View Single Post
Old 08-26-2018, 09:32
chants chants is offline
Join Date: Jul 2016
Posts: 621
Rept. Given: 18
Rept. Rcvd 41 Times in 25 Posts
Thanks Given: 569
Thanks Rcvd at 928 Times in 423 Posts
chants Reputation: 41
Well the mathematical or formulaic "white-box" strategy does seem like a total dead-end here. 10 rounds through the AES substitution-permutation network (well I suppose 8 + the first and last which are slightly different) and even with a linear s-box, its pretty much hard to mathematically deduce anything.

From the "black-box" way you mentioned. Well first we know the high bit of each byte is 0, giving 16 bits of 128. But 2^112 is still way too big and even playing with ascii character ranges does not get us within brute force range. So my guess here is quite obvious: linear cryptanalysis. Obviously differential is useless here as you did not give us two or more input-output pairs. But the linear s-boxes should cause a linear bias: Statistical bias in the output bits based on the key bits. It should theoretically get this within range for a practical attack. Is this the right direction?
Reply With Quote
The Following User Says Thank You to chants For This Useful Post:
niculaita (08-26-2018)