Block ciphers with a 64 bit block size
There are many 64 bit block ciphers, but few have a good security reputation. Use Blowfish.
Introduction
Generally, you should use AES when encrypting things. It has a minimum block size of 128 bits. This is fine if you want to encrypt 16 bytes or more. However, if you want your ciphertext to be smaller, you need another solution, such as a block cipher with a 64 bit block size. Encrypting a single block gives you a ciphertext of 8 bytes, which is feasible for use in a URL, for example.
Alphabetical list
This is supposed to be an exhaustive list of block ciphers with a 64 bit block size.
| Cipher | Author | Year | Notes | |
|---|---|---|---|---|
| ANU-II | L† | Dahiphale, Bansod, Patil | 2017 | So lightweight is hardly provides any security |
| ANU | L | Bansod, Patil, Sutar, Pisharoty | 2016 | Predecessor to ANU-II |
| BEST-1 | L | Jacob John | 2014 | Better Encryption Security Technique, so maybe only better and not best? |
| Blowfish | ★ | Bruce Schneier | 1993 | Considered secure, wide software support, not side-channel resistant |
| BORON | L | Bansod, Pisharoty, Patil | 2017 | Has withstood some cryptanalysis |
| CAST-128 / CAST5 | ★ | Adams & Tavares | 1996 | Used in GPG |
| CHAM | L | Roh et al. | 2019 | Revised after weaknesses found by cryptanalysis |
| CIKS-1 | Moldovyan et al. | 2002 | Data-dependent permutations, fast in hardware | |
| CIPHERUNICORN-E | NEC | 1998 | CRYPTREC candidate | |
| COCONUT98 | ‡ | Vaudenay | 1998 | Uses Vaudenay’s decorrelation theory. Proven secure, but broken nevertheless |
| CRAFT | H‡ | Beierle et al. | 2019 | Protects against physical attacks, such as differential fault injection |
| CRAX | L | Beierle et al. | 2020 | Efficient in software, no key schedule |
| Cryptomeria / C2 | ‡ | 4C Entity | 2003 | Successor to CSS for DRM on DVDs |
| CS-Cipher | Stern & Vaudenay | 1998 | Uses FFT in the round function. | |
| DABC | L | Chen, Li, Guo | 2023 | ARX based with high diffusion |
| DES, 3DES, DES-X | ★ | IBM | 1975 | Outdated but still reasonably secure, as long as used with a sufficiently long key. Wide software support and often used for NIST compliance. |
| DULBC | L | Yang, Li, Guo, Huang | 2022 | Uses one of four different round functions depending on the key |
| FEAL | † | Shimizu & Miyaguchi | 1987 | Practical attacks were quickly found, even after the authors increased the number of rounds. |
| FeW | Kumar, Pal, Panigrahi | 2018 | Feistel-M structure, elaborate security analysis in original paper | |
| FUTURE | L | Gupta, Pandey, Samanta | 2022 | Encrypts data in a single clock cycle by using an unrolled implementation |
| GOST (Magma) | ‡ | USSR | ~1970 | Declassified in 1994. |
| Halka | L | Das | 2014 | 80-bit keys. Claims to be small in hardware, fast in software. Multiplicative inverse for 8-bit S-boxes. |
| Hierocrypt-L1 | Toshiba | 2000 | CRYPTREC candidate | |
| HIGHT | ‡L | Hong et al. | 2006 | Has received some analysis and improvements |
| Hisec | AlDabbagh et al. | 2014 | Feistel-like with 80 bit key | |
| ICE | Kwan | 1997 | Similar to DES | |
| ICEBERG | H | Standaert et al. | 2004 | Designed for FPGAs. Involutional; encryption and decryption use the same algorithm, but a different internal key |
| IDEA NXT | Junod & Vaudenay | 2003 | Successor to IDEA | |
| IDEA | ★ | Lai and Massey | 1991 | International Data Encryption Algorithm |
| KASUMI | † | Mitsubishi | 1998 | A variation of MISTY1 modified for mobile phone networks. |
| KATAN64 / KTANTAN64 | ‡H | De Cannière, Dunkelman & Knežević | 2009 | Efficient hardware oriented cipher. |
