General  

Designers  Toshiba 
First published  2000 
Related to  Hierocrypt3 
Certification  CRYPTREC 
Cipher detail  
Key sizes  128 bits 
Block sizes  64 bits 
Structure  Nested SPN 
Rounds  6.5 
Best public cryptanalysis  
Integral attack against 3.5 rounds 
General  

Designers  Toshiba 
First published  2000 
Related to  HierocryptL1 
Certification  CRYPTREC 
Cipher detail  
Key sizes  128, 192, or 256 bits 
Block sizes  128 bits 
Structure  Nested SPN 
Rounds  6.5, 7.5, or 8.5 
Best public cryptanalysis  
Integral attack against 3.5 rounds 
In cryptography, HierocryptL1 and Hierocrypt3 are block ciphers created by Toshiba in 2000. They were submitted to the NESSIE project, but were not selected. Both algorithms are among the cryptographic techniques recommended for Japanese government use by CRYPTREC.
The Hierocrypt ciphers are very similar, differing mainly in block size: 64 bits for HierocryptL1, 128 bits for Hierocrypt3. HierocryptL1's key size is 128 bits, while Hierocrypt3 can use keys of 128, 192, or 256 bits. The number of rounds of encryption also varies: HierocryptL1 uses 6.5 rounds, and Hierocrypt3 uses 6.5, 7.5, or 8.5, depending on the key size.
The Hierocrypt ciphers use a nested substitutionpermutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XSbox, followed by a linear diffusion operation. The final halfround replaces the diffusion with a simple postwhitening. The XSbox, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an Sbox lookup, a linear diffusion, another subkey XOR, and another Sbox lookup. The diffusion operations use two MDS matrices, and there is a single 8×8bit Sbox. The key schedule uses the binary expansions of the square roots of some small integers as a source of "nothing up my sleeve numbers".
No analysis of the full ciphers has been announced, but certain weaknesses were discovered in the Hierocrypt key schedule, linear relationships between the master key and some subkeys. There has also been some success applying integral cryptanalysis to reducedround Hierocrypt variants; attacks faster than exhaustive search have been found for 3.5 rounds of each cipher.
