Is it possible to mathematically extract an AES key from black-box encrypt/decrypt hardware?
I presented our mathematician with an idea:
If you have a black box that encrypts or decrypts AES with the same 128 bit key (you don't have any direct access to the key), and you control the input and the direction (enc/dec) and can see the output,
can you mathematically derive the key? How many tests will you have to run to be able to derive the key?
He said he remembers there was a paper that said it will take only $2^{16}$ tries to derive the key. Does this paper exist? Can anybody point me in the right direction?
aes chosen-plaintext-attack chosen-ciphertext-attack key-recovery
asked 2 days ago by Anton Vainer
This seems like almost a duplicate of "Shortcuts / practicality of brute forcing block cipher (AES) + ECB with known plaintext" and "Is it possible to obtain AES-128 key from a known ciphertext-plaintext pair?" except that those questions ask about known-plaintext rather than chosen-plaintext attacks. The answers are effectively the same, though.
– Ilmari Karonen, 2 days ago

Only with side channel attacks like power analysis. Otherwise it is infeasible.
– Natanael, 2 days ago

Any chance this relates to the lack of AES' information theoretic security? 65,536 IO pairings may well completely determine a mathematical model of the interior of the box. Simultaneous equation solving would then theoretically allow key recovery much more readily than brute force. Does this sound familiar at all?
– Paul Uszak, 2 days ago
1 Answer
What you describe is a Chosen-Plaintext Attack (CPA), and AES and secure block ciphers are designed to be secure against this.
Having $2^{16}$ chosen plaintexts under one key doesn't help you to extract the AES key. You have to go to full brute force to find the key.
Since you have one target, you cannot get help from attacking many keys simultaneously. For $t$ target the expected cost is $2^{128}/t$ that will be far below $2^{128}/t$. If you have a billion targets (~$2^{30}$) the cost will be ~$2^{98}$ to find one of the target keys.
answered 2 days ago by kelalaka
What does the sentence ‘For $t$ target the expected cost is $2^{128}/t$ that will be far below $2^{128}/t$.’ mean?
– Squeamish Ossifrage, 2 days ago

In some cases, the black box may reside in many days in front of you, thus, during those days, you will get many target keys.
– kelalaka, yesterday
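
The multi-target cost mentioned in the answer above can be measured on a deliberately tiny key space: with $t$ independent keys, exhaustive search hits the first of them after about $N/t$ trials (exactly $(N+1)/(t+1)$ on average), while a single box gets no such discount. This is an added example, not part of the original answer; keyed BLAKE2b stands in for the block cipher, and `KEY_BITS`, `KNOWN_PT`, `toy_encrypt`, `trials_until_first_hit`, `mean_trials` and `cost_bits` are names assumed for the illustration.

```python
import hashlib
import random
from functools import lru_cache
from math import log2

KEY_BITS = 16                    # toy key space (assumption); AES-128 has 2**128 keys
N = 1 << KEY_BITS
KNOWN_PT = b"constructed-blk!"   # constructed 16-byte chosen plaintext


@lru_cache(maxsize=None)
def toy_encrypt(key: int, block: bytes) -> bytes:
    """Stand-in for one block-cipher call: keyed BLAKE2b, 16-byte output (not AES)."""
    return hashlib.blake2b(block, key=key.to_bytes(2, "big"), digest_size=16).digest()


def trials_until_first_hit(t: int, rng: random.Random) -> int:
    """Number of trial encryptions until any one of t secret keys is found."""
    secret_keys = rng.sample(range(N), t)            # t boxes, each with its own key
    # One chosen-plaintext query per box; the keys themselves are never read.
    wanted = {toy_encrypt(k, KNOWN_PT) for k in secret_keys}
    for guess in range(N):                           # exhaustive key search
        if toy_encrypt(guess, KNOWN_PT) in wanted:   # one trial is checked against all t targets
            return guess + 1
    raise AssertionError("key space exhausted without a match")


def mean_trials(t: int, runs: int, rng: random.Random) -> float:
    """Average search cost over several independent experiments."""
    return sum(trials_until_first_hit(t, rng) for _ in range(runs)) / runs


def cost_bits(key_bits: int, t: int) -> float:
    """log2 of the approximate work N/t to recover one of t keys."""
    return key_bits - log2(t)


if __name__ == "__main__":
    rng = random.Random(2019)
    for t in (1, 16, 256):
        measured = mean_trials(t, 50, rng)
        print(f"t={t:3d}  measured={measured:9.1f}  (N+1)/(t+1)={(N + 1) / (t + 1):9.1f}")
    print(f"128-bit key, 2**30 targets: about 2**{cost_bits(128, 2**30):.0f} trials")
```

For a single black box ($t = 1$) the measured cost stays at roughly half the key space, which is the case the question asks about.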