Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Previous Table of Contents Next

These subkeys must all be calculated before encryption or decryption.

To encrypt a 1024-byte block X:

(1)  Divide X into 256 32-bit sub-blocks: X0, X1, X2,..., X255.
(2)  Permute the sub-blocks of X according to P.
(3)  For r = 0 to 3
For g = 0 to 63
A = X(4g)<<<2r
B = X(4g+1)<<<2r
C = X(4g+2)<<<2r
D = X(4g+3)<<<2r
For step s = 0 to 7
A = A ⊕ (B + fr(B,C,D) + S512r+8 g+s)
D = C
C = B
B = A <<< 5
X(4g)<<<2r = A
X(4g+1)<<<2r = B
X(4g+2)<<<2r = C
X(4g+3)<<<2r = D
(4)  Recombine X0, X1, X2,..., X255 to form the ciphertext.

The functions fr(B,C,D) are similar to those used in MD5:

f0(B,C,D) = (B Λ C) ν ((¬ B) Λ D)
f1(B,C,D) = (B Λ D) ν (C Λ (¬ D))
f2(B,C,D) = BCD
f3(B,C,D) = C ⊕ (B ν (¬ D))

Decryption is the reverse process.

Generating the subkeys is a large task. Here is how the permutation array, P, could be generated from an 80-bit key, K.

(1)  Initialize K0, K1, K2,..., K9 with the 10 bytes of K.
(2)  For i = 10 to 255
Ki = Ki - 2Ki - 6Ki - 7Ki - 10
(3)  For i = 0 to 255, Pi = i
(4)  m = 0
(5)  For j = 0 to 1
For i = 256 to 1 step -1
m = (K256 - i + K257 - i) mod i
K257 - i = K257 - i <<< 3
Swap Pi and Pi - 1

The S-array of 2048 32-bit words could be generated in a similar manner, either from the same 80-bit key or from another key. The authors caution that these details should “be viewed as motivational; there may very well be alternative schemes which are both more efficient and offer improved security” [810].

Crab was proposed as a testbed of new ideas and not as a working algorithm. It uses many of the same techniques as MD5. Biham has argued that a very large block size makes an algorithm easier to cryptanalyze [160]. On the other hand, Crab may make efficient use of a very large key. In such a case, “easier to cryptanalyze” might not mean much.


This is a 64-bit block algorithm from Japan [769]. SXAL8 is the basic algorithm; MBAL is an expanded version with a variable block length. Since MBAL does some clever things internally, the authors claim that they can get adequate security with only a few rounds. With a block length of 1024 bytes, MBAL is about 70 times faster than DES. Unfortunately, [1174] shows that MBAL is susceptible to differential cryptanalysis, and [865] shows that it is susceptible to linear cryptanalysis.

14.8 RC5

RC5 is a block cipher with a variety of parameters: block size, key size, and number of rounds. It was invented by Ron Rivest and analyzed by RSA Laboratories [1324,1325].

There are three operations: XOR, addition, and rotations. Rotations are constant-time operations on most processors and variable rotations are a nonlinear function. These rotations, which depend on both the key and the data, are the interesting operation.

RC5 has a variable-length block, but this example will focus on a 64-bit data block. Encryption uses 2r + 2 key-dependent 32-bit words—S0, S1, S2,..., S2r + 1—where r is the number of rounds. We’ll generate those words later. To encrypt, first divide the plaintext block into two 32-bit words: A and B. (RC5 assumes a little-endian convention for packing bytes into words: The first byte goes into the low-order bit positions of register A, etc.) Then:

A = A + S0
B = B + S1
For i = 1 to r:
A = ((AB) <<< B) + S2i
B = ((BA) <<< A) + S2i + 1

The output is in the registers A and B.

Decryption is just as easy. Divide the plaintext block into two words, A and B, and then:

For i = r down to 1:
B = ((BS2i + 1) >>> A) ⊕ A
A = ((AS2i) >>> B) ⊕ B
B = BS1
A = AS0

The symbol “>>>” is a right circular shift. Of course, all addition and subtraction are mod 232.

Creating the array of keys is more complicated, but also straightforward. First, copy the bytes of the key into an array, L, of c 32-bit words, padding the final word with zeros if necessary. Then, initialize an array, S, using a linear congruential generator mod 232:

S0 = P
for i = 1 to 2(r + 1) – 1:
Si = (Si - 1 + Q) mod 232

P = 0xb7e15163 and Q = 0x9e3779b9; these constants are based on the binary representation of e and phi.

Finally, mix L into S:

i = j = 0
A = B = 0
do 3n times (where n is the maximum of 2(r + 1) and c):
A = Si = (Si + A + B) <<< 3
B = Lj = (Lj + A + B) <<< (A + B)
i = (i + 1) mod 2(r + 1)
j = (j + 1) mod c

Previous Table of Contents Next
[an error occurred while processing this directive]