Input limitations on the RC6 cipher
$begingroup$
RSA has limitation in input size for encryption and decryption.
- Can RC6 be used for encryption and decryption of files larger than 5 MB?
- Is there any limitation for input size?
- Is RC6 safe for using encryption or has it faced any attacks?
encryption rsa rc6
edited Jan 26 at 3:29
forest
4,3501641
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
$endgroup$
add a comment |
$begingroup$
RSA has limitation in input size for encryption and decryption.
- Can RC6 be used for encryption and decryption of files larger than 5 MB?
- Is there any limitation for input size?
- Is RC6 safe for using encryption or has it faced any attacks?
encryption rsa rc6
edited Jan 26 at 3:29
forest
4,3501641
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
$endgroup$
add a comment |
$begingroup$
RSA has limitation in input size for encryption and decryption.
- Can RC6 be used for encryption and decryption of files larger than 5 MB?
- Is there any limitation for input size?
- Is RC6 safe for using encryption or has it faced any attacks?
encryption rsa rc6
edited Jan 26 at 3:29
forest
4,3501641
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
$endgroup$
RSA has limitation in input size for encryption and decryption.
- Can RC6 be used for encryption and decryption of files larger than 5 MB?
- Is there any limitation for input size?
- Is RC6 safe for using encryption or has it faced any attacks?
encryption rsa rc6
encryption rsa rc6
edited Jan 26 at 3:29
forest
4,3501641
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
edited Jan 26 at 3:29
forest
4,3501641
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
edited Jan 26 at 3:29
forest
4,3501641
edited Jan 26 at 3:29
forest
4,3501641
edited Jan 26 at 3:29
forest
4,3501641
4,3501641
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
asked Nov 21 '18 at 7:50
Anu DavisAnu Davis
138119
138119
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
RC6 is secure, and has no effective limit on input size.
RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.
RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.
There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".
Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.
answered Nov 21 '18 at 8:06
forestforest
4,3501641
$endgroup$
add a comment |
$begingroup$
Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.
This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.
Can RC6 be used for encrytion and decryption of files larger than 5 MB?
Yes.
Is there any limitation for input size?
When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.
This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 is considered to be safe.
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
$endgroup$
1
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
1
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
|
show 2 more comments
$begingroup$
RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.
This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.
Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.
Can RC6 be used for encryption and decryption of files larger than 5 MB?
Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.
When used in a block cipher mode of operation, 5MB is a relatively small amount of data.
Is there any limitation for input size?
Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.
Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).
With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.
Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
$endgroup$
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
1
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64215%2finput-limitations-on-the-rc6-cipher%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
RC6 is secure, and has no effective limit on input size.
RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.
RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.
There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".
Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.
answered Nov 21 '18 at 8:06
forestforest
4,3501641
$endgroup$
add a comment |
$begingroup$
RC6 is secure, and has no effective limit on input size.
RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.
RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.
There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".
Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.
answered Nov 21 '18 at 8:06
forestforest
4,3501641
$endgroup$
add a comment |
$begingroup$
RC6 is secure, and has no effective limit on input size.
RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.
RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.
There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".
Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.
answered Nov 21 '18 at 8:06
forestforest
4,3501641
$endgroup$
RC6 is secure, and has no effective limit on input size.
RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.
RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.
There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".
Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.
answered Nov 21 '18 at 8:06
forestforest
4,3501641
edited Nov 22 '18 at 7:24
answered Nov 21 '18 at 8:06
forestforest
4,3501641
answered Nov 21 '18 at 8:06
forestforest
4,3501641
answered Nov 21 '18 at 8:06
forestforest
4,3501641
4,3501641
add a comment |
add a comment |
$begingroup$
Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.
This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.
Can RC6 be used for encrytion and decryption of files larger than 5 MB?
Yes.
Is there any limitation for input size?
When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.
This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 is considered to be safe.
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
$endgroup$
1
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
1
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
|
show 2 more comments
$begingroup$
Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.
This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.
Can RC6 be used for encrytion and decryption of files larger than 5 MB?
Yes.
Is there any limitation for input size?
When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.
This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 is considered to be safe.
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
$endgroup$
1
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
1
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
|
show 2 more comments
$begingroup$
Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.
This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.
Can RC6 be used for encrytion and decryption of files larger than 5 MB?
Yes.
Is there any limitation for input size?
When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.
This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 is considered to be safe.
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
$endgroup$
Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.
This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.
Can RC6 be used for encrytion and decryption of files larger than 5 MB?
Yes.
Is there any limitation for input size?
When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.
This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 is considered to be safe.
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
edited Nov 21 '18 at 11:43
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
answered Nov 21 '18 at 8:15
AleksanderRasAleksanderRas
2,6371834
2,6371834
1
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
1
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
|
show 2 more comments
1
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
1
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
1
1
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
$begingroup$
I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
$endgroup$
– forest
Nov 21 '18 at 8:16
1
1
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@forest Edited my answer.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:46
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@AnuDavis No need to say "thanks". That's what the forum is here for.
$endgroup$
– AleksanderRas
Nov 21 '18 at 11:47
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
@ AleksanderRas ok
$endgroup$
– Anu Davis
Nov 21 '18 at 11:51
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
$begingroup$
a question : RC6 uses variable rotation , is it vulnerable to timing (side channel attack) ?
$endgroup$
– hardyrama
Nov 22 '18 at 3:37
|
show 2 more comments
$begingroup$
RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.
This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.
Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.
Can RC6 be used for encryption and decryption of files larger than 5 MB?
Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.
When used in a block cipher mode of operation, 5MB is a relatively small amount of data.
Is there any limitation for input size?
Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.
Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).
With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.
Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
$endgroup$
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
1
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
add a comment |
$begingroup$
RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.
This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.
Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.
Can RC6 be used for encryption and decryption of files larger than 5 MB?
Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.
When used in a block cipher mode of operation, 5MB is a relatively small amount of data.
Is there any limitation for input size?
Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.
Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).
With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.
Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
$endgroup$
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
1
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
add a comment |
$begingroup$
RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.
This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.
Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.
Can RC6 be used for encryption and decryption of files larger than 5 MB?
Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.
When used in a block cipher mode of operation, 5MB is a relatively small amount of data.
Is there any limitation for input size?
Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.
Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).
With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.
Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
$endgroup$
RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.
This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.
Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.
Can RC6 be used for encryption and decryption of files larger than 5 MB?
Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.
When used in a block cipher mode of operation, 5MB is a relatively small amount of data.
Is there any limitation for input size?
Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.
Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).
With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.
Is RC6 safe for using encryption or has it faced any attacks?
RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.
Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
edited Nov 22 '18 at 4:57
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
answered Nov 21 '18 at 14:58
Maarten Bodewes♦Maarten Bodewes
55.1k679196
55.1k679196
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
1
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
add a comment |
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
1
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
$endgroup$
– kelalaka
Nov 21 '18 at 19:01
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
Yes it turns into a many time pad.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 20:27
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
It is better to be in the answer :)
$endgroup$
– kelalaka
Nov 21 '18 at 20:30
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
$begingroup$
I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
$endgroup$
– Maarten Bodewes♦
Nov 21 '18 at 21:27
1
1
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
$begingroup$
One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
$endgroup$
– fgrieu
Nov 22 '18 at 6:49
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64215%2finput-limitations-on-the-rc6-cipher%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
