Talk:Confusion and diffusion
This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects: | ||||||||||||||
|
Undone edits
[edit]Hello,
this is one of my first visits on Wikipedia, and if my editing experience is very scarce yet, I duly apologize.
OK, now to the discussion: I have recently been editing the article "confusion and diffusion" because I became aware of a statement in the article which simply is not true in my opinion.
Unfortunately my changes have been un-done so I wanted to take a chance to argue in favour of what I think is correct.
The point is that confusion and diffusion are -- at least in some lecture notes and books -- explained just in a self-respective way: confusing.
But if you happen to have read Shannon's original paper, which should be taken as the origin of any citations, the terms are made rather clear:
There are two "inputs" which lead to a ciphertext. One is the plaintext, the other one is the key. Diffusion leads to an elimination of a statistical relation between changes in single plaintext bits and changes in single ciphertext bits. If you change a plaintext bits, a cipher with good diffusion should lead to a 50 pc chance for _any_ ciphertext bit to change.
Confusion, on the other hand, does the same for the key<->ciphertext relation.
As I stated, I did the changes the day before yesterday, but they have been un-done.
Please read the original paper to get the terms correct, and then please re-do my changes. The current explanation is simply incorrect.
A link:
http://www.cs.ucla.edu/~jkong/research/security/shannon1949.pdf
- Thanks for your contributions, and Wikipedia:Welcome to Wikipedia! Your above definition isn't how I understand confusion and diffusion, but it's been a little while since I've read Shannon's paper, so it might well be different. I'll have a leaf through it now, though it would be most helpful if you could give some relevant quotes from Shannon's paper. — Matt 07:37, 11 Jun 2004 (UTC)
- To be more specific, the thing that I disagree with about your above definition is the assertion that confusion is the just the same thing as diffusion, but between key and ciphertext, not plaintext and ciphertext. I think confusion is about complexity of the relationship between the inputs and outputs, and diffusion is about the extent to which a small change in an input propagates to the output. — Matt 08:43, 11 Jun 2004 (UTC)
Shannon's paper
[edit]Now Shannon's paper is very lenghty indeed. If you are just interested in the issues of statistical methods reading especially Section 23 ("statistical methods") is sufficient.
Regards
OT
Quotations
[edit]Shannon writes:
Two methods (other than recourse to ideal systems) suggest themselves for frustrating a statistical analysis. These we may call the methods of diffusion and confusion. In the method of diffusion the statistical structure of M which leads to its redundancy is "dissipated" into long range statistics—i.e., into statistical structure involving long combinations of letters in the cryptogram...
The method of confusion is to make the relation between the simple statistics of E and the simple description of K a very complex and involved one.
Schneier writes in Applied Cryptography:
Confusion serves to hide any relationship between the plaintext, the ciphertext and the key. Remember how linear and differential cryptanalysis can exploit even a slight relationship between these three things? Good confusion makes the relationship statistics so complicated that even these powerful cryptanalytic tools won't work.
Diffusion spreads the influence of individual plaintext or key bits over as much of the ciphertext as possible. This also hides statistical relationships and makes cryptanalysis more difficult.
— Matt 08:04, 11 Jun 2004 (UTC)
...and Menezes, van Oorschot, Vanstone write (Handbook of Applied Cryptography):
p.20 1.36: Confusion is intended to make the relationship between the key and ciphertext as complex as possible. Diffusion refers to rearranging or spreading out the bits in the message so that any redundancy in the plaintext is spread out over the ciphertext.
— OT Fri Jun 11 10:29:59 CEST 2004
William Stallings, Cryptography and Network Security (3rd ed. p66-67):
In diffusion, the statistical structure of the plaintext is dissipated into long range statistics of the ciphertext. this is achieved by having each plaintext digit affect the value of many ciphertext digits, which is equivalent to saying that each ciphertext digit is affected by many plaintext digits...
The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible to thwart attempts to deduce the key. On the other hand, confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to recover the key. Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key.