| KHAZAD | Rijmen & Barreto | 2000 | NESSIE finalist. Involutional subcomponents | |
| Khufu / Khafre | † | Merkle | 1989 | Leaked by a reviewer after the NSA asked Xerox not to publish it |
| KLEIN | L | Gong et al. | 2010 | Key length at most 96 bits |
| KN-Cipher | † | Nyberg & Knudsen | 1995 | Prototype, provably secure against differential cryptanalysis, but evenso broken by differential cryptanalysis |
| LBlock | ‡L | Wu & Zhang | 2011 | Key size of 80 bits |
| LED | HL | Guo, Peyrin, Poschmann, Robshaw | 2011 | No key schedule, protects against related-key attacks |
| LiCi | L | Patil, Bansod, Kant | 2017 | Feistel network with 31 rounds |
| Lilliput | L | Berger et al. | 2015 | Explores matrix representation of Feistel networks |
| LOKI89/91 | ‡ | Brown, Pieprzyk & Seberry | 1990 | Similar to DES, not recommended for production use |
| M6 | † | Hitachi | 1997 | Designed for FireWire. Key of up to 64 bits. Algorithm not fully published. |
| M8 | Hitachi | 1999 | Similar to M6, but more complicated and with longer keys | |
| MacGuffin | † | Schneier & Blaze | 1994 | Broken during the same workshop in which it was designed |
| MANTIS | T‡ | Beierle et al. | 2016 | Low latency |
| mCrypton | ‡LH | 2006 | Designed for RFID chips | |
| MESH | Nakahara, Rijmen, Preneel, Vandewalle | 2002 | Similar to IDEA | |
| MIBS | ‡ | Izadi, Sadeghiyan et al. | 2009 | 80 bit keys |
| Midori | L | Banik et al. | 2015 | Designed for low energy use |
| MISTY1 | ‡ | Matsui | 1997 | NESSIE selected, CRYPTREC candidate |
| MULTI2 | ‡ | Hitachi | 1988 | Key size of 64 bits. Used for TV enryption in Japan. |
| MultiSwap | † | Microsoft | 1999 | Designed for DRM in Windows |
| NewDES | ‡ | Scott | 1985 | Author admitted later that he “did not know much about cryptography back then”, and “that NEWDES is not very good” |
| Nimbus | † | Alexis Machado | 2000 | Simple round function. |
| NLBSIT | L | Al-Ahdal, Al-Rummana, Shinde, Deskmukh | 2020 | 64 bit key |
| NUSH | ‡ | Lebedev & Volchkov | 2000 | Designed for the Russian company LAN Crypto |
| Piccolo | HL | Shibutani et al. | 2011 | From Sony, protects against related-key attacks |
| PRESENT-GRP | HL | Thorat & Inamdar | 2018 | Variant of PRESENT, with grouping permutations |
| PRESENT | HL | Bogdanov, Knudsen, Leander, Paar, Poschmann, Robshaw, Seurin, Vikkelsoe | 2007 | Designed by cooperation of European universities and companies, ISO-standardized. Well-studied, and often used as benchmark in cipher research |
| PRIDE | L | Albrecht et al. | 2014 | Focusses on the linear layer of the cipher. Fast in software |
| Prince | HL | Borghoff et al. | 2012 | Involation, which they call alpha reflection |
| PUFFIN | ‡HL | Cheng, Heys, Wang | 2008 | Involutional subcomponents |
| QARMA, V2 | HT | Avanzi | 2017 | Used in ARMv8 CPUs |
| QTL | L‡ | Li, Liu, Wang | 2016 | No key schedule, Feistel variant |
| RAMus | LT | Posteuca & Rijmen | 2022 | Designed to encrypt RAM |
| RC2 / ARC2 | ★‡ | Rivest | 1987 | Developed for use in Lotus Notes. |
| RC5 | Rivest | 1994 | Complex key schedule, simple encryption/decryption algorithm | |
| RECTANGLE | L | Zhang et al. | 2015 | Uses bit slicing |
| Red Pike | GCHQ | ~1990 | Classified UK cipher | |
| RoadRunneR | L | Baysal & Şahin | 2016 | Provable 8-bit security, efficient on ATtiny45, introduces unique ST/A metric for fair comparison. |
| SAFER | Massey et al. | 2000 | From Cylink Corporation. Various variants available. | |
| SAT_Jo | ‡ | Joshitta & Arockiam | 2018 | 80 bits key. Similar to PRESENT, but less secure |
| SHARK | Rijmen et al. | 1996 | a predecessor of AES. | |
