ICE (cipher)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
ICE (cipher) InfoBox Diagram.png
The ICE Feistel function
DesignersMatthew Kwan
First published1997
Derived fromDES
Cipher detail
Key sizes64 bits (ICE), 64×n bits (ICE-n)
Block sizes64 bits
StructureFeistel network
Rounds16 (ICE), 8 (Thin-ICE), 16×n (ICE-n)
Best public cryptanalysis
Differential cryptanalysis can break 15 out of 16 rounds of ICE with complexity 256. Thin-ICE can be broken using 227 chosen plaintexts with a success probability of 95%.

In cryptography, ICE (Information Concealment Engine) is a symmetric-key block cipher published by Kwan in 1997. The algorithm is similar in structure to DES, but with the addition of a key-dependent bit permutation in the round function. The key-dependent bit permutation is implemented efficiently in software. The ICE algorithm is not subject to patents, and the source code has been placed into the public domain.

ICE is a Feistel network with a block size of 64 bits. The standard ICE algorithm takes a 64-bit key and has 16 rounds. A fast variant, Thin-ICE, uses only 8 rounds. An open-ended variant, ICE-n, uses 16n rounds with 64n bit key.

Van Rompay et al. (1998) attempted to apply differential cryptanalysis to ICE. They described an attack on Thin-ICE which recovers the secret key using 223 chosen plaintexts with a 25% success probability. If 227 chosen plaintexts are used, the probability can be improved to 95%. For the standard version of ICE, an attack on 15 out of 16 rounds was found, requiring 256 work and at most 256 chosen plaintexts.


ICE is a 16-round Feistel network. Each round uses a 32→32 bit F function, which uses 60 bits of key material.

The structure of the F function is somewhat similar to DES: The input is expanded by taking overlapping fields, the expanded input is XORed with a key, and the result is fed to a number of reducing S-boxes which undo the expansion.

First, ICE divides the input into 4 overlapping 10-bit values. They are bits 30, 31 and 0–7 of the input for the first 10-bit value and for the next values 6–15, 14–23, and 22–31.

Second is a keyed permutation, which is unique to ICE. Using a 20-bit permutation subkey, bits are swapped between halves of the 40-bit expanded input. (If subkey bit i is 1, then bits i and i+20 are swapped.)

Third, the 40-bit value is XORed with 40 more subkey bits.

Fourth, the value is fed through 4 10-bit S-boxes, each of which produces 8 bits of output. (These are much larger than DES's 8 6→4 bit S-boxes.)

Fifth, the S-box output bits are permuted so that each S-box's outputs are routed to each 4-bit field of 32-bit word, including 2 of the 8 "overlap" bits duplicated during the next round's expansion.

Like DES, a software implementation would typically store the S-boxes pre-permuted, in 4 1024×32 bit lookup tables.


  • Matthew Kwan, The Design of the ICE Encryption Algorithm, Fast Software Encryption 1997, pp. 69–82 [1].
  • Bart van Rompay, Lars R. Knudsen and Vincent Rijmen, Differential Cryptanalysis of the ICE Encryption Algorithm, Fast Software Encryption 1998, pp270–283 (PDF).

External links[edit]