The security of encrypted data is not a consequence of keeping the encryption algorithm secret. Cryptographers have researched the standard encryption algorithms over the years since they were proposed, trying to break them through various types of attacks. The best algorithms are secure not because the algorithm used is secret, but because research has shown that the cipher is unbreakable. Be wary of encryption products that don't specify which algorithm is used or that use 'a new secret cipher.
Instead, the best encryption algorithms derive their security entirely though the secrecy of the keys used. Keep your keys secret, and your encrypted data will be safe.
Symmetric Ciphers
Symmetric algorithms use the same key for encryption and decryption. The strength of a symmetric algorithm is usually specified by the key length. DES, for example uses 56-bit keys, whereas Blowfish uses 128-bit keys. The greater the number of bits in the key the more secure the encrypted data is.
Symmetric algorithms are the most popular encryption algorithms, mainly because they tend to be fast (essentially all symmetric algorithms shuffle and manipulate the bits in your plaintext and the bits in the key through several similar cycles) and hence are very efficient at encrypting large amounts of data.
There are two main types of symmetric ciphers: block ciphers and stream ciphers.
Symmetric Stream Ciphers
Stream ciphers encrypt data one bit at a time. A stream of plaintext (unencrypted) bits flows in one side, and a stream of ciphertext (encrypted) bits flows out the other. At least, this is the way it works mathematically; in practice, the data is always encrypted in byte units. Ciphertext encrypted with stream ciphers is always the same size as the original plaintext.
The essential mathematical process is the XOR operation. A stream of random bits is produced and each bit of plaintext is XORed with a random bit to produce a ciphertext bit. The essence of a stream cipher is then how the random bits are produced. Also, the stream of random bits must be reproducible otherwise decryption wouldn't work.
Stream ciphers are not generally considered as secure as block ciphers. They are attacked through analyzing the random bit generator. On the plus side, stream ciphers do tend to be the fastest ciphers.
Error propagation is usually minimized when stream ciphers are used. If a bit of ciphertext gets garbled, many stream cipher algorithms will produce only a single bit of garbled plaintext.
Notes on Symmetric Block Ciphers
Although block ciphers define how to encrypt a single block of plaintext, generally the algorithms do not discuss what to do about encrypting a sequence of blocks, or encrypting a block of data that is smaller than the algorithm's block size.
There are two main methods for encrypting a sequence of blocks. Either the blocks are treated independently and the cipher is used on each block without reference to what has gone before, or the results of encrypting previous blocks affect the encryption of the current block. These two methods are formally known as the Electronic Codebook (ECB) mode and Cipher Block Chaining (CBC) mode, respectively.
ECB mode encrypts each block independently. Identical blocks of plaintext (either in the same message or in a different message that is encrypted with the same key) are transformed into identical ciphertext blocks. If the plaintext to be encrypted contains substantial repetition, then it is feasible for the ciphertext to be broken one block at a time. It is also possible for someone to replace individual blocks in some kind of attack. With ECB mode, if a single bit of the ciphertext block is garbled, then the entire corresponding plaintext block is also garbled, but the corruption does not spread.
CBC mode, on the other hand, adds a feedback mechanism. The results of the encryption of previous blocks are fed back into the encryption of the current block. Each ciphertext block is dependent not only on the plaintext block that generated it, but also on all previous plaintext blocks. This ensures that even if the plaintext contains many identical blocks, they each encrypt to a different ciphertext block. At the expense of some extra work (maintaining the feedback register and the XOR operation), the resulting ciphertext is more secure.
As with ECB mode, if a single bit of the ciphertext block is garbled, then the corresponding plaintext block is also garbled. In addition, a bit in the subsequent plaintext block (in the same position as the original garbled bit) is garbled. Synchronization errors are fatal. If there are extra or missing bytes in the ciphertext, the plaintext is garbled from that point on.
CBC mode works like this. After a plaintext block is encrypted, the resulting ciphertext is stored in a feedback register (it's a simple buffer). Before the next plaintext block is encrypted, it is XOR'ed with the feedback register. The result is then encrypted with the cipher. The resulting ciphertext is again stored in the feedback register, and the cyclew is repeated with the next plaintext block.
Decryption is just as straightforward, if a little more involved. It involves two feedback registers, the output register and the input register. A ciphertext block is stored in the output feedback register and is then decrypted normally. This decrypted block is then XORed with the input register to produce the plaintext block. The output register is then copied to the input register and the cycle is repeated with the next ciphertext block.
Although CBC mode forces identical plaintext blocks to encrypt to different ciphertext blocks, messages that start with the same data will encrypt the same way up until the first difference since the initial plaintext blocks are identical. Encrypting random data as the first block can prevent this. This block of random data is called the initialization vector.
An initialization vector is random data, usually the same number of bits as the block size, which is used as a starting point when encrypting a set of data. The initialization vector has no meaning; it's just there to make each message unique. When the block containing the initialization vector is decrypted, it is just used to fill the feedback register and is otherwise ignored. A timestamp often makes a good initialization vector, but any random bits can be used.

