RC6 Cipher
  Created by Ronald Rivest et al. for AES submission
  Follows the evolution of the RC5 cipher
  Parameterized family of algorithms
Improvements over RC5
  Uses four w-bit registers
  Integer multiplication
  Quadratic equation
  Fixed bit shifting
Main design objective: simplicity
  Not reported vulnerable to any known practical attacks
  Consists of three components:
    Key expansion algorithm (identical to the RC5 version)
    Block encryption algorithm
    Block decryption algorithm
RC6 Structure
  Specification: RC6-w/r/b
    w is the word size in bits
    r is the number of rounds (non-negative)
    b is the key size in bytes
Round Stages
  Pre-whitening
  r rounds
  Post-whitening

Pre-whitening
  Removes inference of part of the input to the first round of encryption

r rounds
  Uses integer multiplication
  Uses a quadratic equation: f(x) = x(2x + 1) mod 2^w
  Uses fixed bit shifting
  All of the above are required for sufficient diffusion
Post-whitening
  Removes inference of part of the input to the last round of encryption

Final RC6 Structure (diagram slide)

Key Setup
  The user supplies a key of b bytes, where 0 ≤ b ≤ 255
  The key bytes are zero-padded and stored in little-endian order
  (2r + 4) words are derived and stored in a round key array S

Diffusion
  Integer multiplication ensures that the bits used for rotation amounts depend on the bits of x, which is a word or register
  The quadratic equation increases the avalanche of changes per round
  The bit shift complicates more advanced cryptanalytic attacks
RC6 Encryption
  B and D are pre-whitened
  The loop controls the rounds defined by r
  A and C are post-whitened
  Input:
    Plaintext stored in four w-bit input registers A, B, C, D
    Number r of rounds
    w-bit round keys S[0, ..., 2r + 3]
  Output:
    Ciphertext stored in A, B, C, D
  Procedure:
    B = B + S[0]
    D = D + S[1]
    for i = 1 to r do {
      t = (B × (2B + 1)) <<< log2 w
      u = (D × (2D + 1)) <<< log2 w
      A = ((A ⊕ t) <<< u) + S[2i]
      C = ((C ⊕ u) <<< t) + S[2i + 1]
      (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[2r + 2]
    C = C + S[2r + 3]
(Rivest et al., 1998a)
RC6 Decryption
  C and A are pre-whitened
  The loop runs in reverse for r rounds
  D and B are post-whitened
  Input:
    Ciphertext stored in four w-bit input registers A, B, C, D
    Number r of rounds
    w-bit round keys S[0, ..., 2r + 3]
  Output:
    Plaintext stored in A, B, C, D
  Procedure:
    C = C - S[2r + 3]
    A = A - S[2r + 2]
    for i = r downto 1 do {
      (A, B, C, D) = (D, A, B, C)
      u = (D × (2D + 1)) <<< log2 w
      t = (B × (2B + 1)) <<< log2 w
      C = ((C - S[2i + 1]) >>> t) ⊕ u
      A = ((A - S[2i]) >>> u) ⊕ t
    }
    D = D - S[1]
    B = B - S[0]
(Rivest et al., 1998a)
RC6 for AES
  RC6-32/20/[16, 24, 32]
    32-bit words
    128-bit block size / 4 registers
    20 rounds
    16-, 24-, and 32-byte keys are available
  Input:
    Plaintext stored in four 32-bit input registers A, B, C, D
    20 rounds
    32-bit round keys S[0, ..., 43]
  Output:
    Ciphertext stored in A, B, C, D
  Procedure:
    B = B + S[0]    // Pre-whitening
    D = D + S[1]
    for i = 1 to 20 do {
      t = (B × (2B + 1)) <<< 5
      u = (D × (2D + 1)) <<< 5
      A = ((A ⊕ t) <<< u) + S[2i]
      C = ((C ⊕ u) <<< t) + S[2i + 1]
      (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[42]   // Post-whitening
    C = C + S[43]
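The Key Setup, RC6 Encryption, RC6 Decryption and RC6 for AES slides above, worked through as an added Python example (not code from the slides or from Rivest et al.). It assumes w = 32 and the RC5-style key schedule: the P32/Q32 constants and the mixing loop come from the RC6 specification rather than the slides; the round function and whitening follow the slide pseudocode exactly.

```python
# Added example: RC6-32/r/b from the slides' pseudocode plus the RC5-style key schedule.
W, LOG_W, MASK = 32, 5, (1 << 32) - 1          # word size, log2(w), 32-bit mask
P32, Q32 = 0xB7E15163, 0x9E3779B9              # RC6 key-schedule constants (from the spec, not the slides)

def rol(x, n):                                 # rotate left by the low log2(w) bits of n
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK
def ror(x, n):                                 # rotate right, the inverse of rol
    return rol(x, (W - n) % W)
def f(x):                                      # quadratic function x(2x+1) mod 2^w, then <<< log2(w)
    return rol((x * (2 * x + 1)) & MASK, LOG_W)

def key_schedule(key, r=20):
    """Expand a b-byte key (0 <= b <= 255) into 2r+4 round keys S[0..2r+3] (RC5 schedule)."""
    c = max(1, (len(key) + 3) // 4)            # key words, zero-padded and little-endian
    L = [int.from_bytes(key.ljust(4 * c, b"\0")[4*i:4*i+4], "little") for i in range(c)]
    S = [(P32 + i * Q32) & MASK for i in range(2 * r + 4)]
    A = B = i = j = 0
    for _ in range(3 * max(c, 2 * r + 4)):     # mixing loop
        A = S[i] = rol((S[i] + A + B) & MASK, 3)
        B = L[j] = rol((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % len(S), (j + 1) % c
    return S

def words(block):                              # 16-byte block -> little-endian registers A, B, C, D
    return [int.from_bytes(block[4*i:4*i+4], "little") for i in range(4)]
def pack(*regs):
    return b"".join(x.to_bytes(4, "little") for x in regs)

def encrypt_block(S, block, r=20):
    A, B, C, D = words(block)
    B, D = (B + S[0]) & MASK, (D + S[1]) & MASK                  # pre-whitening
    for i in range(1, r + 1):
        t, u = f(B), f(D)
        A = (rol(A ^ t, u) + S[2 * i]) & MASK
        C = (rol(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A, C = (A + S[2 * r + 2]) & MASK, (C + S[2 * r + 3]) & MASK  # post-whitening
    return pack(A, B, C, D)

def decrypt_block(S, block, r=20):             # encryption run backwards, as on the slide
    A, B, C, D = words(block)
    C, A = (C - S[2 * r + 3]) & MASK, (A - S[2 * r + 2]) & MASK
    for i in range(r, 0, -1):
        A, B, C, D = D, A, B, C
        u, t = f(D), f(B)
        C = ror((C - S[2 * i + 1]) & MASK, t) ^ u
        A = ror((A - S[2 * i]) & MASK, u) ^ t
    D, B = (D - S[1]) & MASK, (B - S[0]) & MASK
    return pack(A, B, C, D)
```

With the all-zero 16-byte key and all-zero block, `encrypt_block` must produce the published RC6-32/20/16 test vector 8fc3a536 56b1f778 c129df4e 9848a41e, which is the quickest check that the schedule and round function are wired up correctly.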
More RC6 for AES
(Shimoyama et al., 2000)
AES Candidacy
  To meet the architectural constraints, the use of four w-bit registers permitted better 32-bit implementations
  RC5 relies on 64-bit operations, which the constraints do not allow to be implemented properly
  The 20 rounds were chosen from linear cryptanalysis results: 16 rounds could be compromised with linear cryptanalysis
Research Appeal
  Research appeal has expanded the already large knowledge base
  RC5 has existing research
  Simplicity of the cipher has enticed cryptanalysts to evaluate it
  Stands open to simple and complex analysis
Performance
  Compactness permits implementation in limited space
  Performance is reported good on most platforms studied in the AES competition
  According to the final AES report, even when performance suffers from variants, the performance loss is not severe
  Encryption uses very little memory
  Decryption has high memory requirements because of an absent on-the-fly round key computation

Security
  All known attacks are theoretical
  Ruled to provide an adequate margin of security for AES criteria
  Proof of security comes from the evaluations performed on RC5 and during the AES competition
  Impervious to any known attacks, with AES parameter values

Attacks
  Brute Force: not feasible due to plaintext limit of 2^128
  Linear Cryptanalysis: effective up to 16 rounds
  Differential Cryptanalysis: effective up to 12 rounds
  Statistical Attack: analyze distributions to discover round keys
Bibliography
  1. Rivest, R.L., Robshaw, M.J.B., Sidney, R., & Yin, Y.L. (1998a). The RC6 Block Cipher.
  2. Shimoyama, T., Takeuchi, K., & Hayakawa, J. (2000). Correlation Attack to the Block Cipher RC5 and the Simplified Variants of RC6. 3rd AES Conference (AES3).