Cryptography Reference
The design goal was thoroughly missed. The first attack by means of differential
cryptanalysis that was published at all was not the famous attack Biham and
Shamir launched against DES, as you might expect, but the one by Murphy
[MurFEAL] against FEAL-4 in 1990: the algorithm can be broken with as few
as 20 chosen plaintexts. In contrast to DES, this is very practicable indeed!
The developers' response was FEAL-8. Biham and Shamir came along and
showed that differential cryptanalysis is more effective than brute force against
FEAL with up to 32 rounds. The number of chosen plaintexts for FEAL-4
dropped to 8 (!), and was 10 000 for FEAL-8, and FEAL-16 required 2^28
chosen plaintexts or 2^37.5 (corresponds to 1.5 Tbytes) known plaintexts.
The designers then came up with FEAL-NX, which uses 128-bit keys. Biham
and Shamir did not fail to show that their attack works just as effectively
against this algorithm.
In their linear cryptanalysis attack in 1992, Matsui and Yamagishi broke FEAL-4
using five known plaintexts (40 bytes)! FEAL-8 would have required 2^15
(32 768) known plaintexts.
Meanwhile, differential linear cryptanalysis can be used to break FEAL-8 with
only twelve chosen plaintexts.
FEAL is an impressive example of the progress modern cryptanalysis has made
during the past few years: while 10 000 chosen plaintexts were necessary to
attack FEAL-8 in 1990, that number was down to 12 five years later. The
unsuccessful attempts to improve this algorithm show that only fundamentally
new ideas can turn a weak algorithm into a secure one.
Implementations of FEAL-8 and FEAL-NX are given on the Web site associated
with this topic (see www.wileyeurope.com/go/cryptology).
5.7.4 Other Algorithms: SEAL and Blowfish
In closing our discussion of known algorithms, I will briefly describe the SEAL
stream cipher and the Blowfish block algorithm below.
SEAL
Similarly to RC5, SEAL is a relatively young algorithm — it was first
introduced by Rogaway and Coppersmith [RogCoSeal] in 1994. (We know
Coppersmith from the DES development; he is thought to be an excellent
cryptanalyst.) SEAL is a stream cipher, i.e., it takes a key to compute a secret
key sequence and XOR it with the ciphertext. The method has three outstanding
features: