"our guys" provides no information about the strength of the cipher as seen by our Opponents. Increasing Probable Strength and Reducing Possible Loss Technical strength is just one of the many possibilities for weakness in a cipher system, and perhaps even the least likely. It is surprisingly difficult to construct a cipher system without "holes," despite using good ciphers, and The Opponents get to exploit any overlooked problems. Users must be educated in security, and must actively keep secrets or there will be nothing to protect. In contrast, cryptanalysis is very expensive, success is never assured, and even many of the known attacks are essentially impossible in practice. Nevertheless, it is a disturbing fact that we do not know and cannot guarantee a "true" strength for any cipher. But there are approaches which may reduce the probability of technical weakness and the extent of any loss: 1. We can extrapolate various attacks beyond weakness levels actually shown, and thus possibly avoid some weak ciphers. 2. We can use systems that change ciphers periodically. This will reduce the amount of information under any one cipher, and so limit the damage if that cipher is weak. 3. We can use multiple encryption with different keys and different ciphers as our standard mode. In this way, not just one but multiple ciphers must each be penetrated simultaneously to expose the protected data. 4. We can use systems that allow us to stop using ciphers when they are shown weak, and switch to others. Kinds of Cipher Strength In general, we can consider a cipher to be a large key-selected transformation between plaintext and ciphertext, with two main types of strength:  One type of "strength" is an inability to extrapolate from known parts of the transformation (e.g., known plaintext) to model or even approximate the transformation at new points of interest (message ciphertexts).  Another type of "strength" is an inability to develop a particular key, given the known cipher and a large number of known transformation points. Views of Strength Strength is the effectiveness of fixed defense in the cryptography war. In real war, a strong defense might be a fortification at the top of a mountain which could only be approached on a single long and narrow path. Unfortunately, in real military action, time after time, making assumptions about what the opponent "could not" do turned out to be deadly mistakes. In cryptography we can at least imagine that someday we might prove that all approaches but one are actually impossible, and then guard that last approach; see mathematical cryptography. The Future of Strength It is sometimes convenient to see security as a fence around a restricted compound: We can beef up the front gate, and in some way measure that increase in "strength." But none of that matters if someone cuts through elsewhere, or tunnels under, or jumps over. Until we can produce a cipher design which reduces all the possible avenues of attack to exactly one, it will be very difficult to measure "strength." One possibility might be to construct ciphers in layers of different puzzles: Now, the obvious point of having multiple puzzles is to require multiple solutions before the cipher is broken. But a perhaps less obvious point is to set up the design so that the solution to one puzzle requires The Opponent to commit (in an information sense) in a way that prevents the solution to the next puzzle. Also see design strength, perfect secrecy, ideal secrecy, and security. Strict Avalanche Criterion (SAC) A term used in S-box analysis to describe the contents of an invertible substitution or, equivalently, a block cipher. If we have some input value, and then change one bit in that value, we expect about half the output bits to change; this is the avalanche effect, and is caused by an avalanche process. The Strict Avalanche Criterion requires that each output bit change with probability one-half (over all possible input starting values). This is stricter than avalanche, since if a particular half of the output bits changed all the time, a strict interpretationist might call that "avalanche." Also see complete. As introduced in Webster and Tavares: "If a cryptographic function is to satisfy the strict avalanche criterion, then each output bit should change with a probability of one half whenever a single input bit is complemented." [p.524] Webster, A. and S. Tavares. 1985. On the Design of S-Boxes. Advances in Cryptology CRYPTO '85. 523-534. Although the SAC has tightened the understanding of "avalanche," even SAC can be taken too literally. Consider the scaled-down block cipher model of a small invertible keyed substitution table: Any input bit-change thus selects a different table element, and so produces a random new value (over all possible keys). But when we compare the new value with the old, we find that typically half the bits change, and sometimes all the bits change, but never is there no change at all. This is a tiny bias toward change. If we have a 2-bit (4-element) table, there are 4 values, but after we take one as the original, there are only 3 changed values, not 4. We will see changes of 1 bit, 1 bit, and 2 bits. But this is a change expectation of 2/3 for each output bit, instead of exactly 1/2 as one might interpret from SAC. Although this bias is clearly