Block cipher
==Notable block ciphers==

===Lucifer / DES===
{{main|Lucifer (cipher)|Data Encryption Standard}}
[[Lucifer (cipher)|Lucifer]] is generally considered to be the first civilian block cipher, developed at [[IBM]] in the 1970s based on work done by [[Horst Feistel]]. A revised version of the algorithm was adopted as a U.S. government [[Federal Information Processing Standard]]: FIPS PUB 46 [[Data Encryption Standard]] (DES).<ref>[http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf FIPS PUB 46-3 ''Data Encryption Standard (DES)''] (This is the third edition, 1999, but includes historical information in the preliminary section 12.)</ref> It was chosen by the U.S. National Bureau of Standards (NBS) after a public invitation for submissions and some internal changes by [[National Institute of Standards and Technology|NBS]] (and, potentially, the [[NSA]]). DES was publicly released in 1976 and has been widely used.{{citation needed|date=April 2012}}

DES was designed to, among other things, resist a certain cryptanalytic attack known to the NSA and rediscovered by IBM, though unknown publicly until rediscovered again and published by [[Eli Biham]] and [[Adi Shamir]] in the late 1980s. The technique is called [[differential cryptanalysis]] and remains one of the few general attacks against block ciphers; [[linear cryptanalysis]] is another but may have been unknown even to the NSA, prior to its publication by [[Mitsuru Matsui]]. DES prompted a large amount of other work and publications in cryptography and [[cryptanalysis]] in the open community and it inspired many new cipher designs.{{citation needed|date=April 2012}}

DES has a block size of 64 bits and a [[key size]] of 56 bits. 64-bit blocks became common in block cipher designs after DES. Key length depended on several factors, including government regulation. Many observers{{who|date=April 2012}} in the 1970s commented that the 56-bit key length used for DES was too short.
As time went on, its inadequacy became apparent, especially after a [[EFF DES cracker|special-purpose machine designed to break DES]] was demonstrated in 1998 by the [[Electronic Frontier Foundation]]. An extension to DES, [[Triple DES]], triple-encrypts each block with either two independent keys (112-bit key and 80-bit security) or three independent keys (168-bit key and 112-bit security). It was widely adopted as a replacement. As of 2011, the three-key version is still considered secure, though the [[National Institute of Standards and Technology]] (NIST) standards no longer permit the use of the two-key version in new applications, due to its 80-bit security level.<ref name="NIST_SP_800-57">[http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf NIST Special Publication 800-57 ''Recommendation for Key Management – Part 1: General (Revised)'', March, 2007] {{webarchive|url=https://web.archive.org/web/20140606050814/http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf|date=June 6, 2014}}.</ref>

===IDEA===
The ''[[International Data Encryption Algorithm]]'' (''IDEA'') is a block cipher designed by [[James Massey]] of [[ETH Zurich]] and [[Xuejia Lai]]; it was first described in 1991, as an intended replacement for DES.

IDEA operates on 64-bit [[block size (cryptography)|blocks]] using a 128-bit key and consists of a series of eight identical transformations (a ''round'') and an output transformation (the ''half-round''). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different [[group (mathematics)|groups]] – [[modular arithmetic|modular]] addition and multiplication, and bitwise ''[[exclusive or]] (XOR)'' – which are algebraically "incompatible" in some sense.

The designers analysed IDEA to measure its strength against [[differential cryptanalysis]] and concluded that it is immune under certain assumptions.
No successful [[linear cryptanalysis|linear]] or algebraic weaknesses have been reported. {{As of|2012}}, the best attack which applies to all keys can break a full 8.5-round IDEA using a narrow-bicliques attack about four times faster than brute force.

===RC5===
[[File:RC5 InfoBox Diagram.svg|thumb|160px|right|One round (two half-rounds) of the RC5 block cipher]]
{{Main|RC5}}
RC5 is a block cipher designed by [[Ron Rivest|Ronald Rivest]] in 1994 which, unlike many other ciphers, has a variable block size (32, 64, or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255). The original suggested choice of parameters was a block size of 64 bits, a 128-bit key, and 12 rounds.

A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of [[modular arithmetic|modular]] additions and XORs. The general structure of the algorithm is a [[Feistel cipher|Feistel]]-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially [[one-way function]] with the binary expansions of both [[e (mathematical constant)|e]] and the [[golden ratio]] as sources of "[[nothing up my sleeve number]]s". The tantalizing simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts.

12-round RC5 (with 64-bit blocks) is susceptible to a [[differential cryptanalysis|differential attack]] using 2<sup>44</sup> chosen plaintexts.<ref name="Biryukov">Biryukov A. and Kushilevitz E. (1998). Improved Cryptanalysis of RC5. EUROCRYPT 1998.</ref> 18–20 rounds are suggested as sufficient protection.
===Rijndael / AES===
{{Main|Advanced Encryption Standard}}
The ''Rijndael'' cipher, developed by Belgian cryptographers [[Joan Daemen]] and [[Vincent Rijmen]], was one of the competing designs to replace DES. It won the [[Advanced Encryption Standard process|5-year public competition]] to become the AES (Advanced Encryption Standard).

Adopted by NIST in 2001, AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The block size has a maximum of 256 bits, but the key size has no theoretical maximum. AES operates on a 4×4 [[column-major order]] matrix of bytes, termed the ''state'' (versions of Rijndael with a larger block size have additional columns in the state).

===Blowfish===
{{Main|Blowfish (cipher)}}
''[[Blowfish (cipher)|Blowfish]]'' is a block cipher, designed in 1993 by [[Bruce Schneier]] and included in a large number of cipher suites and encryption products. Blowfish has a 64-bit block size and a variable [[key length]] from 1 bit up to 448 bits.<ref name=blowfish-paper>{{cite journal |author=Bruce Schneier |author-link=Bruce Schneier |year=1994 |title=Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish) |url=http://www.schneier.com/paper-blowfish-fse.html |journal=Dr. Dobb's Journal |volume=19 |issue=4 |pages=38–40}}</ref> It is a 16-round [[Feistel cipher]] and uses large key-dependent [[Substitution box|S-boxes]]. Notable features of the design include the key-dependent [[S-box]]es and a highly complex [[key schedule]].

It was designed as a general-purpose algorithm, intended as an alternative to the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by [[patent]]s, or were commercial/government secrets.
Schneier has stated that "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the [[public domain]], and can be freely used by anyone." The same applies to [[Twofish]], a successor algorithm from Schneier.