Confusion and diffusion

from Wikipedia

In cryptography, confusion and diffusion are two properties of a secure cipher identified by Claude Shannon in his 1945 classified report A Mathematical Theory of Cryptography.[1] These properties, when present, work together to thwart the application of statistics, and other methods of cryptanalysis.

Confusion in a symmetric cipher is obscuring the local correlation between the input (plaintext), and output (ciphertext) by varying the application of the key to the data, while diffusion is hiding the plaintext statistics by spreading it over a larger area of ciphertext.[2] Although ciphers can be confusion-only (substitution cipher, one-time pad) or diffusion-only (transposition cipher), any "reasonable" block cipher uses both confusion and diffusion.[2] These concepts are also important in the design of cryptographic hash functions, and pseudorandom number generators, where decorrelation of the generated values is the main feature. Diffusion (and its avalanche effect) is also applicable to non-cryptographic hash functions.

Definition

Confusion

Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.[3]

The property of confusion hides the relationship between the ciphertext and the key.

This property makes it difficult to find the key from the ciphertext, and if a single bit of the key is changed, most or all of the bits in the ciphertext will be affected.

Confusion increases the ambiguity of ciphertext and it is used by both block and stream ciphers.

In substitution–permutation networks, confusion is provided by substitution boxes.[4]

Diffusion

Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then about half of the plaintext bits should change.[5] This is equivalent to the expectation that encryption schemes exhibit an avalanche effect.

The purpose of diffusion is to hide the statistical relationship between the ciphertext and the plain text. For example, diffusion ensures that any patterns in the plaintext, such as redundant bits, are not apparent in the ciphertext.[3] Block ciphers achieve this by "diffusing" the information about the plaintext's structure across the rows and columns of the cipher.

In substitution–permutation networks, diffusion is provided by permutation boxes (a.k.a. the permutation layer[4]). By the beginning of the 21st century a consensus had emerged among designers that the permutation layer should consist of linear Boolean functions, although nonlinear functions can be used too.[4]

Theory

In Shannon's original definitions, confusion refers to making the relationship between the ciphertext and the symmetric key as complex and involved as possible; diffusion refers to dissipating the statistical structure of plaintext over the bulk of ciphertext. This complexity is generally implemented through a well-defined and repeatable series of substitutions and permutations. Substitution refers to the replacement of certain components (usually bits) with other components, following certain rules. Permutation refers to manipulation of the order of bits according to some algorithm. To be effective, any non-uniformity of plaintext bits needs to be redistributed across much larger structures in the ciphertext, making that non-uniformity much harder to detect.

In particular, for a randomly chosen input, if one flips the i-th bit, then the probability that the j-th output bit will change should be one half, for any i and j—this is termed the strict avalanche criterion. More generally, one may require that flipping a fixed set of bits should change each output bit with probability one half.

One aim of confusion is to make it very hard to find the key even if one has a large number of plaintext-ciphertext pairs produced with the same key. Therefore, each bit of the ciphertext should depend on the entire key, and in different ways on different bits of the key. In particular, changing one bit of the key should change the ciphertext completely.

Practical applications

Design of a modern block cipher uses both confusion and diffusion,[2] with confusion changing data between the input and the output by applying a key-dependent non-linear transformation (linear calculations are easier to reverse and thus are easier to break).

Confusion inevitably involves some diffusion,[6] so a design with a very wide-input S-box can provide the necessary diffusion properties,[citation needed] but will be very costly in implementation. Therefore, the practical ciphers utilize relatively small S-boxes, operating on small groups of bits ("bundles"[7]). For example, the design of AES has 8-bit S-boxes, Serpent − 4-bit, BaseKing and 3-way − 3-bit.[8] Small S-boxes provide almost no diffusion, so the resources are spent on simpler diffusion transformations.[6] For example, the wide trail strategy popularized by the Rijndael design, involves a linear mixing transformation that provides high diffusion,[9] although the security proofs do not depend on the diffusion layer being linear.[10]

One of the most researched cipher structures uses the substitution-permutation network (SPN) where each round includes a layer of local nonlinear permutations (S-boxes) for confusion and a linear diffusion transformation (usually a multiplication by a matrix over a finite field).[11] Modern block ciphers mostly follow the confusion layer/diffusion layer model, with the efficiency of the diffusion layer estimated using the so-called branch number, a numerical parameter that can reach the value for s input bundles for the perfect diffusion transformation.[12] Since the transformations that have high branch numbers (and thus require a lot of bundles as inputs) are costly in implementation, the diffusion layer is sometimes (for example, in the AES) composed from two sublayers, "local diffusion" that processes subsets of the bundles in a bricklayer fashion (each subset is transformed independently) and "dispersion" that makes the bits that were "close" (within one subset of bundles) to become "distant" (spread to different subsets and thus be locally diffused within these new subsets on the next round).[13]

Analysis of AES

The Advanced Encryption Standard (AES) has both excellent confusion and diffusion. Its confusion look-up tables are very non-linear and good at destroying patterns.[14] Its diffusion stage spreads every part of the input to every part of the output: changing one bit of input changes half the output bits on average. Both confusion and diffusion are repeated multiple times for each input to increase the amount of scrambling. The secret key is mixed in at every stage so that an attacker cannot precalculate what the cipher does.

None of this happens when a simple one-stage scramble is based on a key. Input patterns would flow straight through to the output. It might look random to the eye but analysis would find obvious patterns and the cipher could be broken.

from Grokipedia
Confusion and diffusion are two core principles in cryptography, introduced by Claude Shannon in 1949 to characterize the mechanisms that render encryption systems secure against cryptanalytic attacks. Confusion refers to the obfuscation of the statistical relationship between the plaintext and the key, making it difficult for an adversary to infer the key from observed ciphertext statistics, while diffusion involves dissipating the redundancy inherent in the plaintext across the ciphertext, thereby spreading the influence of individual plaintext elements over multiple ciphertext components.[1] These properties ensure that even small changes in the plaintext or key result in significant, unpredictable alterations to the ciphertext, thwarting statistical and pattern-based attacks. Shannon defined confusion as a method to render "the relation between the simple statistics of [plaintext] and the simple description of [key] a very complex and involved one," achieved through nonlinear transformations that complicate direct mappings.[1] Diffusion, in contrast, dissipates "the statistical structure of [plaintext] which leads to its redundancy... into long range statistics—i.e., into statistical structure involving long combinations of letters in the cryptogram," typically via linear mixing operations that propagate influences across the entire message block.[1] Together, these principles form the basis of the confusion-diffusion paradigm, which posits that strong ciphers must balance both to achieve perfect secrecy, where the ciphertext provides no information about the plaintext without the key. 
In practice, confusion and diffusion are implemented through substitution-permutation networks (SPNs), where substitution boxes (S-boxes) provide nonlinear confusion by replacing input values with outputs that defy simple linear relationships, and permutation layers ensure diffusion by rearranging and mixing data to spread dependencies.[2] The Advanced Encryption Standard (AES), standardized by NIST in 2001, exemplifies this approach: its SubBytes step introduces confusion via a nonlinear S-box based on finite field inversions in GF(2^8), while ShiftRows and MixColumns operations deliver diffusion through row permutations and column-wise linear transformations that cause each plaintext bit to influence multiple ciphertext bits across multiple rounds.[3][2] This iterative application over 10, 12, or 14 rounds (depending on key length) amplifies the avalanche effect, where a single bit flip in the input alters approximately half the output bits, enhancing resistance to differential and linear cryptanalysis.

Origins and Historical Development

Claude Shannon's Introduction

Claude Shannon introduced the concepts of confusion and diffusion in his seminal 1949 paper "Communication Theory of Secrecy Systems," published in the Bell System Technical Journal.[1] This work, originally stemming from a classified report Shannon prepared during World War II at Bell Laboratories, applied principles of information theory to analyze the security of secrecy systems.[1] Shannon's framework aimed to quantify the strength of ciphers against cryptanalytic attacks by modeling them as communication channels where the goal is to ensure that ciphertext reveals no useful information about the plaintext without knowledge of the key.[1]

Confusion, as defined by Shannon, refers to the obfuscation of the relationship between the key and the ciphertext statistics, making it difficult for an adversary to infer the key from observed cryptograms.[1] Specifically, he described confusion as a method to render the connection between simple statistics of the cryptogram and a straightforward description of the key highly complex and involved.[1] This property thwarts attempts at key recovery by ensuring that even if patterns in the ciphertext are detected, they do not directly map to key elements.[1]

Diffusion, in contrast, addresses the dissemination of the plaintext's statistical structure throughout the ciphertext to eliminate detectable redundancies.[1] Shannon explained that diffusion dissipates the statistical dependencies in the plaintext—such as those arising from language redundancy—into long-range correlations involving extended sequences of ciphertext symbols.[1] By spreading the influence of each plaintext element across the entire output, diffusion requires an attacker to intercept and analyze vast amounts of ciphertext to uncover any underlying patterns.[1]

In an ideal secrecy system, Shannon advocated for a design where each ciphertext symbol depends in a complex manner on every plaintext symbol and every key bit, combining confusion and diffusion to approximate perfect secrecy.[1] He noted that such involvement of the full message and key in producing each cryptogram element maximizes security by complicating both statistical and probable-word attacks.[1] This principle underpins his broader theory, where perfect secrecy ensures the ciphertext provides no information about the plaintext beyond its length.[1]

Evolution in Cryptographic Design

Following Claude Shannon's foundational concepts of confusion and diffusion introduced in 1949, these principles began influencing practical cryptographic designs in the 1970s through IBM's development of the Lucifer block cipher. Lucifer, detailed in a 1971 IBM research report, employed substitution boxes (S-boxes) to provide nonlinear confusion by obscuring the relationship between plaintext and key inputs, while fixed permutations served as diffusion layers to spread statistical dependencies across the ciphertext.[4] This structure marked an early application of product ciphers, where alternating substitution and permutation operations aimed to achieve Shannon's goals in a 128-bit block with variable key sizes up to 128 bits.[4]

The principles evolved further with the Data Encryption Standard (DES), adopted by the National Bureau of Standards (NBS, now NIST) in 1977 as Federal Information Processing Standard (FIPS) 46. DES modified Lucifer by reducing the key size to 56 bits and implementing a Feistel network structure across 16 rounds, which balanced confusion via eight S-boxes in the round function and diffusion through half-block swaps and expansion permutations, avoiding the need for full block-wide permutations in each round. The Feistel design, pioneered in Lucifer, ensured invertibility for decryption while propagating changes from a single bit across the entire block over multiple rounds, enhancing overall security without requiring complex full permutations.[5]

By the 1990s, cryptographic designers shifted toward substitution-permutation networks (SPNs) for more efficient and provably secure diffusion, particularly in response to emerging analytical threats. SPNs, building on Shannon's original substitution-permutation idea but refined for modern hardware, featured iterative layers of parallel S-boxes for confusion followed by linear diffusion transformations like bit permutations or matrix multiplications, allowing better resistance to attacks through optimized branch numbers and uniform diffusion. This evolution culminated in the AES selection process, where NIST chose the Rijndael algorithm in 2000 after evaluating 15 candidates, praising its SPN structure for achieving strong confusion via byte-oriented S-boxes and efficient diffusion through ShiftRows and MixColumns operations.[6]

These advancements proved crucial in resisting early cryptanalytic attacks developed in the 1980s and 1990s. Differential cryptanalysis, introduced by Biham and Shamir in 1990, exploited probabilistic differences in inputs to target DES-like ciphers, but DES's S-boxes and Feistel-induced diffusion limited full breaks to impractical complexities exceeding 2^47 chosen plaintexts. Similarly, linear cryptanalysis by Matsui in 1993 approximated linear relations between plaintext, ciphertext, and keys, yet DES's nonlinear confusion and multi-round diffusion required 2^43 known plaintexts for a practical attack, validating the principles' role in elevating security margins.[7] SPN designs in later ciphers like Rijndael further strengthened these defenses by incorporating provable bounds against both attacks.

Core Principles

Confusion

Confusion, as introduced by Claude Shannon in his seminal 1949 paper "Communication Theory of Secrecy Systems," refers to the cryptographic principle of complicating the statistical relationship between the key and the ciphertext to thwart analysis by adversaries. Shannon described it as a method to "make the relation between the simple statistics of [the cryptogram] and the simple description of [the key] a very complex and involved one," thereby limiting the effectiveness of statistical cryptanalytic techniques.[1]

In practice, confusion is achieved through non-linear transformations that obscure the direct mapping between key bits and ciphertext bits, ensuring that a small change in the key results in a drastic and unpredictable alteration in the ciphertext, which complicates key recovery efforts. These transformations are typically implemented using substitution boxes (S-boxes), which are look-up tables that map a fixed-size input block of bits to an output block in a non-linear manner, resisting predictable linear approximations.[8] A prominent example is the 8-bit S-box employed in the Advanced Encryption Standard (AES), where each byte of the state undergoes substitution via a table derived from the multiplicative inverse in the finite field GF(2^8) followed by an affine transformation, providing essential non-linearity to the cipher. This design ensures that the S-box has high nonlinearity, measured by the maximum bias in linear approximations being low, thereby enhancing resistance to linear cryptanalysis.[8][9]

The importance of confusion lies in its role in preventing attacks such as known-plaintext attacks by rendering statistical correlations between the key and ciphertext highly complex and non-intuitive, making it exceedingly difficult for an attacker to deduce the key from observed plaintext-ciphertext pairs. When combined with diffusion, confusion contributes to the overall security of block ciphers by jointly obscuring both key and plaintext influences on the output.[1]

Diffusion

Diffusion is a fundamental principle in cryptography that disperses the statistical structure of the plaintext across the ciphertext, ensuring that the output appears randomized and independent of the input statistics. Introduced by Claude Shannon, diffusion aims to make the ciphertext statistics independent of the plaintext by spreading the influence of individual plaintext bits over many ciphertext bits, thereby frustrating attempts at statistical analysis. This randomization effect is crucial for hiding patterns and preventing cryptanalysts from exploiting partial knowledge of the plaintext to recover more information.[1]

In practice, diffusion is achieved through linear transformations that redistribute the influence of input bits across the output. Common mechanisms include bit permutations, which rearrange bits to spread dependencies; matrix multiplications over finite fields, which mix groups of bits; and operations like row shifts in cipher structures. These linear layers operate on the entire block or state, propagating changes from one part of the input to multiple parts of the output, often in combination with multiple rounds to achieve full diffusion. For instance, in substitution-permutation networks, permutation steps provide the linear mixing needed to ensure that after a few rounds, every output bit depends on every input bit.[10]

A prominent example of diffusion in action is the MixColumns transformation in the Advanced Encryption Standard (AES). This step operates on the 4x4 byte array representing the cipher state, treating each column as a polynomial over the finite field GF(2^8). It multiplies the column by a fixed polynomial {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1, effectively mixing the four bytes of each column such that each output byte is a linear combination of all four input bytes. This byte-level diffusion ensures that a single bit change in the input affects all four output bytes in the column, contributing to the overall avalanche effect across the 128-bit block after multiple rounds.[8]

The importance of diffusion lies in its ability to avert pattern detection in the ciphertext, particularly when an adversary has knowledge of portions of the plaintext. By making local changes in the input produce widespread, unpredictable alterations in the output, diffusion prevents linear or differential attacks that rely on predictable relationships between plaintext and ciphertext. In Shannon's original intent, this principle complements confusion by ensuring that even if some key information is guessed, the dispersed plaintext statistics remain obscured, requiring an impractically large amount of ciphertext to reveal underlying patterns.[1]

Theoretical Foundations

Mathematical Models of Security

Claude Shannon introduced an entropy-based model for secrecy systems in which confusion and diffusion play central roles in achieving cryptographic security. In this framework, confusion operates by complicating the relationship between the key and the ciphertext, thereby increasing the contribution of key entropy to the overall uncertainty of the ciphertext; specifically, given the key, the ciphertext's entropy $ H(C|K) $ should approach the plaintext's entropy $ H(P) $, making it difficult to discern key influences without the key. Diffusion, conversely, ensures that the statistical structure of the plaintext is dispersed across the ciphertext, such that changes in the plaintext propagate broadly, with the entropy of the ciphertext $ H(C) $ ideally equaling the sum of plaintext and key entropies $ H(P) + H(K) $ under perfect conditions. This model, grounded in information theory, posits that a secure system maximizes ciphertext unpredictability while minimizing leakage of plaintext information.

The perfect diffusion model represents an ideal scenario where each output bit of the cipher depends equally on all input bits, ensuring complete mixing and resistance to partial analysis. This uniformity implies that no subset of input bits disproportionately influences the output, promoting balanced propagation of information across the entire block. A key quantitative measure of diffusion uniformity is the strict avalanche criterion, which requires that flipping a single input bit causes each output bit to flip with probability exactly 1/2, formally expressed as

$$ \Pr[\Delta y_j = 1 \mid \Delta x_i = 1] = \frac{1}{2} $$

for all input bits $ i $ and output bits $ j $, where $ \Delta $ denotes the difference between two ciphertexts derived from inputs differing only in that bit. This criterion captures the desired avalanche effect, where local changes yield globally random-like alterations in the output.

From an information-theoretic perspective, the combined application of confusion and diffusion minimizes the mutual information $ I(P; C) $ between plaintext $ P $ and ciphertext $ C $, ideally approaching zero for perfect secrecy, as any residual correlation would allow statistical inference of the plaintext from the ciphertext. Shannon's analysis shows that effective confusion obscures key-ciphertext dependencies, while diffusion flattens plaintext influences, jointly reducing $ I(P; C) $ to negligible levels even for non-uniform sources. However, these models assume infinite key lengths to achieve perfect secrecy, where key entropy must at least match message length; in practical finite-key systems, approximations introduce minor information leakage, necessitating iterative rounds to approach theoretical bounds.

Key Criteria and Metrics

Evaluating the effectiveness of confusion and diffusion in cryptographic designs requires quantitative metrics that extend Shannon's foundational qualitative principles of making ciphertext dependent on plaintext and key in a complex manner. The strict avalanche criterion (SAC) serves as a key metric for both confusion and diffusion components. For confusion, typically implemented via substitution boxes (S-boxes), SAC stipulates that flipping a single input bit (simulating a key bit change) should cause each output bit to flip with probability exactly 1/2, ensuring balanced sensitivity to key variations. Similarly, for diffusion, SAC applies to plaintext bits: a single plaintext bit flip must invert each output bit with probability 1/2, promoting rapid spreading of changes across the output. This criterion is tested by computing the avalanche effect over all possible single-bit inputs, where ideal adherence yields a dependency matrix with entries close to 0.5.

The bit independence criterion (BIC) complements SAC by assessing the independence of output bit changes. BIC requires that when a single input bit is flipped, the resulting flips in any pair of output bits occur independently, with their joint probability approximating 1/4 for each combination (00, 01, 10, 11). For an S-box or diffusion layer, BIC is evaluated by examining the correlation between pairs of output bits across all input pairs differing in one bit; low pairwise correlations (near zero) indicate strong bit independence, resisting attacks that exploit output dependencies.

For diffusion layers, often linear transformations like MixColumns, the branch number quantifies the minimum diffusion achieved. Defined for a linear transformation $ F: \mathbb{F}_{2^m}^n \to \mathbb{F}_{2^m}^n $ as

$$ B(F) = \min_{\mathbf{x} \neq \mathbf{0}} \left( w(\mathbf{x}) + w(F(\mathbf{x})) \right), $$

where $ w(\cdot) $ denotes the number of nonzero coordinates (Hamming weight over the vector), the branch number measures how input differences spread to outputs. The maximum possible branch number is $ n+1 $, achieved by maximum distance separable (MDS) codes, ensuring at least $ B-1 $ active S-boxes in multi-round differentials or linear trails, thus bounding attack complexities.

In confusion components, particularly S-boxes, nonlinearity measures the deviation from linear functions, crucial for resisting linear cryptanalysis. The nonlinearity $ \mathrm{NL}(f) $ of an $ n $-bit Boolean function $ f $ is the minimum Hamming distance to any affine function, equivalently

$$ \mathrm{NL}(f) = 2^{n-1} - \frac{1}{2} \max_{\mathbf{u}, v} \left| \sum_{\mathbf{x}} (-1)^{f(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x} + v} \right|, $$

where the maximum is over input masks $ \mathbf{u} $ and constant $ v $, derived from the Walsh transform.[11] High nonlinearity (approaching the Nyberg bound of $ 2^{n-1} - 2^{n/2-1} $ for even $ n $) ensures low correlations in linear approximations, with optimal S-boxes achieving at least 8 for 4-bit inputs.[11]

Testing these properties involves correlation tests for linear approximations in confusion components. The linear approximation table (LAT) for an S-box tabulates the correlation $ c(\alpha, \beta) = \left| \frac{1}{2^k} \sum_{\mathbf{x}} (-1)^{\beta \cdot S(\mathbf{x}) + \alpha \cdot \mathbf{x}} \right| $ for input mask $ \alpha $ and output mask $ \beta $, over all $ 2^k $ inputs, where low maximum entries (e.g., $ \leq 0.25 $ for 4-bit S-boxes) confirm resistance to linear attacks. These tests, applied iteratively over cipher rounds, estimate the overall bias, with deviations from zero indicating exploitable approximations.
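The three metrics defined above (nonlinearity via the Walsh transform, the largest LAT entry, and the branch number), computed for the AES components, as an added example written for this page; it is not code from FIPS 197, from the Rijndael designers or from the page's sources. It also exercises the MixColumns behaviour described in the Diffusion section (one changed input byte touches all four output bytes) and reproduces the figures the AES analysis below quotes (nonlinearity 112, maximum correlation 2^-3, branch number 5). The only AES-specific inputs are the field polynomial, the S-box construction (inverse in GF(2^8) then the affine map with constant 0x63) and the MixColumns matrix; the byte-rotation matrix used for contrast and every function name are this example's own.

```python
"""Nonlinearity, largest LAT entry and branch number for the AES S-box and
MixColumns.  Added example; only POLY, the S-box construction and MIXCOLUMNS
are AES's own, everything else is constructed here."""
from itertools import combinations, product

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); for a = 0 this yields 0, as AES requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def aes_sbox():
    """Inverse in GF(2^8), then the affine map s ^ rotl(s,1..4) ^ 0x63."""
    box = []
    for a in range(256):
        s, out = gf_inv(a), 0x63
        for shift in range(5):
            out ^= ((s << shift) | (s >> (8 - shift))) & 0xFF
        box.append(out)
    return box


SBOX = aes_sbox()


def walsh_spectrum(truth):
    """Fast Walsh-Hadamard transform of a +-1 truth table (length 2^n)."""
    a, h = list(truth), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a


def max_abs_walsh(sbox, n):
    """max |sum_x (-1)^(beta.S(x) + alpha.x)| over all alpha and nonzero beta."""
    best = 0
    for beta in range(1, 1 << n):
        truth = [1 - 2 * (bin(beta & sbox[x]).count("1") & 1) for x in range(1 << n)]
        best = max(best, max(abs(w) for w in walsh_spectrum(truth)))
    return best


def nonlinearity(sbox, n):
    """NL = 2^(n-1) - max|W|/2: distance to the nearest affine function."""
    return (1 << (n - 1)) - max_abs_walsh(sbox, n) // 2


def max_lat_correlation(sbox, n):
    """Largest LAT entry |c(alpha, beta)| = max|W| / 2^n."""
    return max_abs_walsh(sbox, n) / (1 << n)


MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# Constructed contrast case: a byte rotation (ShiftRows-style transposition)
# moves bytes but mixes nothing, so its branch number is the minimum, 2.
BYTE_ROTATE = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [1, 0, 0, 0]]


def linear_map(matrix):
    """Return f(x) = matrix * x over GF(2^8), multiplication tables precomputed."""
    tables = [[[gf_mul(c, v) for v in range(256)] for c in row] for row in matrix]

    def f(x):
        return [sum_xor(t[v] for t, v in zip(row, x)) for row in tables]

    return f


def sum_xor(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


MIX_COLUMN = linear_map(MIXCOLUMNS)


def branch_number(matrix):
    """B = min over nonzero x of w(x) + w(Mx), w = number of nonzero bytes.
    Scaling x by a nonzero field element changes neither weight, so the first
    nonzero byte is fixed to 1.  With M invertible (assumed), a weight-k input
    has sum >= k+1, so once weight k reaches k+1 heavier inputs cannot do
    better, and full-weight inputs (sum >= n+1, the cap on B) are never scanned."""
    n, f, best = len(matrix), linear_map(matrix), len(matrix) + 1
    for k in range(1, n):
        for pos in combinations(range(n), k):
            for rest in product(range(1, 256), repeat=k - 1):
                x = [0] * n
                for p, v in zip(pos, (1,) + rest):
                    x[p] = v
                best = min(best, k + sum(1 for y in f(x) if y))
        if best == k + 1:
            break
    return best
```

`nonlinearity(SBOX, 8)` gives 112 and `max_lat_correlation(SBOX, 8)` gives 0.125 (that is 2^-3), `branch_number(MIXCOLUMNS)` gives 5 (the MDS maximum for four bundles) while `branch_number(BYTE_ROTATE)` gives 2, and `MIX_COLUMN([1, 0, 0, 0])` is `[2, 1, 1, 3]`, so a one-byte difference becomes a four-byte difference after one MixColumns.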

Implementations in Block Ciphers

Substitution-Permutation Networks

Substitution-permutation networks (SPNs) implement confusion and diffusion in block ciphers through a series of alternating substitution and permutation layers organized into multiple rounds. The basic structure involves processing the input block via nonlinear substitutions for confusion followed by linear permutations for diffusion, with round-specific keys incorporated to vary the transformation across rounds. This design directly realizes Claude Shannon's principles by localizing nonlinear mixing in substitutions while spreading effects globally through permutations.[12]

In operation, the substitution layer (S-layer) divides the state into parallel small blocks, each replaced by a nonlinear S-box to obscure statistical relationships between input and output, thereby providing confusion. The following permutation layer (P-layer) then applies a bijective linear transformation, such as bit-level rearrangements, cyclic shifts, or affine mappings over finite fields, to redistribute and diffuse the substitution outputs across the entire block. Round keys are typically XORed with the state prior to the S-layer to ensure key-dependent variations in each round's confusion. Multiple such rounds, often 8 to 16, are iterated to achieve full diffusion where a single input bit change influences all output bits.[13][14][12]

SPNs exhibit advantages in security analysis due to their provable diffusion properties, particularly when the P-layer employs transformations with a high branch number, defined as the minimum Hamming weight sum of an input difference and its image under the linear map. This branch number resists differential cryptanalysis by guaranteeing that active differences engage a minimum number of S-boxes per round, bounding the probability of high-probability differentials. Well-constructed SPNs also meet the strict avalanche criterion, ensuring that flipping one input bit alters each output bit with probability 1/2 independently.[14][12]

Key design considerations include selecting the number of rounds sufficient for complete diffusion, typically 8 to 16 depending on block size and S-box strength, and developing a key schedule that generates distinct subkeys for each round to prevent related-key attacks and maintain per-round confusion. Examples of ciphers employing SPN architectures include Twofish, which uses 16 rounds with key-dependent S-boxes, and Serpent, featuring 32 rounds for enhanced security margins.[15][16]
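The round structure just described, together with the strict avalanche criterion from the Theory and Mathematical Models sections, the SAC dependency matrix from Key Criteria and Metrics, and the confusion-only and diffusion-only ciphers mentioned in the Wikipedia lead, as one added example. This is not code from the page or from any cipher it cites: the S-box is PRESENT's published 4-bit S-box, but the 16-bit block, the bit permutation (output bit j of S-box i becomes input bit i of S-box j), the rotate-by-3 key schedule and all function names are constructed here. `sac_matrix` estimates, over random blocks and keys, how often flipping input bit i flips output bit j, and also reports the most output bits any single flip changed; the `use_sbox` and `use_perm` switches remove one layer to give the substitution-only and transposition-only variants.

```python
"""Toy 16-bit SPN with an empirical strict-avalanche measurement.
Added example; only the S-box (PRESENT's) is a published component."""
import random

BLOCK_BITS = 16
# PRESENT's 4-bit S-box, used here as the confusion layer.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed bit permutation: output bit j of S-box i becomes input bit i of
# S-box j, so one S-box's four output bits reach four different S-boxes.
PERM = [4 * (i % 4) + i // 4 for i in range(BLOCK_BITS)]


def sub_layer(state):
    """Confusion: every nibble through the S-box independently."""
    out = 0
    for nib in range(4):
        out |= SBOX[(state >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def perm_layer(state):
    """Diffusion: move bit i to position PERM[i]."""
    out = 0
    for i in range(BLOCK_BITS):
        if (state >> i) & 1:
            out |= 1 << PERM[i]
    return out


def round_keys(master, rounds):
    """Constructed toy key schedule: rotate the 16-bit master key by 3 per round."""
    keys, k = [], master & 0xFFFF
    for _ in range(rounds + 1):
        keys.append(k)
        k = ((k << 3) | (k >> 13)) & 0xFFFF
    return keys


def encrypt(block, master, rounds, use_sbox=True, use_perm=True):
    """Key-add, S-layer, P-layer per round, then a final key-add.  Dropping a
    layer gives the substitution-only or the transposition-only cipher."""
    keys, state = round_keys(master, rounds), block & 0xFFFF
    for r in range(rounds):
        state ^= keys[r]
        if use_sbox:
            state = sub_layer(state)
        if use_perm:
            state = perm_layer(state)
    return state ^ keys[rounds]


def sac_matrix(rounds, use_sbox=True, use_perm=True, samples=300, seed=1):
    """Estimate the SAC dependency matrix: M[i][j] is the fraction of random
    (block, key) samples in which flipping input bit i flipped output bit j
    (ideal: 0.5 everywhere).  Also returns the most output bits any single
    input-bit flip changed."""
    rng = random.Random(seed)
    counts = [[0] * BLOCK_BITS for _ in range(BLOCK_BITS)]
    worst = 0
    for _ in range(samples):
        x, key = rng.getrandbits(16), rng.getrandbits(16)
        y = encrypt(x, key, rounds, use_sbox, use_perm)
        for i in range(BLOCK_BITS):
            diff = y ^ encrypt(x ^ (1 << i), key, rounds, use_sbox, use_perm)
            worst = max(worst, bin(diff).count("1"))
            for j in range(BLOCK_BITS):
                counts[i][j] += (diff >> j) & 1
    return [[c / samples for c in row] for row in counts], worst


def mean_flip_fraction(matrix):
    """Average dependency-matrix entry: the avalanche ratio (ideal 0.5)."""
    return sum(map(sum, matrix)) / (BLOCK_BITS * BLOCK_BITS)


if __name__ == "__main__":
    for rounds in (1, 2, 4):
        m, worst = sac_matrix(rounds)
        print(f"{rounds} round(s): mean flip fraction {mean_flip_fraction(m):.3f}, worst {worst} bits")
```

With four rounds the mean matrix entry sits near 0.5. With a single round, or with the permutation removed, no input flip can reach more than the four output bits of one S-box, and with the S-box removed each input flip moves exactly one output bit: the "patterns flow straight through" failure the AES analysis above describes, made measurable.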

AES Analysis

The Advanced Encryption Standard (AES), standardized as FIPS 197, is based on the Rijndael block cipher developed by Joan Daemen and Vincent Rijmen, which was selected by the National Institute of Standards and Technology (NIST) in 2001 following a public competition.[17][8] AES operates on 128-bit blocks with variable key lengths of 128, 192, or 256 bits, employing a substitution-permutation network architecture to balance confusion and diffusion across multiple rounds.[8] This design ensures that small changes in the plaintext or key propagate extensively, providing robust security against common cryptanalytic attacks.[18]

Confusion in AES is primarily achieved through the SubBytes transformation, which applies an 8×8 substitution box (S-box) to each byte of the state array. The S-box is constructed via inversion in the finite field GF(2^8) followed by an affine transformation, yielding a highly nonlinear mapping with a nonlinearity score of 112, which resists linear approximations effectively.[18] This nonlinearity ensures that the relationship between input and output bits is complex and unpredictable, frustrating attempts to approximate the cipher with linear equations. Additionally, the AddRoundKey step XORs the state with a round-specific subkey, introducing key-dependent confusion at each round to further obscure statistical patterns.[8]

Diffusion is realized through the ShiftRows and MixColumns operations, which redistribute and mix byte values across the state. ShiftRows cyclically shifts the rows of the 4×4 byte state array by 0, 1, 2, and 3 positions respectively, providing transposition-based diffusion that spreads changes horizontally without altering byte values.[8] MixColumns then treats each column as a polynomial over GF(2^8) and multiplies it by a fixed polynomial (03x^3 + 01x^2 + 01x + 02), achieving linear diffusion with a branch number of 5; this guarantees that any nonzero input difference affects at least five output bytes, ensuring rapid avalanche effects.[18] Together, these steps form the core of AES's wide trail strategy, promoting uniform diffusion across the state.[18]

The AES round structure consists of an initial AddRoundKey, followed by Nr full rounds and a final round without MixColumns, where Nr is 10 for 128-bit keys, 12 for 192-bit keys, and 14 for 256-bit keys. Each full round applies SubBytes for confusion, ShiftRows and MixColumns for diffusion, and AddRoundKey for key integration, creating iterative layers that amplify the effects of confusion and diffusion.[8] The key schedule expands the cipher key into round subkeys, maintaining ongoing confusion by varying the key material per round.[18]

AES's balanced application of confusion and diffusion provides strong resistance to differential and linear cryptanalysis, with the maximum differential probability per round bounded at 2^{-6} due to the S-box properties and the branch number ensuring at least 25 active S-boxes over four rounds.[18] Similarly, the maximum linear correlation per round is at most 2^{-3}, leading to negligible probabilities over multiple rounds (e.g., ≤2^{-96} for four rounds).[18] As of 2025, no practical breaks of full-round AES have been demonstrated, with all known attacks requiring more resources than brute force or exploiting implementation flaws rather than the core algorithm.

Modern Extensions and Challenges

Applications in Contemporary Ciphers

Contemporary block ciphers developed after the adoption of AES in 2001 have continued to leverage confusion and diffusion principles to achieve robust security, often tailoring these mechanisms for efficiency in resource-constrained environments such as IoT devices. These designs typically employ substitution-permutation networks (SPNs) or Feistel-like structures, where nonlinear S-boxes provide confusion by obscuring the relationship between plaintext and ciphertext, while linear or permutation layers ensure diffusion by spreading the influence of each plaintext bit across the entire block.[16][19] This evolution builds on earlier SPN concepts but emphasizes hardware optimization and resistance to emerging threats like side-channel attacks.

Serpent, proposed in 1998 as an AES finalist and refined in subsequent implementations, exemplifies a conservative approach to confusion and diffusion in 128-bit block ciphers. It structures 32 rounds, each comprising a key mixing step followed by eight parallel 4-bit S-boxes for confusion—selected from a set of 32 predefined S-boxes to maximize nonlinearity and resistance to differential cryptanalysis—and a linear transformation layer using bitwise operations (XOR and rotations) for diffusion, ensuring full avalanche after a few rounds.[16] This design's extensive rounds and small S-boxes enhance security margins, making it suitable for high-assurance applications despite higher computational cost compared to AES.[20]

For lightweight scenarios, the PRESENT cipher, introduced in 2007, adapts confusion and diffusion to ultra-constrained hardware like RFID tags. Operating on 64-bit blocks with 80- or 128-bit keys over 31 rounds, it uses a single 4-bit S-box applied in parallel to all 16 nibbles for efficient confusion, providing strong nonlinear substitution with minimal gate count.[19] Diffusion is achieved via a fixed bit-permutation layer that rearranges bits without multiplications, promoting rapid avalanche (full diffusion in about 5 rounds) while keeping hardware footprint low at around 1,570 GE.[21] PRESENT's simplicity has made it an ISO standard for lightweight cryptography, balancing security against linear and differential attacks with IoT deployment needs.[22]

The ARIA cipher, established as a Korean national standard in 2004, incorporates confusion and diffusion akin to AES but with optimizations for software and hardware. It processes 128-bit blocks over 12, 14, or 16 rounds (depending on 128-, 192-, or 256-bit keys), employing 16 parallel 8×8 S-boxes—two types alternating for confusion, one matching AES's for interoperability and high nonlinearity.[23] Diffusion occurs through a linear layer multiplying by a 16×16 circulant matrix over GF(2^8), similar to AES's MixColumns, which achieves full diffusion in four rounds and resists algebraic attacks.[24] ARIA's involutional structure further simplifies key scheduling, enhancing its adoption in Asian standards and international protocols.[25]

Camellia, selected in the NESSIE project in 2000 and standardized by ISO in 2005, refines Feistel networks with added confusion via FL functions. Supporting 128-bit blocks and keys up to 256 bits over 18 or 24 rounds, its core F-function uses four 8×8 S-boxes for byte-wise substitution (confusion) followed by a linear diffusion layer with P-functions (permutations and matrix multiplications).[26] Every six rounds, key-dependent FL and inverse FL^{-1} functions insert additional confusion through nonlinear (AND/XOR) and linear transformations on half-blocks, improving branch number and resistance to impossible differentials.[27] This hybrid approach ensures strong avalanche while maintaining performance across platforms.[28]

In stream ciphers, RC4's limited diffusion—stemming from its key scheduling algorithm's poor mixing of initial state values—has led to exploitable biases, such as predictable byte distributions in the pseudorandom stream, prompting its deprecation in standards like TLS since 2015.[29] Unlike block ciphers, RC4 relies on permutation swaps for diffusion without dedicated linear layers, resulting in weak keys where key bits influence output unevenly, enabling attacks like Fluhrer-Mantin-Shamir that recover keys from Wi-Fi traffic.[30]

The NSA's SIMON and SPECK families, released in 2013 for IoT efficiency, innovate by using ARX (Addition-Rotation-XOR) operations to integrate confusion and diffusion without S-boxes. SIMON employs bitwise AND for nonlinear confusion and modular additions/rotations for diffusion across variable block sizes (32-128 bits) and keys (64-256 bits), achieving full diffusion in roughly n/2 rounds for n-bit blocks via linear feedback-like shifts. SPECK modularizes this with word-wise rotations and additions, optimizing for software while preserving avalanche properties.[31] These designs prioritize hardware simplicity (e.g., SIMON at 1,800 GE for the 64-bit variant) over traditional SPNs, supporting constrained devices without compromising core security principles.[32]

Recent developments up to 2025 in these ciphers address vulnerabilities like side-channel attacks by enhancing diffusion layers to uniformize intermediate values, reducing power/EM leakage patterns. Variants of lightweight ciphers incorporate randomized permutations or masking in diffusion steps to thwart differential power analysis, ensuring that single-bit changes propagate uniformly without exploitable concentrations. This focus on provable diffusion bounds—such as branch numbers exceeding 5 in linear layers—bolsters resilience in modern hardware, where physical attacks exploit non-uniform computation.[33]
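The "full diffusion in about 5 rounds" figure for PRESENT is the kind of claim a practitioner can measure rather than take on trust. The following Python is an added example, not code from the PRESENT designers or from any cited reference: it implements the 80-bit-key variant from its published description (4-bit S-box, bit permutation P(i) = 16i mod 63, key register rotation by 61 with an S-box on the top nibble and a round counter at bits 19..15), then counts, for a reduced number of rounds, how many of the 64×64 (plaintext bit, ciphertext bit) pairs are connected by at least one observed flip. The key used in the measurement is a constructed value; the only published test vector used is the all-zero plaintext under the all-zero key.

```python
"""Diffusion measurement on reduced-round PRESENT-80 (added example, not the designers' code)."""

import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# pLayer: bit i of the state moves to position 16*i mod 63; bit 63 stays in place
PERM = [(16 * i) % 63 for i in range(63)] + [63]
MASK64, MASK80 = (1 << 64) - 1, (1 << 80) - 1
DEMO_KEY = 0x0123456789ABCDEF0123          # constructed 80-bit key for the measurement


def sbox_layer(state):
    out = 0
    for nib in range(16):
        out |= SBOX[(state >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def p_layer(state):
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << PERM[i]
    return out


def round_keys(key80):
    """K_1..K_32: top 64 bits of the key register, updated after each extraction by
    rotate-left 61, S-box on the top nibble, and XOR of the round counter into bits 19..15."""
    keys, k = [], key80 & MASK80
    for counter in range(1, 32):
        keys.append(k >> 16)
        k = ((k << 61) | (k >> 19)) & MASK80
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))
        k ^= counter << 15
    keys.append(k >> 16)
    return keys


def encrypt(block, keys, rounds=31):
    """31 rounds is full PRESENT; fewer rounds gives the reduced cipher for measurement."""
    state = block & MASK64
    for r in range(rounds):
        state = p_layer(sbox_layer(state ^ keys[r]))
    return state ^ keys[rounds]


def present_encrypt(block, key80):
    return encrypt(block, round_keys(key80))


def diffusion_fraction(rounds, key80=DEMO_KEY, samples=128, seed=2024):
    """Fraction of the 4096 (input bit, output bit) pairs for which flipping the input
    bit changed the output bit in at least one of `samples` random plaintexts."""
    rng = random.Random(seed)
    keys = round_keys(key80)
    connected = 0
    for i in range(64):
        changed = 0
        for _ in range(samples):
            pt = rng.getrandbits(64)
            changed |= encrypt(pt, keys, rounds) ^ encrypt(pt ^ (1 << i), keys, rounds)
        connected += bin(changed).count("1")
    return connected / 4096


if __name__ == "__main__":
    print("PRESENT-80(pt=0, key=0) = %016X" % present_encrypt(0, 0))
    for r in (1, 2, 3, 5):
        print("rounds=%d: %.3f of bit pairs connected" % (r, diffusion_fraction(r)))
```

Structurally each round can multiply the reach of a single flipped bit by at most four (one S-box, whose four outputs the permutation sends to four different S-boxes), so after one round at most 1/16 of the pairs can be connected and after two rounds at most 1/4; the measurement shows when the probabilistic behaviour of the S-box catches up with that structural bound. The same loop works for any cipher exposing a round-count parameter, which is how the "about 5 rounds" and "four rounds" figures quoted for the other designs above can be checked against an implementation.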

Adaptations for Post-Quantum Cryptography

In the post-quantum era, symmetric cryptographic primitives relying on confusion and diffusion face threats from Grover's algorithm, which provides a quadratic speedup for exhaustive key searches, effectively halving the security level of the key size.[34] For instance, AES-128's 128-bit security drops to 64 bits against quantum attacks, necessitating a shift to AES-256 or equivalent to restore 128-bit quantum security.[35] The primary adaptation for symmetric ciphers against Grover's algorithm is to double key sizes, ensuring equivalent security levels in quantum settings, as recommended by NIST.[36] This adaptation ensures that the diffusion layers in block ciphers maintain avalanche effects sufficient to resist the algorithm's parallel search capabilities without altering core designs.

To counter quantum-accelerated differential cryptanalysis, enhanced diffusion layers have been explored in symmetric primitives for hybrid post-quantum schemes, promoting rapid mixing of information to obscure dependencies.[37] In lightweight symmetric primitives suitable for post-quantum environments, such as NIST LWC finalists, S-boxes are designed with high nonlinearity to resist cryptanalysis.[38] These modifications preserve Shannon's principles while addressing superposition-based queries that could otherwise propagate correlations through permutation networks.

NIST's lightweight cryptography standardization process, initiated post-2018, incorporates confusion and diffusion in selected candidates like Ascon, finalized in 2023 for authenticated encryption with associated data (AEAD). Ascon employs 5-bit S-boxes for confusion, achieving high nonlinearity (up to 12), and a substitution-permutation-like round function for diffusion, ensuring full avalanche in 3-4 rounds suitable for resource-constrained quantum-era devices.[39] This design balances efficiency and security, with the permutation providing bidirectional diffusion to thwart partial evaluation attacks in hybrid deployments.[40]

Challenges arise in quantum diffusion, where superposition attacks enable adversaries to evaluate multiple diffusion paths simultaneously, potentially weakening branch numbers compared to classical metrics like a minimum branch number of 5.[37] Hybrid designs mitigate this by combining classical substitution-permutation networks (SPNs) with hash-based key derivation, such as using SPHINCS+ for key generation alongside AES-like ciphers, ensuring forward security without full reliance on lattice hardness.[41] These hybrids demand careful parameter tuning to avoid side-channel leaks during quantum-assisted key expansion.[42]

As of 2025, no full quantum breaks of confusion-diffusion-based symmetric ciphers have occurred, but the principles are extended in FIPS 203's ML-KEM for module-lattice-based key encapsulation, where encapsulated symmetric keys leverage enhanced SPN diffusion in hybrid protocols to protect against Grover while encapsulating post-quantum secrets.[43] This integration supports CNSA 2.0 migration, maintaining 128-bit security for symmetric operations in quantum-hybrid environments.[44]

References
