Input limitations on the RC6 cipher












2












$begingroup$


RSA has limitation in input size for encryption and decryption.




  • Can RC6 be used for encryption and decryption of files larger than 5 MB?

  • Is there any limitation for input size?

  • Is RC6 safe for using encryption or has it faced any attacks?










share|improve this question











$endgroup$

















    2












    $begingroup$


    RSA has limitation in input size for encryption and decryption.




    • Can RC6 be used for encryption and decryption of files larger than 5 MB?

    • Is there any limitation for input size?

    • Is RC6 safe for using encryption or has it faced any attacks?










    share|improve this question











    $endgroup$















      2












      2








      2


      3



      $begingroup$


      RSA has limitation in input size for encryption and decryption.




      • Can RC6 be used for encryption and decryption of files larger than 5 MB?

      • Is there any limitation for input size?

      • Is RC6 safe for using encryption or has it faced any attacks?










      share|improve this question











      $endgroup$




      RSA has limitation in input size for encryption and decryption.




      • Can RC6 be used for encryption and decryption of files larger than 5 MB?

      • Is there any limitation for input size?

      • Is RC6 safe for using encryption or has it faced any attacks?







      encryption rsa rc6






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 26 at 3:29









      forest

      4,3501641




      4,3501641










      asked Nov 21 '18 at 7:50









      Anu DavisAnu Davis

      138119




      138119






















          3 Answers
          3






          active

          oldest

          votes


















          5












          $begingroup$

          RC6 is secure, and has no effective limit on input size.



          RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



          RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



          There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





          Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






          share|improve this answer











          $endgroup$





















            3












            $begingroup$

            Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



            This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




            Can RC6 be used for encrytion and decryption of files larger than 5 MB?




            Yes.




            Is there any limitation for input size?




            When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



            This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




            Is RC6 safe for using encryption or has it faced any attacks?




            RC6 is considered to be safe.






            share|improve this answer











            $endgroup$









            • 1




              $begingroup$
              I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
              $endgroup$
              – forest
              Nov 21 '18 at 8:16








            • 1




              $begingroup$
              @forest Edited my answer.
              $endgroup$
              – AleksanderRas
              Nov 21 '18 at 11:46










            • $begingroup$
              @AnuDavis No need to say "thanks". That's what the forum is here for.
              $endgroup$
              – AleksanderRas
              Nov 21 '18 at 11:47










            • $begingroup$
              @ AleksanderRas ok
              $endgroup$
              – Anu Davis
              Nov 21 '18 at 11:51










            • $begingroup$
              a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
              $endgroup$
              – hardyrama
              Nov 22 '18 at 3:37



















            3












            $begingroup$

            RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



            This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



            Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






            Can RC6 be used for encryption and decryption of files larger than 5 MB?




            Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



            When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




            Is there any limitation for input size?




            Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



            Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



            With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






            Is RC6 safe for using encryption or has it faced any attacks?




            RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



            Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






            share|improve this answer











            $endgroup$













            • $begingroup$
              After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
              $endgroup$
              – kelalaka
              Nov 21 '18 at 19:01










            • $begingroup$
              Yes it turns into a many time pad.
              $endgroup$
              – Maarten Bodewes
              Nov 21 '18 at 20:27










            • $begingroup$
              It is better to be in the answer :)
              $endgroup$
              – kelalaka
              Nov 21 '18 at 20:30










            • $begingroup$
              I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
              $endgroup$
              – Maarten Bodewes
              Nov 21 '18 at 21:27








            • 1




              $begingroup$
              One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
              $endgroup$
              – fgrieu
              Nov 22 '18 at 6:49











            Your Answer





            StackExchange.ifUsing("editor", function () {
            return StackExchange.using("mathjaxEditing", function () {
            StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
            StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
            });
            });
            }, "mathjax-editing");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "281"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64215%2finput-limitations-on-the-rc6-cipher%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            5












            $begingroup$

            RC6 is secure, and has no effective limit on input size.



            RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



            RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



            There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





            Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






            share|improve this answer











            $endgroup$


















              5












              $begingroup$

              RC6 is secure, and has no effective limit on input size.



              RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



              RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



              There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





              Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






              share|improve this answer











              $endgroup$
















                5












                5








                5





                $begingroup$

                RC6 is secure, and has no effective limit on input size.



                RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



                RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



                There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





                Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






                share|improve this answer











                $endgroup$



                RC6 is secure, and has no effective limit on input size.



                RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



                RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



                There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





                Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 22 '18 at 7:24

























                answered Nov 21 '18 at 8:06









                forestforest

                4,3501641




                4,3501641























                    3












                    $begingroup$

                    Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



                    This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




                    Can RC6 be used for encrytion and decryption of files larger than 5 MB?




                    Yes.




                    Is there any limitation for input size?




