Cryptography Reference
ers of DES chose to interleave some confusion functions with some
diffusion functions to produce incomprehensible results.
The best way to judge the strength of an encryption system like
DES is to try to break it. Talking about highly technical things like
code breaking at a high level can be futile because the important
details can often be so subtle that the hand-waving metaphors end
up flying right over the salient fact. Still, a quick sketch of an attack
on the alternating layers of confusion and diffusion in DES can give
at least an intuitive feel for why the system is effective.
Imagine that you're going to break one round of DES. You have
the 64 bits produced by one step of confusion and one step of
diffusion. You want to reconstruct the 64 bits from the beginning
and determine the 56 key bits that were entered. Since only
one round has finished, you can immediately discover one half
of the bits. The main advantage that you have is that not much
diffusion has taken place. Thirty-two bits are always unchanged
by each round. This makes it easier to determine if the other
half could come from the same file. Plus, these 32 bits were also
the ones that fed into the confusion function. If the confusion
process is not too complicated, then it may be possible to run
it in reverse. The DES confusion process is pretty basic, and it
is fairly straightforward to go backward. It's just a table lookup.
If you can guess the key or the structure of the input, then it is
simple.
Now imagine doing the same thing after 16 rounds of confusion
and diffusion. Although you can work backward, you'll quickly discover
that the confusion is harder to run in reverse. After only one
round, you could recover the 32 bits of the left half that entered the
function. But you can't get 32 bits of the original message after 16
rounds. If you try to work backward, you'll quickly discover that everything
is dependent on everything else. The diffusion has forced
everything to affect everything else. You can't localize your search to
one 4-bit block or another because all of the input bits have affected
all of the other bits in the process of the 16 rounds. The changes have
percolated throughout the process.
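
The one-round versus 16-round contrast sketched above can be measured on a toy Feistel cipher. This is an added example, not code from the book and not real DES: the 4-bit table, the rotation amount, the key schedule and the sample values are all assumptions chosen to keep it short.

```python
# Toy 64-bit Feistel cipher, constructed for illustration. NOT real DES.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # assumed 4-bit table
MASK32 = 0xFFFFFFFF

def round_function(half, subkey):
    """Confusion (table lookup on each 4-bit block), then diffusion (bit rotation)."""
    x = (half ^ subkey) & MASK32
    y = 0
    for i in range(8):
        y |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32

def subkeys(key, rounds):
    """Hypothetical key schedule: rotate the 56-bit key, take its low 32 bits."""
    key &= (1 << 56) - 1
    out = []
    for i in range(rounds):
        s = (3 * i) % 56
        rotated = ((key >> s) | (key << (56 - s))) & ((1 << 56) - 1)
        out.append(rotated & MASK32)
    return out

def encrypt(block, key, rounds):
    left, right = block >> 32, block & MASK32
    for k in subkeys(key, rounds):
        left, right = right, left ^ round_function(right, k)  # right half passes through
    return (left << 32) | right

def decrypt(block, key, rounds):
    left, right = block >> 32, block & MASK32
    for k in reversed(subkeys(key, rounds)):
        left, right = right ^ round_function(left, k), left  # undo one round
    return (left << 32) | right

def avalanche(block, key, rounds):
    """Average number of output bits that change when one input bit is flipped."""
    base = encrypt(block, key, rounds)
    diffs = [bin(base ^ encrypt(block ^ (1 << b), key, rounds)).count("1") for b in range(64)]
    return sum(diffs) / 64

if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, 0x133457799BBCDF  # constructed sample values
    ct1 = encrypt(pt, key, 1)
    print("half of input visible after 1 round:", (ct1 >> 32) == (pt & MASK32))
    for r in (1, 2, 4, 16):
        print(r, "rounds:", avalanche(pt, key, r), "output bits change per flipped input bit")
```

With the key, every round count inverts cleanly; what grows with the rounds is how many output bits each input bit touches, which is what defeats a search localized to one 4-bit block.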
Rijndael is similar in theme to DES, but much more efficient for
modern CPUs. The S-boxes from DES are relatively simple to implement
on custom chips, but they are still complicated to simulate with
the general-purpose CPUs used in most computers. The confusion in
AES is accomplished by multiplying by a polynomial and the diffusion
occurs when the subblocks of the message block are scrambled.
This math is much more basic than the complex S-boxes because the
general-purpose CPUs are designed to handle basic arithmetic.