论文信息 - Differential-Linear Cryptanalysis of IDEA

Differential-Linear Cryptanalysis of IDEA

In this paper we describe an attack on 3 rounds of IDEA, making use of linear as well as diierential cryptanalytic techniques. The attack is independent of the key schedule. The main attack requires at most 2 29 chosen plaintext pairs and a workload of about 2 49 additions modulo 2 16 + 1 to nd two subkeys or their additive inverses modulo 2 16 + 1. Further we describe a method, which then can nd two more subkeys or their additive inverses modulo 2 16 + 1, which needs less than 10 of the already encrypted pairs and a total workload of at most 2 33 multiplications modulo 2 16 +1. This attack is more powerful than all previously published general attacks on the IDEA structure.

Johan Borst

[1] Mitsuru Matsui,et al. The First Experimental Cryptanalysis of the Data Encryption Standard , 1994, CRYPTO.

[2] Luke O'Connor. On the Distribution of Characteristics in Bijective Mappings , 1993, EUROCRYPT.

[3] Xuejia Lai,et al. A Proposal for a New Block Encryption Standard , 1991, EUROCRYPT.

[4] Xuejia Lai,et al. Markov Ciphers and Differential Cryptanalysis , 1991, EUROCRYPT.

[5] Joos Vandewalle,et al. Weak Keys for IDEA , 1994, CRYPTO.

[6] Mitsuru Matsui,et al. Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[7] Willi Meier,et al. On the Security of the IDEA Block Cipher , 1994, EUROCRYPT.