— Matt 09:04, 11 Jun 2004 (UTC)
Clarification: First try
[edit]OK, I try to offer an explanation for both terms in my own words, and try to bit more precise than in my first uttering:
"Diffusion" is the spreading the redundancy of a plaintext over the ciphertext. What does that mean? In the set of all clear text messages, "sensible" clear text messages have a certain correlation between two-, three- and more-letter combinations (e.g. a "q" is always followd by a "u"). A cipher with good diffusion eliminates this correlation. Changes in one bit or letter affect every bit in the ciphertext. No correlation then means: the chances for a change in any ciphertext bit is 50 per cent.
I think we both agree with this definition.
- Yes, I think I broadly agree, though I might have a minor quibble: I think the property you mention is also termed the Strict Avalanche Criterion (SAC). I think diffusion is a more general concept than SAC that covers properties such as completeness, avalanche, higher-order SAC, that kind of thing; general dependancy of output digits on input digits, which can be measured using a variety of criteria. — Matt 10:48, 11 Jun 2004 (UTC)
- Right, then let us put it this way: if diffusion (i.e. the spreading of correlation) is taken to the one extreme so that a change in a single bit of plaintext leads to a 50 pc chance for any single bit in the ciphertext to change, then the cipher meets the SAC. Diffusion alone also includes stages in-between where the SAC is not met.
- Diffusion also (IMO) includes stronger criteria, such as SAC of order n... etc (fixing any n or fewer bits to a fixed constant, the resulting function is still SAC). — Matt 11:04, 11 Jun 2004 (UTC)
Now to "confusion": Shannon's view is to have the influence of the key bits on the ciperhtext such that a statistical analysis of the ciphertext does not help to cut out a simply-structured subset which the correct key most probably is situated in. Tying down the key closer and closer shall be practically impossible because the subset is too folded (in a geometric view) inside the set of all keys.
It should therefore be as difficult as possible to infer the key by a known-plaintext attack, for example.
It is generally stated that a complex polyalphabetic substitution rule does just that.
Now to the often-stated relation between diffusion/confusion and transposition/substitution: clearly, transposition adds to the diffusion of the cipher, but only if additional steps are taken. A simple transposition does not spread the influence of a bit change. It simply transposes it.
Similarly, a polyalphabetic cipher alone does not lead to confusion, because a simple key change only leads to a simple ciphertext change (Take Vigenere: if you just change the first key letter of a say ten-letter Vigenere key, then cipher text letters 1,11,21,31 etc are changed, none else.)
So even though transposition is the ingredient for diffusion, and substitution is the ingredient for confusion, it is an iterated combination of both, which really provides both confusion and diffusion.
I'd like to point out that transposition by itself dissipates the higher order n-gram statistics, but not the unigram statistics. User:Dvunkannon —Preceding comment was added at 20:35, 21 November 2007 (UTC)
Confusion
[edit]I think that both of you, User:OT and User:Matt Crypto, are right below in some sense, even though you are disagreeing with each other. The relationship between the key and the ciphertext is complex exactly because the cryptosytem has the property that changing one bit of the key changes the ciphertext completely, and hence in order to change only one bit of the ciphertext you certainly would have to change the key completely. There are basically equivalent properties. I will try to clarify these things here now. --GaborPete (talk) 04:35, 5 April 2009 (UTC)
- I'm not really satisfied with my own work, but presently that's what I can do. --GaborPete (talk) 10:31, 5 April 2009 (UTC)
And I agree with User:Dvunkannon (if it was him at the end): claiming that S-boxes are for confusion and P-boxes are for diffusion is complete nonsense. In the substitution–permutation network article it had been stated the opposite way, which is also complete nonsense, I have just changed that there. Both diffusion and confusion are the results of using S-boxes and P-boxes together in the right way. If you introduce the key with XORs, as usual, then it's impossible to achieve only confusion or only diffusion, whatever your S-boxes and P-boxes are. (This is related to my previous comment, too.) --GaborPete (talk) 04:35, 5 April 2009 (UTC)
- I have now deleted the following paragraph: --GaborPete (talk) 10:31, 5 April 2009 (UTC)
- Substitution (a plaintext symbol is replaced by another) has been identified as a mechanism for primarily confusion (see S-box); conversely transposition (rearranging the order of symbols, see P-box) is a technique for diffusion, although other mechanisms are also used in modern practice, such as linear transformations (e.g. in Rijndael). Product ciphers use alternating substitution and transposition phases to achieve both confusion and diffusion respectively.
