3

My understanding of the cryptanalysis of AES, is based on what I've read on Wikipedia and my intuition, I have nothing but self-taught education on the subject.

So I want you to imagine: I have only TWO blocks of 128-bit cipher text.

The input was 256bits, we did not use any padding, we also ignored IVs and Salts, when implementing our "demonstration of Rijndael". Finally and most importantly, the two blocks of cipher text, are different by just one bit (in an arbitrary space), however: When presented with the two 128-bit blocks (and just a 128-bit key, both in same), we can come under two conditions:

Condition one: We know none of the weaknesses and similar plain-texts in these two blocks, I just mentioned, how easily could we discover it?

Condition two: We know everything I just mentioned above, apart from which bit is flipped and what the two plain texts and the key (let's keep it simple and make the key, only 128 bits). Can we discover much here? How do we go about it?

I said in the title, this is about "practical attacks", I don't know if even with all these conditions knowingly been met, there is much we can do, however since we've used Rijndael, so grossly incorrectly, I assume we're on our way to be able to deduce some information... In which of either, both or none, does an "attacker" learn anything about these two blocks, they weren't told?

r3mainer
  • 2,063
  • 15
  • 15
Iam Nick
  • 540
  • 2
  • 12
  • This is actually how CTR mode works, where a series of very similar plaintexts are encrypted, to generate an output. In this case, the output, even knowing the inputs only differ by 1 bit (and we may have thousands) still appears cryptographically pseudorandom, even if the attacker also knows the nonce, and not just the counter – Richie Frame Jan 15 '16 at 20:49

1 Answers1

1

What you're describing is a ciphertext-only attack on AES.
No, there's no (known) ciphertext-only attack on AES.

Condition one: We know none of the weaknesses and similar plain-texts in these two blocks, I just mentioned, how easily could we discover it?

By the lack of an transmitted IV, an attacker can learn whether the two messages are equal and that no IV was used. He can't learn anything else about the relationship of the plain texts without actually brute-forcing the key.

Condition two: We know everything I just mentioned above, apart from which bit is flipped and what the two plain texts and the key (let's keep it simple and make the key, only 128 bits). Can we discover much here? How do we go about it?

You can't learn anything about the plain texts you didn't already know without brute-forcing the key.

...since we've used Rijndael, so grossly incorrectly...

We have indeed, yes, however more advanced defensive measures (i.e. use of authenticated encryption and IVs) mainly protects you from more advanced attack scenarios, where the attacker can actually decrypt and encrypt arbitrary data under the challenged key to distinguish unknown plain texts.
The scenario you give however is even safe when using ECB mode, which are you doing. ECB mode is safe as long as all plain texts (under a given key) are different, your messages are different so they are secure. The only thing you can tell by observing ECB encrypted data is whether one block equals the other.

SEJPM
  • 45,967
  • 7
  • 99
  • 205
  • ECB mode does allow information to be leaked, see The Penguin. If there is repeated data within a single message information can be gained. – zaph Jan 15 '16 at 15:48
  • Assuming you're right, your answer confirms my suspicions :-)... I could have asked a broader question about at how many blocks of Rijndael used this way does it take before we can we gather any info (related-text-attack, in this case) but I wanted to keep it easy to answer, thanks @SEJPM and at squeamish ossifrage for correcting some small errors in the question. – Iam Nick Jan 15 '16 at 16:01
  • @zaph, yeah I was aware, which is why I said, "we change one bit", meaning the two plain-texts must be different and thus would be the cipher-texts... Nice demonstration with the penguin image though, as additional info about why not to use ECB-mode. – Iam Nick Jan 15 '16 at 16:37
  • My comment was directed toward the answer and the general statement about ECB mode in the last sentence. – zaph Jan 15 '16 at 16:43
  • @zaph, indeed if data is repeated (i.e. if plain text blocks are equal) you can see block patterns. However a whole 16-byte block needs to be repeated in order to get the same cipher text block and observe the repetition. Random ECB link – SEJPM Jan 15 '16 at 19:22