StarCTF 2019 - notfeal (Crypto, 740)




This service gives us 50 ciphertext of our chosen plaintext, then it gives us the encrypted flag.


It’s a typical setting of chosen plaintext attack.

We found an attack on FEAL in this link.

However, the cipher in this challenge is slightly different from FEAL.

The output of round function fbox is reversed, and the direction of round function is left to right (i.e. l, r = r, fbox(l ^ ks[i]) ^ l)

Fortunately, since the difference of fbox is only about the position of bytes, the differential characteristic is still perserved in this modified FEAL.

Use the following input differential:

Round4: 00000000  80800000
Round3: 80800000  80800000
Round2: 00000002  00000002
Round1:  random  (00000002 ^ random)

The output differential will be 00000002.

Implement the algorithm in the link to get the flag.

You may get 4 possible key each round, that’s fine.

Every chain of keys you find can decrypt the flag well.