
Block ciphers use self-inverse ($f(f(x)) = x$) operations which are applied to the plaintext and most likely contain some constants which can be based on a key. To get security, operations which interpret the input in different ways are chained together. This process is repeated for multiple rounds with different keys. In the optimal case a random input lies inside a closed cycle (if the block cipher is applied over and over again) with a random cycle size (uniform, given a random key).

By testing around I noticed this can happen with just some very simple operations: XOR, bit rotation and addition (called ARX).

E.g.: for one round with input $m$:

$$ m = XOR(m, R_i) \\ m = RotateBit(m,5) \\ m = m + K_i $$

$R_i, K_i$ are round keys for round $i$.

  • XOR alone is not secure because that operation acts on single bits without any impact on each other.

  • Bit rotation is added to increase the impact of a single bit on every other bit. On its own it is also not secure because it also only has an impact on single bits.

  • Addition is added as a 2nd kind of input interpretation (as a number instead of bits). Here the bits can impact each other.

With this I got a fairly good (but not perfect) uniform distribution of the different cycle lengths (given a random key and input).


The question is: how many rounds need to be applied for security? It needs to be at least the total bit size so that every bit can reach every other position through bit rotation.

Here is a related thread for AES.

But, as a more general metric (for a custom block cipher), can the security be measured by the impact of a bit change in the input on every bit of the output?

In the optimal case every possible bit change of every possible input should lead to 50% different bits at the output (with each bit being different to the same extent).

The round number can be increased until it reaches a suitable level of security.

J. Doe

1 Answer


But, as a more general metric (for a custom block cipher), can the security be measured by the impact of a bit change in the input on every bit of the output?

Trivially no. If the block cipher's round function is linear, then no number of rounds will make inverting it any more difficult.

You also didn't describe whether you're talking about Confusion, Diffusion, or both.

Confusion defines a relationship between the key and the ciphertext: each bit of the ciphertext is dependent on many bits of the key, so that if any bit of the key is changed, approximately 50% of the bits of the ciphertext will change.

Diffusion defines a relationship between the plaintext and the ciphertext: each bit in the ciphertext is dependent on many bits of the plaintext, so that if any bit of the plaintext is changed, approximately 50% of the bits of the ciphertext will change.

Both are necessary, but not sufficient, for security. When combined with a non-linear round function you might get a decent block cipher, but even then it's possible for information to leak resulting in insecurity.

Also, block ciphers on their own are only at best IND-CPA secure (the weakest form of security) if exactly one block is encrypted with any given key. More blocks being encrypted means that any two identical plaintext blocks will have identical ciphertext, which is a break in the indistinguishability. To be IND-CPA secure a mode of operation like CTR mode (turning it into a stream cipher) or CBC mode (chaining ciphertext blocks) is required. But even that isn't "secure", since an attacker can alter the ciphertext and cause a victim to decrypt to get incorrect plaintext, so an Authenticated Encryption mode is needed for proper IND-CCA3 security. That'd be something like GCM, SIV, GCM-SIV, or OCB mode. And even that has some caveats, since such modes require a "nonce" (Number used ONCE) that eliminates (GCM, OCB) or reduces (GCM-SIV, SIV) security if re-used.

SAI Peregrinus
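Both the avalanche measurement the question proposes and the answer's objection that a linear round function is not rescued by more rounds can be checked with a small script. The following is an added example, not code from the question or the answer. It builds the question's round (XOR round key, rotate left by 5, add round key) on a 32-bit word, measures the fraction of output bits that flip per single-bit input change, and contrasts it with a control round that is linear over GF(2): that control reaches a good score on the same metric, yet one known plaintext/ciphertext pair lets an attacker decrypt any other ciphertext without the key. The 32-bit width, the PRNG-based key schedule, the round counts and the control mix are assumptions chosen for illustration; neither round function is a cipher to use.

```python
# Added example, not part of the original question or answer. Toy 32-bit ARX
# round per the question's description, the question's avalanche metric, and a
# linear control round that scores well on the metric but is broken with one
# known plaintext. Key schedule, width and round counts are assumptions.
import random

WIDTH = 32
MASK = (1 << WIDTH) - 1


def rotl(x, r):
    """Rotate a WIDTH-bit word left by r positions."""
    r %= WIDTH
    return ((x << r) | (x >> (WIDTH - r))) & MASK


def round_keys(seed, rounds):
    """Assumed key schedule: (R_i, K_i) word pairs from a seeded PRNG (a stand-in, not a KDF)."""
    rng = random.Random(seed)
    return [(rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)) for _ in range(rounds)]


def arx_encrypt(m, keys):
    """The question's round: m = XOR(m, R_i); m = RotateBit(m, 5); m = m + K_i.
    Only the modular addition is non-linear over GF(2)."""
    for r_i, k_i in keys:
        m ^= r_i
        m = rotl(m, 5)
        m = (m + k_i) & MASK
    return m


def linear_encrypt(m, keys):
    """Control round that is linear over GF(2): XOR the round key, then XOR the
    state with two rotated copies of itself (an invertible circulant mix).
    Every output bit is an XOR of input and key bits, so E(m) = A*m XOR c(keys)
    for a fixed matrix A that does not depend on the key."""
    for r_i, _ in keys:
        m ^= r_i
        m ^= rotl(m, 3) ^ rotl(m, 13)
    return m


def avalanche(encrypt, keys, trials=2000, seed=1):
    """Mean fraction of output bits that flip when one random input bit is
    flipped, over random inputs. The question's ideal value is 0.5."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        m = rng.getrandbits(WIDTH)
        diff = encrypt(m, keys) ^ encrypt(m ^ (1 << rng.randrange(WIDTH)), keys)
        total += bin(diff).count("1")
    return total / (trials * WIDTH)


def solve_gf2(cols, d):
    """Solve A*x = d over GF(2), where cols[i] = A*e_i, with an XOR basis that
    records which input bits produce each basis vector."""
    basis = [None] * WIDTH  # basis[p] = (vector whose top set bit is p, input combo giving it)
    for i, v in enumerate(cols):
        combo = 1 << i
        while v:
            p = v.bit_length() - 1
            if basis[p] is None:
                basis[p] = (v, combo)
                break
            v ^= basis[p][0]
            combo ^= basis[p][1]
        else:
            raise ValueError("A is singular")
    x = 0
    while d:
        p = d.bit_length() - 1
        d ^= basis[p][0]
        x ^= basis[p][1]
    return x


def break_linear_cipher(known_m, known_c, target_c, rounds):
    """Known-plaintext attack on linear_encrypt with no key material: since
    E(x) XOR E(y) = A*(x XOR y), the attacker rebuilds A under a key of its own
    choosing, maps the ciphertext difference back through A, and XORs the
    result onto the known plaintext. Extra rounds change nothing here."""
    own_keys = round_keys(0xDEADBEEF, rounds)  # arbitrary: A is the same for every key
    c0 = linear_encrypt(0, own_keys)
    cols = [linear_encrypt(1 << i, own_keys) ^ c0 for i in range(WIDTH)]
    return known_m ^ solve_gf2(cols, known_c ^ target_c)


if __name__ == "__main__":
    for rounds in (1, 4, 8, 16, 64):
        print(f"ARX {rounds:>2} rounds: avalanche = {avalanche(arx_encrypt, round_keys(42, rounds)):.3f}")
    for rounds in (7, 32):
        print(f"linear {rounds:>2} rounds: avalanche = {avalanche(linear_encrypt, round_keys(42, rounds)):.3f}")
    lin_keys = round_keys(42, 7)
    m_known, m_secret = 0x12345678, 0xCAFEBABE
    recovered = break_linear_cipher(m_known, linear_encrypt(m_known, lin_keys),
                                    linear_encrypt(m_secret, lin_keys), 7)
    print(f"linear cipher decrypted without the key: {recovered == m_secret}")
```

Two things to notice when running it. The ARX round climbs from a few percent at one round towards 0.5 as rounds are added, which is the behaviour the question describes, but nothing in that number says the construction resists a differential or algebraic attack. The linear control is the answer's point made concrete: its output difference is input-independent (A times the flipped bit), so 7 rounds give exactly 15/32 of the output bits flipping, a respectable-looking score, while the attack decrypts an arbitrary ciphertext from one known pair. The control also shows why "rounds ≥ bit size" is not a safe rule on its own: the mix is multiplication by 1 + x^3 + x^13 in GF(2)[x]/(x^32 - 1), so 32 rounds of it reduce to the identity and the 32-round cipher is just a constant XOR, with an avalanche of 1/32.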