Click here for an introduction to some basic
concepts and design principles of secret key cryptography.
3-Way is a simple and fast cipher designed by Joan Daemen. 3-Way features
a 96-bit key length and a 96-bit block length. 3-Way is an iterated
block cipher that repeats some relatively simple operations a specified
number of rounds. David Wagner,
John Kelsey, and Bruce
Schneier of Counterpane Systems
have discovered a related key attack on 3-Way that requires one related
key query and about 222 chosen plaintexts, described in this
paper. 3-Way is unpatented.
Blowfish is a block cipher designed by Bruce
Schneier, author of Applied
Cryptography. Blowfish combines a Feistel network, key-dependent
S-Boxes, and a non-invertible F function to create what is perhaps one
of the most secure algorithms available. Schneier's paper is available
is also described in the Concepts of Cryptography
page. The only known attacks against Blowfish are based on its weak
Blowfish is implemented in Kremlin.
CAST, designed by Carlisle Adams and Stafford Taveres, is shaping
up to be a solid algorithm. Its design is very similar to Blowfish's,
with key-dependent S-Boxes, a non-invertible f function, and a Feistel
network-like structure (called a substitution-permutation network).
David Wagner, John Kelsey,
and Bruce Schneier
have discovered a related-key attack on the 64-bit version of CAST that
requires approximately 217 chosen plaintexts, one related
query, and 248 offline computations (described in this
paper). The attack is infeasible at best. CAST is patented by Entrust
Technologies, which has generously released
it for free use. The CAST cipher design process is described in
this paper and the
128-bit version is described in this
addendum. Carlisle Adams has submitted a version of CAST (CAST-256)
as an AES candidate.
CAST-128 is implemented in Kremlin.
CMEA is the encryption algorithm developed by the Telecommunications
Industry Association to encrypt digital cellular phone data. It uses
a 64-bit key and features a variable block length. CMEA is used to encrypt
the control channel of cellular phones. It is distinct from ORYX, an
also insecure stream cipher that is used to encrypt data transmitted
over digital cellular phones. It has been broken by David
Wagner, John Kelsey, and Bruce
Schneier of Counterpane Systems.
Their paper, which also provides an excellent description of the CMEA
algorithm, is available here.
Designed at IBM during the 1970s and officially adopted as the NIST
standard encryption algorithm for unclassified data in 1976, DES has
become the bastion of the cryptography market. However, DES has since
become outdated, its long reign as official NIST algorithm ending in
1997. Though DES accepts a 64-bit key, the key setup routines effectively
discard 8 bits, giving DES a 56-bit effective keylength. DES remains
widely in use. During the design of DES, the NSA
provided secret S-Boxes. After differential cryptanalysis had been discovered
outside the closed fortress of the NSA, it was revealed that the DES
S-boxes were designed to be resistant against differential cryptanalysis.
DES is becoming weaker and weaker over time; modern computing power
is fast approaching the computational horsepower needed to easily crack
DES was designed to be implemented only in hardware, and is therefore
extremely slow in software. A recent
successful effort to crack DES took several thousand computers several
months. The EFF has sponsored the development
of a crypto chip named "Deep Crack" that can process 88 billion
DES keys per second and has
successfully cracked 56 bit DES in less than 3 days.
DES is implemented in Kremlin (accessible
through Kremlin SDK API).
A variant of DES, Triple-DES
(also 3DES) is based on using DES three times. This means that the input
data is encrypted three times. The Triple-DES is considered much stronger
than DES, however, it is rather slow compared to some new block ciphers.
DEAL is an interesting AES submission and, like all AES submissions,
it uses a 128 bit block and accepts 128 bit, 192 bit, and 256 bit keylengths.
It uses DES as its inner round function and its authors suggest at least
6, preferably 8 rounds (there are some attacks against DEAL). There
is a paper available here
that describes some attacks, all of which can be cured by using at least
Developed by the Nippon Telephone & Telegraph as an improvement
to DES, the Fast Data Encipherment Algorithm (FEAL) is very insecure.
FEAL-4, FEAL-8, and FEAL-N are all susceptible to a variety of cryptanalytic
attacks, some requiring as little as 12 chosen plaintexts. FEAL is patented.
GOST is a cryptographic algorithm from Russia that appears to be the
Russian analog to DES both politically and technologically. Its designers
took no chances, iterating the GOST algorithm for 32 rounds and using
a 256 bit key. Although GOST's conservative design inspires confidence,
John Kelsey has discovered a key-relation attack on GOST, described
in a post to sci.crypt on 10 February 1996. There are also weak
keys in GOST, but there are too few to be a problem when GOST is
used with its standard set of S-boxes. You can read the official GOST
algorithm description (translated from Russian) here.
