3.6.4 What are RC5 and RC6?
RC5 [Riv95] is a fast block cipher designed by Ronald Rivest for RSA Data Security (now RSA Security) in 1994. It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. Allowable choices for the block size are 32 bits (for experimentation and evaluation purposes only), 64 bits (for use a drop-in replacement for DES), and 128 bits. The number of rounds can range from 0 to 255, while the key can range from 0 bits to 2040 bits in size. Such built-in variability provides flexibility at all levels of security and efficiency.
There are three routines in RC5: key expansion, encryption, and decryption. In the key-expansion routine, the user-provided secret key is expanded to fill a key table whose size depends on the number of rounds. The key table is then used in both encryption and decryption. The encryption routine consists of three primitive operations: integer addition, bitwise XOR, and variable rotation. The exceptional simplicity of RC5 makes it easy to implement and analyze. Indeed, like the RSA system, the encryption steps of RC5 can be written on the "back of an envelope".
The heavy use of data-dependent rotations and the mixture of different operations provide the security of RC5. In particular, the use of data-dependent rotations helps defeat differential and linear cryptanalysis (see Question 2.4.5).
In the five years since RC5 was proposed, there have been numerous studies of RC5's security [KY95] [KM96] [BK98] [Sel98]. Each study has provided a greater understanding of how RC5's structure and components contribute to its security. For a summary of known cryptanalytic results, see the survey article [Yin97].
RC6 is a block cipher based on RC5 and designed by Rivest, Sidney, and Yin for RSA Security. Like RC5, RC6 is a parameterized algorithm where the block size, the key size, and the number of rounds are variable; again, the upper limit on the key size is 2040 bits. The main goal for the inventors has been to meet the requirements of the AES (see Section 3.3). Indeed, RC6 is among the five finalists (see Question 3.3.2).
There are two main new features in RC6 compared to RC5: the inclusion of integer multiplication and the use of four b/4-bit working registers instead of two b/2-bit registers as in RC5 (b is the block size). Integer multiplication is used to increase the diffusion achieved per round so that fewer rounds are needed and the speed of the cipher can be increased. The reason for using four working registers instead of two is technical rather than theoretical. Namely, the default block size of the AES is 128 bits; while RC5 deals with 64-bit operations when using this block size, 32-bit operations are preferable given the intended architecture of the AES
The U.S. patent office granted the RC5 patent to RSA Data Security (now RSA Security) in May 1997. RC6 is proprietary of RSA Security but can be freely used for research and evaluation purposes during the AES evaluation period. We emphasize that if RC6 is selected for the AES, RSA Security will not require any licensing or royalty payments for products using the algorithm; there will be no restrictions beyond those specified for the AES by the U.S. government. However, RC6 may remain a trademark of RSA Security.