For my version of this attack I used the FEAL4 version depicted here http://theamazingking.com/crypto-feal.php and in the book "Applied Cryptanalysis Breaking Ciphers in the Real World -- Mark Stamp, Richard M. Low", which means that six 32-bit subkeys are used (2 at the start to XOR with the plaintext, the rest XOR before each round function F).
Now I managed to continue the instructions for all rounds and even k4 and k5, and the correct keys are among the candidates I found. However, when I tried to distinguish the real key like an attacker would, I noticed that all 256 candidates are valid and can decrypt any message encrypted with the original key (checked for 10000 random plaintexts for all candidates).
Now my question, is this normal or even expected?
If it helps, I implemented it with Sage math.
