1.0 Introduction
This work is based on [1].
The biclique attack framework was recently introduced as a way to add more rounds to a
meet-in-the-middle attack while potentially keeping the same time complexity. The work in [1]
applies and extends the recently introduced biclique framework to IDEA and, for the first time,
describes an approach that noticeably speeds up key recovery for the full 8.5-round IDEA.
1.1 Meet in the Middle Attacks
The meet-in-the-middle attack attempts to find a value using both the range (ciphertext) and
the domain (plaintext) of the composition of several functions (or block ciphers), such that the
forward mapping through the first functions is the same as the backward mapping (inverse
image) through the last functions, quite literally meeting in the middle of the composed function.
● ∀ ∈ :
and save each together with corresponding in a set A
● ∀ ∈ :
and compare each new with the set A
When a match is found, keep kf1, kb1 as a candidate key pair in a table T. Test the pairs in T on a
new pair of (P,C) to confirm validity. If the key pair does not work on this new pair, do MITM again
on a new pair of (P,C).
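The procedure above, as an added example that is not part of the original document or of [1]: a meet-in-the-middle key search against a constructed 16-bit toy double cipher (not IDEA) with two independent 12-bit subkeys. The cipher, its constants, the sample keys and the names enc_half, dec_half, encrypt and mitm are assumptions made for illustration.

```python
from collections import defaultdict

MASK = 0xFFFF                       # toy 16-bit block (constructed, not IDEA)
MUL = 0x9E37                        # odd constant, so invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def enc_half(x, k, rounds=3):
    """One half of the toy cipher, keyed by a 12-bit subkey k."""
    for r in range(rounds):
        x = (x + k + r) & MASK
        x = (x * MUL) & MASK
        x = rotl(x, 5) ^ k
    return x

def dec_half(y, k, rounds=3):
    """Inverse of enc_half under the same subkey."""
    for r in reversed(range(rounds)):
        y = rotl(y ^ k, 11)         # undo the XOR, then rotate right by 5
        y = (y * MUL_INV) & MASK
        y = (y - k - r) & MASK
    return y

def encrypt(p, kf, kb):
    return enc_half(enc_half(p, kf), kb)

def mitm(pairs, key_bits=12):
    """Return (table T of candidates from the first pair, survivors of the recheck)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = defaultdict(list)     # set A: middle value -> forward subkeys
    for kf in range(1 << key_bits):
        forward[enc_half(p0, kf)].append(kf)
    candidates = []                 # table T
    for kb in range(1 << key_bits):
        v = dec_half(c0, kb)        # backward mapping to the middle value
        candidates += [(kf, kb) for kf in forward.get(v, ())]
    survivors = [(kf, kb) for kf, kb in candidates
                 if all(encrypt(p, kf, kb) == c for p, c in rest)]
    return candidates, survivors

# Constructed sample: secret subkeys and two known plaintext/ciphertext pairs.
KF_TRUE, KB_TRUE = 0xA5C, 0x3E1
PAIRS = [(p, encrypt(p, KF_TRUE, KB_TRUE)) for p in (0x1234, 0xBEEF)]

if __name__ == "__main__":
    cands, surv = mitm(PAIRS)
    print(f"{len(cands)} candidates after one pair, {len(surv)} after recheck: {surv}")
```

The search evaluates each half of the cipher once per subkey value, 2 x 2^12 half-cipher computations in total, instead of trying all 2^24 combined keys; the second pair removes the false matches that a 16-bit middle value leaves in T.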
2.0 IDEA
The "International Data Encryption Standard" (IDEA) is one of the longest standing and most
analyzed ciphers known. It was designed by Lai and Massey in 1991. In cryptography, the
International Data Encryption Algorithm (IDEA) is a block cipher designed by James Massey of
ETH Zurich and Xuejia Lai and was first described in 1991. As a block cipher, it is also
symmetric. The algorithm was intended as a replacement for the Data Encryption Standard
(DES). IDEA is a minor revision of an earlier cipher, Proposed Encryption Standard (PES); IDEA
was originally called Improved PES (IPES).
IDEA operates on 64-bit blocks using a 128-bit key. IDEA derives much of its security by
interleaving operations from different groups — modular addition and multiplication, and bitwise
eXclusive OR (XOR).
Note that a "break" is any attack which requires less than $2^{128}$ operations; the 6-round attack
requires $2^{64}$ known plaintexts and $2^{126.8}$ operations.
3.0 Biclique Attack
A biclique is a set of internal states, which are constructed in the first or in the last rounds of a
cipher and mapped to each other by specifically chosen keys [1]. Biclique attacks were
originally designed for the cryptanalysis of hash functions; however, they were later applied to
block ciphers. The idea behind this attack is to partition the block cipher's key space into groups
of keys, where each key in a group is tested using the meet-in-the-middle technique.
Consider a permutation-based key schedule, as in IDEA, with three sets of key bits: Kb, Kf, Kg.
In a key group the value Kg is fixed (and hence enumerates the groups), and Kb and Kf take all
possible values.
g = mapping describing a cipher round
A biclique for the group Kg
=> {Si} {Cj} sets of states
When plaintexts (S) and corresponding ciphertexts are given, function g maps the states S into
C as follows.
To test the keys within a group, a variable v is calculated in both directions as depicted by the
following equations. In this case the mapping functions are called chunks (g1 and g2).
If the cost of computing v is Cg1 and Cg2, the biclique construction cost is Cbiclique, and the cost of
rechecking key candidates on other state bits of plaintext/ciphertext pairs is Crecheck, then the
computational complexity of testing a single group is:
$C_{biclique} + 2^{|K_f|} C_{g_1} + 2^{|K_b|} C_{g_2} + C_{recheck}$
The following figure depicts key testing with biclique of three plaintexts and three internal states.
A narrow biclique technique limits the length of a biclique to the number of rounds needed for
full diffusion.
This technique keeps the footprint of the computation minimal.
4.0 Key Recovery for the Full IDEA
The authors used a short search program to find optimal values for Kf and Kb. Based on the
search, the following key partitioning is chosen.
Kg (guess): bits K0...40, 42...47, 50...124
Kf (forward): bits K125...127
Kb (backward): bits K41, 48, 49
The full IDEA is partitioned into a biclique, chunks, and the matching parts according to the
following table and figure.
The following relation, called the Biryukov-Demirci relation, serves as the internal variable for
the matching in rounds 4-6.
5.0 Bibliography
[1] Dmitry Khovratovich, Gaëtan Leurent, and Christian Rechberger. 2012. Narrow-Bicliques:
cryptanalysis of full IDEA. In Proceedings of the 31st Annual International Conference on Theory
and Applications of Cryptographic Techniques (EUROCRYPT'12), David Pointcheval and
Thomas Johansson (Eds.). Springer-Verlag, Berlin, Heidelberg, 392-410.