3

Most cryptographic primitives I've seen rotate by a constant. RC5 did something different though:

Diagram of RC5, a Feistel cipher. One side is fed into the other as a rotation amount.

For a word size $w=2^n$, you can take the last $n$ bits of a value as a rotation amount. There are more sophisticated variants, like the one used in RC6.

To give these values a name: $A \lll B$.

Some good things:

  • Rotations are fast
  • Provides some diffusion
  • Has some nonlinear properties
  • Can be strong when combined with other operations

Some bad things:

  • Parity of $A$ is preserved
  • Differences in $A$ are preserved
  • Only a few bits in $B$ are used
  • Differences in $B$ may not have an effect (or have little effect)
  • Fewer differences if $A$ is mostly (or all) 0s or 1s
  • Fewer differences with alignment in $A$
  • Multiple variable rotations are not proportionally better

There's probably some more subtle weaknesses that make it more susceptible to differential cryptanalysis, but nothing that totally breaks it I think, or RC5 would be unusable.

forest
EPICI
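The rotation defined above, as an added example that is not part of the question or of RC5's reference code: a 32-bit $A \lll B$ with $w=32$, $n=5$, one RC5-style round built on it, and small checks for the properties listed in the question (only the low $n$ bits of $B$ are used, the Hamming weight and parity of $A$ survive, an XOR difference in $A$ is only moved, a difference confined to the high bits of $B$ has no effect, and an all-zeros or all-ones $A$ hides any difference in $B$). The round-key words and the sample inputs are constructed, not RC5's.

```c
/* Added example: data-dependent rotation A <<< B for w = 32, n = 5,
 * plus checks for the properties discussed in the question.
 * All inputs and the round-key words below are constructed values. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define W      32u   /* word size w = 2^n */
#define LOG_W  5u    /* n: number of bits of B that select the rotation */

/* A <<< B: only the low n bits of b are used as the rotation amount. */
static uint32_t rotl32(uint32_t a, uint32_t b) {
    uint32_t r = b & (W - 1u);
    return r ? (a << r) | (a >> (W - r)) : a;   /* r in 1..31: no undefined shift */
}

static unsigned popcount32(uint32_t x) {
    unsigned c = 0;
    for (; x; x &= x - 1u) c++;
    return c;
}

/* A rotation permutes bits, so the Hamming weight of A, and hence its parity, survives. */
bool parity_preserved(uint32_t a, uint32_t b) {
    return (popcount32(a) & 1u) == (popcount32(rotl32(a, b)) & 1u);
}

/* An XOR difference D in A is not destroyed, only moved:
 * (A <<< B) ^ ((A ^ D) <<< B) == D <<< B. */
bool a_difference_rotates(uint32_t a, uint32_t d, uint32_t b) {
    return (rotl32(a, b) ^ rotl32(a ^ d, b)) == rotl32(d, b);
}

/* A difference in B confined to bits above the low n bits has no effect at all. */
bool high_b_difference_ignored(uint32_t a, uint32_t b, uint32_t high_delta) {
    high_delta &= ~(W - 1u);
    return rotl32(a, b) == rotl32(a, b ^ high_delta);
}

/* Output difference caused by changing the rotation amount from b1 to b2.
 * Always zero for A = 0 or A = 0xFFFFFFFF, whatever b1 and b2 are. */
uint32_t b_difference_effect(uint32_t a, uint32_t b1, uint32_t b2) {
    return rotl32(a, b1) ^ rotl32(a, b2);
}

/* One RC5-style round for w = 32:
 *   A = ((A ^ B) <<< B) + S[2i];   B = ((B ^ A) <<< A) + S[2i+1]
 * s0 and s1 stand in for the two round-key words. */
void rc5_round(uint32_t *a, uint32_t *b, uint32_t s0, uint32_t s1) {
    *a = rotl32(*a ^ *b, *b) + s0;
    *b = rotl32(*b ^ *a, *a) + s1;
}

/* Same round, returned as (A << 32) | B so a single value can be checked. */
uint64_t rc5_round_packed(uint32_t a, uint32_t b, uint32_t s0, uint32_t s1) {
    rc5_round(&a, &b, s0, s1);
    return ((uint64_t)a << 32) | b;
}

int main(void) {
    uint32_t a = 0xDEADBEEFu, b = 0x12345678u;   /* constructed inputs */
    printf("A <<< B             = %08x\n", rotl32(a, b));
    printf("parity preserved    = %d\n", parity_preserved(a, b));
    printf("A-difference rotates= %d\n", a_difference_rotates(a, 0x00010000u, b));
    printf("high B diff ignored = %d\n", high_b_difference_ignored(a, b, 0xFFFFFF00u));
    printf("all-ones A, B diff  = %08x\n", b_difference_effect(0xFFFFFFFFu, 3, 29));
    rc5_round(&a, &b, 0x01234567u, 0x89ABCDEFu);   /* constructed subkeys */
    printf("after one round     = %08x %08x\n", a, b);
    return 0;
}
```

The checks are exact identities, not statistical observations: rotation is a bit permutation (so weight and parity are invariant) and is linear over XOR (so an input difference reappears rotated), which is why RC5 pairs it with modular addition to break that linearity.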

1 Answer

4

One issue is that data-dependent rotations (such as you describe) are patented by RSA Data Security (or, at least, were; the patent may have expired). RC5 and RC6 were created by the holder of this patent; however, such a patent could be enforced against someone else, and so people have shied away from it.

More minor issues would include:

  • It is likely to take variable time on lower-end CPUs, and hence is potentially vulnerable to time-based side-channel attacks.

  • Such variable rotates are moderately expensive in hardware (when they need to be implemented in constant time); yes, you can construct a barrel shifter, but that takes a number of gates and interconnects.

poncho
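The barrel shifter the answer mentions, done in software, as an added example that is not from the answer or from any RC5 implementation: each of the $\log_2 w = 5$ stages rotates by a fixed constant and selects the result with an all-ones/all-zeros mask, so neither the control flow nor any shift count depends on the secret rotation amount. The reference rotation it is compared against, and the sample inputs, are constructed for this example.

```c
/* Added example: a constant-time 32-bit rotate-left built as a software
 * barrel shifter, next to the plain variable-count rotation it replaces.
 * Inputs are constructed. */
#include <stdint.h>
#include <stdio.h>

#define W      32u
#define LOG_W  5u

/* Reference: the plain variable-count rotation. On a CPU whose shifter
 * loops once per shifted bit, its run time depends on the low bits of b. */
static uint32_t rotl32_ref(uint32_t a, uint32_t b) {
    uint32_t r = b & (W - 1u);
    return r ? (a << r) | (a >> (W - r)) : a;
}

/* Rotate by a compile-time-style constant s with 1 <= s <= 31. */
static uint32_t rotl_const(uint32_t a, unsigned s) {
    return (a << s) | (a >> (W - s));
}

/* Barrel-shifter rotate: stage k rotates by 2^k if bit k of b is set.
 * Every stage executes unconditionally; the mask does the selection. */
uint32_t rotl32_ct(uint32_t a, uint32_t b) {
    uint32_t x = a;
    for (unsigned k = 0; k < LOG_W; k++) {
        uint32_t mask    = 0u - ((b >> k) & 1u);   /* 0xFFFFFFFF if bit k set, else 0 */
        uint32_t rotated = rotl_const(x, 1u << k);
        x = (rotated & mask) | (x & ~mask);
    }
    return x;
}

/* Checks the constant-time version against the reference for every
 * rotation amount 0..63 (so both the used low bits and the ignored
 * high bit are covered). Returns 1 on a full match. */
int rotl32_ct_matches_ref(uint32_t a) {
    for (uint32_t r = 0; r < 64u; r++)
        if (rotl32_ct(a, r) != rotl32_ref(a, r)) return 0;
    return 1;
}

int main(void) {
    uint32_t a = 0xDEADBEEFu;   /* constructed input */
    for (uint32_t r = 0; r < W; r += 7)
        printf("rotl32_ct(%08x, %2u) = %08x  ref = %08x\n",
               a, r, rotl32_ct(a, r), rotl32_ref(a, r));
    printf("all amounts match reference: %d\n", rotl32_ct_matches_ref(a));
    return 0;
}
```

This is exactly the gate count the answer refers to: five masked select stages, each a constant shift plus a few bitwise operations, instead of one shifter with a variable count. The usual caveat applies when compiling this on a CPU that has a native barrel shifter: an optimizing compiler may recognise the pattern and emit a single variable rotate, which is fine there but defeats the point on a core whose shifter is itself variable-time.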