THE CRYPTANALYSIS OF FEAL WITH TWENTY CHOSEN PLAINTEXTS SEAN MURPHY Department of Mathematics Royal Holloway and Bedford New College University of London Egham Surrey TW EX England The FEAL Ciphering Algorithm The FEALN cryptosystem has b een develop ed by NTT as a highly programming ecientblock cipher system as it do es not use lo okup tables It was rst presented in It is essentially an Nround Feistel blo ck cipher op erating on bit blo cks and determined by a bit key FEAL is the standard blo ck cipher but NTT intend that FEAL can b e used in cipher blo ckchaining mo de when plaintexts are not revealed a cryptogram only environment or for data integrity usage The b est published attack on FEAL was given by Den Bo er who used chosen plaintexts to recover the key We shall give a metho d that uses at most twentychosen plaintexts to recover the key Whereas it may b e p ossible to ensure the absence of chosen plaintexts ensuring the absence of twenty plaintexts maywell b e to o restrictive for most uses The functions used to construct FEALN are for i S Z Z Z These i are dened for x y Z by regarding x y as binary numbers x y in the range so S x y Rot x y i Mod i where Rot is a bit rotation to the left S and S are then used to dene two functions Z Z which is used to pro cess the keyandf Z Z Z whichis f Z K used to encipher the plaintext Supp ose a b c Z for i and a a a a a Z etc then i i i c f a b K The author was supp orted by SERC Research Grant GRE is dened in the following manner d a a d a a c S d d b c S d c b c S a c b c S a c b Aschematic representation of f is given in Figure K The key is pro cessed by using f to obtain twelve bit subkeys This is done by K splitting the bit key K into its left and right halves to givetwo bit strings K and L K We can dene R B B K B K L R and for i B f B B B i K i i i The twelve bit subkeys K i used in the enciphering pro cess are then just i the left and right halves of B i so i L R K K B B i i i i with b for i and also that b b Z Now supp ose that a c Z i i b b Z and a a a a a c Z etc then we can dene c f a b as follows d a a b b d a a c S d d c S d c c S a c c S a c Figure is a schematic diagram of f Supp ose we wish to enco de the bit plaintext P Firstlywesplit P into its left and right halves to give bit strings P andP From these we can calculate the L and R L R L P K K L R P P K K K K L R We then p erform rounds of Feistel cipher dened by f and the keys K K K K Thus for i we calculate L R i i R L f R K i i i i Finally the enciphered message is C C C where L R C R K K L C R L K K R Similarlyifweknow the key we can deco de any cryptogram simply by following the ab ove pro cedure in reverse Reformulation of FEAL Algorithm In order to attack the algorithm we shall reformulate it by the metho d given by Den that expresses the linear nature Z Bo er Firstlywe shall dene a function G Z etc then we for i and a a a a a c Z of f Supp ose a c Z i i can dene c Ga by d a a d a a c S d d c S d c c S a c c S a c so clearly f a b Ga a b a b a Therefore Figure is a schematic diagram of G if we take The cryptanalysis of FEAL will dep end up on the fast solution of linear equations involving G This is considered in the next section We nally need to dene two further simple functions Z Z by L R a a a a a a L a a a a a a R where a Z so i B K L i i B K R i i These two functions can b e used to dene the following six bit keydep endent constants M B B R N B B B L M B B L L N B B R R M B B B R N B B L Note that the outer bits in b oth M and N are zero Wearenow in a p osition to rewrite the FEAL algorithm in the following manner X P M L B L R Y P P N R B L B L R L L X X GY R B L B R R Y Y GX R B L B L L X X GY M R B L B R R Y Y GX N R B L C Y N L C X M C R L Again we can deco de a cryptogram by following the ab ove pro cedure in reverse Thus if we can calculate the unknown bits in the constants M M M N N N we can decipher any cryptogram and also use the key pro cessing equations to recover the key The Fast Solution of Linear Equations involvi ng G In order to nd the constants M M M N N N we shall need to solve equations involving the function G The simplest suchproblemsinvolve solving Gx ab for x where a and