ICE Design Decisions

This section is an attempt to explain, fairly briefly, why certain design decisions were made.

The Feistel structure

The Feistel structure, as used by DES and LOKI to name but a few, has a number of advantages.

The 64-bit block and key size

The 64-bit block size and default 64-bit key size were chosen for a variety of reasons.

Keyed Permutation

This is one of the few original ideas incorporated into ICE, so the reasoning will be explained in a bit more detail. The inspiration for the use of keyed permutation comes from the salt value in the Unix password encryption function, crypt(3), designed by Ken Thompson and Denis Ritchie at AT&T Bell laboratories.

From an aesthetic point of view it has a certain consistency. The cornerstone of block cipher design has been the use of substitution and permutation networks to encrypt data. Keyed substitution, usually in the form of XORing key bits with an S-box input, has been commonly used, and it is felt that keyed permutation should complement this nicely.

To begin with, keyed permutation gives ICE immunity to complementation weaknesses. These result from situations where key and plaintext bits are inverted, but cancel each other out at the inputs to the S-boxes, causing the S-boxes to produce identical outputs. However, if key bits are inverted in ICE, the S-boxes will receive their inputs from totally different bits, and thus not regularly produce identical outputs.

A great challenge to cryptosystem designers has been resistance to differential cryptanalysis. Although the keyed permutation used in ICE doesn't grant immunity to differential cryptanalysis, it does greatly reduce its effectiveness.

Differential cryptanalysis relies an attacker sending XOR differences to the inputs of S-boxes, where the S-boxes will then produces an XOR difference as output with some probability. But because these input bits are being permuted in ICE, the attacker does not know which S-box will receive the bit.

An attacker can bypass the keyed permutation by using input differences whose leftmost 16 bits are the same as the rightmost 16 bits (called symmetric inputs), but this means the attacker now has to target at least two S-boxes at a time, so the probability of success is typically squared or worse.

Similarly, linear cryptanalysis is forced to use symmetric inputs, again with much lower probabilities.

The S-boxes

The S-boxes in ICE were primarily designed to be resistant to differential cryptanalysis, and in particular to symmetric attacks. The way the S-boxes are generated, from 16 offsets and 16 primes, was chosen so that the boxes were parameterised. This enabled software to automate the generation and evaluation of millions upon millions of different possible S-boxes.

In an ideal world, every possible Galois Field prime and XOR offset would be tried, and the resulting S-boxes evaluated. However, with 30 Galois primes to try in 16 positions, and 16 8-bit offsets to choose, this would require more than 10^71 evaluations. As result, the selection process was done in incremental steps.

With respect to differential cryptanalysis, it makes no difference if all the XOR offsets in a row are XORed with a constant, or if the positions of the primes are XORed with a constant, so there were still 1024 choices available for each S-box. None of these choices would have any effect on differential (and, it turns out, linear) cryptanalysis, so some new, and increasingly arbitrary, criteria were used to narrow down the choice of parameters.

The Key Schedule

ICE has been designed with an extensible key schedule to permit a tradeoff between speed and security. The following design criteria were used for all the ICE variants.