There are two more slightly confusing things in the present text, I will change them, too:
- I think it is dangerous to connect the word "substitution" in a substitution–permutation network with a substitution cipher. For example, in Rijndael, a main example of an SP network, an S-box substitutes 8-bit blocks by 8-bit blocks. On the other hand, when hearing "substitution cipher", one usually thinks of changing one character to another character, maybe pairs to pairs, or triplets to triplets, at most, but not octets to octets. True, an ASCII character is usually 8 bits, or something like that, but then Rijndael mixes these bits among the 8-bit blocks, not at all respecting ASCII characters or anything like that.
- The transposition (mathematics) link is wrong. That means something else. --GaborPete (talk) 04:35, 5 April 2009 (UTC)
- OK, I didn't really change them, rather deleted. But I have put a sentence containing substitution cipher and transposition cipher into the substitution–permutation network article. --GaborPete (talk) 10:31, 5 April 2009 (UTC)
Use in "A Mathematical Theory of Cryptography" (1945)
[edit]Shannon's 1949 paper (Communication Theory of Secrecy Systems) is a revised and declassified version of a 1945 paper (A Mathematical Theory of Cryptography - there's a copy here: https://www.iacr.org/museum/shannon45.html). They're pretty similar. I just checked and Confusion and Diffusion are actually defined in the earlier paper, so I'd like to change the article to reference that earlier piece unless someone has an objection. Shane Lin (talk) 10:08, 26 October 2015 (UTC)
Confusion in hashes
[edit]The non-keyed hashes do not have confusion in its standard definition, so I have modified the lead accordingly. A good WP:RS for that assertion is remarkably hard to find, though. Dimawik (talk) 20:55, 25 April 2023 (UTC)
hash functions of hash tables
[edit]I changed it to: These concepts are also important in the design of cryptographic hash functions, pseudorandom number generators and for the hash functions of hash tables, where decorrelation of the generated values is the main feature.
It was changed to: These concepts are also important in the design of cryptographic hash functions and pseudorandom number generators, where decorrelation of the generated values is the main feature, diffusion is also applicable to non-keyed hash functions.
The Issue: Hash functions of hash tables do have keys. Consider javas HashMap<T,U> that has keys of type T and values of type U. T has a function like hashCode() or something. The same is true also with basically all other modern object oriented languages, for their implementations of hash tables. This function hashCode() takes some fields of the object T and generates a hash value from it. The hash value needs to be decorrelated from the fields it was generated from. It needs to have both properties; Confusion and Diffusion to generate the hash value, so that the hash table can be balanced. I think the usage in hash functions for hash tables is quite common, and should therefore be mentioned. Why was my text removed, and replaced with that of non-keyed hash functions? Thanks · · · Omnissiahs hierophant (talk) 06:09, 26 April 2023 (UTC)
- For an example, let's start with one of a simplest hash functions, the cyclic redundancy check. It obviously has no security properties whatsoever (it is a linear Boolean function, after all), and cannot be made into a keyed hash function (the one suitable for authentication) using the construct that you describe. Generally speaking, this construct will only turn hash into an authentication mechanism (HMAC) -- and this is the definition for a "keyed hash", as it is not an arbitrary hash with some key prepended to the data (cf. [1]) -- for the hash that was of a cryptographic-quality from the start (an thus is already covered in the text). So generic statement that confusion is important in hash design is not exactly correct, as some very popular non-cryptographic hashes clearly cannot take a key (in its cryptographic meaning) in any shape or form, so confusion is simply not applicable to them. I have tried to correct that by stating that diffusion is important to all hashes. I have no objection to any other language that will not contradict the underlined text. For example, (a) your original text can be restored and modified to limit the hash functions of hash tables to a subset of these functions that (1) use a key and (2) provide some confusion with respect to the said key. Another alternative is to (b) put the word "sometimes" when describing the confusion and non-keyed hash functions. Yet another approach is to (c) revert to the original text that did not attempt to describe properties of non-cryptographic-quality hashes. One more solution can be found by (d) locating a WP:RS in the field of cryptography that deals with the non-cryptographic hashes and use the confusion language from this source (I have tried, not very hard, and failed).Dimawik (talk) 02:46, 27 April 2023 (UTC)
