are the properties it should have as a minimum requirement. You should not expect a stronger statement than this in this section either.
So what does the 'ideal' encryption algorithm look like, and how should it be implemented?
1. It should implement confusion, i.e., the relationship between plaintext and ciphertext should not be discernible. (This property is so matter-of-fact that it is listed here for the sake of completeness only — it sounds so prettily scientific.) Plaintext and ciphertext have to be statistically independent.
2. It has to implement diffusion, i.e., structures in the plaintext should be blurred to the largest possible extent. For example, the CBC mode should be used when working with block ciphers.
3. The key length should be large enough to make brute force too costly compared with the value of the message (bear in mind that computers are getting continually faster!).
4. Identical or similar plaintexts should never create identical or similar ciphertexts. You should always use block ciphers in combination with a mode that uses a random initialization vector (Section 5.1.1); for stream ciphers this is mandatory in order to prevent insertion attacks.
5. A ciphertext must not be statistically distinguishable from a sequence of random numbers. This applies not only to the character distribution, but also to correlations between characters or bits, even when the plaintext is a constant character sequence (see Point 4 above).
6. No exploitable cycles should occur in constant, periodic, or otherwise strikingly structured plaintext, i.e., the ciphertext must not repeat itself from some point onward. Such repetitions are theoretically unavoidable for every cipher except the one-time pad, but their period should be long enough to rule out exploitable cryptanalysis.
7. Block algorithms are required to support the avalanche effect: a change to an arbitrary plaintext bit must influence every ciphertext bit with a probability of exactly 50 %, when using a random key; otherwise, there might be a risk of linear cryptanalysis attacks. This is a stronger form of Point 1 above.
8. Known-plaintext or chosen-plaintext attacks should not be practically feasible.
9. In particular, the algorithm should not be vulnerable to differential or linear cryptanalysis.
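Point 7 can be checked empirically rather than taken on trust. The following is an added example, not code from the book, that measures the avalanche effect of a block cipher with Go's standard library; the choice of AES-128 as the cipher under test is an assumption (the text names no particular algorithm), and the random keys and plaintext blocks are generated on the fly.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
	"math/bits"
)

// randBytes returns n bytes from the OS CSPRNG; a failed read is fatal here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// avalancheRatio measures Point 7 for AES-128 (assumed cipher): under `trials`
// random keys, flip each of the 128 bits of a random plaintext block in turn
// and return the mean fraction of ciphertext bits that change. A sound block
// cipher gives about 0.5; a value far from it would hint at linear structure.
func avalancheRatio(trials int) float64 {
	const n = aes.BlockSize * 8 // 128 bits per block
	ct, ct2 := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	changed := 0
	for t := 0; t < trials; t++ {
		blk, err := aes.NewCipher(randBytes(16))
		if err != nil {
			panic(err)
		}
		pt := randBytes(aes.BlockSize)
		blk.Encrypt(ct, pt)
		for bit := 0; bit < n; bit++ {
			pt[bit/8] ^= 1 << (bit % 8) // flip one plaintext bit
			blk.Encrypt(ct2, pt)
			pt[bit/8] ^= 1 << (bit % 8) // restore it for the next flip
			for i := range ct {
				changed += bits.OnesCount8(ct[i] ^ ct2[i])
			}
		}
	}
	// trials keys x n flips x n ciphertext bits examined per flip
	return float64(changed) / float64(trials*n*n)
}

func main() {
	fmt.Printf("mean fraction of ciphertext bits changed: %.4f\n", avalancheRatio(100))
}
```

Running it repeatedly shows the ratio settling within a fraction of a percent of 0.5; the same harness applied to a weak cipher (or to a reduced-round variant) is how the "exactly 50 %" requirement is checked in practice.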