## Differential Cryptanalysis of Feal and N-Hash (1991)

Citations: | 31 - 2 self |

### BibTeX

@INPROCEEDINGS{Biham91differentialcryptanalysis,

author = {Eli Biham and Adi Shamir},

title = {Differential Cryptanalysis of Feal and N-Hash},

booktitle = {},

year = {1991},

pages = {1--16},

publisher = {Springer-Verlag}

}

### OpenURL

### Abstract

In [1,2] we introduced the notion of differential cryptanalysis and described its application to DES[11] and several of its variants. In this paper we show the applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function. In addition, we show how to transform differential cryptanalytic chosen plaintext attacks into known plaintext attacks. 1 Introduction Feal is a family of encryption algorithms, which are designed to have simple and efficient software implementations on eight-bit microprocessors. The original member of this family, called Feal-4[13], had four rounds. This version was broken by Den Boer[3] using a chosen plaintext attack with 100 to 10000 ciphertexts. The designers of Feal reacted by creating a second version, called Feal-8[12,9] in which the number of rounds was increased to eight, while the F function was not changed. Feal-8 was broken by the differential cryptanalytic chosen plaintext attack described in thi...

### Citations

543 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
(Show Context)
Citation Context ...on-differential attack with about 100000 known plaintexts. 2 Differential Cryptanalysis of Feal The notion of differential cryptanalysis and its application to DES-like cryptosystems are described in =-=[1,2]-=-. The basic tool of differential cryptanalytic attacks is a pair of ciphertexts whose corresponding plaintexts have a particular difference. The method analyses many pairs with the same difference, as... |

23 |
The FEAL cipher family
- Miyaguchi
- 1990
(Show Context)
Citation Context ...roken by the differential cryptanalytic chosen plaintext attack described in this paper. As a result, two new versions were added to the family: FealN [6] with any even number N of rounds, and Feal-NX=-=[7]-=- with an extended 128-bit key. In addition, The designers proposed a more complex eight-round version called N-Hash[8] as a cryptographically strong hash function which maps arbitrarily long inputs in... |

13 |
The cryptanalysis of FEAL-4 with 20 chosen plaintexts
- Murphy
- 1990
(Show Context)
Citation Context ...cks on Feal were published. The one analyses Feal-8 using 10000 encryptions[5]. This attack is partially derived from the attack described in this paper. The other analyses Feal-4 using 20 encryptions=-=[10]-=-. The main results reported in this paper are as follows: Feal-8 is breakable under a chosen plaintext attack with 2000 ciphertexts. Feal-N can be broken faster than via exhaustive search for any Ns31... |

10 |
128-bit hash function (N-hash
- Miyaguchi, Ohta, et al.
- 1990
(Show Context)
Citation Context ... were added to the family: FealN [6] with any even number N of rounds, and Feal-NX[7] with an extended 128-bit key. In addition, The designers proposed a more complex eight-round version called N-Hash=-=[8]-=- as a cryptographically strong hash function which maps arbitrarily long inputs into 128-bit values. Recently, two chosen plaintext attacks on Feal were published. The one analyses Feal-8 using 10000 ... |

8 |
Fast data encryption algorithm FEAL
- Shimizu, Miyaguchi
- 1987
(Show Context)
Citation Context ...-4[13], had four rounds. This version was broken by Den Boer[3] using a chosen plaintext attack with 100 to 10000 ciphertexts. The designers of Feal reacted by creating a second version, called Feal-8=-=[12,9]-=- in which the number of rounds was increased to eight, while the F function was not changed. Feal-8 was broken by the differential cryptanalytic chosen plaintext attack described in this paper. As a r... |

4 | On the F-function of FEAL - Fumy - 1988 |

4 |
Fast Data Encryption Algorithm FEAL-8, Review of electrical communications laboratories
- Miyaguchi, Shiraishi, et al.
- 1988
(Show Context)
Citation Context ...-4[13], had four rounds. This version was broken by Den Boer[3] using a chosen plaintext attack with 100 to 10000 ciphertexts. The designers of Feal reacted by creating a second version, called Feal-8=-=[12,9]-=- in which the number of rounds was increased to eight, while the F function was not changed. Feal-8 was broken by the differential cryptanalytic chosen plaintext attack described in this paper. As a r... |

1 |
A Statistical Attack on the FEAL-8
- Gilbert, Chasse
- 1990
(Show Context)
Citation Context ...ographically strong hash function which maps arbitrarily long inputs into 128-bit values. Recently, two chosen plaintext attacks on Feal were published. The one analyses Feal-8 using 10000 encryptions=-=[5]-=-. This attack is partially derived from the attack described in this paper. The other analyses Feal-4 using 20 encryptions[10]. The main results reported in this paper are as follows: Feal-8 is breaka... |

1 |
FEAL-N specifications, technical note
- Miyaguchi
- 1989
(Show Context)
Citation Context ...hile the F function was not changed. Feal-8 was broken by the differential cryptanalytic chosen plaintext attack described in this paper. As a result, two new versions were added to the family: FealN =-=[6]-=- with any even number N of rounds, and Feal-NX[7] with an extended 128-bit key. In addition, The designers proposed a more complex eight-round version called N-Hash[8] as a cryptographically strong ha... |