Block cipher: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
mNo edit summary
 
(289 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{subpages}}
{{PropDel}}<br><br>{{subpages}}
{{main|Cryptography}}
{{TOC|right}}
{{TOC|right}}
In [[cryptography]], '''block ciphers''' are one of the two main types of [[symmetric cipher]]; they operate on fixed-size blocks of [[plaintext]], giving a block of [[ciphertext]] for each. The other main type are [[stream cipher]]s, which generate a continuous stream of keying material to be mixed with messages.


'''Block ciphers''' are one of the two main types of [[symmetric cipher]]; they operate on fixed-size blocks of [[plaintext]], giving a block of [[ciphertext]] for each. The other main type are [[stream cipher]]s, which generate a continuous stream of keying material to be mixed with messages.
The basic function of block ciphers is to keep messages or stored data [[Information_security#Content_confidentiality | secret]]; the intent is that an unauthorised person be completely unable to read the enciphered material. Block ciphers therefore use a [[Key (cryptography)|key]] and are designed to be hard to read without that key. Of course an attacker's intent is exactly the opposite; he wants to read the material without authorisation, and often without the key. See [[cryptanalysis]] for his methods.


There is an extensive literature both on the design of block ciphers and on methods of attacking them. For the design, see below and articles on specific ciphers. For the attacks, see [[cryptanalysis]] and articles on specific attacks. The standard references ''Applied Cryptography''
Among the best-known and most widely used block ciphers are two US government standards. The [[Data Encryption Standard]] (DES) from the 1970s is now considered obsolete; the [[Advanced Encryption Standard]] (AES) replaced it in 2002. To choose the new standard, the [[National Institute of Standards and Technology]] ran an AES competition. Fifteen ciphers were entered, five finalists selected, and eventually AES chosen. Text below gives an overview; for details of the process and the criteria, and descriptions of all fifteen candidates, see the [[AES competition]] article.
<ref name="schneier">{{citation
| first = Bruce | last = Schneier
| title = Applied Cryptography
| date = 2nd edition, 1996,
| publisher = John Wiley & Sons
|ISBN =0-471-11709-9}}</ref>
and ''Handbook of Applied Cryptography''
<ref name=HAC>{{citation
| first1 = AJ | last1 = Menezes | first2 = PC | last2= van Oorschot | first3= SA | last3 = Vanstone 
| url=http://www.cacr.math.uwaterloo.ca/hac/
| title = Handbook of Applied Cryptography
| date = Fifth Edition, 2001
| ISBN=0-8493-8523-7}}</ref>,
each have a large section on block ciphers.
 
Among the best-known and most widely used block ciphers are two US government standards. The [[#DES | Data Encryption Standard]] (DES) from the 1970s is now considered obsolete; the [[#AES | Advanced Encryption Standard]] (AES) replaced it in 2002.  


To choose the new standard, the [[National Institute of Standards and Technology]] ran an [[#The_AES_generation | AES contest]]. Fifteen ciphers were entered, five finalists selected, and eventually AES chosen. Text below covers all fifteen candidates. The five finalists were Rijndael which became [[#AES | AES]], [[#Twofish | Twofish]], [[#Mars | Mars]],  [[#RC6 | RC6]] and  [[# Serpent | Serpent ]].
These standards greatly influenced the design of other block ciphers, and the latter part of this article is divided into sections based on that. [[#DES and alternatives | DES and alternatives]] describes 20th century block ciphers, all with the 64-bit block size of DES. [[#The AES generation | The AES generation]] describes the next generation, the first 21st century ciphers, all with the 128-bit block size of AES. [[#Large-block ciphers | Large-block ciphers]] covers a few special cases that do not fit in the other sections.


== Context ==
== Context ==
Block ciphers are essential components in many security systems. However, just having a good block cipher does not give you security, much as just having good tires does not give you transportation. It may not even help; good tires are of little use if you need a boat. Even in systems where block ciphers are needed, they are never the whole story. This section gives an overview of the rest of the story; it aims to provide a context for the rest of the article by mentioning some issues that, while outside the study of the ciphers themselves, are crucially important in understanding and using these ciphers.


Block ciphers are essential components in many security systems. However, just having a good block cipher does not give you security, much as just having good tires does not give you transportation. It may not even help; good tires are of little use if you need a boat. Even in systems where block ciphers are needed, they are never the whole story.
Any cipher is worthless without a good key. Keys must be kept secure, they should be large enough and sufficiently random that searching for the key (a [[brute force attack]]) is effectively impossible, and in any application which encrypts large volumes of data, the key must be changed from time to time. See the [[cryptography#Keying | cryptography]] article for discussion.


Most of this article deals with block ciphers themselves. The major sections are:
It is hard to design any system that must withstand adversaries; see [[Cryptography#Cryptography_is_difficult|cryptography is difficult]]. In particular, block ciphers must withstand [[cryptanalysis]]; it is impossible to design a good block cipher, or to evaluate the security of one, without a thorough understanding of the available attack methods. Also, [[Kerckhoffs' Principle]] applies to block ciphers; no cipher can be considered secure unless it can resist an attacker who knows all its details except the key in use. Analysis of security claims cannot even begin until all internal details of a cipher are published, so anyone making security claims without publishing those details will be either ignored or mocked by most experts.
* [[#Size parameters|Size parameters]] describes how block size and key size are chosen
* [[#Principles and techniques | Principles and techniques]] defines terms and introduces major ideas and methods
* [[#DES and alternatives | DES and alternatives]] describes 20th century block ciphers, from the 70s into the 90s
* [[#The AES generation | The AES generation]] describes the next generation, the first 21st century ciphers
* [[#Large-block ciphers | Large-block ciphers]] covers a few special cases that do not fit in the other sections


This section aims to provide a context for those by mentioning some issues that, while outside the study of the ciphers themselves, are crucially important in understanding and using these ciphers.
A block cipher defines how a single block is encrypted; a [[block cipher modes of operation| mode of operation]] defines how multiple block encryptions are combined to achieve some larger goal. Using a mode that is inappropriate for the application at hand may lead to insecurity, even if the cipher itself is secure. A block cipher can be used to build another cryptographic function such as a [[random number generator]], a [[stream cipher]], or a [[cryptographic hash]]. These are primarily a matter of choosing the correct mode, but there are more general design issues as well; see the linked articles for details.


* It is hard to design any system that must withstand adversaries; see [[Cryptography#Cryptography_is_difficult|cryptography is difficult]] and [[information security]].
Block ciphers are often used as components in [[hybrid cryptosystem]]s; these combine [[public key]] (asymmetric) cryptography with [[symmetric key cryptography | secret key]] (symmetric) techniques such as block ciphers or [[stream cipher]]s. Typically, the symmetric cipher is the workhorse that encrypts large amounts of data; the public key mechanism manages keys for the symmetric cipher and provides [[Information_security#Source_authentication|authentication]]. Generally other components such as [[cryptographic hash]]es and a cryptographically strong [[random number generator]] are required as well. Such a system can only be as strong as its weakest link, and it may not even be that strong. Using secure components including good block ciphers is certainly necessary, but just having good components does not guarantee that the ''system'' will be secure. See [[hybrid cryptosystem]] for how the components fit together, and [[information security]] for broader issues.
* Block ciphers must withstand [[cryptanalysis]]. It is impossible to design a good block cipher, or evaluate the security of one, without a thorough understanding of the available attack methods.
* [[Kerckhoffs' Principle]] applies to block ciphers. No cipher can be considered secure unless it can resist an attacker who knows all its details except the key in use. Analysis of security claims cannot even begin until all internal details of a cipher are published. Anyone making security claims without publishing those details will be either ignored or mocked by most experts.
* Any cipher is worthless without a good key. In any application which encrypts large volumes of data, the key must be changed from time to time. See the [[cryptography#Keying | cryptography]] article for discussion and [[random number]] for the methods used to generate keys which an opponent cannot guess.
* Various [[block cipher modes of operation]] are used when multiple blocks are to be encrypted. The block cipher defines how a single block is encrypted; the mode defines how multiple block encryptions are combined to achieve some larger goal. Using a mode that is inappropriate for the application at hand may lead to insecurity, even if the cipher itself is secure.
 
Block ciphers are often used as components in [[hybrid cryptosystem]]s. These combine [[public key]] (asymmetric) cryptography with [[symmetric key cryptography | secret key]] (symmetric) techniques such as block ciphers or [[stream cipher]]s; generally other components such as [[cryptographic hash]]es and a cryptographically strong [[random number]] generator are used as well. Such a hybrid system can only be as strong as its weakest link, and it may not even be that strong. Using secure components including good block ciphers is certainly necessary, but just having good components does not guarantee that the ''system'' will be secure. See [[hybrid cryptosystem]] for how the components fit together, and [[information security]] for broader issues.


That said, we turn to the block ciphers themselves.
That said, we turn to the block ciphers themselves.


== Size parameters ==
== Size parameters ==
One could say  there are only three things to worry about in designing a block cipher:
One could say  there are only three things to worry about in designing a block cipher:
* make the '''block size large enough''' that an enemy cannot create a [[code book attack | code book]], collecting so many known plaintext/ciphertext pairs that the cipher is broken.
* make the '''block size large enough''' that an enemy cannot create a [[code book attack | code book]], collecting so many known plaintext/ciphertext pairs that the cipher is broken.
* make the '''key size large enough''' that he cannot use a [[brute force]] attack, trying all possible keys
* make the '''key size large enough''' that he cannot use a [[brute force attack]], trying all possible keys
* then '''design the cipher well enough''' that no other attack is effective
* then '''design the cipher well enough''' that no other attack is effective


Line 61: Line 34:
If two or more ciphers use the same block and key sizes, they are effectively interchangeable. One can replace another in almost any application without requiring any other change to the application. This might be done to comply with a particular government's standards, to replace a cipher against which some new attack had been discovered, to provide efficiency in a particular environment, or simply to suit a preference.
If two or more ciphers use the same block and key sizes, they are effectively interchangeable. One can replace another in almost any application without requiring any other change to the application. This might be done to comply with a particular government's standards, to replace a cipher against which some new attack had been discovered, to provide efficiency in a particular environment, or simply to suit a preference.


Nearly all cryptographic libraries give a developer a choice of components, and some protocols such as [[IPsec]] allow a network administrator to select ciphers. This may be a good idea if all the available ciphers are strong, but if some are weak it just gives the developer or administrator, neither of whom is likely to be an expert on ciphers, an opportunity to get it wrong. There is an argument that supporting multiple ciphers is an unnecessary complication. On the other hand, being able to change ciphers easily if one is broken provides a valuable safety mechanism.
Nearly all cryptographic libraries give a developer a choice of components, and some protocols such as [[IPsec]] allow a network administrator to select ciphers. This may be a good idea if all the available ciphers are strong, but if some are weak it just gives the developer or administrator, neither of whom is likely to be an expert on ciphers, an opportunity to get it wrong. There is an argument that supporting multiple ciphers is an unnecessary complication. On the other hand, being able to change ciphers easily if one is broken provides a valuable safety mechanism. Striking some sort of balance with a few strong ciphers is probably the best policy.


=== Block size ===
=== Block size ===
The block size of a cipher is chosen partly for implementation convenience; using a multiple of 32 bits makes software implementations simpler. However, it must also be large enough to guard against [[code book attack]]s.
The block size of a cipher is chosen partly for implementation convenience; using a multiple of 32 bits makes software implementations simpler. However, it must also be large enough to guard against [[code book attack]]s.


DES and the [[#DES and alternatives | generation of ciphers]] that followed it all used a 64-bit block size. To weaken such a cipher significantly the attacker must buld up a [[code book attack | code book]] with 2<sup>32</sup> blocks, 32 gigabytes of data, all encrypted with the same key, As long as the cipher user changes keys reasonably often, a code book attack is not a threat. Procedures and protocols for block cipher usage therefore always include a re-keying policy.
DES and the [[#DES and alternatives | generation of ciphers]] that followed it all used a 64-bit block size. To weaken such a cipher significantly the attacker must build up a code book with 2<sup>32</sup> blocks, 32 gigabytes of data, all encrypted with the same key, As long as the cipher user changes keys reasonably often, a code book attack is not a threat. Procedures and protocols for block cipher usage therefore always include a re-keying policy.


However, with [[Moore's Law]] making larger code books more practical, [[NIST]] chose to play it safe in their [[#The AES generation | AES specifications]]; they used a 128-bit block size. This was a somewhat controversial innovation at the time (1998), since it meant changes to a number of applications and it was not absolutely clear that the larger size was necessary. However, it has since become common practice; later ciphers such as [[#Camellia|Camellia]] and [[#SEED|SEED]] also use 128 bits.
However, with [[Moore's Law]] making larger code books more practical, [[NIST]] chose to play it safe in their [[#The AES generation|AES specifications]]; they used a 128-bit block size. This was a somewhat controversial innovation at the time (1998), since it meant changes to a number of applications and it was not absolutely clear that the larger size was necessary. However, it has since become common practice; later ciphers such as [[Camellia (cipher)|Camellia]], [[SEED (cipher)|SEED]] and [[ARIA (cipher)|ARIA]] also use 128 bits.


There are also a few ciphers which either support variable block size or have a large fixed block size. See the section on [[#Large-block ciphers|large-block ciphers]] for details.
There are also a few ciphers which either support variable block size or have a large fixed block size. See the section on [[#Large-block ciphers|large-block ciphers]] for details.


=== Key size ===
=== Key size ===
In theory, any cipher except a [[one-time pad]] can be broken by a [[brute force attack]]; the enemy just has to try keys until he finds the right one. However, the attack is practical only if the cipher's key size is inadequate. If the key uses <math>n</math> bits, there are 2<sup>n</sup> possible keys and on average the attacker must test half of them, so the average cost of the attack is 2<sup>n-1</sup> encryptions.
'''Current block ciphers all use at least 128-bit keys''', which makes brute force attacks utterly impractical. Suppose an attacker has a billion processors in a monster parallel machine (several orders of magnitude more than any current machine) and each processor can test a billion keys a second (also a generous estimate; if the clock is ''k'' GHz, the processor must do an encryption in ''k'' cycles to achieve this). This amazingly powerful attacker can test about 2<sup>60</sup> keys a second, so he needs 2<sup>67</sup> seconds against a 128-bit key. There are about 2<sup>25</sup> seconds in a year, so that is about 2<sup>42</sup> years. This is over 4,000,000,000,000 (four trillion) years so the cipher is clearly secure against brute force.


In theory, any cipher can be broken by a [[brute force]] attack; the enemy just has to try keys until he finds the right one. However, the attack is practical only if the cipher's key size is inadequate. '''Current block ciphers all use at least 128-bit keys''' to protect against brute force attacks; many support larger keys as well. If the key uses n-bits, there are 2<sup>n</sup> possible keys and on average the attacker must test half of them, so the average cost of the attack is 2<sup>n-1</sup> encryptions.
Many ciphers support larger keys as well; the reasons are discussed in the [[Brute_force#Choosing_key_sizes|brute force attack]] article.
 
Key size is critical in [[stream cipher]]s as well as block ciphers, for the same reasons. In many applications of [[cryptographic hash]] algorithms, no key is used. However in applications where a key is used, such as [[hashed message authentication code]]s, key size is naturally an issue.


== Principles and techniques ==
== Principles and techniques ==
This section introduces the main principles of block cipher design, defines standard terms, and describes common techniques.
This section introduces the main principles of block cipher design, defines standard terms, and describes common techniques.


Line 86: Line 58:


=== Iterated block ciphers ===
=== Iterated block ciphers ===
Nearly all block ciphers are '''iterated block ciphers'''; they have multiple '''rounds''', each applying the same transformation to the output of the previous round. At setup time, a number of '''round keys''' or '''subkeys''' are computed from the '''primary key'''; the method used is called the cipher's '''key schedule'''. In the actual encryption or decryption, each round uses its own round key. This allows the designer to define some relatively simple transformation, called a '''round function''', and apply it repeatedly to create a cipher with enough overall complexity to thwart attacks.


Nearly all block ciphers are '''iterated block ciphers'''; they have multiple '''rounds''', each applying the same transformation to the output of the previous round. At setup time the '''primary key''' undergoes '''key scheduling''' giving a number of '''round keys'''. In the actual encryption or decryption, each round uses its own round key. This allows the designer to define some relatively simple transformation, called a '''round function''', and apply it repeatedly to create a cipher with enough overall complexity to thwart attacks.
Three common ways to design iterated block ciphers &mdash; [[#SP networks|SP networks]], [[#Feistel structures|Feistel structures]] and the [[#Lai-Massey scheme|Lai-Massey construction]] &mdash; and two important ways to look at the complexity requirements  &mdash; [[#Avalanche|avalanche]] and  [[#Nonlinearity|nonlinearity]] &mdash; are covered in following sections.
 
Two common ways to design iterated block ciphers &mdash; [[#SP networks | SP networks]] and [[#Feistel structures | Feistel structures]] &mdash; and two important ways to look at the complexity requirements  &mdash; [[#Avalanche | avalanche]] and  [[#Non-linearity | non-linearity]] &mdash; are covered in following sections.


Any iterated cipher can be made more secure by increasing the number of rounds or made faster by reducing the number. In choosing the number of rounds, the cipher designer tries to strike a balance that achieves both security and efficiency simultaneously. Often a safety margin is applied; if the cipher appears to be secure after a certain number of rounds, the designer specifies a somewhat larger number for actual use.  
Any iterated cipher can be made more secure by increasing the number of rounds or made faster by reducing the number. In choosing the number of rounds, the cipher designer tries to strike a balance that achieves both security and efficiency simultaneously. Often a safety margin is applied; if the cipher appears to be secure after a certain number of rounds, the designer specifies a somewhat larger number for actual use.  


There is a trade-off that can be made in the design. With a simple fast round function, many rounds may be required to achieve adequate security; for example, [[#GOST | GOST]] and [[#TEA | TEA]] both use 32 rounds. A more complex round function might allow fewer rounds; for example, [[#IDEA | IDEA]] uses only 8 rounds. Since the ciphers with fast round functions generally need more rounds and the ones with few rounds generally need slower round functions, neither strategy is clearly better. Secure and reasonably efficient ciphers can be designed either way, and compromises are common.
There is a trade-off that can be made in the design. With a simple fast round function, many rounds may be required to achieve adequate security; for example, [[GOST cipher| GOST]] and [[Tiny Encryption Algorithm| TEA]] both use 32 rounds. A more complex round function might allow fewer rounds; for example, [[International Data Encryption Algorithm| IDEA]] uses only 8 rounds. Since the ciphers with fast round functions generally need more rounds and the ones with few rounds generally need slower round functions, neither strategy is clearly better. Secure and reasonably efficient ciphers can be designed either way, and compromises are common.


In [[cryptanalysis]] it is common to attack '''reduced round''' versions of a cipher. For example, in attacking a 16-round cipher, the analyst might start by trying to break a two-round or four-round version. Such attacks are much easier. Success against the reduced round version may lead to insights that are useful in work against the full cipher, or even to an attack that can be extended to break the full cipher.
In [[cryptanalysis]] it is common to attack '''reduced round''' versions of a cipher. For example, in attacking a 16-round cipher, the analyst might start by trying to break a two-round or four-round version. Such attacks are much easier. Success against the reduced round version may lead to insights that are useful in work against the full cipher, or even to an attack that can be extended to break the full cipher.


