The other thing I noticed that really makes me question this is that G1 only uses 4 of its 8 input bits. As I wrote, it is equivalent to parity(i&0x17). A bit is a terrible thing to waste, and it is hard to imagine why it would do this intentionally. G1 may not be that important an element of the cipher but why throw away four bits?

It is possible I suppose that the F and G boxes are not the ones used in the "real" version of whatever cipher this is, so this apparent weakness and the ones which Matt has pointed out may not be that significant.

While I'm loath to make any statement that could be interpreted as defending this cipher, these are, as you say, only "apparent" weaknesses. Other than the "r vs. i" bug, which a very forgiving observer might attribute to some kind of error (maybe the code was typed in from a printout; maybe the program was taken from a "working copy" in the middle of being modified), so far, no one has demonstrated conclusively that these unorthodox and seemingly unsound design characteristics actually help the cryptanalyst in this particular cipher. I'm talking out of my hat here, but for all we know carefully selected non-uniformly distributed s-boxes and key schedules that throw out the odd bit here and there in just the right way might thwart some killer cryptanalytic technique that isn't yet known in the civilian world. Hardly likely, but still remotely possible. We can't completely rule this out unless we've seen that the cipher falls to the various known meta-attacks, like differential and linear cryptanalysis. I don't really think this is worth the trouble, however, given that these techniques can require considerable effort and skill to apply to an arbitrary cipher and that everything else about this thing points to a hoax designed to provoke just such a waste of time. (Someone will no doubt make me eat my words by doing a rump session talk at CRYPTO on how interesting the linear and differential analysis of this cipher turned out to be.) -matt PS to whoever posted this thing, if you're reading this: If this cipher isn't what its comments assert, and you've just added spooky labels to get people interested in evaluating some design technique that you've invented because you think no one will take you seriously if you just come clean, you're wrong. An intellegently-written description of your ideas, coupled with an easily-evaluated example, can get a lot of attention from the crypto community no matter what the source. I've personally looked at several such schemes, and had at one of my own (MacGuffin, which you're obviously familar with) widely examined by doing just that. You could have produced such a description with about as much effort as you've obviously already gone to in creating the "S-1" code, with far greater potential rewards. And if this is just a random hoax, well, I guess it looks like you've suceeded.