Cryptographic

Algorithms
Click here for an introduction to some basic concepts and design principles of secret key cryptography.

Block ciphers Stream ciphers Hash algorithms

 MISTY  ORYX  MD2

 3-Way  MMB  RC4  MD4
 Blowfish  NewDES  SEAL  MD5
 CAST  RC2  RIPEMD
 CMEA  RC5  SHA1
 DES  RC6  Snefru
 Triple-DES  REDOC  Tiger
 DEAL  Rijndael
 FEAL  Safer
 GOST  Serpent
 IDEA  SQUARE
 LOKI  Skipjack
 Lucifer  Tiny Encryption
 MacGuffin Algorithm
 MARS  Twofish

Block
Ciphers

3-Way

3-Way is a simple and fast cipher designed by Joan Daemen. 3-Way features a 96-bit key length and a
96-bit block length. 3-Way is an iterated block cipher that repeats some relatively simple operations a
specified number of rounds. David Wagner, John Kelsey, and Bruce Schneier of Counterpane
Systems have discovered a related key attack on 3-Way that requires one related key query and about
222 chosen plaintexts, described in this paper. 3-Way is unpatented.

Blowfish

Blowfish is a block cipher designed by Bruce Schneier, author of Applied Cryptography. Blowfish
combines a Feistel network, key-dependent S-Boxes, and a non-invertible F function to create what is
perhaps one of the most secure algorithms available. Schneier's paper is available here. Blowfish is
also described in the Concepts of Cryptography page. The only known attacks against Blowfish are
based on its weak key classes.

Blowfish is implemented in Kremlin.

CAST

CAST, designed by Carlisle Adams and Stafford Taveres, is shaping up to be a solid algorithm. Its
design is very similar to Blowfish's, with key-dependent S-Boxes, a non-invertible f function, and a
Feistel network-like structure (called a substitution-permutation network). David Wagner, John Kelsey,
and Bruce Schneier have discovered a related-key attack on the 64-bit version of CAST that requires
approximately 217 chosen plaintexts, one related query, and 248offline computations (described in this
paper). The attack is infeasible at best. CAST is patented by Entrust Technologies, which has
generously released it for free use. The CAST cipher design process is described in this paper and the
128-bit version is described in this addendum. Carlisle Adams has submitted a version of CAST (CAST-
256) as an AES candidate.
CAST-128 is implemented in Kremlin.

CMEA

CMEA is the encryption algorithm developed by the Telecommunications Industry Association to

encrypt digital cellular phone data. It uses a 64-bit key and features a variable block length. CMEA is
used to encrypt the control channel of cellular phones. It is distinct from ORYX, an also insecure stream
cipher that is used to encrypt data transmitted over digital cellular phones. It has been broken
by David Wagner, John Kelsey, and Bruce Schneier of Counterpane Systems. Their paper, which also
provides an excellent description of the CMEA algorithm, is available here.

DES

Designed at IBM during the 1970s and officially adopted as the NIST standard encryption algorithm for
unclassified data in 1976, DES has become the bastion of the cryptography market. However, DES has
since become outdated, its long reign as official NIST algorithm ending in 1997. Though DES accepts a
64-bit key, the key setup routines effectively discard 8 bits, giving DES a 56-bit effective keylength.
DES remains widely in use. During the design of DES, the NSAprovided secret S-Boxes. After
differential cryptanalysis had been discovered outside the closed fortress of the NSA, it was revealed
that the DES S-boxes were designed to be resistant against differential cryptanalysis. DES is becoming
weaker and weaker over time; modern computing power is fast approaching the computational
horsepower needed to easily crack DES.

DES was designed to be implemented only in hardware, and is therefore extremely slow in software.
A recent successful effort to crack DES took several thousand computers several months. The EFF has
sponsored the development of a crypto chip named "Deep Crack" that can process 88 billion DES keys
per second and has successfully cracked 56 bit DES in less than 3 days.

DES is implemented in Kremlin (accessible through Kremlin SDK API).

Triple-DES

A variant of DES, Triple-DES (also 3DES) is based on using DES three times. This means that the input
data is encrypted three times. The Triple-DES is considered much stronger than DES, however, it is
rather slow compared to some new block ciphers.

DEAL

DEAL is an interesting AES submission and, like all AES submissions, it uses a 128 bit block and
accepts 128 bit, 192 bit, and 256 bit keylengths. It uses DES as its inner round function and its authors
suggest at least 6, preferably 8 rounds (there are some attacks against DEAL). There is a paper
available here that describes some attacks, all of which can be cured by using at least 8 rounds.

FEAL

Developed by the Nippon Telephone & Telegraph as an improvement to DES, the Fast Data
Encipherment Algorithm (FEAL) is very insecure. FEAL-4, FEAL-8, and FEAL-N are all susceptible to a
variety of cryptanalytic attacks, some requiring as little as 12 chosen plaintexts. FEAL is patented.

