The Macgu N Block Cipher Algorithm

The MacGun Blo ck Cipher Algorithm

Matt Blaze

ATT Bell Lab oratories

Crawfords Corner Road Holmdel NJ USA

mabresearchattcom

Bruce Schneier

Counterpane Systems

Fair Oaks Avenue Oak Park IL USA

schneierchinetcom

Abstract This pap er introduces MacGun a bit co deb o ok blo ck

cipher Many of its characteristics blo ck size applicatio n domain p er

formance and implementation structure are similar to those of the US

Data Encryption Standard DES It is based on a Feistel network in

which the cleartext is split into two sides with one side rep eatedly mo d

ied according to a keyed function of the other Previous blo ck ciphers

of this design such as DES op erate on equal length sides MacGun is

unusual in that it is based on a generalized unbalanced Feistel network

GUFN in which each round of the cipher mo dies only bits accord

ing to a function of the other We describ e the general characteristics

of MacGun architecture and implementation and give a complete sp ec

ication for the round bit key version of the cipher

Introduction

Feistel ciphers op erate by alternately encrypting the bits in one side of their

input based on a keyed nonlinear function of the bits in the other This is done

rep eatedly for a xed number of rounds It is b elieved that when iterated over

suciently many rounds even relatively simple nonlinear functions can provide

high security Traditionally such ciphers split their input blo ck evenly ab out the

middle a bit cipher would op erate on two bit internal blo cks swapping

the left the target block and right the control block sides with each round

Several imp ortant blo ck ciphers including DES are built up on this structure

We say these ciphers are based on balanced Feistel networks BFNs since b oth

sides are of equal length

This pap er describ es a blo ck cipher called MacGun that is based on a

variant of this structure the generalized unbalanced Feistel network GUFN

in which the target and control blo cks need not b e of equal length GUFNs

esp ecially those in which the target blo ck is smaller than the control blo ck

app ear to have a number of attractive prop erties for cipher design particularly

Several cryptographic hash functions such as MD and SHA employ an unbalanced structure similar in some resp ects to a GUFN

with resp ect to the design of the nonlinear function The principles underlying

GUFNs are discussed in

As its name suggests MacGun is intended primarily as a catalyst for dis

cussion and analysis We b elieve it may also prove a practical high security blo ck

cipher suitable for general use as an alternative to DES It op erates on bit

blo cks of data with an internal structure containing a bit target blo ck and

a bit control blo ck on in the notation of In principle almost

any length key and any number of rounds may b e used although we sp ecify

rounds and a bit key as standard

Architecture

We have b een conservative in most asp ects of MacGuns design isolating most

of its novel features to those parts of the design related to its unbalanced struc

ture As such much of our design is adapted directly from DES We hop e that

the many similarities b etween DES and MacGun will invite analysis of their

dierences

Basically the input cipherblo ck is partitioned into four bit words from

left to right In each round the three rightmost words comprise the control

blo ck and are bitwise exclusiveORed XORed with three words derived from

the key These bits are then split eight ways according to a xed p ermutation

to provide input to eight functions of six bits the Sb oxes each pro ducing

two bits of output The Sb ox output bits are then XORed according to

another xed p ermutation with the bits in the leftmost target word Finally

the leftmost word is rotated into the rightmost p osition The cipher can b e

reversed by a similar pro cess with the key derived bits applied in reverse order

Design Principles

Because each round op erates on only half as many bits as in a BFN as

opp osed to we use rounds twice as many as in DES in our standard

version Because there are twice as many rounds however there are also a total of

twice as many key bits XORed with the control blo cks These bits are obtained

from the bit key with the key expansion function describ ed in the next

section

We adapt our Sb oxes directly from those of DES The eight DES Sb oxes

each pro duce four bits of output Since we require only two bits from each for

a total of bits we use only the outer two output bits from each Sb ox

In each round each control blo ck bit is XORed with one derived key bit and

provides one input to exactly one Sb ox There is no expansion p ermutation

since the number of control bits equals the number of Sb ox inputs The control

bits are mapp ed to Sb ox inputs according to a xed p ermutation This

p ermutation was designed so that each Sb ox receives two of its six inputs from each of the three registers in the control blo ck

Sb ox outputs are distributed across the target bits No Sb ox output go es

to a bit p osition that is used as a direct input to itself in the next four rounds

