Shannon identified two properties — confusion and diffusion — as essential for secure ciphers. A cipher applies a complex substitution to each byte independently but never mixes bytes across positions. Which property is missing, and what attack does this enable?
Think about your answer, then reveal below.
Model answer: Diffusion is missing. Without mixing bytes across positions, each ciphertext byte depends only on the corresponding plaintext byte and the key. An attacker can mount a codebook attack on each byte position independently — with only 256 possible values per byte, each position can be broken by exhaustive search regardless of the overall key length. Diffusion ensures each plaintext bit influences many ciphertext bits, so local analysis is insufficient.
Confusion makes the relationship between key and ciphertext complex (achieved via S-boxes). Diffusion spreads the influence of each plaintext bit across the entire ciphertext block (achieved via permutation layers and MixColumns in AES). Both are needed: confusion without diffusion allows divide-and-conquer attacks; diffusion without confusion leaves the key-ciphertext relationship exploitably simple.
Question 2 Multiple Choice
AES uses a substitution-permutation network (SPN) rather than a Feistel network. What is the structural difference?
ASPN encrypts the entire block through substitution and permutation layers each round, while a Feistel network splits the block in half and processes only one half per round using the other half as input to a round function
BSPN uses only substitution operations while Feistel uses only permutations
CSPN requires the round function to be invertible while Feistel does not
DThere is no structural difference — SPN and Feistel are different names for the same design
In a Feistel network (used by DES), the block is split into left and right halves; each round applies a round function F to one half and XORs the result with the other half, then swaps. Crucially, F does not need to be invertible — decryption works by running rounds in reverse order. In an SPN (used by AES), the entire block passes through substitution (S-boxes), permutation, and mixing layers each round. Each layer must be invertible for decryption. AES chose SPN for better parallelism and stronger diffusion per round.
Question 3 True / False
A block cipher with a 128-bit key and 128-bit block size achieves perfect secrecy for single-block messages.
TTrue
FFalse
Answer: False
Shannon's theorem requires |K| >= |M| for perfect secrecy. Here |K| = 2^128 and |M| = 2^128, so the sizes match — but perfect secrecy also requires that for every (m, c) pair, exactly one key maps m to c. A block cipher is a keyed permutation, so each key defines a bijection on the block space. With 2^128 keys and 2^128! possible permutations, the cipher covers only a vanishing fraction of all permutations. Some (m, c) pairs may be unreachable by any key, giving them zero posterior probability. The cipher provides computational security, not perfect secrecy.
Question 4 Multiple Choice
Why is treating a block cipher as a pseudorandom permutation (PRP) the right security definition rather than requiring it to be a truly random permutation?
AA truly random permutation on 128-bit blocks would require storing 2^128 entries, which is physically impossible — so PRP captures the best achievable security: no efficient distinguisher can tell the cipher from a random permutation
BTruly random permutations are weaker than PRPs for cryptographic purposes
CThe PRP definition is easier to prove but provides weaker guarantees
DBlock ciphers are not actually permutations since they can map two inputs to the same output
A truly random permutation on {0,1}^128 is a uniformly random bijection — specifying it requires roughly 128 * 2^128 bits, far beyond any physical storage. A block cipher with a 128-bit key selects from only 2^128 permutations. The PRP definition acknowledges this gap and asks for the best possible property: no polynomial-time algorithm with oracle access can distinguish the cipher (under a random key) from a truly random permutation with non-negligible advantage. This is the computational analogue of perfect secrecy for permutations.
Question 5 True / False
DES was broken primarily because its 56-bit key was too short for brute force, not because of fundamental design flaws in the Feistel structure.
TTrue
FFalse
Answer: True
The Feistel structure of DES remains sound — 3DES (triple-DES), which applies DES three times with different keys to achieve 112-bit effective key length, was used securely for decades. DES fell because 2^56 operations became feasible: the EFF's Deep Crack machine brute-forced a DES key in 22 hours in 1998. This illustrates that key length is a separate concern from cipher structure, and why AES was designed with 128, 192, and 256-bit key options.