International Data Encryption Algorithm
The International Data Encryption Algorithm (IDEA) is a symmetric-key block cipher that processes 64-bit plaintext blocks into 64-bit ciphertext blocks using a 128-bit key, consisting of 8 full rounds followed by a half-round output transformation.[1][2] Developed by Xuejia Lai and James L. Massey at the Swiss Federal Institute of Technology in Zürich, it was first proposed in 1990 as the Proposed Encryption Standard (PES) and improved and finalized as IDEA in 1991, with the goal of replacing the aging Data Encryption Standard (DES) by providing stronger security through a balanced mix of operations from incompatible algebraic groups.[1][2]
IDEA's core strength lies in its use of three pairwise incompatible group operations on 16-bit sub-blocks: bitwise exclusive-OR (XOR), addition modulo $2^{16}, and multiplication modulo $2^{16} + 1 (with special handling for zero in multiplication).[1][2] These are applied in a generalized Feistel network structure, where each round splits the 64-bit block into four 16-bit sub-blocks and applies a novel "MA-box" transformation for diffusion and confusion, derived from 52 unique 16-bit sub-keys generated by rotating and partitioning the 128-bit user key.[2] Decryption mirrors encryption but uses inverse sub-keys, ensuring the same algorithm works in reverse with minimal additional computation.[2] The design deliberately avoids reliance on any single mathematical structure to resist cryptanalytic attacks like differential and linear cryptanalysis, which were emerging threats at the time.[1]
Commercialized by Ascom Systec Ltd., which held patents on IDEA (Swiss patent PCT/CH91/00117 and international equivalents) until their expiration in 2012, the algorithm saw adoption in secure communications software, notably as the default symmetric cipher in Pretty Good Privacy (PGP) version 2.0 and later releases up to PGP 5.0, replacing the insecure BassOmatic from PGP 1.0.[3] It was also integrated into other tools like early versions of GnuPG under royalty-free licensing terms granted by Ascom for non-commercial use, contributing to its role in promoting email and file encryption during the 1990s.[3]
From a security perspective, the full 8.5-round IDEA remains unbroken by any practical attack better than exhaustive key search across its $2^{128} key space, with only theoretical weaknesses identified for reduced-round variants and rare "weak keys" occurring with negligible probability ($2^{-77}).[2] However, its 64-bit block size imposes fundamental limitations in modern contexts, capping secure data volumes at approximately $2^{32} blocks (about 32 GB) in modes like CBC due to birthday paradox collisions, making it unsuitable for high-volume encryption without modes providing integrity or larger effective blocks.[4] As a result, IDEA has been largely supplanted by AES and other 128-bit block ciphers in standards like OpenPGP (RFC 4880), though it retains historical significance and occasional use in legacy systems.[3]
History and Development
Origins and Designers
The International Data Encryption Algorithm (IDEA) was designed by Xuejia Lai, a Chinese cryptographer, and James L. Massey, an American cryptographer and professor at the Swiss Federal Institute of Technology in Zurich (ETH Zurich).[5][6] Their collaboration stemmed from Lai's doctoral work under Massey's supervision at ETH Zurich, where Lai's PhD thesis focused on the design principles and security analysis of block ciphers, including the foundational Lai-Massey scheme that underpins IDEA's structure.[6][7]
Development of the algorithm began in the late 1980s as part of broader research at ETH Zurich into secure symmetric-key block ciphers capable of replacing aging standards like the Data Encryption Standard (DES).[5] Initially proposed in 1990 as the Proposed Encryption Standard (PES), the cipher evolved through iterative improvements informed by emerging cryptanalytic techniques.[5] By 1991, an enhanced version named the Improved Proposed Encryption Standard (IPES) was introduced, which was later renamed IDEA to reflect its international applicability and finalized design.[8]
The primary motivation for IDEA's creation was to overcome DES's vulnerabilities, including its 56-bit effective key length, which was increasingly susceptible to brute-force attacks, and to provide robust protection against newly discovered threats such as differential cryptanalysis, introduced by Eli Biham and Adi Shamir in 1990 and subsequently analyzed by Lai, Massey, and collaborator Sean Murphy in their refinement of PES.[8] To ensure long-term security, the designers specified a 128-bit key size, significantly extending resistance to exhaustive search compared to DES, while maintaining a 64-bit block size for compatibility with existing systems.[8] This focus on algebraic diversity and resistance to known attacks positioned IDEA as a forward-looking alternative in the evolving landscape of symmetric cryptography.[6]
Evolution from PES
