The Data Encryption Standard (DES) is an algorithm developed in
the mid-1970s. It was turned into a standard by the US National Institute of Standards and Technology (NIST), and was also adopted by several other governments worldwide. It was and still is widely used, especially in the financial industry.

DES is a block cipher with 64-bit block size. It uses 56-bit keys. This makes it susceptible to exhaustive key search with modern computers and special-purpose hardware. DES is still strong enough to keep most random hackers and individuals out, but it is easily breakable with special hardware by government, criminal organizations, or major corporations. DES is getting too weak, and should not be used in new applications.

A variant of DES, Triple-DES (also 3DES) is based on using DES three times (normally in an encrypt-decrypt-encrypt sequence with three different, unrelated keys). The Triple-DES is arguably much stronger than (single) DES, however, it is rather slow compared to some new block ciphers.

In response to the growing feasibility of attacks against DES, NIST launched a call for proposals for an official successor that meets 21st century security needs. This successor is to be called the Advanced Encryption Standard (AES). Five algorithms made it into the second round, from which Rijndael was selected to be final standard. We will now have a quick look at each of them and their cryptographic peculiarities.

All the ciphers have 128 bit block size and they support 128, 192 and 256 bit keys. The rather large key sizes are probably required to give means for construction of efficient hash functions.


Rijndael follows the tradition of square ciphers (it is based on ideas similar to the Square cipher). NIST gave as its reasons for selecting Rijndael that it performs very well in hardware and software across a wide range of environments in all possible modes. It has excellent key setup time and has low memory requirements, in addition its operations are easy to defend against power and timing attacks.

NIST stated that all five finalists had adequate security and that there was nothing wrong with the other four ciphers. After all analysis and received comments were considered, NIST considered Rijndael the best choice for the AES. The other four finalists are mentioned below.

RC6 follows the ideas of RC5 - but with many improvements. For example, it attempts to avoid some of the differential attacks against RC5's data dependent rotations. However, there are some attacks that get quite far, and it is unclear whether RC6 is well enough analyzed yet.

Serpent has a basically conservative but in many ways innovative design. It may be implemented by bitslice (or vector) gate logic throughout. This makes it rather complicated to implement from scratch, and writing it in a non-bitslice way involves an efficiency penalty.

The 32 rounds lead to probably the highest security margin on all AES candidates, while it is still fast enough for all purposes.

Twofish is a new block cipher designed by Counterpane (whose CEO is Bruce Schneier). The design is highly delicate, with many alternative ways of implementation. It is cryptanalysed in much detail, by the very authoritative "extended Twofish team". It is basically a Feistel cipher, but utilizes many different ideas.

This cipher has key dependent S-boxes like Blowfish (another cipher by Bruce Schneier).

Blowfish was designed by Bruce Schneier. It is a block cipher with 64-bit block size and variable length keys (up to 448 bits). It has gained a fair amount of acceptance in a number of applications, including Nautilus and PGPfone.

Blowfish utilizes the idea of randomized S-boxes: while doing key scheduling, it generates large pseudo-random look-up tables by doing several encryptions. The tables depend on the user supplied key in a very complex way. This approach has been proven to be highly resistant against many attacks such as differential and linear cryptanalysis. Unfortunately it also means that it is not the algorithm of choice for environments where large memory space (something like than 4096 bytes) is not available..

IDEA (International Data Encryption Algorithm) is an algorithm developed at ETH Zurich in Switzerland by Xuejia Lai. It uses a 128 bit key, and it is generally considered to be very secure. It has been one of the best publicly known algorithms for some time (before the AES standard started its second round, see above). It has been around now for several years, and no practical attacks on it have been published despite of numerous attempts to analyze it.

One of the best attacks uses the impossible differential idea of Biham, Shamir and Biryukov. They can attack only 4.5 rounds of IDEA and this poses no threat to the total of 8.5 rounds used in IDEA.

IDEA is patented in the United States and in most European countries.


RC4 is a stream cipher designed by Ron Rivest at RSA Data Security, Inc. It used to be a trade secret, until someone posted source code for an algorithm on the usenet, claiming it to be equivalent to RC4. There is very strong evidence that the posted algorithm is indeed equivalent to RC4. The algorithm is very fast. Its security is unknown, but breaking it does not seem trivial either. Because of its speed, it
may have uses in certain applications. It accepts keys of arbitrary length.

RC4 is essentially a pseudo random number generator, and the output of the generator is exclusive-ored with the data stream. For this reason, it is very important that the same RC4 key never be used to encrypt two different data streams.

Modes Of Operation

Many commonly used ciphers are block ciphers. Block ciphers transform a fixed-size block of data (usually 64 bits) it into another fixed-size block (possibly 64 bits wide again) using a function selected by the key. If the key, input block and output block have all n bits, a block cipher basically defines a one-to-one mapping from n-bit integers to permutations of n-bit integers.

If the same block is encrypted twice with the same key, the resulting ciphertext blocks are also the same (this mode of encryption is called electronic code book, or ECB). This information could be useful for an attacker. To cause identical plaintext blocks being encrypt to different ciphertext blocks, two standard modes are commonly used:

• CBC (cipher block chaining): a ciphertext block is obtained by first XORing the plaintext block with the previous ciphertext block, and encrypting the resulting value. This way leading blocks influence all trailing blocks, which increases the number of plaintext bits one ciphertext bit depends on, but also leads to synchronization problems if one block is lost.
  
