The MacGun Blo ck Cipher Algorithm Matt Blaze ATT Bell Lab oratories Crawfords Corner Road Holmdel NJ USA mabresearchattcom Bruce Schneier Counterpane Systems Fair Oaks Avenue Oak Park IL USA schneierchinetcom Abstract This pap er introduces MacGun a bit co deb o ok blo ck cipher Many of its characteristics blo ck size applicatio n domain p er formance and implementation structure are similar to those of the US Data Encryption Standard DES It is based on a Feistel network in which the cleartext is split into two sides with one side rep eatedly mo d ied according to a keyed function of the other Previous blo ck ciphers of this design such as DES op erate on equal length sides MacGun is unusual in that it is based on a generalized unbalanced Feistel network GUFN in which each round of the cipher mo dies only bits accord ing to a function of the other We describ e the general characteristics of MacGun architecture and implementation and give a complete sp ec ication for the round bit key version of the cipher Introduction Feistel ciphers op erate by alternately encrypting the bits in one side of their input based on a keyed nonlinear function of the bits in the other This is done rep eatedly for a xed number of rounds It is b elieved that when iterated over suciently many rounds even relatively simple nonlinear functions can provide high security Traditionally such ciphers split their input blo ck evenly ab out the middle a bit cipher would op erate on two bit internal blo cks swapping the left the target block and right the control block sides with each round Several imp ortant blo ck ciphers including DES are built up on this structure We say these ciphers are based on balanced Feistel networks BFNs since b oth sides are of equal length This pap er describ es a blo ck cipher called MacGun that is based on a variant of this structure the generalized unbalanced Feistel network GUFN 1 in which the target and control blo cks need not b e of equal length GUFNs esp ecially those in which the target blo ck is smaller than the control blo ck app ear to have a number of attractive prop erties for cipher design particularly 1 Several cryptographic hash functions such as MD and SHA employ an unbalanced structure similar in some resp ects to a GUFN with resp ect to the design of the nonlinear function The principles underlying GUFNs are discussed in As its name suggests MacGun is intended primarily as a catalyst for dis cussion and analysis We b elieve it may also prove a practical high security blo ck cipher suitable for general use as an alternative to DES It op erates on bit blo cks of data with an internal structure containing a bit target blo ck and a bit control blo ck on in the notation of In principle almost any length key and any number of rounds may b e used although we sp ecify rounds and a bit key as standard Architecture We have b een conservative in most asp ects of MacGuns design isolating most of its novel features to those parts of the design related to its unbalanced struc ture As such much of our design is adapted directly from DES We hop e that the many similarities b etween DES and MacGun will invite analysis of their dierences Basically the input cipherblo ck is partitioned into four bit words from left to right In each round the three rightmost words comprise the control blo ck and are bitwise exclusiveORed XORed with three words derived from the key These bits are then split eight ways according to a xed p ermutation to provide input to eight functions of six bits the Sb oxes each pro ducing two bits of output The Sb ox output bits are then XORed according to another xed p ermutation with the bits in the leftmost target word Finally the leftmost word is rotated into the rightmost p osition The cipher can b e reversed by a similar pro cess with the key derived bits applied in reverse order Design Principles Because each round op erates on only half as many bits as in a BFN as opp osed to we use rounds twice as many as in DES in our standard version Because there are twice as many rounds however there are also a total of twice as many key bits XORed with the control blo cks These bits are obtained from the bit key with the key expansion function describ ed in the next section We adapt our Sb oxes directly from those of DES The eight DES Sb oxes each pro duce four bits of output Since we require only two bits from each for a total of bits we use only the outer two output bits from each Sb ox In each round each control blo ck bit is XORed with one derived key bit and provides one input to exactly one Sb ox There is no expansion p ermutation since the number of control bits equals the number of Sb ox inputs The control