The Proposed Encryption Standard (PES), introduced by Xuejia Lai and James L. Massey in 1990, served as the direct predecessor to the International Data Encryption Algorithm (IDEA). PES was a symmetric-key block cipher operating on 64-bit plaintext blocks using a 128-bit key, incorporating three key algebraic operations—modular addition, bitwise XOR, and modular multiplication—to achieve confusion and diffusion through an iterated structure based on the Lai-Massey scheme. This design emphasized mixing incompatible group operations to resist known cryptanalytic attacks at the time, marking an early application of the Lai-Massey paradigm in block cipher construction.[7]
Following the discovery of differential cryptanalysis by Eli Biham and Adi Shamir in 1990, which demonstrated vulnerabilities in PES after just a few rounds, Lai and colleagues refined the algorithm to enhance its resistance. The resulting improvements, developed between 1990 and 1991, introduced targeted modifications to the round function and key schedule, increasing the number of rounds from PES's 8 full rounds to IDEA's 8.5 rounds (eight full rounds plus a final half-round output transformation) to promote better avalanche effects and diffusion properties. These changes ensured that IDEA maintained the core operations of modular addition (modulo $2^{16}), XOR, and multiplication (modulo $2^{16} + 1) while fortifying the cipher against differential attacks requiring significantly more chosen plaintexts. The first full specification of IDEA, originally termed the Improved Proposed Encryption Standard (IPES), was published by Lai, Massey, and Sean Murphy in 1991 at EUROCRYPT '91.
IDEA's development also involved patent protection to support its commercialization. An initial patent application was filed in Switzerland on May 18, 1990 (CH A 1690/90), followed by filings in the United States on May 16, 1991 (leading to US Patent 5,214,703, issued May 25, 1993) and Europe on the same date (EP 0482154 B1, issued June 30, 1993).[9] These patents covered the specific round structure and key derivation process, enabling licensed implementations in standards like ISO/IEC 9979. Later evolutions, such as IDEA NXT introduced in 2005 as a patented extension with a wider block size and additional nonlinear components, built on this foundation but addressed emerging threats like advanced linear cryptanalysis.
Design Principles
Cipher Specifications
The International Data Encryption Algorithm (IDEA) is a symmetric-key block cipher that employs a modified Lai-Massey scheme to process data securely.[5] This structure combines bitwise operations, modular addition, and modular multiplication to achieve confusion and diffusion, distinguishing it from Feistel-based designs like DES.[10]
IDEA operates on fixed-size blocks of 64 bits for both plaintext input and ciphertext output, dividing each block into four 16-bit sub-blocks or words for internal processing.[5] The cipher uses a 128-bit key, which is expanded into 52 16-bit subkeys to drive the transformations across its rounds.[11] It consists of eight full rounds followed by a final output transformation, often described as 8.5 rounds in total, providing a balance between computational efficiency and resistance to cryptanalytic attacks.[12]
The design of IDEA prioritizes a harmonious integration of security, processing speed, and implementation simplicity, making it suitable for both software and hardware environments prevalent in the early 1990s.[5] Unlike DES, which shares the same 64-bit block size but relies on a shorter 56-bit effective key length, IDEA's 128-bit key was engineered to withstand brute-force attacks feasible with the era's computational resources.[11]
Core Operations
The International Data Encryption Algorithm (IDEA) employs three fundamental algebraic operations on 16-bit sub-blocks to achieve its transformations: bitwise XOR (denoted ⊕), modular addition (denoted ⊞), and modular multiplication (denoted ⊠). These operations are applied to mix plaintext sub-blocks with key sub-blocks, ensuring both confusion and diffusion in the cipher's design. Developed by Xuejia Lai and James L. Massey, these primitives were selected for their computational efficiency on 16-bit processors common in the early 1990s, while providing incompatible algebraic structures that resist straightforward algebraic attacks.[2]
Bitwise XOR (⊕) performs bit-by-bit addition modulo 2 without carry, combining two 16-bit words such that each output bit is 1 if the corresponding input bits differ. Formally, for 16-bit words a = (a_{15}, \dots, a_0) and b = (b_{15}, \dots, b_0) in binary, the result is a \oplus b = (a_{15} \oplus b_{15}, \dots, a_0 \oplus b_0), where \oplus denotes modulo-2 addition. This operation draws from the vector space over GF(2), enabling linear mixing of bits essential for initial diffusion.[2]
Modular addition (⊞) adds two 16-bit words modulo $2^{16} = 65{,}536, wrapping around to prevent overflow beyond 16 bits. It is defined as:
a \boxplus b =
\begin{cases}
a + b & \text{if } a + b < 2^{16}, \\
a + b - 2^{16} & \text{otherwise}.
