Lecture Notes in Computer Science vol:2851 pages:267-279
ISC 2003 date:October 01-03, 2003
This paper presents an analysis of the PES cipher in a similar setting as done by Daemen et al. at Crypto'93 for IDEA. The following results were obtained for 8.5-round PES: a linear weak-key class of size 248, two differential weak-key classes of size 241, and two differential-linear weak-key classes of size 2(62). For 17-round PES (double PES): a linear weak-key class of size 27, and a differential weak-key class of size 27 were found. These attacks demonstrate that doubling the number of rounds in PES is not enough to avoid weak keys. These findings were possible because the cipher structure from PES to IDEA was changed but the key schedule algorithm remained the same. Daemen suggested a modified key schedule for IDEA in order to avoid weak keys. We found a differential weak-key class of size 2(83) for 2.5-round IDEA under his redesigned key schedule, and a differential-linear weak-key class of size 2(68) for 3.5-round IDEA. The presence of weak keys has some consequences. Recall that without weak-key assumptions there are no known attacks on more than 4.5 rounds of IDEA. Furthermore, the existence of weak keys may imply that the block cipher becomes unsuitable in stream cipher and hash function constructions.