HOME

TheInfoList



OR:

In
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, a block cipher is a
deterministic algorithm In computer science, a deterministic algorithm is an algorithm that, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states. Deterministic algorithms are by far ...
operating on fixed-length groups of
bit The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s, called ''blocks''. Block ciphers are specified elementary components in the design of many
cryptographic protocol A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describe ...
s and are widely used to
encrypt In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
large amounts of data, including in data exchange protocols. A block cipher uses blocks as an unvarying transformation. Even a secure block cipher is suitable for the encryption of only a single block of data at a time, using a fixed key. A multitude of
modes of operation In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transfor ...
have been designed to allow their repeated use in a secure way to achieve the security goals of confidentiality and
authenticity Authenticity or authentic may refer to: * Authentication, the act of confirming the truth of an attribute Arts and entertainment * Authenticity in art, ways in which a work of art or an artistic performance may be considered authentic Music * A ...
. However, block ciphers may also feature as building blocks in other cryptographic protocols, such as
universal hash function In mathematics and computing, universal hashing (in a randomized algorithm or data structure) refers to selecting a hash function at random from a family of hash functions with a certain mathematical property (see definition below). This guarantees ...
s and
pseudorandom number generator A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generate ...
s.


Definition

A block cipher consists of two paired
algorithm In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific Computational problem, problems or to perform a computation. Algorithms are used as specificat ...
s, one for encryption, , and the other for decryption, . Both algorithms accept two inputs: an input block of size bits and a
key Key or The Key may refer to: Common meanings * Key (cryptography), a piece of information that controls the operation of a cryptography algorithm * Key (lock), device used to control access to places or facilities restricted by a lock * Key (map ...
of size bits; and both yield an -bit output block. The decryption algorithm is defined to be the
inverse function In mathematics, the inverse function of a function (also called the inverse of ) is a function that undoes the operation of . The inverse of exists if and only if is bijective, and if it exists, is denoted by f^ . For a function f\colon X\t ...
of encryption, i.e., . More formally,, chapter 3. a block cipher is specified by an encryption function :E_K(P) := E(K,P): \^k \times \^n \rightarrow \^n, which takes as input a key , of bit length (called the ''key size''), and a bit string , of length (called the ''block size''), and returns a string of bits. is called the
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
, and is termed the
ciphertext In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
. For each , the function () is required to be an invertible mapping on . The inverse for is defined as a function :E_K^(C) := D_K(C) = D(K,C): \^k \times \^n \rightarrow \^n, taking a key and a ciphertext to return a plaintext value , such that :\forall P: D_K(E_K(P)) = P. For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input – the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plain text. For each key ''K'', ''EK'' is a
permutation In mathematics, a permutation of a set is, loosely speaking, an arrangement of its members into a sequence or linear order, or if the set is already ordered, a rearrangement of its elements. The word "permutation" also refers to the act or proc ...
(a
bijective In mathematics, a bijection, also known as a bijective function, one-to-one correspondence, or invertible function, is a function between the elements of two sets, where each element of one set is paired with exactly one element of the other s ...
mapping) over the set of input blocks. Each key selects one permutation from the set of (2^n)! possible permutations.


History

The modern design of block ciphers is based on the concept of an iterated
product cipher In cryptography, a product cipher combines two or more transformations in a manner intending that the resulting cipher is more secure than the individual components to make it resistant to cryptanalysis.Handbook of Applied Cryptography by Alfred J. ...
. In his seminal 1949 publication, ''
Communication Theory of Secrecy Systems "Communication Theory of Secrecy Systems" is a paper published in 1949 by Claude Shannon discussing cryptography from the viewpoint of information theory. It is one of the foundational treatments (arguably ''the'' foundational treatment) of modern c ...
'',
Claude Shannon Claude Elwood Shannon (April 30, 1916 – February 24, 2001) was an American people, American mathematician, electrical engineering, electrical engineer, and cryptography, cryptographer known as a "father of information theory". As a 21-year-o ...
analyzed product ciphers and suggested them as a means of effectively improving security by combining simple operations such as
substitution Substitution may refer to: Arts and media *Chord substitution, in music, swapping one chord for a related one within a chord progression * Substitution (poetry), a variation in poetic scansion * "Substitution" (song), a 2009 song by Silversun Pi ...
s and
permutation In mathematics, a permutation of a set is, loosely speaking, an arrangement of its members into a sequence or linear order, or if the set is already ordered, a rearrangement of its elements. The word "permutation" also refers to the act or proc ...
s. Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. One widespread implementation of such ciphers, named a
Feistel network In cryptography, a Feistel cipher (also known as Luby–Rackoff block cipher) is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research whi ...
after
Horst Feistel Horst Feistel (January 30, 1915 – November 14, 1990) was a German-American cryptographer who worked on the design of ciphers at IBM, initiating research that culminated in the development of the Data Encryption Standard (DES) in the 1970s. The ...
, is notably implemented in the
DES Des is a masculine given name, mostly a short form (hypocorism) of Desmond. People named Des include: People * Des Buckingham, English football manager * Des Corcoran, (1928–2004), Australian politician * Des Dillon (disambiguation), sever ...
cipher., p. 455. Many other realizations of block ciphers, such as the AES, are classified as
substitution–permutation network In cryptography, an SP-network, or substitution–permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms such as AES (Rijndael), 3-Way, Kalyna, Kuznyechik, PRESENT, SAFER, SHARK, and Square. S ...
s. The root of all
cryptographic Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
block formats used within the
Payment Card Industry Data Security Standard The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council and its use i ...
(PCI DSS) and
American National Standards Institute The American National Standards Institute (ANSI ) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organi ...
(ANSI) standards lies with the Atalla Key Block (AKB), which was a key innovation of the
Atalla Box Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in ...
, the first
hardware security module A hardware security module (HSM) is a physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptograp ...
(HSM). It was developed in 1972 by
Mohamed M. Atalla Mohamed M. Atalla ( ar, محمد عطاالله; August 4, 1924 – December 30, 2009) was an Egyptian-American engineer, physicist, cryptographer, inventor and entrepreneur. He was a semiconductor pioneer who made important contributions to ...
, founder of
Atalla Corporation Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in ...
(now
Utimaco Atalla Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in ...
), and released in 1973. The AKB was a key block, which is required to securely interchange symmetric keys or
PINs A pin is a device used for fastening objects or material together. Pin or PIN may also refer to: Computers and technology * Personal identification number (PIN), to access a secured system ** PIN pad, a PIN entry device * PIN, a former Dutch de ...
with other actors of the
banking industry {{set category, first= industries (branches of an economy), alternative=industries, topic=Industry (economics) For other meanings of "industries", see :Industries. ...
. This secure interchange is performed using the AKB format. The Atalla Box protected over 90% of all ATM networks in operation as of 1998, and Atalla products still secure the majority of the world's ATM transactions as of 2014. The publication of the DES cipher by the United States National Bureau of Standards (subsequently the U.S.
National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
, NIST) in 1977 was fundamental in the public understanding of modern block cipher design. It also influenced the academic development of
cryptanalytic attack Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic se ...
s. Both differential and
linear cryptanalysis In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most ...
arose out of studies on the DES design. there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against
brute-force attack In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct ...
s.


