Cryptology ePrint Archive: Report 2012/264

On the (In)Security of IDEA in Various Hashing Modes

Lei Wei and Thomas Peyrin and Przemyslaw Sokolowski and San Ling and Josef Pieprzyk and Huaxiong Wang

Abstract: In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered as secure, we show that one should avoid its use as internal primitive for block cipher based hashing. In particular, we are able to generate instantaneously free-start collisions for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This work shows a practical example of the gap that exists between secret-key and known or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old standing open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, originally invented to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.

Category / Keywords: secret-key cryptography / IDEA, block cipher, hash function, cryptanalysis, collision, preimage

Publication Info: Full version of FSE 2012 article

Date: received 9 May 2012

Contact author: thomas peyrin at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20120514:161251 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]