How would one go about selecting an appropriate bijective function for introducing permutations into a cipher or hash?

For example, $f(x) = x+1 \bmod n$ is a bijective function, but isn't particularly good as a permutation, in that the outputs do not vary sufficiently when an input bit is changed.

The same applies to $f(X_i) = X_{\sigma(i)}$, where $\sigma(i) \equiv i+1 \pmod{|X|}$, i.e. a circular shift.

If I understand it correctly, modular exponentiation can be bijective if you select appropriate parameters, but it's rather slow.

Polynomial

1 Answer

It depends. There is no single answer, and no single recipe that works for all block ciphers. The permutation is chosen to work well with the rest of the block cipher design. Therefore, this question can't be answered in general. A question like "Why did cipher X use Y as its permutation?" would be more meaningful and more answerable.

For instance, some ciphers use a permutation to diffuse the bits, or to resist some kinds of attacks (e.g., algebraic attacks). As CodesInChaos says, often one chooses a permutation that is as fast as possible and just barely good enough to meet the other requirements.

D.W.
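As an added illustration (not part of the question or of D.W.'s answer), the Python script below makes the two points above measurable on a toy 16-bit domain: it checks exhaustively that a candidate map really is a bijection, and it estimates how well each candidate diffuses by counting how many output bits flip when a single input bit is flipped (a random permutation averages about half the width). It compares the question's `x + 1 mod n` and circular shift against an xorshift-and-odd-multiply mixer of my own construction; the function names, the mixing constants and the sample counts are my own choices and are not taken from any cipher.

```python
import random

# Toy domain: 16-bit words, so n = 2**16 and every candidate can be checked exhaustively.
BITS = 16
N = 1 << BITS
MASK = N - 1


def add_one(x):
    """The question's f(x) = x + 1 mod n."""
    return (x + 1) & MASK


def rotate_left(x, r=1):
    """Circular shift of bit positions: sigma(i) = i + 1 mod |X|."""
    return ((x << r) | (x >> (BITS - r))) & MASK


def xorshift_mul(x):
    """Hypothetical mixing bijection (my construction, not from any cipher).

    Each step is invertible on its own: xor-with-right-shift is a triangular
    linear map over GF(2), and multiplication by an ODD constant is invertible
    modulo 2**BITS. Composing invertible maps keeps the whole thing bijective.
    """
    x ^= x >> 7
    x = (x * 0x9E37) & MASK   # odd constant, chosen arbitrarily
    x ^= x >> 5
    x = (x * 0x4F1B) & MASK   # odd constant, chosen arbitrarily
    x ^= x >> 8
    return x


def even_mul(x):
    """Deliberately NOT a bijection: an even multiplier collapses distinct inputs."""
    return (x * 0x9E36) & MASK


def is_bijection(f):
    """Exhaustive check: a map on a finite set is bijective iff it is injective."""
    return len({f(x) for x in range(N)}) == N


def avalanche(f, samples=2000, seed=1):
    """Average number of output bits that flip when one input bit is flipped.

    A random permutation scores about BITS/2; a value near 1 means each input
    bit only reaches one output bit, which is the weakness the question describes.
    The inputs are constructed here from a fixed-seed PRNG so runs are repeatable.
    """
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        x = rng.randrange(N)
        fx = f(x)
        for i in range(BITS):
            total += bin(fx ^ f(x ^ (1 << i))).count("1")
    return total / (samples * BITS)


if __name__ == "__main__":
    candidates = [("x+1 mod n", add_one), ("rotate", rotate_left),
                  ("xorshift-mul", xorshift_mul), ("even multiplier", even_mul)]
    for name, f in candidates:
        bij = is_bijection(f)
        ava = avalanche(f) if bij else float("nan")
        print(f"{name:16s} bijective={bij!s:5s} avalanche={ava:.2f} (ideal {BITS / 2})")
```

The exhaustive bijectivity check is only feasible because the domain is tiny; for a real word size one relies on the structural argument in the docstring (each component step is invertible) rather than enumeration. The avalanche score is a coarse diffusion measure, which is exactly the kind of "barely good enough for the rest of the design" criterion the answer refers to, not a proof of resistance to any particular attack.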