#### Cryptography - Block Cipher Algorithms

#### 3-Way

Alias: "ThreeWay"

Designer: Joan Daemen

Published: 1994

Key length: 96 bits.

Block size: 12 bytes.

Security comment: 3-Way is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

#### AES128

Designers: Joan Daemen, Vincent Rijmen

Alias: "OpenPGP.Cipher.7"

Description: AES128 is defined as Rijndael with a 128-bit block size and 10 rounds.

Key length: 128 bits.

Block size: 16 bytes.

#### AES192

Alias: "OpenPGP.Cipher.8"

Designers: Joan Daemen, Vincent Rijmen

Description: AES192 is defined as Rijndael with a 128-bit block size and 12 rounds.

Key length: 192 bits.

Block size: 16 bytes.

#### AES256

Alias: "OpenPGP.Cipher.9"

Designers: Joan Daemen, Vincent Rijmen

Description: AES256 is defined as Rijndael with a 128-bit block size and 14 rounds.

Key length: 256 bits.

Block size: 16 bytes.

Rijndael AES256 is considered the best encryption algorithm.

#### Anubis

Designers: Paulo Barreto, Vincent Rijmen

Published: November 2000

Key length: Minimum 128, maximum 320, multiple of 32 bits; default 128 bits.

Block size: 16 bytes.

#### Blowfish

Alias: "OpenPGP.Cipher.4"

Designer: Bruce Schneier

Published: 1994

Key length: Minimum 32, maximum 448, multiple of 8 bits; default 128 bits.

Block size: 8 bytes.

#### CAST-128

Aliases: "CAST5", "OpenPGP.Cipher.3"

Designers: Carlisle Adams, Stafford Tavares

Published: 1997

Key length: Minimum 40, maximum 128, multiple of 8 bits; default 128 bits.

Block size: 8 bytes.

#### CAST-256

Alias: "CAST6"

Designers: Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener

Published: June 1998

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 16 bytes.

#### CRYPTON-0.5

Alias: "CRYPTONv05"

Designer: Chae Hoon Lim

Published: 1998

Key length: Minimum 64, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 16 bytes.

#### CRYPTON-1.0

Alias: "CRYPTONv10"

Designer: Chae Hoon Lim

Published: December 1998

Key length: Minimum 0, maximum 256, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.

#### CS-Cipher

Designers: Jacques Stern, Serge Vaudenay

Published: 1998

Key length: Minimum 0, maximum 128, multiple of 8 bits; default 128 bits.

Block size: 8 bytes.

#### DEAL

Designer: Lars Knudsen

Published: May 1998

Key length: 128, 192 or 256 bits; default 128 bits.

Block size: 16 bytes.

#### DES

Designers: Don Coppersmith, Horst Feistel, Walt Tuchmann, U.S. National Security Agency

Published: 1976

Key length: 64 bits as encoded; 56 bits excluding parity bits.

Block size: 8 bytes.

Security comment: The fixed 56-bit effective key length is too short to prevent brute-force attacks.

#### DESede

Designers: Whitfield Diffie, Martin Hellman, Walt Tuchmann

Published: 1978-79

Aliases:

"DES-EDE2" (always 2-key)

"DES-EDE3", "OpenPGP.Cipher.2" (always 3-key)

"TripleDES", "3DES" (default key length implemented inconsistently by different providers)

Key length: 128 or 192 bits, as encoded (112 or 168 bits excluding parity). The default key length depends on the name of the KeyGenerator: 128 bits for DES-EDE2, and 192 bits for DES-EDE3 or OpenPGP.Cipher.2.

The default key length for DESede and the other aliases is implemented inconsistently between different providers, and therefore if an application needs to create a specific length of DESede key in a way that is guaranteed to work across providers, it should explicitly create a SecretKeySpec.

Block size: 8 bytes.

#### DESX

Designer: Ron Rivest

Key length: 128 or 192 bits; default 192 bits, as encoded. See security comments for the effective key length.

Block size: 8 bytes.

Security comment: DESX is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

#### DFC

Designers: Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay

Published: May 1998

Key length: Minimum 0, maximum 256 bits, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.

