Input limitations on the RC6 cipher












2














RSA has limitation in input size for encryption and decryption.




  • Can RC6 be used for encrytion and decryption of files larger than 5 MB?

  • Is there any limitation for input size?

  • Is RC6 safe for using encryption or has it faced any attacks?










share|improve this question





























    2














    RSA has limitation in input size for encryption and decryption.




    • Can RC6 be used for encrytion and decryption of files larger than 5 MB?

    • Is there any limitation for input size?

    • Is RC6 safe for using encryption or has it faced any attacks?










    share|improve this question



























      2












      2








      2


      3





      RSA has limitation in input size for encryption and decryption.




      • Can RC6 be used for encrytion and decryption of files larger than 5 MB?

      • Is there any limitation for input size?

      • Is RC6 safe for using encryption or has it faced any attacks?










      share|improve this question















      RSA has limitation in input size for encryption and decryption.




      • Can RC6 be used for encrytion and decryption of files larger than 5 MB?

      • Is there any limitation for input size?

      • Is RC6 safe for using encryption or has it faced any attacks?







      encryption rsa rc6






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 at 21:42









      Maarten Bodewes

      52.8k677191




      52.8k677191










      asked Nov 21 at 7:50









      Anu Davis

      118119




      118119






















          3 Answers
          3






          active

          oldest

          votes


















          5














          RC6 is secure, and has no effective limit on input size.



          RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



          RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



          There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





          Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






          share|improve this answer























          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:02



















          3














          RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



          This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



          Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






          Can RC6 be used for encryption and decryption of files larger than 5 MB?




          Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



          When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




          Is there any limitation for input size?




          Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



          Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



          With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



          Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






          share|improve this answer























          • After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
            – kelalaka
            Nov 21 at 19:01










          • Yes it turns into a many time pad.
            – Maarten Bodewes
            Nov 21 at 20:27










          • It is better to be in the answer :)
            – kelalaka
            Nov 21 at 20:30










          • I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
            – Maarten Bodewes
            Nov 21 at 21:27








          • 1




            One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
            – fgrieu
            Nov 22 at 6:49



















          2














          Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



          This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




          Can RC6 be used for encrytion and decryption of files larger than 5 MB?




          Yes.




          Is there any limitation for input size?




          When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



          This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 is considered to be safe.






          share|improve this answer



















          • 1




            I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
            – forest
            Nov 21 at 8:16












          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:03






          • 1




            @forest Edited my answer.
            – AleksanderRas
            Nov 21 at 11:46










          • @AnuDavis No need to say "thanks". That's what the forum is here for.
            – AleksanderRas
            Nov 21 at 11:47










          • @ AleksanderRas ok
            – Anu Davis
            Nov 21 at 11:51











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "281"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64215%2finput-limitations-on-the-rc6-cipher%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          3 Answers
          3






          active

          oldest

          votes








          3 Answers
          3






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          5














          RC6 is secure, and has no effective limit on input size.



          RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



          RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



          There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





          Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






          share|improve this answer























          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:02
















          5














          RC6 is secure, and has no effective limit on input size.



          RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



          RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



          There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





          Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






          share|improve this answer























          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:02














          5












          5








          5






          RC6 is secure, and has no effective limit on input size.



          RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



          RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



          There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





          Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.






          share|improve this answer














          RC6 is secure, and has no effective limit on input size.



          RSA is an asymmetric cipher. It is not designed for general purpose encryption, and so has a very tight limit on the amount of data that can be encrypted. In fact, unlike symmetric ciphers, textbook RSA is based on a mathematical problem, so the ciphertext is the plaintext raised to an public exponent, modulo a large public integer. This modular operation puts a hard limit on the length of the plaintext to be encrypted. Note that RSA is not used to encrypt anything directly. It is used to encrypt a smaller symmetric key which is then used to protect the confidentiality of further communications.



          RC6 is a symmetric block cipher. The amount of data that can be encrypted with a single key depends on the mode of operation in use, as well as the block size of the cipher. For a cipher with 128-bit blocks, like RC6, the amount of data it can securely encrypt is vast. To put it into hard numbers, in order to have an already astronomically small 2-32 chance of leaking a little bit of information from one 128-bit block in CBC mode, you need to encrypt more than four petabytes of data with one key. A mere five megabytes is nothing.