                    When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



                    This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 is considered to be safe.






                    share|improve this answer











                    $endgroup$









                    • 1




                      $begingroup$
                      I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
                      $endgroup$
                      – forest
                      Nov 21 '18 at 8:16








                    • 1




                      $begingroup$
                      @forest Edited my answer.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:46










                    • $begingroup$
                      @AnuDavis No need to say "thanks". That's what the forum is here for.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:47










                    • $begingroup$
                      @ AleksanderRas ok
                      $endgroup$
                      – Anu Davis
                      Nov 21 '18 at 11:51










                    • $begingroup$
                      a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
                      $endgroup$
                      – hardyrama
                      Nov 22 '18 at 3:37
















                    3












                    $begingroup$

                    Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



                    This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




                    Can RC6 be used for encrytion and decryption of files larger than 5 MB?




                    Yes.




                    Is there any limitation for input size?




                    When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



                    This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 is considered to be safe.






                    share|improve this answer











                    $endgroup$









                    • 1




                      $begingroup$
                      I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
                      $endgroup$
                      – forest
                      Nov 21 '18 at 8:16








                    • 1




                      $begingroup$
                      @forest Edited my answer.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:46










                    • $begingroup$
                      @AnuDavis No need to say "thanks". That's what the forum is here for.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:47










                    • $begingroup$
                      @ AleksanderRas ok
                      $endgroup$
                      – Anu Davis
                      Nov 21 '18 at 11:51










                    • $begingroup$
                      a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
                      $endgroup$
                      – hardyrama
                      Nov 22 '18 at 3:37














                    3












                    3








                    3





                    $begingroup$

                    Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



                    This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




                    Can RC6 be used for encrytion and decryption of files larger than 5 MB?




                    Yes.




                    Is there any limitation for input size?




                    When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



                    This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 is considered to be safe.






                    share|improve this answer











                    $endgroup$



                    Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



                    This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




                    Can RC6 be used for encrytion and decryption of files larger than 5 MB?




                    Yes.




                    Is there any limitation for input size?




                    When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



                    This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 is considered to be safe.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Nov 21 '18 at 11:43

























                    answered Nov 21 '18 at 8:15









                    AleksanderRasAleksanderRas

                    2,6371834




                    2,6371834








                    • 1




                      $begingroup$
                      I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
                      $endgroup$
                      – forest
                      Nov 21 '18 at 8:16








                    • 1




                      $begingroup$
                      @forest Edited my answer.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:46










                    • $begingroup$
                      @AnuDavis No need to say "thanks". That's what the forum is here for.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:47










                    • $begingroup$
                      @ AleksanderRas ok
                      $endgroup$
                      – Anu Davis
                      Nov 21 '18 at 11:51










                    • $begingroup$
                      a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
                      $endgroup$
                      – hardyrama
                      Nov 22 '18 at 3:37














                    • 1




                      $begingroup$
                      I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
                      $endgroup$
                      – forest
                      Nov 21 '18 at 8:16








                    • 1




                      $begingroup$
                      @forest Edited my answer.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:46










                    • $begingroup$
                      @AnuDavis No need to say "thanks". That's what the forum is here for.
                      $endgroup$
                      – AleksanderRas
                      Nov 21 '18 at 11:47










                    • $begingroup$
                      @ AleksanderRas ok
                      $endgroup$
                      – Anu Davis
                      Nov 21 '18 at 11:51










                    • $begingroup$
                      a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
                      $endgroup$
                      – hardyrama
                      Nov 22 '18 at 3:37








                    1




                    1




                    $begingroup$
                    I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
                    $endgroup$
                    – forest
                    Nov 21 '18 at 8:16






                    $begingroup$
                    I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
                    $endgroup$
                    – forest
                    Nov 21 '18 at 8:16






                    1




                    1




                    $begingroup$
                    @forest Edited my answer.
                    $endgroup$
                    – AleksanderRas
                    Nov 21 '18 at 11:46




                    $begingroup$
                    @forest Edited my answer.
                    $endgroup$
                    – AleksanderRas
                    Nov 21 '18 at 11:46












                    $begingroup$
                    @AnuDavis No need to say "thanks". That's what the forum is here for.
                    $endgroup$
                    – AleksanderRas
                    Nov 21 '18 at 11:47




                    $begingroup$
                    @AnuDavis No need to say "thanks". That's what the forum is here for.
                    $endgroup$
                    – AleksanderRas
                    Nov 21 '18 at 11:47












                    $begingroup$
                    @ AleksanderRas ok
                    $endgroup$
                    – Anu Davis
                    Nov 21 '18 at 11:51




                    $begingroup$
                    @ AleksanderRas ok
                    $endgroup$
                    – Anu Davis
                    Nov 21 '18 at 11:51












                    $begingroup$
                    a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
                    $endgroup$
                    – hardyrama
                    Nov 22 '18 at 3:37




                    $begingroup$
                    a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
                    $endgroup$
                    – hardyrama
                    Nov 22 '18 at 3:37











                    3












                    $begingroup$

                    RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



                    This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



                    Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






                    Can RC6 be used for encryption and decryption of files larger than 5 MB?




