[Cryptography] If diffusion is perfect how much confusion do you really need?

Ray Dillinger bear at sonic.net
Mon Jun 1 16:05:38 EDT 2015 

(warning: cipher design post)

Let's say, in theory, that I have a "perfect" diffusion mechanism
that can be defined for blocks of many different sizes.  I'm denoting
it as a "D-box."  I think that I may ACTUALLY have one (defined
using modular multiplication and some bit-slicing), but right now
I'm not asking whether mine is actually a perfect D-box; I'm asking
what the value of a perfect D-box would be.

If I send a block of data through a D-box, the result is an output
the same size as the block, in which every bit of input has an
absolutely equal and nonlinear influence on every bit of the
output.  Flip any nonempty subset of input bits, and roughly half
of the output bits will change.

But this mechanism which provides perfect diffusion, provides no
confusion whatsoever.  Like P-boxes, it is trivially reversible,
and anyone given the whole set of output bits can easily derive
all the input bits. I'll denote the reversed D-box as a "Xob-d".

Now, I believe, but could be wrong here, that if you have such a
"perfect" diffusion mechanism, you need very little confusion to
create a secure cipher.

in catenative notation, using no S-boxes whatsoever and xor as
a trivial, reversible method of combining message with key, I
can't think of a single attack that applies to this utterly
simple, fast, three-and-a-half round construction:

M > ^key | D-box | ^key | D-box | ^key | D-box | ^key = C

And the decryption is in fact the very same operation using the
reversed D-boxes:

C > ^key | Xob-d | ^key | Xob-d | ^key | Xob-d | ^key = M




So far my cipher design ideas have fallen into very few categories:

A) Sent to /dev/null when I figured out how to break them.
   (by FAR the majority)

B) Broken by people smarter or more knowledgeable than me.
   (relatively few)

C) secure (provably as secure as some off-the-shelf
   PRNG or other cipher I used as a primitive) and with
   interesting properties, but too slow or requiring too
   much state to be advantageous over existing ciphers.
   (mostly thought experiments)

D) Built out of off-the-shelf components and suitable for a
   protocol with odd requirements but too specialized and
   not fast enough to be of general use (what people very
   occasionally pay me for doing).

But I think this is different.  This is a construction I'm
actually confident in for mathematical reasons, and it's
fast, and it requires very little state, and it's general,
and it could be ridiculously fast (and small) in silicon,
and it's so simple that it would be easy to get right.

Am I hallucinating here?  Can anybody put this firmly in
category B, or should I start writing a paper and some code
to submit for the next design competition?  Surely this is
too simple to've not been considered and debunked by someone
smarter than me.

			Bear


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150601/91a0ed6a/attachment.sig>

More information about the cryptography mailing list