Block cipher

In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take (for example) a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input — the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plain text.

A message longer than the block size (128 bits in the above example) can still be encrypted with a block cipher by breaking the message into blocks and encrypting each block individually. However, in this method all blocks are encrypted with the same key, which degrades security (because each repetition in the plaintext becomes a repetition in the ciphertext). To overcome this issue, modes of operation are used to make encryption probabilistic. Some modes of operation, despite the fact that their underlying implementation is a block cipher, allow the encryption of individual bits. The resulting cipher is called a stream cipher.

An early and highly influential block cipher design was the Data Encryption Standard (DES), developed at IBM and published as a standard in 1977. A successor to DES, the Advanced Encryption Standard (AES), was adopted in 2001.



A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, E−1. Both algorithms accept two inputs: an input block of size n bits and a key of size k bits, yielding an n-bit output block. For any one fixed key, decryption is the inverse function of encryption, so that

E_K(M) = C \; ; \quad E_K^{-1}(C)=M

for any block M and key K. M is termed the plaintext and C the ciphertext.

For each key K, EK is a permutation (a bijective mapping) over the set of input blocks. Each key selects one permutation from the possible set of (2n)!.

The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to the longer 128-bit length. One of several modes of operation is generally used along with a padding scheme to allow plaintexts of arbitrary lengths to be encrypted. Each mode has different characteristics in regard to error propagation, ease of random access and vulnerability to certain types of attack. Typical key sizes (k) include 40,[1] 56,[1] 64, 80, 128,[1] 192 and 256, 512, 1024, 2048, 4096 bits. As of 2011, 128 bits is normally taken as the minimum key length needed to prevent brute force attacks. For creating ciphers with arbitrary block sizes (or on domains that aren't powers of two) see Format-preserving encryption.

Iterated block ciphers

Most block ciphers are constructed by repeatedly applying a simpler function. This approach is known as iterated block cipher (see also product cipher). Each iteration is termed a round, and the repeated function is termed the round function; anywhere between 4 to 32 rounds are typical.

Usually, the round function R takes different round keys Ki as second input, which are derived from the original key:

M_i = R_{K_i}(M_{i-1})

where M0 is the plaintext and Mr the ciphertext, with r being the round number.

Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used):

 M_0 = M \oplus K_0
M_i = R_{K_i}(M_{i-1})\; ; \; i = 1 \dots r
C = M_r \oplus K_{r+1}

Many block ciphers can be categorised as Feistel networks, or, as more general substitution-permutation networks. Arithmetic operations, logical operations (especially XOR), S-boxes and various permutations are all frequently used as components.


Lucifer is generally considered to be the first civilian block cipher, developed at IBM in the 1970s based on work done by Horst Feistel. A revised version of the algorithm was adopted as a US government FIPS standard, the DES. It was chosen by the US National Bureau of Standards (NBS) after a public invitation for submissions and some internal changes by NBS (and, potentially, the NSA). DES was publicly released in 1976 and has been widely used.

DES was designed to, among other things, resist a certain cryptanalytic attack known to the NSA and rediscovered by IBM, though unknown publicly until rediscovered again and published by Eli Biham and Adi Shamir in the late 1980s. The technique is called differential cryptanalysis and remains one of the few general attacks against block ciphers; linear cryptanalysis is another, but may have been unknown even to the NSA, prior to its publication by Mitsuru Matsui. DES prompted a large amount of other work and publications in cryptography and cryptanalysis in the open community and it inspired many new cipher designs.

DES has a block size of 64 bits and a key size of 56 bits. 64-bit blocks became common in block cipher designs after DES. Key length depended on several factors, including government regulation. Many observers in the 1970s commented that the 56-bit key length used for DES was too short. As time went on, its inadequacy became apparent, especially after a special purpose machine designed to break DES was demonstrated in 1998 by the Electronic Frontier Foundation. A variant of DES, Triple DES, triple-encrypts blocks with either two different keys (2 key TDES, resulting in a 112-bit keys and 80-bit security) or three keys (3 key TDES, resulting in a 168-bit key and 112-bit security). It was widely adopted as a replacement. As of 2011, the three-key version is still considered secure, though National Institute of Standards and Technology(NIST) standards no longer permit the use of the two-key version in new applications, due to its 80 bit security level.

DES has been superseded as a United States Federal Standard by the AES, adopted by National Institute of Standards and Technology (NIST) in 2001 after a 5-year public competition. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted under the name Rijndael. AES has a block size of 128 bits and three possible key sizes, 128, 192 and 256 bits. The US Government permits the use of AES to protect classified information in systems approved by NSA.