Design


Iterated block ciphers

Most block cipher algorithms are classified as ''iterated block ciphers'' which means that they transform fixed-size blocks of
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
into identically sized blocks of
ciphertext In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
, via the repeated application of an invertible transformation known as the ''round function'', with each iteration referred to as a ''round''. Usually, the round function ''R'' takes different ''round keys'' ''Ki'' as second input, which are derived from the original key: :M_i = R_(M_) where M_0 is the plaintext and M_r the ciphertext, with ''r'' being the number of rounds. Frequently,
key whitening In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key. Details The most common form of key whitening is xor-encrypt-xor -- ...
is used in addition to this. At the beginning and the end, the data is modified with key material (often with
XOR Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
, but simple arithmetic operations like adding and subtracting are also used): : M_0 = M \oplus K_0 :M_i = R_(M_)\; ; \; i = 1 \dots r :C = M_r \oplus K_ Given one of the standard iterated block cipher design schemes, it is fairly easy to construct a block cipher that is cryptographically secure, simply by using a large number of rounds. However, this will make the cipher inefficient. Thus, efficiency is the most important additional design criterion for professional ciphers. Further, a good block cipher is designed to avoid side-channel attacks, such as branch prediction and input-dependent memory accesses that might leak secret data via the cache state or the execution time. In addition, the cipher should be concise, for small hardware and software implementations. Finally, the cipher should be easily cryptanalyzable, such that it can be shown how many rounds the cipher needs to be reduced to, so that the existing cryptographic attacks would work – and, conversely, that it can be shown that the number of actual rounds is large enough to protect against them.


Substitution–permutation networks

One important type of iterated block cipher known as a ''
substitution–permutation network In cryptography, an SP-network, or substitution–permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms such as AES (Rijndael), 3-Way, Kalyna, Kuznyechik, PRESENT, SAFER, SHARK, and Square. S ...
(SPN)'' takes a block of the plaintext and the key as inputs, and applies several alternating rounds consisting of a substitution stage followed by a permutation stage—to produce each block of ciphertext output. The non-linear substitution stage mixes the key bits with those of the plaintext, creating Shannon's ''
confusion In medicine, confusion is the quality or state of being bewildered or unclear. The term "acute mental confusion"
''. The linear permutation stage then dissipates redundancies, creating ''
diffusion Diffusion is the net movement of anything (for example, atoms, ions, molecules, energy) generally from a region of higher concentration to a region of lower concentration. Diffusion is driven by a gradient in Gibbs free energy or chemical p ...
''. A ''
substitution box In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shan ...
(S-box)'' substitutes a small block of input bits with another block of output bits. This substitution must be one-to-one, to ensure invertibility (hence decryption). A secure S-box will have the property that changing one input bit will change about half of the output bits on average, exhibiting what is known as the
avalanche effect In cryptography, the avalanche effect is the desirable property of cryptographic algorithms, typically block ciphers and cryptographic hash functions, wherein if an input is changed slightly (for example, flipping a single bit), the output changes ...
—i.e. it has the property that each output bit will depend on every input bit. A ''
permutation box In cryptography, a permutation box (or P-box) is a method of bit-shuffling used to permute or transpose bits across S-boxes inputs, retaining diffusion while transposing. In block ciphers, the S-boxes and P-boxes are used to make the relation ...
(P-box)'' is a
permutation In mathematics, a permutation of a set is, loosely speaking, an arrangement of its members into a sequence or linear order, or if the set is already ordered, a rearrangement of its elements. The word "permutation" also refers to the act or proc ...
of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible. At each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically
XOR Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
.
Decryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
is done by simply reversing the process (using the inverses of the S-boxes and P-boxes and applying the round keys in reversed order).


