On the (In)Security of IDEA in Various Hashing Modes
In this paper, the authors study the security of the IDEA block cipher when it is used in various single-length or double-length hashing modes. Even though this cipher is still considered secure, they show that one should avoid using it as the internal primitive for block-cipher-based hashing. In particular, they are able to generate free-start collisions instantaneously for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This paper shows a practical example of the gap that exists between secret-key security and known-key or chosen-key security for block ciphers.