Top

Public Key Algorithms

Public key algorithms use a different key for encryption and decryption, and the decryption key cannot (practically) be derived from the encryption key. Public key methods are important because they can be used to transmit encryption keys or other data securely even when the parties have no opportunity to agree on a secret key in private. All known methods are quite slow, and they are usually only used to encrypt session keys (randomly generated "normal" keys), that are then used to encrypt the bulk of the data using a symmetric cipher (see below).

RSA (Rivest-Shamir-Adelman) is the most commonly used public key algorithm. Can be used both for encryption and for signing. It is generally considered to be secure when sufficiently long keys are used (512 bits is insecure, 768 bits is moderately secure, and 1024 bits is good). The security of RSA relies on the difficulty of factoring large integers. Dramatic advances in factoring large integers would make RSA vulnerable. RSA is currently the most important public key algorithm. At present, 512 bit keys are considered weak, 1024 bit keys are probably secure enough for most purposes, and 2048 bit keys are likely to remain secure for decades.
One should know that RSA is very vulnerable to chosen plaintext attacks. There is also a new timing attack that can be used to break many implementations of RSA. The RSA algorithm is believed to be safe when used properly, but one must be very careful when using it to avoid these attacks.

Diffie-Hellman is a commonly used public-key algorithm for key exchange. It is generally considered to be secure when sufficiently long keys and proper generators are used. The security of Diffie-Hellman relies on the difficulty of the discrete logarithm problem (which is believed to be computationally equivalent to factoring large integers). Diffie-Hellman is claimed to be patented in the United States, but the patent expires April 29, 1997. There are also strong rumors that the patent might in fact be invalid (there is evidence of it having been published over an year before the patent application was wiled).
Diffie-Hellman is sensitive to the choice of the strong prime and the generator. One possible prime/generator pair is suggested in the Photuris draft. The size of the secret exponent is also important for its security. Conservative advice is to make the random exponent twice as long as the intended session key.
One should note the results presented in Brian A. LaMacchia and Andrew M. Odlyzko, Computation of Discrete Logarithms in Prime Fields, Designs, Codes and Cryptography 1 (1991), 47-62. Basically, they conclude that by doing precomputations, it is possible to compute discrete logarithms relative to a particular prime efficiently. The work needed for the precomputation is approximately equal or slightly higher than the work needed for factoring a composite number of the same size. In practice this means that if the same prime is used for a large number of exchanges, it should be larger than 512 bits in size, preferably 1024 bits.

Elliptic curve public key cryptosystems is an emerging field. They have been slow to execute, but have become feasible with modern computers. They are considered to be fairly secure, but haven't yet undergone the same scrutiny as for example RSA.

ElGamal public key cryptosystem. Based on the discrete logarithm problem. See e.g. Bruce Schneier: Applied Cryptography, John Wiley and Sons, 1994.

LUC is a public key encryption system. It uses Lucas functions instead of exponentiation.

Top

Symmetric Ciphers

Symmetric algorithms use the same key for encryption and decryption. The strength of a symmetric algorithm is usually specified by the key length. DES, for example uses 56-bit keys, whereas Blowfish uses 128-bit keys. The greater the number of bits in the key the more secure the encrypted data is. Symmetric algorithms are the most popular encryption algorithms, mainly because they tend to be fast (essentially all symmetric algorithms shuffle and manipulate the bits in your plaintext and the bits in the key through several similar cycles) and hence are very efficient at encrypting large amounts of data.

