Jump to content

Avalanche effect

From Wikipedia, the free encyclopedia
This article is about cryptography. For other uses, see Snowball effect and Avalanche (disambiguation).

In cryptography, the avalanche effect is the desirable property of cryptographic algorithms, typically block ciphers[1] and cryptographic hash functions, wherein if an input is changed slightly (for example, flipping a single bit), the output changes significantly (e.g., half the output bits flip). In the case of high-quality block ciphers, such a small change in either the key or the plaintext should cause a drastic change in the ciphertext. The actual term was first used by Horst Feistel,[1] although the concept dates back to at least Shannon's diffusion.

The SHA-1 hash function exhibits good avalanche effect. When a single bit is changed the hash sum becomes completely different.

If a block cipher or cryptographic hash function does not exhibit the avalanche effect to a significant degree, then it has poor randomization, and thus a cryptanalyst can make predictions about the input, being given only the output. This may be sufficient to partially or completely break the algorithm. Thus, the avalanche effect is a desirable condition from the point of view of the designer of the cryptographic algorithm or device. Failure to incorporate this characteristic leads to the hash function being exposed to attacks including collision attacks, length extension attacks, and preimage attacks.[2]

Constructing a cipher or hash to exhibit a substantial avalanche effect is one of the primary design objectives, and mathematically the construction takes advantage of the butterfly effect.[3] This is why most block ciphers are product ciphers. It is also why hash functions have large data blocks. Both of these features allow small changes to propagate rapidly through iterations of the algorithm.

Strict avalanche criterion

[edit]

The strict avalanche criterion (SAC) is a formalization of the avalanche effect. It is satisfied if, whenever a single input bit is flipped, each of the output bits changes with a 50% probability. More precisely, it is satisfied if, for all bit positions i and j, when a random input X is selected, there is a 50% chance that f(X) and f(Xi) differ at position j, where Xi is X with the bit at position i flipped.[4] The SAC builds on the concepts of completeness and avalanche and was introduced by Webster and Tavares in 1985.[5]

At least one alternative definition of the strict avalanche criterion exists in the literature. Vaughn and Borowczak define the criterion as being satisfied if, when two random inputs X and Y are selected which differ in exactly one position, the Hamming distance between f(X) and f(Y) is distributed according to the binomial distribution B(n, 1/2), where n is the number of bits in X or Y.[6]

Higher-order generalizations of SAC involve multiple input bits. Boolean functions which satisfy the highest order SAC are always bent functions, also called maximally nonlinear functions, also called "perfect nonlinear" functions.[7]

Bit independence criterion

[edit]

The bit independence criterion (BIC) states that output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.[8]

See also

[edit]

References

[edit]
  1. ^ a b Feistel, Horst (1973). "Cryptography and Computer Privacy". Scientific American. 228 (5): 15–23. Bibcode:1973SciAm.228e..15F. doi:10.1038/scientificamerican0573-15.
  2. ^ Upadhyay, D., Gaikwad, N., Zaman, M., & Sampalli, S. (2022). Investigating the Avalanche Effect of Various Cryptographically Secure Hash Functions and Hash-Based Applications. IEEE Access, 10, 112472–112486. https://doi.org/10.1109/ACCESS.2022.3215778
  3. ^ Al-Kuwari, Saif; Davenport, James H.; Bradford, Russell J. (2011). Cryptographic Hash Functions: Recent Design Trends and Security Notions. Inscrypt '10.
  4. ^ Webster, A.F., Tavares, S.E. (1986). On the Design of S-Boxes. In: Williams, H.C. (eds) Advances in Cryptology — CRYPTO ’85 Proceedings. CRYPTO 1985. Lecture Notes in Computer Science, vol 218. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39799-X_41. Retrieved 16 May 2026.
  5. ^ Webster, A. F.; Tavares, Stafford E. (1985). "On the design of S-boxes". Advances in Cryptology – Crypto '85. Lecture Notes in Computer Science. Vol. 218. New York, NY: Springer-Verlag New York, Inc. pp. 523–534. ISBN 0-387-16463-4.
  6. ^ Vaughn, R.; Borowczak, M. Strict Avalanche Criterion of SHA-256 and Sub-Function-Removed Variants. Cryptography 2024, 8, 40. https://doi.org/10.3390/cryptography8030040. Retrieved 16 May 2026.
  7. ^ Adams, C. M.; Tavares, S. E. (January 1990). The Use of Bent Sequences to Achieve Higher-Order Strict Avalanche Criterion in S-box Design (Report). Technical Report TR 90-013. Queen's University. CiteSeerX 10.1.1.41.8374.
  8. ^ William, Stallings (2016). Cryptography and network security : principles and practice (Seventh ed.). Boston. p. 136. ISBN 9780134444284. OCLC 933863805.{{cite book}}: CS1 maint: location missing publisher (link)
[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=Avalanche_effect&oldid=1354479388"