<HTML>
<HEAD> <TITLE> Cryptanalysis of ICE </TITLE> </HEAD>
<BODY>
<H1> Cryptanalysis of ICE </H1>

As a new cipher, ICE has not yet undergone rigorous third-party
cryptanalysis. These are the results of the author's own cryptanalysis.

<P>
<H3> Weak keys </H3>

ICE has no weak keys. Weak, or self-decrypting, keys are keys
which, if they are used to encrypt the same data twice, produce the
original unencrypted data. DES has four of them.

<P>
There are no semi-weak keys either. Semi-weak keys come in pairs, where
the second key decrypts the first. DES has 16 of them, including the
four weak keys.

<P>
A weak or semi-weak key occurs if there is another key that generates
an identical key schedule, but in the reverse order. These keys can be
found by setting up a series of linear (under XOR) equations expressing
the fact that the schedule of key 1 is the reverse of the schedule of
key 2, then solving the equations. The number of independent variables
in the solution gives the log base 2 of the number of weak keys.

<P>
For ICE, there were 960 equations (16 rounds, 60 bits per round) and
129 variables (2 x 64-bit keys, plus an inversion bit). The solution
was "1=0", which means that there are no keys that satisfy the equations.

<P>
<H3> Key inversion weaknesses </H3>

ICE has no key-inversion weaknesses. These occur when inverting
certain bits in the key and plaintext simply cause bits to invert
in the ciphertext. DES has one weakness of this sort.

<P>
They are caused in DES by the fact that key bits are only used with
the XOR function. If both key and plaintext bits are inverted, the
inversions are cancelled out by the XOR function, and DES behaves
linearly. However, ICE also uses key bits to permute the outputs
of the E boxes, so if the key is inverted, the S-boxes will receive
totally different inputs.

<P>
<H3> Differential cryptanalysis </H3>

ICE levels 1 and above cannot be broken by differential
cryptanalysis. However, there is a possibility that Thin-ICE
can be broken by a chosen-plaintext attack with roughly 2^56 
encryptions. This has been calculated by simply multiplying the
round-by-round probabilities, so it is not yet certain whether
it yields a valid attack. DES can be broken by differential
cryptanalysis with 2^47 encryptions.

<P>
The use of keyed permutation after the E boxes means that an attacker
cannot know which S-box will be affected by a particular input bit.
However, since the keyed permutation acts to simply swap bits between
the left and right halves of a 32-bit value, the attacker can use inputs
whose leftmost 16 bits are the same as the rightmost 16 bits. This
enables the attacker to send known differences to the S-boxes, but
it usually also means that twice as many S-boxes have to be attacked
simultaneously, often with low-probability differences. This typically
at least squares the number of pairs required to achieve a result.

<P>
The best input differences for attacking the ICE F-function are
<TT>b2d6b2d6</TT> and <TT>cad6cad6</TT>, both of which produce a
zero output difference with probability 4320/2^40. They can be
combined into 5-round characteristics which have a probability of
2^-55.85, and it is these characteristics that may be able to
break Thin-ICE, which is an 8-round cipher.

<P>
<H3> Linear cryptanalysis </H3>

None of the ICE variants appear to be breakable by linear cryptanalysis.
Even Thin-ICE, the weakest variant, seems to need over 2^82 encryptions
to be reliably broken, but since it is only a 64-bit cipher, there
aren't that many plaintexts available. DES can be broken with
approximately 2^43 encryptions.

<P>
The resistance of ICE to linear cryptanalysis is due to the larger
S-boxes, and to the keyed permutation, which roughly squares the effort
otherwise required.

<P>
<H3> Related-key cryptanalysis </H3>

This attack relies on simple relations between subkeys in adjacent
rounds. ICE is not suseptible to this attack because it uses an
irregular key rotation schedule, meaning that there is no consistent
relationship between subkeys. DES is also resistant to this attack.

<P>
<H3> Meet-in-the-middle attacks </H3>

If you encrypt data twice, with two different keys, you usually find
yourself susceptible to a meet-in-the-middle attack. That is why
Triple-DES is used instead of double encryption, despite the factor
of three speed penalty.

<P>
ICE avoids this weakness in its extended variants by extending the
key schedule with insertions in the middle of the schedule. Although
ICE-<EM>n</EM> effectively encrypts the data <EM>n</EM> times with
<EM>n</EM> different 64-bit keys, it does this not by encrypting with
one key after another, but by doing half encryptions (i.e. the first
8 rounds) <EM>n</EM> times, then doing the second halves <EM>n</EM>
times.

<P>
<H3> Codebook reconstruction attacks </H3>

It must be remembered that any 64-bit cipher can be broken under a
chosen-plaintext attack in 2^64 time and memory by simply constructing
a lookup table of all 2^64 possible plaintext/ciphertext pairs. This
is regardless of the key size and how well the cipher has been designed.

<P>
So it must be remembered that although the strength of ICE-<EM>n</EM>
under ciphertext-only attacks is probably 2^64<EM>n</EM>, the strength
of all ICE variants under chosen-plaintext is, at best, 2^64.

</BODY>
</HTML>