In addition to linear and differential cryptanalysis, there is a growing catalog of attacks: truncated differential cryptanalysis, partial differential cryptanalysis, integral cryptanalysis, which encompasses square and integral attacks, slide attacks, boomerang attacks, the XSL attack, impossible differential cryptanalysis and algebraic attacks. For a new block cipher design to have any credibility, it must demonstrate evidence of security against known attacks.

Tweakable block ciphers

M. Liskov, R. Rivest, and D. Wagner have described a generalized version of block ciphers called "tweakable" block ciphers. A tweakable block cipher accepts a second input called the tweak along with its usual plaintext or ciphertext input. The tweak, along with the key, selects the permutation computed by the cipher. If changing tweaks is sufficiently lightweight (compared with a usually fairly expensive key setup operation), then some interesting new operation modes become possible. The disk encryption theory article describes some of these modes.

Block ciphers and other cryptographic primitives

Block ciphers can be used to build other cryptographic primitives. For these other primitives to be cryptographically secure care has to be taken to build them the right way.

Stream ciphers can be built using block ciphers. OFB-mode and CTR mode are block modes that turn a block cipher into a stream cipher.

Cryptographic hash functions can be built using block ciphers. See one-way compression function for descriptions of several such methods. The methods resemble the block cipher modes of operation usually used for encryption.

Just as block ciphers can be used to build hash functions, hash functions can be used to build block ciphers. Examples of such block ciphers are SHACAL, BEAR and LION.

Cryptographically secure pseudorandom number generators (CSPRNGs) can be built using block ciphers.

Secure pseudorandom permutations of arbitrarily sized finite sets can be constructed with block ciphers; see Format-Preserving Encryption.

Message authentication codes (MACs) are often built from block ciphers. CBC-MAC, OMAC and PMAC are such MACs.

Authenticated encryption is also built from block ciphers. It means to both encrypt and MAC at the same time. That is to both provide confidentiality and authentication. CCM, EAX, GCM and OCB are such authenticated encryption modes.

See also


  • M. Liskov, R. Rivest, and D. Wagner, "Tweakable Block Ciphers", Crypto 2002 PDF.

External links

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Block Cipher —   [engl.], blockweise Verschlüsselung …   Universal-Lexikon

  • Block cipher modes of operation — This article is about cryptography. For method of operating , see modus operandi. In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.[1][2] A block cipher by itself… …   Wikipedia

  • Iraqi block cipher — In cryptography, the Iraqi block cipher was a block cipher published in C source code form by anonymous FTP upload around July 1999, and widely distributed on Usenet. It is a five round unbalanced Feistel cipher operating on a 256 bit block with… …   Wikipedia

  • GOST (block cipher) — Infobox block cipher name = GOST 28147 89 caption = Diagram of GOST designers = USSR publish date = 1994 (declassified) derived from = derived to = key size = 256 bits block size = 64 bits structure = Feistel network rounds = 32 cryptanalysis =… …   Wikipedia

  • KASUMI (block cipher) — Infobox block cipher name = KASUMI caption = designers = Security Algorithms Group of Experts publish date = derived from = MISTY1 derived to = key size = 128 bits block size = 64 bits structure = Feistel network rounds = 8 cryptanalysis =… …   Wikipedia

  • ABC (block cipher) — Infobox block cipher name = ABC designers = Dieter Schmidt publish date = May 27 2002 derived from = MMB, SAFER derived to = related to = certification = key size = 512 bits block size = 256 bits structure = Substitution permutation network… …   Wikipedia

  • S-1 block cipher — In cryptography, the S 1 block cipher was a block cipher posted in source code form on Usenet on 11 August 1995. Although incorrect security markings immediately indicated a hoax, there were several features of the code which suggested it might… …   Wikipedia

  • AEAD block cipher modes of operation — Authenticated Encryption with Associated Data (AEAD) is a class of block cipher modes which encrypt (parts of) the message and authenticate the message simultaneously. Interest in these modes was sparked by the publication of Charanjit Jutla s… …   Wikipedia

  • Cipher — For other uses, see Cipher (disambiguation). Edward Larsson s rune cipher resembling that found on the Kensington Runestone. Also includes runically unrelated blackletter writing style and pigpen cipher. In cryptography, a cipher (or cypher) is… …   Wikipedia

  • Cipher security summary — This article summarizes publicly known attacks against ciphers. Note that not all entries may be up to date. Table color key No known successful attacks Theoretical break Attack demonstrated in practice The Best attack column lists the complexity …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”