On differential and linear cryptanalysis of the RC5 encryption algorithm

This paper analyzes the security of the RC5 encryption algorithm against differential and linear cryptanalysis. RC5 is a new block cipher recently designed by Ron Rivest. It has a variable word size, a variable number of sounds, and a variable-length secret key. In RC5, the secret key is used to fill an expanded key table which is then used in encryption. Both our differential and linear attacks on RC5 recover every bit of the expanded key table without any exhaustive search. However, the plaintext requirement is strongly dependent on the number of rounds. For 64-bit block size, our differential attack on nine-round RC5 uses 2(45) chosen plaintext pairs (about the same as DES), while 2(62) pairs are needed for la-round RC5. Similarly, our linear attack on five-round RC5 uses 2(47) known plaintexts (about the same as DES), and the plaintext requirement is impractical for more than six rounds. We conjecture that the linear approximations used in our linear cryptanalysis are optimal. Thus, we conclude that Rivest's suggested use of 12 rounds is sufficient to make differential and linear cryptanalysis of RC5 impractical.