Avalanche functions (by )

Why is this a good thing? Well, suppose we just encrypted each mini-block of the block with the mini-cipher under the same key, independently. Say the attacker finds out that bytes 5-8 of the plaintext hold the amount of money to be moved in a transaction, and that the encryption uses a four-byte mini-block, so the amount sits exactly in the second mini-block. They use any of a number of techniques to cause somebody to send them a small sum of money, then lie in wait in a BT manhole outside the bank until they see a packet they suspect to be their transaction coming in, and flip a few bits of the second mini-block (bytes 5, 6, 7 and 8). Because each mini-block is decrypted on its own, the account and the rest of the message come out untouched, while the corrupted mini-block decrypts to an effectively random four-byte value, which is very likely to be a much larger number in the amount field than should be there...

Ok, that attack can be circumvented in a number of ways without messing with the crypto (checking the message with a MAC, for instance), but a more insidious danger of this way of building a variable-size block cipher out of a fixed-size one (known in the trade as ECB, or Electronic Code Book mode) is that many messages will quite likely have the same values in certain places in the plaintext, and under ECB identical plaintext mini-blocks always encrypt to identical ciphertext mini-blocks while the key stays the same. If the attacker can guess these locations, then by comparing the corresponding mini-blocks of the ciphertext across several messages they can tell which messages share those values; and once they learn, or can arrange, the plaintext behind a particular ciphertext mini-block (a "known plaintext attack"), they can recognise it, and substitute it, wherever it turns up again, without ever recovering the key.
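To make both ECB weaknesses concrete, here is an added example (my code, not the post's own): a toy keyed 4-byte mini-cipher (a 16-round Feistel network, constructed purely for illustration and not secure) applied in ECB mode to a constructed 12-byte transfer message whose amount sits in bytes 5-8. It shows that flipping bits in the second ciphertext mini-block changes only the decrypted amount while the account and memo survive intact, and that two messages with the same amount produce identical ciphertext in that position. The message layout, field values and key are all assumptions made for the example.

```python
import struct
from typing import List, Tuple

MASK16 = 0xFFFF

# Constructed toy 4-byte "mini-cipher": a 16-round Feistel network on a 32-bit
# block with a 32-bit key. Any Feistel network is a bijection, which is all the
# demonstration needs; the round function is deliberately simple.

def _round_fn(half: int, subkey: int) -> int:
    x = (half ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16          # multiply-add mixing
    return ((x << 5) | (x >> 11)) & MASK16       # 16-bit rotate left by 5

def _subkeys(key: int) -> List[int]:
    return [((key >> (16 * (r % 2))) + r * 0x9E37) & MASK16 for r in range(16)]

def encrypt_block(block: bytes, key: int) -> bytes:
    l, r = struct.unpack(">HH", block)
    for k in _subkeys(key):
        l, r = r, l ^ _round_fn(r, k)
    return struct.pack(">HH", r, l)              # swap halves so decrypt is the same loop

def decrypt_block(block: bytes, key: int) -> bytes:
    l, r = struct.unpack(">HH", block)
    for k in reversed(_subkeys(key)):
        l, r = r, l ^ _round_fn(r, k)
    return struct.pack(">HH", r, l)

# ECB: every 4-byte mini-block is enciphered independently under the same key.

def ecb_encrypt(plaintext: bytes, key: int) -> bytes:
    assert len(plaintext) % 4 == 0, "example assumes whole mini-blocks, no padding"
    return b"".join(encrypt_block(plaintext[i:i + 4], key) for i in range(0, len(plaintext), 4))

def ecb_decrypt(ciphertext: bytes, key: int) -> bytes:
    assert len(ciphertext) % 4 == 0
    return b"".join(decrypt_block(ciphertext[i:i + 4], key) for i in range(0, len(ciphertext), 4))

# Constructed message layout (assumption): bytes 1-4 account, 5-8 amount, 9-12 memo.

def make_transfer(account: int, amount: int, memo: bytes) -> bytes:
    return struct.pack(">II", account, amount) + memo[:4].ljust(4, b"\0")

def flip_amount_block(ciphertext: bytes) -> bytes:
    """The attacker in the manhole: flip a few bits of mini-block 2 only."""
    c = bytearray(ciphertext)
    c[4] ^= 0x01
    c[6] ^= 0x80
    return bytes(c)

def tamper_and_decrypt(key: int, amount: int) -> Tuple[int, int, bytes]:
    """Encrypt a transfer, flip bits in the amount's ciphertext mini-block,
    decrypt, and return (account, amount, memo) as the bank would see them."""
    ct = ecb_encrypt(make_transfer(1234, amount, b"rent"), key)
    pt = ecb_decrypt(flip_amount_block(ct), key)
    account, seen_amount = struct.unpack(">II", pt[:8])
    return account, seen_amount, pt[8:]

def repeated_blocks_match(key: int) -> bool:
    """Two transfers that differ everywhere except the amount share the same
    ciphertext in bytes 5-8: the pattern-leak that makes ECB a codebook."""
    c1 = ecb_encrypt(make_transfer(1111, 500, b"rent"), key)
    c2 = ecb_encrypt(make_transfer(2222, 500, b"food"), key)
    return c1[4:8] == c2[4:8] and c1[0:4] != c2[0:4] and c1[8:12] != c2[8:12]

if __name__ == "__main__":
    key = 0xDEADBEEF                              # assumed key
    print("bank sees (account, amount, memo):", tamper_and_decrypt(key, 5))
    print("same amount -> same ciphertext mini-block:", repeated_blocks_match(key))
```

The tampered amount is unpredictable but is guaranteed to differ from the original, because the mini-cipher is a permutation: a different ciphertext mini-block can only decrypt to a different plaintext mini-block. Nothing about the other two mini-blocks changes, which is exactly the block independence the text describes.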

Pages: 1 2 3 4 5 6 7 8

2 Comments

  • By Ketos, Tue 8th May 2007 @ 9:56 pm

    This function really doesn't work very well. What has happened is that each output subblock is the input subblock XORed with the sum of all of the input subblocks. Hence you retain pattern (I_i is the ith input block, O_i is the ith output block):

        O_i = I_1 + ... + I_{i-1} + I_{i+1} + ... + I_n
            = I_1 + ... + I_{i-1} + I_{i+1} + ... + I_n + I_i + I_i   (because XORing twice makes no difference)
            = Sum + I_i

    Hence O_i + O_j = Sum + I_i + Sum + I_j = I_i + I_j. This property will be retained through multiple repetitions. For lots of data (esp. text or other structured stuff) these XOR differences let you reproduce the plaintext.

  • By alaric, Thu 10th May 2007 @ 4:30 pm

    Yep - it's not a cryptosystem in itself (there's no key, for a start!). It's just a way of diffusing changes. There's certainly no advantage in multiple repetitions since it's self inverting...

    However, if you have a small fixed-block-size cipher with decent properties (e.g. AES) and want to apply it to an arbitrarily sized block, you can apply it to each subblock in parallel, then diffuse dependencies by using the XOR avalanche function, then apply AES to each subblock once more, diffuse again, AES again. Three rounds of AES is certainly the minimum required for security, maybe more.

    Think of it as a mode rather than as a cipher 😉
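As an added example illustrating the identity in Ketos's comment (my code, not the post's or the commenters'): the XOR avalanche function as Ketos describes it, applied to four constructed 4-byte subblocks, with a check that O_i ^ O_j == I_i ^ I_j for every pair and a routine that uses that leak to recover every input subblock once a single one is known. The sample subblocks are constructed for the example.

```python
from typing import List

def xor_avalanche(blocks: List[int]) -> List[int]:
    """Each output subblock is the input subblock XORed with the XOR-sum of all
    input subblocks (equivalently, the XOR of all the *other* subblocks)."""
    total = 0
    for b in blocks:
        total ^= b
    return [b ^ total for b in blocks]

def pairwise_xor_leak(blocks: List[int]) -> bool:
    """Ketos's identity: O_i ^ O_j == I_i ^ I_j for every pair (i, j), so the
    XOR differences between subblocks pass through the function unchanged."""
    out = xor_avalanche(blocks)
    n = len(blocks)
    return all(out[i] ^ out[j] == blocks[i] ^ blocks[j]
               for i in range(n) for j in range(n))

def is_self_inverse(blocks: List[int]) -> bool:
    """Does applying the function twice give the input back?"""
    return xor_avalanche(xor_avalanche(blocks)) == blocks

def recover_from_one_known(out: List[int], known_index: int, known_value: int) -> List[int]:
    """Exploit the leak: with one input subblock I_i known, every other input is
    I_j = I_i ^ (O_i ^ O_j), since O_i ^ O_j == I_i ^ I_j."""
    return [known_value ^ out[known_index] ^ o for o in out]

# Constructed sample: a 16-byte message split into four 4-byte subblocks.
SAMPLE_BLOCKS = [int.from_bytes(w, "big") for w in (b"pay ", b"$100", b" to ", b"bob!")]

if __name__ == "__main__":
    out = xor_avalanche(SAMPLE_BLOCKS)
    print("outputs:", [o.to_bytes(4, "big") for o in out])
    print("pairwise XOR leak holds:", pairwise_xor_leak(SAMPLE_BLOCKS))
    # Guess that the first subblock is b"pay " and recover the whole message.
    recovered = recover_from_one_known(out, 0, SAMPLE_BLOCKS[0])
    print("recovered:", b"".join(b.to_bytes(4, "big") for b in recovered))
```

One caveat worth checking before using this function as the diffusion step of a mode: with an odd number of subblocks the XOR-sum of the outputs is always zero, so the map is not even invertible (a single subblock always maps to zero), and "self-inverting" holds only for an even number of subblocks. The leak itself is why, in the mode sketched in the comment above, a keyed cipher has to sit on both sides of every avalanche step.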


Creative Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales