Cryptanalysis of WIDEA

  • Gaëtan Leurent
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


WIDEA is a family of block ciphers designed by Junod and Macchetti in 2009 as an extension of IDEA to larger block sizes (256 and 512 bits for the main instances WIDEA-\(4\) and WIDEA-\(8\)) and larger key sizes (512 and 1024 bits, respectively). WIDEA-\(w\) is composed of \(w\) parallel copies of the IDEA block cipher, with an MDS matrix to provide diffusion between them. An important motivation was to use WIDEA to design a hash function.

In this paper we present low complexity attacks on WIDEA based on truncated differentials. We show a distinguisher for the full WIDEA with complexity only \(2^{65}\), and we use the distinguisher in a key-recovery attack with complexity \(w \cdot 2^{68}\). We also show a collision attack on WIDEA-\(8\) if it is used to build a hash function using the Merkle-Damgård mode of operation.

The attacks exploit the parallel structure of WIDEA and the limited diffusion between the IDEA instances, using differential trails where the MDS diffusion layer is never active. In addition, we use structures of plaintext to reduce the data complexity.


Keywords: Cryptanalysis, Block cipher, Hash function, Truncated differential, IDEA, WIDEA, HIDEA



We would like to thank the anonymous reviewers for very detailed comments. In particular, they noticed a mistake in our description of IDEA and WIDEA (our implementation of the attack used the correct algorithm, though).

The author is supported by the ERC project CRASH. Part of this work was done while the author was at the University of Luxembourg, supported by the AFR grant PDR-10-022 of the FNR.



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. UCL Crypto Group, Louvain-la-Neuve, Belgium
