Linear Cryptanalysis of RC5 and RC6

  • Johan Borst
  • Bart Preneel
  • Joos Vandewalle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1636)


In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC5-32 (blocksize 64) with 10 rounds and RC5-64 (blocksize 128) with 15 rounds. In order to do this we use techniques related to the use of multiple linear approximations. Furthermore the success of the attack is largely based on the linear hull-effect. To our knowledge, at this moment these are the best known plaintext attacks on RC5, which have negligible storage requirements and do not make any assumption on the plaintext distribution. Furthermore we discuss the impact of our attacking method on the AES-candidate RC6, whose design was based on RC5.


Success Probability Block Cipher Deviation Direction Linear Hull Linear Cryptanalysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [BK98]
    A. Biryukov, E. Kushilevitz, “Improved Cryptanalysis of RC5, ” Proc. Eurocrypt’ 98, LNCS 1403, Springer-Verlag, 1998, pp. 85–99.Google Scholar
  2. [BS93]
    E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.Google Scholar
  3. [HM97]
    C. Harpes, J.L. Massey, “Partitioning Cryptanalysis, ” Fast Software Encryption, LNCS 1267, Springer-Verlag, 1997, pp. 13–27.CrossRefGoogle Scholar
  4. [KM96]
    L.R. Knudsen, W. Meier, “Improved Differential Attacks on RC5,” Proc. Crypto’96, LNCS 1109, Springer-Verlag, 1996, pp. 216–228.Google Scholar
  5. [KR94]
    B.S. Kaliski, M.J.B. Robshaw, “Linear Cryptanalysis Using Multiple Approximations,” Proc. Eurocrypt’94, LNCS 950, Springer-Verlag, 1995, pp. 26–39.Google Scholar
  6. [KY95]
    B.S. Kaliski, Y.L. Yin, “On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm,” Proc. Crypto’95, LNCS 963, Springer-Verlag, 1995, pp. 171–184.Google Scholar
  7. [KY98]
    B.S. Kaliski, Y.L. Yin, “On the Security of the RC5 Encryption Algorithm,” RSA Laboratories Technical Report TR-602, Version 1.0, September 1998, available via
  8. [Mat93]
    M. Matsui, “Linear cryptanalysis method for DES cipher,” Proc. Eurocrypt’93, LNCS 765, Springer-Verlag, 1994, pp. 386–397.Google Scholar
  9. [Mat94]
    M. Matsui, “The first experimental cryptanalysis of the Data Encryption Standard,” Proc. Crypto’94, LNCS 839, Springer-Verlag, 1994, pp. 1–11.Google Scholar
  10. [Nyb94]
    K. Nyberg, “Linear Approximations of Block Ciphers,” Proc. Eurocrypt’94, LNCS 950, Springer-Verlag, 1995, pp. 439–444.Google Scholar
  11. [Riv95]
    R.L. Rivest, “The RC5 Encryption Algorithm,” Fast Software Encryption, LNCS 1008, Springer-Verlag, 1995, pp. 86–96.Google Scholar
  12. [RC6.1]
    R.L. Rivest, M.J.B. Robshaw, R. Sidney, Y.L. Yin, “The RC6 Block Cipher. v1.1,” AES Proposal, 1998, available via
  13. [RC6.2]
    S. Contini, R.L. Rivest, M.J.B. Robshaw, Y.L. Yin, “The Security of the RC6 Block Cipher. v1.0,” 1998, available via
  14. [RC6.3]
    S. Contini, R.L. Rivest, M.J.B. Robshaw, Y.L. Yin, “Linear Hulls and RC6 (DRAFT),” September, 1998.Google Scholar
  15. [Sel98]
    A.A. Selçcuk, “New Results in Linear Cryptanalysis of RC5,” Fast Software Encryption, LNCS 1372, Springer-Verlag, 1998, pp. 1–16.CrossRefGoogle Scholar
  16. [Vau96]
    S. Vaudenay, “An Experiment on DES-Statistical Cryptanalysis,” Proc. 3rd ACM Conference on Computer Security, ACM Press, 1996, pp. 139–147.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Johan Borst
    • 1
  • Bart Preneel
    • 1
  • Joos Vandewalle
    • 1
  1. 1.K.U. Leuven, Dept. Elektrotechniek-ESAT/COSICHeverleeBelgium

Personalised recommendations