"our guys" provides no information about the strength of the cipher as seen by our Opponents.
Increasing Probable Strength and Reducing Possible Loss
Technical strength is just one of the many possibilities for weakness in a cipher system, and perhaps even the least likely. It is surprisingly difficult to construct a cipher system without "holes," despite using good ciphers, and The Opponents get to exploit any overlooked problems. Users must be educated in security, and must actively keep secrets, or there will be nothing to protect. In contrast, cryptanalysis is very expensive, success is never assured, and even many of the known attacks are essentially impossible in practice.
Nevertheless, it is a disturbing fact that we do not know and cannot guarantee a "true" strength for any cipher. But there are approaches which may reduce the probability of technical weakness and the extent of any loss:
1. We can extrapolate various attacks beyond weakness levels actually shown, and thus possibly avoid some weak ciphers.
2. We can use systems that change ciphers periodically. This will reduce the amount of information under any one cipher, and so limit the damage if that cipher is weak.
3. We can use multiple encryption with different keys and different ciphers as our standard mode. In this way, not just one but multiple ciphers must each be penetrated simultaneously to expose the protected data.
4. We can use systems that allow us to stop using ciphers when they are shown weak, and switch to others.
Kinds of Cipher Strength
In general, we can consider a cipher to be a large key-selected transformation between plaintext and ciphertext, with two main types of strength:
One type of "strength" is an inability to extrapolate from known parts of the transformation (e.g., known plaintext) to model or even approximate the transformation at new points of interest (message ciphertexts).
Another type of "strength" is an inability to develop a particular key, given the known cipher and a large number of known transformation points.
Views of Strength
Strength is the effectiveness of fixed defense in the cryptography war. In real war, a strong defense might be a fortification at the top of a mountain which could only be approached on a single long and narrow path. Unfortunately, in real military action, time after time, making assumptions about what the opponent "could not" do turned out to be deadly mistakes. In cryptography we can at least imagine that someday we might prove that all approaches but one are actually impossible, and then guard that last approach; see mathematical cryptography.
The Future of Strength
It is sometimes convenient to see security as a fence around a restricted compound: We can beef up the front gate, and in some way measure that increase in "strength." But none of that matters if someone cuts through elsewhere, or tunnels under, or jumps over. Until we can produce a cipher design which reduces all the possible avenues of attack to exactly one, it will be very difficult to measure "strength."
One possibility might be to construct ciphers in layers of different puzzles: Now, the obvious point of having multiple puzzles is to require multiple solutions before the cipher is broken. But a perhaps less obvious point is to set up the design so that the solution to one puzzle requires The Opponent to commit (in an information sense) in a way that prevents the solution to the next puzzle.
Also see design strength, perfect secrecy, ideal secrecy, and security.
Strict Avalanche Criterion (SAC)
A term used in S-box analysis to describe the contents of an invertible substitution or, equivalently, a block cipher. If we have some input value, and then change one bit in that value, we expect about half the output bits to change; this is the avalanche effect, and is caused by an avalanche process.
The Strict Avalanche Criterion requires that each output bit change with probability one-half (over all possible input starting values). This is stricter than avalanche, since if a particular half of the output bits changed all the time, a strict interpretationist might call that "avalanche." Also see complete.
As introduced in Webster and Tavares:
"If a cryptographic function is to satisfy the strict avalanche criterion, then each output bit should change with a probability of one half whenever a single input bit is complemented." [p.524]
Webster, A. and S. Tavares. 1985. On the Design of S-Boxes. Advances in Cryptology: CRYPTO '85. 523-534.
Although the SAC has tightened the understanding of "avalanche," even SAC can be taken too literally. Consider the scaled-down block cipher model of a small invertible keyed substitution table: Any input bit-change thus selects a different table element, and so produces a random new value (over all possible keys). But when we compare the new value with the old, we find that typically half the bits change, and sometimes all the bits change, but never is there no change at all. This is a tiny bias toward change.
If we have a 2-bit (4-element) table, there are 4 values, but after we take one as the original, there are only 3 changed values, not 4. We will see changes of 1 bit, 1 bit, and 2 bits. But this is a change expectation of 2/3 for each output bit, instead of exactly 1/2 as one might interpret from SAC. Counting the same way for an n-bit invertible table gives 2^(n-1)/(2^n - 1), which is 128/255 for a byte table. Although this bias is clearly size-related, its source is invertibility and the definition of change. Thus, even a large block cipher must have some bias, though it is unlikely that we could measure enough cases to see it. The point is that one can extend some of these definitions well beyond their intended role.
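To make both measurements concrete, here is an added example (written for this page; it is not code from the glossary or from Webster and Tavares) that computes the SAC matrix of a small S-box and the per-bit "change expectation" of the 2-bit argument above. PRESENT_SBOX is the published 4-bit S-box of the PRESENT block cipher, used only as a realistic sample; the seeded random tables stand in for key-selected tables, and all function names are this example's own.

```python
"""Avalanche and SAC measurements on small invertible substitution tables.

Added example for the SAC entry; not code from the glossary.
For an n-bit invertible table it measures:
  (1) the SAC matrix p[i][j] = P(output bit j flips | input bit i is
      complemented), taken over all 2**n inputs, and
  (2) the glossary's "change expectation": the per-output-bit change
      probability when one table element is compared against every
      *other* element, which for an invertible table is 2**(n-1)/(2**n-1)
      rather than 1/2 (2/3 for the 2-bit table, 128/255 for a byte table).
"""
from fractions import Fraction
import random

# Published PRESENT S-box (realistic sample only).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_invertible(sbox, n_bits):
    """True if the table is a permutation of 0..2**n_bits-1."""
    return sorted(sbox) == list(range(1 << n_bits))


def random_sbox(n_bits, seed):
    """A key-selected table for the experiment: the seed plays the key."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table


def sac_matrix(sbox, n_bits):
    """p[i][j]: fraction of inputs for which complementing input bit i
    complements output bit j.  SAC holds exactly when every entry is 1/2."""
    if not is_invertible(sbox, n_bits):
        raise ValueError("table must be invertible")
    size = 1 << n_bits
    p = [[Fraction(0)] * n_bits for _ in range(n_bits)]
    for x in range(size):
        for i in range(n_bits):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(n_bits):
                if (d >> j) & 1:
                    p[i][j] += Fraction(1, size)
    return p


def sac_deviation(sbox, n_bits):
    """Largest |p[i][j] - 1/2|: 0 means the table satisfies SAC exactly,
    1/2 means some output bit always (or never) follows some input bit."""
    return max(abs(v - Fraction(1, 2))
               for row in sac_matrix(sbox, n_bits) for v in row)


def change_expectation(sbox, n_bits):
    """Per-output-bit change probability over all ordered pairs of
    distinct inputs (one element compared against the other 2**n - 1)."""
    size = 1 << n_bits
    changed, slots = 0, 0
    for x in range(size):
        for x2 in range(size):
            if x2 == x:
                continue
            d = sbox[x] ^ sbox[x2]
            assert d != 0          # invertible: distinct inputs never collide
            changed += bin(d).count("1")
            slots += n_bits
    return Fraction(changed, slots)


def predicted_change_expectation(n_bits):
    """Closed form for any invertible n-bit table: each output bit differs
    from a fixed value in 2**(n-1) of the 2**n entries, but only 2**n - 1
    of those entries are 'other' entries."""
    return Fraction(1 << (n_bits - 1), (1 << n_bits) - 1)


if __name__ == "__main__":
    for name, table, n in [("2-bit identity", [0, 1, 2, 3], 2),
                           ("PRESENT", PRESENT_SBOX, 4),
                           ("random 8-bit (seed 7)", random_sbox(8, 7), 8)]:
        print(f"{name}: SAC deviation {sac_deviation(table, n)}, "
              f"change expectation {change_expectation(table, n)} "
              f"(predicted {predicted_change_expectation(n)})")
```

The two measurements answer different questions: sac_matrix() is the Webster and Tavares criterion (single-bit input changes, probability per output bit), while change_expectation() is the glossary's all-pairs comparison, and it is the latter that can never be exactly 1/2 for an invertible table.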
Subjective
In the study of logic, a particular interpretation of reality, rather than objective reality itself.
Substitution
The concept of replacing one symbol with another symbol. This might be as simple as a grade-school lined sheet with the alphabet down the left side, and a substitute listed for each letter. In computer science this might be a simple array of values, any one of which can be selected by indexing from the start of the array. See substitution table.
Cryptography recognizes four types of substitution:
Simple Substitution or Monoalphabetic Substitution,
Homophonic Substitution,
Polyalphabetic Substitution, and
Polygram Substitution.
Substitution-Permutation
A method of constructing block ciphers in which block elements are substituted, and the resulting bits typically transposed or scrambled into a new arrangement. This would be one round of many.
One of the advantages of S-P construction is that the "permutation" stage can be simply a re-arrangement of wires, taking almost no time. Such a stage is more clearly described as a limited set of "transpositions," rather than the more general "permutation" term. Since substitutions are also permutations (albeit with completely different costs and effects), one might fairly describe such a cipher as a "permutation-permutation cipher," which is not particularly helpful.
A disadvantage of the S-P construction is the need for special substitution patterns which support diffusion. S-P ciphers diffuse bit-changes across the block round-by-round; if one of the substitution table output bits does not change, then no change can be conducted to one of the tables in the next round, which has the effect of reducing the complexity of the cipher. Consequently, special tables are required in S-P designs, but even special tables can only reduce and not eliminate the effect. See complete.
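The following toy 16-bit S-P network is an added example (written for this page; it is not code from the glossary or from any real cipher) that lets you watch a single-bit change diffuse round by round and count how many tables of the next round it reaches. It uses the published PRESENT S-box and the 4x4 "transpose" wiring from Heys' SPN tutorial; the round keys, plaintexts and all function names are made up for the demonstration.

```python
"""Toy 16-bit substitution-permutation network.

Added example for the Substitution-Permutation entry; not code from the
glossary.  One round is: XOR a round key, push each nibble through a
4-bit S-box, then move the 16 output bits along fixed wires.  The wiring
is its own inverse and sends the four output bits of any one S-box to
four different S-boxes, so after one round a single-bit input change can
reach at most four output bits, and only the S-box output bits that
actually changed carry the difference into tables of the next round.
"""

# Published PRESENT S-box (realistic sample only) and its inverse.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
BLOCK_BITS = 16
# Bit i of the S-box layer output is wired to position PERM[i] (4x4 transpose).
PERM = [4 * (i % 4) + i // 4 for i in range(BLOCK_BITS)]
# Made-up round keys: four rounds plus a final whitening key.
KEYS = [0x3A94, 0xD1C7, 0x8E5B, 0x6F02, 0xA7C3]


def sub_layer(x, table=SBOX):
    """Apply the 4-bit table to each of the four nibbles."""
    out = 0
    for nib in range(4):
        out |= table[(x >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def perm_layer(x):
    """Re-arrange wires; PERM is an involution, so this is its own inverse."""
    out = 0
    for i in range(BLOCK_BITS):
        if (x >> i) & 1:
            out |= 1 << PERM[i]
    return out


def encrypt(x, keys=KEYS, rounds=None):
    """`rounds` full rounds (key, S, P) followed by key whitening.
    A smaller `rounds` lets us inspect the state after fewer rounds."""
    if rounds is None:
        rounds = len(keys) - 1
    for r in range(rounds):
        x = perm_layer(sub_layer(x ^ keys[r]))
    return x ^ keys[rounds]


def decrypt(y, keys=KEYS, rounds=None):
    """Undo encrypt(): strip whitening, then invert each round in reverse."""
    if rounds is None:
        rounds = len(keys) - 1
    y ^= keys[rounds]
    for r in reversed(range(rounds)):
        y = sub_layer(perm_layer(y), INV_SBOX) ^ keys[r]
    return y


def active_sboxes(diff):
    """Number of S-boxes (nibbles) that a block difference would enter."""
    return sum(1 for nib in range(4) if (diff >> (4 * nib)) & 0xF)


def diffusion_profile(x, keys=KEYS, max_rounds=4):
    """For rounds = 1..max_rounds, over all 16 single-bit flips of x:
    ((min, max) changed ciphertext bits, (min, max) S-boxes the
    difference would enter in the following round)."""
    profile = []
    for rounds in range(1, max_rounds + 1):
        base = encrypt(x, keys, rounds)
        diffs = [base ^ encrypt(x ^ (1 << b), keys, rounds)
                 for b in range(BLOCK_BITS)]
        weights = [bin(d).count("1") for d in diffs]
        active = [active_sboxes(d) for d in diffs]
        profile.append(((min(weights), max(weights)),
                        (min(active), max(active))))
    return profile


if __name__ == "__main__":
    pt = 0x1234
    ct = encrypt(pt)
    print(f"pt {pt:04x} -> ct {ct:04x} -> {decrypt(ct):04x}")
    for r, (bits, boxes) in enumerate(diffusion_profile(pt), start=1):
        print(f"after {r} round(s): changed bits {bits}, active S-boxes {boxes}")
```

After one round the "changed bits" and "active S-boxes" ranges coincide and are bounded by 4: a one-bit difference can only enter one S-box, and each bit that S-box changes is wired to a different table in the next round, which is exactly why the table's own avalanche quality limits how fast the cipher diffuses.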
Substitution Table
(Also S-box.) A linear array of values, indexed by position, which includes any value at most once. In cryptographic service, we normally use binary-power invertible tables with the same input and output range. For example, a byte-substitution table will have 256 elements, and will contain each of the values 0..255 exactly once. Any value 0..255 into that table will select some element for output which will also be in the range 0..255.
For the same range of input and output values, two invertible substitution tables differ only in the order or permutation of the values in the table. There are 256 factorial different byte-substitution tables, which is a keyspace of about 1684 bits (log2 of 256!).
A keyed simple substitution table of sufficient size is the ideal block cipher. Unfortunately, with 128-bit blocks being the modern minimum for strength, there would be 2^128 entries in that table, which is completely out of the question.
A keyed substitution table of practical size can only be thought of as a weak block cipher by itself, but it can be part of a combination of components which produce a stronger cipher. And since an invertible substitution table is the ideal tiny block cipher, it can be used for direct experimental comparison to a scalable block cipher of that same tiny size.
Superencryption
Usually the outer-level encryption of a multiple encryption. Often relatively weak, relying upon the text randomization effect of the lower-level encryption.
Surjective
Onto. A mapping f: X -> Y where f(x) covers all elements in Y. Not necessarily invertible, since multiple elements x in X could produce the same f(x) in Y.
Switch
Classically, an electro-mechanical device which physically presses two conductors together at a contact point, thus "making" a circuit, and also pulls the conductors apart, thus allowing air to insulate them and thus "breaking" the circuit. More generally, something which exhibits a significant change in some parameter between "ON" and "OFF."
Switching Function
A logic function.
Symmetric Cipher
A secret key cipher.
Symmetric Group
The symmetric group is the set of all one-to-one mappings from a set onto itself: the collection of all permutations of some set.
Suppose we consider a block cipher to be a key-selected permutation of the block values: One question of interest is whether our cipher construction could, if necessary, reach every possible permutation, the symmetric group.
System
An interconnecting network of components which coordinate to perform a larger function. Also a system of ideas. See system design.
System Design
The design of potentially complex systems.