\end{cases}
This ring operation (from \mathbb{Z}/2^{16}\mathbb{Z}) introduces carry effects that propagate changes across bits, contributing to avalanche-like diffusion.[2]
Modular multiplication (⊠) multiplies two 16-bit words modulo $2^{16} + 1 = 65{,}537, a Fermat prime ensuring the multiplicative group is a field. To handle zero, which lacks an inverse, 0 is mapped to $2^{16} before multiplication, and if the result equals $2^{16}, it is remapped to 0. Formally:
a \boxtimes b = (a \cdot b) \mod (2^{16} + 1),
with the mapping $0 \mapsto 2^{16} and $2^{16} \mapsto 0. For decryption, the modular inverse of a non-zero sub-key is computed using the extended Euclidean algorithm, as the modulus's primality guarantees invertibility. This operation, from the multiplicative group of \mathbb{Z}/(2^{16}+1)\mathbb{Z}, provides non-linear mixing incompatible with XOR and addition.[2]
The choice of these operations ensures non-commutativity and incompatibility between algebraic groups—XOR in a vector space over GF(2), addition in a ring of characteristic $2^{16}, and multiplication in a field of characteristic 65{,}537—promoting thorough intermixing of data and keys to thwart cryptanalytic attacks relying on algebraic structure. Their implementation is straightforward in hardware and software, with multiplications optimized via table lookups or shifts on 16-bit architectures.[2]
Encryption Process
Round Structure
The International Data Encryption Algorithm (IDEA) processes a 64-bit plaintext block through 8 full rounds followed by a half-round output transformation, utilizing a Lai-Massey scheme to ensure balanced diffusion and confusion via three incompatible group operations: bitwise XOR (⊕), addition modulo $2^{16} (+), and multiplication modulo $2^{16} + 1 (×). The plaintext is split into four 16-bit words P_1, P_2, P_3, P_4. Each full round employs six 16-bit subkeys K_1 to K_6, transforming the input words into output words for the next iteration, while the half-round uses four additional subkeys to finalize the 64-bit ciphertext C_1 C_2 C_3 C_4. This structure promotes security by mixing operations that do not commute or associate, preventing algebraic simplifications in cryptanalysis. For multiplication modulo $2^{16} + 1 = 65537, if an operand is 0 it is replaced by $2^{16}; if the result is $2^{16} it is replaced by 0, ensuring the operation is a bijection on 16-bit words.[2]
In a full round, the transformation begins with key mixing on the input words:
- Compute Y_1 = P_1 \times K_1
- Compute Y_2 = P_2 + K_2
- Compute Y_3 = P_3 + K_3
- Compute Y_4 = P_4 \times K_4
Next, XOR the results from opposite halves to form inputs to the round's core:
- Y_5 = Y_1 \oplus Y_3
- Y_6 = Y_2 \oplus Y_4
The central component is the key-dependent MA-box (multiplication-addition box), a 2×2 structure that applies the remaining subkeys to Y_5 and Y_6 for nonlinear diffusion:
- Y_7 = Y_5 \times K_5
- Y_8 = Y_6 + Y_7
- Y_9 = Y_8 \times K_6
- Y_{10} = Y_7 + Y_9
The MA-box outputs Y_9 and Y_{10}, which are then XORed with the initial transformed words to produce the round outputs, with the middle two crossed:
- P'_1 = Y_1 \oplus Y_9
- P'_2 = Y_3 \oplus Y_9
- P'_3 = Y_2 \oplus Y_{10}
- P'_4 = Y_4 \oplus Y_{10}
These P'_i become the inputs to the subsequent round. The MA-box's crossed operations ensure that a single-bit change in input affects all output bits with high probability, achieving full diffusion in minimal steps.[2]
The logical flow of the MA-box can be diagrammed as: compute Y_7 = Y_5 \times K_5, add Y_6 to Y_7 to get Y_8, multiply Y_8 by K_6 to get Y_9, add Y_9 to Y_7 to get Y_{10}; the outputs Y_9 and Y_{10} then cross-XOR with the pre-MA transformed words to balance the halves.[2]