=== Whitening and tweaking ===
=== Whitening and tweaking ===
Nearly all block ciphers use the same basic design, an iterated block cipher with multiple rounds. However, some have additional things outside that basic structure.
Nearly all block ciphers use the same basic design, an iterated block cipher with multiple rounds. However, some have additional things outside that basic structure.


'''Whitening''' involves mixing additional material derived from the key into the plaintext before the first round, or into the ciphertext after the last round. or both. The technique was introduced by [[Ron Rivest]] in [[#Variations on DES | DES-X]] and has since been used in other ciphers such as [[#RC6|RC6]], [[#Blowfish| Blowfish]] and [[#Twofish| Twofish]]. If the whitening material uses additional key bits, as in DES-X, then this greatly increases resistance to brute force attacks because of the larger key. If the whitening material is derived from the primary key during key scheduling, then resistance to brute force is not increased since the primary key remains the same size. However, using whitening is generally much cheaper than adding a round, and it does increase resistance to other attacks; see papers cited for [[#Variations on DES | DES-X]].
'''Whitening''' involves mixing additional material derived from the key into the plaintext before the first round, or into the ciphertext after the last round, or both. The technique was introduced by [[Ron Rivest]] in [[Data Encryption Standard#Variations on DES|DES-X]] and has since been used in other ciphers such as [[Rivest ciphers#RC6|RC6]], [[Blowfish (cipher)| Blowfish]] and [[Twofish]]. If the whitening material uses additional key bits, as in DES-X, then this greatly increases resistance to brute force attacks because of the larger key. If the whitening material is derived from the primary key during key scheduling, then resistance to brute force is not increased since the primary key remains the same size. However, using whitening is generally much cheaper than adding a round, and it does increase resistance to other attacks; see papers cited for [[Data Encryption Standard#Variations on DES | DES-X]].


A recent development is the '''tweakable''' block cipher
A recent development is the '''tweakable''' block cipher
Line 114: Line 84:
Where a normal block cipher has only two inputs, plaintext and key, a tweakable block cipher has a third input called the '''tweak'''. The tweak, along with the key, controls the operation of the cipher. Whitening can be seen as one form of tweaking, but many others are possible.
Where a normal block cipher has only two inputs, plaintext and key, a tweakable block cipher has a third input called the '''tweak'''. The tweak, along with the key, controls the operation of the cipher. Whitening can be seen as one form of tweaking, but many others are possible.


If changing tweaks is sufficiently lightweight, compared to the key scheduling operation which is often fairly expensive, then some new [[Block_cipher_modes_of_operation#Tweakable_modes | modes of operation]] become possible. Unlike the key, the tweak need not always be secret, though it should be somewhat [[random number |random]] and in some applications it should change from block to block. Tweakable ciphers and the associated modes are an active area of current research.
If changing tweaks is sufficiently lightweight, compared to the key scheduling operation which is often fairly expensive, then some new [[Block_cipher_modes_of_operation#Tweakable_modes|modes of operation]] become possible. Unlike the key, the tweak need not always be secret, though it should be somewhat random and in some applications it should change from block to block. Tweakable ciphers and the associated modes are an active area of current research.


The [[#Hasty Pudding|Hasty Pudding Cipher]] was one of the first tweakable ciphers, pre-dating the ''Tweakable Block Ciphers'' paper and referring to what would now be called the tweak as "spice".
The [[Hasty Pudding (cipher)|Hasty Pudding Cipher]] was one of the first tweakable ciphers, pre-dating the ''Tweakable Block Ciphers'' paper and referring to what would now be called the tweak as "spice".


=== Avalanche ===
=== Avalanche ===
The designer wants changes to quickly propagate through the cipher. This was named the '''avalanche effect''' in a paper <ref>{{ citation | author = Horst Feistel | title = Cryptography and Computer Privacy | journal = Scientific American | date = 1973 | url = http://www3.edgenet.net/dcowley/docs.html }}</ref> by [[Horst Feistel]]. The idea is that changes should build up like an avalanche, so that a tiny initial change (consider a snowball tossed onto a mountain) quickly creates large effects. The term and its exact application were new, but the basic concept was not; avalanche is a variant of [[Claude Shannon]]'s diffusion, and that in turn is a formalisation of ideas that were already in use.


The designer wants changes to quickly propagate through the cipher. This was named the '''avalanche effect''' in a paper <ref>{{ citation | author = Horst Feistel | title = Cryptography and Computer Privacy | journal = Scientific American | date = 1973 | url = http://www3.edgenet.net/dcowley/docs.html }}</ref> by [[Horst Feistel]]. The idea is that changes should build up like an avalanche, so that a tiny initial change quickly creates large effects. The term and its exact application were new, but the basic concept was not; avalanche is a variant of [[Claude Shannon]]'s diffusion and that in turn is a formalisation of ideas that were already in use.
If a single bit of input or of the round key is changed at round <math>n</math>, that should affect all bits of the ciphertext by round <math>n+x</math> for some reasonably small <math>x</math>. Ideally, <math>x</math> would be 1, but this is not generally achieved in practice. Certainly <math>x</math> must be much less than the total number of rounds; if <math>x</math> is large, then the cipher will need more rounds to be secure.
 
If a single bit of input is changed at round <math>n</math>, that should affect all bits of the ciphertext by round <math>n+x</math> for some reasonably small <math>x</math>. Ideally, <math>x</math> would be 1, but this is not generally achieved in practice. Certainly <math>x</math> must be much less than the total number of rounds; if <math>x</math> is large, then the cipher will need more rounds to be secure.


The '''strict avalanche criterion''' <ref name=SAC> {{citation | author = A. F. Webster and [[Stafford E. Tavares]] | title = On the design of S-boxes | journal = Advances in Cryptology - Crypto '85 (Lecture Notes in Computer Science) | date = 1985 }} </ref> is a strong version of the requirement for good avalanche properties. Complementing any single bit of the input or the key should give exactly a 50% chance of a change in any given bit of output.
The '''strict avalanche criterion''' <ref name=SAC> {{citation | author = A. F. Webster and [[Stafford E. Tavares]] | title = On the design of S-boxes | journal = Advances in Cryptology - Crypto '85 (Lecture Notes in Computer Science) | date = 1985 }} </ref> is a strong version of the requirement for good avalanche properties. Complementing any single bit of the input or the key should give exactly a 50% chance of a change in any given bit of output.


=== Cipher structures ===
=== Cipher structures ===
In [[Claude Shannon]]'s  
In [[Claude Shannon]]'s  
<ref>{{citation
<ref>{{citation
Line 136: Line 104:
| date = 1949
| date = 1949
| pages = pp.656-715
| pages = pp.656-715
| url = http://www.prism.net/user/dcowley/docs.html }}</ref>.
| url = http://www.prism.net/user/dcowley/docs.html }}</ref>
terms, a cipher needs both '''confusion''' and '''diffusion''', and a general design principle is that of the '''product cipher''' which combines several operations to achieve both goals. This goes back to the combination of substitution and transposition in various [[Cipher#Classical_cipher_components | classical ciphers]] from before the advent of computers. All modern block ciphers are product ciphers.
terms, a cipher needs both '''confusion''' and '''diffusion''', and a general design principle is that of the '''product cipher''' which combines several operations to achieve both goals. This goes back to the combination of substitution and transposition in various [[Cipher#Classical_cipher_components | classical ciphers]] from before the advent of computers. All modern block ciphers are product ciphers.


Two structures are very commonly used in building block ciphers &mdash; SP networks and the Feistel structure. In Shannon's terms, both are product ciphers. Either structure is a known quantity for a cipher designer, part of the toolkit. He or she gets big chunks of a design &mdash; an overall cipher structure with a well-defined hole for the  round function to fit into &mdash; from the structure, This leaves him or her free to concentrate on the hard part, designing the actual round function. Neither structure gives ideal avalanche in a single round but, with any reasonable round function, both give excellent avalanche after a few rounds.
Two structures are very commonly used in building block ciphers &mdash; SP networks and the Feistel structure. The Lai-Massey construction is a third alternative, less common than the other two. In Shannon's terms, all of these are product ciphers. Any of these structures is a known quantity for a cipher designer, part of the toolkit. He or she gets big chunks of a design &mdash; an overall cipher structure with a well-defined hole for the  round function to fit into &mdash; from the structure, This leaves him or her free to concentrate on the hard part, designing the actual round function. None of these structures gives ideal avalanche in a single round but, with any reasonable round function, all give excellent avalanche after a few rounds.


Not all block ciphers use one of these structures, but most do. This section describes these two common structures.
Not all block ciphers use one of these structures, but most do. This section describes these common structures.


==== SP networks ====
==== SP networks ====
A '''substitution-permutation network''' or '''SP network''' or '''SPN''' is Shannon's own design for a product cipher. It uses two layers in each round: a '''substitution layer''' provides confusion, then a '''permutation layer''' provides diffusion.
A '''substitution-permutation network''' or '''SP network''' or '''SPN''' is Shannon's own design for a product cipher. It uses two layers in each round: a '''substitution layer''' provides confusion, then a '''permutation layer''' provides diffusion.


Line 154: Line 121:


==== Feistel structure ====
==== Feistel structure ====
Another way to build an iterated block cipher is to use the '''Feistel structure'''. This technique was devised by [[Horst Feistel]] of IBM and used in [[#DES|DES]]. Such ciphers are known as '''Feistel ciphers''' or '''Feistel networks'''. In Shannon's terms, they are another class of product cipher.
Another way to build an iterated block cipher is to use the '''Feistel structure'''. This technique was devised by [[Horst Feistel]] of IBM and used in [[#DES|DES]]. Such ciphers are known as '''Feistel ciphers''' or '''Feistel networks'''. In Shannon's terms, they are another class of product cipher.


Line 175: Line 141:
based on that shows that a Feistel cipher with seven rounds can be secure.
based on that shows that a Feistel cipher with seven rounds can be secure.


In a Feistel cipher, each round uses an operation  called the '''F function''' whose input is half a block and a round key; the output is a half-block of scrambled data which is XORed into the other half block of text. The rounds alternate direction &mdash; in one data from the left half-block is input and the right half-block is changed, and in the next round that is reversed.  
In a Feistel cipher, each round uses an operation  called the '''F-function''' whose input is half a block and a round key; the output is a half-block of scrambled data which is XOR-ed into the other half-block of text. The rounds alternate direction &mdash; in one data from the left half-block is input and the right half-block is changed, and in the next round that is reversed.  


Showing the half-blocks as left and right, XOR as ^ and round key for round n as k<sub>n</sub>, even numbered rounds are then:
Showing the half-blocks as left and right, bitwise XOR as <math>\oplus</math> (each bit of the output word is the XOR of the corresponding bits of the two input words) and round key for round <math>n</math> as k<sub>n</sub>, even numbered rounds are then:


: left<sub>n</sub> = left<sub>n-1</sub> ^ F(right<sub>n-1</sub>, k<sub>n</sub>)
: <math> \text{left}_n = \text{left}_{n-1} \oplus F( \text{right}_{n-1}, k_n ) </math>
: right<sub>n</sub> = right<sub>n-1</sub>
: <math> \text{right}_n = \text{right}_{n-1} </math>


and odd-numbered rounds are
and odd-numbered rounds are


: right<sub>n</sub> = right<sub>n-1</sub> ^ F(left<sub>n-1</sub>, k<sub>n</sub>)
: <math> \text{right}_n = \text{right}_{n-1} \oplus F( \text{left}_{n-1}, k_n ) </math>
: left<sub>n</sub> = left<sub>n-1</sub>
: <math> \text{left}_n = \text{left}_{n-1} </math>


Since XOR is its own inverse (a^b^b=a for any a,b) and the half-block that is used as input to the F function is unchanged in each round, reversing a Feistel round is straightforward. Just calculate the F function again with the same inputs and XOR the result into the ciphertext to cancel out the previous XOR. For example, the decryption step matching the first example above is:
Since XOR is its own inverse (a<math>\oplus</math>b<math>\oplus</math>b=a for any a,b) and the half-block that is used as input to the F-function is unchanged in each round, reversing a Feistel round is straightforward. Just calculate the F-function again with the same inputs and XOR the result into the ciphertext to cancel out the previous XOR. For example, the decryption step matching the first example above is:


: left<sub>n-1</sub> = left<sub>n</sub> ^ F(right<sub>n</sub>, k<sub>n</sub>)
: <math> \text{left}_{n-1} = \text{left}_n \oplus F( \text{right}_n, k_n ) </math>
: right<sub>n-1</sub> = right<sub>n</sub>
: <math> \text{right}_{n-1} = \text{right}_n </math>


In some ciphers, including those based on SP networks, all operations must be reversible so that decryption can work. The main advantage of a Feistel cipher over an SP network is that the F function itself need not be reversible, only repeatable. This gives the designer extra flexibility; almost any operation he can think up can be used in the F function. On the other hand, in the Feistel construction, only half the output changes in each round while an SP network can change all of it in a single round.
In some ciphers, including those based on SP networks, all operations must be reversible so that decryption can work. The main advantage of a Feistel cipher over an SP network is that the F-function itself need not be reversible, only repeatable. This gives the designer extra flexibility; almost any operation he can think up can be used in the F-function. On the other hand, in the Feistel construction, only half the output changes in each round while an SP network changes all of it in a single round.


There is a variant called an unbalanced Feistel cipher in which the block is split into two unequal-sized pieces rather than two equal halves. [[#Skipjack|Skipjack]] was a well-known example. There are also variations which treat the text as four blocks rather than just two; [[#MARS|MARS]] and [[#CAST-256|CAST-256]] are examples.
A single round in a Feistel cipher has less than ideal avalanche properties; only half the output is changed. However, the other half is changed in the next round so, with a good F-function, a Feistel cipher can have excellent overall avalanche properties within a few rounds. It is possible to design a Feistel cipher so that the F-function itself has ideal avalanche properties &mdash; every output bit depends nonlinearly on every input bit and every key bit &mdash; details are in a [[#Large_S-boxes|later section]].


A single round in a Feistel cipher has less than ideal avalanche properties; only half the output is changed. However, the other half is changed in the next round so, with a good F function, a Feistel cipher can have excellent overall avalanche properties within a few rounds.
There is a variant called an unbalanced Feistel cipher in which the block is split into two unequal-sized pieces rather than two equal halves. [[Skipjack]] was a well-known example. There are also variations which treat the text as four blocks rather than just two; [[MARS (cipher)|MARS]] and [[CAST (cipher)#CAST-256|CAST-256]] are examples.


The hard part of Feistel cipher design is of course the F function. Design goals include efficiency, easy implementation, and good avalanche properties. Also, it is critically important that the F-function be highly non-linear. All other operations in a Feistel cipher are linear and a cipher without enough non-linearity is weak; see the next section.
The hard part of Feistel cipher design is of course the F-function. Design goals include efficiency, easy implementation, and good avalanche properties. Also, it is critically important that the F-function be highly nonlinear. All other operations in a Feistel cipher are linear and a cipher without enough nonlinearity is weak; see below.


=== Non-linearity ===
==== Lai-Massey scheme ====
This structure was introduced in a thesis by [[Xuejia Lai]], supervised by [[James Massey]], in a cipher which later became the [[International Data Encryption Algorithm]], IDEA.<ref name=idea>{{citation
| author = X. Lai
| title = On the Design and Security of Block Ciphers
| journal = ETH Series in Information Processing, v. 1
| publisher = Hartung-Gorre Verlag
| date = 1992
}}</ref> It has since been used in other ciphers such as [[FOX (cipher)|FOX]], later renamed [[IDEA NXT]]. Perhaps the best-known analysis is by [[Serge Vaudenay]], one of the designers of FOX. <ref>{{citation
| author = S. Vaudenay
| title = On the Lai-Massey Scheme
| conference = Asiacrypt 99
| publisher = Springer-Verlag, LCNS
| date = 1999
}}</ref>
 
One paper <ref>{{citation
| title = Lai-Massey Scheme and Quasi-Feistel Networks
| author = Aaram Yun, Je Hong Park and Jooyoung Lee
| url = http://eprint.iacr.org/2007/347
| date = 2007
}}</ref>
proposes a general class of "quasi-Feistel networks", with the Lai-Massey scheme as one instance, and shows that several of the well-known results on Feistel networks (such as the Luby-Rackoff and Patarin papers referenced above) can be generalised to the whole class. Another <ref>{{citation
| title = Pseudorandomness Analysis of the Lai-Massey Scheme
| author = Yiyuan Luo, [[Xuejia Lai]], Zheng Gong and Zhongming Wu
| url = http://eprint.iacr.org/2009/266
| date = 2009
}}</ref> gives some specific results for the Lai-Massey scheme.


To be secure, '''every cipher must contain non-linear operations'''. If all operations in a cipher were linear &mdash; in any algebraic system, with the attacker making the choice of system and perhaps trying more than one &mdash; then the cipher could be reduced to a system of linear equations and broken by an [[algebraic attack]]. The attacker can also try [[linear cryptanalysis]]. If he can find a good enough linear ''approximation'' for the round function and has enough known plaintext/ciphertext pairs, then this will break the cipher. Defining "enough" in the two places where it occurs in the previous sentence is tricky; see [[linear cryptanalysis]].
=== Nonlinearity ===
To be secure, '''every cipher must contain nonlinear operations'''. If all operations in a cipher were linear then the cipher could be reduced to a system of linear equations and be broken by an [[algebraic attack]]. The attacker can choose which algebraic system to use; for example, against one cipher he might treat the text as a vector of bits and use Boolean algebra while for another he might choose to treat it as a vector of bytes and use arithmetic modulo 2<sup>8</sup>. The attacker can also try linear cryptanalysis. If he can find a good enough linear ''approximation'' for the round function and has enough known plaintext/ciphertext pairs, then this will break the cipher. Defining "enough" in the two places where it occurs in the previous sentence is tricky; see [[linear cryptanalysis]].


What makes these attacks impractical is a combination of the sheer size of the system of equations used (large block size, whitening, and more rounds all increase this) and non-linearity in the relations involved. In any algebra, solving a system of ''linear'' equations is more-or-less straightforward provided there are more equations than variables. However, solving ''non-linear'' systems of equations is far harder, so the cipher designer strives to introduce [[non-linearity]] to the system, preferably to have at least some components that are ''not even close to linear''. Combined with good avalanche properties and enough rounds, this makes both direct algebraic analysis and [[linear cryptanalysis]] prohibitively difficult.
What makes these attacks impractical is a combination of the sheer size of the system of equations used (large block size, whitening, and more rounds all increase this) and nonlinearity in the relations involved. In any algebra, solving a system of ''linear'' equations is more-or-less straightforward provided there are more equations than variables. However, solving ''nonlinear'' systems of equations is far harder, so the cipher designer strives to introduce nonlinearity to the system, preferably to have at least some components that are ''not even close to linear''. Combined with good avalanche properties and enough rounds, this makes both direct algebraic analysis and linear cryptanalysis prohibitively difficult.


There are several ways to add non-linearity; some ciphers rely on only one while others use several.
There are several ways to add nonlinearity; some ciphers rely on only one while others use several.


One method is '''mixing operations from different algebras'''. If the cipher relies only on Boolean operations, the cryptanalyst can try to attack using Boolean algebra; if it uses only arithmetic operations, he can try normal algebra. If it uses both, he has a problem. Of course arithmetic operations can be expressed in Boolean algebra or vice versa, but the expressions are inconveniently (for the cryptanalyst!) complex and non-linear whichever way he tries it.
One method is '''mixing operations from different algebras'''. If the cipher relies only on Boolean operations, the cryptanalyst can try to attack using Boolean algebra; if it uses only arithmetic operations, he can try normal algebra. If it uses both, he has a problem. Of course arithmetic operations can be expressed in Boolean algebra or vice versa, but the expressions are inconveniently (for the cryptanalyst!) complex and nonlinear whichever way he tries it.