There are two main types of symmetric ciphers: block ciphers and stream ciphers.

Symmetric Stream Ciphers vs. Block Ciphers

Stream ciphers encrypt data one bit at a time. A stream of plaintext (unencrypted) bits flows in one side, and a stream of ciphertext (encrypted) bits flows out the other. At least, this is the way it works mathematically; in practice, the data is always encrypted in byte units. Ciphertext encrypted with stream ciphers is always the same size as the original plaintext. The essential mathematical process is the XOR operation. A stream of random bits is produced and each bit of plaintext is XORed with a random bit to produce a ciphertext bit. The essence of a stream cipher is then how the random bits are produced. Also, the stream of random bits must be reproducible otherwise decryption wouldn't work. Stream ciphers are not generally considered as secure as block ciphers. They are attacked through analyzing the random bit generator. On the plus side, stream ciphers do tend to be the fastest ciphers. Error propagation is usually minimized when stream ciphers are used. If a bit of ciphertext gets garbled, many stream cipher algorithms will produce only a single bit of garbled plaintext.

Symmetric Ciphers

3-Way    
Block Cipher
Designer:
Joan Daemen
Published: 1994
Key length: 96 bits.
Block size: 12 bytes.
Security comment:
3-Way is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong PRNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

Blowfish

Block Cipher
Designer:
Bruce Schneier
Published:
1994
Key length:
Minimum 32, maximum 448, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.
Security comment:
The weak keys described in S. Vaudenay's paper do not appear to be significant for full (16-round) Blowfish.

CAST-128    
Block Cipher
Designers:
Carlisle Adams, Stafford Tavares
Published:
1997
4 1994, issued April 23 1996.
Key length: Minimum 40, maximum 128, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.
Comment:
Strictly speaking the alias "CAST5" only applies to CAST-128 with a key size of 80 or 128 bits. Implementations MAY enforce this.

CAST-256    
Block Cipher
Designer:
Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener
Published:
June 1998
Key length:
Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.
Block size:
16 bytes.

CRYPTON-0.5    
Block Cipher
Designer:
Chae Hoon Lim
Published:
1998
Key length: Minimum 64, maximum 256, multiple of 32 bits; default 128 bits.
Block size: 16 bytes.

CRYPTON-1.0    
Block Cipher
Designer:
Chae Hoon Lim
Published:
December 1998
Block size: 16 bytes.

CS-Cipher    
Block Cipher
Designers:
Jacques Stern, Serge Vaudenay
Published:
1998
Key length: Minimum 0, maximum 128, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.

DEAL    
Block Cipher
Designer:
Lars Knudsen
Published:
May 1998
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.
Comment:

DES   
Block Cipher
Designers:
Don Coppersmith, Horst Feistel, Walt Tuchmann, U.S. National Security Agency
Published:
1976
Key length: 64 bits as encoded; 56 bits excluding parity bits.
Block size: 8 bytes.
Security comment:
The fixed 56-bit effective key length is too short to prevent brute-force attacks.

TRIPLE DES  
Block Cipher
Designers:
Whitfield Diffie, Martin Hellman, Walt Tuchmann
Published:
1978

DESX    
Block Cipher
Designer:
Ron Rivest

DFC    
Block Cipher
Designers:
Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay
Published:
May 1998
Key length: Minimum 0, maximum 256 bits, multiple of 8 bits; default 128 bits.
Block size: 16 bytes.

Diamond2    Block Cipher
Designer:
Michael Paul Johnson
Published:
1995
Key length: Minimum 8, maximum 65536, multiple of 8 bits; default 128 bits.
Block size: 16 bytes.

E2    
Block Cipher
Designers:
Kazumaro Aoki, Masayuki Kanda, Tsutomu Matsumoto, Shiho Moriai, Kazuo Ohta, Miyako Ookubo, Youichi Takashima, Hiroki Ueda
Published:
June 1998
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.

