FEAL ( Fast Data Encipherment Algorithm) is a block cipher and is one of the symmetric Feistelchiffren. The aim of the development that emanated from the Japanese telephone company, Nippon Telegraph and Telephone (NTT), was also for small microcontroller to achieve an efficient implementation of an encryption algorithm in software, and thus an alternative to the model developed by American authorities Data Encryption Standard (DES ) to create. DES is to implement only comparatively inefficient in software.

FEAL served in the years after its development in 1987 primarily as a test subject for various attack scenarios on encryption algorithms. In particular, it served to advance the today's essential analysis method, the differential cryptanalysis and linear cryptanalysis in their development. FEAL itself is, when broken in the original versions as FEAL -4 and FEAL -8 and therefore should not be used.


The data block of 64 bits consists of two words and 32 bits. A Feistelrunde consists in the evaluation of the round function F ( image) into a word and XORing the result with the other parts of speech and subsequent exchange of the words:

The function F decomposes the word into four bytes that are each symbolized by a line in the image, and receives as input also a round key ( 2 bytes). Thus, a bitwise XOR operation of two bytes is four times applied, and two each of the functions and evaluated that represent two input bytes on an output byte. First you add the two input bytes modulo, and in the case of is plus 1 is added, whereby the intermediate result arises h. This is rotated by two bit positions to the left:

The cipher also uses key whitening before the first and after the last round.


It was originally developed in 1988 by the development team to Akihiro Shimizu and Shoji Miyaguchi at NTT FEAL -4. This algorithm and its genesis also documented very clearly and with some amusing sequences with the problem which may be associated with the development of secure block cipher algorithms.

Thus, the algorithm in software, achieves high throughput as possible, the number of rounds was set only to four. FEAL -4 was broken in the same year 1988 at Eurocrypt '88 by B. den Boer. Only two years later, the newly developed by him differential cryptanalysis has been used successfully against FEAL -4 by Sean Murphy, said he needed only 20 chosen plaintext blocks.

The developers then improved in 1989 their algorithm by the number of rounds increased to eight ( FEAL -8). This algorithm has been successfully kryptoanalysiert also in the same year by Biham and Shamir at the conference Securicom '89.

The developers found themselves then forced, leaving their target, with a few laps to achieve efficient software implementation, and published FEAL -N with a variable number of rounds. On the Securicom '91 was shown by Biham and Shamir again, the FEAL -N can be cracked more efficiently than brute force for less than 32 rounds.

The developers of FEAL designed parallel in 1990 and FEAL -NX, a variant which worked with 128 -bit keys instead of the 64 bit long keys originally selected. Much to the chagrin of the developers was shown at the '91 Securicom of Biham and Shamir that FEAL -NX with 128 -bit key is just as easy to break as FEAL -N with 64 -bit keys.

In addition, modifications were of different development teams designed to strengthen, as FEAL -N ( X) S, which is to strengthen FEAL by a dynamic Vertauschungsfunktion. However, all these extensions very the expense of data throughput.

FEAL is mainly used for testing new and refining of cryptanalytic attack. FEAL, no matter the version, should not be used in safety critical areas because of its known weaknesses. FEAL was further patented in the United States, the patent expired in 2009.


  • Block encryption