Feistel ciphers

In a ''
Feistel cipher In cryptography, a Feistel cipher (also known as Luby–Rackoff block cipher) is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research whi ...
'', the block of plain text to be encrypted is split into two equal-sized halves. The round function is applied to one half, using a subkey, and then the output is XORed with the other half. The two halves are then swapped. Let be the round function and let K_0,K_1,\ldots,K_ be the sub-keys for the rounds 0,1,\ldots,n respectively. Then the basic operation is as follows: Split the plaintext block into two equal pieces, (L_0, R_0) For each round i =0,1,\dots,n, compute :L_ = R_i\, :R_= L_i \oplus (R_i, K_i). Then the ciphertext is (R_, L_). Decryption of a ciphertext (R_, L_) is accomplished by computing for i=n,n-1,\ldots,0 :R_ = L_\, :L_ = R_ \oplus (L_, K_). Then (L_0,R_0) is the plaintext again. One advantage of the Feistel model compared to a
substitution–permutation network In cryptography, an SP-network, or substitution–permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms such as AES (Rijndael), 3-Way, Kalyna, Kuznyechik, PRESENT, SAFER, SHARK, and Square. S ...
is that the round function does not have to be invertible.


Lai–Massey ciphers

The Lai–Massey scheme offers security properties similar to those of the
Feistel structure In cryptography, a Feistel cipher (also known as Luby–Rackoff block cipher) is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research w ...
. It also shares its advantage that the round function \mathrm F does not have to be invertible. Another similarity is that it also splits the input block into two equal pieces. However, the round function is applied to the difference between the two, and the result is then added to both half blocks. Let \mathrm F be the round function and \mathrm H a half-round function and let K_0,K_1,\ldots,K_n be the sub-keys for the rounds 0,1,\ldots,n respectively. Then the basic operation is as follows: Split the plaintext block into two equal pieces, (L_0, R_0) For each round i =0,1,\dots,n, compute :(L_',R_') = \mathrm H(L_i' + T_i,R_i' + T_i), where T_i = \mathrm F(L_i' - R_i', K_i) and (L_0',R_0') = \mathrm H(L_0,R_0) Then the ciphertext is (L_, R_) = (L_',R_'). Decryption of a ciphertext (L_, R_) is accomplished by computing for i=n,n-1,\ldots,0 :(L_i',R_i') = \mathrm H^(L_' - T_i, R_' - T_i) where T_i = \mathrm F(L_' - R_',K_i) and (L_',R_')=\mathrm H^(L_,R_) Then (L_0,R_0) = (L_0',R_0') is the plaintext again.


Operations


ARX (add–rotate–XOR)

Many modern block ciphers and hashes are ARX algorithms—their round function involves only three operations: (A) modular addition, (R)
rotation Rotation, or spin, is the circular movement of an object around a '' central axis''. A two-dimensional rotating object has only one possible central axis and can rotate in either a clockwise or counterclockwise direction. A three-dimensional ...
with fixed rotation amounts, and (X)
XOR Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
. Examples include
ChaCha20 Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. Ch ...
,
Speck Speck can refer to a number of European cured pork products, typically salted and air-cured and often lightly smoked but not cooked. In Germany, speck is pickled pork fat with or without some meat in it. Throughout much of the rest of Europe a ...
, XXTEA, and
BLAKE Blake is a surname which originated from Old English. Its derivation is uncertain; it could come from "blac", a nickname for someone who had dark hair or skin, or from "blaac", a nickname for someone with pale hair or skin. Another theory, presuma ...
. Many authors draw an ARX network, a kind of
data flow diagram A data-flow diagram is a way of representing a flow of data through a process or a system (usually an information system). The DFD also provides information about the outputs and inputs of each entity and the process itself. A data-flow diagram ha ...
, to illustrate such a round function. These ARX operations are popular because they are relatively fast and cheap in hardware and software, their implementation can be made extremely simple, and also because they run in constant time, and therefore are immune to
timing attack In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and ...
s. The
rotational cryptanalysis In cryptography, rotational cryptanalysis is a generic cryptanalytic attack against algorithms that rely on three operations: modular addition, rotation and XOR — ARX for short. Algorithms relying on these operations are popular because they ...
technique attempts to attack such round functions.


Other operations

Other operations often used in block ciphers include data-dependent rotations as in
RC5 In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, ''RC'' stands for "Rivest Cipher", or alternatively, "Ron's Code" (compare RC2 and RC4). The Advanced Encryption Standard (AES) c ...
and
RC6 In cryptography, RC6 (Rivest cipher 6) is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. T ...
, a
substitution box In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shan ...
implemented as a
lookup table In computer science, a lookup table (LUT) is an array that replaces runtime computation with a simpler array indexing operation. The process is termed as "direct addressing" and LUTs differ from hash tables in a way that, to retrieve a value v wi ...
as in
Data Encryption Standard The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cry ...
and
Advanced Encryption Standard The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is a variant ...
, a
permutation box In cryptography, a permutation box (or P-box) is a method of bit-shuffling used to permute or transpose bits across S-boxes inputs, retaining diffusion while transposing. In block ciphers, the S-boxes and P-boxes are used to make the relation ...
, and multiplication as in
IDEA In common usage and in philosophy, ideas are the results of thought. Also in philosophy, ideas can also be mental representational images of some object. Many philosophers have considered ideas to be a fundamental ontological category of being ...
.


