RC5

RC5 is a symmetric-key block cipher designed by Ronald L. Rivest of the Massachusetts Institute of Technology in 1994, notable for its simplicity, speed, and parameterization to balance security and performance across hardware and software implementations.^[1] The algorithm operates on blocks of data using a variable word size w (typically 16, 32, or 64 bits, resulting in block sizes of 32, 64, or 128 bits), a variable number of rounds r (from 0 to 255, with common values of 8 to 16), and a variable key length b (from 0 to 255 bytes, up to 2040 bits), denoted in the form RC5-w/r/b.^[2] Its core operations rely on three primitive arithmetic and logical functions—modular addition, XOR, and left rotation—combined with data-dependent rotations to enhance diffusion and confusion in each round.^[1] The design of RC5 emphasizes adaptability, allowing users to select parameters based on required security levels and computational resources; for instance, RC5-32/12/16 provides strong protection suitable for replacing older ciphers like DES, while supporting modes such as ECB, CBC, CFB, and OFB for practical applications.^[2] Key expansion derives a subkey array S from the user key using fixed constants derived from the golden ratio (φ), ensuring even distribution and resistance to weak keys.^[3] Encryption begins by XORing the plaintext block (split into two words A and B) with initial subkeys, followed by r iterations of rotation, addition, and XOR operations that progressively mix the data.^[1] RC5 was publicly released to encourage widespread analysis and adoption, with its patent held by RSA Data Security until expiration, and it has been standardized in documents like RFC 2040 for interoperability in protocols.^[2] Although not selected for the AES standard due to preferences for fixed-parameter ciphers, RC5 remains influential for its innovative use of rotations and parameter flexibility, influencing subsequent block cipher designs.^[3]

Introduction

Description

RC5 is a parameterized family of symmetric key block ciphers designed for efficient implementation in both hardware and software environments. Invented by Ronald Rivest of the Massachusetts Institute of Technology, it emphasizes simplicity and adaptability to varying computational resources.^[4] The core structure of RC5 operates as an iterative Feistel-like network, processing plaintext blocks consisting of two w-bit words through a variable number of rounds. It relies on just three primitive operations: bitwise exclusive-or (XOR), addition modulo $2^w, and left rotation by a data-dependent amount. These operations enable a streamlined design that promotes both speed and security without complex substitutions or permutations.^[4] RC5's flexibility arises from its tunable parameters: the word size w (in bits, typically 16, 32, or 64, yielding a block size of $2w bits), the key length b (in bytes, ranging from 0 to 255), and the number of rounds r (from 0 to 255). The original proposal recommended the configuration RC5-32/12/16, corresponding to a 64-bit block, 128-bit key, and 12 rounds. A key innovation in RC5 is its use of data-dependent rotations, which introduce non-linearity and enhance diffusion across the block.^[4]

Parameters

RC5 is a parameterized family of block ciphers, with a specific instance denoted as RC5-w/r/b, where w is the word size in bits, r is the number of rounds, and b is the key size in bytes.^[5] The word size w determines the length of the words on which operations are performed and thus the block size, which is 2w bits; allowable values are 16, 32, or 64 bits, with 32 bits (yielding a standard 64-bit block) being the nominal choice for most implementations.^[5] Smaller w values enable faster execution on hardware with limited word-processing capabilities, while larger w enhances security by increasing the block size and the complexity of arithmetic operations modulo $2^w.^[5] The computations involve data-dependent rotations by amounts derived from word additions modulo $2^w, making larger w more computationally intensive due to wider bit rotations and modular additions.^[5] The key size b ranges from 0 to 255 bytes (providing key lengths of 0 to 2040 bits in multiples of 8 bits), offering flexibility for varying security needs; a 128-bit key (b=16) is recommended for adequate protection against brute-force attacks.^[5] Longer keys increase resistance to exhaustive search but require more time in the key expansion phase, which mixes the key into subkeys using operations scaled to w-bit words.^[5] The number of rounds r ranges from 0 to 255, with 12 rounds originally proposed as a balance between security and efficiency; higher r strengthens the cipher against cryptanalytic attacks at the cost of additional iterations of the core mixing operations.^[5] In the algorithm's notation, the plaintext (and ciphertext) block is treated as two w-bit words, A and B.^[5] The secret key consists of b bytes, which are loaded into an array of c = \lceil b / (w/8) \rceil w-bit words for key expansion.^[5] The key expansion produces a subkey array S of 2(r + 1) w-bit words, which are used in the encryption and decryption rounds.^[5]

