This page uses content from Wikipedia and is licensed under CC BYSA.
The ICE Feistel function


General  

Designers  Matthew Kwan 
First published  1997 
Derived from  DES 
Cipher detail  
Key sizes  64 bits (ICE), 64×n bits (ICEn) 
Block sizes  64 bits 
Structure  Feistel network 
Rounds  16 (ICE), 8 (ThinICE), 16×n (ICEn) 
Best public cryptanalysis  
Differential cryptanalysis can break 15 out of 16 rounds of ICE with complexity 2^{56}. ThinICE can be broken using 2^{27} chosen plaintexts with a success probability of 95%. 
In cryptography, ICE (Information Concealment Engine) is a symmetrickey block cipher published by Kwan in 1997. The algorithm is similar in structure to DES, but with the addition of a keydependent bit permutation in the round function. The keydependent bit permutation is implemented efficiently in software. The ICE algorithm is not subject to patents, and the source code has been placed into the public domain.
ICE is a Feistel network with a block size of 64 bits. The standard ICE algorithm takes a 64bit key and has 16 rounds. A fast variant, ThinICE, uses only 8 rounds. An openended variant, ICEn, uses 16n rounds with 64n bit key.
Van Rompay et al. (1998) attempted to apply differential cryptanalysis to ICE. They described an attack on ThinICE which recovers the secret key using 2^{23} chosen plaintexts with a 25% success probability. If 2^{27} chosen plaintexts are used, the probability can be improved to 95%. For the standard version of ICE, an attack on 15 out of 16 rounds was found, requiring 2^{56} work and at most 2^{56} chosen plaintexts.
ICE is a 16round Feistel network. Each round uses a 32→32 bit F function, which uses 60 bits of key material.
The structure of the F function is somewhat similar to DES: The input is expanded by taking overlapping fields, the expanded input is XORed with a key, and the result is fed to a number of reducing Sboxes which undo the expansion.
First, ICE divides the input into 4 overlapping 10bit values. They are bits 0–9, 8–17, 16–25, and 24–33 of the input, where bits 32 and 33 are copies of bits 0 and 1.
Second is a keyed permutation, which is unique to ICE. Using a 20bit permutation subkey, bits are swapped between halves of the 40bit expanded input. (If subkey bit i is 1, then bits i and i+20 are swapped.)
Third, the 40bit value is exclusiveORed with 40 more subkey bits.
Fourth, the value is fed through 4 10bit Sboxes, each of which produces 8 bits of output. (These are much larger than DES's 8 6→4 bit Sboxes.)
Fifth, the Sbox output bits are permuted so that each Sbox's outputs are routed to each 4bit field of 32bit word, including 2 of the 8 "overlap" bits duplicated during the next round's expansion.
Like DES, a software implementation would typically store the Sboxes prepermuted, in 4 1024×32 bit lookup tables.