Modes of operation

A block cipher by itself allows encryption only of a single data block of the cipher's block length. For a variable-length message, the data must first be partitioned into separate cipher blocks. In the simplest case, known as
electronic codebook In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transforma ...
(ECB) mode, a message is first split into separate blocks of the cipher's block size (possibly extending the last block with
padding Padding is thin cushioned material sometimes added to clothes. Padding may also be referred to as batting when used as a layer in lining quilts or as a packaging or stuffing material. When padding is used in clothes, it is often done in an attempt ...
bits), and then each block is encrypted and decrypted independently. However, such a naive method is generally insecure because equal plaintext blocks will always generate equal ciphertext blocks (for the same key), so patterns in the plaintext message become evident in the ciphertext output. To overcome this limitation, several so called
block cipher modes of operation In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transforma ...
have been designed and specified in national recommendations such as NIST 800-38A and BSI TR-02102 and international standards such as
ISO/IEC 10116 ISO/IEC 10116 ''Information technology — Security techniques — Modes of operation for an n-bit block cipher'' is an international standard that specifies modes of operation for block ciphers of any length. The modes defined are: * Electroni ...
. The general concept is to use
randomization Randomization is the process of making something random. Randomization is not haphazard; instead, a random process is a sequence of random variables describing a process whose outcomes do not follow a deterministic pattern, but follow an evolution d ...
of the plaintext data based on an additional input value, frequently called an
initialization vector In cryptography, an initialization vector (IV) or starting variable (SV) is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to ...
, to create what is termed
probabilistic encryption Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. The term "probabilistic encryption" is typically used in referen ...
. In the popular
cipher block chaining In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transforma ...
(CBC) mode, for encryption to be
secure Secure may refer to: * Security, being protected against danger or loss(es) **Physical security, security measures that are designed to deny unauthorized access to facilities, equipment, and resources **Information security, defending information ...
the initialization vector passed along with the plaintext message must be a random or
pseudo-random A pseudorandom sequence of numbers is one that appears to be statistically random, despite having been produced by a completely deterministic and repeatable process. Background The generation of random numbers has many uses, such as for random ...
value, which is added in an
exclusive-or Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , , ...
manner to the first plaintext block before it is being encrypted. The resultant ciphertext block is then used as the new initialization vector for the next plaintext block. In the
cipher feedback In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transform ...
(CFB) mode, which emulates a self-synchronizing stream cipher, the initialization vector is first encrypted and then added to the plaintext block. The
output feedback In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transform ...
(OFB) mode repeatedly encrypts the initialization vector to create a key stream for the emulation of a synchronous stream cipher. The newer
counter Counter may refer to: Mathematics and computing * Counter machine, a subclass of register machines * Counter (digital), an electronic device, mechanical device, or computer program for counting * Loop counter, the variable that controls the iter ...
(CTR) mode similarly creates a key stream, but has the advantage of only needing unique and not (pseudo-)random values as initialization vectors; the needed randomness is derived internally by using the initialization vector as a block counter and encrypting this counter for each block. From a security-theoretic point of view, modes of operation must provide what is known as
semantic security In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciph ...
. Informally, it means that given some ciphertext under an unknown key one cannot practically derive any information from the ciphertext (other than the length of the message) over what one would have known without seeing the ciphertext. It has been shown that all of the modes discussed above, with the exception of the ECB mode, provide this property under so-called
chosen plaintext attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts.Ross Anderson, ''Security Engineering: A Guide to Building Dependable Distributed Systems'' ...
s.


Padding

Some modes such as the CBC mode only operate on complete plaintext blocks. Simply extending the last block of a message with zero-bits is insufficient since it does not allow a receiver to easily distinguish messages that differ only in the amount of padding bits. More importantly, such a simple solution gives rise to very efficient
padding oracle attack In cryptography, a padding oracle attack is an attack which uses the Padding (cryptography), padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expa ...
s. A suitable padding scheme is therefore needed to extend the last plaintext block to the cipher's block size. While many popular schemes described in standards and in the literature have been shown to be vulnerable to padding oracle attacks, a solution which adds a one-bit and then extends the last block with zero-bits, standardized as "padding method 2" in ISO/IEC 9797-1, has been proven secure against these attacks.


Cryptanalysis


Brute-force attacks

This property results in the cipher's security degrading quadratically, and needs to be taken into account when selecting a block size. There is a trade-off though as large block sizes can result in the algorithm becoming inefficient to operate. Earlier block ciphers such as the
DES Des is a masculine given name, mostly a short form (hypocorism) of Desmond. People named Des include: People * Des Buckingham, English football manager * Des Corcoran, (1928–2004), Australian politician * Des Dillon (disambiguation), sever ...
have typically selected a 64-bit block size, while newer designs such as the AES support block sizes of 128 bits or more, with some ciphers supporting a range of different block sizes.


Differential cryptanalysis


Linear cryptanalysis

''
Linear cryptanalysis In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most ...
'' is a form of cryptanalysis based on finding
affine Affine may describe any of various topics concerned with connections or affinities. It may refer to: * Affine, a relative by marriage in law and anthropology * Affine cipher, a special case of the more general substitution cipher * Affine comb ...
approximations to the action of a
cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being
differential cryptanalysis Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can aff ...
. The discovery is attributed to
Mitsuru Matsui is a Japanese cryptographer and senior researcher for Mitsubishi Electric Company. Career While researching error-correcting codes in 1990, Matsui was inspired by Eli Biham and Adi Shamir's differential cryptanalysis, and discovered the techni ...
, who first applied the technique to the
FEAL In cryptography, FEAL (the Fast data Encipherment ALgorithm) is a block cipher proposed as an alternative to the Data Encryption Standard (DES), and designed to be much faster in software. The Feistel based algorithm was first published in 1987 ...
cipher (Matsui and Yamagishi, 1992).


