# New Attacks on IDEA with at Least 6 Rounds

## Abstract

IDEA is a 64-bit block cipher with 128-bit keys which was introduced by Lai and Massey in 1991. The best previously published attack on IDEA could only handle 6 of its 8.5 rounds. In this paper, we combine a highly optimized meet-in-the-middle attack with a keyless version of the Biryukov–Demirci relation to obtain a greatly improved attack on 6-round IDEA which requires only two known plaintexts, and the first key recovery attacks on versions of IDEA with 6.5 to 8.5 rounds.

## Key words

IDEA, Cryptanalysis, Biryukov–Demirci relation, Zero-in-the-Middle attack

## Notes

### Acknowledgements

The authors thank Willi Meier and the anonymous referees for their constructive and helpful comments.

## Copyright information

© International Association for Cryptologic Research 2013