The Block Cipher Lounge

(This page was last updated 23.04.99)

Welcome!

On this page we try to give an overview of recent block ciphers. We also provide some pointers to people who make fast implementations.

The US administration decided to start the development of the Advanced Encryption Standard (AES), a replacement algorithm for the Data Encryption Standard (DES). We devote a special page to this topic.

Security

Table 1: Security of some selected proposals

(See below for the notation of the table.)
| Name | Version | Author(s) | Block | Key | Rounds | Attack(s) |
|---|---|---|---|---|---|---|
| DES | (77) | IBM/NSA | 64 | 56 | 16 | K:43/19/13 [M94] |
| 3-DES | (77) | Diffie, Hellman | 64 | 168 | 48 | K:2/112/56 |
| 2k3-DES | (78) | Tuchman | 64 | 112 | 48 | K:n/120-n/n [OW91], C:56/56/56/ [M79] |
| FEAL-N | (87-90) | Miyaguchi, .. | 64 | 128 | N | K:2/./.(4), C:4/./.(8) [AO96] |
| RC2 | (89) | Rivest | 64 | 8-1024 | 18 | C:64/64/.(16) [KRRR98] |
| Khufu | (90) | Merkle | 64 | 512 | 8s, s>1 | C:52/./.(26) [BBS99] |
| Khafre | (90) | Merkle | 64 | 64t, t>0 | 8s, s>1 | C:52/./.(26) [BBS99] |
| IDEA | (91) | Lai, Massey, Murphy | 64 | 128 | 8.5 | C:64/112/32(4.5) [BBS99] |
| LOKI | (90) | Brown, Pieprzyk, Seberry | 64 | 64 | 16 | C:54/./.(14), K:62/./.(11) |
| LOKI | (91) | Brown, Kwan, Pieprzyk, Seberry | 64 | 64 | 16 | C:58/./.(13) [K94], K:60/./.(11) [SF97] |
| SAFER | K (93) | Massey | 64 | 64,128 | 6,10 | C:45/./32(5) [KB96] |
| SAFER | SK (95) | Massey, Knudsen | 64 | 40,64,128 | 8,10 | ? |
| Blowfish | (93) | Schneier | 64 | 32-448 | 16 | ? |
| RC5 | 32/12/k (94) | Rivest | 64 | 8s, s<256 | 12 | C:54/./. [KM96] |
| RC5 | 64/16/16 (94) | Rivest | 128 | 8s, s<256 | 16 | C:83/./. [KM96], C:123/./.(24) [KM96] |
| CAST-128 | (95) | Adams | 64 | 40-128 | 12, 16 | ? |
| SHARK | (96) | Rijmen, Daemen, Preneel, Bosselaers, de Win | 64 | 128 | 6 | ? |
| SQUARE | (97) | Daemen, Knudsen, Rijmen | 128 | 128 | 8 | CP:32/72/32(6) [DKR97] |
| MISTY | 1 (97) | Matsui | 64 | 128 | 8 | ? |
| MISTY | 2 (97) | Matsui | 64 | 128 | 12 | ? |
| ICE | (97) | Kwan | 64 | 64 | 16 | CP:62/62/30 [VRKR98] |
| Skipjack | (98) | NSA? | 64 | 80 | 32 | [BS98] |
| Rainbow | (98) | Lee, Kim | 128 | 128 | 7 | ? |
| SMS4 | (?) | ? | 128 | 128 | ? | ? |



The notation of the table:

Name: name of the block cipher
Version: name (year) of the version
Author(s): name of the designer(s)
Block: the block length in bits
Key: the key length in bits
Rounds: the number of rounds of the cipher
Attack(s):
K:a/b/c denotes that the best known plaintext attack requires 2^a plaintexts/ciphertexts, has a workload of 2^b encryptions and requires 2^c words of memory.
C:a/b/c denotes that the best chosen plaintext attack requires 2^a plaintexts/ciphertexts, has a workload of 2^b encryptions and requires 2^c words of memory.

A `.' means that this resource requirement is either negligible or unknown to us.

(r): the number of rounds of the attack. If blank, r=Rounds
[SA]: the paper describing the attack
?: No attacks known



CAVEAT! No known attacks (?) does not necessarily mean that the block cipher is secure.