Integral cryptanalysis

''
Integral cryptanalysis In cryptography, integral cryptanalysis is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution–permutation networks. It was originally designed by Lars Knudsen as a dedicated attack against Square, so ...
'' is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution–permutation networks. Unlike differential cryptanalysis, which uses pairs of chosen plaintexts with a fixed XOR difference, integral cryptanalysis uses sets or even multisets of chosen plaintexts of which part is held constant and another part varies through all possibilities. For example, an attack might use 256 chosen plaintexts that have all but 8 of their bits the same, but all differ in those 8 bits. Such a set necessarily has an XOR sum of 0, and the XOR sums of the corresponding sets of ciphertexts provide information about the cipher's operation. This contrast between the differences of pairs of texts and the sums of larger sets of texts inspired the name "integral cryptanalysis", borrowing the terminology of calculus.


Other techniques

In addition to linear and differential cryptanalysis, there is a growing catalog of attacks:
truncated differential cryptanalysis In cryptography, truncated differential cryptanalysis is a generalization of differential cryptanalysis, an attack against block ciphers. Lars Knudsen developed the technique in 1994. Whereas ordinary differential cryptanalysis analyzes the full di ...
, partial differential cryptanalysis,
integral cryptanalysis In cryptography, integral cryptanalysis is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution–permutation networks. It was originally designed by Lars Knudsen as a dedicated attack against Square, so ...
, which encompasses square and integral attacks,
slide attack The slide attack is a form of cryptanalysis designed to deal with the prevailing idea that even weak ciphers can become very strong by increasing the number of rounds, which can ward off a differential attack. The slide attack works in such a way ...
s,
boomerang attack In cryptography, the boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher. The boomerang attack ...
s, the
XSL attack In cryptography, the ''eXtended Sparse Linearization'' (XSL) attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy as it was ...
,
impossible differential cryptanalysis In cryptography, impossible differential cryptanalysis is a form of differential cryptanalysis for block ciphers. While ordinary differential cryptanalysis tracks differences that propagate through the cipher with greater than expected probability, ...
and algebraic attacks. For a new block cipher design to have any credibility, it must demonstrate evidence of security against known attacks.


Provable security

When a block cipher is used in a given
mode of operation In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transform ...
, the resulting algorithm should ideally be about as secure as the block cipher itself. ECB (discussed above) emphatically lacks this property: regardless of how secure the underlying block cipher is, ECB mode can easily be attacked. On the other hand, CBC mode can be proven to be secure under the assumption that the underlying block cipher is likewise secure. Note, however, that making statements like this requires formal mathematical definitions for what it means for an encryption algorithm or a block cipher to "be secure". This section describes two common notions for what properties a block cipher should have. Each corresponds to a mathematical model that can be used to prove properties of higher level algorithms, such as CBC. This general approach to cryptography – proving higher-level algorithms (such as CBC) are secure under explicitly stated assumptions regarding their components (such as a block cipher) – is known as ''provable security''.


Standard model

Informally, a block cipher is secure in the standard model if an attacker cannot tell the difference between the block cipher (equipped with a random key) and a random permutation. To be a bit more precise, let ''E'' be an ''n''-bit block cipher. We imagine the following game: # The person running the game flips a coin. #* If the coin lands on heads, he chooses a random key ''K'' and defines the function ''f'' = ''E''''K''. #* If the coin lands on tails, he chooses a random permutation on the set of ''n''-bit strings, and defines the function ''f'' = . # The attacker chooses an ''n''-bit string ''X'', and the person running the game tells him the value of ''f''(''X''). # Step 2 is repeated a total of ''q'' times. (Each of these ''q'' interactions is a ''query''.) # The attacker guesses how the coin landed. He wins if his guess is correct. The attacker, which we can model as an algorithm, is called an ''
adversary An adversary is generally considered to be a person, group, or force that opposes and/or attacks. Adversary may also refer to: * Satan ("adversary" in Hebrew), in Judeo-Christian religion Entertainment Fiction * Adversary (comics), villain fro ...
''. The function ''f'' (which the adversary was able to query) is called an ''
oracle An oracle is a person or agency considered to provide wise and insightful counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. As such, it is a form of divination. Description The word '' ...
''. Note that an adversary can trivially ensure a 50% chance of winning simply by guessing at random (or even by, for example, always guessing "heads"). Therefore, let ''P''''E''(''A'') denote the probability that the adversary ''A'' wins this game against ''E'', and define the ''advantage'' of ''A'' as 2(''P''''E''(''A'') − 1/2). It follows that if ''A'' guesses randomly, its advantage will be 0; on the other hand, if ''A'' always wins, then its advantage is 1. The block cipher ''E'' is a ''pseudo-random permutation'' (PRP) if no adversary has an advantage significantly greater than 0, given specified restrictions on ''q'' and the adversary's running time. If in Step 2 above adversaries have the option of learning ''f''−1(''X'') instead of ''f''(''X'') (but still have only small advantages) then ''E'' is a ''strong'' PRP (SPRP). An adversary is ''non-adaptive'' if it chooses all ''q'' values for ''X'' before the game begins (that is, it does not use any information gleaned from previous queries to choose each ''X'' as it goes). These definitions have proven useful for analyzing various modes of operation. For example, one can define a similar game for measuring the security of a block cipher-based encryption algorithm, and then try to show (through a reduction argument) that the probability of an adversary winning this new game is not much more than ''P''''E''(''A'') for some ''A''. (The reduction typically provides limits on ''q'' and the running time of ''A''.) Equivalently, if ''P''''E''(''A'') is small for all relevant ''A'', then no attacker has a significant probability of winning the new game. This formalizes the idea that the higher-level algorithm inherits the block cipher's security.


