A **block cipher** is a mathematical function, typically implemented in modern times by a computer program function, that takes two inputs and produces one output. The two inputs are called the "plaintext block" and the "key". The output is called the "ciphertext block". Typically, each input and output consists of a certain number of bits, with the plaintext block and ciphertext block the same size, and the key perhaps of the same size or perhaps different. The function must meet certain requirements, probably the most important being:

- Knowing both the plaintext block and the key, it must be easy (for a computer) to calculate the ciphertext block.
- Knowing both the ciphertext block and the key, it must be easy (for a computer) to calculate the plaintext block.
- Knowing both the plaintext block and the ciphertext block, it must be as difficult as possible (for a team of highly motivated experts with many computers) to find the key.

The first well known and widely used block cipher was DES, which began to be used circa 1976. From then until the end of the twentieth century, it became customary for block ciphers to have a block size of 64 bits and a key size of at least 56 bits, with 64 or 128 bits perhaps being most common except for DES. In the USSR, a cipher called GOST was probably quite widely used, though it is little known in the West. It had a block size of 64 bits and a key of 256 bits. Circa 2000, security experts began to realize that larger block sizes are strongly advised and that key sizes should be at least 128 bits. AES is an example of this new breed of cipher.

A common method for construction of block ciphers is to use the Feistel network or one of its relatives to combine multiple rounds of repeated

- bit-shuffling
- simple non-linear functions (often called S boxes)
- linear mixing (in the sense of modular algebra) using XOR

Many other block ciphers have been proposed publicly (and probably quite a few more are kept secret). A few are: RC5, Safer block cipher (and its successors to be discussed in that article), IDEA, Blowfish, 3-Way, and also the losing AES finalists: Twofish, Serpent, RC6, and Mars.

It is occasionally practical to use a block cipher to encrypt a message exactly the same size at the plaintext block. However, in most applications, the block cipher must be used as a component in a larger scheme. See block cipher modes of operation for a discussion of how this is done.

Much cryptanalysis theory and practice relevant to block ciphers has been published since about 1988. Some of the better known methods include differential cryptanalysis, linear cryptanalysis, slide attack cryptanalysis, algebraic cryptanalysis. For a modern proposal for a block cipher to be taken seriously, there must be good reason to believe it is strongly resistant to all these.