Various attacks against RC5 have been analyzed intensively. A known plaintext attack has not been reported that it works on so higher round as a chosen plaintext attack, but it can work more efficiently and practically. In this paper, we investigate a known plaintext attack against RC5 by improving a correlation attack. As for a known plaintext attack against RC5, the best known result is a linear cryptanalysis. They have reported that RC5-32 with 10 rounds can be broken by 264 plaintexts under the heuristic assumption: RC5-32 with r rounds can be broken with a success probability of 90% by using 26r+4 plaintexts. However, their assumption seems to be highly optimistic. Our known plaintext correlation attack can break RC5-32 with 10 rounds (20 half-rounds) in a more strict sense with a success probability of 90% by using 263.67 plaintexts. Furthermore, our attack can break RC5-32 with 21 half-rounds in a success probability of 30% by using 263.07 plaintexts.

We investigate the cryptanalysis of reduced-round RC6 without whitening. Up to now, key recovery algorithms against the reduced-round RC6 itself, the reduced-round RC6 without whitening, and even the simplified variants have been infeasible on a modern computer. In this paper, we propose an efficient and feasible key recovery algorithm against reduced-round RC6 without whitening. Our algorithm is very useful for analyzing the security of the round-function of RC6. Our attack applies to a rather large number of rounds. RC6 without whitening with r rounds can be broken with a success probability of 90% by using 28.1r - 13.8 plaintexts. Therefore, our attack can break RC6 without whitening with 17 rounds by using 2123.9 plaintexts with a probability of 90%.

The χ2-attack was originally proposed by Knudsen and Meier. This attack is one of the most effective attacks for RC6. The χ2-attack can be used for both distinguishing attacks and for key recovery attacks. Although, up to the present, theoretical analysis of χ2-attacks, especially the relation between a distinguishing attack and a key recovery attack, has not been discussed, the security against key recovery attacks has been often discussed by the results of distinguishing attacks. In this paper, we investigate the theoretical relation between the distinguishing attack and the key recovery attack, and prove one theorem to evaluate the exact security against the key recovery attacks by using the results of the distinguishing attack. Furthermore we propose two key recovery attacks against RC5-64 and implement them. Our best key recovery attack can analyze RC5-64 with 16 rounds by using 2125.23 plaintexts with a success probability of 30%. This result works faster than exhaustive key search. As far as the authors know, this is the best result of known plaintext attacks to RC5-64. We also apply our theory on our key recovery attacks and demonstrate the validity.