Due to their ubiquitous use, block ciphers are often called the workhorse of cryptography. They operate on plaintexts of a fixed size, called blocks, and produce ciphertexts of the same length.
A *block cipher* is a [Shannon cipher](../index.md) $(\textit{Enc}, \textit{Dec})$ with identical message and ciphertext spaces, i.e. $\mathcal{M} \equiv \mathcal{C}$, such that for every key $k \in \mathcal{K}$ the encryption function $\textit{Enc}_k$ is a [pseudorandom permutation](../../Primitives/Pseudorandom%20Permutations%20(PRPs).md) over $\mathcal{M}$ and the decryption function $\textit{Dec}_k$ is its inverse.
The construction of a block cipher is rooted in [pseudorandom permutations (PRPs)](../../Primitives/Pseudorandom%20Permutations%20(PRPs).md), which is why the plaintexts (also known as the *data blocks*) and the ciphertexts are always of the same length. Furthermore, since every PRP is required to be invertible, there is a natural implementation for the decryption function: it is simply the inverse of the PRP used for encryption.
In practice, block ciphers are built by iterating a round function over a number of so-called rounds, and each block cipher uses a different number of rounds.
The first phase of encryption is the key expansion. The key
Similarly, decryption also begins by expanding the master key
The reason for constructing practical block ciphers this way is twofold. First, encryption and decryption use more or less the same algorithm, which makes it easy to create specialised hardware for them, drastically speeding up these operations.
The Advanced Encryption Standard (AES) is the most ubiquitous block cipher in the world and most CPUs have dedicated hardware and instructions for it.
Second, the round function
Although iteration can be used to achieve security, not all round functions can be used. For example, no matter how many times one iterates a linear round function, it will never be secure.
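The claim about linear round functions, as an added example that is not part of the original notes: a toy 32-bit cipher whose round uses only XORs and rotations remains an affine map over GF(2) after any number of rounds, so 33 chosen-plaintext queries suffice to predict every other ciphertext without the key. The round function, key schedule and all names below are constructed for this illustration.

```python
import secrets

BITS = 32
MASK = (1 << BITS) - 1

def rotl(x, r):
    return ((x << r) | (x >> (BITS - r))) & MASK

def linear_round(x, rk):
    # Toy round built only from XORs and rotations: affine over GF(2) in the block.
    # An odd number of rotated copies keeps the map invertible (a permutation).
    x ^= rk
    return x ^ rotl(x, 7) ^ rotl(x, 18)

def expand_key(key, rounds):
    # Constructed toy key schedule: one round key per round.
    return [rotl(key, (5 * i) % BITS) ^ i for i in range(rounds)]

def encrypt(key, block, rounds=1000):
    for rk in expand_key(key, rounds):
        block = linear_round(block, rk)
    return block

def learn_affine_map(oracle):
    # Enc_k(m) = A*m XOR b for some matrix A and offset b, whatever the round count.
    # b = Enc_k(0); column i of A = Enc_k(e_i) XOR b. That is BITS + 1 queries.
    offset = oracle(0)
    columns = [oracle(1 << i) ^ offset for i in range(BITS)]
    return offset, columns

def predict(offset, columns, block):
    # Evaluate A*block XOR b without ever touching the key.
    out = offset
    for i in range(BITS):
        if (block >> i) & 1:
            out ^= columns[i]
    return out

def demo(rounds=1000, trials=200):
    key = secrets.randbits(BITS)
    oracle = lambda m: encrypt(key, m, rounds)
    offset, columns = learn_affine_map(oracle)
    samples = [secrets.randbits(BITS) for _ in range(trials)]
    return all(predict(offset, columns, m) == oracle(m) for m in samples)

if __name__ == "__main__":
    print("all ciphertexts predicted without the key:", demo())
```

Raising `rounds` changes nothing about the outcome, which is why practical round functions include a non-linear component.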