  
• CFB (cipher feedback): the kth ciphertext block is obtained by encrypting the (k-1)th ciphertext block and XORing the result onto the plaintext. Interestingly, an CFB feedback loop can also be used as a pseudo-random number generator if one simply feeds one block of true random data with trailing blocks of zeroes into the encryption routine (although the expected period of this PRNG would be only about 2^n/2 where n is the block size of the cipher).
  
  
• Stream ciphers. A stream cipher consists of a state machine that outputs at each state transition one bit of information. This stream of output bits is commonly called the running key. The encryption can be implemented by just exclusively-oring the running key to the plaintext message.
  
  The state machine is nothing more than a pseudo-random number generator. For example, we can build one from a block cipher by encrypting repeatedly its own output. Typically, more elaborate constructions are used for stream ciphers to obtain high-speed.
  
  Some of the more well-known stream ciphers are RC4 and SEAL. Several stream ciphers are based on linear-feedback shift registers (LFSR), such as A5/1 used in GSM. These have the benefit of being very fast (several times faster than usual block ciphers).
  
  
• SSSC (self-synchronizing stream ciphers): The class of self-synchronizing stream ciphers has the convenient property that it corrects the output stream after bit flips or even dropped bits after a short time (say, a few hundred bits).
  
  SSSC's can be constructed using block ciphers in a CFB-related way. Assume that we have already encrypted n bits of the message and know that much of the ciphertext (where n denotes the block length of the cipher). Then we produce a new running key (see above) bit by encrypting the n ciphertext bits. Take one bit of the output of the cipher to be the new running key bit. Now moving one bit further we can iterate this procedure for the whole length of the message.
  
  It is easy to see that a one bit error in a ciphertext cannot affect the decrypted plaintext after n bits. This makes the cipher self-synchronizing.
  
  The block cipher used should have sufficiently large block size to avoid substitution attacks, for example.
  

Cryptographic Hash Functions

Cryptographic hash functions are used in various contexts, for example to compute the message digest when making a digital signature. A hash function compresses the bits of a message to a fixed-size hash value in a way that distributes the possible messages evenly among the possible hash values.

• SHA-1 (Secure Hash Algorithm) (also SHS, Secure Hash Standard): This is a cryptographic hash algorithm published by the United States Government. It produces an 160 bit hash value from an arbitrary length string. It is considered to be very good.
  
• MD5 (Message Digest Algorithm 5) is a cryptographic hash algorithm developed at RSA.  It can be used to hash an arbitrary length byte string into a 128 bit value.
  
  
• MD2, MD4: These are older hash algorithms from RSA Data Security. They have known flaws (Hans Dobbertin, FSE'96, LNCS 1039), and their use is not recommended.
  

Random Rumber Generator

Cryptographic systems need cryptographically strong (pseudo) random numbers that cannot be guessed by an attacker. Random numbers are typically used to generate keys, and their quality is critical for the quality of the resulting systems.  A cryptographically good pseudo-random number generator should pass all the basic tests for statistical randomness. Cryptographic pseudo-random number generators typically have a large pool ("seed value") containing randomness. Bits are returned from this pool by taking data from the pool, optionally running the data through a cryptographic hash function to avoid revealing the contents of the pool. When more bits are needed, the pool is stirred by encrypting its contents by a suitable cipher with a random key (that may be taken from an unreturned part of the pool) in a mode which
makes every bit of the pool depend on every other bit of the pool. New environmental noise should be mixed into the pool before stirring to make predicting previous or future values even more impossible.

Digital Signatures

Some public-key algorithms can be used to generate digital signatures. A digital signature is a small amount of data that was created using some secret key, and there is a public key that can be used to verify that the signature was really generated using the corresponding private key. The algorithm used to generate the signature must be such that without knowing the secret key it is not possible to create a signature that would verify as valid.

Digital signatures are used to verify that a message really comes from the claimed sender (assuming only the sender knows the secret key corresponding to his/her public key). They can also be used to timestamp documents: a trusted party signs the document and its timestamp with his/her secret key, thus testifying that the document existed at the stated time.

Digital signatures can also be used to testify (or certify) that a public key belongs to a particular person. This is done by signing the combination of the key and the information about its owner by a trusted key. The digital signature by a third party (owner of the trusted key), the public key and information about the owner of the public key are often called certificates.

A digital signature of an arbitrary document is typically created by computing a message digest from the document, and concatenating it with information about the signer, a timestamp, etc. The resulting string is then encrypted using the private key of the signer using a suitable algorithm. The resulting encrypted block of bits is the
signature. It is often distributed together with information about the public key that was used to sign it. To verify a signature, the recipient first determines whether it trusts that the key belongs to the person it is supposed to belong to (using the web of trust or a priori knowledge), and then decrypts the signature using the public key of the person. If the signature decrypts properly and the information matches that of the message (proper message digest etc.), the signature is accepted as valid.