Badly Broken Ciphers

Here we try to list some modern ciphers that were broken or show other serious weaknesses.

Akelarre:

There are several different versions of this cipher. We have seen only one of them, and that version is very weak.

FEAL-4

G-DES

SPEED

Performance

Here we list some people who make fast implementations of block ciphers and put figures on the web.

Your Input

Hello you there, readers. We are only two researchers and we can use some help to extend this block cipher lounge. Currently we are looking for more information on "commercial" encryption algorithms, especially the secret ones. Do you know how, for instance, Stealth works? We'd like to. We are interested in every block cipher.

References

[A97]
C. Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure," Designs, Codes and Cryptography, vol. 12, no. 3, November 1997, pp. 283-316 (see also Selected Areas in Cryptography, Kluwer Academic Publishers, 1997, pp. 71-104).
[A97-2]
C. Adams, "The CAST-128 Encryption Algorithm," RFC 2144, May 1997.
[AO96]
K. Aoki and K. Ohta, "Differential-linear cryptanalysis of FEAL-8," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E79-A, No. 1, January 1996.
[BS93]
E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
[BS98]
E. Biham, A. Biryukov, A. Shamir, "Cryptanalysis of Skipjack Reduced to 31 Rounds using Impossible Differentials."
[BBS99]
E. Biham, A. Biryukov, A. Shamir, "Miss in the middle attacks on IDEA, Khufu and Khafre," Fast Software Encryption '99, LNCS.
[DKR97]
J. Daemen, L.R. Knudsen and V. Rijmen, "The block cipher SQUARE," Fast Software Encryption, LNCS 1267, E. Biham, Ed., Springer-Verlag, pp. 149-165.
[GC94]
H. Gilbert and P. Chauvaud, "A chosen plaintext attack of the 16-round Khufu cryptosystem," Advances in Cryptology, Proceedings Crypto'94, LNCS 839, Y. Desmedt, Ed., Springer-Verlag, 1994, pp. 359-368.
[KL98]
C-H. Lee, J-S. Kim, "Rainbow."
[SMS4]
Chinese encryption system for wireless networks, "SMS4."
[K94]
L.R. Knudsen, "Block ciphers - analysis, design and applications," PhD Thesis, DAIMI PB 485, Aarhus University, 1994.
[KB96]
L.R. Knudsen and T.A. Berson, "Truncated differentials of SAFER," Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 15-26.
[KM96]
L.R. Knudsen and W. Meier, "Improved differential attack on RC5," Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 216-228.
[KRRR98]
L.R. Knudsen, V. Rijmen, R.L. Rivest and M.J.B. Robshaw, "On the design and security of RC2," Fast Software Encryption, LNCS 1372, S. Vaudenay, Ed., Springer-Verlag, 1998, pp. 206-221.
[M94]
M. Matsui, "Linear cryptanalysis method for DES cipher," Advances in Cryptology, Proceedings Eurocrypt'93, LNCS 765, T. Helleseth, Ed., Springer-Verlag, 1994, pp. 386-397.
[M79]
R.C. Merkle, Secrecy, authentication, and public key systems, UMI Research Press, Ann Arbor, Michigan, 1979.
[SF97]
K. Sakurai and S. Furuya, "Improving linear cryptanalysis of LOKI91 by probabilistic counting method," Fast Software Encryption, LNCS 1267, E. Biham, Ed., Springer-Verlag, pp. 114-133.
[OW91]
P.C. van Oorschot and M. Wiener, "A known-plaintext attack on two-key triple encryption," Advances in Cryptology, Proceedings Eurocrypt'90, LNCS 473, I.B. Damgård, Ed., Springer-Verlag, 1991, pp. 318-325.
[VRKR98]
B. Van Rompay, L.R. Knudsen and V. Rijmen, "Differential cryptanalysis of the ICE encryption algorithm," Fast Software Encryption, LNCS 1372, S. Vaudenay, Ed., Springer-Verlag, 1998, pp. 270-283.




This page was created 26.03.97 by Lars R. Knudsen and Vincent Rijmen.

The page is maintained by Lars R. Knudsen and Vincent Rijmen.
All comments welcome.




WATCH OUT: Big brother might be watching you!