HPC-1
Block Cipher
Designer:
Rich Schroeppel
Published:
1998

HPC-2    
Block Cipher
Designer:
Rich Schroeppel
Published:
June 1999
Description:
This is the "tweaked" version of HPC, with a modified key schedule.
Key length:
Minimum 0, maximum 65536 bits; default 128 bits.
Block size: As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.

ICE    
Block Cipher
Designer:
Matthew Kwan
Published:
1997
Key length:
Minimum 64, multiple of 64 bits; default 128 bits.
Block size: 8 bytes.

IDEA    
Block Cipher
Designers:
Xuejia Lai, James Massey
Published:
1992
Key length: 128 bits.
Block size: 8 bytes.

ISAAC-BE    
Stream Cipher
Designer:
Robert J. Jenkins Jr.
Published:
1996

ISAAC-LE   
Stream Cipher
Designer:
Robert J. Jenkins Jr.
Published:
1996

ISAAC-64-BE    
Stream Cipher
Designer:
Robert J. Jenkins Jr.
Published:
1996

ISAAC-64-LE    
Stream Cipher
Designer:
Robert J. Jenkins Jr.
Published:
1996

JEROBOAM    
Stream Cipher
Designer:
Hervé Chabanne, Emmanuel Michon
Published:
1998
Key length: 128 or 248 bits

MAGENTA     Block Cipher
Designers:
Michael Jacobson Jr., Klaus Huber
Published:
August 1998

RC2    
Block Cipher
Designer:
Ron Rivest
Published:
1998
Key length: Minimum 0; maximum 1024, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.

RC4    
Stream Cipher
Designer:
Ron Rivest
Published:
September 1994
Key length: Minimum 8, maximum 2048, multiple of 8 bits; default 128 bits.

RC5  
Block Cipher
Designer:
Ron Rivest
Published:
January 1995
Key length: Minimum 0; maximum 65536, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.

RC5-64
Block Cipher
Designer:
Ron Rivest
Published:
January 1995

RC6
Block Cipher
Designers:
Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin
Published:
1998

RC6-64  
Block Cipher
Designers:
Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin
Published:
1998?
Key length: Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.
Block size:
32 bytes.

Rijndael   
Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Published:
November 1998

Rijndael-192    
Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Published:
November 1998
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 24 bytes.

Rijndael-256    
Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Published:
November 1998
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 32 bytes.

SAFER+-2    
Block Cipher
Designers:
James Massey, Gurgen Khachatrian, Melsik Kuregian
Published:
May 1999
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.

Sapphire-II     Stream Cipher
Designer:
Michael Paul Johnson
Published:
January? 1995
Key length: Minimum 8, maximum 2040, multiple of 8 bits; default 128 bits.

Serpent     Block Cipher
Designers:
Ross Anderson, Eli Biham, Lars Knudsen
Published:
1998?
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.

SKIPJACK    
Block Cipher
Designer:
U.S. National Security Agency
Published:
June 1998
Key length: 80 bits.
Block size: 8 bytes.

Twofish    
Block Cipher
Designers:
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
Published:
1998
Key length: Minimum 8, maximum 256, multiple of 8 bits; default 128 bits.
Block size: 16 bytes.

