The χ2-attack was originally proposed by Knudsen and Meier. This attack is one of the most effective attacks for RC6. The χ2-attack can be used for both distinguishing attacks and for key recovery attacks. Although, up to the present, theoretical analysis of χ2-attacks, especially the relation between a distinguishing attack and a key recovery attack, has not been discussed, the security against key recovery attacks has been often discussed by the results of distinguishing attacks. In this paper, we investigate the theoretical relation between the distinguishing attack and the key recovery attack, and prove one theorem to evaluate the exact security against the key recovery attacks by using the results of the distinguishing attack. Furthermore we propose two key recovery attacks against RC5-64 and implement them. Our best key recovery attack can analyze RC5-64 with 16 rounds by using 2125.23 plaintexts with a success probability of 30%. This result works faster than exhaustive key search. As far as the authors know, this is the best result of known plaintext attacks to RC5-64. We also apply our theory on our key recovery attacks and demonstrate the validity.

Various attacks against RC5 have been analyzed intensively. A known plaintext attack has not been reported that it works on so higher round as a chosen plaintext attack, but it can work more efficiently and practically. In this paper, we investigate a known plaintext attack against RC5 by improving a correlation attack. As for a known plaintext attack against RC5, the best known result is a linear cryptanalysis. They have reported that RC5-32 with 10 rounds can be broken by 264 plaintexts under the heuristic assumption: RC5-32 with r rounds can be broken with a success probability of 90% by using 26r+4 plaintexts. However, their assumption seems to be highly optimistic. Our known plaintext correlation attack can break RC5-32 with 10 rounds (20 half-rounds) in a more strict sense with a success probability of 90% by using 263.67 plaintexts. Furthermore, our attack can break RC5-32 with 21 half-rounds in a success probability of 30% by using 263.07 plaintexts.

This letter gives a study of additionY=X+K mod 2w which is used in some cryptosystems as RC5. Our results enables us to express the differential and linear probability of addition as a function of addendK. To detect a good differential characteristics or linear approximation of a cryptosystem in which extended key is used as addend, we need to consider how the characteristics or approximations behave depending upon the value of the addend, which are clarified by our results.

In estimating the vulnerability of a block cipher to differential cryptanalysis and linear cryptanalysis, we must consider the fact that the differential probability and the linear probability vary with the key. In the case of cryptosystems where the round key is XORed to the input data of each round, the difference in both types of probability with different keys is regarded as negligible. However, this is not the case with RC5. This paper makes a primary analysis of the key-dependency of linear probability of RC5. Throughout this paper we study "precise" linear probability. We find some linear approximations that have higher deviation (bias) for some keys than the "best linear approximation" claimed by Kaliski and Yin in CRYPTO'95. Using one linear approximation, we find 10 weak keys of RC5-4/2/2 with linear probability 2-1, 2 weak keys of RC5-4/5/16 with linear probability 2-2, and a weak key of RC5-16/5/16 with linear probability 2-15.4, while Kaliski-Yin's "best biases" are 2-3, 2-9, and 2-17, respectively.