Block Ciphers - A Survey

In this paper we give a short overview of the state of the art of secret key block ciphers. We focus on the main application of block ciphers, namely for encryption. The most important known attacks on block ciphers are linear cryptanalysis and differential cryptanalysis. Linear cryptanalysis makes use of so-called linear hulls i.e., the parity of a subset of plaintext bits which after a certain number of rounds equals the parity of a subset of ciphertext bits with a probability sufficiently far away from one half. Differential cryptanalysis makes use of so-called differentials (A, B), i.e., a pair of plaintexts with difference A, which after a certain number of rounds result in a difference B with a high probability. The hulls and differentials can be used to derive (parts of) the secret key. Also, several extensions of the two above attacks have been introduced lately: the truncated differential attack [38,39], the higher order differential attack [43,38,28], the multiple linear attack [30], and the non-linear/linear attack [41]. Also, a combination of the two methods, the differential-linear attack [27], has been considered. Other (general) attacks are the non-surjective attack [68] and the interpolation attack [28]. To improve resistance against differential and linear cryptanalysis it has been suggested to use power polynomials in a finite field [3,62,51]. On the other hand, it has been shown that if a cipher consists solely of such functions other efficient attacks become possible [28]. Another well-known way of improving the security of a block cipher is by means of multiple encryption, i.e., where a plaintext block is processed several times using the same (component) block cipher with different keys. In § 2 an introduction to block ciphers is given and § 3 lists and discusses the modes of operation for encryption. In § 4 we describe the theoretical and practical security of block ciphers. The most important methods of cryptanalysing block ciphers are given in § 5. § 6 discusses design principles of block ciphers, in particular it is shown how to build ciphers immune to the attacks described in previous sections. The theory of multiple encryption is described in § 7. In § 8 we summarise our results.