There are many 64 bit block ciphers, but few have a good security reputation. Use Blowfish.


Generally, you should use AES when encrypting things. It has a minimum block size of 128 bits. This is fine if you want to encrypt 16 bytes or more. However, if you want your ciphertext to be smaller, you need another solution, such as a block cipher with a 64 bit block size. Encrypting a single block gives you a ciphertext of 8 bytes, which is feasible for use in a URL, for example.

Alphabetical list

This is supposed to be an exhaustive list of block ciphers with a 64 bit block size.

Cipher   Author Year Notes
ANU-II L Dahiphale, Bansod, Patil 2017 So lightweight is hardly provides any security
ANU L Bansod, Patil, Sutar, Pisharoty 2016 Predecessor to ANU-II
BEST-1 L Jacob John 2014 Better Encryption Security Technique, so maybe only better and not best?
Blowfish Bruce Schneier 1993 Considered secure, wide software support, not side-channel resistant
BORON L Bansod, Pisharoty, Patil 2017 Has withstood some cryptanalysis
CAST-128 / CAST5 Adams & Tavares 1996 Used in GPG
CHAM L Roh et al. 2019 Revised after weaknesses found by cryptanalysis
CIKS-1   Moldovyan et al. 2002 Data-dependent permutations, fast in hardware
COCONUT98 Vaudenay 1998 Uses Vaudenay’s decorrelation theory. Proven secure, but broken nevertheless
CRAFT H Beierle et al. 2019 Protects against physical attacks, such as differential fault injection
CRAX L Beierle et al. 2020 Efficient in software, no key schedule
Cryptomeria / C2 4C Entity 2003 Successor to CSS for DRM on DVDs
CS-Cipher   Stern & Vaudenay 1998 Uses FFT in the round function.
DABC L Chen, Li, Guo 2023 ARX based with high diffusion
DES, 3DES, DES-X IBM 1975 Outdated but still reasonably secure, as long as used with a sufficiently long key. Wide software support and often used for NIST compliance.
DULBC L Yang, Li, Guo, Huang 2022 Uses one of four different round functions depending on the key
FEAL Shimizu & Miyaguchi 1987 Practical attacks were quickly found, even after the authors increased the number of rounds.
FeW   Kumar, Pal, Panigrahi 2018 Feistel-M structure, elaborate security analysis in original paper
FUTURE L Gupta, Pandey, Samanta 2022 Encrypts data in a single clock cycle by using an unrolled implementation
GOST (Magma) USSR ~1970 Declassified in 1994.
Halka L Das 2014 80-bit keys. Claims to be small in hardware, fast in software. Multiplicative inverse for 8-bit S-boxes.
Hierocrypt-L1   Toshiba 2000 CRYPTREC candidate
HIGHT ‡L Hong et al. 2006 Has received some analysis and improvements
Hisec   AlDabbagh et al. 2014 Feistel-like with 80 bit key
ICE   Kwan 1997 Similar to DES
ICEBERG H Standaert et al. 2004 Designed for FPGAs. Involutional; encryption and decryption use the same algorithm, but a different internal key
IDEA NXT   Junod & Vaudenay 2003 Successor to IDEA
IDEA Lai and Massey 1991 International Data Encryption Algorithm
KASUMI Mitsubishi 1998 A variation of MISTY1 modified for mobile phone networks.
KATAN64 / KTANTAN64 ‡H De Cannière, Dunkelman & Knežević 2009 Efficient hardware oriented cipher.
KHAZAD   Rijmen & Barreto 2000 NESSIE finalist. Involutional subcomponents
Khufu / Khafre Merkle 1989 Leaked by a reviewer after the NSA asked Xerox not to publish it
KLEIN L Gong et al. 2010 Key length at most 96 bits
KN-Cipher Nyberg & Knudsen 1995 Prototype, provably secure against differential cryptanalysis, but evenso broken by differential cryptanalysis
LBlock ‡L Wu & Zhang 2011 Key size of 80 bits
LED HL Guo, Peyrin, Poschmann, Robshaw 2011 No key schedule, protects against related-key attacks
LiCi L Patil, Bansod, Kant 2017 Feistel network with 31 rounds
Lilliput L Berger et al. 2015 Explores matrix representation of Feistel networks
LOKI89/91 Brown, Pieprzyk & Seberry 1990 Similar to DES, not recommended for production use
M6 Hitachi 1997 Designed for FireWire. Key of up to 64 bits. Algorithm not fully published.
M8   Hitachi 1999 Similar to M6, but more complicated and with longer keys
MacGuffin Schneier & Blaze 1994 Broken during the same workshop in which it was designed
MANTIS T Beierle et al. 2016 Low latency
mCrypton ‡LH   2006 Designed for RFID chips
MESH   Nakahara, Rijmen, Preneel, Vandewalle 2002 Similar to IDEA
MIBS Izadi, Sadeghiyan et al. 2009 80 bit keys
Midori L Banik et al. 2015 Designed for low energy use
MISTY1 Matsui 1997 NESSIE selected, CRYPTREC candidate
MULTI2 Hitachi 1988 Key size of 64 bits. Used for TV enryption in Japan.
MultiSwap Microsoft 1999 Designed for DRM in Windows
NewDES Scott 1985 Author admitted later that he “did not know much about cryptography back then”, and “that NEWDES is not very good”
Nimbus Alexis Machado 2000 Simple round function.
NLBSIT L Al-Ahdal, Al-Rummana, Shinde, Deskmukh 2020 64 bit key
NUSH Lebedev & Volchkov 2000 Designed for the Russian company LAN Crypto
Piccolo HL Shibutani et al. 2011 From Sony, protects against related-key attacks
PRESENT-GRP HL Thorat & Inamdar 2018 Variant of PRESENT, with grouping permutations
PRESENT HL Bogdanov, Knudsen, Leander, Paar, Poschmann, Robshaw, Seurin, Vikkelsoe 2007 Designed by cooperation of European universities and companies, ISO-standardized. Well-studied, and often used as benchmark in cipher research
PRIDE L Albrecht et al. 2014 Focusses on the linear layer of the cipher. Fast in software
Prince HL Borghoff et al. 2012 Involation, which they call alpha reflection
PUFFIN ‡HL Cheng, Heys, Wang 2008 Involutional subcomponents
QARMA, V2 HT Avanzi 2017 Used in ARMv8 CPUs
QTL L Li, Liu, Wang 2016 No key schedule, Feistel variant
RAMus LT Posteuca & Rijmen 2022 Designed to encrypt RAM
RC2 / ARC2 ★‡ Rivest 1987 Developed for use in Lotus Notes.
RC5   Rivest 1994 Complex key schedule, simple encryption/decryption algorithm
RECTANGLE L Zhang et al. 2015 Uses bit slicing
Red Pike   GCHQ ~1990 Classified UK cipher
RoadRunneR L Baysal & Şahin 2016 Provable 8-bit security, efficient on ATtiny45, introduces unique ST/A metric for fair comparison.
SAFER   Massey et al. 2000 From Cylink Corporation. Various variants available.
SAT_Jo Joshitta & Arockiam 2018 80 bits key. Similar to PRESENT, but less secure
SHARK   Rijmen et al. 1996 a predecessor of AES.
Simeck L Yang et al. 2015 Based on Simon/Speck
SKINNY T Beierle et al. 2016 Claims to be better than Simon
Skipjack   NSA 1998 Small key size of 80 bits. Intended for use in the controversial Clipper chip.
SPARX L Dinu et al. 2016 Design strategy with provable security
Speck / Simon   NSA 2013 Promising cipher, well analyzed, but designed by the NSA
Spectr-H64 Moldovyan et al. 2001 Predecessor of CIKS-1
SPEED Yuliang Zheng 1997 Inspired by RC5, uses non-lineair Boolean operations
SPNRX L Wang, Zhao, Chen 2022 Mix of SPN and ARX
SXAL Laurel Intelligent Systems 1993 Part of MBAL, used in Japanese smart cards
TEA Needham & Wheeler 1994 Tiny Encryption Algorithm. Vulnerable to related-key attacks. Improved with XTEA and XXTEA.
Treyfer Gideon Yuval 1997 Key size of 64 bits, extremely simple algorithm
TWINE L NEC 2011 Tries to be fast in both hardware and software
ULC L Sliman et al. 2021 80 bit key
XTEA Needham & Wheeler 1997 Based on TEA
XXTEA Needham & Wheeler 1998 Based on TEA
µ² L Yeoh, Teh, Sazali 2019 80 bit key Feistel variant


