Movatterモバイル変換

Cipher security summary

From Wikipedia, the free encyclopedia

Attacks against common ciphers

This article summarizes publicly knownattacks againstblock ciphers andstream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

Table color key

[edit]

No known successful attacks — attack only breaks a reduced version of the cipher

Theoretical break — attack breaks all rounds and has lower complexity than security claim

Attack demonstrated in practice

Best attack

[edit]

This column lists the complexity of the attack:

If the attack doesn't break the full cipher, "rounds" refers to how many rounds were broken
"time" —time complexity, number of cipher evaluations for the attacker
"data" — required known plaintext-ciphertext pairs (if applicable)
"memory" — how many blocks worth of data needs to be stored (if applicable)
"related keys" — forrelated-key attacks, how many related key queries are needed

Common ciphers

[edit]

Key or plaintext recovery attacks

[edit]

Attacks that lead to disclosure of thekey or plaintext.

Cipher	Security claim	Best attack	Publish date	Comment
AES128	2¹²⁸	2^126.1 time, 2⁸⁸ data, 2⁸ memory	2011-08-17	Independentbiclique attack.^[1]
AES192	2¹⁹²	2^189.7 time, 2⁸⁰ data, 2⁸ memory
AES256	2²⁵⁶	2^254.4 time, 2⁴⁰ data, 2⁸ memory
Blowfish	Up to 2⁴⁴⁸	4 of 16 rounds; 64-bit block is vulnerable to SWEET32 attack.	2016	Differential cryptanalysis.^[2] Author of Blowfish (Bruce Schneier) recommends using Twofish instead.^[3] SWEET32 attack demonstrated birthday attacks to recover plaintext with its 64-bitblock size, vulnerable to protocols such asTLS,SSH,IPsec, andOpenVPN, without attacking the cipher itself.^[4]
Twofish	2¹²⁸ – 2²⁵⁶	6 of 16 rounds (2²⁵⁶ time)	1999-10-05	Impossible differential attack.^[5]
Serpent-128	2¹²⁸	10 of 32 rounds (2⁸⁹ time, 2¹¹⁸ data)	2002-02-04	Linear cryptanalysis.^[6]
Serpent-192	2¹⁹²	11 of 32 rounds (2¹⁸⁷ time, 2¹¹⁸ data)
Serpent-256	2²⁵⁶	11 of 32 rounds (2¹⁸⁷ time, 2¹¹⁸ data)
DES	2⁵⁶	2³⁹ – 2⁴³ time, 2⁴³known plaintexts	2001	Linear cryptanalysis.^[7] In addition, broken by brute force in 2⁵⁶ time, no later than 1998-07-17, seeEFF DES cracker.^[8] Cracking hardware is available for purchase since 2006.^[9]
Triple DES	2¹⁶⁸	2¹¹³ time, 2³² data, 2⁸⁸ memory; 64-bit block is vulnerable to SWEET32 attack.	2016	Extension of themeet-in-the-middle attack. Time complexity is 2¹¹³ steps, but along with proposed techniques, it is estimated to be equivalent to 2⁹⁰ single DES encryption steps. The paper also proposes othertime–memory tradeoffs.^[10] SWEET32 attack demonstrated birthday attacks to recover plaintext with its 64-bitblock size, vulnerable to protocols such asTLS,SSH,IPsec, andOpenVPN.^[4]
KASUMI	2¹²⁸	2³² time, 2²⁶ data, 2³⁰ memory, 4 related keys	2010-01-10	The cipher used in3G cell phone networks. This attack takes less than two hours on a single PC, but isn't applicable to 3G due to known plaintext and related key requirements.^[11]
RC4	Up to 2²⁰⁴⁸	2²⁰ time, 2^16.4 related keys(95% success probability)	2007	Commonly known as PTW attack, it can breakWEP encryption inWi-Fi on an ordinary computer in negligible time.^[12] This is an improvement of the originalFluhrer, Mantin and Shamir attack published in 2001.^[13]

Distinguishing attacks

[edit]

Main article:Distinguishing attack

Attacks that allow distinguishing ciphertext from random data.

Cipher	Security claim	Best attack	Publish date	Comment
RC4	up to 2²⁰⁴⁸	?? time, 2^30.6 bytes data (90% probability)	2000	Paper.^[14]

Less-common ciphers

[edit]

Key recovery attacks

[edit]

Attacks that lead to disclosure of thekey.

Cipher	Security claim	Best attack	Publish date	Comment
CAST (notCAST-128)	2⁶⁴	2⁴⁸ time, 2¹⁷ chosen plaintexts	1997-11-11	Related-key attack.^[15]
CAST-128	2¹²⁸	6 of 16 rounds (2^88.51 time, 2^53.96 data)	2009-08-23	Known-plaintext linear cryptanalysis.^[16]
CAST-256	2²⁵⁶	24 of 48 rounds (2^156.2 time, 2^124.1 data)	2009-08-23	Known-plaintext linear cryptanalysis.^[16]
IDEA	2¹²⁸	2^126.1 time	2012-04-15	Narrow-biclique attack.^[17]
MISTY1	2¹²⁸	2^69.5 time, 2⁶⁴ chosen plaintexts	2015-07-30	Chosen-ciphertext,integral cryptanalysis,^[18] an improvement over a previous chosen-plaintext attack.^[19]
RC2	2⁶⁴ – 2¹²⁸	Unknown^{[clarification needed]} time, 2³⁴ chosen plaintexts	1997-11-11	Related-key attack.^[15]
RC5	2¹²⁸	Unknown
SEED	2¹²⁸	Unknown
Skipjack	2⁸⁰	2⁸⁰		ECRYPT II recommendations note that, as of 2012, 80 bit ciphers provide only "Very short-term protection against agencies".^[20] NIST recommends not to use Skipjack after 2010.^[21]
TEA	2¹²⁸	2³² time, 2²³ chosen plaintexts	1997-11-11	Related-key attack.^[15]
XTEA	2¹²⁸	Unknown
XXTEA	2¹²⁸	2⁵⁹ chosen plaintexts	2010-05-04	Chosen-plaintext,differential cryptanalysis.^[22]