After 8 full rounds, the half-round (output transformation) applies a truncated version without the central XORs or MA-box, using subkeys K_{49} to K_{52}, with crossed additions:
- C_1 = P_1 \times K_{49}
- C_2 = P_3 + K_{50}
- C_3 = P_2 + K_{51}
- C_4 = P_4 \times K_{52}
where the P_i are the outputs from the 8th round. This simplifies the final step while maintaining consistency with the round operations.[2]
The following pseudocode illustrates one full round (subkeys indexed per round as K{{grok:render&&&type=render_inline_citation&&&citation_id=1&&&citation_type=wikipedia}} to K{{grok:render&&&type=render_inline_citation&&&citation_id=6&&&citation_type=wikipedia}}):
function full_round(P1, P2, P3, P4, K):
Y1 = multiply_mod(P1, K[1]) // × mod 2^16 + 1, with 0 → 2^16 handling
Y2 = add_mod(P2, K[2]) // + mod 2^16
Y3 = add_mod(P3, K[3]) // + mod 2^16
Y4 = multiply_mod(P4, K[4]) // × mod 2^16 + 1, with 0 → 2^16 handling
Y5 = Y1 XOR Y3
Y6 = Y2 XOR Y4
Y7 = multiply_mod(Y5, K[5])
Y8 = add_mod(Y6, Y7)
t1 = multiply_mod(Y8, K[6])
t2 = add_mod(Y7, t1)
P1_new = Y1 XOR t1
P2_new = Y3 XOR t1
P3_new = Y2 XOR t2
P4_new = Y4 XOR t2
return P1_new, P2_new, P3_new, P4_new
function full_round(P1, P2, P3, P4, K):
Y1 = multiply_mod(P1, K[1]) // × mod 2^16 + 1, with 0 → 2^16 handling
Y2 = add_mod(P2, K[2]) // + mod 2^16
Y3 = add_mod(P3, K[3]) // + mod 2^16
Y4 = multiply_mod(P4, K[4]) // × mod 2^16 + 1, with 0 → 2^16 handling
Y5 = Y1 XOR Y3
Y6 = Y2 XOR Y4
Y7 = multiply_mod(Y5, K[5])
Y8 = add_mod(Y6, Y7)
t1 = multiply_mod(Y8, K[6])
t2 = add_mod(Y7, t1)
P1_new = Y1 XOR t1
P2_new = Y3 XOR t1
P3_new = Y2 XOR t2
P4_new = Y4 XOR t2
return P1_new, P2_new, P3_new, P4_new
The overall encryption iterates this 8 times, followed by the half-round.[2]
Key Schedule
The key schedule of the International Data Encryption Algorithm (IDEA) expands the 128-bit master key into 52 distinct 16-bit subkeys used across eight full rounds and a final half-round output transformation. The process begins by loading the 128-bit key into a register and partitioning it into eight consecutive 16-bit words, conventionally denoted as K_1 through K_8. These initial words directly provide the first eight subkeys, extracted sequentially as 16-bit blocks from the register.[2]
To generate subsequent subkeys, the entire 128-bit register undergoes a cyclic left rotation by 25 bits, after which the next eight 16-bit words are extracted in the same manner. This rotation-and-extraction step is repeated eight more times, yielding a total of nine sets of eight subkeys, though only 52 are utilized: six per full round for the eight rounds (48 subkeys) and four for the output transformation. The choice of a 25-bit shift ensures the subkeys are unique and avoids repetition, as the greatest common divisor of 25 and 128 is 1, providing a full cycle through the key material without periodic overlaps.[2]
Subkeys are indexed as Z_i^{(r)} for the i-th subkey in round r, where the first four subkeys in each round (Z_1^{(r)} to Z_4^{(r)}) are used for the initial key mixing (two multiplications and two additions) and the remaining two (Z_5^{(r)}, Z_6^{(r)}) for multiplications in the MA-box. When these multiplication subkeys are zero, they are specially interpreted as $2^{16} (equivalent to -1 \mod 2^{16}+1) during the encryption operations to maintain invertibility, though no adjustment occurs in the schedule itself.[2]
Decryption Process
