Is it possible to find the key for AES ECB if I have a list of plaintext and corresponding ciphertext?
Clash Royale CLAN TAG#URR8PPP
up vote
4
down vote
favorite
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
If, how big does the list of plaintext and matching ciphertext have to be to be able to find it in a feasable amount of time (say in 1 or 2 hours)?
aes attack known-plaintext-attack ecb
edited 5 hours ago
e-sushi♦
13.4k860168
asked 13 hours ago
Richard Jones
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
4
down vote
favorite
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
If, how big does the list of plaintext and matching ciphertext have to be to be able to find it in a feasable amount of time (say in 1 or 2 hours)?
aes attack known-plaintext-attack ecb
edited 5 hours ago
e-sushi♦
13.4k860168
asked 13 hours ago
Richard Jones
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
4
down vote
favorite
up vote
4
down vote
favorite
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
If, how big does the list of plaintext and matching ciphertext have to be to be able to find it in a feasable amount of time (say in 1 or 2 hours)?
aes attack known-plaintext-attack ecb
edited 5 hours ago
e-sushi♦
13.4k860168
asked 13 hours ago
Richard Jones
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
If, how big does the list of plaintext and matching ciphertext have to be to be able to find it in a feasable amount of time (say in 1 or 2 hours)?
aes attack known-plaintext-attack ecb
aes attack known-plaintext-attack ecb
edited 5 hours ago
e-sushi♦
13.4k860168
asked 13 hours ago
Richard Jones
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 5 hours ago
e-sushi♦
13.4k860168
asked 13 hours ago
Richard Jones
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 5 hours ago
e-sushi♦
13.4k860168
edited 5 hours ago
e-sushi♦
13.4k860168
edited 5 hours ago
e-sushi♦
13.4k860168
13.4k860168
asked 13 hours ago
Richard Jones
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 13 hours ago
Richard Jones
241
asked 13 hours ago
Richard Jones
241
241
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Richard Jones is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
up vote
6
down vote
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
No. This is what is referred to as a known plaintext attack, and secure block ciphers are designed to prevent exactly this kind of attack. This answer on the Mathematics Stack Exchange goes into more detail about the notion of IND-CPA ("indistinguishability") which AES is conjectured to meet and how that implies that a known plaintext attack is impossible.
edited 5 hours ago
e-sushi♦
13.4k860168
answered 7 hours ago
kiwidrew
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
4
down vote
What is the simplest attack is the Brute Force Attack. However, it is infeasible to brute-force even AES-128 bit, AES also supports 192, and 256-bit keys sizes. To break the AES-128 with brute force, you need to execute $2^128$ AES operations, today's top computers can reach $2^63$ around one hour.
In brute-force, the number of elements in your list is not important. The problem is the key-size. You have to check every possible key to match one of your plaintext-ciphertext pair;
for each k in possible keys
if E(k,P1) == C1
testWithSomeOtherPair(k)
Once you found you can verify with the other plaintext-ciphertext pairs.
Note: there are other types of attacks (related-key attacks) faster than the brute-force for AES-192 and AES-256 with $2^176$ and $2^99.5$-time, respectively. But they are still infeasible to reach. For AES-128, the fastest known is the Biclique attack with $2^126.2$ and that is still infeasible and in practice, the brute-force may still beat the Biclique attack which requires $2^88$-data and $2^8$-memory. Biclique attack for AES-192 and AES-256 runs with $2^189.7$ and $2^254.4$ computational complexity, respectively.
answered 13 hours ago
kelalaka
2,778625
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
6
down vote
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
No. This is what is referred to as a known plaintext attack, and secure block ciphers are designed to prevent exactly this kind of attack. This answer on the Mathematics Stack Exchange goes into more detail about the notion of IND-CPA ("indistinguishability") which AES is conjectured to meet and how that implies that a known plaintext attack is impossible.
