Score:1

Crypto

Is there any fundamental difference between the block cipher operations encryption and decryption?

eddydee123

4/1/23, 5:56 PM

Is there any fundamental reason to designate one direction of a block cipher as "encryption" and the other "decryption"? Or are these arbitrary choices? Or perhaps practical decisions for specific cipher designs?

Put another way, if the designers of DES or AES had chosen to label what are known as "encryption" as "decryption" and vice versa, would the world be any different?

Is it that there is an indistinguishability proof/argument for $E_k(m0)$ vs. $E_k(m1)$ while there is no such for $D_k(m0)$ vs. $D_k(m1)$?

Or perhaps $E$ has different performance characteristics than $D$, and some assumption has been made about the relative frequency of one operation vs. the other?

e.g. for AES encryption is apparently more efficient than decryption, and some assumption has been made that it's more important to be able to encrypt quickly than to decrypt (not sure why that should be so...)

111

0 + 0

encryption

block-cipher

pseudo-random-permutation

decryption

kelalaka

4/1/23, 6:04 PM

No, we just want both of them efficient. The small difference is there due to the design.

eddydee123

4/1/23, 6:06 PM

@kelalaka can you clarify what you mean by "due to the design" - is this a deliberate design choice? Or an accidental outcome of the way the AES cipher is designed?

kelalaka

4/1/23, 6:14 PM

With a little search in out site; [AES encryption takes more time to decrypt than encrypt](https://crypto.stackexchange.com/q/14978/18298)

eddydee123

4/1/23, 6:20 PM

@kelalaka Would you like to post an answer including the quote from the discussion you referenced "MACs only need the encryption primitive, and even some encryption/decryption algorithms (CTR, EAX) only use the encryption primitive of the underlying block cipher. So the Rijndael algorithm was optimised for encryption speed over decryption speed". Except that that statement is made without any reference, so it's not clear if it's fact or opinion

Maarten Bodewes

4/1/23, 9:18 PM

It would be very strange for a (keyed) pseudo random permutation (PRP) to be secure in one direction and not in the other.

eddydee123

4/2/23, 9:45 AM

@MaartenBodewes - very strange yes, but would it violate the security property of the PRP? If the attacker cannot make decryption queries (CPA but not CCA), then it seems this strange PRP would be secure

Score:4

Crypto

Daniel S

4/2/23, 7:13 AM

From a cryptanalytic point of view, there is only difference in the labelling of the attack assumptions. All modern block ciphers are designed to be secure against both CPA (chosen plaintext attacks) and CCA (chosen ciphertext attacks). A CPA attack on the encryption function is a CCA attack on the decryption function and vice-versa.

There's an argument to make the encryption function the quicker of the two as certain modes (Cipher Block Chaining) are parallelisable for the decryptor but not for the encryptor. Faster encryption now balances the clock time for the operations better. Other modes do not require decryption at all (Counter modes, Output Feedback mode). Block cipher designers like to produce designs that work well for all modes and so encryption faster than decryption is a legitimate, but not compulsory, design decision.

0 + 0

poncho

4/2/23, 2:47 PM

Fun fact: it is possible to implement CBC-mode encryption using the block cipher in the decrypt direction (you process the message in reverse order, working with the last block first, doing a CFB-style operation - still not parallelizable); hence, for CBC mode, it might make sense to make the 'decrypt' operation the more efficient one :-)

Daniel S

4/2/23, 3:49 PM

@poncho I'm not sure if I fully follow what you're describing. Is it written down somewhere?

poncho

4/2/23, 5:07 PM

Someone suggested it a few years ago here on crypto.stackexchange. The idea is fairly simple; assuming you have plaintext blocks $P_0, P_1, ..., P_n$, you select a random final ciphertext block $C_n$, and iteratively compute $C_{i-1} = P_i \oplus D_k( C_i )$; the final $C_{-1}$ value is the IV to send with the message. It is easy to see that if $C_n$ was selected uniformly at random, it generates ciphertexts/IVs with the same probability distribution as the normal CBC-mode implementation with a uniformly selected IV (and hence is equally secure)

Score:0

Crypto

Fractalice

4/2/23, 6:14 PM

There's no fundamental difference. We can even swap encryption and decryption functions, and nothing will happen:

$c = D_k(m), m = E_k(c).$

Of course, depending on cipher and implementation, one direction may be faster than the other.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is there any fundamental difference between the block cipher operations encryption and decryption?

TH: มีความแตกต่างพื้นฐานระหว่างการเข้ารหัสและถอดรหัสการดำเนินการเข้ารหัสบล็อกหรือไม่?

RO: Există vreo diferență fundamentală între criptarea și decriptarea operațiunilor de criptare bloc?

RU: Есть ли принципиальная разница между шифрованием операций блочного шифрования и дешифрованием?

VI: Có sự khác biệt cơ bản nào giữa mã hóa và giải mã hoạt động mật mã khối không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.