REDOC II (Cusick and Wood, 1990) operates on 80-bit blocks with a 160-bit key. The cipher has 10 rounds, and uses key-dependent S-boxes and masks used to select the tables for use in different rounds of the cipher. Cusick found an attack on one round, and Biham and Shamir (1991) used differential cryptanalysis to attack one round with 2300 encryptions. Biham and Shamir also found a way of recovering three masks for up to four rounds faster than exhaustive search. A prize of US$5,000 was offered for the best attack on one round of REDOC-II, and $20,000 for the best practical known-plaintext attack.
REDOC III is a more efficient cipher. It operates on an 80-bit block and accepts a variable-length key of up to 20,480 bits. The algorithm consists only of XORing key bytes with message bytes, and uses no permutations or substitutions. Ken Shirriff describes a differential attack on REDOC-III requiring 220chosen plaintexts and 230 memory.
^Bruce Schneier Applied cryptography: protocols, algorithms, and source code in C 1996 "REDOC III REDOC HI is a streamlined version of REDOC n, also designed by Michael Wood . It operates on an 80-bit block. The key length is variable and can be as large as 2560 bytes (20480 bits). "
Thomas W. Cusick and Michael C. Wood: The REDOC II Cryptosystem, CRYPTO 1990, pp545–563.
Eli Biham and Adi Shamir, Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer. Advances in Cryptology—CRYPTO '91, Springer-Verlag, pp156–171 (gzipped PostScript).
Ken Shirriff, Differential Cryptanalysis of REDOC-III, (PS)