  • ★: popular, widely used cipher
  • †: seriously broken, practical attack
  • ‡: somewhat broken, impractical attack
  • T: tweakable
  • L: claims to be lightweight
  • H: meant for hardware implementation

Honorouble mention

Ascon is a lightweight authenticated block cipher with a block size of 64 bits. However, it is more similar to a stream cipher than a pseudorandom permutation. It’s only secure when used with an IV, and its output contains an authentication tag. A great cipher, but not suitable for creating 64-bit ciphertexts.


Judging from the list, there are sufficient ciphers to choose from. However, few to none have the same universally acclaimed security reputation as AES. AES’s rigorous evaluation and selection process have positioned it as the gold standard for 128-bit block ciphers, but there is no 64-bit block cipher with a similar prestige. MISTY1 was the NESSIE winner, but didn’t hold up to further cryptanalysis since then. CRYPTREC recognized that none of these ciphers have similar security and popularity as AES, and stopped recommending 64-bit block ciphers altogether.

Interestingly, some ciphers within the above list were initially hailed as “provably” secure solutions, yet fell victim to the evolution of cryptanalysis techniques. It shows how difficult it is to show that a certain cipher is actually secure. However, increasingly this burden is placed on the designers of the cipher. Ciphers that shuffled enough bits around would be considered secure, as long as someone analyzed them and didn’t find a practical attack. Now the burden of proof is on the designer, and when a cipher is proposed it is expected that it comes with a security analysis.


Use Blowfish. It’s fast, well-supported, created and analyzed by experienced cryptographers. However, it is not secure against timing attacks or other side-channel attacks.


  • If you trust the NSA, consider Speck.
  • If you need NIST approval, use 3DES.

More information