i of f(B) with probability one, – Flips bit j of f(B) , for j > i , with probability approximately 1/2 (1/4…1), – is likely to change some high-order bit. for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A ⊕ B ) <<< t ) + S[ i ] ( A, B ) = ( B, A ) } But now much of the output of this nice multiplication is being wasted... (2) Quadratic Rotation Amounts
  • 9. for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A ⊕ t ) <<< t ) + S[ i ] ( A, B ) = ( B, A ) } Now AES requires 128-bit blocks. We could use two 64-bit registers, but 64-bit operations are poorly supported with typical C compilers... (3) Use t, not B, as xor input (4) Do two RC5’s in parallel Use four 32-bit regs (A,B,C,D), and do RC5 on (C,D) in parallel with RC5 on (A,B): for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A ⊕ t ) <<< t ) + S[ 2i ] ( A, B ) = ( B, A ) u = ( D x ( 2D + 1 ) ) <<< 5 C = ( ( C ⊕ u ) <<< u ) + S[ 2i + 1 ] ( C, D ) = ( D, C ) }
  • 10. (5) Mix up data between copies Switch rotation amounts between copies, and cyclically permute registers instead of swapping: for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A ⊕ t ) <<< u ) + S[ 2i ] C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) } One Round of RC6 55 ff A B C D <<<<<< <<< <<< S[2i] S[2i+1] A B C D t u
  • 11. (6) Add Pre- and Post-Whitening B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A ⊕ t ) <<< u ) + S[ 2i ] C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) } A = A + S[ 2r + 2 ] C = C + S[ 2r + 3 ] B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to 20 do { t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A ⊕ t ) <<< u ) + S[ 2i ] C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) } A = A + S[ 42 ] C = C + S[ 43 ] (7) Set r = 20 for high security Final RC6 (based on analysis)
  • 12. RC6 Implementation Results Less than two clocks per bit of plaintext ! Java Borland C Assembly Setup 110000 2300 1108 Encrypt 16200 616 254 Decrypt 16500 566 254 CPU Cycles / Operation
  • 13. Java Borland C Assembly Setup 1820 86956 180500 Encrypt 12300 325000 787000 Decrypt 12100 353000 788000 Operations/Second (200MHz) Java Borland C Assembly Encrypt 0.197 1.57 5.19 41.5 12.6 100.8 Decrypt 0.194 1.55 5.65 45.2 12.6 100.8 Encryption Rate (200MHz) MegaBytes / second MegaBits / second Over 100 Megabits / second !
  • 14. On an 8-bit processor u On an Intel MCS51 ( 1 Mhz clock ) u Encrypt/decrypt at 9.2 Kbits/second (13535 cycles/block; from actual implementation) u Key setup in 27 milliseconds u Only 176 bytes needed for table of round keys. u Fits on smart card (< 256 bytes RAM). Custom RC6 IC u 0.25 micron CMOS process u One round/clock at 200 MHz u Conventional multiplier designs u 0.05 mm 2 of silicon u 21 milliwatts of power u Encrypt/decrypt at 1.3 Gbits/second u With pipelining, can go faster, at cost of more area and power
  • 15. RC6 Security Analysis Analysis procedures u Intensive analysis, based on most effective known attacks (e.g. linear and differential cryptanalysis) u Analyze not only RC6, but also several “simplified” forms (e.g. with no quadratic function, no fixed rotation by 5 bits, etc…)
  • 16. Linear analysis u Find approximations for r-2 rounds. u Two ways to approximate A = B <<< C – with one bit each of A, B, C (type I) – with one bit each of A, B only (type II) – each have bias 1/64; type I more useful u Non-zero bias across f(B) only when input bit = output bit. (Best for lsb.) u Also include effects of multiple linear approximations and linear hulls. Estimate of number of plaintext/ciphertext pairs required to mount a linear attack. (Only 2 128 such pairs are available.) Rounds Pairs 8 247 12 283 16 2119 20 RC6 2155 24 2191 Security against linear attacks Infeasible
  • 17. Differential analysis u Considers use of (iterative and non- iterative) (r-2)-round differentials as well as (r-2)-round characteristics. u Considers two notions of “difference”: – exclusive-or – subtraction (better!) u Combination of quadratic function and fixed rotation by 5 bits very good at thwarting differential attacks. An iterative RC6 differential u A B C D 1<<16 1<<11 0 0 1<<11 0 0 0 0 0 0 1<<s 0 1<<26 1<<s 0 1<<26 1<<21 0 1<<v 1<<21 1<<16 1<<v 0 1<<16 1<<11 0 0 u Probability = 2-91
  • 18. Estimate of number of plaintext pairs required to mount a differential attack. (Only 2 128 such pairs are available.) Rounds Pairs 8 256 12 2117 16 2190 20 RC6 2238 24 2299 Security against differential attacks Infeasible Security of Key Expansion u Key expansion is identical to that of RC5; no known weaknesses. u No known weak keys. u No known related-key attacks. u Round keys appear to be a “random” function of the supplied key. u Bonus: key expansion is quite “one- way”---difficult to infer supplied key from round keys.
  • 19. Conclusion u RC6 more than meets the requirements for the AES; it is – simple, – fast, and – secure. u For more information, including copy of these slides, copy of RC6 description, and security analysis, see www.rsa.com/rsalabs/aes (The End)