The block cipher NSABC (public domain)

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We introduce NSABC/w – Nice-Structured Algebraic Block Cipher using w-bit word arithmetic, a 4w-bit analogue of Skipjack [NSA98] with a 5w-bit key. Skipjack's internal 4-round Feistel structure is replaced with a w-bit, 2-round cascade of a binary operation $(x,z)\mapsto(x\boxdot z)\lll(w/2)$ that permutes a text word $x$ under control of a key word $z$. The operation $\boxdot$, similarly to the multiplication in IDEA [LM91, LMM91], is based on an algebraic group over w-bit words, so it is also capable of decrypting by means of the inverse element of $z$ in the group. The cipher utilizes a secret 4w-bit tweak – an easily changeable parameter with a unique value for each block encrypted under the same key [LRW02] – that is derived from the block index and an additional 4w-bit key. A software implementation for w=64 takes circa 9 clock cycles per byte on x86-64 processors.


💡 Research Summary

The paper introduces NSABC (Nice‑Structured Algebraic Block Cipher), a word‑oriented block cipher that builds on the structural ideas of Skipjack while replacing its internal 4‑round Feistel network with a two‑round cascade operating on a single w‑bit word. The cipher works on a 4w‑bit block and uses a 5w‑bit key; an optional 4w‑bit tweak can be added to obtain a unique per‑block variant, following the LRW tweakable‑block‑cipher model.

The core primitive is a quasi‑group operation ⊡ defined as x⊡y = 2·x·y ⊞ x ⊟ y (where ⊞ and ⊟ denote addition and subtraction modulo 2^w). This operation is derived from another quasi‑group ⊙ (x⊙y = 2·x·y ⊞ x ⊞ y) which is isomorphic to multiplication of odd integers modulo 2^(w+1). Because ⊙ forms a proper group with unit 0 and an efficiently computable inverse, ⊡ inherits a right‑inverse property: (x⊡y)⊡¯y = x, where ¯y is the inverse of y in the ⊡‑quasi‑group. Consequently decryption can be performed by using the inverse key word rather than a separate inverse algorithm.
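The right-inverse property and the keyed step (x,z)↦(x⊡z)⋘(w/2) from the abstract can be checked directly for w = 64. The following is an added example, not code from the paper or its authors; the function names, the Newton-iteration inverse and the sample words are assumptions, and the unit-key variant ⊡_e is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, w = 64: uint64_t arithmetic wraps mod 2^64 by definition. */

/* x [.] z = 2xz + x - z (the page's box-dot operation) */
static uint64_t boxdot(uint64_t x, uint64_t z) { return 2 * x * z + x - z; }

/* x (.) z = 2xz + x + z, the group operation with unit 0 */
static uint64_t odot(uint64_t x, uint64_t z) { return 2 * x * z + x + z; }

/* Inverse of an odd a mod 2^64 by Newton iteration: a*a == 1 (mod 8), so
   inv = a is correct to 3 bits and each step doubles the correct bits. */
static uint64_t odd_inverse(uint64_t a) {
    uint64_t inv = a;
    for (int i = 0; i < 5; i++) inv *= 2 - a * inv;
    return inv;
}

/* Inverse key word: solves z (.) zbar = 0, i.e. zbar = -z * (2z+1)^-1. */
static uint64_t key_inverse(uint64_t z) { return (0 - z) * odd_inverse(2 * z + 1); }

/* Rotation by w/2 = 32 bits; it is its own inverse for w = 64. */
static uint64_t rot_half(uint64_t v) { return (v << 32) | (v >> 32); }

/* One step (x, z) -> (x [.] z) <<< (w/2), and its inverse using zbar. */
static uint64_t g_step(uint64_t x, uint64_t z) { return rot_half(boxdot(x, z)); }
static uint64_t g_step_inv(uint64_t y, uint64_t z) { return boxdot(rot_half(y), key_inverse(z)); }

/* 2-round cascade and its inverse (key words applied in reverse order). */
static uint64_t cascade(uint64_t x, uint64_t z1, uint64_t z2) { return g_step(g_step(x, z1), z2); }
static uint64_t cascade_inv(uint64_t y, uint64_t z1, uint64_t z2) { return g_step_inv(g_step_inv(y, z2), z1); }

int main(void) {
    /* Constructed sample values, not test vectors from the paper. */
    uint64_t x = 0x0123456789abcdefULL, z1 = 0xfedcba9876543210ULL, z2 = 0x0f1e2d3c4b5a6978ULL;
    uint64_t c = cascade(x, z1, z2);
    printf("x=%016llx c=%016llx back=%016llx\n", (unsigned long long)x,
           (unsigned long long)c, (unsigned long long)cascade_inv(c, z1, z2));
    printf("z1 (.) z1bar = %llu\n", (unsigned long long)odot(z1, key_inverse(z1)));
    return cascade_inv(c, z1, z2) == x ? 0 : 1;
}
```

The inverse key word depends only on z, so a decryption key schedule can precompute it once per round key instead of inverting during each block.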

Encryption proceeds in 32 rounds, arranged as four passes of eight rounds each: A‑type, B‑type, A‑type, B‑type. In each round a “G‑box” first applies the ⊡ operation with the current round key and a unit element e (derived from a separate w‑bit unit key U), then rotates the result left by w/2 bits. For A‑type rounds the G‑box output replaces the first word x0 and is XOR‑ed into x1; for B‑type rounds the XOR with x3 is performed before the G‑box. Between rounds a word‑wise XOR with the tweak schedule (derived from the 4w‑bit tweak T) is applied, providing diffusion across the four words.

The key schedule mirrors Skipjack: the 5w‑bit master key Z is rotated and mixed to produce 32 round sub‑keys z_k. The unit schedule is generated from the unit key U, yielding the per‑round unit element e_k used in ⊡_e. The tweak schedule is a simple linear transformation of T, allowing the same cipher core to be reused with a different tweak for each block.

Performance measurements on an x86‑64 platform with w = 64 show that the implementation requires roughly 9 CPU cycles per byte, thanks to the exclusive use of word‑level arithmetic (addition, subtraction, rotation, XOR) and the avoidance of S‑boxes. This makes NSABC attractive for software‑only environments and for platforms where table‑lookups are costly.

From a cryptanalytic perspective, the use of the ⊙/⊡ quasi‑group introduces non‑linear mixing similar to IDEA’s multiplication modulo 2^w+1, which is known to resist linear and differential attacks. However, the algebraic expressions are relatively low‑degree polynomials; thus attacks based on higher‑order differentials, XL‑type algebraic solving, or Gröbner‑basis methods could be feasible if enough plaintext‑ciphertext pairs are available. The round function’s simplicity also means that the cipher’s security heavily relies on the diffusion provided by the alternating A/B pattern and the tweak‑induced XORs. The key schedule’s simple rotation may be a point of concern, as it does not add independent diffusion; formal proofs of resistance to related‑key attacks are absent.

The authors claim that the tweak makes the cipher “tweak‑able” in the LRW sense, allowing a unique cipher instance per block without re‑keying. This is useful for modes that require per‑block variability (e.g., disk encryption). Nevertheless, if the tweak is public, the security gain is limited to preventing simple replay attacks.

In conclusion, NSABC offers an elegant, scalable design that combines Skipjack’s structural simplicity with IDEA‑style algebraic mixing, achieving high software efficiency and straightforward implementation. The paper, however, lacks a thorough security analysis, formal proofs, or extensive cryptanalytic evaluation. Consequently, while the construction is promising, further peer‑reviewed analysis and possibly modifications would be required before NSABC could be recommended for production‑grade cryptographic use.

