Cipher security summary

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

Table color key

No known successful attacks — attack only breaks a reduced version of the cipher

Theoretical break — attack breaks all rounds and has lower complexity than security claim

Attack demonstrated in practice

Best attack

This column lists the complexity of the attack:

If the attack doesn't break the full cipher, "rounds" refers to how many rounds were broken
"time" — time complexity, number of cipher evaluations for the attacker
"data" — required known plaintext-ciphertext pairs (if applicable)
"memory" — how many blocks worth of data needs to be stored (if applicable)
"related keys" — for related-key attacks, how many related key queries are needed

Common ciphers

Key recovery attacks

Attacks that lead to disclosure of the key.

Cipher	Security claim	Best attack	Publish date	Comment
AES128	2¹²⁸	2^126.1 time, 2⁸⁸ data, 2⁸ memory	2011-08-17	Independent biclique attack.^[1]
AES192	2¹⁹²	2^189.7 time, 2⁸⁰ data, 2⁸ memory
AES256	2²⁵⁶	2^254.4 time, 2⁴⁰ data, 2⁸ memory
Blowfish	2⁴⁴⁸	4 of 16 rounds	1997	Differential cryptanalysis.^[2] Author of Blowfish recommends using Twofish instead.^[3]
DES	2⁵⁶	2³⁹ – 2⁴³ time, 2⁴³ known plaintexts	2001	Linear cryptanalysis.^[4] In addition, broken by brute force in 2⁵⁶ time, no later than 1998-07-17, see EFF DES cracker.^[5] Cracking hardware is available for purchase since 2006.^[6]
Triple DES	2¹⁶⁸	2¹¹³ time, 2³² data, 2⁸⁸ memory	1998-03-23	Extension of the meet-in-the-middle attack. Time complexity is 2¹¹³ steps, but along with proposed techniques, it is estimated to be equivalent to 2⁹⁰ single DES encryption steps. The paper also proposes other time-memory tradeoffs.^[7]
KASUMI	2¹²⁸	2³² time, 2²⁶ data, 2³⁰ memory, 4 related keys	2010-01-10	The cipher used in 3G cell phone networks. This attack takes less than two hours on a single PC, but isn't applicable to 3G due to known plaintext and related key requirements.^[8]
RC4	Up to 2²⁰⁴⁸	2²⁰ time, 2^16.4 related keys (95% success probability)	2007	Commonly known as PTW attack, it can break WEP encryption in Wi-Fi on an ordinary computer in negligible time.^[9] This is an improvement of the original Fluhrer, Mantin and Shamir attack published in 2001.^[10]
Serpent-128	2¹²⁸	10 of 32 rounds (2⁸⁹ time, 2¹¹⁸ data)	2002-02-04	Linear cryptanalysis.^[11]
Serpent-192	2¹⁹²	11 of 32 rounds (2¹⁸⁷ time, 2¹¹⁸ data)
Serpent-256	2²⁵⁶	11 of 32 rounds (2¹⁸⁷ time, 2¹¹⁸ data)
Twofish	2¹²⁸ – 2²⁵⁶	6 of 16 rounds (2²⁵⁶ time)	1999-10-05	Impossible differential attack.^[12]

Distinguishing attacks

Attacks that allow distinguishing ciphertext from random data.

Cipher	Security claim	Best attack	Publish date	Comment
RC4	up to 2²⁰⁴⁸	?? time, 2^30.6 bytes data (90% probability)	2000	Paper.^[13]

Less common ciphers

Key recovery attacks

Attacks that lead to disclosure of the key.

Cipher	Security claim	Best attack	Publish date	Comment
CAST (not CAST-128)	2⁶⁴	2⁴⁸ time, 2¹⁷ chosen plaintexts	1997-11-11	Related-key attack.^[14]
CAST-128	2¹²⁸	6 of 16 rounds (2^88.51 time, 2^53.96 data)	2009-08-23	Known-plaintext linear cryptanalysis.^[15]
CAST-256	2²⁵⁶	24 of 48 rounds (2^156.2 time, 2^124.1 data)	2009-08-23	Known-plaintext linear cryptanalysis.^[15]
IDEA	2¹²⁸	2^126.1 time	2012-04-15	Narrow-biclique attack.^[16]
MISTY1	2¹²⁸	2^69.5 time, 2⁶⁴ chosen plaintexts	2015-07-30	Chosen-ciphertext, integral cryptanalysis,^[17] an improvement over a previous chosen-plaintext attack.^[18]
RC2	2⁶⁴ – 2¹²⁸	Unknown^{[clarification needed]} time, 2³⁴ chosen plaintexts	1997-11-11	Related-key attack.^[14]
RC5	2¹²⁸	Unknown
SEED	2¹²⁸	Unknown
Skipjack	2⁸⁰	2⁸⁰		ECRYPT II recommendations note that, as of 2012, 80 bit ciphers provide only "Very short-term protection against agencies".^[19] NIST recommends not to use Skipjack after 2010.^[20]
TEA	2¹²⁸	2³² time, 2²³ chosen plaintexts	1997-11-11	Related-key attack.^[14]
XTEA	2¹²⁸	Unknown
XXTEA	2¹²⁸	2⁵⁹ chosen plaintexts	2010-05-04	Chosen-plaintext, differential cryptanalysis.^[21]

Distinguishing attacks

Attacks that allow distinguishing ciphertext from random data.

Cipher	Security claim	Best attack	Publish date	Comment
CAST-256	2²⁵⁶	28 of 48 rounds (2^246.9 time, 2⁶⁸ memory, 2^98.8 data)	2012-12-04	Multidimensional zero-correlation cryptanalysis.^[22]

References

↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^14.0 ^14.1 ^14.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012.
↑ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

[aes-related-1] Lua error in package.lua at line 80: module 'strict' not found.

[2] Lua error in package.lua at line 80: module 'strict' not found.

[3] Lua error in package.lua at line 80: module 'strict' not found.

[4] Lua error in package.lua at line 80: module 'strict' not found.

[5] Lua error in package.lua at line 80: module 'strict' not found.

[6] Lua error in package.lua at line 80: module 'strict' not found.

[7] Lua error in package.lua at line 80: module 'strict' not found.

[a5-3-broken-8] Lua error in package.lua at line 80: module 'strict' not found.

[9] Lua error in package.lua at line 80: module 'strict' not found.

[10] Lua error in package.lua at line 80: module 'strict' not found.

[11] Lua error in package.lua at line 80: module 'strict' not found.

[12] Lua error in package.lua at line 80: module 'strict' not found.

[13] Lua error in package.lua at line 80: module 'strict' not found.

[kelsey1997-14] 14.0 ^14.1 ^14.2 Lua error in package.lua at line 80: module 'strict' not found.

[cast-2009-15] Lua error in package.lua at line 80: module 'strict' not found.

[idea-related-16] Lua error in package.lua at line 80: module 'strict' not found.

[misty1-17] Lua error in package.lua at line 80: module 'strict' not found.

[18] Lua error in package.lua at line 80: module 'strict' not found.

[19] Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012.

[20] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST

[yarrkov-broken-21] Lua error in package.lua at line 80: module 'strict' not found.

[22] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

Cipher security summary

Contents

Table color key

Best attack

Common ciphers

Key recovery attacks

Distinguishing attacks

Less common ciphers

Key recovery attacks

Distinguishing attacks

See also

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools