All geek questions in one place

Decrypt the same text using different keys (AES)

Suppose I have a key - k and plain text P. Then I encrypt P with AES using the k key:

C = AES_k (P)

Now let's say that I have another simple text that I have chosen - P *. This simple text has nothing to do with P, I select it as if what I want.

Is it possible to find the key - k *, so when I decrypt C with k *, I get P *?

Value: D_k * (AES_k (P)) = P *

+4
source share
4 answers

I do not think that the key will necessarily exist. The key determines the permutation of all possible block values. Having a 128-bit block size, there is (2 ^ 128)! possible permutations. With a 256-bit key, there are 2 ^ 256 possible keys. This is significantly less than the number of permutations, and therefore, no permutation can be specified. I think - although I certainly can’t prove or even claim that this means that there can be no definite permutation that maps your selected second plaintext to ciphertext.

If such a permutation really exists, I think it will be very difficult to find. If it were easy, well-known ciphertext attacks would be trivial.

+8
source

I assume that your plaintexts and ciphertexts P, P * and C are 128-bit blocks.

If your keys k and k * are 128-bit long (i.e., you use AES-128), then with a probability of about 36.8% there is no solution: more formally, if you consider the set of all possible values ​​for combinations C and P * (2 256 ), then for approximately e -1 of them there does not exist k * such that AES_k * (P *) = C.

This follows from the fact that for a given value of P *, a function that converts k * to AES_k * (P *) should behave as a random function, and a random function from a set of size N to a set of identical size N has an average coverage of 1 -1 sets of recipients. Here, for a given P *, there are about 63.2% of 128-bit words, which are possible outputs of P * AES encryption with a 128-bit key.

On the other hand, if you allow k * to be wider (AES also accepts 192-bit and 256-bit keys), then there should be many k * solutions in your equation.

In any case, in fact, the search for k * (even a 192-bit or 256-bit k *) should not be feasible, while the coefficient of operation is close to operations 2 128 . The ability to find k * with less work than can be seen as a structural flaw in AES. Knowing P and k does not help in any way: for a given 128-bit encrypted text C, it is easy to find matching pairs (P, k).

Note: if you take AES and change the roles of plaintext and key, then you get a rough emulation of a hash function with limited input and 128-bit output. What you are asking for is the possibility of attacking the prefix of this hash function.

+4
source

This should not be possible for any plain text that you choose. The ability to decrypt encrypted text into arbitrary plaintext would mean something known as perfect security (or perfect secrecy ).

For example, if I have an ADGWTX cipher, and I know that it is encrypted using a simple XOR and a 6-letter key, I still cannot break it without additional key information. Because one key will give me ESCAPE, and the other key will give me ATTACK.

Great security is a one-time-panel feature ( http://en.wikipedia.org/wiki/One-time_pad ), but not AES.

+1
source

You can get k * and decrypt C to get the plaintext P *, but only by decrypting it using a different type of encryption, for example, perhaps for Vernama encryption.

you can get k *, so D_k * (AES_k (P)) creates your P *.

you just do: P * ^ C to get your k * then if you decrypt: k * ^ C you get P * (if both C and P * are the same size)

but if the size of your P * is less than C, then it will produce duplicate P *

^: bitwise XOR

I'm not sure what you want, you did not mention that you want to decrypt it using AES.

+1
source

Source: https://habr.com/ru/post/1339561/

More articles:


All Articles