Given partial key exposure and encryption oracle, can we recover full AES key?












1














Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^{16-n}$?






aes chosen-plaintext-attack







share|improve this question









New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • @kelalaka but this is not faster than $256^{16-n}$ (I corrected myself).
    – enedil
    Dec 21 at 21:37






  • 1




    Your writing style is strange, anyway $256^{16-n} = 2^{128-8cdot n}$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
    – kelalaka
    Dec 21 at 21:41










  • @kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^{16-n}$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^{16-5} = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
    – enedil
    Dec 21 at 21:51






  • 1




    Bitcoin mining reached $approx 2^{91}$ SHA-256 mining in one year. Summit can reach $2^{73}$ in one year.
    – kelalaka
    Dec 21 at 21:56












  • @kelalaka I mean breaking it by myself :c
    – enedil
    Dec 21 at 22:05
















1














Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^{16-n}$?






aes chosen-plaintext-attack







share|improve this question









New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • @kelalaka but this is not faster than $256^{16-n}$ (I corrected myself).
    – enedil
    Dec 21 at 21:37






  • 1




    Your writing style is strange, anyway $256^{16-n} = 2^{128-8cdot n}$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
    – kelalaka
    Dec 21 at 21:41










  • @kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^{16-n}$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^{16-5} = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
    – enedil
    Dec 21 at 21:51






  • 1




    Bitcoin mining reached $approx 2^{91}$ SHA-256 mining in one year. Summit can reach $2^{73}$ in one year.
    – kelalaka
    Dec 21 at 21:56












  • @kelalaka I mean breaking it by myself :c
    – enedil
    Dec 21 at 22:05














1












1








1







Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^{16-n}$?






aes chosen-plaintext-attack







share|improve this question









New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^{16-n}$?






aes chosen-plaintext-attack




aes chosen-plaintext-attack






share|improve this question









New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Dec 21 at 23:46





















New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Dec 21 at 21:30









enedil

1064




1064




New contributor




enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






enedil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • @kelalaka but this is not faster than $256^{16-n}$ (I corrected myself).
    – enedil
    Dec 21 at 21:37






  • 1




    Your writing style is strange, anyway $256^{16-n} = 2^{128-8cdot n}$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
    – kelalaka
    Dec 21 at 21:41










  • @kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^{16-n}$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^{16-5} = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
    – enedil
    Dec 21 at 21:51






  • 1




    Bitcoin mining reached $approx 2^{91}$ SHA-256 mining in one year. Summit can reach $2^{73}$ in one year.
    – kelalaka
    Dec 21 at 21:56












  • @kelalaka I mean breaking it by myself :c
    – enedil
    Dec 21 at 22:05


















  • @kelalaka but this is not faster than $256^{16-n}$ (I corrected myself).
    – enedil
    Dec 21 at 21:37






  • 1




    Your writing style is strange, anyway $256^{16-n} = 2^{128-8cdot n}$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
    – kelalaka
    Dec 21 at 21:41










  • @kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^{16-n}$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^{16-5} = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
    – enedil
    Dec 21 at 21:51






  • 1




    Bitcoin mining reached $approx 2^{91}$ SHA-256 mining in one year. Summit can reach $2^{73}$ in one year.
    – kelalaka
    Dec 21 at 21:56












  • @kelalaka I mean breaking it by myself :c
    – enedil
    Dec 21 at 22:05
















@kelalaka but this is not faster than $256^{16-n}$ (I corrected myself).
– enedil
Dec 21 at 21:37




@kelalaka but this is not faster than $256^{16-n}$ (I corrected myself).
– enedil
Dec 21 at 21:37




1




1




Your writing style is strange, anyway $256^{16-n} = 2^{128-8cdot n}$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 at 21:41




Your writing style is strange, anyway $256^{16-n} = 2^{128-8cdot n}$. What is the value of n? if n = 5,6,7,8....15-btye then brute force works.
– kelalaka
Dec 21 at 21:41












@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^{16-n}$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^{16-5} = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 at 21:51




@kelalaka $n$ can be between $1$ and $15$. I'm interested if there are some publications on this topic. Brute force will not deliver the answer faster than brute force - $256^{16-n}$ is exactly the time needed by brute force. I don't know how should it be possible to brute it with $n = 5$, as $256^{16-5} = 256^11 = 2^88$, which is totally too big. It becomes manageable with $n = 11$.
– enedil
Dec 21 at 21:51




1




1




Bitcoin mining reached $approx 2^{91}$ SHA-256 mining in one year. Summit can reach $2^{73}$ in one year.
– kelalaka
Dec 21 at 21:56






Bitcoin mining reached $approx 2^{91}$ SHA-256 mining in one year. Summit can reach $2^{73}$ in one year.
– kelalaka
Dec 21 at 21:56














@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 at 22:05




@kelalaka I mean breaking it by myself :c
– enedil
Dec 21 at 22:05










1 Answer
1






active

oldest

votes


















4














No, there is no known easier attack than doing a brute force search on the unknown key bits.



