Score:0

If I encrypt two plaintexts with different keys, XOR the ciphertexts and send to an adversary, what can he/she do with what I sent?


Let's suppose I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using a different key, XOR the resulting ciphertexts and send this XORed block to an adversary. Remember that the adversary will not have access to the resulting ciphertexts, only the XOR of them.

What could he/she do with the XORed block? Can he/she find the keys I used, or even the plaintext of one of the ciphertexts, in fewer than 2^256 tries (256 bits)?

This question may sound strange, but it's part of my research.

PS: Sorry for my English.

Maarten Bodewes
"I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using different keys, XOR the resulting **plaintexts**". The output of a cipher is ciphertext, not plaintext.
alpominth
@MaartenBodewes Sorry, I corrected the text.
ph flag
If I'm reading it right, since the second plaintext and key are unrelated to the first, the attacker could generate the second ciphertext themselves. Imagine if that made it easier to recover your plaintext.
cn flag
I suggest looking into existing related-key attacks.
Score:1

Obviously an adversary doesn't gain any advantage if they obtain the ciphertext in the generic attack scenario for CBC mode. The XOR of the ciphertext has less information, so that certainly won't help.

Even if the adversary does get part of the plaintext it would not obtain any additional info when it comes to the cipher. That said, an XOR of a partial plaintext can of course contain information in itself.

Furthermore, if a plaintext oracle exists (CBC is an unauthenticated mode) then it might well be that an XOR of a partial plaintext can be used to obtain more information. That's outside of the security definition of the cipher itself though; it would come down to insecure usage.

alpominth
> The XOR of the ciphertext has less information, so that certainly won't help. -- Can the adversary still brute-force one of the 1MiB encrypted blocks if he/she has only the XOR of the two ciphertexts?
Maarten Bodewes
I guess that would be tricky, just like it would be tricky for the consumer of the XOR'ed ciphertext. Impossible to brute-force? No, you take plaintext, try all the keys for both ciphers and see if the XOR matches. Usually part of the plaintext message is known.
alpominth
Thanks @Maarten Bodewes, I was thinking it would be impossible.
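
The exhaustive search described in the comment above ("try all the keys for both ciphers and see if the XOR matches"), as an added example that is not part of the original thread. A toy 16-bit Feistel cipher with 8-bit keys stands in for AES-256; the plaintexts, IVs and keys are constructed sample values, and both plaintexts and IVs are assumed to be known to the party running the search.

```python
import hashlib
from itertools import product

def _f(key, rnd, half):
    # Toy round function: one byte of SHA-256 over (key, round, half-block).
    return hashlib.sha256(bytes([key, rnd, half])).digest()[0]

def toy_encrypt_block(key, block):
    # 4-round Feistel network: 16-bit block, 8-bit key (toy sizes, not AES).
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 8) | right

def cbc_encrypt(key, iv, blocks):
    # CBC chaining: each plaintext block is XORed with the previous ciphertext.
    out, prev = [], iv
    for b in blocks:
        prev = toy_encrypt_block(key, b ^ prev)
        out.append(prev)
    return out

def xor_streams(a, b):
    return [x ^ y for x, y in zip(a, b)]

def search_key_pairs(xored, p1, iv1, p2, iv2):
    # Encrypt each known plaintext under every key once, then test every
    # (k1, k2) pair against the XORed block. The pair count is |K| * |K|.
    c1 = {k: cbc_encrypt(k, iv1, p1) for k in range(256)}
    c2 = {k: cbc_encrypt(k, iv2, p2) for k in range(256)}
    tried, hits = 0, []
    for k1, k2 in product(range(256), repeat=2):
        tried += 1
        if xor_streams(c1[k1], c2[k2]) == xored:
            hits.append((k1, k2))
    return hits, tried

# Constructed sample data (assumptions for this example only).
P1 = [0x4865, 0x6C6C, 0x6F21, 0x0A0A]
P2 = [0x1111, 0x2222, 0x3333, 0x4444]
IV1, IV2 = 0x1234, 0xABCD
K1, K2 = 0x5A, 0xC3
XORED = xor_streams(cbc_encrypt(K1, IV1, P1), cbc_encrypt(K2, IV2, P2))

if __name__ == "__main__":
    hits, tried = search_key_pairs(XORED, P1, IV1, P2, IV2)
    print(f"{tried} key pairs tested (2^8 * 2^8), matches: {hits}")
```

With 8-bit keys the loop covers 2^16 pairs; the same pairwise search over two independent 256-bit keys would cover 2^256 * 2^256 pairs, so the XORed block is no shortcut compared with attacking a single ciphertext.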