Differential Entropy Analysis of the IDEA Cipher

This paper describes a new cryptanalytic technique that combines differential cryptanalysis with Shannon entropy. We call it differential entropy (DE). The objective is to exploit the non-uniform distribution of output differences from a given mapping as a distinguishing tool in cryptanalysis. Our preferred target is the IDEA block cipher [5] since we detected significantly low entropy at the output of its modular multiplication operation in GF(216 + 1) with 0 ≡ 216 ( ). We further extended this entropy analysis to larger components. We present key-recovery attacks on up to 2.5-round IDEA in the single key-model and without weak-key assumptions. Although there are attacks on the full IDEA cipher [4, 1], our approach is novel and demonstrates new properties of modular multiplication in IDEA. The motivation for this paper came from a simple observation: in conventional differential cryptanalysis (DC) [2] an adversary chooses pairs of plaintexts (P, P ∗) with a carefully chosen difference ∆P = P ⊕ P ∗ that lead to a ciphertext pair (C,C∗) with a predictable target difference ∆C = C ⊕ C∗, with high probability p (compared to a random permutation). Due to the probabilistic nature of the attack, only a fraction, say 1/p, of the chosen data is expected to satisfy ∆C. Consequently, most plaintext pairs are discarded. Thus, if one does not focus only on the highest probability differential trail but rather study the probability distribution of output differences, then one would not have to discard any text pair. To measure the shape of a probability distribution we use Shannon entropy. We are particularly interested in low entropy, which means that the probability distribution is biased towards a few output differences, while the remaining output differences hold with negligible probability. In contrast, a random permutation (over the same domain and range) should have a rather flat probability distribution, which translates into high entropy values. For our attacks, we exploit whenever possible the 16-bit wordwise difference1 8000x, because it bypasses and ⊕ for free. For instance, Subscript x denotes hexadecimal notation.