Better to know some... than all 


IDEAThe cipher named IDEA (International Data Encryption Algorithm) encrypts 64bit plaintext to 64bit ciphertext blocks, using a 128bit input key K. Based in part on a novel generalization of the Feistel structure, it consists of 8 computationally identical rounds followed by an output transformation. Round r uses six 16bit subkeys K^{(r)}_{i} , 1 i 6, to transform a 64bit input X into an output of four 16bit blocks, which are input to the next round. The round 8 output enters the output transformation, employing four additional subkeys K^{(9)}_{i} , 1 i 4 to produce the final ciphertext Y = (Y1; Y2; Y3; Y4). All subkeys are derived from K. A dominant design concept in IDEA is mixing operations from three different algebraic groups of 2^{n} elements. The corresponding group operations on subblocks a and b of bitlength n = 16 are bitwise XOR: ab; addition mod 2^{n}: (a+b) AND 0xFFFF, denoted ab; and (modified) multiplication mod 2^{n}+1, with 0 Z_{2n} associated with 2^{n} Z_{2n+1}: ab. The key schedule of Algorithm may be converted into a table which lists, for each of the 52 keys blocks, which 16 (consecutive) bits of the input key K form it. IDEA decryption: Decryption is achieved using Algorithm with the ciphertext Y provided as input M, and the same encryption key K, but the following change to the key schedule. First use K to derive all encryption subkeys K^{(r)} _{i} ; from these compute the decryption subkeys K^{'(r)} _{i} per Table; then use K^{'(r)}_{i} in place of K^{(r)}_{i} in Algorithm . In Table, K_{i} denotes the additive inverse (mod 2^{16}) of K_{i}: the integer u = (2^{16} +K_{i}) AND 0xFFFF, 0 u 2^{16} 1. K1 _{i} denotes the multiplicative inverse (mod 2^{16} +1) of K_{i}, also in {0,1,…,2^{16}1}, derivable by the Extended Euclidean algorithm, which on inputs a b 0 returns integers x and y such that ax + by = gcd(a; b). Using a = 2^{16} + 1 and b = K_{i}, the gcd is always 1 (except for K_{i} = 0, addressed separately) and thus K^{1}_{i} = y, or 2^{16} +1+y if y < 0. When K_{i} = 0, this input is mapped to 2^{16} (since the inverse is defined by K_{i}K^{1}_{i} = 1;) and (2^{16})^{1} = 2^{16} is then defined to give K^{1}_{i} = 0. Definition of : In IDEA, ab corresponds to a (modified) multiplication, modulo 2^{16}+1, of unsigned 16bit integers a and b, where 0 Z_{216} is associated with 2^{16} Z^{*} _{216+1} as follows: if a = 0 or b = 0, replace it by 2^{16} (which is=1 mod 2^{16} + 1) prior to modular multiplication; and if the result is 2^{16}, replace this by 0. Thus, maps two 16 bit inputs to a 16bit output. Pseudocode foris as follows (for ordinary multiplication mod 2^{16} + 1), for c a 32bit unsigned integer: if (a = 0) r (0x10001  b) (since 2^{16}b =b), elseif (b = 0) r (0x10001  a) (by similar reasoning), else {c ab; r ((c AND 0xFFFF)  (c >>16)); if (r < 0) r (0x10001 +r)}, with return value (r AND 0xFFFF) in all 3 cases. Implementing ab mod 2^{n}+1: Multiplication mod 2^{16}+1may be efficiently implemented as follows, for 0 a,b 2^{16}. Let c = ab = c_{0}  2^{32} +c_{H}  2^{16} +c_{L}, where c_{0}{0; 1} and 0 c_{L}; c_{H} < 2^{16}. To compute c^{'} = c mod (2^{16} + 1), first obtain cL and cH by standard multiplication. For a = b = 2^{16}, note that c_{0} = 1, c_{L} = c_{H} = 0, and c^{'} = (1)(1) = 1, since 2^{16} =1 mod (2^{16}+1); otherwise, c_{0} = 0. Consequently, c^{'} = c_{L}  c_{H} + c_{0} if c_{L} c_{H}, while c^{'} = c_{L}  c_{H} + (2^{16} + 1) if c_{L} < c_{H} (since then  2^{16} < c_{L}  c_{H} < 0). Security of IDEA: For the full 8round IDEA, other than attacks on weak keys, no published attack is better than exhaustive search on the 128bit key space. The security of IDEA currently appears bounded only by the weaknesses arising from the relatively small (compared to its keylength) blocklength of 64 bits. 