DIFFERENTIAL CRYPTANALYSIS OF RC5

In this paper we investigate the strength of the secret-key algorithm RC5 proposed by Ron Rivest. The target version of RC5 works on words o f 32 bits, has 12 rounds and a user-selected key of 128 bits. Kaliski and Yin estimated the strength of RC5 by differential and linear crypt analysis. They conjectured that their linear analysis is optimal and t hat the use of 12 rounds for RC5 is sufficient to make both differenti al and linear cryptanalysis impractical. In this paper we show that th e differential analysis made by Kaliski and Yin is not optimal. We giv e differential attacks better by up to a factor of 512. Also we show t hat RC5 has many weak keys with respect to differential attacks. This weakness relies on the structure of the cipher and not on the key sche dule. Finally we discuss some possible extensions of our attacks and s ome modifications of RC5 in order to improve the resistance against ou r differential attacks.