Score:2

ECB... lacks diffusion(?)

I noticed that the Wikipedia page for 'block cipher modes of encryption' states, "The disadvantage of this method is a lack of diffusion", referring to ECB mode for block cipher encryption.

From some reading, ECB takes identical plaintext blocks to identical ciphertext blocks, as long as the key does not change (making it insecure to use in general, as illustrated with the image of Tux the penguin on the aforementioned wiki page).

But my confusion is that this doesn't seem to have anything to do with diffusion? From reading,

Diffusion is an encryption operation where the influence of one plaintext symbol is spread over many ciphertext symbols with the goal of hiding statistical properties of the plaintext. [Paar, Understanding Cryptography 1st ed., 3.1.1]

Which seems to refer to the ability of an encryption method to obscure statistical properties such as those that arise in natural human language (for instance, letter frequencies) in order to stymie probabilistic attacks on the ciphertext.

Is there some other meaning/application of 'diffusion' that I'm not seeing at the moment?

fgrieu avatar
ng flag
Consider that in ECB encryption, a plaintext symbol is a block of the plaintext (in the sense block has for the block cipher), and things should start to make sense.
us flag
I agree. Criticizing ECB on the basis of "lacking diffusion" seems to miss the mark in my opinion. It is true that one plaintext block influences only one ciphertext block in ECB. But CTR mode has an even more extreme "lack of diffusion" yet is much more secure than ECB. One plaintext *bit* influences only one ciphertext *bit* in CTR.
kelalaka avatar
in flag
ECB doesn't have the IV-reuse problem that can remove confidentiality. ECB enables block identification and as a result frequency attacks.
user2357 avatar
us flag
The diffusion is on the level of each block alone. Even in the CBC, if you change the last block, it will affect no other blocks.
Score:2

I agree with your observation. The wiki's assessment of the weakness of ECB being a lack of diffusion is not very precise. I have a feeling that they're using diffusion in a generic sense, not the exact definition of diffusion in cryptography. Diffusion in the exact cryptographic sense happens inside the block cipher like AES.

What we need on the higher level (when we connect the block ciphers together, aka modes of operation) is randomization, not diffusion. Randomization, by using an IV or a nonce, makes sure that if an input (plaintext) is repeated, it will never produce the same output (ciphertext). This in fact gives us the notion of IND-CPA (indistinguishability against chosen-plaintext attack). So in brief, ECB is broken because it doesn't meet the IND-CPA notion, not because of lack of diffusion. In plain English, if I choose two plaintexts to be the same, I can easily distinguish the ciphertext (e.g. the Penguin example).

Wikipedia does not have the most precise language when it comes to cryptography. My advice, if you want to learn more about the symmetric modes of encryption, is to consult either the NIST SP800 Recommendation for Block Cipher Modes of Operation or Rogaway's Evaluation of Some Blockcipher Modes of Operation.
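
Added example, not part of the original thread: a measurement of the two properties discussed above, showing that ECB spreads a one-bit plaintext change across a whole block yet leaks repeated blocks, while CTR changes exactly one ciphertext bit yet hides the repetition. The block cipher is a toy 4-round Feistel permutation built from HMAC-SHA256 standing in for AES (an assumption made so the code runs with the standard library only), and the key, nonce and message are constructed sample values.

```python
import hashlib, hmac

BLOCK = 16  # block size in bytes

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation (HMAC-SHA256 round function); stand-in for AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Deterministic: each block is encrypted independently under the same key.
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def ctr_encrypt(key, nonce, pt):
    # Randomized by the 8-byte nonce: keystream block n = E(key, nonce || n).
    out = b""
    for n, b in enumerate(blocks(pt)):
        ks = encrypt_block(key, nonce + n.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(b, ks))
    return out

def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    bl = blocks(ct)
    return len(bl) - len(set(bl))

def bits_changed(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

KEY = bytes(range(16))                 # constructed sample key
NONCE = b"\x00" * 7 + b"\x01"          # constructed sample nonce
PT = b"ATTACK AT DAWN!!" * 4           # constructed: four identical 16-byte blocks
PT_FLIP = bytes([PT[0] ^ 1]) + PT[1:]  # same message with one bit flipped

if __name__ == "__main__":
    print("repeats  ECB:", repeated_blocks(ecb_encrypt(KEY, PT)),
          " CTR:", repeated_blocks(ctr_encrypt(KEY, NONCE, PT)))
    # Same nonce reused below only to measure how far one plaintext bit spreads.
    print("bit flip ECB:", bits_changed(ecb_encrypt(KEY, PT), ecb_encrypt(KEY, PT_FLIP)),
          " CTR:", bits_changed(ctr_encrypt(KEY, NONCE, PT), ctr_encrypt(KEY, NONCE, PT_FLIP)))
```

In ECB the flipped bit changes many bits, but only inside the first ciphertext block; the other three blocks stay identical to each other.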
