Questions tagged [related-keys]

Keys with an exploitable mathematical relationship, and the attacks they enable

Related keys are pairs or larger sets of keys which have an exploitable mathematical relationship for a given cipher. The relationship can be as simple as differing in a few bits (TEA's equivalent keys, which differ only in the top bit of two key words and encrypt identically, are the extreme case), or it can be more complex (like the related-key boomerang attacks that exploit the AES-256 key schedule).

Related-key attacks are typically only an issue when a protocol lets an attacker obtain ciphertexts under keys with a known or chosen relationship (for instance by concatenating a public IV with a fixed secret key, as WEP did with RC4), or when a block cipher is used as the building block for a hash function, where the attacker controls the "key" input outright. As such, many new cipher constructions do not consider related-key attacks to be a major threat, and protocol designers are expected to derive independent keys rather than related ones.
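The following Python is an added example and is not part of the tag wiki or of any question on this page. It implements TEA from the published algorithm, shows the equivalent-key property mentioned above (flipping the top bit of k0 and k1 together, or of k2 and k3 together, does not change any ciphertext), and then shows why this matters for the hash-construction caveat: a Davies-Meyer compression function built on TEA uses the message block as the cipher key, so two messages differing in exactly those bits collide. The sample key, message blocks and IV are constructed for the demonstration.

```python
"""TEA equivalent keys, and the collision they cause in a TEA-based hash.

Added example, not code from the original page. TEA is implemented as in
Wheeler and Needham's reference description (32 cycles, delta 0x9E3779B9).
"""

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA round constant, derived from the golden ratio
TOP_BIT = 1 << 31    # bit 31 of a 32-bit word


def tea_encrypt(v0, v1, key, rounds=32):
    """Encrypt the 64-bit block (v0, v1) under a 128-bit key given as four
    32-bit words. All arithmetic is mod 2**32; high bits produced by the
    Python additions are discarded by the final mask on each half."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def equivalent_keys(key):
    """The three other keys that encrypt identically to `key`.

    In each half-round the key words enter as ((x<<4)+k0) ^ ((x>>5)+k1):
    adding 2**31 to k0 flips bit 31 of the first addend (the carry leaves the
    word), adding 2**31 to k1 flips bit 31 of the second, and the XOR cancels
    the two flips. The same holds for k2/k3, so TEA has only 2**126 distinct
    keys."""
    k0, k1, k2, k3 = key
    return [
        (k0 ^ TOP_BIT, k1 ^ TOP_BIT, k2, k3),
        (k0, k1, k2 ^ TOP_BIT, k3 ^ TOP_BIT),
        (k0 ^ TOP_BIT, k1 ^ TOP_BIT, k2 ^ TOP_BIT, k3 ^ TOP_BIT),
    ]


def is_equivalent(key_a, key_b, samples=((0, 0), (1, 2), (0xDEADBEEF, 0xCAFEBABE))):
    """Cheap empirical check: identical ciphertexts on a few constructed blocks."""
    return all(tea_encrypt(a, b, key_a) == tea_encrypt(a, b, key_b) for a, b in samples)


def tea_davies_meyer(blocks, iv=(0x01234567, 0x89ABCDEF)):
    """Davies-Meyer hash on TEA: h_i = E_{M_i}(h_{i-1}) XOR h_{i-1}.

    Each 128-bit message block (four words) is used as the cipher KEY, so the
    attacker chooses the key and any equivalent-key property becomes a
    collision. Padding and length encoding are omitted; they would not help,
    since the colliding messages below have the same length."""
    h0, h1 = iv
    for block in blocks:
        c0, c1 = tea_encrypt(h0, h1, block)
        h0, h1 = c0 ^ h0, c1 ^ h1
    return h0, h1


def find_collision(message_blocks):
    """Return a different message with the same TEA Davies-Meyer hash: the
    first block is swapped for one of its TEA-equivalent keys (two bits flipped)."""
    first = message_blocks[0]
    return [equivalent_keys(first)[0]] + list(message_blocks[1:])


if __name__ == "__main__":
    key = (0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF)  # constructed sample key
    print("equivalent keys behave identically:",
          [is_equivalent(key, k) for k in equivalent_keys(key)])
    low_bit_related = (key[0] ^ 1,) + key[1:]  # a related key that is NOT equivalent
    print("flipping a low bit instead:", is_equivalent(key, low_bit_related))
    msg = [key, (1, 2, 3, 4)]                   # constructed two-block message
    msg2 = find_collision(msg)
    print("messages differ:", msg != msg2,
          "hashes equal:", tea_davies_meyer(msg) == tea_davies_meyer(msg2))
```

The same two-bit change that is harmless when TEA is used for encryption under a secret key (nobody can pick the key) becomes a trivial collision once the key input is attacker-controlled, which is exactly the distinction the tag wiki draws.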

26 questions
22
votes
1 answer

Related-key attacks on AES

According to Wikipedia: Related-key attacks can break AES-192 and AES-256 with complexities $2^{176}$ and $2^{99.5}$, respectively. What are the requirements for these attacks (i.e. how many related keys, what should the relationship between the…
Chris Smith
  • 1,202
  • 1
  • 11
  • 18
17
votes
2 answers

Are AES-256's related-key weaknesses exploitable if it is used to build a hash?

Assume a hash is built from AES-256 encryption (perhaps because this is hardware-accelerated, but no standard hash is), and that it uses the Merkle–Damgård structure, that is, padding of the message into $n$ padded message blocks $M_i$ (appending…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
9
votes
1 answer

What is a related key?

We talk of related keys and related-key attacks, but what is a 'related key'? So, in three related parts: How can one key be related to another key? Is there a metric describing the degree of relationship? Is there a link between the nature of …
Paul Uszak
  • 15,905
  • 2
  • 32
  • 83
7
votes
2 answers

Will a SHAKE128 stream cipher be vulnerable to related key attacks?

Suppose that SHAKE is seeded with a key concatenated to an IV; will the 'key' stream produced by SHAKE128 be vulnerable to related-key attacks like RC4 is? My guess is no, because the seed is already "absorbed" before the key stream is "squeezed" out.
DannyNiu
  • 10,640
  • 2
  • 27
  • 64
7
votes
1 answer

Elliptic curve cryptography related key attacks

This question is an extension of Families of public/private keys in elliptic curve cryptography. As described there, Bitcoin "type 2" deterministic wallets use a root private/public key pair, where subsequent keys take advantage of the fact that in…
6
votes
0 answers

Is AES resilient to chosen plaintext with access to related keys (key expansion primitives)?

I'm interested in knowing whether a cryptosystem is broken given access to a few primitives. $\DeclareMathOperator{\KEYEXP}{KEY\_EXP}$ $\DeclareMathOperator{\E}{E}$ Suppose that you have access to an oracle that can provide you $\E(k, m)$ for any…
6
votes
1 answer

More rounds after AES related key attack?

In his blog, Schneier discusses a new related-key attack on 10 rounds of AES-256: "Another attack can break a 10 round version of AES-256 in $2^{45}$ time, but it uses a stronger type of related subkey attack". My question is how many more…
PYZH
  • 83
  • 6
4
votes
0 answers

AES-256 9 round related key attack - getting possible state differences

I'm trying to implement related key attack on 9 round AES256, described here: Biryukov, Dunkelman, Keller, Khovratovich, Shamir, but I am stuck at the very beginning with Observation A, used to validate state difference before final round. Since I…
Tlsfd
  • 41
  • 1
3
votes
1 answer

How exactly to concatenate two differential trails to form a boomerang distinguisher in practice?

I've been reading many papers on boomerang/rectangle attacks. The general strategy is to find two trails for a small number of rounds and then concatenate them to form a longer distinguisher. Specifically, they decompose the cipher $E$ to $E = E_1…
3
votes
1 answer

Are two keys derived from the same password vulnerable to a related key attack?

Background I am currently writing a password manager application. As usual, the passwords are put in a file encrypted using a user-entered password. I'm using the NaCl library but actually it's not really important. Here is what I do to encrypt the…
2
votes
0 answers

Encrypting with one key and decrypting with a related key

Given $n$-bit block cipher $E$ (and its inverse $E^{-1}$), define block cipher $E^\prime_k(m) = E_k(E_{f(k)}^{-1}(m))$ where $k,f(k) \in \{0,1\}^n$ and $\forall k:f(k) \ne k$. Under the ideal block cipher model, there exists no function $f$ which…
forest
  • 15,626
  • 2
  • 49
  • 103
2
votes
1 answer

Does Wikipedia's WEP - RC4 example really demonstrate a related key attack or just an IV reuse attack?

On Wikipedia's Related Key attacks page, there is a section about WEP as an example to related key attacks. Encryption uses the RC4 algorithm, a stream cipher. It is essential that the same key never be used twice with a stream cipher. To prevent…
kelalaka
  • 49,797
  • 12
  • 123
  • 211
2
votes
1 answer

Related-key attacks against Salsa20 and ChaCha

From the Salsa20 security document, DJB states that he doesn't care about related key attacks: The standard solutions to all the standard cryptographic problems—encryption, authentication, etc.—are protocols that do not allow related-key attacks on…
forest
  • 15,626
  • 2
  • 49
  • 103
2
votes
1 answer

RC4 Klein (or other) attack susceptibility question

What issues do you all see with the following in terms of key recovery and related-key attacks: RC4 used to "sign" a nonce: 3 byte nonce concatenated with 16 byte long-term key > RC4 keystream generator > 259 bytes keystream output. Discard first 256…
HANGOBA
  • 21
  • 1
1
vote
1 answer

Is there any practical use of reduced rounds of AES

There are lots of attacks on reduced-round block ciphers. There are practical attacks on five rounds of AES-128 (five-round AES broken in six minutes). I was just wondering if there is any practical application of reduced rounds of AES where less…