{{Short description|Properties of the operation of a secure cipher}}
{{More citations needed|date=April 2009}}
In [[cryptography]], '''confusion''' and '''diffusion''' are two properties of a secure [[cipher]] identified by [[Claude Elwood Shannon|Claude Shannon]] in his 1945 classified report ''A Mathematical Theory of Cryptography''.<ref>{{Cite book|title=Model Based Inference in the Life Sciences: A Primer on Evidence|date=2008-01-01|publisher=Springer New York|isbn=9780387740737|pages=51–82|language=en|doi=10.1007/978-0-387-74075-1_3|chapter=Information Theory and Entropy}}</ref> These properties, when present, work together to thwart the application of [[statistics]] and other methods of [[cryptanalysis]].

Confusion in a [[symmetric cipher]] is obscuring the local correlation between the input ([[plaintext]]) and the output ([[ciphertext]]) by varying the application of the [[Key (cryptography)|key]] to the data, while diffusion is hiding the plaintext statistics by spreading them over a larger area of ciphertext.{{sfn|Stamp|Low|2007|p=182}}

Although ciphers can be confusion-only ([[substitution cipher]], [[one-time pad]]) or diffusion-only ([[transposition cipher]]), any "reasonable" [[block cipher]] uses both confusion and diffusion.{{sfn|Stamp|Low|2007|p=182}} These concepts are also important in the design of [[cryptographic hash function|cryptographic hash functions]] and [[pseudorandom number generator]]s, where decorrelation of the generated values is the main feature. Diffusion (and its [[avalanche effect]]) is also applicable to [[non-cryptographic hash function]]s.

==Definition==

===Confusion===
Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.<ref name=":0">{{Cite journal|last=Shannon|first=C. E.|date=October 1949|title=Communication Theory of Secrecy Systems|url=https://ieeexplore.ieee.org/document/6769090|journal=Bell System Technical Journal|language=en|volume=28|issue=4|pages=656–715|doi=10.1002/j.1538-7305.1949.tb00928.x|url-access=subscription}}</ref> The property of confusion hides the relationship between the ciphertext and the key. This makes it difficult to recover the key from the ciphertext: if a single bit of the key is changed, most or all of the bits of the ciphertext should be affected. Confusion increases the ambiguity of the ciphertext and is used by both block and stream ciphers. In [[substitution–permutation network]]s, confusion is provided by [[substitution box]]es.{{sfn|Liu|Rijmen|Leander|2018|p=1}}

===Diffusion===
Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then about half of the plaintext bits should change.<ref>{{cite book|last1=Stallings|first1=William|title=Cryptography and Network Security|date=2014|publisher=Prentice Hall|location=Upper Saddle River, N.J.|isbn=978-0133354690|pages=67–68|edition=6th}}</ref> This is equivalent to the expectation that encryption schemes exhibit an [[avalanche effect]]. The purpose of diffusion is to hide the statistical relationship between the ciphertext and the plaintext. For example, diffusion ensures that any patterns in the plaintext, such as redundant bits, are not apparent in the ciphertext.<ref name=":0"/> Block ciphers achieve this by "diffusing" the information about the plaintext's structure across the rows and columns of the cipher state. In substitution–permutation networks, diffusion is provided by [[permutation box]]es (also called the permutation layer{{sfn|Liu|Rijmen|Leander|2018|p=1}}).
By the beginning of the 21st century a consensus had emerged among designers that the permutation layer should consist of [[Linearity#Boolean functions|linear Boolean functions]], although nonlinear functions can be used too.{{sfn|Liu|Rijmen|Leander|2018|p=1}}

==Theory==
In Shannon's original definitions, ''confusion'' refers to making the relationship between the [[ciphertext]] and the [[symmetric key]] as complex and involved as possible; ''diffusion'' refers to dissipating the statistical structure of the [[plaintext]] over the bulk of the [[ciphertext]]. This complexity is generally implemented through a well-defined and repeatable series of ''substitutions'' and ''permutations''. Substitution refers to the replacement of certain components (usually bits) with other components, following certain rules. Permutation refers to manipulation of the order of bits according to some algorithm.

To be effective, any non-uniformity of plaintext bits needs to be redistributed across much larger structures in the ciphertext, making that non-uniformity much harder to detect. In particular, for a randomly chosen input, if one flips the ''i''-th bit, then the probability that the ''j''-th output bit will change should be one half, for any ''i'' and ''j''; this is termed the [[Avalanche effect|strict avalanche criterion]]. More generally, one may require that flipping a fixed set of bits should change each output bit with probability one half.

One aim of confusion is to make it very hard to find the key even if one has a large number of plaintext–ciphertext pairs produced with the same key. Therefore, each bit of the ciphertext should depend on the entire key, and in different ways on different bits of the key. In particular, changing one bit of the key should change the ciphertext completely.
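The strict avalanche criterion described above (and the "about half of the bits" statement in the Definition section) can be measured directly. The following Python script is an added illustration, not part of the article or of any cipher's reference code: it builds a toy 16-bit substitution–permutation network (the 4-bit S-box and the bit transposition are those of Heys' tutorial SPN, chosen because they are small; the key schedule is simplified to independent random round keys) and estimates, for every pair (i, j), how often flipping input bit i flips output bit j. With a single round only four output bits can ever change, so most estimates are exactly 0; after six rounds every estimate is close to one half.

```python
import random

# Toy 16-bit substitution-permutation network, constructed for this illustration.
# The 4-bit S-box and the bit transposition are those of Heys' tutorial SPN;
# the key schedule is simplified to independent random round keys.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
PERM = [4 * (i % 4) + i // 4 for i in range(16)]  # bit i moves to bit PERM[i]
BLOCK_BITS = 16


def sub_layer(x):
    """Confusion: four 4-bit S-boxes applied in parallel to the 16-bit state."""
    return sum(SBOX[(x >> (4 * k)) & 0xF] << (4 * k) for k in range(4))

def perm_layer(x):
    """Diffusion: every S-box output bit is sent to a different S-box for the next round."""
    y = 0
    for i in range(BLOCK_BITS):
        if (x >> i) & 1:
            y |= 1 << PERM[i]
    return y

def encrypt(pt, round_keys):
    """One round = key mixing, then confusion, then diffusion; rounds = len(round_keys)."""
    x = pt
    for k in round_keys:
        x = perm_layer(sub_layer(x ^ k))
    return x

def flip_probabilities(rounds, samples=1000, seed=1):
    """Estimate P[output bit j changes | input bit i flipped] for every (i, j)."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(BLOCK_BITS) for _ in range(rounds)]
    counts = [[0] * BLOCK_BITS for _ in range(BLOCK_BITS)]
    for _ in range(samples):
        pt = rng.getrandbits(BLOCK_BITS)
        ct = encrypt(pt, keys)
        for i in range(BLOCK_BITS):
            diff = ct ^ encrypt(pt ^ (1 << i), keys)
            for j in range(BLOCK_BITS):
                counts[i][j] += (diff >> j) & 1
    return [[c / samples for c in row] for row in counts]

def sac_summary(rounds):
    """(min, mean, max) of the flip probabilities over all 256 (i, j) pairs."""
    probs = [p for row in flip_probabilities(rounds) for p in row]
    return min(probs), sum(probs) / len(probs), max(probs)
```

Comparing `sac_summary(1)` with `sac_summary(6)` shows why the criterion is only met after the confusion and diffusion layers have been iterated.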
==Practical applications==
The design of a modern [[block cipher]] uses both confusion and diffusion,{{sfn|Stamp|Low|2007|p=182}} with confusion changing data between the input and the output by applying a key-dependent non-linear transformation (linear transformations are easier to invert and thus easier to break). Confusion inevitably involves some diffusion,{{sfn|Daemen|Rijmen|2013|p=130}} so a design with a very wide-input [[S-box]] could provide the necessary diffusion properties,{{citation needed|date=April 2023}} but would be very costly to implement. Therefore, practical ciphers use relatively small S-boxes operating on small groups of bits ("bundles"{{sfn|Daemen|Rijmen|2013|p=20}}). For example, the design of AES uses 8-bit S-boxes, [[Serpent (cipher)|Serpent]] uses 4-bit ones, and [[BaseKing]] and [[3-way]] use 3-bit ones.{{sfn|Daemen|Rijmen|2013|p=21}} Small S-boxes provide almost no diffusion, so the resources are spent on simpler diffusion transformations.{{sfn|Daemen|Rijmen|2013|p=130}} For example, the [[wide trail strategy]] popularized by the [[Rijndael]] design involves a linear mixing transformation that provides high diffusion,{{sfn|Daemen|Rijmen|2013|p=126}} although the security proofs do not depend on the diffusion layer being linear.{{sfn|Liu|Rijmen|Leander|2018|p=2}}

One of the most researched cipher structures is the [[substitution-permutation network]] (SPN), where each [[Round (cryptography)|round]] includes a layer of local nonlinear permutations ([[S-box]]es) for confusion and a '''linear diffusion''' transformation (usually a multiplication by a matrix over a [[finite field]]).{{sfn|Li|Wang|2017}} Modern block ciphers mostly follow this confusion layer/diffusion layer model, with the efficiency of the diffusion layer estimated using the so-called [[branch number]], a numerical parameter that reaches the value <math>s+1</math> for {{mvar|s}} input bundles in the case of a perfect diffusion transformation.{{sfn|Sajadieh|Dakhilalian|Mala|Sepehrdad|2012}}
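To make the branch number concrete, here is an added Python example (not from the article and not any cipher's reference code) that computes it exhaustively for linear layers on four 4-bit bundles. The field GF(2^4) with polynomial x^4 + x + 1 is a constructed toy choice; the circulant matrix (2, 3, 1, 1) has the same shape as the AES MixColumns matrix, which works over GF(2^8) instead. The branch number is the minimum, over all nonzero inputs x, of the number of nonzero bundles in x plus the number of nonzero bundles in Mx; the circulant attains the optimum s + 1 = 5, a sparse layer that mixes only two bundles per output reaches 3, and the identity (no mixing) only 2.

```python
import itertools

MODULUS = 0b10011  # x^4 + x + 1, a constructed toy field for 4-bit bundles


def gf16_mul(a, b):
    """Multiply two elements of GF(2^4) = GF(2)[x] / (x^4 + x + 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= MODULUS
        b >>= 1
    return r

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]  # lookup table

def apply_layer(matrix, bundles):
    """Linear diffusion layer: multiply the vector of bundles by the matrix."""
    out = []
    for row in matrix:
        acc = 0
        for m, x in zip(row, bundles):
            acc ^= MUL[m][x]
        out.append(acc)
    return out

def active(v):
    """Number of active (nonzero) bundles, the weight the branch number counts."""
    return sum(1 for x in v if x)

def branch_number(matrix):
    """min over nonzero x of active(x) + active(M x), found by exhaustive search."""
    s = len(matrix)
    best = 2 * s
    for x in itertools.product(range(16), repeat=s):
        if not any(x) or active(x) >= best:
            continue  # zero input excluded; an input already this heavy cannot improve
        best = min(best, active(x) + active(apply_layer(matrix, x)))
    return best

# Constructed diffusion layers on s = 4 bundles:
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # AES-shaped circulant
SPARSE = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [1, 0, 0, 1]]  # each output mixes 2 bundles
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]  # no mixing at all
```

A single active input bundle into `MDS` activates all four output bundles, which is exactly the property the wide trail strategy relies on to force many active S-boxes per round.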
Since the transformations that have high branch numbers (and thus require a lot of bundles as inputs) are costly in implementation, the diffusion layer is sometimes (for example, in AES) composed of two sublayers: "local diffusion", which processes subsets of the bundles in a [[Bricklayer function|bricklayer]] fashion (each subset is transformed independently), and "dispersion", which makes bits that were "close" (within one subset of bundles) become "distant" (spread to different subsets, so that they are locally diffused within these new subsets in the next round).{{sfn|Daemen|Rijmen|2013|p=131}}

===Analysis of AES===
{{Unreferenced section|date=June 2019}}
The [[Advanced Encryption Standard]] (AES) has both excellent confusion and diffusion. Its confusion look-up tables are very non-linear and good at destroying patterns.<ref>{{Cite book|title=Cryptography and Network Security: Principles and Practice, Global Edition|last=Stallings|first=William|publisher=Pearson|year=2017|isbn=978-1292158587|pages=177}}</ref> Its diffusion stage spreads every part of the input to every part of the output: changing one bit of input changes half the output bits on average. Both confusion and diffusion are repeated multiple times for each input to increase the amount of scrambling. The secret key is mixed in at every stage so that an attacker cannot precompute what the cipher does.

None of this happens with a simple one-stage scramble based on a key. Input patterns would flow straight through to the output. It might look random to the eye, but analysis would find obvious patterns and the cipher could be broken.

==See also==
* [[Algorithmic information theory]]
* [[Avalanche effect]]
* [[Substitution–permutation network]]

==References==
{{Reflist}}

==Sources==
* Claude E. Shannon, [https://www.iacr.org/museum/shannon45.html "A Mathematical Theory of Cryptography"], Bell System Technical Memo MM 45-110-02, September 1, 1945.
* Claude E. Shannon, "[[Communication Theory of Secrecy Systems]]", ''Bell System Technical Journal'', vol. 28–4, pages 656–715, 1949. [http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf] {{Webarchive|url=https://web.archive.org/web/20070605092733/http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf |date=2007-06-05 }}
* Wade Trappe and Lawrence C. Washington, ''Introduction to Cryptography with Coding Theory. Second edition.'' Pearson Prentice Hall, 2006.
* {{cite journal |last1=Li |first1=Chaoyun |last2=Wang |first2=Qingju |title=Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices |journal=IACR Transactions on Symmetric Cryptology |date=2017 |volume=1 |pages=129–155 |doi=10.13154/tosc.v2017.i1.129-155 |url=https://www.esat.kuleuven.be/cosic/publications/article-2752.pdf}}
* {{cite book |title=Fast Software Encryption |last1=Sajadieh |first1=Mahdi |last2=Dakhilalian |first2=Mohammad |last3=Mala |first3=Hamid |last4=Sepehrdad |first4=Pouyan |chapter=Recursive Diffusion Layers for Block Ciphers and Hash Functions |date=2012 |pages=385–401 |publisher=Springer Berlin Heidelberg |issn=0302-9743 |eissn=1611-3349 |doi=10.1007/978-3-642-34047-5_22 |url=https://iacr.org/workshops/fse2012/FSEpreproceedings/PDF/18.pdf}}
* {{cite book |first1=Joan |last1=Daemen |first2=Vincent |last2=Rijmen |date=9 March 2013 |title=The Design of Rijndael: AES - The Advanced Encryption Standard |publisher=Springer Science & Business Media |isbn=978-3-662-04722-4 |oclc=1259405449 |url=https://cs.ru.nl/~joan/papers/JDA_VRI_Rijndael_2002.pdf}}
* {{cite book |first1=Mark |last1=Stamp |first2=Richard M. |last2=Low |date=15 June 2007 |title=Applied Cryptanalysis: Breaking Ciphers in the Real World |publisher=John Wiley & Sons |isbn=978-0-470-14876-1 |oclc=1044324461 |url=https://books.google.com/books?id=buVGyPNbwJUC}}
* {{cite journal |last1=Liu |first1=Yunwen |last2=Rijmen |first2=Vincent |last3=Leander |first3=Gregor |title=Nonlinear diffusion layers |journal=Designs, Codes and Cryptography |date=20 January 2018 |volume=86 |issue=11 |pages=2469–2484 |issn=0925-1022 |eissn=1573-7586 |doi=10.1007/s10623-018-0458-5 |url=https://www.esat.kuleuven.be/cosic/publications/article-2868.pdf}}

{{Cryptography block}}

[[Category:Symmetric-key cryptography]]