There is also a description of the GOST algorithm here.
IDEA, developed in Zurich, Switzerland by Xuejia Lai and James Massey,
is generally regarded to be one of the best and most secure block algorithm
available to the public today. It utilizes a 128-bit key and is designed
to be resistant to differential cryptanalysis. Some
attacks have been made against reduced round IDEA. Unfortunately,
IDEA is patented; licensing information can be obtained from Ascom.
LOKI was designed as a possible replacement for DES. It operates on
a 64-bit block and a 64-bit key. The first version of LOKI to be released
was broken by differential cryptanalysis and was shown to have an 8-bit
complementation property (this means that the number of keys that need
to be searched in a brute force attack is reduced by 256). LOKI was
revised and re-released as LOKI91. LOKI91 is secure against differential
cryptanalysis, but LOKI easily falls to a chosen-key attack. The designers
of LOKI have proposed LOKI97
as an AES candidate, but linear
and differential attacks on LOKI97 have already been proposed.
Lucifer was one of the first modern cryptographic algorithms. It was
designed at IBM in the 1960s by Horst Feistel, of Feistel network fame.
Lucifer is often considered to be a precursor to DES. There are several
incarnations of Lucifer, each with the same name, which creates a good
deal of confusion. No version is secure. A paper on the differential
cryptanlysis of Lucifer was written by Ishai Ben-Aroya & Eli
MacGuffin is a cipher developed by Matt Blaze and Bruce Schneier as
an experiment in cipher design. It uses a Feistel network (see the cryptography
overview for details), but does not split the input evenly, instead
dividing the 64 bit block into one 16 bit part and another 48 bit part.
This is called a generalized unbalanced Feistel network (GUFN). Details
are available here.
A differential attack on MacGuffin has
been found that requires approximately 251.5 chosen plaintexts.
MARS is IBM's AES submission. There
is a MARS web
page with a link to the MARS
paper. MARS uses 128 bit blocks and supports variable key sizes
(from 128 to 1248 bits). MARS is unique in that it combines virtually
every design technique known to cryptographers in one algorithm. It
uses addition and subtractions, S-boxes, fixed and data dependent rotations,
Misty is a cryptographic algorithm developed by Mitsubishi Electric
after they broke DES in 1994. It is designed to withstand linear and
differential cryptanalysis, but has not yet been cryptanalysed. As it
has not undergone intensive peer review, the usual caution is recommended.
It is being considered for inclusion into the SET 2.0 standard. Visit
web page or read the author's paper
MMB was designed as an alternative to IDEA that uses a 128-bit block
instead of IDEA's 64-bit block. It was designed using the same principles
as IDEA. Unfortunately, it is not as secure as IDEA and several attacks
exist against it. Its author, Joan Daemen, abandoned it and designed
Although NewDES was developed by Robert Scott to possibly replace
DES, NewDES has fallen short of expectations. NewDES has been proven
to be weaker than DES, requiring 24 related-key probes and 530 chosen
plaintext/ciphertext queries, as described in this
NewDES is implemented in Kremlin
RC2, like RC4, was formerly a trade secret, but code purporting to
be RC2 was posted to sci.crypt. It is archived here.
David Wagner, John Kelsey,
and Bruce Schneier
discovered a related-key attack on RC2 that requires one related-key
query and approximately 234 chosen plaintexts. RC2 is not
patented by RSA Data Security, Inc;
it is just protected as a trade secret.
RC5 is a group of algorithms designed by Ron Rivest of RSA Data Security
that can take on a variable block size, key size, and number of rounds.
The block size is generally dependent on the word size of the machine
the particular version of RC5 was designed to run on; on 32-bit processors
(with 32-bit words), RC5 generally has a 64-bit block size. David
Wagner, John Kelsey, and Bruce
Schneier have found
weak keys in RC5, with the probability of selecting a weak key to
be 2-10r, where r is the number of rounds. For sufficiently
large r values (greater than 10), this is not a problem as long as you
are not trying to build a hash function based on RC5. Kundsen has also
found a differential attack
on RC5. RC5 is described in this
RSA document. RC5 is patented by RSA
RC6 is Ronald Rivest's AES submission. Like all AES ciphers, RC6 works
on 128 bit blocks. It can accept variable length keys. It is very similar
to RC5, incorporating the results of various studies on RC5 to improve
the algorithm. The studies of RC5 found that not all bits of data are
used to determine the rotation amount (rotation is used extensively
in RC5); RC6 uses multiplication to determine the rotation amount and
uses all bits of input data to determine the rotation amount, strengthening
the avalanche effect.