- Sorry for delay, it took some time to obtain energy for this. SHA is a keyless hash algoritm, and it has both confusion and diffusion properties, see the abstracts of these papers.[1][2] Does it really need to have a key to be called Confusion? Also I think most hash functions have no keys (SHA256, MD5, Adler32, my home-made non-cryptographic hashfunctions, et.c.)? Confusion can (i think) be done with just xoring or adding with a constant, et.c. I might be wrong as usual but those papers say SHA256 has confusion at least · · · Omnissiahs hierophant (talk) 08:34, 7 May 2023 (UTC)
- I think that we have purely terminological disagreement here, so I would break my previous statements into numbered pieces and add some additional information. This way, we will be able to discuss small pieces of my text (or linkages between these pieces) separately and hopefully reach a wp:consensus. So,
- This article is about cryptography, and the terms used here are the ones the cryptographers use. In particular, a key (cryptography) has a particular meaning that is different from the ones in non-cryptographic contexts;
- Keyed hash function in cryptography is also a very specific thing - it is a construct (with a key in a sense of #1) that can be used for message authentication, for example, an HMAC. This application needs a special hash function (it should be a cryptographic hash);
- The word confusion in this context is related to application of the (usually secret) key to the data;
- The non-cryptographic hash functions are, well, not cryptographic, so they cannot be used for keyed hash function in a sense of #2 (as adding a key in some way to the hash input does not make it a keyed hash function in a sense of #2);
- You list a set of cryptographic hashes (SHAS-256, MD5) and say they do have confusion property. You are correct, and this fact is already reflected in the text already ("These concepts [both confusion and diffusion] are also important in the design of cryptographic hash functions");
- Any hash function that is useful needs the diffusion property, this fact is also reflected by a statement diffusion is also applicable to non-keyed hash functions. With that statement I have covered both cryptographic hashes that are used without key (they are already covered per #5, but there is no harm in re-including them), as well as hash functions that cannot be made into the keyed ones as defined by #2 no matter how hard one tries;
- To the best of my understanding, you adding "my home-made non-cryptographic hashfunctions" to the list alongside SHA-256 means that you think that any hash function has the confusion property;
- I have responded with an example of CRC, which is
- a. A hash function
- b. Is linear with respect to its argument
- c. Creating a construct per #2 is thus not achievable
- d. Thus, per #3, I fail to understand how the term confusion can be applied to this function
- Prior to the work on the text, it might be useful to synchronize our use of terminology. Please let me know which ones of the statements above (if any) you disagree with. Dimawik (talk) 01:54, 8 May 2023 (UTC)
- I have added a new page, Non-cryptographic hash function that can be used for all the subtleties. Some text can be migrated there and expanded without the space limitations. Dimawik (talk) 00:57, 30 May 2023 (UTC)
- I have changed the text slightly to link to non-crypto hash page (instead of non-keyed) and avalanche effect (a typical term used when discussing non-crypto hashes that refers to the effect of diffusion - and confusion). I am not sure if this is better, so feel free to revert and continue the discussion. Dimawik (talk) 01:31, 30 May 2023 (UTC)
- I have added a new page, Non-cryptographic hash function that can be used for all the subtleties. Some text can be migrated there and expanded without the space limitations. Dimawik (talk) 00:57, 30 May 2023 (UTC)
- I think that we have purely terminological disagreement here, so I would break my previous statements into numbered pieces and add some additional information. This way, we will be able to discuss small pieces of my text (or linkages between these pieces) separately and hopefully reach a wp:consensus. So,
- Sorry for delay, it took some time to obtain energy for this. SHA is a keyless hash algoritm, and it has both confusion and diffusion properties, see the abstracts of these papers.[1][2] Does it really need to have a key to be called Confusion? Also I think most hash functions have no keys (SHA256, MD5, Adler32, my home-made non-cryptographic hashfunctions, et.c.)? Confusion can (i think) be done with just xoring or adding with a constant, et.c. I might be wrong as usual but those papers say SHA256 has confusion at least · · · Omnissiahs hierophant (talk) 08:34, 7 May 2023 (UTC)
References
- ^ "Construction and Analysis of SHA-256 Compression Function Based on Chaos S-Box".