The decryption process in the International Data Encryption Algorithm (IDEA) mirrors the encryption structure, employing the same sequence of 8 full rounds followed by a half-round output transformation, but with the 52 subkeys applied in reverse order and each subkey inverted according to the operation it governs. This symmetry ensures that applying the decryption steps to ciphertext recovers the original plaintext uniquely. The inversion leverages the algebraic properties of the underlying operations: addition and XOR over \mathbb{Z}/2^{16}\mathbb{Z}, and multiplication over \mathbb{Z}/(2^{16}+1)\mathbb{Z}, where $2^{16}+1 = 65537 is prime, guaranteeing invertibility for nonzero elements.[2]
To prepare the decryption subkeys from those generated for encryption, the sequence is reversed such that the subkeys for the first decryption round derive from the last encryption round's subkeys (and vice versa), with specific inverses applied based on usage. For subkeys involved in multiplication (Z_1, Z_4, Z_5, Z_6 per round), the modular multiplicative inverse is computed modulo $2^{16}+1 using the extended Euclidean algorithm to find Z_i^{-1} such that Z_i^{-1} \cdot Z_i \equiv 1 \pmod{2^{16}+1}. For subkeys in addition (Z_2, Z_3), the additive inverse is taken as -Z_i \mod 2^{16}, effectively replacing addition with subtraction in the decryption round. Subkeys for XOR remain unchanged, as XOR is its own inverse. The final half-round uses the inverted subkeys from the encryption's output transformation (last four subkeys), and the initial decryption transformation uses the inverses of the first four encryption subkeys, adjusted to reverse the input mixing precisely. These inversions are precomputed once per key, yielding the full set of 52 decryption subkeys.[2]
The decryption begins by loading the 64-bit ciphertext into four 16-bit words P_1, P_2, P_3, P_4, which serve as input to the first inverse round using the inverted subkeys from the eighth encryption round. Each full round applies the inverted Lai-Massey transformation: multiplication by the inverse subkey for P_1 and P_4, addition (now subtraction) for P_2 and P_3, followed by the modified addition box (MA-box) with XOR inverses. After 8 such rounds, the half-round inverts the initial encryption transformation by applying the remaining four inverted subkeys in reverse operational order, yielding the plaintext words. The inverse of addition is formally a \ominus b = (a - b) \mod 2^{16}, while inverse multiplication solves for x in x \cdot b \equiv a \pmod{2^{16}+1}. Computations for multiplicative inverses rely on the extended Euclidean algorithm for efficiency, as the modulus is prime. The zero-handling in multiplication is similarly inverted.[2]
The invertibility of the entire process is guaranteed by the Lai-Massey scheme's design, which composes bijective operations from distinct algebraic groups, ensuring that each round and the overall cipher permutation is perfectly reversible without information loss. This structure avoids the need for separate decryption algorithms, as the same core routine suffices with adjusted subkeys, promoting efficient implementations.[2]
Security Analysis
The International Data Encryption Algorithm (IDEA) was designed with inherent resistance to differential cryptanalysis, a technique introduced in 1991 that targets probabilistic relationships between plaintext pairs and their corresponding ciphertexts. By incorporating non-linear operations such as modular multiplication modulo $2^{16} + 1 (the prime 65537), IDEA disrupts the propagation of differences across rounds, making high-probability differentials difficult to exploit. An early analysis by the algorithm's designers demonstrated that breaking the full 8.5-round IDEA via differential cryptanalysis would require approximately $2^{47} chosen plaintexts, a complexity deemed impractical even with 1990s computational resources.