There are two versions of the REDOC algorithm, REDOC II, and REDOC
III. REDOC II is considered to be secure; an attack has been made against
one round of REDOC II, but could not be extended to all 10 recommended
rounds. REDOC II is interesting in that it uses data masks to select
the values in the S-boxes. REDOC II uses a 160-bit key and works on
an 80-bit block. REDOC III was an attempt to make the painfully slow
REDOC II faster. REDOC III, like REDOC III, operates on an 80-bit block,
but can accept keys up to 20480 bits. However, REDOC III falls to differential
cryptanalysis, as described in this
Rijndael is an AES
winner by Joan Daemen and Vincent
Rijmen. The cipher has a variable block and key length, and the
authors have demonstrated how to extend the block length and key length
by multiples of 32 bits. The design of Rijndael was influenced by the
SQUARE algorithm. The authors provide a Rijndael
specification and a more theoretical paper on their design
principles. The authors have vowed to never patent Rijndael.
Safer was developed by Robert Massey at the request of Cylink Corporation.
There are several different versions of Safer, with 40, 64, and 128-bit
keys. A weakness in the key schedule was corrected, with an S being
added to the original Safer K designation to create Safer SK. There
are some attacks
against reduced round variants of Safer. Safer is secure against differential
and linear cryptanalysis. However, Bruce
Schneier, author of Applied
Cryptography, recommends against using Safer because, "Safer
was designed for Cylink, and Cylink is tainted by the NSA."
Safer SK-128 is implemented in Kremlin.
Serpent is an AES submission by Ross Anderson, Eli Biham, and Lars
Knudsen. Its authors combined the design principles of DES with the
recent development of bitslicing techniques to create a very secure
and very fast algorithm. While bitslicing is generally used to encrypt
multiple blocks in parallel, the designers of Serpent have embraced
the technique of bitslicing and incorporated it into the design of the
algorithm itself. Serpent uses 128 bit blocks and 256 bit keys. Like
DES, Serpent includes an initial and final permutation of no cryptographic
significance; these permutations are used to optimize the data before
encryption. Serpent was released at the 5th International Workshop on
Fast Software Encryption. This iteration of Serpent was called Serpent
0 and used the original DES S-boxes. After comments, the key schedule
of Sperpent was changed slightly and the S-boxes were changed; this
new iteration of Serpent is called Serpent 1. Serpent 1 resists both
linear and differential attacks. The Serpent paper is available here.
SQUARE is an iterated block cipher that uses a 128-bit key length
and a 128-bit block length. The round function of SQUARE is composed
of four transformations: a linear transformation, a nonlinear transformation,
a byte permutation, and a bitwise round-key addition. SQUARE was designed
to be resistant to linear and differential cryptanalysis, and succeeds
in this respect. The designers of SQUARE have developed an attack on
SQUARE, but it cannot be extended past 6 rounds. A paper on SQUARE is
and there are links to the paper and source code on the designers' web
In what surely signals the end of the Clipper chip project, the NSA
released Skipjack, its formerly secret encryption algorithm, to
the public. Skipjack uses an 80 bit key. A fuzzy scan of the official
NSA paper is available here
at the NIST web site, but it has been
transcribed by the folks
over at jya.com. A reference implementation
(in C) is available here,
and an optimized version is available here.
Eli Biham and Adi Shamir have published some
initial cryptanalytic results (which are growing more and more interesting
as time progresses).
Tiny Encryption Algorithm (TEA)
TEA is a cryptographic algorithm designed to minimize memory footprint,
and maximize speed. However, the cryptographers from Counterpane
Systems have discovered
three related-key attacks on TEA, the best of which requires only
223 chosen plaintexts and one related key query. The problems
arise from the overly simple key schedule. Each TEA key can be found
to have three other equivalent keys, as described in a
paper by David Wagner,
John Kelsey, and Bruce
Schneier. This precludes the possibility of using TEA as a hash
function. Roger Needham and David Wheeler have proposed
extensions to TEA that counter the above attacks.
Twofish is Counterpane Systems'
AES submission. Designed by the Counterpane Team (Bruce
Schneier, John Kelsey, Doug Whiting, David
Wagner, Chris Hall, and Niels Ferguson), Twofish has undergone extensive
analysis by the Counterpane Team. There is a paper
available from the Twofish
web page and source
is provided in optimized C and assembly.
