BATON is a classified block cipher, presumably designed by the NSA. Very little is know (publicly) about this cipher; what follows is what little information I could gather, plus a pile of wild speculation. Other ciphers which may be related are JUNIPER and MEDLEY.

BATON was designed sometime in the early 1990s, and began showing up in devices in the 1995 to 1998 timeframe, including a number built for VPN and voice systems, and there is even an 802.11b PCMCIA card that encrypts traffic using BATON (presumably in favor of WEP, though the vendor's documentation is not clear about that). BATON is by most accounts very fast in hardware, and in particular much faster than Skipjack, another NSA design.

BATON encrypts 96-bit or 128-bit blocks under the control of a 320-bit key, but according to the PKCS #11/Cryptoki specifications, 160 bits of the key are used as a checksum; all keys for BATON must be generated by the crypto hardware implementing it, presumably to make life harder for people attempting to derive information about the algorithm using the hardware as a black box. Naturally, the checksum algorithm is secret, to prevent attackers from presenting modified keys to the device. Any key which does not have a valid checksum is rejected. When used in a block cipher mode which takes an initialization vector (IV), such as CBC or CTR (these are specifically mentioned for use with BATON in the PKCS #11 documentation), the IV is 192 bits long and is also generated by the hardware. Typically, an IV is as long as the block size, which suggests that the IV also includes a checksum of some sort.

The use of a 160 bit key is interesting. Generally speaking, one would want to use a key that is as long as possible/useful, since in most designs the length of the key does not affect the performance of the cipher in any way. However, if you know a cipher can be broken in 2n operations regardless of the key size, you might as well go ahead and use an n bit key; using a longer key is just a waste of storage space. So we might theorize that, as of 1993, the NSA did not feel confident in building a cipher with a strength of more than 2160, though this is a conclusion extrapolted from a very small number of data points.

BATON's ability to be used as either a 96-bit or 128-bit block cipher is, by the standards of public cryptography, quite bizarre. One possibility that suggests itself is that 96 bits is 3 32-bit words, and 128 bits is 4. So perhaps BATON uses 32 bit words internally, and when used as a 96-bit cipher, one of those words is set to a constant, or a value based on the current key and/or the other 3 input words. While this offers a possible method of how it is done, the why is a complete mystery. However, this would only work in certain modes, such as OFB and CTR, which do not require that the block cipher be decryptable. If this is how it worked, using BATON in ECB or CBC mode would be unpossible.

To emphasize the point that much of this writeup is speculation1, the only publicly known NSA block cipher design, Skipjack, is quite unlike modern public designs. The original Clipper Chip plan was that hundreds of thousands of smart cards with Skipjack ASICs in them would be produced and made available to the public. The NSA had to know that at some point, someone would manage to reverse engineer the design and publish it2, so they probably held back on their best tricks. BATON was never intended for use except by approved government agencies (and probably trusted defense contractors and the like), so the risk was much smaller. Thus, they were free to use all their design techniques, and BATON's design is more likely than not based on a series of NSA designs extending back decades, and has about as much relation to any public cipher (including Skipjack) as a giant squid has with my left foot.

Sadly, odds are that even after BATON has ceased to be operationally effective and has been fully phased out (probably by 2030 at the latest), the design will not be published. The NSA's mission is not to enhance the public state of the art in cryptography, or to satisfy the curiosity of crypto geeks. It is to secure the sensitive communications of the US government, and to attack the communications of every other country. Neither of those missions is enhanced by releasing the design, in particular if the design of BATON does, in fact, contain any interesting tricks which could be reused by another country's intelligence agencies.


  1. Hopefully it is clear to the reader which parts are known fact and which parts are my speculation. If any portion seems uncertain in that respect, please let me know.
  2. They solved this problem by declassifying the design and publishing it themselves a few years later on.