Cryptanalysis of F.E.A.L.
At Eurocrypt 87 the blockcipher F.E.A.L. was presented . Earlier algorithms called F.E.A.L-1 and F.E.A.L-2 had been submitted to standarization organizations but this was presumably the final version. It is a Feistel cipher, but in contrast to D.E.S., a software implementation does not require a table look-up. The intention was a fast software implementation and also an avoidance of discussions about random tables. As Walter Fumy indicated at Crypto 87  a certain transformation on 32 bits used by the cipher was not complete in contrast to a remark made during the presentation of F.E.A.L. at Eurocrypt 87. Furthermore, the transformation is too close to a quadratic function on the input.
I am informed that after my informal expose at Crypto 87 about certain vulnerabilities of F.E.A.L, its designers have created F.E.A.L.-8 with twice as many rounds. Later on again versions were renamed. The (definite?) version in the abstracts  without a serial number got version number 1.00 and F.E.A.L.-8 got version number 2.00 in the proceedings of Eurocrypt ’87 . In this paper we shall show that F.E.A.L. as presented at Eurocrypt 87 is vulnerable for a chosen plaintext attack which requires at most ten thousand plaintexts.
- 1.W. Fumy, On the F-function of FEAL, lecture at Crypto 87.Google Scholar
- 2.A. Shimizu & S. Miyaguchi, Fast data encipherment algorithm FEAL, Abstracts of Eurocrypt 87.Google Scholar
- 3.A. Shimizu & S. Miyaguchi, Fast Data Encipherment Algorithm FEAL, Advances in Cryptology-Eurocrypt’ 87, Lecture Notes in Computer Science 304.Google Scholar