- ^ A bot will complete this citation soon. Click here to jump the queue arXiv:1609.00616.
Examples of ciphers that have confusion and diffusion
[edit]The article states that substitution cipher and OTP are confusion only, and transposition is diffusion-only. But I think that none of them have diffusion, since for all three ciphers a small change of the plaintext will result in an equally small change of the ciphertext. I think TC and SC can be said to have confusion, but OTP cannot (clearly, each part of the ciphertext depends on one part only of the key). So if no-one objects, I'll fix this. Nsuta (talk) 14:27, 24 September 2024 (UTC)
- Let's discuss the sources first. Can you please declare here the WP:RS that you plan to use to write the new text? Dimawik (talk) 04:20, 25 September 2024 (UTC)
- Yes, good question. I confess I haven't researched good sources (but of course that's needed). It might be hard to find sources, because the examples are so trivial. I'm afraid I don't know if the Stamp & Low book cited for that sentence actually mentions those examples; I sort of doubt it, because the examples seem wrong to me. Do you happen to know? Nsuta (talk) 09:33, 25 September 2024 (UTC)
- It very much depends on your geographic location, but for me this link opens the page 182. I have read the book before and, yes, this is exactly what the authors state. The definitions of confusion and diffusion are not very firm, these are mostly the ideas on the cipher design. To me there is nothing wrong with the statement about transposition cipher being a diffusion-only cipher: the results on the picture there look scrambled, which is exactly what I expect the diffusion to do. Dimawik (talk) 23:35, 25 September 2024 (UTC)
- Hi, thanks for looking that up. Unfortunately I can't read p182 ("image not found"), possibly as you say due to some kind of geographic restriction (interestingly I can see several other pages). I still don't get it - for example, diffusion says a small change in the plaintext will result in a big change in the ciphertext, whereas with transposition cipher, the change in the ciphertext will be the same size as the change in the plaintext. For example, if you change 1 bit or 1 character in the plaintext, you'll see a 1 bit or 1 character change in the ciphertext. So I'd say we don't have diffusion. However, not having an authoritative source, I won't change the article. Nsuta (talk) 14:02, 13 October 2024 (UTC)
- My interpretation of your words is that the transposition cipher is very weak against the differential cryptanalysis. Yes, this is correct. A single round of a modern symmetrical cipher will exhibit a similar problem, as diffusion function is usually linear or close to it - that's why these ciphers have multiple rounds. Essentially a typical confusion applies (nonlinear) changes locally, while diffusion spreads them apart. Working together in multiple rounds, they spread nonlinear changes wide. One can make a cipher by using a confusion circuit with very wide input/output (like 128 bits), but this would be prohibitively expensive, so practical cipher has narrow (4-8 bits I/O) confusion circuit and wide, but simple diffusion one. Dimawik (talk) 09:47, 17 October 2024 (UTC)
- Hi, thanks for looking that up. Unfortunately I can't read p182 ("image not found"), possibly as you say due to some kind of geographic restriction (interestingly I can see several other pages). I still don't get it - for example, diffusion says a small change in the plaintext will result in a big change in the ciphertext, whereas with transposition cipher, the change in the ciphertext will be the same size as the change in the plaintext. For example, if you change 1 bit or 1 character in the plaintext, you'll see a 1 bit or 1 character change in the ciphertext. So I'd say we don't have diffusion. However, not having an authoritative source, I won't change the article. Nsuta (talk) 14:02, 13 October 2024 (UTC)
- It very much depends on your geographic location, but for me this link opens the page 182. I have read the book before and, yes, this is exactly what the authors state. The definitions of confusion and diffusion are not very firm, these are mostly the ideas on the cipher design. To me there is nothing wrong with the statement about transposition cipher being a diffusion-only cipher: the results on the picture there look scrambled, which is exactly what I expect the diffusion to do. Dimawik (talk) 23:35, 25 September 2024 (UTC)
- Yes, good question. I confess I haven't researched good sources (but of course that's needed). It might be hard to find sources, because the examples are so trivial. I'm afraid I don't know if the Stamp & Low book cited for that sentence actually mentions those examples; I sort of doubt it, because the examples seem wrong to me. Do you happen to know? Nsuta (talk) 09:33, 25 September 2024 (UTC)