Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

These subkeys must all be calculated before encryption or decryption.

To encrypt a 1024-byte block *X:*

**(1)**Divide*X*into 256 32-bit sub-blocks:*X*_{0},*X*_{1},*X*_{2},...,*X*_{255}.**(2)**Permute the sub-blocks of*X*according to*P*.**(3)**For*r*= 0 to 3

For*g*= 0 to 63*A*=*X*_{(4g)<<<2r}*B*=*X*_{(4g+1)<<<2r}*C*=*X*_{(4g+2)<<<2r}*D*=*X*_{(4g+3)<<<2r}- For step
*s*= 0 to 7*A*=*A*⊕ (*B*+ f_{r}(*B,C,D*) +*S*_{512r+8 g+s})*TEMP*=*D**D*=*C**C*=*B**B*=*A*<<< 5*A*=*TEMP*

*X*_{(4g)<<<2r}=*A**X*_{(4g+1)<<<2r}=*B**X*_{(4g+2)<<<2r}=*C**X*_{(4g+3)<<<2r}=*D*

**(4)**Recombine*X*_{0},*X*_{1},*X*_{2},...,*X*_{255}to form the ciphertext.

The functions f_{r}(*B,C,D*) are similar to those used in MD5:

- f
_{0}(*B,C,D*) = (*B*Λ*C*) ν ((¬*B*) Λ*D*) - f
_{1}(*B,C,D*) = (*B*Λ*D*) ν (*C*Λ (¬*D*)) - f
_{2}(*B,C,D*) =*B*⊕*C*⊕*D* - f
_{3}(*B,C,D*) =*C*⊕ (*B*ν (¬*D*))

Decryption is the reverse process.

Generating the subkeys is a large task. Here is how the permutation array, *P*, could be generated from an 80-bit key, *K*.

**(1)**Initialize*K*_{0},*K*_{1},*K*_{2},...,*K*_{9}with the 10 bytes of*K*.**(2)**For*i*= 10 to 255*K*_{i}=*K*_{i - 2}⊕*K*_{i - 6}⊕*K*_{i - 7}⊕*K*_{i - 10}

**(3)**For*i*= 0 to 255,*P*_{i}=*i***(4)***m*= 0**(5)**For*j*= 0 to 1- For
*i*= 256 to 1 step -1*m*= (*K*_{256 - i}+*K*_{257 - i}) mod*i**K*_{257 - i}=*K*_{257 - i}<<< 3- Swap
*P*_{i}and*P*_{i - 1}

- For

The S-array of 2048 32-bit words could be generated in a similar manner, either from the same 80-bit key or from another key. The authors caution that these details should “be viewed as motivational; there may very well be alternative schemes which are both more efficient and offer improved security” [810].

Crab was proposed as a testbed of new ideas and not as a working algorithm. It uses many of the same techniques as MD5. Biham has argued that a very large block size makes an algorithm easier to cryptanalyze [160]. On the other hand, Crab may make efficient use of a very large key. In such a case, “easier to cryptanalyze” might not mean much.

This is a 64-bit block algorithm from Japan [769]. SXAL8 is the basic algorithm; MBAL is an expanded version with a variable block length. Since MBAL does some clever things internally, the authors claim that they can get adequate security with only a few rounds. With a block length of 1024 bytes, MBAL is about 70 times faster than DES. Unfortunately, [1174] shows that MBAL is susceptible to differential cryptanalysis, and [865] shows that it is susceptible to linear cryptanalysis.

RC5 is a block cipher with a variety of parameters: block size, key size, and number of rounds. It was invented by Ron Rivest and analyzed by RSA Laboratories [1324,1325].

There are three operations: XOR, addition, and rotations. Rotations are constant-time operations on most processors and variable rotations are a nonlinear function. These rotations, which depend on both the key and the data, are the interesting operation.

RC5 has a variable-length block, but this example will focus on a 64-bit data block. Encryption uses 2*r* + 2 key-dependent 32-bit words—*S*_{0}, *S*_{1}, *S*_{2},..., *S*_{2r + 1}—where *r* is the number of rounds. We’ll generate those words later. To encrypt, first divide the plaintext block into two 32-bit words: *A* and *B*. (RC5 assumes a little-endian convention for packing bytes into words: The first byte goes into the low-order bit positions of register *A*, etc.) Then:

*A*=*A*+*S*_{0}*B*=*B*+*S*_{1}- For
*i*= 1 to*r:**A*= ((*A*⊕*B*) <<<*B*) +*S*_{2i}*B*= ((*B*⊕*A*) <<<*A*) +*S*_{2i + 1}

The output is in the registers *A* and *B*.

Decryption is just as easy. Divide the plaintext block into two words, *A* and *B*, and then:

- For
*i*=*r*down to 1:*B*= ((*B*–*S*_{2i + 1}) >>>*A*) ⊕*A**A*= ((*A*–*S*_{2i}) >>>*B*) ⊕*B*

*B*=*B*–*S*_{1}*A*=*A*–*S*_{0}

The symbol “>>>” is a right circular shift. Of course, all addition and subtraction are mod 2^{32}.

Creating the array of keys is more complicated, but also straightforward. First, copy the bytes of the key into an array, *L*, of *c* 32-bit words, padding the final word with zeros if necessary. Then, initialize an array, *S*, using a linear congruential generator mod 2^{32}:

*S*_{0}= P- for
*i*= 1 to 2(*r*+ 1) – 1:*S*_{i}= (*S*_{i - 1}+ Q) mod 2^{32}

P = 0xb7e15163 and Q = 0x9e3779b9; these constants are based on the binary representation of e and phi.

Finally, mix *L* into *S:*

*i*=*j*= 0*A*=*B*= 0- do 3
*n*times (where*n*is the maximum of 2(*r*+ 1) and*c*):*A*=*S*_{i}= (*S*_{i}+*A*+*B*) <<< 3*B*=*L*_{j}= (*L*_{j}+*A*+*B*) <<< (*A*+*B*)

*i*= (*i*+ 1) mod 2(*r*+ 1)*j*= (*j*+ 1) mod*c*

Previous | Table of Contents | Next |