Ideal cipher model


Practical evaluation

Block ciphers may be evaluated according to multiple criteria in practice. Common factors include: *Key parameters, such as its key size and block size, both of which provide an upper bound on the security of the cipher. *The ''estimated security level'', which is based on the confidence gained in the block cipher design after it has largely withstood major efforts in cryptanalysis over time, the design's mathematical soundness, and the existence of practical or certificational attacks. *The cipher's ''complexity'' and its suitability for implementation in hardware or
software Software is a set of computer programs and associated documentation and data. This is in contrast to hardware, from which the system is built and which actually performs the work. At the lowest programming level, executable code consists ...
. Hardware implementations may measure the complexity in terms of
gate count {{unreferenced, date=December 2015 In microprocessor design, gate count refers to the number of logic gates built with transistors and other electronic devices, that are needed to implement a design. Even with today's processor technology providing ...
or energy consumption, which are important parameters for resource-constrained devices. *The cipher's ''performance'' in terms of processing
throughput Network throughput (or just throughput, when in context) refers to the rate of message delivery over a communication channel, such as Ethernet or packet radio, in a communication network. The data that these messages contain may be delivered ov ...
on various platforms, including its
memory Memory is the faculty of the mind by which data or information is encoded, stored, and retrieved when needed. It is the retention of information over time for the purpose of influencing future action. If past events could not be remembered, ...
requirements. *The ''cost'' of the cipher, which refers to licensing requirements that may apply due to
intellectual property right Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more than others. The best-known types are patents, cop ...
s. *The ''flexibility'' of the cipher, which includes its ability to support multiple key sizes and block lengths.


Notable block ciphers


Lucifer / DES

Lucifer Lucifer is one of various figures in folklore associated with the planet Venus. The entity's name was subsequently absorbed into Christianity as a name for the devil. Modern scholarship generally translates the term in the relevant Bible passage ...
is generally considered to be the first civilian block cipher, developed at IBM in the 1970s based on work done by
Horst Feistel Horst Feistel (January 30, 1915 – November 14, 1990) was a German-American cryptographer who worked on the design of ciphers at IBM, initiating research that culminated in the development of the Data Encryption Standard (DES) in the 1970s. The ...
. A revised version of the algorithm was adopted as a U.S. government
Federal Information Processing Standard The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer systems of non-military, American ...
: FIPS PUB 46
Data Encryption Standard The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cry ...
(DES). It was chosen by the U.S. National Bureau of Standards (NBS) after a public invitation for submissions and some internal changes by NBS (and, potentially, the
NSA The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collectio ...
). DES was publicly released in 1976 and has been widely used. DES was designed to, among other things, resist a certain cryptanalytic attack known to the NSA and rediscovered by IBM, though unknown publicly until rediscovered again and published by
Eli Biham Eli Biham ( he, אלי ביהם) is an Israeli cryptographer and cryptanalyst, currently a professor at the Technion - Israel Institute of Technology Computer Science department. Starting from October 2008 and till 2013, Biham was the dean of t ...
and
Adi Shamir Adi Shamir ( he, עדי שמיר; born July 6, 1952) is an Israeli cryptographer. He is a co-inventor of the Rivest–Shamir–Adleman (RSA) algorithm (along with Ron Rivest and Len Adleman), a co-inventor of the Feige–Fiat–Shamir identificat ...
in the late 1980s. The technique is called
differential cryptanalysis Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can aff ...
and remains one of the few general attacks against block ciphers;
linear cryptanalysis In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most ...
is another, but may have been unknown even to the NSA, prior to its publication by
Mitsuru Matsui is a Japanese cryptographer and senior researcher for Mitsubishi Electric Company. Career While researching error-correcting codes in 1990, Matsui was inspired by Eli Biham and Adi Shamir's differential cryptanalysis, and discovered the techni ...
. DES prompted a large amount of other work and publications in cryptography and
cryptanalysis Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic sec ...
in the open community and it inspired many new cipher designs. DES has a block size of 64 bits and a
key size In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher). Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the fastest ...
of 56 bits. 64-bit blocks became common in block cipher designs after DES. Key length depended on several factors, including government regulation. Many observers in the 1970s commented that the 56-bit key length used for DES was too short. As time went on, its inadequacy became apparent, especially after a special purpose machine designed to break DES was demonstrated in 1998 by the
Electronic Frontier Foundation The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The foundation was formed on 10 July 1990 by John Gilmore, John Perry Barlow and Mitch Kapor to promote Internet ci ...
. An extension to DES,
Triple DES In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standa ...
, triple-encrypts each block with either two independent keys (112-bit key and 80-bit security) or three independent keys (168-bit key and 112-bit security). It was widely adopted as a replacement. As of 2011, the three-key version is still considered secure, though the
National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
(NIST) standards no longer permit the use of the two-key version in new applications, due to its 80-bit security level.NIST Special Publication 800-57 ''Recommendation for Key Management — Part 1: General (Revised)'', March, 2007


