RC6 ( Rivest Cipher 6) is a 1998 designed by Ronald Rivest and other symmetric block encryption. RC6 is a further development of RC5 and used as well as this data-dependent rotations, and in addition the multiplication of data. The known time of development theoretical attacks against RC5 should be prevented in the bud.

RC6 was a candidate for the election of the Advanced Encryption Standard ( AES) and counted there - along with Twofish, Rijndael, MARS and Serpent - the finalists. It was ( NIST) classified by the National Institute of Standards and Technology as " reasonable certainty " - as well as Rijndael, which was finally elected to the AES. RC6 is simpler in construction than the other finalists, thereby reducing the risk of deployment errors is reduced, and it is relatively efficient to implement in software.

  • 2.1 Chosen -plaintext
  • 2.2 Known plaintext
  • 2.3 Licensing


RC6 has a variable block size, round numbers (0-255) and key lengths ( 0-2040 bits). A specific choice of these parameters is commonly referred to as " RC6-w/r/b " - w is the length in bits of a data word, the number of rounds r and b the length of the key. A block is always made of four data words, the block size is so bits. The AES candidate was RC6-32/20 with block size 128 bits, 20 rounds, and key lengths of 128, 192 and 256 bits.

Primitive operations as the algorithm used, the addition () and multiplication ( ) (each modulo ), the bit-wise XOR (), and the left rotation (), the A is rotated about bit positions.

Encrypting and decrypting

Given a plaintext block in Little endian representation, which consists of the data words A, B, C, D, and the round key S0 to S2r 3. In this case, the logarithm of the word length to base 2, the block is referred encrypted by:

As with RC5 be used S0 and S1 for Key whitening.

The decryption of a ciphertext block corresponding to the reversal of this algorithm.

Key Expansion

The expansion of RC6 algorithm, which calculates the round key S0 to S2r 3 was taken over unchanged from RC5 substantially. First, the round key Sk are initialized by constants on a fixed initial state. P and Q are - as with RC5 - odd integers that are generated with the Euler's number e and the golden ratio Φ depending on the block size used (Table ).

Then the secret key is split into c words to the length of w, and if needed the last word is padded with zeros. The following code calculates the final round key:


Chosen -plaintext

2001 reported by Tetsu Iwata and Kaoru Kurosawa of the Tokyo Institute of Technology, that an idealized RC6 with 4 rounds is not a pseudorandom permutation - an attacker with polynomially many encryption Try the result of the block cipher can therefore be distinguished from random noise. In the same year, Henri Gilbert, Helena glove, Antoine Joux, Serge Vaudenay presented an act building on this property, statistical attack before, with the help of which - for w = 32 - with 2118 pairs of chosen plaintexts and their ciphers bits of the round key for up to 13 can be reconstructed rounds. With a memory requirement of about 2112 and 2122 necessary operations, this attack can also be used as a known-plaintext attack against 14 rounds. Because of this - because of the requirements of virtually not feasible - Attack the authors concluded that the 20 rounds of the AES candidates were not overly much.


1999 found Borst, Preneel and Vandevalle that the published of them are based on linear approximations based attack on RC5 against RC6 is essential ineffective and insufficient to the arrangements which RC6 developers.


For the method, the RSA RC6 was awarded U.S. Patents 5,724,428 and 5,835,600.