3

I presented our mathematician with an idea:

If you have a black box that encrypts or decrypts AES with the same 128 bit key (you don't have any direct access to the key), and you control the input and the direction (enc/dec) and can see the output, can you mathematically derive the key? How many tests will you have to run to be able to derive the key?

He said he remembers there was a paper that said it will take only $2^{16}$ tries to derive the key. Does this paper exist? Dan anybody point me in the right direction?

AleksanderCH
  • 6,435
  • 10
  • 29
  • 62
Anton Vainer
  • 45
  • 4

1 Answers1

5

What you describe is Chosen-Plaintext Attack (CPA) and AES and secure block ciphers are designed to be secure against this.

Having $2^{16}$ chosen-plaintext under one key doesn't help you to extract the AES key. You have to go to the full-brute force to find the key.

Since you have one target, you cannot get help from attacking many keys simultaneously. In some cases, the black box may reside in many days in front of you, thus, during those days, you will get many target keys.

For $t$ targets, the expected cost breaking one of the $t$ keys is $2^{128}/t$ and that will be far below $2^{128}$. If you have a billion target (~$2^{30}$) the cost will be ~$2^{98}$ to find one of the target keys.

kelalaka
  • 48,443
  • 11
  • 116
  • 196