7

Let's say I have a large amount of files, say 20GB worth, all encrypted with the same AES key. Each file is encrypted individually.

Now, suppose I get ahold of 10GB of these files in decrypted format. And let's say I can even match up which files are which by using their sizes.

Seems I have a whole lot of information here - is it possible for me to crack the key and get the other 10GB of data out in unencrypted form?

Please help me understand why this is possible or not possible. I've searched the net extensively and I cannot find anyone discussing this topic. All I can find are generic statements about how AES is "unbreakable." But I am curious if this unbreakability holds in the event that a large amount of data has been compromised.

MikeC8
  • 3,783
  • 4
  • 27
  • 33
  • In ECB mode there would be problems. You still couldn't recover the key, but you'd learn something about the plaintext. In a decent mode, such as CBC or CTR, additional known plaintext doesn't help much. – CodesInChaos Jul 30 '12 at 11:51
  • 4
    This question appears to be off-topic because it is about cryptography. – Cole Tobin Oct 19 '13 at 22:04

2 Answers2

12

No, it is not (believed) possible.

The attack scenario you are referring to is a commonly studied scenario, called ''known-plaintext attack''.

A cipher is only considered secure if it is resistant against this (and many other) attacks. "Resistant" in this context means that having plaintext (no matter how much) does not make it any easier to find a key.

As to why this is the case, this is hard to understand without knowing a lot about the structure of AES and the possible attack modes. For an introduction, see e.g. the references of the Wikipedia article on AES, or have a look at The Design of RijndaeL: AES - The Advanced Encryption Standard (by Daemen & Rijmen themselves).

Related question: Why is AES resistant to known-plaintext attacks?

Community
  • 1
  • 1
sleske
  • 81,358
  • 34
  • 189
  • 227
  • Ok, this helps me in my research, now knowing that what I am trying to investigate is called "known-plaintext.". Thank you. I am still a bit confused though, conceptually. I understand that AES has been designed very well, but I cannot fathom how it could be that having more and more "known plaintext" could not decrease the time to crack the key. More information is more information, right? Mustn't it reveal *something*? As the amount of known plaintext increases, surely time-to-crack decreases? – MikeC8 Jul 30 '12 at 06:56
  • @MikeC8: As I wrote, the answer is no. And to understand why, you'll have to do some reading. You might also want to ask on http://crypto.stackexchange.com/ , they are more qualified than I am. – sleske Jul 30 '12 at 07:07
  • 1
    @MikeC8: *"As to why this is the case, this is hard to understand without knowing a lot about the structure of AES"* - Actually, that's not really true. There's no real *reason* AES is resistant to known-plaintext attacks, other than the fact that lots and lots of smart people have put their minds to it, and no one has come up with anything yet. This is the way it is with most block-ciphers *(as opposed to, say, symmetric-key ciphers, most of which have proofs saying something like "known-plaintext attacks are at least as difficult as factoring large integers")* – BlueRaja - Danny Pflughoeft Jul 30 '12 at 16:04
  • Also IIRC there **is** a known-plaintext attack on AES that reduces the expected brute-force time of AES-128 by 2-bits (to 125-bits), but it requires something like 2^99 plaintexts, so is currently only a theoretical concern. Keep in mind Bruce Schneier's famous quote, though: *"Attacks only get better, they never get worse!"* – BlueRaja - Danny Pflughoeft Jul 30 '12 at 18:57
  • 1
    @BlueRaja-DannyPflughoeft that would be asymmetric ciphers? – Maarten Bodewes Aug 05 '12 at 20:54
  • @owlstead: yes, whoops, that is clearly what I meant to type :) – BlueRaja - Danny Pflughoeft Aug 05 '12 at 22:15
1

AES is not a stream cipher and the output varies a lot for a small input changes (avalanche effect)

Breaking AES encryption using decrypted data

Community
  • 1
  • 1
Petteri H
  • 11,779
  • 12
  • 64
  • 94