Fast Software Encryption

Volume 4593 of the series Lecture Notes in Computer Science pp 211-224

A New Attack on 6-Round IDEA

  • Eli Biham (Computer Science Department, Technion, Haifa 32000)
  • Orr Dunkelman (Katholieke Universiteit Leuven, Dept. of Electrical Engineering ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee)
  • Nathan Keller (Einstein Institute of Mathematics, Hebrew University, Jerusalem 91904)


IDEA is a 64-bit block cipher with 128-bit keys introduced by Lai and Massey in 1991. IDEA is one of the most widely used block ciphers, due to its inclusion in several cryptographic packages, such as PGP. Since its introduction in 1991, IDEA has withstood extensive cryptanalytic effort, but no attack was found on the full (8.5-round) variant of the cipher.

In this paper we present the first known attack on 6-round IDEA faster than exhaustive key search. The attack exploits the weak key-schedule algorithm of IDEA, and combines Square-like techniques with linear cryptanalysis to increase the number of rounds that can be attacked. The attack is the best known attack on IDEA. We also improve previous attacks on 5-round IDEA and introduce a 5-round attack which uses only 16 known plaintexts.