Cipher security summary

Cipher security summary

This article summarizes publicly known attacks against ciphers. Note that not all entries may be up to date.

Table color key
No known successful attacks
Theoretical break
Attack demonstrated in practice

The Best attack column lists the complexity of the attack:

  • If the attack doesn't break the full cipher, "rounds" refers to how many rounds were broken
  • "time" — time complexity, number of cipher evaluations for the attacker
  • "data" — required known plaintext-ciphertext pairs (if applicable)
  • "memory" — how many blocks worth of data needs to be stored (if applicable)
  • "related keys" — for related-key attacks, how many related key queries are needed


Common ciphers

Key recovery attacks

Attacks that lead to disclosure of the key.

Cipher Security claim Best attack Attack date Comment
AES128 2128 2126.1 time, 288 data, 28 memory 2011-08-17[1] Independent biclique attacks
AES192 2192 2189.7 time, 280 data, 28 memory
AES256 2256 2254.4 time, 240 data, 28 memory
Blowfish 2448 4 of 16 rounds 1997[2]
DES 256 256 time 1998-07-17[3] Broken by brute force, see EFF DES cracker. Off-the-shelf hardware is available for $10,000.[4]
Triple DES 2168 2113 time, 232 data, 288 memory 1998-03-23[5]
KASUMI 2128 232 time, 226 data, 230 memory, 4 related keys 2010-01-10[6] The cipher used in 3G cell phone networks. This attack takes less than two hours on a single PC, but isn't applicable to 3G due to known plaintext and related key requirements.
Serpent-128 2128 10 of 32 rounds (289 time, 2118 data) 2002-02-04[7] Linear cryptanalysis
Serpent-192 2192 11 of 32 rounds (2187 time, 2118 data)
Serpent-256 2256
Twofish 2128..2256 6 of 16 rounds (2256 time) 1999-10-05[8]

Less common ciphers

Key recovery attacks

Attacks that lead to disclosure of the key.

Cipher Security claim Best attack Attack date Comment
CAST-128 2128 248 time, 217 chosen plaintexts 1997-11-11[9] Related-key attack
IDEA 2128 6 of 8.5 rounds (2126.8 time, 264 data) 2007-03-26[10] Differential-linear attack
RC2 264..2128 2?? time, 234 chosen plaintexts 1997-11-11[9] Related-key attack
RC5 2128 ?
SEED 2128 ?
Skipjack 280 31 of 32 rounds (275 time, 241 chosen plaintexts) 1999-05-02[11] Chosen plaintext impossible differential cryptanalysis
TEA 2128 232 time, 223 chosen plaintexts 1997-11-11[9] Related-key attack
XTEA 2128 ?
XXTEA 2128 259 chosen plaintexts 2010-05-04[12] Chosen-plaintext, differential cryptanalysis

See also


  1. ^ Vincent Rijmen (1997). "Cryptanalysis and Design of Iterated Block Ciphers". Ph.D thesis. 
  2. ^ "DES Cracker Project". EFF. "On Wednesday, July 17, 1998 the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize." 
  3. ^ "COPACOBANA – Special-Purpose Hardware for Code-Breaking". 
  4. ^ Stefan Lucks (1998-03-23). Attacking Triple Encryption. 
  5. ^ Orr Dunkelman, Nathan Keller, Adi Shamir (2010-01-10). A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony. 
  6. ^ Eli Biham, Orr Dunkelman, Nathan Keller (2002-02-04). Linear Cryptanalysis of Reduced Round Serpent. FSE 2002. 
  7. ^ Niels Ferguson (1999-10-05). Impossible Differentials in Twofish. 
  8. ^ a b c John Kelsey, Bruce Schneier, David Wagner (1997-11-11). "Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X NewDES, RC2, and TEA". Lecture Notes in Computer Science 1334: 233–246. doi:10.1007/BFb0028479. 
  9. ^ Eli Biham, Orr Dunkelman, Nathan Keller (2007-03-26). A New Attack on 6-Round IDEA. FSE 2007. 
  10. ^ Eli Biham, Adi Shamir, Alex Biryukov (1999-05-02). "Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials.". EUROCRYPT: 12–23. 
  11. ^ Elias Yarrkov (2010-05-04). Cryptanalysis of XXTEA. 

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Block cipher — In cryptography, a block cipher is a symmetric key cipher operating on fixed length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take (for example) a 128 bit block of plaintext as… …   Wikipedia

  • Block cipher modes of operation — This article is about cryptography. For method of operating , see modus operandi. In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.[1][2] A block cipher by itself… …   Wikipedia

  • Nimbus (cipher) — This article is about the block cipher. For other uses, see Nimbus (disambiguation). Nimbus General Designers Alexis Machado First published 2000 Cipher detail Key sizes 128 bits Block sizes …   Wikipedia

  • Cryptomeria cipher — The Feistel function of the Cryptomeria cipher. General Designers 4C Entity First published …   Wikipedia

  • Mercy (cipher) — This article is about the block cipher. For other uses, see Mercy (disambiguation). Mercy General Designers Paul Crowley First published April 2000[1] Derived from WAKE …   Wikipedia

  • DFC (cipher) — This article is about the block cipher. For other uses, see DFC (disambiguation). DFC General Designers Jacques Stern, Serge Vaudenay, et al. First published 1998 Related to COCONUT98 Cipher detail …   Wikipedia

  • Crab (cipher) — This article is about the block cipher. For other uses, see Crab (disambiguation). Crab General Designers Burt Kaliski, Matt Robshaw First published 1993 Derived from MD5 Related to SHACAL …   Wikipedia

  • Information security — Components: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications with the purpose to identify and apply information security… …   Wikipedia

  • Data Encryption Standard — The Feistel function (F function) of DES General Designers IBM First publis …   Wikipedia

  • International Data Encryption Algorithm — IDEA An encryption round of IDEA General Designers Xuejia Lai and James Massey …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”