GOST

GOST is a cryptographic algorithm from Russia that appears to be the Russian analog to DES both
politically and technologically. Its designers took no chances, iterating the GOST algorithm for 32
rounds and using a 256 bit key. Although GOST's conservative design inspires confidence, John Kelsey
has discovered a key-relation attack on GOST, described in a post to sci.crypt on 10 February 1996.
There are also weak keys in GOST, but there are too few to be a problem when GOST is used with its
standard set of S-boxes. You can read the official GOST algorithm description (translated from
Russian) here. There is also a description of the GOST algorithm here.
IDEA

IDEA, developed in Zurich, Switzerland by Xuejia Lai and James Massey, is generally regarded to be
one of the best and most secure block algorithm available to the public today. It utilizes a 128-bit key
and is designed to be resistant to differential cryptanalysis. Some attacks have been made against
reduced round IDEA. Unfortunately, IDEA is patented; licensing information can be obtained
from Ascom.

LOKI

LOKI was designed as a possible replacement for DES. It operates on a 64-bit block and a 64-bit key.
The first version of LOKI to be released was broken by differential cryptanalysis and was shown to have
an 8-bit complementation property (this means that the number of keys that need to be searched in a
brute force attack is reduced by 256). LOKI was revised and re-released as LOKI91. LOKI91 is secure
against differential cryptanalysis, but LOKI easily falls to a chosen-key attack. The designers of LOKI
have proposed LOKI97 as an AES candidate, but linear and differential attacks on LOKI97 have already
been proposed.

Lucifer

Lucifer was one of the first modern cryptographic algorithms. It was designed at IBM in the 1960s by
Horst Feistel, of Feistel network fame. Lucifer is often considered to be a precursor to DES. There are
several incarnations of Lucifer, each with the same name, which creates a good deal of confusion. No
version is secure. A paper on the differential cryptanlysis of Lucifer was written by Ishai Ben-Aroya &
Eli Biham.

MacGuffin

MacGuffin is a cipher developed by Matt Blaze and Bruce Schneier as an experiment in cipher design.
It uses a Feistel network (see the cryptography overviewfor details), but does not split the input
evenly, instead dividing the 64 bit block into one 16 bit part and another 48 bit part. This is called a
generalized unbalanced Feistel network (GUFN). Details are available here. A differential attack on
MacGuffin has been found that requires approximately 251.5 chosen plaintexts.

MARS

MARS is IBM's AES submission. There is a MARS web page with a link to the MARS paper. MARS uses
128 bit blocks and supports variable key sizes (from 128 to 1248 bits). MARS is unique in that it
combines virtually every design technique known to cryptographers in one algorithm. It uses addition
and subtractions, S-boxes, fixed and data dependent rotations, and multiplications.

MISTY

Misty is a cryptographic algorithm developed by Mitsubishi Electric after they broke DES in 1994. It is
designed to withstand linear and differential cryptanalysis, but has not yet been cryptanalysed. As it
has not undergone intensive peer review, the usual caution is recommended. It is being considered for
inclusion into the SET 2.0 standard. Visit the MISTY web page or read the author's paper on MISTY.

MMB

MMB was designed as an alternative to IDEA that uses a 128-bit block instead of IDEA's 64-bit block. It
was designed using the same principles as IDEA. Unfortunately, it is not as secure as IDEA and several
attacks exist against it. Its author, Joan Daemen, abandoned it and designed 3-Way.

NewDES

Although NewDES was developed by Robert Scott to possibly replace DES, NewDES has fallen short of
expectations. NewDES has been proven to be weaker than DES, requiring 24 related-key probes and
530 chosen plaintext/ciphertext queries, as described in this paper.
NewDES is implemented in Kremlin

RC2

RC2, like RC4, was formerly a trade secret, but code purporting to be RC2 was posted to sci.crypt. It is
archived here. David Wagner, John Kelsey, and Bruce Schneier have discovered a related-key attack on
RC2 that requires one related-key query and approximately 234 chosen plaintexts. RC2 is not patented
byRSA Data Security, Inc; it is just protected as a trade secret.

RC5

RC5 is a group of algorithms designed by Ron Rivest of RSA Data Security that can take on a variable
block size, key size, and number of rounds. The block size is generally dependent on the word size of
the machine the particular version of RC5 was designed to run on; on 32-bit processors (with 32-bit
words), RC5 generally has a 64-bit block size. David Wagner, John Kelsey, and Bruce
Schneier have found weak keys in RC5, with the probability of selecting a weak key to be 2-10r, where r
is the number of rounds. For sufficiently large r values (greater than 10), this is not a problem as long
as you are not trying to build a hash function based on RC5. Kundsen has also found a
differential attack on RC5. RC5 is described in this RSA document. RC5 is patented by RSA Security,
Inc.

