3

I am working with symmetric algorithms in Java with javax.crypo and Bouncy Castle libraries and I need to calculate the avalanche effect of different symmetric algorithms such as DES, 3DES, Blowfish and AES.

I have read about the avalanche effect and means that when an input text is changed slightly (for example, flipping a single bit) the output changes significantly. To calculate this, I made some test by creating a new text changing the first word in the original text and later encrypting both texts. After this I compared the bits that had changed between the original text and the new text.

To this tests I used the four algorithms in CBC operation mode and with PKCS5PADDING. As I know, the change between the encrypted texts must to be high although the changed word is only in the first block of the text, because the input in CBC mode is the encrypted text generated by the previous block, so all blocks are used to generate the final text. So, I think that the change must be considerable.

I read that the 50% of change is a satisfactory value because it means that a change of a word or a single bit in the input changes the output with a 50% probability, and it is strong. The problem is that the results in my tests are about 50% for the four algorithms, and I think that it is no correct, because the difference will be higher and I suppose that AES that works with S-boxes as substitution for encryption must have more change. I have been searching a estimation of avalanche effect result values for these algorithms, to contrast with my results, but I haven't found a estimation. So, I don't know if I am calculating the avalanche effect correctly.

I calculated the avalanche effect in the resulting ciphertexts, not in each round during the encryption process.

I was looking for information and I have found few articles on this subject in which they show: the password used, the original ciphertext, and the encrypted text on it that has made one change. The comparison is performed by bitwise between the two ciphered texts, and so I understand, not in the ciphertext during rounds in the encryption process. It is not like this? Some of these articles are: link and link

Am I calculating the avalanche effect correctly in the symmetric algorithms?

Is there some estimated values about this effect in the algorithms?

CGG
  • 229
  • 1
  • 8
  • 15
  • 2
    Why do you think that 50% of the bits changing for all tested algorithms is not correct? – Stephen Touset Oct 01 '16 at 19:26
  • 2
    Put another way, if 25% of bits flipping would be considered insufficient for a block cipher, do you see why 75% of bits flipping would be equally concerning? – Stephen Touset Oct 01 '16 at 19:30
  • Yes, I have understood that part. However, the problem is that I think that I am doing the test incorrectly because I have obtained a similar result with each algorithm and I think that the differences, for example, between AES and DES have to be bigger. Or the best results and the best algorithms always have around the 50% of change? – CGG Oct 01 '16 at 20:57
  • 1
    I don't think you have stopped to consider the implications of my question. If any block cipher exhibited any noticeable deviation from half of its bits being flipped at random (either fewer or more), it would be considered a critical failure of the cipher. Imagine, for the sake of argument, that AES scored 75% in your tests. An attacker could construct AES' by flipping all of the output bits of AES. By definition, AES' would have an "avalanche factor" of 25% and would have strong attacks against it. – Stephen Touset Oct 02 '16 at 03:39
  • 3
    To summarize: 50% of output bits being flipped at random (on average) is not merely a "satisfactory value". It is the only acceptable value for a block cipher. – Stephen Touset Oct 02 '16 at 03:46
  • The avalanche effect for a block cipher is defined different from what you have done. It concerns the effect of flipping of individual bits that are input to a block of the cipher. See Wiki and the literature references given there. – Mok-Kong Shen Oct 02 '16 at 10:20

2 Answers2

7

You appear to be under the impression that AES should score better than DES, because AES is stronger than DES.

The issue is that your test is extremely crude; any decent block cipher will pass the test.

If I were to go to an analogy, it's as if you have devised a test for automobiles, which the sole check being 'is there an engine?'. You run your test on a Yugo, and it passes, you run your test on a high-end Porsche, and it passes; and you ask, the Porsche is a much better car than the Yugo; why isn't it scoring better?

As for the differences between AES and DES, the important ones are:

  • AES has a much larger key than DES. The DES key is small enough that it can be (and has been) brute forced (that is, checking each key individually) by adversaries with a reasonable amount of resources; the AES key space is so much larger that, even with the "small" setting of 128 bits, it's infeasible to do so.

  • The AES block size is larger than DES; with DES (and CBC mode), you'll start to leak contents of the plaintext after encrypting a few Gigabytes; the same will happen with AES, but only after a truly huge amount of data has been encrypted (e.g. the amount of data that travels over the entire internet in a week)

  • There's also some known ways to apply linear cryptanalysis to DES; however (again) only after a large amount of data has been encrypted.

Your tests won't pick up on any of these differences, and so (as far as your test is concerned), DES and AES look equally good.

poncho
  • 147,019
  • 11
  • 229
  • 360
4

If more than 50% of the bits flipped on average this would be a weakness. To illustrate this, say 75% of the output bits flipped.

Then by simply changing 2 district input bits separately you'd get that the same subset of 50% of the output bits are flipping, which is highly nonrandom behaviour.

kodlu
  • 22,423
  • 2
  • 27
  • 57