RC6The elegant AES choice Ron Rivest rivest @mit .edu Mat t - - PDF document

RC6—The elegant AES choice

Ron Rivest

rivest @mit .edu

Mat t Robshaw

mrobshaw@supanet .com

Yiqun Lisa Yin

yiqun@nt t mcl.com

RC6 is t he right AES choice

N Securit y N Perf ormance N Ease of implement at ion N Simplicit y N Flexibilit y

RC6 is simple: only 12 lines

B = B + S[ 0 ]

D = D + S[ 1 ] f or i = 1 to 20 do { t = ( B x ( 2B + 1 ) ) < < < 5 u = ( D x ( 2D + 1 ) ) < < < 5 A = ( ( A ⊕ t ) < < < u ) + S[ 2i ] C = ( ( C ⊕ u ) < < < t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) } A = A + S[ 42 ] C = C + S[ 43 ]

Simplicit y

N Facilit at es and encourages analysis

– allows rapid underst anding of securit y – makes direct analysis st raight f orward (cont r ast wit h Mar s and Twof ish)

N Enables easy implement at ion

– allows compiler s t o pr oduce high-qualit y code – obviat es complicat ed opt imizat ions – pr ovides good per f or mance wit h minimal ef f or t

RC6 securit y is well-analyzed

N RC6 is probably most st udied AES f inalist

– RC6 is based on RC5 – RC6 analysis builds direct ly on RC5 analysis – or iginal RC6 analysis is ver y det ailed – RC6 simplif ied var iant s st udied ext ensively – small-scale ver sions allowed exper iment at ion

RC6 key schedule is rock-solid

N St udied f or more t han six years N Secure

– t hor ough mixing – one-way f unct ion – no key separ at ion (cf . Twof ish) – no relat ed-key at t acks (cf . Rij ndael)

Original analysis st ill accurat e

N RC6 meet s original design crit eria N Securit y est imat es f rom 1998 st ill

good t oday; independent analyses support ive.

N Secure, even in t heory, even wit h

analysis improvement s f ar beyond t hose seen f or DES during it s lif et ime

N RC6 provides a solid, well-t uned margin

f or securit y

32-bit Perf ormance

N Excellent perf ormance N 32-bit CPUs are

–NI ST ref erence plat f orm –a signif icant f ract ion of inst alled comput ers t hroughout t he AES lif et ime –becoming more prevalent in cheaper devices (e.g. ARM)

Smart Card Suit abilit y

N RC6 f it s in t he cheapest smart

cards, and well-suit ed f or many (e.g. ARM processor)

N Bandwidt h, not CPU, likely t o be

most signif icant bot t leneck

N 8-bit CPUs will become f ar less

import ant over t he AES lif et ime

Perf ormance on 64-bit CPUs

N Generally good 64-bit perf ormance N I A64-perf ormance only f air but

anomalous--slower t han Pent ium!

– Not e 3x impr ovement wit h I A64++

N Fut ure chips will opt imize AES N I n addit ion, RC6 gains dramat ically wit h

mult i-block processing compared t o

• t her schemes

Maj or Trends: J ava and DSPs

N I ncreasing use of J ava

– f or e-commer ce and embedded apps. – RC6 pr ovides excellent speed wit h minimal code size and memor y usage

N I ncreasing use of DSP chips

– likely t o be mor e signif icant t han I A64 or 8-bit pr ocessor s – RC6 gives excellent per f or mance

Flexibilit y

N RC6 is f ully paramet erized

– key size, number of r ounds, and block lengt h can be readily changed – well-suit ed f or hash f unct ions

N RC6 is only AES f inalist t hat nat urally

gives DES and t riple-DES compat ible variant s (64-bit blocks)

How do we grade candidat es?

N Secur it y (cor r obor at ed) N Per f or mance (speed+memor y)

– 32-bit (30%) – J ava (20%) – DSP (15%) – 64-bit (15%) – Hardware (15%) – 8-bit (5%)

N Ease of implement at ion N Simplicit y N Flexibilit y

Overall: 40/ 25/ 15/ 10/ 10

Conclusions

N RC6 is a simple yet r emar kably st r ong cipher

– good perf ormance on most import ant plat f orms – simple t o code f or good perf ormance – excellent f lexibilit y – t he most st udied f inalist – t he best underst ood f inalist

N RC6 is t he secur e and “elegant ” choice f or

t he AES

(The End)