IDEA

The ''
International Data Encryption Algorithm In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in ...
'' (''IDEA'') is a block cipher designed by
James Massey James Lee Massey (February 11, 1934 – June 16, 2013) was an American information theorist and cryptographer, Professor Emeritus of Digital Technology at ETH Zurich. His notable work includes the application of the Berlekamp–Massey algorithm to ...
of
ETH Zurich (colloquially) , former_name = eidgenössische polytechnische Schule , image = ETHZ.JPG , image_size = , established = , type = Public , budget = CHF 1.896 billion (2021) , rector = Günther Dissertori , president = Joël Mesot , ac ...
and
Xuejia Lai Xuejia Lai () is a cryptographer, currently a professor at Shanghai Jiao Tong University. His notable work includes the design of the block cipher IDEA based on the Lai-Massey scheme, the theory of Markov ciphers, and the cryptanalysis of a numbe ...
; it was first described in 1991, as an intended replacement for DES. IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a ''round'') and an output transformation (the ''half-round''). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different
groups A group is a number of persons or things that are located, gathered, or classed together. Groups of people * Cultural group, a group whose members share the same cultural identity * Ethnic group, a group whose members share the same ethnic iden ...
modular Broadly speaking, modularity is the degree to which a system's components may be separated and recombined, often with the benefit of flexibility and variety in use. The concept of modularity is used primarily to reduce complexity by breaking a sy ...
addition and multiplication, and bitwise ''
exclusive or Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
(XOR)'' – which are algebraically "incompatible" in some sense. The designers analysed IDEA to measure its strength against
differential cryptanalysis Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can aff ...
and concluded that it is immune under certain assumptions. No successful
linear Linearity is the property of a mathematical relationship (''function'') that can be graphically represented as a straight line. Linearity is closely related to '' proportionality''. Examples in physics include rectilinear motion, the linear r ...
or algebraic weaknesses have been reported. , the best attack which applies to all keys can break full 8.5-round IDEA using a narrow-bicliques attack about four times faster than brute force.


RC5

RC5 is a block cipher designed by
Ronald Rivest Ronald Linn Rivest (; born May 6, 1947) is a cryptographer and an Institute Professor at MIT. He is a member of MIT's Department of Electrical Engineering and Computer Science (EECS) and a member of MIT's Computer Science and Artificial Intell ...
in 1994 which, unlike many other ciphers, has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128-bit key and 12 rounds. A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of
modular Broadly speaking, modularity is the degree to which a system's components may be separated and recombined, often with the benefit of flexibility and variety in use. The concept of modularity is used primarily to reduce complexity by breaking a sy ...
additions and XORs. The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially
one-way function In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, spe ...
with the binary expansions of both e and the
golden ratio In mathematics, two quantities are in the golden ratio if their ratio is the same as the ratio of their sum to the larger of the two quantities. Expressed algebraically, for quantities a and b with a > b > 0, where the Greek letter phi ( ...
as sources of "
nothing up my sleeve number In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need rando ...
s". The tantalizing simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts. 12-round RC5 (with 64-bit blocks) is susceptible to a
differential attack Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can af ...
using 244 chosen plaintexts.Biryukov A. and Kushilevitz E. (1998). Improved Cryptanalysis of RC5. EUROCRYPT 1998. 18–20 rounds are suggested as sufficient protection.


Rijndael / AES

The ''Rijndael'' cipher developed by Belgian cryptographers,
Joan Daemen Joan Daemen (; born 1965) is a Belgian cryptographer who co-designed with Vincent Rijmen the Rijndael cipher, which was selected as the Advanced Encryption Standard (AES) in 2001. More recently, he co-designed the Keccak cryptographic hash, whi ...
and
Vincent Rijmen Vincent Rijmen (; born 16 October 1970) is a Belgian cryptographer and one of the two designers of the Rijndael, the Advanced Encryption Standard. Rijmen is also the co-designer of the WHIRLPOOL cryptographic hash function, and the block cipher ...
was one of the competing designs to replace DES. It won the 5-year public competition to become the AES, (Advanced Encryption Standard). Adopted by NIST in 2001, AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The block size has a maximum of 256 bits, but the keysize has no theoretical maximum. AES operates on a 4×4
column-major order In computing, row-major order and column-major order are methods for storing multidimensional arrays in linear storage such as random access memory. The difference between the orders lies in which elements of an array are contiguous in memory. In ...
matrix of bytes, termed the ''state'' (versions of Rijndael with a larger block size have additional columns in the state).


Blowfish

''
Blowfish Tetraodontidae is a family of primarily marine and estuarine fish of the order Tetraodontiformes. The family includes many familiar species variously called pufferfish, puffers, balloonfish, blowfish, blowies, bubblefish, globefish, swellfis ...
'' is a block cipher, designed in 1993 by
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Cente ...
and included in a large number of cipher suites and encryption products. Blowfish has a 64-bit block size and a variable
key length In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher). Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the fastest ...
from 1 bit up to 448 bits. It is a 16-round
Feistel cipher In cryptography, a Feistel cipher (also known as Luby–Rackoff block cipher) is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research whi ...
and uses large key-dependent
S-boxes In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shan ...
. Notable features of the design include the key-dependent
S-box In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Sha ...
es and a highly complex
key schedule In cryptography, the so-called product ciphers are a certain kind of cipher, where the (de-)ciphering of data is typically done as an iteration of ''rounds''. The setup for each round is generally the same, except for round-specific fixed valu ...
. It was designed as a general-purpose algorithm, intended as an alternative to the ageing DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by
patent A patent is a type of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a limited period of time in exchange for publishing an enabling disclosure of the invention."A p ...
s or were commercial/government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the
public domain The public domain (PD) consists of all the creative work A creative work is a manifestation of creative effort including fine artwork (sculpture, paintings, drawing, sketching, performance art), dance, writing (literature), filmmaking, ...
, and can be freely used by anyone." The same applies to
Twofish In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twof ...
, a successor algorithm from Schneier.