For example, in the [[#Blowfish | Blowfish]] F function, it is necessary to combine four 32-bit words into one. This is not done with a straightforward x = a+b+c+d or x=a^b^c^d but instead with x = ((a+b)^c)+d. On most computers this costs no more, but it makes the analyst's job harder.
For example, in the [[Blowfish (cipher)| Blowfish]] F-function, it is necessary to combine four 32-bit words into one. This is not done with just addition, x = a+b+c+d or just Boolean operations x = a<math>\oplus</math>b<math>\oplus</math>c<math>\oplus</math>d but instead with a mixture, x = ((a+b)<math>\oplus</math>c)+d. On most computers this costs no more, but it makes the analyst's job harder.


Other operations can also be used, albeit at higher costs. [[#IDEA | IDEA]] uses multiplication modulo 2<sup>16</sup>+1 and [[#AES | AES]] does matrix multiplications with polynomials in a [[Galois field]].  
Other operations can also be used, albeit at higher costs. [[International Data Encryption Algorithm | IDEA]] uses multiplication modulo 2<sup>16</sup>+1 and [[#AES | AES]] does matrix multiplications with polynomials in a [[Galois field]].  


'''Rotations''', also called '''circular shifts''', on words or registers are non-linear in normal algebra, though they are easily described in Boolean algebra. [[#GOST | GOST]] uses rotations by a constant amount, [[#CAST-128 | CAST-128]] and [[#CAST-256 | CAST-256]] use a key-dependent rotation in the F function, and [[#RC5 | RC5]], [[#RC6 | RC6]] and [[#MARS | MARS]] all use data-dependent rotations.
'''Rotations''', also called '''circular shifts''', on words or registers are nonlinear in normal algebra, though they are easily described in Boolean algebra. [[GOST cipher| GOST]] uses rotations by a constant amount, [[CAST (cipher)#CAST-128 | CAST-128]] and [[CAST (cipher)#CAST-256 | CAST-256]] use a key-dependent rotation in the F-function, and [[Rivest ciphers#RC5 | RC5]], [[Rivest ciphers#RC6 | RC6]] and [[#MARS | MARS]] all use data-dependent rotations.


A general operation for introducing non-linearity is the substitution box or '''S-box'''; see following section.
A general operation for introducing nonlinearity is the substitution box or '''S-box'''; see following section.


Non-linearity is also an important consideration in the design of [[stream cipher]]s and [[cryptographic hash]] algorithms. For hashes, much of the mathematics and many of the techniques used are similar to those for block ciphers. For stream ciphers, rather different mathematics and methods apply (see [[Berlekamp-Massey algorithm]] for example), but the basic principle is the same.
Nonlinearity is also an important consideration in the design of [[stream cipher]]s and [[cryptographic hash]] algorithms. For hashes, much of the mathematics and many of the techniques used are similar to those for block ciphers. For stream ciphers, rather different mathematics and methods apply (see [[Berlekamp-Massey algorithm]] for example), but the basic principle is the same.


=== S-boxes ===
=== S-boxes ===
S-boxes or '''substitution boxes''' are look-up tables. The basic operation involved is a = sbox[b] which, at least for reasonable sizes of a and b, is easily done on any computer.
S-boxes or '''substitution boxes''' are look-up tables. The basic operation involved is a = sbox[b] which, at least for reasonable sizes of a and b, is easily done on any computer.


There is an extensive literature on the design of good S-boxes, much of it emphasizing achieving high non-linearity though other criteria are also used. See [[Block_cipher/External_Links#Other_links| external links]] and references below.
S-boxes are described as <math>m</math> by <math>n</math>, with <math>m</math> representing the number of input bits and <math>n</math> the number of output bits. For example, [[#DES|DES]] uses 6 by 4 S-boxes. The storage requirement for an <math>m</math> by <math>n</math> S-box is 2<sup>m</sup>''n'' bits, so large values of <math>m</math> (many input bits) are problematic. Values up to eight are common and [[MARS (cipher)| MARS]] has a 9 by 32 S-box; going much beyond that would be expensive. Large values of <math>n</math> (many output bits) are not a problem; 32 is common and at least one system, the Tiger hash algorithm
 
S-boxes are described as <math>m*n</math> or <math>m</math> by <math>n</math>, with <math>m</math> representing the number of input bits and <math>n</math> the number of output bits. For example, [[#DES|DES]] uses 6 by 4 S-boxes. The storage requirement for an <math>m*n</math> S-box is 2<sup>m</sup>*n bits, so large values of <math>m</math> (many input bits) are problematic. Values up to eight are common; going much beyond that would be expensive. Large values of <math>n</math> (many output bits) are not a problem; 32 is common and at least one system, the Tiger hash algorithm
<ref>{{citation
<ref>{{citation
  | title=Tiger: a fast new hash function
  | title=Tiger: a fast new hash function
Line 235: Line 225:
uses 64.
uses 64.


S-boxes are often used in the S-layer of an [[#Substitution-permutation networks | SP Network]]. In this application, the S-box must have an inverse to be used in decryption. It must therefore have the same number of bits for input and output; only <math>n*n</math> S-boxes can be used. For example, [[#AES|AES]] is an SP network with a single <math>8*8</math> S-box and [[#Serpent|Serpent]] is one with eight <math>4*4</math> S-boxes.
S-boxes are often used in the S-layer of an [[#Substitution-permutation networks | SP Network]]. In this application, the S-box must have an inverse to be used in decryption. It must therefore have the same number of bits for input and output; only <math>n</math> by <math>n</math> S-boxes can be used. For example, [[#AES|AES]] is an SP network with a single 8 by 8 S-box and [[#Serpent|Serpent]] is one with eight 4 by 4 S-boxes. Another common application is in the F-function of a [[#Feistel structure | Feistel cipher]]. Since the F-function need not be reversible, there is no need to construct an inverse S-box for decryption and S-boxes of any size may be used.


Another common application is in the F function of a [[#Feistel structure | Feistel cipher]]. Since the F function need not be reversible, there is no need to construct an inverse S-box for decryption and S-boxes of any size may be used. The first generation of Feistel ciphers used relatively small S-boxes, <math>6*4</math> for [[#DES|DES]] and <math>4*4</math> for [[#GOST|GOST]]. Later Feistel ciphers use larger ones, <math>8*32</math> for both  [[#CAST|CAST]] and [[#Blowfish|Blowfish]]; the reasons for this are discussed in the [[#F function and S-boxes|CAST S-boxes]] section.
With either an SP network or a Feistel construction, '''nonlinear S-boxes and enough rounds give a highly nonlinear cipher'''.


With either an SP network or a Feistel construction, '''non-linear S-boxes and enough rounds give a highly non-linear cipher'''.
==== Large S-boxes ====
The first generation of Feistel ciphers used relatively small S-boxes, 6 by 4 for [[Data Encryption Standard|DES]] and 4 by 4 for [[GOST cipher|GOST]]. In these ciphers the F-function is essentially one round of an [[#Substitution-permutation networks | SP Network]]. The eight S-boxes give 32 bits of S-box output. Those bits, reordered by a simple transformation, become the 32-bit output of the F-function. Avalanche properties are less than ideal since each output bit depends only on the inputs to one S-box. The output transformation (a bit permutation in DES, a rotation in GOST) compensates for this, ensuring that the output from one S-box in one round affects several S-boxes in the next round so that good avalanche is achieved after a few rounds.


In '''perfectly non-linear S-boxes'''
Later Feistel ciphers use larger S-boxes; [[CAST (cipher)| CAST-128 or CAST-256]] and [[Blowfish (cipher) | Blowfish]] all use four 8 by 32 S-boxes. They do not use S-box bits directly as F-function output. Instead, they take a 32-bit word from each  S-box, then combine them to form a 32-bit output. This gives an F-function with '''ideal avalanche properties'''; every bit of input and every bit of round key affects every bit of output. No output transformation is required in such an F-function, and Blowfish has none. However, one may be used anyway; the CAST ciphers add a key-dependent rotation.
<ref>{{citation
| author = Kaisa Nyberg
| title = Perfect nonlinear S-boxes
| journal = Eurocrypt'91, LNCS 547
| publisher = Springer-Verlag
| date = 1991 }}</ref>,
not only are all columns [[bent function]]s (the most non-linear possible Boolean functions), but all linear combinations of columns are bent functions as well. This is possible only if <math>m >= 2n</math>, there are at least twice as many input bits as output bits. Such S-boxes are therefore not much used.
 
S-boxes are sometimes used as an analytic tool even for operations that are not actually implemented as S-boxes. Any operation whose output is fully determined by its inputs can be described by an S-box; concatenate all inputs into an index, look that index up, get the output. For example, the [[#IDEA | IDEA]] cipher uses a multiplication operation with two 16-bit inputs and one 16-bit output; it can be modeled as a 32*16 S-box. In an academic paper, one might use such a model in order to apply standard tools for measuring S-box non-linearity. A well-funded cryptanalyst might actually build the S-box (8 gigabytes of memory) either to use in his analysis or to speed up an attack.
 
== DES and alternatives ==
 
The [[Data Encryption Standard]], '''DES''', was made a US government standard block cipher in the late 70s. That standard marked the beginning of an era in work related to block ciphers. For an entire generation, every student of [[cryptanalysis]] tried to find a way to break DES and every student of [[cryptography]] tried to devise a cipher that was demonstrably better than DES. Very few succeeded.


This section covers 20th century block ciphers, DES and the ciphers which followed DES in the 80s and 90s.  DES served as a sort of baseline for cipher design in this era; the design goal for all these ciphers was to replace DES in some of its many applications with something faster, more secure, or both. All of the followers &mdash; GOST, Blowfish, CAST-128, IDEA and others &mdash; used 64-bit blocks, like DES, but all used 128-bit or longer keys for better resistance to [[brute force]]. Many of the techniques used came from DES and many of the design principles came from analysis of DES.
With the Feistel structure and such an F-function, complete avalanche &mdash; all 64 output bits depend on all 64 input bits &mdash; is achieved in three rounds, and the cipher meets the '''strict avalanche criterion''' <ref name="SAC" />; complementing any input bit has a 50% chance of changing any given output bit.


The era effectively ended when the US government began working on a new cipher standard to replace their Data Encryption Standard, the [[#AES | Advanced Encryption Standard]] or AES. A whole new generation of ciphers arose, the first 21st century block ciphers. Of course these designs still drew on the experience gained in the post-DES generation, but overall these ciphers are quite different. In particular, they all use 128-bit blocks and most support key sizes up to 256 bits. We cover them in the [[#The_AES_generation | next section]].
These ciphers are primarily designed for software implementation, rather than the 1970s hardware DES was designed for, so looking up a full computer word at a time makes sense. An 8 by 32 S-box takes one K byte of storage; several can be used on a modern machine without difficulty. They need only four S-box lookups, rather than the eight in DES or GOST, so the F-function and therefore the whole cipher can be reasonably efficient.


=== DES ===
==== S-box design ====
There is an extensive literature on the design of good S-boxes, much of it emphasizing achieving high nonlinearity though other criteria are also used. See [[Block_cipher/External_Links#Literature_surveys| external links]].


The [[Data Encryption Standard]], DES, is among the the best known and most thoroughly analysed block ciphers. It was invented by [[IBM]], and was made a US government standard for non-classified government data and for regulated industries such as banking, in the late 70s. From then until about the turn of the century, it was very widely used. DES operates on 64-bit blocks and takes a 56-bit key.
The CAST S-boxes use [[bent function]]s (the most highly nonlinear Boolean functions) as their columns. That is, the mapping from all the input bits to any single output bit is a bent function. A paper on generating the S-boxes is Mister & Adams "Practical S-box Design"
 
DES is now considered obsolete; its small key size makes it vulnerable to a [[brute force]] attack, given modern computers. In 2002, DES was replaced as a US government standard by the [[#AES | Advanced Encryption Standard]] which uses 128-bit blocks and takes 128, 192 or 256-bit keys.
 
Some applications still use [[#Triple DES | Triple DES]], a variant which applies DES three times with two or three different keys; see next section.
 
Every new [[cryptanalysis | cryptanalytic]] technique invented since DES became a standard has been tested against DES. None of them have broken it completely, but two &mdash; [[differential cryptanalysis]] and [[linear cryptanalysis]] &mdash; give attacks theoretically significantly better than brute force. This does not appear to have much practical importance since both require enormous numbers of known or chosen plaintexts and DES can be broken by brute force with one known plaintext. All the older publicly known cryptanalytic techniques have also been tried, or at least considered, for use against DES; none of them work.
 
==== DES internals ====
 
DES operates on 64-bit blocks and takes a 56-bit key. It is a [[Feistel cipher]] with 16 rounds and a 48-bit round key for each round, To generate the round keys, the 56-bit key is split into two 28-bit halves and those halves are circularly shifted after each round by one or two bits. Then 48 bits from them are selected and permuted to form the round key.
 
DES uses eight S-boxes, each 6 bits in and 4 out. The F function works as follows:
: expand the 32-bit input to 48 bits, simply by copying some bits twice
: XOR with the 48-bit round key
: split the result into 8 6-bit chunks
: pass each chunk through a different S-box, giving 32 output bits
: permute the output bits
The permutation ensures rapid avalanche; a one-bit change in key affects one S-box; a one-bit change in the input block affects one or two S-boxes. With the permutation, changing the output of one S-box affects several S-boxes in the next round. After a few rounds, the effect spreads to the entire output.
 
DES was originally designed for hardware implementation and includes some operations, such as the bit permutations used in both key scheduling and the F function, which are inconvenient to do in software. There have been many software implementations of DES, many of them provide acceptable performance, and some have been widely used, but later ciphers designed with software implementation in mind are generally faster.
 
==== DES's Achilles' heel: key length ====
 
DES can no longer be considered secure in any application where there is significant risk that an adversary will deploy large resources.
 
DES uses a 56-bit key. That is simply too small to resist a [[brute force attack]], an exhaustive search in which the enemy just tries keys until he finds the right one. If an enemy either has money to spend on specialised hardware or has access to many general-purpose computers, then DES is not secure against that enemy. Of course this also applies to any other cipher with a small key.
 
In 1998, the [[Electronic Frontier Foundation]] built a $200,000 machine that finds a DES key in a few days; details are in ''Cracking DES''
<ref>{{citation
| author = Electronic Frontier Foundation
| title = Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design
| publisher = Electronic Frontier Foundation
| url = http://cryptome.org/cracking-des/cracking-des.htm
| isbn = ISBN: 1-56592-520-3 
| date = 1998 }}</ref>.
In 2006, two German universities built a €9,000 "Cost-Optimized Parallel COde Breaker" or Copacobana
<ref>{{citation
| author = Sandeep Kumar et al.
| title = How to Break DES for 8,980 Euro
| journal=SHARCS 2006 Conference Proceedings
| url = http://www.copacobana.org/ 
| date = 2006 }}</ref>
machine based on [[Field programmable gate array]]s that breaks DES in just under a week on average. That machine is commercially available.
 
Many computing tasks are quite difficult to parallelize. Cipher-cracking is one of the few exceptions; adding more hardware just makes it faster without raising any tricky communication problems. One Copacobana machine breaks DES in a week, so an attacker using seven of them can do it in a day and so on. On an intelligence agency budget, using 168 of them to crack a key an hour, or 10,000 to crack a key a minute, would be feasible if any worthwhile target still used DES.
 
DES has also been cracked by people using many general-purpose computers. In 1998 [[RSA Laboratories]] ran a "DES Challenge" offering a cash prize to crack a DES key. The winners
<ref>{{citation
| title=A Brute Force Search of DES Keyspace
| author=Matt Curtin & Justin Dolske
| journal=;login
| publisher=Usenix Assocation
| date=May 1998
| url=http://www.interhack.net/pubs/des-key-crack/
}}</ref>
used many machines connected by the Internet, "a peak of about 14,000 unique hosts within a single 24-hour period"; it took them three months to find one key. Today, the machines are much faster, according to [[Moore's Law]] roughly 100 times faster. Presumably a network of comparable size today could break DES in about a day and a smaller network could do it in a few weeks or months. Many large organisations &mdash; business, government, criminal, ... &mdash; have enough computing power for this.
 
Even today, it would still take decades for an attacker with a single machine to find a DES key. However, a lone attacker might be able to do it fairly quickly by using machines at an employer or a university.
 
Despite this, DES is still moderately widely deployed in legacy applications. In some cases &mdash; depending on the value of the information, the threats, the costs of changing to a stronger cipher, and the risks of changing a working system &mdash; keeping it in service may be reasonable. However, against serious threats it must be considered insecure; certainly there is no reason to even consider it for new applications.
 
==== Variations on DES ====
 
DES is vulnerable to [[brute force]] attack because of its small key. However, it has withstood decades of intensive analysis with no catastrophic flaws found, so it appears to be basically a remarkably solid design. Various people have therefore sought ways to achieve larger key size while retaining the basic DES algorithm.
 
[[Ron Rivest]] proposed '''DESX''' or DES-X, essentially DES with [[#Whitening_and_tweaking|whitening]]. 64 bits of key material are XORed into the plaintext before encryption, and 64 more into the ciphertext afterward. With the 56 bits of DES key, the gives 184 total keys bits so the cipher is safe from brute force attacks. Encryption overheads are only a tiny bit more than DES; the cost of the XORs. Analysis
<ref>{{citation
| author = Joe Kilian and Phillip Rogaway
| title = How to protect DES against exhaustive key search
| journal = Advances in Cryptology - Crypto '96
| publisher = Springer-Verlag
| date = 1996
| pages = 252–267
| url = http://wwwcsif.cs.ucdavis.edu/~rogaway/papers/desx.ps }}</ref>
<ref>{{citation
| author = Phillip Rogaway
| title = The Security of DESX
| journal = RSA Cryptobytes
| date = Summer 1996
| url = http://www.cs.ucdavis.edu/~rogaway/papers/cryptobytes.pdf }}</ref>
of resistance to [[linear cryptanalysis]] and [[differential cryptanalysis]] shows that it is better than DES against these attacks, but not hugely so.
 
Biham and Biryukov
<ref>{{citation
| author=Eli Biham, Alex Biryukov,
| title=How to Strengthen DES Using Existing Hardware,
| date=May 1994
| journal=Asiacrypt'94, LNCS 917
| url=http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-info.cgi?1994/CS/CS0816}}</ref>
proposed techniques in which additional key bits are used to alter the S-boxes before encryption. This increases setup cost somewhat, but the overheads per block encrypted or decrypted are identical to those for DES. It is resistant to brute force and somewhat better than DES against other attacks. The technique can be used with some hardware encryption devices that DESX could not be used on.
 
Another approach is to use '''independent round keys'''. DES has 16 48-bit round keys, a total of 768 bits of keying material, but in normal DES they are all derived from the 56-bit main key. Use 768 independent key bits and the cipher is obviously resistant to brute force, one proposal was '''G-DES''' or Generalised DES
<ref name="gdes">{{citation
| author = Andreas Pfitzmann and Ralf Amann
| title = More Efficient Software Implementations of Generalized DES
| journal = Computers & Security,
| year = 1990
| volume = 12
| pages = 477-500 }}</ref>.
However, Schneier at al.
<ref>{{citation
| title=Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES
| author=J. Kelsey, B. Schneier, and D. Wagner
| journal =Advances in Cryptology--CRYPTO '96 Proceedings
| publisher=Springer-Verlag
| date=August 1996
| pages=237-251.
| url=http://www.schneier.com/paper-key-schedule.pdf}}</ref>
demonstrate that the technique has weaknesses.
 
