2

My securities instructor recently posed this question to the class and I am bending my brain in half trying to figure it out.

Suppose $y_1 = AES(K, x_1)$ and $y_2 = AES(K,x_2)$, and suppose you know the pairs $(x_1,y_1)$ and $(x_2,y_2)$. Without knowing $K$, how can you construct a new pair $(x_3,y_3)$ such that $y_3 = AES(K,x_3)$?

It seems like that shouldn't be possible.... right?

Paŭlo Ebermann
A Student

1 Answer

6

If this is simply the AES permutation on a single block, it's hard to find such a pair.

If it's AES-ECB with multiple blocks, you can pick each block from either $(x_1,y_1)$ or $(x_2,y_2)$, producing a new message that contains parts from each of them.

With other modes it depends on that mode, but with many modes there will be a similar mixing attack as for ECB.

CodesInChaos
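The ECB case described in the answer above, as an added example that is not part of the original answer: a new pair $(x_3,y_3)$ is assembled from the two known pairs by copying whole blocks, and the key is used only afterwards to confirm the pair is valid. The key, messages and function names are constructed for illustration; the AES-GCM contrast goes beyond the answer and shows that an authenticated mode rejects the same splice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample data: a fixed demo key and two 2-block (32-byte) messages.
var demoKey = []byte("0123456789abcdef")
var x1, x2 = []byte("msg1-block-one--msg1-block-two--"), []byte("msg2-block-one--msg2-block-two--")

// ecbEncrypt encrypts block-aligned input one 16-byte block at a time (ECB).
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// splice returns the first block of a followed by everything after it in b.
func splice(a, b []byte) []byte {
	return append(append([]byte{}, a[:aes.BlockSize]...), b[aes.BlockSize:]...)
}

// ecbSpliceIsValid builds (x3, y3) without the key, then uses the key only to verify y3.
func ecbSpliceIsValid(key []byte) bool {
	b, _ := aes.NewCipher(key) // 16-byte key, so no error is possible here
	y1, y2 := ecbEncrypt(b, x1), ecbEncrypt(b, x2)
	x3, y3 := splice(x1, x2), splice(y1, y2) // block copying only, no key involved
	return bytes.Equal(ecbEncrypt(b, x3), y3)
}

// gcmRejectsSplice applies the same splice to AES-GCM ciphertexts; the tag check fails.
func gcmRejectsSplice(key []byte) bool {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	n1, n2 := make([]byte, 12), make([]byte, 12)
	n2[11] = 1 // fixed, distinct nonces for a reproducible demo only
	c1, c2 := g.Seal(nil, n1, x1, nil), g.Seal(nil, n2, x2, nil)
	_, err := g.Open(nil, n2, splice(c1, c2), nil)
	return err != nil
}

func main() {
	fmt.Println(ecbSpliceIsValid(demoKey), gcmRejectsSplice(demoKey))
}
```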