RC6

RC6 is Ronald Rivest's AES submission. Like all AES ciphers, RC6 works on 128 bit blocks. It can accept
variable length keys. It is very similar to RC5, incorporating the results of various studies on RC5 to
improve the algorithm. The studies of RC5 found that not all bits of data are used to determine the
rotation amount (rotation is used extensively in RC5); RC6 uses multiplication to determine the
rotation amount and uses all bits of input data to determine the rotation amount, strengthening the
avalanche effect.

REDOC

There are two versions of the REDOC algorithm, REDOC II, and REDOC III. REDOC II is considered to be
secure; an attack has been made against one round of REDOC II, but could not be extended to all 10
recommended rounds. REDOC II is interesting in that it uses data masks to select the values in the S-
boxes. REDOC II uses a 160-bit key and works on an 80-bit block. REDOC III was an attempt to make
the painfully slow REDOC II faster. REDOC III, like REDOC III, operates on an 80-bit block, but can
accept keys up to 20480 bits. However, REDOC III falls to differential cryptanalysis, as described in this
paper.

Rijndael

Rijndael is an AES winner by Joan Daemen and Vincent Rijmen. The cipher has a variable block and key
length, and the authors have demonstrated how to extend the block length and key length by
multiples of 32 bits. The design of Rijndael was influenced by the SQUARE algorithm. The authors
provide a Rijndael specification and a more theoretical paper on their design principles. The authors
have vowed to never patent Rijndael.

Safer

Safer was developed by Robert Massey at the request of Cylink Corporation. There are several
different versions of Safer, with 40, 64, and 128-bit keys. A weakness in the key schedule was
corrected, with an S being added to the original Safer K designation to create Safer SK. There are
some attacks against reduced round variants of Safer. Safer is secure against differential and linear
cryptanalysis. However, Bruce Schneier, author of Applied Cryptography, recommends against using
Safer because, "Safer was designed for Cylink, and Cylink is tainted by the NSA."

Safer SK-128 is implemented in Kremlin.

Serpent

Serpent is an AES submission by Ross Anderson, Eli Biham, and Lars Knudsen. Its authors combined
the design principles of DES with the recent development of bitslicing techniques to create a very
secure and very fast algorithm. While bitslicing is generally used to encrypt multiple blocks in parallel,
the designers of Serpent have embraced the technique of bitslicing and incorporated it into the design
of the algorithm itself. Serpent uses 128 bit blocks and 256 bit keys. Like DES, Serpent includes an
initial and final permutation of no cryptographic significance; these permutations are used to optimize
the data before encryption. Serpent was released at the 5th International Workshop on Fast Software
Encryption. This iteration of Serpent was called Serpent 0 and used the original DES S-boxes. After
comments, the key schedule of Sperpent was changed slightly and the S-boxes were changed; this
new iteration of Serpent is called Serpent 1. Serpent 1 resists both linear and differential attacks. The
Serpent paper is available here.

SQUARE

SQUARE is an iterated block cipher that uses a 128-bit key length and a 128-bit block length. The
round function of SQUARE is composed of four transformations: a linear transformation, a nonlinear
transformation, a byte permutation, and a bitwise round-key addition. SQUARE was designed to be
resistant to linear and differential cryptanalysis, and succeeds in this respect. The designers of
SQUARE have developed an attack on SQUARE, but it cannot be extended past 6 rounds. A paper on
SQUARE is available here and there are links to the paper and source code on the designers' web site.

Skipjack

In what surely signals the end of the Clipper chip project, the NSA has released Skipjack, its formerly
secret encryption algorithm, to the public. Skipjack uses an 80 bit key. A fuzzy scan of the official NSA
paper is available here at the NIST web site, but it has been transcribed by the folks over at jya.com. A
reference implementation (in C) is available here, and an optimized version is available here. Eli Biham
and Adi Shamir have published some initial cryptanalytic results(which are growing more and more
interesting as time progresses).

Tiny Encryption Algorithm (TEA)

TEA is a cryptographic algorithm designed to minimize memory footprint, and maximize speed.
However, the cryptographers from Counterpane Systems havediscovered three related-key attacks on
TEA, the best of which requires only 223 chosen plaintexts and one related key query. The problems
arise from the overly simple key schedule. Each TEA key can be found to have three other equivalent
keys, as described in a paper by David Wagner, John Kelsey, and Bruce Schneier. This precludes the
possibility of using TEA as a hash function. Roger Needham and David Wheeler have
proposed extensions to TEA that counter the above attacks.

