Skip to content(if available)orjump to list(if available)

Learn How to Break AES

Learn How to Break AES

56 comments

·March 4, 2025
Visit

tptacek

David Wong hasn't been at NCC Cryptography for a long time, so I assume we'll be waiting a long time before we get to Linear and Differential cryptanalysis, but if that's a thing you're interested in, what you want is the Heys tutorial:

http://www.cs.bc.edu/~straubin/crypto2017/heys.pdf

My recommendation: print it out to a PDF with huge margins so you can make notes, and then work through all the worked examples.

pbsd

Interestingly enough, the Square attack (otherwise more generally known as integral cryptanalysis) is much more powerful than regular linear or differential cryptanalysis when applied to the AES.

baby

I'm actually looking for an intern to reboot this project :) if anybody is interested https://blog.zksecurity.xyz/posts/internship-2025/

underdeserver

Just in case anyone's wondering, AES - the regular AES-128, 192 or 256 - is not publicly broken (yet).

tialaramex

In fact it is IMO unlikely this primitive will ever be broken. Its predecessor, DES was "broken" only in the sense that it was intended to be possible to break it with enough computing power when it shipped, as a NOBUS (Nobody But Us can break it) by the US government. In 1975 this is a NOBUS, in 2025 it's basically saying "Please hack us China" so we don't do that any more.

Although cryptanalysis of DES did reveal some flaws, the actual breaks, including ones you'd use today if tasked to break DES at scale, all target exactly the two deliberately chosen weaknesses from when it was designed 50 years ago - its keys are too small and its block sizes are too short, that's all, and that's enough.

In AES neither of these flaws is present, hence I am not alone in thinking we probably won't ever build another one.

You might think well, in 50 years we'll have better computers so that's dumb. Nope. Unless there's an actual mathematical break what runs out isn't mere human ingenuity, it's plain physics.

cakealert

Modern ciphers including AES subscribe to the philosophy of using a simple round and then repeat it a bunch of times.

While this is most likely sound (due to the sensitivity to initial conditions aka avalanche effect) there is a small chance that this creates a mathematical structure that will one day get exploited.

AES is even more vulnerable to this chance than usual because it actually uses mathematical functions for several of its components (the sbox and the 32-bit linear permutation). No one has been able to exploit this combination yet though.

Contrast this with SHA-2 for example, it's an unbalanced Feistel permutation that had a lot of 'random' nonlinear crap thrown in. SHA-2 can actually be used as a block cipher (SHACAL-2) however there is no HW acceleration for the inverse permutation - so you would be limited to CTR-like modes.

adrian_b

While what you say about the vulnerabilities of AES is true, it is very easy to modify AES to remove these weaknesses, and in a way that still allows the use of the special AES instructions of CPU ISAs like Intel/AMD x86-64 or ARM Aarch64, so that the decreasing of the encryption/decryption throughput would be very small.

There are several ways to achieve this. An example would be to replace a few of the XOR (additions modulo 2) operations that introduce subkeys between the AES rounds with another kind of addition instructions, e.g. with addition modulo 2^64.

These additions do not commute with the operations in the Galois field used by AES and they completely destroy the system of equations in that Galois field that is equivalent with the standard AES, making impossible any algebraic attempts at breaking AES. Moreover, if the additions would replace XOR in irregular places, that would make some of the rounds distinct from the others, breaking an attack that depends on all the rounds being identical. By replacing quasi-randomly the XOR operations with either addition modulo 2^64 or addition modulo 2^32 it is possible to make all the AES rounds distinct, with no pair of identical rounds and with only a negligible throughput decrease.

Also using the usual hardware AES instructions, it is simple to implement the Rijndael variant with a block size of 256 bits, which is much stronger than the standard AES with a block size of 128 bits (this has been described in an Intel application note when they have introduced the AES instructions in the Intel Westmere CPUs, in 2010).

So any possible advances in the cryptanalysis of AES will have effects only for the decryption of old recordings of encrypted information.

Future encrypted information will be easily protected against any advances with only software changes.

tptacek

Exploitable mathematical structure arising purely from the concept of an iterated cipher is probably what Nick meant there by "an actual mathematical break". SHACAL-2 is also an iterated cipher with a relatively simple round structure.

hinkley

> in 2025 it's basically saying "Please hack us China" so we don't do that any more.

It took almost two decades to explain that to sitting presidents and Congress.

'We' have been telling 'them' that shit won't scale since at least the 90's.

Everyone forgets about Al Gore's black sheep - the Clipper Chip.

bluGill

That is in the US. Major European countries still haven't figured that out. (I'm not sure if US congress really has either, but at least I haven't seen any backdoor movements come out in the past few years)

BTW, if you are keeping score: stop. Every country has things they do well and things they do bad. Look for and fix your local bads, this isn't a game of who is better, it is a game everyone should win.

SAI_Peregrinus

I suspect we might move to some sort of cipher that uses the AES round function but isn't full AES, like AEGIS, for performance benefits. Same permutation, but arguably a different primitive. That move won't be because AES got broken though, it'd be because AES wasn't as fast as desired.

upofadown

>...all target exactly the two deliberately chosen weaknesses from when it was designed 50 years ago...

I would quibble the deliberate part for the block length (and perhaps strengthen your point). DES came out in the 70's and people were still designing 64 bit ciphers in the 90's. Examples: IDEA, CAST5, Blowfish. I think that it is most likely that the the 56 bit key length was really the only factor intended to make DES deliberately weak. Gigabyte scale files/sessions were just not a thing back then.

adrian_b

The ancestor of DES at IBM, Lucifer, had both an 128-bit block length and 128-bit keys.

Therefore there is no doubt that both the reduction of the key length and of the block length have been deliberate.

The only thing that can be argued is that perhaps the motivation for the reduction in the block length could have been less for weakening the cipher, but more for reducing the cost of the hardware, based on the assumption that the cipher will be used only for the encryption of amounts of data that are very small for today, but which could have seemed big during the mid seventies.

randomtoast

Grovers algorithm can brute-force a 128-bit symmetric cryptographic key in roughly 2^64 iterations (on a quantum computer which we likely have in 50 years), instead of 2^128. Now, lets find another attack vector (maybe with the help of AI) that reduces the 64 a bit and you are in the realm of feasibility.

adgjlsfhk1

2^64 work that is non-paralellizable isn't a threat. 64 bits of classical security is insufficient because computers can do thousands of operations in parallel, and you can combine the effort of millions of computers. Grover's algorithm gives you a sequential complexity of 2^64, so if you have a quantum comptuer with a clock speed of 20GHZ (current quantum computers are in the khz to low mhz range), and you pretend that the quantum computer can process 14 rounds of AES per clock cycle (in reality it would be hundreds of cycles), it will take a quantum computer running for 30 years continuously to crack a single key (and if the temperature ever rises 1 millionth of a degree or the computer loses power for a nanosecond, you have to start over).

metacritic12

But everyone will upgrade to AES-256 (many system already has), and that truly will be the final symmetric algo even with moore's law.

kali_00

[dead]

userbinator

Certainly one of the most clickbaity titles I've seen.

MontagFTB

If you're interested in this sort of thing, I cannot recommend the cryptopals crypto challenges enough. They are a series of project that take you from XOR up through breaking AES and beyond:

https://cryptopals.com/

cinntaile

You also have https://cryptohack.org/

secret-noun

The writing of Cryptopals is unclear. I've made it about half-way through the challenges twice over the past decade. I get that it's prompting me to learn on my own, as if I was a real cryptanalyst encountering a system for the first time, but I literally do not understand what is being asked or the constraints of the problems sometimes. It's like author is trying to be clever and curt and gate-keeper-y on purpose. "You should be able to do this with a shitty, hastily-written problem description, right?"

tptacek

We ran these challenges at Matasano with the public, under a system where you could only get the next 8 challenges after demonstrating that you'd solved the previous 8, after I wrote an internal guide for our consultants on the cryptographic vulnerabilities they should be capable of addressing on engagements. What you're reading there is basically an internal README. They got very popular (many, many people have solved all of them without additional prompting), but we didn't really invest any extra time in cleaning them up or refining their pedagogy.

thenewwazoo

…and thank you (all) for doing so. It’s my go-to motivation when teaching Rust to experienced programmers. It’s a raging success every time.

null

[deleted]

Retr0id

Neat, I'm looking forward to the Differential Cryptanalysis portion! It's something I've tried to learn in the past but I've been struggling to find approachable resources.

alabhyajindal

This looks very nice! Thank you!

I'm currently taking Cryptography at university and I find the resources online to be quite scarce. I mostly find myself reading Wikipedia. I don't know if I'm missing some background knowledge but some of the math notations tend to be quite difficult to understand. I have spent around 10 hours trying to understand Differential Cryptanalysis unsuccessfully!

__alexander

If you haven’t seen it already, check out “Understanding Cryptography: A Textbook for Students and Practitioners”. Probably one of the best and approachable books on cryptography. Plus all the lectures are on YouTube so you can read a chapter and then watch the lecture. Also with the math notation, you a take a photo of it and ask ChatGPT to try to explain it.

alabhyajindal

Thank you! I'll take a look! Yes, I agree with the suggestion on math notation - I should start doing that.

binwiederhier

I can highly recommend Cryptography Engineering by Bruce Schneier. I read it years ago and to this day it still helps me regularly.

zelphirkalt

Yeah when it comes to math Wikipedia is rarely a good introduction to any topic. Maybe if one studied mathematics before or something, but definitely not for most other people.

baby

that's really a shame actually, I think many people try to use wikipedia for Math and it's almost never a good idea

baby

Not so long ago I wrote the book I wish I had when I was studying cryptography back in uni: https://livebook.manning.com/book/real-world-cryptography/ch...

oulipo

Cool! Would be nice to also include side-channel attacks

tptacek

Side channels aren't block cipher cryptanalysis. There's some very basic side channel stuff in Cryptopals, but modern side channel analysis is primarily microarchitectural, which is a significant change in focus, and someone should do a standalone resource on that.

oulipo

Well it's very connected, you're using the knowledge about block cipher to attack them, even though it's not the "pure mathematical attack", it's still the most widespread attack against current cryptographic systems

Retr0id

That's not true, there are plenty of side-channel attacks that fall squarely within the realm of block cipher cryptanalysis. Examples include Differential Fault Analysis (DFA), Correlation Power Analysis (CPA) and more.

It's true that practical side-channel leaks on software block cipher implementations tend to be microarchitectural (e.g. cache timing), but that's only because the "easier" attacks are already mitigated or considered out of scope (e.g. no physical access).

tptacek

Eh, fair enough. Something like differential fault analysis would make a lot of sense in a block cipher cryptanalysis sequence.

Retr0id

I recently did a CTF challenge write-up for an AES timing side-channel, which I tried to make similarly approachable: https://www.da.vidbuchanan.co.uk/blog/uoftctf-timed-aes.html

It's not quite the same "lab exercises" format but the CTF challenge files are public, so you can try it for yourself.