Why is AES resistant to known-plaintext attacks?

Question

At least it's my understanding that AES isn't affected by known-plaintext. Is it immune to such an attack, or just resistant? Does this vary for chosen-plaintext?

Answer 1

A known-plaintext attack (i.e. knowing a pair of corresponding plaintext and ciphertext) always allows a brute-force attack on a cipher:

• Simply try all keys, decrypt the ciphertext and see if it matches the plaintext.

This always works for every cipher, and will give you the matching key. (For very short plaintext-ciphertext pairs, you might get multiple matching keys. Then you need to try more pairs to eliminate the wrong ones).

If you have no known plaintext, only the ciphertext, you can do it similarly, but you also need a function which says whether what you decrypted is a plausible plaintext.

The problem with try all keys is that for every modern cipher (i.e. key sizes of 128 bit or more) the key space is that large that you need much more time than the remaining lifetime of the universe to check a significant portion of all keys.

So, the question is, are there any attacks which are faster than brute-force?

For now, there seem to be some attacks which are slightly faster (like needing only $2^{125}$ steps instead of $2^{127}$ for brute-force, a bit better for the 256-bit-key version) and needing either a really large amount of chosen plain- or ciphertexts (and knowing the result), or even larger amounts of known plaintexts. These are still not practically doable in our world.

There are no proofs that AES (or any block cipher) is really secure, only the heuristic "many smart people tried to break it and until now, nobody was successful" (or at least, nobody who succeeded told the public).

Answer 2

Well, the answer to 'why is AES resistant to known-plaintext attacks' is that, well, lots of really bright people have thought hard about how to break AES, and no one has come up with a practical way, either assuming known plaintext or chosen plaintext. See how-much-would-to-cost-to-brute-force-AES for a discussion on what it would take, given the current state of knowledge.

So, the answer to 'is it immune', the answer is, yes, as far as we know, it is.

Answer 3

Since no one really answered the question:

AES is only resistant to known-text attacks if you always use a different randomized initialization vector (IV) for every single message.

To oversimplify a bit, AES combines the Key with the IV to produce the cipher, and the cipher is rotated in blocks throughout the length of the message based on the previous block. So long as the IV is unique to the message (it needn't be secret), then not only can the Key not be recovered, but the knowledge of matching plaintext-ciphertext somewhere in a message provides no information about anything anywhere else in the message.

On the other hand if the Key and IV are reused between messages then the same plaintext will lead to the same ciphertext, so you can potentially decrypt a message using a sufficiently large corpus of known matching plaintext/ciphertext pairs, even without ever recovering the key.

Answer 4

Differential cryptanalysis is a form of a plaintext attack. The Wikipedia article on Differential cryptanalysis says that AES has been designed with resistance against this attack in mind. Wikipedia even say this resistance can be proven mathematically, but do not source it.

Answer 5

The classic attack using known plaintext essentially runs the encryption backwards and constructs the key. No brute force is needed, you just need enough matching plaintext and ciphertext, where "enough" can be as little as the key length (for sufficiently vulnerable ciphers). Resistant ciphers do internal mixing of the cipher state so this is not possible.

The first encryption system you ever thought of is probably to XOR the plaintext with the output of a pseudorandom number generator. This encryption system has only about 64 bits of hidden state, 8 of which are revealed by each encrypted letter. You get the idea.

Answer 6

We can actually do one better than:

"lots of really bright people have thought hard about how to break AES, and no one has come up with a practical way, either assuming known plaintext or chosen plaintext"

Assume you have plaintext a that is encrypted into ciphertext z. AES has two steps that work together to thwart a known-plaintext attack.

The actual round key and sbox steps simplified for explanation purposes would be something like for key k, ciphertext z = sbox(a * k) where the sbox is a simple substitution through a lookup table. Every byte is replaced with the corresponding byte from the table.

Imagine AES encryption was equal to sbox(a) * k. A known plaintext attack would occur as follows: \begin{equation} sbox(a) \cdot k = z\\ k = \frac{z}{sbox(a)} \end{equation} The key has been calculated. However, AES is set up more like sbox(a * k), so a known plaintext attack would look like this: \begin{equation} sbox(a \cdot k) = z \end{equation} There is no way to isolate k because we need to know the value of k to know what the substituted value is. In other words, we have an expression a * k that we cannot yet solve for a number because we don't know k. An expression cannot be substituted in an sbox, so the key cannot be calculated. Hence, the known plaintext attack has been thwarted.