Twofish

Twofish is Counterpane Systems' AES submission. Designed by the Counterpane Team (Bruce
Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson), Twofish has
undergone extensive analysis by the Counterpane Team. There is a paper available from the Twofish
web page and source is provided in optimized C and assembly.

Stream
Ciphers

ORYX

ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream cipher
based on three 32-bit Galois LFSRs. It is distinct from CMEA, which is a block cipher used to encrypt the
cellular data control channel. The cryptographic tag-team from Counterpane Systems (David Wagner,
John Kelsey, and Bruce Schneier) have developed an attack on ORYX that requires approximately 24
bytes of known plaintext and about 216 initial guesses.
RC4

The RC4 algorithm is a stream cipher from RSA Data Security, Inc. Though RC4 was originally a trade
secret, the alleged source code was published anonymously in 1994. The published algorithm performs
identically to RC4 implementations in official RSA products. RC4 is widely used in many applications
and is generally regarded to be secure. There are no known attacks against RC4. RC4 is not patented
by RSA Data Security, Inc; it is just protected as a trade secret.

The 40-bit exportable version of RC4 has been broken by brute force!

RC4 is implemented in Kremlin.

SEAL

SEAL, designed by Don Coppersmith of IBM Corp, is probably the fastest secure encryption algorithm
available. The key setup process of SEAL requires several kilobytes of space and rather intensive
computation involving SHA1, but only five operations per byte are required to generate the keystream.
SEAL is particularly appropriate for disk encryption and similar applications where data must be read
from the middle of a ciphertext stream. A paper is available here. SEAL is patented, and can be
licensed from IBM.

Hash
Algorithms

MD2

MD2 is generally considered to be a dead algorithm. It was designed to work on 8-bit processors and,
in today's 32-bit world, is rarely used. It produces a 128-bit digest. MD2 is different in design from MD4
and MD5, in that it first pads the message so that its length in bits is divisible by 256. It then adds a
256-bit checksum. If this checksum is not added, the MD2 function has been found to have collisions.
There are no known attacks on the full version of MD2. MD2 is described in RFC 1319.

MD4

Although MD4 is now considered insecure, its design is the basis for the design of most other
cryptographic hashes and therefore merits description. First, the message to be operated on is padded
so that its length in bits plus 448 is divisible by 512. Then, in what is called a Damgård/Merkle iterative
structure, the message is processed with a compression function in 512-bit blocks to generate a digest
value. In MD4 this digest is 128 bits long. Hans Dobbertin developed an attack on the full MD4 that will
generate collisions in about a minute on most PCs. An overview of the design and a description of the
security of MD2, MD4, and MD5, are described in this RSA document.

MD5

While MD4 was designed for speed, a more conservative approach was taken in the design of MD5.
However, applying the same techniques he used to attack MD4, Hans Dobbertin has shown
that collisions can be found for the MD5 compression function in about 10 hours on a PC. While these
attacks have not been extended to the full MD5 algorithm, they still do not inspire confidence in the
algorithm. RSA is quick to point out that these collision attacks do not compromise the integrity of MD5
when used with existing digital signatures. MD5, like MD4, produces a 128-bit digest. An RFC
describing MD5 in detail is available here. The use of MD5, as well as MD4, is not recommended in new
applications.

RIPEMD

RIPEMD and its successors were developed by the European RIPE project. Its authors found
collisions for a version of RIPEMD restricted to two rounds. This attack can also be applied to MD4 and
MD5. The original RIPEMD algorithm was then strengthened and renamed to RIPEMD-160. As implied
by the name, RIPEMD-160 produces a 160-bit digest. A comprehensive description of RIPEMD-160 can
be found here.

SHA1

SHA1 was developed by the NSA for NIST as part of the Secure Hash Standard (SHS). SHA1 is similar in
design to MD4. The original published algorithm, known as SHA, was modified by NSA to protect
against an unspecified attack; the updated algorithm is named SHA1. It produces a 160-bit digest --
large enough to protect against "birthday" attacks, where two different messages are selected to
produce the same signature, for the next decade. The official FIPS description of SHA1 can be
found here.

SHA1 is implemented in Kremlin.

Snefru

Snefru is a hash function designed by Ralph Merkle, the designer of the Khufu and Khafre encryption
algorithms. 2-round Snefru has been broken by Eli Biham. Snefru 2.5, the latest edition of the hash
algorithm, can generate either a 128-bit or a 256-bit digest.

Tiger

Tiger is a new hash algorithm by Ross Anderson and Eli Biham. It is designed to work with 64-bit
processors such as the Digital Alpha and, unlike MD4, does not rely on rotations (the Alpha has no such
rotate instruction). In order to provide drop-in compatibility with other hashes, Tiger can generate a
128-bit, a 160-bit or a 192-bit digest. The Tiger home page contains more information.