edited 5 hours ago
e-sushi♦
13.4k860168
answered 7 hours ago
kiwidrew
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
6
down vote
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
No. This is what is referred to as a known plaintext attack, and secure block ciphers are designed to prevent exactly this kind of attack. This answer on the Mathematics Stack Exchange goes into more detail about the notion of IND-CPA ("indistinguishability") which AES is conjectured to meet and how that implies that a known plaintext attack is impossible.
edited 5 hours ago
e-sushi♦
13.4k860168
answered 7 hours ago
kiwidrew
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
6
down vote
up vote
6
down vote
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
No. This is what is referred to as a known plaintext attack, and secure block ciphers are designed to prevent exactly this kind of attack. This answer on the Mathematics Stack Exchange goes into more detail about the notion of IND-CPA ("indistinguishability") which AES is conjectured to meet and how that implies that a known plaintext attack is impossible.
edited 5 hours ago
e-sushi♦
13.4k860168
answered 7 hours ago
kiwidrew
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Assume I have a list of plaintext text and its corresponding ciphertext which was created using a specific key with AES in ECB mode.
Can I recover that key?
No. This is what is referred to as a known plaintext attack, and secure block ciphers are designed to prevent exactly this kind of attack. This answer on the Mathematics Stack Exchange goes into more detail about the notion of IND-CPA ("indistinguishability") which AES is conjectured to meet and how that implies that a known plaintext attack is impossible.
edited 5 hours ago
e-sushi♦
13.4k860168
answered 7 hours ago
kiwidrew
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 5 hours ago
e-sushi♦
13.4k860168
edited 5 hours ago
e-sushi♦
13.4k860168
edited 5 hours ago
e-sushi♦
13.4k860168
13.4k860168
answered 7 hours ago
kiwidrew
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 7 hours ago
kiwidrew
2236
answered 7 hours ago
kiwidrew
2236
2236
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
kiwidrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
up vote
4
down vote
What is the simplest attack is the Brute Force Attack. However, it is infeasible to brute-force even AES-128 bit, AES also supports 192, and 256-bit keys sizes. To break the AES-128 with brute force, you need to execute $2^128$ AES operations, today's top computers can reach $2^63$ around one hour.
In brute-force, the number of elements in your list is not important. The problem is the key-size. You have to check every possible key to match one of your plaintext-ciphertext pair;
for each k in possible keys
if E(k,P1) == C1
testWithSomeOtherPair(k)
Once you found you can verify with the other plaintext-ciphertext pairs.
Note: there are other types of attacks (related-key attacks) faster than the brute-force for AES-192 and AES-256 with $2^176$ and $2^99.5$-time, respectively. But they are still infeasible to reach. For AES-128, the fastest known is the Biclique attack with $2^126.2$ and that is still infeasible and in practice, the brute-force may still beat the Biclique attack which requires $2^88$-data and $2^8$-memory. Biclique attack for AES-192 and AES-256 runs with $2^189.7$ and $2^254.4$ computational complexity, respectively.
answered 13 hours ago
kelalaka
2,778625
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
add a comment |
up vote
4
down vote
What is the simplest attack is the Brute Force Attack. However, it is infeasible to brute-force even AES-128 bit, AES also supports 192, and 256-bit keys sizes. To break the AES-128 with brute force, you need to execute $2^128$ AES operations, today's top computers can reach $2^63$ around one hour.
In brute-force, the number of elements in your list is not important. The problem is the key-size. You have to check every possible key to match one of your plaintext-ciphertext pair;
for each k in possible keys
if E(k,P1) == C1
testWithSomeOtherPair(k)
Once you found you can verify with the other plaintext-ciphertext pairs.