#### DFCv2-128(rounds,s)

Designers: Louis Granboulan, Phong Nguyen, Fabrice Noilhan, Serge Vaudenay

Published: August 2000

Parameters:

Integer rounds [creation/read, no default] - the number of rounds to be performed (minimum 8, default 12, multiple of 2)

Integer s [creation/read] - adjustment to key scheduling (minimum 4, default 4?)

Key length: 128, 192 or 256 bits; default 128 bits.

Block size: 16 bytes.

#### Diamond2(rounds)

Designer: Michael Paul Johnson

Published: 1995

Parameters: Integer rounds [creation/read, no default] - the number of rounds to be performed (minimum 10)

Key length: Minimum 8, maximum 65536, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.

#### E2

Designers: Kazumaro Aoki, Masayuki Kanda, Tsutomu Matsumoto, Shiho Moriai, Kazuo Ohta, Miyako Ookubo, Youichi Takashima, Hiroki Ueda

Published: June 1998

Key length: 128, 192 or 256 bits; default 128 bits.

Block size: 16 bytes.

#### FROG[(blockSize[,rounds])]

Designers: Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves

Published: 1998

Parameters:

Integer blockSize [creation/read, default 16] - the length of a block in bytes (8 to 128)

Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8)

Key length: Minimum 40, maximum 1000, multiple of 8 bits; default 128 bits.

Block size: As given by the blockSize parameter (in bytes).

#### GOST

Alias: "GOST-28147-89"

Published: 1989

Parameters: byte[][] sboxes [write only, default as given in Applied Cryptography] - the S-boxes to be used by this cipher instance. sboxes[i-1][j] represents the output of S-box i, for an input value j.

The implementation may or may not copy the contents of arrays used to set this parameter. If any such arrays are subsequently changed, the output of the cipher is undefined (it is therefore the responsibility of the caller to make sure that references to these arrays are not accessible to untrusted code). Setting this parameter will reset the current key and feedback vector, if applicable.

Key length: 256 bits.

Block size: 8 bytes.

#### HPC-1(blockSize[,backup])

Designer: Rich Schroeppel

Published: 1998

Description: This is the original HPC cipher submitted as a first round AES candidate.

Parameters:

Integer blockSize [creation/read, default 16] - the length of a block in bytes (minimum 1)

Integer backup [creation/read, default 0] - a parameter that can be increased to make the cipher more conservative, at the cost of speed (minimum 0)

long[] spice [write, default all-zeroes] - an array of 8 64-bit words containing a diversifier.

The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the cipher is undefined, unless the parameter is set again immediately (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key and feedback vector.

Key length: Minimum 0, maximum 65536 bits; default 128 bits.

Block size: As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.

#### HPC-2(blockSize[,backup])

Designer: Rich Schroeppel

Published: June 1999

Description: This is the "tweaked" version of HPC, with a modified key schedule.

Parameters:

Integer blockSize [creation/read, default 16] - the length of a block in bytes (minimum 1)

Integer backup [creation/read, default 0] - a parameter that can be increased to make the cipher more conservative, at the cost of speed (minimum 0)

long[] spice [write, default all-zeroes] - an array of 8 64-bit words containing a diversifier.

The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the cipher is undefined, unless the parameter is set again immediately (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key and feedback vector.

Key length: Minimum 0, maximum 65536 bits; default 128 bits.

Block size: As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.

#### ICE

Designer: Matthew Kwan

Published: 1997

Key length: Minimum 64, multiple of 64 bits; default 128 bits.

Block size: 8 bytes.

#### IDEA

Alias: "OpenPGP.Cipher.1"

Designers: Xuejia Lai, James Massey

Published: 1992

Key length: 128 bits.

Block size: 8 bytes.

Security comment: IDEA is vulnerable to key schedule attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

#### LOKI91

Designers: Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry

Published: 1991-92

Key length: 64 bits.

Block size: 8 bytes.

Security comments:

LOKI91 is vulnerable to related-key attacks, with a work factor of about 2^{60} operations, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

The attacks cited above, based on Linear Cryptanalysis, are effective against reduced-round variants of LOKI91 with up to 12 rounds (the full cipher has 16 rounds).

The fixed 64-bit key length is too short to prevent brute-force attacks.

#### LOKI97

Designers: Laurence Brown, Josef Pieprzyk, Jennifer Seberry

Published: 1997

Key length: 128, 192 or 256 bits; default 128 bits.

