Diierential Cryptanalysis of the Ice Encryption Algorithm

ICE is a 64-bit block cipher presented at the Fast Software Encryption Workshop in January 1997. It introduced the concept of a keyed permutation to improve the resistance against diierential and linear cryptanalysis. In this paper we will show however that we can use low Hamming weighted diierences to perform a practical, key dependent , diierential attack on ICE. The main conclusion is that the keyed permutation is not as eeective as it was conjectured to be. 1 The ICE Algorithm ICE 7], which stands for Information Concealment Engine, is a 64-bit Feistel block cipher with a structure similar to DES, the Data Encryption Standard 5]. The standard ICE algorithm takes a 64-bit key and uses 16 subkeys in 16 rounds. There is a fast variant, Thin-ICE, which uses 8 rounds with a 64-bit key, and there are open-ended variants ICE-n which use 16n rounds and 64n-bit keys. Description of the round function The ICE round function F maps 32-bit inputs to 32-bit outputs, using a 60-bit subkey. First the 32-bit input is expanded to a 40-bit value. A 20-bit subkey performs a keyed permutation and a 40-bit subkey is exored to the resulting value. Finally it uses four 10 to 8-bit S-boxes and a permutation to obtain the 32-bit result of the round function.