          There are no known attacks which weaken RC6 to the point that breaking it is practical. As it did not win the AES competition however, it has received comparatively less analysis. A large amount of information on its security can be found by searching "rc6 cryptanalysis pdf".





          Obligatory disclaimer: Choosing the cipher is the easiest part of implementing a secure cryptosystem. If you are designing your own cryptosystem, don't. Simply using RC6 is not enough to provide security. You need to choose the proper mode of operation, use authentication, use a secure KDF if the key is to be derived from a password, mitigate a variety of attacks if used on the network (reflection, replay, man-in-the-middle, etc). Don't think that, just because you are using a secure cipher, that the data you encrypt is secure.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 22 at 7:24

























          answered Nov 21 at 8:06









          forest

          2,586831




          2,586831












          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:02


















          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:02
















          Thanks for the answer
          – Anu Davis
          Nov 21 at 9:02




          Thanks for the answer
          – Anu Davis
          Nov 21 at 9:02











          3














          RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



          This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



          Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






          Can RC6 be used for encryption and decryption of files larger than 5 MB?




          Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



          When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




          Is there any limitation for input size?




          Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



          Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



          With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



          Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






          share|improve this answer























          • After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
            – kelalaka
            Nov 21 at 19:01










          • Yes it turns into a many time pad.
            – Maarten Bodewes
            Nov 21 at 20:27










          • It is better to be in the answer :)
            – kelalaka
            Nov 21 at 20:30










          • I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
            – Maarten Bodewes
            Nov 21 at 21:27








          • 1




            One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
            – fgrieu
            Nov 22 at 6:49
















          3














          RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



          This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



          Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






          Can RC6 be used for encryption and decryption of files larger than 5 MB?




          Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



          When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




          Is there any limitation for input size?




          Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



          Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



          With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



          Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






          share|improve this answer























          • After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
            – kelalaka
            Nov 21 at 19:01










          • Yes it turns into a many time pad.
            – Maarten Bodewes
            Nov 21 at 20:27










          • It is better to be in the answer :)
            – kelalaka
            Nov 21 at 20:30










          • I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
            – Maarten Bodewes
            Nov 21 at 21:27








          • 1




            One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
            – fgrieu
            Nov 22 at 6:49














          3












          3








          3






          RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



          This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



          Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






          Can RC6 be used for encryption and decryption of files larger than 5 MB?




          Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



          When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




          Is there any limitation for input size?




          Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



          Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



          With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



          Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.






          share|improve this answer














          RSA doesn't really have a limit on what can be encrypted. It is possible to encrypt many separate messages using RSA. Splitting an message into separate parts before encryption allows you to encrypt many parts of data without the risk of loosing confidentiality.



          This will however take a lot of CPU time, it will expand each part of the message and it will not provide any kind of integrity protection (but neither do known modes of operation such as CBC). So asymmetric encryption is not used for bulk encryption, it is only used for small messages where asymmetric encryption is required and the byte count needs to kept low.



          Instead asymmetric algorithms (ciphers and key establishment schemes) are commonly used to encrypt or derive a symmetric key - such as a symmetric key for RC6 - which then can be used to encrypt the data itself. This is called a hybrid cryptosystem as it both relies on asymmetric and symmetric cryptography.






          Can RC6 be used for encryption and decryption of files larger than 5 MB?




          Not by itself. RC6 is a block cipher and can therefore only be used to encrypt blocks of data. RC6 has a block size of 128 bits. To encrypt data you will have to use a mode of operation. The amount of data that can be encrypted is then a function of the mode of operation and the block size. It also depends on the way the mode of operation is applied, especially how the IV is constructed. The amount of messages (files) that may be encrypted may also be restricted.



          When used in a block cipher mode of operation, 5MB is a relatively small amount of data.




          Is there any limitation for input size?




