This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.
This column lists the complexity of the attack:
Attacks that lead to disclosure of the key or plaintext.
Cipher | Security claim | Best attack | Publish date | Comment |
---|---|---|---|---|
AES128 | 2128 | 2126.1 time, 288 data, 28 memory | 2011-08-17 | Independent biclique attack. [1] |
AES192 | 2192 | 2189.7 time, 280 data, 28 memory | ||
AES256 | 2256 | 2254.4 time, 240 data, 28 memory | ||
Blowfish | Up to 2448 | 4 of 16 rounds; 64-bit block is vulnerable to SWEET32 attack. | 2016 | Differential cryptanalysis. [2] Author of Blowfish (Bruce Schneier) recommends using Twofish instead. [3] SWEET32 attack demonstrated birthday attacks to recover plaintext with its 64-bit block size, vulnerable to protocols such as TLS, SSH, IPsec, and OpenVPN, without attacking the cipher itself. [4] |
Twofish | 2128 – 2256 | 6 of 16 rounds (2256 time) | 1999-10-05 | Impossible differential attack. [5] |
Serpent-128 | 2128 | 10 of 32 rounds (289 time, 2118 data) | 2002-02-04 | Linear cryptanalysis. [6] |
Serpent-192 | 2192 | 11 of 32 rounds (2187 time, 2118 data) | ||
Serpent-256 | 2256 | |||
DES | 256 | 239 – 243 time, 243 known plaintexts | 2001 | Linear cryptanalysis. [7] In addition, broken by brute force in 256 time, no later than 1998-07-17, see EFF DES cracker. [8] Cracking hardware is available for purchase since 2006. [9] |
Triple DES | 2168 | 2113 time, 232 data, 288 memory; 64-bit block is vulnerable to SWEET32 attack. | 2016 | Extension of the meet-in-the-middle attack. Time complexity is 2113 steps, but along with proposed techniques, it is estimated to be equivalent to 290 single DES encryption steps. The paper also proposes other time–memory tradeoffs. [10] SWEET32 attack demonstrated birthday attacks to recover plaintext with its 64-bit block size, vulnerable to protocols such as TLS, SSH, IPsec, and OpenVPN. [4] |
KASUMI | 2128 | 232 time, 226 data, 230 memory, 4 related keys | 2010-01-10 | The cipher used in 3G cell phone networks. This attack takes less than two hours on a single PC, but isn't applicable to 3G due to known plaintext and related key requirements. [11] |
RC4 | Up to 22048 | 220 time, 216.4 related keys(95% success probability) | 2007 | Commonly known as PTW attack, it can break WEP encryption in Wi-Fi on an ordinary computer in negligible time. [12] This is an improvement of the original Fluhrer, Mantin and Shamir attack published in 2001. [13] |
Attacks that allow distinguishing ciphertext from random data.
Cipher | Security claim | Best attack | Publish date | Comment |
---|---|---|---|---|
RC4 | up to 22048 | ?? time, 230.6 bytes data (90% probability) | 2000 | Paper. [14] |
Attacks that lead to disclosure of the key.
Cipher | Security claim | Best attack | Publish date | Comment |
---|---|---|---|---|
CAST (not CAST-128) | 264 | 248 time, 217 chosen plaintexts | 1997-11-11 | Related-key attack. [15] |
CAST-128 | 2128 | 6 of 16 rounds (288.51 time, 253.96 data) | 2009-08-23 | Known-plaintext linear cryptanalysis. [16] |
CAST-256 | 2256 | 24 of 48 rounds (2156.2 time, 2124.1 data) | ||
IDEA | 2128 | 2126.1 time | 2012-04-15 | Narrow-biclique attack. [17] |
MISTY1 | 2128 | 269.5 time, 264 chosen plaintexts | 2015-07-30 | Chosen-ciphertext, integral cryptanalysis, [18] an improvement over a previous chosen-plaintext attack. [19] |
RC2 | 264 – 2128 | Unknown[ clarification needed ] time, 234 chosen plaintexts | 1997-11-11 | Related-key attack. [15] |
RC5 | 2128 | Unknown | ||
SEED | 2128 | Unknown | ||
Skipjack | 280 | 280 | ECRYPT II recommendations note that, as of 2012, 80 bit ciphers provide only "Very short-term protection against agencies". [20] NIST recommends not to use Skipjack after 2010. [21] | |
TEA | 2128 | 232 time, 223 chosen plaintexts | 1997-11-11 | Related-key attack. [15] |
XTEA | 2128 | Unknown | ||
XXTEA | 2128 | 259 chosen plaintexts | 2010-05-04 | Chosen-plaintext, differential cryptanalysis. [22] |
Attacks that allow distinguishing ciphertext from random data.
Cipher | Security claim | Best attack | Publish date | Comment |
---|---|---|---|---|
CAST-256 | 2256 | 28 of 48 rounds (2246.9 time, 268 memory, 298.8 data) | 2012-12-04 | Multidimensional zero-correlation cryptanalysis. [23] |
The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.
The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.
In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher Proposed Encryption Standard (PES).
In cryptography, RC4 is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.
Articles related to cryptography include:
The GOST block cipher (Magma), defined in the standard GOST 28147-89, is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015, specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.
In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.
In cryptography, RC2 is a symmetric-key block cipher designed by Ron Rivest in 1987. "RC" stands for "Ron's Code" or "Rivest Cipher"; other ciphers designed by Rivest include RC4, RC5, and RC6.
In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.
In cryptography, the eXtended Sparse Linearization (XSL) attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy as it was claimed to have the potential to break the Advanced Encryption Standard (AES) cipher, also known as Rijndael, faster than an exhaustive search. Since AES is already widely used in commerce and government for the transmission of secret information, finding a technique that can shorten the amount of time it takes to retrieve the secret message without having the key could have wide implications.
In cryptography, a related-key attack is any form of cryptanalysis where the attacker can observe the operation of a cipher under several different keys whose values are initially unknown, but where some mathematical relationship connecting the keys is known to the attacker. For example, the attacker might know that the last 80 bits of the keys are always the same, even though they don't know, at first, what the bits are. This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt plaintexts under numerous secret keys related in some way.
In cryptography, COCONUT98 is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.
The following outline is provided as an overview of and topical guide to cryptography:
PRESENT is a lightweight block cipher, developed by the Orange Labs (France), Ruhr University Bochum (Germany) and the Technical University of Denmark in 2007. PRESENT was designed by Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. The algorithm is notable for its compact size.
A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having weakened both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.
Dmitry Khovratovich is a cryptographer, currently a Lead Cryptographer for the Dusk Network, researcher for the Ethereum Foundation, and member of the International Association for Cryptologic Research. He developed, together with Alex Biryukov, the Equihash proof-of-work algorithm which is currently being used as consensus mechanism for the Zcash cryptocurrency, and the Argon2 key derivation function, which won the Password Hashing Competition in July 2015.
Orr Dunkelman is an Israeli cryptographer and cryptanalyst, currently a professor at the University of Haifa Computer Science department. Dunkelman is a co-director of the Center for Cyber Law & Privacy at the University of Haifa and a co-founder of Privacy Israel, an Israeli NGO for promoting privacy in Israel.
In cryptography, a round or round function is a basic transformation that is repeated (iterated) multiple times inside the algorithm. Splitting a large algorithmic function into rounds simplifies both implementation and cryptanalysis.
On Wednesday, July 17, 1998 the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize.