James Massey and his PhD student Xuejia Lai designed the International Data Encryption Algorithm (IDEA) on behalf of the Swiss company Ascom Tech AG and published its details in 1991 [LM90]. The primary reference for IDEA is Lai’s PhD Thesis [Lai92].
IDEA is an improvement on a previous cipher by the same authors, the Proposed Encryption Standard (PES) [LM90]. Lai and Massey, together with Sean Murphy, showed that differential cryptanalysis could be used to recover PES keys [LMM91]. PES was then corrected, and the resulting cipher, initially called IPES (Improved PES), was later renamed to IDEA. The name IDEA is a trademark. The cipher was patented, but the patents are now expired.
IDEA is used in Pretty Good Privacy (PGP) v2.0, and was incorporated after the original cipher used in v1.0, BassOmatic, was found to be insecure. IDEA is an optional algorithm in the OpenPGP standard. It is also used for Pay-TV applications.
IDEA is an iterative block cipher, and it is one of the oldest public designs of an iterative SPN that is not a Feistel network. In fact, this design has its own name, the Lai-Massey Design, after the names of the architects of the cipher (cf. Section 1.5 on page 37).
IDEA operates on 64-bit blocks using a 128-bit key. It consists of a series of eight identical rounds, depicted in Figure 3.9 on the facing page, followed by an output transformation called the “half-round” and depicted in Figure 3.10. Each 64-bit block is split into four 16-bit fields and all operations are performed on 16-bit values, with a high level of parallelism. At the end of each round two of the 16-bit fields are swapped. The half-round starts by undoing the swap at the end of the previous round, which in practice is just optimized away.
A full round is composed of two parts. The first part is a key mixing half-round. The second part is a 32-to-32-bit Multiplication-Addition Box (MA Box) bracketed by XOR operations to first reduce the input from 64 bits to 32, and then to spread the output of the MA Box on the whole 64-bit block.
Each round uses six 16-bit subkeys, while the half-round uses four, a total of 52 for 8.5 rounds. The first eight subkeys are extracted directly from the key, with $k_1$ from the first round being the lower 16 bits, and $k_2$ from the second round being the upper 16 bits. Further groups of eight subkeys are created by rotating the main key to the left 25 bits before repeating the same round key extraction procedure.
IDEA has a successor, IDEA NXT (Section 3.23 on page 195), that was originally called FOX.
[Figure 3.9: A Round of IDEA. Inputs in0 to in3, outputs out0 to out3, subkeys $k_0, \ldots, k_5$, MA Box.]
[Figure 3.10: IDEA’s Final Half-Round. Inputs in0 to in3, outputs out0 to out3, subkeys $k_0, \ldots, k_3$.]
In the figures, ⊙ denotes multiplication modulo $2^{16}+1$, where the zero value represents $2^{16}$. ⊞ and ⊕ denote addition modulo $2^{16}$ and bitwise XOR, respectively.
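
Added example, not code from the book: a Python rendering of the round structure and key schedule described above, checked against the widely published IDEA test vector. The function names are my own, and taking the first subkey from the most significant 16-bit word of the key is an assumption (it is the word order that reproduces the test vector).

```python
MASK = 0xFFFF      # every value in the cipher is a 16-bit word
P = 0x10001        # the prime 2^16 + 1

def mul(a, b):
    """Multiplication modulo 2^16 + 1; the word 0 represents 2^16."""
    return ((a or 0x10000) * (b or 0x10000) % P) & MASK

def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) & MASK

def subkeys(key):
    """Expand a 16-byte key into 52 subkeys: eight words, rotate left 25, repeat."""
    k, out = int.from_bytes(key, "big"), []
    while len(out) < 52:
        out += [(k >> (112 - 16 * i)) & MASK for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return out[:52]

def encrypt_block(block, key):
    """Encrypt one 8-byte block: eight full rounds plus the final half-round."""
    z = subkeys(key)
    x0, x1, x2, x3 = (int.from_bytes(block[i:i + 2], "big") for i in (0, 2, 4, 6))
    for r in range(8):
        k = z[6 * r:6 * r + 6]
        # First part: key-mixing half-round.
        a, b, c, d = mul(x0, k[0]), add(x1, k[1]), add(x2, k[2]), mul(x3, k[3])
        # Second part: XOR down to 32 bits and run the MA Box.
        g = mul(a ^ c, k[4])
        i = mul(add(b ^ d, g), k[5])
        j = add(g, i)
        # Spread the MA Box output over the block and swap the middle words.
        x0, x1, x2, x3 = a ^ i, c ^ i, b ^ j, d ^ j
    k = z[48:]
    # Final half-round: undo the last swap, then mix in four subkeys.
    out = (mul(x0, k[0]), add(x2, k[1]), add(x1, k[2]), mul(x3, k[3]))
    return b"".join(w.to_bytes(2, "big") for w in out)

# Widely published IDEA test vector (key words 1..8, plaintext words 0..3).
KEY = bytes.fromhex("00010002000300040005000600070008")
PLAINTEXT = bytes.fromhex("0000000100020003")

if __name__ == "__main__":
    print(encrypt_block(PLAINTEXT, KEY).hex())
```
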
3.6.1 Design Principles
• IDEA’s design intends to mitigate the slower diffusion typical of Feistel networks while at the same time keeping the latter design’s advantage of using the same data obfuscation path for both encryption and decryption. However, this is achieved at the price that there is a linear function of the state that is invariant upon application of the round function. This is solved by applying a simple state permutation and non-linear key mixing.
• IDEA achieves non-linearity by combining different operations on mutually “incompatible” algebraic structures. Indeed, MA stands for multiplication-addition, where multiplication is in the multiplicative group of the integers modulo $2^{16}+1$ and addition is modulo $2^{16}$. A third operation used in the cipher is bitwise XOR. No two of these three operations satisfy any distributive or associative law. This incompatibility eliminates any exploitable algebraic property, thus making it very difficult – if not infeasible – to solve the cipher algebraically.
• Modular multiplication produces huge mathematical complexity while consuming very few clock cycles on modern processors. It thus greatly contributes to security and efficiency of the cipher. The use of the modulus $p = 2^{16}+1$ is very ingenious: since $p$ is prime, modular multiplication by a fixed value in the set $\mathcal{S} = [1, \ldots, p-1]$ is a bijection on the set of values in the same set $\mathcal{S}$ – and all the values in the set are represented in just 16 bits by using the zero value to represent $p - 1 = 2^{16}$.
• All operations and values depend on the input, the secret key, and the choice of register sizes – no fixed constants are combined with the input, not even “nothing up my sleeve numbers.”
• Key schedule is kept very simple, leaving the burden of the confusion of the key bits mostly to the data obfuscation path.
3.6.2 Cryptanalysis
The key schedule is the main weakness of the cipher, since keys with too many zeros and ones or long repeating patterns lead to predictable modular multiplications. As a consequence, several classes of weak keys have been identified that reduce the security somewhat. However, the cipher per se is not broken. Until recently, the best cryptanalytic results shaved just one bit of security off a reduced 6-round version of the cipher [BDK07a] (see also [BNPV02, NPV03, BDKS11]). At Eurocrypt 2012 Dmitry Khovratovich, Gaëtan Leurent, and Christian Rechberger [KLR12] presented an important breakthrough in IDEA cryptanalysis: they break the first six rounds with memory $2^{41}$ and time $2^{118.9}$, 7.5 rounds with memory $2^{52}$ and time $2^{123.9}$, and full IDEA with memory $2^{52}$ ($2^{59}$) and time $2^{126.06}$ ($2^{125.97}$).
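
Added example, not code from the book: a Python check of the algebraic claims in the Design Principles bullets and of the "predictable modular multiplications" mentioned above. It verifies that ⊙ by a fixed subkey permutes the 16-bit words, searches for inputs where the three operations fail to distribute over one another, and shows that the subkey values 0 and 1 collapse ⊙ into maps that need no multiplication at all; all function names are my own.

```python
from itertools import permutations, product

MASK, P = 0xFFFF, 0x10001      # 16-bit words; the prime 2^16 + 1

def mul(a, b):
    """IDEA's multiplication: the word 0 stands for 2^16."""
    return ((a or 0x10000) * (b or 0x10000) % P) & MASK

def add(a, b):
    return (a + b) & MASK

def xor(a, b):
    return a ^ b

def is_bijection(f):
    """True if f maps the 65536 16-bit words onto themselves one-to-one."""
    return len({f(x) for x in range(0x10000)}) == 0x10000

def find_counterexample(outer, inner, limit=4):
    """First (a, b, c) where outer fails to distribute over inner, else None."""
    for a, b, c in product(range(limit), repeat=3):
        if outer(a, inner(b, c)) != inner(outer(a, b), outer(a, c)):
            return a, b, c
    return None

def non_distributive_pairs():
    """Counterexample for every ordered pair of distinct operations."""
    ops = {"mul": mul, "add": add, "xor": xor}
    return {(o, i): find_counterexample(ops[o], ops[i])
            for o, i in permutations(ops, 2)}

def degenerate(k):
    """Name the simple map that multiplication by subkey k collapses to, if any."""
    if all(mul(x, k) == x for x in range(0x10000)):
        return "identity"                      # k = 1
    if all(mul(x, k) == (1 - x) & MASK for x in range(0x10000)):
        return "x -> 1 - x mod 2^16"           # k = 0, i.e. 2^16 = -1 mod p
    return None

if __name__ == "__main__":
    print(is_bijection(lambda x: mul(x, 2)), is_bijection(lambda x: (2 * x) & MASK))
    print(non_distributive_pairs())
    print(degenerate(0), degenerate(1), degenerate(0x1234))
```

The contrast in the first printed line is the point of the prime modulus: doubling modulo $2^{16}+1$ is a permutation, while doubling modulo $2^{16}$ loses the top bit.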
On the occasion of the expiration of the European patent protecting IDEA, Pascal Junod wrote in his blog (http://crypto.junod.info/2011/05/):
IDEA is really an amazing block cipher and definitely deserves a seat in the Crypto Hall of Fame. [...] One salient feature of the IDEA block cipher is that, despite its (too) simple key-schedule, it has withstood 20 years of intense cryptanalysis, and IDEA is therefore a prominent counter-example to Shamir’s law (“A cipher is generally broken after 13 years”). In summary, IDEA remains a very nice piece of engineering!
3.6.3 Advantages
IDEA leads to very compact and quite fast SW implementations. See for instance “IDEA in 448 bytes of 80x86” at http://cypherspace.org/adam/rsa/idea.html.
3.6.4 Disadvantages
• IDEA has a large class of weak keys.
• It requires separate HW or at least considerable additional resources to support encryption and decryption.
• Decryption is often slower or requires the use of a large precomputed table, mostly because of the key schedule. Whereas the key schedule can be run in parallel with encryption, about 2/3 of the round keys must be inverted modulo $2^{16}+1$.
• Whereas in SW it is possible to attain very good performance, the multiplication unit takes significant area in HW, and other ciphers rely on more economical ways to attain non-linearity.
3.6.5 Intellectual Property
Ascom Tech AG, the owner of IDEA, and the Kudelski group later created the MediaCrypt joint venture in November 1999, to which the rights to IDEA were transferred. MediaCrypt was merged with Nagravision S.A. in November 2006.
The name IDEA is trademarked. The following patents covered aspects of IDEA: U.S. Patent 5,214,703, EU Patent EP0482154, and Japan Patent JP322544B2.
[Figure 3.11: A Round of MESH-64. Inputs in0 to in3; subkeys $k_0, \ldots, k_3$, $k_0', \ldots, k_3'$, $k_4$, $k_5$, $k_6$; panels: Odd Round Key Mixing, Even Round Key Mixing, Round (Common Part).]
[Figure 3.12: A Round of MESH-96. Inputs in0 to in5; subkeys $k_0, \ldots, k_5$, $k_0', \ldots, k_5'$, $k_6$, $k_7$, $k_8$.]
3.6.6 MESH
Jorge Nakahara Jr., Vincent Rijmen, Bart Preneel and Joos Vandewalle designed MESH, a family of ciphers strongly inspired by IDEA [JRPV03]. The main differences are the variable block size (64, 96 and 128 bits) and the larger MA-boxes: just as the IDEA MA-box combines multiplications and additions in a $2 \times 2$ checkerboard pattern, the MESH MA-boxes combine the same operations in a similar way, but in larger grids. Figure 3.11 and Figure 3.12 represent rounds of MESH-64 and MESH-96, respectively. MESH-128 is similar to MESH-96, but it has eight branches instead of six, and the MA-box is a $4 \times 4$ addition/multiplication checkerboard instead of $3 \times 3$.
The even rounds differ from the odd rounds only in the order of multiplications and additions for the key mixing in the first “row” of the round. The ciphers, like IDEA, undo the branch permutation and perform a final key mixing in the last round. The number of rounds of MESH-64, MESH-96, and MESH-128 is 8.5, 10.5 and 12.5 respectively.
The key schedule of MESH is more complex than that of IDEA, in order to prevent weak keys. First, several constants $c_i$ are generated as powers of an element of $\mathbb{F}_{2^{16}}$. The first eight 16-bit subkeys are obtained by XORing the 16-bit words of the master key with the first eight constants. Each successive subkey is obtained by a recursive function that combines XOR, addition modulo 16, a fixed cyclic shift and addition of a constant $c_i$. A weakness that the cipher shares with IDEA is that multiplicative inverses of several subkeys are required.
Jorge Nakahara Jr., Bart Preneel and Joos Vandewalle prove in [JPV04] that attacks that have been proved effective against IDEA are less effective against MESH. There are currently no attacks on the full MESH ciphers. For more details we refer to the paper.