IDEA also exhibits strong resistance to linear cryptanalysis, which seeks linear approximations between plaintext, ciphertext, and key bits to recover the key with fewer known plaintexts than brute force. The use of modular multiplications in its core operations introduces non-linearity that breaks potential linear approximations, as these operations do not preserve linearity in the same way as XOR or addition alone. Studies have confirmed that the probability of useful linear trails in IDEA is sufficiently low to prevent effective key recovery attacks, with the best approximations yielding biases too small for practical exploitation across the full cipher.
The most advanced known attack on the full IDEA remains the biclique cryptanalysis, introduced in 2012, which extends meet-in-the-middle techniques using biclique structures to partition the key space more efficiently. This attack achieves a time complexity of $2^{126.1} operations for recovering a 128-bit key, requiring $2^{126.1} data and negligible memory beyond that, representing only a minor improvement over exhaustive search ($2^{128}). As of 2025, this remains infeasible with current or foreseeable hardware, affirming IDEA's security margin against generic key-recovery methods.[13]
Other cryptanalytic efforts have targeted reduced-round variants of IDEA but have not threatened the full design. For instance, a meet-in-the-middle attack on 6-round IDEA achieves key recovery with a time complexity of approximately $2^{112} encryptions and 16 known plaintexts, while attacks on 7.5-round IDEA require $2^{114} time and $2^{63} chosen plaintexts. No full-round practical breaks have emerged, with all known attacks limited to theoretical demonstrations on fewer rounds.[12]
A theoretical limitation arises from IDEA's 64-bit block size, which exposes it to birthday attacks in modes like CBC after approximately $2^{32} blocks of data (about 32 GB), potentially allowing collisions that leak information. However, this bound pertains to mode-of-operation security rather than the cipher's key strength and can be mitigated by key rotation or using authenticated modes, leaving the core algorithm secure.[14]
Recent academic assessments as of 2025 continue to view the original IDEA as unbroken against standard cryptanalysis, though proposals for enhancements—such as integrating chaotic maps like the Hanon map into key generation or round functions—aim to further bolster resistance for specific applications like audio encryption. These modifications expand the effective key space and diffusion properties without altering the base structure. Exceptions like weak keys exist but are addressed separately and do not undermine the general resistance profile.[15][16]
Weak Keys and Vulnerabilities
In 1993, researchers identified classes of weak keys in the International Data Encryption Algorithm (IDEA) due to its simple key schedule, where certain 128-bit keys cause subkeys in specific rounds to become all zeros or all ones, resulting in linear relations that simplify cryptanalysis.[17] These weak keys arise from patterns such as repeated 16-bit words or large numbers of zero bits in the key, with one prominent class containing approximately $2^{51} keys that exhibit differential weaknesses.[17] Subsequent analysis expanded this to additional classes totaling up to $2^{64} weak keys overall.
The impact of these weak keys enables distinguishing attacks on the full cipher or key recovery on reduced-round variants with low computational effort; for instance, membership in the primary $2^{51}-key class can be tested using just two encryptions and solving a system of 16 nonlinear Boolean equations involving 12 variables, achievable in roughly $2^{32} operations.[17] Such vulnerabilities stem directly from the key schedule's lack of diffusion, allowing attackers to exploit predictable subkey structures without requiring extensive data.
