J. Borst, L.R. Knudsen, V. Rijmen, "Two attacks on reduced IDEA," Advances in Cryptology, Proceedings of Eurocrypt '97, LNCS 1233, W. Fumy, Ed., Springer-Verlag, 1997, pp. 1--13. 33
....boomerang attack, NESSIE. 1 Introduction The International Data Encryption Algorithm (IDEA) [8 10] is 64 bit block cipher using a 128 bit secret key. IDEA consists of eight rounds followed by an output transformation. In the last decade considerable cryptanalytic effort was concentrated on IDEA [1, 3 7, 11], however, despite that effort the cryptanalytic progress was very slow. Till now the best attack [1] breaks 4.5 rounds out of 8.5 rounds and it requires the knowledge of all 2 complexity of analysis is 2 . In the same decade some weak key classes for the full 8.5 round IDEA were found. In ....
Borst, J., Knudsen, L.R., Rijmen, V.: Two Attacks on Reduced IDEA (extended abstract), Advances in Cryptology, Eurocrypt'97, LNCS 1233, W. Fumy, Ed., Springer-Verlag, 1997, 1--13.
....on more than 4.5 rounds. The known results are quoted in the submission. It appears that IDEA is immune against differential cryptanalysis, linear cryptanalysis, higher order and truncated differential attacks and impossible differential attacks. IDEA has resisted intensive cryptanalytic efforts [86, 31, 56, 97, 63, 20, 53, 60]. The first attacks on IDEA [86, 31] could attack up to 2.5 rounds. In [20] an attack on 3.5 rounds was described, and in [11] an attack on 4.5 rounds was presented. These attacks require a large number of chosen plaintexts and a large complexity. During the assessment process an integral attack ....
....against differential cryptanalysis, linear cryptanalysis, higher order and truncated differential attacks and impossible differential attacks. IDEA has resisted intensive cryptanalytic efforts [86, 31, 56, 97, 63, 20, 53, 60]. The first attacks on IDEA [86, 31] could attack up to 2.5 rounds. In [20], an attack on 3.5 rounds was described, and in [11] an attack on 4.5 rounds was presented. These attacks require a large number of chosen plaintexts and a large complexity. During the assessment process an integral attack for consistency was found [60] but it does not endanger the cipher's ....
J. Borst, L. Knudsen, and V. Rijmen. Two attacks on reduced idea (extended abstract). In Advances in Cryptology -- EUROCRYPT '97, LNCS 1233, pages 1--13. Springer, 1997. 111
....combination with reasonable security. In particular, the block cipher IDEA [LM90,LMM91] is believed to be very secure due to the proper interaction between three different group operations. Although, apart from DES, IDEA seems to be the most studied block cipher, no currently known attack (e.g. [BKR97], [DGV94] or [Haw98]) against the full IDEA performs better than exhaustive search. Interaction between three different group operations adds confidence in IDEA's security, but the frequent use of multiplication does not allow fast software implementations on common microprocessors (Table 1) ....
Johan Borst, Lars R. Knudsen, and Vincent Rijmen. Two Attacks on Reduced IDEA. In Walter Fumy, editor, Advances in Cryptology --- EUROCRYPT '97, pages 1--13. Springer-Verlag, 1997.
J. Borst, L.R. Knudsen, V. Rijmen, "Two attacks on reduced IDEA," Advances in Cryptology, Proceedings of Eurocrypt '97, LNCS 1233, W. Fumy, Ed., Springer-Verlag, 1997, pp. 1--13. 33
J. Borst, L.R. Knudsen, V. Rijmen, "Two attacks on reduced IDEA," Advances in Cryptology, Proceedings of Eurocrypt '97, LNCS 1233, W. Fumy, Ed., Springer-Verlag, 1997, pp. 1--13.
Borst,J., Knudsen,L.R., Rijmen,V.: Two Attacks on Reduced IDEA, In: Fumy, W. (ed.): Advances in Cryptology, Eurocrypt'97, LNCS, Vol. 1233. Springer-Verlag (1997), 1--13.
J. Borst, L.R. Knudsen, V. Rijmen, "Two attacks on reduced IDEA," Advances in Cryptology, Proc. Eurocrypt'97, LNCS 1233, W. Fumy, Ed., Springer-Verlag, 1997, pp. 1--13.
....operations. An array of four 16 bit words R[0] R[3] are used to hold the initial plaintext, the intermediate results, and the final ciphertext. Indices to this array are always given modulo 4. MIX R[i] The primitive MIX R[i] operation is defined as follows, where s[0] = 1, s[1] = 2, s[2] = 3, and s[3] = 5. Here j is a global variable so that K[j] is always the first key word in the expanded key which has not yet been used in a MIX operation. R[i] R[i] K[j] R[i - 1] R[i - 2] R[i - 1] R[i - 3] j = j + 1; R[i] R[i] s[i] MIXING round ....
....that K[j] is always the first key word in the expanded key which has not yet been used in a MIX operation. R[i] R[i] K[j] R[i - 1] R[i - 2] R[i - 1] R[i - 3] j = j + 1; R[i] R[i] s[i] MIXING round A MIXING round consists of MIX R[0] MIX R[1] MIX R[2], MIX R[3] MASH R[i] The primitive MASH R[i] operation is defined as follows: R[i] R[i] K[R[i - 1] 003f x ] MASHING round A MASHING round consists of MASH R[0] MASH R[1] MASH R[2] MASH R[3] The entire encryption operation can now be described as follows. Here j is a global ....
J. Borst, L.R. Knudsen, and V. Rijmen. Two attacks on reduced IDEA. In W. Fumy, editor, Advances in Cryptology --- Eurocrypt '97, volume 1233 of Lecture Notes in Computer Science, pages 1--13, 1997. Springer Verlag.
J. Borst, L. Knudsen, V. Rijmen, "Two Attacks on Reduced IDEA (extended abstract)," Advances in Cryptology, Proceedings Eurocrypt'97, LNCS 1233, W. Fumy, Ed., Springer-Verlag, 1997, pp. 1-13.
CiteSeer.IST - Copyright Penn State and NEC