bits are mapp ed to Sb ox inputs according to a xed p ermutation This p ermutation was designed so that each Sb ox receives two of its six inputs from each of the three registers in the control blo ck Sb ox outputs are distributed across the target bits No Sb ox output go es to a bit p osition that is used as a direct input to itself in the next four rounds Observe that each of the three control registers contains bits pro duced in a dierent round of the cipher and that each encrypted bit provides input to three dierent Sb oxes in the next three rounds b efore it is encrypted again The cipher is designed for implementation in either hardware or software Permutations were chosen to minimize the number of shift and mask op erations and to allow timememory optimizations in a software implementation Algorithm Description Data Structures and Notation We use the following notation represents a bit bitwise exclusiveOR XOR op eration is the conventional assignment op erator except as noted b elow w x y z i copies the data from bit interface i from lowest to highest bit p osition into bit registers w x y and z resp ectively i w x y z copies the bits from bit registers w x y and z resp ectively into interface i from lowest to highest bit p osition s t u v w x y z copies w x y and z to s t u and v resp ectively in parallel eg x y y x swaps x and y w ( F x y z selects according to a xed p ermutation bits from x y and z as input to function F storing the function output in bits of w selected according to a xed p ermutation The cipher employs the following internal structures I O are the bit external input and output interfaces 0:::63 0:::63 left a b c t are bit registers on which all cryptographic op erations are p er formed r represents the least signicant bit of r r the most signicant 0 15 k is a bit secret key parameter 0:::127 K is a table of bit words containing an expansion of k as explained b elow Sb oxes and Permutations Nonlinearity in the encryption and key setup pro cesses is provided primarily through eight functions or Sb oxes denoted S S each taking six bits of 1 8 input selected from the a b and c registers and pro ducing two bits of output which are XORed into the left register Inputs to each Sb ox are selected uniquely from the a b and c registers as sp ecied in Table In this table input bit is the least signicant bit Outputs from each Sb ox are distributed across the bit target blo ck as sp ecied in Table Each Sb ox is dened as a bit mapping of input values to outputs as given in Table Input Bit Sb ox S a a b b c c 1 2 5 6 9 11 13 S a a b b c c 2 1 4 7 10 8 14 S a a b b c c 3 3 6 8 13 0 15 S a a b b c c 4 12 14 1 2 4 10 S a a b b c c 5 0 10 3 14 6 12 S a a b b c c 6 7 8 12 15 1 5 S a a b b c c 7 9 15 5 11 2 7 S a a b b c c 8 11 13 0 4 3 9 Table SBox Input Permutation Output Bit Sb ox S t t 1 0 1 S t t 2 2 3 S t t 3 4 5 S t t 4 6 7 S t t 5 8 9 S t t 6 10 11 S t t 7 12 13 S t t 8 14 15 Table SBox Output Permutation Key Setup Each round of the cipher uses the secret key parameter to p erturb the Sb oxes by bitwise XOR against the Sb ox inputs Each round thus requires key bits To convert the bit k parameter to a sequence of bit values for each round the K table MacGun uses an iterated version of its own blo ck encryption function See Figure Blo ck Encryption Blo ck encryption is dened in Figure Blo ck Decryption Blo ck decryption is similar to blo ck encryption and is dened in Figure K left a b c k 063 for h to do for i to do for j to do t ( S a K i b K i c K i j left left t left a b c a b c left K h left K h a K h b left a b c k 64127 for h to do for i to do for j to do t ( S a K i b K i c K i j left left t left a b c a b c left K h K h left K h K h a K h K h b Fig MacGun Key Setup left a b c I for i to do for j to do t ( S a K i b K i c K i j left left t left a b c a b c left O left a b c Fig MacGun Blo ck Encryption c left a b I for i downto do for j to do t ( S a K i b K i c K i j left left t left a b c c left a b O left a b c Fig MacGun Blo ck Decryption S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 Table MacGun SBoxes Implementation Performance and Applications Feistel ciphers with their many p ermutation op erations and table lo okups are particularly well suited to hardware implementation Because p ermutations in hardware are free they are implemented with simple connections and b e cause Sb ox lo okups can o ccur in parallel each round can b e implemented with conventional mo dern hardware in two clo ck cycles Software implementations of Feistel ciphers on generalpurp ose computers are typically much slower than their hardware counterparts since the Sb oxes must b e evaluated in sequence and bit p ermutations