Cryptanalysis of F.E.A.L.

  • Bert den Boer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 330)


At Eurocrypt 87 the blockcipher F.E.A.L. was presented [2]. Earlier algorithms called F.E.A.L-1 and F.E.A.L-2 had been submitted to standarization organizations but this was presumably the final version. It is a Feistel cipher, but in contrast to D.E.S., a software implementation does not require a table look-up. The intention was a fast software implementation and also an avoidance of discussions about random tables. As Walter Fumy indicated at Crypto 87 [1] a certain transformation on 32 bits used by the cipher was not complete in contrast to a remark made during the presentation of F.E.A.L. at Eurocrypt 87. Furthermore, the transformation is too close to a quadratic function on the input.

I am informed that after my informal expose at Crypto 87 about certain vulnerabilities of F.E.A.L, its designers have created F.E.A.L.-8 with twice as many rounds. Later on again versions were renamed. The (definite?) version in the abstracts [2] without a serial number got version number 1.00 and F.E.A.L.-8 got version number 2.00 in the proceedings of Eurocrypt ’87 [3]. In this paper we shall show that F.E.A.L. as presented at Eurocrypt 87 is vulnerable for a chosen plaintext attack which requires at most ten thousand plaintexts.


  1. 1.
    W. Fumy, On the F-function of FEAL, lecture at Crypto 87.Google Scholar
  2. 2.
    A. Shimizu & S. Miyaguchi, Fast data encipherment algorithm FEAL, Abstracts of Eurocrypt 87.Google Scholar
  3. 3.
    A. Shimizu & S. Miyaguchi, Fast Data Encipherment Algorithm FEAL, Advances in Cryptology-Eurocrypt’ 87, Lecture Notes in Computer Science 304.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1988

Authors and Affiliations

  • Bert den Boer
    • 1
  1. 1.Centre for mathematics and computerscienceAmsterdamThe Netherlands

Personalised recommendations