Given partial key exposure and encryption oracle, can we recover full AES key?
Clash Royale CLAN TAG#URR8PPP
Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^16-n$?
aes chosen-plaintext-attack
add a comment |
Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^16-n$?
aes chosen-plaintext-attack
@kelalaka but this is not faster than $256^16-n$ (I corrected myself).
– enedil
Dec 21 '18 at 21:37
1
Your writing style is strange, anyway $256^16-n = 2^128-8cdot n$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 '18 at 21:41
@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^16-n$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^16-5 = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 '18 at 21:51
1
Bitcoin mining reached $approx 2^91$ SHA-256 mining in one year. Summit can reach $2^73$ in one year.
– kelalaka
Dec 21 '18 at 21:56
@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 '18 at 22:05
add a comment |
Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^16-n$?
aes chosen-plaintext-attack
Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^16-n$?
aes chosen-plaintext-attack
aes chosen-plaintext-attack
edited Dec 21 '18 at 23:46
asked Dec 21 '18 at 21:30
enedil
1064
1064
@kelalaka but this is not faster than $256^16-n$ (I corrected myself).
– enedil
Dec 21 '18 at 21:37
1
Your writing style is strange, anyway $256^16-n = 2^128-8cdot n$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 '18 at 21:41
@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^16-n$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^16-5 = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 '18 at 21:51
1
Bitcoin mining reached $approx 2^91$ SHA-256 mining in one year. Summit can reach $2^73$ in one year.
– kelalaka
Dec 21 '18 at 21:56
@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 '18 at 22:05
add a comment |
@kelalaka but this is not faster than $256^16-n$ (I corrected myself).
– enedil
Dec 21 '18 at 21:37
1
Your writing style is strange, anyway $256^16-n = 2^128-8cdot n$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 '18 at 21:41
@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^16-n$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^16-5 = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 '18 at 21:51
1
Bitcoin mining reached $approx 2^91$ SHA-256 mining in one year. Summit can reach $2^73$ in one year.
– kelalaka
Dec 21 '18 at 21:56
@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 '18 at 22:05
@kelalaka but this is not faster than $256^16-n$ (I corrected myself).
– enedil
Dec 21 '18 at 21:37
@kelalaka but this is not faster than $256^16-n$ (I corrected myself).
– enedil
Dec 21 '18 at 21:37
1
1
Your writing style is strange, anyway $256^16-n = 2^128-8cdot n$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 '18 at 21:41
Your writing style is strange, anyway $256^16-n = 2^128-8cdot n$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 '18 at 21:41
@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^16-n$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^16-5 = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 '18 at 21:51
@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^16-n$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^16-5 = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 '18 at 21:51
1
1
Bitcoin mining reached $approx 2^91$ SHA-256 mining in one year. Summit can reach $2^73$ in one year.
– kelalaka
Dec 21 '18 at 21:56
Bitcoin mining reached $approx 2^91$ SHA-256 mining in one year. Summit can reach $2^73$ in one year.
– kelalaka
Dec 21 '18 at 21:56
@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 '18 at 22:05
@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 '18 at 22:05
add a comment |
1 Answer
1
active
oldest
votes
No, there is no known easier attack than doing a brute force search on the unknown key bits.
In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^8n$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^128 - 8n-1$ AES evaluations, then the total time will take less than the time taken to do $2^128-1$ evaluations, that is, it shows that there is a faster-than-generic attack
1
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66040%2fgiven-partial-key-exposure-and-encryption-oracle-can-we-recover-full-aes-key%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
No, there is no known easier attack than doing a brute force search on the unknown key bits.
In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^8n$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^128 - 8n-1$ AES evaluations, then the total time will take less than the time taken to do $2^128-1$ evaluations, that is, it shows that there is a faster-than-generic attack
1
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
add a comment |
No, there is no known easier attack than doing a brute force search on the unknown key bits.
In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^8n$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^128 - 8n-1$ AES evaluations, then the total time will take less than the time taken to do $2^128-1$ evaluations, that is, it shows that there is a faster-than-generic attack
1
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
add a comment |
No, there is no known easier attack than doing a brute force search on the unknown key bits.
In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^8n$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^128 - 8n-1$ AES evaluations, then the total time will take less than the time taken to do $2^128-1$ evaluations, that is, it shows that there is a faster-than-generic attack
No, there is no known easier attack than doing a brute force search on the unknown key bits.
In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^8n$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^128 - 8n-1$ AES evaluations, then the total time will take less than the time taken to do $2^128-1$ evaluations, that is, it shows that there is a faster-than-generic attack
answered Dec 21 '18 at 22:08
poncho
90.3k2141234
90.3k2141234
1
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
add a comment |
1
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
1
1
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 '18 at 22:50
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes♦
Dec 21 '18 at 22:52
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66040%2fgiven-partial-key-exposure-and-encryption-oracle-can-we-recover-full-aes-key%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
@kelalaka but this is not faster than $256^16-n$ (I corrected myself).
– enedil
Dec 21 '18 at 21:37
1
Your writing style is strange, anyway $256^16-n = 2^128-8cdot n$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 '18 at 21:41
@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^16-n$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^16-5 = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 '18 at 21:51
1
Bitcoin mining reached $approx 2^91$ SHA-256 mining in one year. Summit can reach $2^73$ in one year.
– kelalaka
Dec 21 '18 at 21:56
@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 '18 at 22:05