                    Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



                    When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




                    Is there any limitation for input size?




                    Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



                    Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



                    With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



                    Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






                    share|improve this answer











                    $endgroup$













                    • $begingroup$
                      After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 19:01










                    • $begingroup$
                      Yes it turns into a many time pad.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 20:27










                    • $begingroup$
                      It is better to be in the answer :)
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 20:30










                    • $begingroup$
                      I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 21:27








                    • 1




                      $begingroup$
                      One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
                      $endgroup$
                      – fgrieu
                      Nov 22 '18 at 6:49
















                    3












                    $begingroup$

                    RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



                    This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



                    Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






                    Can RC6 be used for encryption and decryption of files larger than 5 MB?




                    Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



                    When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




                    Is there any limitation for input size?




                    Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



                    Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



                    With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



                    Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






                    share|improve this answer











                    $endgroup$













                    • $begingroup$
                      After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 19:01










                    • $begingroup$
                      Yes it turns into a many time pad.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 20:27










                    • $begingroup$
                      It is better to be in the answer :)
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 20:30










                    • $begingroup$
                      I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 21:27








                    • 1




                      $begingroup$
                      One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
                      $endgroup$
                      – fgrieu
                      Nov 22 '18 at 6:49














                    3












                    3








                    3





                    $begingroup$

                    RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



                    This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



                    Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






                    Can RC6 be used for encryption and decryption of files larger than 5 MB?




                    Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



                    When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




                    Is there any limitation for input size?




                    Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



                    Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



                    With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



                    Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






                    share|improve this answer











                    $endgroup$



                    RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



                    This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



                    Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






                    Can RC6 be used for encryption and decryption of files larger than 5 MB?




                    Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



                    When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




                    Is there any limitation for input size?




                    Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



                    Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



                    With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






                    Is RC6 safe for using encryption or has it faced any attacks?




                    RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



                    Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Nov 22 '18 at 4:57

























                    answered Nov 21 '18 at 14:58









                    Maarten BodewesMaarten Bodewes

                    55.1k679196




                    55.1k679196












                    • $begingroup$
                      After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 19:01










                    • $begingroup$
                      Yes it turns into a many time pad.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 20:27










                    • $begingroup$
                      It is better to be in the answer :)
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 20:30










                    • $begingroup$
                      I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 21:27








                    • 1




                      $begingroup$
                      One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
                      $endgroup$
                      – fgrieu
                      Nov 22 '18 at 6:49


















                    • $begingroup$
                      After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 19:01










                    • $begingroup$
                      Yes it turns into a many time pad.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 20:27










                    • $begingroup$
                      It is better to be in the answer :)
                      $endgroup$
                      – kelalaka
                      Nov 21 '18 at 20:30










                    • $begingroup$
                      I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
                      $endgroup$
                      – Maarten Bodewes
                      Nov 21 '18 at 21:27








                    • 1




                      $begingroup$
                      One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
                      $endgroup$
                      – fgrieu
                      Nov 22 '18 at 6:49
















                    $begingroup$
                    After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
                    $endgroup$
                    – kelalaka
                    Nov 21 '18 at 19:01




                    $begingroup$
                    After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
                    $endgroup$
                    – kelalaka
                    Nov 21 '18 at 19:01












                    $begingroup$
                    Yes it turns into a many time pad.
                    $endgroup$
                    – Maarten Bodewes
                    Nov 21 '18 at 20:27




                    $begingroup$
                    Yes it turns into a many time pad.
                    $endgroup$
                    – Maarten Bodewes
                    Nov 21 '18 at 20:27












                    $begingroup$
                    It is better to be in the answer :)
                    $endgroup$
                    – kelalaka
                    Nov 21 '18 at 20:30




                    $begingroup$
                    It is better to be in the answer :)
                    $endgroup$
                    – kelalaka
                    Nov 21 '18 at 20:30












                    $begingroup$
                    I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
                    $endgroup$
                    – Maarten Bodewes
                    Nov 21 '18 at 21:27






                    $begingroup$
                    I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
                    $endgroup$
                    – Maarten Bodewes
                    Nov 21 '18 at 21:27






                    1




                    1




                    $begingroup$
                    One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
                    $endgroup$
                    – fgrieu
                    Nov 22 '18 at 6:49




                    $begingroup$
                    One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
                    $endgroup$
                    – fgrieu
                    Nov 22 '18 at 6:49


















                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Cryptography Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64215%2finput-limitations-on-the-rc6-cipher%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    這個網誌中的熱門文章

                    Xamarin.form Move up view when keyboard appear

                    Post-Redirect-Get with Spring WebFlux and Thymeleaf

                    Anylogic : not able to use stopDelay()