RSA Laboratories

3.6.7 What are some other block ciphers?

Many of the block ciphers proposed in recent years, including those listed below, were developed (at least in part) either as successors to DES or as candidates for the Advanced Encryption Standard, AES. See Sections 3.2 and 3.3 for more information on DES and AES, respectively. For descriptions of the five finalists to the AES (MARS, Rijndael, RC6, Serpent, and Twofish), see Question 3.3.2.

IDEA (International Data Encryption Algorithm) [LMM92] is the second version of a block cipher designed and presented by Lai and Massey [LM91]. It is a 64-bit iterative block cipher with a 128-bit key. The encryption process requires eight complex rounds. While the cipher does not have a Feistel structure (see Question 2.1.4), decryption is carried out in the same manner as encryption once the decryption subkeys have been calculated from the encryption subkeys. The cipher structure was designed to be easily implemented in both software and hardware, and the security of IDEA relies on the use of three incompatible types of arithmetic operations on 16-bit words. However some of the arithmetic operations used in IDEA are not that fast in software. As a result the speed of IDEA in software is similar to that of DES.

One of the principles used during the design of IDEA was to facilitate analysis of its strength against differential cryptanalysis (see Question 2.4.5) and IDEA is considered to be immune to differential cryptanalysis. Furthermore there are no linear cryptanalytic attacks on IDEA and there are no known algebraic weaknesses in IDEA. The most significant cryptanalytic result is due to Daemen [DGV94], who discovered a large class of 251 weak keys (see Question 2.4.5) for which the use of such a key during encryption could be detected easily and the key recovered. However, since there are 2128 possible keys, this result has no impact on the practical security of the cipher for encryption provided the encryption keys are chosen at random. IDEA is generally considered to be a very secure cipher and both the cipher development and its theoretical basis have been openly and widely discussed.

SAFER (Secure And Fast Encryption Routine) is a non-proprietary block cipher developed by Massey in 1993 for Cylink Corporation [Mas93]. It is a byte-oriented algorithm with a 64-bit block size and, in one version, a 64-bit key size. It has a variable number of rounds, but a minimum of six rounds is recommended. Unlike most recent block ciphers, SAFER has slightly different encryption and decryption procedures. Only byte-based operations are employed to ensure its utility in smart card-based applications that have limited processing power. When first announced, SAFER was intended to be implemented with a key of length 64 bits and it was accordingly named SAFER K-64. Another version of SAFER was designed that could handle 128-bit keys and was named SAFER K-128. A variant - SAFER+ - was submitted to the AES, but the algorithm did not qualify for the second round, due to its lack of speed.

Early cryptanalysis of SAFER K-64 [Mas93] showed that SAFER K-64 could be considered immune to both differential and linear cryptanalysis (see Question 2.4.5) when the number of rounds is greater than six. However, Knudsen [Knu95] discovered a weakness in the key schedule of SAFER K-64 and a new key schedule for the family of SAFER ciphers soon followed. These new versions of SAFER are denoted SAFER SK-64 and SAFER SK-128 where SK denotes a strengthened key schedule (though one joke has it that SK really stands for ``Stop Knudsen'', a wise precaution in the design of any block cipher). Most recently, a version of SAFER called SAFER SK-40 was announced, which uses a 40-bit key and has five rounds (thereby increasing the speed of encryption). This reduced-round version is secure against differential and linear cryptanalysis in the sense that any such attack would require more effort than a brute-force search for a 40-bit key.

The Fast Data Encipherment Algorithm (FEAL) was presented by Shimizu and Miyaguchi [SM88] as an alternative to DES. The original cipher (called FEAL-4) was a four-round cryptosystem with a 64-bit block size and a 64-bit key size and it was designed to give high performance in software. Soon a variety of attacks against FEAL-4 were announced including one attack that required only 20 chosen plaintexts [Mur90]. Several results in the cryptanalysis of FEAL-8 (eight-round version) led the designers to introduce a revised version, FEAL-N, where N denoted the number of rounds. Biham and Shamir [BS91b] developed differential cryptanalytic attacks against FEAL-N for up to 31 rounds. In 1994, Ohta and Aoki presented a linear cryptanalytic attack against FEAL-8 that required 225 known plaintexts [OA94], and other improvements [KR95a] followed. In the wake of these numerous attacks, FEAL and its derivatives should be considered insecure.

Skipjack is the encryption algorithm contained in the Clipper chip (see Question 6.2.4), designed by the NSA (see Question 6.2.2). It uses an 80-bit key to encrypt 64-bit blocks of data. Skipjack is expected to be more secure than DES in the absence of any analytic attack since it uses 80-bit keys. By contrast, DES uses 56-bit keys.

Initially, the details of Skipjack were classified and the decision not to make the details of the algorithm publicly available was widely criticized. Some people were suspicious that Skipjack might not be secure, either due to an oversight by its designers, or by the deliberate introduction of a secret trapdoor. Since Skipjack was not public, it could not be widely scrutinized and there was little public confidence in the cipher.

Aware of such criticism, the government invited a small group of independent cryptographers to examine the Skipjack algorithm. They issued a report [BDK93] that stated that although their study was too limited to reach a definitive conclusion, they nevertheless believed Skipjack was secure.

In June 1998 Skipjack was declassified by the NSA. Early cryptanalysis has failed to find any substantial weakness in the cipher.

Blowfish is a 64-bit block cipher developed by Bruce Schneier [Sch93]. It is a Feistel cipher (see Question 2.1.4) and each round consists of a key-dependent permutation and a key-and-data-dependent substitution. All operations are based on XORs and additions on 32-bit words. The key has a variable length (with a maximum length of 448 bits) and is used to generate several subkey arrays. This cipher was designed specifically for 32-bit machines and is significantly faster than DES. There was an open competition for the cryptanalysis of Blowfish supported by Dr. Dobb's Journal with a $1000 prize. This contest ended in April 1995 [Sch95]; among the results were the discoveries of existence of certain weak keys (see Question 2.4.5), an attack against a three-round version of Blowfish, and a differential attack against certain variants of Blowfish. However, Blowfish can still be considered secure, and Schneier has invited cryptanalysts to continue investigating his cipher. The AES candidate Twofish is based on Blowfish.

CAST-128 is another popular 64-bit Feistel cipher allowing key sizes up to 128 bits. The name CAST stands for Carlisle Adams and Stafford Tavares, the original inventors of CAST. CAST-128 consists of 16 non-identical rounds, where each round is built up by simple operations such as integer and bitwise addition and rotation. CAST-128 is owned by Entrust Technologies but is free for commercial as well as non-commercial use. The algorithm has been widely adopted by the internet community and is part of products from Pretty Good Privacy, IBM, and Microsoft. CAST-256 is a freely available extension of CAST-128 accepting up to 256 bits of key size and with a 128-bit block size. CAST-256 was one of the original candidates for the AES. Though no security weaknesses were found, the algorithm did not qualify for the second round. CAST-256 and the finalist Serpent share the property of strongly favoring security over speed, and since it is considered as unlikely that two ``slow'' algorithms would be selected for the AES, only one of them qualified for the second round. We emphasize that CAST-256 can be considered as secure.

Top of the page