There are many 64-bit block ciphers, but few have a good security reputation. Use Blowfish.

Introduction

Generally, you should use AES when encrypting things. It has a minimum block size of 128 bits. This is fine if you want to encrypt 16 bytes or more. However, if you want your ciphertext to be smaller, you need another solution, such as a block cipher with a 64-bit block size. Encrypting a single block gives you a ciphertext of 8 bytes, which is feasible for use in a URL, for example.
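The single-block use case described above, as an added example that is not part of the original page: a 64-bit record ID is encrypted into one 8-byte block and base64url-encoded into an 11-character URL token. XTEA, from the list below, stands in for the cipher only because it fits inline in pure Python; the big-endian word order, the demo key and the names id_to_token, token_to_id and max_id are assumptions. A single block carries no authentication tag, so the decoder rejects IDs above an expected maximum.

```python
import base64
import struct

MASK, DELTA, CYCLES = 0xFFFFFFFF, 0x9E3779B9, 32  # standard XTEA parameters

def _mix(v, s, k):
    # XTEA round function: (((v << 4) ^ (v >> 5)) + v) ^ (sum + key word), mod 2**32
    return ((((v << 4) ^ (v >> 5)) + v) ^ (s + k)) & MASK

def xtea_encrypt_block(key, block):
    """Encrypt one 8-byte block under a 16-byte key (big-endian words assumed)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(CYCLES):
        v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def xtea_decrypt_block(key, block):
    """Inverse of xtea_encrypt_block: the same steps in reverse order."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * CYCLES) & MASK
    for _ in range(CYCLES):
        v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def id_to_token(key, record_id):
    """Encrypt a 64-bit ID as a single block: 8 bytes become 11 URL-safe characters."""
    ct = xtea_encrypt_block(key, record_id.to_bytes(8, "big"))
    return base64.urlsafe_b64encode(ct).rstrip(b"=").decode()

def token_to_id(key, token, max_id):
    """Return the ID, or None if the token is malformed or decrypts out of range."""
    try:
        ct = base64.urlsafe_b64decode(token + "=")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(ct) != 8:
        return None
    record_id = int.from_bytes(xtea_decrypt_block(key, ct), "big")
    return record_id if record_id <= max_id else None

DEMO_KEY = bytes(range(16))  # constructed demo key; generate a real one with secrets.token_bytes(16)
```

The same ID always yields the same token, and with max_id set to 2**32 - 1 a guessed token is accepted with a probability of about 2^-32.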

Alphabetical list

This is supposed to be an exhaustive list of block ciphers with a 64-bit block size.

| Cipher | Marks | Author | Year | Notes |
|---|---|---|---|---|
| BEST-1 | L | Jacob John | 2014 | Better Encryption Security Technique, so maybe only better and not best? |
| Blowfish | | Bruce Schneier | 1993 | Considered secure, wide software support |
| CAST-128 / CAST5 | | Adams & Tavares | 1996 | Used in GPG |
| CIKS-1 | | Moldovyan et al. | 2002 | Data-dependent permutations, fast in hardware |
| CIPHERUNICORN-E | | NEC | 1998 | CRYPTREC candidate |
| COCONUT98 | | Vaudenay | 1998 | Uses Vaudenay’s decorrelation theory. Proven secure, but broken nevertheless |
| CRAFT | H | Beierle et al. | 2019 | Protects against physical attacks, such as differential fault injection |
| Cryptomeria / C2 | | 4C Entity | 2003 | Successor to CSS for DRM on DVDs |
| CS-Cipher | | Stern & Vaudenay | 1998 | Uses FFT in the round function. |
| DES, 3DES, DES-X | | IBM | 1975 | Outdated but still reasonably secure, as long as used with a sufficiently long key. Wide software support and often used for NIST compliance. |
| FEAL | | Shimizu & Miyaguchi | 1987 | Practical attacks were quickly found, even after the authors increased the number of rounds. |
| FeW | | Kumar, Pal, Panigrahi | 2018 | Feistel-M structure, elaborate security analysis in original paper |
| GOST (Magma) | | USSR | ~1970 | Declassified in 1994. |
| Halka | L | Das | 2014 | 80-bit keys. Claims to be small in hardware, fast in software. Multiplicative inverse for 8-bit S-boxes. |
| Hierocrypt-L1 | | Toshiba | 2000 | CRYPTREC candidate |
| HIGHT | ‡L | Hong et al. | 2006 | Has received some analysis and improvements |
| Hisec | | AlDabbagh et al. | 2014 | |
| ICE | | Kwan | 1997 | Similar to DES |
| ICEBERG | H | Standaert et al. | 2004 | Designed for FPGAs. Involutional; encryption and decryption use the same algorithm, but a different internal key |
| IDEA | | Lai and Massey | 1991 | International Data Encryption Algorithm |
| IDEA NXT | | Junod & Vaudenay | 2003 | Successor to IDEA |
| KASUMI | | Mitsubishi | 1998 | A variation of MISTY1 modified for mobile phone networks. |
| KATAN64 / KTANTAN64 | ‡H | De Cannière, Dunkelman & Knežević | 2009 | Efficient hardware-oriented cipher. |
| KHAZAD | | Rijmen & Barreto | 2000 | NESSIE finalist. Involutional subcomponents |
| Khufu / Khafre | | Merkle | 1989 | Leaked by a reviewer after the NSA asked Xerox not to publish it |
| KLEIN | L | Gong et al. | 2010 | Key length at most 96 bits |
| KN-Cipher | | Nyberg & Knudsen | 1995 | Prototype, provably secure against differential cryptanalysis, but even so broken by differential cryptanalysis |
| LBlock | ‡L | Wu & Zhang | 2011 | Key size of 80 bits |
| LED | HL | Guo, Peyrin, Poschmann, Robshaw | 2011 | No key schedule, protects against related-key attacks |
| Lilliput | L | Berger et al. | 2015 | Explores matrix representation of Feistel networks |
| LOKI89/91 | | Brown, Pieprzyk & Seberry | 1990 | Similar to DES, not recommended for production use |
| M6 | | Hitachi | 1997 | Designed for FireWire. Key of up to 64 bits. Algorithm not fully published. |
| M8 | | Hitachi | 1999 | Similar to M6, but more complicated and with longer keys |
| MacGuffin | | Schneier & Blaze | 1994 | Broken during the same workshop in which it was designed |
| mCrypton | ‡LH | | 2006 | Designed for RFID chips |
| MIBS | | Izadi, Sadeghiyan et al. | 2009 | 80-bit keys |
| MESH | | Nakahara, Rijmen, Preneel, Vandewalle | 2002 | Similar to IDEA |
| Midori | L | Banik et al. | 2015 | Designed for low energy use |
| MISTY1 | | Matsui | 1997 | NESSIE selected, CRYPTREC candidate |
| MULTI2 | | Hitachi | 1988 | Key size of 64 bits. Used for TV encryption in Japan. |
| MultiSwap | | Microsoft | 1999 | Designed for DRM in Windows |
| NewDES | | Scott | 1985 | Author admitted later that he “did not know much about cryptography back then”, and “that NEWDES is not very good” |
| Nimbus | | Alexis Machado | 2000 | Simple round function. |
| NUSH | | Lebedev & Volchkov | 2000 | Designed for the Russian company LAN Crypto |
| Piccolo | HL | Shibutani et al. | 2011 | From Sony, protects against related-key attacks |
| PRESENT | HL | Bogdanov, Knudsen, Leander, Paar, Poschmann, Robshaw, Seurin, Vikkelsoe | 2007 | Designed by cooperation of European universities and companies, ISO-standardized. Well-studied, and often used as benchmark in cipher research |
| PRESENT-GRP | HL | Thorat & Inamdar | 2018 | Variant of PRESENT, with grouping permutations |
| PRIDE | L | Albrecht et al. | 2014 | Focuses on the linear layer of the cipher. Fast in software |
| Prince | HL | Borghoff et al. | 2012 | Involution, which they call alpha reflection |
| PUFFIN | ‡HL | Cheng, Heys, Wang | 2008 | Involutional subcomponents |
| QARMA, V2 | HT | Avanzi | 2017 | Used in ARMv8 CPUs |
| RC2 / ARC2 | ★‡ | Rivest | 1987 | Developed for use in Lotus Notes. |
| RC5 | | Rivest | 1994 | Complex key schedule, simple encryption/decryption algorithm |
| RECTANGLE | L | Zhang et al. | 2015 | Uses bit slicing |
| Red Pike | | GCHQ | ~1990 | Classified UK cipher |
| RoadRunneR | L | Baysal & Şahin | 2016 | Provable 8-bit security, efficient on ATtiny45, introduces unique ST/A metric for fair comparison. |
| SAFER | | Massey et al. | 2000 | From Cylink Corporation. Various variants available. |
| SHARK | | Rijmen et al. | 1996 | A predecessor of AES. |
| Simeck | L | Yang et al. | 2015 | Based on Simon/Speck |
| SKINNY / MANTIS | T | Beierle et al. | 2016 | Claims to be better than Simon |
| Skipjack | | NSA | 1998 | Small key size of 80 bits. Intended for use in the controversial Clipper chip. |
| SPARX | L | Dinu et al. | 2016 | Design strategy with provable security |
| Speck / Simon | | NSA | 2013 | Promising cipher, well analyzed, but designed by the NSA |
| Spectr-H64 | | Moldovyan et al. | 2001 | Predecessor of CIKS-1 |
| SPEED | | Yuliang Zheng | 1997 | Inspired by RC5, uses non-linear Boolean operations |
| SXAL | | Laurel Intelligent Systems | 1993 | Part of MBAL, used in Japanese smart cards |
| TEA | | Needham & Wheeler | 1994 | Tiny Encryption Algorithm. Vulnerable to related-key attacks. Improved with XTEA and XXTEA. |
| Treyfer | | Gideon Yuval | 1997 | Key size of 64 bits, extremely simple algorithm |
| TWINE | L | NEC | 2011 | Tries to be fast in both hardware and software |
| XTEA | | Needham & Wheeler | 1997 | Based on TEA |
| XXTEA | | Needham & Wheeler | 1998 | Based on TEA |

Marks:

  • ★: popular, widely used cipher
  • †: seriously broken, practical attack
  • ‡: somewhat broken, impractical attack
  • T: tweakable
  • L: claims to be lightweight
  • H: meant for hardware implementation

Honourable mention

Ascon is a lightweight authenticated block cipher with a block size of 64 bits. However, it is more similar to a stream cipher than a pseudorandom permutation. It’s only secure when used with an IV, and its output contains an authentication tag. A great cipher, but not suitable for creating 64-bit ciphertexts.

Discussion

Judging from the list, there are plenty of ciphers to choose from. However, few if any have the universally acclaimed security reputation of AES. AES’s rigorous evaluation and selection process has positioned it as the gold standard for 128-bit block ciphers, but no 64-bit block cipher has similar prestige. MISTY1 was the NESSIE winner, but has not held up to further cryptanalysis since then. CRYPTREC recognized that none of these ciphers has security and popularity comparable to AES, and stopped recommending 64-bit block ciphers altogether.

Interestingly, some ciphers in the list above were initially hailed as “provably” secure, yet fell to later cryptanalysis techniques. This shows how difficult it is to demonstrate that a cipher is actually secure. Previously, a cipher that shuffled enough bits around would be considered secure, as long as someone analyzed it and didn’t find a practical attack. Now the burden of proof is increasingly on the designer: when a cipher is proposed, it is expected to come with a security analysis.

Recommendation

Use Blowfish. It’s fast, well-supported, and was created and analyzed by experienced cryptographers.

Alternatively:

  • If you trust the NSA, consider Speck.
  • If you need NIST approval, use 3DES.

More information