3

The NSA appears to have chosen RC6 for securing the communication channels for its spyware[1].

I have found the choice curious as the cipher has become somewhat obscure after AES was chosen and it happens to be pretty much the only cipher with data-dependent rotations of any renown.

Under the assumption that the NSA may know something we don't, is there a good reason for why data-dependent rotations would harden a cipher? My attempt at answering this and my understanding is that pretty much all currently popular ciphers opt for simplicity and as a consequence may have exploitable mathematical structure (that is currently unknown to be weak). Another point to this hypothesis is that SHA-2 as put forward by the NSA also happens to be a 'messy' unbalanced-Feistel permutation with a lot of interplay between various nonlinear constructs.

Another possibility for why RC6 was chosen is that it may be efficient when AES-NI and SSE/AVX are disallowed (binaries using them would be trivially flagged as engaging in potential encryption). However, after consulting some latency and throughput tables for modern hardware it doesn't appear likely - MUL instructions have 3 times the latency of addition (e.g. for ARX) and 1/4th the throughput.

[1] https://arstechnica.com/security/2016/08/code-dumped-online-came-from-omnipotent-nsa-tied-hacking-group/

JulieMa

2 Answers

2

The NSA is fond of Feistel networks in general. Adding to that, RC5 was used in hardware so RC6 was basically a known quantity. With 256 bytes required in memory for the software, it's also very low-weight compared to most SPNs without hardware support. I'm rather sure that without hardware acceleration, RC6 would beat AES in every software implementation, so that makes RC6 a good candidate when you need something in software that's small.

This is all indeed speculation; however, I believe this all to be true to conversations with Matt Robshaw and with the SIMON/SPECK team at the NIST lightweight cryptography conference (round 1).

b degnan
-6

And another possibility (probable) is that RC6 is easily decipherable in real time by the NSA. See NOBUS. This reference (again, again & again) is the crux of this question.

Apart from the general turkeys, clever turkeys don't vote for Christmas.

Paul Uszak