History

Development

RC5 was invented by Ronald L. Rivest, a professor at the Massachusetts Institute of Technology, in 1994 as a symmetric-key block cipher designed to address the limitations of older standards like the Data Encryption Standard (DES), which had a fixed key size and was becoming vulnerable to emerging computational threats.^[4] Rivest first presented the algorithm at the CRYPTO '94 conference, held in Santa Barbara, California, where it was published in the proceedings as part of Advances in Cryptology.^[6] The primary motivations for developing RC5 stemmed from the need for a cipher that could adapt to rapidly evolving processor technologies in the 1990s, offering flexibility in key length, block size, and number of rounds to suit various security requirements without sacrificing performance.^[4] Rivest aimed to create an algorithm that was simple and efficient, emphasizing minimal primitive operations—such as exclusive-or, addition modulo $2^w, and data-dependent rotations—to ensure it could be implemented quickly in both software and hardware environments, including on resource-constrained devices like smart cards.^[4] This design philosophy was influenced by the simplicity of Rivest's earlier RC4 stream cipher, but adapted for block encryption to provide a versatile alternative to DES amid growing demands for standardized, high-speed cryptography.^[7] The initial publication appeared in Rivest's 1994 paper, "The RC5 Encryption Algorithm," which outlined the cipher's parameterized structure (with word size w, rounds r, and key bytes b) tuned for contemporary hardware like 32-bit microprocessors, positioning RC5 for general-purpose adoption in software applications and embedded systems.^[4] Early considerations focused on balancing security and speed, with parameters such as RC5-32/12/16 recommended for replacing DES in typical 1990s computing scenarios.^[4]

Patent and Licensing

The RC5 block cipher is covered by U.S. Patent No. 5,724,428, titled "Block encryption algorithm with data-dependent rotations," invented by Ronald L. Rivest and assigned to RSA Data Security Inc. (later RSA Security). The patent application was filed on November 1, 1995, and granted on March 3, 1998, encompassing the core RC5 algorithm and its variants that employ data-dependent word rotations for encryption.^[8] RSA Security managed licensing for RC5 during the patent's term; commercial implementations typically required paid licenses, while non-commercial, academic, and research uses were permitted without fees.^[4] This licensing model allowed broad experimentation in open-source and educational contexts but imposed financial barriers on proprietary software and hardware products.^[9] The patent term, governed by U.S. law for applications filed after June 8, 1995, extended 20 years from the filing date, resulting in expiration on November 1, 2015. Following expiration, RC5 entered the public domain, eliminating all licensing restrictions and enabling unrestricted global implementation in any context. The patent's enforcement during its active period limited RC5's commercial adoption in the late 1990s and early 2000s, as organizations favored unencumbered alternatives to avoid royalty fees, contributing to the preference for patent-free ciphers like the Advanced Encryption Standard (AES) in standards and products. Post-expiration, while RC5 remains viable for niche applications, its historical licensing constraints have sustained lower prevalence compared to royalty-free successors.

Algorithm

Key Expansion

The key expansion in RC5 derives a set of subkeys from the user-provided secret key, producing an array S of t = 2(r + 1) words, where each word is w bits wide and r is the number of rounds.^[4] The input is the secret key K, an array of b bytes where $0 < b \leq 255, which is first converted into an array L of c = \lceil b / u \rceil words, with u = w / 8 bytes per word; if necessary, the key is zero-padded to fill the last word.^[4] This expansion ensures that the subkeys are thoroughly mixed and diffused, independent of any structure in the original key, to support the cipher's security.^[4] The process begins with initializing the subkey array S. The first subkey is set to a magic constant P_w, defined as the odd integer closest to (e - 2) \times 2^w, where e \approx 2.718281828459\ldots is the base of the natural logarithm; for the nominal word size w = 32, P_{32} = 0xB7E15163 in hexadecimal.^[4] Subsequent subkeys are then computed iteratively: for i = 1 to t-1, S = S[i-1] + Q_w, where Q_w is another magic constant, the odd integer closest to (\phi - 1) \times 2^w and \phi = (1 + \sqrt{5})/2 \approx 1.618033988749\ldots is the golden ratio; for w = 32, Q_{32} = 0x9E3779B9.^[4] These constants are chosen to promote good diffusion properties during the mixing phase that follows.^[4] The key mixing step then combines the initialized S with the key words in L through a loop that runs for $3 \times \max(t, c) iterations to ensure even diffusion regardless of the relative sizes of the arrays.^[4] Initialize variables A = 0, B = 0, i = 0, and j = 0. For each iteration:

A ← ((S[i] + A + B) ≪ 3) mod 2^w
S[i] ← A
i ← (i + 1) mod t

B ← ((L[j] + A + B) ≪ (A + B mod 2^w)) mod 2^w
L[j] ← B
j ← (j + 1) mod c
A ← ((S[i] + A + B) ≪ 3) mod 2^w
S[i] ← A
i ← (i + 1) mod t

B ← ((L[j] + A + B) ≪ (A + B mod 2^w)) mod 2^w
L[j] ← B
j ← (j + 1) mod c

Here, \ll denotes left rotation, and all operations are performed modulo $2^w to keep values within word size.^[4] The rotation amounts in the mixing—fixed by 3 for S and variable as A + B for L—help avalanche the changes across the subkeys and key words.^[4] Once complete, the array S[0 \dots t-1] provides the subkeys used in the encryption process, with even indices typically for additions and odd for XORs in rounds.^[4]

Encryption

The RC5 encryption algorithm operates on a 2w-bit plaintext block, divided into two w-bit words denoted as A and B, where w is the word size (typically 16, 32, or 64 bits). The process utilizes a set of 2(r+1) subkeys derived from the secret key, stored in an array S[0..2r+1], with r being the number of rounds (typically 12 or more). All arithmetic additions are performed modulo $2^w, and left rotations are by an amount taken modulo w to ensure the shift value stays within the word size.^[4] Encryption begins with an initialization step to incorporate the initial subkeys:

A \leftarrow A + S{{grok:render&&&type=render_inline_citation&&&citation_id=0&&&citation_type=wikipedia}} \pmod{2^w}

B \leftarrow B + S{{grok:render&&&type=render_inline_citation&&&citation_id=1&&&citation_type=wikipedia}} \pmod{2^w}

This primes the data for mixing with the key material.^[4] The core of the encryption consists of r iterative rounds, each applying a simple yet effective transformation that leverages data-dependent operations for diffusion and confusion. In round i (for i = 1 to r):
First, update A using an exclusive-or (XOR) of A and B, followed by a left rotation by the value of B (modulo w), and then addition of the corresponding subkey:
A \leftarrow ((A \oplus B) \ll B) + S[2i] \pmod{2^w}
Then, symmetrically update B using the new A:
B \leftarrow ((B \oplus A) \ll A) + S[2i+1] \pmod{2^w}
The data-dependent rotation—where the shift amount is derived directly from the data itself—promotes a strong avalanche effect, ensuring that small changes in the input propagate rapidly through subsequent rounds, enhancing resistance to differential analysis.^[4] Following the r rounds, the final values of A and B form the 2w-bit ciphertext block, with no additional transformations applied. The complete encryption pseudocode is as follows:

A ← A + S[0]  (mod 2^w)
B ← B + S[1]  (mod 2^w)
for i = 1 to r do
    A ← ((A ⊕ B) <<< B) + S[2i]  (mod 2^w)
    B ← ((B ⊕ A) <<< A) + S[2i+1]  (mod 2^w)
output A || B  (as [ciphertext](/page/Ciphertext))
A ← A + S[0]  (mod 2^w)
B ← B + S[1]  (mod 2^w)
for i = 1 to r do
    A ← ((A ⊕ B) <<< B) + S[2i]  (mod 2^w)
    B ← ((B ⊕ A) <<< A) + S[2i+1]  (mod 2^w)
output A || B  (as [ciphertext](/page/Ciphertext))

Here, ⊕ denotes XOR, <<< denotes left rotation, and || denotes concatenation. This structure ensures the algorithm's simplicity while achieving high performance on both hardware and software platforms.^[4]

Decryption

The decryption process for RC5 inverts the encryption operations to recover the plaintext from the ciphertext, using the same expanded key schedule and parameters as encryption. It takes as input the 2w-bit ciphertext, split into two w-bit words A and B, along with the subkey array S[0..2r+1] derived from the key expansion.^[4] Then, for each round i from r down to 1, the round function is inverted. Specifically, B is first updated as B ← ((B - S[2i+1]) right-rotate by A) XOR A, followed by A ← ((A - S[2i]) right-rotate by B) XOR B. These steps mirror the encryption rounds but apply the operations in reverse order, with the rotation amounts now derived from the updated values of the other word.^[4] Finally, the initial additions are undone: B ← B - S^[10], followed by A ← A - S. The resulting words A and B form the w-bit plaintext blocks. For clarity, the core reverse round operations can be expressed as:

\begin{align*} B_i &= \left( (B_{i+1} - S_{2i+1}) \ggg A_{i+1} \right) \oplus A_{i+1}, \\ A_i &= \left( (A_{i+1} - S_{2i}) \ggg B_i \right) \oplus B_i, \end{align*}

where \ggg denotes right rotation by the specified number of bits (modulo w), and indices denote the state after each reverse round.^[4] The reversibility of RC5's decryption stems from the invertibility of its primitive operations: subtraction undoes addition modulo $2^w, a right rotation by a known amount (the value of the other word) inverts a left rotation, and XOR is its own inverse. This ensures that applying decryption to the output of encryption yields the original plaintext, establishing a bijection for each parameter set (b, r, w).^[4]

Security Analysis

Known Attacks

RC5 was introduced in 1994 with claims of resistance to known cryptanalytic techniques, but subsequent analysis revealed vulnerabilities in reduced-round variants and specific parameter sets. Initial cryptanalytic efforts focused on differential and linear methods, with the first results published in 1995 by Kaliski and Yin, who described differential attacks requiring up to $2^{65} chosen plaintexts for 9-round RC5-32 and linear attacks needing $2^{47} known plaintexts for 5 rounds.^[11] These early attacks highlighted potential weaknesses in the data-dependent rotations and modular additions, though they were impractical for the nominal 12-round version.^[11] Differential cryptanalysis proved the most effective against full-round RC5 variants. In 1997, Knudsen and Meier refined the approach, identifying high-probability differentials and demonstrating that RC5-32/12 has approximately $2^{28} weak keys susceptible to attack with $2^{44} chosen plaintexts, a significant improvement over prior work.^[12] Building on this, Biryukov and Kushilevitz introduced a partial differential technique in 1998, enabling a practical attack on the full 12-round RC5-32/12/128 using only $2^{44} chosen plaintexts and $2^{44} time, exploiting biases in the modular additions across multiple rounds.^[13] For higher rounds, differential attacks remain feasible only up to 14 rounds with increased complexity exceeding $2^{100}, rendering them impractical.^[13] Linear cryptanalysis also targets reduced-round RC5 effectively. The 1995 analysis by Kaliski and Yin outlined an attack on 5-round RC5-32 requiring $2^{47} known plaintexts to recover subkeys, based on linear approximations of the rotation and XOR operations.^[11] Selçuk later showed in 1998 that this attack overestimated the bias due to key-dependent effects, providing corrected linear hulls requiring approximately $2^{55} known plaintexts for 5-round RC5-32, and $2^{78} for 6 rounds, with even higher costs for 7 or more rounds.^[14] These results underscore the cipher's vulnerability to linear approximations in early rounds but confirm that full 12+ rounds resist linear attacks under standard assumptions.^[14] The key schedule of RC5 exhibits weaknesses under related-key scenarios and for certain key classes. Knudsen and Meier noted in 1997 that the schedule's reliance on simple mixing allows related-key differentials to propagate through low-round variants (up to 4-5 rounds) with probability greater than $2^{-[32](/page/32)}, enabling key recovery with $2^{30} chosen plaintexts under related-key queries.^[12] Additionally, biases in the modular addition operation—such as non-uniform distribution modulo small primes—can be exploited in the first few rounds to distinguish RC5 from random permutations using $2^{20} plaintexts, as explored in partitioning attacks analogous to mod n cryptanalysis. Heys identified $2^{28} linearly weak keys for 12-round RC5-32/12/128, where linear approximations hold with bias $2^{-17}, allowing subkey recovery with $2^{17} known plaintexts.^[15] No practical attacks exist on RC5-32 with 14 or more rounds using standard 128-bit keys, as complexities exceed $2^{100} for both differential and linear methods; recommended parameters mitigate these by increasing rounds.^[13] However, the 64-bit block size limits security against generic attacks like birthday collisions to $2^{32} effort in multi-block modes, a concern amplified by modern computational capabilities. As of 2025, no practical attacks on full-round RC5 with 14 or more rounds and standard keys have emerged beyond these classical methods.^[16]