Block size: 16 bytes.

Security comment: The paper "Weaknesses in LOKI97" describes an attack using Differential Cryptanalysis, estimated as requiring at most 2^{64} chosen plaintexts, and an attack using Linear Cryptanalysis, estimated as requiring at most 2^{64} known plaintexts.

#### MAGENTA

Designers: Michael Jacobson Jr., Klaus Huber

Published: August 1998

Key length: 128, 192 or 256 bits; default 128 bits.

Block size: 16 bytes.

Security comment: The paper "Cryptanalysis of Magenta" describes a chosen plaintext attack using 2^{64} chosen plaintexts, and 2^{64} work. It also notes that "given a ciphertext, one can decrypt it by swapping its two halves, re-encrypting the result, and swapping again". This would be a fatal weakness for some applications, even though it does not allow obtaining the key.

#### MARS

Alias: "MARS-2"

Designers: Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunic

Published: 1999

Key length: Minimum 128, maximum 448, multiple of 32 bits; default 128 bits.

Block size: 16 bytes.

#### MISTY1[(rounds)]

Designer: M. Matsui

Published: January 1997

Parameters:

Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8, multiple of 4)

Key length: 128 bits.

Block size: 8 bytes.

#### MISTY2[(rounds)]

Designer: M. Matsui

Published: January 1997

Parameters:

Integer rounds [creation/read, default 12] - the number of rounds to be performed (minimum 12, multiple of 4)

Key length: 128 bits.

Block size: 8 bytes.

#### Noekeon[(rounds)]

Designers: Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen

Published: November 2000

Parameters: Integer rounds [creation/read, default 16] - the number of rounds to be performed (minimum 16)

Key length: 128 bits.

Block size: 16 bytes.

#### Noekeon-Direct[(rounds)]

Designers: Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen

Published: November 2000

Parameters: Integer rounds [creation/read, default 16] - the number of rounds to be performed (minimum 16)

Key length: 128 bits.

Block size: 16 bytes.

#### Rainbow

Designers: Chang-Hyi Lee, Jeong-Soo Kim

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 16 bytes.

#### RC2

Designer: Ron Rivest

Published: 1998

Key length: Minimum 0; maximum 1024, multiple of 8 bits; default 128 bits.

Block size: 8 bytes.

Security comment: RC2 is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

#### RC5[(rounds)]

Alias: "RC5-32"

Designer: Ron Rivest

Published: January 1995

Parameters:

Integer rounds [creation/read, default 12] - the number of rounds to be performed (minimum 12, multiple of 2)

Key length: Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.

Block size: 8 bytes.

#### RC5-64[(rounds)]

Designer: Ron Rivest

Published: January 1995

Key length: Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.

#### RC6[(rounds)]

Alias: "RC6-32"

Designers: Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin

Published: 1998

Parameters:

Integer rounds [creation/read, default 20] - the number of rounds to be performed (minimum 8, multiple of 4)

Key length: Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.

#### RC6-64[(rounds)]

Designers: Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin

Published: 1998

Parameters:

Integer rounds [creation/read, default 20] - the number of rounds to be performed (minimum 8, multiple of 4)

Key length: Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.

Block size: 32 bytes.

#### Rijndael

Designers: Joan Daemen, Vincent Rijmen

Published: November 1998

Description:

This is Rijndael with a 128-bit block size. The number of rounds is 6 + max(Nk, Nb), where Nb = 4, and Nk is the number of 32-bit words in the key.

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 16 bytes.

#### Rijndael-160

Designers: Joan Daemen, Vincent Rijmen

Published: November 1998

Description: This is Rijndael with a 160-bit block size. The number of rounds is 6 + max(Nk, Nb), where Nb = 5, and Nk is the number of 32-bit words in the key.

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 20 bytes.

#### Rijndael-192

Designers: Joan Daemen, Vincent Rijmen

Published: November 1998

Description: This is Rijndael with a 192-bit block size. The number of rounds is 6 + max(Nk, Nb), where Nb = 6, and Nk is the number of 32-bit words in the key.

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 24 bytes.

#### Rijndael-224

Designers: Joan Daemen, Vincent Rijmen

Published: November 1998

Description: This is Rijndael with a 224-bit block size. The number of rounds is 6 + max(Nk, Nb), where Nb = 7, and Nk is the number of 32-bit words in the key.