ORYX is the algorithm used to encrypt data sent over digital cellular
phones. It is a stream cipher based on three 32-bit Galois LFSRs. It
is distinct from CMEA, which is a block cipher used to encrypt the cellular
data control channel. The cryptographic tag-team from Counterpane
Systems (David Wagner,
John Kelsey, and Bruce
Schneier) have developed
an attack on ORYX that requires approximately 24 bytes of known
plaintext and about 216 initial guesses.
The RC4 algorithm is a stream cipher from RSA
Data Security, Inc. Though RC4 was originally a trade secret, the
alleged source code was published
anonymously in 1994. The published algorithm performs identically
to RC4 implementations in official RSA products. RC4 is widely used
in many applications and is generally regarded to be secure. There are
no known attacks against RC4. RC4 is not patented by RSA
Data Security, Inc; it is just protected as a trade secret.
The 40-bit exportable version of RC4 has been
broken by brute force!
RC4 is implemented in Kremlin.
SEAL, designed by Don Coppersmith of IBM Corp, is probably the fastest
secure encryption algorithm available. The key setup process of SEAL
requires several kilobytes of space and rather intensive computation
involving SHA1, but only five operations per byte are required to generate
the keystream. SEAL is particularly appropriate for disk encryption
and similar applications where data must be read from the middle of
a ciphertext stream. A paper is available here.
SEAL is patented, and can be licensed from IBM.
MD2 is generally considered to be a dead algorithm. It was designed
to work on 8-bit processors and, in today's 32-bit world, is rarely
used. It produces a 128-bit digest. MD2 is different in design from
MD4 and MD5, in that it first pads the message so that its length in
bits is divisible by 256. It then adds a 256-bit checksum. If this checksum
is not added, the MD2 function has been found to have collisions. There
are no known attacks on the full version of MD2. MD2 is described in
Although MD4 is now considered insecure, its design is the basis for
the design of most other cryptographic hashes and therefore merits description.
First, the message to be operated on is padded so that its length in
bits plus 448 is divisible by 512. Then, in what is called a Damgård/Merkle
iterative structure, the message is processed with a compression function
in 512-bit blocks to generate a digest value. In MD4 this digest is
128 bits long. Hans Dobbertin developed an attack on the full MD4 that
will generate collisions in about a minute on most PCs. An overview
of the design and a description of the security of MD2, MD4, and MD5,
are described in this
While MD4 was designed for speed, a more conservative approach was
taken in the design of MD5. However, applying the same techniques he
used to attack MD4, Hans Dobbertin has shown that collisions
can be found for the MD5 compression function in about 10 hours
on a PC. While these attacks have not been extended to the full MD5
algorithm, they still do not inspire confidence in the algorithm. RSA
is quick to point out that these collision attacks do not compromise
the integrity of MD5 when used with existing digital signatures. MD5,
like MD4, produces a 128-bit digest. An RFC describing MD5 in detail
is available here.
The use of MD5, as well as MD4, is not recommended in new applications.
RIPEMD and its successors were developed by the European RIPE project.
Its authors found
collisions for a version of RIPEMD restricted to two rounds. This
attack can also be applied to MD4 and MD5. The original RIPEMD algorithm
was then strengthened and renamed to RIPEMD-160. As implied by the name,
RIPEMD-160 produces a 160-bit digest. A comprehensive description of
RIPEMD-160 can be found here.
SHA1 was developed by the NSA for
NIST as part of the Secure Hash Standard (SHS). SHA1 is similar in design
to MD4. The original published algorithm, known as SHA, was modified
by NSA to protect against an unspecified attack; the updated algorithm
is named SHA1. It produces a 160-bit digest -- large enough to protect
against "birthday" attacks, where two different messages are
selected to produce the same signature, for the next decade. The official
FIPS description of SHA1 can be found
SHA1 is implemented in Kremlin.
Snefru is a hash function designed by Ralph Merkle, the designer of
the Khufu and Khafre encryption algorithms. 2-round Snefru has been
broken by Eli Biham. Snefru 2.5, the latest edition of the hash algorithm,
can generate either a 128-bit or a 256-bit digest.
Tiger is a new hash algorithm by Ross Anderson and Eli Biham. It is
designed to work with 64-bit processors such as the Digital Alpha and,
unlike MD4, does not rely on rotations (the Alpha has no such rotate
instruction). In order to provide drop-in compatibility with other hashes,
Tiger can generate a 128-bit, a 160-bit or a 192-bit digest. The Tiger
home page contains more information.
Want to add to the list of algorithms (or found a mistake)? Please