Score:1

Chosen-plaintext attack on AES with MixColumns omitted

Zyx

Jean-Philippe Aumasson's "Serious Cryptography" says: "Without MixColumns, changes in a byte would not affect any other bytes of the state. A chosen-plaintext attacker could then decrypt any ciphertext after storing 16 lookup tables of 256 bytes each that hold the encrypted values of each possible value of a byte."

What would that attack look like? I can't beat the fact that SubBytes is non-linear.

Score:5

From what I understand, he is basically saying that without MixColumns AES reduces to a byte-by-byte cipher. So an attacker that can encrypt arbitrary plaintexts (that's the meaning of a chosen-plaintext attack) can just request the encryption oracle to encrypt 16-byte blocks, while iterating each of the 256 possible byte values from 0x00-0xFF (==256 possibilities for each byte), thus obtaining, as said, 16 lookup tables, one for each byte of the block. This will basically expose the entirety of this "degenerate AES" cipher, under this specific key.

(Just to be clear: It doesn't matter that the S-boxes are not linear, they still operate on each byte independently, which is why the MixColumns step is so crucial, it does more than only "mix the columns!!" :)).
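The table-building attack described in the answer above, as an added Python example that is not code from the thread or from the book. The names `encrypt_block`, `build_tables` and `decrypt_with_tables` are hypothetical, and as an assumption the 11 round keys are drawn at random instead of coming from the AES key schedule, which the attack never touches.

```python
import os

def make_sbox():
    """AES S-box: inverse in GF(2^8), then the affine map."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = make_sbox()
SHIFT = [(i + 4 * (i % 4)) % 16 for i in range(16)]  # ShiftRows, column-major state

def encrypt_block(pt, round_keys):
    """AES-128 round structure with MixColumns omitted (the degenerate cipher)."""
    s = bytes(a ^ b for a, b in zip(pt, round_keys[0]))
    for rk in round_keys[1:]:
        s = bytes(SBOX[s[SHIFT[i]]] ^ rk[i] for i in range(16))  # Sub, Shift, AddKey
    return s

def build_tables(oracle):
    """Chosen-plaintext phase: one 256-entry table per byte position, no key needed."""
    base, tables = oracle(bytes(16)), {}
    for i in range(16):
        probe = oracle(bytes(1 if k == i else 0 for k in range(16)))
        j = next(k for k in range(16) if probe[k] != base[k])  # where byte i lands
        inv = {}
        for v in range(256):
            pt = bytearray(16)
            pt[i] = v
            inv[oracle(bytes(pt))[j]] = v  # ciphertext byte -> plaintext byte
        tables[j] = (i, inv)
    return tables

def decrypt_with_tables(ct, tables):
    """Decrypt any block under the same key by 16 independent lookups."""
    pt = bytearray(16)
    for j, (i, inv) in tables.items():
        pt[i] = inv[ct[j]]
    return bytes(pt)

def demo():
    keys = [os.urandom(16) for _ in range(11)]  # assumption: random round keys
    oracle = lambda pt: encrypt_block(pt, keys)
    secret = b"constructed msg!"                # constructed 16-byte sample block
    return decrypt_with_tables(oracle(secret), build_tables(oracle)) == secret
```

The non-linearity of SubBytes never matters here: each table simply records the composed per-byte bijection, whatever its algebraic form.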