          Yes. It can be calculated for specific modes of operation. There are certainly modes of operations such as GCM that have smaller limits then that you would expect for the block size. GCM has a limit of "just" 64 GiB of data. That's much larger than 5 MB, but it is much smaller than you would expect for a cipher such as AES or RC6 with a block size of 128 bits.



          Counter mode (CTR mode), when used correctly on a single message, can be used to encrypt $2^{128}$ blocks of data, with each block containing 16 bytes. That's $10^{37}$ times all the data in the world. That means that this mode of operation has no practical limit for single messages (implementations may limit you to $2^{64}$ or even $2^{32}$ counter values / blocks in extreme cases).



          With these kind of sizes you may expect that the amount of data to encrypt is generally not used to choose a specific mode of operation, especially not for 128 bit block ciphers: almost any mode of operation will provide higher limits than required. Other properties of the mode of operation are generally considered more important. GCM for instance provides authenticated encryption that protects the message against change, while CTR or CBC mode does not.






          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 has not been broken. But it has not been selected to be AES either. That means that there has been less incentive to find attacks on it. As one of the AES finalists it certainly has been thoroughly examined though, and no attacks were found.



          Finding good support for it, such as known good implementations or hardware implementations of it will be harder. This is especially true when it comes to authenticated modes. It could also mean that side channel attacks are more likely because of this. Generally we prefer just to use AES (Rijndael) for this reason - even though the AES algorithm may be more vulnerable in principle.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 22 at 4:57

























          answered Nov 21 at 14:58









          Maarten Bodewes

          52.8k677191




          52.8k677191












          • After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
            – kelalaka
            Nov 21 at 19:01










          • Yes it turns into a many time pad.
            – Maarten Bodewes
            Nov 21 at 20:27










          • It is better to be in the answer :)
            – kelalaka
            Nov 21 at 20:30










          • I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
            – Maarten Bodewes
            Nov 21 at 21:27








          • 1




            One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
            – fgrieu
            Nov 22 at 6:49


















          • After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
            – kelalaka
            Nov 21 at 19:01










          • Yes it turns into a many time pad.
            – Maarten Bodewes
            Nov 21 at 20:27










          • It is better to be in the answer :)
            – kelalaka
            Nov 21 at 20:30










          • I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
            – Maarten Bodewes
            Nov 21 at 21:27








          • 1




            One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
            – fgrieu
            Nov 22 at 6:49
















          After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
          – kelalaka
          Nov 21 at 19:01




          After $2^{128}$ the counter is set to $0$ in CTR. Is there a problem that one can continue?
          – kelalaka
          Nov 21 at 19:01












          Yes it turns into a many time pad.
          – Maarten Bodewes
          Nov 21 at 20:27




          Yes it turns into a many time pad.
          – Maarten Bodewes
          Nov 21 at 20:27












          It is better to be in the answer :)
          – kelalaka
          Nov 21 at 20:30




          It is better to be in the answer :)
          – kelalaka
          Nov 21 at 20:30












          I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
          – Maarten Bodewes
          Nov 21 at 21:27






          I'll put it in the answer when somebody reaches $2^{127}$ blocks ;) This question is not about CTR mode, they can look it up on the site if required.
          – Maarten Bodewes
          Nov 21 at 21:27






          1




          1




          One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
          – fgrieu
          Nov 22 at 6:49




          One issue to consider about RC6 is that implementation on CPUs lacking a 32-bit barrel shifter (including some low-end 32-bit CPUs) is slow, and potentially subject to timing attack.
          – fgrieu
          Nov 22 at 6:49











          2














          Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



          This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




          Can RC6 be used for encrytion and decryption of files larger than 5 MB?




          Yes.




          Is there any limitation for input size?




          When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



          This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 is considered to be safe.






          share|improve this answer



















          • 1




            I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
            – forest
            Nov 21 at 8:16












          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:03






          • 1




            @forest Edited my answer.
            – AleksanderRas
            Nov 21 at 11:46










          • @AnuDavis No need to say "thanks". That's what the forum is here for.
            – AleksanderRas
            Nov 21 at 11:47










          • @ AleksanderRas ok
            – Anu Davis
            Nov 21 at 11:51
















          2














          Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



          This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




          Can RC6 be used for encrytion and decryption of files larger than 5 MB?