=== Triple DES ===
Another way to derive a stronger cipher from DES is to apply DES multiple times with different keys.
 
Just applying DES twice, '''double DES''', is '''ineffective'''. Using two 56-bit keys gives 112 total key bits, so a [[brute force]] attack needs 2<sup>111</sup> encryptions. However, brute force is not the best attack. A [[meet-in-the-middle attack]] needs only 2<sup>57</sup> DES operations, though a large amount of memory is also required. That is, double DES is only four times stronger than DES, which can be broken by [[brute force]] with an average of 2<sup>55</sup> encryptions.
 
'''Triple DES''' or '''3DES''' is '''effective'''. Apply DES three times with two or three different keys. This is also vulnerable to a meet-in-the-middle attack, but the work factor for that attack is 2<sup>112</sup>. That provides adequate protection for many applications, and no better attack is known.
 
Triple DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. For new applications, '''a newer cipher will generally be both faster and more secure'''. Triple DES provides only 2<sup>112</sup> strength against a [[meet-in-the-middle attack]]. Any of the [[#The_AES_generation | AES generation]] of ciphers is completely resistant to that attack, and for most of them no known attack is better than brute force which has cost 2<sup>127</sup>.
 
Triple DES is, however, still '''widely deployed in legacy applications'''. Consider a bank with several thousand ATM machines, with built-in hardware or well-tested software for triple DES. Changing those will certainly be expensive and will entail some risk of bugs in the new system; it may not be worth it.
 
Triple DES can be done with three keys, two keys or just one key, though the one-key variant should never be used. In all cases, the order of operations is EDE or encrypt-decrypt-encrypt.
 
The three-key variant is widely used; for example RFC 2451 specifies it for use in [[IPsec]].
 
In the two-key variant the first and third keys are the same. This gives a saving in key storage and key transmission overheads, only 112 bits are required rather than 168. Either two-key or three-key 3DES has 2<sup>112</sup> strength against a meet-in-the-middle attack, and that is the best known attack against either. The three-key variant is stronger against brute force, but that does not matter much since a better attack is known. Overall, it appears the two-key variant is just as strong.
 
The one-key variant is a "worst of both worlds" solution, the overheads of triple DES (three times those of DES) with the security of DES (inadequate against brute force attacks). The only possible reason to use this would be to make two systems communicate when one can only do DES and the other only Triple DES. Using one-key Triple DES on one end would allow encrypted communication, but it would only be as secure as DES.
 
=== GOST ===
 
The GOST cipher, and the related GOST hash algorithm, were standards in the [[Soviet Union]].
 
The GOST cipher <ref name="schneier">{{citation | page=331}} </ref> resembles DES in some ways; it is an iterated block cipher with a Feistel structure using eight s-boxes in the F function; each s-box produces four bits of output and these are combined to produce the 32-bit output. However, it differs from DES in other ways. There is no expansion from 32 bits to 48, so s-box inputs are only four bits rather than six, and there is no permutation of the output bits, only an 11-bit circular shift; these differences make GOST easier to implement in software than DES. However, they may also weaken the cipher; GOST compensates by increasing the number of rounds to 32 rather than DES's 16.
 
GOST also uses a 256-bit key which makes it, unlike DES, thoroughly resistant to [[brute force]] attacks.
 
Moreover, each implementation of GOST can use different S-boxes; an organisation can have its own implementation with its own S-boxes. If those S-boxes are kept secret, the total secret information is about 610 bits <ref name="schneier" />,
 
=== CAST ===
 
The original work on CAST was in [[Carlisle Adams]]' PhD thesis <ref>{{citation
| author = C. M. Adams
| title = A Formal and Practical Design Procedure for Substitution-Permutation Network Cryptosystems
| publisher = Department of Electrical Engineering, Queen's University
| date = 1990 }}</ref>. A well-known paper is "Constructing Symmetric Ciphers using the CAST Design Procedure".  <ref>{{citation
| author = C. M. Adams
| title = Constructing Symmetric Ciphers using the CAST Design Procedure
| journal = Designs, Codes and Cryptography
| publisher = Springer Netherlands
| date = November 1997
| url = http://jya.com/cast.html
}}</ref>. There is also a [http://www.patentstorm.us/patents/5825886.html US patent] on some of the techniques.
 
"CAST" is a general procedure for constructing a family of ciphers; individual ciphers have names like "CAST-128".
 
==== F function and S-boxes ====
 
CAST ciphers are Feistel ciphers using large S-boxes, 8*32 rather than the 6*4 of DES. They are primarily designed for software implementation, rather than the 1970s hardware DES was designed for, so looking up a full computer word at a time makes sense. An 8*32 S-box takes one K byte of storage; several can be used on a modern machine without difficulty.
 
In earlier Feistel ciphers, [[#DES | DES]] and [[#GOST | GOST]], the F function is essentially one round of an [[#Substitution-permutation networks | SP Network]]. These ciphers  use eight 6*4 or 4*4 S-boxes to get 32 bits of S-box output. Those bits, reordered by a simple transformation, become the 32-bit output of the F function. Avalanche properties are less than ideal since each output bit depends only on the inputs to one S-box. The output transformation compensates for this, ensuring that the output from one S-box in one round affects several S-boxes in the next round so that good avalanche is achieved after a few rounds.
 
CAST ciphers, and [[#Blowfish | Blowfish]], use bigger S-boxes and do not use S-box bits directly as F function output. Instead, they take 32-bit words from several S-boxes and combine them to form a 32-bit output, so that the '''F function has ideal avalanche properties''' &mdash; every output bit depends on all S-box output words, and therefore on all input bits and all key bits. With the Feistel structure and such an F function, complete avalanche &mdash; all 64 output bits depend on all 64 input bits &mdash; is achieved in three rounds. This also requires fewer S-box lookups than the eight in DES or GOST so the F function, and therefore the whole cipher, can be reasonably efficient.
 
No output transformation is required in such an F function, but one may be used anyway; CAST-128 has a key-dependent rotation.
 
The CAST S-boxes use [[bent function]]s (the most highly non-linear Boolean functions) as their columns. That is, the mapping from all the input bits to any single output bit is a bent function. Such S-boxes meet the '''strict avalanche criterion''' <ref name="SAC" />; not only does every every bit of round input and every bit of round key affect every bit of round output, but complementing any input bit has exactly a 50% chance of changing any given output bit. A paper on generating the S-boxes is Mister & Adams "Practical S-box Design"
<ref name="sbox">{{citation
<ref name="sbox">{{citation
  | author = S. Mister, C. Adams
  | author = S. Mister, C. Adams
Line 435: Line 247:
  | journal = Selected Areas in Cryptography (SAC '96)  
  | journal = Selected Areas in Cryptography (SAC '96)  
  | date = August, 1996
  | date = August, 1996
| url=http://adonis.ee.queensu.ca:8000/sac/sac96/papers/paper7.ps
  | pages = 61-76 }}</ref>.
  | pages = 61-76 }}</ref>.
Bent functions are combined to get additional desirable traits &mdash; a balanced S-box (equal probability of 0 and 1 output), miniumum correlation among output bits, and high overall S-box non-linearity.
Bent functions are combined to get additional desirable traits &mdash; a balanced S-box (equal probability of 0 and 1 output), minimum correlation among output bits, and high overall S-box nonlinearity.
 
The first CAST cipher <ref name="schneier" /> (in the thesis) was a Feistel cipher with 64-bit blocks, a 64-bit key, 8 rounds with 16-bit round keys, a very simple key schedule, and six 8*32 S-boxes. For the F function, split the 32-bit input into 4 bytes and the round key into 2 bytes. Run each of the 6 bytes through a different S-box to get 6 32-bit outputs and combine those outputs using XOR. This cipher was not much used; when people mention "CAST", they almost always mean the widely deployed CAST-128.


==== Resisting linear & differential attacks ====
[[Blowfish (cipher) | Blowfish]] uses a different approach, generating random S-boxes as part of the key scheduling operation at cipher setup time. Such S-boxes are not as nonlinear as the carefully constructed CAST ones, but they are nonlinear enough and, unlike the CAST S-boxes, they are unknown to an attacker.


One objective of the CAST design procedure is to produce ciphers that are not vulnerable to either [[linear cryptanalysis]] or [[differential cryptanalysis]]
In '''perfectly nonlinear S-boxes'''
<ref>{{citation
<ref>{{citation
  | author = H.M. Heys and S.E. Tavares
  | author = [[Kaisa Nyberg]]
  | title = On the Security of the CAST Encryption Algorithm
  | title = Perfect nonlinear S-boxes
  | journal = Canadian Conference on Electrical & Computer Engineering
  | journal = Eurocrypt'91, LNCS 547
  | date = September 1994 }}</ref>.
| publisher = Springer-Verlag
These are the only known attacks that break [[#DES| DES]] with less effort than brute force. More generally, they are the most powerful known [[cryptanalysis | cryptanalytic]] methods of attacking block ciphers. Both, however, require large numbers of known or chosen plaintexts, so a simple defense against them is to re-key often enough that the enemy cannot collect sufficient texts.
  | date = 1991 }}</ref>,
not only are all columns [[bent function]]s (the most nonlinear possible Boolean functions), but all linear combinations of columns are bent functions as well. This is possible only if <math>m \ge 2n</math>, there are at least twice as many input bits as output bits. Such S-boxes are therefore not much used.


CAST goes further, building a cipher that is '''provably immune to linear or differential analysis''' with any number of texts. The method, taking linear cryptanalysis as our example and abbreviating it LC, is as follows:
==== S-boxes in analysis ====
S-boxes are sometimes used as an analytic tool even for operations that are not actually implemented as S-boxes. Any operation whose output is fully determined by its inputs can be described by an S-box; concatenate all inputs into an index, look that index up, get the output. For example, the [[International Data Encryption Algorithm | IDEA]] cipher uses a multiplication operation with two 16-bit inputs and one 16-bit output; it can be modeled as a 32 by 16 S-box. In an academic paper, one might use such a model in order to apply standard tools for measuring S-box nonlinearity. A well-funded cryptanalyst might actually build the S-box (8 gigabytes of memory) either to use in his analysis or to speed up an attack.


: start from properties of the F function, particularly the bent functions in the S-boxes
=== Resisting linear & differential attacks ===
: derive a limit m, the maximum possible quality of any linear approximation to a single round
Two very powerful [[cryptanalysis | cryptanalytic]] methods of attacking block ciphers are [[linear cryptanalysis]] and [[differential cryptanalysis]]. The former works by finding linear approximations for the nonlinear components of a cipher, then combining them using the [[piling-up lemma]] to attack the whole cipher. The latter looks at how small changes in the input affect the output, and how such changes propagate through multiple rounds. These are the only known attacks that break [[Data Encryption Standard|DES]] with less effort than brute force, and they are completely general attacks that apply to any block cipher..
: consider the number of rounds, r, as a variable
: derive an expression for e, the effort required to break the cipher by LC, in terms of r and m
: find the minimum r such that e exceeds the effort required for brute force, making LC ''impractical''
: derive an expression for c, the number of chosen plaintexts required for LC, also in terms of r and m
: (LC with only known plaintext requires more texts, so it can be ignored)
: find the minimum r such that c exceeds the number of ''possible'' plaintexts, 2<sup>blocksize</sup>, making LC ''impossible''
A similar approach applied to differentials gives values for r that make differential cryptanalysis impractical or impossible. Choose the actual number of rounds so that, at a minimum, both attacks are impractical. Ideally, make both impossible, then add a safety factor.


This type of analysis is now a standard part of the cryptographer's toolkit. Many of the [[#The_AES_generation | AES candidates]], for example, included proofs along these lines in their design documentation, and [[#AES|AES]] itself uses such a calculation to determine the number of rounds required for various key sizes.
Both these attacks, however, require large numbers of known or chosen plaintexts, so a simple defense against them is to re-key often enough that the enemy cannot collect sufficient texts.


==== CAST-128 ====
Techniques introduced for [[CAST (cipher)|CAST]] go further, building a cipher that is '''provably immune to linear or differential analysis''' with any number of texts. The method, taking linear cryptanalysis as our example and abbreviating it LC, is as follows:
 
# start from properties of the round function (for CAST, from [[bent function]]s in the S-boxes)
'''CAST-128''', also called CAST5, is the best-known and most widely used CAST cipher. It replaced [[#IDEA | IDEA]] in [[PGP]] in version 3.0 and is specified in all versions of the [[Open PGP]] standard
# derive a limit <math>m</math>, the maximum possible quality of any linear approximation to a single round
<ref>{{citation
# consider the number of rounds, <math>r</math>, as a variable
| id=RFC 4880
# derive an expression for <math>e</math>, the effort required to break the cipher by LC, in terms of <math>r</math> and <math>m</math>
| title=OpenPGP Message Format
# find the minimum <math>r</math> such that <math>e</math> exceeds the effort required for brute force, making LC ''impractical''
| author= J. Callas, L. Donnerhacke, H. Finney,  D. Shaw & R. Thayer
# derive an expression for <math>c</math>, the number of chosen plaintexts required for LC, also in terms of <math>r</math> and <math>m</math> (LC with only known plaintext requires more texts, so it can be ignored)
| url = http://www.ietf.org/rfc/rfc4880.txt
# find the minimum <math>r</math> such that <math>c</math> exceeds the number of ''possible'' plaintexts, 2<sup>blocksize</sup>, making LC ''impossible''
| date=November 2007}}</ref>.
   
[[Nortel]] and their spin-off [[Entrust]] also used it in several products; Adams worked for both companies.
A similar approach applied to differentials gives values for <math>r</math> that make differential cryptanalysis impractical or impossible. Choose the actual number of rounds so that, at a minimum, both attacks are impractical. Ideally, make both impossible, then add a safety factor. There are other methods of constructing ciphers provably immune to these attacks. [[Serge Vaudenay]]'s work on [[decorrelation theory]] gives one <ref>{{citation
 
| author = Serge Vaudenay
CAST-128 is a Feistel cipher with 64-bit blocks and 16 rounds. Key sizes from 40 to 128 bits are supported; 128 is almost invariably used. There are eight 8*32 S-boxes, four used in the key schedule and the other four in actual encryption. Round keys are 37 bits.
| title= Decorrelation: A Theory for Block Cipher Security
 
| journal = Journal of Cryptology
The F function XORs the input with 32 bits of round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined non-linearly, using different combining functions in different rounds. Finally, the output is given a rotation controlled by the other 5 round key bits.
| publisher = Springer
 
|date= 2003
The cipher is freely available for any use. There is an RFC describing it; see [[Block_cipher/External_Links#RFCs_for_block_ciphers|external links]]. A descendant named [[#CAST-256 | CAST-256]] was an AES candidate; there is also an RFC for that.
 
The RFCs provide a set of standard S-boxes that are normally used in any implementation of either CAST-128 or CAST-256. However, it would be possible for a large organisation to have its own version of either cipher, by generating its own S-boxes using the Mister & Adams paper <ref name="sbox" /> as a guide.
 
=== Blowfish ===
 
'''Blowfish'''
<ref>{{citation
| author-Bruce Schneier
| title=Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)
| journal=Fast Software Encryption, Cambridge Security Workshop Proceedings
| publisher=Springer-Verlag
| date=December 1993
| pages=191-204
| url=http://www.schneier.com/blowfish.html
}}</ref>
}}</ref>
was designed by [[Bruce Schneier]]. It is a Feistel cipher with 64-bit blocks and 16 rounds. Supported key sizes are 32 to 576 bits; at least 128 is recommended.
and Knudsen-Nyberg ciphers are another. <ref>{{citation
 
| author = Kaissa Nyberg and Lars Knudsen
The F function XORs the input with the 32-bit round key, splits the result into bytes and runs each byte through a different S-box to get four 32-bit results. Those are combined non-linearly with x = ((a+b)^c)+d. As for [[Block_cipher#F_function_and_S-boxes|CAST]], the '''F function has ideal avalanche properties''' &mdash; every output bit depends non-linearly on all input bits and all key bits. Complete avalanche &mdash; all 64 output bits depend on all 64 input bits &mdash; is achieved in three rounds.
| title = Provable security against a differential attack
 
| journal =Journal of Cryptology
Blowfish S-boxes are key-dependent, randomly generated at cipher setup time. They are not as non-linear as the carefully optimised CAST S-boxes, but they have the advantage of being unknown to an attacker and they are, with overwhelming probability, non-linear enough. The key scheduling starts with a round key array of 18 32-bit entries (16 actual round keys plus 64 bits for [[#Whitening_and_tweaking|whitening]]) and four S-boxes, all initialised with apparently random bits derived from an expansion of pi. XOR the primary key into the round key array; the key can be any size up to the 576 bits of that array, Then run the cipher repeatedly and use the output to change both the round keys and the S-boxes; this takes 521 cipher iterations.
| date = 1995
 
For some applications, this key setup is inconveniently expensive; Blowfish may not be the best choice if keys need to be changed often. However, the actual encryption and decryption are fast.
 
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
 
=== IDEA ===
 
IDEA
<ref name=idea>{{citation
| author = X. Lai
| title = On the Design and Security of Block Ciphers
| journal = ETH Series in Information Processing, v. 1
| publisher = Hartung-Gorre Verlag
| date = 1992
}}</ref>
}}</ref>
is the [[International Data Encryption Algorithm]], a European standard. It is a iterated block cipher, but does not have a Feistel structure. Block size is 64 bits, key 128. No S-boxes are used.


IDEA achieves non-linearity by mixing operations from three different algebraic systems. All operations have 16-bit words as both input and output. Two are just bitwise XOR and addition modulo 2<sup>16</sup>. The third is basically multiplication modulo the prime number 2<sup>16</sup>+1, but modified so that the "x*0 yields zero for all x" case does not weaken the cipher.
This type of analysis is now a standard part of the cryptographer's toolkit. Many of the [[#The_AES_generation|AES candidates]], for example, included proofs along these lines in their design documentation, and [[AES]] itself uses such a calculation to determine the number of rounds required for various key sizes.


The IDEA multiplication operation is highly non-linear and has good avalanche properties; every output bit depends on all input bits. It requires both a multiplication and a remainder operation, so it is not nearly as cheap as addition or XOR, but it is reasonably fast on a modern 32-bit or larger CPU. In most environments it will be more expensive than S-box lookups but in some, such as an embedded processor with limited cache, it may be cheaper.
== DES and alternatives ==
 
The [[Data Encryption Standard]], DES, is among the best known and most thoroughly analysed block ciphers. It was invented by [[IBM]] and was made a US government standard, for non-classified government data and for regulated industries such as banking, in the late 70s. From then until about the turn of the century, it was very widely used. It is now considered obsolete because its 56-bit key is too short to resist [[brute force attack]]s if the opponents have recent technology.
In any case, IDEA uses only 8 rounds so it can afford a moderately expensive operation in the round function.
 
=== RC5 ===
 
RC5, '''Rivest Cipher 5''' was from [[Ron Rivest]]. It was the first well-known cipher to make extensive use of '''data-dependent rotations''' to achieve non-linearity. It is a Feistel cipher.