b are known We can solve this directly since S is an invertible i function in the sense that we can solve S x a b uniquely for xWe can however give i a general metho d to solve irresp ective of whether S is an invertible function There i are two reasons for doing this rstly to show that FEAL is a weak cipher no matter how S is dened and secondly to motivate the solution of linear equations involving G i Thus supp ose G were not invertible then the most naive metho d to solve would b e to calculate Gx a for every x Z However this would require evaluations of G that is S evaluations However supp ose wecheck whether i S z a a z a a b Z This will require S evaluations For most values of z and z for each z z will b e false For those values for which is true we can checkwhether S b z a a b S b x a b S b x a b for values of x x Z stopping when one of the equalities is false If all the equations in and are true then we can recover x and x by x z x x z x to obtain solutions for x Another equation we shall need to solveis Gx a Gx bd where a b d are known constants We can ammend and to give the following equations to b e checked for z z x x Z S z a a z a a Sz b b z b b d S z a a S z b b d S x a S x b d S x a S x b d then gives us solutions for x In this case we will need evaluations of S to check the truth of d for each z z Z Solving will often giveustoomany solutions for x than we can eciently handle so instead we shall often solve simultaneous equations of the form Gx a Gx bd Gx a Gx c e We can do this eciently bychecking whether the analagous pairs of simultaneous equa tions to holds at every stage This will require only evaluations of S to check i the rst pair of simultaneous equations Cho osing the Plaintext s i th i i Let P denote the i plaintext i with P and P b eing the left and right L R i i th halves of P Similarly supp ose C denotes the i co ded plaintext having left and right i i halves C and C We can then dene L R i i i P Q P R L and i i i D C C L R The twenty plaintexts are then chosen according to the following rules Cho ose P P P P P P P randomly randomly P P P P P P P P Cho ose P L L L L L L L L L Dene P P L L P P L L P P L L P P L L Dene i i P P Q i R L P P Q R L P P Q R L Thus wehavechosen seven plaintexts and nine halfplaintexts at random that is random bits out of a total of bits Cryptanalysis of FEAL Referring to equation we see that Y Y GX Y G X GY Y G P M GY L Y GX N C N GD M N L and hence C Y N G P M G Y G D M N L L i Thus for a particular plaintext P i we can dene i i U Y N i i V M GY W M N so b ecomes i i i i i C U GP V GD W L L i i However for i Y Q N and GY is constant and hence U U and i V V and so we can rewrite as i i i C U GP V GD W i L L In order to solve for U V and W we can rst eliminate U by adding two copies of to obtain i i i C C GP V GP V GD W GD W L L L L i Thus if we knew the value of GP V GP V would giveusan L L equation for W alone Consider GaandGa It is easy to see that in b oth cases d and d in are the same and hence only c diers a and a dier only in the rst place so c diers only in the seventh place By a similar reasoning we can evaluate other sums and so wehave Ga Ga Ga Ga Ga Ga Ga Ga Hence from wehave GD W GD W C C L L GD W GD W C C L L This is an equation of the form of so we can solve it eciently and get solutions for W We can eliminate many of these solutions bychecking to see whether they satisfy GD W GD W C C L L GD W C C GD W L L This typically gives us up to ten dierentvalues for W For eachvalue of W we can nd values of V by solving GP V GP V C C GD W GD W L L L L GP V GP V C C GD W GD W L L L L which is again of the form of then gives us U We can then check each triplet i WV U to see if it saties for the other plaintexts with Q Q that is to say i This will usually give us less than twenty triplets WV U For each triplet we can try and solve for the key constants M M M N N N Now U U U Q Q U U U Q Q and so gives us GP V GD W C U L L GP V GD W C U L L These are two equations of the form so we can solve them for V V and V V These twovalues can then b e checked with equation for i If we obtain solutions for V and V we can attempt to calculate the key constant N Equation gives us GQ