
Consider a single round of a cryptographic permutation: what is so special about it that lacking some bits of information, which either get mixed into it as a subkey or omitted at the end (sponge construction), makes you unable to revert it efficiently once it gets looped a sufficient number of times?

The best analogy I could come up with is a chaotic dynamical system, where any tiny change eventually gets amplified out of control (where the evolution of the two systems - changed and unchanged - no longer encodes any information about the change). And even though it is in a continuous domain where gradients can be analytically computed, after a certain point they either explode to infinity or vanish to 0.

There, there is the jargon of stretching and folding - the fractal dimension, how points get stretched out into the fractal dimension and then get folded back (this achieves a mixing of sorts, and eventually any two points, no matter how close, get further and further apart until eventually they completely dissociate as they each get sent into different parts of the attractor).

This seems similar to confusion and diffusion.

Is what's being done in cryptographic permutations the same phenomenon but in a discrete domain?

  • The most simple (but not perfectly correct) analogy is addition. If I give you the number "427601", you have no idea what two integers I added to get it, despite addition being a trivial, public operation. – forest Aug 30 '19 at 06:26
  • @forest But this analogy seems bad. A permutation is a one-to-one mapping, it perfectly preserves information. Addition does not. –  Aug 30 '19 at 06:29
  • Correct. It is a very simple analogy. I'm currently looking for a much better explanation, which I think I found on some site describing differential cryptanalysis. – forest Aug 30 '19 at 06:31
  • I would say what makes crypto permutations 'special' is that in most cases they are designed to be pseudo random permutations from the point of view of someone who doesn't have the key that selects the permutation. In other words, if we haven't observed anything then for an output y, all input $x$ have the same probability of being the input that gives this output. (The probabilities change after we observe a tuple $(x', y')$.) So reversing is difficult unless you have a lot of observations. Furthermore the permutations have very large input and output spaces. – Marc Ilunga Aug 30 '19 at 11:29
  • So an adversary will need an exponential number of observations before the posterior probabilities allow for brute force or something like that. This is what the CBC-MAC for example uses, a chaining of permutations seeded by a random IV. And we can show that CBC MAC is secure up to $q$ queries where $q$ is essentially exponential. A bit of an unorganized answer (in the comments). I can write it better later. ;) – Marc Ilunga Aug 30 '19 at 11:35
  • @MarcIlunga what you described unfortunately is perfectly obvious to anyone versed in the literature of the field. But it does not aid the intuition at all. An intuitive explanation for what makes pseudo-random permutations possible is the question. Why do confusion and diffusion occur? –  Aug 31 '19 at 22:54
  • @AlexAnuvin Are you aware of the concepts of confusion and diffusion? – forest Sep 01 '19 at 08:10
  • Anyway, this is an extremely good explanation (for hashes): https://crypto.stackexchange.com/q/45377/54184 – forest Sep 01 '19 at 08:19
  • @forest well this is better but still unsatisfying. First, when speaking of one-way functions the construction of the permutation must be a Feistel network. SPNs don't have one-way functions at all and achieve confusion and diffusion, how? Then the example of addition is highly problematic because while he says you can't solve for it all, with addition you actually can solve for everything trivially. –  Sep 01 '19 at 15:47
  • @AlexAnuvin Maybe https://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html will help for SPN. – forest Sep 02 '19 at 01:00
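As an added illustration of the question's "discrete stretching and folding" and of the confusion/diffusion point raised in the comments (this is a constructed toy, not code from the question or any of the commenters): a 16-bit substitution-permutation network in which the S-box layer is the non-linear "stretch" (confusion), the bit permutation is the "fold" that spreads every nibble across all four S-boxes of the next round (diffusion), and a subkey is XORed in each round. Each round is a bijection and is trivially invertible once the subkey is known, while a single flipped input bit spreads to roughly half the output bits after a few rounds. The S-box is the PRESENT S-box, the bit permutation is the one from Heys' SPN tutorial, and the subkeys are made up.

```python
"""Toy 16-bit SPN used to measure diffusion (constructed example)."""
import random

# PRESENT S-box (bijective, non-linear) and its inverse.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Heys' permutation: bit i -> 4*i mod 15 (bit 15 fixed), so the four output
# bits of one S-box land in four different S-boxes of the next round.
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]
INV_PERM = [PERM.index(i) for i in range(16)]
KEYS = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3]  # constructed subkeys


def sbox_layer(x, table=SBOX):
    """Confusion: apply the 4-bit S-box to each of the four nibbles."""
    return sum(table[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def perm_layer(x, table=PERM):
    """Diffusion: move bit i of x to position table[i]."""
    return sum(((x >> i) & 1) << table[i] for i in range(16))


def round_fn(x, k):
    """One round: key mixing, then confusion, then diffusion. Bijective."""
    return perm_layer(sbox_layer(x ^ k))


def inv_round(y, k):
    """Exact inverse of round_fn; it needs the subkey k to undo the XOR."""
    return sbox_layer(perm_layer(y, INV_PERM), INV_SBOX) ^ k


def encrypt(x, keys):
    for k in keys:
        x = round_fn(x, k)
    return x


def decrypt(y, keys):
    for k in reversed(keys):
        y = inv_round(y, k)
    return y


def avalanche(x, keys, bit):
    """Number of output bits that change when input bit `bit` is flipped."""
    return bin(encrypt(x, keys) ^ encrypt(x ^ (1 << bit), keys)).count("1")


def mean_avalanche(keys, samples=64, seed=1):
    """Average avalanche over all 16 single-bit flips of `samples` inputs."""
    rng = random.Random(seed)
    total = sum(avalanche(rng.getrandbits(16), keys, b)
                for _ in range(samples) for b in range(16))
    return total / (16 * samples)
```

With one round a single-bit flip can change at most the four bits of one S-box; with all five rounds the mean number of changed output bits approaches 8, i.e. the output no longer "remembers" which bit was flipped, which is the discrete counterpart of the chaotic-system intuition in the question.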
