Cryptanalysis of Akelarre

We show two practical attacks against the Akelarre block cipher. The best attack retrieves the 128-bit key using less than 100 chosen plaintexts and 2 o -line trial encryptions. Our attacks use a weakness in the round function that preserves the parity of the input, a set of 1-round di erential characteristics with probability 1, and the lack of avalanche and one-way properties in the key-schedule. We suggest some ways of xing these immediate weaknesses, but conclude that the algorithm should be abandoned in favor of better-studied alternatives. 1 Description of Akelarre Akelarre [AGMP96A, AGMP96B] is a 128-bit block cipher that uses the same overall structure as idea [LMM91]; instead of idea's 16-bit sub-blocks Akelarre uses 32-bit sub-blocks. Furthermore, Akelarre does not use modular multiplications, but instead uses a combination of a 128-bit key-dependent rotate at the beginning of each round, and repeated key additions and data-dependent rotations in its MA-box (called an \addition-rotation structure" in Akelarre). 1 Akelarre is de ned for a variable-length key and a variable number of rounds. The authors recommend using Akelarre with four rounds and a 128-bit key; this is the version that we will cryptanalyze.