## Breaking RC5 Without Rotation

From: andrew cooke <andrew@...>

Date: Tue, 19 Nov 2013 00:51:58 -0300

This is the first task in Schneier's DIY course on block ciphers -
https://www.schneier.com/paper-self-study.html - so presumably it should be
easy.

The task is for 8 rounds.  I managed zero and was stuck at 1.  Then this
evening I had a neat idea for how to do 1 round - you can see the test at
https://github.com/andrewcooke/BlockCipherSelfStudy.jl/blob/master/src/Experiment.jl#L5
- but there is no way I can scale that to 8 rounds.

So I went to bed.  And as soon as my head hit the pillow, I got it (I think /
hope).

The frustrating thing was, without rotation, RC5 is "linear".  Hence it should
be easy.  That's what everyone implies.  But it wasn't clear to me what
"linear" meant.  In particular, RC5 combines addition (mod 2^32) with XOR.
And XOR is addition mod 2.  And so I was thinking - how can I make those work
together?  I imagined my little spinning clock hands, which is pretty much
the limit of my intuition for modular arithmetic, and it struck me that I can
fit one inside the other!

All that means, really, is that I start with the least significant bit.  That,
I can solve for (I think!).  And with that, I can do the next bit (the carries

So I am writing this down now so I can go back to bed without worrying I will
forget...

Andrew

PS Maybe I am too optimistic.  Why does he limit it to 8 rounds?  Need to
sleep, must stop thinking...
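The least-significant-bit-first idea described in the post, worked through as an added example (this is not code from the post or from Andrew's BlockCipherSelfStudy.jl repository). The cipher is standard RC5 with the data-dependent rotations deleted; the word size (8 bits instead of 32), the round count (2 instead of 8), the secret subkeys and the plaintexts are all constructed for the demonstration. The point it shows is why "linear" helps: both addition mod 2^W and XOR are triangular in the bit index, so the low k output bits depend only on the low k bits of the subkeys, and the unknown bits can be fixed one position at a time, with the carries from the already-known bits handled automatically.

```python
import itertools
import random

# Toy parameters (constructed for this example): the post works with 32-bit
# words and an 8-round target; 8-bit words and 2 rounds keep the search instant.
W = 8                  # word size in bits
MASK = (1 << W) - 1
R = 2                  # number of rounds
N_SUBKEYS = 2 * R + 2  # RC5 uses S[0..2r+1]


def encrypt(pt, S, rounds=R):
    """RC5 encryption with the data-dependent rotations removed
    (real RC5 has A = ((A ^ B) <<< B) + S[2i]; here the <<< is gone)."""
    A, B = pt
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = ((A ^ B) + S[2 * i]) & MASK
        B = ((B ^ A) + S[2 * i + 1]) & MASK
    return A, B


def decrypt(ct, S, rounds=R):
    """Inverse of encrypt: undo each round's additions and XORs in reverse."""
    A, B = ct
    for i in range(rounds, 0, -1):
        B = ((B - S[2 * i + 1]) & MASK) ^ A
        A = ((A - S[2 * i]) & MASK) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, B


def low_bits_consistent(S_partial, k, pairs, rounds=R):
    """True if subkeys known only in their low k bits reproduce the low k bits
    of every ciphertext. This is exact because + (mod 2^W) and XOR are both
    'triangular': bit j of the result depends only on bits 0..j of the inputs,
    so the unknown high key bits (left as zero) cannot disturb the low k bits."""
    mask = (1 << k) - 1
    for pt, ct in pairs:
        A, B = encrypt(pt, S_partial, rounds)
        if (A & mask) != (ct[0] & mask) or (B & mask) != (ct[1] & mask):
            return False  # first mismatch is enough to reject this candidate
    return True


def recover(pairs, rounds=R):
    """Recover a subkey set consistent with the known pairs, one bit position
    at a time, least significant bit first. At bit 0 addition is plain XOR
    (no carry in); at bit k the carries are already fixed by the lower bits,
    so each level is a search over 2^(2r+2) assignments of the new key bits,
    with backtracking when none of them fits the pairs."""
    n = 2 * rounds + 2

    def search(S, k):
        if k == W:
            return list(S)
        for bits in itertools.product((0, 1), repeat=n):
            cand = [s | (b << k) for s, b in zip(S, bits)]
            if low_bits_consistent(cand, k + 1, pairs, rounds):
                found = search(cand, k + 1)
                if found is not None:
                    return found
        return None  # no assignment of this bit fits: caller backtracks

    return search([0] * n, 0)


# Constructed secret subkeys and known-plaintext pairs for the demonstration.
SECRET_SUBKEYS = [0x3C, 0xA5, 0x17, 0xE2, 0x5B, 0x90]


def make_pairs(S, n, seed=1):
    rng = random.Random(seed)
    pts = [(rng.randrange(1 << W), rng.randrange(1 << W)) for _ in range(n)]
    return [(pt, encrypt(pt, S)) for pt in pts]


def demo(n_pairs=16):
    pairs = make_pairs(SECRET_SUBKEYS, n_pairs)
    S = recover(pairs)
    ok = all(encrypt(pt, S) == ct and decrypt(ct, S) == pt for pt, ct in pairs)
    return S, ok


if __name__ == "__main__":
    S, ok = demo()
    print("recovered subkeys:", [hex(s) for s in S], "consistent:", ok)
```

The recovered subkeys need not equal `SECRET_SUBKEYS`: without rotation the cipher has equivalent keys (for instance, flipping the top bit of S[0], S[1], S[4] and S[5] together leaves every ciphertext unchanged), and the search returns the first set that matches all the pairs, which is all a decryptor needs. The work per bit position is 2^(2r+2) candidate assignments, so the 8-round target costs about 2^18 per bit rather than anything near the full key space, which is the sense in which the linear version is "easy".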