MacGuffin (cipher)

Encyclopedia

In cryptography

,

created in 1994 by Bruce Schneier

and Matt Blaze

at a Fast Software Encryption workshop

. It was intended as a catalyst for analysis of a new cipher structure, known as Generalized Unbalanced Feistel Networks

(GUFNs). The cryptanalysis

proceeded very quickly, so quickly that the cipher was broken at the same workshop by Vincent Rijmen

and Bart Preneel

.

, their main change being that the data block is not split into equal halves in the Feistel network. Instead, 48 bits of the 64-bit data block are fed through the round function, whose output is XORed with the other 16 bits of the data block. The algorithm was experimental, intended to explore the security properties of unbalanced Feistel networks.

The diagram to the right shows one round of MacGuffin. The 64-bit data block is broken into four 16-bit words (each represented by one line). The rightmost three are XORed with subkey bits derived from the secret key. They are then fed through eight S-boxes, each of which takes six bits of input and produces two bits of output. The output (a total of 16 bits) is then recombined and XORed with the leftmost word of the data block. The new leftmost block is then rotated into the rightmost position of the resulting data block. The algorithm then continues with more rounds.

MacGuffin's key schedule

is a modified version of the encryption algorithm itself. Since MacGuffin is a Feistel network, decryption is easy; simply run the encryption algorithm in reverse.

Schneier and Blaze recommended using 32 rounds, and specified MacGuffin with a 128-bit key.

. They showed that 32 rounds of MacGuffin is weaker than 16 rounds of DES, since it took "a few hours" to get good differential characteristics for DES with good starting values, and the same time to get good differential characteristics for MacGuffin with no starting values. They found that it is possible to get the last round key with differential cryptanalysis, and from that reverse the last round and repeat the attack for the rest of the rounds.

Rijmen and Preneel tried attacking MacGuffin with different S-boxes, taken directly from DES. This version proved to be slightly stronger, but they warn that designing an algorithm to resist only known attacks is generally not a good design principle.

Cryptography

Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

,

**MacGuffin**is a block cipherBlock cipher

In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...

created in 1994 by Bruce Schneier

Bruce Schneier

Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...

and Matt Blaze

Matt Blaze

Matt Blaze is a researcher in the areas of secure systems, cryptography, and trust management. He is currently an Associate Professor of Computer and Information Science at the University of Pennsylvania; he received his PhD in Computer Science from Princeton University.In 1992, while working for...

at a Fast Software Encryption workshop

Fast Software Encryption

Fast Software Encryption, often abbreviated FSE, is a workshop for cryptography research, focused on symmetric-key cryptography with an emphasis on fast, practical techniques, as opposed to theory...

. It was intended as a catalyst for analysis of a new cipher structure, known as Generalized Unbalanced Feistel Networks

Feistel cipher

In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel who did pioneering research while working for IBM ; it is also commonly known as a Feistel network. A large proportion of block...

(GUFNs). The cryptanalysis

Cryptanalysis

Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...

proceeded very quickly, so quickly that the cipher was broken at the same workshop by Vincent Rijmen

Vincent Rijmen

Vincent Rijmen is a Belgian cryptographer and one of the two designers of the Rijndael, the Advanced Encryption Standard. Rijmen is also the co-designer of the WHIRLPOOL cryptographic hash function, and the block ciphers Anubis, KHAZAD, Square, NOEKEON and SHARK.In 1993, Rijmen obtained a degree...

and Bart Preneel

Bart Preneel

Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group, president of the International Association for Cryptologic Research, and project manager of ECRYPT....

.

## The algorithm

Schneier and Blaze based MacGuffin on DESData Encryption Standard

The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...

, their main change being that the data block is not split into equal halves in the Feistel network. Instead, 48 bits of the 64-bit data block are fed through the round function, whose output is XORed with the other 16 bits of the data block. The algorithm was experimental, intended to explore the security properties of unbalanced Feistel networks.

The diagram to the right shows one round of MacGuffin. The 64-bit data block is broken into four 16-bit words (each represented by one line). The rightmost three are XORed with subkey bits derived from the secret key. They are then fed through eight S-boxes, each of which takes six bits of input and produces two bits of output. The output (a total of 16 bits) is then recombined and XORed with the leftmost word of the data block. The new leftmost block is then rotated into the rightmost position of the resulting data block. The algorithm then continues with more rounds.

MacGuffin's key schedule

Key schedule

[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("...

is a modified version of the encryption algorithm itself. Since MacGuffin is a Feistel network, decryption is easy; simply run the encryption algorithm in reverse.

Schneier and Blaze recommended using 32 rounds, and specified MacGuffin with a 128-bit key.

## Cryptanalysis of MacGuffin

At the same workshop where MacGuffin was introduced, Rijmen and Preneel showed that it was vulnerable to differential cryptanalysisDifferential cryptanalysis

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output...

. They showed that 32 rounds of MacGuffin is weaker than 16 rounds of DES, since it took "a few hours" to get good differential characteristics for DES with good starting values, and the same time to get good differential characteristics for MacGuffin with no starting values. They found that it is possible to get the last round key with differential cryptanalysis, and from that reverse the last round and repeat the attack for the rest of the rounds.

Rijmen and Preneel tried attacking MacGuffin with different S-boxes, taken directly from DES. This version proved to be slightly stronger, but they warn that designing an algorithm to resist only known attacks is generally not a good design principle.