Observe that each of the three control registers contains bits pro duced in a

dierent round of the cipher and that each encrypted bit provides input to three

dierent Sb oxes in the next three rounds b efore it is encrypted again

The cipher is designed for implementation in either hardware or software

Permutations were chosen to minimize the number of shift and mask op erations

and to allow timememory optimizations in a software implementation

Algorithm Description

Data Structures and Notation

We use the following notation

represents a bit bitwise exclusiveOR XOR op eration

is the conventional assignment op erator except as noted b elow

w x y z i copies the data from bit interface i from lowest to highest bit

p osition into bit registers w x y and z resp ectively

i w x y z copies the bits from bit registers w x y and z resp ectively into

interface i from lowest to highest bit p osition

s t u v w x y z copies w x y and z to s t u and v resp ectively in parallel

eg x y y x swaps x and y

w ( F x y z selects according to a xed p ermutation bits from x y and z

as input to function F storing the function output in bits of w selected

according to a xed p ermutation

The cipher employs the following internal structures

I O are the bit external input and output interfaces

0:::63 0:::63

left a b c t are bit registers on which all cryptographic op erations are p er

formed r represents the least signicant bit of r r the most signicant

0 15

k is a bit secret key parameter

0:::127

K is a table of bit words containing an expansion of k as

explained b elow

Sb oxes and Permutations

Nonlinearity in the encryption and key setup pro cesses is provided primarily

through eight functions or Sb oxes denoted S S each taking six bits of

1 8

input selected from the a b and c registers and pro ducing two bits of output

which are XORed into the left register

Inputs to each Sb ox are selected uniquely from the a b and c registers as

sp ecied in Table In this table input bit is the least signicant bit Outputs

from each Sb ox are distributed across the bit target blo ck as sp ecied in

Table Each Sb ox is dened as a bit mapping of input values to outputs as given in Table

Input Bit

Sb ox

S a a b b c c

1 2 5 6 9 11 13

S a a b b c c

2 1 4 7 10 8 14

S a a b b c c

3 3 6 8 13 0 15

S a a b b c c

4 12 14 1 2 4 10

S a a b b c c

5 0 10 3 14 6 12

S a a b b c c

6 7 8 12 15 1 5

S a a b b c c

7 9 15 5 11 2 7

S a a b b c c

8 11 13 0 4 3 9

Table SBox Input Permutation

Output Bit

Sb ox

S t t

1 0 1

S t t

2 2 3

S t t

3 4 5

S t t

4 6 7

S t t

5 8 9

S t t

6 10 11

S t t

7 12 13

S t t

8 14 15

Table SBox Output Permutation

Key Setup

Each round of the cipher uses the secret key parameter to p erturb the Sb oxes

by bitwise XOR against the Sb ox inputs Each round thus requires key bits

To convert the bit k parameter to a sequence of bit values for each round

the K table MacGun uses an iterated version of its own blo ck encryption

function See Figure

Blo ck Encryption

Blo ck encryption is dened in Figure

Blo ck Decryption Blo ck decryption is similar to blo ck encryption and is dened in Figure

