ICE (cipher)
In cryptography, ICE (Information Concealment Engine) is a symmetric-key block cipher published by Kwan in 1997. The algorithm is similar in structure to DES, but with the addition of a key-dependent bit permutation in the round function. The key-dependent bit permutation is implemented efficiently in software. The ICE algorithm is not subject to patents, and the source code has been placed into the public domain.
The ICE Feistel function | |
General | |
---|---|
Designers | Matthew Kwan |
First published | 1997 |
Derived from | DES |
Cipher detail | |
Key sizes | 64 bits (ICE), 64×n bits (ICE-n) |
Block sizes | 64 bits |
Structure | Feistel network |
Rounds | 16 (ICE), 8 (Thin-ICE), 16×n (ICE-n) |
Best public cryptanalysis | |
Differential cryptanalysis can break 15 out of 16 rounds of ICE with complexity 256. Thin-ICE can be broken using 227 chosen plaintexts with a success probability of 95%. |
ICE is a Feistel network with a block size of 64 bits. The standard ICE algorithm takes a 64-bit key and has 16 rounds. A fast variant, Thin-ICE, uses only 8 rounds. An open-ended variant, ICE-n, uses 16n rounds with 64n bit key.
Van Rompay et al. (1998) attempted to apply differential cryptanalysis to ICE. They described an attack on Thin-ICE which recovers the secret key using 223 chosen plaintexts with a 25% success probability. If 227 chosen plaintexts are used, the probability can be improved to 95%. For the standard version of ICE, an attack on 15 out of 16 rounds was found, requiring 256 work and at most 256 chosen plaintexts.
Structure
ICE is a 16-round Feistel network. Each round uses a 32→32 bit F function, which uses 60 bits of key material.
The structure of the F function is somewhat similar to DES: The input is expanded by taking overlapping fields, the expanded input is XORed with a key, and the result is fed to a number of reducing S-boxes which undo the expansion.
First, ICE divides the input into 4 overlapping 10-bit values. They are bits 0–9, 8–17, 16–25, and 24–33 of the input, where bits 32 and 33 are copies of bits 0 and 1.
Second is a keyed permutation, which is unique to ICE. Using a 20-bit permutation subkey, bits are swapped between halves of the 40-bit expanded input. (If subkey bit i is 1, then bits i and i+20 are swapped.)
Third, the 40-bit value is exclusive-ORed with 40 more subkey bits.
Fourth, the value is fed through 4 10-bit S-boxes, each of which produces 8 bits of output. (These are much larger than DES's 8 6→4 bit S-boxes.)
Fifth, the S-box output bits are permuted so that each S-box's outputs are routed to each 4-bit field of 32-bit word, including 2 of the 8 "overlap" bits duplicated during the next round's expansion.
Like DES, a software implementation would typically store the S-boxes pre-permuted, in 4 1024×32 bit lookup tables.
References
- Matthew Kwan, The Design of the ICE Encryption Algorithm, Fast Software Encryption 1997, pp. 69–82 .
- Bart van Rompay, Lars R. Knudsen and Vincent Rijmen, Differential Cryptanalysis of the ICE Encryption Algorithm, Fast Software Encryption 1998, pp270–283 (PDF).