
SECURITY AND COMMUNICATION NETWORKS

Security Comm. Networks 2016; 9:2093–2099


Published online 17 February 2016 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1465

RESEARCH ARTICLE

On the estimation of the second largest eigenvalue of Markov ciphers

Weijia Xue¹, Tingting Lin¹, Xin Shun¹, Fenglei Xue² and Xuejia Lai¹*
¹ Institute of Cryptology and Information Security, Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
² Department of Mathematics, Shanghai Jiao Tong University, Shanghai 200240, China

ABSTRACT
Differential cryptanalysis is an effective tool in modern cryptanalysis. The differential chain of a Markov cipher forms
a Markov chain, and the second largest eigenvalue (SLE) of the transition matrix determines the number of iterations
such that the Markov cipher can resist differential cryptanalysis. Owing to the huge scale of the transition matrix, it is
infeasible to compute the SLE. Thus, an estimation method would be desirable. We find two methods to estimate the
SLE by using the elements of the row-stochastic matrix in the literature. Their advantage is parallel computing, without
generating the complete matrix. We apply these two methods to the transition matrix of International Data Encryption
Algorithm(8) and investigate the accuracy of such estimation. Because the International Data Encryption Algorithm is
a primitive Markov cipher, its transition matrix will converge to a uniform distribution. We use the power of the initial
transition matrix to estimate the SLE for different numbers of rounds and compare the results. The errors of the estimation
will be acceptable after several rounds when there are fewer zero elements in the transition matrix and the distribution is
more uniform. Moreover, we present a simple relation between the SLE and the number of iterations that the Markov
cipher requires against differential cryptanalysis and show the necessary condition of the matrix decomposition method.
Copyright © 2016 John Wiley & Sons, Ltd.

KEYWORDS
Markov cipher; transition matrix; the second largest eigenvalue; differential cryptanalysis; block cipher; IDEA
*Correspondence
Xuejia Lai, 3-423 SEIEE Building, 800 Dong Chuan Rd, Minhang District, Shanghai, 200240, China.
E-mail: lai-xj@cs.sjtu.edu.cn

1. INTRODUCTION

With the fast development of communication and internet technologies, the phase of fifth-generation mobile networks or fifth-generation wireless systems (5G) is coming [1], cloud-assisted vehicular delay tolerant networks (DTNs) have been utilized in wide-ranging applications [2], and Internet of Things is playing a more and more important role after its showing up [3,4]. For all of them, security is an issue worth considering. While cryptography is the foundation of security, cryptanalysis is another important branch of cryptology. As an important part of symmetric key cryptography, the block cipher is a core component of some cryptographic systems, such as data encryption, message authentication, and key management.

The block cipher IDEA (acronym of International Data Encryption Algorithm) [5,6] is a 64-bit block-iterated cipher with 128-bit key, based on the design concept of mixing operations from different algebraic groups. According to the definition of IDEA, we can also employ group operations for smaller groups, such as 2-bit, 4-bit, and 8-bit integers; thus, we have mini versions of IDEA, that is, IDEA(8), IDEA(16), and IDEA(32).

There are many analyses and attacks on IDEA in the literature. Khovratovich et al. [7] applied and extended the biclique framework to IDEA. Sequentially, for the first time, they described an approach to noticeably speeding up key recovery for the full 8.5-round IDEA. Other attacks on reduced IDEA include key-dependent attack [8], higher-order differential-linear attack [9], linear attack [9,10], meet-in-the-middle attack [11–13], and impossible differential attack [14].

Differential cryptanalysis, proposed by Biham and Shamir [15], is a chosen plaintext attack to find the secret key of iterated ciphers. It deploys a high-probability differential $(\alpha, \beta)$, where $\alpha$, $\beta$ are the difference of the plaintexts and that of their corresponding ciphertexts, respectively.


Markov cipher [5] was introduced to analyze the security of IDEA against differential cryptanalysis. If an iterated cipher is a Markov cipher and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. Thus, we can denote the element of the transition matrix as the probability of the differential. The complexity of differential cryptanalysis attack will increase exponentially with the round number, and the complexity is directly related to the eigenvalue of the transition matrix. The second largest eigenvalue (SLE) of the transition matrix has the second largest magnitude, and it determines the number of iterations that the Markov cipher requires against differential cryptanalysis.

In numerical analysis, one of the most important problems is designing efficient and stable algorithms for finding the eigenvalues of a matrix. The QR algorithm [16], the power method [16], and the subspace iteration algorithm [17] are all methods of computing eigenvalues. The QR algorithm can be used to compute all the eigenvalues of a matrix, but for a large scale matrix, it is very time-consuming. The power method is a classic algorithm to compute the largest eigenvalue of a matrix, and combined with some other techniques, it can compute some specific eigenvalues. The subspace iteration algorithm can be viewed as a block generalization of the power method.

Chen et al. [18] compared the aforementioned three algorithms and concluded that the subspace iteration algorithm is the better choice. They deployed the subspace iteration algorithm to calculate the SLE and showed that IDEA(16) is secure against differential cryptanalysis after five rounds while IDEA(8) needs seven rounds. Their computation on IDEA(16) took several days, and only the transition matrix for one round was generated. It is difficult to compute the SLE of the transition matrix for more than one round, because these methods all need to generate the complete transition matrix and the multiplication of matrices becomes a problem. On the other hand, it is hard to improve the time complexity by parallel computation.

Many methods were proposed for computing eigenvalues of the stochastic matrix. However, for the large scale transition matrix in practice, there is no helpful algorithm for computing the SLE, so it is necessary to study the estimation method for the SLE.

1.1. Contributions

In this paper, we first present a simple relation between the SLE and the number of iterations that the Markov cipher requires against differential cryptanalysis. We show that the necessary condition of the matrix decomposition method [19] is that there is at least one row in the matrix without zero elements. Subsequently, in order to evaluate the applying conditions and estimation results of two existing methods of estimating the SLE, we apply them to IDEA(8) for several rounds. The feasibility of applying these two methods to IDEA(16) and IDEA(32) is also discussed. The advantage of the two methods is parallel computing, without generating the complete transition matrix. But when there are many zero elements or the distribution is not so uniform, the estimation is not helpful.

As an extension to this paper, we encourage researchers to study proper estimating methods of the SLE of the transition matrix. Schmitt and Rothlauf [20] evaluated the eigenvalues of the transition matrix of the Markov chain and proved that the convergence rate of a genetic algorithm is determined by the SLE of the transition matrix. Boyd et al. [21] analyzed the averaging problem under the gossip constraint for an arbitrary network graph and found that the averaging time of a gossip algorithm depends on the SLE of a doubly stochastic matrix characterizing the algorithm.

1.2. Organization

The rest of this paper is organized as follows. Section 2 introduces the background knowledge of Markov ciphers. Section 3 lists the matrix decomposition method and two inequalities for the estimation of the SLE. Section 4 uses the inequalities on the transition matrices of IDEA(8) and discusses the feasibility of applying the methods to IDEA(16) and IDEA(32). Section 5 concludes this paper.

2. MARKOV CIPHERS

In this section, we introduce the definition of Markov ciphers, the transition matrix, together with the relation between the SLE of the transition matrix and the number of iterations for the security against differential cryptanalysis.

2.1. Definition of Markov ciphers

We consider the encryption of a pair of distinct plaintexts by an r-round iterated cipher. The difference $\Delta Y(i)$ between two m-bit blocks $Y(i)$ and $Y^*(i)$ is defined as

$$\Delta Y(i) = Y(i) \otimes Y^*(i)^{-1}$$

where $\otimes$ denotes a specified group operation on the set of m-bit blocks and $Y^*(i)^{-1}$ denotes the inverse of the element $Y^*(i)$ in the group.

From the pair of encryptions, we obtain the sequence of differences

$$\Delta Y(0), \Delta Y(1), \ldots, \Delta Y(r)$$

where $Y(0) = X$ and $Y^*(0) = X^*$ denote the plaintext pair so that $\Delta Y(0) = \Delta X$, $Y(i)$ and $Y^*(i)$ for $(0 < i < r)$ are the outputs of the ith round, which are also the inputs to the (i + 1)th round, and $Y(r)$ and $Y^*(r)$ are the outputs of the rth round. The subkey for the ith round is denoted as $Z^{(i)}$, and f is the round function such that $Y(i) = f\left(Y(i-1), Z^{(i)}\right)$.

A sequence of discrete random variables $v_0, v_1, \ldots, v_r$ is a Markov chain if, for $0 \le i < r$ (where $r = \infty$ is allowed),

$$P(v_{i+1} = \beta_{i+1} \mid v_i = \beta_i, v_{i-1} = \beta_{i-1}, \ldots, v_0 = \beta_0) = P(v_{i+1} = \beta_{i+1} \mid v_i = \beta_i)$$


A Markov chain is called homogeneous if $P(v_{i+1} = \beta \mid v_i = \alpha)$ is independent of $i$ for all $\alpha$ and $\beta$.

Definition 1 ([5]). An iterated cipher with round function f is a Markov cipher if there is a group operation $\otimes$ for defining differences such that, for all choices of $\alpha$ ($\alpha \neq e$), where e is the neutral element of the group, and $\beta$ ($\beta \neq e$),

$$P(\Delta Y = \beta \mid \Delta X = \alpha, X = \gamma)$$

where $Y = f(X, Z)$ and $Y^* = f(X^*, Z)$, is independent of $\gamma$ when the subkey Z is uniformly random, or, equivalently, if

$$P(\Delta Y = \beta \mid \Delta X = \alpha, X = \gamma) = P(\Delta Y(1) = \beta_1 \mid \Delta X = \alpha)$$

for all choices of $\gamma$ when the subkey Z is uniformly random.

Theorem 1 ([5]). If an r-round iterated cipher is a Markov cipher and the r round subkeys are independent and uniformly random, then the sequence of differences $\Delta X = \Delta Y(0), \Delta Y(1), \ldots, \Delta Y(r)$ is a homogeneous Markov chain. Moreover, this Markov chain is stationary if $\Delta X$ is uniformly distributed over the non-neutral elements of the group.

2.2. Transition matrix

For any Markov cipher, let $\Pi$ denote the transition matrix of the homogeneous Markov chain $\Delta X = \Delta Y(0), \Delta Y(1), \ldots, \Delta Y(r)$. The (i, j) entry in $\Pi$ is $P(\Delta Y(1) = \alpha_j \mid \Delta X = \alpha_i)$ where $\alpha_1, \alpha_2, \ldots, \alpha_M$ is some agreed-upon ordering of the M possible values of $\Delta X$ and $M = 2^m - 1$ for an m-bit cipher. Then, for every $r \ge 1$,

$$\Pi^r = \left[p_{ij}^{(r)}\right] = \left[P(\Delta Y(r) = \alpha_j \mid \Delta X = \alpha_i)\right] \qquad (1)$$

The algorithm for computing one-round transition matrix from $\Delta X$ to $\Delta Y$ is described as follows [18]:

Step 1 Select a known plaintext X, then traverse $\Delta X$.
Step 2 For every $\Delta X$, traverse subkey $Z^{(1)}$, compute the corresponding $X^*$, and obtain $\Delta Y$ under $Z^{(1)}$; add the result to the count of the corresponding state.
Step 3 After traversing $Z^{(1)}$, we have obtained the corresponding row; divide the elements of that row by $(2^{6k} - 1)$ to obtain the transition matrix, where k is the length of the subkey.

Note that, six subkeys are used in one round of IDEA.

2.3. Security of Markov ciphers

The transition matrix $\Pi$ is primitive if and only if there is an $r_0$ such that $\Pi^{r_0}$ has a column that contains no zero element. For Markov ciphers with primitive transition matrices, iteration will give rise to secure ciphers against differential cryptanalysis [5].

Lemma 1 ([5]). Suppose the hypothesis of stochastic equivalence is true, then, in an attack on an r-round iterated cipher by differential cryptanalysis, the data complexity

$$\mathrm{Comp}(r) \ge 2 \Big/ \left(p_{\max} - \frac{1}{2^m - 1}\right) \qquad (2)$$

where $p_{\max} = \max_{\alpha} \max_{\beta} P(\Delta Y(r-1) = \beta \mid \Delta X = \alpha)$ and m is the block length of the plaintext. In particular, if $p_{\max} \approx \frac{1}{2^m - 1}$, then a differential cryptanalysis attack will not succeed.

Lemma 2 (Perron-Frobenius Theory, [5]). For a primitive Markov cipher, there is an $\varepsilon$, such that for any non-zero $(\alpha, \beta)$,

$$\left|P(\Delta Y(r) = \beta \mid \Delta X = \alpha) - \frac{1}{2^m - 1}\right| \le o(\varepsilon^r), \quad |\varepsilon| < 1 \qquad (3)$$

By Lemmas 1 and 2, we obtain the following theorem. It describes a simple relation between the SLE and the number of iterations for the security against differential cryptanalysis.

Theorem 2. Let $\lambda_2$ denote the SLE of the transition matrix; if $r_0$ is the smallest integer such that

$$\lambda_2^{r_0 - 1} \le 2^{-(m-1)} \qquad (4)$$

then the Markov cipher is practically secure against a differential cryptanalysis attacker after r rounds for all $r > r_0$.

Proof. Replace r by $r_0 - 1$ in (3), and let $\varepsilon$ be $\lambda_2$,

$$\left|P(\Delta Y(r_0 - 1) = \beta \mid \Delta X = \alpha) - \frac{1}{2^m - 1}\right| \le \lambda_2^{r_0 - 1}$$

use the same definition $p_{\max}$ in Lemma 1 and (4),

$$p_{\max} - \frac{1}{2^m - 1} \le 2^{-(m-1)}$$

by Lemma 1, $\mathrm{Comp}(r) \ge 2^m$. The attack requires about $2^m$ plaintexts, which means the entire mapping defined by the encryption function is known.

3. ESTIMATION OF THE EIGENVALUE

In this section, we discuss the matrix decomposition method that can determine the modulus of the SLE, the requirement for the decomposition, and two inequalities for the estimation of the SLE.


3.1. The matrix decomposition method

The matrix decomposition method [19] can determine the modulus of the SLE.

Lemma 3 ([19]). Let P be an $n \times n$ row-stochastic matrix. Let c be a real number such that $0 \le c \le 1$. Let E be the $n \times n$ rank-one row-stochastic matrix $E = ev^T$, where e is the n-vector whose elements are all $e_i = 1$ and v is an n-vector that represents a probability distribution.
Define the matrix $A = [cP + (1 - c)E]^T$. Its SLE $|\lambda_2| \le c$.

Lemma 4 ([19]). Further, if P has at least two irreducible closed subsets, then the SLE of A is given by $\lambda_2 = c$.

Thus, if we find a decomposition for A like this, we can determine the estimation of the SLE by c.

Theorem 3. If a matrix A has a decomposition $A = [cP + (1 - c)E]^T$, where $c \neq 1$, then there is at least one row without zero elements.

Proof. As $A = [cP + (1 - c)E]^T$, for any i, j, $A_{ji} = cP_{ij} + (1 - c)E_{ij}$.
And for P and E are both row-stochastic matrices, whose elements are nonnegative, we can obtain $A_{ji} \ge (1 - c)E_{ij}$.
For $E = ev^T$, the elements in each column of E are equal; thus, we conclude that for any j, $(1 - c)E_{ij}$, i.e., $(1 - c)v_j$, is less than or equal to the minimum of the jth row of A.
As a result, if the minima in every row of A are zero, then all the elements of E (i.e., v) are zero. So, there is at least one row of A without zero elements.

Note that, the initial transition matrix of IDEA(8) has zero elements in every row, so we can not estimate its SLE by this method.

3.2. Estimation of the second largest eigenvalue

E. Seneta introduced the estimation of the SLE of the row-stochastic matrix [22].

Theorem 4 ([22]). Let $A = \{a_{ij}\}_{i,j=1}^{n}$ be a matrix with constant row sums a, and suppose $\lambda$ is an eigenvalue of A other than a. Then

$$|\lambda| \le \frac{1}{2} \max_{i,j} \sum_{s=1}^{n} |a_{is} - a_{js}| \qquad (5)$$

Moreover, the right-hand bound may be written in either of the alternative forms

$$a - \min_{i,j} \sum_{s=1}^{n} \min(a_{is}, a_{js}), \qquad \max_{i,j} \sum_{s=1}^{n} \max(a_{is}, a_{js}) - a \qquad (6)$$

A bound generally weaker, in view of (6),

$$|\lambda| \le \min\left\{ a - \sum_{s=1}^{n} \min_i a_{is},\ \sum_{s=1}^{n} \max_i a_{is} - a \right\} \qquad (7)$$

was obtained by Brauer (1971), and partially by Lynn and Timlake [23].

From (7), we know that SLE is less than or equal to a minus the sum of the minimum in each column and is also less than or equal to the sum of the maximum in each column minus a. The estimation of (5) is more accurate, the SLE is not more than half of the maximal Manhattan distance between any two rows.

The time complexity of (5) is $O(n^3)$, while that of (7) is only $O(n^2)$.

Considering parallel computing, given the complete transition matrix, we can compute the Manhattan distance with other rows for each row and then seek out the maximal one, so (5) can be parallel computed. For (7), every column can be sorted independently, having high parallelism. Although the time complexity is the same with the power method and the subspace iteration algorithm, as the high parallelism, it can save much time in computing.

In order to compute the SLE, both the power method and the subspace iteration algorithm need to generate the complete transition matrix. However, using (7) to estimate the SLE, we can keep only the current row, rather than the whole matrix, and refresh temporary variables recording the minimum and maximum of each column. As a result, it can save much space complexity.

4. EXPERIMENTAL RESULTS

In this section, we respectively use (5) and (7) on the transition matrices of mini IDEA(8) and evaluate them. The applicability of the method on the transition matrices of IDEA(m), like IDEA(16), IDEA(32), and IDEA(64), is also discussed.

4.1. Results for IDEA(8)

We used a CPP (C++, a programming language) program to get the transition matrix of different round numbers and then computed the actual value of the SLE via MATLAB, both on an ordinary PC. At the same time, we used (5) and (7) on the matrices and got the estimation of the SLE, then compared them with the actual ones.

As the initial transition matrix is very sparse, there is no helpful estimation. The transition matrix for two rounds is the square of the initial matrix, and that for three rounds is the cube of the initial matrix and so on. Because of the primitivity of IDEA, the number of zero elements in the transition matrix will greatly reduce after several rounds, and the estimating will work. In this case, we can analyze the SLE estimation and its property.
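The following is an added example, not the authors' C++/MATLAB code: it evaluates bounds (5) and (7) on successive powers of a one-round matrix and converts an estimate into a round count with (8) and Theorem 2. The 4×4 circulant matrix is constructed for illustration (its SLE modulus is known to be √0.5), and all function names are assumptions of this sketch.

```python
import math
from itertools import combinations

# Constructed 4x4 circulant row-stochastic matrix (not IDEA data). Its
# eigenvalues are 0.5 * (1 + i**k), so the SLE modulus is sqrt(0.5).
P = [[0.5, 0.5, 0.0, 0.0],
     [0.0, 0.5, 0.5, 0.0],
     [0.0, 0.0, 0.5, 0.5],
     [0.5, 0.0, 0.0, 0.5]]
TRUE_SLE = math.sqrt(0.5)


def bound7(rows, a=1.0):
    """Bound (7) from one pass over the rows, keeping only column min/max."""
    col_min, col_max = None, None
    for row in rows:  # only the current row is needed at any time
        if col_min is None:
            col_min, col_max = list(row), list(row)
            continue
        for s, x in enumerate(row):
            col_min[s] = min(col_min[s], x)
            col_max[s] = max(col_max[s], x)
    return a - sum(col_min), sum(col_max) - a


def bound5(matrix):
    """Bound (5): half the largest Manhattan distance between two rows."""
    return 0.5 * max(sum(abs(x - y) for x, y in zip(ri, rj))
                     for ri, rj in combinations(matrix, 2))


def mat_pow(matrix, r):
    """r-round transition matrix as the r-th power of the one-round matrix."""
    result = matrix
    cols = list(zip(*matrix))
    for _ in range(r - 1):
        result = [[sum(x * y for x, y in zip(row, col)) for col in cols]
                  for row in result]
    return result


def rounds_needed(estimate_r, r, m):
    """Per-round SLE by (8), then the real-valued r0 meeting (4) with equality."""
    if estimate_r >= 1.0:
        return math.inf  # vacuous bound, as in the first row of Table II
    if estimate_r <= 0.0:
        raise ValueError("estimate must be positive")
    lam2 = estimate_r ** (1.0 / r)
    return 1.0 + (m - 1) * math.log(2.0) / -math.log(lam2)


def report(max_rounds=4):
    """(r, bound (7) by minima, bound (5), true SLE of P^r) for each r."""
    out = []
    for r in range(1, max_rounds + 1):
        power = mat_pow(P, r)
        by_min, _by_max = bound7(iter(power))
        out.append((r, by_min, bound5(power), TRUE_SLE ** r))
    return out


if __name__ == "__main__":
    for r, b7, b5, true in report():
        print(f"r={r}  (7)={b7:.4f}  (5)={b5:.4f}  true={true:.4f}")
    # Values quoted on the page for IDEA(8), m = 8: the actual SLE 0.4421
    # and the two-round estimate 0.962891 from Table I.
    print(rounds_needed(0.4421, 1, 8), rounds_needed(0.962891, 2, 8))
```

On the constructed matrix both bounds equal 1 for one round because every column contains a zero, and they only become informative for higher powers, which mirrors the behaviour reported for the sparse one-round matrix of IDEA(8).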


The smallest model of IDEA is IDEA(8) with 8-bit block size; thanks to its small scale, we can do most of the computation and operation. The scale of the transition matrix of IDEA(8) is $255 \times 255$, and by choosing data type double for the matrix elements, the whole matrix (512 kB) can be stored in memory.

The key space of IDEA(8) is $(0, 2^{12} - 1)$, with size 4096, and the space of the difference is $(0, 2^{8} - 1)$, with size 256. So, the computational scale of the initial transition matrix is $4096 \times 256 = 2^{20}$. The time complexity of matrix multiplication is $256 \times 256 \times 256 = 2^{24}$. They both can be computed by an ordinary PC.

We use (7) on the transition matrices for each round number of IDEA(8) and get the estimation of the SLE. Details are in Table I.

Table I. The estimations of the second largest eigenvalue by (7) and the actual values.

| Rounds | $1 - \sum_{s=1}^{n} \min_i a_{is}$ | $\sum_{s=1}^{n} \max_i a_{is} - 1$ | Actual |
|---|---|---|---|
| 1 | 1 | 17.0625 | 0.4421 |
| 2 | 0.962891 | 4.521729 | 0.1954 |
| 3 | 0.488518 | 1.407959 | 0.0864 |
| 4 | 0.205088 | 0.523334 | 0.0382 |
| 5 | 0.090842 | 0.201441 | 0.0169 |
| 6 | 0.038945 | 0.075363 | 0.0075 |
| 7 | 0.017728 | 0.031929 | 0.0033 |
| 8 | 0.008231 | 0.012959 | 0.0015 |

From Table I, the actual value of the SLE is always less than $1 - \sum_{s=1}^{n} \min_i a_{is}$ and $\sum_{s=1}^{n} \max_i a_{is} - 1$, which means this method can be used to estimate the SLE in practice. We further compare $1 - \sum_{s=1}^{n} \min_i a_{is}$ and $\sum_{s=1}^{n} \max_i a_{is} - 1$. The estimation by the minimum is always less than the estimation by the maximum in the same row, so it is obvious that using the minimum to estimate is more effective. In the second row (i.e., two rounds), the value of $1 - \sum_{s=1}^{n} \min_i a_{is}$ is less than 1, which means there is at least one row of the transition matrix without zero elements. We can get helpful estimations from the second round, and as the round number increases, the estimation will be more accurate. Because of the primitivity of IDEA, the transition matrix is more and more uniform; thus, the estimation is more and more effective, as shown in Figure 1.

Figure 1. The estimations of the second largest eigenvalue by (7) and the actual values.

The main use of the SLE is to estimate the security of the Markov cipher against a differential cryptanalysis and determine the number of iterations.

According to the SLE estimation in Table I and Theorem 2, we estimate the number of iterations. Here, we compare all the SLE estimations for one round, that is to say, the SLE of the transition matrix $\Pi$ is computed from the estimation of $\Pi^r$ for r rounds (estimated by the minimum, the second column of Table I),

$$\lambda_2 = \sqrt[r]{\lambda_2'} \qquad (8)$$

where $\lambda_2$ is the SLE of $\Pi$ and $\lambda_2'$ is the SLE estimation of $\Pi^r$. For comparison, the number of iterations estimated by the actual value of $\lambda_2$ (0.4421) is 6.944518818.

Table II. The estimations of the number of iterations by (7).

| Rounds | $\lambda_2$ (estimation) | $r_0$ |
|---|---|---|
| 1 | 1 | $+\infty$ |
| 2 | 0.981270095 | 257.61892726 |
| 3 | 0.787577904 | 21.318981420 |
| 4 | 0.672953510 | 13.250156876 |
| 5 | 0.618952523 | 11.114154939 |
| 6 | 0.582204134 | 9.969724479 |
| 7 | 0.562093463 | 9.422389498 |
| 8 | 0.548822080 | 9.086973590 |

In Table II, there are great errors in the first two rows. There are still some errors in the third row, about three times of the actual value. Until the sixth row, the errors are acceptable. However, there is no zero element in the transition matrix for three rounds. In addition, it means that there is no impossible differential of IDEA(8) longer than two rounds when the subkey is uniformly random.

So, if one wants to use this method to estimate the SLE, it is better to ensure that there is no zero element in the transition matrix.

Then, we use (5) to estimate as well.

Table III. The estimations of the second largest eigenvalue by (5) and the actual values.

| Rounds | $\frac{1}{2} \max_{i,j} \sum_{s=1}^{n} |a_{is} - a_{js}|$ | Actual |
|---|---|---|
| 1 | 1 | 0.4421 |
| 2 | 0.7401 | 0.1954 |
| 3 | 0.3002 | 0.0864 |
| 4 | 0.1369 | 0.0382 |
| 5 | 0.0721 | 0.0169 |
| 6 | 0.0249 | 0.0075 |
| 7 | 0.0131 | 0.0033 |
| 8 | 0.0067 | 0.0015 |


Comparing the value of $\frac{1}{2} \max_{i,j} \sum_{s=1}^{n} |a_{is} - a_{js}|$ in Table III and the estimations in Table I, the estimation of (5) is more strict, closer to the actual value. Similarly, this method is effective when there is no zero element in the transition matrix.

Figure 2 shows the relation between the estimations of the SLE by (5) and the actual values. With the number of rounds increasing, the estimations get closer to the actual values.

Figure 2. The estimations of the second largest eigenvalue by (5) and the actual values.

Again, we estimate the number of iterations, detailed in Table IV.

Table IV. The estimations of the number of iterations by (5).

| Rounds | $\lambda_2$ (estimation) | $r_0$ |
|---|---|---|
| 1 | 1 | $+\infty$ |
| 2 | 0.860290649 | 33.242620856 |
| 3 | 0.669581680 | 13.096745499 |
| 4 | 0.608276253 | 10.760159255 |
| 5 | 0.590999418 | 10.225440137 |
| 6 | 0.540380777 | 8.883311305 |
| 7 | 0.538317820 | 8.834623094 |
| 8 | 0.534883684 | 8.754489335 |

Until the fourth row, the errors are smaller, and the estimation can be used in the security against a differential cryptanalysis.

Comparing Tables IV and II, the advantage of the precision by (5) is not so obvious at last. Taking the time complexity and parallel computing into consideration, (7) is better than (5).

4.2. Discussion of IDEA(m)

The subblocks of IDEA(16) are 4-bit, compared with 2-bit subblocks of IDEA(8). The scale of the transition matrix of IDEA(16) is $65535 \times 65535$, and the data type is double. The space needed to store the whole matrix is $65535 \times 65535 \times 8$ byte = 32 GB, far beyond memory size of an ordinary PC, so file I/O is inevitable. But for (7), every row can be computed independently, and one row whose size is 512 kB can be stored in memory.

The key space of IDEA(16) is $(0, 2^{24} - 1)$, and the space of the difference is $(0, 2^{16} - 1)$. So, the computational scale of the initial transition matrix is $2^{40}$. The time complexity of matrix multiplication is $2^{48}$, difficult for an ordinary PC. The computation of the initial transition matrix takes several days.

Considering there are still some errors in the estimation for three rounds IDEA(8), the errors in the estimation for two rounds IDEA(16) may be unacceptable. On the other hand, matrix multiplication is inevitable to compute transition matrices for more rounds, which will be progressively difficult.

As the computation of the transition matrices is not easy and the estimation method needs uniform distribution of the matrix, which means the method will not work well for the first several rounds, the two estimating methods are not applicable to other IDEA(m), unlike IDEA(8).

5. CONCLUSION

In this paper, we applied two estimating methods to the transition matrix of IDEA(8) to estimate the SLE and compared the two methods. The errors of the estimation will be acceptable after several rounds. Their advantage is parallel computing, without generating the complete transition matrix. However, when there are many zero elements or the distribution is not so uniform, the estimation of the methods is not helpful. The matrix multiplication is inevitable, so applying to other IDEA(m) is not easy. Finding some new effective estimating methods for the SLE of the transition matrix is a valuable thing in the future.

ACKNOWLEDGEMENTS

This work was supported by the National Natural Science Foundation of China (61272440, 61472251, U1536101), China Postdoctoral Science Foundation (2013M531174, 2014T70417), and Science and Technology on Communication Security Laboratory.

REFERENCES

1. Yan Z, Zhang P, Vasilakos AV. A security and trust framework for virtualized networks and software-defined networking. Security and Communication Networks 2015, DOI: 10.1002/sec.1243.
2. Zhou J, Dong X, Cao Z, Vasilakos AV. Secure and privacy preserving protocol for cloud-based vehicular DTNs. IEEE Transactions on Information Forensics and Security 2015; 10(6): 1299–1314.
3. Jing Q, Vasilakos AV, Wan J, Lu J, Qiu D. Security of the Internet of Things: perspectives and challenges. Wireless Networks 2014; 20(8): 2481–2501.


4. Yan Z, Zhang P, Vasilakos AV. A survey on trust management for internet of things. Journal of network and computer applications 2014; 42: 120–134.
5. Lai X, Massey JL, Murphy S. Markov ciphers and differential cryptanalysis. Advances in Cryptology-EUROCRYPT91, Springer: Brighton, 1991; 17–38.
6. Lai X. On the design and security of block ciphers. PhD Thesis, Diss. Techn, Wiss ETH Zürich, Nr. 9752, Ref.: JL Massey; Korref.: H. Bühlmann, 1992.
7. Khovratovich D, Leurent G, Rechberger C. Narrow-bicliques: cryptanalysis of full IDEA. Advances in Cryptology–EUROCRYPT 2012, Springer: Cambridge, 2012; 392–410.
8. Sun X, Lai X. The key-dependent attack on block ciphers. Advances in Cryptology–ASIACRYPT 2009, Springer: Tokyo, 2009; 19–36.
9. Biham E, Dunkelman O, Keller N. A new attack on 6-round IDEA. Fast Software Encryption, Springer: Luxembourg, 2007; 211–224.
10. Biham E, Dunkelman O, Keller N. New cryptanalytic results on IDEA. Advances in Cryptology–ASIACRYPT 2006, Springer: Shanghai, 2006; 412–427.
11. Ayaz ES, Selçuk AA. Improved DST cryptanalysis of IDEA. Selected Areas in Cryptography, Springer: Montreal, 2007; 1–14.
12. Demirci H, Selçuk AA, Türe E. A new meet-in-the-middle attack on the IDEA block cipher. Selected Areas in Cryptography, Springer: Ottawa, 2004; 117–129.
13. Biham E, Dunkelman O, Keller N, Shamir A. New attacks on IDEA with at least 6 rounds. Journal of Cryptology 2015; 28(2): 209–239.
14. Biham E, Biryukov A, Shamir A. Miss in the middle attacks on IDEA and Khufu. Fast Software Encryption, Springer: Rome, 1999; 124–138.
15. Biham E, Shamir A. Differential cryptanalysis of DES-like cryptosystems. Journal of CRYPTOLOGY 1991; 4(1): 3–72.
16. Golub GH, Van Loan CF. Matrix computations, Vol. 3. JHU Press: Baltimore, 2012.
17. Saad Y. Numerical methods for large eigenvalue problems, Vol. 158. SIAM: Philadelphia, 1992.
18. Chen J, Xue D, Lai X. An analysis of international data encryption algorithm (IDEA) security against differential cryptanalysis. Wuhan University Journal of Natural Sciences 2008; 13(6): 697–701.
19. Haveliwala T, Kamvar S. The second eigenvalue of the Google matrix. Technical Report, Stanford University, Stanford, 2003.
20. Schmitt F, Rothlauf F. On the importance of the second largest eigenvalue on the convergence rate of genetic algorithms. Proceedings of the Genetic and Evolutionary Computation Conference, Morgan Kaufmann: San Francisco, 2001; 559–564.
21. Boyd S, Ghosh A, Prabhakar B, Shah D. Randomized gossip algorithms. IEEE/ACM Transactions on Networking (TON) 2006; 14(SI): 2508–2530.
22. Seneta E. Non-negative matrices and Markov chains. Springer Science & Business Media, Berlin, 2006.
23. Lynn MS, Timlake WP. Bounds for Perron eigenvectors and subdominant eigenvalues of positive matrices. Linear Algebra and its Applications 1969; 2 (2): 143–152.
