
Within the scope of a study project I'm looking for an approach to assess the quality of AES encryption in practice. To do so, I modified the OpenSSL source code to be able to log metrics while encrypting thousands of blocks to obtain a representative result.

The first criterion for assessment is to check for the avalanche criterion:

During (AES) encryption rounds I copy the current block to be encrypted (let's call it $I_o$), flip one bit (let's call it $I_c$) and encrypt it as well, so the same operation is applied (before the round key is modified, shifting etc.). This results in the blocks $C_o$ and $C_c$, which I check for their Hamming distance ($\operatorname{HD}$). AES seems to do a good job: for each byte the $\operatorname{HD}(C_o, C_c)$ is continuously ~4 bits.

At this point I'm struggling with two questions:

  1. Does it matter WHICH bit I'm flipping? Is it legit to always flip the MSB, e.g., or should it be a random position?

  2. The presence of the avalanche effect implies that an attacker has a 50/50 chance to predict the input ($I$) state of one bit for each round. So the benefit of applying several rounds (in my case $b/k=128$ bit -> 10 rounds) is to reduce the probability for an attacker to predict a bit's original (plain) state to $0.5^{10}$?

Thanks for any inspiration! :)

Oliver Jl
  • Related question and answer http://crypto.stackexchange.com/questions/34269/calculation-of-the-avalanche-effect-coefficient?rq=1 – kodlu May 15 '16 at 22:14

1 Answer


Does it matter WHICH bit I'm flipping? Is it legit to always flip the MSB, e.g., or should it be a random position?

If you see the cipher design as a black box then certainly yes. It could well be that the design would be more secure for certain positions than the other. This would indicate a (local) weakness.

Note that the Hamming distance is just one method of testing (pseudo) randomness.

The presence of the avalanche effect implies that an attacker has a 50/50 chance to predict the input ($I$) state of one bit for each round. So the benefit of applying several rounds (in my case $b/k=128$ bit -> 10 rounds) is to reduce the probability for an attacker to predict a bit's original (plain) state to $0.5^{10}$?

No. Each bit has two states. This means that one state is correct and one state is incorrect. If you can "predict" the state with a chance of 0.5 then you're perfectly secure.

Guessing a bit right with a chance lower than 0.5 actually doesn't make sense at all. It means you guess wrong with a high probability. In that case you just have to invert the bit to get a higher result (of $1 - P$ where $P$ is the probability).

The additional rounds are needed to protect against other attacks than simply performing black box testing. AES has been "broken" up to 7, 8 or 9 rounds for 128, 192 and 256 bits respectively.

Maarten Bodewes
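An added example, not part of the question or answer above: a compact AES-128 written for this illustration (not the OpenSSL code the asker modified) together with a harness that flips every one of the 128 plaintext bit positions in turn, so the first question ("does it matter which bit I flip?") is settled by measuring all positions rather than by always picking the MSB. The function names, the seeded sample plaintexts and the `samples`/`seed` parameters are this example's own; a full-block mean near 64 corresponds to the ~4 bits per byte the asker reports.

```python
import random

# Compact AES-128 per FIPS-197, written for this example (not OpenSSL's code). State index = row + 4*col.
def _xtime(a):                      # multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
def _gmul(a, b):                    # general GF(2^8) product, only used to derive the S-box
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), _xtime(a), b >> 1
    return r
SBOX = []                           # S-box from its definition: inverse in GF(2^8), then the affine map
for _x in range(256):
    _inv = next((y for y in range(256) if _gmul(_x, y) == 1), 0)
    _rot = [((_inv << n) | (_inv >> (8 - n))) & 0xFF for n in range(1, 5)]
    SBOX.append(_inv ^ _rot[0] ^ _rot[1] ^ _rot[2] ^ _rot[3] ^ 0x63)
MUL2, MUL3 = [_xtime(x) for x in range(256)], [_xtime(x) ^ x for x in range(256)]

def _expand_key(key):               # 11 round keys of 16 bytes each, column-major like the state
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]              # RotWord, then SubWord
            t[0], rcon = t[0] ^ rcon, _xtime(rcon)           # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows
        if rnd != 10:                                         # MixColumns (not in the last round)
            s = [MUL2[s[c + i]] ^ MUL3[s[c + (i + 1) % 4]] ^ s[c + (i + 2) % 4] ^ s[c + (i + 3) % 4]
                 for c in range(0, 16, 4) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]               # AddRoundKey
    return bytes(s)

def hamming_distance(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
def flip_bit(block, bit):           # bit 0 is the MSB of byte 0, bit 127 the LSB of byte 15
    return bytes(b ^ ((0x80 >> (bit % 8)) if i == bit // 8 else 0) for i, b in enumerate(block))

def avalanche_by_bit_position(encrypt, key, samples=16, seed=1):   # mean HD(C_o, C_c) per flip position
    rng = random.Random(seed)       # constructed, reproducible sample plaintexts (I_o)
    pts = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(samples)]
    cts = [encrypt(key, p) for p in pts]
    return [sum(hamming_distance(c, encrypt(key, flip_bit(p, bit))) for p, c in zip(pts, cts)) / samples
            for bit in range(128)]
```

The same harness can be pointed at a reduced-round variant or at an intermediate round state, which is where position-dependent deviations from 64 would show up as the local weakness the answer mentions.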