*Ron is associate director of the MIT Laboratory for Computer Science, a coinventor of the RSA public-key cryptosystem, and a cofounder of RSA Data Security Inc. He can be contacted at rivest@theory.lcs.mit.edu. RC5 and RSA-RC5 are trademarks of RSA Data Security Inc. Patent pending.*

*w*is the word size, in bits. The standard value is 32 bits; allowable values are 16, 32, and 64. RC5 encrypts two-word blocks: plaintext and ciphertext blocks are each 2*w*bits long.*r*is the number of rounds. Allowable values are 0, 1_255.- The number of bytes in the secret key
*K*. Allowable values of*b*are 0, 1_255.

RC5 is not intended to be secure for all possible parameter values. On the other hand, choosing the maximum parameter values would be overkill for most applications.

We provide a variety of parameter settings so that users may select an encryption algorithm whose security and speed are optimized for their application, while providing an evolutionary path for adjusting their parameters as necessary in the future.

For example, RC5-32/16/7 is an RC5 algorithm with the number of rounds and the length of key equivalent to DES. Unlike unparameterized DES, however, an RC5 user can upgrade the choice for a DES replacement to an 80-bit key by moving to RC5-32/16/10.

As technology improves, and as the true strength of RC5 algorithms becomes better understood through analysis, the most appropriate parameters can be chosen. We propose RC5-32/12/16 as providing a "nominal" choice of parameters. Further analysis is needed to analyze the security of this choice.

- Two's complement addition of words, denoted by "+". This is modulo-2
^{w}addition. - Bit-wise exclusive-OR of words, denoted by .
- A left-rotation (or "left-spin") of words: the rotation of word
*x*left by*y*bits is denoted*x <<< y*. Only the lg(*w*) low-order bits of*y*are used to determine the rotation amount, so that*y*is interpreted modulo*w*.

The key-expansion function has a certain amount of "one-wayness": It is not so easy to determine *K* from *S*.

For encryption, we assume that the input block is given in two *w*-bit registers, *A* and *B*, and the ouput is also placed in the registers *A* and *B*. Example 1 is a pseudocode version of the encryption algorithm. The output is in the registers *A* and *B*. The decryption routine is easily derived from the encryption routine.

I invite the reader to help determine the strength of RC5.

Example 1 Pseudocode of RC5 encryption algorithm.

Copyright © 1995, *Dr. Dobb's Journal*