Is it possible to mathematically extract an AES key from black-box encrypt/decrypt hardware?
I presented our mathematician with an idea:
If you have a black box that encrypts or decrypts AES with the same 128 bit key (you don't have any direct access to the key), and you control the input and the direction (enc/dec) and can see the output,
can you mathematically derive the key? How many tests will you have to run to be able to derive the key?
He said he remembers there was a paper that said it will take only $2^{16}$ tries to derive the key. Does this paper exist? Can anybody point me in the right direction?
Tags: aes, chosen-plaintext-attack, chosen-ciphertext-attack, key-recovery
asked Apr 3 at 9:34 by Anton Vainer; edited Apr 3 at 10:53 by AleksanderRas
Comments:
This seems like almost a duplicate of "Shortcuts / practicality of brute forcing block cipher (AES) + ECB with known plaintext" and "Is it possible to obtain AES-128 key from a known ciphertext-plaintext pair?", except that those questions ask about known-plaintext rather than chosen-plaintext attacks. The answers are effectively the same, though.
– Ilmari Karonen, Apr 3 at 10:24
Only with side channel attacks like power analysis. Otherwise it is infeasible.
– Natanael, Apr 4 at 0:02
Any chance this relates to the lack of AES' information theoretic security? 65,536 IO pairings may well completely determine a mathematical model of the interior of the box. Simultaneous equation solving would then theoretically allow key recovery much more readily than brute force. Does this sound familiar at all?
– Paul Uszak, Apr 4 at 0:38
1 Answer
What you describe is a Chosen-Plaintext Attack (CPA), and AES and secure block ciphers are designed to be secure against this.
Having $2^{16}$ chosen plaintexts under one key doesn't help you to extract the AES key. You have to go to full brute force to find the key.
Since you have one target, you cannot get help from attacking many keys simultaneously. In some cases, the black box may reside in front of you for many days; thus, during those days, you will get many target keys.
For $t$ targets, the expected cost of breaking one of the $t$ keys is $2^{128}/t$, and that will be far below $2^{128}$. If you have a billion targets (~$2^{30}$), the cost will be ~$2^{98}$ to find one of the target keys.
answered Apr 3 at 10:07 by kelalaka; edited Apr 6 at 16:04
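The multi-target scaling described in the answer above, as an added example that is not part of the original answer: a toy 12-bit keyed function (truncated SHA-256, an assumption standing in for AES) is brute-forced against t targets, and the average number of guesses is compared with the predicted value. All function names and parameters are hypothetical.

```python
import hashlib
import random

KEY_BITS = 12                 # toy key size (assumption); AES-128 has 128 key bits
KEYSPACE = 1 << KEY_BITS
PLAINTEXT = b"constructed chosen plaintext"   # same block submitted to every target


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Hypothetical stand-in for a block cipher: keyed SHA-256 truncated to 8 bytes."""
    return hashlib.sha256(key.to_bytes(2, "big") + block).digest()[:8]


def guesses_until_first_hit(num_targets: int, rng: random.Random) -> int:
    """Count key guesses until one guess matches any of the target boxes."""
    target_keys = rng.sample(range(KEYSPACE), num_targets)   # distinct unknown keys
    observed = {toy_encrypt(k, PLAINTEXT) for k in target_keys}
    # Target keys are uniformly random, so guessing in numeric order is as good as any.
    for guess in range(KEYSPACE):
        # One trial encryption is checked against all targets with a set lookup.
        if toy_encrypt(guess, PLAINTEXT) in observed:
            return guess + 1
    raise RuntimeError("unreachable: every target key lies in the keyspace")


def average_guesses(num_targets: int, runs: int = 200, seed: int = 1) -> float:
    """Mean number of guesses over `runs` independent experiments."""
    rng = random.Random(seed)
    total = sum(guesses_until_first_hit(num_targets, rng) for _ in range(runs))
    return total / runs


def predicted_guesses(num_targets: int) -> float:
    """Expected smallest of t distinct uniform keys: (N + 1) / (t + 1), about N / t."""
    return (KEYSPACE + 1) / (num_targets + 1)


if __name__ == "__main__":
    for t in (1, 16, 256):
        print(f"t={t:4d}  measured={average_guesses(t):8.1f}  "
              f"predicted={predicted_guesses(t):8.1f}")
```

The per-guess work stays at one trial encryption regardless of t, which is why the cost to hit some key drops as the number of targets grows while the cost to hit one specific key does not.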