# Block cipher – Wikipedia

In cryptography, a **block cipher** is a deterministic algorithm operating on fixed-length groups of bits, called *blocks*. Block ciphers are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. A block cipher applies one fixed, key-dependent transformation to each block. Even a secure block cipher is suitable for the encryption of only a single block of data at a time, using a fixed key. A multitude of modes of operation have been designed to allow their repeated use in a secure way to achieve the security goals of confidentiality and authenticity. However, block ciphers may also feature as building blocks in other cryptographic protocols, such as universal hash functions and pseudorandom number generators.

## Definition

A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, D. [1] Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block. The decryption algorithm D is defined to be the inverse function of encryption, i.e., D = E^{-1}. More formally, [2] [3] a block cipher is specified by an encryption function

$$E_K(P) := E(K, P) : \{0,1\}^k \times \{0,1\}^n \rightarrow \{0,1\}^n,$$

which takes as input a key K, of bit length k (called the *key size*), and a bit string P, of length n (called the *block size*), and returns a string C of n bits. P is called the plaintext, and C is termed the ciphertext. For each K, the function $E_K(P)$ is required to be an invertible mapping on $\{0,1\}^n$. The inverse for E is defined as a function

$$E_K^{-1}(C) := D_K(C) = D(K, C) : \{0,1\}^k \times \{0,1\}^n \rightarrow \{0,1\}^n,$$

taking a key K and a ciphertext C to return a plaintext value P, such that

$$\forall K : D_K(E_K(P)) = P.$$

For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input, the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext. [4] For each key *K*, $E_K$ is a permutation (a bijective function) over the set of input blocks. Each key selects one permutation from the set of $(2^n)!$ possible permutations.

## History

The modern design of block ciphers is based on the concept of an iterated product cipher. In his seminal 1949 publication, *Communication Theory of Secrecy Systems*, Claude Shannon analyzed product ciphers and suggested them as a means of effectively improving security by combining simple operations such as substitutions and permutations. [6] Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. One widespread implementation of such ciphers, named a Feistel network after Horst Feistel, is notably implemented in the DES cipher. [7] Many other realizations of block ciphers, such as the AES, are classified as substitution–permutation networks.

The root of all cryptographic block formats used within the Payment Card Industry Data Security Standard (PCI DSS) and American National Standards Institute (ANSI) standards lies with the Atalla Key Block (AKB), which was a key innovation of the Atalla Box, the first hardware security module (HSM). It was developed in 1972 by Mohamed M. Atalla, founder of Atalla Corporation (now Utimaco Atalla), and released in 1973. The AKB was a key block, which is required to securely interchange symmetric keys or PINs with other actors in the banking industry. This secure interchange is performed using the AKB format. [9] The Atalla Box protected over 90% of all ATM networks in operation as of 1998, [10] and Atalla products still secure the majority of the world's ATM transactions as of 2014. [11]

The publication of the DES cipher by the United States National Bureau of Standards (subsequently the U.S. National Institute of Standards and Technology, NIST) in 1977 was fundamental in the public understanding of modern block cipher design. It also influenced the academic development of cryptanalytic attacks. Both differential and linear cryptanalysis arose out of studies on the DES design. As of 2016 there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute-force attacks.

## Design

### Iterated block ciphers

Most block cipher algorithms are classified as *iterated block ciphers*, which means that they transform fixed-size blocks of plaintext into identically sized blocks of ciphertext via the repeated application of an invertible transformation known as the *round function*, with each iteration referred to as a *round*. [12] Usually, the round function *R* takes different *round keys* $K_i$ as a second input, which are derived from the original key: [*citation needed*]

$$M_i = R_{K_i}(M_{i-1})$$

where $M_0$ is the plaintext and $M_r$ the ciphertext, with *r* being the number of rounds. Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used): [*citation needed*]

$$M_0 = M \oplus K_0$$

$$M_i = R_{K_i}(M_{i-1}) \;;\; i = 1 \dots r$$

$$C = M_r \oplus K_{r+1}$$

Given one of the standard iterated block cipher design schemes, it is fairly easy to construct a block cipher that is cryptographically secure, simply by using a large number of rounds. However, this will make the cipher inefficient. Thus, efficiency is the most important additional design criterion for professional ciphers. Further, a good block cipher is designed to avoid side-channel attacks, such as branch prediction and input-dependent memory accesses that might leak secret data via the cache state or the execution time. In addition, the cipher should be concise, for small hardware and software implementations. Finally, the cipher should be easily cryptanalyzable, such that it can be shown how many rounds the cipher needs to be reduced to so that the existing cryptanalytic attacks would work, and, conversely, that it can be shown that the number of actual rounds is large enough to protect against them. [*citation needed*]

### Substitution–permutation networks

Figure: A sketch of a substitution–permutation network with 3 rounds, encrypting a plaintext block of 16 bits into a ciphertext block of 16 bits. The S-boxes are the $S_i$, the P-boxes are the same *P*, and the round keys are the $K_i$.

One important type of iterated block cipher known as a *substitution–permutation network (SPN)* takes a block of the plaintext and the key as inputs, and applies several alternating rounds consisting of a substitution stage followed by a permutation stage to produce each block of ciphertext output. [13] The non-linear substitution stage mixes the key bits with those of the plaintext, creating Shannon's *confusion*. The linear permutation stage then dissipates redundancies, creating *diffusion*. [14] [15]

A *substitution box (S-box)* substitutes a small block of input bits with another block of output bits. This substitution must be one-to-one, to ensure invertibility (hence decryption). A secure S-box will have the property that changing one input bit will change about half of the output bits on average, exhibiting what is known as the avalanche effect, i.e. it has the property that each output bit will depend on every input bit. [16]

A *permutation box (P-box)* is a permutation of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible. [*citation needed*]

At each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically XOR. [*citation needed*] Decryption is done by simply reversing the process (using the inverses of the S-boxes and P-boxes and applying the round keys in reverse order). [17]
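The following is an added example, not code from the Wikipedia article: a toy 16-bit, 3-round SPN in the shape of the sketch described above, with the key whitening of the previous section applied at the start of each round and after the last one. The 4-bit S-box is the first row of DES S-box 1 (used only as a convenient bijection), and the bit permutation `PBOX` and the key schedule `round_keys` are constructed for illustration; nothing here is a secure cipher. Decryption applies the inverse S-box, the inverse P-box and the round keys in reverse order, exactly as the text describes.

```python
# Toy 16-bit, 3-round substitution-permutation network (illustration only).

# 4-bit S-box applied to all four nibbles (first row of DES S-box 1; any bijection works)
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# Constructed bit permutation: input bit i goes to output bit PBOX[i], so the four
# output bits of every S-box are spread over four different S-boxes in the next round.
PBOX = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
INV_PBOX = [PBOX.index(i) for i in range(16)]

ROUNDS = 3
MASK = 0xFFFF


def substitute(block: int, table) -> int:
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit block."""
    out = 0
    for nib in range(4):
        out |= table[(block >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def permute(block: int, table) -> int:
    """Move input bit i to output position table[i]."""
    out = 0
    for i in range(16):
        if (block >> i) & 1:
            out |= 1 << table[i]
    return out


def round_keys(key: int):
    """Constructed (hypothetical) key schedule: ROUNDS+1 subkeys from a 32-bit key.
    A real cipher needs a much more careful schedule; this only yields distinct keys."""
    return [((key >> (8 * i)) ^ (key * 0x9E37 >> 5) ^ (i * 0x1357)) & MASK
            for i in range(ROUNDS + 1)]


def spn_encrypt(plain: int, key: int) -> int:
    ks = round_keys(key)
    state = plain & MASK
    for r in range(ROUNDS):
        state ^= ks[r]                     # key mixing (XOR)
        state = substitute(state, SBOX)    # confusion
        if r < ROUNDS - 1:                 # a P-box after the last S-box layer adds nothing
            state = permute(state, PBOX)   # diffusion
    return state ^ ks[ROUNDS]              # final key whitening


def spn_decrypt(cipher: int, key: int) -> int:
    """Reverse the process: inverse S-boxes, inverse P-box, round keys in reverse order."""
    ks = round_keys(key)
    state = cipher ^ ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            state = permute(state, INV_PBOX)
        state = substitute(state, INV_SBOX)
        state ^= ks[r]
    return state


def avalanche(plain: int, key: int, bit: int) -> int:
    """Number of ciphertext bits that flip when one plaintext bit is flipped."""
    c1 = spn_encrypt(plain, key)
    c2 = spn_encrypt(plain ^ (1 << bit), key)
    return bin(c1 ^ c2).count("1")
```

Because every round key is XORed and every S-box and P-box is a bijection, `spn_encrypt(·, key)` is a permutation of all 65536 blocks for each key; `avalanche` lets you check how far a 3-round toy is from the "about half the output bits" a real S-box layer should give.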

### Feistel ciphers

Many block ciphers, such as DES and Blowfish, utilize structures known as *Feistel ciphers*. In a *Feistel cipher*, the block of plaintext to be encrypted is split into two equal-sized halves. The round function is applied to one half, using a subkey, and then the output is XORed with the other half. The two halves are then swapped.

Let $\mathrm{F}$ be the round function and let $K_0, K_1, \ldots, K_n$ be the sub-keys for the rounds $0, 1, \ldots, n$ respectively. Then the basic operation is as follows: Split the plaintext block into two equal pieces, $(L_0, R_0)$. For each round $i = 0, 1, \dots, n$, compute

$$L_{i+1} = R_i$$

$$R_{i+1} = L_i \oplus \mathrm{F}(R_i, K_i)$$

Then the ciphertext is $(R_{n+1}, L_{n+1})$. Decryption of a ciphertext $(R_{n+1}, L_{n+1})$ is accomplished by computing for $i = n, n-1, \ldots, 0$

$$R_i = L_{i+1}$$

$$L_i = R_{i+1} \oplus \mathrm{F}(L_{i+1}, K_i)$$

Then $(L_0, R_0)$ is the plaintext again. One advantage of the Feistel model compared to a substitution–permutation network is that the round function $\mathrm{F}$ does not have to be invertible.
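An added example (not the article's code) of the equations above: a 32-bit Feistel cipher with 16-bit halves whose round function `F` is deliberately not injective, to show that decryption still recovers the plaintext. `F` and the key schedule `subkeys` are constructed for illustration only; this is not a secure cipher.

```python
# Toy 32-bit Feistel cipher following the encryption/decryption equations above.

HALF_MASK = 0xFFFF
N_ROUNDS = 8  # rounds 0..n with n = N_ROUNDS - 1 in the article's notation


def F(right: int, subkey: int) -> int:
    """Constructed round function. Squaring mod 2^16 is not invertible,
    which a Feistel network tolerates by design."""
    t = (right ^ subkey) & HALF_MASK
    t = (t * t + 0x5A5A) & HALF_MASK
    return ((t << 3) | (t >> 13)) & HALF_MASK   # 16-bit rotate left by 3


def subkeys(key: int):
    """Constructed (hypothetical) schedule: K_0..K_n from a 64-bit key."""
    return [((key >> (i * 7)) ^ (key >> (i * 3 + 5)) ^ (0xA5A5 * (i + 1))) & HALF_MASK
            for i in range(N_ROUNDS)]


def feistel_encrypt(block: int, key: int) -> int:
    ks = subkeys(key)
    L, R = (block >> 16) & HALF_MASK, block & HALF_MASK   # (L_0, R_0)
    for Ki in ks:                                         # i = 0 .. n
        L, R = R, L ^ F(R, Ki)                            # L_{i+1} = R_i ; R_{i+1} = L_i xor F(R_i, K_i)
    return (R << 16) | L                                  # ciphertext is (R_{n+1}, L_{n+1})


def feistel_decrypt(block: int, key: int) -> int:
    ks = subkeys(key)
    R, L = (block >> 16) & HALF_MASK, block & HALF_MASK   # ciphertext (R_{n+1}, L_{n+1})
    for Ki in reversed(ks):                               # i = n, n-1, ..., 0
        R, L = L, R ^ F(L, Ki)                            # R_i = L_{i+1} ; L_i = R_{i+1} xor F(L_{i+1}, K_i)
    return (L << 16) | R                                  # (L_0, R_0)


def f_is_not_injective(subkey: int = 0x1234) -> bool:
    """True if two different inputs to F collide, i.e. F has no inverse."""
    seen = set()
    for x in range(HALF_MASK + 1):
        y = F(x, subkey)
        if y in seen:
            return True
        seen.add(y)
    return False
```

Note that encryption and decryption are the same loop with the subkey order reversed and the halves relabelled; the only thing decryption ever needs from `F` is the ability to recompute it, never to invert it.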

### Lai–Massey ciphers

Figure: The Lai–Massey scheme. The archetypal cipher utilizing it is IDEA.

The Lai–Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage that the round function $\mathrm{F}$ does not have to be invertible. Another similarity is that it also splits the input block into two equal pieces. However, the round function is applied to the difference between the two, and the result is then added to both half blocks.

Let $\mathrm{F}$ be the round function and $\mathrm{H}$ a half-round function and let $K_0, K_1, \ldots, K_n$ be the sub-keys for the rounds $0, 1, \ldots, n$ respectively. Then the basic operation is as follows: Split the plaintext block into two equal pieces, $(L_0, R_0)$. For each round $i = 0, 1, \dots, n$, compute

$$(L'_{i+1}, R'_{i+1}) = \mathrm{H}(L'_i + T_i,\; R'_i + T_i),$$

where $T_i = \mathrm{F}(L'_i - R'_i, K_i)$ and $(L'_0, R'_0) = \mathrm{H}(L_0, R_0)$. Then the ciphertext is $(L_{n+1}, R_{n+1}) = (L'_{n+1}, R'_{n+1})$.

Decryption of a ciphertext $(L_{n+1}, R_{n+1})$ is accomplished by computing for $i = n, n-1, \ldots, 0$

$$(L'_i, R'_i) = \mathrm{H}^{-1}(L'_{i+1} - T_i,\; R'_{i+1} - T_i)$$

where $T_i = \mathrm{F}(L'_{i+1} - R'_{i+1}, K_i)$ and $(L'_{n+1}, R'_{n+1}) = \mathrm{H}^{-1}(L_{n+1}, R_{n+1})$. Then $(L_0, R_0) = (L'_0, R'_0)$ is the plaintext again.
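An added example (not from the article) that carries the Lai–Massey equations above through in code: a 32-bit block with 16-bit halves, addition and subtraction modulo $2^{16}$. The half-round function `H`, the round function `F` and the key schedule `subkeys` are constructed for illustration; `H` is only required to be invertible and to mix the halves, and `F` is deliberately not invertible. This is not a secure cipher.

```python
# Toy 32-bit Lai–Massey cipher following the equations above (illustration only).

W = 0xFFFF  # 16-bit half-block mask; additions and subtractions are mod 2^16


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & W


def H(l: int, r: int):
    """Constructed half-round function: must be invertible, mixes the halves."""
    return rotl16(l, 3) ^ r, r


def H_inv(l: int, r: int):
    return rotl16(l ^ r, 13), r        # rotl by 13 undoes rotl by 3 on 16 bits


def F(x: int, k: int) -> int:
    """Constructed round function on the half-difference; need not be invertible."""
    t = (x + k) & W
    t = (t * t + 0x3C3C) & W
    return rotl16(t, 7)


def subkeys(key: int, rounds: int):
    """Constructed (hypothetical) key schedule: K_0..K_n from a 64-bit key."""
    return [((key >> (5 * i)) ^ (key >> (11 * i + 3)) ^ (0x7777 * (i + 1))) & W
            for i in range(rounds + 1)]


def lm_encrypt(block: int, key: int, rounds: int = 7) -> int:
    ks = subkeys(key, rounds)
    L, R = H((block >> 16) & W, block & W)       # (L'_0, R'_0) = H(L_0, R_0)
    for Ki in ks:                                # i = 0 .. n
        T = F((L - R) & W, Ki)                   # T_i = F(L'_i - R'_i, K_i)
        L, R = H((L + T) & W, (R + T) & W)       # (L'_{i+1}, R'_{i+1}) = H(L'_i + T_i, R'_i + T_i)
    return (L << 16) | R                         # ciphertext (L_{n+1}, R_{n+1})


def lm_decrypt(block: int, key: int, rounds: int = 7) -> int:
    ks = subkeys(key, rounds)
    L, R = H_inv((block >> 16) & W, block & W)   # (L'_{n+1}, R'_{n+1}) = H^-1(L_{n+1}, R_{n+1})
    for Ki in reversed(ks):                      # i = n, n-1, ..., 0
        T = F((L - R) & W, Ki)                   # T_i = F(L'_{i+1} - R'_{i+1}, K_i)
        L, R = H_inv((L - T) & W, (R - T) & W)   # (L'_i, R'_i) = H^-1(L'_{i+1} - T_i, R'_{i+1} - T_i)
    return (L << 16) | R                         # (L_0, R_0) = (L'_0, R'_0)
```

In decryption the primed values are the encryption-side values pulled back through $\mathrm{H}^{-1}$, which is why the half-difference computed there equals the $L'_i - R'_i$ that encryption fed to $\mathrm{F}$, and why the same `T` is reproduced without inverting `F`.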

### Operations

#### ARX (add–rotate–XOR)

Many modern block ciphers and hashes are **ARX** algorithms: their round function involves only three operations: (A) modular addition, (R) rotation with fixed rotation amounts, and (X) XOR. Examples include ChaCha20, Speck, XXTEA, and BLAKE. Many authors draw an ARX network, a kind of data flow diagram, to illustrate such a round function. [20] These ARX operations are popular because they are relatively fast and cheap in hardware and software, their implementation can be made extremely simple, and also because they run in constant time, and therefore are immune to timing attacks. The rotational cryptanalysis technique attempts to attack such round functions.
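As an added example (not from the article): the ChaCha20 quarter-round, a round function built from nothing but 32-bit modular addition, fixed rotations and XOR, together with its inverse, which shows that each ARX step is reversible without any table lookup or data-dependent branch. The input/output pair used as a check is the quarter-round test vector published in RFC 8439, section 2.1.1.

```python
# ChaCha20 quarter-round and its inverse: a pure ARX round function.

M32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def rotr32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & M32


def quarter_round(a: int, b: int, c: int, d: int):
    """Add, rotate, xor only. Every step takes the same time regardless of
    the data values, which is the constant-time property the text mentions."""
    a = (a + b) & M32
    d = rotl32(d ^ a, 16)
    c = (c + d) & M32
    b = rotl32(b ^ c, 12)
    a = (a + b) & M32
    d = rotl32(d ^ a, 8)
    c = (c + d) & M32
    b = rotl32(b ^ c, 7)
    return a, b, c, d


def inverse_quarter_round(a: int, b: int, c: int, d: int):
    """Undo the steps in reverse order: rotate back, xor, subtract."""
    b = rotr32(b, 7) ^ c
    c = (c - d) & M32
    d = rotr32(d, 8) ^ a
    a = (a - b) & M32
    b = rotr32(b, 12) ^ c
    c = (c - d) & M32
    d = rotr32(d, 16) ^ a
    a = (a - b) & M32
    return a, b, c, d


# Quarter-round test vector from RFC 8439, section 2.1.1.
RFC_IN = (0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567)
RFC_OUT = (0xea2a92f4, 0xcb1cf8ce, 0x4581472e, 0x5881c4bb)


def matches_rfc_vector() -> bool:
    return quarter_round(*RFC_IN) == RFC_OUT
```

Because addition is invertible by subtraction and a fixed rotation by the opposite rotation, the whole round is a permutation of the four words; a cipher built from such rounds (as opposed to a hash) can be decrypted by running the inverse rounds in reverse order.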

#### Other operations

Other operations often used in block ciphers include data-dependent rotations as in RC5 and RC6, a substitution box implemented as a lookup table as in Data Encryption Standard and Advanced Encryption Standard, a permutation box, and multiplication as in IDEA.

## Modes of operation

Figure: Insecure encryption of an image as a result of electronic codebook (ECB) mode encryption.

A block cipher by itself allows encryption only of a single data block of the cipher's block length. For a variable-length message, the data must first be partitioned into separate cipher blocks. In the simplest case, known as electronic codebook (ECB) mode, a message is first split into separate blocks of the cipher's block size (possibly extending the last block with padding bits), and then each block is encrypted and decrypted independently. However, such a naive method is generally insecure because equal plaintext blocks will always generate equal ciphertext blocks (for the same key), so patterns in the plaintext message become evident in the ciphertext output.

To overcome this limitation, several so-called block cipher modes of operation have been designed [22] and specified in national recommendations such as NIST 800-38A [24] and BSI TR-02102 [25] and international standards such as ISO/IEC 10116. [26] The general concept is to use randomization of the plaintext data based on an additional input value, frequently called an initialization vector, to create what is termed probabilistic encryption. In the popular cipher block chaining (CBC) mode, for encryption to be secure the initialization vector passed along with the plaintext message must be a random or pseudo-random value, which is added in an exclusive-or manner to the first plaintext block before it is encrypted. The resultant ciphertext block is then used as the new initialization vector for the next plaintext block. In the cipher feedback (CFB) mode, which emulates a self-synchronizing stream cipher, the initialization vector is first encrypted and then added to the plaintext block. The output feedback (OFB) mode repeatedly encrypts the initialization vector to create a key stream for the emulation of a synchronous stream cipher. The newer counter (CTR) mode similarly creates a key stream, but has the advantage of only needing unique and not (pseudo-)random values as initialization vectors; the needed randomness is derived internally by using the initialization vector as a block counter and encrypting this counter for each block. [24]

From a security-theoretic point of view, modes of operation must provide what is known as semantic security. Informally, it means that given some ciphertext under an unknown key one cannot practically derive any information from the ciphertext (other than the length of the message) over what one would have known without seeing the ciphertext. It has been shown that all of the modes discussed above, with the exception of the ECB mode, provide this property under so-called chosen plaintext attacks.
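The following added example (not from the article) implements ECB, CBC and CTR over a constructed toy block cipher with an 8-bit block: a key-seeded random permutation of the 256 byte values, which is a genuine bijective block cipher but far too small for any real use. It exists only so that the mode logic, ECB's pattern leakage and CBC's dependence on the IV can be seen on concrete bytes; the key, message and IVs are constructed sample values.

```python
# ECB / CBC / CTR over a constructed 1-byte-block toy cipher (illustration only).
import random


def toy_cipher(key: bytes):
    """Return (encrypt_block, decrypt_block) for a 1-byte block.
    The key seeds a shuffle, i.e. selects one of the 256! permutations."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inv = [0] * 256
    for x, y in enumerate(table):
        inv[y] = x
    return (lambda blk: table[blk]), (lambda blk: inv[blk])


def ecb_encrypt(enc, msg: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return bytes(enc(b) for b in msg)


def cbc_encrypt(enc, iv: int, msg: bytes) -> bytes:
    out, prev = [], iv
    for b in msg:
        prev = enc(b ^ prev)             # xor with previous ciphertext block (IV for the first)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(dec, iv: int, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in ct:
        out.append(dec(c) ^ prev)
        prev = c
    return bytes(out)


def ctr_crypt(enc, nonce: int, data: bytes) -> bytes:
    """CTR: encrypt a counter to get a keystream; the same call encrypts and decrypts.
    With a 1-byte block the counter wraps after 256 blocks, which would reuse
    keystream, so the toy refuses longer inputs."""
    if len(data) > 256:
        raise ValueError("counter would wrap: keystream reuse")
    return bytes(b ^ enc((nonce + i) & 0xFF) for i, b in enumerate(data))


def repeat_pattern(data: bytes):
    """The structure ECB leaks: which positions hold equal values."""
    return frozenset(tuple(i for i, b in enumerate(data) if b == v) for v in set(data))


# Constructed sample input with a visibly repeating structure.
KEY = b"constructed-example-key"
MSG = b"ABABABABCCCC"
ENC, DEC = toy_cipher(KEY)


def ecb_leaks() -> bool:
    """ECB preserves the plaintext's repetition structure exactly."""
    return repeat_pattern(ecb_encrypt(ENC, MSG)) == repeat_pattern(MSG)


def cbc_depends_on_iv(iv1: int, iv2: int) -> bool:
    """Different IVs give different first ciphertext blocks for the same message,
    because E_K is a permutation: distinct inputs cannot collide."""
    return iv1 != iv2 and cbc_encrypt(ENC, iv1, MSG)[0] != cbc_encrypt(ENC, iv2, MSG)[0]
```

The same three mode functions work unchanged with a real cipher once `enc`/`dec` operate on 16-byte blocks and the XORs are applied bytewise; what the toy makes visible is that ECB is a fixed codebook (so `repeat_pattern` survives encryption), that CBC's randomness comes entirely from the IV, and that CTR's security rests on never repeating a counter block under one key.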

## Padding

Some modes such as the CBC mode only operate on complete plaintext blocks. Simply extending the last block of a message with zero-bits is insufficient since it does not allow a receiver to easily distinguish messages that differ only in the number of padding bits. More importantly, such a simple solution gives rise to very efficient padding oracle attacks. [29] A suitable padding scheme is therefore needed to extend the last plaintext block to the cipher's block size. While many popular schemes described in standards and in the literature have been shown to be vulnerable to padding oracle attacks, [29] [30] a solution which adds a one-bit and then extends the last block with zero-bits, standardized as "padding method 2" in ISO/IEC 9797-1, [31] has been proven secure against these attacks. [30]
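An added example (not from the article) of ISO/IEC 9797-1 padding method 2 at byte granularity (a single `0x80` byte, i.e. a one-bit followed by seven zero-bits, then zero bytes up to the block boundary), beside the plain zero-padding the text calls insufficient. The block size is a parameter; the messages in the checks are constructed.

```python
# ISO/IEC 9797-1 padding method 2 (byte granularity) versus naive zero padding.


def zero_pad(msg: bytes, block: int) -> bytes:
    """Naive zero padding: the receiver cannot tell padding zeros from data zeros."""
    return msg + b"\x00" * (-len(msg) % block)


def pad_m2(msg: bytes, block: int) -> bytes:
    """Always append the 0x80 marker, even when msg is already block-aligned,
    so that unpadding is unambiguous for every input length."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % block)


def unpad_m2(padded: bytes, block: int) -> bytes:
    """Strip trailing zeros, then require the 0x80 marker; reject anything else."""
    if len(padded) == 0 or len(padded) % block != 0:
        raise ValueError("padded data is not a whole number of blocks")
    stripped = padded.rstrip(b"\x00")
    if not stripped or stripped[-1] != 0x80:
        raise ValueError("missing padding marker")
    return stripped[:-1]


def zero_padding_is_ambiguous(block: int = 8) -> bool:
    """Two different messages become the same padded block under zero padding."""
    return zero_pad(b"A", block) == zero_pad(b"A\x00", block)


def m2_roundtrip_all_lengths(block: int = 8, max_len: int = 24) -> bool:
    """Method 2 is length-preserving-in-information: every length, including
    messages that end in 0x00 or 0x80, unpads to exactly the original."""
    for n in range(max_len + 1):
        for tail in (b"", b"\x00", b"\x80"):
            msg = bytes(range(1, n + 1)) + tail
            padded = pad_m2(msg, block)
            if len(padded) % block or len(padded) <= len(msg) or unpad_m2(padded, block) != msg:
                return False
    return True


def rejects_all_zero_block(block: int = 8) -> bool:
    """A block with no marker is malformed and must be rejected, not silently accepted."""
    try:
        unpad_m2(b"\x00" * block, block)
    except ValueError:
        return True
    return False
```

`unpad_m2` raises the same exception type for every malformed input; when this sits behind CBC decryption, the caller should likewise report one uniform failure for any decryption problem rather than distinguishing padding errors from other errors.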

## Cryptanalysis

### Brute-force attacks

This property results in the cipher's security degrading quadratically, and needs to be taken into account when selecting a block size. There is a trade-off though, as large block sizes can result in the algorithm becoming inefficient to operate. [32] Earlier block ciphers such as the DES have typically selected a 64-bit block size, while newer designs such as the AES support block sizes of 128 bits or more, with some ciphers supporting a range of different block sizes. [33]

### Differential cryptanalysis

### Linear cryptanalysis

*Linear cryptanalysis* is a form of cryptanalysis based on finding affine approximations to the action of a cipher. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis. [34] The discovery is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992). [35]

### Integral cryptanalysis

*Integral cryptanalysis* is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution–permutation networks. Unlike differential cryptanalysis, which uses pairs of chosen plaintexts with a fixed XOR difference, integral cryptanalysis uses sets or even multisets of chosen plaintexts of which part is held constant and another part varies through all possibilities. For example, an attack might use 256 chosen plaintexts that have all but 8 of their bits the same, but all differ in those 8 bits. Such a set necessarily has an XOR sum of 0, and the XOR sums of the corresponding sets of ciphertexts provide information about the cipher's operation. This contrast between the differences of pairs of texts and the sums of larger sets of texts inspired the name "integral cryptanalysis", borrowing the terminology of calculus. [*citation needed*]
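An added example (not from the article) of the set property this section describes, on a constructed one-round toy SPN with a 16-bit block, two 8-bit S-boxes and a bit permutation. A set of 256 plaintexts that agree in the high byte and take every value in the low byte has XOR-sum 0; key XOR (applied an even number of times), a bijective S-box (which maps the "all values" byte to all values again) and a bit permutation (linear over GF(2)) each keep the XOR-sum at 0, so after one round the ciphertext set is still balanced. The S-box, permutation and round key are constructed for illustration; this shows why a designer counts such properties against the number of rounds, not a property of any real cipher.

```python
# Balanced-set ("integral") property through one round of a constructed toy SPN.

# Constructed bijective 8-bit S-box: multiply by an odd constant, add a constant
# (mod 256), then complement. Any bijection would do for the property shown.
SBOX8 = [((x * 0x4D + 0x63) & 0xFF) ^ 0xFF for x in range(256)]

# Constructed bit permutation on 16 bits: input bit i goes to output bit PERM16[i]
# (5 is coprime to 16, so this is a permutation of the bit positions).
PERM16 = [(i * 5) % 16 for i in range(16)]


def one_round(block: int, rk: int) -> int:
    x = block ^ rk                                   # key addition
    x = SBOX8[x & 0xFF] | (SBOX8[x >> 8] << 8)       # substitution, one S-box per byte
    y = 0
    for i in range(16):                              # bit permutation (linear)
        if (x >> i) & 1:
            y |= 1 << PERM16[i]
    return y


def integral_set(constant_high: int):
    """256 plaintexts: high byte fixed, low byte runs through all values."""
    return [(constant_high << 8) | x for x in range(256)]


def xor_sum(values) -> int:
    acc = 0
    for v in values:
        acc ^= v
    return acc


def low_byte_takes_all_values(values) -> bool:
    return len({v & 0xFF for v in values}) == 256


def balanced_after_rounds(rounds: int, rk: int = 0x5A7E, constant_high: int = 0x3C) -> bool:
    """Run the integral set through `rounds` rounds and test XOR-sum == 0.
    For rounds <= 1 this is guaranteed by the argument in the lead-in; for more
    rounds the multiset is merely balanced, not all-values, at the S-box input,
    so the guarantee is lost and the result depends on the toy's details."""
    texts = integral_set(constant_high)
    for _ in range(rounds):
        texts = [one_round(t, rk) for t in texts]
    return xor_sum(texts) == 0
```

The guaranteed step is the first round only: after the S-box layer the low byte is still a permutation of 0..255, the permutation layer spreads those bits across both output bytes, and XOR-sums are preserved by every operation in the round. Whether the property survives further rounds is what an integral distinguisher measures, and what a cipher designer's round count has to exceed.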

### Other techniques

Figure: The development of the boomerang attack enabled differential cryptanalysis techniques to be applied to many ciphers that had previously been deemed secure against differential attacks.

In addition to linear and differential cryptanalysis, there is a growing catalogue of attacks: truncated differential cryptanalysis, partial differential cryptanalysis, integral cryptanalysis, which encompasses square and integral attacks, slide attacks, boomerang attacks, the XSL attack, impossible differential cryptanalysis and algebraic attacks. For a modern block cipher design to have any credibility, it must demonstrate evidence of security against known attacks. [*citation needed*]

## Provable security

When a block cipher is used in a given mode of operation, the resulting algorithm should ideally be about as secure as the block cipher itself. ECB (discussed above) emphatically lacks this property: regardless of how secure the underlying block cipher is, ECB mode can easily be attacked. On the other hand, CBC mode can be proven to be secure under the assumption that the underlying block cipher is likewise secure. Note, however, that making statements like this requires formal mathematical definitions for what it means for an encryption algorithm or a block cipher to "be secure". This section describes two common notions for what properties a block cipher should have. Each corresponds to a mathematical model that can be used to prove properties of higher-level algorithms, such as CBC. This general approach to cryptography (proving that higher-level algorithms such as CBC are secure under explicitly stated assumptions regarding their components, such as a block cipher) is known as *provable security*.

### Standard model

Informally, a block cipher is secure in the standard model if an attacker cannot tell the difference between the block cipher (equipped with a random key) and a random permutation. To be a bit more precise, let *E* be an *n*-bit block cipher. We imagine the following game:

1. The person running the game flips a coin.
   - If the coin lands on heads, he chooses a random key *K* and defines the function *f* = *E_K*.
   - If the coin lands on tails, he chooses a random permutation π on the set of *n*-bit strings, and defines the function *f* = π.
2. The attacker chooses an *n*-bit string *X*, and the person running the game tells him the value of *f*(*X*).
3. Step 2 is repeated a total of *q* times. (Each of these *q* interactions is a *query*.)
4. The attacker guesses how the coin landed. He wins if his guess is correct.

The attacker, which we can model as an algorithm, is called an *adversary*. The function *f* (which the adversary was able to query) is called an *oracle*. Note that an adversary can trivially ensure a 50% probability of winning simply by guessing at random (or even by, for example, always guessing "heads"). Therefore, let *P_E*(*A*) denote the probability that the adversary *A* wins this game against *E*, and define the *advantage* of *A* as 2(*P_E*(*A*) − 1/2). It follows that if *A* guesses randomly, its advantage will be 0; on the other hand, if *A* always wins, then its advantage is 1. The block cipher *E* is a *pseudo-random permutation* (PRP) if no adversary has an advantage significantly greater than 0, given specified restrictions on *q* and the adversary's running time. If in Step 2 above adversaries have the choice of learning *f*^−1(*X*) instead of *f*(*X*) (but still have only small advantages) then *E* is a *strong* PRP (SPRP). An adversary is *non-adaptive* if it chooses all *q* values for *X* before the game begins (that is, it does not use any information gleaned from previous queries to choose each *X* as it goes). These definitions have proven useful for analyzing various modes of operation. For example, one can define a similar game for measuring the security of a block cipher-based encryption algorithm, and then try to show (through a reduction argument) that the probability of an adversary winning this new game is not much more than *P_E*(*A*) for some *A*. (The reduction typically provides limits on *q* and the running time of *A*.) Equivalently, if *P_E*(*A*) is small for all relevant *A*, then no attacker has a significant probability of winning the new game. This formalizes the idea that the higher-level algorithm inherits the block cipher's security.
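An added example (not from the article) that simulates the PRP game above and estimates the advantage $2(P_E(A) - 1/2)$ by repeated play. The challenger flips a coin and exposes either $E_K$ under a random key or a random permutation as the oracle; the random permutation is sampled lazily (only queried points receive values, chosen without repetition), which is how such oracles are realized in proofs. The cipher under test is a constructed toy, $E_K(x) = x \oplus K$ on 16-bit strings: a permutation for every key, yet not a PRP, as a two-query adversary shows. The seed, query points and trial count are arbitrary constructed values.

```python
# Simulation of the standard-model PRP distinguishing game.
import random

N_BITS = 16


def xor_cipher(key: int, x: int) -> int:
    """Constructed toy cipher E_K(x) = x xor K: a permutation for each key, but
    f(x) xor f(y) == x xor y for every x, y, which a random permutation almost never satisfies."""
    return x ^ key


class Challenger:
    """One instance of the game for cipher E, driven by the given RNG."""

    def __init__(self, E, rng: random.Random):
        self.rng = rng
        self.heads = rng.random() < 0.5            # heads: f = E_K ; tails: f = random permutation
        self.key = rng.getrandbits(N_BITS)
        self.E = E
        self.table = {}                            # lazily sampled permutation (tails case)
        self.used = set()

    def query(self, x: int) -> int:
        if self.heads:
            return self.E(self.key, x)
        if x not in self.table:                    # fresh output, never reused: keeps pi injective
            y = self.rng.getrandbits(N_BITS)
            while y in self.used:
                y = self.rng.getrandbits(N_BITS)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def linear_adversary(query, rng: random.Random) -> bool:
    """q = 2 queries; guesses 'heads' iff the xor relation holds."""
    x, y = 0x1234, 0xABCD
    return (query(x) ^ query(y)) == (x ^ y)


def random_adversary(query, rng: random.Random) -> bool:
    """Ignores the oracle and guesses at random: advantage about 0."""
    return rng.random() < 0.5


def advantage(E, adversary, trials: int = 2000, seed: int = 7) -> float:
    """Estimate Adv(A) = 2 * (Pr[A wins] - 1/2) over `trials` independent games."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        game = Challenger(E, rng)
        guess_heads = adversary(game.query, rng)
        wins += int(guess_heads == game.heads)
    return 2 * (wins / trials - 0.5)
```

With the XOR cipher the linear adversary wins every heads game and loses a tails game only when the random permutation happens to satisfy the relation (probability about $2^{-16}$), so its estimated advantage is close to 1; the random adversary's estimate hovers near 0. Replacing `xor_cipher` with a candidate cipher and writing adversaries that use structural properties of it is exactly how one gathers evidence, short of a proof, that the candidate is or is not a PRP.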

### Ideal cipher model

## Practical evaluation

Block ciphers may be evaluated according to multiple criteria in practice. Common factors include: [37]

- Key parameters, such as its key size and block size, both of which provide an upper bound on the security of the cipher.
- The *estimated security level*, which is based on the confidence gained in the block cipher design after it has largely withstood major efforts in cryptanalysis over time, the design's mathematical soundness, and the existence of practical or certificational [38] attacks.
- The cipher's *complexity* and its suitability for implementation in hardware or software. Hardware implementations may measure the complexity in terms of gate count or energy consumption, which are important parameters for resource-constrained devices.
- The cipher's *performance* in terms of processing throughput on various platforms, including its memory requirements.
- The *cost* of the cipher, which refers to licensing requirements that may apply due to intellectual property rights.
- The *flexibility* of the cipher, which includes its ability to support multiple key sizes and block lengths.

## Notable block ciphers

### Lucifer / DES

Lucifer is generally considered to be the first civilian block cipher, developed at IBM in the 1970s based on work done by Horst Feistel. A revised version of the algorithm was adopted as a U.S. government Federal Information Processing Standard: FIPS PUB 46 Data Encryption Standard (DES). [39] It was chosen by the U.S. National Bureau of Standards (NBS) after a public invitation for submissions and some internal changes by NBS (and, potentially, the NSA). DES was publicly released in 1976 and has been widely used. [*citation needed*]

DES was designed to, among other things, resist a certain cryptanalytic attack known to the NSA and rediscovered by IBM, though unknown publicly until rediscovered again and published by Eli Biham and Adi Shamir in the late 1980s. The technique is called differential cryptanalysis and remains one of the few general attacks against block ciphers; linear cryptanalysis is another, but may have been unknown even to the NSA, prior to its publication by Mitsuru Matsui. DES prompted a large amount of other work and publications in cryptography and cryptanalysis in the open community and it inspired many new cipher designs. [*citation needed*]

DES has a block size of 64 bits and a key size of 56 bits. 64-bit blocks became common in block cipher designs after DES. Key length depended on several factors, including government regulation. Many observers [*who?*] in the 1970s commented that the 56-bit key length used for DES was too short. As time went on, its inadequacy became apparent, especially after a special-purpose machine designed to break DES was demonstrated in 1998 by the Electronic Frontier Foundation. An extension to DES, Triple DES, triple-encrypts each block with either two independent keys (112-bit key and 80-bit security) or three independent keys (168-bit key and 112-bit security). It was widely adopted as a replacement. As of 2011, the three-key version is still considered secure, though the National Institute of Standards and Technology (NIST) standards no longer permit the use of the two-key version in new applications, due to its 80-bit security level. [40]

### IDEA

The *International Data Encryption Algorithm* (*IDEA*) is a block cipher designed by James Massey of ETH Zurich and Xuejia Lai; it was first described in 1991, as an intended replacement for DES. IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a *round*) and an output transformation (the *half-round*). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups (modular addition and multiplication, and bitwise *exclusive or (XOR)*) which are algebraically "incompatible" in some sense. The designers analysed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear or algebraic weaknesses have been reported. As of 2012, the best attack which applies to all keys can break full 8.5-round IDEA using a narrow-bicliques attack about four times faster than brute force.

### RC5

Figure: One round (two half-rounds) of the RC5 block cipher.

RC5 is a block cipher designed by Ronald Rivest in 1994 which, unlike many other ciphers, has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters was a block size of 64 bits, a 128-bit key and 12 rounds. A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of modular additions and XORs. The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts. 12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using $2^{44}$ chosen plaintexts. [41] 18–20 rounds are suggested as sufficient security.

### Rijndael / AES

The *Rijndael* cipher developed by Belgian cryptographers Joan Daemen and Vincent Rijmen was one of the competing designs to replace DES. It won the 5-year public competition to become the AES (Advanced Encryption Standard). Adopted by NIST in 2001, AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The block size has a maximum of 256 bits, but the key size has no theoretical maximum. AES operates on a 4×4 column-major order matrix of bytes, termed the *state* (versions of Rijndael with a larger block size have additional columns in the state).

### Blowfish

*Blowfish* is a block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish has a 64-bit block size and a variable key length from 1 bit up to 448 bits. [42] It is a 16-round Feistel cipher and uses large key-dependent S-boxes. Notable features of the design include the key-dependent S-boxes and a highly complex key schedule. It was designed as a general-purpose algorithm, intended as an alternative to the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents or were commercial/government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone." The same applies to Twofish, a successor algorithm from Schneier.

## Generalizations

### Tweakable block ciphers

M. Liskov, R. Rivest, and D. Wagner have described a generalized version of block ciphers called "tweakable" block ciphers. [43] A tweakable block cipher accepts a second input called the *tweak* along with its usual plaintext or ciphertext input. The tweak, along with the key, selects the permutation computed by the cipher. If changing tweaks is sufficiently lightweight (compared with a usually fairly expensive key setup operation), then some interesting new operation modes become possible. The disk encryption theory article describes some of these modes.

### Format-preserving encryption

Block ciphers traditionally work over a binary alphabet. That is, both the input and the output are binary strings, consisting of *n* zeroes and ones. In some situations, however, one may wish to have a block cipher that works over some other alphabet; for example, encrypting 16-digit credit card numbers in such a way that the ciphertext is also a 16-digit number might facilitate adding an encryption layer to legacy software. This is an example of *format-preserving encryption*. More generally, format-preserving encryption requires a keyed permutation on some finite language. This makes format-preserving encryption schemes a natural generalization of (tweakable) block ciphers. In contrast, traditional encryption schemes, such as CBC, are not permutations because the same plaintext can encrypt to multiple different ciphertexts, even when using a fixed key.

## Relation to other cryptographic primitives

Block ciphers can be used to build other cryptographic primitives, such as those below. For these other primitives to be cryptographically secure, care has to be taken to build them the right way.

Just as block ciphers can be used to build hash functions (hash functions like SHA-1 and SHA-2 are based on block ciphers which are also used independently, as SHACAL), hash functions can be used to build block ciphers. Examples of such block ciphers are BEAR and LION.