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 28 bytes.

#### Rijndael-256

Designers: Joan Daemen, Vincent Rijmen

Published: November 1998

Description: This is Rijndael with a 256-bit block size. The number of rounds is always 14.

Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size: 32 bytes.

#### SAFER-K[(rounds)]

Designer: James Massey

Published: December 1993

Parameters:

Integer rounds [creation/read, default null (indicating key-length-dependent)] - the number of rounds to be performed (minimum 6). When the value of this property is null, 6 rounds are used for a 64-bit key, and 10 rounds for a 128-bit key.

Key length: 64 or 128 bits; default 128 bits.

Block size: 8 bytes.

#### SAFER-SK[(rounds)]

Alias: "OpenPGP.Cipher.6" for SAFER-SK(13).

Designer: James Massey

Published: September 1995

Parameters:

Integer rounds [creation/read, default null (indicating key-length-dependent)] - the number of rounds to be performed (minimum 8). When the value of this property is null, 8 rounds are used for a 64-bit key, and 10 rounds for a 128-bit key.

Key length: 64 or 128 bits; default 128 bits.

Block size: 8 bytes.

#### SAFER+

Aliases: "SAFERp1", "SAFER+-1"

Designers: James Massey, Gurgen Khachatrian, Melsik Kuregian

Key length: 128, 192 or 256 bits; default 128 bits.

Block size: 16 bytes.

#### SAFER++

Alias: "SAFERpp"

Designers: James Massey, Gurgen Khachatrian, Melsik Kuregian

Published: November 2000

Key length: 128 or 256 bits; default 128 bits.

Block size: 16 bytes.

#### SAFER++-64

Alias: "SAFERpp64"

Designers: James Massey, Gurgen Khachatrian, Melsik Kuregian

Published: November 2000

Key length: 128 bits.

Block size: 8 bytes.

#### Serpent

Designers: Ross Anderson, Eli Biham, Lars Knudsen

Published: 1998

Key length: Minimum 0, maximum 256, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.

#### SHARK-A

Designers: Vincent Rijmen, Joan Daemen, Bart Preneel, Antoon Bosselaers, Erik De Win

Key length: 128 bits.

Block size: 8 bytes.

#### SHARK-E

Designers: Vincent Rijmen, Joan Daemen, Bart Preneel, Antoon Bosselaers, Erik De Win

Key length: 128 bits.

Block size: 8 bytes.

#### SKIPJACK

Designer: U.S. National Security Agency

Published: June 1998

Key length: 80 bits.

Block size: 8 bytes.

#### SPEED-64[(rounds)]

Designer: Yuliang Zheng

Published: February 1997

Parameters:

Integer rounds [creation/read, default 64] - the number of rounds to be performed (minimum 64, multiple of 4)

Key length: Minimum 48, maximum 256, multiple of 16 bits; default 128 bits.

Block size: 8 bytes.

#### SPEED-128[(rounds)]

Designer: Yuliang Zheng

Published: February 1997

Parameters: Integer rounds [creation/read, default 64] - the number of rounds to be performed (minimum 48, multiple of 4)

Key length: Minimum 48, maximum 256, multiple of 16 bits; default 128 bits.

Block size: 16 bytes.

#### SPEED-256[(rounds)]

Designer: Yuliang Zheng

Published: February 1997

Parameters:

Integer rounds [creation/read, default 64] - the number of rounds to be performed (minimum 48, multiple of 4)

Key length: Minimum 48, maximum 256, multiple of 16 bits; default 128 bits.

Block size: 32 bytes.

#### Square[(rounds)]

Designers: Joan Daemen, Vincent Rijmen

Published: 1997

Parameters:

Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8, multiple of 2)

Key length: 128 bits.

Block size: 16 bytes.

#### TEA

Alias: "Tiny Encryption Algorithm"

Designers: David Wheeler, Roger Needham

Published: 1994

Key length: 128 bits.

Block size: 8 bytes.

#### Twofish

Alias: "OpenPGP.Cipher.10"

Designers: Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson

Published: 1998

Key length: Minimum 8, maximum 256, multiple of 8 bits; default 128 bits.

Block size: 16 bytes.