Distinguishing attacks

[edit]

Main article:Distinguishing attack

Attacks that allow distinguishing ciphertext from random data.

Cipher	Security claim	Best attack	Publish date	Comment
CAST-256	2²⁵⁶	28 of 48 rounds (2^246.9 time, 2⁶⁸ memory, 2^98.8 data)	2012-12-04	Multidimensionalzero-correlation cryptanalysis.^[23]

References

[edit]

^Andrey Bogdanov; Dmitry Khovratovich; Christian Rechberger (2011-08-17)."Biclique Cryptanalysis of the Full AES".Cryptology ePrint Archive.
^Vincent Rijmen (1997)."Cryptanalysis and Design of Iterated Block Ciphers".Ph.D. Thesis.
^Dahna McConnachie (2007-12-27)."Bruce Almighty: Schneier preaches security to Linux faithful".Computerworld. Archived fromthe original on 2012-06-03. Retrieved2014-02-13.
^^a ^bKarthikeyan Bhargavan, Gaëtan Leurent (August 2016)."On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN". ACM CCS 2016.
^Niels Ferguson (1999-10-05)."Impossible Differentials in Twofish".Schneier.
^Eli Biham; Orr Dunkelman; Nathan Keller (2002-02-04).Linear Cryptanalysis of Reduced Round Serpent. FSE 2002.doi:10.1007/3-540-45473-X_2.
^Junod, Pascal (2001).On the Complexity of Matsui's Attack.Selected Areas in Cryptography. pp. 199–211. Archived fromthe original on 2009-05-27.
^"DES Cracker Project".EFF. Archived fromthe original on May 7, 2017. RetrievedAugust 26, 2015.On Wednesday, July 17, 1998 the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize.
^"COPACOBANA – Special-Purpose Hardware for Code-Breaking".
^Stefan Lucks (1998-03-23). "Attacking Triple Encryption".Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1372. Springer. pp. 239–253.doi:10.1007/3-540-69710-1_16.ISBN 978-3-540-64265-7.
^Orr Dunkelman; Nathan Keller; Adi Shamir (2010-01-10)."A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony".Cryptology ePrint Archive.
^Erik Tews; Ralf-Philipp Weinmann; Andrei Pyshkin (2007).Breaking 104 Bit WEP in Less Than 60 Seconds. WISA 2007.
^Scott Fluhrer; Itsik Mantin; Adi Shamir (2001-12-20).Weaknesses in the Key Scheduling Algorithm of RC4(PDF). Selected Areas in Cryptography 2001.
^Scott R. Fluhrer; David A. McGrew.Statistical Analysis of the Alleged RC4 Keystream Generator(PDF). FSE 2000. pp. 19–30. Archived fromthe original(PDF) on 2014-05-02.
^^a ^b ^cJohn Kelsey; Bruce Schneier; David Wagner (1997-11-11)."Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X NewDES, RC2, and TEA". In Yongfei Han; Tatsuaki Okamoto; Sihan Quing (eds.).Information and Communications Security: First International Conference. Vol. 1334. Springer. pp. 233–246.CiteSeerX 10.1.1.35.8112.doi:10.1007/BFb0028479.ISBN 978-3-540-63696-0.
^Meiqin Wang; Xiaoyun Wang; Changhui Hu (2009-08-23). "New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256".Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 5381. pp. 429–441.doi:10.1007/978-3-642-04159-4_28.ISBN 978-3-642-04158-7.S2CID 35612393.
^Dmitry Khovratovich; Gaetan Leurent; Christian Rechberger."Narrow-Bicliques: Cryptanalysis of Full IDEA"(PDF). Archived fromthe original(PDF) on 2013-12-03. Retrieved2015-08-26.
^Achiya Bar-On (2015-07-30)."A 2⁷⁰ Attack on the Full MISTY1".Cryptology ePrint Archive.
^Yosuke Todo (2015-07-06).Integral Cryptanalysis on Full MISTY1. CRYPTO 2015.
^"ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)"(PDF).CORDIS. 30 September 2012. D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II.
^Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST
^Elias Yarrkov (2010-05-04)."Cryptanalysis of XXTEA".Cryptology ePrint Archive.
^Andrey Bogdanov; Gregor Leander;Kaisa Nyberg; Meiqin Wang (2012-12-04)."Integral and multidimensional linear distinguishers with correlation zero"(PDF).Advances in Cryptology – ASIACRYPT 2012: 18th International Conference on the Theory and Application of Cryptology and Information Security. Vol. 7658. Springer. pp. 244–261.doi:10.1007/978-3-642-34961-4.ISBN 978-3-642-34960-7.S2CID 26601027.

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics,Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97,89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q QARMA RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Modn Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Cryptojacking malware Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category