International Data Encryption Algorithm: Difference between revisions
imported>Sandy Harris (start page with text removed from block cipher) |
imported>Sandy Harris No edit summary |
||
Line 1: | Line 1: | ||
IDEA | The '''International Data Encryption Algorithm''' or '''IDEA''' | ||
<ref name=idea>{{citation | <ref name=idea>{{citation | ||
| author = X. Lai | | author = X. Lai | ||
Line 7: | Line 7: | ||
| date = 1992 | | date = 1992 | ||
}}</ref> | }}</ref> | ||
is | is a European standard [[block cipher]]. It is an iterated block cipher, but does not have a Feistel structure. Block size is 64 bits, key 128. No S-boxes are used. | ||
IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 2<sup>16</sup>. The third is basically multiplication, modulo 2<sup>16</sup>+1, but with some additional code so the "x*0 yields zero for all x" case does not weaken the cipher. | IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 2<sup>16</sup>. The third is basically multiplication, modulo 2<sup>16</sup>+1, but with some additional code so the "x*0 yields zero for all x" case does not weaken the cipher. | ||
== IDEA multiplication == | |||
To see how the IDEA multiplication works, consider the multiplication table modulo 5: | To see how the IDEA multiplication works, consider the multiplication table modulo 5: | ||
Line 68: | Line 68: | ||
Change NBITS to 16 and you have real IDEA multiplication, operating on 16-bit quantities. This works correctly because MOD is then the prime 2<sup>16</sup>+1. On a 32-bit processor, you need to add a bit of extra code to avoid having MAX*MAX overflow a 32-bit register, but that is the only special case. | Change NBITS to 16 and you have real IDEA multiplication, operating on 16-bit quantities. This works correctly because MOD is then the prime 2<sup>16</sup>+1. On a 32-bit processor, you need to add a bit of extra code to avoid having MAX*MAX overflow a 32-bit register, but that is the only special case. | ||
== Overheads == | |||
The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all the inputs. It is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper. | The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all the inputs. It is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper. | ||
In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function. | In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function. | ||
==References== | |||
{{reflist|2} |
Revision as of 18:27, 19 April 2009
The International Data Encryption Algorithm or IDEA [1] is a European standard block cipher. It is an iterated block cipher, but does not have a Feistel structure. Block size is 64 bits, key 128. No S-boxes are used.
IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 216. The third is basically multiplication, modulo 216+1, but with some additional code so the "x*0 yields zero for all x" case does not weaken the cipher.
IDEA multiplication
To see how the IDEA multiplication works, consider the multiplication table modulo 5:
0 1 2 3 4
0 0 0 0 0 0 1 0 1 2 3 4 2 0 2 4 1 3 3 0 3 1 4 2 4 0 4 3 2 1
If we take out the zeros, we get this table:
1 2 3 4
1 1 2 3 4 2 2 4 1 3 3 3 1 4 2 4 4 3 2 1
Here all output values occur equally often and every column and every row is a permutation of the set (1,2,3,4). These properties are provably true for any multiplication modulo a prime modulus.
Our inputs are 2-bit numbers (0,1,2,3). We map them to (4,1,2,3) and then multiply them modulo 5; all multiplications use the non-zero part of the table. Results are in (1,2,3,4), which we map back to (1,2,3,0) so we get 2-bit output.
C code for IDEA multiplication of 2-bit numbers (range 0-3) would be:
#define NBITS 2 #define MAX (1<<NBITS) #define MOD (MAX+1)
unsigned idea_multiply(unsigned x, unsigned y) { unsigned z ;
// make sure inputs are in range x %= MAX ; y %= MAX ;
// adjust the range // avoid multiplying by zero if( x == 0 ) x = MAX ; if( y == 0 ) y = MAX ;
// calculate the result // see table above z = (x*y) % MOD ;
// adjust it // avoid returning MAX if( z == MAX ) z = 0 ;
return( z ) ; }
Change NBITS to 16 and you have real IDEA multiplication, operating on 16-bit quantities. This works correctly because MOD is then the prime 216+1. On a 32-bit processor, you need to add a bit of extra code to avoid having MAX*MAX overflow a 32-bit register, but that is the only special case.
Overheads
The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all the inputs. It is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper.
In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function.
References
{{reflist|2}
- ↑ X. Lai (1992), "On the Design and Security of Block Ciphers", ETH Series in Information Processing, v. 1