Recommended Parameters

The original recommendations for RC5 parameters, as proposed by its designer Ron Rivest, specified a word size w = 32 bits (yielding a 64-bit block), 12 rounds (r = 12), and a 128-bit key (b = 16 bytes).^[17] These choices aimed to balance security and performance for software implementations on 32-bit processors.^[17] Subsequent cryptanalysis revealed vulnerabilities in the original configuration, particularly to differential attacks on the 12-round version with 64-bit blocks, which can be broken using approximately $2^{44} chosen plaintexts. To mitigate known differential attacks, updated guidance recommends increasing the number of rounds to r = 18 to $20 for w = 32, providing a sufficient security margin against current analytical techniques.^[18] For enhanced security, a larger word size of w = 64 (128-bit block) is preferred, paired with at least 16 rounds as originally suggested for this variant.^[17] Key sizes should be at least 128 bits to resist brute-force attacks with current computational resources, with 256 bits recommended for long-term protection against advances in exhaustive search.^[17] Regarding block size, the 64-bit option (w = 32) should be avoided in new designs due to the risk of collisions after approximately $2^{32} blocks in common modes of operation, such as CBC, which could enable practical attacks on large datasets.^[18] The 128-bit block (w = 64) offers adequate security for most applications under classical computing threats but lacks resistance to post-quantum attacks like Grover's algorithm on key search.^[17] Increasing r enhances security linearly with computational cost, as each round adds modular additions, XORs, and data-dependent rotations; this trade-off is particularly relevant for resource-constrained embedded systems, where r = 12 to $16 may still be viable if paired with larger w.^[17] As of 2025, RC5 is not recommended for new cryptographic systems due to its age and the availability of more thoroughly vetted alternatives like AES or ChaCha20, which offer stronger guarantees against both classical and emerging threats.^[18] However, it remains viable for legacy applications when using boosted parameters such as w = 64, r \geq 16, and b \geq 16 bytes to maintain adequate protection.

Implementations and Usage

Software Implementations

The reference implementation of RC5, provided by Ronald Rivest in 1994, consists of non-optimized C code for the RC5-32/12/16 variant, which can be readily adapted to different platforms due to its use of basic arithmetic operations.^[4] RC5 is supported in several established cryptographic libraries, including OpenSSL (deprecated since version 3.0 and available only via the legacy provider), the C++ library Crypto++, and the Java library Bouncy Castle. In Python, RC5 can be implemented using third-party libraries such as custom modules, though it is not part of the standard cryptography package. RC5 performs efficiently in software owing to its reliance on simple operations like integer addition, XOR, and bit rotation, making it particularly well-suited for 32-bit processors.^[4] For instance, a 16-round RC5 implementation achieved approximately 25 clock cycles per byte on a 200 MHz Pentium II processor in 1999 benchmarks.^[19] The algorithm's portability stems from its variable parameters for block size (32, 64, or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255), enabling straightforward adaptation to 8-bit, 16-bit, 32-bit, or 64-bit environments without specialized hardware requirements.^[4] Although RC5 has been removed from modern standards such as TLS 1.3 due to security concerns with reduced rounds, it persists in legacy systems and is often employed for educational purposes or in non-critical applications.^[20]

Distributed.net Challenge

In 1997, distributed.net launched its efforts to demonstrate the strength of the RC5 block cipher through distributed computing challenges, beginning with the successful cracking of a 56-bit key variant in just 250 days.^[21] The RC5-72 project, targeting a 72-bit key in the RC5-32/12/9 configuration, specifically commenced on December 3, 2002, following the completion of the 64-bit challenge.^[22] Sponsored initially by RSA Laboratories, the project offered a US$10,000 prize for discovering the unknown secret key, to be distributed among the finder ($1,000), their team ($1,000), a participant-voted non-profit (6,000), and distributed.net ($2,000); however, RSA discontinued the official challenges in May 2007, after which the effort continued under private sponsorship without altering the prize structure.^[22] The project employs a brute-force search across the full 2^{72} keyspace, coordinated through volunteer-run client software available in languages including C, Java, and assembly, which download work units (key blocks) from "Bovine" servers and report results upon completion.^[22] To ensure accuracy, clients perform RC5 encryptions on a fixed plaintext-ciphertext pair for each candidate key, verifying matches against known values.^[23] As of November 18, 2025, participants have searched 14.925% of the keyspace, equivalent to over 705 quintillion keys tested, at a recent rate of approximately 3.7 trillion keys per second.^[24] At current rates, the project is projected to exhaust the keyspace in approximately 34 years (12,557 days at the recent rate), underscoring RC5's resistance to exhaustive attack even with global volunteer computing resources spanning over two decades.^[24] No solution has been found as of 2025, and the ongoing effort serves as a benchmark for advancements in computational power and distributed systems, highlighting RC5's foundational role in early crowd-sourced cryptography demonstrations.^[22]

RC5