Note: there are other types of attacks (related-key attacks) faster than the brute-force for AES-192 and AES-256 with $2^176$ and $2^99.5$-time, respectively. But they are still infeasible to reach. For AES-128, the fastest known is the Biclique attack with $2^126.2$ and that is still infeasible and in practice, the brute-force may still beat the Biclique attack which requires $2^88$-data and $2^8$-memory. Biclique attack for AES-192 and AES-256 runs with $2^189.7$ and $2^254.4$ computational complexity, respectively.
answered 13 hours ago
kelalaka
2,778625
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
add a comment |
up vote
4
down vote
up vote
4
down vote
What is the simplest attack is the Brute Force Attack. However, it is infeasible to brute-force even AES-128 bit, AES also supports 192, and 256-bit keys sizes. To break the AES-128 with brute force, you need to execute $2^128$ AES operations, today's top computers can reach $2^63$ around one hour.
In brute-force, the number of elements in your list is not important. The problem is the key-size. You have to check every possible key to match one of your plaintext-ciphertext pair;
for each k in possible keys
if E(k,P1) == C1
testWithSomeOtherPair(k)
Once you found you can verify with the other plaintext-ciphertext pairs.
Note: there are other types of attacks (related-key attacks) faster than the brute-force for AES-192 and AES-256 with $2^176$ and $2^99.5$-time, respectively. But they are still infeasible to reach. For AES-128, the fastest known is the Biclique attack with $2^126.2$ and that is still infeasible and in practice, the brute-force may still beat the Biclique attack which requires $2^88$-data and $2^8$-memory. Biclique attack for AES-192 and AES-256 runs with $2^189.7$ and $2^254.4$ computational complexity, respectively.
answered 13 hours ago
kelalaka
2,778625
What is the simplest attack is the Brute Force Attack. However, it is infeasible to brute-force even AES-128 bit, AES also supports 192, and 256-bit keys sizes. To break the AES-128 with brute force, you need to execute $2^128$ AES operations, today's top computers can reach $2^63$ around one hour.
In brute-force, the number of elements in your list is not important. The problem is the key-size. You have to check every possible key to match one of your plaintext-ciphertext pair;
for each k in possible keys
if E(k,P1) == C1
testWithSomeOtherPair(k)
Once you found you can verify with the other plaintext-ciphertext pairs.
Note: there are other types of attacks (related-key attacks) faster than the brute-force for AES-192 and AES-256 with $2^176$ and $2^99.5$-time, respectively. But they are still infeasible to reach. For AES-128, the fastest known is the Biclique attack with $2^126.2$ and that is still infeasible and in practice, the brute-force may still beat the Biclique attack which requires $2^88$-data and $2^8$-memory. Biclique attack for AES-192 and AES-256 runs with $2^189.7$ and $2^254.4$ computational complexity, respectively.
answered 13 hours ago
kelalaka
2,778625
edited 12 hours ago
answered 13 hours ago
kelalaka
2,778625
answered 13 hours ago
kelalaka
2,778625
answered 13 hours ago
kelalaka
2,778625
2,778625
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
add a comment |
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
So even if we have millions of texts and their corresponding ciphertext using our key, it wouldn't help us to find the key?
– Richard Jones
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
Short answer no. For brute-force, you need only a couple of pairs. There are attacks like biclique attack, but that requires $2^126.2$ operations for AES-128. You can find some other attacks at Wikipedia but you will not see they are better than biclique attack.
– kelalaka
12 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
@RichardJones - Note that in a straight brute force attack, knowing the plain text is only for verification - that is, knowing the plain text doesn't help in the decryption at all, and probably isn't necessary (an incorrect key is usually going to generate gibberish in at least some part of a sufficient length message).
– Clockwork-Muse
4 hours ago
add a comment |
Richard Jones is a new contributor. Be nice, and check out our Code of Conduct.
Richard Jones is a new contributor. Be nice, and check out our Code of Conduct.
Richard Jones is a new contributor. Be nice, and check out our Code of Conduct.
Richard Jones is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63883%2fis-it-possible-to-find-the-key-for-aes-ecb-if-i-have-a-list-of-plaintext-and-cor%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