Top

Cryptographic Algorithms Descriptions
Block Ciphers
3-Way
3-Way is a simple and fast cipher designed by Joan Daemen. 3-Way features a 96-bit key length and a 96-bit block length. 3-Way is an iterated block cipher that repeats some relatively simple operations a specified number of rounds. David Wagner, John Kelsey, and Bruce Schneier of Counterpane Systems have discovered a related key attack on 3-Way that requires one related key query and about 222 chosen plaintexts, described in this paper. 3-Way is unpatented.
Blowfish
Blowfish is a block cipher designed by Bruce Schneier, author of Applied Cryptography. Blowfish combines a Feistel network, key-dependent S-Boxes, and a non-invertible F function to create what is perhaps one of the most secure algorithms available. There are no known attacks against Blowfish. Schneier's paper is available here. Blowfish is also described in the Concepts of Cryptography page.
CAST
CAST, designed by Carlisle Adams and Stafford Taveres, is shaping up to be a solid algorithm. Its design is very similar to Blowfish's, with key-dependent S-Boxes, a non-invertible f function, and a Feistel network-like structure (called a substitution-permutation network). David Wagner, John Kelsey, and Bruce Schneier have discovered a related-key attack on the 64-bit version of CAST that requires approximately 217 chosen plaintexts, one related query, and 248 offline computations (described in this paper). The attack is infeasible at best. CAST is patented by Entrust Technologies, which has generously released it for free use. The CAST cipher design process is described in this paper and the 128-bit version is described in this addendum. Carlisle Adams has submitted a version of CAST (CAST-256) as an AES candidate.
CMEA
CMEA is the encryption algorithm developed by the Telecommunications Industry Association to encrypt digital cellular phone data. It uses a 64-bit key and features a variable block length. CMEA is used to encrypt the control channel of cellular phones. It is distinct from ORYX, an also insecure stream cipher that is used to encrypt data transmitted over digital cellular phones. It has been broken by David Wagner, John Kelsey, and Bruce Schneier of Counterpane Systems. Their paper, which also provides an excellent description of the CMEA algorithm, is available here.
DES
Designed at IBM during the 1970s and officially adopted as the NIST standard encryption algorithm for unclassified data in 1976, DES has become the bastion of the cryptography market. However, DES has since become outdated, its long reign as official NIST algorithm ending in 1997. Though DES accepts a 64-bit key, the key setup routines effectively discard 8 bits, giving DES a 56-bit effective keylength. DES remains widely in use. During the design of DES, the NSA provided secret S-Boxes. After differential cryptanalysis had been discovered outside the closed fortress of the NSA, it was revealed that the DES S-boxes were designed to be resistant against differential cryptanalysis. DES is becoming weaker and weaker over time; modern computing power is fast approaching the computational horsepower needed to easily crack DES.
DES was designed to be implemented only in hardware, and is therefore extremely slow in software. A recent successful effort to crack DES took several thousand computers several months. However, there are designs for a hardware DES-cracking machine. Such a machine is estimated to cost $1 million dollars, but would be able to break DES in approximately 7 minutes. It is speculated that the US government has such a machine. In conclusion, DES is a dying algorithm - use it only when it is acceptable to have your data read by a government-strength power and, with a massive effort, by the public.
DEAL
DEAL is an interesting AES submission and, like all AES submissions, it uses a 128 bit block and accepts 128 bit, 192 bit, and 256 bit keylengths. It uses DES as its inner round function and its authors suggest at least 6, preferably 8 rounds (there are some attacks against DEAL). There is a paper available here that describes some attacks, all of which can be cured by using at least 8 rounds.
FEAL
Developed by the Nippon Telephone & Telegraph as an improvement to DES, the Fast Data Encipherment Algorithm (FEAL) is very insecure. FEAL-4, FEAL-8, and FEAL-N are all susceptible to a variety of cryptanalytic attacks, some requiring as little as 12 chosen plaintexts. FEAL is patented.
GOST
GOST is a cryptographic algorithm from Russia that appears to be the Russian analog to DES both politically and technologically. Its designers took no chances, iterating the GOST algorithm for 32 rounds and using a 256 bit key. Although GOST's conservative design inspires confidence, John Kelsey has discovered a key-relation attack on GOST, described in a post to sci.crypt on 10 February 1996. There are also weak keys in GOST, but there are too few to be a problem when GOST is used with its standard set of S-boxes. You can read the official GOST algorithm description (translated from Russian) here. There is also a description of the GOST algorithm here.
