A flurry of new ciphers was introduced in the wake of the standardisation of the DES. Many of them were broken quickly; however, some also introduced novel design ideas which have resurfaced many times since. We present here just four such ciphers: Madryga, NewDES, KeeLoq and FEAL.
3.3.1 Madryga
Madryga was designed by William Madryga [FD84]. We briefly discuss it because some of its design choices have proven influential.

The algorithm works with arbitrary key and block lengths. The key schedule consists of first XORing the key with a magic constant (which must be defined for each key size) and then rotating the key to the left by three bits before each round.

The state is processed three bytes at a time, cyclically. Each round the “window” of processing is moved by one byte along the state: if the cipher were working on bytes 2, 3 and 4, in the following round it would process bytes 3, 4 and 5.

The operations in each round are very simple: the rightmost byte in the window is XORed with the rightmost byte of the (current) key, and the other two bytes are rotated together as one 16-bit block. The rotation amount depends on the output of the XOR, hence it is both state and key dependent.

The cipher makes at least 8 cyclic passes over the whole state; the state at the end of the last cycle is the ciphertext.

Decryption is easily implemented, since the rotation amount can be obtained before undoing the XOR.
3.3.1.1 Remarks

The cyclic processing of arbitrarily long states is one of the distinctive features of Block TEA (Subsection 3.12.3 on page 162) and XXTEA (Subsection 3.12.5 on page 164).

The byte-wise processing of the state without complex bit permutation layers makes the cipher easy to implement and very efficient in software. This is a design principle that has been adopted (to varying degrees) in several other ciphers, such as IDEA (with 16-bit words, see Section 3.6 on page 144), the SAFER family of ciphers (Section 3.8 on page 150), and most of the ciphers designed according to the wide-trail strategy.

A few subsequent ciphers also use data-dependent rotations, such as RC5 (Section 3.10 on page 158) and RC6 (Section 3.15 on page 168).
3.3.1.2 Cryptanalysis

All of Madryga’s operations are XORs and rotations; apart from the data-dependent choice of the rotation amount there is no source of nonlinearity such as the DES S-boxes or arithmetic operations.

Madryga’s worst flaw is that it does not exhibit the desired avalanche effect [GDC90]: in general, changes in one byte induce changes in the previous byte of the state and in at most the next two. Therefore, if the block is too large, changes may not propagate sufficiently.
Also, Eli Biham (in a personal communication to Bruce Schneier, cf. [Sch96], Section 13.2) noticed that “the parity of all the bits of the plaintext and the ciphertext is a constant, depending only on the key. So, if you have one plaintext and its corresponding ciphertext, you can predict the parity of the ciphertext for any plaintext.”
Ken Shirriff [Shi95] showed that Madryga is susceptible to differential cryptanalysis. The key can be determined with as few as 5,000 chosen plaintexts, and 10,000 on average.

Alex Biryukov and Eyal Kushilevitz in [BK98a] improved this attack twice. Firstly, with a differential attack requiring only 16 chosen-plaintext pairs. Secondly, they turned it into a ciphertext-only attack, under only reasonable assumptions on the statistical distribution of the bytes in the plaintext. This attack requires only $2^{12}$ ciphertexts.
3.3.1.3 Intellectual Property

We are not aware of patents on Madryga. In any case, since the cipher was disclosed in 1984, any patent would have already expired.
3.3.2 NewDES
Robert Scott designed NewDES in 1985 as a possible replacement for DES [Sco85]. It operates on 64-bit blocks of plaintext with a 120-bit key. The state is divided into 8 one-byte blocks and the key into 15 one-byte subkeys.

The cipher has 17 equal rounds and no initial or final permutation. The subkeys are considered cyclically and each cycle (two rounds) uses seven consecutive subkeys.

Figure 3.4: A Cycle (Two Rounds) of NewDES. [Figure: the eight input bytes in0, …, in7 pass through eight S-box transformations, keyed by the seven subkeys $k_i, k_{i+1}, \dots, k_{i+6}$, to give the outputs out0, …, out7.]

A cycle, i.e. two rounds of NewDES, is depicted in Figure 3.4: the 17th round consists of just the upper half of the cycle represented in the figure. The cipher can be viewed as a Feistel network on two 32-bit branches with two alternating, different F-functions.
It has a very simple structure. The eight blocks of the state are divided into two sets of four. During a round one set of four blocks is transformed non-linearly and XORed into the other set of four blocks; then the roles are reversed and the second set of blocks is used to transform the values of the first set (but the two halves are not perfectly symmetrical). Hence, there are eight non-linear transformations per cycle, four per round. The non-linear transformation consists of XORing the input with a subkey (in seven cases) or with another block of the state (in one case) and feeding this value into an 8-bit S-box. The values of the 8-bit S-box have been derived from the Declaration of Independence, and therefore it is a set of “nothing up my sleeve numbers”, not a cryptographically designed S-box.

The first 8 cycles use 7 subkeys each, and the last round uses 4 subkeys, for 60 subkey uses in total. Thus, each byte of the 120-bit key is used exactly 4 times. A similar key schedule is used in the Belarusian cipher BelT (Section 3.33 on page 214).
The designer showed that NewDES exhibits the full avalanche effect after seven rounds: every ciphertext bit depends on every plaintext bit and key bit. NewDES has the same complementation property that DES has: namely, if $E_K(P) = C$, then $E_{\bar{K}}(\bar{P}) = \bar{C}$, where $\bar{x}$ is the bitwise complement of $x$.

The cipher can be made quite fast in software because of its byte-oriented structure. It can be implemented either compactly or efficiently in hardware as well, because it uses just a small number of different operations in a fairly regular pattern, while at the same time up to four state-block transformations can easily be parallelised. The same parallelism can be exploited in software on 16- or 32-bit architectures.
3.3.2.1 Cryptanalysis

Only a small amount of cryptanalysis has been published on NewDES. The complementation property makes brute-force attacks faster by a factor of 2.

Bruce Schneier reports in [Sch96], Section 13.3, a few observations by Eli Biham: changing a full byte in all the key and data bytes (i.e. XORing each of them with the same byte value) leads to another complementation property, reducing the complexity of brute-force attacks by a factor $2^8$; and a related-key attack can break NewDES with $2^{33}$ chosen-key chosen plaintexts.

John Kelsey, Bruce Schneier, and David Wagner’s related-key cryptanalysis [KSW97] breaks NewDES with $2^{32}$ known plaintexts and one related key.

When informed of this attack, Scott modified the NewDES key schedule to resist rotational related-key cryptanalysis. The new key schedule starts with the 15 bytes of the key $k_0, k_1, \dots, k_{14}$ and then, instead of repeating them, it XORs all the bytes of the sequence first with $k_7$, then with $k_8$, and finally with $k_9$. The resulting cipher is called NewDES-1996. However, in [KSW97] it is shown that NewDES-1996 can be completely broken with 24 related-key probes and 530 chosen plaintext/ciphertext queries.
3.3.2.2 Remarks

The design is interesting; however, it has some obvious weaknesses:

• The S-box displays poor linear and differential properties; and
• Diffusion is slow, as in the current form full diffusion is only achieved after 7 rounds.
3.3.3 KeeLoq
KeeLoq is a proprietary block cipher designed by Gideon Kuhn for the South African company Nanoteq (Pty) Ltd in the mid 1980s. It was sold to Microchip Technology Inc. in 1995. It is specifically designed for compact implementation in hardware. Based on Kuhn’s work on self-synchronising stream ciphers [Kuh88], KeeLoq is an unbalanced Feistel cipher built around an NLFSR (non-linear feedback shift register). KeeLoq was meant for lightweight hardware implementations [KBS90] and is still used in many remote keyless entry systems by several car manufacturers.
KeeLoq accepts 64-bit keys and encrypts 32-bit blocks by clocking its single-bit NLFSR for 528 rounds. An important component of the feedback function is the non-linear function $\mathfrak{n}$ (often named after the hexadecimal value $3A5C742E_x$ of its 32-entry truth table), which is given as

$\mathfrak{n}(a, b, c, d, e) = d \oplus e \oplus ac \oplus ae \oplus bc \oplus be \oplus cd \oplus de \oplus abc \oplus abd \oplus ace \oplus ade$

where $a, b, c, d$ and $e$ are bits number 31, 26, 20, 9 and 1 of the NLFSR state during encryption and bits number 30, 25, 19, 8 and 0 during decryption (the same taps, one position lower, since decryption runs the register backwards). This function is specified by a table in the original specification. The actual NLFSR feedback function is

$F(a, b, c, d, e, x, y, z) = \mathfrak{n}(a, b, c, d, e) \oplus x \oplus y \oplus z$

where $x$ and $y$ are bits 0 and 16 of the NLFSR on encryption and bits 31 and 15 on decryption, and $z$ is a key bit (bit 0 of the key state on encryption and bit 15 of the key state on decryption). On encryption the state is shifted by one position and $F$ enters at bit 31; on decryption it is shifted the other way and $F$ enters at bit 0.

The key schedule is simple: the key is copied into a 64-bit register that is rotated by one bit each round, towards bit 0 during encryption (so that round $r$ uses key bit $r \bmod 64$) and in the opposite direction during decryption.
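The NLFSR just described, as an added example that is not part of the original text and is not Microchip’s or Nanoteq’s code. It implements the 528-round encryption and decryption in C following the description above and the bit conventions of the public reference implementation: $3A5C742E_x$ is read as a 32-entry truth table indexed by $16a + 8b + 4c + 2d + e$, with state bit 31 as $a$. The block checks that this table agrees with the algebraic normal form above on all 32 inputs, and the test vector it prints (key 5CEC6701B79FD949, plaintext F741E2DB, ciphertext E44F4CDF) is the one published with that reference implementation. The function names are this example’s own.

```c
/* Added example: bit-level KeeLoq following the description on the page.
   Conventions of the public reference implementation: state bit 31 is the
   most significant index bit of the NLF truth table, round r uses key bit
   r mod 64 on encryption. Not Microchip's or Nanoteq's code. */
#include <stdint.h>
#include <stdio.h>

#define KEELOQ_NLF    0x3A5C742EUL   /* truth table of n(a,b,c,d,e) */
#define KEELOQ_ROUNDS 528

static uint32_t bit32(uint32_t x, unsigned n) { return (x >> n) & 1u; }
static uint32_t bit64(uint64_t k, unsigned n) { return (uint32_t)((k >> n) & 1u); }

/* n(a,b,c,d,e) by table lookup; index = 16a + 8b + 4c + 2d + e. */
uint32_t keeloq_nlf_table(uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e)
{
    unsigned idx = (a << 4) | (b << 3) | (c << 2) | (d << 1) | e;
    return bit32(KEELOQ_NLF, idx);
}

/* n(a,b,c,d,e) as the algebraic normal form given on the page. */
uint32_t keeloq_nlf_anf(uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e)
{
    return d ^ e ^ (a & c) ^ (a & e) ^ (b & c) ^ (b & e) ^ (c & d) ^ (d & e)
         ^ (a & b & c) ^ (a & b & d) ^ (a & c & e) ^ (a & d & e);
}

/* 1 if the table and the ANF agree on all 32 inputs, 0 otherwise. */
int keeloq_nlf_table_matches_anf(void)
{
    for (unsigned i = 0; i < 32; i++) {
        uint32_t a = (i >> 4) & 1u, b = (i >> 3) & 1u, c = (i >> 2) & 1u,
                 d = (i >> 1) & 1u, e = i & 1u;
        if (keeloq_nlf_table(a, b, c, d, e) != keeloq_nlf_anf(a, b, c, d, e))
            return 0;
    }
    return 1;
}

/* Encryption: the state shifts right by one bit per round and the feedback
   F = n(y31,y26,y20,y9,y1) ^ y16 ^ y0 ^ k_(r mod 64) enters at bit 31. */
uint32_t keeloq_encrypt(uint32_t x, uint64_t key)
{
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        uint32_t nlf = keeloq_nlf_table(bit32(x, 31), bit32(x, 26), bit32(x, 20),
                                        bit32(x, 9), bit32(x, 1));
        uint32_t fb  = nlf ^ bit32(x, 16) ^ bit32(x, 0) ^ bit64(key, r & 63u);
        x = (x >> 1) | (fb << 31);
    }
    return x;
}

/* Decryption runs the register backwards: shift left and recompute the bit
   that was shifted out, from the same taps one position lower. The last
   encryption round (r = 527) used key bit 527 mod 64 = 15, so decryption
   round r uses key bit (15 - r) mod 64. */
uint32_t keeloq_decrypt(uint32_t x, uint64_t key)
{
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        uint32_t nlf = keeloq_nlf_table(bit32(x, 30), bit32(x, 25), bit32(x, 19),
                                        bit32(x, 8), bit32(x, 0));
        uint32_t fb  = nlf ^ bit32(x, 15) ^ bit32(x, 31) ^ bit64(key, (15u - r) & 63u);
        x = (x << 1) | fb;
    }
    return x;
}

int main(void)
{
    /* Test vector published with the public reference implementation. */
    const uint64_t key = 0x5CEC6701B79FD949ULL;
    const uint32_t pt  = 0xF741E2DBu;
    uint32_t ct = keeloq_encrypt(pt, key);
    printf("NLF table == ANF on all inputs: %s\n",
           keeloq_nlf_table_matches_anf() ? "yes" : "no");
    printf("E(%08X) = %08X (expected E44F4CDF)\n", (unsigned)pt, (unsigned)ct);
    printf("D(%08X) = %08X\n", (unsigned)ct, (unsigned)keeloq_decrypt(ct, key));
    return 0;
}
```

Note how little there is to implement: five NLF taps, two linear taps, one key bit and a shift per round. The periodic key schedule is visible as `r & 63u`; that periodicity is exactly what the slide techniques mentioned below exploit.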
Andrey Bogdanov [Bog07a] points at three fundamental weaknesses of the cipher:

• The key schedule is periodic, allowing the use of slide techniques;
• The blocks are just 32 bits; and
• Efficient linear approximations of $\mathfrak{n}$ exist.

This allows him to present various attacks, culminating in an attack that needs only $2^{37}$ time and $2^{32}$ 32-bit known plaintexts (i.e. the entire codebook) [Bog07b]. Soon thereafter, the complexity of the attack was brought down to just $2^{28}$ for about 30% of the key space (also using $2^{32}$ known plaintexts) by Nicolas Courtois, Gregory V. Bard and David Wagner in [CBW08].

The cipher can also be broken using side-channel analysis with only ten power traces. The attack described in [EKM+08] allows efficient recovery of both the secret key of a remote transmitter and the manufacturer key stored in a receiver in just a few minutes, making the cloning of remote controls practical.

The KeeLoq system is also susceptible to replay attacks.

3.3.3.1 Intellectual Property

Implementations of the KeeLoq cipher and several systems using it are heavily protected by patents, starting with U.S. Patent 5,517,187, protecting its implementation in a microchip, which is the IP sold by Nanoteq to Microchip Technology Inc. in 1995.
3.3.4 FEAL
FEAL (the Fast data Encipherment ALgorithm) is a 64-bit block cipher first published in 1987 by Akihiro Shimizu and Shoji Miyaguchi of NTT [SM87]. FEAL is a Feistel design. The initial version, now called FEAL-4, was a four-round cipher and used a 64-bit key. There are options for including parity bits in the key. The cipher was quickly broken: FEAL was first extended to 8 rounds, then to arbitrarily many rounds, and a 128-bit key option was added. Eli Biham and Adi Shamir show in [BS91c] that variants with fewer than 31 rounds can be broken. NTT still uses the cipher: the current version is called FEAL-NX, where the even integer $N \geqslant 32$ is the number of rounds, and X means that the 128-bit key contains no parity bits.

As a Feistel network, the encryption path of FEAL is quite standard, but the cipher has a few interesting historical aspects:

• Apart from DES-X (Subsection 3.2.9 on page 134), it is the oldest cipher we are aware of to use key whitening to improve its strength.
Figure 3.5: The FEAL F-function. [Figure: $\alpha$ (32-bit branch) and $\beta = \beta_0, \beta_1$ (16-bit round key) enter four S-function applications $S_1, S_0, S_0, S_1$, producing $F(\alpha, \beta)$.]

Figure 3.6: The FEAL FK-function. [Figure: $\alpha$ and $\beta = \beta_0, \dots, \beta_3$ enter four S-function applications $S_1, S_0, S_0, S_1$, producing $F_K(\alpha, \beta)$.]
• The structure of the FEAL F-function, depicted in Figure 3.5, can be viewed as a precursor of the IDEA round function (Section 3.6 on page 144, and in particular Figure 3.9 on page 145): each half of the input is “compressed” into smaller chunks that are input to a “confusion device” inspired by a Hadamard transform; the confused output is then applied to the rest of the input. In the figure, $\alpha$ is a 32-bit Feistel branch, whereas $\beta$ is a 16-bit round key.
• Instead of using S-boxes, non-linearity is achieved by combining XOR with modular addition. In fact, the non-linear parts of the F-function consist of just the two functions $S_0(a, b) = ((a + b) \bmod 256) \lll 2$ and $S_1(a, b) = ((a + b + 1) \bmod 256) \lll 2$, where $\lll 2$ denotes a rotation of the 8-bit result to the left by two positions.
• The key schedule is similar to a Matsui-like Feistel network (cf. Figure 1.4(b) on page 31), where one half of the key is “encrypted” by using the other half as the key. The F-function of the key schedule, called the FK-function, is similar to the F-function of the cipher: it is depicted in Figure 3.6. The main difference w.r.t. the F-function is that the 32-bit “round key” $\beta$ is split into four bytes that are each XORed with one of the inputs to the $S_0$ and $S_1$ functions. Also, intermediate values of the key scheduling process are saved to be reused at later stages of key scheduling.

We note that XOR and modular addition agree on several bits with a strong bias (on the least significant bit they always agree, and on the following bits with a probability that only gradually approaches 1/2), and this alone is not sufficient to guarantee the strength of a cipher. This is what ultimately killed FEAL.
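The S-functions and the add/XOR bias noted in the last paragraph, as an added example that is not code from the FEAL specification or from NTT. The C block implements $S_0$ and $S_1$ exactly as defined above and then counts, over all 65,536 byte pairs, how often bit $i$ of $(a + b) \bmod 256$ agrees with bit $i$ of $a \oplus b$, and how often output bit 2 of $S_0$ (respectively $S_1$) equals $a_0 \oplus b_0$ (respectively its complement). The function names are this example’s own.

```c
/* Added example: the FEAL S-functions and the bias between addition and XOR
   that they inherit. Not code from the FEAL specification; only S0/S1 follow
   the definitions on the page. */
#include <stdint.h>
#include <stdio.h>

static uint8_t rotl8(uint8_t x, unsigned n)
{
    return (uint8_t)((x << n) | (x >> (8u - n)));
}

/* S0(a,b) = ((a + b) mod 256) <<< 2 ;  S1(a,b) = ((a + b + 1) mod 256) <<< 2 */
uint8_t feal_s0(uint8_t a, uint8_t b) { return rotl8((uint8_t)(a + b), 2); }
uint8_t feal_s1(uint8_t a, uint8_t b) { return rotl8((uint8_t)(a + b + 1), 2); }

/* Over all 65536 byte pairs, count how often bit i of (a + b) mod 256 equals
   bit i of a XOR b. The two differ exactly when a carry enters bit i, so the
   count is 65536 * (1/2 + 2^-(i+1)): bit 0 always agrees, bit 1 in 3/4 of the
   cases, bit 2 in 5/8, and so on down towards 1/2. */
unsigned add_xor_agreement(unsigned i)
{
    unsigned count = 0;
    for (unsigned a = 0; a < 256; a++)
        for (unsigned b = 0; b < 256; b++)
            if ((((a + b) >> i) & 1u) == (((a ^ b) >> i) & 1u))
                count++;
    return count;
}

/* Count pairs for which output bit `out_bit` (>= 2) of S0(a,b) equals
   a_j XOR b_j with j = out_bit - 2, i.e. undoing the rotation by two.
   For out_bit = 2 this is a deterministic linear relation through S0:
   its bit 2 is the sum's bit 0, which is a_0 XOR b_0 with no carry. */
unsigned s0_linear_agreement(unsigned out_bit)
{
    unsigned j = out_bit - 2;
    unsigned count = 0;
    for (unsigned a = 0; a < 256; a++)
        for (unsigned b = 0; b < 256; b++)
            if (((feal_s0((uint8_t)a, (uint8_t)b) >> out_bit) & 1u)
                == (((a ^ b) >> j) & 1u))
                count++;
    return count;
}

/* Same for S1: the "+1" flips the least significant bit of the sum, so
   bit 2 of S1(a,b) is always the complement of a_0 XOR b_0. */
unsigned s1_linear_agreement_bit2(void)
{
    unsigned count = 0;
    for (unsigned a = 0; a < 256; a++)
        for (unsigned b = 0; b < 256; b++)
            if (((feal_s1((uint8_t)a, (uint8_t)b) >> 2) & 1u)
                == (((a ^ b) & 1u) ^ 1u))
                count++;
    return count;
}

int main(void)
{
    for (unsigned i = 0; i < 8; i++)
        printf("bit %u of a+b equals bit %u of a^b in %u/65536 pairs\n",
               i, i, add_xor_agreement(i));
    printf("S0 bit 2 == a0^b0:    %u/65536\n", s0_linear_agreement(2));
    printf("S0 bit 3 == a1^b1:    %u/65536\n", s0_linear_agreement(3));
    printf("S1 bit 2 == ~(a0^b0): %u/65536\n", s1_linear_agreement_bit2());
    return 0;
}
```

The rotation by two positions does not remove the problem; it only moves the fully linear bit of the sum to output bit 2 of each S-function, and the next bits keep biases of 1/4, 1/8, and so on. A deterministic linear relation through the only non-linear component is precisely the kind of approximation that linear cryptanalysis of FEAL builds on.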
3.3.5 Intellectual Property
U.S. Patent 4,850,019 covered aspects of the cipher.