left a b c k

063

for h to do

for i to do

for j to do

t ( S a K i b K i c K i

left left t

left a b c a b c left

K h left

K h a

K h b

left a b c k

64127

for h to do

for i to do

for j to do

t ( S a K i b K i c K i

left left t

left a b c a b c left

K h K h left

K h K h a

K h K h b

Fig MacGun Key Setup

left a b c I

for i to do

for j to do

t ( S a K i b K i c K i

left left t

left a b c a b c left

O left a b c

Fig MacGun Blo ck Encryption

c left a b I

for i downto do

for j to do

t ( S a K i b K i c K i

left left t

left a b c c left a b

O left a b c

Fig MacGun Blo ck Decryption

Table MacGun SBoxes

Implementation Performance and Applications

Feistel ciphers with their many p ermutation op erations and table lo okups are

particularly well suited to hardware implementation Because p ermutations in

hardware are free they are implemented with simple connections and b e

cause Sb ox lo okups can o ccur in parallel each round can b e implemented with

conventional mo dern hardware in two clo ck cycles

Software implementations of Feistel ciphers on generalpurp ose computers

are typically much slower than their hardware counterparts since the Sb oxes

must b e evaluated in sequence and bit p ermutations must b e simulated with

shifts ANDs ORs and other op erators Dep ending on the sp ecic p ermutations

and Sb ox structures however many of these op erations can b e made faster

with table lo okups and by combining several op erations into one

The p ermutations in MacGun have b een designed explicitly to p ermit soft

ware optimization First the six inputs to each Sb ox are from dierent bits from

each of the a b and c registers allowing the three registers to b e masked and

ORed together without individual shifting for a single lo okup for each Sb ox

Furthermore for each Sb ox there is a unique mate Sb ox with which it shares

no common inputs This allows the eight Sb oxes to b e paired o and lo oked

up two at a time with a single entry table containing the combined outputs

of b oth Sb oxes The pairs are S S S S S S and S S

1 2 3 4 5 7 6 8

An optimized software implementation given in the App endix of round

MacGun runs at close to the sp eed of optimized round DES in software

An implementation on a pro cessor has a bandwidth of ab out Mbps

a reasonable DES implementation on the same pro cessor runs at Mbps

The MacGun interface is similar to that of DES except for the larger

keyspace It can b e used with the standard FIPS mo des of op eration

Note that key setup is an explicitly time consuming pro cess This is intended to

discourage exhaustive search of p o orly chosen keys In an implementation where

rapid selection among many keys is required such as a packetbased network

security proto col the bit expanded key may b e passed directly as the

cryptovariable

Exp eriments with MacGun are detailed in

While we b elieve the GUFN structure is sup erior to the conventional BFN

cipher structure much more discussion and analysis is required b efore we can

recommend its use for protecting sensitive data We encourage attacks against

MacGun in particular and the GUFN structure in general

References

H Feistel Cryptography and Computer Privacy Scientic American May

J Lacy DP Mitchell and WM Schell CryptoLib Cryptography in Software

Proceedings of USENIX Security Symposium IV Octob er

National Bureau of Standards Data Encryption Standard Federal Information

Processing Standards Publication US Government Printing Oce Washington

National Bureau of Standards Data Encryption Standard Mo des of Op eration

Federal Information Processing Standards Publication US Government Printing

Oce Washington DC

National Institute for Standards and Technology Secure Hash Standard Federal

Information Processing Standard Publication US Government Printing Oce

April

R Rivest The MD Message Digest Algorithm RFC IETF April

B Schneier and M Blaze Unbalanced Feistel Network Blo ck Ciphers To appear

App endix Optimized C Language Implementation

MacGuffin Cipher

Matt Blaze

fast unrolled version

define ROUNDS

define KSIZE ROUNDS

expanded key structure

typedef struct mcgkey

unsigned short valKSIZE

mcgkey

define TSIZE

the sboxes expanded to put the output bits in the right

places note that these are the des sboxes in leftright

not canonical order but with only the outer two output

bits

unsigned short sboxes

x x x x x x x x

xc x x xc x x x x

x xc xc x x x x x

xc x x x x x xc x

x x x xc x xc x x

x xc x x x x xc x

x x x xc xc x x x

x xc x x x x x x

xc x x x x x xc xc

x x x x x x x x

x xc xc x x xc x x

x x x xc xc x x x

x x x x x x x x

xc x x x x x xc xc

x x x xc xc x x x

x x xc x x xc xc x

xc xc x x x x x xc

x x x x x x x x

x x x xc x x xc x

xc x x x x xc x x

x x xc x x xc x x

x x x xc x x xc x

xc x x x xc x x x

x xc x x x xc x x

x xc x x x x x x

x x xc x xc x x xc

x x x x x x x x

xc x x xc x xc x x

x x xc x xc x x x

x x xc x x x x xc

x x x x x xc x x

x x xc x x x x x

xc x x x x x x xc

x xc x x x xc xc x

xc x x x x x x xc

table of sbox outputs expanded for bit input

this one table includes all sboxes just mask off

the output bits not in use

unsigned short stableTSIZE

we exploit two features of the sbox input output perms

first each sbox uses as input two different bits from each

of the three registers in the right side and second

for each sbox there is anothersbox with no common input bits

between them therefore we can lookup two sbox outputs in one

probe of the table just mask off the approprate input bits

in the table below for each of the three registers and OR

together for the table lookup index

these masks are also available below in defines for better

lookup speed in unrolled loops

unsigned short lookupmasks

a b c

x xc x ss

x x x ss

x x xc ss

x x xa ss

this table contains the corresponding output masks for the

lookup procedure mentioned above

similarly available below in defines

unsigned short outputmasks

xf ss xf ss

x ss xcc ss

input and output lookup masks see above

define IN x

define IN xc

define IN x

define OUT xf

define IN x

define OUT xf

define IN x

define IN xc

define OUT x

define IN x

define IN xa

define OUT xcc

initialize the macguffin sbox tables

this takes a while but is only done once

mcginit

unsigned int ijk

int b

input permutation for the sboxes

each row entry is a bit position from

one of the three right hand registers

as follows

aabbcc

static int sbits

for i iTSIZE i

stablei

for j j j

stablei

sboxesjisbitsj

isbitsj

expand key to ek

mcgkeysetkeyek

unsigned char key

mcgkey ek

int ij

unsigned char k

mcginit

bcopykeyk

for i iKSIZE i

ekvali

for i i i

for j j j

mcgblockencryptkiek

ekvalj ki ki

codebook encrypt one block with given expanded key

mcgblockencryptblkkey

unsigned char blk

mcgkey key

unsigned short r r r r a b c

int i

unsigned short ek

copy cleartext into local words

rblkblk

ek keyval

round loop unrolled x

for i iROUNDS i

a r ek b r ek c r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

a r ek b r ek c r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

a r ek b r ek c r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

a r ek b r ek c r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

copy encrypted words back to output

blk r blk r

codebook decrypt one block with given expanded key

mcgblockdecryptblkkey

unsigned char blk

mcgkey key

unsigned short r r r r a b c

int i

unsigned short ek

copy ciphertext to local words

rblkblk

rblkblk rblkblk

ek keyvalKSIZE

round loop unrolled x

for i iROUNDS i

c r ek b r ek a r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

c r ek b r ek a r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

c r ek b r ek a r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

c r ek b r ek a r ek

r OUT stablea INb INc IN

OUT stablea INb INc IN

copy decrypted bits back to output

blk r blk r

This article was pro cessed using the L T X macro package with LLNCS style E