| Simeck | L | Yang et al. | 2015 | Based on Simon/Speck |
| SKINNY | T | Beierle et al. | 2016 | Claims to be better than Simon |
| Skipjack | NSA | 1998 | Small key size of 80 bits. Intended for use in the controversial Clipper chip. | |
| SPARX | L | Dinu et al. | 2016 | Design strategy with provable security |
| Speck / Simon | NSA | 2013 | Promising cipher, well analyzed, but designed by the NSA | |
| Spectr-H64 | † | Moldovyan et al. | 2001 | Predecessor of CIKS-1 |
| SPEED | ‡ | Yuliang Zheng | 1997 | Inspired by RC5, uses non-lineair Boolean operations |
| SPNRX | L | Wang, Zhao, Chen | 2022 | Mix of SPN and ARX |
| SXAL | ‡ | Laurel Intelligent Systems | 1993 | Part of MBAL, used in Japanese smart cards |
| TEA | ‡ | Needham & Wheeler | 1994 | Tiny Encryption Algorithm. Vulnerable to related-key attacks. Improved with XTEA and XXTEA. |
| Treyfer | ‡ | Gideon Yuval | 1997 | Key size of 64 bits, extremely simple algorithm |
| TWINE | L | NEC | 2011 | Tries to be fast in both hardware and software |
| ULC | L‡ | Sliman et al. | 2021 | 80 bit key |
| XTEA | ‡ | Needham & Wheeler | 1997 | Based on TEA |
| XXTEA | ‡ | Needham & Wheeler | 1998 | Based on TEA |
| µ² | L | Yeoh, Teh, Sazali | 2019 | 80 bit key Feistel variant |
Marks:
- ★: popular, widely used cipher
- †: seriously broken, practical attack
- ‡: somewhat broken, impractical attack
- T: tweakable
- L: claims to be lightweight
- H: meant for hardware implementation
Honorouble mention
Ascon is a lightweight authenticated block cipher with a block size of 64 bits. However, it is more similar to a stream cipher than a pseudorandom permutation. It’s only secure when used with an IV, and its output contains an authentication tag. A great cipher, but not suitable for creating 64-bit ciphertexts.
Discussion
Judging from the list, there are sufficient ciphers to choose from. However, few to none have the same universally acclaimed security reputation as AES. AES’s rigorous evaluation and selection process have positioned it as the gold standard for 128-bit block ciphers, but there is no 64-bit block cipher with a similar prestige. MISTY1 was the NESSIE winner, but didn’t hold up to further cryptanalysis since then. CRYPTREC recognized that none of these ciphers have similar security and popularity as AES, and stopped recommending 64-bit block ciphers altogether.
Interestingly, some ciphers within the above list were initially hailed as “provably” secure solutions, yet fell victim to the evolution of cryptanalysis techniques. It shows how difficult it is to show that a certain cipher is actually secure. However, increasingly this burden is placed on the designers of the cipher. Ciphers that shuffled enough bits around would be considered secure, as long as someone analyzed them and didn’t find a practical attack. Now the burden of proof is on the designer, and when a cipher is proposed it is expected that it comes with a security analysis.
Recommendation
Use Blowfish. It’s fast, well-supported, created and analyzed by experienced cryptographers. However, it is not secure against timing attacks or other side-channel attacks.
Alternatively:
- If you trust the NSA, consider Speck.
- If you need NIST approval, use 3DES.
More information
- A review of lightweight block ciphers
- Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices: A Review, Comparison and Research Opportunities
- Format-preserving encryption
- Format-transforming encryption
- CTR mode
- security - Is it possible to implement AES with a 64-bit I/O block size? - Stack Overflow
