Question
Let's say that we have a hardware AES implementation that, on request, will encrypt or decrypt a 16-byte block of data in ECB mode using a fixed key, but refuses to reveal its fixed key. In other words, an oracle.
This oracle has a flaw: if you read the hardware's output registers before the device says that its output is ready, it will return the result of the intermediate rounds rather than only the 10th (final) round.
Is it possible to attack this system to go after the embedded key? I suppose that this means my question is about chosen-plaintext attacks against reduced-round variants of Rijndael-128.
Explanation / Answer
If you can read the intermediate states of the encryption algorithm you could recover, one by one, all the round keys. Given an AES round, all the operations between the two AddRoundKeys (at the beginning and the end of the round) are invertible.
Take for example round 1: you get the internal state before AddRoundKey (of round 2), you get back to the beginning of round 1, and you get the plaintext XORed with the first round key.
Finally, recovering all round keys is equivalent to recovering the master key.
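A worked demonstration of the answer's two claims, added here as an example and not part of the original answer or of any real device's code. It models the oracle from the question as a textbook AES-128 (FIPS-197, written from scratch for this example) whose output register can be read after any round. Every step of a round other than AddRoundKey is public and key-independent, so two consecutive early reads during one encryption give that round's key by plain recomputation, and the key schedule runs backwards from any single round key to the master key. The oracle model, all function names and the demo key are assumptions made for this example.

```python
"""Toy model of the question's oracle: a textbook AES-128 (FIPS-197, written from
scratch for this example, not any real device's code) whose output register can be
read after any round."""

def _gmul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1), b >> 1
    return r

def _build_sbox():
    """S-box = affine map applied to the multiplicative inverse (FIPS-197 sect. 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)  # inv(0) := 0
        s = inv
        for _ in range(4):  # XOR in rotl(inv, 1) .. rotl(inv, 4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0, 1, 2, 4, 8, 16, 32, 64, 128, 0x1B, 0x36]  # indexed by word index // 4

def _g(word, rcon):
    """Key-schedule core: RotWord, SubWord, XOR the round constant."""
    return [SBOX[word[1]] ^ rcon, SBOX[word[2]], SBOX[word[3]], SBOX[word[0]]]

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes; round key 0 is the master key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = _g(w[i - 1], RCON[i // 4]) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def invert_key_schedule(round_key, r):
    """Run the key schedule backwards from any single round key r to the master key."""
    w = {4 * r + j: list(round_key[4 * j:4 * j + 4]) for j in range(4)}
    for i in range(4 * r + 3, 3, -1):  # w[i - 1] is already known at every step
        t = _g(w[i - 1], RCON[i // 4]) if i % 4 == 0 else w[i - 1]
        w[i - 4] = [a ^ b for a, b in zip(w[i], t)]
    return bytes(sum((w[j] for j in range(4)), []))

# State: 16 bytes in FIPS-197 column-major order, byte 4*c + r is row r of column c.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def mix_columns(s):
    m = (2, 3, 1, 1)  # row 0 of the MixColumns matrix; row r is row 0 rotated right by r
    return [_gmul(s[4 * c], m[-r % 4]) ^ _gmul(s[4 * c + 1], m[(1 - r) % 4])
            ^ _gmul(s[4 * c + 2], m[(2 - r) % 4]) ^ _gmul(s[4 * c + 3], m[(3 - r) % 4])
            for c in range(4) for r in range(4)]

def aes128_encrypt_trace(pt, key):
    """Encrypt one block; return the state after each AddRoundKey, rounds 0..10."""
    rk = expand_key(key)
    s = [a ^ b for a, b in zip(pt, rk[0])]
    trace = [s]
    for r in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if r != 10:  # the final round has no MixColumns
            s = mix_columns(s)
        s = [a ^ b for a, b in zip(s, rk[r])]
        trace.append(s)
    return trace

def leaky_oracle(key):
    """The flawed device: a read after `rounds_done` rounds returns that round's state."""
    return lambda pt, rounds_done: bytes(aes128_encrypt_trace(pt, key)[rounds_done])

def recover_round_key(s_prev, s_cur, r):
    """Round key r from the states after rounds r-1 and r: every step of a round except
    AddRoundKey is public and key-independent, so recompute them and XOR the difference."""
    t = shift_rows(sub_bytes(list(s_prev)))
    if r != 10:
        t = mix_columns(t)
    return bytes(a ^ b for a, b in zip(t, s_cur))

def recover_master_key(read_register, pt, r):
    """Two early reads of one encryption give round key r, hence the master key."""
    s_prev = read_register(pt, r - 1)
    s_cur = read_register(pt, r)
    return invert_key_schedule(recover_round_key(s_prev, s_cur, r), r)

if __name__ == "__main__":
    secret = bytes(range(16))  # constructed demo key; the recovery code never sees it
    read = leaky_oracle(secret)
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # FIPS-197 C.1 plaintext
    print("ready output :", read(pt, 10).hex())  # 69c4e0d8... as in FIPS-197 C.1
    print("key from leak:", recover_master_key(read, pt, 5).hex() == secret.hex())
```

The FIPS-197 Appendix C.1 vector (key 00..0f, plaintext 00112233...ff) checks that the toy cipher is real AES. The point for whoever designs or reviews such a device: the recovery works from any pair of adjacent rounds, including the last two, so gating only the final-round value or masking one register is not a fix; the intermediate state must never be observable at all, which is exactly the property a "ready" signal is supposed to enforce.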