Block cipher security summary


This article summarizes publicly known attacks against block ciphers. Note that not all entries may be up to date.

Table color key

  No known successful attacks
  Theoretical break
  Attack demonstrated in practice

Best attack

This column lists the complexity of the attack:

  • If the attack doesn't break the full cipher, "rounds" refers to how many rounds were broken
  • "time" — time complexity, number of cipher evaluations for the attacker
  • "data" — required known plaintext-ciphertext pairs (if applicable)
  • "memory" — how many blocks' worth of data need to be stored (if applicable)
  • "related keys" — for related-key attacks, how many related key queries are needed

Common ciphers

Key recovery attacks

Attacks that lead to disclosure of the key.

| Cipher | Security claim | Best attack | Attack date | Comment |
|---|---|---|---|---|
| AES128 | 2^128 | 2^126.1 time, 2^88 data, 2^8 memory | 2011-08-17[1] | Independent biclique attacks |
| AES192 | 2^192 | 2^189.7 time, 2^80 data, 2^8 memory | | |
| AES256 | 2^256 | 2^254.4 time, 2^40 data, 2^8 memory | | |
| Blowfish | 2^448 | 4 of 16 rounds | 1997[2] | The author recommends using Twofish instead.[3] |
| DES | 2^56 | 2^39 – 2^43 time, 2^43 known plaintexts | 2001[4] | Linear cryptanalysis. In addition, broken by brute force in 2^56 time, no later than 1998-07-17; see EFF DES cracker.[5] Cracking hardware has been available for purchase since 2006.[6] |
| Triple DES | 2^168 | 2^113 time, 2^32 data, 2^88 memory | 1998-03-23[7] | |
| KASUMI | 2^128 | 2^32 time, 2^26 data, 2^30 memory, 4 related keys | 2010-01-10[8] | The cipher used in 3G cell phone networks. This attack takes less than two hours on a single PC, but isn't applicable to 3G due to known plaintext and related key requirements. |
| Serpent-128 | 2^128 | 10 of 32 rounds (2^89 time, 2^118 data) | 2002-02-04[9] | Linear cryptanalysis |
| Serpent-192 | 2^192 | 11 of 32 rounds (2^187 time, 2^118 data) | | |
| Serpent-256 | 2^256 | | | |
| Twofish | 2^128 – 2^256 | 6 of 16 rounds (2^256 time) | 1999-10-05[10] | |

Less common ciphers

Key recovery attacks

Attacks that lead to disclosure of the key.

| Cipher | Security claim | Best attack | Attack date | Comment |
|---|---|---|---|---|
| CAST (not CAST-128) | 2^64 | 2^48 time, 2^17 chosen plaintexts | 1997-11-11[11] | Related-key attack |
| IDEA | 2^128 | 2^126.1 time | 2012-04-15[12] | Narrow-Bicliques attack |
| RC2 | 2^64 – 2^128 | Unknown time, 2^34 chosen plaintexts | 1997-11-11[11] | Related-key attack |
| RC5 | 2^128 | Unknown | | |
| SEED | 2^128 | Unknown | | |
| Skipjack | 2^80 | 2^80 | | ECRYPT II recommendations note that, as of 2012, 80-bit ciphers provide only "Very short-term protection against agencies".[13] NIST recommends not using Skipjack after 2010.[14] |
| TEA | 2^128 | 2^32 time, 2^23 chosen plaintexts | 1997-11-11[11] | Related-key attack |
| XTEA | 2^128 | Unknown | | |
| XXTEA | 2^128 | 2^59 chosen plaintexts | 2010-05-04[15] | Chosen-plaintext, differential cryptanalysis |

References

  1. Vincent Rijmen (1997). "Cryptanalysis and Design of Iterated Block Ciphers". Ph.D. thesis.
  2. https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/
  3. Junod, Pascal. "On the Complexity of Matsui's Attack". Selected Areas in Cryptography, 2001, pp. 199–211.
  4. "DES Cracker Project". EFF. "On Wednesday, July 17, 1998 the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize."
  5. "COPACOBANA – Special-Purpose Hardware for Code-Breaking".
  6. Stefan Lucks (1998-03-23). Attacking Triple Encryption.
  7. Orr Dunkelman, Nathan Keller, Adi Shamir (2010-01-10). A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony.
  8. Eli Biham, Orr Dunkelman, Nathan Keller (2002-02-04). Linear Cryptanalysis of Reduced Round Serpent. FSE 2002.
  9. Niels Ferguson (1999-10-05). Impossible Differentials in Twofish.
  10. John Kelsey, Bruce Schneier, David Wagner (1997-11-11). "Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X NewDES, RC2, and TEA". Lecture Notes in Computer Science 1334: 233–246. doi:10.1007/BFb0028479.
  11. Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012.
  12. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST.
  13. Elias Yarrkov (2010-05-04). Cryptanalysis of XXTEA.