To mitigate these issues, the original analysis proposed minor modifications to the key schedule, such as introducing additional bit rotations or permutations to ensure full key diffusion across subkeys and eliminate the linear relations in all rounds.[17] Alternative redesigns, including enhanced round constants or nonlinear transformations in the schedule, have also been suggested to prevent weak key formation while preserving IDEA's efficiency.[18]
Beyond weak keys, IDEA's 64-bit block size introduces risks in certain modes of operation for high-volume data; encrypting more than approximately $2^{32} blocks (about 32 GB) under the same key can lead to ciphertext collisions via the birthday paradox, potentially enabling attacks that recover plaintext information, as demonstrated in analyses of similar 64-bit ciphers.[19] IDEA itself has no inherent major side-channel vulnerabilities in its design, though implementations must address timing or power analysis risks common to block ciphers.[20]
Given the $2^{128} key space, the probability of randomly selecting a weak key is about $2^{-64}, rendering them negligible for most practical uses with strong random key generation. These mitigations and the low incidence make modified versions of IDEA suitable for legacy applications where compatibility is prioritized over adopting newer algorithms.[18]
Implementations and Usage
Patent Status and Availability
The International Data Encryption Algorithm (IDEA) was protected by key patents filed in the early 1990s. The primary U.S. patent, No. 5,214,703, was filed on January 7, 1992, by inventors Xuejia Lai and James L. Massey, and granted on May 25, 1993, to assignee Ascom Tech AG of Switzerland. A corresponding European patent, No. EP 0482154 B1, was filed on May 16, 1991, and granted on June 22, 1994.
Ownership of the patents was initially held by Ascom Tech AG, with licensing responsibilities later transferred to MediaCrypt AG, a related entity focused on cryptographic solutions. Prior to expiration, commercial implementations required licensing fees from MediaCrypt AG, while non-commercial use was permitted without charge; for instance, Pretty Good Privacy (PGP) version 2.0 incorporated IDEA under a non-commercial license agreement with Ascom.[21]
The patents have since expired, rendering IDEA fully available in the public domain worldwide. The European patent expired on May 16, 2011, and the U.S. patent on January 7, 2012, eliminating all royalty obligations for both commercial and non-commercial applications.[22]
Open-source implementations of IDEA are now freely available in established cryptographic libraries. The OpenSSL library provides support for IDEA through its legacy provider, enabling symmetric encryption via the EVP_CIPHER-IDEA interface.[23] Similarly, the Crypto++ C++ library includes a dedicated IDEA class for block cipher operations.
Reference implementations derive from the original algorithm description, including pseudocode outlined in the 1991 proposal paper by Lai and Massey. No standardized hardware acceleration specifications exist for IDEA, though software optimizations are common in modern libraries.
Modern Applications and Legacy Use
The International Data Encryption Algorithm (IDEA) saw early adoption as the default symmetric cipher in Pretty Good Privacy (PGP) version 2.0, released in 1992, where it replaced the insecure BassOmatic algorithm from PGP 1.0 to enable secure email and file encryption.[24] This integration positioned IDEA as a key component in pioneering open-source privacy tools during the 1990s, supporting encrypted communications in early secure email systems and file protection applications.[24]
In the OpenPGP standard defined by RFC 4880, IDEA is listed as an optional symmetric-key algorithm (ID 1) for backward compatibility with legacy PGP implementations, such as those from version 2.6 and earlier, but implementations are not required to generate new content using it and should prefer stronger alternatives like AES or CAST5.[3]
As of 2025, IDEA is rarely deployed in new systems due to its 64-bit block size, which exposes it to practical birthday attacks like SWEET32 when encrypting large volumes of data, making exhaustive search over 2^64 possibilities increasingly feasible with modern computational resources.[14] It has been superseded by the Advanced Encryption Standard (AES) with 128-bit or 256-bit keys, which offers superior security and was selected by NIST in 2001 as the federal block cipher standard, while IDEA received no such approval for U.S. government use. Modern protocols like TLS prioritize larger block sizes to mitigate collision risks, contributing to IDEA's decline, as 64-bit ciphers are deprecated in TLS configurations to prevent vulnerabilities in extended data streams.[25]
Despite its obsolescence, IDEA persists in legacy contexts, including optional support in GnuPG versions 1.4.13 and later (via Libgcrypt 1.6) for decrypting archived PGP data, as well as in some embedded systems and academic cryptographic tools where compatibility with historical implementations is needed.[26] Originally designed for efficiency on resource-constrained 16-bit processors—where its operations like modular multiplication modulo 65,537 enable strong diffusion with relatively low overhead compared to contemporaries like DES—IDEA performs slower than AES on 64-bit hardware today, lacking dedicated instruction set support like AES-NI that accelerates modern bulk encryption.[27]