Suppose I have an encryption oracle for AES with some key $k$ (16 bytes) and that I know $n$ bytes of it. Is it possible to recover the rest ($16 - n$) in complexity less than $256^{16-n}$?
Asked
Active
Viewed 665 times
1 Answers
4
No, there is no known easier attack than doing a brute force search on the unknown key bits.
In particular, if there were, then this show an attack on the standard (no key bits leaked) AES, because what an attacker could do is go through all possible $2^{8n}$ settings of those key bits, assume those, and run his 'less-than-brute-force' attack on the remaining key bits. If this attack (when his guess for the 'known' key bits is correct) takes an expected time of less than the time taken to compute $2^{128 - 8n-1}$ AES evaluations, then the total time will take less than the time taken to do $2^{128-1}$ evaluations, that is, it shows that there is a faster-than-generic attack
poncho
- 154,064
- 12
- 239
- 382