RC2 is a symmetric cryptography primitive created by Ronald Rivest in 1987. It is a 64-bit symmetric-key block cipher that was designed to be efficient in software and to offer adjustable strength through a variable-length secret key. The name "RC" is commonly expanded as "Rivest Cipher" or colloquially as "Ron's Code." While once widely used in commercial software, RC2 is now considered largely historic and has been superseded by more modern ciphers.
Design and structure
RC2 operates on 64-bit blocks and performs a total of 18 rounds. Its internal structure is often described as a source-heavy Feistel-like arrangement; the algorithm alternates between two different round types commonly called "mixing" and "mashing." The sequence of rounds is fixed and interleaved in the following pattern:
- 5 mixing rounds
- 1 mashing round
- 6 mixing rounds
- 1 mashing round
- 5 mixing rounds
Mixing rounds apply several small nonlinear operations and rotations to the four 16-bit words that make up the 64-bit block; a single mixing round consists of four repeated "mix-up" transformations. Mashing rounds are simpler and introduce key-dependent additions: they add words from an expanded key to the internal state, helping to diffuse key material into the data path. The overall design emphasizes operations that are inexpensive on general-purpose CPUs: word rotations, additions, and table lookups.
Key schedule and parameters
RC2 accepts a variable-length input key; the algorithm expands that key into an internal expanded key consisting of 64 words of 16 bits each (an internal array often described in the literature). The expansion algorithm mixes every bit of the supplied key into those 64 words in a manner intended to distribute key influence across rounds. Because the expanded key is measured in 16-bit words, implementations typically handle the cipher as four 16-bit words per data block. For protocol-level references and parameter guidance see the published specification and standards that implemented RC2 for compatibility and portability details.
History and standardization
RC2 was developed while Rivest worked with RSA Security and was commissioned for use by commercial products such as Lotus Notes. The development and export of RC2 were influenced by U.S. export controls on cryptography in the late 1980s; Lotus requested a version suitable for export, and the U.S. National Security Agency suggested specific modifications that were incorporated into the final design. After review and negotiation, RC2 was approved for export in the late 1980s. For contemporary explanations of its provenance and export context, see historical accounts and archived technical notes Feistel background and manufacturer documentation available at the time key sizes.
Security and cryptanalysis
At first RC2 was proprietary to RSA Security and details were not public. The algorithm later became publicly known; an anonymous posting in 1996 made the source widely available on the Internet, including Usenet forums such as sci.crypt, and this disclosure allowed the wider cryptographic community to analyze the construction. Subsequent cryptanalysis identified weaknesses: in 1997 Kelsey, Schneier and Wagner published a related-key attack against RC2 that required on the order of 2^34 chosen plaintexts under related-key assumptions, reducing the effective security in certain theoretical models related-key attack. This type of attack assumes the attacker can obtain encryptions under multiple keys that are related in a known way, a capability not common in well-designed protocols but important in evaluating algorithmic resilience.
RC2 was also affected in practice by export controls that limited many implementations to a 40-bit effective key length, a level now recognized as insecure because such short keys are vulnerable to exhaustive search or brute force attack. By modern cryptographic standards, RC2 does not offer the security guarantees of later ciphers (for example AES-family algorithms) and is therefore not recommended for new systems.
Uses, compatibility, and legacy
RC2 appeared in a number of software products and protocols in the 1990s and early 2000s. Its relative simplicity and software performance made it attractive for legacy systems and for contexts where certified or preapproved algorithms were required. Over time, as stronger and better-analyzed ciphers became widely available, RC2 was phased out of most standards and applications. Implementers maintaining legacy support sometimes still encounter RC2-encrypted data and need to understand key sizes and block behavior to interoperate.
Notable facts and references
- Designer: Ronald Rivest; introduced c. 1987; proprietary to RSA Security until public disclosures proprietary.
- Block size: 64 bits; rounds: 18 (mixing and mashing sequence documented in the specification).
- Key expansion: produces 64 16-bit words (internal expanded key) from a variable-length input key; implementations must follow the published schedule for compatibility 16-bit words.
- Historical export and deployment context: collaborated with manufacturers and reviewed by government agencies during export approval processes anonymous posting provides anecdotal history; see product archives RC4 comparisons and vendor notes cryptography.
For further technical and historical material consult archived standards and analyses, including protocol specifications, cryptanalysis papers, and implementation notes that document RC2's parameters and known attacks; many such resources are indexed in public cryptographic literature repositories and historical discussion forums symmetric-key, block cipher, sci.crypt.