If I encrypt two plaintexts with different keys, XOR the ciphertexts and send to an adversary, what can he/she do with what I sent?

alpominth

3/26/24, 4:13 AM

Let's suppose I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using different keys, XOR the resulting ciphertexts and send this XORed block to an adversary. Remembering that the adversary will not have access to resulting ciphertexts, only the XOR of them.

What could he/she do with the XORed block? Can he/she find the keys I used, or even the plaintext of one of the ciphertexts in less than 2^256 tries (256-bits).

This question could sound strange but it's part of one of my researches.

PS: Sorry for my English.

116

1 + 4

block-cipher

xor

Maarten Bodewes

3/26/24, 9:43 AM

"I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using different keys, XOR the resulting **plaintexts**". The output of a cipher is ciphertext ,not plaintext.

alpominth

3/26/24, 7:18 PM

@MaartenBodewes Sorry, I corrected the text.

bmm6o

3/27/24, 3:15 PM

If I'm reading it right, since the second plaintext and key are unrelated to the first, the attacker could generate the second ciphertext themselves. Imagine if that made it easier to recover your plaintext.

tylo

3/27/24, 4:26 PM

I suggest looking into existing related key attacks.

Score:1

Crypto

Maarten Bodewes

3/26/24, 11:31 AM

Obviously an adversary doesn't gain any advantage if they obtain the ciphertext in the generic attack scenario for CBC mode. The XOR of the ciphertext has less information, so that certainly won't help.

Even if the adversary does get part of the plaintext it would not obtain any additional info when it comes to the cipher. That said, a XOR of a partial plaintext can of course contain information in itself.

Furthermore, if a plaintext oracle exists (CBC is an unauthenticated mode) then it might well be that a XOR of a partial plaintext can be used to obtain more information. That's outside of the security definition of the cipher itself though; it would come down to insecure usage.

+ 3

alpominth

3/27/24, 11:06 AM

>The XOR of the ciphertext has less information, so that certainly won't help. -- Can the adversary still brute-force one of the 1MiB encrypted blocks if having only the XOR of the two ciphertexts?

Maarten Bodewes

3/27/24, 12:10 PM

I guess that would be tricky, just like it would be tricky for the consumer of the XOR'ed ciphertext. Impossible to brute-force? No, you take plaintext, try all the keys for both ciphers and see if the XOR matches. Usually part of the plaintext message is known.

alpominth

3/27/24, 2:11 PM

Thanks @Maarten Bodewes, I was thinking it would be impossible.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: If I encrypt two plaintexts with different keys, XOR the ciphertexts and send to an adversary, what can he/she do with what I sent?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.