Generalizations


Tweakable block ciphers

M. Liskov, R. Rivest, and D. Wagner have described a generalized version of block ciphers called "tweakable" block ciphers. A tweakable block cipher accepts a second input called the ''tweak'' along with its usual plaintext or ciphertext input. The tweak, along with the key, selects the permutation computed by the cipher. If changing tweaks is sufficiently lightweight (compared with a usually fairly expensive key setup operation), then some interesting new operation modes become possible. The
disk encryption theory Disk encryption is a special case of data rest protection when the storage medium is a sector-addressable device (e.g., a hard disk). This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion ...
article describes some of these modes.


Format-preserving encryption

Block ciphers traditionally work over a binary
alphabet An alphabet is a standardized set of basic written graphemes (called letters) that represent the phonemes of certain spoken languages. Not all writing systems represent language in this way; in a syllabary, each character represents a syll ...
. That is, both the input and the output are binary strings, consisting of ''n'' zeroes and ones. In some situations, however, one may wish to have a block cipher that works over some other alphabet; for example, encrypting 16-digit credit card numbers in such a way that the ciphertext is also a 16-digit number might facilitate adding an encryption layer to legacy software. This is an example of ''format-preserving encryption''. More generally, format-preserving encryption requires a keyed permutation on some finite
language Language is a structured system of communication. The structure of a language is its grammar and the free components are its vocabulary. Languages are the primary means by which humans communicate, and may be conveyed through a variety of met ...
. This makes format-preserving encryption schemes a natural generalization of (tweakable) block ciphers. In contrast, traditional encryption schemes, such as CBC, are not permutations because the same plaintext can encrypt to multiple different ciphertexts, even when using a fixed key.


Relation to other cryptographic primitives

Block ciphers can be used to build other cryptographic primitives, such as those below. For these other primitives to be cryptographically secure, care has to be taken to build them the right way. *
Stream cipher stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
s can be built using block ciphers. OFB-mode and CTR mode are block modes that turn a block cipher into a stream cipher. *
Cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output re ...
s can be built using block ciphers. See
one-way compression function In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compre ...
for descriptions of several such methods. The methods resemble the block cipher modes of operation usually used for encryption. *
Cryptographically secure pseudorandom number generator A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely kno ...
s (CSPRNGs) can be built using block ciphers. * Secure pseudorandom permutations of arbitrarily sized finite sets can be constructed with block ciphers; see
Format-Preserving Encryption In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output (the ciphertext) is in the same format as the input (the plaintext). The meaning of "format" varies. Typically only finite sets of characters ar ...
. * A publicly known
unpredictable permutation In cryptography, a pseudorandom permutation (PRP) is a function that cannot be distinguished from a random permutation (that is, a permutation selected at random with uniform probability, from the family of all permutations on the function's domain ...
combined with key whitening is enough to construct a block cipher -- such as the single-key Even-Mansour cipher, perhaps the simplest possible provably secure block cipher. Orr Dunkelman, Nathan Keller, and
Adi Shamir Adi Shamir ( he, עדי שמיר; born July 6, 1952) is an Israeli cryptographer. He is a co-inventor of the Rivest–Shamir–Adleman (RSA) algorithm (along with Ron Rivest and Len Adleman), a co-inventor of the Feige–Fiat–Shamir identificat ...

"Minimalism in Cryptography: The Even–Mansour Scheme Revisited"
*
Message authentication code In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...
s (MACs) are often built from block ciphers.
CBC-MAC In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code (MAC) from a block cipher. The message is encrypted with some block cipher algorithm in cipher block cha ...
, OMAC and PMAC are such MACs. *
Authenticated encryption Authenticated Encryption (AE) and Authenticated Encryption with Associated Data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data. Programming interface A typical application programming in ...
is also built from block ciphers. It means to both encrypt and MAC at the same time. That is to both provide
confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...
and
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
. CCM, EAX, GCM and OCB are such authenticated encryption modes. Just as block ciphers can be used to build hash functions, like SHA-1 and SHA-2 are based on block ciphers which are also used independently as
SHACAL SHACAL-1 (originally simply SHACAL) is a 160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256. Both SHACAL-1 and SHACAL-2 were selected fo ...
, hash functions can be used to build block ciphers. Examples of such block ciphers are BEAR and LION.


See also

* Cipher security summary *
Topics in cryptography The following outline is provided as an overview of and topical guide to cryptography: Cryptography (or cryptology) – practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer scienc ...
*
XOR cipher In cryptography, the simple XOR cipher is a type of ''additive cipher'', an encryption algorithm that operates according to the principles: :A \oplus 0 = A, :A \oplus A = 0, :A \oplus B = B \oplus A, :(A \oplus B) \oplus C = A \oplus (B \oplus C), ...


References


Further reading

*


External links


A list of many symmetric algorithms, the majority of which are block ciphers.



What is a block cipher?
from RSA FAQ
Block Cipher based on Gold Sequences and Chaotic Logistic Tent System
{{DEFAULTSORT:Block Cipher * Cryptographic primitives Arab inventions Egyptian inventions