Paper 2012/264

On the (In)Security of IDEA in Various Hashing Modes

Lei Wei, Thomas Peyrin, Przemyslaw Sokolowski, San Ling, Josef Pieprzyk, and Huaxiong Wang

Abstract

In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered secure, we show that one should avoid its use as an internal primitive for block-cipher-based hashing. In particular, we are able to generate instantaneously free-start collisions for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This work shows a practical example of the gap that exists between secret-key and known or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old standing open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, originally invented to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Full version of FSE 2012 article
Keywords
IDEA, block cipher, hash function, cryptanalysis, collision, preimage
Contact author(s)
thomas peyrin @ gmail com
History
2012-05-14: received
Short URL
https://ia.cr/2012/264
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/264,
      author = {Lei Wei and Thomas Peyrin and Przemyslaw Sokolowski and San Ling and Josef Pieprzyk and Huaxiong Wang},
      title = {On the (In)Security of {IDEA} in Various Hashing Modes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2012/264},
      year = {2012},
      url = {https://eprint.iacr.org/2012/264}
}