There is an RFC giving an RC5 specification for Internet use; see [[Block_cipher/External_Links#RFCs_for_block_ciphers | external links]].
The DES standard marked the beginning of an era in [[cryptography]]. Of course, much work continued to be done in secret by military and intelligence organisations of various nations, but from the time of DES cryptography also developed as an open academic discipline complete with journals, conferences, courses and textbooks. In particular, there was a lot of work related to block ciphers. For an entire generation, every student of [[cryptanalysis]] tried to find a way to break DES and every student of [[cryptography]] tried to devise a cipher that was demonstrably better than DES. Very few succeeded.


Its descendant [[#RC6 | RC6]], also using data-dependent rotations, was an AES finalist.  [[RSA Laboratories]] have a page describing both ciphers; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
Every new [[cryptanalysis|cryptanalytic]] technique invented since DES became a standard has been tested against DES. None of them have broken it completely, but two &mdash; [[differential cryptanalysis]] and [[linear cryptanalysis]] &mdash; give attacks theoretically significantly better than brute force. This does not appear to have much practical importance since both require enormous numbers of known or chosen plaintexts, all encrypted with the same key, so reasonably frequent key changes provide an effective defense. All the older publicly known cryptanalytic techniques have also been tried, or at least considered, for use against DES; none of them work.


=== Skipjack ===
DES served as a sort of baseline for cipher design through the 80s and 90s; the design goal for almost any 20th century block cipher was to replace DES in some of its many applications with something faster, more secure, or both. All these ciphers used 64-bit blocks, like DES, but most used 128-bit or longer keys for better resistance to brute force attacks.


Skipjack was a block cipher devised by the [[NSA]], originally intended for use in the controversial [[Clipper chip]]. It was to be used only in tamperproof hardware, and the algorithm was originally classified. This added to the controversy, with many people citing [[Kerckhoffs' Principle]] and arguing that a cipher whose details were classified could not be trusted. Some felt that nothing from the NSA should be trusted in any case.
Ciphers of this generation include:
* The [[Data Encryption Standard]] itself, the first well-known Feistel cipher, using 16 rounds and eight 6 by 4 S-boxes.
* The [[GOST cipher]], a Soviet standard similar in design to DES, a 32-round Feistel cipher using eight 4 by 4 S-boxes.
* IDEA, the [[International Data Encryption Algorithm]], a European standard, not a Feistel cipher, with only 8 rounds and no S-boxes.
* [[Rivest ciphers#RC2|RC2]], a Feistel cipher from [[RSA Security]] which was approved for easy export from the US (provided it was used with only a 40-bit key), so widely deployed.
* [[Rivest ciphers#RC5|RC5]], a Feistel cipher from [[RSA security]]. This was fairly widely deployed, often replacing RC2 in applications.
* [[CAST cipher#CAST-128|CAST-128]], a widely used 16-round Feistel cipher, with 8 by 32 S-boxes.
* [[Blowfish (cipher)| Blowfish]], another widely used 16-round Feistel cipher with 8 by 32 S-boxes.
* The [[Tiny Encryption Algorithm]], or '''TEA''', designed to be very small and fast but still secure, a 32-round Feistel cipher without S-boxes.
* [[Skipjack]], an algorithm designed by the [[NSA]] for use in the [[Clipper chip]], a 32-round unbalanced Feistel cipher.
* [[SAFER (cipher)|SAFER]] and [[LOKI (cipher)|LOKI]], two families of ciphers which each included an original version against which [[Lars Knudsen]] found an attack and a revised version to block that attack. Each had a descendant which was an [[#The_AES_generation|AES candidate]].
* [[Triple DES]], applying DES three times with different keys


Eventually, the algorithm was de-classified. Skipjack is an [[#Feistel structure|unbalanced Feistel cipher]] with 64-bit blocks, an 80-bit key and 32 rounds. Once the algorithm was public, the first paper describing an attack on a reduced-round version
Many of the techniques used in these ciphers came from DES and many of the design principles came from analysis of DES. However, there were also new design ideas. The [[CAST cipher|CAST]] ciphers were the first to use [[#large S-boxes|large S-boxes]] which allow the F-function of a [[Feistel cipher]] to have ideal [[#Avalanche|avalanche]] properties, and to use [[bent function]]s in the S-box columns. [[Blowfish (cipher)| Blowfish]] introduced key-dependent S-boxes. Several introduced new ways to achieve nonlinearity: data-dependent rotations in [[Rivest ciphers#RC5|RC5]], key-dependent rotations in [[CAST cipher#CAST-128|CAST-128]], a clever variant on multiplication in [[International Data Encryption Algorithm|IDEA]], and the [[pseudo-Hadamard transform]] in [[SAFER (cipher)|SAFER]].
<ref>{{citation
  | author = Eli Biham & Adi Shamir
  | title = Initial observations on Skipjack
  | url = http://www.cs.technion.ac.il/~biham/Reports/SkipJack/note1.html
}}</ref>
appeared in days and other papers on cryptanalysis of Skipjack
<ref>{{citation
  | author = Eli Biham, Adi Shamir & Alex Biryukov
  | title = Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials.
  | journal = EUROCRYPT
  | pages = 12-23
  | date = 1999
}}</ref>
<ref>{{citation
  | author = Lars Knudsen & David Wagner
  | title = Truncated differentials and Skipjack
  | journal = CRYPTO
  | date = 1999
}}
</ref>
followed.


=== TEA ===
The era effectively ended when the US government began working on a new cipher standard to replace their Data Encryption Standard, the [[Advanced Encryption Standard]] or AES. A whole new generation of ciphers arose, the first 21st century block ciphers. Of course these designs still drew on the experience gained in the post-DES generation, but overall these ciphers are quite different. In particular, they all use 128-bit blocks and most support key sizes up to 256 bits.
 
The '''Tiny Encryption Algorithm''', or '''TEA'''
<ref> {{citation
| title =  TEA, a Tiny Encryption Algorithm
| author = David J. Wheeler, Roger M. Needham
| url = http://www.cl.cam.ac.uk/ftp/users/djw3/tea.ps
| date = 1994 }}</ref>
is a cipher designed for small size and easy software implementation. It is a Feistel cipher with 64-bit blocks, a 128-bit key, 32 rounds and a very simple round function using only 32-bit operations &mdash; addition, bitwise XOR and shift. In C, the encryption and decryption routines are under 10 lines each. No S-boxes are used, so the data space required is also tiny.
 
TEA has some weaknesses. Equivalent keys are one problem; each key is equivalent to three others, so the effective key size is only 126 bits.
<ref name="kelsey1996">{{citation
| first = John
| last = Kelsey
| coauthors =  Schneier, Bruce; Wagner, David
| url = http://www.schneier.com/paper-key-schedule.pdf
| title = Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES
| journal =  Lecture Notes in Computer Science
| volume = 1109
| pages = 237–251 | date = 1996
| doi = 10.1007/3-540-68697-5_19}}</ref>
As a result, TEA is weak if used to build a [[cryptographic hash]]. This weakness led to a method for [[Hacker (computing)|hacking]] [[Microsoft]]'s [[Xbox]] [[game console]], where the cipher was used as a hash function.
<ref>{{cite web |url=http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System#Startup_Security.2C_Take_Two |title=17 Mistakes Microsoft Made in the Xbox Security System |author=Michael Steil }}</ref>
TEA is also susceptible to a [[related-key attack]] which requires 2<sup>23</sup> [[chosen plaintext]]s under a related-key pair, with 2<sup>32</sup> time complexity
<ref name="kelsey1997">{{citation
| first = John
| last = Kelsey
| coauthors =  Schneier, Bruce; Wagner, David
| title = Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X NewDES, RC2, and TEA
| url = http://citeseer.ist.psu.edu/318172.html |
journal = Lecture Notes in Computer Science |
volume = 1334 | pages = 233–246 | date = 1997 |
doi = 10.1007/BFb0028479}}</ref>.
 
Partly because of these weaknesses, a number of revisions of TEA have been designed. Block TEA or XTEA extends TEA to build a [[#Large-block_ciphers|variable block size]] cipher. XXTEA is a later revision.
 
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].


== The AES generation ==
== The AES generation ==
By the 90s, the [[Data Encryption Standard]] was clearly obsolete; its small key size made it more and more vulnerable to [[brute force attack]]s as computers became faster. The US [[National Institute of Standards and Technology]] (NIST) therefore began work on an [[Advanced Encryption Standard]], '''AES''', a block cipher to replace DES in government applications and in regulated industries.


Starting in the late 90s, the US [[National Institute of Standards and Technology]] (NIST) ran a contest to find a block cipher to replace [[#DES |DES]]. The entire process was completely open; even their requirements document was published and comment or criticism invited before a final version was written, and all of the later work toward the choice of a standard was public as well. The whole process was widely praised by cryptographers as a fine example of taking [[Kerckhoffs' Principle]] into account. This was in sharp contrast to some of the criticisms that had been made of the secrecy in the [[#DES|DES]] standardisation process which was run by [[NIST]]'s ancestor, the [[National Bureau of Standards]].  
To do this, they ran a very open international AES competition, starting in 1998. Their requirements specified a block cipher with 128-bit [[#Block_size | block size]] and support for 128, 192 or 256-bit [[#Key size | key sizes]]. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware.
 
The final requirements specified a block cipher with 128-bit [[#Block_size | block size]] and support for 128, 192 or 256-bit [[#Key size | key sizes]]. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware.
 
Fifteen submissions meeting basic criteria were received, not just from the US but from many other countries as well. All of the entries were [[#Iterated block ciphers | iterated block ciphers]]; in Shannon's terms all were [[#Cipher_structures|product ciphers]]. Most used an [[#SP network | SP network]] or [[#Feistel structure | Feistel structure]], or variations of those. Several had [[#Resisting_linear_.26_differential_attacks |  proofs of resistance]] to various attacks.
 
In alphabetical order, the fifteen first round candidates were:
: [[#CAST-256|CAST-256]], [[#CRYPTON|CRYPTON]], [[#DEAL|DEAL]], [[#DFC|DFC]], [[#E2|E2]], [[#FROG|FROG]], [[#Hasty Pudding|Hasty Pudding]], [[#LOKI97|LOKI97]], [[#MAGENTA|MAGENTA]], [[#MARS|MARS]], [[#RC6|RC6]], [[#AES|Rijndael]], [[#SAFER+|SAFER+]], [[#Serpent|Serpent]], and [[#Twofish|Twofish]]
All are described below.
 
NIST succeeded in rounding up a fine group of suspects; many of the world's best-known cryptographers participated in various design teams and others contributed to analysis of candidates. We provide a table listing some of the [[Block_cipher/Catalogs/AES_players|major players]] involved.
 
After much analysis and testing, and two conferences, the field was narrowed to five finalists &mdash; [[#Twofish | Twofish]], [[#MARS | MARS]], [[#Serpent | Serpent]],  [[#RC6 | RC6]], and  [[#AES | Rjindael]]. After another year of analysis and testing focused on the finalists, and another conference with all of the finalist teams giving presentations, they chose a winner. In October 2002, Rijndael was chosen to become the [[Advanced Encryption Standard]] or AES. See [[Block_cipher/External_Links#AES_links | external links]] for the official standard.
 
The contest was open and international and extensive work was done on testing and comparing the various candidates. To facilitate this, NIST defined some standard interfaces which everybody used. For almost all candidate ciphers, implementations with these interfaces are readily available; see [[Block_cipher/External_Links#AES_links | external links]]. Many, though not all, of these ciphers have open licenses. This means that anyone implementing AES has the option of adding other ciphers at minimum cost, in particular the other three finalists with open licenses  &mdash; [[#Twofish | Twofish]], [[#MARS | MARS]], and [[#Serpent | Serpent]]. This gives a cheap insurance policy against the (presumably remote) chance of someone finding a good attack on AES.
 
Because of the [[birthday attack]], a [[cryptographic hash]] needs to provide output of 2n bits to resist attacks as well as a cipher with an n-bit key. NIST has therefore issued standards for the [[SHA-2]] family of hashes &mdash; SHA-256, SHA-384 and SHA-512 to match the strength of AES, plus SHA-224 to match the 112-bit strength of [[#Triple DES | Triple DES]]. However, those hashes are all derived from [[SHA]] and weaknesses have been shown in that, so in 2008 NIST started a contest similar to the AES contest to design an [[Advanced Hash Standard]] which can (if it proves necessary) replace SHA-2 as AES replaced DES.
 
=== AES ===
 
The [[Advanced Encryption Standard]] or '''AES''' is the algorithm formerly known as '''Rijndael''' (pronounced approximately "rhine doll"). It was designed by two Belgians, Joan Daemen and Vincent Rijmen.
 
It is an iterated block cipher, but not a [[#Feistel structure | Feistel cipher]]; the overall structure is an [[#SP network | SP network]]. Non-linearity is obtained by mixing operations from different algebraic groups. There are four operations.


Two give confusion:
Fifteen submissions meeting basic criteria were received. All were [[#Iterated block ciphers|iterated block ciphers]]; in Shannon's terms all were [[#Cipher_structures|product ciphers]]. Most used an [[#SP network | SP network]] or [[#Feistel structure|Feistel structure]], or variations of those. Several had [[#Resisting_linear_.26_differential_attacks|proofs of resistance]] to various attacks. The [[AES competition]] article covers all candidates and many have their own articles as well. Here we give only a summary.
: AddRoundKey: bitwise XOR of 128-bit state and 128-bit round key
: SubBytes: run individual bytes through an 8*8 S-box
The other two give diffusion, treating the 128-bit block as a four by four matrix of bytes:
: ShiftRows: cyclicly shift each row by a fixed amount
: MixColumns: treat each column as a polynomial over the [[Galois field]] '''GF'''(''2<sup>8</sup>''); multiply it by one constant polynomial modulo another 


It encrypts 128-bit blocks with a 128, 192 or 256-bit key. The number of rounds varies with key size: 10 for 128-bit keys, 12 for 192-bit keys and 14 for 256-bit keys. The numbers of rounds were chosen based on an analysis showing that they are enough to give [[#Resisting_linear_.26_differential_attacks | resistance]] to [[linear cryptanalysis]] and [[differential cryptanalysis]].
After much analysis and testing, and two conferences, the field was narrowed to five finalists:
* [[Twofish]], a cipher with key-dependent S-boxes, from a team at [[Bruce Schneier]]'s company Counterpane
* [[MARS (cipher)| MARS]], a variant of Feistel cipher using data-dependent rotations, from [[IBM]]
* [[Serpent (cipher)| Serpent]], an SP network, from an international group of well-known players
* [[Rivest ciphers#RC6 | RC6]], a  cipher using data-dependent rotations, from a team led by [[Ron Rivest]]
* [[Advanced Encryption Standard | Rijndael]]. an SP network, from two Belgian designers


The cipher is freely available for any use. See [[Block_cipher/External_Links#AES_links | external links]] for much more information.
After another year of analysis and testing, they chose a winner. In October 2002, Rijndael was chosen to become the [[Advanced Encryption Standard]] or AES. See [[Block_cipher/External_Links#AES_links | external links]] for the official standard.


=== Other finalists ===
An entire [[#DES_and_alternatives|generation]] of block ciphers used the 64-bit block size of DES, but since AES many new designs use a 128-bit block size.


There were originally fifteen AES candidates, but that was narrowed to five finalists for the second round of analysis. This section covers the four ciphers that made it into the finals but did not win.
As discussed under [[#Size parameters|size parameters]], if two or more ciphers have the same block and key sizes, then they are effectively interchangeable; replacing one cipher with another requires no other changes in an application. When asked to implement AES, the implementer might include the other finalists &mdash; [[Twofish]], [[Serpent (cipher)| Serpent]]. [[Rivest ciphers#RC5|RC6]] and [[MARS (cipher)| MARS]] &mdash; as well. This provides useful insurance against the (presumably unlikely) risk of someone finding a good attack on AES. Little extra effort is required since open source implementations of all these ciphers are readily available, see [[Block_cipher/External_Links#AES_links|external links]]. All except RC6 have completely open licenses.


==== Twofish ====
There are also many other ciphers that might be used. There were ten AES candidates that did not make it into the finals:
* [[CAST (cipher)#CAST-256|CAST-256]], based on CAST-128 and with the same theoretical advantages
* [[DFC (cipher)| DFC]], based on another theoretical analysis proving resistance to various attacks.
* [[Hasty Pudding (cipher)|Hasty Pudding]], a variable block size [[#Whitening_and_tweaking|tweakable]] cipher
* [[DEAL (cipher)|DEAL]], a Feistel cipher using DES as the round function
* [[FROG (cipher)| FROG]], an innovative cipher; interesting but weak
* [[E2 (cipher)| E2]], from Japan
* [[CRYPTON (cipher)| CRYPTON]], a Korean cipher with some design similarities to AES
* [[MAGENTA (cipher)|MAGENTA]], Deutsche Telekom's candidate, quickly broken
* '''LOKI97''', one of the [[LOKI (cipher)|LOKI]] family of ciphers, from Australia
* '''SAFER+''', one of the [[SAFER (cipher)|SAFER]] family of ciphers, from Cylink Corporation


[[Twofish]]
Some should not be considered. Magenta and FROG have been broken, DEAL is slow, and E2 has been replaced by its descendant Camellia.
<ref>{{citation
| title = Twofish: A 128-Bit Block Cipher
| author = Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
| conference = First Advanced Encryption Standard (AES) Conference
| url = http://www.schneier.com/paper-twofish-paper.html
| date = 1998}}</ref>
was an AES finalist cipher from [[Bruce Schneier]]'s company [[Counterpane]]. Except for the name, it has little relationship to [[#Blowfish | Blowfish]]; Twofish was a new design.


Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 16-round [[#Feistel structure | Feistel cipher]] using four key-dependent 8*8 S-boxes.
There are also some newer 128-bit ciphers that are widely used in certain countries:


The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
* [[Camellia (cipher)|Camellia]], an 18-round Feistel cipher widely used in Japan and one of the standard ciphers for the [[NESSIE]] (New European Schemes for Signatures, Integrity and Encryption) project.
 
* [[SEED (cipher)|SEED]], developed by the [[Korean Information Security Agency]] (KISA) and widely used in Korea.
It has a successor named "Threefish", used in the [[Skein (hash algorithm) | Skein]] hash algorithm, a candidate in the [[Advanced Hash Standard]] contest.
 
==== Serpent ====
 
'''Serpent''' was an AES finalist cipher from an international team of well-known researchers &mdash; [[Ross Anderson]] (UK), [[Eli Biham]] (Israel), and [[Lars Knudsen]] (Norway). Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.
 
Serpent is an [[#SP network | SP network]] with 32 rounds. It uses eight 4 by 4 S-boxes, but unlike other ciphers it does not use them all in each round. Instead each round uses eight copies of the same S-box, so that 32-bit computer instructions can do eight 4-bit operations in parallel. Each of the eight S-boxes is used in four different rounds,
 
The cipher is freely available for any use.  It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
 
==== RC6 ====
 
'''RC6''' was an AES finalist cipher from a team led by [[Ron Rivest]]. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.
 
Like [[#RC5 | RC5]], RC6 made extensive use of data-dependent rotations. [[RSA Laboratories]] have a page describing both ciphers; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
.
 
RC6 is the only one of the five finalists which does not have a completely open license; it is still proprietary to [[RSA Laboratories]].
 
==== MARS ====
 
'''MARS'''  was an AES finalist cipher from [[IBM]]. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.
 
