Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Table color key 2 Best attack 3 Common ciphers 3.1 Key or plaintext recovery attacks 3.2 Distinguishing attacks 4 Less common ciphers 4.1 Key recovery attacks 4.2 Distinguishing attacks 5 See also 6 References

Cipher security summary

Add links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

Table color key

[edit]

No known successful attacks — attack only breaks a reduced version of the cipher

Theoretical break — attack breaks all rounds and has lower complexity than security claim

Attack demonstrated in practice

Best attack

[edit]

This column lists the complexity of the attack:

If the attack doesn't break the full cipher, "rounds" refers to how many rounds were broken
"time" — time complexity, number of cipher evaluations for the attacker
"data" — required known plaintext-ciphertext pairs (if applicable)
"memory" — how many blocks worth of data needs to be stored (if applicable)
"related keys" — for related-key attacks, how many related key queries are needed

Common ciphers

[edit]

Key or plaintext recovery attacks

[edit]

Attacks that lead to disclosure of the key or plaintext.

Cipher	Security claim	Best attack	Publish date	Comment
AES128	2¹²⁸	2^126.1 time, 2⁸⁸ data, 2⁸ memory	2011-08-17	Independent biclique attack.^[1]
AES192	2¹⁹²	2^189.7 time, 2⁸⁰ data, 2⁸ memory
AES256	2²⁵⁶	2^254.4 time, 2⁴⁰ data, 2⁸ memory
Blowfish	Up to 2⁴⁴⁸	4 of 16 rounds; 64-bit block is vulnerable to SWEET32 attack.	2016	Differential cryptanalysis.^[2] Author of Blowfish (Bruce Schneier) recommends using Twofish instead.^[3] SWEET32 attack demonstrated birthday attacks to recover plaintext with its 64-bit block size, vulnerable to protocols such as TLS, SSH, IPsec, and OpenVPN, without attacking the cipher itself.^[4]
Twofish	2¹²⁸ – 2²⁵⁶	6 of 16 rounds (2²⁵⁶ time)	1999-10-05	Impossible differential attack.^[5]
Serpent-128	2¹²⁸	10 of 32 rounds (2⁸⁹ time, 2¹¹⁸ data)	2002-02-04	Linear cryptanalysis.^[6]
Serpent-192	2¹⁹²	11 of 32 rounds (2¹⁸⁷ time, 2¹¹⁸ data)
Serpent-256	2²⁵⁶	11 of 32 rounds (2¹⁸⁷ time, 2¹¹⁸ data)
DES	2⁵⁶	2³⁹ – 2⁴³ time, 2⁴³ known plaintexts	2001	Linear cryptanalysis.^[7] In addition, broken by brute force in 2⁵⁶ time, no later than 1998-07-17, see EFF DES cracker.^[8] Cracking hardware is available for purchase since 2006.^[9]
Triple DES	2¹⁶⁸	2¹¹³ time, 2³² data, 2⁸⁸ memory; 64-bit block is vulnerable to SWEET32 attack.	2016	Extension of the meet-in-the-middle attack. Time complexity is 2¹¹³ steps, but along with proposed techniques, it is estimated to be equivalent to 2⁹⁰ single DES encryption steps. The paper also proposes other time–memory tradeoffs.^[10] SWEET32 attack demonstrated birthday attacks to recover plaintext with its 64-bit block size, vulnerable to protocols such as TLS, SSH, IPsec, and OpenVPN.^[4]
KASUMI	2¹²⁸	2³² time, 2²⁶ data, 2³⁰ memory, 4 related keys	2010-01-10	The cipher used in 3G cell phone networks. This attack takes less than two hours on a single PC, but isn't applicable to 3G due to known plaintext and related key requirements.^[11]
RC4	Up to 2²⁰⁴⁸	2²⁰ time, 2^16.4 related keys (95% success probability)	2007	Commonly known as PTW attack, it can break WEP encryption in Wi-Fi on an ordinary computer in negligible time.^[12] This is an improvement of the original Fluhrer, Mantin and Shamir attack published in 2001.^[13]

Distinguishing attacks

[edit]

Attacks that allow distinguishing ciphertext from random data.

Cipher	Security claim	Best attack	Publish date	Comment
RC4	up to 2²⁰⁴⁸	?? time, 2^30.6 bytes data (90% probability)	2000	Paper.^[14]

Less common ciphers

[edit]

Key recovery attacks

[edit]

Attacks that lead to disclosure of the key.

Cipher	Security claim	Best attack	Publish date	Comment
CAST (not CAST-128)	2⁶⁴	2⁴⁸ time, 2¹⁷ chosen plaintexts	1997-11-11	Related-key attack.^[15]
CAST-128	2¹²⁸	6 of 16 rounds (2^88.51 time, 2^53.96 data)	2009-08-23	Known-plaintext linear cryptanalysis.^[16]
CAST-256	2²⁵⁶	24 of 48 rounds (2^156.2 time, 2^124.1 data)	2009-08-23	Known-plaintext linear cryptanalysis.^[16]
IDEA	2¹²⁸	2^126.1 time	2012-04-15	Narrow-biclique attack.^[17]
MISTY1	2¹²⁸	2^69.5 time, 2⁶⁴ chosen plaintexts	2015-07-30	Chosen-ciphertext, integral cryptanalysis,^[18] an improvement over a previous chosen-plaintext attack.^[19]
RC2	2⁶⁴ – 2¹²⁸	Unknown^{[clarification needed]} time, 2³⁴ chosen plaintexts	1997-11-11	Related-key attack.^[15]
RC5	2¹²⁸	Unknown
SEED	2¹²⁸	Unknown
Skipjack	2⁸⁰	2⁸⁰		ECRYPT II recommendations note that, as of 2012, 80 bit ciphers provide only "Very short-term protection against agencies".^[20] NIST recommends not to use Skipjack after 2010.^[21]
TEA	2¹²⁸	2³² time, 2²³ chosen plaintexts	1997-11-11	Related-key attack.^[15]
XTEA	2¹²⁸	Unknown
XXTEA	2¹²⁸	2⁵⁹ chosen plaintexts	2010-05-04	Chosen-plaintext, differential cryptanalysis.^[22]

