About

The AKE98 cipher is a symmetric block cipher built on a 16-round Feistel network operating on 64-bit blocks with a 128-bit key. Each round applies a fixed 8×8 S-box substitution, bitwise rotation by round-dependent offsets, and XOR mixing with a derived round key. The key schedule expands a passphrase-derived 128-bit master key into 16 unique 32-bit subkeys using circular shifts and the GF(2⁸) field constant 0x1B. Cipher Block Chaining (CBC) mode ensures identical plaintext blocks produce distinct ciphertext blocks. A random 8-byte initialization vector (IV) is generated per encryption and prepended to the output. Without CBC, an attacker performing frequency analysis on repeated blocks could extract structural information from the plaintext. The passphrase undergoes SHA-256 hashing to produce the master key, preventing weak-key patterns from short or predictable phrases. This tool approximates academic-grade encryption for educational and light-duty confidentiality purposes. It is not a replacement for AES-256-GCM or NaCl/libsodium in production security contexts.

Formulas

The Feistel round function F for round i operates on the right half R and round key K_i:

F(R, K_i) = RotL(S(R ⊕ K_i), r_i)

Each full round updates the halves as:

L_i+1 = R_i

R_i+1 = L_i ⊕ F(R_i, K_i)

CBC encryption chains blocks via the initialization vector:

C_j = E_K(P_j ⊕ C_j−1)

where C₀ = IV. Decryption reverses: P_j = D_K(C_j) ⊕ C_j−1.

Variable legend: L, R = left/right 32-bit halves. K_i = round subkey. S = S-box substitution (byte-wise). RotL = circular left rotation. r_i = rotation offset for round i. P_j = plaintext block j. C_j = ciphertext block j. IV = initialization vector. ⊕ = bitwise XOR.

Reference Data

Parameter	Value	Description
Block Size	64 bits (8 bytes)	Data processed per cipher operation
Key Length	128 bits (16 bytes)	Derived from SHA-256 of passphrase
Rounds	16	Feistel network iterations
S-box Size	8×8 (256 entries)	Fixed substitution lookup table
Mode	CBC	Cipher Block Chaining with random IV
IV Length	64 bits	Prepended to ciphertext output
Padding	PKCS#7	Pads plaintext to block boundary
Key Derivation	SHA-256	Web Crypto API hash of passphrase
Output Encoding	Base64	Safe for text transport and storage
Round Key Size	32 bits	Extracted from expanded key schedule
Rotation Offsets	3, 5, 7, 11 (cycled)	Left-rotate amounts per round
Feistel Function	S-box → Rotate → XOR	Non-linear mixing per half-block
Decryption	Reverse round order	Feistel property: same structure, reversed keys
Avalanche Target	≥ 50% bit flip	1-bit input change → ~half output bits change
GF(2⁸) Constant	0x1B	Irreducible polynomial for key schedule mixing

Frequently Asked Questions

A Feistel network splits each block into two halves and applies the round function F only to one half, XORing the result into the other. Because XOR is its own inverse (A ⊕ B ⊕ B = A), decryption uses the identical F function but feeds the round keys in reverse order (K₁₅ down to K₀). No separate decryption circuit or inverse S-box is needed. This is the defining property that Horst Feistel established in the Lucifer cipher lineage.

ECB (Electronic Codebook) encrypts each block independently. Identical plaintext blocks produce identical ciphertext blocks, leaking structural patterns (the classic "ECB penguin" problem). CBC chains each block to the previous ciphertext via XOR before encryption. A random 8-byte IV ensures that even the same message encrypted twice produces entirely different ciphertext. The trade-off is that CBC is sequential and cannot be parallelized during encryption.

The passphrase is hashed through SHA-256, so even a 1-character passphrase produces a full 128-bit key with uniform distribution. However, an attacker can brute-force short passphrases by trying all candidates and hashing each one. A 4-character lowercase passphrase has only ~460,000 possibilities. Use at least 12 characters mixing upper/lowercase, digits, and symbols. The SHA-256 step prevents timing-based key recovery but does not substitute for passphrase entropy.

PKCS#7 appends N bytes each of value N to fill the last block to 8 bytes. For example, if 5 bytes remain, it appends 3 bytes of value 0x03. A full block of padding (8 bytes of 0x08) is added when the plaintext is already block-aligned, ensuring unambiguous removal. If the wrong passphrase is used during decryption, the final block will contain garbage bytes that fail the padding validation check. This tool detects invalid padding and reports a decryption error rather than outputting corrupted data.

No. AKE98 is an educational cipher that demonstrates Feistel network principles. Its 64-bit block size is vulnerable to birthday-bound attacks after approximately 2³² blocks (~32 GB) of data encrypted under the same key. Modern standards require AES-256-GCM (128-bit blocks, authenticated encryption) or ChaCha20-Poly1305. Use this tool for learning cryptographic concepts, CTF challenges, or lightweight obfuscation where regulatory compliance is not required.

The avalanche effect means a single bit change in input should flip approximately 50% of output bits. The S-box provides non-linear substitution: adjacent input values map to distant output values. Combined with bit rotation and XOR mixing across 16 rounds, even a 1-bit difference in plaintext or key propagates through the entire ciphertext block. Without the S-box, the cipher would be purely linear (XOR + rotation) and trivially breakable via Gaussian elimination over GF(2).