
My securities instructor recently posed this question to the class and I am bending my brain in half trying to figure it out.

Suppose $y_1 = AES(K, x_1)$ and $y_2 = AES(K,x_2)$, and suppose you know the pairs $(x_1,y_1)$ and $(x_2,y_2)$. Without knowing $K$, how can you construct a new pair $(x_3,y_3)$ such that $y_3 = AES(K,x_3)$?

It seems like that shouldn't be possible... right?

Paŭlo Ebermann
A Student
    The obvious question is "what do they mean by the AES function()". If it's just AES in ECB mode, then yes, that should not be possible. If they mean AES in some other mode, that might be possible, depending on what that other mode was. – poncho Apr 10 '13 at 01:48
    If it's just "the AES permutation" (so to speak), then it should not be possible. If it's AES in ECB mode, then it's quite easy. –  Apr 10 '13 at 05:33

1 Answer


If this is simply the AES permutation on a single block, it's hard to find such a pair.

If it's AES-ECB with multiple blocks, you can pick each block from either $(x_1,y_1)$ or $(x_2,y_2)$, producing a new message that contains parts from each of them.

With other modes it depends on that mode, but with many modes there will be a similar mixing attack as for ECB.

CodesInChaos
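The block-mixing property described in the answer above, as an added example that is not part of the original post. It assumes a stand-in 128-bit block cipher (a 4-round Feistel network over HMAC-SHA256) in place of AES so that it runs with the standard library only; the result depends only on ECB encrypting each block independently, and the messages and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes; same block size as AES


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed permutation on 16-byte blocks (assumption: NOT AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: every block is encrypted on its own, with no chaining."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a multiple of the block size")
    return b"".join(encrypt_block(key, b) for b in blocks(msg))


def splice(x1: bytes, y1: bytes, x2: bytes, y2: bytes, choice: list):
    """Build (x3, y3) without the key: choice[i] selects pair 0 or 1 for block i."""
    xs, ys = (blocks(x1), blocks(x2)), (blocks(y1), blocks(y2))
    x3 = b"".join(xs[c][i] for i, c in enumerate(choice))
    y3 = b"".join(ys[c][i] for i, c in enumerate(choice))
    return x3, y3


if __name__ == "__main__":
    key = os.urandom(16)  # known only to the encrypting party
    # Constructed two-block sample messages.
    x1 = b"block-A1-plain.." + b"block-B1-plain.."
    x2 = b"block-A2-plain.." + b"block-B2-plain.."
    y1, y2 = ecb_encrypt(key, x1), ecb_encrypt(key, x2)

    # Block 0 from pair 1, block 1 from pair 2; the key is never used here.
    x3, y3 = splice(x1, y1, x2, y2, [0, 1])
    print("new plaintext:", x3)
    print("valid pair:", ecb_encrypt(key, x3) == y3)
```

With a single-block message there is nothing to recombine, which matches the first case in the answer.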