IDEA
IDEA, developed in Zurich, Switzerland by Xuejia Lai and James Massey, is generally regarded to be the best and most secure block algorithm available to the public today. It utilizes a 128-bit key and is designed to be resistant to differential cryptanalysis. Some attacks have been made against reduced round IDEA. Unfortunately, IDEA is patented; licensing information can be obtained from Ascom.
LOKI
LOKI was designed as a possible replacement for DES. It operates on a 64-bit block and a 64-bit key. The first version of LOKI to be released was broken by differential cryptanalysis and was shown to have an 8-bit complementation property (this means that the number of keys that need to be searched in a brute force attack is reduced by 256). LOKI was revised and re-released as LOKI91. LOKI91 is secure against differential cryptanalysis, but LOKI easily falls to a chosen-key attack. The designers of LOKI have proposed LOKI97 as an AES candidate, but linear and differential attacks on LOKI97 have already been proposed.
Lucifer
Lucifer was one of the first modern cryptographic algorithms. It was designed at IBM in the 1960s by Horst Feistel, of Feistel network fame. Lucifer is often considered to be a precursor to DES. There are several incarnations of Lucifer, each with the same name, which creates a good deal of confusion. No version is secure. A paper on the differential cryptanlysis of Lucifer was written by Ishai Ben-Aroya & Eli Biham.
MacGuffin
MacGuffin is a cipher developed by Matt Blaze and Bruce Schneier as an experiment in cipher design. It uses a Feistel network (see the cryptography overview for details), but does not split the input evenly, instead dividing the 64 bit block into one 16 bit part and another 48 bit part. This is called a generalized unbalanced Feistel network (GUFN). Details are available in this paper. A differential attack on MacGuffin has been found that requires approximately 251.5 chosen plaintexts.
MARS
MARS is IBM's AES submission. There is a MARS web page, but it provides little more than a link to the MARS paper. MARS uses 128 bit blocks and supports variable key sizes (from 128 to 1248 bits). MARS is unique in that it combines virtually every design technique known to cryptographers in one algorithm. It uses addition and subtractions, S-boxes, fixed and data dependent rotations, and multiplications.
MISTY
Misty is a cryptographic algorithm developed by Mitsubishi Electric after they broke DES in 1994. It is designed to withstand linear and differential cryptanalysis, but has not yet been cryptanalysed. As it has not undergone intensive peer review, the usual caution is recommended. It is being considered for inclusion into the SET 2.0 standard.
MMB
MMB was designed as an alternative to IDEA that uses a 128-bit block instead of IDEA's 64-bit block. It was designed using the same principles as IDEA. Unfortunately, it is not as secure as IDEA and several attacks exist against it. Its author, Joan Daemen, abandoned it and designed 3-Way.
NewDES
Although NewDES was developed by Robert Scott to possibly replace DES, NewDES has fallen short of expectations. NewDES has been proven to be weaker than DES, requiring 24 related-key probes and 530 chosen plaintext/ciphertext queries, as described in this paper.
RC2
RC2, like RC4, was formerly a trade secret, but code purporting to be RC2 was posted to sci.crypt. It is archived here and here. David Wagner, John Kelsey, and Bruce Schneier have discovered a related-key attack on RC2 that requires one related-key query and approximately 234 chosen plaintexts. RC2 is not patented by RSA Data Security, Inc; it is just protected as a trade secret.
RC5
RC5 is a group of algorithms designed by Ron Rivest of RSA Data Security that can take on a variable block size, key size, and number of rounds. The block size is generally dependent on the word size of the machine the particular version of RC5 was designed to run on; on 32-bit processors (with 32-bit words), RC5 generally has a 64-bit block size. David Wagner, John Kelsey, and Bruce Schneier have found weak keys in RC5, with the probability of selecting a weak key to be 2-10r, where r is the number of rounds. For sufficiently large r values (greater than 10), this is not a problem as long as you are not trying to build a hash function based on RC5. Kundsen has also found a differential attack on RC5. RC5 is described in this RSA document. RC5 is patented by RSA Data Security, Inc.
RC6
RC6 is Ronald Rivest's AES submission. Like all AES ciphers, RC6 works on 128 bit blocks. It can accept variable length keys. It is very similar to RC5, incorporating the results of various studies on RC5 to improve the algorithm. The studies of RC5 found that not all bits of data are used to determine the rotation amount (rotation is used extensively in RC5); RC6 uses multiplication to determine the rotation amount and uses all bits of input data to determine the rotation amount, strengthening the avalanche effect.
