Cryptanalysis of Ake98

  • Jorge Nakahara Júnior
  • Daniel Santana de Freitas
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3348)


This paper describes a linear attack on the Ake98 block cipher, an updated version of the Akelarre cipher presented by Alvarez et al. at the SAC’96 Workshop. The new attacks require the assumption of weak keys. It is demonstrated that Ake98 does not introduce enough security measures to counter cryptanalytic attacks, both in a known-plaintext and in a ciphertext-only setting. A key-recovery attack on 4.5-round Ake98, for instance, is applicable to a weak-key class of size $2^{108}$, and requires only 71 known plaintexts, with an effort of $71 \cdot 2^{71}$ half-round decryptions. Moreover, the existence of weak keys precludes the use of Ake98 as a building block for other cryptographic primitives, such as in Davies-Meyer hash mode. Attacks using weak keys can be applied up to 11.5 rounds of Ake98 with less effort than an exhaustive key search. However, Ake98 with 8.5 rounds is already slower than IDEA, RC6 or AES, which implies that this updated version of the Akelarre cipher does not seem to provide significant advantages (security or efficiency) compared to the former, more established ciphers.


Keywords: cryptanalysis, Akelarre, Ake98, IDEA, RC5, RC6, AES





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Jorge Nakahara Júnior (1)
  • Daniel Santana de Freitas (2)
  1.
  2. LabSEC, Laboratório de Segurança em Computação, UFSC, Brazil
