I haven't really seen what the computational complexity class of AES decryption is. Can anyone provide reference papers or answers here?
-
so you're asking if there's something like "NP" and "P" (for RSA and co) for AES decryption of unknown plaintexts? – SEJPM Jun 06 '15 at 10:22
-
Yes. Is it in RE, R, EXPTIME, PSPACE or any? These things. – Dotdats Jun 06 '15 at 10:26
-
My intuition tells me "no". You can't classify AES decryption that way because it's not how it works. These classes are for reference problems, to describe how the complexity of a problem scales with its size. AES' complexity doesn't scale. It's discrete and either 128, 192 or 256 bit (+/- a bit for cryptanalytic progress). So maybe one could say that AES decryption falls into NP as complexity grows exponentially with bitlength (128 bit -> $2^{128}$, 192 bit -> $2^{192}$, ...) but you can't state security for 512 bit because it should be the same (as of now) as for 256... – SEJPM Jun 06 '15 at 10:30
-
We now have an answer for this question, but it does focus on the modes of operation for block ciphers instead of the block cipher itself. Please indicate in your question which one of the two is meant. – Maarten Bodewes Jun 06 '15 at 12:36
-
@Maarten Bodewes I think the question means: "Can the problem of recovering a plaintext from a ciphertext which is the encryption of the plaintext under some unknown AES key be classified in terms of P and NP and similar? And if so what class applies?" – SEJPM Jun 06 '15 at 13:44
-
@SOJPM Agreed, but that cannot be concluded from the question itself, it can only be inferred from the second comment of this question. It should not be required to read through all the comments to understand the question. – Maarten Bodewes Jun 06 '15 at 13:47
-
@SOJPM One more point to add to your "intuition" is that the key size also affects other internal parameters. The subkey derivation and number of rounds also change. What happens if AES-512 is used is completely unclear, and it would be tricky to take this into account if we just look at AES-128, 192 and 256. – Maarten Bodewes Jun 06 '15 at 16:52
1 Answer
The time of AES encryption/decryption in any of the standard modes like CBC or CTR or GCM is polynomial (more precisely, linear) in the size of the message.
Proof: One call to the AES encryption/decryption function takes some constant number of steps, which we can represent with the constant $c$. For example, AES-128 makes one call to the key schedule to generate the round keys, one 'whitening' step with a round key, and then 10 calls to the round function, which itself takes a constant number of simpler steps - 16 parallel applications of the S-Box, one 'ShiftRows' transposition of bytes, 4 parallel applications of the MixColumns linear function (absent in the last round), and one AddRoundKey step. AES-192 and AES-256 similarly make constant numbers of calls to the round function.
For any of the standard modes and a message of bit-length $\ell$, the number of calls to the AES encryption/decryption function is some linear function, $f(\ell)$. For example, the cipher-call function for CTR is: $f^{CTR}(\ell) = \lceil \frac{\ell}{128} \rceil$.
Sometimes these modes have to do other things than make calls to the block cipher (e.g. GCM has to do one finite field multiplication per 128-bit message block), but in the standard modes these are also always linear or constant in the length of the message. Let's say the function $g(\ell)$ returns the number of 'extraneous' (non-AES) steps as a function of the message length.
Therefore, the encryption/decryption time for AES in any of the standard modes is some linear function of the length of the message, $c \cdot f(\ell) + g(\ell)$.

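The answer's claim for CTR can be checked by counting block-cipher calls directly. This is an added example, not part of the original answer: it implements CTR mode over a call-counting stand-in for the AES block function (a SHA-256-based PRF, which is an assumption made so the code runs with only the standard library) and compares the count to $f^{CTR}(\ell)$. The class and function names, key, nonce and messages are all constructed for illustration.

```python
import hashlib
import math

BLOCK_BITS = 128
BLOCK_BYTES = BLOCK_BITS // 8

class CountingBlockCipher:
    """Stand-in for the AES block function (NOT AES): a keyed PRF built from
    SHA-256 that counts its invocations. CTR mode only uses the forward
    direction, so a PRF is enough to exercise the mode's structure."""
    def __init__(self, key: bytes):
        self.key = key
        self.calls = 0

    def encrypt_block(self, block: bytes) -> bytes:
        assert len(block) == BLOCK_BYTES
        self.calls += 1
        return hashlib.sha256(self.key + block).digest()[:BLOCK_BYTES]

def ctr_xcrypt(cipher, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: keystream block i = E_k(nonce || i). Encryption and
    decryption are the same operation, so both cost f(l) cipher calls."""
    assert len(nonce) == 8
    out = bytearray()
    for i in range(0, len(data), BLOCK_BYTES):
        counter_block = nonce + (i // BLOCK_BYTES).to_bytes(8, "big")
        keystream = cipher.encrypt_block(counter_block)
        chunk = data[i:i + BLOCK_BYTES]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)

def f_ctr(bit_length: int) -> int:
    """The answer's cipher-call function for CTR: ceil(l / 128)."""
    return math.ceil(bit_length / BLOCK_BITS)

def measure_calls(message_bytes: int) -> int:
    """Encrypt a constructed message and return how many block-cipher calls
    were made; also check that decryption round-trips."""
    key, nonce = b"k" * 16, b"n" * 8          # constructed sample values
    message = bytes(message_bytes)            # constructed all-zero plaintext
    enc = CountingBlockCipher(key)
    ciphertext = ctr_xcrypt(enc, nonce, message)
    assert ctr_xcrypt(CountingBlockCipher(key), nonce, ciphertext) == message
    return enc.calls

if __name__ == "__main__":
    for n in (0, 1, 16, 17, 1000, 4096):
        print(n, "bytes ->", measure_calls(n), "calls; f_ctr =", f_ctr(8 * n))
```

The measured count depends only on the message length, never on the key or plaintext values, which is why the cost is stated as a function of $\ell$ alone.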