These subkeys must all be calculated before encryption or decryption.

To encrypt a 1024-byte block X:

(1)  Divide X into 256 32-bit sub-blocks: X₀, X₁, X₂,..., X₂₅₅.

(2)  Permute the sub-blocks of X according to P.

(3)  For r = 0 to 3
For g = 0 to 63

A = X_(4g)<<<2r

B = X_(4g+1)<<<2r

C = X_(4g+2)<<<2r

D = X_(4g+3)<<<2r

For step s = 0 to 7

A = A ⊕ (B + f_r(B,C,D) + S_{512r+8 g+s})

TEMP = D

D = C

C = B

B = A <<< 5

A = TEMP

X_(4g)<<<2r = A

X_(4g+1)<<<2r = B

X_(4g+2)<<<2r = C

X_(4g+3)<<<2r = D

(4)  Recombine X₀, X₁, X₂,..., X₂₅₅ to form the ciphertext.

The functions f_r(B,C,D) are similar to those used in MD5:

f₀(B,C,D) = (B Λ C) ν ((¬ B) Λ D)

f₁(B,C,D) = (B Λ D) ν (C Λ (¬ D))

f₂(B,C,D) = B ⊕ C ⊕ D

f₃(B,C,D) = C ⊕ (B ν (¬ D))

Decryption is the reverse process.

Generating the subkeys is a large task. Here is how the permutation array, P, could be generated from an 80-bit key, K.

(1)  Initialize K₀, K₁, K₂,..., K₉ with the 10 bytes of K.

(2)  For i = 10 to 255

K_i = K_{i - 2} ⊕ K_{i - 6} ⊕ K_{i - 7} ⊕ K_{i - 10}

(3)  For i = 0 to 255, P_i = i

(4)  m = 0

(5)  For j = 0 to 1

For i = 256 to 1 step -1

m = (K_{256 - i} + K_{257 - i}) mod i

K_{257 - i} = K_{257 - i} <<< 3

Swap P_i and P_{i - 1}

The S-array of 2048 32-bit words could be generated in a similar manner, either from the same 80-bit key or from another key. The authors caution that these details should “be viewed as motivational; there may very well be alternative schemes which are both more efficient and offer improved security” [810].

Crab was proposed as a testbed of new ideas and not as a working algorithm. It uses many of the same techniques as MD5. Biham has argued that a very large block size makes an algorithm easier to cryptanalyze [160]. On the other hand, Crab may make efficient use of a very large key. In such a case, “easier to cryptanalyze” might not mean much.

14.7 SXAL8/MBAL

This is a 64-bit block algorithm from Japan [769]. SXAL8 is the basic algorithm; MBAL is an expanded version with a variable block length. Since MBAL does some clever things internally, the authors claim that they can get adequate security with only a few rounds. With a block length of 1024 bytes, MBAL is about 70 times faster than DES. Unfortunately, [1174] shows that MBAL is susceptible to differential cryptanalysis, and [865] shows that it is susceptible to linear cryptanalysis.

14.8 RC5

RC5 is a block cipher with a variety of parameters: block size, key size, and number of rounds. It was invented by Ron Rivest and analyzed by RSA Laboratories [1324,1325].

There are three operations: XOR, addition, and rotations. Rotations are constant-time operations on most processors and variable rotations are a nonlinear function. These rotations, which depend on both the key and the data, are the interesting operation.

RC5 has a variable-length block, but this example will focus on a 64-bit data block. Encryption uses 2r + 2 key-dependent 32-bit words—S₀, S₁, S₂,..., S_{2r + 1}—where r is the number of rounds. We’ll generate those words later. To encrypt, first divide the plaintext block into two 32-bit words: A and B. (RC5 assumes a little-endian convention for packing bytes into words: The first byte goes into the low-order bit positions of register A, etc.) Then:

A = A + S₀

B = B + S₁

For i = 1 to r:

A = ((A ⊕ B) <<< B) + S_2i

B = ((B ⊕ A) <<< A) + S_{2i + 1}

The output is in the registers A and B.

Decryption is just as easy. Divide the plaintext block into two words, A and B, and then:

For i = r down to 1:

B = ((B – S_{2i + 1}) >>> A) ⊕ A

A = ((A – S_2i) >>> B) ⊕ B

B = B – S₁

A = A – S₀

The symbol “>>>” is a right circular shift. Of course, all addition and subtraction are mod 2³².

Creating the array of keys is more complicated, but also straightforward. First, copy the bytes of the key into an array, L, of c 32-bit words, padding the final word with zeros if necessary. Then, initialize an array, S, using a linear congruential generator mod 2³²:

S₀ = P

for i = 1 to 2(r + 1) – 1:

S_i = (S_{i - 1} + Q) mod 2³²

P = 0xb7e15163 and Q = 0x9e3779b9; these constants are based on the binary representation of e and phi.

Finally, mix L into S:

i = j = 0

A = B = 0

do 3n times (where n is the maximum of 2(r + 1) and c):

A = S_i = (S_i + A + B) <<< 3

B = L_j = (L_j + A + B) <<< (A + B)

i = (i + 1) mod 2(r + 1)

j = (j + 1) mod c