UTF-8 text for encryption, or hex/base64 ciphertext for decryption.
Minimum 16 characters. Longer keys provide more subkey material.

About

Akelarre is a symmetric block cipher proposed in 1996 by researchers at the Spanish National Research Council (CSIC). It operates on 128-bit blocks and combines additive subkeys modulo $2^{32}$ with data-dependent bitwise rotations across configurable rounds (typically 4). The cipher was designed to merge concepts from IDEA (addition/multiplication mixing) and RC5 (data-dependent rotations) into a single AR (Addition-Rotation) structure. Cryptanalysts later demonstrated structural weaknesses: in 2000, Knudsen and Rijmen showed that the cipher's lack of substitution (S-boxes) permits differential-style attacks that recover the key in fewer than $2^{32}$ chosen plaintexts for reduced-round variants. This tool implements the full algorithm faithfully for educational and research purposes. It is not suitable for protecting sensitive data in production environments.

The key schedule expands a user-supplied key (minimum 128 bits) into 2R + 4 subkeys of 32 bits each, where R is the number of rounds. Incorrect key entry produces ciphertext that decrypts to garbage without any error signal. There is no authentication or integrity check. If you modify even a single bit of the key or ciphertext, decryption will silently produce incorrect output. Pro tip: always verify a round-trip (encrypt then decrypt) with your exact key before discarding plaintext.


Formulas

Akelarre splits each 128-bit plaintext block into four 32-bit words: A, B, C, D. The input transformation adds subkeys:

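$$
\begin{aligned}
A &\leftarrow (A + K_0) \bmod 2^{32} \\
B &\leftarrow (B + K_1) \bmod 2^{32} \\
C &\leftarrow (C + K_2) \bmod 2^{32} \\
D &\leftarrow (D + K_3) \bmod 2^{32}
\end{aligned}
$$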

Each round $r$ ($1 \le r \le R$) performs an AR (Addition-Rotation) operation. The four words are concatenated into a 128-bit value and rotated left by a data-dependent amount derived from the round subkey:

$\mathit{rot} = (K_{2r+2} \mathbin{\&} \mathtt{0x7F}) \bmod 128$

Concatenate: $W = A \,\|\, B \,\|\, C \,\|\, D$

$W \leftarrow \mathrm{ROL}_{128}(W, \mathit{rot})$

Split $W$ back to $A, B, C, D$

After rotation, additive mixing applies the second round subkey:

$$
\begin{aligned}
A &\leftarrow (A + K_{2r+3}) \bmod 2^{32} \\
C &\leftarrow (C + K_{2r+3}) \bmod 2^{32}
\end{aligned}
$$

After all R rounds, the output transformation subtracts the final subkeys. The total subkey count is 2R + 4.

Where: $K_i$ = the $i$-th 32-bit subkey derived from key expansion. $\mathrm{ROL}_{128}$ = left circular rotation of a 128-bit concatenated word. $R$ = number of rounds (default 4). $A, B, C, D$ = the four 32-bit words of each block.
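The input transformation and round formulas above, written out as an added example (not the tool's own code) together with their inverse and a one-bit avalanche measurement. The page does not give the key expansion or say which subkeys the output transformation uses, so the subkeys here are constructed random values and the output transformation is left out; all function names are illustrative.

```python
import random

MASK32, MASK128 = 0xFFFFFFFF, (1 << 128) - 1

def rol128(w, n):
    """Left-rotate a 128-bit integer by n bits."""
    n %= 128
    return ((w << n) | (w >> (128 - n))) & MASK128

def join(words):
    a, b, c, d = words
    return (a << 96) | (b << 64) | (c << 32) | d

def split(w):
    return [(w >> s) & MASK32 for s in (96, 64, 32, 0)]

def forward(block, k, rounds):
    """Input transformation plus R rounds, following the page's formulas."""
    a, b, c, d = [(x + k[i]) & MASK32 for i, x in enumerate(block)]
    for r in range(1, rounds + 1):
        rot = k[2 * r + 2] & 0x7F          # rotation amount taken from the subkey
        a, b, c, d = split(rol128(join([a, b, c, d]), rot))
        a = (a + k[2 * r + 3]) & MASK32    # only A and C receive the second subkey
        c = (c + k[2 * r + 3]) & MASK32
    return [a, b, c, d]

def inverse(block, k, rounds):
    """Undo forward(): subtract, rotate back, then remove the input subkeys."""
    a, b, c, d = block
    for r in range(rounds, 0, -1):
        a = (a - k[2 * r + 3]) & MASK32
        c = (c - k[2 * r + 3]) & MASK32
        a, b, c, d = split(rol128(join([a, b, c, d]), 128 - (k[2 * r + 2] & 0x7F)))
    return [(x - k[i]) & MASK32 for i, x in enumerate((a, b, c, d))]

def mean_flip_weight(rounds=4, trials=500, seed=1996):
    """Average number of output bits changed by flipping one input bit."""
    rng = random.Random(seed)
    k = [rng.getrandbits(32) for _ in range(2 * rounds + 4)]  # constructed subkeys
    total = 0
    for _ in range(trials):
        p = [rng.getrandbits(32) for _ in range(4)]           # constructed plaintext
        q = list(p)
        bit = rng.randrange(128)
        q[bit // 32] ^= 1 << (bit % 32)
        diff = join(forward(p, k, rounds)) ^ join(forward(q, k, rounds))
        total += bin(diff).count("1")
    return total / trials

if __name__ == "__main__":
    print("mean changed output bits (64 would be ideal):", mean_flip_weight())
```

A cipher with good diffusion changes about 64 of the 128 output bits per flipped input bit; with only fixed rotations and constant additions the difference stays confined to a short carry run, which is the structural property the differential analysis relies on.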

Reference Data

| Property | Akelarre | IDEA | RC5 | AES-128 | Blowfish |
| --- | --- | --- | --- | --- | --- |
| Year | 1996 | 1991 | 1994 | 2001 | 1993 |
| Block Size (bits) | 128 | 64 | 64 | 128 | 64 |
| Key Size (bits) | 128+ | 128 | 0-2040 | 128/192/256 | 32-448 |
| Default Rounds | 4 | 8.5 | 12 | 10 | 16 |
| Structure | AR network | Lai-Massey | Feistel-like | SPN | Feistel |
| Operations | + mod $2^{32}$, rotation | +, ×, XOR | +, XOR, rotation | SubBytes, ShiftRows, MixCols, AddKey | XOR, +, S-box |
| S-boxes | None | None (implicit) | None | Yes (8×8) | Yes (key-dependent) |
| Data-Dependent Rotation | Yes | No | Yes | No | No |
| Known Attacks | Differential (Knudsen 2000) | None practical | Differential (reduced) | None practical | None practical (full rounds) |
| Status | Broken (academic) | Legacy | Legacy | Current standard | Legacy but safe |
| Origin | Spain (CSIC) | Switzerland (ETH) | USA (RSA Labs) | Belgium (KU Leuven) | USA (Schneier) |
| Subkeys per Round | 2 | 6 | 2 | 1 (round key) | 2 |
| Total Subkeys (R rounds) | 2R + 4 | 52 | 2R + 2 | R + 1 | R + 2 |

Frequently Asked Questions

In 2000, Lars Knudsen and Vincent Rijmen published an attack demonstrating that Akelarre's reliance on addition and rotation without any nonlinear substitution layer (S-boxes) makes it vulnerable to differential-style cryptanalysis. The attack can recover the full key using approximately $2^{32}$ chosen plaintexts for the standard 4-round version. The cipher's designers intended the data-dependent rotations to provide sufficient diffusion, but the purely linear mixing proved insufficient against structured differentials.
This tool requires a minimum key length of 16 bytes (128 bits). If you supply fewer characters, the tool will reject the input and display an error. The key bytes are used directly in the key schedule expansion. Using a weak or short key (even if padded) drastically reduces security. For educational exploration, use a full 16-character ASCII key or longer.
Akelarre operates on 128-bit (16-byte) blocks. If your plaintext is not a multiple of 16 bytes, PKCS#7 padding appends $n$ bytes each with value $n$, where $n = 16 - (\text{length} \bmod 16)$. If the plaintext is already a multiple of 16, a full 16-byte padding block is added. During decryption, this padding is stripped. If the wrong key is used, padding validation will fail and the tool will report a decryption error.
Marginally. The fundamental weakness of Akelarre is structural: no S-boxes or nonlinear layers exist to break linear/differential patterns. Adding rounds from 4 to 8 increases the computational cost of attack but does not change the asymptotic attack complexity class. Knudsen's attack scales roughly linearly with round count. For comparison, AES uses 10 rounds with a SubBytes S-box layer that provides the nonlinearity Akelarre lacks.
No. Akelarre is a broken cipher with known practical key-recovery attacks. This tool exists for cryptographic education, algorithm study, and historical research. For real-world encryption, use AES-256-GCM via the Web Crypto API or a vetted library implementing ChaCha20-Poly1305. Never rely on Akelarre for confidentiality.
Both are lossless representations of the raw ciphertext bytes. Hex encoding uses characters 0-9 and a-f, producing 2 characters per byte (doubling size). Base64 uses 64 ASCII characters and produces roughly 4 characters per 3 bytes (33% size increase). Base64 is more compact for transmission. Hex is easier to read and debug byte-by-byte. Both decode identically to the same ciphertext.
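The PKCS#7 rule from the padding answer above, as an added example (not the tool's own code), with a measurement of how often an arbitrary final block still passes the padding check. Since the page states there is no authentication or integrity check, the padding check is the only error signal on decryption, and the numbers below show how weak that signal is; function names are illustrative.

```python
from fractions import Fraction

BLOCK = 16  # Akelarre block size in bytes, as stated on the page

def pkcs7_pad(data: bytes) -> bytes:
    """Append n bytes of value n; a full block when already aligned."""
    n = BLOCK - (len(data) % BLOCK)          # always in 1..16
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes) -> bytes:
    """Strip padding, rejecting anything that is not well-formed PKCS#7."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def looks_valid(block: bytes) -> bool:
    """True when the padding check accepts the block."""
    try:
        pkcs7_unpad(block)
        return True
    except ValueError:
        return False

def false_accept_probability() -> Fraction:
    """Chance that a uniformly random final block passes the check.

    The last byte fixes n, so the cases are disjoint: sum of 256**-n.
    The result is just under 1/255.
    """
    return sum(Fraction(1, 256 ** n) for n in range(1, BLOCK + 1))

def count_accepted_two_byte_tails() -> int:
    """Try every value of the last two bytes of an otherwise zero block."""
    prefix = bytes(BLOCK - 2)                # constructed sample prefix
    return sum(looks_valid(prefix + bytes([a, b]))
               for a in range(256) for b in range(256))

if __name__ == "__main__":
    print("accepted tails out of 65536:", count_accepted_two_byte_tails())
    print("random-block acceptance:", float(false_accept_probability()))
```

Roughly one wrong-key or corrupted decryption in 255 will therefore strip "padding" and return garbage without an error, which is why the round-trip check and the authenticated modes recommended above matter.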