REDOC
There are two versions of the REDOC algorithm, REDOC II, and REDOC III. REDOC II is considered to be secure; an attack has been made against one round of REDOC II, but could not be extended to all 10 recommended rounds. REDOC II is interesting in that it uses data masks to select the values in the S-boxes. REDOC II uses a 160-bit key and works on an 80-bit block. REDOC III was an attempt to make the painfully slow REDOC II faster. REDOC III, like REDOC III, operates on an 80-bit block, but can accept keys up to 20480 bits. However, REDOC III falls to differential cryptanalysis, as described in this paper.
Rijndael
Rijndael is an AES submission by Joan Daemen and Vincent Rijmen. The cipher has a variable block and key length, and the authors have demonstrated how to extend the block length and key length by muliples of 32 bits. The design of Rijndael was influenced by the SQUARE algorithm. The authors provide a Rijndael specification and a more theoretical paper on their design prinicples. The authors have vowed to never patent Rijndael.
Safer
Safer was developed by Robert Massey at the request of Cylink Corporation. There are several different versions of Safer, with 40, 64, and 128-bit keys. A weakness in the key schedule was corrected, with an S being added to the original Safer K designation to create Safer SK. There are some attacks against reduced round variants of Safer. Safer is secure against differential and linear cryptanalysis. However, Bruce Schneier, author of Applied Cryptography, recommends against using Safer because, "Safer was designed for Cylink, and Cylink is tainted by the NSA."
Serpent
Serpent is an AES submission by Ross Anderson, Eli Biham, Lars Knudsen. Its authors combined the design principles of DES with the recent development of bitslicing techniques to create a very secure and very fast algorithm. While bitslicing is generally used to encrypt multiple blocks in parallel, the designers of Serpent have embraced the technique of bitslicing and the influence has extended to the design of the algorithm itself. Serpent uses 128 bit blocks and 256 bit keys. Like DES, Serpent includes an initial and final permutation of no cryptographic significance; these permutations are used to optimize the data before encryption. Serpent was released at the 5th International Workshop on Fast Software Encryption. This iteration of Serpent was called Serpent 0 and used the original DES S-boxes. After comments, the key schedule of Sperpent was changed slightly and the S-boxes were changed; this new iteration of Serpent is called Serpent 1. Serpent 1 resists both linear and differential attacks. The Serpent paper is available here.
SQUARE
SQUARE is an iterated block cipher that uses a 128-bit key length and a 128-bit block length. The round function of SQUARE is composed of four transformations: a linear transformation, a nonlinear transformation, a byte permutation, and a bitwise round-key addition. SQUARE was designed to be resistant to linear and differential cryptanalysis, and succeeds in this respect. The designers of SQUARE have developed an attack on SQUARE, but it cannot be extended past 6 rounds. A paper on SQUARE is available here and there are links to the paper and source code on the designers' web site.
Skipjack
In what surely signals the end of the Clipper chip project, the NSA has released Skipjack, its formerly secret encryption algorithm, to the public. Skipjack uses an 80 bit key. A fuzzy scan of the official NSA paper is available here at the NIST web site, but it has been transcribed by the folks over at jya.com. A reference implementation (in C) is available here, and an optimized version is available here. Eli Biham and Adi Shamir have published some initial cryptanalytic results.
Tiny Encryption Algorithm (TEA)
TEA is a cryptographic algorithm designed to minimize memory footprint, and maximize speed. However, the cryptographers from Counterpane Systems have discovered three related-key attacks on TEA, the best of which requires only 223 chosen plaintexts and one related key query. The problems arise from the overly simple key schedule. Each TEA key can be found to have three other equivalent keys, as described in a paper by David Wagner, John Kelsey, and Bruce Schneier. This precludes the possibility of using TEA as a hash function. Roger Needham and David Wheeler have proposed extensions to TEA that counters the above attacks.
Twofish
Twofish is Counterpane Systems' AES submission. Designed by the Counterpane Team (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson), Twofish has undergone extensive analysis by the Counterpane Team. There is a paper available from the Twofish web page and source is provided in optimized C and assembly.