It uses a variant of the [[#Feistel structure | Feistel structure]] which they call a "type 3 Feistel network"; the 128-bit block is treated as four 32-bit sub-blocks; each round uses one sub-block as input and modifies all of the other three sub-blocks. Like RC6, it uses data-dependent rotations. One 9*32 S-box is used; for some operations it is treated as two 8*32 S-boxes.
 
The cipher is now freely available.  It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
 
=== Unconventional AES candidates ===
 
This section covers two AES candidate ciphers that introduced new design ideas. Neither was chosen for consideration in the final round.
 
==== Hasty Pudding ====
 
The '''Hasty Pudding''' cipher or '''HPC''', from [[Rich Schroeppel]] was, in some ways, the most interesting of the AES candidates. It did not make it into the finals.
 
Hasty Pudding is a '''variable size block cipher'''; blocks can be any size the application requires. It therefore might be ideal for things like encrypting disk blocks; see [[#Large block ciphers| large block ciphers]]. Also, quoting the home page "Arbitrary sets, such as dates, or the printable subset of ascii, or the 20-bit primes, can be encrypted to themselves." Key size is also variable; any integer number of bits. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits.
 
Hasty Pudding is also a [[#Whitening and tweaking| tweakable]] block cipher, though it was designed before that term came into use. What is now called the "tweak" is called "spice" in Hasty Pudding.
 
The cipher is freely available for any use.  It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
 
==== FROG ====
'''FROG'''
<ref>{{citation
| title= The FROG Encryption Algorithm
| author= Dianelos Georgoudis, Damian Leroux and Billy Simón Chaves
| date= June 15, 1998
}}</ref>
was an AES candidate cipher; it did not make it into the finals.
 
Like [[#Hasty Pudding|Hasty Pudding]], FROG is a [[#Large block ciphers| variable size block cipher]] and a rather unorthodox design. It supports block sizes from 8 to 128 bytes and key sizes from 5 to 125 bytes. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits.
 
FROG introduced a novel design principle. Most block ciphers use round keys as data, thereby making each round different, but each round uses exactly the same sequence of operations. FROG uses data derived from the primary key as a program for an interpreter, so that each round can use a different sequence of operations. Eight rounds are used. Encryption and decryption are fast, but the key schedule is rather slow because it has to build a program for the interpreter.
 
While it was generally agreed that FROG was an interesting bit of work, it was found to have some weaknesses
<ref>{{citation
| title= Cryptanalysis of FROG
| author= D. Wagner, N. Ferguson, and B. Schneier
| conference = Second AES candidate Conference
| date= 1999
| url = http://www.schneier.com/paper-frog.html
}}</ref>.
 
=== Other AES candidates ===
 
This section covers the other ciphers that were proposed as AES candidates but not chosen for consideration in the final round.
 
==== CAST 256 ====
 
'''CAST-256'''
<ref>{{citation
| id=RFC2612
| title=The CAST-256 Encryption Algorithm
| author= C. Adams & J. Gilchrist
| publisher=IETF
| date=June 1999
}}</ref>
was an AES candidate cipher from a Canadian team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.
 
It is a Feistel-like cipher extended to four 32-bit sub-blocks instead of the two sub-blocks used in CAST-128 for 64-bit blocks. In the terms used by the MARS team, it is a "type one Feistel network"; each round takes one 32-bit sub-block as input and alters one 32-bit sub-block;  48 rounds are used. The F function and S-boxes are from [[#CAST-128 | CAST-128]].
 
It is freely available for any use. There is an RFC describing it; see [[Block_cipher/External_Links#RFCs_for_block_ciphers|external links]].
 
==== CRYPTON ====
'''CRYPTON'''
<ref>{{citation
| title =  CRYPTON: A New 128-bit Block Cipher - Specification and Analysis (Version 1.0)
| author= Chae Hoon Lim, Hyo Sun Hwang
| url = http://crypt.future.co.kr/~chlim/pub/cryptonv10.ps
}}</ref>
<ref>{{citation
| title = Hardware Design and Performance Estimation of The 128-bit Block Cipher CRYPTON
| author = Eunjong Hong, Jai-Hoon Chung, Chae Hoon Lim
| url = http://dasan.sejong.ac.kr/~chlim/pub/ches99.doc
}}</ref>
was an AES candidate cipher from a Korean team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.
 
CRYPTON uses an SP network with 12 rounds, does byte-level substitutions, and for some operations treats the 128-bit text as a four-by-four array of bytes. Overall, the design is rather similar to [[#AES|AES]] though some of the operations are different.
 
==== DEAL ====
'''DEAL''', the '''Data Encryption Algorithm with Larger blocks'''
was an AES candidate cipher; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits.
 
DEAL is a Feistel cipher using [[#DES|DES]] as the F function. Six rounds were used with a 128-bit or 192-bit key and 8 rounds with a 256-bit key. The idea was originally proposed
<ref>{{citation
| title = DEAL - A 128-bit Block Cipher
| author = Lars Knudsen
| url = http://www2.mat.dtu.dk/people/Lars.R.Knudsen/newblock.html
}}</ref>
by [[Lars Knudsen]], but the AES submission was from [[Richard Outerbridge]]. Knudsen was a member of the [[#Serpent|Serpent]] team for AES.
 
DEAL has approximately the overheads of [[#Triple DES| Triple DES]], making it too slow to be a competitive candidate for AES. There were also some [[cryptanalysis|cryptanalytic]] results
<ref>{{citation
| author = John Kelsey & Bruce Schneier
| title = Key-Schedule Cryptanalysis of DEAL
| booktitle = Selected Areas in Cryptography (SAC '99)
| pages = 118-134
| publisher = Springer-Verlag
| date = August 1999
| url = http://www.schneier.com/paper-deal.html
}}</ref>
<ref>{{citation
| author = Stefan Lucks
| title = On Security of the 128-Bit Block Cipher DEAL
[ booktitle = Fast Software Encryption (FSE '99)
| date = 1999
| pages = 60-70
}}</ref>
against the cipher.
 
==== DFC ====
'''DFC''' or '''De-correlated Fast Cipher'''
<ref>{{citation
| title= H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay
| author= Decorrelated Fast Cipher: an AES candidate
| date= May 1998
| url = http://citeseer.ist.psu.edu/gilbert98decorrelated.html
}}</ref>
<ref>{{citation
| author = Louis Granboulan, Phong Q. Nguyen, Fabrice Noilhan, Serge Vaudenay
| title = DFCv2
| booktitle = Selected Areas in Cryptography, SAC 2000
| pages = 57-71
| publisher = Springer-Verlag
| date = 2000
| url = http://citeseer.ist.psu.edu/granboulan00dfcv.html
}}</ref>
was an AES candidate cipher from a French team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a six-round Feistel cipher using a single 6 by 32 S-box.
 
This cipher was based on [[Serge Vaudenay]]'s theoretical work on [[decorrelation theory]]. That theory gives methods of constructing ciphers which are provably immune to [[differential cryptanalysis]], [[linear cryptanalysis]], and any other attacks that meet some fairly broad assumptions.
 
However, some attacks on DFC were found by going outside those assumptions, [[Cryptanalysis#Side_channel_attacks|timing attack]]s on some implementations
<ref>{{citation
| author = Ian Harvey
| date = March 1999
| title = The DFC Cipher: An Attack on Careless Implementations
| conference = Second AES Candidate Conference
| url = http://csrc.nist.gov/archive/aes/round1/conf2/papers/harvey.pdf
| doi = 10.1.1.42.3196
}}</ref>
and a more general attack using a variant of differential analysis
<ref>{{citation
| author = Lars Knudsen & Vincent Rijmen
    | title = On the Decorrelated Fast Cipher (DFC) and Its Theory
    | booktitle = 6th International Workshop on [[Fast Software Encryption]] (FSE '99)
    | pages = pp.81&ndash;94
    | publisher = Springer-Verlag
    | date - March 1999
    | url = http://www.cosic.esat.kuleuven.be/publications/article-367.ps
}}</ref>.
 
==== E2 ====
'''E2''' was an AES candidate cipher from [[Nippon Telephone and Telegraph]]; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 12-round Feistel network using a single 8 by 8 S-box.
 
There has been no published cryptanalysis of the full E2, but there is an attack on a reduced-round version
<ref>{{ citation
| author = Mitsuru Matsui, Toshio Tokita
| title = Cryptanalysis of a Reduced Version of the Block Cipher E2
| booktitle = 6th International Workshop on [[Fast Software Encryption]] (FSE 1999)
| pages = 71-80
| publisher = Springer-Verlag
| date = March 1999
| url = http://www.mathmagic.cn/Crypt1998-2003/bibs/1636/16360071.htm
}}</ref>.
 
[[#Camellia|Camellia]] shares some design features with E2 and has largely replaced it.
 
==== LOKI97 ====
'''LOKI97''' was an AES candidate cipher from an Australian group; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. LOKI97 is one of a whole family of LOKI ciphers designed by the same group. It is a 16-round Feistel cipher with an F function that is basically two rounds of an SP network. This contrasts with [[#DES|DES]] where the F function is a single SP round.
 
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
 
==== MAGENTA ====
'''MAGENTA''' or '''Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications''' was [[Deutsche Telekom]]'s entry in the AES competition. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a Feistel cipher with six or eight rounds.
 
MAGENTA
<ref>{{citation
| title = The MAGENTA Block Cipher Algorithm
| author = M J Jacobson Jr & K Huber
| url = http://vision.gel.ulaval.ca/~klein/maitrise/aes/magenta.pdf
}}</ref>
is often cited as an example of [[Kerckhoffs' Principle]], a demonstration of why unpublished and therefore unanalysed ciphers cannot be trusted. Of the 15 AES candidates, 14 were made public before the first AES conference. The MAGENTA team were the one exception; they made nothing public until their conference presentation. That presentation was given one morning, to an audience that included many of the world's top cryptographers. Some saw flaws, and there was intense discussion over lunch. By that evening, a draft paper on breaking the cipher was circulating and the final version
<ref>{{citation
| author = Eli Biham, Alex Biryukov, Niels Ferguson, Lars Knudsen, Bruce Schneier and Adi Shamir
| title = Cryptanalysis of Magenta
| conference = Second AES candidate conference
| date = April 1999
| url = http://www.schneier.com/paper-magenta.pdf
}}</ref>
was presented at the second AES conference. The attackers included members of both the Twofish and Serpent teams, plus others.
 
==== Safer+ ====
'''Safer+''' was an AES candidate cipher; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is an SP network using two S-boxes. 8 rounds are used with a 128-bit key, 12 for a 192-bit key, and 15 for a 256-bit key.
 
Safer+ is one of a family of [[SAFER]] or '''Secure and Fast Encryption Routine''' ciphers designed by [[James Massey]] and co-workers for [[Cylink]] Corporation. All of these ciphers are unpatented and freely available for any use. There have been published attacks on some of them, but later versions have modifications to block those attacks.
 
=== Other 128-bit ciphers ===
 
An entire [[#DES_and_alternatives|generation]] of block ciphers used the 64-bit block size of [[#DES|DES]], but since [[#AES|AES]] many new designs use a 128-bit block size. This section describes some of them.
 
==== Camellia ====
'''Camellia''' is a cipher from [[Mitsubshi]] and [[Nippon Telephone and Telegraph]]. It was not an AES candidate, but has the same 128-bit block size so it could be used as a drop-in replacement for AES in many applications. It is one of the standard ciphers for the [[NESSIE]] (New European Schemes for Signatures, Integrity and Encryption) project.
 
Camellia is an 18-round Feistel cipher. Some of the design is quite similar to NTT's earlier cipher [[#E2|E2]], which was an AES candidate.
 
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].
 
==== SEED ====
'''SEED''' is a block cipher developed by the [[Korean Information Security Agency]] (KISA) and widely used in Korea. It was not an AES candidate. It is a 16-round Feistel cipher using two 8 by 8 S-boxes. It uses 128-bit blocks and takes a 128-bit key, so it could be used as a drop-in replacement for AES-128 in many applications
 
It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]].


== Large-block ciphers ==
== Large-block ciphers ==
For most applications a 64-bit or 128-bit block size is a fine choice; nearly all common block ciphers use one or the other. Such ciphers can be used to encrypt objects larger than their block size; just choose an appropriate [[Block cipher modes of operation|mode of operation]].


For most applications a 64-bit or 128-bit block size is a fine choice; nearly all common block ciphers use one or the other. Such ciphers can be used to encrypt objects larger than their block size; just choose an appropriate [[Block cipher modes of operation|mode of operation]].
For nearly all ciphers, the block size is a power of two. [[Joan Daemen]]'s PhD thesis, though, had two exceptions: [[3-Way]] uses 96 bits (three 32-bit words) and [[BaseKing]] 192 (three 64-bit words). Neither cipher was widely used, but they did influence later designs. Daemen was one of the designers of [[Square (cipher)|Square]] and of Rijndael which became the [[Advanced Encryption Standard]].


However, a few ciphers supporting larger block sizes do exist; this section discusses them.
A few ciphers supporting larger block sizes do exist; this section discusses them.


A block cipher with larger blocks may be more efficient; it takes fewer block operations to encrypt a given amount of data. It may also be more secure in some ways; diffusion takes place across a larger block size, so data is more thoroughly mixed, and large blocks make a [[code book attack]] more difficult. On the other hand, great care must be taken to ensure adequate diffusion within a block so a large-block cipher may need more rounds, larger blocks require more padding, and there is not a great deal of literature on designing and attacking such ciphers so it is hard to know if one is secure. Large-block ciphers are inconvenient for some applications and simply do not fit in some protocols.
A block cipher with larger blocks may be more efficient; it takes fewer block operations to encrypt a given amount of data. It may also be more secure in some ways; diffusion takes place across a larger block size, so data is more thoroughly mixed, and large blocks make a [[code book attack]] more difficult. On the other hand, great care must be taken to ensure adequate diffusion within a block so a large-block cipher may need more rounds, larger blocks require more padding, and there is not a great deal of literature on designing and attacking such ciphers so it is hard to know if one is secure. Large-block ciphers are inconvenient for some applications and simply do not fit in some protocols.


Some block ciphers, such as [[#TEA | Block TEA]] and [[#Hasty Pudding|Hasty Pudding]], support variable block sizes. They may therefore be both efficient and convenient in applications that need to encrypt many items of a fixed size, for example disk blocks or database records. However, just using the cipher in [[Block_cipher_modes_of_operation#Electronic_Code_Book.2C_ECB | ECB mode]] to encrypt each block under the same key is unwise, especially if encrypting many objects. With ECB mode, identical blocks will encrypt to the same ciphertext and give the enemy some information. One solution is to use a [[#Whitening_and_tweaking| tweakable]] cipher such as Hasty Pudding with the block number or other object identifier as the tweak. Another is to use [[Block_cipher_modes_of_operation#Cipher_Block_Chaining.2C_CBC |CBC mode]] with an initialisation vector derived from an object identifier.
Some block ciphers, such as [[Tiny Encryption Algorithm| Block TEA]] and [[Hasty Pudding (cipher)|Hasty Pudding]], support variable block sizes. They may therefore be both efficient and convenient in applications that need to encrypt many items of a fixed size, for example disk blocks or database records. However, just using the cipher in [[Block_cipher_modes_of_operation#Electronic_Code_Book.2C_ECB | ECB mode]] to encrypt each block under the same key is unwise, especially if encrypting many objects. With ECB mode, identical blocks will encrypt to the same ciphertext and give the enemy some information. One solution is to use a [[#Whitening_and_tweaking|tweakable]] cipher such as Hasty Pudding with the block number or other object identifier as the tweak. Another is to use [[Block_cipher_modes_of_operation#Cipher_Block_Chaining.2C_CBC |CBC mode]] with an initialisation vector derived from an object identifier.


[[Cryptographic hash]] algorithms can be built using a block cipher as a component. There are general-purpose methods for this that can use existing block ciphers; ''Applied Cryptography''
[[Cryptographic hash]] algorithms can be built using a block cipher as a component. There are general-purpose methods for this that can use existing block ciphers; ''Applied Cryptography''
<ref name="schneier" />
<ref name="schneier">{{citation
gives a long list and describes weaknesses in many of them. However, some hashes include a specific-purpose block cipher as part of the hash design. One example is [[Hash_(cryptography)#Whirlpool|Whirlpool]], a 512-bit hash using a block cipher similar in design to [[#AES|AES]] but with 512-bit blocks and a 512-bit key. Another is the [[Hash_(cryptography)#The_Advanced_Hash_Standard | Advanced Hash Standard]] candidate [[Hash_(cryptography)#Skein|Skein]] which uses a [[#Whitening_and_tweaking| tweakable]] block cipher called Threefish. Threefish has 256-bit, 512-bit and 1024-bit versions; in each version block size and key size are both that number of bits.
| first = Bruce | last = Schneier
| title = Applied Cryptography
| date = 2nd edition, 1996,
| publisher = John Wiley & Sons
|ISBN =0-471-11709-9}}</ref>
gives a long list and describes weaknesses in many of them. However, some hashes include a specific-purpose block cipher as part of the hash design. One example is [[Hash_(cryptography)#Whirlpool|Whirlpool]], a 512-bit hash using a block cipher similar in design to AES but with 512-bit blocks and a 512-bit key. Another is the [[Hash_(cryptography)#The_Advanced_Hash_Standard|Advanced Hash Standard]] candidate [[Hash_(cryptography)#Skein|Skein]] which uses a [[#Whitening_and_tweaking| tweakable]] block cipher called [[Threefish]]. Threefish has 256-bit, 512-bit and 1024-bit versions; in each version block size and key size are both that number of bits.


It is possible to go the other way and use any [[cryptographic hash]] to build a block cipher; again  ''Applied Cryptography'' <ref name="schneier" /> has a list of techniques and describes weaknesses. The simplest method is to make a Feistel cipher with double the hash's block size; the F function is then just to hash text and round key together. This technique is rarely used, partly because a hash makes a rather expensive round function and partly because the block cipher block size would have to be inconveniently large; for example using a 160-bit bit hash such as [[SHA-1]] would give a 320-bit block cipher.
It is possible to go the other way and use any [[cryptographic hash]] to build a block cipher; again  ''Applied Cryptography'' <ref name="schneier" /> has a list of techniques and describes weaknesses. The simplest method is to make a Feistel cipher with double the hash's block size; the F-function is then just to hash text and round key together. This technique is rarely used, partly because a hash makes a rather expensive round function and partly because the block cipher block size would have to be inconveniently large; for example using a 160-bit bit hash such as [[SHA-1]] would give a 320-bit block cipher.


The hash-to-cipher technique was, however, important in one legal proceeding, the [[Cryptography_controversy#Export_Controls | Bernstein case]]. At the time, US law strictly controlled export of cryptography because of its possible military uses, but hash functions were allowed because they are designed to provide authentication rather than secrecy. Bernstein's code built a block cipher from a hash, effectively circumventing those regulations. Moreover, he sued the government over his right to publish his work, claiming the export regulations were an unconstitutional restriction on freedom of speech. The courts agreed, effectively striking down the export controls.
The hash-to-cipher technique was, however, important in one legal proceeding, the [[Cryptography_controversy#Export_Controls|Bernstein case]]. At the time, US law strictly controlled export of cryptography because of its possible military uses, but hash functions were allowed because they are designed to provide authentication rather than secrecy. Bernstein's code built a block cipher from a hash, effectively circumventing those regulations. Moreover, he sued the government over his right to publish his work, claiming the export regulations were an unconstitutional restriction on freedom of speech. The courts agreed, effectively striking down the export controls.


