RC6—The elegant AES choice

Ron Rivest, rivest@mit.edu
Matt Robshaw, mrobshaw@supanet.com
Yiqun Lisa Yin, yiqun@nttmcl.com

RC6 is the right AES choice
• Security
• Performance
• Ease of implementation
• Simplicity
• Flexibility

RC6 is simple: only 12 lines

    B = B + S[0]
    D = D + S[1]
    for i = 1 to 20 do
    {
        t = (B × (2B + 1)) <<< 5
        u = (D × (2D + 1)) <<< 5
        A = ((A ⊕ t) <<< u) + S[2i]
        C = ((C ⊕ u) <<< t) + S[2i + 1]
        (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[42]
    C = C + S[43]

Simplicity
• Facilitates and encourages analysis
  – allows rapid understanding of security
  – makes direct analysis straightforward (contrast with Mars and Twofish)
• Enables easy implementation
  – allows compilers to produce high-quality code
  – obviates complicated optimizations
  – provides good performance with minimal effort

RC6 security is well-analyzed
• RC6 is probably most studied AES finalist
  – RC6 is based on RC5
  – RC6 analysis builds directly on RC5 analysis
  – original RC6 analysis is very detailed
  – RC6 simplified variants studied extensively
  – small-scale versions allowed experimentation

RC6 key schedule is rock-solid
• Studied for more than six years
• Secure
  – thorough mixing
  – one-way function
  – no key separation (cf. Twofish)
  – no related-key attacks (cf. Rijndael)

Original analysis still accurate
• RC6 meets original design criteria
• Security estimates from 1998 still good today; independent analyses supportive.
• Secure, even in theory, even with analysis improvements far beyond those seen for DES during its lifetime
• RC6 provides a solid, well-tuned margin for security

32-bit Performance
• Excellent performance
• 32-bit CPUs are
  – NIST reference platform
  – a significant fraction of installed computers throughout the AES lifetime
  – becoming more prevalent in cheaper devices (e.g. ARM)

Smart Card Suitability
• RC6 fits in the cheapest smart cards, and well-suited for many (e.g. ARM processor)
• Bandwidth, not CPU, likely to be most significant bottleneck
• 8-bit CPUs will become far less important over the AES lifetime

Performance on 64-bit CPUs
• Generally good 64-bit performance
• IA64-performance only fair but anomalous -- slower than Pentium!
  – Note 3x improvement with IA64++
• Future chips will optimize AES
• In addition, RC6 gains dramatically with multi-block processing compared to other schemes

Major Trends: Java and DSPs
• Increasing use of Java
  – for e-commerce and embedded apps.
  – RC6 provides excellent speed with minimal code size and memory usage
• Increasing use of DSP chips
  – likely to be more significant than IA64 or 8-bit processors
  – RC6 gives excellent performance

Flexibility
• RC6 is fully parameterized
  – key size, number of rounds, and block length can be readily changed
  – well-suited for hash functions
• RC6 is only AES finalist that naturally gives DES and triple-DES compatible variants (64-bit blocks)

How do we grade candidates?
• Security (corroborated)
• Performance (speed+memory)
  – 32-bit (30%)
  – Java (20%)
  – DSP (15%)
  – 64-bit (15%)
  – Hardware (15%)
  – 8-bit (5%)
• Ease of implementation
• Simplicity
• Flexibility
Overall: 40/25/15/10/10

Conclusions
• RC6 is a simple yet remarkably strong cipher
  – good performance on most important platforms
  – simple to code for good performance
  – excellent flexibility
  – the most studied finalist
  – the best understood finalist
• RC6 is the secure and “elegant” choice for the AES
(The End)