NOEKEON has a 128-bit block and key size. Each round of NOEKEON employs a sequence of self-inverse transformations which can be implemented easily in hardware or software, even where differential power analysis is a concern. It is designed according to a variant of the wide-trail strategy.
Cryptanalysis by Lars Knudsen and Håvard Raddum in April 2001 showed that "indirect mode" NOEKEON was still vulnerable to certain peculiar kinds of related-key cryptanalysis, and showed weaknesses in NOEKEON-variant ciphers which cast doubt on the design strategy behind NOEKEON and thus on its security. As a result, it was not a NESSIE selected algorithm.
The authors of NOEKEON contend ("On NOEKEON, no!") that the related-key attacks required to break "indirect mode" NOEKEON are not a practical concern, and that it is as a result of deliberate design that NOEKEON is not vulnerable to the attacks that break the variant ciphers; they assert that NOEKEON is still a good and useful cipher.
