If you are given the ciphertext and the first half bytes (8 bytes) of the encryption key (key is 16 bytes in total), can you use this to break AES-128 ECB encryption and determine the last 8 bytes of the encryption key? (As opposed to trying all 256^8 possibilities for the last 8 bytes of the key, which is A LOT of possibilities and would take days/months to compute)
Asked
Active
Viewed 5,371 times
2 Answers
5
You can't use it to "break the encryption", but you can guess at the remaining 8 bytes of the key. The remaining 8 bytes should be feasible to find, especially if you can run the search in parallel.
1
The most correct answer would be "It depends".
There are attacks on AES with reduced rounds, which are better than brute force. If you give the attacker half of the key, he might be able to translate this knowledge on the round keys - but that's not for sure and for a detailed analysis it would be required to specify exactly which bits are given (and that would be far, far too much for a question here).
Depending on that knowledge about the round keys, it might be easier to find exploitable characteristics in the rounds, so that an attack is possible.
In general, this is loosely related to key-related attacks, where the attacker is not given part of the key, but he knows the relation between two keys (I think the XOR of the keys) and gets oracle access to both.
Regarding your last sentence: $2^{64}$ is a lot of possibilities, but the assumption about days/months not necessarily true. That depends highly on the amount of processing power you can get. For example the bitcoin network is (atm) roughly at 1800 peta-hashes per second (source). If we assume hashes and encrytpions take roughly the same time, the bitcoin network could try all $2^{64}$ in $\approx 10$ seconds. And the estimated time to find the correct one is half of that.
tylo
- 12,864
- 26
- 40