Stream Ciphers
ORYX
ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream cipher based on three 32-bit Galois LFSRs. It is distinct from CMEA, which is a block cipher used to encrypt the cellular data control channel. The cryptographic tag-team from Counterpane Systems (David Wagner, John Kelsey, and Bruce Schneier) have developed an attack on ORYX that requires approximately 24 bytes of known plaintext and about 216 initial guesses. Source code for ORYX is available here.
RC4
The RC4 algorithm is a stream cipher from RSA Data Security, Inc. Though RC4 was originally a trade secret, the alleged source code was published anonymously in 1994. The published algorithm performs identically to RC4 implementations in official RSA products. RC4 is widely used in many applications and is generally regarded to be secure. There are no known attacks against RC4. RC4 is not patented by RSA Data Security, Inc; it is just protected as a trade secret.
The 40-bit exportable version of RC4 has been broken by brute force!
SEAL
SEAL, designed by Don Coppersmith of IBM Corp, is probably the fastest secure encryption algorithm available. The key setup process of SEAL requires several kilobytes of space and rather intensive computation involving SHA1, but only five operations per byte are required to generate the keystream. SEAL is particularly appropriate for disk encryption and related applications. A paper is available here. SEAL is patented, and can be licensed from IBM.
Hash Algorithms
MD2
MD2 is generally considered to be a dead algorithm. It was designed to work on 8-bit processors and, in today's 32-bit world, is rarely used. It produces a 128-bit digest. MD2 is different in design from MD4 and MD5, in that it first pads the message so that its length in bits is divisible by 256. It then adds a 256-bit checksum. If this checksum is not added, the MD2 function has been found to have collisions. There are no known attacks on the full version of MD2. MD2 is described in RFC 1319.
MD4
Although MD4 is now considered insecure, its design is the basis for the design of most other cryptographic hashes and therefore merits description. First, the message to be operated on is padded so that its length in bits plus 448 is divisible by 512. Then, in what is called a Damgård/Merkle iterative structure, the message is processed with a compression function in 512-bit blocks to generate a digest value. In MD4 this digest is 128 bits long. Hans Dobbertin developed an attack on the full MD4 that will generate collisions in about a minute on most PCs. An overview of the design and a description of the security of MD2, MD4, and MD5, are described in this RSA document.
MD5
While MD4 was designed for speed, a more conservative approach was taken in the design of MD5. However, applying the same techniques he used to attack MD4, Hans Dobbertin has shown that collisions can be found for the MD5 compression function in about 10 hours on a PC. While these attacks have not been extended to the full MD5 algorithm, they still do not inspire confidence in the algorithm. RSA is quick to point out that these collision attacks do not compromise the integrity of MD5 when used with existing digital signatures. MD5, like MD4, produces a 128-bit digest. An RFC describing MD5 in detail is available here.
RIPEMD
RIPEMD and its successors were developed by the European RIPE project. Its authors found collisions for a version of RIPEMD restricted to two rounds. This attack can also be applied to MD4 and MD5. The original RIPEMD algorithm was then strengthened and renamed to RIPEMD-160. As implied by the name, RIPEMD-160 produces a 160-bit digest. A comprehensive description of RIPEMD-160 can be found here.
SHA1
SHA1 was developed by the NSA for NIST as part of the Secure Hash Standard (SHS). SHA1 is similar in design to MD4. The original published algorithm, known as SHA, was modified by NSA to protect against an unspecified attack; the updated algorithm is named SHA1. It produces a 160-bit digest -- large enough to protect against "birthday" attacks, where two different messages are selected to produce the same signature, for the next decade. The official FIPS description of SHA1 can be found here.
Snefru
Snefru is a hash function designed by Ralph Merke, the designer of the Khufu and Khafre encryption algorithms. 2-round Snefru has been broken by Eli Biham. There is a $1000 reward for anyone who breaks 4-round Snefru. Snefru 2.5, the latest edition of the hash algorithm, can generate either a 128-bit or a 256-bit digest.
Tiger
Tiger is a new hash algorithm by Ross Anderson and Eli Biham. It is designed to work with 64-bit processors such as the Digital Alpha and, unlike MD4, does not rely on rotations (the Alpha has no such rotate instruction). In order to provide drop-in compatibility with other hashes, Tiger can generate a 128-bit, a 160-bit or a 192-bit digest. The Tiger home page contains more information.