          Yes.




          Is there any limitation for input size?




          When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



          This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 is considered to be safe.






          share|improve this answer



















          • 1




            I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
            – forest
            Nov 21 at 8:16












          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:03






          • 1




            @forest Edited my answer.
            – AleksanderRas
            Nov 21 at 11:46










          • @AnuDavis No need to say "thanks". That's what the forum is here for.
            – AleksanderRas
            Nov 21 at 11:47










          • @ AleksanderRas ok
            – Anu Davis
            Nov 21 at 11:51














          2












          2








          2






          Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



          This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




          Can RC6 be used for encrytion and decryption of files larger than 5 MB?




          Yes.




          Is there any limitation for input size?




          When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



          This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 is considered to be safe.






          share|improve this answer














          Usually you don't encrypt data / messages directly with RSA, rather you encrypt a symmetric key for future encryptions.



          This has the advantage that it's more efficient to encrypt and decrypt data, because symmetric cryptography is faster than asymmetric cryptography.




          Can RC6 be used for encrytion and decryption of files larger than 5 MB?




          Yes.




          Is there any limitation for input size?




          When encrypting data with a symmetric block cipher, which uses blocks of n bits, some security concerns begin to appear when the amount of data encrypted with a single key comes close to $2^n/2$ blocks, i.e. $n*2^{n/2}$ bits.



          This means that there is indeed a limit of data to encrypt but it's so large that it should never be a problem. AES-128 bit encryption for example can safely encrypt data of over 250 Million TB.




          Is RC6 safe for using encryption or has it faced any attacks?




          RC6 is considered to be safe.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 21 at 11:43

























          answered Nov 21 at 8:15









          AleksanderRas

          1,7771525




          1,7771525








          • 1




            I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
            – forest
            Nov 21 at 8:16












          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:03






          • 1




            @forest Edited my answer.
            – AleksanderRas
            Nov 21 at 11:46










          • @AnuDavis No need to say "thanks". That's what the forum is here for.
            – AleksanderRas
            Nov 21 at 11:47










          • @ AleksanderRas ok
            – Anu Davis
            Nov 21 at 11:51














          • 1




            I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
            – forest
            Nov 21 at 8:16












          • Thanks for the answer
            – Anu Davis
            Nov 21 at 9:03






          • 1




            @forest Edited my answer.
            – AleksanderRas
            Nov 21 at 11:46










          • @AnuDavis No need to say "thanks". That's what the forum is here for.
            – AleksanderRas
            Nov 21 at 11:47










          • @ AleksanderRas ok
            – Anu Davis
            Nov 21 at 11:51








          1




          1




          I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
          – forest
          Nov 21 at 8:16






          I'm not sure how what Wikipedia stated is a problem. It just means that some NSA malware used RC6. It doesn't mean that RC6 is broken, just that they used it. If anything, it means they trust it (or that it's so obscure that antimalware programs are unlikely to recognize it).
          – forest
          Nov 21 at 8:16














          Thanks for the answer
          – Anu Davis
          Nov 21 at 9:03




          Thanks for the answer
          – Anu Davis
          Nov 21 at 9:03




          1




          1




          @forest Edited my answer.
          – AleksanderRas
          Nov 21 at 11:46




          @forest Edited my answer.
          – AleksanderRas
          Nov 21 at 11:46












          @AnuDavis No need to say "thanks". That's what the forum is here for.
          – AleksanderRas
          Nov 21 at 11:47




          @AnuDavis No need to say "thanks". That's what the forum is here for.
          – AleksanderRas
          Nov 21 at 11:47












          @ AleksanderRas ok
          – Anu Davis
          Nov 21 at 11:51




          @ AleksanderRas ok
          – Anu Davis
          Nov 21 at 11:51


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64215%2finput-limitations-on-the-rc6-cipher%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          404 Error Contact Form 7 ajax form submitting

          How to know if a Active Directory user can login interactively

          TypeError: fit_transform() missing 1 required positional argument: 'X'