Score:0

Crypto

Setting AES Sbox output to 0

hooujki

1/11/23, 1:46 PM

What would happen if one would set the AES Sboxes to always output 0? Could one retrieve the key by doing so? Or what would happen if there were no Sboxes?

0 + 0

encryption

Score:4

Crypto

Daniel S

1/11/23, 2:42 PM

Setting the $S$-box to always output zero would mean that AES encryption would always output the final round key, irrespective of input. To see this not that in the final round all bytes are substituted (i.e. set to zero in this case), then shifted per ShiftRows and then have the final round key added.

For AES-256 and AES-192 there is not enough information in the 128-bit final round key to uniquely determine all of the bits of cryptovariable, but a significant amount of information is provided. For AES-128 the key schedule can be reversed and the cryptovariable recovered.

If there were no $S$-boxes, the other functions are linear in their operation and the whole function would mean that output was an affine function of the input. Such a function is extremely cryptographically weak.

0 + 0

hooujki

1/11/23, 3:15 PM

thank you for the answer. Why is AES 256 not vulnerable to this kind of weakness of setting SBOX output to 0, while AES 128 is?

Daniel S

1/11/23, 4:29 PM

The block size of AES means that exactly 128-bits of information are released, effectively reducing the unknown bits of key by 128-bits. In the case of AES-128 this reduces the unknown bits to essentially 0 and with AES-256 it reduces the possible number of keys to $2^{128}$ instead of $2^{256}$.

poncho

1/11/23, 4:35 PM

@hooujki: of course, we're generally not interested in the exact key value; instead, we're interested in what that key would tell us, that is, information about what transform the cipher does. It turns out that for AES with an all-0 sbox, for any key size, a single ciphertext output would tell us everything about the transform (and hence the fact that we can't learn anything more about the key is usually not important)

hooujki

1/11/23, 5:26 PM

@DanielS could you explain it more easily? I understand the concept of AES128, since it outputs 128bit value at the end, we would get the last round key and then recompute the other key parts? AES256 still outputs 128 bit but has a 256 long key, hence we only get 128bit of the correct key and would have to bruteforce the other 128bit, but its (currently) impossible?

hooujki

1/11/23, 5:28 PM

@poncho can we reconstruct all the keys knowing only the last round key? how does the knowledge of the last round key make the scheme insecure? what do you mean by transform?

poncho

1/11/23, 8:05 PM

@hooujki: By 'transform', the point of a block cipher is to convert a plaintext block into a ciphertext block (and typically invertibly; with an all-0's sbox, it isn't, but lets ignore that for now); the security goal for the block cipher is to make the attacker unable to predict this mapping for the plaintext/ciphertext blocks he has not been given. The scheme is insecure because it makes all possible plaintexts into a single ciphertext; hence if you see one ciphertext, you can predict how it will handle any plaintext.

hooujki

1/11/23, 9:24 PM

@poncho lets say I have the possibility to manipulate the SBOX operation, to set it to 0 or let it run normally. I could set it firstly to output 0 to retrieve the last round key, but what about the other round keys? How do I retrieve them having only the last key?

poncho

1/11/23, 10:07 PM

@hooujki: well, the obvious approach would be to set the SBOX to be linear; then a plaintext/ciphertext pair will give you a set of linear (in $GF(2)$) equation on the key bits (either the original key, or the subkeys, depending on whether your SBOX changes apply to the key scheduling or not). By trying enough different sets of linear equations (2 if your changes apply to the key schedule, 15 if not), you should be able to get enough linear equations to rederive the key.

hooujki

1/12/23, 11:31 AM

@poncho thanks, I have seen the internal structure of AES 192 and 256 and the last key seems to be only 128 bit, compared to other round keys, which are 256 bit? Therefore recreating the forelast key is hard since we miss the other half of the key?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Setting AES Sbox output to 0

TH: การตั้งค่าเอาต์พุต AES Sbox เป็น 0

RO: Setarea ieșirii AES Sbox la 0

RU: Установка выхода AES Sbox на 0

VI: Đặt đầu ra AES Sbox thành 0

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.