International Data Encryption Algorithm: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
(start page with text removed from block cipher)
 
imported>Sandy Harris
No edit summary
Line 1: Line 1:
IDEA
The '''International Data Encryption Algorithm''' or '''IDEA'''
<ref name=idea>{{citation
<ref name=idea>{{citation
  | author = X. Lai
  | author = X. Lai
Line 7: Line 7:
  | date = 1992
  | date = 1992
}}</ref>
}}</ref>
is the '''International Data Encryption Algorithm''', a European standard. It is a iterated block cipher, but does not have a Feistel structure. Block size is 64 bits, key 128. No S-boxes are used.
is a European standard [[block cipher]]. It is an iterated block cipher, but does not have a Feistel structure. Block size is 64 bits, key 128. No S-boxes are used.


IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 2<sup>16</sup>. The third is basically multiplication, modulo 2<sup>16</sup>+1, but with some additional code so the "x*0 yields zero for all x" case does not weaken the cipher.
IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 2<sup>16</sup>. The third is basically multiplication, modulo 2<sup>16</sup>+1, but with some additional code so the "x*0 yields zero for all x" case does not weaken the cipher.


==== IDEA multiplication ====
== IDEA multiplication ==


To see how the IDEA multiplication works, consider the multiplication table modulo 5:
To see how the IDEA multiplication works, consider the multiplication table modulo 5:
Line 68: Line 68:
Change NBITS to 16 and you have real IDEA multiplication, operating on 16-bit quantities. This works correctly because MOD is then the prime 2<sup>16</sup>+1. On a 32-bit processor, you need to add a bit of extra code to avoid having MAX*MAX overflow a 32-bit register, but that is the only special case.
Change NBITS to 16 and you have real IDEA multiplication, operating on 16-bit quantities. This works correctly because MOD is then the prime 2<sup>16</sup>+1. On a 32-bit processor, you need to add a bit of extra code to avoid having MAX*MAX overflow a 32-bit register, but that is the only special case.


==== Overheads ====
== Overheads ==


The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all the inputs. It is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper.
The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all the inputs. It is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper.


In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function.
In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function.
==References==
{{reflist|2}

Revision as of 18:27, 19 April 2009

The International Data Encryption Algorithm or IDEA [1] is a European standard block cipher. It is an iterated block cipher, but does not have a Feistel structure. Block size is 64 bits, key 128. No S-boxes are used.

IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 216. The third is basically multiplication, modulo 216+1, but with some additional code so the "x*0 yields zero for all x" case does not weaken the cipher.

IDEA multiplication

To see how the IDEA multiplication works, consider the multiplication table modulo 5:

   0  1  2  3  4
0  0  0  0  0  0
1  0  1  2  3  4
2  0  2  4  1  3
3  0  3  1  4  2
4  0  4  3  2  1

If we take out the zeros, we get this table:

   1  2  3  4
1  1  2  3  4
2  2  4  1  3
3  3  1  4  2
4  4  3  2  1

Here all output values occur equally often and every column and every row is a permutation of the set (1,2,3,4). These properties are provably true for any multiplication modulo a prime modulus.

Our inputs are 2-bit numbers (0,1,2,3). We map them to (4,1,2,3) and then multiply them modulo 5; all multiplications use the non-zero part of the table. Results are in (1,2,3,4), which we map back to (1,2,3,0) so we get 2-bit output.

C code for IDEA multiplication of 2-bit numbers (range 0-3) would be:

#define NBITS 2
#define MAX (1<<NBITS)
#define MOD (MAX+1)
unsigned idea_multiply(unsigned x, unsigned y)
{
   unsigned z ;
   // make sure inputs are in range
   x %= MAX ;
   y %= MAX ;
   // adjust the range
   // avoid multiplying by zero
   if( x == 0 ) x = MAX ;
   if( y == 0 ) y = MAX ;
   // calculate the result
   // see table above
   z = (x*y) % MOD ;
   // adjust it
   // avoid returning MAX
   if( z == MAX ) z = 0 ;
   return( z ) ;
}

Change NBITS to 16 and you have real IDEA multiplication, operating on 16-bit quantities. This works correctly because MOD is then the prime 216+1. On a 32-bit processor, you need to add a bit of extra code to avoid having MAX*MAX overflow a 32-bit register, but that is the only special case.

Overheads

The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all the inputs. It is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper.

In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function.

References

{{reflist|2}

  1. X. Lai (1992), "On the Design and Security of Block Ciphers", ETH Series in Information Processing, v. 1