26

Why is there a requirement for "non-linear functions" as a component of many popular block ciphers (e.g. the S-box in DES or 3DES)?

How does it make the cipher more secure?

The only intuition I have is that a non-linear function can have many roots (solutions). E.g. for a non-linear $y = F(x)$, if the attacker knows $y$ and wants to find $x$, there might be many choices which satisfy $y = F(x)$, hence it adds complexity at the attacker's end when he tries to make his way back (trace back) from ciphertext to plaintext.

Any references or detailed material are appreciated.

Paŭlo Ebermann
David

3 Answers

25

If a block cipher is linear with respect to some field, then, given a few known plaintext-ciphertext pairs, it is possible to recover the key using a simple Gaussian elimination. This clearly contradicts the security properties one expects from a secure block cipher.

cryptopathe
17

Here's the cryptography theory perspective.

We want block ciphers to resemble pseudo-random permutations (PRPs). PRPs are a desirable modeling goal because a block cipher under a given key is a permutation on the input, and a PRP is simply a random collection of permutations. The block cipher's key can never be better at creating permutations than an actual random sampling of them, but we want it to be as close as possible. Detectable deviation from PRP-like behavior is considered a weakness in a block cipher.

To compare a block cipher to a PRP we use the CPA model, where an attacker queries a black box with plaintext and receives the corresponding permuted output. They try to determine if the black box is choosing the ciphertext output by applying a random permutation or the given block cipher with an unknown key to the plaintext. If they guess correctly they win the game. If they can win the game with probability greater than 50% then they've broken the block cipher. (Look at these notes, pages 1 - 8, specifically 7, for a picture and a more precise definition of this model.)

An attacker can distinguish a block cipher from a PRP if said block cipher has linear properties. They can learn those linear properties and then query the black box with plaintexts that should produce certain properties in the ciphertext. If the black box replies with ciphertext that matches those expected properties for more than 50% of the input queries, then the attacker guesses that the black box houses the block cipher, because a random permutation would honor those linear properties with only 50% probability. (Otherwise, they guess that the black box is using a random permutation.) Then the attacker wins the distinguishing game.

Of course, if you're looking for a practical reason, this raises the question of why we care about PRP models to begin with.

B-Con
2

Almost all block ciphers perform some type of substitution and permutation in every round function. For AES, ShiftRows, MixColumns and AddRoundKey are linear operations; only the S-box operation is a nonlinear operation. If all operations in a round function were linear, then there would be no advantage in having multiple (10, 12, 14) iterative encryption rounds to produce the ciphertext from the plaintext, because all the linear operations can be replaced by just a single linear operation, which is the same as saying the AES encryption can be replaced with a single function. More importantly, when the attacker has plenty of plaintext and ciphertext pairs together with the derived linear function, it can perform Gaussian elimination for the key.

Radium