The patent papers gave some hints, but important details, like the layout of the so-called S-boxes, remained secret.
Though released as binary only, disassembly revealed the missing details and allowed reimplementation of the algorithm in higher-level programming languages.
), either by reverse-engineering and breaking the algorithms altogether, or by intercepting the keys in real-time as they are generated on a legitimate decoder, and then distributing them to others (so-called card sharing).
This significantly speeds up a brute force search implemented in software, although the factor is too low for a practical real-time attack.
The block cipher part is harder to bit slice, as the S-boxes involved are too large (8x8) to be efficiently implemented using logical operations, a prerequisite for bit slicing to be more efficient than a regular implementation.
However, as all operations are on 8-bit subblocks, the algorithm can be implemented using regular SIMD, or a form of “byteslicing”.
As most SIMD instruction sets (with the exception of AVX2) do not support parallel look-up tables, the S-box lookups are done in a non-bytesliced implementation, but their integration into the rest of the algorithm is not hampered markedly by the byteslicing.
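The byteslicing layout described above, as an added example that is not taken from the original page or from any CSA implementation: the rotations and XORs act on whole rows of a transposed block array, while the S-box look-up stays scalar per lane. The round function, the S-box table, the key and all names are constructed stand-ins, not the real cipher.

```c
#include <stdint.h>
#include <string.h>
#define LANES 16   /* blocks processed together, e.g. one 128-bit register */
#define ROUNDS 8
static uint8_t SBOX[256];
/* Constructed 8x8 stand-in table, not the S-box of any real cipher. */
static void build_sbox(void) {
    for (int x = 0; x < 256; x++) SBOX[x] = (uint8_t)(x * 167 + 13);
}
/* Reference: one block at a time, every operation on 8-bit subblocks. */
static void encrypt_block(uint8_t r[8], const uint8_t key[ROUNDS]) {
    for (int i = 0; i < ROUNDS; i++) {
        uint8_t s = SBOX[r[7] ^ key[i]], r0 = r[0];
        memmove(r, r + 1, 7);            /* rotate the subblocks */
        r[1] ^= s;
        r[7] = r0 ^ s;
    }
}
/* Bytesliced: row v[j] holds subblock j of all LANES blocks (one vector). */
static void encrypt_sliced(uint8_t v[8][LANES], const uint8_t key[ROUNDS]) {
    uint8_t s[LANES], r0[LANES];
    for (int i = 0; i < ROUNDS; i++) {
        for (int b = 0; b < LANES; b++)  /* scalar per-lane table look-up */
            s[b] = SBOX[v[7][b] ^ key[i]];
        memcpy(r0, v[0], LANES);
        memmove(v, v + 1, 7 * sizeof v[0]);  /* rotation moves whole rows */
        for (int b = 0; b < LANES; b++) {    /* vectorisable XORs */
            v[1][b] ^= s[b];
            v[7][b] = r0[b] ^ s[b];
        }
    }
}
/* Runs both forms on the same constructed blocks; returns mismatching bytes. */
static int mismatches(void) {
    const uint8_t key[ROUNDS] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe};
    uint8_t blocks[LANES][8], v[8][LANES];
    int bad = 0;
    build_sbox();
    for (int b = 0; b < LANES; b++)
        for (int j = 0; j < 8; j++)      /* transpose into the sliced layout */
            v[j][b] = blocks[b][j] = (uint8_t)(b * 31 + j * 7);
    encrypt_sliced(v, key);
    for (int b = 0; b < LANES; b++) {
        encrypt_block(blocks[b], key);
        for (int j = 0; j < 8; j++) bad += (v[j][b] != blocks[b][j]);
    }
    return bad;
}
int main(void) { return mismatches() != 0; }
```

Only the first inner loop in `encrypt_sliced` needs per-lane table access; every other step is a whole-row copy or XOR, which is why the scalar look-ups fit into the sliced layout without reshaping the data.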
The basic idea was to introduce a few deliberate faults in the intermediate calculations, making it possible to deduce the last eight round keys.