Cryptography Reference
Choosing a block size thus involves a compromise between security and efficiency.
DES has a block size of 64. Modern block cipher algorithms such as AES tend to
have a block size of 128.
4.3.2 Properties of block ciphers
Unlike stream ciphers, block ciphers tend not to be associated with generic
properties. This is because block ciphers vary so much in their technical design.
However, as a general rule, block ciphers are associated with:
Versatility. Block ciphers are not just used for encryption, but also as components
of other cryptographic primitives such as MACs and hash functions.
Compatibility. Well-respected block ciphers such as AES are the most widely
implemented and used encryption algorithms, resulting in them becoming
default choices of encryption algorithm for many applications. This aids
compatibility.
Adaptability. Block ciphers can be implemented in different modes of operation
(see Section 4.6) in order to achieve different properties.
Two aspects of block ciphers that may not always be desirable are:
Error propagation. This is inevitable if a block cipher is used in the simple manner
depicted in Figure 4.3. For example, a 1-bit transmission error only changes one
bit of a ciphertext block, but the result of decrypting this erroneous ciphertext
block will be a plaintext block with, on average, half of its bits incorrect. This
is because:
1. A good block cipher should have the property that two ciphertext blocks that
differ in just one bit (or, indeed, any number of bits) should have corresponding
plaintext blocks that have no apparent relationship (they are independent of
one another). To understand why, recall that our standard assumptions in
Section 1.5.1 assume that an attacker knows plaintext/ciphertext pairs. If an
attacker sees a new ciphertext block that differs from a ciphertext block that
they already know the corresponding plaintext block for (even if this new
ciphertext block differs only in one bit) then the attacker should not be able to
predict any bits of the new plaintext block. If they could, then the block cipher
would have to be regarded as insecure.
2. If two plaintext blocks P1 and P2 have no apparent relationship then this means
that for every bit in P1, the corresponding bit in P2 should be 'unpredictable'.
This means that there is a half chance that the corresponding bit in P2 is
different, and a half chance that it is the same. (If it was always different
then it would be very predictable!) Thus, on average, P1 and P2 will have
half of their bits in common, and these coinciding bits happen 'by chance'.
Importantly, however, although an attacker can expect that, on average, half
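The error-propagation claim above can be measured directly. This is an added example, not part of the original text: it assumes XTEA as the block cipher (64-bit blocks, like DES; chosen here only because it fits in a few lines of pure Python, the text does not discuss it) with a constructed key and plaintext block, applies each of the 64 possible 1-bit ciphertext errors, and counts how many plaintext bits decrypt incorrectly.

```python
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mix(v, s, k):
    # XTEA round function applied to one 32-bit half of the block
    return (((v << 4) ^ (v >> 5)) + v) ^ (s + k)

def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Encrypt one 64-bit block under a 128-bit key."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK
    return struct.pack(">2L", v0, v1)

def xtea_decrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Decrypt one 64-bit block (exact inverse of xtea_encrypt)."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK
    return struct.pack(">2L", v0, v1)

def flipped_bits_per_error(key: bytes, plaintext: bytes) -> list:
    """For each 1-bit ciphertext error, count the wrong bits after decryption."""
    c = int.from_bytes(xtea_encrypt(key, plaintext), "big")
    p = int.from_bytes(plaintext, "big")
    counts = []
    for bit in range(64):
        damaged = (c ^ (1 << bit)).to_bytes(8, "big")   # one transmission error
        recovered = int.from_bytes(xtea_decrypt(key, damaged), "big")
        counts.append(bin(p ^ recovered).count("1"))    # Hamming distance to P
    return counts

KEY = bytes(range(16))     # constructed 128-bit key
PLAINTEXT = b"PAY 0100"    # constructed 64-bit plaintext block

if __name__ == "__main__":
    counts = flipped_bits_per_error(KEY, PLAINTEXT)
    print("wrong plaintext bits per 1-bit error: min", min(counts),
          "max", max(counts), "mean", sum(counts) / len(counts))
```

The mean comes out close to 32 of 64 bits, which is the "half of its bits incorrect" behaviour described above.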
 