In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^{8n}$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^{128 - 8n-1}$ AES evaluations, then the total time will take less than the time taken to do $2^{128-1}$ evaluations, that is, it shows that there is a faster-than-generic attack






share|improve this answer

















  • 1




    But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
    – enedil
    Dec 21 at 22:50










  • @enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
    – Maarten Bodewes
    Dec 21 at 22:52











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






enedil is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66040%2fgiven-partial-key-exposure-and-encryption-oracle-can-we-recover-full-aes-key%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









4














No, there is no known easier attack than doing a brute force search on the unknown key bits.



In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^{8n}$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^{128 - 8n-1}$ AES evaluations, then the total time will take less than the time taken to do $2^{128-1}$ evaluations, that is, it shows that there is a faster-than-generic attack






share|improve this answer

















  • 1




    But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
    – enedil
    Dec 21 at 22:50










  • @enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
    – Maarten Bodewes
    Dec 21 at 22:52
















4














No, there is no known easier attack than doing a brute force search on the unknown key bits.



In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^{8n}$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^{128 - 8n-1}$ AES evaluations, then the total time will take less than the time taken to do $2^{128-1}$ evaluations, that is, it shows that there is a faster-than-generic attack






share|improve this answer

















  • 1




    But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
    – enedil
    Dec 21 at 22:50










  • @enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
    – Maarten Bodewes
    Dec 21 at 22:52














4












4








4






No, there is no known easier attack than doing a brute force search on the unknown key bits.



In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^{8n}$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^{128 - 8n-1}$ AES evaluations, then the total time will take less than the time taken to do $2^{128-1}$ evaluations, that is, it shows that there is a faster-than-generic attack






share|improve this answer












No, there is no known easier attack than doing a brute force search on the unknown key bits.



In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^{8n}$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^{128 - 8n-1}$ AES evaluations, then the total time will take less than the time taken to do $2^{128-1}$ evaluations, that is, it shows that there is a faster-than-generic attack







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 21 at 22:08









poncho

90.2k2139233




90.2k2139233








  • 1




    But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
    – enedil
    Dec 21 at 22:50










  • @enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
    – Maarten Bodewes
    Dec 21 at 22:52














  • 1




    But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
    – enedil
    Dec 21 at 22:50










  • @enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
    – Maarten Bodewes
    Dec 21 at 22:52








1




1




But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 at 22:50




But you assume known plaintext attack, while I'm talking about a decryption oracle. Well, I wouldn't be surprised if this doesn't change much here, but nevertheless, your answer doesn't address it.
– enedil
Dec 21 at 22:50












@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes
Dec 21 at 22:52




@enedil We kinda assume known plaintext attacks by default when addressing this kind of issue, but you're right, it does seem to be missing.
– Maarten Bodewes
Dec 21 at 22:52










enedil is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















enedil is a new contributor. Be nice, and check out our Code of Conduct.













enedil is a new contributor. Be nice, and check out our Code of Conduct.












enedil is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66040%2fgiven-partial-key-exposure-and-encryption-oracle-can-we-recover-full-aes-key%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Сан-Квентин

Image
Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но...
Read more

8-я гвардейская общевойсковая армия

Image
8-я гвардейская общевойсковая ордена Ленина армия Награды: Войска: РККА → Советская армия → СВ России Род войск: Формирование: 1943 Расформирование (преобразование): 1992 Предшественник: 62-я армия (1942—43) → 8-я гвардейская общевойсковая армия (1943—92) → 8-й гвардейский армейский корпус (1992—98) Боевой путь Изюм-Барвенковская операция Донбасская операция Запорожская операция Битва за Днепр Днепропетровская операция Березнеговато-Снигирёвская операция Одесская операция Люблин-Брестская операция Варшавско-Познанская операция Восточно-Померанская операция Берлинская наступательная операция У этого термина существуют и другие значения, см. 8-я армия. Фотография Гвардейского Красного Знамени (лицевая сторона) 8-й гвардейской армии , образца 1943 года. Фотография Гвардейского Красного Знамени (оборотная сторона) 8-й гвардейской армии , образца 1943 года. 8-я гвардейская общевойсковая ордена Ленина армия  — гвардейское фор...
Read more

Алькесар

Image
Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове...
Read more