# FEAL > Mediated Wiki article. Canonical URL: https://mediated.wiki/source/FEAL > Markdown URL: https://mediated.wiki/source/FEAL.md > Source: https://en.wikipedia.org/wiki/FEAL > Source revision: 1180505569 > License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/) Block cipher This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (September 2015) (Learn how and when to remove this message) FEAL The FEAL Feistel function General Designers Akihiro Shimizu and Shoji Miyaguchi (NTT) First published FEAL-4 in 1987; FEAL-N/NX in 1990 Cipher detail Key sizes 64 bits (FEAL), 128 bits (FEAL-NX) Block sizes 64 bits Structure Feistel network Rounds Originally 4, then 8, then variable (recommended 32) Best public cryptanalysis Linear cryptanalysis can break FEAL-4 with 5 known plaintexts (Matsui and Yamagishi, 1992). A differential attack breaks FEAL-N/NX with fewer than 31 rounds (Biham and Shamir, 1991). In [cryptography](/source/Cryptography), **FEAL** (the **Fast data Encipherment Algorithm**) is a [block cipher](/source/Block_cipher) proposed as an alternative to the [Data Encryption Standard](/source/Data_Encryption_Standard) (DES), and designed to be much faster in software. The [Feistel](/source/Feistel_cipher) based algorithm was first published in 1987 by [Akihiro Shimizu](https://en.wikipedia.org/w/index.php?title=Akihiro_Shimizu&action=edit&redlink=1) and [Shoji Miyaguchi](https://en.wikipedia.org/w/index.php?title=Shoji_Miyaguchi&action=edit&redlink=1) from [NTT](/source/Nippon_Telegraph_and_Telephone). The cipher is susceptible to various forms of [cryptanalysis](/source/Cryptanalysis), and has acted as a catalyst in the discovery of [differential](/source/Differential_cryptanalysis) and [linear cryptanalysis](/source/Linear_cryptanalysis). There have been several different revisions of FEAL, though all are [Feistel ciphers](/source/Feistel_cipher), and make use of the same basic round function and operate on a [64-bit block](/source/Block_size_(cryptography)). One of the earliest designs is now termed **FEAL-4**, which has four rounds and a [64-bit key](/source/Key_(cryptography)). Problems were found with FEAL-4 from the start: Bert den Boer related a weakness in an unpublished rump session at the same conference where the cipher was first presented. A later paper (den Boer, 1988) describes an attack requiring 100–10000 [chosen plaintexts](/source/Chosen_plaintext), and Sean Murphy (1990) found an improvement that needs only 20 chosen plaintexts. Murphy and den Boer's methods contain elements similar to those used in [differential cryptanalysis](/source/Differential_cryptanalysis). The designers countered by doubling the number of rounds, **FEAL-8** (Shimizu and Miyaguchi, 1988). However, eight rounds also proved to be insufficient — in 1989, at the Securicom conference, [Eli Biham](/source/Eli_Biham) and [Adi Shamir](/source/Adi_Shamir) described a differential attack on the cipher, mentioned in (Miyaguchi, 1989). Gilbert and Chassé (1990) subsequently published a statistical attack similar to differential cryptanalysis which requires 10000 pairs of chosen plaintexts. In response, the designers introduced a variable-round cipher, **FEAL-N** (Miyaguchi, 1990), where "N" was chosen by the user, together with **FEAL-NX**, which had a larger 128-bit key. Biham and Shamir's differential cryptanalysis (1991) showed that both FEAL-N and FEAL-NX could be broken faster than exhaustive search for N ≤ 31. Later attacks, precursors to linear cryptanalysis, could break versions under the [known plaintext](/source/Known_plaintext) assumption, first (Tardy-Corfdir and Gilbert, 1991) and then (Matsui and Yamagishi, 1992), the latter breaking FEAL-4 with 5 known plaintexts, FEAL-6 with 100, and FEAL-8 with 215. In 1994, Ohta and Aoki presented a linear cryptanalytic attack against FEAL-8 that required 212 known plaintexts.[1] ## See also - [N-Hash](/source/N-Hash) ## Notes 1. **[^](#cite_ref-1)** ["Q79: What is FEAL?"](http://x5.net/faqs/crypto/q79.html). X5.net. Retrieved 2013-02-19. ## References - Eli Biham, Adi Shamir: Differential Cryptanalysis of Feal and N-Hash. EUROCRYPT 1991: 1–16 - Bert den Boer, Cryptanalysis of F.E.A.L., EUROCRYPT 1988: 293–299 - Henri Gilbert, Guy Chassé: A Statistical Attack of the FEAL-8 Cryptosystem. CRYPTO 1990: 22–33. - Shoji Miyaguchi: The FEAL Cipher Family. CRYPTO 1990: 627–638 - Shoji Miyaguchi: The FEAL-8 Cryptosystem and a Call for Attack. CRYPTO 1989: 624–627 - Mitsuru Matsui, Atsuhiro Yamagishi: A New Method for Known Plaintext Attack of FEAL Cipher. EUROCRYPT 1992: 81–91 - Sean Murphy, The Cryptanalysis of FEAL-4 with 20 Chosen Plaintexts. *J. Cryptology* **2**(3): 145–154 (1990) - A. Shimizu and S. Miyaguchi, Fast data encipherment algorithm FEAL, Advances in Cryptology — Eurocrypt '87, Springer-Verlag (1988), 267–280. - Anne Tardy-Corfdir, Henri Gilbert: A Known Plaintext Attack of FEAL-4 and FEAL-6. CRYPTO 1991: 172–181 ## External links - [The FEAL home page](http://info.isl.ntt.co.jp/crypt/eng/archive/index.html#feal) - [A sci.crypt article by Peter Gutmann describing FEAL](https://groups.google.com/groups?selm=54gq4q%242d7%40scream.auckland.ac.nz) - [US patent 4850019](http://patft.uspto.gov/netacgi/nph-Parser?TERM1=4850019&u=/netahtml/srchnum.htm&Sect1=PTO1&Sect2=HITOFF&p=1&r=0&l=50&f=S&d=PALL) [Archived](https://web.archive.org/web/20160409112249/http://patft.uspto.gov/netacgi/nph-Parser?TERM1=4850019&u=/netahtml/srchnum.htm&Sect1=PTO1&Sect2=HITOFF&p=1&r=0&l=50&f=S&d=PALL) 2016-04-09 at the [Wayback Machine](/source/Wayback_Machine) v t e Block ciphers (security summary) Common algorithms AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish Less common algorithms ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA Other algorithms 3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q QARMA RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac Design Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation) Attack (cryptanalysis) Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Algebraic Cube attack Gröbner attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff Standardization AES process CRYPTREC NESSIE NSA Suite B CNSA Utilization Initialization vector Mode of operation Padding v t e Cryptography General History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network Mathematics Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography Category --- Adapted from the Wikipedia article [FEAL](https://en.wikipedia.org/wiki/FEAL) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/FEAL?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.