Crypto Wiki
This article is about the block cipher algorithm. For the ultrafast laser pulse measurement technique, see frequency-resolved optical gating. For the amphibian, see Frog. For other uses, see Frog (disambiguation).

Template:Infobox block cipher In cryptography, FROG is a block cipher authored by Georgoudis, Leroux and Chaves. The algorithm can work with any block size between 8 and 128 bytes, and supports key sizes between 5 and 125 bytes. The algorithm consists of 8 rounds and has a very complicated key schedule.

It was submitted in 1998 by TecApro, a Costa Rican software company, to the AES competition as a candidate to become the Advanced Encryption Standard. Wagner et al. (1999) found a number of weak key classes for FROG. Other problems included very slow key setup and relatively slow encryption. FROG was not selected as a finalist.

Design philosophy[]

Normally a block cipher applies a fixed sequence of primitive mathematical or logical operators (such as additions, XORs, etc) on the plaintext and secret key in order to produce the ciphertext. An attacker uses this knowledge to search for weaknesses in the cipher which may allow the recovery of the plaintext.

FROG's design philosophy is to hide the exact sequence of primitive operations even though the cipher itself is known. While other ciphers use the secret key only as data (which are combined with the plaintext to produce the ciphertext), FROG uses the key both as data and as instructions on how to combine these data. In effect an expanded version of the key is used by FROG as a program. FROG itself operates as an interpreter that applies this key-dependent program on the plaintext to produce the ciphertext. Decryption works by applying the same program in reverse on the ciphertext.


The FROG key schedule (or internal key) is 2304 bytes long. It is produced recursively by iteratively applying FROG to an empty plaintext. The resulting block is processed to produce a well formatted internal key with 8 records. FROG has 8 rounds, the operations of each round codified by one record in the internal key. All operations are byte-wide and consist of XORs and substitutions. A detailed description of the cipher can be found here.

FROG is very easy to implement (the reference C version has only about 150 lines of code). Much of the code needed to implement FROG is used to generate the secret internal key; the internal cipher itself is a very short piece of code. It is possible to write an assembly routine of just 22 machine instructions that does full FROG encryptions and decryption. The implementation will run well on 8 bit processors because it uses only byte-level instructions. No bit-specific operations are used. Once the internal key has been computed, the algorithm is fairly fast: a version implemented using 8086 assembler achieves processing speeds of over 2.2 megabytes per second when run on a 200 MHz Pentium PC.


FROG's design philosophy is meant to defend against unforeseen/unknown types of attacks. Nevertheless, the very fact that the key is used as the encryption program means that some keys may correspond to weak encryption programs. David Wagner et al. found that 2-33 of the keys are weak and that in these cases the key can be broken with 258 chosen plaintexts.

Another flaw of FROG is that the decryption function has a much slower diffusion than the encryption function. Here 2-29 of keys are weak and can be broken using 236 chosen ciphertexts.


  • David Wagner, Niels Ferguson and Bruce Schneier, Cryptanalysis of FROG, in proceedings of the 2nd AES candidate conference, pp175–181, NIST, 1999 [1].
  • Dianelos Georgoudis, Damian Leroux and Billy Simón Chaves, The FROG Encryption Algorithm, June 15, 1998 [2].

de:Free Ranging On Grid es:FROG fr:FROG it:FROG nl:Free Ranging On Grid fi:FROG