It is also possible to use a [[public key]] operation as a block cipher. For example, one might use [[RSA]] with 1024-bit keys as a block cipher with 1024-bit blocks. Since the round function is itself cryptographically secure, only one round is needed. However, this is rarely done; public key techniques are expensive so this would give a very slow block cipher. A much more common practice is to use [[public key]] methods, block ciphers, and [[cryptographic hash]]es together in a [[hybrid cryptosystem]].
It is also possible to use a [[public key]] operation as a block cipher. For example, one might use the [[RSA algorithm]] with 1024-bit keys as a block cipher with 1024-bit blocks. Since the round function is itself cryptographically secure, only one round is needed. However, this is rarely done; public key techniques are expensive so this would give a very slow block cipher. A much more common practice is to use public key methods, block ciphers, and cryptographic hashes together in a [[hybrid cryptosystem]].


==References==
==References==
{{reflist|2}}
{{reflist|2}}[[Category:Suggestion Bot Tag]]

Latest revision as of 16:00, 19 July 2024

This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see
Category:Articles for deletion.


In cryptography, block ciphers are one of the two main types of symmetric cipher; they operate on fixed-size blocks of plaintext, giving a block of ciphertext for each. The other main type are stream ciphers, which generate a continuous stream of keying material to be mixed with messages.

The basic function of block ciphers is to keep messages or stored data secret; the intent is that an unauthorised person be completely unable to read the enciphered material. Block ciphers therefore use a key and are designed to be hard to read without that key. Of course an attacker's intent is exactly the opposite; he wants to read the material without authorisation, and often without the key. See cryptanalysis for his methods.

Among the best-known and most widely used block ciphers are two US government standards. The Data Encryption Standard (DES) from the 1970s is now considered obsolete; the Advanced Encryption Standard (AES) replaced it in 2002. To choose the new standard, the National Institute of Standards and Technology ran an AES competition. Fifteen ciphers were entered, five finalists selected, and eventually AES chosen. Text below gives an overview; for details of the process and the criteria, and descriptions of all fifteen candidates, see the AES competition article.

These standards greatly influenced the design of other block ciphers, and the latter part of this article is divided into sections based on that. DES and alternatives describes 20th century block ciphers, all with the 64-bit block size of DES. The AES generation describes the next generation, the first 21st century ciphers, all with the 128-bit block size of AES. Large-block ciphers covers a few special cases that do not fit in the other sections.

Context

Block ciphers are essential components in many security systems. However, just having a good block cipher does not give you security, much as just having good tires does not give you transportation. It may not even help; good tires are of little use if you need a boat. Even in systems where block ciphers are needed, they are never the whole story. This section gives an overview of the rest of the story; it aims to provide a context for the rest of the article by mentioning some issues that, while outside the study of the ciphers themselves, are crucially important in understanding and using these ciphers.

Any cipher is worthless without a good key. Keys must be kept secure, they should be large enough and sufficiently random that searching for the key (a brute force attack) is effectively impossible, and in any application which encrypts large volumes of data, the key must be changed from time to time. See the cryptography article for discussion.

It is hard to design any system that must withstand adversaries; see cryptography is difficult. In particular, block ciphers must withstand cryptanalysis; it is impossible to design a good block cipher, or to evaluate the security of one, without a thorough understanding of the available attack methods. Also, Kerckhoffs' Principle applies to block ciphers; no cipher can be considered secure unless it can resist an attacker who knows all its details except the key in use. Analysis of security claims cannot even begin until all internal details of a cipher are published, so anyone making security claims without publishing those details will be either ignored or mocked by most experts.

A block cipher defines how a single block is encrypted; a mode of operation defines how multiple block encryptions are combined to achieve some larger goal. Using a mode that is inappropriate for the application at hand may lead to insecurity, even if the cipher itself is secure. A block cipher can be used to build another cryptographic function such as a random number generator, a stream cipher, or a cryptographic hash. These are primarily a matter of choosing the correct mode, but there are more general design issues as well; see the linked articles for details.

Block ciphers are often used as components in hybrid cryptosystems; these combine public key (asymmetric) cryptography with secret key (symmetric) techniques such as block ciphers or stream ciphers. Typically, the symmetric cipher is the workhorse that encrypts large amounts of data; the public key mechanism manages keys for the symmetric cipher and provides authentication. Generally other components such as cryptographic hashes and a cryptographically strong random number generator are required as well. Such a system can only be as strong as its weakest link, and it may not even be that strong. Using secure components including good block ciphers is certainly necessary, but just having good components does not guarantee that the system will be secure. See hybrid cryptosystem for how the components fit together, and information security for broader issues.

That said, we turn to the block ciphers themselves.

Size parameters

One could say there are only three things to worry about in designing a block cipher:

  • make the block size large enough that an enemy cannot create a code book, collecting so many known plaintext/ciphertext pairs that the cipher is broken.
  • make the key size large enough that he cannot use a brute force attack, trying all possible keys
  • then design the cipher well enough that no other attack is effective

Getting adequate block size and key size is the easy part; just choose large enough numbers. This section describes how those choices are made. Making ciphers that resist attacks that are cleverer than brute force (see cryptanalysis) is far more difficult. The following section, Principles and techniques covers ideas and methods for that.

Later on, we describe two generations of actual ciphers. The 20th century ciphers use 64-bit blocks and key sizes from 56 bits up. The 21st century ciphers use 128-bit blocks and 128-bit or larger keys.

If two or more ciphers use the same block and key sizes, they are effectively interchangeable. One can replace another in almost any application without requiring any other change to the application. This might be done to comply with a particular government's standards, to replace a cipher against which some new attack had been discovered, to provide efficiency in a particular environment, or simply to suit a preference.

Nearly all cryptographic libraries give a developer a choice of components, and some protocols such as IPsec allow a network administrator to select ciphers. This may be a good idea if all the available ciphers are strong, but if some are weak it just gives the developer or administrator, neither of whom is likely to be an expert on ciphers, an opportunity to get it wrong. There is an argument that supporting multiple ciphers is an unnecessary complication. On the other hand, being able to change ciphers easily if one is broken provides a valuable safety mechanism. Striking some sort of balance with a few strong ciphers is probably the best policy.

Block size

The block size of a cipher is chosen partly for implementation convenience; using a multiple of 32 bits makes software implementations simpler. However, it must also be large enough to guard against code book attacks.

DES and the generation of ciphers that followed it all used a 64-bit block size. To weaken such a cipher significantly the attacker must build up a code book with 232 blocks, 32 gigabytes of data, all encrypted with the same key, As long as the cipher user changes keys reasonably often, a code book attack is not a threat. Procedures and protocols for block cipher usage therefore always include a re-keying policy.

However, with Moore's Law making larger code books more practical, NIST chose to play it safe in their AES specifications; they used a 128-bit block size. This was a somewhat controversial innovation at the time (1998), since it meant changes to a number of applications and it was not absolutely clear that the larger size was necessary. However, it has since become common practice; later ciphers such as Camellia, SEED and ARIA also use 128 bits.

There are also a few ciphers which either support variable block size or have a large fixed block size. See the section on large-block ciphers for details.

Key size

In theory, any cipher except a one-time pad can be broken by a brute force attack; the enemy just has to try keys until he finds the right one. However, the attack is practical only if the cipher's key size is inadequate. If the key uses Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} bits, there are 2n possible keys and on average the attacker must test half of them, so the average cost of the attack is 2n-1 encryptions.

Current block ciphers all use at least 128-bit keys, which makes brute force attacks utterly impractical. Suppose an attacker has a billion processors in a monster parallel machine (several orders of magnitude more than any current machine) and each processor can test a billion keys a second (also a generous estimate; if the clock is k GHz, the processor must do an encryption in k cycles to achieve this). This amazingly powerful attacker can test about 260 keys a second, so he needs 267 seconds against a 128-bit key. There are about 225 seconds in a year, so that is about 242 years. This is over 4,000,000,000,000 (four trillion) years so the cipher is clearly secure against brute force.

Many ciphers support larger keys as well; the reasons are discussed in the brute force attack article.

Principles and techniques

This section introduces the main principles of block cipher design, defines standard terms, and describes common techniques.

All of the principles and many of the terms and techniques discussed here for block ciphers also apply to other cryptographic primitives such as stream ciphers and cryptographic hash algorithms.

Iterated block ciphers

Nearly all block ciphers are iterated block ciphers; they have multiple rounds, each applying the same transformation to the output of the previous round. At setup time, a number of round keys or subkeys are computed from the primary key; the method used is called the cipher's key schedule. In the actual encryption or decryption, each round uses its own round key. This allows the designer to define some relatively simple transformation, called a round function, and apply it repeatedly to create a cipher with enough overall complexity to thwart attacks.

Three common ways to design iterated block ciphers — SP networks, Feistel structures and the Lai-Massey construction — and two important ways to look at the complexity requirements — avalanche and nonlinearity — are covered in following sections.

Any iterated cipher can be made more secure by increasing the number of rounds or made faster by reducing the number. In choosing the number of rounds, the cipher designer tries to strike a balance that achieves both security and efficiency simultaneously. Often a safety margin is applied; if the cipher appears to be secure after a certain number of rounds, the designer specifies a somewhat larger number for actual use.

There is a trade-off that can be made in the design. With a simple fast round function, many rounds may be required to achieve adequate security; for example, GOST and TEA both use 32 rounds. A more complex round function might allow fewer rounds; for example, IDEA uses only 8 rounds. Since the ciphers with fast round functions generally need more rounds and the ones with few rounds generally need slower round functions, neither strategy is clearly better. Secure and reasonably efficient ciphers can be designed either way, and compromises are common.

In cryptanalysis it is common to attack reduced round versions of a cipher. For example, in attacking a 16-round cipher, the analyst might start by trying to break a two-round or four-round version. Such attacks are much easier. Success against the reduced round version may lead to insights that are useful in work against the full cipher, or even to an attack that can be extended to break the full cipher.

Whitening and tweaking

Nearly all block ciphers use the same basic design, an iterated block cipher with multiple rounds. However, some have additional things outside that basic structure.

Whitening involves mixing additional material derived from the key into the plaintext before the first round, or into the ciphertext after the last round, or both. The technique was introduced by Ron Rivest in DES-X and has since been used in other ciphers such as RC6, Blowfish and Twofish. If the whitening material uses additional key bits, as in DES-X, then this greatly increases resistance to brute force attacks because of the larger key. If the whitening material is derived from the primary key during key scheduling, then resistance to brute force is not increased since the primary key remains the same size. However, using whitening is generally much cheaper than adding a round, and it does increase resistance to other attacks; see papers cited for DES-X.

A recent development is the tweakable block cipher [1]. Where a normal block cipher has only two inputs, plaintext and key, a tweakable block cipher has a third input called the tweak. The tweak, along with the key, controls the operation of the cipher. Whitening can be seen as one form of tweaking, but many others are possible.

If changing tweaks is sufficiently lightweight, compared to the key scheduling operation which is often fairly expensive, then some new modes of operation become possible. Unlike the key, the tweak need not always be secret, though it should be somewhat random and in some applications it should change from block to block. Tweakable ciphers and the associated modes are an active area of current research.

The Hasty Pudding Cipher was one of the first tweakable ciphers, pre-dating the Tweakable Block Ciphers paper and referring to what would now be called the tweak as "spice".

Avalanche

The designer wants changes to quickly propagate through the cipher. This was named the avalanche effect in a paper [2] by Horst Feistel. The idea is that changes should build up like an avalanche, so that a tiny initial change (consider a snowball tossed onto a mountain) quickly creates large effects. The term and its exact application were new, but the basic concept was not; avalanche is a variant of Claude Shannon's diffusion, and that in turn is a formalisation of ideas that were already in use.

If a single bit of input or of the round key is changed at round Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} , that should affect all bits of the ciphertext by round Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n+x} for some reasonably small Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle x} . Ideally, would be 1, but this is not generally achieved in practice. Certainly Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle x} must be much less than the total number of rounds; if Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle x} is large, then the cipher will need more rounds to be secure.

The strict avalanche criterion [3] is a strong version of the requirement for good avalanche properties. Complementing any single bit of the input or the key should give exactly a 50% chance of a change in any given bit of output.

Cipher structures

In Claude Shannon's [4] terms, a cipher needs both confusion and diffusion, and a general design principle is that of the product cipher which combines several operations to achieve both goals. This goes back to the combination of substitution and transposition in various classical ciphers from before the advent of computers. All modern block ciphers are product ciphers.

Two structures are very commonly used in building block ciphers — SP networks and the Feistel structure. The Lai-Massey construction is a third alternative, less common than the other two. In Shannon's terms, all of these are product ciphers. Any of these structures is a known quantity for a cipher designer, part of the toolkit. He or she gets big chunks of a design — an overall cipher structure with a well-defined hole for the round function to fit into — from the structure, This leaves him or her free to concentrate on the hard part, designing the actual round function. None of these structures gives ideal avalanche in a single round but, with any reasonable round function, all give excellent avalanche after a few rounds.

Not all block ciphers use one of these structures, but most do. This section describes these common structures.

SP networks

A substitution-permutation network or SP network or SPN is Shannon's own design for a product cipher. It uses two layers in each round: a substitution layer provides confusion, then a permutation layer provides diffusion.

The S-layer typically uses look-up tables called substitution boxes or S-boxes, though other mechanisms are also possible. The input is XOR-ed with a round key, split into parts and each part used as an index into an S-box. The S-box output then replaces that part so the combined S-box outputs become the S-layer output. S-boxes are discussed in more detail in their own section below.

The P-layer permutes the resulting bits, providing diffusion or in Feistel's terms helping to ensure avalanche.

A single round of an SP network does not provide ideal avalanche; output bits are affected only by inputs to their S-box, not by all input bits. However, the P-layer ensures that the output of one S-box in one round will affect several S-boxes in the next round so, after a few rounds, overall avalanche properties can be very good.

Feistel structure

Another way to build an iterated block cipher is to use the Feistel structure. This technique was devised by Horst Feistel of IBM and used in DES. Such ciphers are known as Feistel ciphers or Feistel networks. In Shannon's terms, they are another class of product cipher.

Feistel ciphers are sometimes referred to as Luby-Rackoff ciphers after the authors of a theoretical paper [5] analyzing some of their properties. Later work [6] based on that shows that a Feistel cipher with seven rounds can be secure.

In a Feistel cipher, each round uses an operation called the F-function whose input is half a block and a round key; the output is a half-block of scrambled data which is XOR-ed into the other half-block of text. The rounds alternate direction — in one data from the left half-block is input and the right half-block is changed, and in the next round that is reversed.

Showing the half-blocks as left and right, bitwise XOR as Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} (each bit of the output word is the XOR of the corresponding bits of the two input words) and round key for round Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} as kn, even numbered rounds are then:

Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \text{left}_n = \text{left}_{n-1} \oplus F( \text{right}_{n-1}, k_n ) }
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \text{right}_n = \text{right}_{n-1} }

and odd-numbered rounds are

Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \text{right}_n = \text{right}_{n-1} \oplus F( \text{left}_{n-1}, k_n ) }
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \text{left}_n = \text{left}_{n-1} }

Since XOR is its own inverse (aFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} bFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} b=a for any a,b) and the half-block that is used as input to the F-function is unchanged in each round, reversing a Feistel round is straightforward. Just calculate the F-function again with the same inputs and XOR the result into the ciphertext to cancel out the previous XOR. For example, the decryption step matching the first example above is:

Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \text{left}_{n-1} = \text{left}_n \oplus F( \text{right}_n, k_n ) }
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \text{right}_{n-1} = \text{right}_n }

In some ciphers, including those based on SP networks, all operations must be reversible so that decryption can work. The main advantage of a Feistel cipher over an SP network is that the F-function itself need not be reversible, only repeatable. This gives the designer extra flexibility; almost any operation he can think up can be used in the F-function. On the other hand, in the Feistel construction, only half the output changes in each round while an SP network changes all of it in a single round.

A single round in a Feistel cipher has less than ideal avalanche properties; only half the output is changed. However, the other half is changed in the next round so, with a good F-function, a Feistel cipher can have excellent overall avalanche properties within a few rounds. It is possible to design a Feistel cipher so that the F-function itself has ideal avalanche properties — every output bit depends nonlinearly on every input bit and every key bit — details are in a later section.

There is a variant called an unbalanced Feistel cipher in which the block is split into two unequal-sized pieces rather than two equal halves. Skipjack was a well-known example. There are also variations which treat the text as four blocks rather than just two; MARS and CAST-256 are examples.

The hard part of Feistel cipher design is of course the F-function. Design goals include efficiency, easy implementation, and good avalanche properties. Also, it is critically important that the F-function be highly nonlinear. All other operations in a Feistel cipher are linear and a cipher without enough nonlinearity is weak; see below.

Lai-Massey scheme

This structure was introduced in a thesis by Xuejia Lai, supervised by James Massey, in a cipher which later became the International Data Encryption Algorithm, IDEA.[7] It has since been used in other ciphers such as FOX, later renamed IDEA NXT. Perhaps the best-known analysis is by Serge Vaudenay, one of the designers of FOX. [8]

One paper [9] proposes a general class of "quasi-Feistel networks", with the Lai-Massey scheme as one instance, and shows that several of the well-known results on Feistel networks (such as the Luby-Rackoff and Patarin papers referenced above) can be generalised to the whole class. Another [10] gives some specific results for the Lai-Massey scheme.

Nonlinearity

To be secure, every cipher must contain nonlinear operations. If all operations in a cipher were linear then the cipher could be reduced to a system of linear equations and be broken by an algebraic attack. The attacker can choose which algebraic system to use; for example, against one cipher he might treat the text as a vector of bits and use Boolean algebra while for another he might choose to treat it as a vector of bytes and use arithmetic modulo 28. The attacker can also try linear cryptanalysis. If he can find a good enough linear approximation for the round function and has enough known plaintext/ciphertext pairs, then this will break the cipher. Defining "enough" in the two places where it occurs in the previous sentence is tricky; see linear cryptanalysis.

What makes these attacks impractical is a combination of the sheer size of the system of equations used (large block size, whitening, and more rounds all increase this) and nonlinearity in the relations involved. In any algebra, solving a system of linear equations is more-or-less straightforward provided there are more equations than variables. However, solving nonlinear systems of equations is far harder, so the cipher designer strives to introduce nonlinearity to the system, preferably to have at least some components that are not even close to linear. Combined with good avalanche properties and enough rounds, this makes both direct algebraic analysis and linear cryptanalysis prohibitively difficult.

There are several ways to add nonlinearity; some ciphers rely on only one while others use several.

One method is mixing operations from different algebras. If the cipher relies only on Boolean operations, the cryptanalyst can try to attack using Boolean algebra; if it uses only arithmetic operations, he can try normal algebra. If it uses both, he has a problem. Of course arithmetic operations can be expressed in Boolean algebra or vice versa, but the expressions are inconveniently (for the cryptanalyst!) complex and nonlinear whichever way he tries it.

For example, in the Blowfish F-function, it is necessary to combine four 32-bit words into one. This is not done with just addition, x = a+b+c+d or just Boolean operations x = aFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} bFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} cFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} d but instead with a mixture, x = ((a+b)Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus} c)+d. On most computers this costs no more, but it makes the analyst's job harder.

Other operations can also be used, albeit at higher costs. IDEA uses multiplication modulo 216+1 and AES does matrix multiplications with polynomials in a Galois field.