size-related, its source is invertibility and the definition of change. Thus, even a large block cipher must have some bias, though it is unlikely that we could measure enough cases to see it. The point is that one can extend some of these definitions well beyond their intended role. Subjective In the study of logic, a particular interpretation of reality, rather than objective reality itself. Substitution The concept of replacing one symbol with another symbol. This might be as simple as a grade-school lined sheet with the alphabet down the left side, and a substitute listed for each letter. In computer science this might be a simple array of values, any one of which can be selected by indexing from the start of the array. See substitution table. Cryptography recognizes four types of substitution:  Simple Substitution or Monoalphabetic Substitution,  Homophonic Substitution,  Polyalphabetic Substitution, and  Polygram Substitution. Substitution-Permutation A method of constructing block ciphers in which block elements are substituted, and the resulting bits typically transposed or scrambled into a new arrangement. This would be one round of many. One of the advantages of S-P construction is that the "permutation" stage can be simply a re-arrangement of wires, taking almost no time. Such a stage is more clearly described as a limited set of "transpositions," rather than the more general "permutation" term. Since substitutions are also permutations (albeit with completely different costs and effects), one might fairly describe such a cipher as a "permutation-permutation cipher," which is not particularly helpful. A disadvantage of the S-P construction is the need for special substitution patterns which support diffusion. S-P ciphers diffuse bit-changes across the block round-by-round; if one of the substitution table output bits does not change, then no change can be conducted to one of the tables in the next round, which has the effect of reducing the complexity of the cipher. Consequently, special tables are required in S-P designs, but even special tables can only reduce and not eliminate the effect. See Complete. Substitution Table (Also S-box.) A linear array of values, indexed by position, which includes any value at most once. In cryptographic service, we normally use binary- power invertible tables with the same input and output range. For example, a byte-substitution table will have 256 elements, and will contain each of the values 0 255 exactly once. Any value 0 255 into that table will select some element for output which will also be in the range 0 255. For the same range of input and output values, two invertible substitution tables differ only in the order or permutation of the values in the table. There are 256 factorial different byte-substitution tables, which is a keyspace of 1648 bits. A keyed simple substitution table of sufficient size is the ideal block cipher. Unfortunately, with 128-bit blocks being the modern minimum for strength, there would be 2 128 entries in that table, which is completely out of the question. A keyed substitution table of practical size can only be thought of as a weak block cipher by itself, but it can be part of a combination of components which produce a stronger cipher. And since an invertible substitution table is the ideal tiny block cipher, it can be used for direct experimental comparison to a scalable block cipher of that same tiny size. Superencryption Usually the outer-level encryption of a multiple encryption. Often relatively weak, relying upon the text randomization effect of the lower-level encryption. Surjective Onto. A mapping f: X -> Y where f(x) covers all elements in Y. Not necessarily invertible, since multiple elements x in X could produce the same f(x) in Y. Switch Classically, an electro-mechanical device which physically presses two conductors together at a contact point, thus "making" a circuit, and also pulls the conductors apart, thus allowing air to insulate them and thus "breaking" the circuit. More generally, something which exhibits a significant change in some parameter between "ON" and "OFF." Switching Function A logic function. Symmetric Cipher A secret key cipher. Symmetric Group The symmetric group is the set of all one-to-one mappings from a set into itself. The collection of all permutations of some set. Suppose we consider a block cipher to be a key-selected permutation of the block values: One question of interest is whether our cipher construction could, if necessary, reach every possible permutation, the symmetric group. System An interconnecting network of components which coordinate to perform a larger function. Also a system of ideas. See system design. System Design The design of potentially complex systems. . types of strength:  One type of "strength" is an inability to extrapolate from known parts of the transformation (e.g., known plaintext) to model or even approximate the transformation. interest (message ciphertexts).  Another type of "strength" is an inability to develop a particular key, given the known cipher and a large number of known transformation points. Views. one-half (over all possible input starting values). This is stricter than avalanche, since if a particular half of the output bits changed all the time, a strict interpretationist might call