Distinguishing attacks

[edit]

Attacks that allow distinguishing ciphertext from random data.

Cipher	Security claim	Best attack	Publish date	Comment
CAST-256	2²⁵⁶	28 of 48 rounds (2^246.9 time, 2⁶⁸ memory, 2^98.8 data)	2012-12-04	Multidimensional zero-correlation cryptanalysis.^[23]

References

[edit]

^ Andrey Bogdanov; Dmitry Khovratovich; Christian Rechberger (2011-08-17). "Biclique Cryptanalysis of the Full AES". Cryptology ePrint Archive.

^ Vincent Rijmen (1997). "Cryptanalysis and Design of Iterated Block Ciphers". Ph.D. Thesis.

^ Dahna McConnachie (2007-12-27). "Bruce Almighty: Schneier preaches security to Linux faithful". Computerworld. Archived from the original on 2012-06-03. Retrieved 2014-02-13.

^ ^a ^b Karthikeyan Bhargavan, Gaëtan Leurent (August 2016). "On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN". ACM CCS 2016.

^ Niels Ferguson (1999-10-05). "Impossible Differentials in Twofish". Schneier.

^ Eli Biham; Orr Dunkelman; Nathan Keller (2002-02-04). Linear Cryptanalysis of Reduced Round Serpent. FSE 2002. doi:10.1007/3-540-45473-X_2.

^ Junod, Pascal (2001). On the Complexity of Matsui's Attack. Selected Areas in Cryptography. pp. 199–211. Archived from the original on 2009-05-27.

^ "DES Cracker Project". EFF. Archived from the original on May 7, 2017. Retrieved August 26, 2015. On Wednesday, July 17, 1998 the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize.

^ "COPACOBANA – Special-Purpose Hardware for Code-Breaking".

^ Stefan Lucks (1998-03-23). "Attacking Triple Encryption". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1372. Springer. pp. 239–253. doi:10.1007/3-540-69710-1_16. ISBN 978-3-540-64265-7.

^ Orr Dunkelman; Nathan Keller; Adi Shamir (2010-01-10). "A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony". Cryptology ePrint Archive.

^ Erik Tews; Ralf-Philipp Weinmann; Andrei Pyshkin (2007). Breaking 104 Bit WEP in Less Than 60 Seconds. WISA 2007.

^ Scott Fluhrer; Itsik Mantin; Adi Shamir (2001-12-20). Weaknesses in the Key Scheduling Algorithm of RC4 (PDF). Selected Areas in Cryptography 2001.

^ Scott R. Fluhrer; David A. McGrew. Statistical Analysis of the Alleged RC4 Keystream Generator (PDF). FSE 2000. pp. 19–30. Archived from the original (PDF) on 2014-05-02.

^ ^a ^b ^c John Kelsey; Bruce Schneier; David Wagner (1997-11-11). "Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X NewDES, RC2, and TEA". In Yongfei Han; Tatsuaki Okamoto; Sihan Quing (eds.). Information and Communications Security: First International Conference. Vol. 1334. Springer. pp. 233–246. CiteSeerX 10.1.1.35.8112. doi:10.1007/BFb0028479. ISBN 978-3-540-63696-0.

^ Meiqin Wang; Xiaoyun Wang; Changhui Hu (2009-08-23). "New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256". Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 5381. pp. 429–441. doi:10.1007/978-3-642-04159-4_28. ISBN 978-3-642-04158-7. S2CID 35612393.

^ Achiya Bar-On (2015-07-30). "A 2⁷⁰ Attack on the Full MISTY1". Cryptology ePrint Archive.

^ Yosuke Todo (2015-07-06). Integral Cryptanalysis on Full MISTY1. CRYPTO 2015.

^ "ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)" (PDF). CORDIS. 30 September 2012. D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II.

^ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST

^ Elias Yarrkov (2010-05-04). "Cryptanalysis of XXTEA". Cryptology ePrint Archive.

^ Andrey Bogdanov; Gregor Leander; Kaisa Nyberg; Meiqin Wang (2012-12-04). "Integral and multidimensional linear distinguishers with correlation zero" (PDF). Advances in Cryptology – ASIACRYPT 2012: 18th International Conference on the Theory and Application of Cryptology and Information Security. Vol. 7658. Springer. pp. 244–261. doi:10.1007/978-3-642-34961-4. ISBN 978-3-642-34960-7. S2CID 26601027.

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

Cryptography

General

Mathematics

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=Cipher_security_summary&oldid=1228172725" Categories: ●Block ciphers ●Cryptography lists and comparisons Hidden categories: ●Articles with short description ●Short description is different from Wikidata ●Wikipedia articles needing clarification from May 2014 ●This page was last edited on 9 June 2024, at 20:43 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view