Rotations, also called circular shifts, on words or registers are nonlinear in normal algebra, though they are easily described in Boolean algebra. GOST uses rotations by a constant amount, CAST-128 and CAST-256 use a key-dependent rotation in the F-function, and RC5, RC6 and MARS all use data-dependent rotations.

A general operation for introducing nonlinearity is the substitution box or S-box; see following section.

Nonlinearity is also an important consideration in the design of stream ciphers and cryptographic hash algorithms. For hashes, much of the mathematics and many of the techniques used are similar to those for block ciphers. For stream ciphers, rather different mathematics and methods apply (see Berlekamp-Massey algorithm for example), but the basic principle is the same.

S-boxes

S-boxes or substitution boxes are look-up tables. The basic operation involved is a = sbox[b] which, at least for reasonable sizes of a and b, is easily done on any computer.

S-boxes are described as Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} by Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} , with Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} representing the number of input bits and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} the number of output bits. For example, DES uses 6 by 4 S-boxes. The storage requirement for an Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} by Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} S-box is 2mn bits, so large values of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} (many input bits) are problematic. Values up to eight are common and MARS has a 9 by 32 S-box; going much beyond that would be expensive. Large values of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} (many output bits) are not a problem; 32 is common and at least one system, the Tiger hash algorithm [11], uses 64.

S-boxes are often used in the S-layer of an SP Network. In this application, the S-box must have an inverse to be used in decryption. It must therefore have the same number of bits for input and output; only Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} by Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle n} S-boxes can be used. For example, AES is an SP network with a single 8 by 8 S-box and Serpent is one with eight 4 by 4 S-boxes. Another common application is in the F-function of a Feistel cipher. Since the F-function need not be reversible, there is no need to construct an inverse S-box for decryption and S-boxes of any size may be used.

With either an SP network or a Feistel construction, nonlinear S-boxes and enough rounds give a highly nonlinear cipher.

Large S-boxes

The first generation of Feistel ciphers used relatively small S-boxes, 6 by 4 for DES and 4 by 4 for GOST. In these ciphers the F-function is essentially one round of an SP Network. The eight S-boxes give 32 bits of S-box output. Those bits, reordered by a simple transformation, become the 32-bit output of the F-function. Avalanche properties are less than ideal since each output bit depends only on the inputs to one S-box. The output transformation (a bit permutation in DES, a rotation in GOST) compensates for this, ensuring that the output from one S-box in one round affects several S-boxes in the next round so that good avalanche is achieved after a few rounds.

Later Feistel ciphers use larger S-boxes; CAST-128 or CAST-256 and Blowfish all use four 8 by 32 S-boxes. They do not use S-box bits directly as F-function output. Instead, they take a 32-bit word from each S-box, then combine them to form a 32-bit output. This gives an F-function with ideal avalanche properties; every bit of input and every bit of round key affects every bit of output. No output transformation is required in such an F-function, and Blowfish has none. However, one may be used anyway; the CAST ciphers add a key-dependent rotation.

With the Feistel structure and such an F-function, complete avalanche — all 64 output bits depend on all 64 input bits — is achieved in three rounds, and the cipher meets the strict avalanche criterion [3]; complementing any input bit has a 50% chance of changing any given output bit.

These ciphers are primarily designed for software implementation, rather than the 1970s hardware DES was designed for, so looking up a full computer word at a time makes sense. An 8 by 32 S-box takes one K byte of storage; several can be used on a modern machine without difficulty. They need only four S-box lookups, rather than the eight in DES or GOST, so the F-function and therefore the whole cipher can be reasonably efficient.

S-box design

There is an extensive literature on the design of good S-boxes, much of it emphasizing achieving high nonlinearity though other criteria are also used. See external links.

The CAST S-boxes use bent functions (the most highly nonlinear Boolean functions) as their columns. That is, the mapping from all the input bits to any single output bit is a bent function. A paper on generating the S-boxes is Mister & Adams "Practical S-box Design" [12]. Bent functions are combined to get additional desirable traits — a balanced S-box (equal probability of 0 and 1 output), minimum correlation among output bits, and high overall S-box nonlinearity.

Blowfish uses a different approach, generating random S-boxes as part of the key scheduling operation at cipher setup time. Such S-boxes are not as nonlinear as the carefully constructed CAST ones, but they are nonlinear enough and, unlike the CAST S-boxes, they are unknown to an attacker.

In perfectly nonlinear S-boxes [13], not only are all columns bent functions (the most nonlinear possible Boolean functions), but all linear combinations of columns are bent functions as well. This is possible only if Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m \ge 2n} , there are at least twice as many input bits as output bits. Such S-boxes are therefore not much used.

S-boxes in analysis

S-boxes are sometimes used as an analytic tool even for operations that are not actually implemented as S-boxes. Any operation whose output is fully determined by its inputs can be described by an S-box; concatenate all inputs into an index, look that index up, get the output. For example, the IDEA cipher uses a multiplication operation with two 16-bit inputs and one 16-bit output; it can be modeled as a 32 by 16 S-box. In an academic paper, one might use such a model in order to apply standard tools for measuring S-box nonlinearity. A well-funded cryptanalyst might actually build the S-box (8 gigabytes of memory) either to use in his analysis or to speed up an attack.

Resisting linear & differential attacks

Two very powerful cryptanalytic methods of attacking block ciphers are linear cryptanalysis and differential cryptanalysis. The former works by finding linear approximations for the nonlinear components of a cipher, then combining them using the piling-up lemma to attack the whole cipher. The latter looks at how small changes in the input affect the output, and how such changes propagate through multiple rounds. These are the only known attacks that break DES with less effort than brute force, and they are completely general attacks that apply to any block cipher..

Both these attacks, however, require large numbers of known or chosen plaintexts, so a simple defense against them is to re-key often enough that the enemy cannot collect sufficient texts.

Techniques introduced for CAST go further, building a cipher that is provably immune to linear or differential analysis with any number of texts. The method, taking linear cryptanalysis as our example and abbreviating it LC, is as follows:

  1. start from properties of the round function (for CAST, from bent functions in the S-boxes)
  2. derive a limit Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} , the maximum possible quality of any linear approximation to a single round
  3. consider the number of rounds, Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} , as a variable
  4. derive an expression for Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle e} , the effort required to break the cipher by LC, in terms of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m}
  5. find the minimum Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} such that Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle e} exceeds the effort required for brute force, making LC impractical
  6. derive an expression for Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c} , the number of chosen plaintexts required for LC, also in terms of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} (LC with only known plaintext requires more texts, so it can be ignored)
  7. find the minimum Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} such that Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c} exceeds the number of possible plaintexts, 2blocksize, making LC impossible

A similar approach applied to differentials gives values for Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle r} that make differential cryptanalysis impractical or impossible. Choose the actual number of rounds so that, at a minimum, both attacks are impractical. Ideally, make both impossible, then add a safety factor. There are other methods of constructing ciphers provably immune to these attacks. Serge Vaudenay's work on decorrelation theory gives one [14] and Knudsen-Nyberg ciphers are another. [15]

This type of analysis is now a standard part of the cryptographer's toolkit. Many of the AES candidates, for example, included proofs along these lines in their design documentation, and AES itself uses such a calculation to determine the number of rounds required for various key sizes.

DES and alternatives

The Data Encryption Standard, DES, is among the best known and most thoroughly analysed block ciphers. It was invented by IBM and was made a US government standard, for non-classified government data and for regulated industries such as banking, in the late 70s. From then until about the turn of the century, it was very widely used. It is now considered obsolete because its 56-bit key is too short to resist brute force attacks if the opponents have recent technology.

The DES standard marked the beginning of an era in cryptography. Of course, much work continued to be done in secret by military and intelligence organisations of various nations, but from the time of DES cryptography also developed as an open academic discipline complete with journals, conferences, courses and textbooks. In particular, there was a lot of work related to block ciphers. For an entire generation, every student of cryptanalysis tried to find a way to break DES and every student of cryptography tried to devise a cipher that was demonstrably better than DES. Very few succeeded.

Every new cryptanalytic technique invented since DES became a standard has been tested against DES. None of them have broken it completely, but two — differential cryptanalysis and linear cryptanalysis — give attacks theoretically significantly better than brute force. This does not appear to have much practical importance since both require enormous numbers of known or chosen plaintexts, all encrypted with the same key, so reasonably frequent key changes provide an effective defense. All the older publicly known cryptanalytic techniques have also been tried, or at least considered, for use against DES; none of them work.

DES served as a sort of baseline for cipher design through the 80s and 90s; the design goal for almost any 20th century block cipher was to replace DES in some of its many applications with something faster, more secure, or both. All these ciphers used 64-bit blocks, like DES, but most used 128-bit or longer keys for better resistance to brute force attacks.

Ciphers of this generation include:

  • The Data Encryption Standard itself, the first well-known Feistel cipher, using 16 rounds and eight 6 by 4 S-boxes.
  • The GOST cipher, a Soviet standard similar in design to DES, a 32-round Feistel cipher using eight 4 by 4 S-boxes.
  • IDEA, the International Data Encryption Algorithm, a European standard, not a Feistel cipher, with only 8 rounds and no S-boxes.
  • RC2, a Feistel cipher from RSA Security which was approved for easy export from the US (provided it was used with only a 40-bit key), so widely deployed.
  • RC5, a Feistel cipher from RSA security. This was fairly widely deployed, often replacing RC2 in applications.
  • CAST-128, a widely used 16-round Feistel cipher, with 8 by 32 S-boxes.
  • Blowfish, another widely used 16-round Feistel cipher with 8 by 32 S-boxes.
  • The Tiny Encryption Algorithm, or TEA, designed to be very small and fast but still secure, a 32-round Feistel cipher without S-boxes.
  • Skipjack, an algorithm designed by the NSA for use in the Clipper chip, a 32-round unbalanced Feistel cipher.
  • SAFER and LOKI, two families of ciphers which each included an original version against which Lars Knudsen found an attack and a revised version to block that attack. Each had a descendant which was an AES candidate.
  • Triple DES, applying DES three times with different keys

Many of the techniques used in these ciphers came from DES and many of the design principles came from analysis of DES. However, there were also new design ideas. The CAST ciphers were the first to use large S-boxes which allow the F-function of a Feistel cipher to have ideal avalanche properties, and to use bent functions in the S-box columns. Blowfish introduced key-dependent S-boxes. Several introduced new ways to achieve nonlinearity: data-dependent rotations in RC5, key-dependent rotations in CAST-128, a clever variant on multiplication in IDEA, and the pseudo-Hadamard transform in SAFER.

The era effectively ended when the US government began working on a new cipher standard to replace their Data Encryption Standard, the Advanced Encryption Standard or AES. A whole new generation of ciphers arose, the first 21st century block ciphers. Of course these designs still drew on the experience gained in the post-DES generation, but overall these ciphers are quite different. In particular, they all use 128-bit blocks and most support key sizes up to 256 bits.

The AES generation

By the 90s, the Data Encryption Standard was clearly obsolete; its small key size made it more and more vulnerable to brute force attacks as computers became faster. The US National Institute of Standards and Technology (NIST) therefore began work on an Advanced Encryption Standard, AES, a block cipher to replace DES in government applications and in regulated industries.

To do this, they ran a very open international AES competition, starting in 1998. Their requirements specified a block cipher with 128-bit block size and support for 128, 192 or 256-bit key sizes. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware.

Fifteen submissions meeting basic criteria were received. All were iterated block ciphers; in Shannon's terms all were product ciphers. Most used an SP network or Feistel structure, or variations of those. Several had proofs of resistance to various attacks. The AES competition article covers all candidates and many have their own articles as well. Here we give only a summary.

After much analysis and testing, and two conferences, the field was narrowed to five finalists:

  • Twofish, a cipher with key-dependent S-boxes, from a team at Bruce Schneier's company Counterpane
  • MARS, a variant of Feistel cipher using data-dependent rotations, from IBM
  • Serpent, an SP network, from an international group of well-known players
  • RC6, a cipher using data-dependent rotations, from a team led by Ron Rivest
  • Rijndael. an SP network, from two Belgian designers

After another year of analysis and testing, they chose a winner. In October 2002, Rijndael was chosen to become the Advanced Encryption Standard or AES. See external links for the official standard.

An entire generation of block ciphers used the 64-bit block size of DES, but since AES many new designs use a 128-bit block size.

As discussed under size parameters, if two or more ciphers have the same block and key sizes, then they are effectively interchangeable; replacing one cipher with another requires no other changes in an application. When asked to implement AES, the implementer might include the other finalists — Twofish, Serpent. RC6 and MARS — as well. This provides useful insurance against the (presumably unlikely) risk of someone finding a good attack on AES. Little extra effort is required since open source implementations of all these ciphers are readily available, see external links. All except RC6 have completely open licenses.

There are also many other ciphers that might be used. There were ten AES candidates that did not make it into the finals:

  • CAST-256, based on CAST-128 and with the same theoretical advantages
  • DFC, based on another theoretical analysis proving resistance to various attacks.
  • Hasty Pudding, a variable block size tweakable cipher
  • DEAL, a Feistel cipher using DES as the round function
  • FROG, an innovative cipher; interesting but weak
  • E2, from Japan
  • CRYPTON, a Korean cipher with some design similarities to AES
  • MAGENTA, Deutsche Telekom's candidate, quickly broken
  • LOKI97, one of the LOKI family of ciphers, from Australia
  • SAFER+, one of the SAFER family of ciphers, from Cylink Corporation

Some should not be considered. Magenta and FROG have been broken, DEAL is slow, and E2 has been replaced by its descendant Camellia.

There are also some newer 128-bit ciphers that are widely used in certain countries:

  • Camellia, an 18-round Feistel cipher widely used in Japan and one of the standard ciphers for the NESSIE (New European Schemes for Signatures, Integrity and Encryption) project.
  • SEED, developed by the Korean Information Security Agency (KISA) and widely used in Korea.

Large-block ciphers

For most applications a 64-bit or 128-bit block size is a fine choice; nearly all common block ciphers use one or the other. Such ciphers can be used to encrypt objects larger than their block size; just choose an appropriate mode of operation.

For nearly all ciphers, the block size is a power of two. Joan Daemen's PhD thesis, though, had two exceptions: 3-Way uses 96 bits (three 32-bit words) and BaseKing 192 (three 64-bit words). Neither cipher was widely used, but they did influence later designs. Daemen was one of the designers of Square and of Rijndael which became the Advanced Encryption Standard.

A few ciphers supporting larger block sizes do exist; this section discusses them.

A block cipher with larger blocks may be more efficient; it takes fewer block operations to encrypt a given amount of data. It may also be more secure in some ways; diffusion takes place across a larger block size, so data is more thoroughly mixed, and large blocks make a code book attack more difficult. On the other hand, great care must be taken to ensure adequate diffusion within a block so a large-block cipher may need more rounds, larger blocks require more padding, and there is not a great deal of literature on designing and attacking such ciphers so it is hard to know if one is secure. Large-block ciphers are inconvenient for some applications and simply do not fit in some protocols.

Some block ciphers, such as Block TEA and Hasty Pudding, support variable block sizes. They may therefore be both efficient and convenient in applications that need to encrypt many items of a fixed size, for example disk blocks or database records. However, just using the cipher in ECB mode to encrypt each block under the same key is unwise, especially if encrypting many objects. With ECB mode, identical blocks will encrypt to the same ciphertext and give the enemy some information. One solution is to use a tweakable cipher such as Hasty Pudding with the block number or other object identifier as the tweak. Another is to use CBC mode with an initialisation vector derived from an object identifier.

Cryptographic hash algorithms can be built using a block cipher as a component. There are general-purpose methods for this that can use existing block ciphers; Applied Cryptography [16] gives a long list and describes weaknesses in many of them. However, some hashes include a specific-purpose block cipher as part of the hash design. One example is Whirlpool, a 512-bit hash using a block cipher similar in design to AES but with 512-bit blocks and a 512-bit key. Another is the Advanced Hash Standard candidate Skein which uses a tweakable block cipher called Threefish. Threefish has 256-bit, 512-bit and 1024-bit versions; in each version block size and key size are both that number of bits.

It is possible to go the other way and use any cryptographic hash to build a block cipher; again Applied Cryptography [16] has a list of techniques and describes weaknesses. The simplest method is to make a Feistel cipher with double the hash's block size; the F-function is then just to hash text and round key together. This technique is rarely used, partly because a hash makes a rather expensive round function and partly because the block cipher block size would have to be inconveniently large; for example using a 160-bit bit hash such as SHA-1 would give a 320-bit block cipher.

The hash-to-cipher technique was, however, important in one legal proceeding, the Bernstein case. At the time, US law strictly controlled export of cryptography because of its possible military uses, but hash functions were allowed because they are designed to provide authentication rather than secrecy. Bernstein's code built a block cipher from a hash, effectively circumventing those regulations. Moreover, he sued the government over his right to publish his work, claiming the export regulations were an unconstitutional restriction on freedom of speech. The courts agreed, effectively striking down the export controls.

It is also possible to use a public key operation as a block cipher. For example, one might use the RSA algorithm with 1024-bit keys as a block cipher with 1024-bit blocks. Since the round function is itself cryptographically secure, only one round is needed. However, this is rarely done; public key techniques are expensive so this would give a very slow block cipher. A much more common practice is to use public key methods, block ciphers, and cryptographic hashes together in a hybrid cryptosystem.

References

  1. M. Liskov, R. Rivest, and D. Wagner (2002), "Tweakable Block Ciphers", LNCS, Crypto 2002
  2. Horst Feistel (1973), "Cryptography and Computer Privacy", Scientific American
  3. 3.0 3.1 A. F. Webster and Stafford E. Tavares (1985), "On the design of S-boxes", Advances in Cryptology - Crypto '85 (Lecture Notes in Computer Science)
  4. C. E. Shannon (1949), "Communication Theory of Secrecy Systems", Bell Systems Technical Journal 28: pp.656-715
  5. M. Luby and C. Rackoff, "How to Construct Pseudorandom Permutations and Pseudorandom Functions", SIAM J. Comput
  6. Jacques Patarin (Oct 2003), "Luby-Rackoff: 7 Rounds Are Enough for Security", Lecture Notes in Computer Science 2729: 513 - 529
  7. X. Lai (1992), "On the Design and Security of Block Ciphers", ETH Series in Information Processing, v. 1
  8. S. Vaudenay (1999), On the Lai-Massey Scheme, Springer-Verlag, LCNS
  9. Aaram Yun, Je Hong Park and Jooyoung Lee (2007), Lai-Massey Scheme and Quasi-Feistel Networks
  10. Yiyuan Luo, Xuejia Lai, Zheng Gong and Zhongming Wu (2009), Pseudorandomness Analysis of the Lai-Massey Scheme
  11. Ross Anderson & Eli Biham (1996), "Tiger: a fast new hash function", Fast Software Encryption, Third International Workshop Proceedings
  12. S. Mister, C. Adams (August, 1996), "Practical S-Box Design", Selected Areas in Cryptography (SAC '96): 61-76
  13. Kaisa Nyberg (1991), "Perfect nonlinear S-boxes", Eurocrypt'91, LNCS 547
  14. Serge Vaudenay (2003), "Decorrelation: A Theory for Block Cipher Security", Journal of Cryptology
  15. Kaissa Nyberg and Lars Knudsen (1995), "Provable security against a differential attack", Journal of Cryptology
  16. 16.0 16.1 Schneier, Bruce (2nd edition, 1996,), Applied Cryptography, John Wiley & Sons, ISBN 0-471-11709-9